github bunkerity/bunkerweb v1.6.12

Documentation : https://docs.bunkerweb.io/1.6.12/

Docker tags :

  • All-in-one : bunkerity/bunkerweb-all-in-one:1.6.12 or ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.12
  • BunkerWeb : bunkerity/bunkerweb:1.6.12 or ghcr.io/bunkerity/bunkerweb:1.6.12
  • Scheduler : bunkerity/bunkerweb-scheduler:1.6.12 or ghcr.io/bunkerity/bunkerweb-scheduler:1.6.12
  • Autoconf : bunkerity/bunkerweb-autoconf:1.6.12 or ghcr.io/bunkerity/bunkerweb-autoconf:1.6.12
  • UI : bunkerity/bunkerweb-ui:1.6.12 or ghcr.io/bunkerity/bunkerweb-ui:1.6.12
  • API : bunkerity/bunkerweb-api:1.6.12 or ghcr.io/bunkerity/bunkerweb-api:1.6.12

Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.12&filter=all&dist=

Changelog :

v1.6.12 - 2026/06/??

Security

  • nginx: updated NGINX to 1.30.3 to fix:

    • CVE-2026-42055: heap buffer overflow in ngx_http_proxy_v2_module / ngx_http_grpc_module
    • CVE-2026-48142: heap buffer overread in ngx_http_charset_module
  • api: hardened Biscuit token generation by binding Host header, client IP and username as typed terms, preventing signed Datalog fact injection. Added optional API_ALLOWED_HOSTS.

  • api: API_ACL_BOOTSTRAP_FILE now validates supplied bcrypt hashes and rejects weak or malformed values.

  • antibot: Cap.js challenge now uses a strict per-request CSP nonce and sends Cache-Control: no-store.

  • antibot: fixed an open redirect in the post-challenge redirect flow by enforcing same-origin relative paths.

  • ui: fixed session fixation on login by rotating the session ID on every authentication.

  • ui: fixed open redirect via the post-login next parameter.

  • ui: password changes now revoke the user’s other active sessions.

  • ui: cache deletion routes now enforce Biscuit authorization.

  • ui: improved hostname and ban-scope validation.

  • ui: extended CSV/XLSX formula-injection protection to tab and carriage-return-prefixed cells.

  • linux: uninstall hooks now preserve logs, configs, databases and backups unless purge is explicitly requested; upgrade backups moved to /var/backups/bunkerweb.
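
The Biscuit entry above describes a bug class worth seeing concretely: when the facts of a token block are assembled by string interpolation before signing, request-controlled values (Host header, client IP, username) can close a string term and smuggle additional facts into the block, and the server then signs them. Serialising each binding as a typed term keeps it a single value. The following is an added example, not BunkerWeb's or the Biscuit project's code; `parse_facts` is a hypothetical minimal reader for the text form `name("string", 123, ...)` with facts separated by `;`, and the fact names `host`, `client_ip`, `user` and `right` are assumptions of the example. The Biscuit libraries themselves provide the same protection through parameterised facts.

```python
"""Added example, not BunkerWeb's or the Biscuit project's code.

unsafe_block() pastes request data into Datalog text; safe_block() serialises
each binding as a typed, quoted term. parse_facts() is a hypothetical reader
for name("string", 123, ...) facts separated by ';' so the injection can be
observed offline. It is not the Biscuit library.
"""
import re

_IDENT = re.compile(r"\s*([a-z_][a-z0-9_]*)\s*\(")
_INT = re.compile(r"-?\d+")


def _read_string(src: str, i: int) -> tuple:
    # Read a double-quoted string starting at src[i]; honours \" and \\ escapes.
    out, i = [], i + 1
    while i < len(src):
        c = src[i]
        if c == "\\" and i + 1 < len(src):
            out.append(src[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string")


def parse_facts(src: str) -> list:
    """Parse 'name(term, ...)' facts separated by ';' into (name, terms) tuples."""
    facts, i, n = [], 0, len(src)
    while i < n:
        if not src[i:].strip():
            break
        m = _IDENT.match(src, i)
        if not m:
            raise ValueError(f"expected fact at offset {i}: {src[i:i + 20]!r}")
        name, i, terms = m.group(1), m.end(), []
        while True:
            while i < n and src[i].isspace():
                i += 1
            if i < n and src[i] == '"':
                value, i = _read_string(src, i)
            else:
                m2 = _INT.match(src, i)
                if not m2:
                    raise ValueError(f"expected term at offset {i}")
                value, i = int(m2.group()), m2.end()
            terms.append(value)
            while i < n and src[i].isspace():
                i += 1
            if i < n and src[i] == ",":
                i += 1
            elif i < n and src[i] == ")":
                i += 1
                break
            else:
                raise ValueError(f"expected ',' or ')' at offset {i}")
        facts.append((name, tuple(terms)))
        while i < n and (src[i].isspace() or src[i] == ";"):
            i += 1
    return facts


def unsafe_block(host: str, ip: str, user: str) -> str:
    """The vulnerable pattern: request data interpolated into the Datalog text."""
    return f'host("{host}"); client_ip("{ip}"); user("{user}")'


def quote_term(term) -> str:
    """Serialise one typed term; strings are quoted and escaped, never pasted raw."""
    if isinstance(term, bool):
        raise TypeError("booleans are not modelled in this example")
    if isinstance(term, int):
        return str(term)
    if isinstance(term, str):
        return '"' + term.replace("\\", "\\\\").replace('"', '\\"') + '"'
    raise TypeError(f"unsupported term type {type(term).__name__}")


def fact(name: str, *terms) -> str:
    """Build one fact from a fixed name and typed terms only."""
    if not re.fullmatch(r"[a-z_][a-z0-9_]*", name):
        raise ValueError(f"invalid fact name {name!r}")
    return f"{name}({', '.join(quote_term(t) for t in terms)})"


def safe_block(host: str, ip: str, user: str) -> str:
    """The hardened pattern: Host, client IP and username each become one typed term."""
    return "; ".join([fact("host", host), fact("client_ip", ip), fact("user", user)])


def granted_rights(block: str) -> set:
    """Rights an authorizer would read out of a block carrying these facts."""
    return {t[0] for name, t in parse_facts(block) if name == "right" and t}


# Constructed attacker input: closes the user("...") string and appends a fact.
EVIL_USER = 'alice"); right("admin'

if __name__ == "__main__":
    print(granted_rights(unsafe_block("example.com", "203.0.113.7", EVIL_USER)))
    print(granted_rights(safe_block("example.com", "203.0.113.7", EVIL_USER)))
```

With the unsafe builder the block parses into four facts including `right("admin")`, which a signature would then vouch for; with typed terms the same username stays inside one `user(...)` string term. The same reasoning applies to `API_ALLOWED_HOSTS`: the Host value should be compared as a typed term against an allow-list, never interpolated.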

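The CSV/XLSX entry above extends formula-injection protection to cells that begin with a tab or carriage return. Spreadsheet applications evaluate an imported cell as a formula when it starts with `=`, `+`, `-` or `@`, and the tab and carriage-return prefixes are well-known ways to slip past filters that only look at the first character. The following is an added example, not BunkerWeb's export code; the exemption for plain numbers and the constructed sample rows are choices of the example.

```python
"""Added example, not BunkerWeb's own code: neutralise spreadsheet formula
injection in exported CSV cells, including tab- and CR-prefixed cells."""
import csv
import io
import re

FORMULA_TRIGGERS = frozenset("=+-@")
CONTROL_TRIGGERS = frozenset("\t\r")          # the prefixes this release adds
_PLAIN_NUMBER = re.compile(r"-?\d+(\.\d+)?")  # "-5" is a number, not a formula


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet could interpret the cell as a formula."""
    if not value:
        return False
    if value[0] in CONTROL_TRIGGERS:
        return True
    # Conservative: also catch triggers after leading whitespace ("  =1+1").
    first = value.lstrip(" \t\r\n")[:1]
    return first in FORMULA_TRIGGERS and not _PLAIN_NUMBER.fullmatch(value.strip())


def neutralise_cell(value):
    """Prefix formula-like strings with an apostrophe so they import as text."""
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def rows_to_csv(rows) -> str:
    """Write rows as quoted CSV with every cell neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample export: a ban list where the "reason" field is attacker-controlled.
SAMPLE_ROWS = [
    ["ip", "reason"],
    ["203.0.113.7", "=cmd|' /C calc'!A0"],
    ["198.51.100.9", "\t=HYPERLINK(\"http://evil.example\",\"click\")"],
    ["192.0.2.4", "-5"],
]

if __name__ == "__main__":
    print(rows_to_csv(SAMPLE_ROWS), end="")
```

The apostrophe prefix is the widely used neutralisation; it is visible in some applications, which is the price of keeping the original content intact. Quoting every cell also keeps a CR or LF inside a neutralised value from being read as a row boundary.
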
Features & Improvements

  • reverseproxy: added upstream HTTPS certificate verification with:

    • REVERSE_PROXY_SSL_VERIFY
    • REVERSE_PROXY_SSL_VERIFY_DEPTH
    • REVERSE_PROXY_SSL_TRUSTED_CERTIFICATE
    • REVERSE_PROXY_SSL_TRUSTED_CERTIFICATE_DATA
    • REVERSE_PROXY_SSL_TRUSTED_CERTIFICATE_PRIORITY
  • antibot: ANTIBOT_IGNORE_URI can now match full request URIs, including query strings.

  • scheduler: added SCHEDULER_MAX_WORKERS to cap the job-executor thread pool and reduce database pool pressure.

  • ui: ADMIN_PASSWORD can now accept pre-hashed bcrypt values.

  • ui: logs viewer overhaul:

    • syntax highlighting for BunkerWeb, certbot and NGINX access logs
    • severity filters with counts
    • in-page search and error navigation
    • live-tail with pause and new-line indicator
    • download/copy actions
    • optional local-time display
    • collapsible multi-line entries
    • improved mobile toolbar layout
  • ui: RAW config editor can now fold multi-line file settings, such as certificates and keys.

  • mtls: added MTLS_URL_n regex setting to enforce mTLS per path instead of site-wide.

  • bunkernet UI: improved status reporting with Connected / API unreachable / Not registered states, masked instance ID and disk self-heal.
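
Two entries above concern operator-supplied bcrypt hashes: API_ACL_BOOTSTRAP_FILE now validates them, and ADMIN_PASSWORD can now accept a pre-hashed value. The following added example, not BunkerWeb's own code, shows the checks that make such input safe to accept: the modular-crypt layout (`$2a$`, `$2b$` or `$2y$` prefix, two-digit cost, 22 salt and 31 digest characters from bcrypt's own base64 alphabet) and a cost floor. The minimum cost and the sample hashes are assumptions of the example; the sample strings are constructed for the format check and are not digests of any known password. The 72-byte helper relates to the bug-fix entry further down on bcrypt 5.0.0 and long passwords: bcrypt only consumes the first 72 bytes, and recent pyca/bcrypt releases reject longer input rather than silently truncating it, so checking the UTF-8 length up front gives a clear error instead of a lockout.

```python
"""Added example, not BunkerWeb's own code: validate a pre-hashed bcrypt
value before accepting it from configuration."""
import re

# Prefix variants accepted; $2$ (original) and $2x$ (the PHP bug variant) are rejected.
_BCRYPT_RE = re.compile(r"\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")

MIN_COST = 10   # assumption for this example; tune to your hardware
MAX_COST = 31   # algorithm ceiling; 4 is the floor


def validate_bcrypt_hash(value, min_cost: int = MIN_COST) -> int:
    """Return the cost factor of a well-formed, strong-enough bcrypt hash.

    Raises ValueError for plain-text passwords, other hash formats,
    truncated or padded hashes, illegal costs and costs below min_cost.
    """
    if not isinstance(value, str):
        raise ValueError("bcrypt hash must be a string")
    m = _BCRYPT_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError("malformed bcrypt hash: expected $2b$<cost>$<22 salt><31 digest>")
    cost = int(m.group(1))
    if not 4 <= cost <= MAX_COST:
        raise ValueError(f"bcrypt cost {cost} is outside the legal range 4..{MAX_COST}")
    if cost < min_cost:
        raise ValueError(f"bcrypt cost {cost} is below the required minimum {min_cost}")
    return cost


def is_valid_bcrypt_hash(value, min_cost: int = MIN_COST) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_bcrypt_hash(value, min_cost)
        return True
    except ValueError:
        return False


def password_fits_bcrypt(password: str) -> bool:
    """bcrypt hashes at most 72 bytes; reject longer input before it reaches the library."""
    return len(password.encode("utf-8")) <= 72


# Constructed samples: format-valid strings, not digests of a real password.
WEAK_HASH = "$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s."
STRONG_HASH = "$2b$12$" + WEAK_HASH[7:]

if __name__ == "__main__":
    for candidate in (STRONG_HASH, WEAK_HASH, "password123", STRONG_HASH[:-1]):
        print(candidate[:12] + "...", is_valid_bcrypt_hash(candidate))
```

A rejected value should fail the bootstrap loudly rather than fall back to treating the string as a plain-text password, since that is how a malformed hash turns into a guessable credential.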

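For the new upstream HTTPS certificate verification settings, the following added example (not BunkerWeb's generated configuration) shows the raw NGINX directives that such settings control, with the default left beside the hardened form. The mapping of the REVERSE_PROXY_SSL_* settings onto these directives is an assumption from their names, and the backend host name and CA bundle path are hypothetical.

```nginx
# Added example, not BunkerWeb's generated config.
location / {
    proxy_pass https://backend.internal:8443;   # hypothetical upstream

    # Default: the TLS handshake happens, but the upstream certificate is
    # never checked, so anyone who can interpose on the backend link can
    # present any certificate.
    # proxy_ssl_verify off;

    # Hardened: verify the chain against a pinned CA bundle, bound the chain
    # length, and verify the name on the certificate.
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_trusted_certificate /etc/ssl/upstream-ca.pem;  # hypothetical path
    proxy_ssl_server_name         on;                 # send SNI to the backend
    proxy_ssl_name                backend.internal;   # name checked on the cert
    proxy_ssl_protocols           TLSv1.2 TLSv1.3;
}
```

The caveat a practitioner wants here: with verification on, NGINX checks the certificate against `proxy_ssl_name`, which defaults to the host in `proxy_pass`. When the upstream is addressed by IP or through a variable, set `proxy_ssl_name` explicitly, or verification will fail (or, worse, be switched off again to make it pass).
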
Bug Fixes

  • letsencrypt: fixed cache poisoning that could cause fleet-wide certbot AccountNotFound.
  • letsencrypt: fixed scheduler/UI cache-row write race by sharing one fcntl.flock.
  • letsencrypt: fixed Route53 auto-renewal when explicit AWS credentials are used.
  • letsencrypt: fixed stale ACME account recovery when LETS_ENCRYPT_CONCURRENT_REQUESTS=yes.
  • letsencrypt UI: deleting a certificate no longer fails when unrelated orphaned certificates are present.
  • antibot: after solving a challenge, Chrome now returns to the originally requested URL instead of /.
  • api: malformed API_ALLOWED_HOSTS wildcards no longer brick the API on every request.
  • datastore: changing DATASTORE_LRU_SIZE no longer causes worker API HTTP 444 bootstrap deadlocks.
  • database: fixed rc1 regression that reset UI/API-saved settings to defaults after scheduler restart.
  • database: env vars no longer stay shadowed after a setting was touched in the UI/API.
  • database: multisite env settings for DB-created services are no longer dropped as unknown globals.
  • ssl: SSL_ECDH_CURVE=auto no longer emits X25519 on FIPS OpenSSL.
  • autoconf: service labels are rechecked when valid settings change, such as after PRO plugin or external plugin installation.
  • logger: unreachable LOG_SYSLOG_ADDRESS no longer crash-loops scheduler and UI processes.
  • installer: testing/dev install script is now idempotent and avoids duplicating force-bad-version.
  • ci: Testing release install script now defaults to the testing channel.
  • ui: Setup Wizard now shows a Log Out button when reached while already authenticated.
  • ui: RAW mode no longer breaks multi-line file settings such as PEM certificates and keys.
  • ui: /home, /reports and /bans load much faster on Redis-backed setups.
  • ui: static assets no longer trigger the full per-request lifecycle.
  • ui: form-builder no longer creates phantom method=ui rows on no-op saves.
  • ui / api: fixed possible login lockout with bcrypt 5.0.0 and passwords over 72 bytes.
  • ui: fixed dark/light theme flicker and wrong-theme-on-load.
  • ui: fixed plugin metrics crashes on Redis-backed setups.
  • limit: fixed spurious HTTP/3 429 responses by separating HTTP/1, HTTP/2 and HTTP/3 connection limits.
  • customcert: expired or soon-to-expire custom certificates are now accepted if they are valid X.509 certificates.
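
Three entries on this page come down to one check: the antibot open redirect in the post-challenge flow, the UI open redirect via the post-login `next` parameter (both in Security), and the antibot return-URL fix above. The following is an added example, not BunkerWeb's code: a validator that accepts only a same-origin relative path and otherwise falls back to a default, covering the common bypasses (`//host`, backslash variants, absolute URLs, `javascript:` targets, control characters, dot-segment tricks). The probe inputs are constructed.

```python
"""Added example, not BunkerWeb's own code: accept a return URL only if it is
a same-origin relative path, which is the rule the open-redirect fixes state."""
import posixpath
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(target, default: str = "/") -> str:
    """Return target if it is a same-origin relative path, else default.

    Accepted: "/path", "/path?q=1", "/path#frag".
    Rejected: absolute URLs, scheme-relative "//host", backslash variants
    (browsers read "/\\host" as "//host"), javascript: and other schemes,
    CR/LF and other control characters, and anything not rooted at "/".
    """
    if not isinstance(target, str) or not target:
        return default
    if target != target.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return default
    if "\\" in target:
        return default
    if not target.startswith("/") or target.startswith("//"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:          # defence in depth
        return default
    path = posixpath.normpath(parts.path)     # "/a/../b" -> "/b", "/.//x" -> "/x"
    if parts.path.endswith("/") and path != "/":
        path += "/"                           # normpath drops the trailing slash
    if not path.startswith("/") or path.startswith("//"):
        return default
    return urlunsplit(("", "", path, parts.query, parts.fragment))


# Constructed probes: what an attacker or a browser quirk might hand the login form.
PROBES = [
    "/bans?scope=global",
    "//evil.example/phish",
    "/\\evil.example",
    "https://evil.example/",
    "javascript:alert(1)",
    "/login\r\nSet-Cookie: x=y",
    "/..//evil.example",
    "",
]

if __name__ == "__main__":
    for probe in PROBES:
        print(repr(probe), "->", safe_redirect_target(probe))
```

The point of the default is that the function never passes the raw value through; a rejected target sends the user to a known page instead of surfacing an error that might leak the attempt into logs or the response.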

Linux & Packaging

  • Fedora 43 and 44 now use NGINX 1.30.3.
  • Ubuntu Pro/ESM installs now use the upstream CrowdSec engine instead of the outdated ESM build.
  • Added Ubuntu 26.04 Resolute Raccoon package target.
  • Ubuntu 24.04 Noble moved to the ubuntu-noble identifier.
  • Ubuntu 22.04 Jammy remains available as ubuntu-jammy.

Dependencies

  • Updated headers-more-nginx-module to 0.40.

  • Updated lua-cjson to 2.1.0.18.

  • Updated lua-resty-signal to 0.05.

  • Updated lua-resty-string to 0.19.

  • Updated lua-upstream-nginx-module to 0.08.

  • Updated LuaJIT to 2.1-20260701.

  • Updated ModSecurity to 3.0.16.

  • Updated lua-resty-openssl to 1.8.0.

  • Updated coreruleset-v4 to 4.27.0.

  • Updated UI dependencies:

    • jQuery 4.0.0
    • Bootstrap 5.3.8
    • DataTables 2.3.8
    • Ace editor 1.44.0
    • ApexCharts.js 5.15.0
    • DOMPurify 3.4.11
    • i18next 26.3.1
    • i18next-http-backend 4.0.0
    • Perfect Scrollbar 1.5.6
    • lottie-player 2.0.12
    • canvas-confetti 1.9.4
    • ipaddr.js 2.4.0
  • Updated build tooling:

    • cssnano 8.0.2
    • domino 2.1.7
    • removed unused root jquery dependency

Contributions

  • Thanks to @cleverguns for the Filipino / Tagalog web UI translation.
  • Thanks to @ray910408 for refreshing src/deps npm build-tool dependencies.
  • Thanks to @immanuwell for parsing the DEBUG environment variable as a boolean in the Gunicorn configuration.
