Merge pull request #368 from pusher/advisory-notes

Open redirect (security vulnerability) notes

CHANGELOG.md

@@ -17,7 +17,7 @@
 - DigitalOcean provider support added
 
 ## Important Notes
-- (Security) Fix for open redirect vulnerability..  a bad actor using `/\` in redirect URIs can redirect a session to another domain
+- (Security) Fix for [open redirect vulnerability](https://github.com/pusher/oauth2_proxy/security/advisories/GHSA-qqxw-m5fj-f7gv)..  a bad actor using `/\` in redirect URIs can redirect a session to another domain
 
 ## Breaking Changes
 

README.md

@@ -35,6 +35,11 @@ oauth2_proxy-4.0.0.linux-amd64: OK
 3.  [Configure OAuth2 Proxy using config file, command line options, or environment variables](https://pusher.github.io/oauth2_proxy/configuration)
 4.  [Configure SSL or Deploy behind a SSL endpoint](https://pusher.github.io/oauth2_proxy/tls-configuration) (example provided for Nginx)
 
+
+## Security
+
+If you are running a version older than v5.0.0 we **strongly recommend you please update** to a current version. RE: [open redirect vulnverability](https://github.com/pusher/oauth2_proxy/security/advisories/GHSA-qqxw-m5fj-f7gv)
+
 ## Docs
 
 Read the docs on our [Docs site](https://pusher.github.io/oauth2_proxy).