⚡ Security

• Fixed CVE-2023-45140 with severity 4.8 (CVSS 3.0)

💡 Highlights

This release fixes a security issue where JIT MFA on sftp and scp plugins was not honored. Please refer to CVE-2023-45140 for impact and mitigation details.
Upgrading to this version is sufficient to fix the issue, but please read through the specific upgrading instructions of this version.

A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

• feat: support JIT MFA through plugins, including sftp and scp (fixes CVE-2023-45140)
• feat: add configuration option for plugins to override the global lock/kill timeout
• enh: setup-gpg.sh: allow importing multiple public keys at once
• enh: connect.pl: report empty ttyrec as ttyrec_empty instead of ttyrec_error
• enh: orphaned homedirs: adjust behavior on master instances
• fix: check_collisions: don't report orphan uids on slave, just use their name
• fix: scp: adapt wrapper and tests to new scp versions requiring -O
• meta: dev: add devenv docker, pre-commit info, and documentation on how to use them, along with how to write integration tests

⏩ Upgrading

• General upgrade instructions
• Specific upgrade instructions for v3.14.15