
2.9.3

p53 released this 11 Dec 21:50
· 90 commits to master since this release
266f841

SECURITY NOTICE:

As a fork of louketo-proxy we inherited an impersonation-type security vulnerability. There are two levels of impact: 1. Unaffected, 2. Affected (High Risk).

  1. Unaffected - if you use at least one of these options, you are not susceptible to this attack:
    • --enable-encrypted-token=true
    • --store-url=<redis-url>
    • --enable-idp-session-check=true
  2. High Risk - if you use none of the above options

Quick mitigation: enable at least one of the options listed above.
Normal mitigation: upgrade to the latest version (>=2.9.3).
Enhanced security: in addition to upgrading to >=2.9.3, enable one of the options listed above (encryption, store-url, enable-idp-session-check).

Short description of the vulnerability: an existing user in your user base might impersonate another user in your user base.
A detailed description will be provided in 1-2 months (withheld for security reasons).
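The notice above boils down to a decision rule: a deployment is unaffected if it runs >=2.9.3 or has at least one of the three listed options enabled. The script below is an added example, not code from gogatekeeper or this release; it applies that rule to a version string and a gatekeeper command line. Only the three mitigating flags named in the notice are recognised; the other flags in the sample invocations (--discovery-url, --client-id, --upstream-url, --encryption-key) and their values are illustrative placeholders.

```shell
#!/bin/sh
# Added example, not part of gogatekeeper: classify a gatekeeper deployment
# against the 2.9.3 impersonation notice from its version and command line.
# Only the three mitigating flags named in the notice are recognised; every
# other flag in the sample invocations below is illustrative.

# vnum VERSION: map "2.9.3" (or "v2.9.3") to an integer so versions compare
# numerically; missing components count as 0 ("2.10" -> 2010000).
vnum() {
  oldifs=$IFS
  IFS=.
  set -- ${1#v}
  IFS=$oldifs
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# has_mitigation FLAG...: succeed when at least one of the notice's
# mitigating options is enabled. Accepts both "--flag=value" and
# "--flag value" spellings; "--enable-...=false" does not count.
has_mitigation() {
  expect_store_value=""
  for arg in "$@"; do
    if [ -n "$expect_store_value" ]; then
      # previous word was a bare --store-url; this word is its value
      expect_store_value=""
      if [ -n "$arg" ]; then return 0; fi
      continue
    fi
    case $arg in
      --enable-encrypted-token|--enable-encrypted-token=true|--enable-encrypted-token=1) return 0 ;;
      --enable-idp-session-check|--enable-idp-session-check=true|--enable-idp-session-check=1) return 0 ;;
      --store-url=?*) return 0 ;;
      --store-url) expect_store_value=1 ;;
    esac
  done
  return 1
}

# assess VERSION FLAG...: print the notice's classification and return
# 0 (unaffected) or 1 (affected, high risk).
assess() {
  version=$1
  shift
  if [ "$(vnum "$version")" -ge "$(vnum 2.9.3)" ]; then
    echo "unaffected: version $version is >= 2.9.3"
    return 0
  fi
  if has_mitigation "$@"; then
    echo "unaffected: version $version is vulnerable but a mitigating option is enabled"
    return 0
  fi
  echo "affected (high risk): version $version with no mitigating option; upgrade to >=2.9.3 or enable one"
  return 1
}

# Sample invocations (constructed; flag values are placeholders). The first
# one reports "affected", so its non-zero status is ignored here.
assess 2.9.2 --discovery-url=https://idp.example.com/realms/demo --client-id=app --upstream-url=http://app:8080 || :
assess 2.9.2 --discovery-url=https://idp.example.com/realms/demo --client-id=app --store-url redis://cache:6379
assess 2.9.3 --discovery-url=https://idp.example.com/realms/demo --client-id=app --enable-idp-session-check=true
```

Run it against the real argument list of your gatekeeper process (for example from `ps -o args=`) rather than against a hand-copied command line, so that a flag set to `false` or an empty `--store-url` is not mistaken for a mitigation.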

What's Changed

  • Update HMAC description docu by @p53
  • Refactor handlers by @p53, Pierre Bogossian, Nikifor Georgiev
  • Generate UMA ticket when invalid UMA token but valid resource accessed by @p53
  • Enable to use openid-provider-proxy settings in all requests to keycloak by @p53
  • Update docu for 2.9.1 by @p53
  • Turn off issuer, client id check for refresh token by @p53
  • Turn off tok verif refresh by @p53
  • Update docu for 2.9.2 by @p53
  • Remove refresh token validation, add e2e tests by @p53
  • Add tests for skipopenidtlsverify by @p53
  • Fix resources-stringslice parsing after urfavecli to v2 upgrade by @p53
  • Update docs 2.9.3 by @p53