Pomerium Versions

Pomerium is an identity and context-aware access proxy.

v0.18.1

11 months ago

Security

  • This release fixes a bug whereby specially crafted requests could cause Pomerium to make incorrect authorization decisions (CVE-2023-33189).

What's Changed

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.18.0...v0.18.1

v0.17.4

11 months ago

Security

  • This release fixes a bug whereby specially crafted requests could cause Pomerium to make incorrect authorization decisions (CVE-2023-33189).

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.17.3...v0.17.4

v0.22.1

11 months ago

What's Changed

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.22.0...v0.22.1

v0.22.0

11 months ago

Changelog

v0.22.0 (2023-05-01)

Full Changelog

New

  • config: default to authenticate.pomerium.app when authenticate url is not specified #4132 (@calebdoxsey)
  • support loading route configuration via rds #4098 (@calebdoxsey)
  • authenticate: have an option to trim the contents of the callback #4090 (@wasaga)
  • urlutil: add version to query string #4028 (@calebdoxsey)
  • authenticate: fix authenticate_internal_service_url for all in one #4003 (@wasaga)
  • cryptutil: generate certificates from deriveca #3992 (@calebdoxsey)
  • authenticate: only use csrf none for apple #3979 (@calebdoxsey)
  • envoyconfig: preserve case of HTTP headers when using HTTP/1 #3956 (@calebdoxsey)

Fixed

  • autocert: fix certmagic cache logging #4134 (@calebdoxsey)
  • tls: wildcard catch-all cert must be at the end of cert list #4119 (@wasaga)
  • store authenticate state on creation #4064 (@wasaga)
  • authorize: move sign out and jwks urls to route, update issuer for JWT #4046 (@calebdoxsey)
  • hpke: move published public keys to a new endpoint #4044 (@calebdoxsey)
  • config: fix set_response_headers #4026 (@calebdoxsey)
  • authorize: allow access to /.pomerium/webauthn when policy denies access #4015 (@calebdoxsey)
  • authenticate: don't require a session for sign_out #4007 (@calebdoxsey)
  • authenticate: fix identity provider id in encrypted query string #4006 (@calebdoxsey)
  • derivecert: fix ecdsa code to be deterministic #3989 (@calebdoxsey)
  • fix webauthn url #3983 (@calebdoxsey)
  • lua: fix rewrite response headers to handle dashes in URLs #3980 (@calebdoxsey)
  • authenticate: save the session cookie with a different name #3978 (@calebdoxsey)
  • identity: fix nil reference error when there is no authenticator #3930 (@calebdoxsey)
  • authenticate: always trust the passed in idp #3917 (@calebdoxsey)

