We have just released Pomerium v0.10.4, a patch release that fixes several bugs and addresses a potential low-risk security issue. We recommend all users upgrade to v0.10.4.
In versions prior to v0.9.0, Pomerium displayed error pages with a "retry request" link that allowed a user to retry their previous request. An attacker could craft a special URL that, if a user was tricked into visiting it, could produce an error page whose retry link pointed to an external website. While we do not believe this affects the v0.9 and v0.10 releases, out of an abundance of caution we've removed the retry functionality.
Please review the upgrade guide and changelog for a complete list of changes and improvements.
You can download binary and source distributions from GitHub, or pull the v0.10.4 container image from Docker Hub.
Thank you to John Pugliesi from Viaduct Inc for reporting this issue.