• View downloads
• View release notes

• View downloads
• View release notes

✨ New Features & Improvements

• @directus/app
  • Added keyboard navigation to the cards layout (#26976 by @HZooly)
  • Added native Tabs group interface. Uninstall the extension if currently using it to avoid unintended side effects. (#26836 by @bryantgillespie)
  • Added bulk folder deletion from the files grid with move-up or delete-all options (#26886 by @HZooly)
  • Used shorter tooltip delay for disabled elements (#26965 by @HZooly)
• @directus/utils
  • Added parseNow utility to resolve the $NOW dynamic variable (#26954 by @costajohnt)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed calendar picker crash when using dynamic variables (e.g. $NOW) (#26954 by @costajohnt)
  • Updated relationship_not_setup wording to clarify it may also result from missing permissions (#26918 by @Ikromjon1998)
  • Restored useItem support for custom query options like fields and deep by adding an optional extra query parameter and updating affected call sites. (#26985 by @LZylstra)
• @directus/api
  • Fixed file replacement returning Forbidden (#27001 by @ComfortablyCoding)
  • Updated happy-dom, path-to-regexp, picomatch, node-forge, and brace-expansion to address CVEs (#27006 by @br41nslug)
  • Fixed extension auto reload not triggering (#26986 by @ComfortablyCoding)
• @directus/utils
  • Fixed calendar picker crash when using dynamic variables (e.g. $NOW) (#26954 by @costajohnt)
• @directus/schema
  • Fixed MySQL foreignKeys query to include TABLE_NAME in the JOIN condition, preventing a cartesian product when InnoDB statistics on system tables are degraded. (#26964 by @HattoriEnzo)
• @directus/sdk
  • Fixed filter operator typing for date and time fields to support comparison and range operators. (#26957 by @costajohnt)

📦 Published Versions

• @directus/app@15.7.0
• @directus/api@35.0.1
• @directus/composables@11.2.17
• create-directus-extension@11.0.33
• @directus/env@5.7.1
• @directus/extensions@3.0.23
• @directus/extensions-registry@3.0.23
• @directus/extensions-sdk@17.1.1
• @directus/memory@3.1.6
• @directus/pressure@3.0.21
• @directus/schema@13.0.7
• @directus/schema-builder@0.0.18
• @directus/storage-driver-azure@12.0.21
• @directus/storage-driver-cloudinary@12.0.21
• @directus/storage-driver-gcs@12.0.21
• @directus/storage-driver-s3@12.1.7
• @directus/storage-driver-supabase@3.0.21
• @directus/themes@1.3.1
• @directus/types@15.0.1
• @directus/utils@13.4.0
• @directus/validation@2.0.21
• @directus/sdk@21.2.2

• Closed Secure Link vulnerability
• iOS profile now uses external IMAP settings correctly
• Fixed issue with importing contacts from VCF files
• Security improvements

Changelog

• 65612b7 chore: add .DS_Store to .gitignore
• 29e4666 chore: enable windows test build and release binaries
• 38276ab fix: fixes webserver network type

