• v0.9.0.1 05848925ed

    v0.9.0.1 Stable

    kerem released this 2026-02-27 21:13:00 +03:00 | 164 commits to main since this release

    📅 Originally published on GitHub: Fri, 27 Feb 2026 18:15:54 GMT
    🏷️ Git tag created: Fri, 27 Feb 2026 18:13:00 GMT

    🛡️ Security Hardening Release

    Implements security audit recommendations obtained from Claude, ChatGPT and Gemini.

    Bug Fixes

    • Fixed SSH WebSocket authentication bypass on connection errors
    • Fixed session ID leaking in auth check API response
    • Fixed stale build date shown on login page and about dialog
    • Fixed OIDC nonce not being validated on callback
    • Fixed OIDC token expiry not being checked
    • Fixed force_password_change flag never being enforced on login
    • Fixed default admin account not requiring password change on first login
    • Fixed X-Forwarded-For header spoofable from non-proxy clients
    • Fixed Content-Disposition header injection in PBS file downloads
    • Fixed ESXi migration command injection via unsanitized user/host inputs
    • Fixed sshpass -p exposing password in /proc (now uses env var)
    • Fixed encryption silently falling back to plaintext storage
    • Fixed LDAP TLS certificate verification defaulting to disabled
    • Fixed missing cluster access checks on 65+ API endpoints
    • Fixed missing VM-level ACL check on backup delete and bulk snapshot delete
    • Fixed datacenter options endpoint accepting arbitrary fields (mass assignment)
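
    One way to close the X-Forwarded-For spoofing hole listed above: only honour the header when the TCP peer is a known reverse proxy, and walk the chain from the right past our own proxies. This is an added example, not PegaProx's code; the trusted proxy ranges are constructed placeholders.

```python
import ipaddress
from typing import Optional

# Reverse proxies whose X-Forwarded-For header we trust (constructed sample
# values; a real deployment would load these from configuration).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to use for auth, audit-log and rate-limit decisions.

    remote_addr is the peer address the server actually saw on the socket;
    xff_header is the raw X-Forwarded-For value, if any. The header is only
    consulted when the peer is a trusted proxy, so a client connecting
    directly cannot claim an arbitrary source address.
    """
    if not _is_trusted(remote_addr) or not xff_header:
        return remote_addr
    # Walk the chain right-to-left: skip hops that are our own proxies and
    # stop at the first one that is not; that is the address the outermost
    # trusted proxy observed, which is the only one we can rely on.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                break  # malformed entry: fall back to the socket peer address
            return hop
    return remote_addr
```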

    Improvements

    • Added safe_error() helper to prevent internal error details leaking to clients
    • Added SHA256 integrity verification for update archives
    • Replaced paramiko AutoAddPolicy with WarningPolicy across all SSH connections
    • Version bump to 0.9.0.1 (Build 2026.02.27)

    Full Changelog: https://github.com/PegaProx/project-pegaprox/compare/v0.9.0...v0.9.0.1
