Releases: warp-tech/warpgate
v0.25.5
Security fixes
GHSA-3c3w-75j2-7h74
This is a high-severity vulnerability. An attacker-crafted Warpgate login URL could lead a user to a redirect page that runs attacker-injected JS code.
Features
- fixed #947 - configurable advertised MySQL server version by @Eugeny in #2083
  - The new mysql.advertised_version lets you specify the MySQL server version that Warpgate will advertise to clients. Note that the previous hardcoded value of 8.0.0 now defaults to 8.0.3 which disables some ancient compatibility behaviours in various DB clients.
Changes
Fixes
- #1989 - HTTP: return 401 instead of a redirect for cookie-less fetch by @Eugeny in #2060
- fixed #2048 - HTTP: strip cookie domains by @Eugeny in #2061
- fixed #2049 - WebSS sessions were never marked as ended by @Eugeny in #2062
- fixed #2050 - SSH target menu freezing when running in Docker by @Eugeny in #2063
- fixed #1957 - don't offer credentials for disabled SSH auth methods by @Eugeny in #2071
- #1962 - handle connection accept errors gracefully by @Eugeny in #2072
- fix(logging): emit audit events to the JSON console by @mathieuHa in #2077
- fixed #1421 - MySQL/Postgres TLS upgrade race by @Eugeny in #2081
- fixed #2065 - rsync/scp/Ansible hang: early channel data dropped by @Eugeny in #2087
New Contributors
- @mathieuHa made their first contribution in #2077
Full Changelog: v0.25.4...v0.25.5
v0.25.4
Fixes
Full Changelog: v0.25.3...v0.25.4
v0.25.3
v0.25.2
Fixes
- fixed #2029 - broken MySQL query, remove log entry size limit by @Eugeny in #2031
- fixed #2027 - make username matching case insensitive by @Eugeny in #2032
Full Changelog: v0.25.1...v0.25.2
What's Changed
- fixed #2029 - broken MySQL query, remove log entry size limit by @Eugeny in #2031
- fixed #2027 - make username matching case insensitive by @Eugeny in #2032
- Bump x509-parser from 0.17.0 to 0.18.1 by @dependabot[bot] in #1934
Full Changelog: v0.25.1...v0.25.2
v0.25.1
v0.25.0
New features
#1990 - SSH target selection menu
Users can now omit the target name when connecting to Warpgate's SSH port, which will trigger an interactive target selection menu in the terminal.
#1882 - Configurable password policy
Added password complexity rules, configurable under Config > Global Parameters.
#2013 - SSH jump host support
Added support for SSH targets that are only reachable behind another jump host. The jump host itself has to be defined as a separate SSH target, after which it becomes selectable in the new "Jump host" field in the SSH target configuration.
by @rjourdan04
#1985 - Audit logging improvements
Added audit logging for failed web logins, as well as details regarding credentials used, IPs, etc.
by @LarsSven
Changes
- Add logs download button by @LarsSven in #1977
- Postgres protocol 3.2 support by @Eugeny in #2009
- New connection animation by @Eugeny in #2017
- fixed #2000 - always require TLS for Postgres connections by @Eugeny in #2020
- fixed #2003 - allow dismissing tutorial by @Eugeny in #2022
Fixes
- #1988 - fix migrations compatibility with MySQL 8 by @Eugeny in #1992
- fix(db): change varchar fields to TEXT to avoid insertion errors by @joseluisgonzalezca in #1999
- perf: find target by name using a query instead of doing it in memory by @joseluisgonzalezca in #2019
New Contributors
- @kamilkrzeminski made their first contribution in #1882
Full Changelog: v0.24.0...v0.25.0
v0.24.1
Fixes
- Fixed the bug where clicking SSH connection instructions would open both instructions and WebSSH
Full Changelog: v0.24.0...v0.24.1
v0.24.0
WebSSH update
This is a large feature release bringing a web-based SSH terminal and self-service ticket requests.
Migrating
If you use domain binding with SSO and want to use the bound domain for the SSO return URL, you'll need to set the new return_url_domain option to host_header - see more at https://warpgate.null.page/sso/#domain-handling
New features
Web SSH #1943
Your users will now be able to connect to their SSH targets directly from the web browser. The terminal supports multiple tabs and single file transfers via ZMODEM.
Clicking an SSH target will open the terminal by default, but this can be changed under Config > Global parameters.
Default roles #1923
Roles can now be marked "default", which will auto-assign them to any newly created users.
Self-serve tickets #1818
If enabled under Config > Global parameters, users will be able to request ticket creation from their profile page. Admins will be able to see and approve/reject these requests on the Ticket admin page. Tickets for already allowed targets can be optionally auto-approved.
Changes
- Sectioned forms for users and targets by @Eugeny in #1961
- fixed #1975, fixed #1976 - let admin choose the default target click action by @Eugeny in #1983
- Little/max api token duration by @SteezyCougar in #1946
- fixed #1945 - make SCP recording optional by @Eugeny in #1978
- fixed #1948 - add return_url_domain SSO config option by @Eugeny in #1971
Fixes
- Make admin UI search filtering case-insensitive across list and log endpoints by @Copilot in #1922
- Ipv6 hostname parse fix by @Eugeny in #1936
- Small cleanups by @LarsSven in #1939
- fix: parse forwarded header lists by @immanuwell in #1944
- Fix Svelte sourcemap line drift by disabling preprocess-level sourcemap emission by @Copilot in #1959
- fix: display security key and browser auth URL in SSH terminal (#1960) by @xTamasu in #1970
New Contributors
- @immanuwell made their first contribution in #1944
- @xTamasu made their first contribution in #1970
Full Changelog: v0.23.4...v0.24.0
v0.23.4
Fixes
- Fix #1558 - get username for API token by @tieb62 in #1899
- Helm : Roll deployment when config or referenced secrets change by @plopoyop in #1898
- fixed #1903 - ensure usernames are unique by @Eugeny in #1911
- read request Host header explicitly by @Eugeny in #1912
New Contributors
Full Changelog: v0.23.3...v0.23.4
What's Changed
- Bump github/codeql-action from 4.35.2 to 4.35.4 by @dependabot[bot] in #1907
- Bump axios from 1.15.0 to 1.16.0 in /warpgate-web by @dependabot[bot] in #1905
- Bump ip-address and socks in /warpgate-web by @dependabot[bot] in #1904
- Fix #1558 - get username for API token by @tieb62 in #1899
- Helm : Roll deployment when config or referenced secrets change by @plopoyop in #1898
- add tieb62 as a contributor for code by @allcontributors[bot] in #1909
- fixed #1903 - ensure usernames are unique by @Eugeny in #1911
- read request Host header explicitly by @Eugeny in #1912
New Contributors
Full Changelog: v0.23.3...v0.23.4
v0.23.3
Security fixes
CVE-2026-44347
- Verify SSO state parameter in #1891
This vulnerability allowed an authorized Warpgate user A to share their SSO return link with another authorized Warpgate user B, potentially misleading B into getting logged in as A and subsequently sharing confidential information through user A's session.
Fixes
Full Changelog: v0.23.2...v0.23.3
What's Changed
- Verify state parameter by @Eugeny in #1891
- fix #1883 - re-normalize options.auth field for database targets by @Eugeny in #1892
Full Changelog: v0.23.2...v0.23.3