Changelog

• 8234c31 Fix versitygw#1864 to not return parent keys for ListObjectVersions with prefix
• d4ea895 chore(deps): bump actions/download-artifact from 4 to 7
• 7ebe0f8 chore(deps): bump actions/download-artifact from 7 to 8
• 790bac2 chore(deps): bump actions/upload-artifact from 4 to 6
• 892590a chore(deps): bump actions/upload-artifact from 6 to 7
• 6e9f0db chore(deps): bump github.com/clipperhouse/uax29/v2
• 22d49ed chore(deps): bump github.com/gofiber/fiber/v2 from 2.52.11 to 2.52.12
• 496b098 chore(deps): bump goreleaser/goreleaser-action from 6 to 7
• 0530636 chore(deps): bump the dev-dependencies group with 21 updates
• fa9f9ef chore(deps): bump the dev-dependencies group with 4 updates
• 0954428 chore(deps): bump the dev-dependencies group with 7 updates
• 3f2de08 chore: cleanup go.mod with go mod tidy
• fc5c0a3 chore: fix typos and error return wrapping types in posix
• 4fa7d38 chore: fix warning in system.yml github workflow
• af76584 chore: update README.md to highlight new web gui feature
• dc0572b chore: update readme for testing overview
• e7a1231 feat: add cli options to specify webui gateway/admin listing
• b3eac97 feat: add concurrency limiter to scoutfs
• fd0c9df feat: add favicon to all pages in webui
• 599ab1b feat: add multi-address listener for s3/admin/webui
• e2821fc feat: add option to disable s3proxy client data integrity checks
• 4b11f54 feat: add posix concurrency-limiter
• 8550dba feat: add tagging support for directory objects in posix
• 7fb3ded feat: adds Location, x-amz-bucket-arn response headers in CreateBucket
• 2436475 feat: adds checksums for directory objects in posix
• f7814ad feat: adds fiber max connections and in-flight requests limiter
• 9c21299 feat: allow anonymous access for s3proxy backend
• 5ae791b feat: configuration option to disable ACLs
• d03a331 feat: optimize multipart upload checksum calculation.
• 3e26175 feat: replace aws-sdk-go-v2 s3 manager with transfermanager
• 5c918f3 feat: revert ignore object ACL behavior
• 880d4ce feat: update go version to 1.25.0 and golang.org/x/net to 0.51.0
• e702a48 fix: CopyObject with URL-encoded special chars
• da82e5e fix: add missing tests to group-tests map
• 2232efd fix: adds application/xml Content-Type to error responses
• f1577fd fix: correct private canned ACL behavior on bucket creation
• 89aa822 fix: fixes DeleteObject if-match quoted comparison
• 6fafc15 fix: fixes PutBucketCors CORSRules validation
• 46bcc8a fix: fixes object default Content-Type
• 760f252 fix: improve WalkVersions() ancestor-directory guard for prefix filtering
• 3d56636 fix: make webui sidebar responsive on mobile
• 68755ca fix: replace debuglogger.Logf("Internal Error, %v", err) with debuglogger.InternalError(err)
• 4ebe408 fix: store final checksum on CompleteMultipartUpload
• 7695be5 fix: store part checksums at destination path in UploadPartCopy

Changelog

• bcf341b Add "lexical" sort to walker.go
• 73e2df4 Base import of cutdown version of io/fs/walk.go from golang as walker.go
• 0c520a3 Reload TLS certificates on SIGHUP
• bef8f38 Revert of 34da183 and 8e18b43 for backend/walk.go
• a69f5a4 chore(deps): bump actions/checkout from 4 to 6
• 2489d87 chore(deps): bump docker/build-push-action from 5 to 6
• 1dfc77d chore(deps): bump github.com/clipperhouse/uax29/v2
• d2996e1 chore(deps): bump the dev-dependencies group with 2 updates
• e37dfa6 chore(deps): bump the dev-dependencies group with 6 updates
• 82878f4 chore(deps): bump the dev-dependencies group with 7 updates
• 792a3eb chore: add advanced codeql workflow for repo customizations
• f78483a chore: add codeql ignore for embedded 3rd party js assets
• e08539e chore: add dependabot updates for github actions
• 68d7924 feat: add web-based UI for S3 object management and admin operations
• 2e67940 feat: adds delimiter support in ListMultipartUploads
• 6c564fe feat: makes root creds usable for admin subcommand with lower precendence
• 43fd18b fix: admin server debug always enabled when --admin-port option enabled
• 01fc142 fix: correct spelling for debuglogger.InternalError() (#1784)
• 86e2b02 fix: fixes delete markers access for some actions
• 2365f9f fix: fixes list-limiters parsing and validation
• 43559e6 fix: fixes non-existing object deletion with versionId
• f6225aa fix: fixes some write operations blocking in read-only mode
• 12092cf fix: fixes the SignedStreamingPayloadTrailer_success test failure
• 63fcdb3 fix: pin github.com/nats-io/nkeys version to v0.4.12
• f29206a fix: put object on windows when parent directories dont already exists
• 11e5049 fix: remove duplicate cors headers from options router
• 7017ffa fix: removes object metadata loading from posix ListParts
• 8569b15 fix: return not implemented in object actions, if acl header is present
• 03f0be2 fix: reverts the nats-io/nkeys package version to v0.4.12
• 9343860 fix: webui md5 missing error when enabling directory object lock

