mirror of
https://github.com/ovh/the-bastion.git
synced 2025-03-10 06:24:42 +08:00
26 lines
1.8 KiB
Markdown
26 lines
1.8 KiB
Markdown
# :zap: Security
|
|
|
|
- Fixed [CVE-2023-45140](https://github.com/ovh/the-bastion/security/advisories/GHSA-pr4q-w883-pf5x) with severity 4.8 (CVSS 3.0)
|
|
|
|
# :bulb: Highlights
|
|
|
|
This release fixes a security issue where JIT MFA on ``sftp`` and ``scp`` plugins was not honored. Please refer to [CVE-2023-45140](https://github.com/ovh/the-bastion/security/advisories/GHSA-pr4q-w883-pf5x) for impact and mitigation details.
|
|
Upgrading to this version is sufficient to fix the issue, but please read through the specific [upgrading instructions](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-14-15-2023-11-08) of this version.
|
|
|
|
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
|
|
|
|
# :pushpin: Changes
|
|
|
|
- feat: support JIT MFA through plugins, including ``sftp`` and ``scp`` (fixes [CVE-2023-45140](https://github.com/ovh/the-bastion/security/advisories/GHSA-pr4q-w883-pf5x))
|
|
- feat: add configuration option for plugins to override the global lock/kill timeout
|
|
- enh: ``setup-gpg.sh``: allow importing multiple public keys at once
|
|
- enh: ``connect.pl``: report empty ttyrec as ``ttyrec_empty`` instead of ``ttyrec_error``
|
|
- enh: orphaned homedirs: adjust behavior on master instances
|
|
- fix: check_collisions: don't report orphan uids on slave, just use their name
|
|
- fix: ``scp``: adapt wrapper and tests to new ``scp`` versions requiring ``-O``
|
|
- meta: dev: add devenv docker, pre-commit info, and documentation on how to use them, along with how to write integration tests
|
|
|
|
# :fast_forward: Upgrading
|
|
|
|
- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
|
|
- [Specific upgrade instructions for v3.14.15](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-14-15-2023-11-08)
|