Headline
CVE-2021-22565: Release v1.1.2 · google/exposure-notifications-verification-server
An attacker could prematurely expire a verification code, making it unusable by the patient, making the patient unable to upload their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to V1.1.2 or greater.
Security
- SECURITY PATCH! This release fixes an issue where users or API keys with permission to expire verification codes could have expired codes that belonged to another realm if they guessed the UUID.
Self-report
- Allows HTTP GET request method (in addition to POST) for initiating the user report webview. The API key and nonce must still be passed as HTTP headers (unless dev mode is also enabled). dev mode should NOT be enabled in production to avoid logging the API key query params. (#2260, @mikehelmick)
Operations
- Make Cloud Scheduler timezone configurable in Terraform via
var.cloud_scheduler_timezone
and update the default value to UTC time. (#2262, @sethvargo) - Return more detailed responses on code expiration errors. Only return 500 on server-side errors. (#2264, @sethvargo)
Dependencies****Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.