Releases: warp-tech/warpgate
v0.9.1
Security fixes
CVE-2023-48795 - Terrapin Attack [12fdf62]
A flaw in the SSH protocol itself allows an active MitM attacker to prevent the client & server from negotiating OpenSSH security extensions, or, with AsyncSSH, take control of the user's session.
This release adds support for the kex-strict-*-v00@openssh.com extensions, which OpenSSH designed specifically to prevent this attack.
More info: https://terrapin-attack.com
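The following is an added illustration (not Warpgate or russh code) of what the strict-kex extension changes. It models only the initial key exchange; message numbers are from RFC 4253 and the two marker names are the ones OpenSSH defined. The message transcripts are constructed to show why the fix works: once strict kex is negotiated, a message that should not appear during the handshake is fatal instead of silently shifting the sequence number, and sequence numbers restart at zero after NEWKEYS.

```python
"""Model of OpenSSH 'strict KEX' negotiation and enforcement.

Added illustration, not Warpgate or russh code. Only the initial key
exchange is modelled. Message numbers follow RFC 4253.
"""
from dataclasses import dataclass

KEX_STRICT_CLIENT = "kex-strict-c-v00@openssh.com"  # listed by clients
KEX_STRICT_SERVER = "kex-strict-s-v00@openssh.com"  # listed by servers

SSH_MSG_IGNORE = 2
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
KEX_METHOD_MSGS = range(30, 50)  # reserved for the negotiated kex method


def strict_kex_negotiated(client_kex_algs: str, server_kex_algs: str) -> bool:
    """Strict kex is in effect only if each side listed its own marker in the
    comma-separated kex_algorithms name-list of its KEXINIT. The KEXINIT
    payloads are part of the exchange hash, so a MitM cannot strip a marker
    without making the key exchange fail."""
    return (KEX_STRICT_CLIENT in client_kex_algs.split(",")
            and KEX_STRICT_SERVER in server_kex_algs.split(","))


@dataclass
class InitialKex:
    strict: bool
    seen_first: bool = False
    in_kex: bool = False
    seq_in: int = 0          # receive-side packet sequence number
    rejected: str = ""

    def receive(self, msg: int) -> bool:
        """Feed one incoming message type; False means drop the connection.
        Under strict kex the first packet must be KEXINIT, only kex traffic is
        accepted until NEWKEYS (so an injected SSH_MSG_IGNORE is fatal rather
        than quietly shifting the sequence number), and the sequence number
        resets to zero after NEWKEYS."""
        if self.strict and not self.seen_first and msg != SSH_MSG_KEXINIT:
            self.rejected = f"first message was {msg}, not KEXINIT"
            return False
        self.seen_first = True
        if msg == SSH_MSG_KEXINIT:
            self.in_kex = True
        elif (self.strict and self.in_kex
              and msg != SSH_MSG_NEWKEYS and msg not in KEX_METHOD_MSGS):
            self.rejected = f"message {msg} not allowed during strict kex"
            return False
        self.seq_in += 1
        if msg == SSH_MSG_NEWKEYS:
            self.in_kex = False
            if self.strict:
                self.seq_in = 0
        return True


def replay(strict: bool, msgs: list) -> tuple:
    """Run a scripted stream of message types; return (all_accepted, seq_in)."""
    kex = InitialKex(strict=strict)
    for m in msgs:
        if not kex.receive(m):
            return False, kex.seq_in
    return True, kex.seq_in


# Constructed transcripts. In TAMPERED an SSH_MSG_IGNORE (2) was slipped in
# between KEXINIT and the kex method reply (31).
TAMPERED = [SSH_MSG_KEXINIT, SSH_MSG_IGNORE, 31, SSH_MSG_NEWKEYS]
CLEAN = [SSH_MSG_KEXINIT, 31, SSH_MSG_NEWKEYS]

if __name__ == "__main__":
    print("legacy, tampered:", replay(False, TAMPERED))  # accepted, seq ends at 4
    print("strict, tampered:", replay(True, TAMPERED))   # dropped at the IGNORE
    print("strict, clean:   ", replay(True, CLEAN))      # accepted, seq reset to 0
```

Without the extension the tampered handshake is accepted and the receive counter ends one higher than the peer expects, which is the state the attack relies on; with it, the same stream is rejected at the injected message.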
v0.9.0
Security fixes
CVE-2023-48712
This vulnerability allows a user to escalate their privileges if the admin account isn't protected by 2FA.
Migration
- If you have a proxy in front of Warpgate setting `X-Forwarded-*` headers, set `http.trust_x_forwarded_for` to `true` in the config file.
v0.8.1
Security fixes
CVE-2023-43660
The SSH key verification for a user could be bypassed by sending an SSH key offer without a signature. This allowed bypassing authentication completely under the following conditions:
- The attacker knows the username and a valid target name
- The attacker knows the user's public key
- Only SSH public key authentication is required for the user account
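As an added illustration of the correct handling (this is not Warpgate's or russh's code), the handler below parses an SSH_MSG_USERAUTH_REQUEST for the "publickey" method laid out as in RFC 4252 section 7 and decides between PK_OK, SUCCESS and FAILURE. An offer whose boolean is FALSE carries no signature and only proves knowledge of the public key, so it may at most receive PK_OK; SUCCESS requires a signature over the session id plus the request. The signature primitive is a constructed stand-in (an HMAC keyed by the key blob) so the example runs offline; a real server verifies an Ed25519, ECDSA or RSA signature with the offered key instead. The session id, key blob and user are constructed sample values.

```python
"""Publickey user-auth handling that a signature-less offer cannot bypass.

Added illustration, not Warpgate or russh code. Wire format per RFC 4252
section 7; the signature scheme is a constructed stand-in (see stand_in_sign).
"""
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50


def _str(b: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_str(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n], off + 4 + n


def signed_data(session_id, user, service, alg, key) -> bytes:
    """What the client signs: the session id, then the request up to the key
    blob with the boolean forced to TRUE (RFC 4252 section 7)."""
    return (_str(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST]) + _str(user)
            + _str(service) + _str(b"publickey") + b"\x01" + _str(alg) + _str(key))


def stand_in_sign(key: bytes, data: bytes) -> bytes:
    # Constructed stand-in for a real signature algorithm, keyed by the blob.
    return hmac.new(key, data, hashlib.sha256).digest()


def stand_in_verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(stand_in_sign(key, data), sig)


def build_request(user, service, alg, key, signature=None) -> bytes:
    """Client side: a key query (boolean FALSE, no signature) or a real attempt."""
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST]) + _str(user) + _str(service)
           + _str(b"publickey") + (b"\x01" if signature is not None else b"\x00")
           + _str(alg) + _str(key))
    if signature is not None:
        msg += _str(signature)
    return msg


def handle_publickey(msg: bytes, session_id: bytes, authorized: dict,
                     verify=stand_in_verify) -> str:
    """Server side. Returns 'PK_OK', 'SUCCESS' or 'FAILURE'.

    The defect guarded against here is treating any offer of an authorized
    key as a successful login. Only a verified signature yields SUCCESS."""
    try:
        if msg[0] != SSH_MSG_USERAUTH_REQUEST:
            return "FAILURE"
        off = 1
        user, off = _read_str(msg, off)
        service, off = _read_str(msg, off)
        method, off = _read_str(msg, off)
        if method != b"publickey":
            return "FAILURE"
        has_sig = msg[off] == 1
        off += 1
        alg, off = _read_str(msg, off)
        key, off = _read_str(msg, off)
        if key not in authorized.get(user, ()):
            return "FAILURE"
        if not has_sig:
            return "PK_OK"            # acceptable key, but nothing proven yet
        sig, off = _read_str(msg, off)  # boolean TRUE without a signature: malformed
    except (struct.error, IndexError):
        return "FAILURE"
    if not verify(key, signed_data(session_id, user, service, alg, key), sig):
        return "FAILURE"
    return "SUCCESS"


# Constructed sample values; ALICE_KEY is an arbitrary blob, not a real key.
SESSION_ID = b"constructed-session-id"
ALICE_KEY = b"constructed-ed25519-key-blob-for-alice"
AUTHORIZED = {b"alice": {ALICE_KEY}}

if __name__ == "__main__":
    query = build_request(b"alice", b"ssh-connection", b"ssh-ed25519", ALICE_KEY)
    print("query without signature:", handle_publickey(query, SESSION_ID, AUTHORIZED))
    sig = stand_in_sign(ALICE_KEY, signed_data(SESSION_ID, b"alice", b"ssh-connection",
                                               b"ssh-ed25519", ALICE_KEY))
    attempt = build_request(b"alice", b"ssh-connection", b"ssh-ed25519", ALICE_KEY, sig)
    print("signed attempt:", handle_publickey(attempt, SESSION_ID, AUTHORIZED))
```

Binding the signed data to the session id is what stops a captured signature from being replayed on another connection; the query path is where the original bypass lived, and it now never reaches SUCCESS.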
v0.8.0
Changes
- 0bc9ae1: session details (IP & security key) are now shown during OOB auth to reduce the chance of phishing a user into approving an auth attempt #858
- 983d0ad: bumped russh
v0.7.4
Changes
- Fixed Docker image build
v0.7.3
Security fixes
CVE-2023-37268 [8173f65]
Insufficient authentication checks for SSO users allowed any SSO user to elevate their permissions to those of any other SSO user. All configurations using SSO are affected.
v0.7.2
v0.7.1
Security fixes
CVE-2023-28113 [6b3b49a]
A malicious client or target could negotiate insecure Diffie-Hellman key exchange parameters in a way that leads to an insecure shared secret and breaks the confidentiality of traffic (for their own connection only).
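As an added illustration of the kind of checks that stop a peer from steering a Diffie-Hellman group exchange (RFC 4419) toward weak parameters, the code below validates a peer-supplied modulus, generator and public value before they are used. This is not Warpgate's or russh's code and the thresholds are generic SSH practice rather than Warpgate's own settings; the floor on the modulus size is a parameter so the constructed test groups can be small, whereas a deployment keeps the 2048-bit default.

```python
"""Validation of Diffie-Hellman group-exchange values supplied by a peer.

Added illustration, not Warpgate or russh code. MIN_GROUP_BITS is a generic
choice; the small groups in the demo are constructed and use a lowered floor.
"""
import random

MIN_GROUP_BITS = 2048  # never accept a modulus below this, whatever the peer asks for


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin screening for a peer-supplied modulus."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_gex_group(p: int, g: int, min_bits: int, max_bits: int,
                       floor_bits: int = MIN_GROUP_BITS):
    """Check the (p, g) the server answered a group request with.
    Returns None if acceptable, otherwise the reason to abort the exchange."""
    bits = p.bit_length()
    floor = max(min_bits, floor_bits)
    if bits < floor:
        return f"modulus is {bits} bits, below the {floor}-bit floor"
    if bits > max_bits:
        return f"modulus is {bits} bits, above the requested maximum {max_bits}"
    if not is_probable_prime(p):
        return "modulus is not prime"
    if not is_probable_prime((p - 1) // 2):
        return "modulus is not a safe prime"   # subgroup confinement otherwise possible
    if not 2 <= g <= p - 2:
        return "generator out of range"
    return None


def validate_peer_public(e: int, p: int):
    """The other side's public value must lie strictly inside (1, p-1);
    1 and p-1 would force the shared secret to a known value."""
    if not 1 < e < p - 1:
        return "peer public value out of range"
    return None


if __name__ == "__main__":
    # Constructed tiny examples: 23 is a safe prime (11 is prime), 29 is not.
    print(validate_gex_group(23, 5, 5, 8, floor_bits=5))   # None: acceptable
    print(validate_gex_group(29, 2, 5, 8, floor_bits=5))   # not a safe prime
    print(validate_gex_group(23, 5, 5, 8))                 # rejected by 2048-bit floor
    print(validate_peer_public(22, 23))                    # p-1 is out of range
```

The two checks complement each other: the group check refuses a modulus that is too small, composite, or not a safe prime and a generator outside the usable range, while the public-value check refuses the trivial values that would pin the shared secret regardless of the group.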
v0.7.0
Changes
Minimum required glibc version on Linux is now 2.18
v0.6.5
Changes
- f967609: Added unattended setup command (`warpgate unattended-setup`) - fixes #409
- 7066dd5: Added password recovery command (`warpgate recover-access`) - fixes #410
- Added option to forward username to SSH targets as-is #445 (Alex Donec)
- Removed the 1 second auth delay on SSH - #459 (Eugene Pankov)
- c236da5: Added support for MySQL and PostgreSQL as database storage (`database_url` config option) - fixed #452
UI improvements
- 67866fe: added visual feedback to save buttons
- fd993c4: autofocus the OTP field - fixes #386
- 5bdddd3: allow cancelling authentication