Releases: pomerium/pomerium
v0.29.4
What's Changed
Changed
- authorize: move IdP token session creator initialization by @kenjenkins in #5617
- proxy: use querier cache for user info (#5532) by @calebdoxsey in #5623
- config: support weighted URLs in To field (#5624) by @calebdoxsey in #5625
Full Changelog: v0.29.3...v0.29.4
v0.29.3
What's Changed
Changed
- remove debug log message for directories by @backport-actions-token in #5561
- circuit breaker: add temporary runtime flag to lift default connection/request limits by @wasaga in #5575
- add additional authorization check logs by @backport-actions-token in #5602
- config: apply unlimited conns setting to internal clusters by @kenjenkins in #5607
Full Changelog: v0.29.2...v0.29.3
v0.29.2
What's Changed
The previous release was mistakenly done against the main branch.
Fixes
- authenticate: remove /.pomerium/callback handler (@calebdoxsey in #5553)
Full Changelog: v0.29.0...v0.29.2
v0.29.1
What's Changed
Fixes
- authenticate: remove /.pomerium/callback handler (@calebdoxsey in #5553)
Full Changelog: v0.29.0...v0.29.1
v0.29.0
What's Changed
Breaking
- Enable seamless request tracing across multiple services with the new OTEL-based tracing system. Users can now easily configure and understand traces, with improved visibility into the flow of requests, even at low sample rates. All previously supported tracing methods are removed. (@kralicky in #5388 and #5447)
New
- New jwt_issuer_format global setting. (@kenjenkins in #5519)
- Enable UDP routes with CONNECT-UDP tunneling. (@calebdoxsey in #5390)
- HTTP/3 support. (@calebdoxsey in #5349)
- Enable authorization errors to return a JSON response instead of HTML, providing a cleaner and more consistent error format for developers using gRPC services. (@calebdoxsey in #5400 (ENG-1750))
- Prevent false positive vulnerability reports by only generating a fallback certificate when no other certificate is configured, minimizing unnecessary certificate generation. (@kenjenkins in #5250)
- Enable precise control over user group claims in JWTs by allowing filtering of groups either globally or per route. This enhancement helps reduce excessive group lists, preventing large headers that can disrupt upstream services while maintaining the integrity of signed JWTs. (@kenjenkins in #5417 (ENG-1802))
- Enable core Pomerium to access the original PPL policy by adding a source_ppl field to the configuration, ensuring better introspection and compatibility with the Routes Portal. This enhancement allows the raw PPL to be passed alongside the generated Rego, providing more comprehensive policy visibility. (@calebdoxsey in #5419 (ENG-1832))
- importutil: refactor GenerateRouteNames to allow for protobuf or config routes by @calebdoxsey in #5427
- Add names, descriptions, and logos to routes, enhancing route cards with clear identifiers and visual appeal. Enjoy a more informative and engaging interface with route-specific icons and descriptions, and easily connect to services with direct links or command instructions. (@calebdoxsey in #5424 (ENG-1833))
- Enhance Directory Group query performance by introducing a cache warming feature that preloads records, significantly reducing delays and timeouts. (@calebdoxsey in #5439 (ENG-1915))
- Access your available routes through a new JSON endpoint at /.pomerium/api/v1/routes, providing a list tailored to your permissions. (@calebdoxsey in #5428 (ENG-1845))
- Discover available routes with a new HTML page that displays each accessible route as a card. This intuitive interface makes navigation and route management simpler and more efficient. (@calebdoxsey in #5443 (ENG-1871))
- Discover and display site logos automatically by fetching and embedding favicons from destination addresses, enhancing visual recognition and user experience. (@calebdoxsey in #5448)
- Enhance user experience with new icons for well-known services, making it easier to identify them at a glance. (@calebdoxsey in #5453)
- Enable dynamic configuration reloading by handling SIGHUP signals, allowing updates without restarting the application. (@calebdoxsey in #5459)
- Enable customization of the HTTP/3 advertise port in the Alt-Svc header, enhancing flexibility for configurations using protobuf. (@calebdoxsey in #5466)
- Authenticate using IdP access and identity tokens, with initial support for Azure AD access tokens. (@calebdoxsey in #5484 (ENG-2001))
