Version 0.1.1

Author: guimard

.github/workflows/ci.yml

@@ -175,9 +175,10 @@ jobs:
 
     - name: Build RPM
       run: |
+        VERSION=$(grep -oP 'project\(open-bastion VERSION \K[0-9.]+' CMakeLists.txt)
         mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
-        tar czf ~/rpmbuild/SOURCES/open-bastion-0.1.0.tar.gz \
-          --transform 's,^,open-bastion-0.1.0/,' \
+        tar czf ~/rpmbuild/SOURCES/open-bastion-${VERSION}.tar.gz \
+          --transform "s,^,open-bastion-${VERSION}/," \
           --exclude='.git' .
         rpmbuild -ba rpm/open-bastion.spec
 

CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.1] - 2026-02-07
+
+### Added
+
+- **Supplementary groups synchronization** (#95): LLNG can now manage Unix supplementary
+  groups on target servers via the `managed_groups` configuration
+- **Local whitelist for managed groups** (`allowed_managed_groups`): Defense-in-depth
+  option to restrict which groups LLNG can modify on each server
+- **CrowdSec IP/CIDR whitelist** (#96): New `crowdsec_whitelist` option to bypass
+  CrowdSec checks for trusted IPs/networks (VPN exit nodes, corporate NAT)
+  - Supports IPv4, IPv6, and CIDR notation
+  - Prevents self-inflicted DoS on shared IPs
+
+### Fixed
+
+- **TOCTOU race condition in cache_key.c** (#97): Use `open()` with
+  `O_CREAT|O_EXCL|O_NOFOLLOW` instead of `fopen()` to prevent symlink attacks
+- Check `fclose()` return value to detect flush errors before rename
+
 ## [0.1.0] - 2025-02-07
 
 Initial release.

CMakeLists.txt

@@ -1,5 +1,5 @@
 cmake_minimum_required(VERSION 3.10)
-project(open-bastion VERSION 0.1.0 LANGUAGES C)
+project(open-bastion VERSION 0.1.1 LANGUAGES C)
 
 set(CMAKE_C_STANDARD 11)
 set(CMAKE_C_STANDARD_REQUIRED ON)

debian/changelog

@@ -1,3 +1,12 @@
+open-bastion (0.1.1) unstable; urgency=medium
+
+  * Supplementary groups synchronization via managed_groups configuration
+  * Local whitelist for managed groups (allowed_managed_groups)
+  * CrowdSec IP/CIDR whitelist to bypass checks for trusted IPs/networks
+  * Fixed TOCTOU race condition in cache_key.c
+
+ -- Xavier Guimard <xguimard@linagora.com>  Sat, 07 Feb 2026 22:51:15 +0100
+
 open-bastion (0.1.0) unstable; urgency=medium
 
   * Initial release

rpm/open-bastion.spec

@@ -1,5 +1,5 @@
 Name:           open-bastion
-Version:        0.1.0
+Version:        0.1.1
 Release:        1%{?dist}
 Summary:        Open Bastion PAM/NSS module for SSH bastion authentication
 
@@ -87,6 +87,12 @@ token-based and key-based authorization with server groups.
 %systemd_postun_with_restart ob-heartbeat.timer
 
 %changelog
+* Sat Feb 07 2026 Xavier Guimard <xguimard@linagora.com> - 0.1.1-1
+- Supplementary groups synchronization via managed_groups
+- Local whitelist for managed groups (allowed_managed_groups)
+- CrowdSec IP/CIDR whitelist for trusted IPs/networks
+- Fixed TOCTOU race condition in cache_key.c
+
 * Sat Dec 14 2025 Xavier Guimard <xguimard@linagora.com> - 0.1.0-1
 - Initial RPM package
 - Renamed project from pam-llng to open-bastion

src/crowdsec.c

@@ -23,7 +23,7 @@
 #include "crowdsec.h"
 
 /* Module version for scenario_version field */
-#define CROWDSEC_MODULE_VERSION "0.1.0"
+#define CROWDSEC_MODULE_VERSION "0.1.1"
 
 /* Maximum response size to prevent DoS */
 #define MAX_RESPONSE_SIZE (256 * 1024)