chore(deps): update ghcr.io/warp-tech/warpgate docker tag to v0.20.0

[renovate]

This PR contains the following updates:

Package	Update	Change
ghcr.io/warp-tech/warpgate	minor	v0.8.1 → 0.20.0

---

Release Notes

warp-tech/warpgate (ghcr.io/warp-tech/warpgate)

v0.20.0

Compare Source

Changes

• feat(ssh): add configurable client authentication methods by @​liebermantodd in #​1637
• Improve logging/messaging around SSH target authentication failure by @​LarsSven in #​1677
• feat(cli): add support for setting config path through env by @​justinforlenza in #​1650

Fixes

• fix: modify GEX parameters in SSH key exchange configuration so that it uses 2048 bits by @​joseluisgonzalezca in #​1659
• fix: generate SSO login return URL based on request host by @​joseluisgonzalezca in #​1661
• fixed LDAP server attribute saving by @​Eugeny in #​1662
• Correctly naturally sort all relevant lists in the UI by @​LarsSven in #​1656
• Correct PostreSQL connection string & Allow targets to customize default database name in connection examples by @​SteezyCougar in #​1577

New Contributors

• @​justinforlenza made their first contribution in #​1650
• @​liebermantodd made their first contribution in #​1637

Full Changelog: warp-tech/warpgate@v0.19.1...v0.20.0

v0.19.1

Compare Source

Fixes

• Undo API-incompatible TlsMode change by @​LarsSven in #​1648
• fixed #​1647 - SSH keys admin UI page not working

Full Changelog: warp-tech/warpgate@v0.19.0...v0.19.1

v0.19.0

Compare Source

Changes

• Experimental LDAP user sync by @​Eugeny in #​1603
• Create the admin user by default even if unattended-setup not called by @​MohammedNoureldin in #​1620
• Add SCP example command to SSH targets by @​LarsSven in #​1612
• Add JSON log output format for easier log processing by @​mrmm in #​1609
• fixed #​974 - make securing files optional by @​Eugeny in #​1636

Fixes

• remove dependency on the deprecated rustls-pemfile by @​Eugeny in #​1615
• fixed #​1456 - added a clickable button to submit the OTP by @​Eugeny in #​1614
• Fix cross-domain cookie handling and domain rebinding by @​SteezyCougar in #​1553
• fixed #​1632 - natural sort for targets by @​Eugeny in #​1645

New Contributors

• @​MohammedNoureldin made their first contribution in #​1620
• @​mrmm made their first contribution in #​1609

Full Changelog: warp-tech/warpgate@v0.18.0...v0.19.0

v0.18.0

Compare Source

Changes

• Add target groups by @​alairock in #​1518
• Add create-user CLI command by @​LarsSven in #​1549
• Add configurable idle timeout for PostgreSQL targets by @​SteezyCougar in #​1565

Fixes

• Use warpgate.yaml for Container Healthcheck by @​micha-k in #​1539
• Clean up ssh key generation and loading by @​LarsSven in #​1544

New Contributors

• @​micha-k made their first contribution in #​1539
• @​alairock made their first contribution in #​1518

Full Changelog: warp-tech/warpgate@v0.17.0...v0.18.0

v0.17.0

Compare Source

Important changes

• Warpgate now automatically falls back to email if preferred_username is not available from an SSO provider when auto-creating new users - by @​SteezyCougar in #​1475

Features

• Added a Helm chart (beta) - by @​alice-dops in #​1502
• Added ML-KEM post-quantum key exchange by @​kruton in #​1527

Fixes

• SSH server doesnt offer ed25519 hostkey by @​fpfeifferik in #​1473
• Added diffie-hellman-group-exchange-sha256 to SSH key exchange list by @​joseluisgonzalezca in #​1493
• Canonicalize Oauth Redirect with cross domain session cookie by @​SteezyCougar in #​1476
• Spawn task immediately when accepting connection by @​kruton in #​1521
• Fixed --debug CLI option by @​kruton in #​1526

Docs

• Correct dependency install command by @​LarsSven in #​1506

New Contributors

• @​fpfeifferik made their first contribution in #​1473
• @​SteezyCougar made their first contribution in #​1475
• @​LarsSven made their first contribution in #​1506
• @​step-security-bot made their first contribution in #​1508
• @​kruton made their first contribution in #​1521

Full Changelog: warp-tech/warpgate@v0.16.0...v0.17.0

v0.16.0

Compare Source

Security fixes

• 3c003fc - fixed CVE-2025-54804
  • This vulnerability has allowed a malicious authenticated client or target server to trigger a Rust panic in Warpgate and potentially cause a service restart

Major changes

• Docker image : add healthcheck, linting and run as regular user by @​hugosxm in #​1433
  • The Docker image now runs under UID 1000 instead of 0. Depending on your setup, this might cause permission errors when trying to access the Warpgate data files, you might have to chmod them. Run Docker with --uid 0 to revert to the old, less safe behaviour.
• Added bandwidth limiting support in #​1443
  • You can set bandwidth limits globally, per user and per target - works for SSH, MySQL and Postgres targets.