- Improve file management by setting consistent default directories and logging errors when directory environment variables are unset. Ensure file writes are atomic to prevent redundancy and potential file conflicts, enhancing reliability and reducing clutter in temporary storage. (@calebdoxsey in #5477)
- Enhance performance by reducing redundant session creation for identical IdP tokens. (@calebdoxsey in #5491 (ENG-2025))
- Enhance PPL logic with new not and exclude operators, allowing more flexible string and list matching. Define more precise permissions by excluding specific domains or groups in your policy configurations. (@calebdoxsey in #5490 (ENG-2030))
- Support loading idp token sessions in the proxy service by @calebdoxsey in #5488
- Handle long names in the cards for route portal by @nhayfield in #5514
Fixes
- Ensure the "groups" claim in JWTs is serialized as an empty list instead of JSON null, improving compatibility with third-party libraries. (@kenjenkins in #5394)
- Ensure complete and accurate metrics output by properly flushing the buffered writer. (@kenjenkins in #5398)
- Ensure custom branding settings are consistently applied across all pages, even when using multiple configuration sources. This resolves an issue where core pages were not displaying the correct branding when using an ingress controller, ensuring a uniform appearance with your chosen colors and logo. (@calebdoxsey in #5401 (ENG-1766))
- Ensure the HTTP redirect server properly uses the proxy protocol when configured. (@calebdoxsey in #5405)
- Ensure that logo URLs containing % signs are correctly processed, preventing configuration errors in Envoy. This fix allows branding options with special characters to be used without causing issues. (@kenjenkins in #5460 (ENG-1958))
- Fix the identity_manager_last_session_refresh_errors metrics view. (@kenjenkins in #5543)
- Reduce memory usage during metrics output by @wasaga in #5530
- Ensure Pomerium in Zero mode can connect to the cloud control plane using an HTTPS_PROXY egress proxy by @wasaga in #5520
Changed
- authorize: enable WaitForReady on databroker query requests by @kralicky in #5415
- authorize: filter only by group ID by @kenjenkins in #5437
- authorize: log JWT groups filtering by @kenjenkins in #5432
- authorize: remove audit logging by @wasaga in #5369
- authorize: remove unused mutex by @wasaga in #5442
- authorize: remove wait for ready by @calebdoxsey in #5376
- authorize: return 403 on invalid sessions by @calebdoxsey in #5536
- chore(deps): bump golang.org/x/net from 0.31.0 to 0.33.0 by @kenjenkins in #5404
- config: add internal_address_config to address deprecation warning by @kralicky in #5425
- config: add new OTLP tracing fields by @kenjenkins in #5421
- config: add options to adjust databroker lease ttl, and retry initial interval by @kralicky in #5391
- config: adjust envoy otel trace batching settings to match go sdk by @kralicky in #5446
- config: fix JWT groups filter option by @kenjenkins in #5429
- config: preserve existing user when creating sessions from idp token by @calebdoxsey in #5502
- config: reimplement file watcher by @calebdoxsey in #5498
- config: set default tracing sample rate to 1.0 by @kralicky in #5422
- config: support emails from directory user by @calebdoxsey in #5504
- envoy: enable extended connect by @calebdoxsey in #5387
...
v0.28.0
What's Changed
New
- More flexible PPL string matchers.
- Add new jwt issuer format route option.
- Add an 'issuer' field to the /.well-known/pomerium endpoint.
- Add new request header variable 'pomerium.jwt'.
Changed
- Better error serialization for requests from kubectl.
- Improved header evaluation performance in the authorize service.
- Improved RouteID calculation performance (used for generating configuration with large numbers of routes).
Bug Fixes
- Fix enterprise detection in the dashboard.
- Fix response code redirect option.
Full Changelog: v0.27.2...v0.28.0
v0.27.2
What's Changed
Pomerium Zero
- Add a Pomerium Zero import tool, allowing you to bring your existing Pomerium configuration into Pomerium Zero.
- Add active users reporting, for self-serve billing in Pomerium Zero. End user information is pseudonymized and reported to Pomerium Zero, in order to bill paid organizations according to the number of active users across the organization as a whole.
Bug fixes
- Improve handling of transient errors from the databroker.
