Skip to content

security: fix CVE 2024 52307#12115

Merged
BeryJu merged 3 commits intomainfrom
security/CVE-2024-52307
Nov 21, 2024
Merged

security: fix CVE 2024 52307#12115
BeryJu merged 3 commits intomainfrom
security/CVE-2024-52307

Conversation

@BeryJu
Copy link
Member

@BeryJu BeryJu commented Nov 21, 2024

Details

REPLACE ME

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@BeryJu BeryJu requested review from a team as code owners November 21, 2024 13:01
@netlify
Copy link

netlify bot commented Nov 21, 2024
edited
Loading

Deploy Preview for authentik-storybook ready!

Name Link
🔨 Latest commit 3cd06ee
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/673f34738e389700088a1428
😎 Deploy Preview https://deploy-preview-12115--authentik-storybook.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@netlify
Copy link

netlify bot commented Nov 21, 2024
edited
Loading

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 3cd06ee
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/673f347351a6f700082bce54
😎 Deploy Preview https://deploy-preview-12115--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@codecov
Copy link

codecov bot commented Nov 21, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.62%. Comparing base (e9c29e1) to head (3cd06ee).
Report is 1 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #12115      +/-   ##
==========================================
- Coverage   92.67%   92.62%   -0.06%     
==========================================
  Files         761      761              
  Lines       37963    37973      +10     
==========================================
- Hits        35184    35171      -13     
- Misses       2779     2802      +23
Flag Coverage Δ
e2e 49.07% <19.04%> (-0.07%) ⬇️
integration 24.83% <19.04%> (+<0.01%) ⬆️
unit 90.20% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚨 Try these New Features:

@BeryJu
Copy link
Member Author

BeryJu commented Nov 21, 2024

/cherry-pick version-2024.10

@BeryJu
Copy link
Member Author

BeryJu commented Nov 21, 2024

/cherry-pick version-2024.8

@BeryJu
security: fix CVE-2024-52307
a0e6191 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
add docs
66d8651 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix tests
3cd06ee 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the security/CVE-2024-52307 branch from e9e25af to 3cd06ee Compare November 21, 2024 13:24
@BeryJu BeryJu merged commit 5ea4580 into main Nov 21, 2024
@BeryJu BeryJu deleted the security/CVE-2024-52307 branch November 21, 2024 13:24
@gcp-cherry-pick-bot
Copy link
Contributor

gcp-cherry-pick-bot bot commented Nov 21, 2024

Cherry-pick failed with Merge error 5ea4580884f99369f0ccfe484c04cb03a66e65b8 into temp-cherry-pick-d8271c-version-2024.10

@gcp-cherry-pick-bot
Copy link
Contributor

gcp-cherry-pick-bot bot commented Nov 21, 2024

Cherry-pick failed with Merge error 5ea4580884f99369f0ccfe484c04cb03a66e65b8 into temp-cherry-pick-d8271c-version-2024.8

BeryJu added a commit that referenced this pull request Nov 21, 2024
@BeryJu
security: fix CVE 2024 52307 (#12115)
11b013d 
* security: fix CVE-2024-52307

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
BeryJu added a commit that referenced this pull request Nov 21, 2024
@BeryJu
security: fix CVE 2024 52307 (#12115)
e7f49d9 
* security: fix CVE-2024-52307

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
# Conflicts:
#	website/docs/security/CVE-2024-52307.md
#	website/sidebars.js
@github-actions
Copy link
Contributor

github-actions bot commented Nov 21, 2024

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-3cd06eebf4cba2e51dc7d6d251b1642583787ac5
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-3cd06eebf4cba2e51dc7d6d251b1642583787ac5-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-3cd06eebf4cba2e51dc7d6d251b1642583787ac5

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-3cd06eebf4cba2e51dc7d6d251b1642583787ac5-arm64

Afterwards, run the upgrade commands from the latest release notes.

