v0.15.8

@Meierschlumpf Meierschlumpf released this 07 Dec 21:38
· 17 commits to dev since this release
31a7559

Note

We've been actively working towards version 1.0, which will include many improvements to performance, security and the overall look & feel of Homarr. It will greatly overhaul the technical architecture of Homarr. This work is done by volunteers. Please consider supporting our work via donations at https://opencollective.com/homarr

🔒 Security patch v0.15.8 🔒

Caution

Please update your Homarr instance to this new version. Versions before 0.15.8 contain two vulnerabilities:

  1. An admin user could add arbitrary JavaScript code to other users' boards (XSS, or cross-site scripting). We implemented a fix so that this JavaScript is no longer executed.
  2. Any logged-in user could create a file on your filesystem (or inside your Docker container). This shouldn't be dangerous when running in Docker but could lead to dangerous situations if you run Homarr bare-metal as root. At this time, full RCE doesn't seem possible, but creating files is.

Fix broken avatars in Jellyseerr

For some users, avatars were broken in Jellyseerr. Thanks to @TyxTang for fixing it.

Fix broken translations in the DNS hole widget

Some translations in the timer modal of the DNS hole widget did not work. Thanks to @marius-arch.