chore: add release notes to doc/

2025-09-05 04:24:11 +08:00 · 2024-12-10 12:53:57 +00:00 · 2024-12-10 12:53:57 +00:00 · 4062b3e046
commit 4062b3e046
parent ad54cc6aad
46 changed files with 1130 additions and 0 deletions
--- a/doc/release-notes/v3.00.00.md
+++ b/doc/release-notes/v3.00.00.md
@ -0,0 +1 @@
+This is the first public release!
--- a/doc/release-notes/v3.00.01.md
+++ b/doc/release-notes/v3.00.01.md
@ -0,0 +1,7 @@
+- feat: add OpenSUSE 15.2 to the officially supported distros
+- enh: install-ttyrec.sh: replaces build-and-install-ttyrec.sh, no longer builds in-place but prefers .deb and .rpm packages & falls back to precompiled static binaries otherwise
+- enh: packages-check.sh: add qrencode-libs for RHEL/CentOS
+- enh: provide a separated Dockerfile for the sandbox, squashing useless layers
+- doc: a lot of fixes here and there
+- chore: remove spurious config files
+- chore: a few GitHub actions workflow fixes
--- a/doc/release-notes/v3.00.02.md
+++ b/doc/release-notes/v3.00.02.md
@ -0,0 +1,4 @@
+- feat: add more archs to dockerhub sandbox, it is now available for `linux/386`, `linux/amd64`, `linux/arm/v6`, `linux/arm/v7`, `linux/arm64`, `linux/ppc64le` and `linux/s390x`.
+- fix: `adminSudo`: allow called plugins to read from stdin
+- fix: add missing `echo` in the entrypoint of the sandbox
+- chore: `install-ttyrec.sh`: adapt for multiarch
--- a/doc/release-notes/v3.01.00.md
+++ b/doc/release-notes/v3.01.00.md
@ -0,0 +1,19 @@
+**Changelog:**
+- feat: add FreeBSD 12.1 to automated tests, and multiple fixes to get back proper FreeBSD compatibility/experience
+- feat: partial MFA support for FreeBSD
+- feat: add `interactiveModeByDefault` option (#54)
+- feat: install: add SELinux module for TOTP MFA (#26)
+- enh: httpproxy: add informational headers to the egress side request
+- fix: osh.pl: validate remote user and host format to fail early if invalid
+- fix: osh-encrypt-rsync.pl: allow more broad chars to avoid letting weird-named files behind
+- fix: osh-backup-acl-keys.sh: don't exclude .gpg, or we miss `/root/.gnupg/secring.gpg`
+- fix: selfListSessions: bad sorting of the list
+- misc: a few other fixes here and there
+
+[How to upgrade](https://ovh.github.io/the-bastion/installation/upgrading.html)
+
+**Specific upgrade instructions:**
+
+A new `bastion.conf` option was introduced: *interactiveModeByDefault*. If not present in your config file, its value defaults to 1 (true), which changes the behavior of The Bastion when a user connects without specifying any command. When this happens, it'll now display the help then drop the user into interactive mode (if this mode is enabled), instead of displaying the help and aborting with an error message. Set it to 0 (false) if you want to keep the previous behavior.
+
+An SELinux module has been added in this version, to ensure TOTP MFA works correctly under systems where SELinux is on enforcing mode. This module will be installed automatically whenever SELinux is detected on the system. If you don't want to use this module, specify `--no-install-selinux-module` on your `/opt/bastion/bin/admin/install` upgrade call (please refer to the generic upgrade instructions for more details).
--- a/doc/release-notes/v3.01.01.md
+++ b/doc/release-notes/v3.01.01.md
@ -0,0 +1,10 @@
+**Changelog:**
+- fix: interactive mode: mark non-printable chars as such to avoid readline quirks
+- fix: osh-encrypt-rsync: remove `logfile` as a mandatory parameter
+- fix: typo in `MFAPasswordWarnDays` parameter in `bastion.conf.dist`
+- enh: interactive mode: better autocompletion for `accountCreate` and `adminSudo`
+- enh: allow dot in group name as it is allowed in account, and adjust sudogen accordingly
+- doc: add information about `puppet-thebastion` and `yubico-piv-checker` + some adjustments
+- chore: tests: fail the tests when code is not tidy
+
+[How to upgrade](https://ovh.github.io/the-bastion/installation/upgrading.html)
--- a/doc/release-notes/v3.01.02.md
+++ b/doc/release-notes/v3.01.02.md
@ -0,0 +1,9 @@
+**Changelog:**
+- feat: support CentOS 8.3
+- fix: is_valid_remote_user: extend allowed size from 32 to 128
+- doc: `bastions.conf.dist`: wrong options values in `accountMFAPolicy` comments
+- chore: packages-check: remove unused packages
+
+Now we're supporting (and automatically testing) the last 3 point releases of CentOS 7 and CentOS 8, to allow for a smoother upgrade path. Previously, we would only test the latest point release.
+
+[How to upgrade](https://ovh.github.io/the-bastion/installation/upgrading.html)
--- a/doc/release-notes/v3.01.03.md
+++ b/doc/release-notes/v3.01.03.md
@ -0,0 +1,5 @@
+- fix: sudogen: don't check for account/groups validity too much when deleting them (fixes #86)
+- fix: guests: get rid of ghost guest accesses in corner cases (fixes internal ticket)
+- fix: osh.pl: plugin_config 'disabled' key is a boolean
+- chore: speedup tests by ~20%
+- chore: osh-accountDelete: fix typo
--- a/doc/release-notes/v3.01.99-rc1.md
+++ b/doc/release-notes/v3.01.99-rc1.md
@ -0,0 +1,19 @@
+This is a **release-candidate**.
+
+As several important pull-requests have been merged, we're starting with a rc, which will be tested in the field for a few days. If no regression or blocking bug is found within ~2 weeks, the next v3.02.00 stable version will be released.
+
+- feat: add support for a PIV-enforced policy (see https://ovh.github.io/the-bastion/using/piv)
+- feat: more information in the logs (see https://ovh.github.io/the-bastion/installation/upgrading.html#version-specific-upgrade-instructions and the logs documentation https://ovh.github.io/the-bastion/administration/logs.html)
+- feat: realms: use remote bastion MFA validation information for local policy enforcement
+- feat: add `LC_BASTION_DETAILS` envvar
+- feat: `accountModify`: add `--osh-only` (closes #97)
+- enh: satellite scripts: better error handling
+- enh: config: better parsing and normalization
+- fix: proper sqlite log location for invalid realm accounts
+- fix: tests: syslog-logged errors were not counted towards the total
+- fix: groupList: remove 9K group limit
+- fix: global-log: directly set proper perms on file creation
+- fix: realmDelete: bad sudoers configuration
+- fix: remove useless warning when there is no guest access
+- chore: tests: remove OpenSUSE Leap 15.0 (due to https://bugzilla.opensuse.org/show_bug.cgi?id=1146027)
+- chore: a few other fixes & enhancements around tests, documentation, perlcritic et al.
--- a/doc/release-notes/v3.01.99-rc2.md
+++ b/doc/release-notes/v3.01.99-rc2.md
@ -0,0 +1,8 @@
+This is a **release-candidate**.
+
+As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~2 weeks, the next v3.02.00 stable version will be released.
+
+The following changes have been done since the previous rc:
+- fix: re-introduce the ttyrecfile field (fixes #114)
+- fix: logs: sql dbname was not properly passed through the update logs func (fixes #114)
+- doc: upgrade: add a note about config normalization
--- a/doc/release-notes/v3.01.99-rc3.md
+++ b/doc/release-notes/v3.01.99-rc3.md
@ -0,0 +1,15 @@
+This is a **release-candidate**.
+
+As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released.