Dependency

  • chore(deps): bump github.com/google/go-jsonnet from 0.19.1 to 0.20.0 #4140 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.51.0 #4130 (@dependabot[bot])
  • chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.2 to 3.23.3 #4129 (@dependabot[bot])
  • chore(deps): bump github.com/minio/minio-go/v7 from 7.0.50 to 7.0.52 #4128 (@dependabot[bot])
  • chore(deps): bump github.com/rs/zerolog from 1.29.0 to 1.29.1 #4127 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.19 to 1.18.21 #4126 (@dependabot[bot])
  • chore(deps): bump coverallsapp/github-action from 2.1.0 to 2.1.2 #4124 (@dependabot[bot])
  • chore(deps): bump actions/setup-python from 4.5.0 to 4.6.0 #4123 (@dependabot[bot])
  • chore(deps): bump docker/metadata-action from 4.3.0 to 4.4.0 #4122 (@dependabot[bot])
  • chore(deps): bump google-github-actions/auth from 1.0.0 to 1.1.0 #4121 (@dependabot[bot])
  • dependencies: upgrade go and envoy #4116 (@calebdoxsey)
  • chore(deps): bump debian from d4bbca2 to 1fbdbcf #4115 (@dependabot[bot])
  • chore(deps): bump golang from 413cd9e to 73c225b #4114 (@dependabot[bot])
  • chore(deps): bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 #4113 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.116.0 to 0.118.0 #4112 (@dependabot[bot])
  • chore(deps): bump github.com/ory/dockertest/v3 from 3.9.1 to 3.10.0 #4111 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 #4110 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.33.1 to 4.33.3 #4109 (@dependabot[bot])
  • chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4108 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.5 to 1.31.2 #4106 (@dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 #4105 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.114.0 to 0.116.0 #4104 (@dependabot[bot])
  • chore(deps): bump golang from 1.20.2-buster to 1.20.3-buster #4103 (@dependabot[bot])
  • chore(deps): bump distroless/base from 5812871 to 357bc96 #4102 (@dependabot[bot])
  • chore(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible #4101 (@dependabot[bot])
  • chore(deps): bump coverallsapp/github-action from 2.0.0 to 2.1.0 #4100 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.112.0 to 0.114.0 #4096 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.50.1 to 0.51.0 #4093 (@dependabot[bot])
  • chore(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5 #4088 (@dependabot[bot])
  • chore(deps): bump debian from c1c4bb9 to d4bbca2 #4085 (@dependabot[bot])
  • chore(deps): bump golang from 57dbdd5 to 97c3e1d #4084 (@dependabot[bot])
  • chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.0 to 0.10.1 #4083 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.53.0 to 1.54.0 #4082 (@dependabot[bot])
  • chore(deps): bump github.com/minio/minio-go/v7 from 7.0.47 to 7.0.50 #4081 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.18 to 1.18.19 #4080 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.32.2 to 4.33.1 #4079 (@dependabot[bot])
  • chore(deps): bump actions/stale from 7.0.0 to 8.0.0 #4077 (@dependabot[bot])
  • chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.1 to 0.10.0 #4074 (@dependabot[bot])
  • chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 #4073 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.50.0 to 0.50.1 #4072 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.15 to 1.18.18 #4070 (@dependabot[bot])
  • chore(deps): bump coverallsapp/github-action from 1.2.4 to 2.0.0 #4069 (@dependabot[bot])
  • chore(deps): bump actions/checkout from 3.3.0 to 3.4.0 #4068 (@dependabot[bot])
  • chore(deps): bump actions/setup-go from 3.5.0 to 4.0.0 #4067 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.31.2 to 4.32.2 #4066 (@dependabot[bot])
  • chore(deps): bump golang from 1.20.1-buster to 1.20.2-buster #4060 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.5 to 1.17.6 #4059 (@dependabot[bot])
  • chore(deps): bump github.com/VictoriaMetrics/fastcache from 1.12.0 to 1.12.1 #4057 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.50.0 #4056 (@dependabot[bot])
  • chore(deps): bump docker/setup-buildx-action from 2.4.1 to 2.5.0 #4055 (@dependabot[bot])
  • chore(deps): bump actions/cache from 3.2.6 to 3.3.1 #4054 (@dependabot[bot])
  • chore(deps): bump golang from d99d361 to 9628a1a #4043 (@dependabot[bot])
  • chore(deps): bump debian from 7b16406 to c1c4bb9 #4042 (@dependabot[bot])
  • chore(deps): bump coverallsapp/github-action from 1.2.2 to 1.2.4 #4041 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.31.1 to 4.31.2 #4040 (@dependabot[bot])
