-
Notifications
You must be signed in to change notification settings - Fork 89
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
75 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
# :zap: Security | ||
|
||
- No security fixes since previous release | ||
- Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08) | ||
|
||
# :bulb: Highlights | ||
|
||
Will 2025 be the year of IPv6? Let's not try to answer this controversial question and just say that the main change of this pre-release is *drum roll* the official support of IPv6! | ||
Most of the code was already IPv6-aware, but in some places IPv4 was assumed so these all have been adjusted to work with both IP versions. | ||
Note that by default, IPv6 support is disabled, we've introduced the ``IPv6Allowed`` boolean option in ``bastion.conf`` that you must set to true to allow egress connections in IPv6. We've also taken this opportunity to add an ``IPv4Allowed`` option, which is enabled by default, you can set it to ``false`` should you want to have a strictly IPv6-only bastion! | ||
A lot of tests have been added to ensure everything works correctly with this change, but as this is still an important change, and only a few tests have been done in-the-field yet, this'll be a pre-release for a few weeks. | ||
|
||
We've also taken this opportunity to make a few other changes, such as: | ||
- speeding up the ``is_valid_ip`` check (35% speedup, noticeable for groups with thousands of ACLs) | ||
- set ``ECDSA`` as the default algorithm for generated egress keys instead of RSA, for new installs only ([defaultAccountEgressKeyAlgorithm](https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html#defaultaccountegresskeyalgorithm)) | ||
|
||
Some work has also been done around the unit tests (using the more standard ``TAP::Harness``) and functional tests (speeding them up). | ||
|
||
A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.18.00...v3.18.99-rc1). | ||
|
||
# :pushpin: Changes | ||
- feat: IPv6 support | ||
- chg: set ECDSA as default egress key algo for new installs | ||
- chg: ``groupInfo``: remove deprecated JSON fields | ||
- enh: 35% faster ``is_valid_ip()`` when fast=1 | ||
- enh: ``accountInfo``: add osh-only information for accounts | ||
- enh: tests: add ``--skip-functional-tests`` and ``--skip-unit-tests`` | ||
- fix: ``accountInfo``: don't attempt (and fail) to display info non-auditors don't have access to | ||
- fix: ``groupInfo``: don't attempt to (and fail) display the guest list when account doesn't have access to it | ||
- fix: deny subnets for ``nc``, ``mtr``, ``ping``, ``alive`` plugins | ||
- fix: is_in_any_net: support matching subnets | ||
- chore: faster tests by removing grant/revoke command dance | ||
- chore: tests: no longer run consistency check by default | ||
- chore: use proper naming of 'subnet' instead of 'prefix' or 'slash' | ||
- chore: use ``TAP::Harness`` for unit tests | ||
|
||
# :fast_forward: Upgrading | ||
|
||
- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html) | ||
- [Specific upgrade instructions for v3.18.99-rc1](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-18-99-rc1-2025-01-03) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters