github vmware-tanzu/pinniped v0.17.0


Release v0.17.0

Release Image

Image Registry
projects.registry.vmware.com/pinniped/pinniped-server:v0.17.0 VMware Harbor
docker.io/getpinniped/pinniped-server:v0.17.0 DockerHub

These images can also be referenced by their digest: sha256:fdd82564c896eb75ef218508f15b21bbcb30fd173af633074b74fad9d6d370f0.

Changes

This is a bug fix release for an LDAP and Active Directory login bug which could prevent end users who have certain special characters in their LDAP distinguished name (DN) from being able to log in using the Pinniped Supervisor.

Note that this bug had security implications for users of the Pinniped Supervisor when configured with either an LDAPIdentityProvider or an ActiveDirectoryIdentityProvider resource. If an end user somehow had the ability to change their DN in the LDAP or Active Directory server record, they could take advantage of this bug by, for example, placing special characters in the common name (CN) to attempt LDAP query injection against the group search. The group search determines which groups the user belongs to in Kubernetes clusters, so it is important that end users cannot influence it. This should rarely be possible in practice, since end users generally cannot edit their own record in an LDAP or AD server. If you use the Pinniped Supervisor with either an LDAPIdentityProvider or an ActiveDirectoryIdentityProvider resource, and your end users are able to change any part of their DN in their LDAP record, you should upgrade Pinniped to this new version immediately. See GHSA-hvrf-5hhv-4348 for more information.

Bug Fixes

  • Escape special characters in LDAP DNs when used in group search filters (#1148)
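The fix above comes down to treating the user's DN as a literal value when it is substituted into the group search filter. The following Go program is an added illustration of that principle, not Pinniped's own code: it implements RFC 4515 filter-value escaping (backslash, asterisk, parentheses and NUL become a backslash plus two hex digits), builds a constructed `(member=<dn>)` group filter both without and with escaping, and counts structural parentheses to show that only the escaped form keeps the filter shape fixed regardless of the DN's contents. The filter template, the function names and the sample DN are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLDAPFilterValue escapes a value for use inside an LDAP search filter
// assertion, following RFC 4515 section 3. Each of the characters that carry
// meaning in a filter is replaced by a backslash followed by its two-digit
// hex code, so the value can never open or close a filter item or introduce
// a wildcard. (Added example; not Pinniped's implementation.)
func escapeLDAPFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, "\\%02x", c) // e.g. '(' -> \28, '*' -> \2a
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// groupSearchTemplate is a constructed group membership filter; the user's DN
// is substituted for %s. Real deployments configure their own filter.
const groupSearchTemplate = "(&(objectClass=groupOfNames)(member=%s))"

// unsafeGroupFilter substitutes the DN verbatim. A DN containing filter
// metacharacters changes the structure of the resulting filter, which is the
// class of defect the v0.17.0 fix addresses.
func unsafeGroupFilter(userDN string) string {
	return fmt.Sprintf(groupSearchTemplate, userDN)
}

// safeGroupFilter escapes the DN first, so whatever the DN contains it is
// matched as a literal attribute value.
func safeGroupFilter(userDN string) string {
	return fmt.Sprintf(groupSearchTemplate, escapeLDAPFilterValue(userDN))
}

// openParenCount counts literal '(' bytes in a filter. For a fixed template
// this count must not depend on the substituted value; if it does, the value
// has altered the filter's structure.
func openParenCount(filter string) int {
	return strings.Count(filter, "(")
}

func main() {
	// Constructed sample DN with characters that are legal in a DN but are
	// metacharacters inside a filter.
	dn := "cn=Smith (Sales)*,ou=people,dc=example,dc=com"
	fmt.Println("unescaped:", unsafeGroupFilter(dn), "open parens:", openParenCount(unsafeGroupFilter(dn)))
	fmt.Println("escaped:  ", safeGroupFilter(dn), "open parens:", openParenCount(safeGroupFilter(dn)))
}
```

The template contributes exactly three opening parentheses, so a search built by `safeGroupFilter` always reports three, while `unsafeGroupFilter` reports four for the sample DN. A quick regression check of this kind (escape, then confirm the filter's structural character counts are independent of the input) is a cheap guard to keep in the test suite of any code that assembles LDAP filters from directory data.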

Minor Changes

A complete list of changes (21 commits, 23 changed files with 637 additions and 358 deletions) can be found here.

Acknowledgements

  • Thank you to @scottd018 for reporting the bug fixed by this release
