fix(container): update image adguard/adguardhome to v0.107.54

[renovate]

This PR contains the following updates:

Package	Update	Change
adguard/adguardhome (source)	patch	v0.107.45 -> v0.107.54

---

Release Notes

AdguardTeam/AdGuardHome (adguard/adguardhome)

v0.107.54

Compare Source

See also the v0.107.54 GitHub milestone.

NOTE: Add new changes BELOW THIS COMMENT.
-->

Security

• Incorrect handling of sensitive files permissions on Windows (#​7314).

Changed

• Improved filtering performance (#​6818).

Fixed

• Repetitive statistics log messages (#​7338).
• Custom client cache (#​7250).
• Missing runtime clients with information from the system hosts file on first
  AdGuard Home start (#​7315).

v0.107.53

Compare Source

See also the v0.107.53 GitHub milestone.

Security

• Previous versions of AdGuard Home allowed users to add any system file it had
  access to as filters, exposing them to be world-readable. To prevent this,
  AdGuard Home now allows adding filtering-rule list files only from files
  matching the patterns enumerated in the filtering.safe_fs_patterns property
  in the configuration file.

  We thank @​itz-d0dgy for reporting this vulnerability, designated
  CVE-2024-36814, to us.

• Additionally, AdGuard Home will now try to change the permissions of its files
  and directories to more restrictive ones to prevent similar vulnerabilities
  as well as limit the access to the configuration.

  We thank @​go-compile for reporting this vulnerability, designated
  CVE-2024-36586, to us.

• Go version has been updated to prevent the possibility of exploiting the Go
  vulnerabilities fixed in 1.23.2.

Added

• Support for 64-bit RISC-V architecture (#​5704).
• Ecosia search engine is now supported in safe search (#​5009).

Changed

• Upstream server URL domain names requirements has been relaxed and now follow
  the same rules as their domain specifications.

Configuration changes

In this release, the schema version has changed from 28 to 29.

• The new array filtering.safe_fs_patterns contains glob patterns for paths of
  files that can be added as local filtering-rule lists. The migration should
  add list files that have already been added, as well as the default value,
  $DATA_DIR/userfilters/*.

Fixed

• Property clients.runtime_sources.dhcp in the configuration file not taking
  effect.
• Stale Google safe search domains list (#​7155).
• Bing safe search from Edge sidebar (#​7154).
• Text overflow on the query log page (#​7119).

Known issues

• Due to the complexity of the Windows permissions architecture and poor support
  from the standard Go library, we have to postpone the proper automated Windows
  fix until the next release.

  Temporary workaround: Set the permissions of the AdGuardHome directory
  to more restrictive ones manually. To do that:

  1. Locate the AdGuardHome directory.
  2. Right-click on it and navigate to Properties → Security → Advanced.
  3. (You might need to disable permission inheritance to make them more
     restricted.)
  4. Adjust to give the Full control access to only the user which runs
     AdGuard Home. Typically, Administrator.

v0.107.52

Compare Source

See also the v0.107.52 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go
  vulnerabilities fixed in Go 1.22.5.

Added

• The ability to disable logging using the new log.enabled configuration
  property (#​7079).

Changed

• Frontend rewritten in TypeScript.

• The systemd-based service now uses journal for logging by default. It
  also doesn't create the /var/log/ directory anymore (#​7053).

  NOTE: With an installed service for changes to take effect, you need to
  reinstall the service using -r flag of the install script
  or via the CLI (with root privileges):

  ./AdGuardHome -s uninstall
  ./AdGuardHome -s install

  Don't forget to backup your configuration file and other important data before
  reinstalling the service.

Deprecated

• Node 18 support, Node 20 will be required in future releases.

Fixed

• Panic caused by missing user-specific blocked services object in configuration
  file (#​7069).
• Tracking /etc/hosts file changes causing panics within particular
  filesystems on start (#​7076).

v0.107.51

Compare Source

See also the v0.107.51 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go
  vulnerabilities fixed in Go 1.22.4.

