This release fixes bugs introduced in the 0.9.x versions, fixes some more security issues and brings misc. improvements.
- [CI/Tests] Maximize deny_remote functional/QEMU test coverage (#444, #445)
- [Security] Remove XML_PARSE_NOENT: it enables entity XXE, not prevents it (issue #367) (#442)
- [Security] Security audit round 8: deny_remote NUL-termination + correctness/UB fixes in xpath.c (#440)
- [Bug] Recover from orphaned .tmp pad files after interrupted update (#439)
- [Enhancement] Add pamusb-evdev-helper setgid binary + input group notice in --add-user (#437)
- [Bug] Fix deny_remote false-deny when user has multiple sessions (#436)
- [Enhancement] Multi-architecture build (arm64, armhf, i386, m68k, riscv64) + QEMU functional tests (#429)
- [Bug] Fix make deinstall leaving PAM config behind due to wrong path (#422)
- [Security] Fixed GHSA-gc6f-5hpq-ghxh (heap OOB read in pusb_get_tty_from_display_server cmdline scan) (#426)
- [Security] Fixed GHSA-gc4c-v52c-2v34 / GHSA-7583-9cqv-j9rf (deny_remote IPv6 bypass vectors in tmux.c) (#423)
- [Bug] Fix deny_remote breaking on alphanumeric loginctl session IDs (#418)
- [Bug] Fix pinentry-pamusb.1.gz not removed on make deinstall (#421)
- [Security] Fixed GHSA-ffx6-xjp6-x33g (XRDP session bypass via env var manipulation) (#417)
- [Enhancement] Fix chaotic pam_usb.conf formatting after tool runs (#415)
- [CI/Tests] Add multi-filesystem functional test coverage (ext4, exFAT) (#409)
- [Packaging] Sync packaging exclude lists across all build methods (#408)
- [Enhancement] Add zst-sign Makefile target for Arch package signing
- [Bug] pamusb-check debug output broken (#404)