SFTPGo - Package Updates
-
This topic is to track SFTPGo package updates.
Please open issues in a separate topic instead of replying here.
-
[0.1.0]
- Initial version
-
[0.2.0]
- Various packaging fixes
-
-
[0.3.0]
- Update SFTPGo to 2.6.6
- Full changelog
- Update golang.org/x/crypto/ssh to v0.35.0 to fix CVE-2025-22869
- Add postinstall, checklist
-
[0.4.0]
- oidc.ini replaced with .env
-
[0.5.0]
- Update to base image 5.0.0
-
[0.6.0]
- simplify the oidc login hook
-
[0.7.0]
- Fix description
-
[0.8.0]
- Set trust proxy IP
-
[1.0.0]
- Fix upstream version
- Initial stable release
-
[1.1.0]
- Do not use ephemeral port range for FTPD_PASSIVE_PORT
-
[1.2.0]
- Remove containerPort and make config of internal port static
-
[1.3.0]
- Update sftpgo to 2.7.0
- Full Changelog
- SFTPD: Added support for Post-Quantum Traditional Hybrid Key Exchange through the newly added algorithm mlkem768x25519-sha256.
- JWT: replace jwtauth/jwx with lightweight wrapper around go-jose. Implementing our own wrapper simplifies the codebase and improves maintainability. Moreover, go-jose depends only on the standard library, resulting in a leaner dependency that still meets all our requirements.
- WebUI: add French and German translations.
- Public shares: show disclaimer on login page.
- Enable setting password change requirements in user templates.
- DataProvider: preserve the initial sort order for related resources (such as folders and groups), improving compatibility and predictability when managing them with Terraform.
- OIDC: allow login if the password method is disabled.
- OIDC: ensure token username adheres to configured naming conventions.
- Removed Git support. Hosting Git repositories over SSH falls outside the intended scope of a file transfer solution, and the use of external commands introduces unnecessary security risks by increasing the attack surface. For example, a user could upload a Git repository containing custom hooks to their SFTPGo folder; when they push to the repository, a Git pre-receive hook shell script would be executed with the privileges of the sftpgo user. Thanks to @hyperreality for the detailed report.
- Removed rsync support. In the previous versions, rsync was executed as an external command, which means we have no insight into or control over what it actually does. From a security perspective, this is far from ideal. To be clear, there's nothing inherently wrong with rsync itself. However, if we were to support it properly within SFTPGo, we would need to implement the low-level protocol internally rather than relying on launching an external process. This would ensure it works seamlessly with any storage backend, just as SFTP does, for example. We recommend using one of the many alternatives that rely on the SFTP protocol, such as rclone.
-
[1.4.0]
- Make ports optional
-
[1.4.1]
- Update sftpgo to 2.7.1
- Full Changelog
- SFTPD: Added support for OpenPubkey SSH, enabling tighter integration between OpenID Connect and SFTP.
- Enforced password validation rules also when applied through a group.
- Fixed an issue where JSON dumps containing command actions failed to load correctly at startup when loaded as initial data.
- Data Provider: Fixed lock handling issues during migrations that could affect MySQL when migrations are executed concurrently by multiple instances.
- Fixed a potential path traversal and permission bypass involving specially crafted paths. CVE-2026-30914.
- Fixed placeholder sanitization in group home directories and key prefixes. CVE-2026-30915.
- Unified path handling: Prior to this release, the backslash character (\) was treated differently depending on the host operating system: on Linux, it was considered a standard character within a file or directory name, while on Windows, it acted as a path separator. We have now unified path handling across all platforms. Moving forward, both forward slashes (/) and backslashes (\) are strictly evaluated as path separators, independently of the underlying OS.
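The unified path handling described in the 2.7.1 notes, as an added Go example that is not part of the original post and is not SFTPGo's code: the helper names, the permission map and the sample paths are constructed assumptions. It shows how treating both separators the same way makes a per-directory permission lookup see one canonical path on every OS.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// cleanVirtualPath is a hypothetical helper (not SFTPGo's implementation).
// It treats both "/" and "\" as separators on every OS and returns a
// rooted, cleaned virtual path.
func cleanVirtualPath(p string) string {
	p = strings.ReplaceAll(p, `\`, "/")
	// Rooting the path before Clean means ".." can never climb above "/".
	return path.Clean("/" + p)
}

// permsFor returns the permissions of the longest configured directory
// prefix that contains virtualPath. perms is keyed by cleaned directories.
func permsFor(perms map[string]string, virtualPath string) string {
	dir := cleanVirtualPath(virtualPath)
	for {
		if v, ok := perms[dir]; ok {
			return v
		}
		if dir == "/" {
			return "" // no rule matched: deny by default
		}
		dir = path.Dir(dir)
	}
}

func main() {
	// Constructed sample policy and request paths.
	perms := map[string]string{"/": "list,download,upload", "/reports": "list"}
	samples := []string{`reports\q1.csv`, `/reports/q1.csv`,
		`inbox\..\reports\q1.csv`, `..\..\reports`}
	for _, p := range samples {
		// Separator-unaware view: the backslash stays an ordinary character,
		// which is how the notes describe the earlier behaviour on Linux.
		unaware := path.Clean("/" + p)
		fmt.Printf("%-26q unaware=%-28q unified=%-18q perms=%s\n",
			p, unaware, cleanVirtualPath(p), permsFor(perms, p))
	}
}
```

Running it prints, for each sample, the separator-unaware result next to the unified one, so the cases where the two views would select different permission rules are visible side by side.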