+This rc (rc3) is expected to be the last before the release.
+
+The following changes have been done since the previous rc:
+- feat: `rootListIngressKeys`: look for all well-known authkeys files
+- feat: add `--(in|ex)clude` filters to `groupList` and `accountList`
+- enh: `groupList`: use cache to speedup calls
+- enh: config: detect `warnBefore`/`idleTimeout` misconfiguration (#125)
+- fix: scripts: `(( ))` returns 1 if evaluated to zero, hence failing under `set -e`
+- fix: config: be more permissive for `documentationURL` regex
+- fix: TOCTTOU fixes in ttyrec rotation script and lingering sessions reaper
+- fix: confusing error messages in `groupDelServer`
+- chore: tests: also update totalerrors while tests are running
--- a/doc/release-notes/v3.01.99-rc4.md
+++ b/doc/release-notes/v3.01.99-rc4.md
@ -0,0 +1,8 @@
+This is a release-candidate.
+
+As several important pull-requests have been merged, we're starting with rc series, which will be tested in the field for a few days. If no regression or blocking bug is found within ~1 week, the next v3.02.00 stable version will be released.
+This rc (rc4) is expected to be the last before the release.
+
+The following changes have been done since the previous rc:
+
+- fix: admins no longer inherited superowner powers
--- a/doc/release-notes/v3.02.00.md
+++ b/doc/release-notes/v3.02.00.md
@ -0,0 +1,35 @@
+Changes since **v3.01.03**:
+
+- feat: add support for a PIV-enforced policy (see https://ovh.github.io/the-bastion/using/piv)
+- feat: more information in the logs (see https://ovh.github.io/the-bastion/installation/upgrading.html#version-specific-upgrade-instructions and the logs documentation https://ovh.github.io/the-bastion/administration/logs.html)
+- feat: realms: use remote bastion MFA validation information for local policy enforcement
+- feat: add `LC_BASTION_DETAILS` envvar
+- feat: `accountModify`: add `--osh-only` (closes #97)
+- feat: `rootListIngressKeys`: report keys found in all well-known authkeys files, not just the one used by The Bastion
+- feat: add `--(in|ex)clude` filters to `groupList` and `accountList`
+- enh: `groupList`: use cache to speedup calls
+- enh: satellite scripts: better error handling
+- enh: config: better parsing and normalization
+- enh: config: detect `warnBefore`/`idleTimeout` misconfiguration (#125)
+- fix: config: be more permissive for `documentationURL` validation regex
+- fix: `TOCTTOU` fixes in ttyrec rotation script and lingering sessions reaper
+- fix: confusing error messages in `groupDelServer`
+- fix: proper sqlite log location for invalid realm accounts
+- fix: tests: syslog-logged errors were not counted towards the total
+- fix: `groupList`: remove 9K group limit
+- fix: global-log: directly set proper perms on file creation
+- fix: `realmDelete`: invalid sudoers configuration
+- fix: remove useless warning when there is no guest access
+- chore: tests: remove OpenSUSE Leap 15.0 (due to https://bugzilla.opensuse.org/show_bug.cgi?id=1146027)
+- chore: a few other fixes & enhancements around tests, documentation, perlcritic et al.
+
+**General upgrade instructions:**
+[How to upgrade](https://ovh.github.io/the-bastion/installation/upgrading.html)
+
+**Specific upgrade instructions:**
+Please [read through the details](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-02-00-2021-02-01), in a nutshell:
+- Logs have been enhanced
+- The main configuration file now supports proper booleans (in a backward compatible way)
+
+
+
--- a/doc/release-notes/v3.03.00.md
+++ b/doc/release-notes/v3.03.00.md
@ -0,0 +1,21 @@
+Changes:
+
+- feat: transmit PIV enforcement status to remote realms, so that the remote policy can be enforced (#33)
+- feat: add `groupGenerateEgressKey` and `groupDelEgressKey` (#135)
+- feat: auto-add hostname as comment in `groupAddServer` and `selfAddPersonalAccesss` (side-note in #60)
+- enh: `groupAddGuestAccess` now supports setting a comment (#17, #18)
+- enh: `groupAddServer`: augment the returned JSON with the added server details
+- enh: move unexpected-sudo messages from `security` to `code-warning` type
+- enh: egress ssh key: compute an ID so that keys can be pointed to and deleted
+- fix: `groupDelGuestAccess`: deleting a guest access returned an error on TTL-forced groups
+- fix: groupSetRole(): pass sudo param to subfuncs to avoid a security warning
+- fix: execute(): remove osh_warn on tainted params to avoid exposing arguments on coding error
+- fix: `groupModify`: deny early if user is not an owner of the group
+- enh: `groupInfo`: nicer message when no egress key exists
+- enh: `install`: use in-place overwrite for sudoers files, the 3-seconds wait by default has been removed (and the `--no-wait` parameter is now a no-op)
+- fix: `interactive`: omit inactivity message warning when set to 0 seconds
+- a few other internal fixes here and there
+
+**General upgrade instructions:** [How to upgrade](https://ovh.github.io/the-bastion/installation/upgrading.html)
+
+**Specific upgrade instructions:** none
--- a/doc/release-notes/v3.03.01.md
+++ b/doc/release-notes/v3.03.01.md
@ -0,0 +1,17 @@
+Changes:
+
+- enh: `osh-orphaned-homedir.sh`: add more security checks to ensure we don't archive still-used home dirs
+- enh: install.inc: try harder to hit GitHub API in CI
+- fix: `fixrights.sh`: 'chmod --' not supported under FreeBSD
+- fix: `packages-check.sh`: centos: ensure cache is up to date before trying to install packages
+- fix: `groupDelServer`: missing autocompletion in interactive mode
+- fix: `install-yubico-piv-checker`: ppc64le installation was broken
+- fix: `scp`: abort early if host is not found to avoid a warn()
+- fix: `osh-backup-acl-keys`: detect file removed transient error
+- fix: add a case to the ignored perl panic race condition
+- chore: `mkdir -p` doesn't fail if dir already exists
+- chore: tests: support multiple unit-test files
+
+**General upgrade instructions:** [How to upgrade](https://ovh.github.io/the-bastion/installation/upgrading.html)
+
+**Specific upgrade instructions:** none
--- a/doc/release-notes/v3.03.99-rc1.md
+++ b/doc/release-notes/v3.03.99-rc1.md
@ -0,0 +1,32 @@
+# :warning: This is a release candidate
+
+As several important pull-requests have been merged, we're starting a **release candidate cycle**.
+This pre-release which will be battle-tested in the field for a few days.
+
+Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain to use this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
+
+Prerequisites before this version goes stable:
+- No regression or blocking bug is found within ~2 weeks
+- A minimal documentation about the HTTP Proxy is published
+
+# :pushpin: Changes
+
+- feat: add the `groupDestroy` command for owners
+- feat: add filtering options to several commands: `--include` and `--exclude` to `selfListAccesses`, `accountListAccesses`, `accountList`, `groupList`, `groupListServers` (#60)
+- feat: http proxy: greatly optimize performance for large payload responses
+- feat: `accountModify`: add a new `accept-new` POLICY in `egress-strict-host-key-checking` parameter (@jonathanmarsaud)
+- feat: add UTF-8 chars to output when supported and allowed (new `allowUTF8` option)
+- enh: nicify the output of *print_acls()*, by omitting empty columns from output and properly aligning vertically, rendering `selfListAccesses`, `accountListAccesses`, `groupListServers` and `groupListAccesses` output more easily readable
+- enh: http proxy: add options to fine-tune logging
+- enh: clearer error message on non-existing group
+- enh: `setup-encryption.sh`: check that `luks-config.sh` exists (#181)
+- enh: `setup-gpg.sh`: clarify the use of `^D` with `--import` (#179)
+- enh: http proxy: add functional tests framework for this feature, along with the first tests
+- fix: `groupCreate`: deny groups starting with 'key' (#178)
+- fix: superowners need to have `+x` on group homes
+- doc: FreeBSD 13.0 is now tested instead of 12.1
+
+# :fast_forward: Upgrading
+
+- General upgrade instructions: [How to upgrade](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- Specific upgrade instructions: none
--- a/doc/release-notes/v3.03.99-rc2.md
+++ b/doc/release-notes/v3.03.99-rc2.md
@ -0,0 +1,31 @@
+# :warning: This is a release candidate
+
+Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain to use this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
+
+This version will go stable in a few days if no regression is found.