  • chore(deps): bump github.com/jackc/pgx/v5 from 5.3.0 to 5.3.1 #4039 (@dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.6.0 to 0.7.0 #4038 (@dependabot[bot])
  • chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.1 to 3.23.2 #4037 (@dependabot[bot])
  • chore(deps): bump golang.org/x/oauth2 from 0.5.0 to 0.6.0 #4036 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/common from 0.39.0 to 0.41.0 #4035 (@dependabot[bot])
  • chore(deps): bump distroless/base from 8e770ae to 5812871 #4025 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.3 to 1.30.5 #4024 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.48.0 to 0.49.2 #4023 (@dependabot[bot])
  • chore(deps): bump github.com/yuin/gopher-lua from 0.0.0-20200816102855-ee81675732da to 1.1.0 #4022 (@dependabot[bot])
  • chore(deps): bump github.com/natefinch/atomic from 0.0.0-20200526193002-18c0533a5b09 to 1.0.1 #4021 (@dependabot[bot])
  • chore(deps): bump github.com/golangci/golangci-lint from 1.50.1 to 1.51.2 #4020 (@dependabot[bot])
  • chore(deps): bump actions/cache from 3.2.5 to 3.2.6 #4019 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.14 to 1.18.15 #4018 (@dependabot[bot])
  • chore(deps): bump coverallsapp/github-action from 1.1.3 to 1.2.2 #4017 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.10 to 1.18.14 #4002 (@dependabot[bot])
  • chore(deps): bump github.com/mholt/acmez from 1.0.4 to 1.1.0 #4000 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.109.0 to 0.110.0 #3999 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.2 to 1.30.3 #3998 (@dependabot[bot])
  • chore(deps): bump golang from 1.20.0-buster to 1.20.1-buster #3997 (@dependabot[bot])
  • chore(deps): bump distroless/base from 9687cd3 to 8e770ae #3995 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.30.8 to 4.31.1 #3994 (@dependabot[bot])
  • chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 #3993 (@dependabot[bot])
  • chore(deps): bump debian from 50cf570 to 7b16406 #3970 (@dependabot[bot])
  • chore(deps): bump golang from 4447a7f to f8fbd74 #3969 (@dependabot[bot])
  • chore(deps): bump distroless/base from 4f9fe94 to 9687cd3 #3968 (@dependabot[bot])
  • chore(deps): bump github.com/docker/docker from 20.10.23+incompatible to 23.0.1+incompatible #3967 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.52.3 to 1.53.0 #3965 (@dependabot[bot])
  • chore(deps): bump github.com/jackc/pgx/v5 from 5.2.0 to 5.3.0 #3964 (@dependabot[bot])
  • chore(deps): bump golang.org/x/oauth2 from 0.4.0 to 0.5.0 #3963 (@dependabot[bot])
  • chore(deps): bump actions/cache from 3.2.4 to 3.2.5 #3962 (@dependabot[bot])
  • chore(deps): bump fossa-contrib/fossa-action from 1.2.0 to 2.0.0 #3961 (@dependabot[bot])
  • chore(deps): bump debian from 12931ad to 50cf570 #3950 (@dependabot[bot])
  • chore(deps): bump golang from 1.19.5-buster to 1.20.0-buster #3949 (@dependabot[bot])
  • chore(deps): bump distroless/base from 76b0529 to 4f9fe94 #3948 (@dependabot[bot])
  • chore(deps): bump github.com/cloudflare/circl from 1.3.1 to 1.3.2 #3947 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.17.3 to 1.17.4 #3946 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.1 to 1.30.2 #3944 (@dependabot[bot])
  • chore(deps): bump google-github-actions/setup-gcloud from 1.0.1 to 1.1.0 #3943 (@dependabot[bot])
  • chore(deps): bump docker/build-push-action from 3.3.0 to 4.0.0 #3942 (@dependabot[bot])
  • chore(deps): bump docker/setup-buildx-action from 2.4.0 to 2.4.1 #3941 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.108.0 to 0.109.0 #3940 (@dependabot[bot])
  • chore(deps): bump distroless/base from 9eeffdc to 76b0529 #3928 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.8 to 1.18.10 #3927 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.52.0 to 1.52.3 #3926 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.30.0 to 1.30.1 #3925 (@dependabot[bot])
  • chore(deps): bump actions/cache from 3.2.3 to 3.2.4 #3923 (@dependabot[bot])
  • chore(deps): bump tibdex/github-app-token from 1.7.0 to 1.8.0 #3922 (@dependabot[bot])
  • chore(deps): bump goreleaser/goreleaser-action from 4.1.1 to 4.2.0 #3921 (@dependabot[bot])
  • chore(deps): bump github.com/rs/zerolog from 1.28.0 to 1.29.0 #3920 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.107.0 to 0.108.0 #3913 (@dependabot[bot])
  • chore(deps): bump cloud.google.com/go/storage from 1.28.1 to 1.29.0 #3912 (@dependabot[bot])
  • chore(deps): bump github.com/docker/docker from 20.10.22+incompatible to 20.10.23+incompatible #3911 (@dependabot[bot])
  • chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 #3910 (@dependabot[bot])

