github fleetdm/fleet 3.5.1

3 years ago

This is a security release.

Changes

  • Security: Introduce an XML validation library to mitigate a Go stdlib XML parsing vulnerability affecting SSO login. See GHSA-w3wf-cfx3-6gcx and the content linked from that advisory.

Follow up: Rotate --auth_jwt_key to invalidate existing sessions. Audit for suspicious activity in the Fleet server.

  • Security: Prevent new queries from using the SQLite ATTACH command. This is a mitigation for the osquery vulnerability GHSA-4g56-2482-x7q8.

Follow up: Audit existing saved queries and logs of live query executions for possible malicious use of ATTACH. Upgrade osquery to 4.6.0 to prevent ATTACH queries from executing.
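As an added example (not part of this release or of Fleet's own tooling), the audit suggested above can be scripted: the function below flags saved queries or live-query log entries that use ATTACH as an SQL keyword, while ignoring the word when it only appears inside a comment or a string literal. The sample queries are constructed for illustration.

```python
import re

# Matches the parts of a query that are not SQL keywords, so they can be
# blanked out before scanning: -- line comments, /* */ block comments, and
# 'single' or "double" quoted literals (with doubled-quote escapes).
_NOISE = re.compile(
    r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"",
    re.DOTALL,
)
# ATTACH as a whole word, any case (SQLite accepts ATTACH and ATTACH DATABASE).
_ATTACH = re.compile(r"\bATTACH\b", re.IGNORECASE)


def uses_attach(sql: str) -> bool:
    """True if the query contains ATTACH as a keyword, not as text inside
    a comment or string literal."""
    stripped = _NOISE.sub(" ", sql)
    return bool(_ATTACH.search(stripped))


def audit_queries(queries):
    """queries: iterable of (name, sql). Returns the names that use ATTACH."""
    return [name for name, sql in queries if uses_attach(sql)]


# Constructed sample: a mix of saved queries and live-query log entries.
SAMPLE_QUERIES = [
    ("processes", "SELECT pid, name FROM processes WHERE name = 'attach-helper';"),
    ("lowercase_attach", "attach database '/tmp/extra.db' as x; select * from x.t;"),
    ("comment_only", "SELECT 1; -- ATTACH mentioned in a comment"),
    ("block_comment", "/* ATTACH */ SELECT hostname FROM system_info;"),
    ("multi_stmt", "SELECT 1;\nATTACH DATABASE '/var/lib/osquery/x.db' AS ev;"),
]

if __name__ == "__main__":
    for name in audit_queries(SAMPLE_QUERIES):
        print(f"flagged: {name}")
```

Feed it the query text exported from Fleet (for example via fleetctl or the saved-query and live-query log sources you already collect); anything flagged deserves a manual look before upgrading osquery closes the hole.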

  • Update icons and fix hosts dashboard for wide screen sizes.

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for this release can be found at https://github.com/fleetdm/fleet/blob/3.5.1/docs/README.md

Binary Checksum

SHA256

1476e27814861bc7964f1c0db122cb156d56996f1612518c330c522ba24368f4  fleet.zip
0adf9b70e6e1099d3c0d026b984a78996c2d1badb3884b4da7e5b1ca7f90fc3f  fleetctl.exe.zip
beab8bad8d48a3f7a4712610b1ba460ec8952f108337b02d709dc7aacd956ebe  fleetctl-macos.tar.gz
aabc45c718bc5286e0cb9bbb3b2afa9d9443e5089a33fdcee47c099b4b5f94af  fleetctl-windows.tar.gz
14da11eb9b389d13fd1e84888590fbf860491758fa251da0d7b86f5a5ad7ad74  fleetctl-linux.tar.gz
