Goshs

v2.0.7 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Topics

capture-the-flag ctf devtools dns file-server file-transfer go http-server https-server kali-linux ldap ntlm offensive-security penetration-testing red-teaming security-tools sftp smb smtp-server webdav

Affected surfaces

auth rce_ssrf

ReleasePort's take

Light signal

The `--update` flag is broken in v2.0.7 due to an archive naming change; expect a fix in v2.0.8.

Why it matters: If you rely on the `--update` command‑line flag, patch immediately after v2.0.8 releases to restore auto‑update functionality.

Summary

AI summary

--update flag is broken due to archive naming change; will be fixed in v2.0.8.

Changes in this release

Security Medium

Auto-update check now verifies downloads against MITM attacks using checksums.

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Mismatched host key during tunnel setup exits process immediately instead of silently continuing.

Source: llm_adapter@2026-05-21

Confidence: high

Breaking High

`--update` command is broken in this release.

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Breaking Medium

`--update` BROKEN! Update mechanism broken in v2.0.7.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Windows releases now ship as `.zip` archives (previously `.tar.gz`).

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Linux releases now include `.deb` and `.rpm` packages for direct installation.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Winget support added (`winget install PatrickHener.Goshs`).

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Added installation instructions for Arch (AUR), openSUSE, Parrot OS, and NixOS.

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Updated goreleaser-action to v7.2.1.

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Updated codeql-action to v4.35.3.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixed SMB credential logging being silently dropped when `-b` (basic auth) is active.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fixed HTTP collaborator frontend incorrectly parsing certain base64-encoded log entries.

Source: llm_adapter@2026-05-21

Confidence: high

Refactor Medium

Bumped Go version in Dockerfile.

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

Added demo page and live demo link to README.

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

Updated documentation link to docs.goshs.de.

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

Updated SECURITY.md with advisory details and remediation guidance.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

What's Changed in v2.0.7

`--update` BROKEN! Sorry to inform you that with renaming the archives to include the version (e.g. `goshs_v2.0.7_linux_x86_64.tar.gz` instead of `goshs_linux_x86_64.tar.gz`) the update mechanism broke. It will work again in v2.0.8 then. Sorry for the inconvenience :(

Security

  • Security Update: The auto-update check now verifies the download against MITM attacks using the checksum
  • Fixed GHSA-mxg3-432p-mr72: A mismatched host key during tunnel setup exits the process immediately instead of silently continuing

Bug Fixes

  • Fixed SMB credential logging being silently dropped when -b (basic auth) was active
  • Fixed HTTP collaborator frontend incorrectly parsing certain base64-encoded log entries

Distribution

  • Windows releases now ship as .zip archives (previously .tar.gz)
  • Linux releases now include .deb and .rpm packages for direct installation
  • Winget support added (winget install PatrickHener.Goshs) — pending first-submission approval
  • Added installation instructions for Arch (AUR), openSUSE, Parrot OS, and NixOS

Documentation

  • Added demo page and live demo link to README
  • Updated documentation link to docs.goshs.de
  • Updated SECURITY.md with advisory details and remediation guidance

Maintenance

  • Bumped Go version in Dockerfile
  • Updated goreleaser-action to v7.2.1
  • Updated codeql-action to v4.35.3

Breaking Changes

  • --update flag functionality is currently non‑operational due to archive naming change (e.g., `goshs_v2.0.7_linux_x86_64.tar.gz`).

Security Fixes

  • GHSA-mxg3-432p-mr72: Tunnel setup now exits immediately on mismatched host key instead of continuing silently.
  • Auto‑update check verifies downloads against MITM attacks using checksums.