Changed

  • Update SECURITY.md #4145 (@backport-actions-token[bot])
  • config: remove source, remove deadcode, fix linting issues #4118 (@calebdoxsey)
  • chore(deps): bump actions/checkout from 3.4.0 to 3.5.0 #4078 (@dependabot[bot])
  • move hpke public key handler out of internal #4065 (@wasaga)
  • authenticate: add events #4051 (@wasaga)
  • authenticate: don't require a session for sign_out #4009 (@backport-actions-token[bot])
  • authenticate: fix callback handler for split mode #4008 (@wasaga)
  • webauthn: only return known device credentials that match the given type #3981 (@calebdoxsey)
  • apple: fix userinfo #3974 (@calebdoxsey)
  • Appleid #3959 (@mnestor)
  • envoy: optimize listener #3952 (@wasaga)
  • databroker: add list types method #3937 (@calebdoxsey)
  • remove log message when no provider defined #3936 (@calebdoxsey)
  • maybe fix flaky test #3929 (@calebdoxsey)
  • chore(deps): bump docker/setup-buildx-action from 2.2.1 to 2.4.0 #3924 (@dependabot[bot])
  • add google cloud creds to ignore #3906 (@wasaga)

v0.21.3

1 year ago

Changelog

v0.21.3 (2023-03-23)

Full Changelog

Changed

  • ci: build version branch images #4062 (@backport-actions-token[bot])
  • authorize: move sign out and jwks urls to route, update issuer for JWT #4049 (@backport-actions-token[bot])
  • hpke: move published public keys to a new endpoint #4048 (@backport-actions-token[bot])

v0.21.2

1 year ago

Changelog

v0.21.2 (2023-02-23)

Full Changelog

Changed

  • authenticate: fix identity provider id in encrypted query string #4011 (@backport-actions-token[bot])
  • authenticate: fix callback handler for split mode #4010 (@backport-actions-token[bot])
  • authenticate: don't require a session for sign_out #4009 (@backport-actions-token[bot])
  • authenticate: fix authenticate_internal_service_url for all in one #4005 (@backport-actions-token[bot])
  • derivecert: fix ecdsa code to be deterministic #3991 (@backport-actions-token[bot])
  • fix webauthn url #3988 (@backport-actions-token[bot])
  • webauthn: only return known device credentials that match the given type #3987 (@backport-actions-token[bot])

v0.21.1

1 year ago

What's Changed

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.21.0...v0.21.1

v0.21.0

1 year ago

Changelog

v0.21.0 (2023-02-09)

Full Changelog

Changed

  • docker: switch to debian #3939 (@backport-actions-token[bot])
  • identity: fix nil reference error when there is no authenticator #3933 (@backport-actions-token[bot])
  • authenticate: always trust the passed in idp #3931 (@backport-actions-token[bot])
  • add google cloud creds to ignore #3907 (@backport-actions-token[bot])
  • tls_derive: rename for consistency #3905 (@wasaga)
  • envoyconfig: clean up filter chain construction #3844 (@calebdoxsey)
  • use tlsClientConfig instead of custom dialer #3830 (@wasaga)
  • controlplane: remove gorilla handlers dependency #3813 (@calebdoxsey)
  • events: remove xds configuration update #3792 (@wasaga)

Breaking

  • proxy: add userinfo and webauthn endpoints #3755 (@calebdoxsey)
  • remove forward auth #3628 (@calebdoxsey)

New

  • scripts: update get-envoy script to download all binaries #3886 (@calebdoxsey)
  • explicitly list gRPC services accessible via the gRPC listener #3879 (@wasaga)
  • authenticate: add additional error details for hmac errors #3878 (@calebdoxsey)
  • auto tls #3856 (@wasaga)
  • mTLS: allow gRPC TLS for all in one #3854 (@wasaga)
  • authorize: log check() error #3846 (@wasaga)
  • config: add support for extended TCP route URLs #3845 (@calebdoxsey)
  • derive CA from pre-shared key #3815 (@wasaga)
  • httputil: ignore errors < 400 #3781 (@calebdoxsey)
  • authenticate: implement hpke-based login flow #3779 (@calebdoxsey)
  • identity: add identity profile #3777 (@calebdoxsey)
  • urlutil: add time validation functions #3776 (@calebdoxsey)
  • httputil: add cookie chunker #3775 (@calebdoxsey)
  • config: add option for tls renegotiation #3773 (@calebdoxsey)
  • hpke: add HPKE key to JWKS endpoint #3762 (@calebdoxsey)
  • hpke: add hpke package #3761 (@calebdoxsey)

