Skip to content

AdGuard Home v0.107.53

Compare
Choose a tag to compare
@adguard-bot adguard-bot released this 03 Oct 12:46
· 1010 commits to master since this release

It's been a while since we postponed the next AdGuard Home update for a few months. But of course, we had a good reason for it: with the help of community members (we are very thankful to you! πŸ™), we discovered two vulnerabilities and have been working on patching them. Testing the solutions took a bit longer than expected, but in the end, we believe in quality over speed.

Luckily, it's not all patching vulnerabilities and fixing bugs; we've made some improvements, too. For example, we've added support for 64-bit RISC-V architecture and Ecosia search engine to Safe Search. Find the complete changelog below.

Acknowledgments

A special thanks to our open-source contributor, @javabean, to @itz-d0dgy and @go-compile for reporting the vulnerabilities, our community moderators team, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!

Full changelog

Security

  • Previous versions of AdGuard Home allowed users to add any system file it had access to as filters, exposing them to be world-readable. To prevent this, AdGuard Home now allows adding filtering-rule list files only from files matching the patterns enumerated in the filtering.safe_fs_patterns property in the configuration file.

    We thank @itz-d0dgy for reporting this vulnerability, designated CVE-2024-36814, to us.

  • Additionally, AdGuard Home will now try to change the permissions of its files and directories to more restrictive ones to prevent similar vulnerabilities as well as limit the access to the configuration.

    We thank @go-compile for reporting this vulnerability, designated CVE-2024-36586, to us.

  • Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.23.2.

Added

  • Support for 64-bit RISC-V architecture (#5704).
  • Ecosia search engine is now supported in safe search (#5009).

Changed

  • Upstream server URL domain names requirements has been relaxed and now follow the same rules as their domain specifications.

Configuration changes

In this release, the schema version has changed from 28 to 29.

  • The new array filtering.safe_fs_patterns contains glob patterns for paths of files that can be added as local filtering-rule lists. The migration should add list files that have already been added, as well as the default value, $DATA_DIR/userfilters/*.

Fixed

  • Property clients.runtime_sources.dhcp in the configuration file not taking effect.
  • Stale Google safe search domains list (#7155).
  • Bing safe search from Edge sidebar (#7154).
  • Text overflow on the query log page (#7119).

Known issues

  • Due to the complexity of the Windows permissions architecture and poor support from the standard Go library, we have to postpone the proper automated Windows fix until the next release.

    Temporary workaround: Set the permissions of the AdGuardHome directory to more restrictive ones manually. To do that:

    1. Locate the AdGuardHome directory.
    2. Right-click on it and navigate to Properties β†’ Security β†’ Advanced.
    3. (You might need to disable permission inheritance to make them more restricted.)
    4. Adjust to give the Full control access to only the user which runs AdGuard Home. Typically, Administrator.

    An example of a what a properly restricted configuration could look like:

    permissions