v0.8.2
aymanbagabas
Ayman Bagabas
This tag was signed with the committer’s verified signature.
aymanbagabas
Ayman Bagabas
22d00e9
This commit was signed with the committer’s verified signature.
aymanbagabas
Ayman Bagabas
Prevent path traversal attacks
This is a security release to patch an issue where a malicious user could take over other user's repositories. Please upgrade your Soft Serve instances to prevent these attacks from happening.
Changelog
Bug fixes
- 22d00e9: fix(ssh): cmd: remove unnecessary call to utils.SanitizeRepo (@aymanbagabas)
- a8d1bf3: fix: prevent path traversal attacks (#631) (@aymanbagabas)
- 9cd64aa: fix: using lipgloss tables instead of tablewriter (#618) (@caarlos0)
Verifying the artifacts
First, download the checksums.txt file, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.2/checksums.txt'Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.2/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/soft-serve/releases/download/v0.8.2/checksums.txt.sig' \
./checksums.txtIf the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txtDone! You artifacts are now verified!
Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.
Contributors
caarlos0 and aymanbagabas