Changelog

• 7a4dd59 chore(deps): bump github.com/valyala/fasthttp
• 8d16bff chore(deps): bump the dev-dependencies group with 2 updates
• 6198bf4 chore(deps): bump the dev-dependencies group with 20 updates
• 0124398 chore(deps): bump the dev-dependencies group with 6 updates
• d446102 feat: add option for default global cors allow origin headers
• f467b89 feat: adds Location in CompleteMultipartUpload response
• 8073994 feat: adds integration tests for STREAMING-AWS4-HMAC-SHA256-PAYLOAD requests
• cc54aad feat: adds integration tests for STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER requests
• 2561ef9 feat: implements admin CreateBucket endpoint/cli command
• 5aa2a82 fix: Makes precondition headers insensitive to whether the value is quoted
• c2c2306 fix: adds an error route for ?versions subresource with key
• 12e1308 fix: adds versionId in put/get/delete object tagging actions response.
• 9eaaeed fix: bunch of fixes in signed streaming requests
• 657b9ac fix: changes AuthorizationHeaderMalformed error status to 400
• edac345 fix: cleanup sidecar metadata empty dirs
• 7a26aec fix: fix the concurrency issue in integration tests bucket name generation
• d015842 fix: fixes CreateBucket LocationConstraint validation
• a75aa9b fix: fixes if-none-match precondition header logic in object write operations
• cf99b3e fix: fixes invalid/expired x-amz-object-lock-retain-until-date errors
• 2a7e76a fix: fixes missing bucket object lock config error
• c91e5dc fix: fixes the InvalidRetentionPeriod error code and message
• 39ee175 fix: fixes the PutBucketPolicy response status
• 981a34e fix: fixes x-amz-if-match-size parsing
• b78d21c fix: optimize sidecar empty-dir checks
• 9f6bf18 fix: removes Expect from sigv4 ignored headers list
• 06a4512 fix: removes the NoSuchTagSet error in GetObjecTagging
• 61308d2 fix: return NoSuchKey if a precondition header is present and object doesn't exist in PutObject, CompleteMultipartUpload
• 8e0eec0 fix: return null in GetBucketLocation for us-east-1
• 06f4f0a fix: skips object lock check in DeleteObject without versionId.
• 0cab42d xattr: use different namespace prefixes for FreeBSD vs other platforms

Changelog

• d7cbee7 chore(deps): bump the dev-dependencies group with 10 updates
• 55c94f4 chore(deps): bump the dev-dependencies group with 17 updates
• b29d6a0 chore(deps): bump the dev-dependencies group with 23 updates
• cadd791 chore(deps): bump the dev-dependencies group with 6 updates
• d0ec284 feat: adds STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER option in test generation script
• c58f9b2 feat: adds integration tests for unsigned streaming payload trailer uploads
• ce9693e feat: upgrades actions checkout v4 -> v5 and go-setup v5 -> v6
• 0a2a23d fix: Checks that x-amz-decoded-content-length matches the actual payload in unsigned streaming upload
• dfe6abc fix: adds validation for chunk sizes in unsigned streaming trailer upload
• f631cd0 fix: fixes error handling for unsigned streaming upload malformed encoding
• b57764e fix: fixes ipa iam GetUserAccount id parsing panic
• d507f20 fix: fixes the GetObjectAttributes panic in s3 proxy
• d861dc8 fix: fixes unsigned streaming upload parsing and checksum calculation
• 69e107e fix: rejects STREAMING-UNSIGNED-PAYLOAD-TRAILER for all actions, except for PutObject and UploadPart
• 7627deb fix: removes mandatory checksum header check for PutObjectTagging