kensternberg-authentik added a commit that referenced this pull request Nov 21, 2024
@kensternberg-authentik
Merge branch 'main' into web/flow/table-driven-executor
8982798 
* main: (23 commits)
  website/docs: update info about footer links to match new UI (#12120)
  website/docs: prepare release notes (#12142)
  providers/oauth2: fix migration (#12138)
  providers/oauth2: fix migration dependencies (#12123)
  web: bump API Client version (#12129)
  providers/oauth2: fix redirect uri input (#12122)
  providers/proxy: fix redirect_uri (#12121)
  website/docs: prepare release notes (#12119)
  web: bump API Client version (#12118)
  security: fix CVE 2024 52289 (#12113)
  security: fix CVE 2024 52307 (#12115)
  security: fix CVE 2024 52287 (#12114)
  website/docs: add CSP to hardening (#11970)
  core: bump uvicorn from 0.32.0 to 0.32.1 (#12103)
  core: bump google-api-python-client from 2.153.0 to 2.154.0 (#12104)
  core: bump pydantic from 2.9.2 to 2.10.0 (#12105)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in it (#12110)
  internal: add CSP header to files in `/media` (#12092)
  core, web: update translations (#12101)
  web: fix bug that prevented error reporting in current wizard. (#12033)
  ...
kensternberg-authentik added a commit that referenced this pull request Nov 21, 2024
@kensternberg-authentik
Merge branch 'main' into web/flow/disambiguate-brand-links
7edc630 
* main: (23 commits)
  website/docs: update info about footer links to match new UI (#12120)
  website/docs: prepare release notes (#12142)
  providers/oauth2: fix migration (#12138)
  providers/oauth2: fix migration dependencies (#12123)
  web: bump API Client version (#12129)
  providers/oauth2: fix redirect uri input (#12122)
  providers/proxy: fix redirect_uri (#12121)
  website/docs: prepare release notes (#12119)
  web: bump API Client version (#12118)
  security: fix CVE 2024 52289 (#12113)
  security: fix CVE 2024 52307 (#12115)
  security: fix CVE 2024 52287 (#12114)
  website/docs: add CSP to hardening (#11970)
  core: bump uvicorn from 0.32.0 to 0.32.1 (#12103)
  core: bump google-api-python-client from 2.153.0 to 2.154.0 (#12104)
  core: bump pydantic from 2.9.2 to 2.10.0 (#12105)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in it (#12110)
  internal: add CSP header to files in `/media` (#12092)
  core, web: update translations (#12101)
  web: fix bug that prevented error reporting in current wizard. (#12033)
  ...
kensternberg-authentik added a commit that referenced this pull request Nov 22, 2024
@kensternberg-authentik
Merge branch 'main' into web/bugfix/dual-select-selector-revision
e89585e 
* main: (70 commits)
  core: bump goauthentik.io/api/v3 from 3.2024102.2 to 3.2024104.1 (#12149)
  core: bump debugpy from 1.8.8 to 1.8.9 (#12150)
  core: bump webauthn from 2.2.0 to 2.3.0 (#12151)
  core: bump pydantic from 2.10.0 to 2.10.1 (#12152)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#12156)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#12157)
  core: bump sentry-sdk from 2.18.0 to 2.19.0 (#12153)
  web: bump API Client version (#12147)
  root: Backport version change (#12146)
  website/docs: update info about footer links to match new UI (#12120)
  website/docs: prepare release notes (#12142)
  providers/oauth2: fix migration (#12138)
  providers/oauth2: fix migration dependencies (#12123)
  web: bump API Client version (#12129)
  providers/oauth2: fix redirect uri input (#12122)
  providers/proxy: fix redirect_uri (#12121)
  website/docs: prepare release notes (#12119)
  web: bump API Client version (#12118)
  security: fix CVE 2024 52289 (#12113)
  security: fix CVE 2024 52307 (#12115)
  ...
kensternberg-authentik added a commit that referenced this pull request Nov 22, 2024
@kensternberg-authentik
Merge branch 'main' into web/update-provider-forms-for-invalidation
76b9add 
* main: (142 commits)
  core: bump goauthentik.io/api/v3 from 3.2024102.2 to 3.2024104.1 (#12149)
  core: bump debugpy from 1.8.8 to 1.8.9 (#12150)
  core: bump webauthn from 2.2.0 to 2.3.0 (#12151)
  core: bump pydantic from 2.10.0 to 2.10.1 (#12152)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#12156)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#12157)
  core: bump sentry-sdk from 2.18.0 to 2.19.0 (#12153)
  web: bump API Client version (#12147)
  root: Backport version change (#12146)
  website/docs: update info about footer links to match new UI (#12120)
  website/docs: prepare release notes (#12142)
  providers/oauth2: fix migration (#12138)
  providers/oauth2: fix migration dependencies (#12123)
  web: bump API Client version (#12129)
  providers/oauth2: fix redirect uri input (#12122)
  providers/proxy: fix redirect_uri (#12121)
  website/docs: prepare release notes (#12119)
  web: bump API Client version (#12118)
  security: fix CVE 2024 52289 (#12113)
  security: fix CVE 2024 52307 (#12115)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BeryJu