github netresearch/ofelia v0.21.2
on GitHub

latest releases: v0.25.0, v0.24.0, v0.23.1...
3 months ago

Highlights

This security-focused release addresses 5 vulnerabilities and 6 stability issues discovered during a comprehensive code review.

Security hardening

  • Credential leak prevention: /api/config no longer exposes WebPasswordHash and WebSecretKey
  • CSRF bypass removed: The X-Requested-With header bypass has been eliminated
  • Rate limiter DoS fix: Stale entries are now cleaned up to prevent unbounded memory growth
  • IP spoofing prevention: X-Forwarded-For and X-Real-IP headers are only trusted from loopback or explicitly configured proxies
  • Configurable trusted proxies: New web-trusted-proxies option for deployments behind reverse proxies in non-loopback networks

Stability improvements

  • Context propagation to Docker API calls — scheduler shutdown, job removal, and max-runtime cancellation now reach Docker containers
  • Double-close panic on daemon done channel fixed with sync.Once
  • Concurrent map access crash in Config protected with mutex
  • Shutdown hooks execute in priority groups instead of all concurrently
  • Shutdown timeout now enforced even when hooks ignore context cancellation
  • Swarm services correctly return NonZeroExitError for non-zero exit codes

Changes

Security

  • fix(security): hide WebPasswordHash and WebSecretKey from /api/config (#511)
  • fix(security): remove CSRF bypass via X-Requested-With header (#511)
  • fix(security): implement rate limiter cleanup to prevent memory DoS (#511)
  • fix(security): only trust forwarded headers from trusted proxies (#511)
  • fix(security): make trusted proxies configurable (#511)
  • fix(security): also check X-Real-IP in rate limiter middleware (#511)

Bug Fixes

  • fix: propagate context to Docker API calls for cancellation support (#511)
  • fix: prevent double-close panic on daemon done channel (#511)
  • fix: add mutex to Config to prevent concurrent map access crash (#511)
  • fix: execute shutdown hooks in priority groups (#511)
  • fix: enforce shutdown timeout even when hooks ignore context (#511)
  • fix: return NonZeroExitError for non-zero Swarm service exit codes (#511)

Dependencies

  • chore(deps): bump golang.org/x/crypto from 0.48.0 to 0.49.0 (#512)
  • chore(deps): bump github.com/netresearch/go-cron from 0.13.0 to 0.13.1 (#514)
  • chore(deps): bump golang.org/x/time from 0.14.0 to 0.15.0 (#515)

Verification

All binaries include SLSA Level 3 provenance attestations.

Verify binary provenance

slsa-verifier verify-artifact ofelia-linux-amd64 \
  --provenance-path ofelia-linux-amd64.intoto.jsonl \
  --source-uri github.com/netresearch/ofelia

Verify checksums signature

cosign verify-blob \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity "https://github.com/netresearch/ofelia/.github/workflows/release-slsa.yml@refs/tags/v0.21.2" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  checksums.txt

Included in this release

View all PRs and Issues included in this release

Check out latest releases or
releases around netresearch/ofelia v0.21.2

Don't miss a new ofelia release

NewReleases is sending notifications on new releases.

Get notifications