Changelog

• 2dd442c Allow self-signed certificates
• 45f55c2 auth/vault: add Vault namespace support
• 11bd58c chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0
• cdc4358 chore(deps): bump the dev-dependencies group with 11 updates
• 3a65521 chore(deps): bump the dev-dependencies group with 12 updates
• c3c39e4 chore(deps): bump the dev-dependencies group with 16 updates
• ff973c2 chore(deps): bump the dev-dependencies group with 17 updates
• 703c7cd chore(deps): bump the dev-dependencies group with 17 updates
• 971ae78 chore(deps): bump the dev-dependencies group with 23 updates
• dff3eb0 chore(deps): bump the dev-dependencies group with 23 updates
• 9ae6807 chore(deps): bump the dev-dependencies group with 3 updates
• 6cf3b93 chore(deps): bump the dev-dependencies group with 6 updates
• 40da4a3 chore: cleanup unused constants
• 4c3965d feat: add option to disable strict bucket name checks
• 3c3e9dd feat: add project id support for scoutfs backend
• ce6193b feat: adds bucket policy version support
• 05f8225 feat: adds missing versioning-related bucket policy actions
• a64733b feat: adds projectID prop in IAM user account
• 8d2eeeb feat: adds tagging support for object versions in posix
• d396859 feat: adds the x-amz-expected-bucket-owner check in the gateway
• 7745972 feat: adds x-amz-tagging-count support for HeadObject
• a4dc837 feat: concurrent execution of integration tests
• 64f50cc feat: gracul shutdown of s3api and admin servers
• 12f4920 feat: implements checksum calculation for all actions
• caa7ca0 feat: implements fiber panic recovery
• 9bde1dd feat: implements tagging support for CreateBucket
• 707af47 feat: prevents locked objects overwrite with CopyObject and CompleteMultipartUpload
• d05f25f feat: refactoring of the integration tests
• 7aa733a feat: use docker entrypoint for flexible env var docker config
• ebdda06 fix: adds BadDigest error for incorrect Content-Md5 s
• 9f54a25 fix: adds an error route for object calls with ?uploads query arg
• df74e7f fix: adds checks for x-amz-content-sha256 in anonymous requests
• 4740372 fix: adds error routes to reject x-amz-copy-source for GET, POST, HEAD, DELETErequests
• 9a01185 fix: adds request body check for CopyObject and UploadPartCopy
• 7744dac fix: adds validation for bucket canned ACL
• eae11b4 fix: adds versionId validation for object level actions
• ca6a92b fix: changes empty mp parts error on CompleteMultipartUpload
• a606e57 fix: correct a few object lock behaviors
• 8bb4bcb fix: fixes NoSuchVersion errors for some actions in posix
• 068b04e fix: fixes PutObjectRetention error cases and object lock error code/message.
• 8c3e49d fix: fixes checksum header and algorithm mismatch error
• 5c084b8 fix: fixes locked objects overwrite in versioning-enabled buckets
• 5c3cef6 fix: fixes s3 event and access logs sending in ProcessController
• 6176d9e fix: fixes sigv4 and presigned url auth errors.
• ebf7a03 fix: fixes the bucket/object tagging key/value name validation
• 5bc6852 fix: fixes the checksum type/algo mismatch error in create mp
• 24679a8 fix: fixes the composite checksums in CompleteMultipartUpload
• 54e2c39 fix: fixes the invalid Content-Length error
• 1d0a1d8 fix: fixes the panic in GetBucketVersioning in s3 proxy
• d15d348 fix: fixes the response header names normalizing
• ee67b41 fix: head object should set X-Amz-Bucket-Region on access denied
• 27dc84b fix: implements proper error handling for malformed http requests
• 045bdec fix: makes object metadata keys lowercase in object creation actions
• a057a25 fix: removes content-md5 check from the actions where it's unnecessary
• f435880 fix: removes trailing / for bucket operations in host-style parser
• 932f1c9 fix: sets crc64nvme as defualt checksum for complete mp action

