github ZoeyVid/NPMplus 2024-10-21-r1

one month ago

Breaking changes in host names and custom ACME servers, fixed upstream CVEs; please report any issues you find

What's Changed

  • merge upstream (including CVE fixes - shell/command injection while creating certificates - permission to create certs was required to exploit)
    • Note: upstream fixed this by adding regex checks in the API endpoint (this is included); this may break new hosts or your existing hosts if you update them and you are using regex inside your host names
    • Note: I added a second fix by switching from require('child_process').exec to require('child_process').execFile; this should prevent this kind of injection completely, so the regex change from upstream should be safe to revert if needed
    • I also fixed some small upstream bugs which I already noticed while testing, so there are probably more caused by the new regex checks
  • dep updates
  • generate nginx access lists using node module instead of apache2-utils
  • for new instances, fix appsec file upload: increase appsec timeouts. I recommend that you create a backup of your /opt/npm/etc/crowdsec/crowdsec.conf config file, delete it, then restart NPMplus (so the file gets recreated) and then configure it again, so you have the new timeouts
  • reload nginx after certbot-ocsp-fetcher.sh finished
  • custom certbot.ini support REMOVED, if you want to use a custom acme server please do this using the new envs you can find in the compose.yaml
  • fix disabling ipv6
  • nginx/custom is now nginx_custom (from sub folder to new folder)
  • you no longer need to enter your email while creating certs (please do this in compose.yaml)
  • DNS propagation delay support removed
  • fixed duplicating '#' in nginx.conf in rootless mode
  • allow backend to compress
  • improve default ssl_ecdh_curve (enable X25519MLKEM768)
  • also disable proxy_request_buffering if you disable proxy buffering using env
  • limit MIME types to compress (text/images/audio) - if you think something is missing or should not be compressed, please open a discussion (currently: text/html text/css text/javascript text/xml application/atom+xml application/rss+xml text/markdown text/mathml text/plain text/vnd.sun.j2me.app-descriptor text/vnd.wap.wml text/x-component application/json application/xhtml+xml application/xspf+xml font/woff font/woff2 image/avif image/bmp image/png image/svg+xml image/tiff image/vnd.wap.wbmp image/webp image/x-icon image/x-jng audio/midi audio/mpeg audio/ogg audio/x-m4a audio/x-realaudio)

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply any changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-10-05-r1...2024-10-21-r1
