This repository has been archived by the owner on Dec 15, 2020. It is now read-only.

2.1.2

@zwass zwass released this 30 May 19:12
· 142 commits to master since this release

This is a security update

This advisory only affects installations using the LOGIN authentication method for SMTP (added in Fleet 2.0.2).

The implementation of LOGIN auth could expose SMTP credentials over an insecure connection if the server did not claim to support STARTTLS. This could allow an attacker to sniff or MITM SMTP traffic and obtain the credentials.

Affected users should immediately update to Fleet 2.1.2 and rotate the affected SMTP credentials.

Changes

  • Prevent sending of SMTP credentials over insecure connection

  • Prefix generated SAML IDs with 'id' (improves compatibility with some IdPs)

Upgrading

Please visit our update guide for upgrade instructions.

Documentation

Documentation for this release can be found at https://github.com/kolide/fleet/blob/2.1.1/docs/README.md