Fixed

  • config: add missing options #3882 (@calebdoxsey)
  • postgres: return unknown records instead of skipping them #3876 (@calebdoxsey)
  • config: use insecure skip verify if derived certificates are not used #3861 (@calebdoxsey)
  • config: generate derived certificates instead of self-signed certificates #3860 (@calebdoxsey)
  • identity: fix expired session deletion #3855 (@calebdoxsey)
  • proxy: fix sign out redirect #3827 (@calebdoxsey)
  • dashboard: fix missing avatar and logout menu #3819 (@calebdoxsey)
  • autocert: use atomic pointer to allow nil #3816 (@calebdoxsey)
  • webauthn: require session when accessing /.pomerium/webauthn #3814 (@calebdoxsey)
  • oidc: fix token revocation #3810 (@calebdoxsey)
  • jwt: require logged in user to return .pomerium/jwt #3807 (@calebdoxsey)
  • storage: ignore removed fields when deserializing the data #3768 (@wasaga)

Dependency

  • chore(deps): bump debian from 7ca0fec to 12931ad #3904 (@dependabot[bot])
  • chore(deps): bump distroless/base from 8ee3d86 to 9eeffdc #3903 (@dependabot[bot])
  • chore(deps): bump golang from 1.19.4-buster to 1.19.5-buster #3902 (@dependabot[bot])
  • chore(deps): bump alpine from 8914eb5 to f271e74 #3901 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.7 to 1.18.8 #3900 (@dependabot[bot])
  • chore(deps): bump github.com/minio/minio-go/v7 from 7.0.46 to 7.0.47 #3899 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.47.4 to 0.48.0 #3898 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.105.0 to 0.107.0 #3897 (@dependabot[bot])
  • chore(deps): bump actions/setup-python from 4.4.0 to 4.5.0 #3896 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.30.6 to 4.30.8 #3895 (@dependabot[bot])
  • chore(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 #3894 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.0 #3893 (@dependabot[bot])
  • chore(deps): bump distroless/base from 8848703 to 8ee3d86 #3874 (@dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.4.0 to 0.5.0 #3873 (@dependabot[bot])
  • chore(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 #3872 (@dependabot[bot])
  • chore(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2 #3871 (@dependabot[bot])
  • chore(deps): bump actions/cache from 3.2.2 to 3.2.3 #3870 (@dependabot[bot])
  • chore(deps): bump actions/setup-node from 3.5.1 to 3.6.0 #3869 (@dependabot[bot])
  • chore(deps): bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 #3868 (@dependabot[bot])
  • chore(deps): bump actions/checkout from 3.2.0 to 3.3.0 #3867 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.6 to 1.30.0 #3866 (@dependabot[bot])
  • chore(deps): bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 #3865 (@dependabot[bot])
  • chore(deps): bump github.com/minio/minio-go/v7 from 7.0.45 to 7.0.46 #3864 (@dependabot[bot])
  • chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 #3863 (@dependabot[bot])
  • chore(deps): bump luxon from 2.3.0 to 2.5.2 in /ui #3862 (@dependabot[bot])
  • chore(deps): bump json5 from 2.2.0 to 2.2.3 in /ui #3853 (@dependabot[bot])
  • chore(deps): bump actions/stale from 6.0.1 to 7.0.0 #3852 (@dependabot[bot])
  • chore(deps): bump actions/cache from 3.0.11 to 3.2.2 #3851 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 #3850 (@dependabot[bot])
  • chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.11 to 3.22.12 #3849 (@dependabot[bot])
  • chore(deps): bump github.com/rs/cors from 1.8.2 to 1.8.3 #3848 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.5 to 1.29.6 #3847 (@dependabot[bot])
  • chore(deps): bump golang from e464bb0 to 7c97bae #3843 (@dependabot[bot])
  • chore(deps): bump distroless/base from 9283685 to 8848703 #3842 (@dependabot[bot])
  • chore(deps): bump debian from 880aa5f to 7ca0fec #3841 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 #3840 (@dependabot[bot])
