[security] Pomerium v0.10.4 is released


Sep 23, 2020, 6:06:40 PM
to pomerium-announce
We have just released Pomerium v0.10.4, a patch release that fixes several bugs and addresses a potential low-risk security issue. We recommend all users upgrade to v0.10.4. 

In versions prior to v0.9.0, Pomerium displayed error pages with a "retry request" link that allowed a user to retry their previous request. An attacker could craft a special URL that, if a user could be tricked into visiting it, could result in an error page containing a retry link pointing to an external website. While we do not believe this affects the v0.9 and v0.10 releases, out of an abundance of caution we've removed the retry functionality.

Please review the upgrade guide and changelog for a complete list of changes and improvements.

You can download binary and source distributions from GitHub, or you can pull the v0.10.4 container image from Docker Hub.

Thank you to John Pugliesi from Viaduct Inc for reporting this issue. 
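
For readers who render a similar link on their own error pages, the following added example (not Pomerium's code; Pomerium's fix was to remove the retry link) shows a same-host check on a link target taken from request data. The helper name `retryTarget` and the hosts `app.corp.example` and `evil.example` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// retryTarget (hypothetical helper, not Pomerium code) returns the value to put
// in an error page's retry link, or "" when the candidate must not be rendered.
// requestHost is the host the user actually requested (assumed known to the server).
func retryTarget(requestHost, candidate string) string {
	// Browsers treat "\" like "/" and strip tabs and newlines; reject before parsing.
	if strings.ContainsAny(candidate, "\\\r\n\t") {
		return ""
	}
	u, err := url.Parse(candidate)
	if err != nil || u.User != nil || u.Opaque != "" {
		return ""
	}
	// Accept a relative reference, or an https URL naming the same host.
	relative := u.Scheme == "" && u.Host == ""
	sameHost := u.Scheme == "https" && strings.EqualFold(u.Host, requestHost)
	if !relative && !sameHost {
		return "" // javascript:, data:, "//other-host/...", foreign hosts
	}
	// The path must be rooted and must not begin with "//": Go parses
	// "///host" as a plain path, but a browser resolves it to another host.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return ""
	}
	// Re-serialize path and query only, so no scheme or authority survives.
	out := url.URL{Path: u.Path, RawQuery: u.RawQuery}
	return out.String()
}

func main() {
	// Constructed sample inputs; app.corp.example and evil.example are placeholders.
	for _, c := range []string{
		"/dashboard?tab=1", "https://app.corp.example/a", "//evil.example/x",
		"///evil.example", "https://evil.example/", "javascript:alert(1)",
	} {
		fmt.Printf("%-30q -> %q\n", c, retryTarget("app.corp.example", c))
	}
}
```

An empty result means the error page should be rendered without a retry link.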
