security: fix CVE-2024-38371 (cherry-pick #10229) #10233

Merged: rissson merged 1 commit into version-2024.4 from cherry-pick-988109-version-2024.4 on Jun 26, 2024

@gcp-cherry-pick-bot

Cherry-picked security: fix CVE-2024-38371 (#10229)

@gcp-cherry-pick-bot gcp-cherry-pick-bot bot requested review from a team as code owners June 26, 2024 09:24
@rissson rissson enabled auto-merge (squash) June 26, 2024 09:26
@netlify

netlify bot commented Jun 26, 2024

Deploy Preview for authentik-docs ready!

| Name | Link |
| --- | --- |
| 🔨 Latest commit | d6d79f2 |
| 🔍 Latest deploy log | https://app.netlify.com/sites/authentik-docs/deploys/667bde5c0b1d7c0008c3ac61 |
| 😎 Deploy Preview | https://deploy-preview-10233--authentik-docs.netlify.app |

@codecov

codecov bot commented Jun 26, 2024

Codecov Report

Attention: Patch coverage is 90.47619% with 4 lines in your changes missing coverage. Please review.

Project coverage is 92.51%. Comparing base (8af754e) to head (d6d79f2).

| Files | Patch % | Lines |
| --- | --- | --- |
| authentik/providers/oauth2/views/device_init.py | 85.71% | 4 Missing ⚠️ |

Additional details and impacted files
@@                Coverage Diff                 @@
##           version-2024.4   #10233      +/-   ##
==================================================
+ Coverage           92.48%   92.51%   +0.03%     
==================================================
  Files                 669      669              
  Lines               32917    32925       +8     
==================================================
+ Hits                30443    30461      +18     
+ Misses               2474     2464      -10     

| Flag | Coverage Δ |
| --- | --- |
| e2e | 50.55% <23.80%> (+0.02%) ⬆️ |
| integration | 25.90% <0.00%> (-0.01%) ⬇️ |
| unit | 89.83% <90.47%> (+<0.01%) ⬆️ |

Flags with carried forward coverage won't be shown.

@rissson rissson merged commit b5ffd16 into version-2024.4 Jun 26, 2024
@rissson rissson deleted the cherry-pick-988109-version-2024.4 branch June 26, 2024 09:42
@github-actions

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-d6d79f2d39aed9d8af4813419ef87492d8b821cc
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-d6d79f2d39aed9d8af4813419ef87492d8b821cc-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-d6d79f2d39aed9d8af4813419ef87492d8b821cc

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-d6d79f2d39aed9d8af4813419ef87492d8b821cc-arm64

Afterwards, run the upgrade commands from the latest release notes.