Changelog

• c93d2cd Fix scoutfs backend s3 upload with non-aligned size.
• fbde51b be able to debug LDAP queries; be consistent between GetUserAccount() and ListUserAccounts() on how to build the search filters; objectClasses were missing in GetUserAccount research filter leading to a bad result for example when a posixgGroup have the same name as a posixUser.
• eb0a8ee chore(deps): bump the dev-dependencies group with 10 updates
• 8fb020e chore(deps): bump the dev-dependencies group with 25 updates
• 5aa407d cleanup: ipa iam server debug logging done with debuglogger
• b358e38 cleanup: minor fixes to ldap exported functions and test
• 24b1c45 cleanup: move debuglogger to top level for full project access
• b46a486 cleanup: s3 iam server debug logging done with debuglogger
• 58117c0 feat: add get bucket location frontend handlers
• 8cad7fd feat: add response header overrides for GetObject
• 818e91e feat: adds x-amz-object-size in PutObject response headers
• 4c41b8b feat: changes cors implementation in s3 to store/retreive in meta bucket
• 7a098b9 feat: implement conditional writes
• b3ed763 feat: implements conditional reads for GetObject and HeadObject
• 18e3012 fix: #1527 - case-insensitive x-amz-checksum-mode header value
• 2bb8a1e fix: NotImplemented for GetObject/HeadObject PartNumber
• 6a82213 fix: add keeplive option (CLI and env var)
• 8436202 fix: adds full wildcard and any character match for bucket policy actions
• 8e18b43 fix: lex sort order of listobjects backend.Walk
• 34da183 fix: lex sort order of listobjectversions backend.WalkVersions
• 488a9ac fix: panic in signed-chunk-reader with incorrect debug string
• a4091fd fix: previous pr was not rebased before merging and caused a build error

Changelog

• 936239b DRY of scoutfs integration, alignment testing for scoutfs.MoveData
• e62337f Fix O_TMPFILE Linkat race.
• 8e6dd45 Fix race in GetObject
• 3934bea Lowercase err message.
• 298d4ec Merged scoutfs and posix ListObjects and ListObjectsV2
• f0858a4 Small cleanups.
• 3208247 chore(deps): bump github.com/valyala/fasthttp
• 6e91e87 chore(deps): bump the dev-dependencies group with 18 updates
• 13c7cb4 chore(deps): bump the dev-dependencies group with 19 updates
• 47e49ce chore(deps): bump the dev-dependencies group with 19 updates
• cef2950 chore(deps): bump the dev-dependencies group with 20 updates
• f29337a chore(deps): bump the dev-dependencies group with 20 updates
• 5be9e3b feat: a total refactoring of the gateway middlewares by lowering them from server to router level.
• 36d2a55 feat: add rabbitmq s3 event notification support
• 1eeb7de feat: add versioning dir option to scoutfs backend
• e5850ff feat: adds copy source validation for x-amz-copy-source header.
• f877502 feat: adds integration tests for public buckets.
• 0895ada feat: adds not implemented routes for bucket accelerate configuration actions
• ed92ad3 feat: adds not implemented routes for bucket ecryption actions
• cdccdcc feat: adds not implemented routes for bucket intelligent tiering actions
• 24b88e2 feat: adds not implemented routes for bucket inventory configuration actions
• 025b0ee feat: adds not implemented routes for bucket lifecycle configuration actions
• 5f28a74 feat: adds not implemented routes for bucket logging actions
• 45a1f7a feat: adds not implemented routes for bucket metrics configuration actions
• d784c0a feat: adds not implemented routes for bucket notification configuration actions
• be79fc2 feat: adds not implemented routes for bucket public access block actions
• 88f84bf feat: adds not implemented routes for bucket replication actions
• 6b450a5 feat: adds not implemented routes for bucket request payment actions
• 14a2984 feat: adds not implemented routes for bucket website actions
• 67d0750 feat: adds unit tests for object DELETE and POST operations
• ba76aea feat: adds unit tests for the object HEAD and GET controllers.
• 09031a3 feat: bucket cors implementation
• d90944a feat: implementes GetBucketPolicyStatus s3 action
• 866b07b feat: implementes unit tests for all the bucket action controllers.
• d2038ca feat: implements advanced routing for HeadObject and bucket PUT operations.
• a7c3cb5 feat: implements advanced routing for ListBuckets, HeadBucket and bucket delete operations
• b7c758b feat: implements advanced routing for bucket POST and object PUT operations.
• a3fef42 feat: implements advanced routing for object DELETE and POST actions.
• 56d4e4a feat: implements advanced routing for object GET actions.
• abdf342 feat: implements advanced routing for the admin apis. Adds the debug logging and quite mode for the separate admin server.
• b8456bc feat: implements advanced routing system for the bucket get operations.
• dc16c04 feat: implements integration tests for the new advanced router
• edaf9d6 feat: implements public bucket access for write operations
• 39cef57 feat: implements public bucket access.
• ab571a6 feat: implements unit tests for admin controllers
• 394675a feat: implements unit tests for controller utilities
• 7f9ab35 feat: implements unit tests for object PUT controllers
• 0eadc38 fix: add -1 to azure etag to avoid client sdk verfications
• e134f63 fix: add test cases and fix behavior for head/get range requests
• 3d20a63 fix: adds Acces-Control-Allow-Headers to cors responses
• 7dc213e fix: adds bucket region in ListBuckets result
• 8db1966 fix: adds not implemented routes for bucket analytics s3 actions.
• 4187b4d fix: adds validation for x-amz-content-sha256 header
• 891672b fix: fixes the HeadObject version access control with policies.
• 4395c9e fix: fixes the InvalidBucketAclWithObjectOwnership error code.
• 69ba00a fix: fixes the UploadPart failure with no precalculated checksum header for FULL_OBJECT checksum type
• 2b9e343 fix: fixes the invalid part number marker error description in ListParts
• e74d2c0 fix: fixes the invalid x-amz-mp-object-size header error in CompleteMultipartUpload.
• 0972af0 fix: fixes the nil body reader panic.
• 65cd44a fix: fixes the s3 access logs and metrics manager reporting. Fixes the default cotext keys setter order in the middlewares.
• dafe099 fix: iam ldap reconnect after network disconnects
• e18c4f4 fix: ignores special checksum headers when parsing x-amz-checksum-x headers
• 3363988 fix: makes checksum type and algorithm case insensitive in CreateMultipartUpload
• 7953241 fix: panic in access log when region header not set in request context
• 6306512 fix: update marker/continuation token to be the azure next marker

