Announcing Pomerium v0.27.1

Pomerium v0.27.1 is here! This patch fixes a security vulnerability and surfaces more user information on the user info dashboard.

Downloads are immediately available on GitHub, Cloudsmith, and Docker Hub for all supported platforms.

Overall

We fixed a security vulnerability affecting the internal API. It affected only Pomerium Enterprise and Pomerium Zero deployments that use service accounts.

Pomerium Core

More secure: We’ve added additional validation checks for gRPC API authorization.

Standardized everywhere: The user info dashboard page (at URL path /.pomerium/) now also provides user info for the programmatic access flow.

Pomerium Enterprise

Security: We’ve restricted the debug “DataBroker Browser” page to users with global admin privileges. Now only those with the correct privileges can view the debug page!

Fixed:

  • ID sync correction: Our user info dashboard page now correctly displays group membership info for Pomerium Enterprise deployments with directory sync configured.
  • Out of hibernation: Previously, the Kubernetes service account token route setting was visible in the UI but could not be used. We woke it from hibernation.
  • All as you left it: We’ve fixed the database migration command to keep the schema version metadata in sync when rolling back to a previous schema version. Rollbacks will now correctly unlock that time capsule.

Before You Upgrade

We always recommend testing in a separate environment and backing up your database before fully implementing new releases. Feel free to reach out to us on our Discuss forums if there are any issues.

Secure All Your Web Applications With Pomerium

Haven’t tried our free hosted control plane Pomerium Zero yet? Explore Pomerium Zero’s capabilities and sign up for free!