Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: fix CVE-2024-47077 #11535

Merged
merged 1 commit into from
Sep 27, 2024
Merged

security: fix CVE-2024-47077 #11535

merged 1 commit into from
Sep 27, 2024

Conversation

BeryJu
Copy link
Member

@BeryJu BeryJu commented Sep 27, 2024

Details

REPLACE ME

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@BeryJu
security: fix CVE-2024-47077
9f4a2f4 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu requested review from a team as code owners September 27, 2024 14:00
@BeryJu
Copy link
Member Author

BeryJu commented Sep 27, 2024

/cherry-pick version-2024.8
/cherry-pick version-2024.6

@netlify Netlify
Copy link

netlify bot commented Sep 27, 2024
edited
Loading

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit 9f4a2f4
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/66f6ba785fcaf600080955f4

@netlify Netlify
Copy link

netlify bot commented Sep 27, 2024
edited
Loading

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 9f4a2f4
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/66f6ba7837f5b60009b25719
😎 Deploy Preview https://deploy-preview-11535--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@codecov Codecov
Copy link

codecov bot commented Sep 27, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.67%. Comparing base (cdeed5e) to head (9f4a2f4).
Report is 2 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #11535      +/-   ##
==========================================
- Coverage   92.75%   92.67%   -0.08%     
==========================================
  Files         736      736              
  Lines       36512    36518       +6     
==========================================
- Hits        33866    33843      -23     
- Misses       2646     2675      +29
Flag Coverage Δ
e2e 49.16% <0.00%> (-0.12%) ⬇️
integration 24.98% <0.00%> (-0.01%) ⬇️
unit 90.25% <100.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@BeryJu BeryJu merged commit 97a36b6 into main Sep 27, 2024
62 of 64 checks passed
@BeryJu BeryJu deleted the security/CVE-2024-47077 branch September 27, 2024 14:17
gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Sep 27, 2024
@BeryJu
security: fix CVE-2024-47077 (#11535)
899d673 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@gcp-cherry-pick-bot gcp-cherry-pick-bot bot mentioned this pull request Sep 27, 2024
Merged
@BeryJu
Copy link
Member Author

BeryJu commented Sep 27, 2024

/cherry-pick version-2024.6

gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Sep 27, 2024
@BeryJu
security: fix CVE-2024-47077 (#11535)
cf8d398 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@gcp-cherry-pick-bot gcp-cherry-pick-bot bot mentioned this pull request Sep 27, 2024
Merged
BeryJu added a commit that referenced this pull request Sep 27, 2024
@gcp-cherry-pick-bot @BeryJu
security: fix CVE-2024-47077 (cherry-pick #11535) (#11538)
22e586b 
security: fix CVE-2024-47077 (#11535)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
BeryJu added a commit that referenced this pull request Sep 27, 2024
@gcp-cherry-pick-bot @BeryJu
security: fix CVE-2024-47077 (cherry-pick #11535) (#11537)
57a31b5 
security: fix CVE-2024-47077 (#11535)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
@github-actions GitHub Actions
Copy link
Contributor

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-9f4a2f46239a83055a5039d6baf00fc142193a5b
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-9f4a2f46239a83055a5039d6baf00fc142193a5b-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-9f4a2f46239a83055a5039d6baf00fc142193a5b

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-9f4a2f46239a83055a5039d6baf00fc142193a5b-arm64

Afterwards, run the upgrade commands from the latest release notes.

kensternberg-authentik added a commit that referenced this pull request Sep 27, 2024
@kensternberg-authentik
Merge branch 'main' into web/bug/fix-wdio-and-lint
e71e875 
* main:
  website: update release notes for 2024.8.3 and 2024.6.5 (#11541)
  website/docs: added a Docs banner to announce new docs structure (#11525)
  security: fix CVE-2024-47070 (#11536)
  security: fix CVE-2024-47077 (#11535)
  sources/ldap: fix ms_ad userAccountControl not checking for lockout (#11532)
  web: Fix missing integrity fields in package-lock.json (#11509)
  core, web: update translations (#11527)
  core: bump ruff from 0.6.7 to 0.6.8 (#11528)
  web: bump the wdio group across 2 directories with 3 updates (#11529)
  web: bump @patternfly/elements from 4.0.1 to 4.0.2 in /web (#11530)
  web: bump @types/node from 22.7.2 to 22.7.3 in /web (#11531)
kensternberg-authentik added a commit that referenced this pull request Sep 27, 2024
@kensternberg-authentik
Merge branch 'web/bug/fix-wdio-and-lint' into web/element/ak-select-t…
a9bb71a 
…able

* web/bug/fix-wdio-and-lint:
  Forgot to run prettier.
  web: small fixes for wdio and lint
  providers/oauth2: improve indexes on tokens (#11543)
  web: bump API Client version (#11544)
  release: 2024.8.3 (#11542)
  package-lock.json update
  website: update release notes for 2024.8.3 and 2024.6.5 (#11541)
  website/docs: added a Docs banner to announce new docs structure (#11525)
  security: fix CVE-2024-47070 (#11536)
  security: fix CVE-2024-47077 (#11535)
  sources/ldap: fix ms_ad userAccountControl not checking for lockout (#11532)
  web: Fix missing integrity fields in package-lock.json (#11509)
  core, web: update translations (#11527)
  core: bump ruff from 0.6.7 to 0.6.8 (#11528)
  web: bump the wdio group across 2 directories with 3 updates (#11529)
  web: bump @patternfly/elements from 4.0.1 to 4.0.2 in /web (#11530)
  web: bump @types/node from 22.7.2 to 22.7.3 in /web (#11531)
kensternberg-authentik added a commit that referenced this pull request Sep 27, 2024
@kensternberg-authentik
Merge branch 'web/bug/fix-wdio-and-lint' into web/policy-wizard-3
1bcecb2 
* web/bug/fix-wdio-and-lint:
  Forgot to run prettier.
  web: small fixes for wdio and lint
  providers/oauth2: improve indexes on tokens (#11543)
  web: bump API Client version (#11544)
  release: 2024.8.3 (#11542)
  package-lock.json update
  website: update release notes for 2024.8.3 and 2024.6.5 (#11541)
  website/docs: added a Docs banner to announce new docs structure (#11525)
  security: fix CVE-2024-47070 (#11536)
  security: fix CVE-2024-47077 (#11535)
  sources/ldap: fix ms_ad userAccountControl not checking for lockout (#11532)
  web: Fix missing integrity fields in package-lock.json (#11509)
  core, web: update translations (#11527)
  core: bump ruff from 0.6.7 to 0.6.8 (#11528)
  web: bump the wdio group across 2 directories with 3 updates (#11529)
  web: bump @patternfly/elements from 4.0.1 to 4.0.2 in /web (#11530)
  web: bump @types/node from 22.7.2 to 22.7.3 in /web (#11531)
  web: small fixes for wdio and lint
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@BeryJu