A new patch version KrakenD Enterprise 2.3.3, and another for KrakenD Community 2.4.2 is available on the download page and the Docker registry. Upgrading from any 2.x is backward compatible.
The following security fixes do not seem to have any impact on KrakenD after all the tests performed, but a patch is offered as a cautionary measure.
Summary of changes
We have updated our internal libraries to rectify security issues identified in scans. While these issues do not affect KrakenD’s operations, the updated version provides clean container scans. Notably, CVE-2023-29406, related to HTTP/1 client’s Host header validation, does not impact most users due to our zero-trust security, but may affect those utilizing the non-recommended
input_headers: ["*"] policy.
- Bump golang library addressing CVE-2023-29406
- Bump golang library addressing CVE-2023-32731
- Bump gin framework addressing CVE-2023-29401. KrakenD does not use the affected function.
Upgrading to the latest version is always advised.