SFTPGo - Package Updates
girish pinned this topic
[0.3.0]
- Update SFTPGo to 2.6.6
- Full changelog
- Update golang.org/x/crypto/ssh to v0.35.0 to fix CVE-2025-22869
- Add postinstall, checklist
[0.4.0]
- oidc.ini replaced with .env
[0.5.0]
- Update to base image 5.0.0
[0.6.0]
- simplify the oidc login hook
[0.7.0]
- Fix description
[0.8.0]
- Set trust proxy IP
[1.0.0]
- Fix upstream version
- Initial stable release
[1.1.0]
- Do not use ephemeral port range for FTPD_PASSIVE_PORT
[1.2.0]
- Remove containerPort and make config of internal port static
[1.3.0]
- Update sftpgo to 2.7.0
- Full Changelog
- SFTPD: Added support for Post-Quantum Traditional Hybrid Key Exchange through the newly added algorithm mlkem768x25519-sha256.
- JWT: replace jwtauth/jwx with a lightweight wrapper around go-jose. Implementing our own wrapper simplifies the codebase and improves maintainability. Moreover, go-jose depends only on the standard library, resulting in a leaner dependency that still meets all our requirements.
- WebUI: add French and German translations.
- Public shares: show disclaimer on login page.
- Enable setting password change requirements in user templates.
- DataProvider: preserve the initial sort order for related resources (such as folders and groups), improving compatibility and predictability when managing them with Terraform.
- OIDC: allow login if the password method is disabled.
- OIDC: ensure token username adheres to configured naming conventions.
- Removed Git support. Hosting Git repositories over SSH falls outside the intended scope of a file transfer solution, and the use of external commands introduces unnecessary security risks by increasing the attack surface. For example, a user could upload a Git repository containing custom hooks to their SFTPGo folder; when they push to the repository, a Git pre-receive hook shell script would be executed with the privileges of the sftpgo user. Thanks to @hyperreality for the detailed report.
- Removed rsync support. In the previous versions, rsync was executed as an external command, which means we have no insight into or control over what it actually does. From a security perspective, this is far from ideal. To be clear, there's nothing inherently wrong with rsync itself. However, if we were to support it properly within SFTPGo, we would need to implement the low-level protocol internally rather than relying on launching an external process. This would ensure it works seamlessly with any storage backend, just as SFTP does, for example. We recommend using one of the many alternatives that rely on the SFTP protocol, such as rclone.
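The [1.1.0] entry above moves FTPD_PASSIVE_PORT out of the kernel's ephemeral port range, so that outgoing connections from other processes on the host cannot grab ports the FTP server advertises in its PASV replies. The following POSIX shell check is an added example, not code from the Cloudron package or from SFTPGo: it reads the ephemeral range from /proc/sys/net/ipv4/ip_local_port_range and reports whether a candidate passive range overlaps it. The function names, the START/END argument convention and the 32768-60999 fallback used when /proc is not readable are assumptions made here.

```shell
#!/bin/sh
# Added example (not SFTPGo or Cloudron package code): verify that an FTP
# passive port range stays clear of the kernel's ephemeral port range.

# ephemeral_range: print "LOW HIGH" from the kernel setting when readable;
# otherwise fall back to the common Linux default (assumed, for offline runs).
ephemeral_range() {
  if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
    tr '\t' ' ' < /proc/sys/net/ipv4/ip_local_port_range
  else
    echo "32768 60999"
  fi
}

# passive_range_ok START END LOW HIGH
# Returns 0 when [START,END] is a valid TCP port range lying entirely outside
# [LOW,HIGH], 1 otherwise. Pure integer arithmetic, so it is testable offline.
passive_range_ok() {
  start=$1 end=$2 low=$3 high=$4
  [ "$start" -ge 1 ] && [ "$end" -le 65535 ] && [ "$start" -le "$end" ] || return 1
  if [ "$end" -lt "$low" ] || [ "$start" -gt "$high" ]; then
    return 0
  fi
  return 1
}

# check_passive_range START END: human-readable verdict against the live
# (or fallback) ephemeral range; exit status mirrors passive_range_ok.
check_passive_range() {
  set -- "$1" "$2" $(ephemeral_range)
  if passive_range_ok "$1" "$2" "$3" "$4"; then
    echo "OK: passive range $1-$2 is outside ephemeral range $3-$4"
    return 0
  fi
  echo "WARN: passive range $1-$2 overlaps ephemeral range $3-$4 (or is invalid)"
  return 1
}

# Usage: check_passive_range 50000 50100
```

Run it with the passive range you intend to expose through the container and the host firewall; a WARN means either the range must move or ip_local_port_range must be narrowed, since a collision shows up as intermittent PASV data-connection failures rather than a clear error.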