  • chore(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.22+incompatible #3839 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.5 to 1.18.7 #3838 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.30.5 to 4.30.6 #3837 (@dependabot[bot])
  • chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 #3836 (@dependabot[bot])
  • chore(deps): bump actions/setup-python from 4.3.1 to 4.4.0 #3834 (@dependabot[bot])
  • chore(deps): bump actions/checkout from 3.1.0 to 3.2.0 #3833 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.47.3 to 0.47.4 #3832 (@dependabot[bot])
  • chore(deps): bump github.com/cloudflare/circl from 1.3.0 to 1.3.1 #3831 (@dependabot[bot])
  • postgres: upgrade to pgx v5 #3826 (@calebdoxsey)
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.4 to 1.18.5 #3825 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.47.0 to 0.47.3 #3824 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/common from 0.37.0 to 0.39.0 #3823 (@dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 #3822 (@dependabot[bot])
  • chore(deps): bump distroless/base from cd1bf87 to 9283685 #3804 (@dependabot[bot])
  • chore(deps): bump debian from 9583740 to 880aa5f #3803 (@dependabot[bot])
  • chore(deps): bump alpine from b95359c to 8914eb5 #3802 (@dependabot[bot])
  • chore(deps): bump golang from 1.19.3-buster to 1.19.4-buster #3801 (@dependabot[bot])
  • chore(deps): bump actions/setup-python from 4.3.0 to 4.3.1 #3800 (@dependabot[bot])
  • chore(deps): bump golang.org/x/net from 0.2.0 to 0.4.0 #3799 (@dependabot[bot])
  • chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.0 to 0.9.1 #3798 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.103.0 to 0.104.0 #3797 (@dependabot[bot])
  • chore(deps): bump github.com/minio/minio-go/v7 from 7.0.39 to 7.0.45 #3796 (@dependabot[bot])
  • chore(deps): bump github.com/go-chi/chi/v5 from 5.0.7 to 5.0.8 #3795 (@dependabot[bot])
  • chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.4 to 4.16.0 #3791 (@dependabot[bot])
  • chore(deps): bump actions/stale from 5.1.1 to 6.0.1 #3790 (@dependabot[bot])
  • chore(deps): bump tibdex/github-app-token from 1.6.0 to 1.7.0 #3789 (@dependabot[bot])
  • chore(deps): bump actions/setup-go from 3.3.1 to 3.4.0 #3788 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.30.2 to 4.30.5 #3787 (@dependabot[bot])
  • chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.2 to 2.2.0 #3786 (@dependabot[bot])
  • chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 #3785 (@dependabot[bot])
  • chore(deps): bump github.com/jackc/pgtype from 1.12.0 to 1.13.0 #3784 (@dependabot[bot])
  • chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.10 to 3.22.11 #3783 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.0 #3782 (@dependabot[bot])
  • upgrade to golang-lru v2 #3771 (@calebdoxsey)
  • chore(deps): bump azure/docker-login from 81744f9799e7eaa418697cb168452a2882ae844a to 1.0.1 #3770 (@dependabot[bot])
  • chore(deps): bump minimatch from 3.0.4 to 3.1.2 in /ui #3760 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.50.1 to 1.51.0 #3759 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.102.0 to 0.103.0 #3758 (@dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.2.0 to 0.3.0 #3757 (@dependabot[bot])
  • chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.3 to 4.2.0 #3756 (@dependabot[bot])
  • chore(deps): bump alpine from bc41182 to b95359c #3751 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.29.2 to 4.30.2 #3749 (@dependabot[bot])
  • chore(deps): bump golang.org/x/net from 0.1.0 to 0.2.0 #3748 (@dependabot[bot])
  • chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.9 to 3.22.10 #3747 (@dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.1.0 to 0.2.0 #3746 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 #3745 (@dependabot[bot])
  • chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.8.0 to 0.9.0 #3744 (@dependabot[bot])
  • bump goreleaser to v4.1.1 #3919 (@backport-actions-token[bot])

