Skip to content

v1.7.1

Choose a tag to compare

@ulsklyc ulsklyc released this 10 Jul 19:46

Security

  • ICS calendar subscriptions and one-off feed imports now validate the destination IP at the moment the connection is established, closing a DNS-rebinding hole where an attacker-controlled hostname could pass the pre-flight private-IP check but resolve to an internal address (e.g. cloud metadata) during the actual fetch. Literal private IPs — including IPv6 loopback and IPv4-mapped IPv6 in both decimal and hex form — are now rejected as well. The ICS_SUBSCRIPTION_ALLOW_PRIVATE_NETWORK opt-in continues to bypass both checks for trusted LAN feeds.

Changed

  • Bumped tsdav to 2.3.1 and pinned build-script permissions (allowScripts) for better-sqlite3, bcrypt and puppeteer.