github ovh/the-bastion v3.22.00

17 hours ago

⚡ Security

💡 Highlights

This release fixes the missing GPG signature on ttyrec files encrypted by the osh-encrypt-rsync script (see the CVE above).
Thanks to @siv0 for the responsible disclosure!

Most of the other changes are fixes around the HTTPS Proxy and enhancements to the setup helper scripts,
adding more checks to ensure they behave correctly even when the system is not in the expected state.

If you've been using the docker sandbox, modifying the container image and pushing it to a remote registry,
you may have noticed that The Bastion was not behaving correctly in some cases: for example, ACLKeepers of a group
could not run ACLKeeper commands unless they were also members of that same group.
This happens because filesystem-level ACLs are silently dropped from a container image pushed to a registry,
so an image pulled back from the registry lacks this information. As The Bastion relies on the OS DAC
in addition to system group membership to protect sensitive modifications by accounts, those accounts were
in effect losing some of their privileges. This has been fixed by re-applying the filesystem-level ACLs
when the sandbox container starts.
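As an added illustration (not The Bastion's own code), the following POSIX shell script shows how such an ACL loss can be detected at container start by comparing a `getfacl` dump saved at image build time against the live one, and how the missing entries would be re-applied with `setfacl`. The paths, account names and ACL entries below are constructed for the example and are not taken from the project.

```shell
#!/bin/sh
# Added example, not part of The Bastion. Detects POSIX ACL entries that
# existed when the image was built but are absent after a registry round-trip.
#
# On the build host you would save the reference dump with, e.g.:
#     getfacl -R -p /home > expected.acl
# and at container start take a fresh one the same way into actual.acl.
# Here both dumps are constructed inline so the script runs offline.

# Constructed reference dump (what the image had before being pushed).
EXPECTED_ACL='# file: home/allowkeeper
# owner: allowkeeper
# group: allowkeeper
user::rwx
user:bastion-svc:r-x
group::---
mask::r-x
other::---

# file: home/keykeeper
# owner: keykeeper
# group: keykeeper
user::rwx
group::---
group:bastion-keykeeper:r-x
mask::r-x
other::---
'

# Constructed live dump after pulling the image back: the named user/group
# entries and the masks have been silently dropped.
ACTUAL_ACL='# file: home/allowkeeper
# owner: allowkeeper
# group: allowkeeper
user::rwx
group::---
other::---

# file: home/keykeeper
# owner: keykeeper
# group: keykeeper
user::rwx
group::---
other::---
'

# missing_acl_entries EXPECTED_FILE ACTUAL_FILE
# Prints one "<path> <acl-entry>" line per entry present in EXPECTED_FILE
# but absent from ACTUAL_FILE. Paths containing spaces are not supported.
missing_acl_entries() {
    awk '
        /^# file: /  { path = substr($0, 9); next }   # "# file: " is 8 chars
        /^#/ || /^$/ { next }                          # other headers, blanks
        FILENAME == ARGV[1] { have[path SUBSEP $0] = 1; next }   # live dump
        !((path SUBSEP $0) in have) { print path, $0 }           # reference
    ' "$2" "$1"
}

# acl_restore_commands EXPECTED_FILE ACTUAL_FILE
# Emits the setfacl invocations that re-apply each missing entry. Mask entries
# are skipped because setfacl recomputes the mask unless -n is given.
# This only prints; review the output before running it on a real host.
acl_restore_commands() {
    missing_acl_entries "$1" "$2" | while read -r path entry; do
        case "$entry" in
            mask::*) ;;
            *) printf 'setfacl -m %s %s\n' "$entry" "$path" ;;
        esac
    done
}

# Write the constructed dumps to temporary files and run the checks.
demo_tmpdir=$(mktemp -d)
printf '%s' "$EXPECTED_ACL" > "$demo_tmpdir/expected.acl"
printf '%s' "$ACTUAL_ACL"   > "$demo_tmpdir/actual.acl"

echo "ACL entries lost in the registry round-trip:"
missing_acl_entries "$demo_tmpdir/expected.acl" "$demo_tmpdir/actual.acl"
echo
echo "Commands that would restore them:"
acl_restore_commands "$demo_tmpdir/expected.acl" "$demo_tmpdir/actual.acl"
```

On a real host the simplest repair is `setfacl --restore expected.acl` with the saved dump, since `getfacl` output is designed to be fed back in; the diff above is useful as a start-time health check that can fail loudly, or log, when the image has lost ACLs that the security model depends on.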

A more complete list of changes can be found below;
for an exhaustive (and boring) list, please refer to the commit log.

📌 Changes

  • feat: httpproxy: craft the Host header on the egress request (#564)
  • fix: httpproxy: duplicate X-Bastion-Local-Status headers in some cases
  • fix: osh-encrypt-rsync: sign files when encrypting (fixes CVE-2025-59339)
  • fix: docker sandbox: re-apply filesystem ACLs on start
  • fix: add checks and make setup helper scripts more idempotent
  • doc: added a few FAQ entries

⏩ Upgrading