Changelog

• ee4d0b0 chore(deps): bump the dev-dependencies group with 3 updates
• a915c3f chore(deps): bump the dev-dependencies group with 6 updates
• 36509da chore: use time.Equal for s3proxy time equality checks
• e39ab6f feat: split the vault mount path into kv and auth
• cbd3eb1 fix: ListMultipartUploads pagination panic and duplicate results
• f295df2 fix: add new auth method to update ownership within acl
• 91b904d fix: add retry for iam freeipa http requests
• c196b5f fix: admin bucket actions for s3proxy
• c320108 fix: always log internal server error messages to stderr
• 003bf5d fix: convert deprecated fasthttp VisitAll() to All()
• 08ccf82 fix: refresh expired iam vault tokens when needed

Changelog

• d971e0e chore(deps): bump the dev-dependencies group with 12 updates
• 3aa2042 chore(deps): bump the dev-dependencies group with 18 updates
• b33499c chore(deps): bump the dev-dependencies group with 18 updates
• 23169fa chore(deps): bump the dev-dependencies group with 2 updates
• 532123e chore(deps): bump the dev-dependencies group with 4 updates
• d9300ea feat: add SECURITY.md to define GitHub security policy
• 98a7b7f feat: adds a middleware to validate bucket/object names
• 7b8b483 feat: calculate full object crc for multi-part uploads for compatible checksums
• 458db64 feat: implements public bucket access.
• 7260854 fix: add object path validation util
• 0d73e3e fix: prevent internal request retry to s3proxy backend
• 6541232 fix: s3 backend user bucket listing
• d831985 fix: s3log crash if startTime not defined
• 5ba5327 fix: s3proxy create bucket always returning BucketAlreadyExists

[3.0.3] - 2026-03-30

Added

• Added shuffle option to the artist, genre and album context menus.
• Added shuffle all on artist, genre, album and songs screens.
• Added crossfade
• Added smart playlists
• Added Catppuccin and Dracula themes (Thank you BlackSpirits!)
• Added "Always on top" and "Lock position" options to the mini player context menu

