Skip to content

chore(RDODCP-912): Upstream sync v1.11.5#51

Merged
samartha-pm merged 2 commits into
masterfrom
RDODCP-912
Apr 6, 2026
Merged

chore(RDODCP-912): Upstream sync v1.11.5#51
samartha-pm merged 2 commits into
masterfrom
RDODCP-912

Conversation

@samartha-pm

@samartha-pm samartha-pm commented Apr 3, 2026

Copy link
Copy Markdown

Upstream sync:
Cherry-picked from upstream commit 44310b6.

Previously, authfile ACL restrictions were only checked during the initial config handshake. This adds ACL enforcement at the tunnel layer when processing SSH channel requests, ensuring that each outbound connection is validated against the user's allowed addresses.

This is a security enhancement that closes a gap where ACL restrictions could potentially be bypassed after initial authentication.

Note: Dependency update commits (57d2249, 4df5fcf) were not included as the fork already has newer dependency versions than upstream v1.11.5.

Cherry-picked from upstream commit 44310b6.

Previously, authfile ACL restrictions were only checked during the
initial config handshake. This adds ACL enforcement at the tunnel
layer when processing SSH channel requests, ensuring that each
outbound connection is validated against the user's allowed addresses.

This is a security enhancement that closes a gap where ACL restrictions
could potentially be bypassed after initial authentication.

Note: Dependency update commits (57d2249, 4df5fcf) were not included
as the fork already has newer dependency versions than upstream v1.11.5.

Co-Authored-By: Jaime Pillora <dev@jpillora.com>
@samartha-pm samartha-pm requested a review from a team as a code owner April 3, 2026 06:08
@wiz-code-outsystems

wiz-code-outsystems Bot commented Apr 3, 2026

Copy link
Copy Markdown

Wiz Scan Summary

Scanner Findings
Vulnerability Finding Vulnerabilities -
Data Finding Sensitive Data -
Secret Finding Secrets -
IaC Misconfiguration IaC Misconfigurations -
SAST Finding SAST Findings -
Software Management Finding Software Management Findings -
Total -

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

Pull Request Developer Guidance

Questions? See the Wiz FAQ.

Please contact the Security Office if you encounter issues with Wiz pull request scanning.

@samartha-pm samartha-pm merged commit fba25b7 into master Apr 6, 2026
9 checks passed
@samartha-pm samartha-pm deleted the RDODCP-912 branch April 6, 2026 10:20
arshiya-99 added a commit that referenced this pull request Jul 13, 2026
Trivy flags CVE-2026-48113 on our build because the OutSystems fork tag
`1.11.5-os.N` is a SemVer pre-release of `1.11.5`, sorting below the
fixed version. The fix is already present via PR #51. Ref: RDODCP-917
arshiya-99 added a commit that referenced this pull request Jul 13, 2026
* Fix race in tunnel waitGroup causing negative counter panic (jpillora#586)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Improve SOCKS auth: enforce per-user ACL on socks channels (jpillora#591)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* clean workspace dependencies for release

* Add .trivyignore to suppress CVE-2026-48113 false positive

Trivy flags CVE-2026-48113 on our build because the OutSystems fork tag
`1.11.5-os.N` is a SemVer pre-release of `1.11.5`, sorting below the
fixed version. The fix is already present via PR #51. Ref: RDODCP-917

* Remove .trivyignore

* Wire Verbose flag to client logger level (upstream jpillora#281)

The Verbose field was present in Config but never used. Apply the
missing half of upstream commit 200a8e2: set Logger.Info = c.Verbose
so callers can control log verbosity programmatically.

---------

Co-authored-by: Jaime Pillora <jpillora@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants