github AdguardTeam/AdGuardHome v0.107.78
AdGuard Home v0.107.78

10 hours ago

Security, security, security, security, security!

No, we do not have Steve Ballmer for CEO, but we took a page out of his playbook to draw attention to what we think is one of the most important aspects of developing AdGuard Home — security. This update is a good illustration of that: security-related changes take up over half of the changelog, and it’s not a small one.

We thank our awesome community members who helped us immensely by reporting some of the vulnerabilities, so that we could stay on top of our game and deliver timely fixes.

Full changelog

See also the v0.107.78 GitHub milestone.

Security

  • AdGuard Home is now more resistant to JIGGLE attacks.

    This is GHSA-p5f5-3p5g-rfjw. We thank @Nora-Qiu for reporting this security issue.

  • AdGuard Home now validates responses from DoH upstreams more strictly.

    This is GHSA-4qjf-2hgm-92q6. We thank @wallace0409 for reporting this security issue.

  • QUIC connections are now protected from unbounded reads.

    This is GHSA-qr92-rwvw-mhgh and GHSA-cccx-2r6r-m9r4. We thank @wallace0409 for reporting this security issue.

  • AdGuard Home now validates responses from DNSCrypt upstreams more strictly.

  • The H2C connection establishment via HTTP/1.1 request upgrade is no longer supported. See RFC 9113.

  • Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.26.5.

  • The size of rulelists is limited. This is necessary to prevent a user's machine from becoming overloaded if the filter source misbehaves.

    We thank Damir (@Evelynkaz) for reporting this security issue.

Added

  • Improved updater logging to give users more insight into the problem with version updating (#8410).

Changed

  • The interval of filter updates can now be set to any number of hours between 0 and 8760 (365 days) in the configuration file.

Configuration changes

  • The filtering object of the YAML configuration now includes a new property, max_http_size, which defines the maximum size of the HTTP request for rulelists. To disable the limitation, set a large size, such as 1 TB.

Fixed

  • Invalid AA flag in DNS responses (#7955).

  • The parsing of the ech parameter in DNS rewrite rules for the HTTPS record type (#8276).

  • Blocked services check on the Custom filtering rules page does not work properly without specifying of a client.

Don't miss a new AdGuardHome release

NewReleases is sending notifications on new releases.