v6.7.9

concourse-bot released this 12 Oct 19:34

_^🔗 security

Fix team name overwritten bug
- All Concourse versions prior to v6.7.9 is vulnerable to parameter pollution that allows authorization bypass in functionality that is meant to restrict cross team actions. An user in any team could make certain http requests to trigger unauthorized activity for other teams like pausing pipelines, re-triggering builds or exposing pipelines. (#8581)
Bump Dex to v2.35.1 for CVE-2022-39222. (#8582)

📦 Bundled resource types

bosh-io-release: v1.0.5
bosh-io-stemcell: v1.0.5
cf: v1.1.4
docker-image: v1.5.5
git: v1.12.3
github-release: v1.5.5
hg: v1.2.7
mock: v0.11.3
pool: v1.1.7
registry-image: v0.14.2
s3: v1.1.3
semver: v1.2.3
time: v1.4.1
tracker: v1.0.8

Assets 14