Back to all versions
4.15.2
2025-01-27 patch
Bug Fixes 10
- Connection handling in setup after migrations (#12293)Closes currently open database connections after migration steps 40, 64, and 70 to ensure correct type mapping for the eventstore.command2 database type.Setup Database
- Allow overwriting resource owner of events (#12261)Introduced a new eventstore command type with an explicit enforce_owner flag, allowing the eventstore to intentionally overwrite resource owners for aggregates reused across owners.Eventstore
- Accept IDP sessions on passkey registration (#12275)Updated session validation logic to recognize the 'intent' factor, preventing 'You have to authenticate' errors when redirecting to passkey registration after an IDP login.Login V2
- Remove unnecessary entry from default denylist (#12294)Cleaned up the default denylist by removing redundant IPv4-mapped IPv6 entries that are already covered by v4 resolution.Network
- Always validate exp and iat claims of JWT IdPsEnsures that for JWT IdPs, the exp (expiration) and iat (issued at) claims are always validated to prevent token replay or lifetime bypasses.IDP Security
- Client_id verification during code exchange and refresh token flowsCorrectly verify the client_id during code exchange and refresh token flows to prevent impersonation or token leakage.OIDC Security
- JWT IDP: Manage and validate audienceImproved management and validation of the audience (aud) claim for JWT IdPs to ensure tokens are intended for the correct recipient.IDP Security
- Use protected http client for outgoing connectionsEnforces the use of a protected HTTP client for all outgoing connections to mitigate potential SSRF or unintended internal access.Network Security