Releases: portier/portier-broker

v0.8.3

23 Jun 08:41

This release fixes a security issue in the openssl crate: RUSTSEC-2023-0044.

This issue affects Portier Broker < 0.8.0 on Linux, as well as source builds of >= 0.8.0, < 0.8.3 on Linux that used the native-tls feature flag. Regular builds of >= 0.8.0 use Rustls instead of OpenSSL, and are thus not affected. Upgrading is strongly recommended.

v0.8.2

13 Apr 19:04
  • This release fixes CVE-2023-26964, a moderate severity issue in the h2 crate. Portier Broker is affected by this primarily in outgoing Webfinger requests or OpenID Connect discovery requests, which may use HTTP/2 connecting to untrusted hosts. Upgrading is recommended.

  • This release adds support for listening on Unix sockets via socket activation. See the updated example systemd socket unit.

v0.8.1

24 Mar 08:13
  • This release fixes three security issues in the openssl crate: RUSTSEC-2023-0022, RUSTSEC-2023-0023, RUSTSEC-2023-0024.

    These issues affect Portier Broker < 0.8.0 on Linux, as well as source builds of >= 0.8.0, < 0.8.1 on Linux that used the native-tls feature flag. Regular builds of >= 0.8.0 use Rustls instead of OpenSSL, and are thus not affected. Upgrading is strongly recommended.

  • The broker is now packaged as a Nix flake, and may be used as an input with, for example, the URL: "github:portier/portier-broker/v0.8.1"
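
The affected-build conditions stated in the v0.8.3 and v0.8.1 notes above can be checked mechanically against a deployment inventory. This is an added example, not code from portier-broker; the Os enum, the function names and the inventory rows in main are illustrative assumptions.

```rust
// Added example: encodes the openssl-crate exposure rules from the v0.8.1 and
// v0.8.3 release notes. All names here are hypothetical, not the broker's API.
#[derive(Clone, Copy, PartialEq)]
enum Os { Linux, Other }

type Version = (u32, u32, u32);

/// Parse "v0.8.1" or "0.8.1" into a tuple that compares in release order.
fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().trim_start_matches('v').split('.');
    let major: u32 = parts.next()?.parse().ok()?;
    let minor: u32 = parts.next()?.parse().ok()?;
    let patch: u32 = parts.next()?.parse().ok()?;
    if parts.next().is_some() { return None; } // reject trailing components
    Some((major, minor, patch))
}

/// Per the notes: every Linux build < 0.8.0 is affected, and from 0.8.0 on
/// only Linux source builds with the native-tls feature, until `fixed_in`.
fn openssl_exposed(v: Version, os: Os, native_tls: bool, fixed_in: Version) -> bool {
    os == Os::Linux && (v < (0, 8, 0) || (native_tls && v < fixed_in))
}

/// Advisories from this page that apply to one build; None if the version is unparsable.
fn openssl_advisories(version: &str, os: Os, native_tls: bool) -> Option<Vec<&'static str>> {
    let v = parse_version(version)?;
    let mut hits = Vec::new();
    if openssl_exposed(v, os, native_tls, (0, 8, 1)) {
        hits.extend(["RUSTSEC-2023-0022", "RUSTSEC-2023-0023", "RUSTSEC-2023-0024"]);
    }
    if openssl_exposed(v, os, native_tls, (0, 8, 3)) {
        hits.push("RUSTSEC-2023-0044");
    }
    Some(hits)
}

fn main() {
    // Constructed inventory rows: (version, OS, built with native-tls feature).
    let inventory = [
        ("v0.7.4", Os::Linux, false),
        ("v0.8.2", Os::Linux, true),
        ("v0.8.2", Os::Linux, false),
        ("v0.7.4", Os::Other, false),
    ];
    for (ver, os, native_tls) in inventory {
        println!("{ver} native-tls={native_tls}: {:?}", openssl_advisories(ver, os, native_tls));
    }
}
```

An unparsable version string returns None rather than an empty list, so an inventory row with a bad version is not mistaken for an unaffected build.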

v0.8.0

19 Mar 19:49
  • This release switches the default TLS implementation to Rustls. The broker may use TLS to connect to mailservers, to perform OpenID Connect discovery requests, and to perform Webfinger requests.

    The Rustls implementation will still use the system root certificate store on all platforms (and honors OpenSSL environment variables to find it), so this change should be mostly transparent.

    Official release builds will use Rustls going forward. The native-tls backend is still available via feature flags when building from source.

  • The broker can now generate RSA keypairs without the help of the openssl command-line tool. This is implemented using the rsa crate. A new option rsa_modulus_bits allows configuring the size of the RSA keypair generated, and defaults to 2048 (the same as the old default for generate_rsa_command).

    The generate_rsa_command option is still available, so if it is set, the broker will still invoke an external command to generate keypairs.

  • Linux release builds (and Docker images) are now also available for armv7 (32-bit ARM with hard-float).

  • Linux release builds (and Docker images) are now static binaries built using musl libc.

    This change should be mostly transparent. It is still possible to make glibc builds by building from source.

    A possible concern when upgrading to this version is that it no longer uses NSS to resolve hostnames, because this is not supported by musl libc. This may be an issue if you were using mDNS, LDAP, or some other NSS module to resolve your mailserver, for example.

  • Docker images are now also available on GitHub Container Registry as ghcr.io/portier/portier-broker. This is in addition to Docker Hub, and these are the exact same images.

  • Docker images are now based on an Alpine Linux base.

    Note that the user ID the broker runs as inside the container has also changed from 999 to 2000.

v0.7.4

05 Mar 20:51
  • This release upgrades dependencies and contains security fixes. Specifically, this release includes a fix for RUSTSEC-2023-0018, a race condition in the remove_dir_all crate. We do not believe Portier is affected, but upgrading is still recommended out of caution.
  • For building from source, the minimum Rust version is now 1.60.

v0.7.3

10 Jan 06:40
  • This release upgrades dependencies and contains security fixes. Specifically, this release includes a fix for RUSTSEC-2023-0001, a Windows-specific advisory for Tokio. We do not believe Portier is affected, but upgrading is still recommended out of caution.

v0.7.2

23 Dec 14:24
  • This release upgrades dependencies and contains security fixes. Specifically, this release includes a fix for RUSTSEC-2022-0072, an open redirect vulnerability.

v0.7.1

01 Dec 13:25
  • This release upgrades dependencies and contains security fixes. Specifically, this release includes a fix for RUSTSEC-2022-0069, a file disclosure vulnerability affecting Windows.

v0.7.0

20 Oct 19:13
  • Email validation has become slightly stricter, to align with validation already performed by the Lettre library. This fixes a panic when the SMTP or sendmail transports were used to send mail to an address that was valid according to Portier, but not Lettre.
  • For building from source, the minimum Rust version is now 1.59.
  • Dependencies have been upgraded to the latest versions.

v0.6.1

09 Mar 08:13

This release contains dependency upgrades only, and specifically regex 1.5.5 to mitigate RUSTSEC-2022-0013. We believe this vulnerability does not affect the broker, because it does not use untrusted regexes, but upgrading is recommended out of caution.