Skip to content

v1.6.13-rc1

Pre-release
Pre-release

Choose a tag to compare

@github-actions github-actions released this 11 Jul 11:33
407e34c

Documentation : https://docs.bunkerweb.io/1.6.13~rc1/

Docker tags :

  • All-in-one : bunkerity/bunkerweb-all-in-one:1.6.13-rc1 or ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.13-rc1
  • BunkerWeb : bunkerity/bunkerweb:1.6.13-rc1 or ghcr.io/bunkerity/bunkerweb:1.6.13-rc1
  • Scheduler : bunkerity/bunkerweb-scheduler:1.6.13-rc1 or ghcr.io/bunkerity/bunkerweb-scheduler:1.6.13-rc1
  • Autoconf : bunkerity/bunkerweb-autoconf:1.6.13-rc1 or ghcr.io/bunkerity/bunkerweb-autoconf:1.6.13-rc1
  • UI : bunkerity/bunkerweb-ui:1.6.13-rc1 or ghcr.io/bunkerity/bunkerweb-ui:1.6.13-rc1
  • API : bunkerity/bunkerweb-api:1.6.13-rc1 or ghcr.io/bunkerity/bunkerweb-api:1.6.13-rc1

Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.13~rc1&filter=all&dist=

Changelog :

  • [SECURITY] blacklist, greylist, antibot: forward-confirm reverse DNS (FCrDNS) before honoring an IGNORE_RDNS/GREYLIST_RDNS suffix match, so an attacker who sets their own PTR to a trusted suffix (e.g. .googlebot.com) can no longer bypass the block, gain greylist access, or skip the challenge without controlling the domain. (Fixes GHSA-q54j-5484-pvjm) Thanks to @kule500 for the report.
  • [SECURITY] letsencrypt: validate the ACME challenge token against the base64url charset so a ../ payload can no longer write, overwrite, or delete files outside the challenge directory as the nginx user through the internal API. (Fixes GHSA-79fm-4xj6-pp5g) Thanks to @xyptonize and @kule500 for the report.
  • [SECURITY] api: document that the config, service, plugin, and global-settings write permissions granted through the fine-grained API ACL are admin-equivalent — their payload is rendered verbatim into raw NGINX/OpenResty Lua configuration, so a scoped non-admin token holding one can execute code as the BunkerWeb process user — and log a warning when such a permission is granted to a non-admin API user. (Refs GHSA-5xh4-hfr2-jm9m, GHSA-4xv6-4mw6-34m7, GHSA-cc8g-89qq-j9vm)
  • [FEATURE] antibot: add ANTIBOT_SUCCESS_URI to redirect clients to a fixed URI after they solve the challenge instead of the page they originally requested (leave empty to keep returning to the original page). (Fixes #3704)
  • [BUGFIX] headers: KEEP_UPSTREAM_HEADERS now honors Content-Security-Policy-Report-Only, which it silently ignored, and keeps it by default — an upstream report-only header is no longer overwritten when CONTENT_SECURITY_POLICY_REPORT_ONLY=yes.