diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cd9b6dbe..5c3a18c5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,11 +20,17 @@ jobs: - name: Check out code uses: actions/checkout@v6 + - name: Get Go version + run: | + version=$(grep "^go " go.mod | cut -d' ' -f2 | cut -d. -f1,2) + echo "version=${version}" >> "$GITHUB_OUTPUT" + id: go-version + - name: Set up Go uses: actions/setup-go@v6 with: - go-version-file: go.mod - id: go + go-version: ${{ steps.go-version.outputs.version }} + check-latest: true - name: Install golangci-lint env: diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 9f235fb6..f853d8de 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -42,11 +42,18 @@ jobs: git tag -a "${version}" -m "Release ${version}" echo "version=${version}" >> $GITHUB_OUTPUT id: tag - - - name: Set up go + + - name: Get Go version + run: | + version=$(grep "^go " go.mod | cut -d' ' -f2 | cut -d. -f1,2) + echo "version=${version}" >> "$GITHUB_OUTPUT" + id: go-version + + - name: Set up Go uses: actions/setup-go@v6 with: - go-version-file: go.mod + go-version: ${{ steps.go-version.outputs.version }} + check-latest: true - name: Get dependencies env: diff --git a/CHANGELOG.md b/CHANGELOG.md index d5227612..9e7bed1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
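Review bot: The new `Get Go version` step in ci.yml writes whatever `grep "^go " go.mod | cut -d' ' -f2 | cut -d. -f1,2` returns into `$GITHUB_OUTPUT` without checking it. If the pipeline yields an empty string, `actions/setup-go` gets an empty `go-version` and, with `go-version-file` removed, likely falls back to whatever Go is preinstalled on the runner. If it yields more than one line, the extra lines are appended to the step's output file as well. I would validate before the `echo`, e.g. `[[ "$version" =~ ^[0-9]+\.[0-9]+$ ]] || { echo "unexpected go directive in go.mod" >&2; exit 1; }`. The identical step in the publish-release.yml hunk needs the same guard, and it matters more there because that job creates the release tag.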
@@ -8,6 +8,24 @@ - [#3347](https://github.com/oauth2-proxy/oauth2-proxy/pull/3347) New option "--cookie-csrf-samesite" added, to define the SameSite value of CSRF cookie. If option is not configured, then CSRF cookie SameSite is equal to the one configured for the session cookie. +## Breaking Changes + +## Changes since v7.14.3 + +# V7.14.3 + +## Release Highlights + +- 🔵 Go1.25.7 and upgrade of dependencies to latest versions + - Fixes [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/cve-2025-68121) +- 🐛 Bug fixes + - Allow Redis URL parameters to configure username, password and max idle connection timeout if the matching configuration is empty. + +## Important Notes + +We improved our supply chain security by added additional checks to prevent potential command injection in the publish release workflow and to ensure that it can only be triggered from branches originating in the local repository. This potential issue was reported by automated systems as well as a couple of security researchers, and we want to thank everyone for their diligence in looking out for the security of the project. Especially Aastha Aggarwal for her detailed report and follow-up. @Aastha2602 + + ## Breaking Changes ## Changes since v7.14.2 diff --git a/Makefile b/Makefile index 73507560..ed9d2186 100644 --- a/Makefile +++ b/Makefile 
@@ -66,7 +66,7 @@ DOCKER_BUILDX_PUSH := $(DOCKER_BUILDX) --push DOCKER_BUILDX_PUSH_X_PLATFORM := $(DOCKER_BUILDX_PUSH) --platform ${DOCKER_BUILD_PLATFORM} DOCKER_BUILD_PLATFORM_ALPINE ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6,linux/arm/v7,linux/s390x -DOCKER_BUILD_RUNTIME_IMAGE_ALPINE ?= alpine:3.23.2 +DOCKER_BUILD_RUNTIME_IMAGE_ALPINE ?= alpine:3.23.3 DOCKER_BUILDX_ARGS_ALPINE ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE_ALPINE} ${DOCKER_BUILDX_COMMON_ARGS} DOCKER_BUILDX_X_PLATFORM_ALPINE := docker buildx build ${DOCKER_BUILDX_ARGS_ALPINE} --platform ${DOCKER_BUILD_PLATFORM_ALPINE} DOCKER_BUILDX_PUSH_X_PLATFORM_ALPINE := $(DOCKER_BUILDX_X_PLATFORM_ALPINE) --push diff --git a/contrib/local-environment/docker-compose-alpha-config.yaml b/contrib/local-environment/docker-compose-alpha-config.yaml index 95e386ca..c0da829f 100644 --- a/contrib/local-environment/docker-compose-alpha-config.yaml +++ b/contrib/local-environment/docker-compose-alpha-config.yaml @@ -13,7 +13,7 @@ services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 command: --config /oauth2-proxy.cfg --alpha-config /oauth2-proxy-alpha-config.yaml hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose-gitea.yaml b/contrib/local-environment/docker-compose-gitea.yaml index 6e8583ea..5f4b6d68 100644 --- a/contrib/local-environment/docker-compose-gitea.yaml +++ b/contrib/local-environment/docker-compose-gitea.yaml @@ -13,7 +13,7 @@ services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose-keycloak.yaml b/contrib/local-environment/docker-compose-keycloak.yaml index 6576a9ef..34b53bdc 100644 
--- a/contrib/local-environment/docker-compose-keycloak.yaml +++ b/contrib/local-environment/docker-compose-keycloak.yaml @@ -13,7 +13,7 @@ services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose-nginx.yaml b/contrib/local-environment/docker-compose-nginx.yaml index 69ff0f14..cd37bb9e 100644 --- a/contrib/local-environment/docker-compose-nginx.yaml +++ b/contrib/local-environment/docker-compose-nginx.yaml @@ -21,7 +21,7 @@ # 127.0.0.1 oauth2-proxy.oauth2-proxy.localhost services: oauth2-proxy: - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 ports: [] hostname: oauth2-proxy container_name: oauth2-proxy diff --git a/contrib/local-environment/docker-compose-traefik.yaml b/contrib/local-environment/docker-compose-traefik.yaml index d3a49e0c..c049e97a 100644 --- a/contrib/local-environment/docker-compose-traefik.yaml +++ b/contrib/local-environment/docker-compose-traefik.yaml @@ -22,7 +22,7 @@ services: oauth2-proxy: - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 ports: [] hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose.yaml b/contrib/local-environment/docker-compose.yaml index 97bc4cef..5028c55f 100644 --- a/contrib/local-environment/docker-compose.yaml +++ b/contrib/local-environment/docker-compose.yaml @@ -12,7 +12,7 @@ services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/docs/docs/installation.md b/docs/docs/installation.md index 4bb94f4f..75603801 100644 --- a/docs/docs/installation.md +++ b/docs/docs/installation.md 
@@ -5,7 +5,7 @@ title: Installation 1. Choose how to deploy: - a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.2`) + a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.3`) b. Using Go to install the latest release ```bash diff --git a/docs/versioned_docs/version-7.14.x/installation.md b/docs/versioned_docs/version-7.14.x/installation.md index 4bb94f4f..75603801 100644 --- a/docs/versioned_docs/version-7.14.x/installation.md +++ b/docs/versioned_docs/version-7.14.x/installation.md @@ -5,7 +5,7 @@ title: Installation 1. Choose how to deploy: - a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.2`) + a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.3`) b. Using Go to install the latest release ```bash diff --git a/go.mod b/go.mod index c998b25f..4f54660f 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/oauth2-proxy/oauth2-proxy/v7 -go 1.25.6 +go 1.25.0 require ( cloud.google.com/go/compute/metadata v0.9.0
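Review bot: Lowering the `go` directive from 1.25.6 to 1.25.0 removes the only minimum patch level visible in this diff, so a source build with an older 1.25.x toolchain now gets no error and no automatic toolchain switch. The CHANGELOG in this same commit presents Go 1.25.7 as the fix for CVE-2025-68121, so such builds would miss it, assuming the fix lives in the Go toolchain or standard library. Only the two workflows pick up the newer patch release, via `check-latest: true`. If the aim is to keep the language version loose for importers, consider adding `toolchain go1.25.7` beneath `go 1.25.0`; the workflows' `grep "^go "` would not match that line.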