[security] Pomerium v0.22.2, v0.21.4, v0.20.1, v0.19.2, v0.18.1, and v0.17.4 release

As mentioned in our pre-announcement yesterday, we have released Pomerium v0.22.2, v0.21.4, v0.20.1, v0.19.2, v0.18.1, and v0.17.4. We recommend all users immediately upgrade.

These patch releases include a CRITICAL security fix to Pomerium Core. In versions prior to v0.22.2, a specially crafted requests could result in incorrect authorization decisions made by Pomerium.

This is CVE-2023-33189 and issue GHSA-pvrc-wvj2-f59p.

Thank you to Alex Bessonov for reporting this issue.

Downloads are immediately available at Github Releases, and Dockerhub for all supported platforms.

Upgrading ingress controller:


kubectl apply -k github.com/pomerium/ingress-controller/config/default\?ref=v0.22.2

v0.21.3 (uses core v0.21.4)

kubectl apply -k github.com/pomerium/ingress-controller/config/default\?ref=v0.21.3


kubectl apply -k github.com/pomerium/ingress-controller/config/default\?ref=v0.20.1