v0.4.2
What's changed
This release fixes a Man-in-the-Middle vulnerability in the SFTP backend by checking the remote SSH public key against the known hosts in the client.
Security
- Strict SSH Verification: Implemented strict host key verification for the SFTP backend. The system now verifies server keys against
known_hostsand prompts for confirmation on unknown hosts, preventing MITM attacks. Added support for defaultknown_hostslocations on Unix and Windows. - Memory Safety: Eliminated technical Undefined Behavior (UB) in
SecureStoragecompression by refactoring uninitialized buffer management. Maintained performance by avoiding zero-initialization while ensuring Rust's safety guarantees.
Fixes
- SFTP Backend: Improved error reporting in the SFTP backend to show the full cause chain, making it easier to diagnose authentication and connection failures. Fixed a bug where some authentication errors were partially swallowed.
- S3 Backend: Fixed a bug where paths in the S3 backend were incorrectly joined, potentially bypassing the prefix configuration.
Full Changelog: v0.4.1...v0.4.2