Security fixes

GHSA-3c3w-75j2-7h74

This is a high severity vulnerability. An attacker-crafted Warpgate login URL could lead a user to a redirect page that runs attacker-injected JS code

Features

• fixed #947 - configurable advertised MySQL server version by @Eugeny in #2083
  • The new mysql.advertised_version lets you specify the MySQL server version that Warpgate will advertise to clients. Note that the previous hardcoded value of 8.0.0 now defaults to 8.0.3 which disables some ancient compatibility behaviours in various DB clients.

Changes

• fixed #1842 - tell the SSH client when the session is closed due to inactivity by @Eugeny in #2082

Fixes

• #1989 - HTTP: return 401 instead of a redirect for cookie-less fetch by @Eugeny in #2060
• fixed #2048 - HTTP: strip cookie domains by @Eugeny in #2061
• fixed #2049 - WebSS sessions were never marked as ended by @Eugeny in #2062
• fixed #2050 - SSH target menu freezing when running in Docker by @Eugeny in #2063
• fixed #1957 - don't offer credentials for disabled SSH auth methods by @Eugeny in #2071
• #1962 - handle connection accept errors gracefully by @Eugeny in #2072
• fix(logging): emit audit events to the JSON console by @mathieuHa in #2077
• fixed #1421 - MySQL/Postgres TLS upgrade race by @Eugeny in #2081
• fixed #2065 - rsync/scp/Ansible hang: early channel data dropped by @Eugeny in #2087

New Contributors

• @mathieuHa made their first contribution in #2077

Full Changelog: v0.25.4...v0.25.5