v0.24.0
Changes since v0.23.0
Security
- Fix a security vulnerability where, with a carefully crafted request or malicious proxy, a user with UserWrite permissions could create another user with higher privileges than their own due to insufficient checks on the allowed set of permissions.
- Re-auth login redirect uses an allowlist for post-auth redirects. (#1919, @mikehelmick)
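
The permission fix above concerns a server-side check that a caller cannot grant more than it holds. The following Go sketch of such a check is an added example, not the project's code. It assumes a bitmask permission model; the Permission type, every constant except the UserWrite name, and AuthorizeGrant are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is a bitmask of capabilities. Hypothetical model for illustration;
// only the UserWrite name comes from the release note.
type Permission uint64

const (
	UserRead Permission = 1 << iota
	UserWrite
	CodeIssue
	SettingsWrite
)

var (
	ErrForbidden  = errors.New("caller lacks UserWrite")
	ErrEscalation = errors.New("requested permissions exceed the caller's own")
)

// AuthorizeGrant decides server-side whether a caller holding `actor` may
// create or update a user with `requested`. The request body is untrusted:
// a crafted request or an intercepting proxy can set any bits.
func AuthorizeGrant(actor, requested Permission) error {
	if actor&UserWrite == 0 {
		return ErrForbidden
	}
	// Bits in requested that the caller does not hold, including undefined ones.
	if extra := requested &^ actor; extra != 0 {
		return fmt.Errorf("%w (extra bits %#x)", ErrEscalation, uint64(extra))
	}
	return nil
}

func main() {
	admin := UserRead | UserWrite
	for _, req := range []Permission{UserRead, admin, admin | SettingsWrite, 1 << 40} {
		fmt.Printf("grant %#x -> %v\n", uint64(req), AuthorizeGrant(admin, req))
	}
}
```

The check runs on the permissions resolved from the caller's session, never on a value the client supplies about itself.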
Bug fixes
- Fixes nilptr error in stats puller (not in a previous labeled release) (#1911, @mikehelmick)
System admin
- Add chaff reporting to system admin page. This will show whether a realm has issued any chaff requests in the past 7 days. (#1903, @sethvargo)
Operations
- Add client-side retry logic and parallelize stats puller. The default parallelism is 5, but it can be customized with STATS_PULLER_MAX_WORKERS. There is also a behavior change. The stats-puller previously always returned success (but logged errors on failure). This changes the puller to return a non-200 response code if there are still failures after all retries have executed. (#1905, @sethvargo)
- Allow customizing global log retention period for all services in the project. The default value is 14 days. Note: this differs from the unconfigured value of 30 days! To retain the existing behavior, set log_retention_period to 30 in the Terraform configuration. However, we strongly recommend using a 14-day retention period instead. (#1902, @sethvargo)
- Improve service timeouts. In-request services have a timeout of 10 seconds while background jobs have a timeout of 900s. The Cloud Scheduler timeout (which invokes the background jobs) has a 60s buffer to reduce timeout races. (#1916, @sethvargo)
- Remove modeler backend service (it is not public-facing). (#1917, @sethvargo)
- Set Binary Authorization service annotations on Cloud Run services. (#1909, @sethvargo)
Misc
- Indonesia (id) language translation (#1890, @dwisiswant0)
Dependencies
Added
Nothing has changed.
Changed
- github.com/google/exposure-notifications-server: v0.23.0 → v0.24.0
Removed
Nothing has changed.