[security] Pomerium v013.4 is released

[b...@pomerium.com]

We have just released Pomerium 0.13.4 to address potential security issues discovered during an internal security audit performed by Cure53. We recommend that all users update.

• JWT leak via open redirect in programmatic access
  
  Using programmatic access on protected sites, one can get a signed login URL with pomerium_redirect_uri set to an arbitrary URL. Then, if the user has already logged into Pomerium, they will be redirected to the specified pomerium_redirect_uri with a JWT attached. This allows an outside attacker to get a signed login URL that, upon visiting it, will redirect a victim to the attacker’s site. This creates an issue of Open Redirect and, more seriously, JWT leakage.
  
  This issue is CVE-2021-29651 and advisory GHSA-35vc-w93w-75c2.
  
  
• authenticate: pomerium_signature is not verified in middleware
  
  Some API endpoints under /.pomerium/ do not verify parameters with pomerium_signature. This could allow modifying parameters intended to be trusted to Pomerium. The issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass.
  
  This issue is CVE-2021-29652 and advisory GHSA-fv82-r8qv-ch4v.

You can download binary and source distributions from github. Or you can pull the v0.13.4 container image from dockerhub.

Thank you,
Bobby