diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c6a81840..efa6acbef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,9 +2,17 @@ ## v1.6.9 - 2026/03/?? +- [SECURITY] Implement `SafeFileSystemCache` for Web UI session storage with token regeneration on privilege changes, preventing session fixation attacks. - [SECURITY] Sanitize uploaded filenames in the Web UI to strip path separators, null bytes, and control characters, preventing path traversal attacks. - [SECURITY] Add tar extraction path filtering in `Let's Encrypt` certificate handling to only allow expected directories, preventing path traversal. Add 300s timeout to certificate account registration. Use explicit whitelist for API environment variables. - [SECURITY] Validate IP addresses and service names across all ban management endpoints (API, Lua, UI, CLI) to prevent invalid data injection. Fix Redis key parsing for service names containing underscores. +- [BUGFIX] Close local database connections before forking worker processes to prevent file descriptor leaks and connection pool corruption. +- [BUGFIX] Fix race condition in instance update logic by using direct SQL `UPDATE` statements instead of ORM session operations. +- [BUGFIX] Ensure thread safety when managing the session factory by moving instance update operations outside the synchronization lock. +- [BUGFIX] Handle empty or unreadable certificates gracefully in Let's Encrypt `retrieve_certificates` and `retrieve_certificates_info` functions to prevent crashes during certificate enumeration. +- [BUGFIX] Enhance error handling for missing server name in SSL certificate functions to avoid crashes when the server name is not yet configured. +- [BUGFIX] Improve backup cleanup logic when replacing destination files to correctly remove leftover backups after a successful replacement. +- [BUGFIX] Mark the Flask session as modified when adding flash messages to ensure session data is correctly persisted across redirects. - [BUGFIX] Fix Domeneshop DNS provider in the `Let's Encrypt` plugin to use the correct credential keys and ensure proper certificate generation. 
- [BUGFIX] Handle file-not-found and OS errors gracefully when archiving plugin UI pages in the database, and skip storing content when tar archiving fails to prevent corrupt data. - [BUGFIX] Return false instead of a potentially incorrect result when version comparison encounters invalid version strings, preventing spurious update notifications. @@ -13,10 +21,12 @@ - [BUGFIX] Add backup and rollback mechanism when deploying new configurations to BunkerWeb instances, preventing data loss if the file copy operation fails. - [BUGFIX] Generate and deploy initial configuration on first start before running plugin jobs, ensuring API endpoints are available when jobs execute. - [BUGFIX] Skip Content-Security-Policy header override in the antibot plugin when nonces are not available (e.g., HEAD requests), preventing malformed CSP headers. +- [UI] Add confetti animation and visual unlock effect when activating a PRO License Key in the Web UI. - [UI] Fix service cloning to correctly strip the source service prefix from configuration keys, preventing settings from being ignored during import. - [UI] Rate-limit worker restarts to prevent excessive restarts when multiple plugin reload triggers fire in quick succession. - [UI] Fix crashes when CSRF validation or request teardown occurs outside a valid user context, improving stability during edge-case scenarios. - [API] Add lifespan handler to properly close database connections on shutdown, preventing connection leaks. +- [DOCS] Update documentation and default configurations to remove the deprecated nightly CRS version and ensure full compatibility with CRS v4. - [DOCS] Update Domeneshop DNS provider credential key names in documentation to match the corrected `client_token`/`client_secret` keys. - [DOCS] Add documentation for the Cache PRO plugin covering response caching configuration and settings. - [DEPS] Update coreruleset-v4 version to v4.24.1
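Review bot: In the first hunk the entry "Ensure thread safety when managing the session factory by moving instance update operations outside the synchronization lock" reads as a contradiction as written, since moving work out of a lock does not by itself make it thread-safe; say what the lock now protects (the session factory) and why the update operations no longer need to run under it, otherwise a reader cannot tell whether a data race was fixed or a deadlock was avoided. In the same hunk, "Fix race condition in instance update logic by using direct SQL `UPDATE` statements instead of ORM session operations" should state that the direct statements are parameterized (or otherwise bound) rather than string-built, because a changelog reader auditing a release for injection risk will otherwise have to go to the code to find out. Both are documentation points on the entries themselves, not on the underlying fixes.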
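Review bot: In the second hunk the new entry "[DOCS] Update documentation and default configurations to remove the deprecated nightly CRS version and ensure full compatibility with CRS v4" is vaguer than the neighbouring lines; the hunk's own "[DEPS] Update coreruleset-v4 version to v4.24.1" names the exact release, so the DOCS entry should name it too (e.g. "compatibility with CRS v4.24.1") and say what "default configurations" changed, so the two entries can be cross-checked against each other.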