mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
319 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
faa2bb1bdc
|
Bump github.com/go-git/go-git/v5 from 5.17.1 to 5.18.0 (#43740)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.1 to 5.18.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's releases</a>.</em></p> <blockquote> <h2>v5.18.0</h2> <h2>What's Changed</h2> <ul> <li>plumbing: transport/http, Add support for followRedirects policy by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/2004">go-git/go-git#2004</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0">https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0</a></p> <h2>v5.17.2</h2> <h2>What's Changed</h2> <ul> <li>build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1941">go-git/go-git#1941</a></li> <li>dotgit: skip writing pack files that already exist on disk by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1944">go-git/go-git#1944</a></li> </ul> <p>⚠️ This release fixes a bug (<a href="https://redirect.github.com/go-git/go-git/issues/1942">go-git/go-git#1942</a>) that blocked some users from upgrading to <code>v5.17.1</code>. Thanks <a href="https://github.com/pskrbasu"><code>@pskrbasu</code></a> for reporting it. 🙇</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2">https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
3c1b8fc7a3
|
Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#43298)
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.40.0 to 1.43.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md">go.opentelemetry.io/otel/sdk's changelog</a>.</em></p> <blockquote> <h2>[1.43.0/0.65.0/0.19.0] 2026-04-02</h2> <h3>Added</h3> <ul> <li>Add <code>IsRandom</code> and <code>WithRandom</code> on <code>TraceFlags</code>, and <code>IsRandom</code> on <code>SpanContext</code> in <code>go.opentelemetry.io/otel/trace</code> for <a href="https://www.w3.org/TR/trace-context-2/#random-trace-id-flag">W3C Trace Context Level 2 Random Trace ID Flag</a> support. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8012">#8012</a>)</li> <li>Add service detection with <code>WithService</code> in <code>go.opentelemetry.io/otel/sdk/resource</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7642">#7642</a>)</li> <li>Add <code>DefaultWithContext</code> and <code>EnvironmentWithContext</code> in <code>go.opentelemetry.io/otel/sdk/resource</code> to support plumbing <code>context.Context</code> through default and environment detectors. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8051">#8051</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc</code>. 
(<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Support attributes with empty value (<code>attribute.EMPTY</code>) in <code>go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Add support for per-series start time tracking for cumulative metrics in <code>go.opentelemetry.io/otel/sdk/metric</code>. Set <code>OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true</code> to enable. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8060">#8060</a>)</li> <li>Add <code>WithCardinalityLimitSelector</code> for metric reader for configuring cardinality limits specific to the instrument kind. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7855">#7855</a>)</li> </ul> <h3>Changed</h3> <ul> <li>Introduce the <code>EMPTY</code> Type in <code>go.opentelemetry.io/otel/attribute</code> to reflect that an empty value is now a valid value, with <code>INVALID</code> remaining as a deprecated alias of <code>EMPTY</code>. 
(<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> <li>Improve slice handling in <code>go.opentelemetry.io/otel/attribute</code> to optimize short slice values with fixed-size fast paths. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8039">#8039</a>)</li> <li>Improve performance of span metric recording in <code>go.opentelemetry.io/otel/sdk/trace</code> by returning early if self-observability is not enabled. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8067">#8067</a>)</li> <li>Improve formatting of metric data diffs in <code>go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8073">#8073</a>)</li> </ul> <h3>Deprecated</h3> <ul> <li>Deprecate <code>INVALID</code> in <code>go.opentelemetry.io/otel/attribute</code>. Use <code>EMPTY</code> instead. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Return spec-compliant <code>TraceIdRatioBased</code> description. This is a breaking behavioral change, but it is necessary to make the implementation <a href="https://opentelemetry.io/docs/specs/otel/trace/sdk/#traceidratiobased">spec-compliant</a>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8027">#8027</a>)</li> <li>Fix a race condition in <code>go.opentelemetry.io/otel/sdk/metric</code> where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8056">#8056</a>)</li> <li>Limit HTTP response body to 4 MiB in <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp</code> to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. 
(<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li> <li>Limit HTTP response body to 4 MiB in <code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp</code> to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li> <li>Limit HTTP response body to 4 MiB in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code> to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li> <li><code>WithHostID</code> detector in <code>go.opentelemetry.io/otel/sdk/resource</code> to use full path for <code>kenv</code> command on BSD. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8113">#8113</a>)</li> <li>Fix missing <code>request.GetBody</code> in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code> to correctly handle HTTP2 GOAWAY frame. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8096">#8096</a>)</li> </ul> <h2>[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06</h2> <h3>Added</h3> <ul> <li>Add <code>go.opentelemetry.io/otel/semconv/v1.40.0</code> package. The package contains semantic conventions from the <code>v1.40.0</code> version of the OpenTelemetry Semantic Conventions. See the <a href="https://github.com/open-telemetry/opentelemetry-go/blob/main/semconv/v1.40.0/MIGRATION.md">migration documentation</a> for information on how to upgrade from <code>go.opentelemetry.io/otel/semconv/v1.39.0</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7985">#7985</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
f8d2660c6c
|
Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.81.0 to 1.97.3 (#43204)
Bumps [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) from 1.81.0 to 1.97.3. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
8201ae63f1
|
Bump github.com/aws/aws-sdk-go-v2/service/kinesis from 1.35.3 to 1.43.5 (#43200)
Bumps [github.com/aws/aws-sdk-go-v2/service/kinesis](https://github.com/aws/aws-sdk-go-v2) from 1.35.3 to 1.43.5. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
98075b2734
|
Bump github.com/aws/aws-sdk-go-v2/service/lambda from 1.72.0 to 1.88.5 (#43199)
Bumps [github.com/aws/aws-sdk-go-v2/service/lambda](https://github.com/aws/aws-sdk-go-v2) from 1.72.0 to 1.88.5. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
abaad3d4ca
|
Bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#42952)
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.4 to 3.0.5. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
d4f48b6f9c
|
ACME MDM -> main (#42926)
**Related issue:** The entire ACME feature branch merge

