v0.11.4
·
13 commits
to main
since this release
v0.11.4
aymanbagabas
Ayman Bagabas
This tag was signed with the committer’s verified signature.
The key has expired.
aymanbagabas
Ayman Bagabas
3ef6600
This commit was signed with the committer’s verified signature.
The key has expired.
aymanbagabas
Ayman Bagabas
This release includes a bug fix to our SSRF protection rules where it won't do DNS resolutions before checking SSRF. It also adds LFS SSRF security checks so make sure you upgrade your instance to get the latest security updates.
Changelog
Fixed
- 19bc627: fix(ssh): add argument validation to webhook deliveries commands (@aymanbagabas)
- 3ef6600: fix(ssrf): handle DNS resolution in SSRF protection (@aymanbagabas)
Other stuff
Verifying the artifacts
First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.4/checksums.txt'
wget 'https://github.com/charmbracelet/soft-serve/releases/download/v0.11.4/checksums.txt.sigstore.json'Then, verify it using cosign:
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--bundle 'checksums.txt.sigstore.json' \
./checksums.txtIf the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:
sha256sum --ignore-missing -c checksums.txtDone! You artifacts are now verified!
Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.
Contributors
vnykmshr, aymanbagabas, and charmcli