Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package netbird for openSUSE:Factory checked in at 2026-02-16 13:08:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/netbird (Old) and /work/SRC/openSUSE:Factory/.netbird.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "netbird" Mon Feb 16 13:08:42 2026 rev:8 rq:1333135 version:0.65.1 Changes: -------- --- /work/SRC/openSUSE:Factory/netbird/netbird.changes 2026-01-27 16:12:51.947431983 +0100 +++ /work/SRC/openSUSE:Factory/.netbird.new.1977/netbird.changes 2026-02-16 13:14:15.690356541 +0100 @@ -1,0 +2,176 @@ +Sat Feb 14 19:37:54 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to 0.65.1: + - [misc] Fix reverse proxy getting started messaging by + @braginini in #5317 + - [management] Move service reload outside transaction in account + settings update by @bcmmbaga in #5325 + +------------------------------------------------------------------- +Fri Feb 13 20:55:21 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to 0.65.0: + NetBird now includes a built-in reverse proxy in the management + server, enabling proxied access to backend services through your + NetBird network. Allowing you to expose your services to the + public with the option to secure them with SSO, PINs, or + passwords. + + No VPN client required for end users. Just point a custom domain + at your NetBird server, configure the proxy in the dashboard, and + your internal services are securely accessible from any browser. + Think of it as a self-hosted alternative to Cloudflare Tunnels, + but without the MITM and fully under your control. + + Key features: + - Custom domains - Map your own domains to internal services and + let NetBird handle TLS and routing via CNAME verification + - Built-in authentication - Protect exposed services with SSO + (via your configured IdP), PIN codes, passwords, or magic links + directly from the dashboard + - Multiple targets - Route traffic to one or more backend peers + or resources with optional path-based routing + - Access logs - Monitor who's accessing your proxied services + with built-in logging + - Proxy settings - Fine-tune behavior with options like host + header passthrough and redirect rewriting + + 🏗️ Self-Hosted Improvements + - Added combined NetBird server binary for simplified self-hosted + deployments, reducing the number of containers needed to run + NetBird. #5232 + 🔒 Management Improvements + - Enforced access control on accessible peers, ensuring proper + authorization checks when querying the accessible peers + endpoint. #5301 + - Added cloud API spec to the public OpenAPI definition with REST + client support. #5222 + 🖥️ Client Improvements + - Added early message buffer for the relay client, preventing + message loss during connection establishment. #5282 + - Refactored relay connection container for improved reliability + and code maintainability. #5271 + +------------------------------------------------------------------- +Thu Feb 12 09:24:03 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to 0.64.6: + 🚨 Security Fix + Security: Fixed account impersonation validation in management + API + + Fixed a vulnerability in the management server's authentication + middleware where the ?account= query parameter could be used to + impersonate arbitrary accounts without proper validation when + getting a list of accessible peers. It requires the attacker to + have prior knowledge of the target accounts' and peer IDs. + + The fix adds explicit validation via IsValidChildAccount() before + allowing account switching. Account impersonation is now only + permitted when the target account is confirmed as a legitimate + child account of the requesting user's parent account. + + Affected component: Management server HTTP middleware + (auth_middleware.go) and /api/peers/<peer_id>/accessible-peers + endpoint + + Severity: High — an authenticated user could potentially access + or act on behalf of accounts they should not have access to by + passing an arbitrary account parameter and fetching the list of + accessible peers. + + Recommendation: All self-hosted deployments should upgrade to + this version. + + - Client Improvements + - Added missing BSD flags to the debug bundle. #5254 + - Cached the result of wgInterface.ToInterface() using + sync.Once for better performance. #5256 + - Fixed nil pointer panic in the ICE agent during sleep/wake + cycles. #5261 + - Always log DNS forwarder responses for improved + troubleshooting. #5262 + - Fixed netstack detection and added a WireGuard port option. + #5251 + - Corrected wrong URL logging for DefaultAdminURL. #5252 + - Added timing measurements to handleSync for better + observability. #5228 + - Fixed duplicate firewall rules in USP filter. #5269 + - Added environment variable to skip DNS probing when needed. + #5270 + - Fixed race condition and ensured correct message ordering in + Relay. #5265 + - Ensured login is checked in foreground mode when required. + #5295 + - Fixed multiple panics in device and engine code. #5287 + - Cleaned up stale nftables entries without handle. #5272 + - Management Improvements + - Fixed incorrectly setting disconnected status for connected + peers. #5247 + - Added gRPC debounce for message types to reduce noise. #5239 + - Added validation of stream start time for connecting peers. + #5267 + - Fixed ischild check logic. #5279 + +------------------------------------------------------------------- +Tue Feb 3 20:12:12 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to 0.64.5: + - Add selfhosting video by @braginini in #5235 + - [management] adding account id validation to accessible peers + handler by @pascal-fischer in #5246 + +------------------------------------------------------------------- +Sun Feb 1 20:26:40 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to 0.64.4: + - [client] Add macOS default resolvers as fallback by @lixmal in + #5201 + - [client] Add block inbound option to the embed client by + @lixmal in #5215 + - [management] Disable local users for a smooth single-idp mode + by @braginini in #5226 + https://docs.netbird.io/selfhosted/identity-providers/disable-local-authentication + - [management] disable sync lim by @crn4 in #5233 + - [management] run cancelPeerRoutines in goroutine in sync by + @crn4 in #5234 + +------------------------------------------------------------------- +Thu Jan 29 19:23:15 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to 0.64.3: + - [client] Remove redundant square bracket trimming in USP + endpoint parsing by @pappz in #5197 + - [client] Refactor/optimise raw socket headers by @pappz in + #5174 + - [management] fix ephemeral peers being not removed by @crn4 in + #5203 + - [management] fix skip of ephemeral peers on deletion by @crn4 + in #5206 + - [client] Stop NetBird on firewall init failure by @lixmal in + #5208 + - [management] Streamline domain validation by @lixmal in #5211 + - [client] Fix WG watcher missing initial handshake by @pappz in + #5213 + +------------------------------------------------------------------- +Tue Jan 27 11:40:48 UTC 2026 - Marcus Rueckert <[email protected]> + +- Update to 0.64.2: + - Client Improvements + - Consolidated authentication logic to improve maintainability + and consistency. #5010 + - Added IPv6 support to the UDP WireGuard proxy. #5169 + - Fixed a flaky JWT SSH test to improve CI stability. #5181 + - Updated Fyne UI and added retry handling to the exit menu. + #5187 + - Prevented eBPF traffic from being tracked in conntrack. #5166 + - Added support for non-PTY, no-command interactive SSH + sessions. #5093 + - Management & Identity + - Fixed validator warning messages to improve clarity. #5168 + - Improved peer deletion error handling. #5188 + - Included default groups claim in the CLI audience. #5186 + - Added user invite link support for the embedded IdP. #5157 + +------------------------------------------------------------------- Old: ---- netbird-0.64.1.obscpio New: ---- netbird-0.65.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ netbird.spec ++++++ --- /var/tmp/diff_new_pack.XSqk7P/_old 2026-02-16 13:14:17.750442056 +0100 +++ /var/tmp/diff_new_pack.XSqk7P/_new 2026-02-16 13:14:17.758442388 +0100 @@ -1,7 +1,7 @@ # # spec file for package netbird # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,6 +15,7 @@ # Please submit bugfixes or comments via https://bugs.opensuse.org/ # + %ifnarch %{ix86} %bcond_without netbird_ui %else @@ -31,10 +32,10 @@ %bcond_with stub_config Name: netbird -Version: 0.64.1 +Version: 0.65.1 Release: 0 Summary: Mesh VPN based on WireGuard -License: BSD-3-Clause AND AGPL-3.0 +License: AGPL-3.0-only AND BSD-3-Clause URL: https://github.com/netbirdio/netbird Source0: %{name}-%{version}.tar.gz Source1: vendor.tar.zst @@ -44,8 +45,8 @@ Patch0: service-install-cli-change.patch BuildRequires: fdupes BuildRequires: fish -BuildRequires: zsh BuildRequires: git-core +BuildRequires: zsh BuildRequires: zstd BuildRequires: golang(API) >= 1.25 # Required for testing @@ -101,8 +102,8 @@ %package bash-completion Summary: Bash Completion for %{name} -Requires: bash-completion Requires: %{name} +Requires: bash-completion Supplements: (%{name} and bash-completion) BuildArch: noarch @@ -111,8 +112,8 @@ %package fish-completion Summary: Fish Completion for %{name} -Requires: fish Requires: %{name} +Requires: fish Supplements: (%{name} and fish) BuildArch: noarch @@ -121,8 +122,8 @@ %package zsh-completion Summary: Zsh Completion for %{name} -Requires: zsh Requires: %{name} +Requires: zsh Supplements: (%{name} and zsh) BuildArch: noarch @@ -151,8 +152,8 @@ %package management-zsh-completion Summary: Zsh Completion for %{name}-management -Requires: zsh Requires: netbird-management +Requires: zsh Supplements: (%{name}-management and zsh) BuildArch: noarch @@ -181,8 +182,8 @@ %package signal-zsh-completion Summary: Zsh Completion for %{name}-signal -Requires: zsh Requires: netbird-signal +Requires: zsh Supplements: (%{name}-signal and zsh) BuildArch: noarch @@ -317,6 +318,7 @@ TestJWTAuthentication TestJWTDetection TestICEBind_HandlesConcurrentMixedTraffic + TestRedirectAs_\* ) # Assemble skip string by replacing spaces with a pipe. disable=$(echo ${failing_tests[*]} | sed 's/ /|/g') ++++++ _service ++++++ --- /var/tmp/diff_new_pack.XSqk7P/_old 2026-02-16 13:14:17.806444381 +0100 +++ /var/tmp/diff_new_pack.XSqk7P/_new 2026-02-16 13:14:17.810444547 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/netbirdio/netbird.git</param> <param name="scm">git</param> <param name="package-meta">yes</param> - <param name="revision">refs/tags/v0.64.1</param> + <param name="revision">refs/tags/v0.65.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">disable</param> ++++++ netbird-0.64.1.obscpio -> netbird-0.65.1.obscpio ++++++ ++++ 69308 lines of diff (skipped) ++++++ netbird.obsinfo ++++++ --- /var/tmp/diff_new_pack.XSqk7P/_old 2026-02-16 13:14:20.482555467 +0100 +++ /var/tmp/diff_new_pack.XSqk7P/_new 2026-02-16 13:14:20.486555633 +0100 @@ -1,5 +1,5 @@ name: netbird -version: 0.64.1 -mtime: 1769189985 -commit: 67211010f7240d53734abd922777c32fccb02754 +version: 0.65.1 +mtime: 1771097235 +commit: 68c481fa44a0790583f80ae8fa1d34e425b8d83b ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/netbird/vendor.tar.zst /work/SRC/openSUSE:Factory/.netbird.new.1977/vendor.tar.zst differ: char 7, line 1