Changed

• Updated the Croatian translation
• Updated the German translation
• Updated the Italian translation
• Updated the Portuguese (brazilian) translation
• Updated the Portuguese (Portugal) translation
• Updated the Simplified Chinese translation
• Updated the Spanish translation
• Updated the Vietnamese translation

Fixed

• Genres which are starting with numbers are incorrectly detected
• Play and skip count are not updated when collection songs are played from playlists
• Flac rating is lost after editing tags
• Dopamine window doesn't show when clicking on pinned Taskbar icon in Windows
• Error when deleting songs that are on a network drive
• The titlebar is only draggable in empty spots

P.S.: If you enjoy Dopamine, please consider donating via PayPal or buying me a coffee. Your support keeps the music going!

Fix issue security advisory on DTD processing. Make default Ignore DTD option True, which is more secure.

Fix issue security advisory on DTD processing. Make default Ignore DTD option True, which is more secure.

You can install pre-built binaries from https://repo.dovecot.org/

Docker images can be found at https://hub.docker.com/r/dovecot/dovecot

Please review https://doc.dovecot.org/2.4.3/installation/upgrade/2.3-to-2.4.html and https://doc.dovecot.org/2.4.3/installation/installation.html.

Important

There are experimental features in 2.4, one is enabled with --enable-experimental-mail-utf8, and another with --enable-experimental-imap4rev2, and you also need to set mail_utf8_extensions=yes and imap4rev2_enabled=yes to enable them in config.

Critical bug fixes

• CVE-2025-59028: Invalid base64 authentication can cause DoS for other
  logins.
• CVE-2025-59031: decode2text.sh OOXML extraction may follow symlinks
  and read unintended files during indexing. Fixed by dropping the script.
• CVE-2026-24031: SQL injection possible if auth_username_chars is
  configured empty. Fixed escaping to always happen. v2.4 regression.
• CVE-2026-27859: Excessive RFC 2231 MIME parameters in email would cause
  excessive CPU usage. Fixed by limiting number of parameters to process.
• CVE-2026-27860: LDAP query injection possible if auth_username_chars
  is configured empty. Fixed escaping to always happen. v2.4 regression.
• CVE-2026-27857: Sending excessive parenthesis causes imap-login to use
  excessive memory.
• CVE-2026-27856: Doveadm credentials were not checked using timing-safe
  checking function.
• CVE-2026-27855: OTP driver vulnerable to replay attack.

Changes

• Remove default service/*/service_extra_groups=$SET:default_internal_group.
  They are now replaced by default mail_access_groups=$SET:default_internal_group.
• The version file has been renamed as version.txt to avoid clash with
  C++ headers.
• auth: oauth2 - Do not export token automatically, must be exported using
  fields.
• config: Don't accept 0 as meaning unlimited anymore for
  last_valid_uid, last_valid_gid, mail_cache_max_headers_count,
  mail_cache_max_header_name_length, mail_vsize_bg_after_count,
  mail_sort_max_read_count, message_max_size, submission_max_recipients
  and quota_mail_size.
• imap, pop3: Don't autoexpunge if Dovecot is shutting down or process
  is killed.
• imap: LIST - Handle invalid mUTF-7 mailbox names as never matching anything
• lazy-expunge: Change lazy_expunge_only_last_instance default to yes.
• lda: Use EX_TEMPFAIL (75) if configuration is invalid instead of 89.
  v2.4 regression.
• lib-master: Increase ANVIL_DEFAULT_LOOKUP_TIMEOUT_MSECS from 5s to 30s
• lib: crc32 - Use zlib's built-in CRC32 function

New features

• Improve UTF-8 support for mail storage.
• auth: Add default auth-token UNIX socket for token-based authentication.
• doc: solr-config-9.xml - Make it compatible with Solr 9.8.0
• doveadm: dsync - Search mails when exporting to reduce number of mails
  exported by dsync-server.
• dovecot-sysreport: Add -D|--destdir support.
• imap, imap-hibernate: Use DOVECOT-TOKEN authentication for unhibernation.
  Default imap-master socket permissioms have been changed due to this.
• imap: Add APPENDLIMIT capability when configured with quota_mail_size.
• imap: Support STATUS (DELETED) for IMAP4rev2.
• imapc: Add support for SEARCH MIMEPART
• imapc: Improve error forwarding.
• imapc: Support SORT and ESORT extensions.
• imapc: Support STATUS (DELETED) for IMAP4rev2.
• lib-sql: Support parameterized queries.
• lib-test: Add new test-dir API for better temporary test directory
  handling.
• lmtp: Advertize SIZE capability when configured with quota_mail_size.
• lmtp: Support XCLIENT DESTADDR and DESTPORT
• pop3-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
• submission-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
• Various optimizations have been made to the code.