- Fix a data race in the in-memory databroker storage backend.
- Remove an incorrect "unknown config option" warning message when the set_response_headers config file key is present.
Other changes
- For any routes where the Kubernetes Service Account Token option is set, allow both websockets and SPDY connection upgrades. (One of these is necessary for commands like kubectl exec and kubectl port-forward to work correctly, depending on your version of Kubernetes.)
- Previously, the Log Level option could affect the default value of the Authorize Log Fields option: setting the main log level to debug would change the default set of authorize log fields to include headers (logging all HTTP request headers). This undocumented behavior has been removed, and these two options are now entirely independent.
- Remove some currently-unused configuration options: databroker_storage_cert_file, databroker_storage_key_file, databroker_storage_ca_file, databroker_storage_tls_skip_verify, grpc_client_dns_roundrobin
- Various other minor code clean-up.
Full Changelog: v0.27.1...v0.27.2
v0.27.1
Security
Pomerium v0.27.1 includes a fix to the databroker service API authorization logic. Certain service account tokens from Pomerium Zero or Pomerium Enterprise could grant unintended authorization to the databroker service API. CVE-2024-47616
What's Changed
Security
- grpcutil: additional JWT validation by @kenjenkins in #5304
Fixed
- proxy: support loading sessions from headers and query string by @calebdoxsey in #5294
- proxy: fix is-enterprise check by @calebdoxsey in #5297
Full Changelog: v0.27.0...v0.27.1
v0.27.0
What's Changed
Breaking
- proxy: deprecate the /.pomerium/jwt endpoint by @kenjenkins in #5254
- zero/k8s: use Deployment instead of StatefulSet by @wasaga in #5248
New
- authorize: use uuid for jti, current time for iat and exp by @calebdoxsey in #5147
- config: add databroker_storage_connection_string_file by @calebdoxsey in #5242
- config: add mTLS UserPrincipalName SAN match by @kenjenkins in #5177
- config: add runtime flag to allow disabling config hot-reload (#5079) by @kralicky in #5112
- envoy: allow TLS 1.3 for upstream connections by @calebdoxsey in #5263
- envoy: log TLS connection failures in the mTLS reject_connection mode by @kralicky in #5210
- envoy: resource monitoring & overload manager configuration by @kralicky in #5106
- envoy: support http2 prior knowledge for insecure upstream targets (h2c://) by @kralicky in #5205
- ui: add "Policy ID" label to error details page by @calebdoxsey in #5127
- ui: add request id to upstream error page by @calebdoxsey in #5166
- ui: add user info link to error page by @calebdoxsey in #5158
- ui: user info dashboard improvements by @calebdoxsey in #5128
- zero/connect: add re-run health checks command by @wasaga in #5219
- zero/k8s: write bootstrap configuration to a secret by @kralicky in #5114
Fixes
- authorize: require new login when authenticate url changes by @calebdoxsey in #5165
- controlplane: avoid calling Close on nil listener by @kenjenkins in #5156
- databroker/leaser: set timeout on ReleaseLease by @wasaga in #5208
- logging: add support for using the standard grpc env vars to control log severity and verbosity by @kralicky in #5120
- session: do not invalidate based on ID token by @kenjenkins in #5182
- ui: fix cycle in profile data by @calebdoxsey in #5168
- ui: set Cache-Control: no-cache, tweak sign-out cancel button behavior by @calebdoxsey in #5264
- zero/connect: ignore unknown message types by @wasaga in #5223
- zero/health-checks: fix early checks sometimes missing by @wasaga in #5229
- zero/health-checks: zero route availability improvements by @wasaga in #5111
Changed
- authenticate: rework session ID token handling by @kenjenkins in #5178
- authorize: add request-id to error messages by @wasaga in #5267
- ci: do not include timestamp into buildmeta by @wasaga in #5215
- config: optimize policy iterators by @kralicky in #5184
- config: sort runtime flags, name consistency by @kenjenkins in #5255
- envoy: upgrade to v1.31.0 by @kenjenkins in #5183
- github: update README.md by @cmo-pomerium in #5163
- github: update README.md by @nikhil-pomerium in #5253
- go: update to Go 1.23 by @kralicky in #5216