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite loops

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

---------

Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com> |
||
|
|
1aef37c75c
|
Bump github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1 (#42670)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.16.5 to 5.17.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's releases</a>.</em></p> <blockquote> <h2>v5.17.1</h2> <h2>What's Changed</h2> <ul> <li>build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1930">go-git/go-git#1930</a></li> <li>[v5] plumbing: format/index, Improve v4 entry name validation by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1935">go-git/go-git#1935</a></li> <li>[v5] plumbing: format/idxfile, Fix version and fanout checks by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1937">go-git/go-git#1937</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.17.0...v5.17.1">https://github.com/go-git/go-git/compare/v5.17.0...v5.17.1</a></p> <h2>v5.17.0</h2> <h2>What's Changed</h2> <ul> <li>build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1839">go-git/go-git#1839</a></li> <li>git: worktree, optimize infiles function for very large repos by <a href="https://github.com/k-anshul"><code>@k-anshul</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1853">go-git/go-git#1853</a></li> <li>git: Add strict checks for supported extensions by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1861">go-git/go-git#1861</a></li> <li>backport, git: Improve Status() 
speed with new index.ModTime check by <a href="https://github.com/cedric-appdirect"><code>@cedric-appdirect</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1862">go-git/go-git#1862</a></li> <li>storage: filesystem, Avoid overwriting loose obj files by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1864">go-git/go-git#1864</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.16.5...v5.17.0">https://github.com/go-git/go-git/compare/v5.16.5...v5.17.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
32f1c2026c
|
Bump golang.org/x/image from 0.18.0 to 0.38.0 (#42661)
Bumps [golang.org/x/image](https://github.com/golang/image) from 0.18.0 to 0.38.0. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
82c3983939
|
Bump github.com/antchfx/xpath from 1.2.2 to 1.3.6 (#42633)
Bumps [github.com/antchfx/xpath](https://github.com/antchfx/xpath) from 1.2.2 to 1.3.6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/antchfx/xpath/releases">github.com/antchfx/xpath's releases</a>.</em></p> <blockquote> <h2>v1.3.6</h2> <p>Merged PR:</p> <ul> <li><a href="https://redirect.github.com/antchfx/xpath/issues/120">#120</a>(<a href="https://github.com/mislav"><code>@mislav</code></a>) - Fix <code>last()</code> predicate on grouped expr.</li> </ul> <p>Fixed:</p> <ul> <li><a href="https://redirect.github.com/antchfx/xpath/issues/121">#121</a></li> </ul> <h2>Release v1.3.5</h2> <p>Merged PR:</p> <ul> <li><a href="https://redirect.github.com/antchfx/xpath/issues/117">#117</a>(<a href="https://github.com/mislav"><code>@mislav</code></a>)- fix <code>ancestor::</code> axes with position predicate.</li> </ul> <p>Fixed:</p> <ul> <li><a href="https://redirect.github.com/antchfx/xpath/issues/113">#113</a> - (fix <code>string()</code> function)</li> </ul> <h2>v1.3.4</h2> <p>Merged PR:</p> <ul> <li><a href="https://redirect.github.com/antchfx/xpath/issues/107">#107</a>(<a href="https://github.com/Mrflatt"><code>@Mrflatt</code></a>) - supports Regexp feature in <code>replace()</code> function</li> <li><a href="https://redirect.github.com/antchfx/xpath/issues/111">#111</a>(<a href="https://github.com/wjc4"><code>@wjc4</code></a>) - Improve <code>getHashCode</code> performance</li> </ul> <p>Fixed:</p> <ul> <li><a href="https://redirect.github.com/antchfx/xpath/issues/109">#109</a></li> </ul> <h2>v1.3.3</h2> <p>fix non-English predicate query <a href="https://redirect.github.com/antchfx/xpath/issues/106">#106</a></p> <h2>v1.3.2</h2> <p>New Features:</p> <ul> <li>Supports Unicode chars for Non-English (PR <a href="https://redirect.github.com/antchfx/xpath/issues/100">#100</a>)</li> </ul> <p>Bug Fixed:</p> <ul> <li><a href="https://redirect.github.com/antchfx/xpath/issues/101">#101</a></li> <li><a 
href="https://redirect.github.com/antchfx/xpath/issues/102">#102</a></li> <li><a href="https://redirect.github.com/antchfx/xpath/issues/104">#104</a></li> </ul> <h2>v1.3.1</h2> <ul> <li>Merged PR <a href="https://redirect.github.com/antchfx/xpath/issues/97">#97</a>.</li> <li>Allows node-set numeric operator <code>+</code>, <code>-</code>, <code>mod()</code>.<a href=" |
||
|
|
d8588ed790
|
Bump macadmins version and add macos_thermal_pressure and macos_soc_power tables (#42569)
**Related issue:** Resolves #42530

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## fleetd/orbit/Fleet Desktop

- [X] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [X] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes
- [X] Verified that fleetd runs on macOS, Linux and Windows
- [X] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) |
||
|
|
915feb9868
|
Bump github.com/russellhaering/goxmldsig from 1.4.0 to 1.6.0 (#42009)
Bumps [github.com/russellhaering/goxmldsig](https://github.com/russellhaering/goxmldsig) from 1.4.0 to 1.6.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/russellhaering/goxmldsig/releases">github.com/russellhaering/goxmldsig's releases</a>.</em></p> <blockquote> <h2>v1.6.0</h2> <h2>What's Changed</h2> <ul> <li><strong>Security:</strong> Fix possible signature validation bypass caused by loop variable capture in <code>validateSignature</code> (GHSA-479m-364c-43vc)</li> <li>Bump minimum Go version to 1.23</li> <li>Bump <code>github.com/beevik/etree</code> to v1.6.0</li> <li>Add fuzz tests for XML signature validation and canonicalization</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/russellhaering/goxmldsig/compare/v1.5.0...v1.6.0">https://github.com/russellhaering/goxmldsig/compare/v1.5.0...v1.6.0</a></p> <h2>v1.5.0</h2> <h2>What's Changed</h2> <ul> <li>Bump dependencies</li> <li>Update GitHub workflows</li> <li>Security hardening by <a href="https://github.com/ahacker1-securesaml"><code>@ahacker1-securesaml</code></a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/russellhaering/goxmldsig/compare/v1.4.0...v1.5.0">https://github.com/russellhaering/goxmldsig/compare/v1.4.0...v1.5.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
7d1865399e
|
Bump github.com/nats-io/nats-server/v2 from 2.12.3 to 2.12.6 (#42338)
Bumps [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) from 2.12.3 to 2.12.6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nats-io/nats-server/releases">github.com/nats-io/nats-server/v2's releases</a>.</em></p> <blockquote> <h2>Release v2.12.6</h2> <h2>Changelog</h2> <p>Refer to the <a href="https://docs.nats.io/release-notes/whats_new/whats_new_212">2.12 Upgrade Guide</a> for backwards compatibility notes with 2.11.x.</p> <h3>Go Version</h3> <ul> <li>1.25.8</li> </ul> <h3>Dependencies</h3> <ul> <li>golang.org/x/crypto v0.49.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7953">#7953</a>)</li> <li>github.com/nats-io/jwt/v2 v2.8.1 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7960">#7960</a>)</li> <li>golang.org/x/sys v0.42.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7923">#7923</a>)</li> <li>golang.org/x/time v0.15.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7923">#7923</a>)</li> </ul> <h3>CVEs</h3> <ul> <li>Fixes CVE-2026-33216, CVE-2026-33217, CVE-2026-33215 (affecting systems using MQTT)</li> <li>Fixes CVE-2026-33246 (affects systems using leafnodes and service imports)</li> <li>Fixes CVE-2026-33218 (affects systems using leafnodes)</li> <li>Fixes CVE-2026-33219 (affects systems using WebSockets)</li> <li>Fixes CVE-2026-33223, CVE-2026-33222 (affects systems using JetStream)</li> <li>Fixes CVE-2026-33248 (affects systems using mutual TLS)</li> <li>Fixes CVE-2026-33247 (affects systems providing credentials on the command line)</li> <li>Fixes CVE-2026-33249 (affects systems where client publish permissions should be restricted)</li> </ul> <h3>Improved</h3> <p>General</p> <ul> <li>Non-WebSocket leafnode connections can now be proxied using HTTP CONNECT (<a href="https://redirect.github.com/nats-io/nats-server/issues/7781">#7781</a>)</li> <li>The <code>$SYS.REQ.USER.INFO</code> response now includes the 
friendly nametag of the account and/or user if known (<a href="https://redirect.github.com/nats-io/nats-server/issues/7973">#7973</a>)</li> </ul> <p>JetStream</p> <ul> <li>The stream peer-remove command now accepts a peer ID as well as a server name (<a href="https://redirect.github.com/nats-io/nats-server/issues/7952">#7952</a>)</li> </ul> <p>MQTT</p> <ul> <li>Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets (<a href="https://redirect.github.com/nats-io/nats-server/issues/7933">#7933</a>)</li> </ul> <h3>Fixed</h3> <p>General</p> <ul> <li>Client connections are no longer registered after an auth callout timeout (<a href="https://redirect.github.com/nats-io/nats-server/issues/7932">#7932</a>)</li> <li>Improved handling of duplicate headers</li> <li>A correctness bug when validating relative distinguished names has been fixed</li> <li>Secrets are now redacted correctly in trace logging (<a href="https://redirect.github.com/nats-io/nats-server/issues/7942">#7942</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
91362ba2ca
|
Add fleetctl new command (#41909)
**Related issue:** Resolves #41345

