v1.1.13

@github-actions github-actions released this 07 Jun 15:01
· 16 commits to main since this release
f7a3d9e

Security

  • Push endpoint now requires authentication (CVE-style fix): The
    /api/luxor_living/push endpoint previously defaulted to unauthenticated
    access (auth_method = none), allowing any host that could reach the HA HTTP
    port to write arbitrary values to KNX group addresses (lights, covers, etc.).
    The none auth option is removed. All requests without valid credentials now
    return 403. The Token and Bearer auth methods additionally reject requests
    when no token is configured (previously they silently accepted all requests).
  • Health view now requires HA authentication: /api/luxor_living/health
    now sets requires_auth = True and requires a valid HA long-lived access
    token. It previously exposed topology information (entry IDs, KNX address
    counts, simulation mode, circuit breaker state) without authentication.
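
The fail-closed check described in the first Security item, as an added example that is not the integration's own code. The options keys, the `X-Push-Token` header for the Token method, and the function names are assumptions for illustration; `legacy_check` models the behaviour before the fix and `hardened_check` the behaviour after it.

```python
import hmac

# Assumed names, not taken from the integration's source: the header used by
# the "token" method and the shape of the options dict are illustrative.
TOKEN_HEADER = "X-Push-Token"
ALLOWED_METHODS = {"token", "bearer"}


def _presented(method, headers):
    """Extract the credential the client sent for the configured method."""
    if method == "bearer":
        scheme, _, value = headers.get("Authorization", "").partition(" ")
        return value if scheme.lower() == "bearer" and value else None
    if method == "token":
        return headers.get(TOKEN_HEADER) or None
    return None


def legacy_check(options, headers):
    """Pre-fix behaviour as the release notes describe it (fail-open)."""
    method = options.get("auth_method", "none")
    expected = options.get("token")
    if method == "none" or not expected:
        return 200  # unauthenticated default, or empty token accepting everything
    return 200 if _presented(method, headers) == expected else 403


def hardened_check(options, headers):
    """Post-fix behaviour: anything without valid credentials gets 403."""
    method = options.get("auth_method")
    expected = options.get("token")
    if method not in ALLOWED_METHODS:  # "none", missing or unknown method
        return 403
    if not expected:  # method selected but no token configured
        return 403
    presented = _presented(method, headers)
    if presented is None:
        return 403
    # Constant-time comparison avoids leaking the token through timing.
    if hmac.compare_digest(presented.encode(), expected.encode()):
        return 200
    return 403
```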

Changed

  • Push webhook config: None auth option removed from Options Flow. Existing
    installations with auth_method = none will have requests rejected until a
    token and auth method are configured under Settings → Integrations →
    LUXORliving → Configure.