From 3d2cf21e0b689c2261d6743ef90696de44fc29a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Wed, 3 Jul 2024 15:09:20 +0000 Subject: [PATCH] release v3.16.99-rc1 --- doc/CHANGELOG.md | 14 ++++++++++++++ doc/sphinx/installation/upgrading.rst | 19 +++++++++++++++++++ etc/ssh/ssh_config.debian12 | 5 +++-- lib/perl/OVH/Bastion.pm | 2 +- 4 files changed, 37 insertions(+), 3 deletions(-) diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md index ea1eaf3d8..e7a226c2e 100644 --- a/doc/CHANGELOG.md +++ b/doc/CHANGELOG.md @@ -1,3 +1,17 @@ +## v3.16.99-rc1 - 2024/07/04 +feat: support wildcards in --user for ACL management plugins (fix #461) +feat: accountFreeze: terminate running sessions if any +chg: support: add Ubuntu 24.04 LTS +chg: support: bump OpenSUSE Leap from 15.5 to 15.6 +chg: support: remove CentOS 7 (EOL) +chg: support: remove Ubuntu 16.04 LTS (EOL) +enh: enable sntrup KEX by default for supported OpenSSH versions (Debian12, Ubuntu20+) +enh: autologin: set term to ``raw noecho`` when --no-tty is used +fix: stealth\_stdout/stderr was ignored for plugins (fix #482) +fix: ignore transient errors during global destruction +fix: install of ttyrec was failing under FreeBSD 13.2 +fix: selfGenerateProxyPassword: help message was incorrect + ## v3.16.01 - 2024/04/17 - enh: info: removed uname dependency, added configuration - chg: bastion-sync-helper.sh: use sh instead of bash diff --git a/doc/sphinx/installation/upgrading.rst b/doc/sphinx/installation/upgrading.rst index bdaf07106..6dd96e3d4 100644 --- a/doc/sphinx/installation/upgrading.rst +++ b/doc/sphinx/installation/upgrading.rst 
@@ -27,6 +27,25 @@ See the ``--help`` for a more fine-grained upgrade path if needed. Version-specific upgrade instructions ===================================== +v3.16.99-rc1 - 2024/07/04 +************************* + +This release drops support for Ubuntu 16.04 and CentOS 7. If you're still using these EOL OS releases (which is +obviously discouraged), proper functioning of The Bastion is no longer tested or guaranteed. + +This release adds official support for Ubuntu 24.04 LTS and OpenSUSE Leap 15.6, these were already working but +are now part of the integration tests. + +This release adds support of wildcards (also called "shell-style globbing characters"), namely ``?`` and ``*``, +when using the ``--user`` option for plugins such as ``groupAddServer``, ``groupDelServer``, ``groupAddGuestAccess``, +``groupDelGuestAccess``, ``accountAddPersonalAccess``, ``accountDelPersonalAccess``, ``selfAddPersonalAccess``, +``selfDelPersonalAccess``. + +This release adds support of the ``sntrup761x25519-sha512@openssh.com`` KEX algorithm by default on shipped versions +of ``sshd_config`` and ``ssh_config``. If you're upgrading, these files won't be touched, so if you want to add +support, you'll need to modify them manually by prepending ``sntrup761x25519-sha512@openssh.com`` to the +``KexAlgorithms`` line. Verify that the OpenSSH version shipped by your OS does support it (run ``ssh -Q kex``). + v3.16.01 - 2024/04/17 ********************* diff --git a/etc/ssh/ssh_config.debian12 b/etc/ssh/ssh_config.debian12 index b15b69a64..6b5b516a3 100644 --- a/etc/ssh/ssh_config.debian12 +++ b/etc/ssh/ssh_config.debian12 
@@ -45,7 +45,8 @@ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh. MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 # List of allowed key exchange algorithms. -# we prefer curve25519-sha256 which is considered the most modern/secure, +# we prefer sntrup761x25519-sha512@openssh.com which is believed to be quantum-resistant, +# then curve25519-sha256 which is considered the modern and secure, # and still allow diffie hellman with group exchange using sha256 which is # the most secure dh-based kex. # we avoid algorithms based on the disputed NIST curves, and anything based @@ -55,7 +56,7 @@ MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh. # - OmniOS 5.11 needs diffie-hellman-group1-sha1 # - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1 # - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 -KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 +KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 # === AUTHENTICATION === diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm index c3bd19710..7bdb62426 100644 --- a/lib/perl/OVH/Bastion.pm +++ b/lib/perl/OVH/Bastion.pm @@ -5,7 +5,7 @@ use common::sense; use Fcntl; use POSIX qw(strftime); -our $VERSION = '3.16.01'; +our $VERSION = '3.16.99-rc1'; BEGIN { # only used by the handler below
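Review bot: The rewritten comment in the first hunk, `# then curve25519-sha256 which is considered the modern and secure,`, is missing its noun and reads awkwardly; `# then curve25519-sha256, the modern and secure classical choice,` says the same thing. Since this is the Debian 12 copy and the new algorithm name only exists in newer OpenSSH releases, the comment should also warn people who copy this list to other hosts that OpenSSH rejects the entire KexAlgorithms line when any listed name is unknown to the local binary, for example `# NB: OpenSSH refuses the whole KexAlgorithms line if any name is unknown to it; run ssh -Q kex before reusing this list on another OS`. The "believed to be quantum-resistant" wording is an appropriate hedge, as the hybrid construction keeps X25519 strength regardless of how sntrup761 holds up.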
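Review bot: The KexAlgorithms change in the second hunk covers only the client side (etc/ssh/ssh_config.debian12 governs the bastion's egress hop to targets), yet the upgrading.rst hunk in this same commit states that both the shipped sshd_config and ssh_config now enable sntrup761x25519-sha512@openssh.com by default; the diffstat lists no sshd_config file, so either sshd_config.debian12 was updated in an earlier commit or the note overstates what ships and should say ssh_config only. The change itself is safe for compatibility: it prepends the hybrid KEX and leaves the tail of the list unchanged, and the remote sshd walks the client's list in order, so targets that lack the algorithm still negotiate curve25519 or DH exactly as before. The ingress hop (user to bastion), which is the one that matters most for harvest-now-decrypt-later concerns, only benefits once sshd_config carries the same entry. The name is OpenSSH-version-specific and the upgrade note's advice to check `ssh -Q kex` applies to this file too; Debian 12's OpenSSH 9.x should list it, so the Debian 12 copy looks correct as written.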