+
+# :bulb: Highlights
+
+A lot of documentation landed in this version, such as [details about the access management](https://ovh.github.io/the-bastion/using/basics/access_management.html), [PIV keys support](https://ovh.github.io/the-bastion/using/piv.html), [SCP support](https://ovh.github.io/the-bastion/using/scp.html), [the HTTPS Proxy module](https://ovh.github.io/the-bastion/using/http_proxy.html). The reference of the [osh-http-proxy.conf](https://ovh.github.io/the-bastion/administration/configuration/osh-http-proxy_conf.html) file has also been published.
+
+The following operating systems are no longer supported, as they've been EOL for quite a while. The code may continue to work, but these are no longer part of the tests:
+- Debian 8
+- Ubuntu 14.04
+- OpenSUSE 15.0/15.1
+
+# :pushpin: Changes
+
+- OS support: drop EOL OSes: Debian 8, Ubuntu 14.04, OpenSUSE 15.0/15.1, add OpenSUSE 15.3
+- feat: add admin and super owner accounts list in `info` plugin (#206)
+- enh: replace bool 'allowUTF8' (introduced in rc1) by 'fanciness' enum
+- enh: tests: refactor the framework for more maintainability
+- fix: `setup-first-admin-account.sh`: support to add several admins (#202)
+- fix: use local `$\_` before `while(<>)` loops
+- doc: added a lot of new content
+- doc: `clush`: document `--user` and `--port`
+- doc: several other fixes here and there
+
+# :fast_forward: Upgrading
+
+- General upgrade instructions: [How to upgrade](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- Specific upgrade instructions: *Only if you're upgrading from rc1*: the `allowUTF8` option in `bastion.conf` has been renamed to `fanciness`. This is no longer a bool, but an enum. Replace `true` by `full` and `false` by `none`.
--- a/doc/release-notes/v3.04.00.md
+++ b/doc/release-notes/v3.04.00.md
@ -0,0 +1,40 @@
+# :bulb: Highlights
+
+A lot of documentation landed in this version, such as [details about the access management](https://ovh.github.io/the-bastion/using/basics/access_management.html), [PIV keys support](https://ovh.github.io/the-bastion/using/piv.html), [SCP support](https://ovh.github.io/the-bastion/using/scp.html), [the HTTPS Proxy module](https://ovh.github.io/the-bastion/using/http_proxy.html). The reference of the [osh-http-proxy.conf](https://ovh.github.io/the-bastion/administration/configuration/osh-http-proxy_conf.html) file has also been published.
+
+The following operating systems are no longer supported, as they've been EOL for quite a while. The code may continue to work, but these are no longer part of the tests:
+- Debian 8
+- Ubuntu 14.04
+- OpenSUSE 15.0/15.1
+
+The following additional OSes major versions are now supported and part of the automated tests:
+- OpenSUSE 15.3
+
+# :pushpin: Changes
+
+- OS support: drop EOL OSes: Debian 8, Ubuntu 14.04, OpenSUSE 15.0/15.1, add OpenSUSE 15.3
+- feat: add the `groupDestroy` command for group owners
+- feat: add filtering options to several commands: `--include` and `--exclude` to `selfListAccesses`, `accountListAccesses`, `accountList`, `groupList`, `groupListServers` (#60)
+- feat: http proxy: greatly optimize performance for large payload responses (x10 or more)
+- feat: `accountModify`: add a new `accept-new` POLICY in `egress-strict-host-key-checking` parameter (@jonathanmarsaud)
+- feat: add UTF-8 chars to output when supported and allowed (new `fanciness` option)
+- feat: add admin and super owner accounts list in `info` plugin (#206)
+- enh: tests: refactor the framework for more maintainability
+- enh: nicify the output of *print_acls()*, by omitting empty columns from output and properly aligning vertically, rendering `selfListAccesses`, `accountListAccesses`, `groupListServers` and `groupListAccesses` output more easily readable
+- enh: http proxy: add options to fine-tune logging
+- enh: clearer error message on non-existing group
+- enh: `setup-encryption.sh`: check that `luks-config.sh` exists (#181)
+- enh: `setup-gpg.sh`: clarify the use of `^D` with `--import` (#179)
+- enh: http proxy: add functional tests framework for this feature, along with the first tests
+- fix: `setup-first-admin-account.sh`: support to add several admins (#202)
+- fix: localize `$_` before `while(<>)` loops
+- fix: `groupCreate`: deny groups starting with '*key*' (#178)
+- fix: superowners need to have `+x` on group homes
+- doc: added a lot of new content (see highlights)
+- doc: `clush`: document `--user` and `--port`
+- doc: several other fixes here and there
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.04.00](https://ovh.github.io/the-bastion/installation/upgrading.html)
--- a/doc/release-notes/v3.05.00.md
+++ b/doc/release-notes/v3.05.00.md
@ -0,0 +1,37 @@
+# :bulb: Highlights
+
+Documentation about the following satellite configuration files is now automatically generated:
+- The script responsible for encrypting and optionally moving the ttyrec files out of the server ([osh-encrypt-rsync.conf](https://ovh.github.io/the-bastion/administration/configuration/osh-encrypt-rsync_conf.html))
+- The script responsible for backing up everything needed to be able to restore a bastion from scratch ([osh-backup-acl-keys.conf](https://ovh.github.io/the-bastion/administration/configuration/osh-backup-acl-keys_conf.html))
+- The script responsible for the expiration of PIV grace periods ([osh-piv-grace-reaper.conf](https://ovh.github.io/the-bastion/administration/configuration/osh-piv-grace-reaper_conf.html))
+- The script responsible for the HA synchronization between instances ([osh-sync-watcher.conf](https://ovh.github.io/the-bastion/administration/configuration/osh-sync-watcher_sh.html))
+
+Good news for people having a hard time coming up with creative account names: these can now be up to 28 characters long, up from the previous 18 characters limit.
+
+`accountInfo` gets a speed boost by no longer listing the user's groups by default, you can still specify `--list-groups` to get them.
+
+Individual accounts can now be configured to be immune to the global account expiration policy, see the `--max-inactive-days` option of both `accountCreeate` and `accountModify` commands.
+
+We're also paving the way for Debian 11. All tests have been running fine since some time now, and starting from this release the pam template will now use `pam_faillock` under Debian 11 instead of the deprecated `pam_tally2` module.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+
+   - feat: support pam_faillock for Debian 11 (#163)
+   - feat: add `--fallback-password-delay` (3) for ssh password autologin
+   - enh: add `max_inactive_days` to account configuration (#230)
+   - enh: `accountInfo`: add `--list-groups`
+   - enh: max account length is now 28 chars up from 18
+   - enh: better error message when unknown option is used
+   - enh: better use of account creation metadata
+   - enh: config reading: add rootonly parameter
+   - fix: `accountCreate`: `--uid-auto`: rare case where a free UID couldn't be found
+   - doc: generate scripts doc reference for satellite scripts
+   - doc: add faq about session locking (#226)
+   - misc: a few other unimportant fixes
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.05.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-05-00-2021-09-14)
--- a/doc/release-notes/v3.05.01.md
+++ b/doc/release-notes/v3.05.01.md
@ -0,0 +1,20 @@
+# :bulb: Highlights
+
+A few minor features appear in this revision, if you don't need these you might skip this update.
