From 06f1234b69676c63dae998a3539992c17700c9cc Mon Sep 17 00:00:00 2001 From: Jan Larwig Date: Thu, 26 Feb 2026 14:43:52 +0100 Subject: [PATCH 1/4] ci: ensure we always use the latest patch version of golang (#3349) Signed-off-by: Jan Larwig --- .github/workflows/ci.yml | 10 ++++++++-- .github/workflows/publish-release.yml | 13 ++++++++++--- go.mod | 2 +- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cd9b6dbe..4c9b969e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,11 +20,17 @@ jobs: - name: Check out code uses: actions/checkout@v6 + - name: Get Go version + run: | + version=$(grep "^go " go.mod | cut -d' ' -f2) + echo "version=${version}" >> "$GITHUB_OUTPUT" + id: go-version + - name: Set up Go uses: actions/setup-go@v6 with: - go-version-file: go.mod - id: go + go-version: ${{ steps.go-version.outputs.version }} + check-latest: true - name: Install golangci-lint env: diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 9f235fb6..c71266c9 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -42,11 +42,18 @@ jobs: git tag -a "${version}" -m "Release ${version}" echo "version=${version}" >> $GITHUB_OUTPUT id: tag - - - name: Set up go + + - name: Get Go version + run: | + version=$(grep "^go " go.mod | cut -d' ' -f2) + echo "version=${version}" >> "$GITHUB_OUTPUT" + id: go-version + + - name: Set up Go uses: actions/setup-go@v6 with: - go-version-file: go.mod + go-version: ${{ steps.go-version.outputs.version }} + check-latest: true - name: Get dependencies env: diff --git a/go.mod b/go.mod index c998b25f..4f54660f 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/oauth2-proxy/oauth2-proxy/v7 -go 1.25.6 +go 1.25.0 require ( cloud.google.com/go/compute/metadata v0.9.0 From 788f3d0e1df540d945a3ffe0e95d432baf1387c3 Mon Sep 17 00:00:00 2001 
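Review bot: The new `Get Go version` step in `.github/workflows/ci.yml` writes whatever `grep "^go " go.mod | cut -d' ' -f2` yields to `$GITHUB_OUTPUT` without checking it. The pipeline's exit status is that of `cut`, so a missing or differently spaced `go` directive gives an empty `version` and the step still succeeds. With an empty `go-version` and `go-version-file` removed, setup-go will most likely fall back to the Go preinstalled on the runner, silently changing the toolchain for CI and, through the identical step added to `.github/workflows/publish-release.yml`, for release builds. I would add a guard right after the assignment, e.g. `[ -n "${version}" ] || { echo "::error::no go directive found in go.mod"; exit 1; }`, or check the shape with `grep -Eq '^[0-9]+\.[0-9]+'` before writing the output. The same applies to the two `Get Go version` hunks in PATCH 2/4, which keep the unchecked pipeline and only append `cut -d. -f1,2`.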
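Review bot: Lowering the directive to `go 1.25.0` in go.mod makes it a bare minimum, so go.mod no longer pushes source builds onto a patched 1.25.x toolchain the way `go 1.25.6` did; only the workflows changed in this patch select the latest patch release. That is worth stating next to the directive, for example `// minimum supported Go version; CI and release builds use the latest 1.25.x patch via setup-go`, so the value is not read as the toolchain the project ships with. If source builds should keep a patched floor, a `toolchain` line could carry it, though I have not checked how that interacts with the setup-go configuration here.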
From: Jan Larwig Date: Thu, 26 Feb 2026 14:48:35 +0100 Subject: [PATCH 2/4] ci: ensure we always use the latest patch version of golang (#3350) Signed-off-by: Jan Larwig --- .github/workflows/ci.yml | 2 +- .github/workflows/publish-release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4c9b969e..5c3a18c5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,7 +22,7 @@ jobs: - name: Get Go version run: | - version=$(grep "^go " go.mod | cut -d' ' -f2) + version=$(grep "^go " go.mod | cut -d' ' -f2 | cut -d. -f1,2) echo "version=${version}" >> "$GITHUB_OUTPUT" id: go-version diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index c71266c9..f853d8de 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -45,7 +45,7 @@ jobs: - name: Get Go version run: | - version=$(grep "^go " go.mod | cut -d' ' -f2) + version=$(grep "^go " go.mod | cut -d' ' -f2 | cut -d. -f1,2) echo "version=${version}" >> "$GITHUB_OUTPUT" id: go-version From b5c8df79886c3d4601adc0ec9fda1d17290f45b1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 26 Feb 2026 15:03:07 +0100 Subject: [PATCH 3/4] release v7.14.3 (#3351) * update to release version v7.14.3 * doc: release note v7.14.3 Signed-off-by: Jan Larwig --------- 
Signed-off-by: Jan Larwig Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Jan Larwig --- CHANGELOG.md | 18 ++++++++++++++++++ .../docker-compose-alpha-config.yaml | 2 +- .../docker-compose-gitea.yaml | 2 +- .../docker-compose-keycloak.yaml | 2 +- .../docker-compose-nginx.yaml | 2 +- .../docker-compose-traefik.yaml | 2 +- contrib/local-environment/docker-compose.yaml | 2 +- docs/docs/installation.md | 2 +- .../version-7.14.x/installation.md | 2 +- 9 files changed, 26 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 76c506ba..4542945f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,24 @@ ## Important Notes +## Breaking Changes + +## Changes since v7.14.3 + +# V7.14.3 + +## Release Highlights + +- 🔵 Go1.25.7 and upgrade of dependencies to latest versions + - Fixes [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/cve-2025-68121) +- 🐛 Bug fixes + - Allow Redis URL parameters to configure username, password and max idle connection timeout if the matching configuration is empty. + +## Important Notes + +We improved our supply chain security by added additional checks to prevent potential command injection in the publish release workflow and to ensure that it can only be triggered from branches originating in the local repository. This potential issue was reported by automated systems as well as a couple of security researchers, and we want to thank everyone for their diligence in looking out for the security of the project. Especially Aastha Aggarwal for her detailed report and follow-up. @Aastha2602 + + ## Breaking Changes ## Changes since v7.14.2 diff --git a/contrib/local-environment/docker-compose-alpha-config.yaml b/contrib/local-environment/docker-compose-alpha-config.yaml index 595ce4e4..6854ef95 100644 --- a/contrib/local-environment/docker-compose-alpha-config.yaml +++ b/contrib/local-environment/docker-compose-alpha-config.yaml 
@@ -14,7 +14,7 @@ version: "3.0" services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 command: --config /oauth2-proxy.cfg --alpha-config /oauth2-proxy-alpha-config.yaml hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose-gitea.yaml b/contrib/local-environment/docker-compose-gitea.yaml index 65968fe8..bb17c752 100644 --- a/contrib/local-environment/docker-compose-gitea.yaml +++ b/contrib/local-environment/docker-compose-gitea.yaml @@ -14,7 +14,7 @@ version: '3.0' services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose-keycloak.yaml b/contrib/local-environment/docker-compose-keycloak.yaml index cc56f4ae..ea86ea82 100644 --- a/contrib/local-environment/docker-compose-keycloak.yaml +++ b/contrib/local-environment/docker-compose-keycloak.yaml @@ -14,7 +14,7 @@ version: '3.0' services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose-nginx.yaml b/contrib/local-environment/docker-compose-nginx.yaml index 771815b1..113616d6 100644 --- a/contrib/local-environment/docker-compose-nginx.yaml +++ b/contrib/local-environment/docker-compose-nginx.yaml @@ -22,7 +22,7 @@ version: "3.0" services: oauth2-proxy: - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 ports: [] hostname: oauth2-proxy container_name: oauth2-proxy 
diff --git a/contrib/local-environment/docker-compose-traefik.yaml b/contrib/local-environment/docker-compose-traefik.yaml index b5d25e2f..e4490b3a 100644 --- a/contrib/local-environment/docker-compose-traefik.yaml +++ b/contrib/local-environment/docker-compose-traefik.yaml @@ -23,7 +23,7 @@ version: '3.0' services: oauth2-proxy: - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 ports: [] hostname: oauth2-proxy volumes: diff --git a/contrib/local-environment/docker-compose.yaml b/contrib/local-environment/docker-compose.yaml index 12ddeb68..1eaba82a 100644 --- a/contrib/local-environment/docker-compose.yaml +++ b/contrib/local-environment/docker-compose.yaml @@ -13,7 +13,7 @@ version: "3.0" services: oauth2-proxy: container_name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2 + image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.3 command: --config /oauth2-proxy.cfg hostname: oauth2-proxy volumes: diff --git a/docs/docs/installation.md b/docs/docs/installation.md index 4bb94f4f..75603801 100644 --- a/docs/docs/installation.md +++ b/docs/docs/installation.md @@ -5,7 +5,7 @@ title: Installation 1. Choose how to deploy: - a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.2`) + a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.3`) b. Using Go to install the latest release ```bash diff --git a/docs/versioned_docs/version-7.14.x/installation.md b/docs/versioned_docs/version-7.14.x/installation.md index 4bb94f4f..75603801 100644 --- a/docs/versioned_docs/version-7.14.x/installation.md +++ b/docs/versioned_docs/version-7.14.x/installation.md 
@@ -5,7 +5,7 @@ title: Installation 1. Choose how to deploy: - a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.2`) + a. Using a [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.14.3`) b. Using Go to install the latest release ```bash From 88075737a6c349508700cab0e342c8591af8c6d0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 27 Feb 2026 15:00:04 +0100 Subject: [PATCH 4/4] chore(deps): update alpine docker tag to v3.23.3 (#3329) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 73507560..ed9d2186 100644 --- a/Makefile +++ b/Makefile @@ -66,7 +66,7 @@ DOCKER_BUILDX_PUSH := $(DOCKER_BUILDX) --push DOCKER_BUILDX_PUSH_X_PLATFORM := $(DOCKER_BUILDX_PUSH) --platform ${DOCKER_BUILD_PLATFORM} DOCKER_BUILD_PLATFORM_ALPINE ?= linux/amd64,linux/arm64,linux/ppc64le,linux/arm/v6,linux/arm/v7,linux/s390x -DOCKER_BUILD_RUNTIME_IMAGE_ALPINE ?= alpine:3.23.2 +DOCKER_BUILD_RUNTIME_IMAGE_ALPINE ?= alpine:3.23.3 DOCKER_BUILDX_ARGS_ALPINE ?= --build-arg RUNTIME_IMAGE=${DOCKER_BUILD_RUNTIME_IMAGE_ALPINE} ${DOCKER_BUILDX_COMMON_ARGS} DOCKER_BUILDX_X_PLATFORM_ALPINE := docker buildx build ${DOCKER_BUILDX_ARGS_ALPINE} --platform ${DOCKER_BUILD_PLATFORM_ALPINE} DOCKER_BUILDX_PUSH_X_PLATFORM_ALPINE := $(DOCKER_BUILDX_X_PLATFORM_ALPINE) --push