
kastelldev/kastell

v1.17.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Topics

automation cli coolify devops digitalocean docker dokploy hetzner linode mcp security-audit self-hosted server-management typescript vps vultr

Affected surfaces

auth rbac

Summary

AI summary

Added bulk rollback, doctor auto‑fix, fix scheduling, SSH ControlMaster and custom profiles; promoted several security tiers.

Full changelog

v1.17.0 — Fix Advanced + Doctor Integration

Added

  • Bulk rollback: kastell fix --rollback-all and --rollback-to <fix-id> for batch fix reversal
  • Doctor auto-fix: kastell doctor --auto-fix diagnose-then-fix pipeline with --dry-run and --force options
  • Fix scheduling: kastell schedule fix|audit installs local cron for automated fix/audit runs
  • SSH ControlMaster — connection multiplexing prevents sshd MaxStartups exhaustion during bulk operations
  • Interactive menu full CLI parity — all CLI flags now accessible from interactive menu (schedule, audit extras, fix extras, fleet/doctor/evidence/backup options)
  • WAF bot detection checks — NGX-WAF-BOT-DETECT and NGX-WAF-CHALLENGE-MODE audit checks
  • Custom fix profiles — user-defined profiles from ~/.kastell/profiles/
  • --no-interactive flag for automated fix runs

Fixed

  • SSH lockout prevention — NET-HOSTS-DENY moved to GUARDED tier
  • Sysctl SSH breakage — all sysctl fixes promoted to GUARDED with SSH probe + rollback
  • Session-terminating commands — restart/halt promoted to GUARDED tier
  • MCP SAFE_MODE guards — serverLock/Guard/Secure enforce isSafeMode()
  • SSH ControlMaster Windows — socket path, stale cleanup, fork detection

Changed

  • TOCTOU elimination, KASTELL_DIR consolidation, severityChalk utility
  • 9,871 tests across 219 suites (up from 9,611 / 215)

Security

  • Tier promotion system — dangerous fixes auto-promoted SAFE to GUARDED
  • MCP fail-closed SAFE_MODE default

Full Changelog: https://github.com/kastelldev/kastell/compare/v1.16.0...v1.17.0

Security Fixes

  • Tier promotion system automatically moves dangerous fixes from SAFE to GUARDED tier
  • MCP fail‑closed default to SAFE_MODE enhances security posture


About kastelldev/kastell

Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalOcean, Vultr, and Linode. 13 MCP tools.