# Details

This PR:

* Adds a new `fleetctl new` command which creates a starter GitOps repo file structure
* Adds support for file globs for the `configuration_profiles:` key in GitOps, to support its use in the `fleetctl new` templates. This involved moving the `BaseItem` type and `SupportsFileInclude` interface into the `fleet` package so that the `MDMProfileSpec` type could implement the interface and do glob expansion.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
  - [X] added unit and intg tests for globbing profiles
  - [ ] added tests for `fleetctl new`
- [X] QA'd all new/changed functionality manually
  - [X] `fleetctl new` with no args prompted for org name and created a new `it-and-security` folder under current folder w/ correct files
  - [X] `fleetctl new --dir /tmp/testnew` created correct files under `/tmp/testnew`
  - [X] `fleetctl new --dir /tmp/testexisting --force` with an existing `/tmp/testexisting` folder created correct files under `/tmp/testexisting`
  - [X] `fleetctl new --org-name=foo` created correct files under `it-and-security` without prompting for org name
  - [X] `paths:` in `configuration_profiles` picks up multiple matching profiles
  - [X] `paths:` + `path:` in `configuration_profiles` will error if the same profile is picked up twice

## Summary by CodeRabbit

* **New Features**
  * Added `fleetctl new` command to initialize GitOps repository structure via CLI.
  * Added glob pattern support for `configuration_profiles` field, enabling flexible profile selection.
* **Chores**
  * Updated CLI dependencies to support enhanced user interactions.
  * Removed legacy website generator configuration files. |
||
|
|
73c386f207
|
Bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#42011)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.78.0 to 1.79.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/grpc/grpc-go/releases">google.golang.org/grpc's releases</a>.</em></p> <blockquote> <h2>Release 1.79.3</h2> <h1>Security</h1> <ul> <li>server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like <code>grpc/authz</code>. Any request with a non-canonical path is now immediately rejected with an <code>Unimplemented</code> error. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8981">#8981</a>)</li> </ul> <h2>Release 1.79.2</h2> <h1>Bug Fixes</h1> <ul> <li>stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured. (<a href="https://redirect.github.com/grpc/grpc-go/pull/8874">grpc/grpc-go#8874</a>)</li> </ul> <h2>Release 1.79.1</h2> <h1>Bug Fixes</h1> <ul> <li>grpc: Remove the <code>-dev</code> suffix from the User-Agent header. (<a href="https://redirect.github.com/grpc/grpc-go/pull/8902">grpc/grpc-go#8902</a>)</li> </ul> <h2>Release 1.79.0</h2> <h1>API Changes</h1> <ul> <li>mem: Add experimental API <code>SetDefaultBufferPool</code> to change the default buffer pool. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8806">#8806</a>) <ul> <li>Special Thanks: <a href="https://github.com/vanja-p"><code>@vanja-p</code></a></li> </ul> </li> <li>experimental/stats: Update <code>MetricsRecorder</code> to require embedding the new <code>UnimplementedMetricsRecorder</code> (a no-op struct) in all implementations for forward compatibility. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8780">#8780</a>)</li> </ul> <h1>Behavior Changes</h1> <ul> <li>balancer/weightedtarget: Remove handling of <code>Addresses</code> and only handle <code>Endpoints</code> in resolver updates. 
(<a href="https://redirect.github.com/grpc/grpc-go/issues/8841">#8841</a>)</li> </ul> <h1>New Features</h1> <ul> <li>experimental/stats: Add support for asynchronous gauge metrics through the new <code>AsyncMetricReporter</code> and <code>RegisterAsyncReporter</code> APIs. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8780">#8780</a>)</li> <li>pickfirst: Add support for weighted random shuffling of endpoints, as described in <a href="https://redirect.github.com/grpc/proposal/pull/535">gRFC A113</a>. <ul> <li>This is enabled by default, and can be turned off using the environment variable <code>GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING</code>. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8864">#8864</a>)</li> </ul> </li> <li>xds: Implement <code>:authority</code> rewriting, as specified in <a href="https://github.com/grpc/proposal/blob/master/A81-xds-authority-rewriting.md">gRFC A81</a>. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8779">#8779</a>)</li> <li>balancer/randomsubsetting: Implement the <code>random_subsetting</code> LB policy, as specified in <a href="https://github.com/grpc/proposal/blob/master/A68-random-subsetting.md">gRFC A68</a>. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8650">#8650</a>) <ul> <li>Special Thanks: <a href="https://github.com/marek-szews"><code>@marek-szews</code></a></li> </ul> </li> </ul> <h1>Bug Fixes</h1> <ul> <li>credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8726">#8726</a>) <ul> <li>Special Thanks: <a href="https://github.com/Atul1710"><code>@Atul1710</code></a></li> </ul> </li> <li>xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in <code>CONNECTING</code> state. 
(<a href="https://redirect.github.com/grpc/grpc-go/issues/8813">#8813</a>)</li> <li>health: Fix a bug where health checks failed for clients using legacy compression options (<code>WithDecompressor</code> or <code>RPCDecompressor</code>). (<a href="https://redirect.github.com/grpc/grpc-go/issues/8765">#8765</a>) <ul> <li>Special Thanks: <a href="https://github.com/sanki92"><code>@sanki92</code></a></li> </ul> </li> <li>transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8769">#8769</a>) <ul> <li>Special Thanks: <a href="https://github.com/joybestourous"><code>@joybestourous</code></a></li> </ul> </li> <li>server: Propagate status detail headers, if available, when terminating a stream during request header processing. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8754">#8754</a>) <ul> <li>Special Thanks: <a href="https://github.com/joybestourous"><code>@joybestourous</code></a></li> </ul> </li> </ul> <h1>Performance Improvements</h1> <ul> <li>credentials/alts: Optimize read buffer alignment to reduce copies. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8791">#8791</a>)</li> <li>mem: Optimize pooling and creation of <code>buffer</code> objects. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8784">#8784</a>)</li> <li>transport: Reduce slice re-allocations by reserving slice capacity. (<a href="https://redirect.github.com/grpc/grpc-go/issues/8797">#8797</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
ba3746f9fa
|
Fix fleetd crash in Apple M5 hardware by upgrading gopsutil (#41940)
Resolves #41863

