Releases: forgekeep/nebula-mesh
Release list
v0.7.5
nebula-mesh v0.7.5
Install: see README for install snippets (all packages/archives are in the assets below).
Changelog
Dependency updates
- 0b0d291: chore(deps): bump the go-minor-and-patch group with 5 updates (#277) (@dependabot[bot])
Full changelog: v0.7.4...v0.7.5
v0.7.4
v0.7.3
nebula-mesh v0.7.3
Install: see README for install snippets (all packages/archives are in the assets below).
Security
- Bumped
golang.org/x/netto v0.56.0, resolving a medium-severity denial-of-service advisory in its HTML parser. - Bumped
golang.org/x/cryptoto v0.53.0, clearing advisories reported againstx/crypto/ssh*andx/sys/windows(unreachable code paths here — this project only usesx/crypto/bcryptandx/crypto/scrypt, andgovulncheck ./...was clean before and after).
No functional or user-facing changes in this release — dependency and CI maintenance only.
Changelog
Dependency updates
- e9a019b: chore(deps): bump the go-minor-and-patch group with 6 updates (#276) (@dependabot[bot])
- a5dc045: chore(deps): bump x/crypto to v0.53.0 and x/net to v0.56.0 (#273) (@juev)
Full changelog: v0.7.2...v0.7.3
v0.7.2
nebula-mesh v0.7.2
Install — see README for the full snippets.
- Server:
nebula-mgmt_0.7.2_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-mgmt:0.7.2 - Agent:
nebula-agent_0.7.2_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-agent:0.7.2
Security
- GHSA-7rx3-5wx3-5v76 — missing authorization / SSRF (CVSS 7.7, High). A non-admin operator (role
user) could setallow_privateon a webhook subscription, switching the dispatcher to the unguarded HTTP client and bypassing the private/loopback/link-local SSRF guard at delivery.allow_privateis now admin-only. Affects 0.6.0–0.7.1; fixed in 0.7.2.
Changelog
Bug fixes
Others
Full changelog: v0.7.1...v0.7.2
v0.7.1
nebula-mesh v0.7.1
Install — see README for the full snippets.
- Server:
nebula-mgmt_0.7.1_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-mgmt:0.7.1 - Agent:
nebula-agent_0.7.1_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-agent:0.7.1
Changelog
Bug fixes
Others
- 0426e2f: Merge commit from fork (@juev)
- 1305876: docs(readme): bump install VERSION to 0.7.0 for the v0.7.0 release (@juev)
- af6d0d4: docs(readme): bump install VERSION to 0.7.1 for the v0.7.1 release (@juev)
Full changelog: v0.7.0...v0.7.1
v0.7.0
nebula-mesh v0.7.0
Install — see README for the full snippets.
- Server:
nebula-mgmt_0.7.0_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-mgmt:0.7.0 - Agent:
nebula-agent_0.7.0_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-agent:0.7.0
Changelog
Features
- ef38b2b: feat(auth): per-account lockout after repeated failed logins (#270) (@juev)
- 183cd78: feat(metrics)!: default metrics.require_auth to true (#267) (@juev)
- ef1c4a9: feat(oidc): optional TLS CA certificate pinning for the IdP (#269) (@juev)
- 6690495: feat(web): self-service password change for operators (#268) (@juev)
Bug fixes
- 46a4b76: fix(security): add object-src 'none' to CSP (#265) (@juev)
- 0dee8b3: fix(security): use generic error on duplicate registration username (#266) (@juev)
Full changelog: v0.6.0...v0.7.0
v0.6.0
nebula-mesh v0.6.0
Install — see README for the full snippets.
- Server:
nebula-mgmt_0.6.0_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-mgmt:0.6.0 - Agent:
nebula-agent_0.6.0_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-agent:0.6.0
Changelog
Features
- 3bfd1b3: feat(webhooks): emit lifecycle events to a configured endpoint (phase 1) (#257) (@juev)
- a7eb491: feat(webhooks): managed webhook subscriptions (phase 2) (#258) (@juev)
Others
- 9487a75: docs(readme): bump install VERSION to 0.6.0 for the v0.6.0 release (@juev)
- d041317: refactor(api): migrate OpenAPI contract to 3.1 via libopenapi (#255) (@juev)
Full changelog: v0.5.0...v0.6.0
v0.5.0
nebula-mesh v0.5.0
Install — see README for the full snippets.
