AdGuard Home v0.108.0-b.89
Pre-releaseChanges compared to the previous beta, v0.108.0-b.88. See CHANGELOG.md for all changes.
Acknowledgements
A special thanks to @Nora-Qiu, @wallace0409, @Evelynkaz, and @N0zoM1z0 for reporting the vulnerabilities, our community moderators team, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!
Full changelog
Security
-
AdGuard Home is now more resistant to JIGGLE attacks.
This is GHSA-p5f5-3p5g-rfjw. We thank @Nora-Qiu for reporting this security issue.
-
AdGuard Home now validates responses from DoH upstreams more strictly.
This is GHSA-4qjf-2hgm-92q6. We thank @wallace0409 for reporting this security issue.
-
QUIC connections are now protected from unbounded reads.
This is GHSA-qr92-rwvw-mhgh and GHSA-cccx-2r6r-m9r4. We thank @wallace0409 for reporting this security issue.
-
AdGuard Home now validates responses from DNSCrypt upstreams more strictly.
-
The H2C connection establishment via HTTP/1.1 request upgrade is no longer supported. See RFC 9113.
-
Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.26.5.
-
The size of rulelists is limited. This is necessary to prevent a user's machine from becoming overloaded if the filter source misbehaves.
We thank Damir (@Evelynkaz) for reporting this security issue.
-
QUIC connections now observe timeouts more strictly.
This is GHSA-73vv-3434-p64c. We thank @N0zoM1z0 for reporting this security issue.
Added
- Improved updater logging to give users more insight into the problem with version updating (#8410).
Changed
- The interval of filter updates can now be set to any number of hours between
0and8760(365 days) in the configuration file.
Configuration changes
- The
filteringobject of the YAML configuration now includes a new property,max_http_size, which defines the maximum size of the HTTP request for rulelists. To disable the limitation, set a large size, such as1 TB.
Fixed
-
Validation of the
answerfield in DNS rewrite rules in case it is represented as CNAME. -
Invalid AA flag in DNS responses (#7955).
-
The parsing of the
echparameter in DNS rewrite rules for the HTTPS record type (#8276). -
Blocked services check on the Custom filtering rules page does not work properly without specifying of a client.