Merge branch 'master' into Add-SameSite-option-csrf-cookie

2026-02-27 17:12:56 +01:00 · 2026-02-27 17:12:56 +01:00 · ca0c9d04b5
parent 04c25fca19 88075737a6
commit ca0c9d04b5
13 changed files with 46 additions and 15 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -20,11 +20,17 @@ jobs:
    - name: Check out code
      uses: actions/checkout@v6

+    - name: Get Go version
+      run: |
+        version=$(grep "^go " go.mod | cut -d' ' -f2 | cut -d. -f1,2)
+        echo "version=${version}" >> "$GITHUB_OUTPUT"
+      id: go-version
+
    - name: Set up Go
      uses: actions/setup-go@v6
      with:
-        go-version-file: go.mod
-      id: go
+        go-version: ${{ steps.go-version.outputs.version }}
+        check-latest: true

    - name: Install golangci-lint
      env:
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@ -42,11 +42,18 @@ jobs:
        git tag -a "${version}" -m "Release ${version}"
        echo "version=${version}" >> $GITHUB_OUTPUT
      id: tag
-    
-    - name: Set up go
+
+    - name: Get Go version
+      run: |
+        version=$(grep "^go " go.mod | cut -d' ' -f2 | cut -d. -f1,2)
+        echo "version=${version}" >> "$GITHUB_OUTPUT"
+      id: go-version
+
+    - name: Set up Go
      uses: actions/setup-go@v6
      with:
-        go-version-file: go.mod
+        go-version: ${{ steps.go-version.outputs.version }}
+        check-latest: true

    - name: Get dependencies
      env:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,24 @@

 - [#3347](https://github.com/oauth2-proxy/oauth2-proxy/pull/3347) New option "--cookie-csrf-samesite" added, to define the SameSite value of CSRF cookie. If option is not configured, then CSRF cookie SameSite is equal to the one configured for the session cookie.

+## Breaking Changes
+
+## Changes since v7.14.3
+
+# V7.14.3
+
+## Release Highlights
+
+- 🔵 Go1.25.7 and upgrade of dependencies to latest versions
+  - Fixes [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/cve-2025-68121)
+- 🐛 Bug fixes
+  - Allow Redis URL parameters to configure username, password and max idle connection timeout if the matching configuration is empty.
+
+## Important Notes
+
+We improved our supply chain security by added additional checks to prevent potential command injection in the publish release workflow and to ensure that it can only be triggered from branches originating in the local repository. This potential issue was reported by automated systems as well as a couple of security researchers, and we want to thank everyone for their diligence in looking out for the security of the project. Especially Aastha Aggarwal for her detailed report and follow-up. @Aastha2602
+
+
 ## Breaking Changes

 ## Changes since v7.14.2
--- a/2
+++ b/2
@ -66,7 +66,7 @@ DOCKER_BUILDX_PUSH            := $(DOCKER_BUILDX) --push
 DOCKER_BUILDX_PUSH_X_PLATFORM := $(DOCKER_BUILDX_PUSH) --platform ${DOCKER_BUILD_PLATFORM}

 DOCKER_BUILD_PLATFORM_ALPINE         ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6,linux/arm/v7,linux/s390x
-DOCKER_BUILD_RUNTIME_IMAGE_ALPINE    ?= alpine:3.23.2
+DOCKER_BUILD_RUNTIME_IMAGE_ALPINE    ?= alpine:3.23.3
 DOCKER_BUILDX_ARGS_ALPINE            ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE_ALPINE} ${DOCKER_BUILDX_COMMON_ARGS}
 DOCKER_BUILDX_X_PLATFORM_ALPINE      := docker buildx build ${DOCKER_BUILDX_ARGS_ALPINE} --platform ${DOCKER_BUILD_PLATFORM_ALPINE}
 DOCKER_BUILDX_PUSH_X_PLATFORM_ALPINE := $(DOCKER_BUILDX_X_PLATFORM_ALPINE) --push
--- a/contrib/local-environment/docker-compose-alpha-config.yaml
+++ b/contrib/local-environment/docker-compose-alpha-config.yaml
@ -13,7 +13,7 @@
 services:
  oauth2-proxy:
    container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3
    command: --config /oauth2-proxy.cfg --alpha-config /oauth2-proxy-alpha-config.yaml
    hostname: oauth2-proxy
    volumes:
--- a/contrib/local-environment/docker-compose-gitea.yaml
+++ b/contrib/local-environment/docker-compose-gitea.yaml
@ -13,7 +13,7 @@
 services:
  oauth2-proxy:
    container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3
    command: --config /oauth2-proxy.cfg
    hostname: oauth2-proxy
    volumes:
--- a/contrib/local-environment/docker-compose-keycloak.yaml
+++ b/contrib/local-environment/docker-compose-keycloak.yaml
@ -13,7 +13,7 @@
 services:
  oauth2-proxy:
    container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3
    command: --config /oauth2-proxy.cfg
    hostname: oauth2-proxy
    volumes:
--- a/contrib/local-environment/docker-compose-nginx.yaml
+++ b/contrib/local-environment/docker-compose-nginx.yaml
@ -21,7 +21,7 @@
 #    127.0.0.1 oauth2-proxy.oauth2-proxy.localhost
 services:
  oauth2-proxy:
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3
    ports: []
    hostname: oauth2-proxy
    container_name: oauth2-proxy
--- a/contrib/local-environment/docker-compose-traefik.yaml
+++ b/contrib/local-environment/docker-compose-traefik.yaml
@ -22,7 +22,7 @@
 services:

  oauth2-proxy:
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3
    ports: []
    hostname: oauth2-proxy
    volumes:
--- a/contrib/local-environment/docker-compose.yaml
+++ b/contrib/local-environment/docker-compose.yaml
@ -12,7 +12,7 @@
 services:
  oauth2-proxy:
    container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3
    command: --config /oauth2-proxy.cfg
    hostname: oauth2-proxy
    volumes:
--- a/docs/docs/installation.md
+++ b/docs/docs/installation.md
@ -5,7 +5,7 @@ title: Installation

 1.  Choose how to deploy:

-    a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.2`)
+    a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.3`)

    b. Using Go to install the latest release
    ```bash
--- a/docs/versioned_docs/version-7.14.x/installation.md
+++ b/docs/versioned_docs/version-7.14.x/installation.md
@ -5,7 +5,7 @@ title: Installation

 1.  Choose how to deploy:

-    a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.2`)
+    a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.3`)

    b. Using Go to install the latest release
    ```bash
--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module github.com/oauth2-proxy/oauth2-proxy/v7

-go 1.25.6
+go 1.25.0

 require (
 	cloud.google.com/go/compute/metadata v0.9.0