Security
- ICS calendar subscriptions and one-off feed imports now validate the destination IP at the moment the connection is established, closing a DNS-rebinding hole where an attacker-controlled hostname could pass the pre-flight private-IP check but resolve to an internal address (e.g. cloud metadata) during the actual fetch. Literal private IPs — including IPv6 loopback and IPv4-mapped IPv6 in both decimal and hex form — are now rejected as well. The
ICS_SUBSCRIPTION_ALLOW_PRIVATE_NETWORKopt-in continues to bypass both checks for trusted LAN feeds.
Changed
- Bumped
tsdavto 2.3.1 and pinned build-script permissions (allowScripts) forbetter-sqlite3,bcryptandpuppeteer.