This is a security release.
Changes
- Security: Introduce XML validation library to mitigate Go stdlib XML parsing vulnerability affecting SSO login. See GHSA-w3wf-cfx3-6gcx and the linked content within that advisory. Follow up: Rotate `--auth_jwt_key` to invalidate existing sessions. Audit for suspicious activity in the Fleet server.
- Security: Prevent new queries from using the SQLite `ATTACH` command. This is a mitigation for the osquery vulnerability GHSA-4g56-2482-x7q8. Follow up: Audit existing saved queries and logs of live query executions for possible malicious use of `ATTACH`. Upgrade osquery to 4.6.0 to prevent `ATTACH` queries from executing.
- Update icons and fix hosts dashboard for wide screen sizes.
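The `ATTACH` follow-up above asks administrators to audit saved queries and live query logs. The Go program below is an added example written for this note, not Fleet's own code, of how such an audit check can be made robust: it strips SQL comments and quoted literals before looking for `ATTACH` as a bare keyword, so a column named `attachments` or the string `'attach'` does not produce a false positive while lowercase or comment-wrapped uses are still caught. The `sampleQueries` map is a constructed set of saved queries; the function names `stripSQL`, `UsesAttach` and `FindAttachQueries` are this example's own.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// stripSQL removes SQL comments and the contents of quoted literals so that
// the word "attach" inside a comment or string cannot trigger a false positive.
func stripSQL(q string) string {
	var b strings.Builder
	i := 0
	for i < len(q) {
		switch {
		case strings.HasPrefix(q[i:], "--"):
			// line comment: skip to end of line
			for i < len(q) && q[i] != '\n' {
				i++
			}
		case strings.HasPrefix(q[i:], "/*"):
			// block comment: skip past the closing "*/" (or to end of input)
			end := strings.Index(q[i+2:], "*/")
			if end < 0 {
				return b.String()
			}
			i += end + 4
		case q[i] == '\'' || q[i] == '"':
			// quoted literal: replace the whole literal with a single space
			quote := q[i]
			i++
			for i < len(q) && q[i] != quote {
				i++
			}
			i++ // step past the closing quote
			b.WriteByte(' ')
		default:
			b.WriteByte(q[i])
			i++
		}
	}
	return b.String()
}

// UsesAttach reports whether the query contains ATTACH as a standalone SQL
// keyword (case-insensitive), ignoring comments and string literals.
func UsesAttach(query string) bool {
	cleaned := stripSQL(query)
	isIdent := func(r rune) bool { return r == '_' || unicode.IsLetter(r) || unicode.IsDigit(r) }
	for _, tok := range strings.FieldsFunc(cleaned, func(r rune) bool { return !isIdent(r) }) {
		if strings.EqualFold(tok, "attach") {
			return true
		}
	}
	return false
}

// FindAttachQueries returns the sorted names of saved queries that use ATTACH.
func FindAttachQueries(saved map[string]string) []string {
	var hits []string
	for name, sql := range saved {
		if UsesAttach(sql) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

// sampleQueries is a constructed set of saved queries for this example only.
var sampleQueries = map[string]string{
	"os_version":    "SELECT name, version FROM os_version;",
	"attachments":   "SELECT attachments FROM some_table; -- attach is only a column here",
	"literal_only":  "SELECT * FROM processes WHERE name = 'attach';",
	"lowercase":     "attach database '/tmp/x.db' as x; select * from x.t;",
	"mixed_comment": "/* harmless */ SELECT 1; ATTACH DATABASE 'foo' AS f;",
}

func main() {
	for _, n := range FindAttachQueries(sampleQueries) {
		fmt.Println("uses ATTACH:", n)
	}
}
```

Run against an export of saved queries (or the query text from live query logs), the two flagged names in the sample are `lowercase` and `mixed_comment`; the `attachments` and `literal_only` entries are correctly left alone. Treat a hit as a prompt for review, not proof of misuse, since `ATTACH` also has legitimate uses.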
Upgrading
Please visit our update guide for upgrade instructions.
Documentation
Documentation for this release can be found at https://github.com/fleetdm/fleet/blob/3.5.1/docs/README.md
Binary Checksum
SHA256
1476e27814861bc7964f1c0db122cb156d56996f1612518c330c522ba24368f4 fleet.zip
0adf9b70e6e1099d3c0d026b984a78996c2d1badb3884b4da7e5b1ca7f90fc3f fleetctl.exe.zip
beab8bad8d48a3f7a4712610b1ba460ec8952f108337b02d709dc7aacd956ebe fleetctl-macos.tar.gz
aabc45c718bc5286e0cb9bbb3b2afa9d9443e5089a33fdcee47c099b4b5f94af fleetctl-windows.tar.gz
14da11eb9b389d13fd1e84888590fbf860491758fa251da0d7b86f5a5ad7ad74 fleetctl-linux.tar.gz