- logging: change log.Error function by @calebdoxsey in #5251
- logging: convert warnings to info or error by @calebdoxsey in #5235
- proto: update protoc dependencies by @calebdoxsey in #5218
- ui: update logo by @calebdoxsey in #5249
- zero: refactor controller by @wasaga in #5134
- zero/api: generate error methods for response types by @kralicky in #5252
- zero/api: reset token and url cache if 401 is received by @wasaga in #5256
- zero/api: switch to github.com/oapi-codegen/oapi-codegen by @calebdoxsey in #5226
- zero/bundle-download: update metadata by @wasaga in #5212
- zero/cmd: make it more evident what caused shutdown by @wasaga in #5209
- zero/connect: add telemetry request command by @wasaga in #5131
- zero/k8s: set externalTrafficPolicy: Local by @wasaga in #5266
- zero/telemetry: add hostname and version by @wasaga in #5146
- zero/telemetry: add prometheus streaming converter to OTLP by @wasaga in #5132
- zero/telemetry: collect limited core metrics by @wasaga in #5142
- zero/telemetry: internal envoy stats scraper and metrics producer by @wasaga in #5136
- zero/telemetry: refactor telemetry and controller by @wasaga in #5135
Dependency Updates
- bump the docker group in /.github with 3 updates by @dependabot in #5124
- bump the github-actions group with 9 updates by @dependabot in #5121
- bump the docker group with 3 updates by @dependabot in #5123
- bump the go group with 27 updates by @dependabot in #5122
- bump braces from 3.0.2 to 3.0.3 in /ui by @dependabot in #5139
- bump busybox from 5eef5ed to 9ae97d3 in /.github in the docker group by @dependabot in #5161
- bump the github-actions group with 4 updates by @dependabot in #5160
- bump the docker group with 2 updates by @dependabot in #5159
- bump the go group with 21 updates by @dependabot in #5162
- bump google.golang.org/grpc from 1.64.0 to 1.64.1 by @dependabot in #5169
- bump github.com/docker/docker from 27.0.3+incompatible to 27.1.0+incompatible by @dependabot in #5193
- bump the docker group with 3 updates by @dependabot in #5201
- bump the github-actions group with 9 updates by @dependabot in #5200
- bump the go group across 1 directory with 26 updates by @dependabot in #5207
- bump the docker group in /.github with 2 updates by @dependabot in #5202
- replace usages of x/exp/maps + bump golang.org/x/exp by @kralicky in #5221
- bump micromatch from 4.0.5 to 4.0.8 in /ui by @dependabot in #5240
- bump busybox from 9ae97d3 to 8274294 in /.github in the docker group by @dependabot in #5260
- bump the github-actions group with 6 updates by @dependabot in #5259
- bump the docker group with 2 updates by @dependabot in #5258
- bump github.com/opencontainers/runc from 1.1.12 to 1.1.14 by @dependabot in #5261
- bump the go group across 1 directory with 28 updates by @dependabot in #5262
v0.26.1
Security
Pomerium v0.26.1 includes multiple security updates:
- The Pomerium user info page (at /.pomerium) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users, and have now been removed. CVE-2024-39315. Credit to Vadim Sheydaev, aka Enr1g, for reporting this issue.
- This release also includes an update from Envoy 1.30.1 to Envoy 1.30.3 to address multiple security issues:
- CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream
- CVE-2024-34363: Crash due to uncaught nlohmann JSON exception
- CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components
- CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()
- CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()
- CVE-2024-32976: Endless loop while decompressing Brotli data with extra input
- CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode
- CVE-2024-38525: datadog tracer does not handle trace headers with unicode characters
- The release also removes a transitive dependency on the gopkg.in/square/go-jose.v2 library, which is vulnerable to GHSA-c5q2-7r4c-mv6g.
What's Changed
Security
- envoy: upgrade to v1.30.3 by @kenjenkins in #5155
- core/userinfo: remove excess userinfo data by @calebdoxsey in #5148
- update the pomerium/webauthn dependency (#5125) by @kenjenkins in #5157
Fixes
- core/autocert: fix filter chain, handshake by @calebdoxsey in #5151
Full Changelog: v0.26.0...v0.26.1