This is a security release. Users are encouraged to update AdGuard Home as soon as possible.
Acknowledgements
A special thanks to our open-source contributor, @mazzz1y, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!
Full Changelog
See also the v0.107.14 GitHub milestone.
Security
A Cross-Site Request Forgery (CSRF) vulnerability has been discovered. The CVE number is to be assigned. We thank Daniel Elkabes from Mend for reporting this vulnerability to us.
SameSite Policy
The SameSite policy on the AdGuard Home session cookies has been upgraded to Lax. This means that the only cross-site HTTP request for which the browser sends the session cookie is a top-level navigation to the AdGuard Home domain using a safe method such as GET (for example, following a link); cross-site form submissions, fetch/XHR calls, and subresource requests no longer carry the cookie.
Users are strongly advised to log out, clear browser cache, and log in again after updating.
Removal Of Plain-Text APIs (BREAKING API CHANGE)
We have implemented several measures to prevent such vulnerabilities in the future, but some of these measures break backwards compatibility for the sake of better protection.
The following APIs, which previously accepted or returned text/plain data, now accept or return data as JSON. All new formats for the request and response bodies are documented in openapi/openapi.yaml and openapi/CHANGELOG.md.
- GET /control/i18n/current_language
- POST /control/dhcp/find_active_dhcp
- POST /control/filtering/set_rules
- POST /control/i18n/change_language
Stricter Content-Type Checks (BREAKING API CHANGE)
All JSON APIs now check that the request actually has Content-Type set to application/json.
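The following Go program is an added example, not AdGuard Home's own code, showing why the two measures above (the SameSite=Lax session cookie and the Content-Type check in front of JSON endpoints) close the forged-request path. A cross-site HTML form can only submit text/plain, application/x-www-form-urlencoded or multipart/form-data; a script that sets application/json on a cross-site request triggers a CORS preflight, which a server that never answers preflights does not approve. So an endpoint that accepted text/plain could be driven by a form on an attacker's page, while one that insists on application/json cannot. The cookie name agh_session, the 415 status, the rules body field and the way the route is registered are assumptions made for illustration; only the endpoint path comes from the list above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sessionCookieName is a hypothetical name; the page does not state the
// real cookie name used by AdGuard Home.
const sessionCookieName = "agh_session"

// newSessionCookie builds a session cookie with SameSite=Lax, so browsers
// attach it to top-level GET navigations only, never to cross-site POSTs,
// fetch/XHR calls or subresource loads.
func newSessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     sessionCookieName,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
}

// requireJSON rejects any request whose media type is not application/json.
// mime.ParseMediaType strips parameters, so "application/json; charset=utf-8"
// is still accepted, while an empty or form/text media type is not.
func requireJSON(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err != nil || mt != "application/json" {
			http.Error(w, "expected Content-Type: application/json",
				http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// setRulesRequest is an assumed body shape for the example endpoint; the
// field name is not the project's documented schema.
type setRulesRequest struct {
	Rules []string `json:"rules"`
}

// setRulesHandler decodes a JSON body and reports how many rules it received.
func setRulesHandler(w http.ResponseWriter, r *http.Request) {
	var req setRulesRequest
	dec := json.NewDecoder(r.Body)
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil {
		http.Error(w, "bad JSON body", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]int{"accepted": len(req.Rules)})
}

// newServer wires the example endpoint behind the Content-Type check.
func newServer() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/control/filtering/set_rules",
		requireJSON(http.HandlerFunc(setRulesHandler)))
	return mux
}

// post sends body with the given Content-Type to the handler in-process and
// returns the HTTP status code.
func post(h http.Handler, contentType, body string) int {
	req := httptest.NewRequest(http.MethodPost,
		"/control/filtering/set_rules", strings.NewReader(body))
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := newServer()
	body := `{"rules": ["||example.com^"]}`
	// What a <form enctype="text/plain"> on an attacker's page can send.
	fmt.Println("text/plain form post:", post(h, "text/plain", body))
	// What the legitimate web UI sends.
	fmt.Println("JSON post:", post(h, "application/json", body))
	fmt.Println("cookie:", newSessionCookie("opaque-session-id").String())
}
```

Run it with go run; the text/plain submission is refused with 415 before the handler ever sees the body, the JSON submission reaches the handler, and the printed Set-Cookie value carries SameSite=Lax and HttpOnly. Note that the Content-Type check on its own only helps because the server does not also expose a permissive CORS policy; if it answered preflights with Access-Control-Allow-Origin: * plus allowed headers, a cross-site script could send application/json after all.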
Other Security Changes
- Weaker cipher suites that use the CBC (cipher block chaining) mode of operation have been disabled (#2993).
Added
- Support for plain (unencrypted) HTTP/2 (#4930). This is useful for AdGuard Home installations behind a reverse proxy.
Fixed
- Incorrect path template in DDR responses (#4927).