Skip to content

v1.6.13

Latest

Choose a tag to compare

@github-actions github-actions released this 16 Jul 18:13
2ae80bb

Documentation : https://docs.bunkerweb.io/1.6.13/

Docker tags :

  • All-in-one : bunkerity/bunkerweb-all-in-one:1.6.13 or ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.13
  • BunkerWeb : bunkerity/bunkerweb:1.6.13 or ghcr.io/bunkerity/bunkerweb:1.6.13
  • Scheduler : bunkerity/bunkerweb-scheduler:1.6.13 or ghcr.io/bunkerity/bunkerweb-scheduler:1.6.13
  • Autoconf : bunkerity/bunkerweb-autoconf:1.6.13 or ghcr.io/bunkerity/bunkerweb-autoconf:1.6.13
  • UI : bunkerity/bunkerweb-ui:1.6.13 or ghcr.io/bunkerity/bunkerweb-ui:1.6.13
  • API : bunkerity/bunkerweb-api:1.6.13 or ghcr.io/bunkerity/bunkerweb-api:1.6.13

Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.13&filter=all&dist=

Changelog :

Security

  • [SECURITY] nginx: update NGINX to 1.30.4, except on Fedora, which remains on 1.30.3 until the new version is available in its repositories. This fixes:

    • CVE-2026-42533, a heap buffer overflow in regex matching used by the map directive.
    • CVE-2026-60005, an uninitialized memory access in the slice directive with background cache updates, which could disclose worker-process memory or crash a worker.
    • CVE-2026-56434, a use-after-free in ngx_http_ssi_filter_module.
  • [SECURITY] blacklist, greylist, antibot: forward-confirm reverse DNS results before honoring an IGNORE_RDNS or GREYLIST_RDNS suffix match. An attacker can no longer bypass blocking, gain greylist access, or skip an antibot challenge by configuring a PTR record that ends with a trusted suffix such as .googlebot.com without controlling that domain. (Fixes GHSA-q54j-5484-pvjm) Thanks to @kule500 for the report.

  • [SECURITY] letsencrypt: validate ACME challenge tokens against the base64url character set. This prevents ../ payloads from writing, overwriting, or deleting files outside the challenge directory as the nginx user through the internal API. (Fixes GHSA-79fm-4xj6-pp5g) Thanks to @xyptonize and @kule500 for the report.

  • [SECURITY] instances: validate registered destinations as IPv4 or IPv6 literals, or as IDNA-normalized DNS hostnames, at every input and outbound-client boundary. Trailing-dot FQDNs remain supported, while URL user information, paths, queries, fragments, malformed ports, and non-HTTP(S) schemes are rejected with a validation error instead of causing an internal server error. (Refs GHSA-rwch-jhxx-cx5f) Thanks to @adilkhan7546 for the report.

  • [SECURITY] ui: enforce TOTP verification using the exact validation endpoint instead of matching any path containing /totp. This prevents password-only sessions from accessing /profile/totp-refresh and rotating recovery codes before completing the second authentication factor. (Fixes GHSA-j63f-j59c-q626) Thanks to @de3erve-hunter for the report.

  • [SECURITY] api: document that fine-grained permissions allowing writes to configurations, services, plugins, or global settings are equivalent to administrator access. Their payloads are rendered into raw NGINX or OpenResty Lua configuration and can therefore execute code as the BunkerWeb process user. A warning is now logged when one of these permissions is granted to a non-administrator API user. (Refs GHSA-5xh4-hfr2-jm9m, GHSA-4xv6-4mw6-34m7, GHSA-cc8g-89qq-j9vm)

Features

  • [FEATURE] limit: add USE_LIMIT_REQ_GLOBAL and LIMIT_REQ_GLOBAL_RATE to cap the total aggregate request rate for a service across all clients and URLs. The global limit is evaluated before the existing per-IP and per-URL limits, allowing origin or backend capacity to be protected independently. Disabled by default.

  • [FEATURE] country: add COUNTRY_IGNORE_URI to skip country whitelist and blacklist checks for URIs matching a list of PCRE expressions. Matching is performed against both the request path and the complete request URI, including its query string, consistently with ANTIBOT_IGNORE_URI.

  • [FEATURE] antibot: add ANTIBOT_SUCCESS_URI to redirect clients to a fixed URI after they successfully complete a challenge. Leaving the setting empty preserves the existing behavior and returns clients to the originally requested page. (Fixes #3704)

Bug fixes

  • [BUGFIX] authbasic: fix an error occurring after every successful basic-auth login. The plugin attempted to write to the undeclared $auth_user variable and to the read-only $remote_user core variable, resulting in variable "remote_user" not changeable. Both unnecessary writes have been removed. NGINX continues to populate $remote_user automatically from the authenticated request.

  • [BUGFIX] ui, api: delete custom configurations using their exact keys. Removing the final UI-managed or API-managed configuration no longer requires replacing every configuration belonging to the same method, avoiding races with concurrent updates.

  • [BUGFIX] headers: make KEEP_UPSTREAM_HEADERS recognize and preserve Content-Security-Policy-Report-Only. Upstream report-only policies are now kept by default and are no longer silently overwritten when CONTENT_SECURITY_POLICY_REPORT_ONLY=yes.