Hi coreos-dev,

Last week, we found a security vulnerability in Dex v2.0 concerning LDAP. This security vulnerability only affects Tectonic users using the LDAP connector with LDAP servers that allow unauthenticated binds. Many IT organizations disable this by default and no customers have been found vulnerable.

Dex v2.4.1 now protects against this. We just released a security patch in Tectonic 1.5.7 <https://coreos.com/tectonic/releases/>, which includes Dex v2.4.1. Those who enabled Tectonic’s experimental Operators and are using Tectonic v1.5.2-tectonic.2 or later should be able to upgrade directly from their Console’s Cluster Settings screen. All other Tectonic users are encouraged to spin up 1.5.7 clusters and migrate workloads to Tectonic 1.5.7.

Rob Szumski
Tectonic Product Manager, CoreOS