Bug fixes

• Fix building dovecot with BSD, Solaris and macOS.
• auth: Crash would occur if users were iterated but
  userdb_ldap_iterate_fields was not set.
• auth: Fix request leak when client authenticates with unsupported mechanism.
• auth: Some passdbs would default to PLAIN instead of CRYPT scheme.
• config: Section and setting names could have been intermixed, resulting
  in the setting being silently ignored.
• configure: Fix checking if BUILD_IMAP_HIBERNATE is set
• doveadm: dsync - -e parameter was handled wrong with dsync-server.
• fts-flatcurve: Mailbox leak would occur if mailbox failed to open.
• imap: Fix potential issues with unhibernation and process state handling.
• imapc: SEARCH failure handling was done wrong.
• imapc: UID STORE commands included extra comma in uidset.
• lib-auth-client: auth-master - Fix panic when reconnecting after
  handshake timeout.
• lib-compression: Lz4 algorithm would assert-crash with malicious data.
• lib-dcrypt: Fix digest algorithm handling.
• lib-dict: Escape username paths to prevent traversal issues with dict-fs.
• lib-http: Fix HTTP parsing edge cases and state handling.
• lib-iostream: Disallow empty ssl_min_protocol.
• lib-json: Fix incorrect character handling logic.
• lib-ldap: Fix various TLS related bugs.
• lib-mail: Fix charset translation and MIME parsing edge cases.
• lib-mail: Fix multiple bounds checks and parsing issues in message handling.
• lib-var-expand: Multiple fixes and improvements for expansion handling.
• lib: Fix punycode decoding out-of-bounds reads.
• lib: Fix unicode normalization edge cases causing crashes.
• lib-http: Chunked transfer trailer size was not limited.
• login-common: Improve logging and internal error handling.
• login-common: login_log_format_elements was split by spaces naively, which
  could break variable expansion. Use template aware splitting now.
• master: Dovecot would fail to start if listen directive was used and
  dovenull or dovecot user was missing.
• pop3c: Connection might've hung with SSL.
• util: Fix handling of environment variables containing control characters.
• Many other bugs have been fixed.

Fix issue security advisory on DTD processing.

Releases Notes for 29.6.6

Windows Installer
Windows No Installer (zip)
macOS - Universal
Linux - deb, AppImage or rpm

Windows intel x32 releases are marked -ia32-

ChangeLog:

• Uses electron 40.8.4
• #2143 , #1055
• Updates to draw.io core 29.6.6.

The Asterisk Development Team would like to announce
the release of Certified asterisk-22.8-cert2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-22.8-cert2
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-22.8-cert2

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-22.8-cert2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Mike Bradeen: (1)

Issue and Commit Detail:

Closed Issues:

• 1833: [bug]: Address security vulnerabilities in pjproject

Commits By Author:

• Mike Bradeen (1):

  • res_pjsip: Address pjproject security vulnerabilities

Commit List:

• res_pjsip: Address pjproject security vulnerabilities

Commit Details:

res_pjsip: Address pjproject security vulnerabilities

Author: Mike Bradeen
Date: 2026-03-25

Address the following pjproject security vulnerabilities

GHSA-j29p-pvh2-pvqp - Buffer overflow in ICE with long username
GHSA-8fj4-fv9f-hjpc - Heap use-after-free in PJSIP presense subscription termination header
GHSA-g88q-c2hm-q7p7 - ICE session use-after-free race conditions
GHSA-x5pq-qrp4-fmrj - Out-of-bounds read in SIP multipart parsing

Resolves: #1833