Update adguard/adguardhome Docker tag to v0.107.55

[renovate]

This PR contains the following updates:

Package	Update	Change
adguard/adguardhome (source)	patch	v0.107.40 -> v0.107.55

---

Release Notes

AdguardTeam/AdGuardHome (adguard/adguardhome)

v0.107.55

Compare Source

See also the v0.107.55 GitHub milestone.

Security

• The permission check and migration on Windows has been fixed to use the Windows security model more accurately (#​7400).

• Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.23.4.

• The Windows executables are now signed.

Added

• The --no-permcheck command-line option to disable checking and migration of permissions for the security-sensitive files and directories, which caused issues on Windows (#​7400).

Fixed

• Setup guide styles in Firefox.

• Goroutine leak during the upstream DNS server test (#​7357).

• Goroutine leak during configuration update resulting in increased response time ([#​6818]).

v0.107.54

Compare Source

See also the v0.107.54 GitHub milestone.

Security

• Incorrect handling of sensitive files permissions on Windows (#​7314).

Changed

• Improved filtering performance (#​6818).

Fixed

• Repetitive statistics log messages (#​7338).
• Custom client cache (#​7250).
• Missing runtime clients with information from the system hosts file on first
  AdGuard Home start (#​7315).

v0.107.53

Compare Source

See also the v0.107.53 GitHub milestone.

Security

• Previous versions of AdGuard Home allowed users to add any system file it had
  access to as filters, exposing them to be world-readable. To prevent this,
  AdGuard Home now allows adding filtering-rule list files only from files
  matching the patterns enumerated in the filtering.safe_fs_patterns property
  in the configuration file.

  We thank @​itz-d0dgy for reporting this vulnerability, designated
  CVE-2024-36814, to us.

• Additionally, AdGuard Home will now try to change the permissions of its files
  and directories to more restrictive ones to prevent similar vulnerabilities
  as well as limit the access to the configuration.

  We thank @​go-compile for reporting this vulnerability, designated
  CVE-2024-36586, to us.

• Go version has been updated to prevent the possibility of exploiting the Go
  vulnerabilities fixed in 1.23.2.

Added

• Support for 64-bit RISC-V architecture (#​5704).
• Ecosia search engine is now supported in safe search (#​5009).

Changed

• Upstream server URL domain names requirements has been relaxed and now follow
  the same rules as their domain specifications.

Configuration changes

In this release, the schema version has changed from 28 to 29.

• The new array filtering.safe_fs_patterns contains glob patterns for paths of
  files that can be added as local filtering-rule lists. The migration should
  add list files that have already been added, as well as the default value,
  $DATA_DIR/userfilters/*.

Fixed

• Property clients.runtime_sources.dhcp in the configuration file not taking
  effect.
• Stale Google safe search domains list (#​7155).
• Bing safe search from Edge sidebar (#​7154).
• Text overflow on the query log page (#​7119).

Known issues

• Due to the complexity of the Windows permissions architecture and poor support
  from the standard Go library, we have to postpone the proper automated Windows
  fix until the next release.

  Temporary workaround: Set the permissions of the AdGuardHome directory
  to more restrictive ones manually. To do that:

  1. Locate the AdGuardHome directory.
  2. Right-click on it and navigate to Properties → Security → Advanced.
  3. (You might need to disable permission inheritance to make them more
     restricted.)
  4. Adjust to give the Full control access to only the user which runs
     AdGuard Home. Typically, Administrator.

v0.107.52

Compare Source

See also the v0.107.52 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go
  vulnerabilities fixed in Go 1.22.5.

Added

• The ability to disable logging using the new log.enabled configuration
  property (#​7079).

Changed

• Frontend rewritten in TypeScript.

• The systemd-based service now uses journal for logging by default. It
  also doesn't create the /var/log/ directory anymore (#​7053).

  NOTE: With an installed service for changes to take effect, you need to
  reinstall the service using -r flag of the install script
  or via the CLI (with root privileges):

  ./AdGuardHome -s uninstall
  ./AdGuardHome -s install

  Don't forget to backup your configuration file and other important data before
  reinstalling the service.

Deprecated

• Node 18 support, Node 20 will be required in future releases.