v0.21.0-rc1

1 year ago

Changelog

v0.21.0 (2023-01-18)

Full Changelog

Breaking

  • proxy: add userinfo and webauthn endpoints #3755 (@calebdoxsey)
  • remove forward auth #3628 (@calebdoxsey)

New

  • scripts: update get-envoy script to download all binaries #3886 (@calebdoxsey)
  • authenticate: add additional error details for hmac errors #3878 (@calebdoxsey)
  • config: add support for extended TCP route URLs #3845 (@calebdoxsey)
  • authenticate: implement hpke-based login flow #3779 (@calebdoxsey)
  • identity: add identity profile #3777 (@calebdoxsey)
  • urlutil: add time validation functions #3776 (@calebdoxsey)
  • httputil: add cookie chunker #3775 (@calebdoxsey)
  • config: add option for tls renegotiation #3773 (@calebdoxsey)
  • hpke: add HPKE key to JWKS endpoint #3762 (@calebdoxsey)
  • hpke: add hpke package #3761 (@calebdoxsey)

Fixed

  • config: add missing options #3882 (@calebdoxsey)
  • postgres: return unknown records instead of skipping them #3876 (@calebdoxsey)
  • config: use insecure skip verify if derived certificates are not used #3861 (@calebdoxsey)
  • config: generate derived certificates instead of self-signed certificates #3860 (@calebdoxsey)
  • identity: fix expired session deletion #3855 (@calebdoxsey)
  • proxy: fix sign out redirect #3827 (@calebdoxsey)
  • dashboard: fix missing avatar and logout menu #3819 (@calebdoxsey)
  • autocert: use atomic pointer to allow nil #3816 (@calebdoxsey)
  • webauthn: require session when accessing /.pomerium/webauthn #3814 (@calebdoxsey)
  • oidc: fix token revocation #3810 (@calebdoxsey)
  • jwt: require logged in user to return .pomerium/jwt #3807 (@calebdoxsey)
  • storage: ignore removed fields when deserializing the data #3768 (@wasaga)

