v1.6.13-rc1
Pre-release
Pre-release
Documentation : https://docs.bunkerweb.io/1.6.13~rc1/
Docker tags :
- All-in-one :
bunkerity/bunkerweb-all-in-one:1.6.13-rc1orghcr.io/bunkerity/bunkerweb-all-in-one:1.6.13-rc1 - BunkerWeb :
bunkerity/bunkerweb:1.6.13-rc1orghcr.io/bunkerity/bunkerweb:1.6.13-rc1 - Scheduler :
bunkerity/bunkerweb-scheduler:1.6.13-rc1orghcr.io/bunkerity/bunkerweb-scheduler:1.6.13-rc1 - Autoconf :
bunkerity/bunkerweb-autoconf:1.6.13-rc1orghcr.io/bunkerity/bunkerweb-autoconf:1.6.13-rc1 - UI :
bunkerity/bunkerweb-ui:1.6.13-rc1orghcr.io/bunkerity/bunkerweb-ui:1.6.13-rc1 - API :
bunkerity/bunkerweb-api:1.6.13-rc1orghcr.io/bunkerity/bunkerweb-api:1.6.13-rc1
Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.13~rc1&filter=all&dist=
Changelog :
- [SECURITY]
blacklist,greylist,antibot: forward-confirm reverse DNS (FCrDNS) before honoring anIGNORE_RDNS/GREYLIST_RDNSsuffix match, so an attacker who sets their own PTR to a trusted suffix (e.g..googlebot.com) can no longer bypass the block, gain greylist access, or skip the challenge without controlling the domain. (Fixes GHSA-q54j-5484-pvjm) Thanks to @kule500 for the report. - [SECURITY]
letsencrypt: validate the ACME challengetokenagainst the base64url charset so a../payload can no longer write, overwrite, or delete files outside the challenge directory as thenginxuser through the internal API. (Fixes GHSA-79fm-4xj6-pp5g) Thanks to @xyptonize and @kule500 for the report. - [SECURITY]
api: document that the config, service, plugin, and global-settings write permissions granted through the fine-grained API ACL are admin-equivalent — their payload is rendered verbatim into raw NGINX/OpenResty Lua configuration, so a scoped non-admin token holding one can execute code as the BunkerWeb process user — and log a warning when such a permission is granted to a non-admin API user. (Refs GHSA-5xh4-hfr2-jm9m, GHSA-4xv6-4mw6-34m7, GHSA-cc8g-89qq-j9vm) - [FEATURE]
antibot: addANTIBOT_SUCCESS_URIto redirect clients to a fixed URI after they solve the challenge instead of the page they originally requested (leave empty to keep returning to the original page). (Fixes #3704) - [BUGFIX]
headers:KEEP_UPSTREAM_HEADERSnow honorsContent-Security-Policy-Report-Only, which it silently ignored, and keeps it by default — an upstream report-only header is no longer overwritten whenCONTENT_SECURITY_POLICY_REPORT_ONLY=yes.