Sourced from github.com/Azure/go-ntlmssp's releases.

v0.1.1

Fix CVE-2026-32952: A malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using ntlmssp.Negotiator as an HTTP transport.

v0.1.0

What's Changed

• Bump minimum required version to Go 1.24 by @​qmuntal in Azure/go-ntlmssp#53
• Fix OOM in NTLM negotiator by avoiding buffering of seekable request bodies by @​Copilot in Azure/go-ntlmssp#54
• Don't modify the rountripped request by @​qmuntal in Azure/go-ntlmssp#57
• Fix a race occurring when the wrapped Rountripper closes the request body in another goroutine by @​qmuntal in Azure/go-ntlmssp#58
• Fix a race occurring when the wrapped Rountripper reads request fields in another goroutine by @​qmuntal in Azure/go-ntlmssp#59
• Only perform basic auth if requested by the server by @​qmuntal in Azure/go-ntlmssp#60
• Don't pass the original body in the client handshake request by @​qmuntal in Azure/go-ntlmssp#61
• Return latest server response in case there is an error processing the handshake by @​qmuntal in Azure/go-ntlmssp#63
• Send body on client NTLM handshake by @​qmuntal in Azure/go-ntlmssp#64
• Support user accounts not living in server's domain by @​qmuntal in Azure/go-ntlmssp#65
• Implement NewAuthenticateMessage and deprecate ProcessChallenge by @​qmuntal in Azure/go-ntlmssp#67
• Make basic authentication support opt-in by @​qmuntal in Azure/go-ntlmssp#66
• Allow passing custom client domain and workstation name by @​qmuntal in Azure/go-ntlmssp#68
• set NEGOTIATE_NTLM and NEGOTIATE_ALWAYS_SIGN capabilities by @​qmuntal in Azure/go-ntlmssp#69
• testing: add e2e tests by @​gdams in Azure/go-ntlmssp#56

New Contributors

• @​qmuntal made their first contribution in Azure/go-ntlmssp#53
• @​Copilot made their first contribution in Azure/go-ntlmssp#54

Full Changelog: Azure/go-ntlmssp@v0.0.1...v0.1.0

v0.0.1

What's Changed

• Commit to Go 1.6 by @​boumenot in Azure/go-ntlmssp#5
• Handle http redirect by @​nqv in Azure/go-ntlmssp#4
• drain request body for connection reuse by @​paulmey in Azure/go-ntlmssp#6
• Add CoC notice by @​paulmey in Azure/go-ntlmssp#7
• Support for auth when server responds with Www-Authenticate: NTLM by @​lafriks in Azure/go-ntlmssp#8
• update README with example by @​PaluMacil in Azure/go-ntlmssp#11
• add version, domain and workstation fields by @​justdan96 in Azure/go-ntlmssp#13
• move to a current version of Go by @​boumenot in Azure/go-ntlmssp#19
• (BUG) Negotiation fails for servers where 'NTLMv2 session security' i… by @​davejohnston in Azure/go-ntlmssp#18
• Update negotiator.go by @​mszuyev in Azure/go-ntlmssp#24
• Fix golint import path by @​paulmey in Azure/go-ntlmssp#25
• add ProcessChallengeWithHash function by @​ropnop in Azure/go-ntlmssp#27
• Set workstation to empty string in authenticate_message.go by @​Catbuttes in Azure/go-ntlmssp#30
• Change of the negociator working, to handle several identical header by @​Resousse in Azure/go-ntlmssp#31
• Support for UPN by @​tirupatibg in Azure/go-ntlmssp#32
• Adding Microsoft SECURITY.MD by @​microsoft-github-policy-service[bot] in Azure/go-ntlmssp#39
• Handle 3rd return value from GetDomain by @​opoplawski in Azure/go-ntlmssp#41
• initial refactor by @​gdams in Azure/go-ntlmssp#48
• fix linter errors by @​gdams in Azure/go-ntlmssp#49
• add dependabot/codeowners + installation instructions by @​gdams in Azure/go-ntlmssp#50

... (truncated)

• See full diff in compare view