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually

Tests performed on the following OSs:

- Windows (arm64)
- macOS (Apple silicon)
- Linux (arm64)
- Linux (amd64)

Features tested on the OSs above:

- "My device".
- Restart fleetd.
- Kill fleet desktop, should re-start.
- Killing stale osqueryd processes on orbit startup.
- Checking if osquery is up and running, exit and start.
- Checking if Fleet Desktop is already running before launching it.
- orbit auto update
- Gracefully shutting down Fleet Desktop before restarting it

---

## fleetd/orbit/Fleet Desktop

- [X] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) |
||
|
|
2c56b89072
|
Support globs in script paths in GitOps (#40799)
**Related issue:** Resolves #40302

# Details

This PR adds support for a `paths:` key for scripts declared under `controls:` in a GitOps fleet file. If supplied, `paths:` must contain a "glob" expression (as [supported by the doublestar package](https://github.com/bmatcuk/doublestar?tab=readme-ov-file#patterns)). The existing `path:` key still works but may not contain glob expressions.

When a `paths:` key is encountered, we expand it and add all matching valid (as in, `.sh` or `.ps1`) files to the set of script files to process.

Subsequent PRs will add this functionality to other entities that use `path:` (such as reports and policies).

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually

Tried with various combinations of `*` and `**` in gitops runs, and mixing of `path:` and `paths:` |
||
|
|
3cda538f37
|
Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#40531)
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.6.1 to 1.6.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cloudflare/circl/releases">github.com/cloudflare/circl's releases</a>.</em></p> <blockquote> <h2>CIRCL v1.6.3</h2> <p>Fix a bug on ecc/p384 scalar multiplication.</p> <h3>What's Changed</h3> <ul> <li>sign/mldsa: Check opts for nil value by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/582">cloudflare/circl#582</a></li> <li>ecc/p384: Point addition must handle point doubling case. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/583">cloudflare/circl#583</a></li> <li>Release CIRCL v1.6.3 by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/584">cloudflare/circl#584</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/cloudflare/circl/compare/v1.6.2...v1.6.3">https://github.com/cloudflare/circl/compare/v1.6.2...v1.6.3</a></p> <h2>CIRCL v1.6.2</h2> <ul> <li>New SLH-DSA, improvements in ML-DSA for arm64.</li> <li>Tested compilation on WASM.</li> </ul> <h2>What's Changed</h2> <ul> <li>Optimize pairing product computation by moving exponentiations to G1. by <a href="https://github.com/dfaranha"><code>@dfaranha</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/547">cloudflare/circl#547</a></li> <li>sign: Adding SLH-DSA signature by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/512">cloudflare/circl#512</a></li> <li>Update code generators to CIRCL v1.6.1. 
by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/548">cloudflare/circl#548</a></li> <li>ML-DSA: Add preliminary Wycheproof test vectors by <a href="https://github.com/bwesterb"><code>@bwesterb</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/552">cloudflare/circl#552</a></li> <li>go fmt by <a href="https://github.com/bwesterb"><code>@bwesterb</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/554">cloudflare/circl#554</a></li> <li>gz-compressing test vectors, use of HexBytes and ReadGzip functions. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/555">cloudflare/circl#555</a></li> <li>group: Removes use of elliptic Marshal and Unmarshal functions. by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/556">cloudflare/circl#556</a></li> <li>Support encoding/decoding ML-DSA private keys (as long as they contain seeds) by <a href="https://github.com/bwesterb"><code>@bwesterb</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/559">cloudflare/circl#559</a></li> <li>Update to golangci-lint v2 by <a href="https://github.com/bwesterb"><code>@bwesterb</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/560">cloudflare/circl#560</a></li> <li>Preparation for ARM64 Implementation of poly operations for dilithium package. 
by <a href="https://github.com/elementrics"><code>@elementrics</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/562">cloudflare/circl#562</a></li> <li>prepare power2Round for custom implementations in assembly by <a href="https://github.com/elementrics"><code>@elementrics</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/564">cloudflare/circl#564</a></li> <li>ARM64 implementation for poly.PackLe16 by <a href="https://github.com/elementrics"><code>@elementrics</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/563">cloudflare/circl#563</a></li> <li>add arm64 version of polyMulBy2toD by <a href="https://github.com/elementrics"><code>@elementrics</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/565">cloudflare/circl#565</a></li> <li>add arm64 version of polySub by <a href="https://github.com/elementrics"><code>@elementrics</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/566">cloudflare/circl#566</a></li> <li>group: add byteLen method for short groups and RandomScalar uses rand.Int by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/568">cloudflare/circl#568</a></li> <li>add arm64 version of poly.Add/Sub by <a href="https://github.com/elementrics"><code>@elementrics</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/572">cloudflare/circl#572</a></li> <li>group: Adding cryptobyte marshaling to scalars by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/569">cloudflare/circl#569</a></li> <li>Bumping up to Go1.25 by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/574">cloudflare/circl#574</a></li> <li>ci: Including WASM compilation. 
by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/577">cloudflare/circl#577</a></li> <li>Revert to using package-declared HPKE errors for shortkem instead of standard library errors by <a href="https://github.com/harshiniwho"><code>@harshiniwho</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/578">cloudflare/circl#578</a></li> <li>Release v1.6.2 by <a href="https://github.com/armfazh"><code>@armfazh</code></a> in <a href="https://redirect.github.com/cloudflare/circl/pull/579">cloudflare/circl#579</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/dfaranha"><code>@dfaranha</code></a> made their first contribution in <a href="https://redirect.github.com/cloudflare/circl/pull/547">cloudflare/circl#547</a></li> <li><a href="https://github.com/elementrics"><code>@elementrics</code></a> made their first contribution in <a href="https://redirect.github.com/cloudflare/circl/pull/562">cloudflare/circl#562</a></li> <li><a href="https://github.com/harshiniwho"><code>@harshiniwho</code></a> made their first contribution in <a href="https://redirect.github.com/cloudflare/circl/pull/578">cloudflare/circl#578</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/cloudflare/circl/compare/v1.6.1...v1.6.2">https://github.com/cloudflare/circl/compare/v1.6.1...v1.6.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
6c584e889a
|
Bump github.com/nats-io/nats-server/v2 from 2.12.1 to 2.12.3 (#40406)
Bumps [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) from 2.12.1 to 2.12.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nats-io/nats-server/releases">github.com/nats-io/nats-server/v2's releases</a>.</em></p> <blockquote> <h2>Release v2.12.3</h2> <h2>Changelog</h2> <p>Refer to the <a href="https://docs.nats.io/release-notes/whats_new/whats_new_212">2.12 Upgrade Guide</a> for backwards compatibility notes with 2.11.x.</p> <h3>Go Version</h3> <ul> <li>1.25.5 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7604">#7604</a>)</li> </ul> <h3>Dependencies</h3> <ul> <li>github.com/google/go-tpm v0.9.7 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7578">#7578</a>)</li> <li>github.com/nats-io/nkeys v0.4.12 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7578">#7578</a>)</li> <li>golang.org/x/crypto v0.45.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7578">#7578</a>)</li> <li>github.com/klauspost/compress v1.18.2 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7604">#7604</a>)</li> <li>github.com/antithesishq/antithesis-sdk-go v0.5.0-default-no-op (<a href="https://redirect.github.com/nats-io/nats-server/issues/7604">#7604</a>)</li> <li>golang.org/x/crypto v0.46.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7648">#7648</a>)</li> <li>golang.org/x/sys v0.39.0 (<a href="https://redirect.github.com/nats-io/nats-server/issues/7648">#7648</a>)</li> </ul> <h3>Added</h3> <p>General</p> <ul> <li>Added WebSocket-specific ping interval configuration with <code>ping_internal</code> in the <code>websocket</code> block (<a href="https://redirect.github.com/nats-io/nats-server/issues/7614">#7614</a>)</li> </ul> <h3>Improved</h3> <p>JetStream</p> <ul> <li>The scan for the last sourced message sequence when setting up a subject-filtered source is now considerably faster (<a 
href="https://redirect.github.com/nats-io/nats-server/issues/7553">#7553</a>)</li> <li>The metalayer will now stage and deduplicate recovery operations at startup, instead of rapidly applying and then undoing conflicting assignments (<a href="https://redirect.github.com/nats-io/nats-server/issues/7540">#7540</a>)</li> <li>Consumer interest checks on interest-based streams are now significantly faster when there are large gaps in interest (<a href="https://redirect.github.com/nats-io/nats-server/issues/7656">#7656</a>)</li> </ul> <p>MQTT</p> <ul> <li>Retained messages will now work correctly even when sourced from a different account and has a subject transform (<a href="https://redirect.github.com/nats-io/nats-server/issues/7636">#7636</a>)</li> </ul> <h3>Fixed</h3> <p>General</p> <ul> <li>WebSocket connections will now correctly limit the buffer size during decompression (<a href="https://redirect.github.com/nats-io/nats-server/issues/7625">#7625</a>, thanks to Pavel Kokout at Aisle Research)</li> </ul> <p>JetStream</p> <ul> <li>A protocol error caused by an invalid transform of acknowledgement reply subjects when originating from a gateway connection has been fixed (<a href="https://redirect.github.com/nats-io/nats-server/issues/7579">#7579</a>)</li> <li>The meta layer will now only respond to peer remove requests after quorum has been reached (<a href="https://redirect.github.com/nats-io/nats-server/issues/7581">#7581</a>)</li> <li>Invalid subject filters containing non-terminating full wildcard no longer produce unexpected matches (<a href="https://redirect.github.com/nats-io/nats-server/issues/7585">#7585</a>)</li> <li>A data race when creating a stream in clustered mode has been fixed (<a href="https://redirect.github.com/nats-io/nats-server/issues/7586">#7586</a>)</li> <li>Raft will no longer allow multiple membership changes to take place concurrently (<a href="https://redirect.github.com/nats-io/nats-server/issues/7565">#7565</a>, <a 
href="https://redirect.github.com/nats-io/nats-server/issues/7609">#7609</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
6769d8dd3a
|
Bump shogo82148/rdsmysql/v2 v2.4.0 to v2.5.0 (#40103)
https://github.com/shogo82148/rdsmysql/pull/222