Fixed

• Panic caused by missing user-specific blocked services object in configuration
  file (#​7069).
• Tracking /etc/hosts file changes causing panics within particular
  filesystems on start (#​7076).

v0.107.51

Compare Source

See also the v0.107.51 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go
  vulnerabilities fixed in Go 1.22.4.

Changed

• The HTTP server's write timeout has been increased from 1 minute to 5 minutes
  to match the one used by AdGuard Home's HTTP client to fetch filtering-list
  data (#​7041).

v0.107.50

Compare Source

See also the v0.107.50 GitHub milestone.

Fixed

• Broken private reverse DNS upstream servers validation causing update failures
  (#​7013).

v0.107.49

Compare Source

See also the v0.107.49 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go
  vulnerabilities fixed in Go 1.22.3.

Added

• Support for comments in the ipset file (#​5345).

Changed

• Private rDNS resolution now also affects SOA and NS requests (#​6882).
• Rewrite rules mechanics were changed due to improved resolving in safe search.

Deprecated

• Currently, AdGuard Home skips persistent clients that have duplicate fields
  when reading them from the configuration file. This behaviour is deprecated
  and will cause errors on startup in a future release.

Fixed

• Acceptance of duplicate UIDs for persistent clients at startup. See also the
  section on client settings on the [Wiki page][wiki-config].
• Domain specifications for top-level domains not considered for requests to
  unqualified domains (#​6744).
• Support for link-local subnets, i.e. fe80::/16, as client identifiers
  (#​6312).
• Issues with QUIC and HTTP/3 upstreams on older Linux kernel versions
  (#​6422).
• YouTube restricted mode is not enforced by HTTPS queries on Firefox.
• Support for link-local subnets, i.e. fe80::/16, in the access settings
  (#​6192).
• The ability to apply an invalid configuration for private rDNS, which led to
  server not starting.
• Ignoring query log for clients with ClientID set (#​5812).
• Subdomains of in-addr.arpa and ip6.arpa containing zero-length prefix
  incorrectly considered invalid when specified for private rDNS upstream
  servers (#​6854).
• Unspecified IP addresses aren't checked when using "Fastest IP address" mode
  (#​6875).

v0.107.48

Compare Source

See also the v0.107.48 GitHub milestone.

Fixed

• Access settings not being applied to encrypted protocols (#​6890).

v0.107.47

Compare Source

See also the v0.107.47 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go
  vulnerabilities fixed in Go 1.22.2.

Changed

• Time Zone Database is now embedded in the binary (#​6758).
• Failed authentication attempts show the originating IP address in the logs, if
  the request came from a trusted proxy (#​5829).

Deprecated

• Go 1.22 support. Future versions will require at least Go 1.23 to build.
• Currently, AdGuard Home uses a best-effort algorithm to fix invalid IDs of
  filtering-rule lists on startup. This feature is deprecated, and invalid IDs
  will cause errors on startup in a future version.
• Node.JS 16. Future versions will require at least Node.JS 18 to build.

Fixed

• Resetting DNS upstream mode when applying unrelated settings (#​6851).
• Symbolic links to the configuration file begin replaced by a copy of the real
  file upon startup on FreeBSD (#​6717).

Removed

• Go 1.21 support.

v0.107.46

Compare Source

See also the v0.107.46 GitHub milestone.

Added

• Ability to disable the use of system hosts file information for query
  resolution (#​6610).
• Ability to define custom directories for storage of query log files and
  statistics (#​5992).

Changed

• Private rDNS resolution (dns.use_private_ptr_resolvers in YAML
  configuration) now requires a valid "Private reverse DNS servers", when
  enabled (#​6820).

  NOTE: Disabling private rDNS resolution behaves effectively the same as if
  no private reverse DNS servers provided by user and by the OS.

Fixed

• Statistics for 7 days displayed by day on the dashboard graph (#​6712).
• Missing "served from cache" label on long DNS server strings (#​6740).
• Incorrect tracking of the system hosts file's changes (#​6711).

v0.107.45

Compare Source

See also the v0.107.45 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the Go
  vulnerabilities fixed in Go 1.21.8.

Added

• Context menu item in the Query Log to add a Client to the Persistent client
  list (#​6679).

Changed

• Starting with this release our scripts are using Go's forward compatibility
  mechanism for updating the Go version.