+
+- It is now possible to sign the backups in addition to encryption
+
+- The interactive mode now supports an ``mfa`` command, to proactively request an MFA challenge that will be valid for a configured amount of time. The ``--proactive-mfa`` parameter is the equivalent for non-interactive mode, e.g. to be used along with `--osh clush` or `--osh batch`
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+
+- feat: osh-backup-acl-keys: add the possibility to sign encrypted backups (#209)
+- feat: ``--proactive-mfa`` and ``mfa``/``nofa`` interactive commands
+- doc: add help about the interactive builtin commands (#227)
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.05.01](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-05-01-2021-09-22)
--- a/doc/release-notes/v3.06.00.md
+++ b/doc/release-notes/v3.06.00.md
@ -0,0 +1,17 @@
+# :bulb: Highlights
+ 
+The main new feature of this version is the `--pubkey-auth-optional` option to `accountModify`, to tag some accounts so that they don't need a public key for the ingress connection, but only a password (and maybe a TOTP). Of course, as passwords are always less secure than public-key authentication, please only use it for specific use cases you may have. #237 for more details, along with the specific upgrade instructions (see below).
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+
+- feat: `accountModify`: add `--pubkey-auth-optional` (#237, thanks @madchrist)
+- fix: `accountPIV`: fix bad autocompletion rule
+- fix: groupdel: false positive in lock contention detection
+- doc: `bastion.conf`: add superowner system group requirement
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.06.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-06-00-2021-10-15)
--- a/doc/release-notes/v3.07.00.md
+++ b/doc/release-notes/v3.07.00.md
@ -0,0 +1,25 @@
+# :bulb: Highlights
+
+The two main features of this version are:
+
+- The support of the Duo PAM auth as MFA (see #249 for more information)
+- A new access setup option, `--force-password`, which is similar to `--force-key`, but to be used when a specific egress password is required instead of a specific SSH key for a given host. Note that this doesn't work for guest group accesses yet, which will be implemented in a future version. More information can be found in #256.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+
+- feat: add support for Duo PAM auth as MFA (#249)
+- feat: new access option: `--force-password <HASH>`, to only try one specific egress password (#256, thanks @madchrist)
+- fix: add helpers handling of SIGPIPE/SIGHUP
+- fix: avoid double-close log messages on SIGHUP
+- fix: `--self-password` was missing as a `-P` synonym (#257, thanks @madchrist)
+- fix: tests under OpenSUSE (fping raw sockets)
+- chore: ensure proper Getopt::Long options are set everywhere
+- chore: move HEXIT() to helper module, use HEXIT only in helpers
+- chore: factorize helpers header 
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.07.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-07-00-2021-12-13)
--- a/doc/release-notes/v3.08.00.md
+++ b/doc/release-notes/v3.08.00.md
@ -0,0 +1,39 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+The 2 main changes of this version are:
+
+- System scripts are now using GnuPG 2.x instead of GnuPG 1.x. All supported OSes do support GnuPG 2.x. The 2.x series of GnuPG support more key algorithms (such as ECDSA and Ed25519), for both higher security and speed. Please refer to the specific upgrade instructions for more information.
+
+- New restricted plugin `accountUnlock`, to unlock accounts locked by either `pam_tally`, `pam_tally2` or `pam_faillock`
+
+Additionally, the supported list of operating systems has changed:
+
+- Removed official support for OpenSUSE Leap 15.2 (EOL), older minor releases of CentOS 7.x and 8.x (EOL). No code has been removed that would break compatibility, but we removed these OSes from the automated tests suite, so the code may stop working in the future on these OSes for a root cause that we wouldn't be able to detect automatically.
+- Added official support for Debian "Bullseye" 11, RockyLinux 8.x
+ 
+Also note that since `v3.03.99-rc2`, the FreeBSD integration tests were not running properly, this has been fixed and the few non-passing tests since this version have also been resolved.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+
+- feat: move scripts to GnuPG 2.x, add tests & doc
+- feat: add new OSes (Debian "Bullseye" 11, RockyLinux 8.x) and deprecate old ones (OpenSUSE Leap 15.2, older minor releases of CentOS 7.x and 8.x)
+- feat: add the ``accountUnlock`` restricted plugin
+- enh: detect silent password change failures
+- enh: ``batch``: detect when asked to start a plugin requiring MFA
+- enh: rewrite ``packages-check.sh``, ``perl-tidy.sh`` and ``shell-check.sh`` with more features and deprecated code removed
+- feat: add the ``code-info`` syslog type in addition to ``code-warn``
+- enh: tests: ``--module`` can now be specified multiple times
+- fix: FreeBSD tests & portions of code, regression since v3.03.99-rc2
+- chore: install: remove obsolete upgrading sections for pre-v3.x versions
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.08.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-08-00-2022-01-04)
--- a/doc/release-notes/v3.08.01.md
+++ b/doc/release-notes/v3.08.01.md
@ -0,0 +1,22 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+The main change of this version is:
+
+- A new system script, [osh-remove-empty-folders.sh](https://ovh.github.io/the-bastion/administration/configuration/osh-remove-empty-folders_conf.html), called by cron and responsible for cleaning up the ``ttyrec/`` directory of users homes, which may contain a high amount of empty folders for busy users tonnecting to a lot of different servers, as we create one folder per destination IP.
+
+An exhaustive list of changes can be found below.
+
+# :pushpin: Changes
+
+- feat: add `osh-remove-empty-folders.sh` script                                                                                                                            
+- enh: better errror detection and logging in `accountDelete` & `groupDelete`
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.08.01](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-08-01-2022-01-19)
--- a/doc/release-notes/v3.09.00-rc1.md
+++ b/doc/release-notes/v3.09.00-rc1.md
@ -0,0 +1,55 @@
+# :warning: This is a release candidate
+
+Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain to use this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
+
+This version will go stable in a few days if no regression is found.
+
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+This version has quite a lot of commits. This includes a standardization of satellite scripts configuration format and standard parameters, hence some configuration review might need to be done after upgrading (detailed in the specific upgrades instructions below).
+
+The 3 main changes of this version are:
+
+- The ``osh-encrypt-rsync.pl`` script functionalities have been extended to not only cover the encryption/rotation/exporting of ``ttyrec`` files, but now also each user's local [access logs](https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html#enableaccountaccesslog) and [sql logs](https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html#enableaccountsqllog), where applicable. Previously, these logs where handled by the ``compress-old-logs.sh`` script, which was just compressing these files in-place. The latter script has now been removed in favor of the new features of ``osh-encrypt-rsync.pl``, which not only handles compression/encryption, but also export of these files to the same remote escrow filer than you may have configured for your ``ttyrec`` files.
+
+- The NRPE probes we use to monitor our bastion clusters have been added to the ``contrib/`` folder, if you're using Nagios, Icinga or any other NRPE-compatible monitoring system, you might want to have a look to [said folder](contrib/nrpe).
+
+- Ubuntu 22.04 LTS is now supported and part of the automated tests. CentOS 8 has been removed, as this distribution has been EOL for some time. The software might still work for the meantime, but any potential future incompatibility might go undetected, and is not guaranteed to be fixed. Note that however, RockyLinux 8 is supported and tested.