Adds AWS GovCloud RDS CA certificates (us-gov-east-1, us-gov-west-1) to the rdsmysql TLS bundle, improving compatibility for Fleet deployments in AWS GovCloud regions.

Transitive dependency updates pulled in by rdsmysql v2.5.0:
- github.com/aws/aws-sdk-go-v2 and related submodules (minor bumps)
- github.com/go-sql-driver/mysql v1.9.1 -> v1.9.3
- filippo.io/edwards25519 v1.1.0 -> v1.1.1

**Related issue:** Resolves https://github.com/fleetdm/fleet/issues/40148

## Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually — dependency bump only; ran full local test suite across all affected packages (`server/platform/mysql`, `server/logging`, `server/config`, `server/mail`) with no regressions. `go mod verify` passed. |
||
|
|
2c5733a374
|
Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#40113)
Bumps
[filippo.io/edwards25519](https://github.com/FiloSottile/edwards25519)
from 1.1.0 to 1.1.1.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="
|
||
|
|
e9f9d5a7d5
|
Remove github.com/apex/log dependency only used in a tool (#39822)
Realized this when developing in VSCode and typing `log.` then it auto-imported that apex/log thing, which seems we only use in a tool. |
||
|
|
1085d66f6f
|
Update macadmins/osquery-extensions to v1.3.2 (#39691)
Resolves #39642.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] QA'd all new/changed functionality manually

```sh
fleetd 1.51.1:
osquery> .schema munki_installs
CREATE TABLE munki_installs(`installed_version` TEXT, `installed` TEXT, `name` TEXT, `end_time` TEXT, `display_name` TEXT);

Using this branch:
osquery> .schema munki_installs
CREATE TABLE munki_installs(`installed_version` TEXT, `version_to_install` TEXT, `installed` TEXT, `name` TEXT, `end_time` TEXT, `display_name` TEXT);
```