  Important note for porters: This change means that if your go version
  is 1.21+ but is different from the one required by AdGuard Home, the go tool
  will automatically download the required version.

  If you want to use the version installed on your builder, run:

  go get go@$YOUR_VERSION
  go mod tidy

  and call make with GOTOOLCHAIN=local.

Deprecated

• Go 1.21 support. Future versions will require at least Go 1.22 to build.

Fixed

• Missing IP addresses in logs when querying for domain names from the ignore
  lists.
• Blank page after resetting access clients (#​6634).
• Wrong algorithm for caching bootstrapped upstream addresses (#​6723).

Removed

• Go 1.20 support, as it has reached end of life.

v0.107.44

Compare Source

See also the [v0.107.44 GitHub milestone][ms-v0.107.44].

Added

• Timezones in the Etc/ area to the timezone list ([#​6568]).
• The schema version of the configuration file to the output of running
  AdGuardHome (or AdGuardHome.exe) with -v --version command-line options
  ([#​6545]).
• Ability to disable plain-DNS serving via UI if an encrypted protocol is
  already used ([#​1660]).

Changed

• The bootstrapped upstream addresses are now updated according to the TTL of
  the bootstrap DNS response ([#​6321]).
• Logging level of timeout errors is now error instead of debug ([#​6574]).
• The field "upstream_mode" in POST /control/dns_config and
  GET /control/dns_info HTTP APIs now accepts load_balance value. Check
  openapi/CHANGELOG.md for more details.

Configuration changes

In this release, the schema version has changed from 27 to 28.

• The new property clients.persistent.*.uid, which is a unique identifier of
  the persistent client.

• The properties dns.all_servers and dns.fastest_addr were removed, their
  values migrated to newly added field dns.upstream_mode that describes the
  logic through which upstreams will be used. See also a [Wiki
  page][wiki-config].

v0.107.43

Compare Source

See also the v0.107.43 GitHub milestone.

Fixed

• Incorrect handling of IPv4-in-IPv6 addresses when binding to an unspecified
  address on some machines (#​6510).

v0.107.42

Compare Source

See also the v0.107.42 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the
  CVE-2023-39326, CVE-2023-45283, and CVE-2023-45285 Go vulnerabilities fixed in
  Go 1.20.12.

Added

• Ability to set client's custom DNS cache (#​6263).
• Ability to disable plain-DNS serving through configuration file if an
  encrypted protocol is already enabled (#​1660).
• Ability to specify rate limiting settings in the Web UI (#​6369).

Changed

Configuration changes

• The new property dns.serve_plain_dns has been added to the configuration
  file (#​1660).
• The property dns.bogus_nxdomain is now validated more strictly.
• Added new properties clients.persistent.*.upstreams_cache_enabled and
  clients.persistent.*.upstreams_cache_size that describe cache configuration
  for each client's custom upstream configuration.

Fixed

• ipset entries family validation (#​6420).
• Pre-filling the New static lease window with data (#​6402).
• Protection pause timer synchronization (#​5759).

v0.107.41

Compare Source

See also the v0.107.41 GitHub milestone.

Security

• Go version has been updated to prevent the possibility of exploiting the
  CVE-2023-45283 and CVE-2023-45284 Go vulnerabilities fixed in
  Go 1.20.11.

Added

• Ability to specify subnet lengths for IPv4 and IPv6 addresses, used for rate
  limiting requests, in the configuration file (#​6368).
• Ability to specify multiple domain specific upstreams per line, e.g.
  [/domain1/../domain2/]upstream1 upstream2 .. upstreamN (#​4977).

Changed

• Increased the height of the ready-to-use filter lists dialog (#​6358).
• Improved logging of authentication failures (#​6357).

Configuration changes

• New properties dns.ratelimit_subnet_len_ipv4 and
  dns.ratelimit_subnet_len_ipv6 have been added to the configuration file
  (#​6368).

Fixed

• Schedule timezone not being sent (#​6401).
• Average request processing time calculation (#​6220).
• Redundant truncation of long client names in the Top Clients table (#​6338).
• Scrolling column headers in the tables (#​6337).
• $important,dnsrewrite rules not overriding allowlist rules (#​6204).
• Dark mode DNS rewrite background (#​6329).
• Issues with QUIC and HTTP/3 upstreams on Linux (#​6335).

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.