Dependency

  • chore(deps): bump debian from 7ca0fec to 12931ad #3904 (@dependabot[bot])
  • chore(deps): bump distroless/base from 8ee3d86 to 9eeffdc #3903 (@dependabot[bot])
  • chore(deps): bump golang from 1.19.4-buster to 1.19.5-buster #3902 (@dependabot[bot])
  • chore(deps): bump alpine from 8914eb5 to f271e74 #3901 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.7 to 1.18.8 #3900 (@dependabot[bot])
  • chore(deps): bump github.com/minio/minio-go/v7 from 7.0.46 to 7.0.47 #3899 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.47.4 to 0.48.0 #3898 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.105.0 to 0.107.0 #3897 (@dependabot[bot])
  • chore(deps): bump actions/setup-python from 4.4.0 to 4.5.0 #3896 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.30.6 to 4.30.8 #3895 (@dependabot[bot])
  • chore(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 #3894 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.0 #3893 (@dependabot[bot])
  • chore(deps): bump distroless/base from 8848703 to 8ee3d86 #3874 (@dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.4.0 to 0.5.0 #3873 (@dependabot[bot])
  • chore(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 #3872 (@dependabot[bot])
  • chore(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2 #3871 (@dependabot[bot])
  • chore(deps): bump actions/cache from 3.2.2 to 3.2.3 #3870 (@dependabot[bot])
  • chore(deps): bump actions/setup-node from 3.5.1 to 3.6.0 #3869 (@dependabot[bot])
  • chore(deps): bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 #3868 (@dependabot[bot])
  • chore(deps): bump actions/checkout from 3.2.0 to 3.3.0 #3867 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.6 to 1.30.0 #3866 (@dependabot[bot])
  • chore(deps): bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 #3865 (@dependabot[bot])
  • chore(deps): bump github.com/minio/minio-go/v7 from 7.0.45 to 7.0.46 #3864 (@dependabot[bot])
  • chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 #3863 (@dependabot[bot])
  • chore(deps): bump luxon from 2.3.0 to 2.5.2 in /ui #3862 (@dependabot[bot])
  • chore(deps): bump json5 from 2.2.0 to 2.2.3 in /ui #3853 (@dependabot[bot])
  • chore(deps): bump actions/stale from 6.0.1 to 7.0.0 #3852 (@dependabot[bot])
  • chore(deps): bump actions/cache from 3.0.11 to 3.2.2 #3851 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 #3850 (@dependabot[bot])
  • chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.11 to 3.22.12 #3849 (@dependabot[bot])
  • chore(deps): bump github.com/rs/cors from 1.8.2 to 1.8.3 #3848 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.5 to 1.29.6 #3847 (@dependabot[bot])
  • chore(deps): bump golang from e464bb0 to 7c97bae #3843 (@dependabot[bot])
  • chore(deps): bump distroless/base from 9283685 to 8848703 #3842 (@dependabot[bot])
  • chore(deps): bump debian from 880aa5f to 7ca0fec #3841 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 #3840 (@dependabot[bot])
  • chore(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.22+incompatible #3839 (@dependabot[bot])
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.5 to 1.18.7 #3838 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.30.5 to 4.30.6 #3837 (@dependabot[bot])
  • chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 #3836 (@dependabot[bot])
  • chore(deps): bump actions/setup-python from 4.3.1 to 4.4.0 #3834 (@dependabot[bot])
  • chore(deps): bump actions/checkout from 3.1.0 to 3.2.0 #3833 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.47.3 to 0.47.4 #3832 (@dependabot[bot])
  • chore(deps): bump github.com/cloudflare/circl from 1.3.0 to 1.3.1 #3831 (@dependabot[bot])
  • postgres: upgrade to pgx v5 #3826 (@calebdoxsey)
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.4 to 1.18.5 #3825 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.47.0 to 0.47.3 #3824 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/common from 0.37.0 to 0.39.0 #3823 (@dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 #3822 (@dependabot[bot])
  • chore(deps): bump distroless/base from cd1bf87 to 9283685 #3804 (@dependabot[bot])
  • chore(deps): bump debian from 9583740 to 880aa5f #3803 (@dependabot[bot])
  • chore(deps): bump alpine from b95359c to 8914eb5 #3802 (@dependabot[bot])
  • chore(deps): bump golang from 1.19.3-buster to 1.19.4-buster #3801 (@dependabot[bot])
  • chore(deps): bump actions/setup-python from 4.3.0 to 4.3.1 #3800 (@dependabot[bot])
  • chore(deps): bump golang.org/x/net from 0.2.0 to 0.4.0 #3799 (@dependabot[bot])
  • chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.0 to 0.9.1 #3798 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.103.0 to 0.104.0 #3797 (@dependabot[bot])
  • chore(deps): bump github.com/minio/minio-go/v7 from 7.0.39 to 7.0.45 #3796 (@dependabot[bot])
  • chore(deps): bump github.com/go-chi/chi/v5 from 5.0.7 to 5.0.8 #3795 (@dependabot[bot])
  • chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.4 to 4.16.0 #3791 (@dependabot[bot])
  • chore(deps): bump actions/stale from 5.1.1 to 6.0.1 #3790 (@dependabot[bot])
  • chore(deps): bump tibdex/github-app-token from 1.6.0 to 1.7.0 #3789 (@dependabot[bot])
  • chore(deps): bump actions/setup-go from 3.3.1 to 3.4.0 #3788 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.30.2 to 4.30.5 #3787 (@dependabot[bot])
  • chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.2 to 2.2.0 #3786 (@dependabot[bot])
  • chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 #3785 (@dependabot[bot])
  • chore(deps): bump github.com/jackc/pgtype from 1.12.0 to 1.13.0 #3784 (@dependabot[bot])
  • chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.10 to 3.22.11 #3783 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.0 #3782 (@dependabot[bot])
  • upgrade to golang-lru v2 #3771 (@calebdoxsey)
  • chore(deps): bump azure/docker-login from 81744f9799e7eaa418697cb168452a2882ae844a to 1.0.1 #3770 (@dependabot[bot])
  • chore(deps): bump minimatch from 3.0.4 to 3.1.2 in /ui #3760 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.50.1 to 1.51.0 #3759 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.102.0 to 0.103.0 #3758 (@dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.2.0 to 0.3.0 #3757 (@dependabot[bot])
  • chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.3 to 4.2.0 #3756 (@dependabot[bot])
  • chore(deps): bump alpine from bc41182 to b95359c #3751 (@dependabot[bot])
  • chore(deps): bump mikefarah/yq from 4.29.2 to 4.30.2 #3749 (@dependabot[bot])
  • chore(deps): bump golang.org/x/net from 0.1.0 to 0.2.0 #3748 (@dependabot[bot])
  • chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.9 to 3.22.10 #3747 (@dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.1.0 to 0.2.0 #3746 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 #3745 (@dependabot[bot])
  • chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.8.0 to 0.9.0 #3744 (@dependabot[bot])

Changed

  • tls_derive: rename for consistency #3905 (@wasaga)
  • explicitly list gRPC services accessible via the gRPC listener #3879 (@wasaga)
  • auto tls #3856 (@wasaga)
  • mTLS: allow gRPC TLS for all in one #3854 (@wasaga)
  • authorize: log check() error #3846 (@wasaga)
  • envoyconfig: clean up filter chain construction #3844 (@calebdoxsey)
  • use tlsClientConfig instead of custom dialer #3830 (@wasaga)
  • derive CA from pre-shared key #3815 (@wasaga)
  • controlplane: remove gorilla handlers dependency #3813 (@calebdoxsey)
  • events: remove xds configuration update #3792 (@wasaga)
  • httputil: ignore errors < 400 #3781 (@calebdoxsey)