+
+As a side note, an overhaul of the [left menu of the documentation](https://ovh.github.io/the-bastion) has been done, in an effort to enhance documentation navigation as the documentation book thickens.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+
+- feat: ``osh-encrypt-rsync.pl``: handle sqlite and user logs along with ttyrec files
+- remove: ``compress-old-logs.sh`` script, as ``osh-encrypt-rsync.pl`` does the job now
+- remove: delete CentOS 8 from tests (EOL)
+- feat: add ``osh-cleanup-guest-key-access.pl`` script
+- feat: add NRPE probes in ``contrib/``
+- enh: standardize snake_case for all system scripts json config files
+- enh: cron scripts: factorize common code and standardize logging & config
+- enh: ``osh-lingering-sessions-reaper.pl``: make it configurable
+- enh: ``osh-piv-grace-reaper.pl``: run only on master, standardize config reading
+- enh: add more info in syslog warnings for ``accountDelete``
+- fix: ``ping``: force a deadline, and restore default sighandlers
+- fix: ``accountInfo``: missing creation date on non-json output
+- fix: ``osh-remove-empty-folders.pl``: fix folders counting (logging only)
+- fix: ``osh-encrypt-rsync.pl``: delete +a source files properly
+- fix: ``osh-encrypt-rsync.pl``: ensure $verbose is always set & make it configurable
+- fix: ``install``: ensure that the healthcheck user can always connect from 127.0.0.1
+- fix: ``install``: avoid cases of sigpipe on `tr`
+- fix: don't emit a membership log when nothing changed
+- fix: ``{group,account}Delete``: move() would sometimes fail, replace by mv
+- fix: workaround for undocumented caching in ``getpw``/``getgr`` funcs
+- doc: better menu organization and more complete config files reference
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.09.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-09-00-2022-07-xx)
--- a/doc/release-notes/v3.09.00-rc2.md
+++ b/doc/release-notes/v3.09.00-rc2.md
@ -0,0 +1,28 @@
+# :warning: This is a release candidate
+
+Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain to use this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
+
+This version will go stable in a few days if no regression is found.
+
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+Please refer to the `rc1` changelog.
+
+# :pushpin: Changes
+
+since `rc1`:
+
+- enh: MFA: specify account name in message
+- enh: print_public_key: better formatter
+- enh: move some code from get_hashes_list() to a new get_password_file()
+- doc: osh-encrypt-rsync.conf: add verbose
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.09.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-09-00-2022-07-xx)
--- a/doc/release-notes/v3.09.00-rc3.md
+++ b/doc/release-notes/v3.09.00-rc3.md
@ -0,0 +1,54 @@
+# :warning: This is a release candidate
+
+Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain to use this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
+
+This version will go stable in a few days if no regression is found.
+
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+Please refer to the `rc1` changelog.
+
+# :pushpin: Changes
+
+since `rc2`:
+- enh: install: better error detection
+- fix: performance issues introduced by rc1
+
+
+# :warning: This is a release candidate
+
+Note that release candidates, due to the higher-than-usual amount of changes they contain, are statistically more likely to have a few quirks or bugs. Please refrain to use this version in critical production systems, unless it contains either a feature you really need, or a bugfix you've been waiting for, which may outweigh the potential drawbacks of using a release candidate.
+
+This version will go stable in a few days if no regression is found.
+
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+Please refer to the `rc2` changelog.
+
+# :pushpin: Changes
+
+since `rc2`:
+
+- enh: install: better error detection
+- fix: performance issues introduced in rc1
+
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.09.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-09-00-2022-07-xx)
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.09.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-09-00-2022-07-xx)
--- a/doc/release-notes/v3.09.00.md
+++ b/doc/release-notes/v3.09.00.md
@ -0,0 +1,50 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+This version has quite a lot of commits. This includes a standardization of satellite scripts configuration format and standard parameters, hence some configuration review might need to be done after upgrading (detailed in the specific upgrades instructions below).
+
+The 3 main changes of this version are:
+
+- The ``osh-encrypt-rsync.pl`` script functionalities have been extended to not only cover the encryption/rotation/exporting of ``ttyrec`` files, but now also each user's local [access logs](https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html#enableaccountaccesslog) and [sql logs](https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html#enableaccountsqllog), where applicable. Previously, these logs where handled by the ``compress-old-logs.sh`` script, which was just compressing these files in-place. The latter script has now been removed in favor of the new features of ``osh-encrypt-rsync.pl``, which not only handles compression/encryption, but also export of these files to the same remote escrow filer than you may have configured for your ``ttyrec`` files.
+
+- The NRPE probes we use to monitor our bastion clusters have been added to the ``contrib/`` folder, if you're using Nagios, Icinga or any other NRPE-compatible monitoring system, you might want to have a look to [said folder](contrib/nrpe).
+
+- Ubuntu 22.04 LTS is now supported and part of the automated tests. CentOS 8 has been removed, as this distribution has been EOL for some time. The software might still work for the meantime, but any potential future incompatibility might go undetected, and is not guaranteed to be fixed. Note that however, RockyLinux 8 is supported and tested.
+
+As a side note, an overhaul of the [left menu of the documentation](https://ovh.github.io/the-bastion) has been done, in an effort to enhance documentation navigation as the documentation book thickens.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+- feat: ``osh-encrypt-rsync.pl``: handle sqlite and user logs along with ttyrec files
+- remove: ``compress-old-logs.sh`` script, as ``osh-encrypt-rsync.pl`` does the job now
+- remove: delete CentOS 8 from tests (EOL)
+- feat: add ``osh-cleanup-guest-key-access.pl`` script
+- feat: add NRPE probes in ``contrib/``
+- enh: standardize snake_case for all system scripts json config files
+- enh: cron scripts: factorize common code and standardize logging & config
+- enh: ``osh-lingering-sessions-reaper.pl``: make it configurable
+- enh: ``osh-piv-grace-reaper.pl``: run only on master, standardize config reading
+- enh: add more info in syslog warnings for ``accountDelete``
+- enh: tests: faster perl-check script
+- fix: accountInfo wasn't showing TTL account expiration #329
+- fix: ``ping``: force a deadline, and restore default sighandlers
+- fix: ``accountInfo``: missing creation date on non-json output
+- fix: ``osh-remove-empty-folders.pl``: fix folders counting (logging only)
+- fix: ``osh-encrypt-rsync.pl``: delete +a source files properly
+- fix: ``osh-encrypt-rsync.pl``: ensure $verbose is always set & make it configurable
+- fix: ``install``: ensure that the healthcheck user can always connect from 127.0.0.1
+- fix: ``install``: avoid cases of sigpipe on `tr`
+- fix: don't emit a membership log when nothing changed
+- fix: ``{group,account}Delete``: move() would sometimes fail, replace by mv
+- fix: workaround for undocumented caching in ``getpw``/``getgr`` funcs
+- doc: better menu organization and more complete config files reference
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.09.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-09-00-2022-09-21)
--- a/doc/release-notes/v3.09.02.md
+++ b/doc/release-notes/v3.09.02.md
@ -0,0 +1,20 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+Previous version (v3.09.01) was tagged but not released, main change since last released version is a speedup of the internal `execute()` function, speeding up several portions of the code.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+- fix: basic mitigation for ``scp``'s CVE-2020-15778 (upstream doesn't consider it a bug)
+- fix: ``batch``: don't attempt to read if STDIN is closed
+- enh: make ``execute()`` way WAY faster
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.09.02](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-09-02-2022-11-15)
--- a/doc/release-notes/v3.10.00.md
+++ b/doc/release-notes/v3.10.00.md
@ -0,0 +1,24 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+Main changes from the previous version are:
+- Two new restricted commands: `accountFreeze` and `accountUnfreeze,` to temporarily disable an account, in a reversible way.