Changes

• Warpgate now sets TCP_NODELAY for better performance - in #​1447 and by @​tom-90 in #​1449

Fixes

• fd6607b - fix channels losing unflushed data when closing
• 4d5ebe4 - fix SCP hangups
• 05235d9 - fixed incorrect relative path resolution in setup
• 5a4b295 - fixed #​1424 - OOB UI fails with repeating characters
• version attribute is obsolete by @​ulab in #​1435
• 8ad6972 - fixed #​1442 - unnecessary get_info auth restrictions

New Contributors

• @​hugosxm made their first contribution in #​1433
• @​ulab made their first contribution in #​1435
• @​tom-90 made their first contribution in #​1449

Full Changelog: warp-tech/warpgate@v0.15.0...v0.16.0

v0.15.0

Compare Source

Features

• fixed #​1104 - SNI support in #​1402 - see https://warpgate.null.page/sni/
• fixed #​1220 - direct-streamlocal (local UNIX socket forwarding) support in 103a480
• fixed #​1368 - correctly generate version number in docker in #​1372
• fixed #​954 - enable gzip support for http targets in 9e144f8
• fixed #​1367 - replace Swagger with Stoplight Elements in the API playground and add a note about token header in 1df9b45

Fixes

• fixed #​1381 - skip password auth in postgres if not required in #​1383
• fix(panel): fix user profile link by @​joseluisgonzalezca in #​1384
• feat(http): support for insecured websocket connections if TLS Verifyflag is disabled by @​joseluisgonzalezca in #​1385
• fix(logs): normalize logs timestamp format with fixed sub-second digits by @​joseluisgonzalezca in #​1387
• fix(auth): skip web approval auth method only if there are other authentication methods available by @​joseluisgonzalezca in #​1390
• fixed #​1396 - fixed API token auth for getAllTargets API in #​1397
• fixed #​1395 - preselect current user in access instructions modal by @​Eugeny in #​1405
• fixed #​1404 - SSO user autocreation not working with Entra ID by @​Eugeny in #​1406
• fixed #​1411 - duplicate Host header sent to HTTP/2 targets by @​Eugeny in #​1412

New Contributors

• @​joseluisgonzalezca made their first contribution in #​1384

Full Changelog: warp-tech/warpgate@v0.14.1...v0.15.0

v0.14.1

Compare Source

Fixes

• c0de2f0: fixed #​1366 - API crash

v0.14.0

Compare Source

Major changes

• 863af5e: #​1323 - In-browser auth (2FA/SSO) support for PostgreSQL (#​1338) #​1338
• 53971dc: #​1334 New in-browser auth requests will automatically show up on the Warpgate homepage if the user is logged in (#​1335) #​1335
• ec98c3d: Option to check and accepting SSH target's host keys from the admin UI (#​1307) #​1307

Changes

• Deleting an SSH target will now auto-remove its known hosts entry (#​1300) #​1300 (Chinmay Pai)
• Prefer SSO provider buttons will prefer label over name in the login UI (Eugene)
• 4533401: Warpgate will now forward HTTP basic auth credentials (if present) from an HTTP target's URL correctly (#​1343) #​1343
• cea7acc: #​1281 - Added description fields for most objects (#​1294) #​1294
• 9841421: #​1281 - List role members and targets in the UI (#​1295) #​1295
• 6b22399: Added SBOMs to release artifacts (#​1289) #​1289
• 74ca553: Add "getting started" hints to the UI (#​1344) #​1344

Fixes

• Fixed Warpgate attempting RSA key auth against a target too many times, exhausting the OpenSSH limits (#​1274) #​1274 (Eugene)
• 95dce41: Fix SSH Client to respond to keyboard-interactive when target has optional 2FA (#​1273) (samtoxie) #​1273
• 51c8937: fixed frontend crash in list pagination
• 5d3a8ac: Force the config file format to YAML (#​1299) (Mice7R) #​1299
• 4b74303: #​1271 - modals are invisible with prefers-reduced-motion
• 0a3e444: fixed #​1285 - unable to add public keys via credentials self-service
• 26a9c99: fixed #​1326 - UI allowing duplicate target names (#​1328) #​1328
• d465586: fixed enter key handling in the "create target" form
• b4076ef: fixed #​1320 - JDBC based Postgres clients not connecting
• 87b409b: SQL content of prepared Postgres queries were not logged
• 5ee29b9: fixed #​1337 - automatically strip the public key comment when setting via the API
• 2381f55: fixed #​972 - SSH server not offering keyboard-interactive when only OOB or SSO auth is enabled for a user
• 9bc1c9d: fixed #​1346 - changing own password does not remove existing passwors
• 33803f1: fixed #​1336 - correctly parse ECC certificates - no longer handle incorrect PEM header
• 331af97: fixed #​1356 - generate config schema (#​1357) #​1357

v0.13.3

Compare Source

Changes

• 306138f: reenabled HTTP/2 support as client (both for HTTP targets and OIDC)

v0.13.2

Compare Source

Changes

• ee05440: pasting a public key will automatically fill out the label field now if the key has a comment