## fleetd/orbit/Fleet Desktop

- [X] Verified that fleetd runs on macOS
- [X] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) |
||
|
|
c1e3e89b5f
|
Bump github.com/go-git/go-git/v5 from 5.13.0 to 5.16.5 (#39590)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.13.0 to 5.16.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/go-git/go-git/releases">github.com/go-git/go-git/v5's releases</a>.</em></p> <blockquote> <h2>v5.16.5</h2> <h2>What's Changed</h2> <ul> <li>build: Update module golang.org/x/crypto to v0.45.0 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1744">go-git/go-git#1744</a></li> <li>build: Bump Go test versions to 1.23-1.25 (v5) by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1746">go-git/go-git#1746</a></li> <li>[v5] git: worktree, Don't delete local untracked files when resetting worktree by <a href="https://github.com/Ch00k"><code>@Ch00k</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1800">go-git/go-git#1800</a></li> <li>Expand packfile checks by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1836">go-git/go-git#1836</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.16.4...v5.16.5">https://github.com/go-git/go-git/compare/v5.16.4...v5.16.5</a></p> <h2>v5.16.4</h2> <h2>What's Changed</h2> <ul> <li>backport plumbing: format/idxfile, prevent panic by <a href="https://github.com/swills"><code>@swills</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1732">go-git/go-git#1732</a></li> <li>[backport] build: test, Fix build on Windows. 
by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1734">go-git/go-git#1734</a></li> <li>build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1742">go-git/go-git#1742</a></li> <li>build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1741">go-git/go-git#1741</a></li> <li>build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) by <a href="https://github.com/go-git-renovate"><code>@go-git-renovate</code></a>[bot] in <a href="https://redirect.github.com/go-git/go-git/pull/1743">go-git/go-git#1743</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.16.3...v5.16.4">https://github.com/go-git/go-git/compare/v5.16.3...v5.16.4</a></p> <h2>v5.16.3</h2> <h2>What's Changed</h2> <ul> <li>internal: Expand regex to fix build [5.x] by <a href="https://github.com/baloo"><code>@baloo</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1644">go-git/go-git#1644</a></li> <li>build: raise timeouts for windows CI tests and disable CIFuzz [5.x] by <a href="https://github.com/baloo"><code>@baloo</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1646">go-git/go-git#1646</a></li> <li>plumbing: support commits extra headers, support jujutsu signed commit [5.x] by <a href="https://github.com/baloo"><code>@baloo</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1633">go-git/go-git#1633</a></li> </ul> <p><strong>Full Changelog</strong>: <a 
href="https://github.com/go-git/go-git/compare/v5.16.2...v5.16.3">https://github.com/go-git/go-git/compare/v5.16.2...v5.16.3</a></p> <h2>v5.16.2</h2> <h2>What's Changed</h2> <ul> <li>utils: fix diff so subpaths work for sparse checkouts, fixes 1455 to releases/v5.x by <a href="https://github.com/kane8n"><code>@kane8n</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1567">go-git/go-git#1567</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.16.1...v5.16.2">https://github.com/go-git/go-git/compare/v5.16.1...v5.16.2</a></p> <h2>v5.16.1</h2> <h2>What's Changed</h2> <ul> <li>utils: merkletrie, Fix diff on sparse-checkout index. Fixes <a href="https://redirect.github.com/go-git/go-git/issues/1406">#1406</a> to releases/v5.x by <a href="https://github.com/kane8n"><code>@kane8n</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1561">go-git/go-git#1561</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/kane8n"><code>@kane8n</code></a> made their first contribution in <a href="https://redirect.github.com/go-git/go-git/pull/1561">go-git/go-git#1561</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-git/go-git/compare/v5.16.0...v5.16.1">https://github.com/go-git/go-git/compare/v5.16.0...v5.16.1</a></p> <h2>v5.16.0</h2> <h2>What's Changed</h2> <ul> <li>[v5] plumbing: support mTLS for HTTPS protocol by <a href="https://github.com/hiddeco"><code>@hiddeco</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1510">go-git/go-git#1510</a></li> <li>v5: plumbing: transport, Reintroduce SetHostKeyCallback. Fix <a href="https://redirect.github.com/go-git/go-git/issues/1514">#1514</a> by <a href="https://github.com/pjbgf"><code>@pjbgf</code></a> in <a href="https://redirect.github.com/go-git/go-git/pull/1515">go-git/go-git#1515</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
a10f05486f
|
Added OTEL log export support (#39279)
**Related issue:** Resolves #38607

Contributor docs update: https://github.com/fleetdm/fleet/pull/39285/changes
Another contributor docs update: https://github.com/fleetdm/fleet/pull/39402/changes

Also:
- renamed OtelHandler to OtelTracingHandler
- made "opentelemetry" be the default when tracing is enabled
- updated OTEL dependencies

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## New Fleet configuration settings

- [x] Setting(s) is/are explicitly excluded from GitOps

## Summary by CodeRabbit

* **New Features**
  * Added OpenTelemetry log export capability, enabling logs to be sent to OpenTelemetry collectors.
  * New configuration option `logging.otel_logs_enabled` (requires tracing to be enabled).

* **Chores**
  * Updated OpenTelemetry dependencies to v1.40.0 with latest OTLP exporters and logging support.
  * Updated dependencies including gRPC (v1.78.0), Google libraries, and cryptography packages. |
||
|
|
7c9713d08f
|
Fix panic in gRPC launcher API handler (#39409)
- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] QA'd all new/changed functionality manually |
||
|
|
3a0b72a329
|
Add gzip support to API handlers (#38675)
**Related issue:** Resolves #37944

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [x] QA'd all new/changed functionality manually

## New Fleet configuration settings

- [x] Setting(s) is/are explicitly excluded from GitOps (it's a server configuration) |
||
|
|
07949df530
|
Improved OpenTelemetry error handling (#38757)
**Related issue:** Resolves #38756

- Changed to NOT mark many client errors as exceptions
- Instead, added client_error and server_error metrics that can be used to alert on unusual error rates

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Added separate metrics for distinguishing between client and server errors, enhancing observability and monitoring capabilities.

* **Bug Fixes**
  * Client request errors no longer incorrectly appear in error tracking as exceptions; improved accuracy of error reporting to external services.
  * Adjusted logging levels for authentication and enrollment operations to provide clearer diagnostics.

<sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> |
||
|
|
393531b624
|
Implement trusted proxies config (#38471)
**Related issue:** Resolves #

# Details

Adds a new `FLEET_SERVER_TRUSTED_PROXIES` config, allowing more fine-grained control over how the client IP is determined for requests. Uses the [realclientip-go](https://github.com/realclientip/realclientip-go) library as the engine for parsing headers and using rules to determine the IP.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Introduced FLEET_SERVER_TRUSTED_PROXIES configuration option to specify trusted proxy IPs and hosts. The server now supports flexible client IP detection strategies that respect your proxy configuration, with support for multiple formats including single IP header names, hop counts, and IP address ranges, adapting to various infrastructure setups and deployment scenarios.

<sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> |
||
|
|
e225ef5791
|
Improve Microsoft endpoint validation (#38180)
**Related issue:** Resolves #13698

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually |
||
|
|
116c8ddb4f
|
Remove valyala/fastjson and valyala/fasttemplate dependencies (#37914)
Context: https://fleetdm.slack.com/archives/C019WG4GH0A/p1767713469571139

Replaced `valyala` dependencies and now relying on `json.Unmarshal` and manual traversal of `Template` subjects, such as [this one](https://github.com/fleetdm/fleet/blob/main/server/logging/nats_test.go#L113)

# Checklist for submitter

## Testing

- [x] ~~Added/updated automated tests~~ I'm relying on existing tests on `nats_test.go` which already cover using a `Template` subject, namely:
  https://github.com/fleetdm/fleet/blob/main/server/logging/nats_test.go#L112-L132
  https://github.com/fleetdm/fleet/blob/main/server/logging/nats_test.go#L194-L245
  https://github.com/fleetdm/fleet/blob/main/server/logging/nats_test.go#L301-L356
- [ ] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

