diff --git a/docs/self-hosted/oel/keto/changelog/v26.2.10.md b/docs/self-hosted/oel/keto/changelog/v26.2.10.md new file mode 100644 index 000000000..1068972e6 --- /dev/null +++ b/docs/self-hosted/oel/keto/changelog/v26.2.10.md @@ -0,0 +1 @@ +No changelog entries found for keto/oel in versions v26.2.10 diff --git a/docs/self-hosted/oel/keto/changelog/v26.2.9.md b/docs/self-hosted/oel/keto/changelog/v26.2.9.md new file mode 100644 index 000000000..bbfea35fb --- /dev/null +++ b/docs/self-hosted/oel/keto/changelog/v26.2.9.md @@ -0,0 +1,17 @@ +## v26.2.9 + +### Patch security vulnerabilities in dependencies + +Bump several dependencies to patched versions to address security advisories reported by Dependabot. + +Notable updates: + +- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string + literals). +- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface). +- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header). +- `postcss` to `>=8.5.10` (XSS via unescaped `` in CSS stringify output). +- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators). +- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion). +- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`, + `i18next-fs-backend`, `@nestjs/core` to their respective patched versions. diff --git a/docs/self-hosted/oel/kratos/changelog/v26.2.10.md b/docs/self-hosted/oel/kratos/changelog/v26.2.10.md new file mode 100644 index 000000000..5a6c1d191 --- /dev/null +++ b/docs/self-hosted/oel/kratos/changelog/v26.2.10.md 
@@ -0,0 +1,60 @@ +## v26.2.10 + +### Add unified bulk session management endpoint + +The admin session API now exposes a single endpoint for bulk disable and bulk delete operations across multiple identities or +sessions: + +- `POST /admin/sessions` (`manageSessions`) + +The `action` field selects the operation: + +- `action: "disable"` — soft-revoke matching sessions (sets `active = false`, preserves audit data). +- `action: "delete"` — permanently delete matching sessions. + +Targets are filtered by `identities` (a list of identity IDs) or `sessions` (a list of session IDs); exactly one of the two must +be provided. To scope the operation to every session in the network, pass `identities: ["*"]`; the wildcard is not accepted in the +`sessions` field and may not be mixed with explicit IDs. Up to 500 explicit IDs are accepted per call. + +All requests respond `200 OK` with `{"processed": N, "more": }`. `processed` reports how many rows the call affected (for +`disable`, only sessions that were active before the call). `more` is `true` only when a wildcard request reached the per-call +batch limit and additional matching rows may remain; callers should re-issue the same request to continue draining. Explicit-IDs +requests always return `more: false`. + +```ts +client.manageSessions({ action: "disable", identities: ["uuid-a", "uuid-b"] }) +client.manageSessions({ action: "delete", sessions: ["uuid-c"] }) +client.manageSessions({ action: "disable", identities: ["*"] }) +``` + +No existing endpoints are changed. + +### Fix admin identity import for TOTP, lookup-secret, and passkey credentials + +This change fixes two related issues with the admin identity import API (`POST /admin/identities` and +`PUT /admin/identities/{id}`). 
+ +**TOTP and lookup-secret can now be used at AAL2 login after import.** Previously, the import wrote the credential row but did not +write the matching row in `identity_credential_identifiers`, so the AAL2 login flow could not resolve the credential and returned +"You have no TOTP device set up." (`4000015`) for TOTP, or "You have not configured backup codes yet." for lookup-secret. + +**Passkey imports without a `user_handle` are now rejected with a `400`.** A passkey's identifier is the `user_handle` returned by +the authenticator during the WebAuthn assertion. The userHandle is generated at registration time and stored on the authenticator, +so it cannot be reconstructed by the server: the import has to supply it, or inherit it from a previously persisted passkey +credential. Previously, an import that omitted `user_handle` would silently persist a non-functional credential. The import now +rejects this case up front, and also rejects imports that supply an empty `credentials.passkey.config.credentials` list. + +### Reject imported password hashes with extreme cost parameters + +Kratos now bounds the cost parameters embedded in imported password hashes. Hashes that declare cost parameters far above any sane +production value are rejected at the admin identity import API with a `400 Bad Request`, and at login time the comparator returns +a clear error instead of allocating gigabytes of memory or running for hours. + +This closes a denial-of-service class where an attacker with write access to the identity graph could persist a hash whose decoded +parameters would crash the Kratos process on every subsequent login attempt for that identity. + +The bounds apply to Argon2 (`m`, `t`, `p`), PBKDF2 (`i`), plain scrypt (`N`, `r`, `p`), Firebase scrypt (`ln`, `r`, `p`), and +bcrypt (`cost`). 
They are set comfortably above strong real-world configurations: Argon2 memory up to 1 GiB, PBKDF2 iterations up +to 10,000,000, scrypt N up to 2^20, Firebase scrypt `ln` up to 17, and bcrypt cost up to 17. + +Imports of correctly-configured hashes are unaffected. diff --git a/docs/self-hosted/oel/kratos/changelog/v26.2.9.md b/docs/self-hosted/oel/kratos/changelog/v26.2.9.md new file mode 100644 index 000000000..d0087d58d --- /dev/null +++ b/docs/self-hosted/oel/kratos/changelog/v26.2.9.md 
@@ -0,0 +1,42 @@ +## v26.2.9 + +### Harden identity-schema loading against denial-of-service + +Adds a structural pre-parse gate to identity-schema loading. Before a customer-supplied schema reaches the upstream JSON Schema +compiler, kratos now rejects schemas that exceed any of the following limits: + +- 1 MiB body size on the fetched schema document. +- 32 levels of nested objects or arrays. +- 1024 keys per object (`properties`, `patternProperties`, `$defs`, etc.). +- 128 elements per array (`allOf`, `anyOf`, `oneOf`, tuple `items`, etc.). +- 8192 total nodes across the schema tree. + +The same pass also rejects `$ref` values that resolve to the document root (`#`, `#/`, or empty) — these produce a +self-referential pointer in the compiled schema and would otherwise crash the kratos process via fatal stack overflow at validate +time. Invalid regular expressions in `pattern` and `patternProperties` keys are now caught up front, instead of panicking deep in +the upstream compiler. + +When kratos fetches a schema URL outside of an HTTP request context (for example from a background task), the loader now attaches +an SSRF-guarded HTTP client by default. Request paths that already attach a configured client via the request middleware are +unaffected. + +The Ory Network HTTP cache for identity schemas now caps response bodies at the same 1 MiB limit and refuses to cache anything +larger. + +Existing identity schemas at realistic sizes (well under all limits) are unaffected. + +### Patch security vulnerabilities in dependencies + +Bump several dependencies to patched versions to address security advisories reported by Dependabot. + +Notable updates: + +- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string + literals). +- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface). 
+- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header). +- `postcss` to `>=8.5.10` (XSS via unescaped `` in CSS stringify output). +- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators). +- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion). +- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`, + `i18next-fs-backend`, `@nestjs/core` to their respective patched versions. diff --git a/docs/self-hosted/oel/oathkeeper/changelog/v26.2.10.md b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.10.md new file mode 100644 index 000000000..0e016df2c --- /dev/null +++ b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.10.md @@ -0,0 +1,7 @@ +## v26.2.10 + +### Add rule ID and OpenTelemetry trace context to Oathkeeper logs + +Oathkeeper proxy and decision API log entries now include the matched access rule ID as `rule_id` and, when an OpenTelemetry span +is in scope, the trace and span ID as `otel.trace_id` and `otel.span_id`. The trace fields use the same shape as other Ory +services, so you can correlate Oathkeeper log entries with traces and with logs from upstream services without custom mapping. diff --git a/docs/self-hosted/oel/oathkeeper/changelog/v26.2.9.md b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.9.md new file mode 100644 index 000000000..bbfea35fb --- /dev/null +++ b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.9.md 
@@ -0,0 +1,17 @@ +## v26.2.9 + +### Patch security vulnerabilities in dependencies + +Bump several dependencies to patched versions to address security advisories reported by Dependabot. + +Notable updates: + +- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string + literals). +- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface). +- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header). +- `postcss` to `>=8.5.10` (XSS via unescaped `` in CSS stringify output). +- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators). +- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion). +- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`, + `i18next-fs-backend`, `@nestjs/core` to their respective patched versions. diff --git a/docs/self-hosted/oel/oauth2/changelog/v26.2.10.md b/docs/self-hosted/oel/oauth2/changelog/v26.2.10.md new file mode 100644 index 000000000..e4056c106 --- /dev/null +++ b/docs/self-hosted/oel/oauth2/changelog/v26.2.10.md @@ -0,0 +1,6 @@ +## v26.2.10 + +### Don't log spurious errors in Hydra OAuth 2.0 flows + +This change removes spurious "the OAuth 2.0 Authorization request must be aborted" messages from Hydra's logs, which do not +indicate an error but simply that the user has been redirected. diff --git a/docs/self-hosted/oel/oauth2/changelog/v26.2.9.md b/docs/self-hosted/oel/oauth2/changelog/v26.2.9.md new file mode 100644 index 000000000..bbfea35fb --- /dev/null +++ b/docs/self-hosted/oel/oauth2/changelog/v26.2.9.md 
@@ -0,0 +1,17 @@ +## v26.2.9 + +### Patch security vulnerabilities in dependencies + +Bump several dependencies to patched versions to address security advisories reported by Dependabot. + +Notable updates: + +- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string + literals). +- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface). +- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header). +- `postcss` to `>=8.5.10` (XSS via unescaped `` in CSS stringify output). +- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators). +- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion). +- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`, + `i18next-fs-backend`, `@nestjs/core` to their respective patched versions. diff --git a/docs/self-hosted/oel/oel-hydra-image-tags.md b/docs/self-hosted/oel/oel-hydra-image-tags.md index 91bd4c27d..1e5371a02 100644 --- a/docs/self-hosted/oel/oel-hydra-image-tags.md +++ b/docs/self-hosted/oel/oel-hydra-image-tags.md @@ -1,5 +1,7 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.10 | 2026-05-11 | +| 26.2.9 | 2026-05-04 | | 26.2.8 | 2026-04-28 | | 26.2.7 | 2026-04-24 | | 26.2.6 | 2026-04-22 | diff --git a/docs/self-hosted/oel/oel-keto-image-tags.md b/docs/self-hosted/oel/oel-keto-image-tags.md index 8203ed3e9..6f4343ca2 100644 --- a/docs/self-hosted/oel/oel-keto-image-tags.md +++ b/docs/self-hosted/oel/oel-keto-image-tags.md @@ -1,5 +1,7 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.10 | 2026-05-11 | +| 26.2.9 | 2026-05-04 | | 26.2.8 | 2026-04-28 | | 26.2.7 | 2026-04-24 | | 26.2.6 | 2026-04-22 | 
diff --git a/docs/self-hosted/oel/oel-kratos-image-tags.md b/docs/self-hosted/oel/oel-kratos-image-tags.md index 39665bcdb..fd1a11a35 100644 --- a/docs/self-hosted/oel/oel-kratos-image-tags.md +++ b/docs/self-hosted/oel/oel-kratos-image-tags.md @@ -1,5 +1,7 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.10 | 2026-05-11 | +| 26.2.9 | 2026-05-04 | | 26.2.8 | 2026-04-28 | | 26.2.7 | 2026-04-24 | | 26.2.6 | 2026-04-22 | diff --git a/docs/self-hosted/oel/oel-oathkeeper-image-tags.md b/docs/self-hosted/oel/oel-oathkeeper-image-tags.md index 065bba49e..6becfcdd3 100644 --- a/docs/self-hosted/oel/oel-oathkeeper-image-tags.md +++ b/docs/self-hosted/oel/oel-oathkeeper-image-tags.md @@ -1,5 +1,7 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.10 | 2026-05-11 | +| 26.2.9 | 2026-05-04 | | 26.2.8 | 2026-04-28 | | 26.2.7 | 2026-04-24 | | 26.2.6 | 2026-04-22 | diff --git a/docs/self-hosted/oel/oel-polis-image-tags.md b/docs/self-hosted/oel/oel-polis-image-tags.md index b368d29fd..ed514ec89 100644 --- a/docs/self-hosted/oel/oel-polis-image-tags.md +++ b/docs/self-hosted/oel/oel-polis-image-tags.md @@ -1,5 +1,7 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.10 | 2026-05-11 | +| 26.2.9 | 2026-05-04 | | 26.2.8 | 2026-04-28 | | 26.2.7 | 2026-04-24 | | 26.2.6 | 2026-04-22 | diff --git a/docs/self-hosted/oel/polis/changelog/v26.2.10.md b/docs/self-hosted/oel/polis/changelog/v26.2.10.md new file mode 100644 index 000000000..a49c8e022 --- /dev/null +++ b/docs/self-hosted/oel/polis/changelog/v26.2.10.md @@ -0,0 +1 @@ +No changelog entries found for polis/oel in versions v26.2.10 diff --git a/docs/self-hosted/oel/polis/changelog/v26.2.9.md b/docs/self-hosted/oel/polis/changelog/v26.2.9.md new file mode 100644 index 000000000..bbfea35fb --- /dev/null +++ b/docs/self-hosted/oel/polis/changelog/v26.2.9.md 
@@ -0,0 +1,17 @@ +## v26.2.9 + +### Patch security vulnerabilities in dependencies + +Bump several dependencies to patched versions to address security advisories reported by Dependabot. + +Notable updates: + +- `github.com/jackc/pgx/v5` to `v5.9.2` across all Go modules (SQL injection via placeholder confusion in dollar-quoted string + literals). +- `github.com/moby/spdystream` to `v0.5.1` (denial of service on container runtime interface). +- `go.opentelemetry.io/otel` to `v1.41.0` (remote DoS amplification via multi-value baggage header). +- `postcss` to `>=8.5.10` (XSS via unescaped `` in CSS stringify output). +- `uuid` to `>=14.0.0` (missing buffer bounds check in v3/v5/v6 generators). +- `@xmldom/xmldom` to `>=0.8.13` (XML node injection and uncontrolled recursion). +- `axios`, `follow-redirects`, `lodash`, `picomatch`, `brace-expansion`, `serialize-javascript`, `yaml`, `file-type`, + `i18next-fs-backend`, `@nestjs/core` to their respective patched versions.
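Review bot: In the `v26.2.9.md` dependency changelog (blob `bbfea35fb`, added identically under keto, oathkeeper, oauth2 and polis, and repeated inline in kratos), the `postcss` bullet has an empty backtick pair, "XSS via unescaped `` in CSS stringify output", so the name of the character that goes unescaped was lost and the line no longer tells the reader what the advisory is about; restore the character or reword to "XSS via unescaped output in CSS stringify". Since the same blob is reused for four services, please also confirm that each of them actually ships the npm packages listed (`postcss`, `uuid`, `@xmldom/xmldom`, `@nestjs/core`, ...) or say explicitly that this is a shared, organisation-wide bump, so operators of a single service can tell which advisories apply to the image they run.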
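Review bot: In the kratos `v26.2.10.md` hunk, the response shape for `POST /admin/sessions` is rendered as `{"processed": N, "more": }` with nothing after `"more":`; the boolean placeholder was evidently dropped, so write it as `{"processed": N, "more": true|false}` (or `<bool>`) to match the prose that follows. The same section says `more` is `true` when a wildcard request "reached the per-call batch limit" but never states that limit, which callers need in order to plan how many times to re-issue an `identities: ["*"]` drain, especially for `action: "delete"`, which is irreversible; please add the batch size next to the 500-explicit-ID figure. Two smaller points in the same file: "Explicit-IDs requests" should read "Explicit-ID requests", and the passkey paragraph switches between `user_handle` and "The userHandle"; use one spelling.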
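Review bot: In the kratos `v26.2.10.md` "Reject imported password hashes with extreme cost parameters" section, the text says out-of-bounds hashes are refused at import with `400 Bad Request` and that "at login time the comparator returns a clear error", but it does not say what that login-time error looks like to the operator or the end user, nor how an operator can find identities whose already-persisted hashes now exceed the new bounds and will fail every login until re-imported; a sentence naming the error and suggesting a query or log field to look for would make the change actionable for existing deployments.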
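Review bot: In the kratos `v26.2.9.md` "Harden identity-schema loading against denial-of-service" section, the five size and depth limits are listed, but the text does not say what error a rejected schema produces (at schema load, at identity creation, or at startup) or whether any of the limits are operator-configurable, so an administrator whose schema trips one of them has no pointer to the symptom; please add the rejection error and a note on configurability, and confirm that the 1 MiB cap on the Ory Network schema cache is the same number as the loader limit rather than a coincidence. Minor: this file writes "kratos" in lowercase while the v26.2.10 file writes "Kratos"; pick one.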
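Review bot: The keto and polis `v26.2.10.md` files consist of the single generated line "No changelog entries found for keto/oel in versions v26.2.10" (and the polis equivalent), which reads as tool output rather than documentation and uses the plural "versions" for one release; either replace it with a short human-readable sentence such as "No user-facing changes in this release; the image was rebuilt with the v26.2.9 dependency updates" (if that is accurate) or do not publish the file, so the rendered changelog page does not show a stub.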