Fixes

• 5b050e5: fixed #​1264 - config file permission error in kubernetes (#​1265) (hashfunc) #​1265
• 91c4a5a, 1772601: fixed #​1263 - errors when working with public key creds on Postgres
• 549ddba, 93609ae: fixed #​1270 - public key values getting truncated on MySQL

v0.13.1

Compare Source

Changes

• 5dfa025: added an option to trust unknown OIDC audiences (#​1254) (samtoxie) #​1254

Fixes

• 2e75b28: fixed #​1261 - reenable accidentally disabled Postgres TLS support

v0.13.0

Compare Source

Changes

• 409b382: UI facelift (#​1175)
• 010534a: added support for user API tokens and an API playground (#​1191)
• 1dec4c9: added a title field for public keys (#​1171) (Mohammad Al Shakoush)
• 59884fb: added "last used" and "date created" fields for public keys (#​1182) (Mohammad Al Shakoush)
• d51d882: fixed #​1189 - updated default config to listen on IPv6 as well
• b76872f: added an option to auto-create SSO users #​1245
• e203688: implemented agent forwarding over SSH (samtoxie) #​1249
• 55dcd11: added streamlocal-forward support (remote UNIX socket forwarding) #​1243

Fixes

• 40e49a2: Fixed SSO not respecting the OS' trusted TLS CAs (Thibaud Lepretre) #​1233
• 2abe104: fixed #​1234 - rustls panic in tokio-tungstenite
• 2cdf8ba: bump vulnerable deps (#​1241) #​1241
• 8d53f7b: bumped russh for the mlock() fix
• 7e15422: fixed #​1258 - hide the version info until logged in (Eugene)
• 6ade841: correctly bind to both ipv4 and ipv6 when [::] is set as listen endpoint (#​1193)
• create and canonicalize relative data_path (#​1180) (willow)
• e89bc03: fixed #​1218 - make target search case insensitive
• b665ca1: fixed #​1197 - ticket creation on non-sqlite databases

v0.12.0

Compare Source

Changes

• Self-service credentials management (#​1145) - you can now allow users to manage their own credentials. Enable it in Config -> Misc -> Global parameters.
• Multiple return domains for SSO, prefer host header over external_host (dbf96a8 / #​1093) - Warpgate now users the Host header to resolve its own external URL and only falls back to the external_host from the config file if the header is missing. If you're running behind a reverse proxy, make sure that http.trust_x_forwarded_headers is set in the config and you're passing the X-Forwarded-Host header. SSO logins will also dynamically construct their return URL from the Host header. You can restrict the allowed return domains with the new sso_providers[].return_domain_whitelist option (a list of hostnames).
• Passing user-identifying headers to HTTP targets (cc0b054 / #​1107) - Warpgate now passes x-warpgate-username and x-warpgate-authentication-type headers to HTTP targets.
• --enable-admin-token option (9dd1c58) - setting it allows passing a global admin token via the WARPGATE_ADMIN_TOKEN env variable. This token can be used to authenticate against the admin REST API (pass it in the x-warpgate-token header).

Other changes

• ef46e75: add keepalive_interval to ssh config (#​1134) (Piotr Rotter)
• f1d565b: Svelte 5 migration (#​1101)
• a20fdb8: Bumped russh (#​1131)
• 379b1bc: fixed #​983 - enable ssh-rsa when insecure algorithms are allowed
• b359838: Separate DB models for credentials (#​1143)

Fixes

• 846e6d1: fixed #​1110 - Fix switch for insecure ssh algorithms option (#​1111) (hashfunc)
• 38dbb3b: fixed #​1096 - SEC1 EC private key file support for TLS
• 80ee6cc: fixed #​1074 - strip trailing slash in SSO issuer URLs and log errors properly
• 8acaaee: show more detailed error messages for API errors
• 3b29a3e: fixed #​929 - sso: broken additional_trusted_audiences config option
• 557921f: postgres listener was incorrectly using the mysql certificate & key
• 41d3158: fixed #​1039 - first DB migration failing on Postgres
• 64d7194: fixed #​1150 - send the ssh-rsa client key when insecure algorithms are enabled

v0.11.0

Compare Source

⚠️ This is the last release that supports loading targets, users and roles from the config file. Upgrade to this version before installing v0.12 if you haven't migrated yet!

