v3.14.16
⚡ Security
- No security fixes since previous release
- Oldest release with no known security issue is
v3.14.15
(2023-11-08)
💡 Highlights
This release introduces a new global configuration option, ttyrecStealthStdoutPattern, to handle corner-cases where recording stdout of some specific commands would take up gigabytes. If you use rsync
through the bastion, and noticed that some ttyrec files take up a gigantic amount of space, this might help salvaging your hard-drives!
Another noteworthy change is for users using pre-v3.14.15 scp
or sftp
helpers: this release introduces a compatibility logic to avoid requiring them to upgrade their helpers when JIT MFA is not required for their use case. Of course, when JIT MFA is required by policy, the connection will still fail and the only way to go through is to use the new wrappers that can support properly asking MFA to the users.
Otherwise, this release is mainly a bugfix / tiny enhancements release.
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.
📌 Changes
- feat: add
ttyrecStealthStdoutPattern
config - enh:
osh-lingering-sessions-reaper.sh
: handle dangling plugins - enh:
osh-orphaned-homedir.sh
: also cleanup/run/faillock
- enh: plugins: better signal handling to avoid dangling children processes
- fix:
scp
/sftp
: when using pre-v3.14.15 helpers, the JIT MFA logic now behaves as before, so that these old helpers still work when JIT MFA is not needed - fix:
accountInfo
: return always_active=1 for globally-always-active accounts - fix:
ping
: don't exit withfping
when host is unreachable - fix:
osh-sync-watcher
: default to a validrshcmd
(fixes #433) - fix: install: generation of the MFA secret under FreeBSD