+- New options to the `accountInfo` commands: `--no-password-info` and `--no-output,` to get a speed boost when those informations are not needed by the caller
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+- feat: add `accountFreeze`/`accountUnfreeze` commands
+- enh: `accountInfo`: add `--no-password-info` and `--no-output options`
+- enh: more precise matching of ssh client error messages
+- enh: osh.pl: add the account name on each error message
+- fix: invalid suffixed account creation (#357)
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.10.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-10-00-2023-02-17)
--- a/doc/release-notes/v3.11.00.md
+++ b/doc/release-notes/v3.11.00.md
@ -0,0 +1,29 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+Main changes from the previous version are:
+- `SFTP` passthrough is now supported, all the commands manipulating accesses have been modified accordingly, to add the ``--sftp`` option. More information can be found [in the documentation](https://ovh.github.io/the-bastion/using/sftp_scp.html).
+- The `groupInfo` and `accountInfo` commands have been augmented with a new `--all` option, reserved for bastion auditors, to dump detailed data about all the groups or accounts, respectively. The amount of information to be dumped can be controlled with a series of `--with-*` and `--without-*` options, more information can be found in each command's own documentation ([groupInfo](https://ovh.github.io/the-bastion/plugins/open/groupInfo.html) and [accountInfo](https://ovh.github.io/the-bastion/plugins/restricted/accountInfo.html). Prefer the use of `accountInfo --all` instead of `accountList --audit`, as the latter will be deprecated soon.
+
+Another change that should be noted is the removal of the implicit `--port-any` and `--user-any` to the `self(Add|Del)PersonalAccess` and `account(Add|Del)PersonalAccess` commands, when either `--user` or `--port` are omitted, to be consistent with `group(Add|Del)Server` which never had this behaviour. This always emitted a deprecation warning since the first publicly released version, encouraging the explicit use of `--user-any` and/or `--port-any` when this was desired. Now, omitting these options will simply return an error, as this has always been the case with `group(Add|Del)Server`.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+- feat: add ``sftp`` support
+- feat: add the possibility to auditors of listing all groups with ``groupInfo`` and all accounts with ``accountInfo``,
+    using ``--all``, along with filtering additional data with ``--with-*`` and ``without-*`` new options
+- enh: ``setup-encryption.sh``: don't require install to be called before us
+- enh: remove implicit `--(user|port)-any` if omitted when using `(self|account)(Add|Del)PersonalAccess` commands
+- fix: race condition when two parallel account creations used the ``--uid-auto`` option
+- doc: add restore from backup howto
+- doc: add PuTTY connection setup howto
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.11.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-11-00-2023-03-23)
--- a/doc/release-notes/v3.11.01.md
+++ b/doc/release-notes/v3.11.01.md
@ -0,0 +1,13 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+This is a hotfix release, the only fixed issue is a display issue introduced in `v3.11.00` in the `groupInfo` command, which would always display an empty list for the gatekeepers of a group, along with "?" instead of the number of accesses for each guest.
+Note that the JSON output was correct, only the human-readable output of `groupInfo` was impacted.
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
--- a/doc/release-notes/v3.11.02.md
+++ b/doc/release-notes/v3.11.02.md
@ -0,0 +1,28 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+Main changes from the previous version are:
+- A new script `bin/admin/check_uid_gid_collisions.pl` has been added, to ease procedures such as [HA setup](https://ovh.github.io/the-bastion/installation/restoring_from_backup.html#ensuring-the-uids-gids-are-in-sync) and [backup restoration](https://ovh.github.io/the-bastion/installation/advanced.html#ensuring-the-uids-gids-are-in-sync). The documentation has been updated accordingly to reference the proper usage of this script at the right steps.
+- We now support RockyLinux 9, OpenSUSE Leap 15.4. Debian 12 is also now part of the test workflows to ensure we support it as soon as it's officially released in the next few months.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+- feat: add uid/gid collisions checking script & document it for HA cluster setup and backup restore (#378)
+- fix: ``groupAddServer``: ``--force-key`` wasn't working properly (#259)
+- fix: ``groupInfo``: reintroduce group name in human-readable output (mistakenly removed in v3.11.00)
+- chg: add Debian 12 to tests (not released yet, so not officially supported for now)
+- chg: add RockyLinux 9 support
+- chg: bump OpenSUSE Leap tests from 15.3 to 15.4
+- chg: push sandbox and tester images from Debian 10 to Debian 11
+- remove: get rid of decade-old Debian ``openssh-blacklist`` logic
+- remove: get rid of deprecated ``UseRoaming`` option from ``ssh_config``
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.11.02](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-11-02-2023-04-18)
--- a/doc/release-notes/v3.12.00.md
+++ b/doc/release-notes/v3.12.00.md
@ -0,0 +1,30 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+Main changes from the previous version are:
+- Debian "Stretch" 9 is no longer officially supported, as this version has been EOL upstream for a few months now. This doesn't mean that the future versions of The Bastion won't work under this distro, it means that this distro release is no longer part of the automated tests. As Debian Stretch is EOL, you should consider upgrading to a more recent version, as maintaining a secured underlying OS is paramount to the whole security of The Bastion (or of any other software).
+
+- Debian "Bookworm" 12 has been part of the automated tests for a while, but is now officially supported as this has been officially released upstream.
+
+- Two new configuration parameters have been added to the [selfAddPersonalAccess](https://ovh.github.io/the-bastion/plugins/restricted/selfAddPersonalAccess.html#options) and [accountAddPersonalAccess](https://ovh.github.io/the-bastion/plugins/restricted/accountAddPersonalAccess.html#options) commands.
+
+Side note: tagged releases are now signed. This was a prerequisite to the upcoming integrated and secure `adminUpgrade` command.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+- feat: add 2 configurable knobs to ``(self|account)AddPersonalAccess``
+- feat: plugins: add loadConfig parameter & config validator support
+- chg: drop support for Debian 9, add support for Debian 12
+- fix: ``accountList``: crash in some cases
+- fix: add missing autocompletions, readonly flags and help category for some plugins
+- chore: fix GitHub actions under FreeBSD
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.12.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-12-00-2023-06-27)
--- a/doc/release-notes/v3.13.00.md
+++ b/doc/release-notes/v3.13.00.md
@ -0,0 +1,23 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+The change from the previous version is:
+
+- The plugins output is now recorded using `ttyrec`, as the egress connections are, instead of being stored in `sqlite` format
+within the home folder of the account. This helps avoiding the sqlite databases growing too much in size when
+accounts are using `--osh` commands very intensively.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+- enh: use `ttyrec` instead of `sqlite` to record plugin output
+- fix: `selfMFASetupPassword`: restore default sighandlers to avoid being zombified
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.13.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-13-00-2023-07-28)
--- a/doc/release-notes/v3.13.01.md
+++ b/doc/release-notes/v3.13.01.md
@ -0,0 +1,28 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+This minor release has only a few changes, mainly on the documentation and setup sides. Two new important documentation sections have appeared:
+
+- The [JSON API](https://ovh.github.io/the-bastion/using/api.html) section, detailing how to integrate The Bastion in your automated workflows, and
+- The [Multi-Factor Authentication (MFA)](https://ovh.github.io/the-bastion/administration/mfa.html) section, detailing several possible setups to harden your users accesses
+
+The features documented above have been available since `v3.00.00`, so updating to this version is not required to use them.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+
+- doc: add JSON API and MFA documentations
+- fix: clush: restore default handlers for SIGHUP/PIPE
+- enh: setup-gpg.sh: create additional backup signing config with --generate
+
+Thanks to @toutoen and @docwalter for their contribution to this release.
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.13.01](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-13-01-2023-08-22)
--- a/doc/release-notes/v3.14.00.md
+++ b/doc/release-notes/v3.14.00.md
@ -0,0 +1,20 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known security issues: `v3.00.00` (first public version)
+
+# :bulb: Highlights
+
+This release fixes a possibly problematic behavior introduced in `v3.13.00` when replacing `sqlite` logging of plugins output by `ttyrec` where the `scp` and `sftp` plugins, when downloading a file (from the remote server to the local machine through the bastion) would save the binary stream as part of the ttyrec file, possibly taking a lot of space when these plugins are often used.