Changed

• The HTTP server's write timeout has been increased from 1 minute to 5 minutes
  to match the one used by AdGuard Home's HTTP client to fetch filtering-list
  data (#​7041).

v0.107.50

Compare Source

See also the v0.107.50 GitHub milestone.

Fixed

• Broken private reverse DNS upstream servers validation causing update failures
  (#​7013).

v0.107.49

Compare Source

See also the v0.107.49 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go
  vulnerabilities fixed in Go 1.22.3.

Added

• Support for comments in the ipset file (#​5345).

Changed

• Private rDNS resolution now also affects SOA and NS requests (#​6882).
• Rewrite rules mechanics were changed due to improved resolving in safe search.

Deprecated

• Currently, AdGuard Home skips persistent clients that have duplicate fields
  when reading them from the configuration file. This behaviour is deprecated
  and will cause errors on startup in a future release.

Fixed

• Acceptance of duplicate UIDs for persistent clients at startup. See also the
  section on client settings on the [Wiki page][wiki-config].
• Domain specifications for top-level domains not considered for requests to
  unqualified domains (#​6744).
• Support for link-local subnets, i.e. fe80::/16, as client identifiers
  (#​6312).
• Issues with QUIC and HTTP/3 upstreams on older Linux kernel versions
  (#​6422).
• YouTube restricted mode is not enforced by HTTPS queries on Firefox.
• Support for link-local subnets, i.e. fe80::/16, in the access settings
  (#​6192).
• The ability to apply an invalid configuration for private rDNS, which led to
  server not starting.
• Ignoring query log for clients with ClientID set (#​5812).
• Subdomains of in-addr.arpa and ip6.arpa containing zero-length prefix
  incorrectly considered invalid when specified for private rDNS upstream
  servers (#​6854).
• Unspecified IP addresses aren't checked when using "Fastest IP address" mode
  (#​6875).

v0.107.48

Compare Source

See also the v0.107.48 GitHub milestone.

Fixed

• Access settings not being applied to encrypted protocols (#​6890).

v0.107.47

Compare Source

See also the v0.107.47 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go
  vulnerabilities fixed in Go 1.22.2.

Changed

• Time Zone Database is now embedded in the binary (#​6758).
• Failed authentication attempts show the originating IP address in the logs, if
  the request came from a trusted proxy (#​5829).

Deprecated

• Go 1.22 support. Future versions will require at least Go 1.23 to build.
• Currently, AdGuard Home uses a best-effort algorithm to fix invalid IDs of
  filtering-rule lists on startup. This feature is deprecated, and invalid IDs
  will cause errors on startup in a future version.
• Node.JS 16. Future versions will require at least Node.JS 18 to build.

Fixed

• Resetting DNS upstream mode when applying unrelated settings (#​6851).
• Symbolic links to the configuration file begin replaced by a copy of the real
  file upon startup on FreeBSD (#​6717).

Removed

• Go 1.21 support.

v0.107.46

Compare Source

See also the v0.107.46 GitHub milestone.

Added

• Ability to disable the use of system hosts file information for query
  resolution (#​6610).
• Ability to define custom directories for storage of query log files and
  statistics (#​5992).

Changed

• Private rDNS resolution (dns.use_private_ptr_resolvers in YAML
  configuration) now requires a valid "Private reverse DNS servers", when
  enabled (#​6820).

  NOTE: Disabling private rDNS resolution behaves effectively the same as if
  no private reverse DNS servers provided by user and by the OS.

Fixed

• Statistics for 7 days displayed by day on the dashboard graph (#​6712).
• Missing "served from cache" label on long DNS server strings (#​6740).
• Incorrect tracking of the system hosts file's changes (#​6711).

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Path: cluster/apps/adguard/helmrelease.yaml

@@ -125,7 +125,7 @@
               name: config
       containers:
         - name: app-template
-          image: adguard/adguardhome:v0.107.45
+          image: adguard/adguardhome:v0.107.54
           imagePullPolicy:
           args:
             - --config