github tale/headplane v0.7.0-beta.3
v0.7.3-beta.3

Pre-release, 4 hours ago

Security Hotfix

This release fixes GHSA-vgj6-hcf2-fqf6, a path traversal / RBAC bypass in Headscale rename API calls.

Headplane now URL-encodes user-controlled node and user rename path segments before sending requests to Headscale. This prevents crafted rename values containing path traversal sequences from escaping the intended Headscale API endpoint.

Users running Headplane 0.7.0-beta.1 or beta.2 should upgrade to beta.3.
Thank you to @kah-ja for helping discover this.
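
The effect of encoding rename path segments, shown as an added example (not Headplane's own code). The base URL, the `/api/v1/node/{id}/rename/{name}` route shape, the function names and the sample inputs are assumptions made for this sketch.

```javascript
// Added illustration, not Headplane's code. The base URL and the
// /api/v1/node/{id}/rename/{name} route shape are assumptions for this sketch.
const BASE = "http://headscale.example:8080"; // constructed placeholder

// Resolve a request path the way a WHATWG URL-based HTTP client would.
function resolve(path) {
  return new URL(path, BASE).pathname;
}

// Before: the user-supplied name is interpolated as-is, so "/" and ".."
// inside it are treated as path syntax and normalised away.
function renamePathUnsafe(nodeId, newName) {
  return resolve(`/api/v1/node/${nodeId}/rename/${newName}`);
}

// After: every user-controlled value is percent-encoded into one segment.
// encodeURIComponent leaves "." untouched, so bare dot segments are rejected.
function encodeSegment(value) {
  const s = String(value);
  if (s === "" || s === "." || s === "..") {
    throw new Error("invalid path segment");
  }
  return encodeURIComponent(s);
}

function renamePathSafe(nodeId, newName) {
  const path = resolve(
    `/api/v1/node/${encodeSegment(nodeId)}/rename/${encodeSegment(newName)}`
  );
  // Final check: the resolved path must still be the rename route.
  const parts = path.split("/");
  if (parts.length !== 7 || parts[3] !== "node" || parts[5] !== "rename") {
    throw new Error("resolved path left the rename endpoint");
  }
  return path;
}

// Constructed sample inputs.
const CRAFTED = "../../elsewhere";
console.log(renamePathUnsafe("5", CRAFTED));  // path no longer ends in /rename/...
console.log(renamePathSafe("5", CRAFTED));    // stays under /rename/ as one segment
console.log(renamePathSafe("5", "laptop 2")); // ordinary names still work
```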

What's Changed

  • fix: treat Go zero-time as no-expiry in UI by @eccgecko in #527
  • chore: update flake.lock by @github-actions[bot] in #524
  • fix: harden OIDC weak RSA fallback and subject claim handling by @croatialu in #537
  • chore: update flake.lock by @github-actions[bot] in #533

Full Changelog: v0.7.0-beta.2...v0.7.0-beta.3