+
+Another, somehow niche, new feature is the support of so-called `type8` and `type9` hash types for egress passwords, mainly used by network devices. More information is available in the specific upgrade instructions link below.
+
+# :pushpin: Changes
+
+- feat: add type8 and type9 password hashes
+- feat: add `stealth_stderr`/`stdout` `ttyrec` support, enable it for `scp` & `sftp`
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.14.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-14-00-2023-09-19)
--- a/doc/release-notes/v3.14.15.md
+++ b/doc/release-notes/v3.14.15.md
@ -0,0 +1,26 @@
+# :zap: Security
+
+- Fixed [CVE-2023-45140](https://github.com/ovh/the-bastion/security/advisories/GHSA-pr4q-w883-pf5x) with severity 4.8 (CVSS 3.0)
+
+# :bulb: Highlights
+
+This release fixes a security issue where JIT MFA on ``sftp`` and ``scp`` plugins was not honored. Please refer to [CVE-2023-45140](https://github.com/ovh/the-bastion/security/advisories/GHSA-pr4q-w883-pf5x) for impact and mitigation details.
+Upgrading to this version is sufficient to fix the issue, but please read through the specific [upgrading instructions](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-14-15-2023-11-08) of this version.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+
+- feat: support JIT MFA through plugins, including ``sftp`` and ``scp`` (fixes [CVE-2023-45140](https://github.com/ovh/the-bastion/security/advisories/GHSA-pr4q-w883-pf5x))
+- feat: add configuration option for plugins to override the global lock/kill timeout
+- enh: ``setup-gpg.sh``: allow importing multiple public keys at once
+- enh: ``connect.pl``: report empty ttyrec as ``ttyrec_empty`` instead of ``ttyrec_error``
+- enh: orphaned homedirs: adjust behavior on master instances
+- fix: check_collisions: don't report orphan uids on slave, just use their name
+- fix: ``scp``: adapt wrapper and tests to new ``scp`` versions requiring ``-O``
+- meta: dev: add devenv docker, pre-commit info, and documentation on how to use them, along with how to write integration tests
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.14.15](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-14-15-2023-11-08)
--- a/doc/release-notes/v3.14.16.md
+++ b/doc/release-notes/v3.14.16.md
@ -0,0 +1,31 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08)
+
+# :bulb: Highlights
+
+This release introduces a new global configuration option, [ttyrecStealthStdoutPattern](https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html?highlight=ttyrecstealthstdoutpattern#ttyrecstealthstdoutpattern), to handle corner-cases where recording stdout of some specific commands would take up gigabytes. If you use ``rsync`` through the bastion, and noticed that some ttyrec files take up a gigantic amount of space, this might help salvaging your hard-drives!
+
+Another noteworthy change is for users using pre-v3.14.15 ``scp`` or ``sftp`` helpers: this release introduces a compatibility logic to avoid requiring them to upgrade their helpers when JIT MFA is not required for their use case. Of course, when JIT MFA is required by policy, the connection will still fail and the only way to go through is to use the new wrappers that can support properly asking MFA to the users.
+
+Otherwise, this release is mainly a bugfix / tiny enhancements release.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
+
+# :pushpin: Changes
+
+- feat: add ``ttyrecStealthStdoutPattern`` config
+- enh: ``osh-lingering-sessions-reaper.sh``: handle dangling plugins
+- enh: ``osh-orphaned-homedir.sh``: also cleanup ``/run/faillock``
+- enh: plugins: better signal handling to avoid dangling children processes
+- fix: ``scp``/``sftp``: when using pre-v3.14.15 helpers, the JIT MFA logic now behaves as before, so that these old helpers still work when JIT MFA is not needed
+- fix: ``accountInfo``: return always\_active=1 for globally-always-active accounts
+- fix: ``ping``: don't exit with ``fping`` when host is unreachable
+- fix: ``osh-sync-watcher``: default to a valid ``rshcmd`` (fixes #433)
+- fix: install: generation of the MFA secret under FreeBSD
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.14.16](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-14-16-2024-02-20)
--- a/doc/release-notes/v3.15.00.md
+++ b/doc/release-notes/v3.15.00.md
@ -0,0 +1,23 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08)
+
+# :bulb: Highlights
+
+This release introduces two notable changes, apart from the usual fixes and enhancements:
+A new global configuration option, [dnsSupportLevel](https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html?highlight=dnssupportlevel#global-network-policies) for systems with non-working DNS (fixes #397).
+Support of the ``@`` character when referencing the name of a remote account in a personal or group-based access (fixes #437).
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.14.16...v3.15.00).
+
+# :pushpin: Changes
+- feat: add ``dnsSupportLevel`` for systems with broken DNS (fixes #397)
+- enh: allow ``@`` as a valid remote user char
+- fix: ``connect.pl``: don't look for error messages when ``sysret==0`` 
+- fix: avoid a warn() when an non-resolvable host is specified with scp or sftp
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.15.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-15-00-2024-03-22)
--- a/doc/release-notes/v3.16.00.md
+++ b/doc/release-notes/v3.16.00.md
@ -0,0 +1,23 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08)
+
+# :bulb: Highlights
+
+The main noteworthy change in this release is the support for so-called Secure Keys :key:  (FIDO2) for ingress connection. If you're upgrading from a previous version, you'll have to enable support in the configuration file, refer to the specific upgrade instructions below. This is enabled on new installations by default.
+
+How to generate and use a Secure Key from your hardware token to secure SSH access is usually detailed in the documentation of your hardware key vendor (For example [Yubico](https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html)).
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.15.00...v3.16.00).
+
+# :pushpin: Changes
+- feat: support hardware-based Secure Keys (FIDO2) for ingress authentication
+- enh: remove netcat dependency by using perl bultins
+- enh: ``--wait`` now checks whether the TCP port is open instead of just pinging the host
+- fix: logic error in ``etc/pam.d/sshd.rhel`` breaking MFA handling if enabled
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.16.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-16-00-2024-04-10)
--- a/doc/release-notes/v3.16.01.md
+++ b/doc/release-notes/v3.16.01.md
@ -0,0 +1,20 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08)
+
+# :bulb: Highlights
+
+This release only has minor changes. It has been tagged back in April but the formal GitHub Release was missing!
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.16.00...v3.16.01).
+
+# :pushpin: Changes
+- enh: info plugin: removed `uname` dependency, added configuration
+- chg: bastion-sync-helper.sh: use `sh` instead of `bash`
+- fix: alive plugin: don't mask signals
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.16.01](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-16-01-2024-04-17)
--- a/doc/release-notes/v3.16.99-rc1.md
+++ b/doc/release-notes/v3.16.99-rc1.md
@ -0,0 +1,42 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08)
+
+# :bulb: Highlights
+
+This is a pre-release, so that the #461 change can be thoroughly tested before being promoted to a release.
+
+This releases updates the supported OS list as follows:
+- drop support for Ubuntu 16.04 and CentOS 7
+- add support for Ubuntu 24.04 LTS and OpenSUSE Leap 15.6
+
+This release adds support of wildcards (also called "shell-style globbing characters"), namely ``?`` and ``*``,
+when using the ``--user`` option for plugins such as ``groupAddServer``, ``groupDelServer``, ``groupAddGuestAccess``,
+``groupDelGuestAccess``, ``accountAddPersonalAccess``, ``accountDelPersonalAccess``, ``selfAddPersonalAccess``,
+``selfDelPersonalAccess``. This implements #461.