Ran `nats-server`, subscribed to all subjects by running `nats --server=nats://localhost:4222 subscribe ">"` and got logs from this query:

<img width="675" height="411" alt="Screenshot 2026-01-06 at 4 12 52 PM" src="https://github.com/user-attachments/assets/e4e6e5d0-53ac-4b09-9810-b6032794d5f3" />
<img width="773" height="165" alt="Screenshot 2026-01-06 at 4 11 16 PM" src="https://github.com/user-attachments/assets/6f58d1f1-272b-40b3-96f5-1659c0bbb918" />
<img width="2541" height="119" alt="Screenshot 2026-01-06 at 4 11 06 PM" src="https://github.com/user-attachments/assets/2e61acac-063c-4cdd-aeee-871031600125" /> |
||
|
|
b6d19de0d9
|
Add support for publishing logs to NATS. (#36527)
**Related issue:** Resolves [34890](https://github.com/fleetdm/fleet/issues/34890)

# Checklist for submitter

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually

## New Fleet configuration settings

Looking at other log destinations, I couldn't find anything relevant in GitOps. Please let me know if I missed something, however.

## fleetd/orbit/Fleet Desktop

I've tested this on both Linux and MacOS.

---------

Co-authored-by: Rachael Shaw <r@rachael.wtf>
Co-authored-by: nulmete <nicoulmete1@gmail.com> |
||
|
|
e68a129eb9
|
Fix build warning (#37257)
Fixing the following warning:
```
$ make fleet
[...]
# github.com/shoenig/go-m1cpu
../../gopath/pkg/mod/github.com/shoenig/go-m1cpu@v0.1.6/cpu.go:75:17: warning: variable length array folded to constant array as an extension [-Wgnu-folding-constant]
../../gopath/pkg/mod/github.com/shoenig/go-m1cpu@v0.1.6/cpu.go:77:16: warning: variable length array folded to constant array as an extension [-Wgnu-folding-constant]
```

PS: This warning happens when building fleet because we need to decouple the client code from `server/service`... (hopefully to be done as part of https://github.com/fleetdm/fleet/issues/36087) |
||
|
|
61c51672e4
|
Bootstrapping Android app (#36233)
**Related issue:** Resolves #36202

Updated how Android agent starts. See README updates.

# Checklist for submitter

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Summary by CodeRabbit

* **New Features**
  * Periodic configuration check scheduled every 15 minutes in the Android agent
  * Improved Android management notification handling and app-role support

* **Documentation**
  * Updated Android MDM deployment guide with SHA256 fingerprint instructions and build configuration snippets

* **Chores**
  * Added WorkManager and AMAPI SDK for Android; updated Android/Go tooling and library versions

* **Tests**
  * Added unit test coverage for the periodic config worker

<sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> |
||
|
|
0cbf0d532a
|
Bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#36040)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.41.0 to 0.45.0. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
27e6c21a88
|
Bump github.com/opencontainers/selinux from 1.11.0 to 1.13.0 (#35381) | ||
|
|
e2f527adaf
|
Bump github.com/containerd/containerd from 1.7.27 to 1.7.29 (#35274)
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.27 to 1.7.29.

**Release notes**

*Sourced from [github.com/containerd/containerd's releases](https://github.com/containerd/containerd/releases).*

> ## containerd 1.7.29
>
> Welcome to the v1.7.29 release of containerd!
>
> The twenty-ninth patch release for containerd 1.7 contains various fixes and updates including security patches.
>
> ### Security Updates
>
> - **containerd**
>   - [**GHSA-pwhc-rpq9-4c8w**](https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w)
>   - [**GHSA-m6hq-p25p-ffr2**](https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2)
> - **runc**
>   - [**GHSA-qw9x-cqr3-wc7r**](https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r)
>   - [**GHSA-cgrx-mc8f-2prm**](https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm)
>   - [**GHSA-9493-h29p-rfm2**](https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2)
>
> ### Highlights
>
> #### Image Distribution
>
> - **Update differ to handle zstd media types** ([#12018](https://redirect.github.com/containerd/containerd/pull/12018))
>
> #### Runtime
>
> - **Update runc binary to v1.3.3** ([#12480](https://redirect.github.com/containerd/containerd/pull/12480))
> - **Fix lost container logs from quickly closing io** ([#12375](https://redirect.github.com/containerd/containerd/pull/12375))
>
> Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>.
>
> ### Contributors
>
> - Derek McGowan
> - Akihiro Suda
> - Phil Estes
> - Austin Vazquez
> - Sebastiaan van Stijn
> - ningmingxiao
> - Maksym Pavlenko
> - StepSecurity Bot
> - wheat2018
>
> ### Changes |
||
|
|
a910347683
|
Bump macadmins extension to v1.2.7, map crowdstrike_falcon table (#34553)
Fixes #33967, #33193, #35149.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [ ] QA'd all new/changed functionality manually

## fleetd/orbit/Fleet Desktop

- [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux (skipped Windows due to runtime.GOOS gating)
- [ ] Verified auto-update works from the released version of component to the new version (see [tools/tuf/test](../tools/tuf/test/README.md)) |
||
|
|
0a3c6c35d3
|
Android software ingestion (#33826)
> Closes #33581

**Related issue:** Resolves #

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Database migrations

- [x] Checked table schema to confirm autoupdate
- [x] Checked schema for all modified table for columns that will auto-update timestamps during migration.
- [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).

---------

Co-authored-by: RachelElysia <rachel@fleetdm.com> |
||
|
|
61347155b5
|
Error on signed configuration profiles (#33341)
**Related issue:** Resolves #26688

I'm not sure if the IsSignedProfile check is too aggressive and can potentially shadow other problems with the file?

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Media:

Gitops

<img width="575" height="189" alt="Screenshot 2025-09-23 at 11 48 19" src="https://github.com/user-attachments/assets/1e7c950e-2543-4c9a-b6f0-8b546a30eb1f" />

API

<img width="1318" height="169" alt="Screenshot 2025-09-23 at 12 04 22" src="https://github.com/user-attachments/assets/fc8f9171-fab9-46be-befa-dc6af82d2f7b" />

Frontend

<img width="779" height="89" alt="Screenshot 2025-09-23 at 12 01 59" src="https://github.com/user-attachments/assets/78dcaf56-d344-4499-bdfa-1abb97b29b15" /> |
||
|
|
a9bf8342d2
|
Update github.com/ulikunitz/xz to v0.5.15 (#33221)
Resolve https://github.com/fleetdm/fleet/security/code-scanning/1445. |
||
|
|
134c74a94b
|
Add initial Arch Linux support (#33096)
For #32859.

We can ignore the "Dependency review" failure in [CVE-2023-32698](https://github.com/advisories/GHSA-w7jw-q4fg-qc4c) because we already have the rules to ignore it (we are not vulnerable).

I'm not updating nfpm to latest because it would require further changes on all deb/rpm generation (source code breaking changes on the golang interfaces).

