v4.6.1
A stability-and-hardening patch on top of v4.6.0 "RepellantMatters". It fixes two issues that only surface under the optional SCGI prefork worker, closes a ReDoS and a defence-in-depth XSS finding, and removes a small UI flash on page reload. No breaking changes and no schema changes; every install keeps working exactly as before.
After upgrading, hard-reload the dashboard once so the new front-end loads (service-worker cache `remotepower-shell-v4.6.1`).

The classic fcgiwrap/CGI execution model is unaffected by both of these — they only bite the opt-in `remotepower-api.service` prefork worker, which imports `api.py` once and forks per request.
- Agentless ICMP devices flapped offline. The worker runs with `NoNewPrivileges=true`, which blocks `ping`'s setuid / file-capability elevation, so its raw ICMP socket failed and reachability sweeps reported agentless devices down. The unit now grants the capability ambiently (`AmbientCapabilities=CAP_NET_RAW`), so the spawned `ping` inherits it across `exec` without any privilege escalation. Classic CGI was never affected.
- Postgres `consuming input failed: EOF detected`. A forked worker child inherited the parent process's `psycopg` connection, and two processes sharing one socket corrupted the protocol stream. The Postgres backend now tags each connection with the PID that opened it and transparently reconnects when a child notices the connection belongs to a different process — the same fork-safety guard the SQLite backend already had.
- ReDoS in TLS-host validation (`_valid_tls_host`). The hostname validator used a single regex with a nested quantifier that backtracked catastrophically on a long run of letters and hyphens. It now validates label by label with a fixed-shape per-label matcher — linear time, same accept/reject set. The function gates what can reach a certificate SAN, so the input is attacker-influenced; the fix removes the denial-of-service surface.
- Package "upgradable" count coerced before render (defence-in-depth). The per-device update badge now coerces the upgradable count to a number (or `'?'`) before it is interpolated into `innerHTML`, so a non-numeric value can never reach the DOM as markup. The strict no-inline CSP is an independent second barrier; this closes the corresponding CodeQL alert at the source.
- Page subtitle no longer flashes as raw text on reload. In the Industrial (New) UI each page's descriptive subtitle is folded into a hover info icon at runtime, but the fold was gated on the `data-ui` attribute that JavaScript only sets after the page has already painted — so on a hard reload the subtitle briefly appeared as plain text under the title. The subtitle is now hidden by default in CSS (no attribute dependency, so nothing can paint before the script runs) and revealed inline only in the Old UI. Visibility is decided before the icon-attachment logic, so a subtitle is never left as orphan text.
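As an added example of the label-by-label shape behind the ReDoS fix (this is not the project's `_valid_tls_host`; the RFC 1123-style rules and the names `valid_tls_host` and `hostile_probe` are assumptions, and the project's exact accept/reject set may differ):

```python
import re

# Hypothetical per-label matcher (not the project's own regex). Its shape is fixed:
# one alphanumeric, then at most 61 alphanumerics/hyphens, then one alphanumeric.
# There is no nested quantifier, so backtracking on a label is bounded by the
# label's length instead of growing exponentially with it.
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def valid_tls_host(host: str) -> bool:
    """Validate an ASCII DNS hostname label by label, in time linear in len(host).

    Assumed rules (RFC 1123 style, not taken from the project): at most 253
    characters after an optional trailing dot is stripped, 1 to 63 characters
    per label, letters/digits/hyphens only, no leading or trailing hyphen.
    """
    if not isinstance(host, str) or not host:
        return False
    if host.endswith("."):
        host = host[:-1]
    if not host or len(host) > 253:
        return False
    for label in host.split("."):
        # Length is checked first, so the regex only ever sees short inputs.
        if not 1 <= len(label) <= 63:
            return False
        if _LABEL_RE.fullmatch(label) is None:
            return False
    return True


def hostile_probe(length: int) -> bool:
    """Run the validator on a constructed input of the shape that blows up a
    nested-quantifier pattern: a long run of letters and hyphens with no dots.
    Returns the verdict (False here, since one label longer than 63 is rejected)."""
    probe = "a" + "-a" * (length // 2)  # constructed input, e.g. "a-a-a-a-a..."
    return valid_tls_host(probe)


if __name__ == "__main__":
    for name in ("remotepower.example.com", "-bad.example.com", "a..b"):
        print(f"{name!r}: {valid_tls_host(name)}")
    print("20000-char probe rejected quickly:", not hostile_probe(20000))
```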
Upgrade is in-place; see upgrading. Older release notes live in CHANGELOG.