github bunkerity/bunkerweb v1.6.12-rc1

pre-release, 4 hours ago

Documentation : https://docs.bunkerweb.io/1.6.12~rc1/

Docker tags :

  • All-in-one : bunkerity/bunkerweb-all-in-one:1.6.12-rc1 or ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.12-rc1
  • BunkerWeb : bunkerity/bunkerweb:1.6.12-rc1 or ghcr.io/bunkerity/bunkerweb:1.6.12-rc1
  • Scheduler : bunkerity/bunkerweb-scheduler:1.6.12-rc1 or ghcr.io/bunkerity/bunkerweb-scheduler:1.6.12-rc1
  • Autoconf : bunkerity/bunkerweb-autoconf:1.6.12-rc1 or ghcr.io/bunkerity/bunkerweb-autoconf:1.6.12-rc1
  • UI : bunkerity/bunkerweb-ui:1.6.12-rc1 or ghcr.io/bunkerity/bunkerweb-ui:1.6.12-rc1
  • API : bunkerity/bunkerweb-api:1.6.12-rc1 or ghcr.io/bunkerity/bunkerweb-api:1.6.12-rc1

Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.12~rc1&filter=all&dist=

Changelog :

  • [SECURITY] antibot: Cap.js script-src now uses a strict per-request nonce (no more 'unsafe-inline'); every challenge response also sends Cache-Control: no-store. Requires Cap.js widget 0.1.48+.
  • [SECURITY] letsencrypt (UI): harden delete + new heal flow — per-request scratch dir, fcntl.flock, the path components . and .. rejected in cert_name, DOMPurify + markupsafe.escape at every HTML sink, 500 on persistence failure; new /letsencrypt/{orphans,accounts,cache-status,heal} endpoints, per-row Heal button, sidebar orphan toast.
  • [SECURITY] linux: after-remove hooks now preserve /var/log/bunkerweb, /etc/bunkerweb, /var/lib/bunkerweb and the upgrade backups on plain uninstall (only purge wipes configs + DB; logs and backups always kept, disposal commands printed). Upgrade backups moved from /var/tmp to /var/backups/bunkerweb because systemd-tmpfiles reaps /var/tmp after 30 days (silently losing the backup — including the SQLite DB — on a delayed reinstall); postinstall restores from the new path and falls back to the legacy /var/tmp location. Backups are still written via install -m 0600 -o root -g root (atomic) and pre-existing world-readable ones are retro-tightened. Also removed the unreachable purge) arm from the RPM scriptlet's case statement (rpm only ever passes 0/1).
  • [SECURITY] api: the API_ACL_BOOTSTRAP_FILE loader now validates a supplied password_hash/password_bcrypt — it must be a real bcrypt hash meeting the minimum cost (10); a weak or malformed hash is ignored and a secure random password is generated instead of being stored verbatim (which let a controlled ACL file install a near-plaintext admin credential).
  • [SECURITY] ui: extend the CSV/XLSX formula-injection escaping (CWE-1236) to the \t (tab) and \r (carriage-return) leaders that defusedcsv omits — server-side csv_safe/csv_writer and the client-side bwCsvSafe hook now prefix those cells with ' as well.
  • [BUGFIX] letsencrypt (core): fix self-propagating cache poisoning that caused fleet-wide certbot AccountNotFound; add CA-agnostic consistency gate (LE + ZeroSSL paths), server-scoped select_account_id, auto-purge + re-register when the ACME server reports a pinned --account as deleted (stale-account JWS recovery), redacted-value Configurator WARN logs.
  • [BUGFIX] letsencrypt: close the scheduler↔UI cache-row write race — certbot-renew/certbot-new and the UI heal/delete flow now serialize on one shared fcntl.flock (/var/cache/bunkerweb/letsencrypt/.cache-write.lock) instead of a UI-only lock, so a renew no longer silently overwrites a concurrent heal (or vice-versa).
  • [BUGFIX] letsencrypt: route53 certificates issued with explicit AWS access keys now auto-renew — the renew job re-derives the credentials and sets AWS_CONFIG_FILE (which certbot-dns-route53 requires but the blanket certbot renew never set). Other DNS providers unaffected.
  • [FEATURE] scheduler: new SCHEDULER_MAX_WORKERS env var caps the job-executor thread pool to bound DB-pool pressure on shared MariaDB/MySQL/PostgreSQL; auto default tightened from min(8, cpu*4) to min(8, max(2, cpu*2)) and a warning is emitted when the resolved value exceeds DATABASE_POOL_SIZE + DATABASE_POOL_MAX_OVERFLOW.
  • [FEATURE] ui: ADMIN_PASSWORD now also accepts a pre-hashed bcrypt value ($2a$/$2b$/$2y$), stored as-is so the plaintext never lands in env files or secrets (env create + OVERRIDE_ADMIN_CREDS paths only; wizard and profile still take plaintext). The strength policy is skipped for a hash, but a cost factor below 10 is rejected and 10 to 11 logs a warning.
  • [BUGFIX] installer: misc/install-bunkerweb.sh is now idempotent on re-runs of a testing/dev install — the force-bad-version directive is appended to /etc/dpkg/dpkg.cfg only when the exact line is absent, so repeated runs no longer duplicate it. The Docker deployment path also warns when the resolved image tag is dev, which has no published Docker Hub image and would otherwise yield a compose stack that fails to pull.
  • [BUGFIX] ci: the install script published to the Testing GitHub release now has its DEFAULT_BUNKERWEB_VERSION pinned to testing (rewritten before checksum generation, gated on an exactly-one-declaration check), so downloading it from the Testing release defaults to the testing channel instead of the hardcoded stable version.
  • [BUGFIX] ui: the Setup Wizard now shows a Log Out button when reached while already authenticated (admin created via ADMIN_PASSWORD but no UI service configured yet), so the user is no longer stranded on the wizard with no way to end their session.
  • [BUGFIX] limit: fix spurious 429 over HTTP/3 — HTTP/3 streams were counted in the low LIMIT_CONN_MAX_HTTP1 zone because its key was keyed on $http2 alone (empty for HTTP/3 too). Now keyed on "$http2$http3", so each protocol counts against its own limit.
  • [BUGFIX] ui: cut /home, /reports and /bans load time from seconds to sub-second on Redis-backed setups by pipelining the Python Redis layer — batched LRANGE, SCAN+MGET instead of blocking KEYS, pipelined facet/metric reads, and per-request flask.g client caching — plus a 30s single-flight cache on home aggregates. The single-flight lock is bypassed when Redis is down, so the degraded instance-API fallback no longer serializes /home per worker during an outage.
  • [BUGFIX] ui: static assets (~70% of UI requests) no longer run the full per-request lifecycle — before_request now early-exits for /css/ /img/ /js/ /json/ /fonts/ /libs/ /locales/ before the cross-process UIData file lock, the CSP nonce, and the get_metadata/get_config DB fan-out. Cuts ~14 DB SELECTs per static request to zero and static latency ~7× (56→8 ms p50); CSP headers (after-request nonce fallback), auth, and dynamic pages are unchanged.
  • [BUGFIX] customcert: drop the 24-hour expiry check — expired or soon-to-expire custom certificates are now accepted and served (operator owns cert lifecycle); the cert is still validated as a parseable X.509.
  • [BUGFIX] database: scheduler now overrides existing method=ui/method=api rows so env vars stop being shadowed once a setting was touched in the UI. Stuck rows self-heal on next scheduler reload. Autoconf precedence unchanged; UI→scheduler direction still blocked.
  • [BUGFIX] database: save_config now supplements its prefix-match set with non-draft DB services, so multisite env settings for services created out-of-band (UI/API/autoconf) are no longer dropped as unknown globals.
  • [BUGFIX] ui: form-builder no longer resubmits default-method values left untouched, so a no-op Save stops creating phantom method=ui rows.
  • [BUGFIX] bunkernet (UI): replace binary "Inactive" with Connected / API unreachable / Not registered + live reason; instance ID masked with reveal toggle and redacted from messages; 5 s ping timeout, disk self-heal so a fresh registration goes Active without a reload.
  • [BUGFIX] mtls: new MTLS_URL_n regex setting enforces mTLS per path instead of site-wide; set MTLS_VERIFY_CLIENT=optional and the client certificate is checked in Lua only on matching URIs (invalid regex fails closed).
  • [LINUX] Updated NGINX version to v1.30.2 for Fedora 43 and 44 integration now that it is available in the repositories.
  • [LINUX] Support Ubuntu 26.04 (Resolute Raccoon): the default ubuntu package target now builds on Ubuntu 26.04 against Python 3.14 (nginx = 1.30.2-1~resolute); the previous default 24.04 Noble moves to the new ubuntu-noble identifier (packagecloud repo ubuntu/noble), and 22.04 Jammy (ubuntu-jammy) is unchanged.
  • [BUGFIX] ui/api: fix a possible login lockout under bcrypt 5.0.0, which raises a ValueError instead of truncating a secret over its 72-byte limit. Password verification now truncates the candidate to 72 bytes (matching how hashes are created), so accounts whose password exceeds 72 bytes — easy with multi-byte characters like accents or emoji — keep working. Setting an over-72-byte password is now rejected up front with a clear message and log across the Setup Wizard, profile page and ADMIN_PASSWORD/API_PASSWORD env vars (pre-hashed values exempt), and the set-password fields cap input at 72.
  • [BUGFIX] ui: fix dark/light theme flicker and wrong-theme-on-load. The client no longer re-applies a stale per-browser localStorage value after paint, so the server-rendered profile theme is authoritative — no flash, and consistent across devices/browsers (theme now follows the logged-in profile; last toggle wins everywhere). Anonymous pages (login/setup) resolve their theme before first paint via a nonce'd head script honoring the last choice, then the OS prefers-color-scheme.
  • [BUGFIX] ui: fix plugin metrics pages (Bad Behavior, Blacklist) crashing with can only concatenate str (not "int") to str on Redis-backed setups — get_metrics aggregation now coerces a non-numeric Redis value instead of doing str += int. (Fixes #3610)
  • [DEPS] Updated lua-resty-string version to v0.18
  • [DEPS] Updated coreruleset-v4 version to v4.27.0
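The three credential entries above (the API_ACL_BOOTSTRAP_FILE hash check, the pre-hashed ADMIN_PASSWORD cost policy, and the bcrypt 5.0.0 72-byte lockout) share one underlying set of checks. The following is an added, stand-alone Python illustration written for this page, not BunkerWeb's own code: the regex, the function names, the `password_hash`/`password_bcrypt` key handling and the sample hash tail are assumptions, and the policy numbers (minimum cost 10, warning for 10 to 11, 72-byte limit) are taken from the entries.

```python
import re
import secrets

# Modular-crypt bcrypt: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest
# in bcrypt's own base64 alphabet. Policy values below mirror the release entries;
# they are assumptions about this example, not a statement of the real defaults.
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{53})$")
MIN_COST = 10
WARN_COST_MAX = 11
BCRYPT_MAX_BYTES = 72

# Constructed, syntactically valid hash tail used only to build sample inputs;
# it does not correspond to any real credential.
SAMPLE_TAIL = "R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"


def sample_hash(cost, variant="2b"):
    """Build a constructed bcrypt-shaped string with the given cost factor."""
    return f"${variant}${cost:02d}${SAMPLE_TAIL}"


def parse_bcrypt_hash(value):
    """Return (variant, cost) for a well-formed bcrypt string, else None.
    Plaintext, other hash formats and truncated hashes all come back as None."""
    m = BCRYPT_RE.match(value if isinstance(value, str) else "")
    if not m:
        return None
    variant, cost, _ = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # bcrypt's defined cost range
        return None
    return variant, cost


def check_prehashed_credential(value, min_cost=MIN_COST):
    """Decide whether a supplied hash may be stored verbatim. Returns (accepted, reason)."""
    parsed = parse_bcrypt_hash(value)
    if parsed is None:
        return False, "not a bcrypt hash"
    _, cost = parsed
    if cost < min_cost:
        return False, f"cost {cost} below minimum {min_cost}"
    if cost <= WARN_COST_MAX:
        return True, f"warning: cost {cost} is low"
    return True, "ok"


def resolve_bootstrap_credential(entry):
    """ACL-bootstrap style handling: keep a strong hash as-is, otherwise discard it and
    hand back a fresh random password for the caller to hash. Returns (hash, generated).
    Storing a weak or malformed value verbatim is what let a controlled file plant a
    near-plaintext admin credential."""
    supplied = entry.get("password_hash") or entry.get("password_bcrypt")
    accepted, _ = check_prehashed_credential(supplied)
    if accepted:
        return supplied, None
    return None, secrets.token_urlsafe(24)


def check_plaintext_length(password):
    """bcrypt hashes only the first 72 bytes; bcrypt >= 5.0 raises ValueError beyond that.
    Measure bytes, not characters: accents and emoji are 2 to 4 bytes each."""
    n = len(password.encode("utf-8"))
    return n <= BCRYPT_MAX_BYTES, n


def candidate_for_verify(password):
    """Truncate the login candidate exactly as older bcrypt did when the hash was made,
    so users whose stored password exceeded 72 bytes can still log in."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]
```

The truncation in `candidate_for_verify` operates on bytes and may cut a multi-byte character in half; that is intentional, because the stored hash was produced from the same first 72 bytes, and bcrypt never sees characters, only bytes.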
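The CSV/XLSX entry above extends formula-injection escaping (CWE-1236) to cells that begin with a tab or carriage return. As an added example, not the project's csv_safe/csv_writer or the client-side bwCsvSafe hook, the following Python shows the server-side shape of that rule: the leader set is the usual `= + - @` plus the two characters the entry adds; the function names, the audit helper and the sample rows are constructed for this illustration.

```python
import csv
import io

# Cell leaders a spreadsheet treats as a formula or command. The first four are
# the usual set; "\t" and "\r" are the two the release entry adds. Applied to
# strings only, so a numeric -5 stays a number while the text "-5" is escaped
# (conservative: a text cell is never worth a formula evaluation).
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")


def csv_safe(value):
    """Prefix a dangerous cell with a single quote so the importer shows it as text."""
    if isinstance(value, str) and value.startswith(FORMULA_LEADERS):
        return "'" + value
    return value


def find_formula_cells(rows):
    """Audit helper: (row, col) of every cell csv_safe would rewrite."""
    return [
        (r, c)
        for r, row in enumerate(rows)
        for c, cell in enumerate(row)
        if csv_safe(cell) != cell
    ]


def export_csv(rows):
    """Serialise rows with every cell passed through csv_safe. The csv module still
    does the quoting, so embedded quotes and CRs stay well-formed after the prefix."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([csv_safe(cell) for cell in row])
    return buf.getvalue()


# Constructed report rows: three cells that would execute or follow a link when
# opened in a spreadsheet without escaping, one text cell that merely looks numeric.
SAMPLE_ROWS = [
    ["ip", "reason", "note"],
    ["203.0.113.7", "=cmd|' /C calc'!A0", "ok"],
    ["198.51.100.9", "\t=HYPERLINK(\"http://evil.example\",\"x\")", "-5"],
    ["192.0.2.1", "\r@SUM(1+1)", 42],
]

if __name__ == "__main__":
    print(find_formula_cells(SAMPLE_ROWS))
    print(export_csv(SAMPLE_ROWS))
```

The leader set here is the one the entry describes; other importers may have their own quirks, so treat the list as a floor rather than a complete inventory.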
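Several entries above describe the same file-handling discipline from different angles: the scheduler and UI serialising letsencrypt cache writes on one shared fcntl.flock, backups written atomically with mode 0600 and pre-existing world-readable ones retro-tightened, and `.`/`..` rejected in cert_name before it is joined into a path. The block below is an added Python illustration of those mechanisms together, written for this page and not taken from BunkerWeb; only the lock file name comes from the entries, while the directory layout (a throwaway temp dir instead of /var/cache/bunkerweb), the cert_name character set and every function name are assumptions.

```python
import fcntl
import os
import re
import tempfile
from contextlib import contextmanager

# Lock file name taken from the release entry; the directory layout is a
# constructed example under a temp dir, not the real /var/cache/bunkerweb path.
LOCK_FILE = ".cache-write.lock"

# Assumed certificate-name policy: first character alphanumeric, then a small
# safe set, so ".", "..", "a/../b" and "-rf" (flag-shaped) all fail.
CERT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def validate_cert_name(name):
    """Reject anything that could escape the cert directory or look like an option."""
    return bool(CERT_NAME_RE.fullmatch(name))


@contextmanager
def cache_write_lock(cache_dir):
    """One exclusive flock shared by every writer (renew job, UI heal, UI delete).
    The kernel releases an flock when its holder exits, so a crashed job cannot
    leave the other writers blocked."""
    os.makedirs(cache_dir, mode=0o700, exist_ok=True)
    fd = os.open(os.path.join(cache_dir, LOCK_FILE), os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        yield
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def atomic_write_0600(path, data):
    """Create a same-directory temp file (mkstemp gives 0600 from the start),
    fsync it, then rename over the target: readers see old or new, never partial."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def tighten_mode(path):
    """Retro-tighten a pre-existing file that is group or world accessible.
    Returns True if the mode was changed."""
    if os.stat(path).st_mode & 0o077:
        os.chmod(path, 0o600)
        return True
    return False


def update_cache_row(cache_dir, cert_name, data):
    """What a renew job or a UI heal would do for one certificate's cache row."""
    if not validate_cert_name(cert_name):
        raise ValueError(f"invalid cert_name: {cert_name!r}")
    target = os.path.join(cache_dir, cert_name + ".json")
    with cache_write_lock(cache_dir):
        atomic_write_0600(target, data)
    return os.stat(target).st_mode & 0o777


def demo():
    """Run the whole flow in a throwaway directory and return the observations."""
    base = tempfile.mkdtemp(prefix="bw-example-")
    cache = os.path.join(base, "letsencrypt")
    results = {}
    results["mode"] = update_cache_row(cache, "example.com", b'{"account": "acct-1"}')
    update_cache_row(cache, "example.com", b'{"account": "acct-2"}')  # overwrite, still atomic
    with open(os.path.join(cache, "example.com.json"), "rb") as f:
        results["content"] = f.read().decode()
    leaky = os.path.join(base, "backup.db")  # constructed: an old world-readable backup
    with open(leaky, "wb") as f:
        f.write(b"sqlite")
    os.chmod(leaky, 0o644)
    results["tightened"] = tighten_mode(leaky)
    results["tightened_mode"] = os.stat(leaky).st_mode & 0o777
    results["rejected"] = [n for n in ("..", ".", "a/../b", "-rf", "example.com")
                           if not validate_cert_name(n)]
    return results


if __name__ == "__main__":
    print(demo())
```

The lock is taken around the whole write, not just the rename, so a renew and a heal cannot interleave their read-modify-write of the same row; flock is advisory, which is why every writer must go through the same helper.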