---

<img width="448" height="151" alt="screenshot-2025-09-11_08-38-20" src="https://github.com/user-attachments/assets/4c00b960-568a-48d9-8098-308c8ab8916f" />
<img width="391" height="73" alt="screenshot-2025-09-11_08-37-40" src="https://github.com/user-attachments/assets/dec6ea22-31f8-4930-b067-0b04b4ec2b5f" />
<img width="759" height="428" alt="Image" src="https://github.com/user-attachments/assets/0a76d070-4709-4a35-8e6e-caf869473d28" />
<img width="1178" height="634" alt="Image" src="https://github.com/user-attachments/assets/98e6fa2a-ba07-4a55-81aa-ad747f1c57b9" />
<img width="1388" height="830" alt="Image" src="https://github.com/user-attachments/assets/19d36bad-d01d-4130-b271-38bea2534833" />
<img width="933" height="930" alt="Image" src="https://github.com/user-attachments/assets/1d6a369b-65d7-46a4-98a6-e6f0b29be2c8" />
<img width="2241" height="693" alt="Image" src="https://github.com/user-attachments/assets/d8f98e97-f027-4c1c-ae5d-c4fa3b592a20" />

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [x] Added/updated automated tests
- [X] QA'd all new/changed functionality manually |
||
|
|
48760fec58
|
Add support for reading private_key from AWS Secrets Manager (#31134)
Adds support for reading server `private_key` from AWS Secrets Manager. Combined with #31075, this should allow removing all common sensitive secrets from the environment/config (if I missed any let me know).

This works with localstack for local development (set `AWS_ENDPOINT_URL=$LOCALSTACK_URL`, `AWS_ACCESS_KEY_ID=test`, and `AWS_SECRET_ACCESS_KEY=test`).

I did not include config options for `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` because they are a bad practice vs role credentials and defeat the purpose of this feature which is to remove secrets from the environment/config.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality

---------

Co-authored-by: Scott Gress <scott@fleetdm.com> |
||
|
|
602f5a470b
|
Feat 1817 add iam auth to mysql and redis (#32488)
for #1817

# Details

This PR gives Fleet servers the ability to connect to RDS MySQL and Elasticache Redis via AWS [Identity and Access Management (IAM)](https://aws.amazon.com/iam/). It is based almost entirely on the work of @titanous, branched from his [original pull request](https://github.com/fleetdm/fleet/pull/31075). The main differences between his branch and this are:

1. Removal of auto-detection of AWS region (and cache name for Elasticache) in favor of specifying these values in configuration. The auto-detection is admittedly handy but parsing AWS host URLs is not considered a best practice.
2. Relying on the existence of these new configs to determine whether or not to connect via IAM. This sidesteps a thorny issue of whether to try an IAM-based Elasticache connection when a password is not supplied, since this is technically a valid setup.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
  - besides using @titanous's excellent test tool, I verified the following end-to-end:
    - [X] regular (non RDS) MySQL connection
    - [X] RDS MySQL connection using username/password
    - [X] RDS MySQL connection using IAM (no role)
    - [X] RDS MySQL connection using IAM (assuming role)
    - [X] regular (non Elasticache) Redis connection
    - [X] Elasticache Redis connection using username/password
    - [X] Elasticache Redis connection using NO password (without IAM)
    - [X] Elasticache Redis connection using IAM (no role)
    - [X] Elasticache Redis connection using IAM (assuming role)

---------

Co-authored-by: Jonathan Rudenberg <jonathan@titanous.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> |
||
|
|
9bc5393d47
|
Bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#32431) | ||
|
|
3432d2078d
|
Updated httpsig-go library to 1.2.0 and removed vendored version. (#32426)
Fixes #32393

httpsig-go library has incorporated the changes needed to support TPM, so we are removing our local version of this library.

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually

## fleetd/orbit/Fleet Desktop

- [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) |
||
|
|
17b5732673
|
Updated OpenTelemetry packages to latest. (#32314)
Fixes #32313 Updated packages before identifying issues with our integration. |
||
|
|
5112d247fd
|
Bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 (#32158)
Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.3.0 to 2.4.0.

**Release notes**

*Sourced from [github.com/go-viper/mapstructure/v2's releases](https://github.com/go-viper/mapstructure/releases).*

> ## v2.4.0
>
> ## What's Changed
>
> - refactor: replace interface{} with any by [`@sagikazarmark`](https://github.com/sagikazarmark) in [go-viper/mapstructure#115](https://redirect.github.com/go-viper/mapstructure/pull/115)
> - build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 by [`@dependabot`](https://github.com/dependabot)[bot] in [go-viper/mapstructure#114](https://redirect.github.com/go-viper/mapstructure/pull/114)
> - Generic tests by [`@sagikazarmark`](https://github.com/sagikazarmark) in [go-viper/mapstructure#118](https://redirect.github.com/go-viper/mapstructure/pull/118)
> - Fix godoc reference link in README.md by [`@peczenyj`](https://github.com/peczenyj) in [go-viper/mapstructure#107](https://redirect.github.com/go-viper/mapstructure/pull/107)
> - feat: add StringToTimeLocationHookFunc to convert strings to *time.Location by [`@ErfanMomeniii`](https://github.com/ErfanMomeniii) in [go-viper/mapstructure#117](https://redirect.github.com/go-viper/mapstructure/pull/117)
> - feat: add back previous StringToSlice as a weak function by [`@sagikazarmark`](https://github.com/sagikazarmark) in [go-viper/mapstructure#119](https://redirect.github.com/go-viper/mapstructure/pull/119)
>
> ## New Contributors
>
> - [`@ErfanMomeniii`](https://github.com/ErfanMomeniii) made their first contribution in [go-viper/mapstructure#117](https://redirect.github.com/go-viper/mapstructure/pull/117)
>
> **Full Changelog**: <https://github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0>

**Commits** |
||
|
|
aedf4690fc
|
Bump github.com/docker/docker from 26.1.5+incompatible to 28.0.0+incompatible (#31918) | ||
|
|
d1992aa983
|
Added integration test for TPM. (#31315)
For #31048

This change includes some refactoring of orbit code. No functional changes. Moved non-Linux-specific code from `securehw_linux.go` to `securehw_tpm.go` so that tests on any platform can use it.

There are no server changes impacting the upcoming 4.72 release. Just tests.

# Checklist for submitter

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## fleetd/orbit/Fleet Desktop

- [x] If the change applies to only one platform, confirmed that `runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows

## Summary by CodeRabbit

* **New Features**
  * Introduced a new TPM 2.0-based secure hardware interface, enabling creation, loading, and management of ECC keys within a TPM device.
  * Added support for both standard and RFC 9421-compatible HTTP signatures using TPM-backed keys.
* **Bug Fixes**
  * Improved error handling and resource management for TPM operations.
* **Tests**
  * Added comprehensive unit tests for TPM key file loading scenarios.
  * Introduced integration tests using a simulated TPM device to validate end-to-end secure hardware and SCEP workflows.
* **Chores**
  * Updated dependencies for enhanced compatibility and security.
  * Modernized build constraints for improved maintainability. |