Skip to content

v0.4.2

Choose a tag to compare

@jLantxa jLantxa released this 31 May 21:59
Immutable release. Only release title and notes can be modified.
v0.4.2
4665256

What's changed

This release fixes a Man-in-the-Middle vulnerability in the SFTP backend by checking the remote SSH public key against the known hosts in the client.

Security

  • Strict SSH Verification: Implemented strict host key verification for the SFTP backend. The system now verifies server keys against known_hosts and prompts for confirmation on unknown hosts, preventing MITM attacks. Added support for default known_hosts locations on Unix and Windows.
  • Memory Safety: Eliminated technical Undefined Behavior (UB) in SecureStorage compression by refactoring uninitialized buffer management. Maintained performance by avoiding zero-initialization while ensuring Rust's safety guarantees.

Fixes

  • SFTP Backend: Improved error reporting in the SFTP backend to show the full cause chain, making it easier to diagnose authentication and connection failures. Fixed a bug where some authentication errors were partially swallowed.
  • S3 Backend: Fixed a bug where paths in the S3 backend were incorrectly joined, potentially bypassing the prefix configuration.

Full Changelog: v0.4.1...v0.4.2