+
+We also enable the ``sntrup761x25519-sha512@openssh.com`` KEX algorithm by default on shipped versions
+of ``sshd_config`` and ``ssh_config``, read the specific upgrades instructions linked below if you're interested and this is not a new installation.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.16.01...v3.16.99-rc1).
+
+# :pushpin: Changes
+- feat: accountFreeze: terminate running sessions if any
+- feat: support wildcards in --user (fix #461)
+- enh: autologin: set term to raw noecho when --no-tty is used
+- fix: stealth_stdout/stderr was ignored for plugins (fix #482)
+- fix: ignore transient errors during global destruction
+- fix: install under FreeBSD 13.2
+- fix: selfGenerateProxyPassword: help message was incorrect
+- chg: add Ubuntu 24.04 LTS
+- chg: bump OpenSUSE Leap from 15.5 to 15.6
+- chg: Debian12, Ubuntu20+: enable sntrup KEX by default
+- chg: remove support for EOL CentOS 7
+- chore: adapt help messages for wildcard --user support
+- chore: install-ttyrec: bump latest known version fallback
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.16.99-rc1](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-16-99-rc1-2024-07-04)
--- a/doc/release-notes/v3.16.99-rc2.md
+++ b/doc/release-notes/v3.16.99-rc2.md
@ -0,0 +1,31 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08)
+
+# :bulb: Highlights
+
+Please read the ``rc1`` changes that are also included in this pre-release.
+
+The ``rc2`` add support of ``rsync`` (#301). Now, for specific protocols (such as scp, sftp and rsync), instead of having a dedicated option for all the plugins, they share a new ``--protocol`` option, which will permit adding more protocols if needed, without requiring adding new named options. The previous options are still supported and will keep working, even if the [documentation](https://ovh.github.io/the-bastion/using/sftp_scp_rsync.html) has been updated to only reference ``--protocol``.
+
+We also add a new per-account option: egress session multiplexing (usage of the ``ControlPath`` and ``ControlMaster`` ssh client options), for accounts opening a large number of connections to the same hosts, such as is the case with e.g. Ansible usage. You'll find it in the [accountModify](https://ovh.github.io/the-bastion/plugins/restricted/accountModify.html?highlight=multiplexing#cmdoption-accountModify-egress-session-multiplexing) documentation.
+
+Worth noting is also a new plugin: ``groupSetServers``, to permit setting the ACL (asset list) of a group in one shot, to attain a given wanted list, instead of having to rely in several `groupAddServer` and `groupDelServer` calls.
+
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.16.01...v3.16.99-rc1).
+
+# :pushpin: Changes
+- feat: add rsync support through the ``--protocol rsync`` option in all plugins
+- feat: add ``--egress-session-multiplexing`` option to ``accountModify``
+- feat: add ``groupSetServers`` to entirely change a group ACL in one shot
+- enh: add lock for group ACL change to avoid race conditions on busy bastions
+- enh: ``selfPlaySession``: remove sqliteLog.ttyrecfile dependency
+- chore: FreeBSD: ignore OS version mismatch with packages
+- chore: ``selfMFASetupPassword``: clearer message
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.16.99-rc2](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-16-99-rc2-2024-09-17)
--- a/doc/release-notes/v3.16.99-rc3.md
+++ b/doc/release-notes/v3.16.99-rc3.md
@ -0,0 +1,20 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08)
+
+# :bulb: Highlights
+
+Please read the ``rc2`` changes that are also included in this pre-release.
+
+This release, the ``rc3``, expected to be the last release candidate, fixes a regression introduced in the ``rc1``.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.16.01...v3.16.99-rc3).
+
+# :pushpin: Changes
+- fix: regression introduced by https://github.com/ovh/the-bastion/commit/932e72eb839c6d248704d217b305b2d34818bd01 for stealth stdout in ssh
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.16.99-rc3](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-16-99-rc3-2024-09-25)
--- a/doc/release-notes/v3.17.00.md
+++ b/doc/release-notes/v3.17.00.md
@ -0,0 +1,50 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08)
+
+# :bulb: Highlights
+
+This releases updates the supported OS list as follows:
+- drop support for Ubuntu 16.04 and CentOS 7
+- add support for Ubuntu 24.04 LTS and OpenSUSE Leap 15.6
+
+Appart from the supported OS list, this release has a lot of changes, the most important ones are summarized below.
+
+Add support of ``rsync`` (#301). Now, for specific protocols (such as scp, sftp and rsync), instead of having a dedicated option for all the plugins, they share a new ``--protocol`` option, which will permit adding more protocols if needed, without requiring adding new named options. The previous options are still supported and will keep working, even if the [documentation](https://ovh.github.io/the-bastion/using/sftp_scp_rsync.html) has been updated to only reference ``--protocol``.
+
+Add support of wildcards (also called "shell-style globbing characters"), namely ``?`` and ``*``,
+when using the ``--user`` option for plugins such as ``groupAddServer``, ``groupDelServer``, ``groupAddGuestAccess``,
+``groupDelGuestAccess``, ``accountAddPersonalAccess``, ``accountDelPersonalAccess``, ``selfAddPersonalAccess``,
+``selfDelPersonalAccess``. This implements #461.
+
+Add a new per-account option: egress session multiplexing (usage of the ``ControlPath`` and ``ControlMaster`` ssh client options), for accounts opening a large number of connections to the same hosts, such as is the case with e.g. Ansible usage. You'll find it in the [accountModify](https://ovh.github.io/the-bastion/plugins/restricted/accountModify.html?highlight=multiplexing#cmdoption-accountModify-egress-session-multiplexing) documentation.
+
+Worth noting is also a new plugin: ``groupSetServers``, to permit setting the ACL (asset list) of a group in one shot, to attain a given wanted list, instead of having to rely in several `groupAddServer` and `groupDelServer` calls.
+
+We also enable the ``sntrup761x25519-sha512@openssh.com`` KEX algorithm by default on shipped versions
+of ``sshd_config`` and ``ssh_config``, read the specific upgrades instructions linked below if you're interested and this is not a new installation.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.16.01...v3.17.00).
+
+# :pushpin: Changes
+- feat: support wildcards in ``--user`` (fix #461)
+- feat: add rsync support through the ``--protocol rsync`` option in all plugins
+- feat: add ``--egress-session-multiplexing`` option to ``accountModify``
+- feat: add ``groupSetServers`` to entirely change a group ACL in one shot
+- feat: ``accountFreeze``: terminate running sessions if any
+- enh: add lock for group ACL change to avoid race conditions on busy bastions
+- enh: ``selfPlaySession``: remove sqliteLog.ttyrecfile dependency
+- enh: autologin: set term to raw noecho when --no-tty is used
+- chg: add Ubuntu 24.04 LTS
+- chg: bump OpenSUSE Leap from 15.5 to 15.6
+- chg: Debian12, Ubuntu20+: enable sntrup KEX by default
+- chg: remove support for EOL CentOS 7
+- fix: stealth_stdout/stderr was ignored for plugins (fix #482)
+- fix: ignore transient errors during global destruction
+- fix: install under FreeBSD 13.2
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.17.00](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-17-00-2024-10-14)
--- a/doc/release-notes/v3.17.01.md
+++ b/doc/release-notes/v3.17.01.md
@ -0,0 +1,21 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08)
+
+# :bulb: Highlights
+
+No specific highlight, as this release addresses a few issues and minor enhancements.
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.17.00...v3.17.01).
+
+# :pushpin: Changes
+- enh: interactive: handle CTRL+C nicely (fix #497)
+- fix: osh.pl: remove a warning on interactive mode timeout
+- fix: allow ssh-as in connect.pl
+- chore: fix bad scpup/scpupload scp/scpdownload references in help and doc (thanks @TomRicci!)
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.17.01](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-17-01-2024-10-23)