Skip to content

Releases: warp-tech/warpgate

v0.11.0

09 Oct 08:03
Compare
Choose a tag to compare

⚠️ This is the last release that supports loading targets, users and roles from the config file. Upgrade to this version before installing v0.12 if you haven't migrated yet!

PostgreSQL

v0.11 adds experimental PostgreSQL target support.

Enable the PostgreSQL protocol in your config file (default: /etc/warpgate.yaml) if you didn't do so during the initial setup:

+ postgres:
+   enable: true
+   certificate: /var/lib/warpgate/tls.certificate.pem
+   key: /var/lib/warpgate/tls.key.pem

You can reuse the same certificate and key that are used for the HTTP listener.

See [https://github.com/warp-tech/warpgate/wiki/Adding-a-PostgreSQL-target](Adding a PostgreSQL target) for more details.

Changes

Fixes

  • 116bf9f: fixed SSO authentication getting incorrectly rejected when user has both an "any provider" and a provider specific SSO credential
  • 1f597a8: fixed #1053 - prevent repeated consumption of the ticket uses within the same SSH session
  • 38bdbad: fixed #1077 - handle non-standard PKCS8 EC private key PEMs
  • 7e49f13: #1056 - auto-strip .well-known/openid-configuration from OIDC URLs
  • 9e3760e: fixed #1082 - terminal replay crashing when the session is finished

v0.10.2

14 Aug 21:11
Compare
Choose a tag to compare

Security fixes

CVE-2024-43410 - SSH OOM DoS through malicious packet length

It was possible for an attacker to cause Warpgate to allocate an arbitrary amount of memory by sending a packet with a malformed length field, potentially causing the service to get killed due to excessive RAM usage.

Other fIxes

  • c328127: fixed #941 - unnecessary port number showing up in external URLs

v0.10.1

26 Jul 17:01
Compare
Choose a tag to compare

Fixes

  • ed6f68c: fixed #1017 - fixed broken HTTP proxying
  • daacd55: fixed #972 - ssh: only offer available auth methods after a rejected public key offer

v0.10.0

18 Jul 14:27
Compare
Choose a tag to compare

HTTP

SSH

  • Made inactivity timeout configurable (#990) #990 (Néfix Estrada)
  • 5551c33: Switch OOB SSO authentication for SSH to use the instructions instead of the name (#964) (Shea Smith) #964
  • Bumped russh to v0.44
  • 8896bb3: fixed #961 - added option to allow insecure ssh key exchanges (#971) #971

SSO

  • 916d51a: Add support for role mappings on custom SSO providers. (#920) (Skyler Mansfield) #920
  • 75a2b8c: fixed #929 - support additional trusted OIDC audiences

UI

  • 257fb38: Enhance ticket creation api and UI to support ticket expiry (#957) (Thibaud Lepretre) #957
  • f3dc1ad: Enhance ticket creation api and UI to support ticket number of usage (#959) (Thibaud Lepretre) #959

Other changes

v0.9.1

18 Dec 15:26
Compare
Choose a tag to compare

Security fixes

CVE-2023-48795 - Terrapin Attack [12fdf62]

A flaw in the SSH protocol itself allows an active MitM attacker to prevent the client & server from negotiating OpenSSH security extensions, or, with AsyncSSH, take control of the user's session.

This release adds the support for the kex-strict-*-v00@openssh.com extensions designed by OpenSSH specifically to prevent this attack.

More info: https://terrapin-attack.com

Changes

  • 21d6ab4: make HTTP session timeout and cookie age configurable in the config file (Nicolas SEYS) #922

v0.9.0

23 Nov 19:37
Compare
Choose a tag to compare

Security fixes

CVE-2023-48712

⚠️ Update ASAP.

This vulnerability allows a user to escalate their privileges if the admin account isn't protected by 2FA.

Migration

  • If you have a proxy in front of Warpgate setting X-Forwarded-* headers, set http.trust_x_forwarded_for to true in the config file.

Changes

  • b0a9130: Add support for trusting X-Forwarded-For header to get client IP (Skyler Mansfield) #921
  • d9af747: Add better support for X-Forward-* headers when constructing external url (Skyler Mansfield) #921

v0.8.1

27 Sep 20:39
Compare
Choose a tag to compare

Security fixes

CVE-2023-43660

The SSH key verification for a user could be bypassed by sending an SSH key offer without a signature. This allowed bypassing authentication completely under following conditions:

  • The attacker knows the username and a valid target name
  • The attacked knows the user's public key
  • Only SSH public key authentication is required for the user account

Fixes

  • dec0b97: Fix redirection with a relative location (Nicolas SEYS) #896

v0.8.0

20 Aug 17:43
Compare
Choose a tag to compare

Changes

  • 0bc9ae1: session details (IP & security key) are now shown during OOB auth to reduce the chance of phishing a user into approving an auth attempt #858
  • 983d0ad: bumped russh

Fixes

  • f0bc1db: fixed #358 - quotes in connection instructions on Windows #859
  • 49b92cd: fixed #855 - log client IPs and credentials used #861
  • aca8d3d: fixed #857 - fixed default ticket expiry when using MySQL as a database, bumped sea-orm #862

v0.7.4

02 Aug 07:37
Compare
Choose a tag to compare

Changes

  • Fixed Docker image build

v0.7.3

10 Jul 09:21
Compare
Choose a tag to compare

Security fixes

CVE-2023-37268 [8173f65]

Insufficient authentication checks for SSO users allowed any SSO user to elevate their permission to these of any other SSO user. All configurations using SSO are affected.

Changes

  • f13a22f: HTTP: fixed #747 - don't include port in the X-Forwarded-For header
  • UI: added search boxes - #761
  • 4fe4bfe: fixed login errors not being displayed properly
  • b1995be: Admin: disallow completely disabling authentication for a protocol