- Server:
nebula-mgmt_0.5.0_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-mgmt:0.5.0 - Agent:
nebula-agent_0.5.0_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-agent:0.5.0
Changelog
Features
- 0530e4d: feat(api): add OpenAPI spec and contract tests for the REST API (#252) (@juev)
- 41483ab: feat(ops): add backup and restore commands (#251) (@juev)
Bug fixes
- 9389b76: fix(agent): honor nebula_config_path for rendered config writes (#249) (@juev)
- c55eb1b: fix(agent): poll immediately on poller start instead of waiting a full interval (#248) (@juev)
- bf9f4b7: fix(fsutil): fsync parent directory after atomic rename for crash safety (#250) (@juev)
Others
- 5140060: Merge commit from fork (@juev)
- bc38708: Merge commit from fork (@juev)
- 5abbcc8: docs(agent): fix sidecar example to use published nebula-agent image (#246) (@juev)
- 7186b86: docs(readme): bump install VERSION to 0.5.0 for the v0.5.0 release (#253) (@juev)
- f6d4ddd: docs(readme): bump pinned VERSION to v0.4.0 and guard against doc rot (#247) (@juev)
Full changelog: v0.4.0...v0.5.0
v0.4.0
nebula-mesh v0.4.0
Install — see README for the full snippets.
- Server:
nebula-mgmt_0.4.0_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-mgmt:0.4.0 - Agent:
nebula-agent_0.4.0_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-agent:0.4.0
Changelog
Bug fixes
- 432e4ac: fix(agent): refuse plaintext http:// server_url unless explicitly opted out (#235) (@ak2k)
- 3ca7c26: fix(agent): zeroize private keys after enrollment writes them to disk (#236) (@ak2k)
- 945ec58: fix(alerts): enforce the webhook SSRF guard at delivery time (#243) (@ak2k)
- ec8b364: fix(api): stop auditing pre-auth malformed agent polls (#242) (@ak2k)
- 853717c: fix(api,mobilebundle): apply stored firewall rules to generated configs (#245) (@ak2k)
- 849d56e: fix(api,web): audit network creation and firewall policy updates (#239) (@ak2k)
- d2b777b: fix(keystore,pki): bind CA-key envelopes to their ca_id with GCM AAD (#238) (@ak2k)
- 3d66eae: fix(ratelimit): key on rightmost X-Forwarded-For entry, not leftmost (#232) (@ak2k)
- 638bee2: fix(store): derive audit-log id from crypto/rand, not UnixNano (#240) (@ak2k)
- 64653a6: fix(store): pin Migrate to one connection so PRAGMA foreign_keys holds (#244) (@ak2k)
- 6ac19c8: fix(store,api,web): empty operator role defaults to user, not admin (#234) (@ak2k)
- 9eead1e: fix(web): equalize login timing for OIDC accounts (#233) (@ak2k)
- d92dd9a: fix(web): reject login with empty username instead of defaulting to admin (#223) (@juev)
- aca9080: fix(web): require non-admins to pick a network when creating a host (#241) (@ak2k)
- 10e6bc1: fix(web,store): make TOTP codes one-time within their validity window (#237) (@ak2k)
Full changelog: v0.3.8...v0.4.0
v0.3.8
nebula-mesh v0.3.8
Install — see README for the full snippets.
- Server:
nebula-mgmt_0.3.8_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-mgmt:0.3.8 - Agent:
nebula-agent_0.3.8_<os>_<arch>.tar.gzordocker pull ghcr.io/forgekeep/nebula-agent:0.3.8
Changelog
Bug fixes
- 3077efa: fix(api): require target group selector and bound its length in firewall rules (#200) (@juev)
- 4358d7a: fix(api): scope agent-poll blocklist to the host's CA (#206) (@juev)
- 60a512c: fix(cli): add request timeout to CLI HTTP client (#220) (@juev)
- c60ab50: fix(cli): check discarded io.ReadAll errors on response bodies (#218) (@juev)
- 0b8b74c: fix(cli): validate --server URL before issuing requests (#219) (@juev)
- 34d2e64: fix(config): create parent dir in SaveServerConfig before CreateTemp (#221) (@juev)
- c452237: fix(configgen): round-trip operator strings in generated YAML (#176) (#177) (@juev)
- d5010ef: fix(keystore): zeroize decoded master-key bytes in NewMasterFromBase64 (#201) (@juev)
- 7396708: fix(store): make ConsumeToken UPDATE conditional on used=0 and check RowsAffected (#202) (@juev)
- d7cf570: fix(web): invalidate operator sessions on admin password reset (#205) (@juev)
Others
- 7cb01ba: Merge commit from fork (@juev)
- 1f1ab9a: Merge commit from fork (@juev)
- 87bcdc4: chore(cli,models): check json.Marshal errors and fix function typo (#222) (@juev)
- 08e4be3: ci(security): gate PRs on standalone gosec + govulncheck (#212) (@juev)
- a8a9eea: docs(security): add STRIDE threat-model document (#210) (@juev)
- b2038fc: test(security): add local multi-operator offensive test bench (#211) (@juev)
Full changelog: v0.3.7...v0.3.8