
Releases: warp-tech/warpgate

v0.11.0

09 Oct 08:03

PostgreSQL

v0.11 adds experimental PostgreSQL target support.

Enable the PostgreSQL protocol in your config file (default: /etc/warpgate.yaml) if you didn't do so during the initial setup:

+ postgres:
+   enable: true
+   certificate: /var/lib/warpgate/tls.certificate.pem
+   key: /var/lib/warpgate/tls.key.pem

You can reuse the same certificate and key that are used for the HTTP listener.

See [Adding a PostgreSQL target](https://github.com/warp-tech/warpgate/wiki/Adding-a-PostgreSQL-target) for more details.

Changes

Fixes

  • 116bf9f: fixed SSO authentication getting incorrectly rejected when user has both an "any provider" and a provider specific SSO credential
  • 1f597a8: fixed #1053 - prevent repeated consumption of the ticket uses within the same SSH session
  • 38bdbad: fixed #1077 - handle non-standard PKCS8 EC private key PEMs
  • 7e49f13: #1056 - auto-strip .well-known/openid-configuration from OIDC URLs
  • 9e3760e: fixed #1082 - terminal replay crashing when the session is finished

v0.10.2

14 Aug 21:11

Security fixes

CVE-2024-43410 - SSH OOM DoS through malicious packet length

It was possible for an attacker to cause Warpgate to allocate an arbitrary amount of memory by sending a packet with a malformed length field, potentially causing the service to get killed due to excessive RAM usage.
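The defensive pattern behind this fix, as an added example (not Warpgate's or russh's code): every SSH binary packet starts with a peer-supplied 4-byte packet_length, and the safe order is to validate that field against the protocol minimum and a hard cap before any buffer is reserved. The 256 KiB cap, the FrameError type and the function names are assumptions made for this example.

```rust
/// Hard cap on the peer-supplied packet_length field, checked before any
/// buffer is reserved. RFC 4253 §6.1 only requires handling 35000-byte
/// packets; 256 KiB is a constructed example value, not Warpgate's setting.
pub const MAX_PACKET_LEN: u32 = 256 * 1024;

#[derive(Debug, PartialEq)]
pub enum FrameError {
    /// Fewer bytes than the header claims: wait for more data, do not allocate.
    Truncated,
    LengthTooSmall(u32),
    LengthTooLarge(u32),
    BadPadding,
}

/// Read the 4-byte big-endian packet_length that starts every SSH binary packet.
fn read_len(buf: &[u8]) -> Result<u32, FrameError> {
    if buf.len() < 4 {
        return Err(FrameError::Truncated);
    }
    Ok(u32::from_be_bytes([buf[0], buf[1], buf[2], buf[3]]))
}

/// The vulnerable shape: the size the peer asks for is the size that would be
/// reserved. Returned (not allocated) here so the example runs safely; a server
/// doing `Vec::with_capacity` on this value is killed on 0xFFFFFFFF.
pub fn unchecked_reserve(buf: &[u8]) -> Result<usize, FrameError> {
    Ok(read_len(buf)? as usize)
}

/// Hardened framing: validate packet_length against the protocol minimum and
/// the cap, then parse padding_length and return (payload, unconsumed bytes).
pub fn parse_packet(buf: &[u8]) -> Result<(Vec<u8>, &[u8]), FrameError> {
    let len = read_len(buf)?;
    // packet_length covers padding_length (1 byte) + payload + padding (>= 4 bytes).
    if len < 5 {
        return Err(FrameError::LengthTooSmall(len));
    }
    if len > MAX_PACKET_LEN {
        return Err(FrameError::LengthTooLarge(len));
    }
    let len = len as usize;
    let total = 4 + len;
    if buf.len() < total {
        return Err(FrameError::Truncated);
    }
    let padding_len = buf[4] as usize;
    if padding_len < 4 || padding_len + 1 > len {
        return Err(FrameError::BadPadding);
    }
    // Only now is memory reserved, and it is bounded by MAX_PACKET_LEN.
    let payload = buf[5..4 + len - padding_len].to_vec();
    Ok((payload, &buf[total..]))
}

fn main() {
    // Constructed packet: length 12 = padding_length(1) + "hello"(5) + padding(6).
    let mut pkt = vec![0u8, 0, 0, 12, 6];
    pkt.extend_from_slice(b"hello");
    pkt.extend_from_slice(&[0u8; 6]);
    println!("{:?}", parse_packet(&pkt));
    // A header claiming 4 GiB is rejected before any allocation happens.
    println!("{:?}", parse_packet(&[0xffu8; 4]));
}
```

The cap should be set from the server's own limits rather than from what the peer claims; the important property is that the rejection happens before the allocation, so an unauthenticated client can never drive memory use beyond MAX_PACKET_LEN per connection.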

Other fixes

  • c328127: fixed #941 - unnecessary port number showing up in external URLs

v0.10.1

26 Jul 17:01

Fixes

  • ed6f68c: fixed #1017 - fixed broken HTTP proxying
  • daacd55: fixed #972 - ssh: only offer available auth methods after a rejected public key offer

v0.10.0

18 Jul 14:27

HTTP

SSH

  • Made inactivity timeout configurable (Néfix Estrada) #990
  • 5551c33: Switch OOB SSO authentication for SSH to use the instructions instead of the name (#964) (Shea Smith) #964
  • Bumped russh to v0.44
  • 8896bb3: fixed #961 - added option to allow insecure ssh key exchanges (#971) #971

SSO

  • 916d51a: Add support for role mappings on custom SSO providers. (#920) (Skyler Mansfield) #920
  • 75a2b8c: fixed #929 - support additional trusted OIDC audiences

UI

  • 257fb38: Enhance ticket creation api and UI to support ticket expiry (#957) (Thibaud Lepretre) #957
  • f3dc1ad: Enhance ticket creation api and UI to support ticket number of usage (#959) (Thibaud Lepretre) #959

Other changes

v0.9.1

18 Dec 15:26

Security fixes

CVE-2023-48795 - Terrapin Attack [12fdf62]

A flaw in the SSH protocol itself allows an active MitM attacker to prevent the client & server from negotiating OpenSSH security extensions, or, with AsyncSSH, take control of the user's session.

This release adds the support for the kex-strict-*-v00@openssh.com extensions designed by OpenSSH specifically to prevent this attack.

More info: https://terrapin-attack.com

Changes

  • 21d6ab4: make HTTP session timeout and cookie age configurable in the config file (Nicolas SEYS) #922

v0.9.0

23 Nov 19:37

Security fixes

CVE-2023-48712

⚠️ Update ASAP.

This vulnerability allows a user to escalate their privileges if the admin account isn't protected by 2FA.

Migration

  • If you have a proxy in front of Warpgate setting X-Forwarded-* headers, set http.trust_x_forwarded_for to true in the config file.

Changes

  • b0a9130: Add support for trusting X-Forwarded-For header to get client IP (Skyler Mansfield) #921
  • d9af747: Add better support for X-Forward-* headers when constructing external url (Skyler Mansfield) #921
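What the http.trust_x_forwarded_for switch from the migration note decides, as an added example (not Warpgate's code): which address ends up in the audit log and in the session details shown to the approving user. The HttpConfig struct, the client_ip function and the rightmost-entry rule are assumptions of this example; the only thing taken from the page is the name and meaning of the switch.

```rust
use std::net::IpAddr;

/// The switch the migration note refers to. The struct and function are a
/// constructed example of the decision, not Warpgate's own code.
pub struct HttpConfig {
    pub trust_x_forwarded_for: bool,
}

/// Pick the client address to log, rate-limit and show during OOB approval.
/// `peer` is the TCP peer of the connection; `xff` is the raw X-Forwarded-For
/// header value, if the request carried one.
pub fn client_ip(cfg: &HttpConfig, peer: IpAddr, xff: Option<&str>) -> IpAddr {
    if !cfg.trust_x_forwarded_for {
        // No trusted proxy in front: the header is whatever the client typed.
        // Honouring it here would let anyone forge the IP that ends up in the
        // audit log and in the session details shown to the approving user.
        return peer;
    }
    // Exactly one trusted proxy is assumed to sit in front. It appends the
    // address it saw as the LAST element, so the rightmost entry is the only
    // one the proxy vouches for; anything to its left came from the client.
    xff.and_then(|h| h.rsplit(',').next())
        .and_then(|s| s.trim().parse::<IpAddr>().ok())
        .unwrap_or(peer)
}

fn main() {
    // Constructed values: a direct peer and a header a client could have forged.
    let peer: IpAddr = "10.0.0.5".parse().unwrap();
    let header = Some("198.51.100.1, 203.0.113.9");
    println!("{}", client_ip(&HttpConfig { trust_x_forwarded_for: false }, peer, header));
    println!("{}", client_ip(&HttpConfig { trust_x_forwarded_for: true }, peer, header));
}
```

Leave the switch off unless a proxy you control really is the only thing that can reach the listener; with it on, a deployment that also exposes Warpgate directly lets any client choose the address that gets logged.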

v0.8.1

27 Sep 20:39

Security fixes

CVE-2023-43660

The SSH key verification for a user could be bypassed by sending an SSH key offer without a signature. This allowed bypassing authentication completely under the following conditions:

  • The attacker knows the username and a valid target name
  • The attacker knows the user's public key
  • Only SSH public key authentication is required for the user account
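The state logic that this CVE is about, as an added example (not Warpgate's or russh's code): RFC 4252 §7 lets a client first send a publickey request with the boolean set to FALSE, which only asks whether the key would be acceptable, and the server answers SSH_MSG_USERAUTH_PK_OK; only a request with the boolean TRUE carries a signature over session-bound data, and only a verified signature proves possession of the private key. The request struct, the AuthOutcome enum and toy_verify (a stand-in that accepts a "signature" equal to the signed data, not real signature verification) are assumptions of this example.

```rust
/// Result of one SSH_MSG_USERAUTH_REQUEST with method "publickey" (RFC 4252 §7).
#[derive(Debug, PartialEq)]
pub enum AuthOutcome {
    /// Reply SSH_MSG_USERAUTH_PK_OK: the key would be accepted, now prove you hold it.
    /// This is NOT an authenticated state.
    PkOk,
    Success,
    Failure,
}

/// Fields of the decoded request (constructed shape, not russh's types).
pub struct PublicKeyRequest<'a> {
    pub user: &'a str,
    pub service: &'a str,
    pub key_alg: &'a str,
    pub key_blob: &'a [u8],
    /// Some(sig) when the request's boolean is TRUE, None for the FALSE "query".
    pub signature: Option<&'a [u8]>,
}

fn put_string(out: &mut Vec<u8>, s: &[u8]) {
    out.extend_from_slice(&(s.len() as u32).to_be_bytes());
    out.extend_from_slice(s);
}

/// Data the client signs (RFC 4252 §7). Including session_id binds the
/// signature to this connection, so a captured signature cannot be replayed.
pub fn signed_data(session_id: &[u8], req: &PublicKeyRequest) -> Vec<u8> {
    let mut d = Vec::new();
    put_string(&mut d, session_id);
    d.push(50); // SSH_MSG_USERAUTH_REQUEST
    put_string(&mut d, req.user.as_bytes());
    put_string(&mut d, req.service.as_bytes());
    put_string(&mut d, b"publickey");
    d.push(1); // boolean TRUE
    put_string(&mut d, req.key_alg.as_bytes());
    put_string(&mut d, req.key_blob);
    d
}

fn key_authorized(authorized: &[&[u8]], key_blob: &[u8]) -> bool {
    authorized.iter().any(|k| *k == key_blob)
}

/// The vulnerable shape: a key that matches the user's authorized keys is
/// treated as proof of possession, whether or not a signature was sent.
pub fn handle_unchecked(authorized: &[&[u8]], req: &PublicKeyRequest) -> AuthOutcome {
    if key_authorized(authorized, req.key_blob) {
        AuthOutcome::Success
    } else {
        AuthOutcome::Failure
    }
}

/// Hardened: a query only yields PK_OK, and a signed request succeeds only
/// after `verify(key_blob, data, signature)` accepts the session-bound data.
pub fn handle_checked<V>(
    authorized: &[&[u8]],
    session_id: &[u8],
    req: &PublicKeyRequest,
    verify: V,
) -> AuthOutcome
where
    V: Fn(&[u8], &[u8], &[u8]) -> bool,
{
    if !key_authorized(authorized, req.key_blob) {
        return AuthOutcome::Failure;
    }
    match req.signature {
        None => AuthOutcome::PkOk,
        Some(sig) if verify(req.key_blob, &signed_data(session_id, req), sig) => AuthOutcome::Success,
        Some(_) => AuthOutcome::Failure,
    }
}

/// Stand-in for real signature verification (ssh-ed25519 etc.): accepts a
/// "signature" equal to the signed data. Only for exercising the state logic.
pub fn toy_verify(key: &[u8], data: &[u8], sig: &[u8]) -> bool {
    key == b"key-A" && sig == data
}

fn main() {
    // Constructed values: one authorized key and a query that carries no signature.
    let authorized: [&[u8]; 1] = [b"key-A"];
    let query = PublicKeyRequest {
        user: "alice",
        service: "ssh-connection",
        key_alg: "ssh-ed25519",
        key_blob: b"key-A",
        signature: None,
    };
    println!("unchecked: {:?}", handle_unchecked(&authorized, &query));
    println!("checked:   {:?}", handle_checked(&authorized, b"sess-1", &query, toy_verify));
}
```

The unchecked path is exactly the bypass the advisory describes: knowing a username, a target and the user's public key is enough, because the query message contains all three and nothing secret. The checked path answers the same query with PK_OK and still requires the signed second round.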

Fixes

  • dec0b97: Fix redirection with a relative location (Nicolas SEYS) #896

v0.8.0

20 Aug 17:43

Changes

  • 0bc9ae1: session details (IP & security key) are now shown during OOB auth to reduce the chance of phishing a user into approving an auth attempt #858
  • 983d0ad: bumped russh

Fixes

  • f0bc1db: fixed #358 - quotes in connection instructions on Windows #859
  • 49b92cd: fixed #855 - log client IPs and credentials used #861
  • aca8d3d: fixed #857 - fixed default ticket expiry when using MySQL as a database, bumped sea-orm #862

v0.7.4

02 Aug 07:37

Changes

  • Fixed Docker image build

v0.7.3

10 Jul 09:21

Security fixes

CVE-2023-37268 [8173f65]

Insufficient authentication checks for SSO users allowed any SSO user to elevate their permissions to those of any other SSO user. All configurations using SSO are affected.

Changes

  • f13a22f: HTTP: fixed #747 - don't include port in the X-Forwarded-For header
  • UI: added search boxes - #761
  • 4fe4bfe: fixed login errors not being displayed properly
  • b1995be: Admin: disallow completely disabling authentication for a protocol