PostgreSQL

v0.11 adds experimental PostgreSQL target support.

Enable the PostgreSQL protocol in your config file (default: /etc/warpgate.yaml) if you didn't do so during the initial setup:

+ postgres:
+   enable: true
+   certificate: /var/lib/warpgate/tls.certificate.pem
+   key: /var/lib/warpgate/tls.key.pem

You can reuse the same certificate and key that are used for the HTTP listener.

See [https://github.com/warp-tech/warpgate/wiki/Adding-a-PostgreSQL-target](Adding a PostgreSQL target) for more details.

Changes

• 00d3c36: PostgreSQL support (#​1021) #​1021
• fe521f2: OIDC RP-initiated logout (SSO single logout) support (#​992) #​992
• 3c3b843: Validate a TOTP code before saving it (#​1055) (kekkon) #​1055

Fixes

• 116bf9f: fixed SSO authentication getting incorrectly rejected when user has both an "any provider" and a provider specific SSO credential
• 1f597a8: fixed #​1053 - prevent repeated consumption of the ticket uses within the same SSH session
• 38bdbad: fixed #​1077 - handle non-standard PKCS8 EC private key PEMs
• 7e49f13: #​1056 - auto-strip .well-known/openid-configuration from OIDC URLs
• 9e3760e: fixed #​1082 - terminal replay crashing when the session is finished

v0.10.2

Compare Source

Security fixes

CVE-2024-43410 - SSH OOM DoS through malicious packet length

It was possible for an attacker to cause Warpgate to allocate an arbitrary amount of memory by sending a packet with a malformed length field, potentially causing the service to get killed due to excessive RAM usage.

Other fIxes

• c328127: fixed #​941 - unnecessary port number showing up in external URLs

v0.10.1

Compare Source

Fixes

• ed6f68c: fixed #​1017 - fixed broken HTTP proxying
• daacd55: fixed #​972 - ssh: only offer available auth methods after a rejected public key offer

v0.10.0

Compare Source

HTTP

• Added remote_addr to logs #​945 (Néfix Estrada)
• TLS implementation switched to Rustls

SSH

• Made inactivity timeout configurable (#​990) #​990 (Néfix Estrada)
• 5551c33: Switch OOB SSO authentication for SSH to use the instructions instead of the name (#​964) (Shea Smith) #​964
• Bumped russh to v0.44
• 8896bb3: fixed #​961 - added option to allow insecure ssh key exchanges (#​971) #​971

SSO

• 916d51a: Add support for role mappings on custom SSO providers. (#​920) (Skyler Mansfield) #​920
• 75a2b8c: fixed #​929 - support additional trusted OIDC audiences

UI

• 257fb38: Enhance ticket creation api and UI to support ticket expiry (#​957) (Thibaud Lepretre) #​957
• f3dc1ad: Enhance ticket creation api and UI to support ticket number of usage (#​959) (Thibaud Lepretre) #​959

Other changes

• 72236d0: Added options to specify per-protocol external ports (#​973) #​973
• Added arm64 docker image #​930 (Zasda Yusuf Mikail)
• 81cefeb: fixed #​966 - don't actually try to tighten config file permissions unless necessary
• 7e45fa5: migrate from moment to date-fns (#​988) (Konstantin Nosov) #​988
• b65a189: Upgrade TypeScript and Svelte Versions (#​995) (Yachen Mao) #​995

v0.9.1

Compare Source

Security fixes

CVE-2023-48795 - Terrapin Attack [12fdf62]

A flaw in the SSH protocol itself allows an active MitM attacker to prevent the client & server from negotiating OpenSSH security extensions, or, with AsyncSSH, take control of the user's session.

This release adds the support for the kex-strict-*-v00@​openssh.com extensions designed by OpenSSH specifically to prevent this attack.

More info: https://terrapin-attack.com

Changes

• 21d6ab4: make HTTP session timeout and cookie age configurable in the config file (Nicolas SEYS) #​922

v0.9.0

Compare Source

Security fixes

CVE-2023-48712

⚠️ Update ASAP.

This vulnerability allows a user to escalate their privileges if the admin account isn't protected by 2FA.

Migration

• If you have a proxy in front of Warpgate setting X-Forwarded-* headers, set http.trust_x_forwarded_for to true in the config file.

Changes

• b0a9130: Add support for trusting X-Forwarded-For header to get client IP (Skyler Mansfield) #​921
• d9af747: Add better support for X-Forward-* headers when constructing external url (Skyler Mansfield) #​921

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.