Skip to content

AdGuard Home v0.108.0-b.89

Pre-release
Pre-release

Choose a tag to compare

@adguard-bot adguard-bot released this 14 Jul 14:12

Changes compared to the previous beta, v0.108.0-b.88. See CHANGELOG.md for all changes.

Acknowledgements

A special thanks to @Nora-Qiu, @wallace0409, @Evelynkaz, and @N0zoM1z0 for reporting the vulnerabilities, our community moderators team, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!

Full changelog

Security

  • AdGuard Home is now more resistant to JIGGLE attacks.

    This is GHSA-p5f5-3p5g-rfjw. We thank @Nora-Qiu for reporting this security issue.

  • AdGuard Home now validates responses from DoH upstreams more strictly.

    This is GHSA-4qjf-2hgm-92q6. We thank @wallace0409 for reporting this security issue.

  • QUIC connections are now protected from unbounded reads.

    This is GHSA-qr92-rwvw-mhgh and GHSA-cccx-2r6r-m9r4. We thank @wallace0409 for reporting this security issue.

  • AdGuard Home now validates responses from DNSCrypt upstreams more strictly.

  • The H2C connection establishment via HTTP/1.1 request upgrade is no longer supported. See RFC 9113.

  • Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.26.5.

  • The size of rulelists is limited. This is necessary to prevent a user's machine from becoming overloaded if the filter source misbehaves.

    We thank Damir (@Evelynkaz) for reporting this security issue.

  • QUIC connections now observe timeouts more strictly.

    This is GHSA-73vv-3434-p64c. We thank @N0zoM1z0 for reporting this security issue.

Added

  • Improved updater logging to give users more insight into the problem with version updating (#8410).

Changed

  • The interval of filter updates can now be set to any number of hours between 0 and 8760 (365 days) in the configuration file.

Configuration changes

  • The filtering object of the YAML configuration now includes a new property, max_http_size, which defines the maximum size of the HTTP request for rulelists. To disable the limitation, set a large size, such as 1 TB.

Fixed

  • Validation of the answer field in DNS rewrite rules in case it is represented as CNAME.

  • Invalid AA flag in DNS responses (#7955).

  • The parsing of the ech parameter in DNS rewrite rules for the HTTPS record type (#8276).

  • Blocked services check on the Custom filtering rules page does not work properly without specifying of a client.