diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9f227932..320ba697 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,48 @@
 ## Breaking Changes
+## Changes since v7.15.2
+
+# V7.15.2
+
+## Release Highlights
+
+- 🔵 Golang version upgrade to v1.25.9
+ - Upgrade of all dependencies to their latest versions
+ - [CVE-2026-34986](https://nvd.nist.gov/vuln/detail/CVE-2026-34986)
+ - [CVE-2026-32281](https://nvd.nist.gov/vuln/detail/CVE-2026-32281)
+ - [CVE-2026-32289](https://nvd.nist.gov/vuln/detail/CVE-2026-32289)
+ - [CVE-2026-32288](https://nvd.nist.gov/vuln/detail/CVE-2026-32288)
+ - [CVE-2026-32280](https://nvd.nist.gov/vuln/detail/CVE-2026-32280)
+ - [CVE-2026-32282](https://nvd.nist.gov/vuln/detail/CVE-2026-32282)
+ - [CVE-2026-32283](https://nvd.nist.gov/vuln/detail/CVE-2026-32283)
+- 🕵️‍♀️ Vulnerabilities have been addressed
+
+## Important Notes
+
+We have had security audits performed on OAuth2 Proxy in the past couple of weeks and as a result we have fixed
+several CRITICAL vulnerabilities.
+
+The security vulnerabilities include multiple authentication bypasses and a potential session fixation attack.
+For more details and to identify if you are effects, we urge all users of OAuth2 Proxy to read the security
+disclosures.
+
+- (Critical) [GHSA-5hvv-m4w4-gf6v](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v) fix: health check user-agent authentication bypass
+- (Critical) [GHSA-7x63-xv5r-3p2x](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x) fix: authentication bypass via X-Forwarded-Uri header spoofing
+- (High) [GHSA-pxq7-h93f-9jrg](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg) fix: fragment evaluation as part of the allowed routes
+- (Moderate) [GHSA-c5c4-8r6x-56w3](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3) fix: email validation bypass via malformed multi-@ email claims
+
+Furthermore, for improving the security of OAuth2 Proxy we introduced a new flag `--trusted-proxy-ip` that allows users
+to explicitly specify trusted reverse proxy IPs for the `X-Forwarded-*` headers. This is an important step to prevent
+potential header spoofing attacks and to ensure that OAuth2 Proxy only trusts headers from known and trusted sources.
+We highly recommend users to review their deployment architecture and consider using this flag to enhance the security
+of their OAuth2 Proxy instances. Check the docs for more details: https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#proxy-options
+
+Furthermore, we want to thank everyone who contributed to the audits and reported potential issues to make open source
+software like OAuth2 Proxy more secure for everyone.
+
+## Breaking Changes
+
 ## Changes since v7.15.1
 - [#3411](https://github.com/oauth2-proxy/oauth2-proxy/pull/3411) chore(deps): update gomod dependencies (@tuunit)
@@ -13,8 +55,8 @@
 - [GHSA-f24x-5g9q-753f](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f) fix: clear session cookie at beginning of signinpage handler (@fnoehWM / @bella-WI / @tuunit)
 - [GHSA-5hvv-m4w4-gf6v](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v) fix: health check user-agent authentication bypass (@tuunit)
 - [GHSA-7x63-xv5r-3p2x](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x) fix: authentication bypass via X-Forwarded-Uri header spoofing (@tuunit)
-- [GHSA-c5c4-8r6x-56w3](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3) fix: email validation bypass via malformed multi-@ email claims (@tuunit)
 - [GHSA-pxq7-h93f-9jrg](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-pxq7-h93f-9jrg) fix: fragment evaluation as part of the allowed routes (@tuunit)
+- [GHSA-c5c4-8r6x-56w3](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-c5c4-8r6x-56w3) fix: email validation bypass via malformed multi-@ email claims (@tuunit)
 # V7.15.1
diff --git a/contrib/local-environment/dex.yaml b/contrib/local-environment/dex.yaml
index f0a2ead4..e3ed0f8f 100644
--- a/contrib/local-environment/dex.yaml
+++ b/contrib/local-environment/dex.yaml
@@ -6,7 +6,7 @@ storage:
 type: etcd
 config:
 endpoints:
- - http://etcd:2379
+ - http://etcd:2379
 namespace: dex/
 web:
 http: 0.0.0.0:5556
@@ -16,17 +16,18 @@ expiry:
 signingKeys: "4h"
 idTokens: "1h"
 staticClients:
-- id: oauth2-proxy
- redirectURIs:
- # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
- - 'http://oauth2-proxy.localtest.me:4180/oauth2/callback' # For basic proxy example.
- - 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx and traefik example.
- name: 'OAuth2 Proxy'
- secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
+ - id: oauth2-proxy
+ redirectURIs:
+ # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
+ - "http://oauth2-proxy.localtest.me:4180/oauth2/callback" # For basic proxy example.
+ - "http://oauth2-proxy.localtest.me:8080/oauth2/callback" # For nginx example.
+ - "http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback" # For traefik example.
+ name: "OAuth2 Proxy"
+ secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
 enablePasswordDB: true
 staticPasswords:
-- email: "admin@example.com"
- # bcrypt hash of the string "password"
- hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- username: "admin"
- userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+ - email: "admin@example.com"
+ # bcrypt hash of the string "password"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ username: "admin"
+ userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
diff --git a/contrib/local-environment/docker-compose-alpha-config.yaml b/contrib/local-environment/docker-compose-alpha-config.yaml
index 515c42e0..2dde7345 100644
--- a/contrib/local-environment/docker-compose-alpha-config.yaml
+++ b/contrib/local-environment/docker-compose-alpha-config.yaml
@@ -14,7 +14,7 @@ version: "3.0"
 services:
 oauth2-proxy:
 container_name: oauth2-proxy
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
 command: --config /oauth2-proxy.cfg --alpha-config /oauth2-proxy-alpha-config.yaml
 hostname: oauth2-proxy
 volumes:
diff --git a/contrib/local-environment/docker-compose-gitea.yaml b/contrib/local-environment/docker-compose-gitea.yaml
index 3e57ef2d..17d707fb 100644
--- a/contrib/local-environment/docker-compose-gitea.yaml
+++ b/contrib/local-environment/docker-compose-gitea.yaml
@@ -14,7 +14,7 @@ version: '3.0'
 services:
 oauth2-proxy:
 container_name: oauth2-proxy
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
 command: --config /oauth2-proxy.cfg
 hostname: oauth2-proxy
 volumes:
diff --git a/contrib/local-environment/docker-compose-keycloak.yaml b/contrib/local-environment/docker-compose-keycloak.yaml
index ba3db49a..70d2042b 100644
--- a/contrib/local-environment/docker-compose-keycloak.yaml
+++ b/contrib/local-environment/docker-compose-keycloak.yaml
@@ -10,11 +10,11 @@
 #
 # Access http://oauth2-proxy.localtest.me:4180 to initiate a login cycle using user=admin@example.com, password=password
 # Access http://keycloak.localtest.me:9080 with the same credentials to check out the settings
-version: '3.0'
+version: "3.0"
 services:
 oauth2-proxy:
 container_name: oauth2-proxy
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
 command: --config /oauth2-proxy.cfg
 hostname: oauth2-proxy
 volumes:
@@ -43,9 +43,9 @@ services:
 image: keycloak/keycloak:25.0
 hostname: keycloak
 command:
- 'start-dev'
- '--http-port=9080'
- '--import-realm'
+ "start-dev"
+ "--http-port=9080"
+ "--import-realm"
 volumes:
 - ./keycloak:/opt/keycloak/data/import
 environment:
diff --git a/contrib/local-environment/docker-compose-nginx.yaml b/contrib/local-environment/docker-compose-nginx.yaml
index 23138eb4..2aa403ec 100644
--- a/contrib/local-environment/docker-compose-nginx.yaml
+++ b/contrib/local-environment/docker-compose-nginx.yaml
@@ -22,12 +22,12 @@
 version: "3.0"
 services:
 oauth2-proxy:
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
- ports:
- - 4180:4180/tcp
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
+ ports: []
 hostname: oauth2-proxy
 container_name: oauth2-proxy
 command: --config /oauth2-proxy.cfg
+ restart: unless-stopped
 volumes:
 - "./oauth2-proxy-nginx.cfg:/oauth2-proxy.cfg"
 networks:
diff --git a/contrib/local-environment/docker-compose-traefik.yaml b/contrib/local-environment/docker-compose-traefik.yaml
index 94d9239b..302f1a42 100644
--- a/contrib/local-environment/docker-compose-traefik.yaml
+++ b/contrib/local-environment/docker-compose-traefik.yaml
@@ -23,7 +23,7 @@
 version: '3.0'
 services:
 oauth2-proxy:
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
 ports: []
 hostname: oauth2-proxy
 volumes:
diff --git a/contrib/local-environment/docker-compose.yaml b/contrib/local-environment/docker-compose.yaml
index 4832eb92..7630167d 100644
--- a/contrib/local-environment/docker-compose.yaml
+++ b/contrib/local-environment/docker-compose.yaml
@@ -13,7 +13,7 @@ version: "3.0"
 services:
 oauth2-proxy:
 container_name: oauth2-proxy
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.1
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
 command: --config /oauth2-proxy.cfg
 hostname: oauth2-proxy
 volumes:
diff --git a/contrib/local-environment/nginx.conf b/contrib/local-environment/nginx.conf
index f3761387..0e7bf7b4 100644
--- a/contrib/local-environment/nginx.conf
+++ b/contrib/local-environment/nginx.conf
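Review bot: `ports: []` stops publishing 4180 on the host, but every container on the compose network can still reach `oauth2-proxy:4180` directly and send its own `X-Forwarded-Uri`/`X-Real-IP`, so the header trust the nginx example relies on rests on network isolation that this file leaves implicit. A comment on the new line would make that explicit for people copying the setup, e.g. `ports: []  # not published on the host: nginx is the only entry point, so oauth2-proxy may trust the X-Forwarded-* headers it sets`, and the release notes in this same diff point at `--trusted-proxy-ip` as the way to enforce that rather than assume it. The `networks:` stanza that would show which containers share the network begins at the last context line and continues outside the hunk, so I cannot tell whether oauth2-proxy and nginx sit on a dedicated network.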
@@ -1,49 +1,44 @@
-# Reverse proxy to oauth2-proxy
-server {
- listen 8080;
- server_name oauth2-proxy.localtest.me;
-
- location / {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Uri $request_uri;
-
- proxy_pass http://oauth2-proxy:4180/;
- }
-}
-
 # Reverse proxy to httpbin
 server {
 listen 8080;
- server_name httpbin.localtest.me;
+ server_name oauth2-proxy.localtest.me;
- auth_request /internal-auth/oauth2/auth;
+ location /oauth2/ {
+ proxy_pass http://oauth2-proxy:4180;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Auth-Request-Redirect $request_uri;
+ }
- # On 401, redirect to the sign_in page via a named location
- # This ensures a proper 302 redirect that browsers will follow
- error_page 401 = @oauth2_signin;
+ location = /oauth2/auth {
+ proxy_pass http://oauth2-proxy:4180;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ # nginx auth_request includes headers but not body
+ proxy_set_header Content-Length "";
+ proxy_pass_request_body off;
+ }
 location / {
+ auth_request /oauth2/auth;
+ error_page 401 = @oauth2_signin;
+
+ # pass information via X-User and X-Email headers to backend,
+ # requires running with --set-xauthrequest flag
+ auth_request_set $user $upstream_http_x_auth_request_user;
+ auth_request_set $email $upstream_http_x_auth_request_email;
+ proxy_set_header X-User $user;
+ proxy_set_header X-Email $email;
+
 proxy_pass http://httpbin/;
 # or "root /path/to/site;" or "fastcgi_pass ..." etc
 }
- # Named location for OAuth2 sign-in redirect
- # Returns a proper 302 that works with --skip-provider-button
+ # Named location for handling OAuth2 sign-in redirects
+ # This ensures the browser receives a proper 302 redirect that it will follow
 location @oauth2_signin {
- return 302 http://oauth2-proxy.localtest.me:8080/oauth2/sign_in?rd=$scheme://$host$request_uri;
- }
-
- # auth_request must be a URI so this allows an internal path to then proxy to
- # the real auth_request path.
- # The trailing /'s are required so that nginx strips the prefix before proxying.
- location /internal-auth/ {
- internal; # Ensure external users can't access this path
-
- # Make sure the OAuth2 Proxy knows where the original request came from.
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Uri $request_uri;
-
- proxy_pass http://oauth2-proxy:4180/;
+ return 302 /oauth2/sign_in?rd=$scheme://$http_host$request_uri;
 }
 }
diff --git a/contrib/local-environment/oauth2-proxy-nginx.cfg b/contrib/local-environment/oauth2-proxy-nginx.cfg
index 0a383ab7..2565c226 100644
--- a/contrib/local-environment/oauth2-proxy-nginx.cfg
+++ b/contrib/local-environment/oauth2-proxy-nginx.cfg
@@ -9,7 +9,7 @@ whitelist_domains=[".localtest.me"] # Required to allow redirection back to orig
 # dex provider
 client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
 client_id="oauth2-proxy"
-redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
+redirect_url="http://oauth2-proxy.localtest.me:8080/oauth2/callback"
 oidc_issuer_url="http://dex.localtest.me:5556/dex"
 provider="oidc"
diff --git a/docs/docs/installation.md b/docs/docs/installation.md
index d329bd55..7898f70c 100644
--- a/docs/docs/installation.md
+++ b/docs/docs/installation.md
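Review bot: The new `location = /oauth2/auth` block drops the `internal;` directive that the `/internal-auth/` block it replaces carried, so the auth endpoint is now callable directly by any client; since `auth_request` subrequests are internal, adding `internal;` as the first directive of that block restores the old restriction without affecting the subrequest. Separately, `@oauth2_signin` now builds `rd=` from `$http_host`, the client-supplied Host header, where the old `return` used `$host`; this stays a contained redirect only because `whitelist_domains=[".localtest.me"]` in oauth2-proxy-nginx.cfg filters `rd`, which deserves a comment such as `# $http_host is client-controlled; rd is only safe because oauth2-proxy checks it against whitelist_domains`. Note also (pre-existing, not introduced here) that `$request_uri` is embedded in `rd` unencoded, so a request whose own query string contains `&` will have its `rd` truncated at that `&` when oauth2-proxy parses the parameter.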
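Review bot: The nginx example still carries no restriction on which proxies' `X-Forwarded-*` headers are honoured, even though nginx.conf in this diff sets `X-Forwarded-Uri` on every call to oauth2-proxy and the CHANGELOG hunk above introduces `--trusted-proxy-ip` for exactly this case; the rest of this file is outside the hunk, so if it does not already set the cfg-file equivalent of that flag (and whatever reverse-proxy option oauth2-proxy needs to read the headers at all), this is the configuration users will copy for an nginx deployment and it should demonstrate them. A one-line comment above the changed line, e.g. `# Must match the nginx listener port (8080) and the matching redirectURIs entry in dex.yaml`, would also tie together the three values this diff changes in lockstep.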
@@ -5,7 +5,7 @@ title: Installation 1. Choose how to deploy: - a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.1`) + a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.2`) b. Using Go to install the latest release ```bash diff --git a/docs/package.json b/docs/package.json index a288a213..0bb4b494 100644 --- a/docs/package.json +++ b/docs/package.json @@ -42,5 +42,8 @@ }, "engines": { "node": ">=18.0" + }, + "overrides" : { + "webpackbar" : "^7.0.0" } } diff --git a/docs/versioned_docs/version-7.15.x/installation.md b/docs/versioned_docs/version-7.15.x/installation.md index d329bd55..7898f70c 100644 --- a/docs/versioned_docs/version-7.15.x/installation.md +++ b/docs/versioned_docs/version-7.15.x/installation.md @@ -5,7 +5,7 @@ title: Installation 1. Choose how to deploy: - a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.1`) + a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.15.2`) b. Using Go to install the latest release ```bash