Fix issue security advisory on DTD processing. Make default Ignore DTD option True, which is more secure.

Fix issue security advisory on DTD processing. Make default Ignore DTD option True, which is more secure.

You can install pre-built binaries from https://repo.dovecot.org/

Docker images can be found at https://hub.docker.com/r/dovecot/dovecot

Please review https://doc.dovecot.org/2.4.3/installation/upgrade/2.3-to-2.4.html and https://doc.dovecot.org/2.4.3/installation/installation.html.

Important

There are experimental features in 2.4, one is enabled with --enable-experimental-mail-utf8, and another with --enable-experimental-imap4rev2, and you also need to set mail_utf8_extensions=yes and imap4rev2_enabled=yes to enable them in config.

Critical bug fixes

• CVE-2025-59028: Invalid base64 authentication can cause DoS for other
  logins.
• CVE-2025-59031: decode2text.sh OOXML extraction may follow symlinks
  and read unintended files during indexing. Fixed by dropping the script.
• CVE-2026-24031: SQL injection possible if auth_username_chars is
  configured empty. Fixed escaping to always happen. v2.4 regression.
• CVE-2026-27859: Excessive RFC 2231 MIME parameters in email would cause
  excessive CPU usage. Fixed by limiting number of parameters to process.
• CVE-2026-27860: LDAP query injection possible if auth_username_chars
  is configured empty. Fixed escaping to always happen. v2.4 regression.
• CVE-2026-27857: Sending excessive parenthesis causes imap-login to use
  excessive memory.
• CVE-2026-27856: Doveadm credentials were not checked using timing-safe
  checking function.
• CVE-2026-27855: OTP driver vulnerable to replay attack.

Changes

• Remove default service/*/service_extra_groups=$SET:default_internal_group.
  They are now replaced by default mail_access_groups=$SET:default_internal_group.
• The version file has been renamed as version.txt to avoid clash with
  C++ headers.
• auth: oauth2 - Do not export token automatically, must be exported using
  fields.
• config: Don't accept 0 as meaning unlimited anymore for
  last_valid_uid, last_valid_gid, mail_cache_max_headers_count,
  mail_cache_max_header_name_length, mail_vsize_bg_after_count,
  mail_sort_max_read_count, message_max_size, submission_max_recipients
  and quota_mail_size.
• imap, pop3: Don't autoexpunge if Dovecot is shutting down or process
  is killed.
• imap: LIST - Handle invalid mUTF-7 mailbox names as never matching anything
• lazy-expunge: Change lazy_expunge_only_last_instance default to yes.
• lda: Use EX_TEMPFAIL (75) if configuration is invalid instead of 89.
  v2.4 regression.
• lib-master: Increase ANVIL_DEFAULT_LOOKUP_TIMEOUT_MSECS from 5s to 30s
• lib: crc32 - Use zlib's built-in CRC32 function

New features

• Improve UTF-8 support for mail storage.
• auth: Add default auth-token UNIX socket for token-based authentication.
• doc: solr-config-9.xml - Make it compatible with Solr 9.8.0
• doveadm: dsync - Search mails when exporting to reduce number of mails
  exported by dsync-server.
• dovecot-sysreport: Add -D|--destdir support.
• imap, imap-hibernate: Use DOVECOT-TOKEN authentication for unhibernation.
  Default imap-master socket permissioms have been changed due to this.
• imap: Add APPENDLIMIT capability when configured with quota_mail_size.
• imap: Support STATUS (DELETED) for IMAP4rev2.
• imapc: Add support for SEARCH MIMEPART
• imapc: Improve error forwarding.
• imapc: Support SORT and ESORT extensions.
• imapc: Support STATUS (DELETED) for IMAP4rev2.
• lib-sql: Support parameterized queries.
• lib-test: Add new test-dir API for better temporary test directory
  handling.
• lmtp: Advertize SIZE capability when configured with quota_mail_size.
• lmtp: Support XCLIENT DESTADDR and DESTPORT
• pop3-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
• submission-login: proxy - Add support for XCLIENT DESTIP and DESTPORT
• Various optimizations have been made to the code.

Bug fixes

• Fix building dovecot with BSD, Solaris and macOS.
• auth: Crash would occur if users were iterated but
  userdb_ldap_iterate_fields was not set.
• auth: Fix request leak when client authenticates with unsupported mechanism.
• auth: Some passdbs would default to PLAIN instead of CRYPT scheme.
• config: Section and setting names could have been intermixed, resulting
  in the setting being silently ignored.
• configure: Fix checking if BUILD_IMAP_HIBERNATE is set
• doveadm: dsync - -e parameter was handled wrong with dsync-server.
• fts-flatcurve: Mailbox leak would occur if mailbox failed to open.
• imap: Fix potential issues with unhibernation and process state handling.
• imapc: SEARCH failure handling was done wrong.
• imapc: UID STORE commands included extra comma in uidset.
• lib-auth-client: auth-master - Fix panic when reconnecting after
  handshake timeout.
• lib-compression: Lz4 algorithm would assert-crash with malicious data.
• lib-dcrypt: Fix digest algorithm handling.
• lib-dict: Escape username paths to prevent traversal issues with dict-fs.
• lib-http: Fix HTTP parsing edge cases and state handling.
• lib-iostream: Disallow empty ssl_min_protocol.
• lib-json: Fix incorrect character handling logic.
• lib-ldap: Fix various TLS related bugs.
• lib-mail: Fix charset translation and MIME parsing edge cases.
• lib-mail: Fix multiple bounds checks and parsing issues in message handling.
• lib-var-expand: Multiple fixes and improvements for expansion handling.
• lib: Fix punycode decoding out-of-bounds reads.
• lib: Fix unicode normalization edge cases causing crashes.
• lib-http: Chunked transfer trailer size was not limited.
• login-common: Improve logging and internal error handling.
• login-common: login_log_format_elements was split by spaces naively, which
  could break variable expansion. Use template aware splitting now.
• master: Dovecot would fail to start if listen directive was used and
  dovenull or dovecot user was missing.
• pop3c: Connection might've hung with SSL.
• util: Fix handling of environment variables containing control characters.
• Many other bugs have been fixed.

Fix issue security advisory on DTD processing.

Releases Notes for 29.6.6

Windows Installer
Windows No Installer (zip)
macOS - Universal
Linux - deb, AppImage or rpm

Windows intel x32 releases are marked -ia32-

ChangeLog:

• Uses electron 40.8.4
• #2143 , #1055
• Updates to draw.io core 29.6.6.

The Asterisk Development Team would like to announce
the release of Certified asterisk-22.8-cert2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-22.8-cert2
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-22.8-cert2

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-22.8-cert2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Mike Bradeen: (1)

Issue and Commit Detail:

Closed Issues:

• 1833: [bug]: Address security vulnerabilities in pjproject

Commits By Author:

• Mike Bradeen (1):

  • res_pjsip: Address pjproject security vulnerabilities

Commit List:

• res_pjsip: Address pjproject security vulnerabilities

Commit Details:

res_pjsip: Address pjproject security vulnerabilities

Author: Mike Bradeen
Date: 2026-03-25

Address the following pjproject security vulnerabilities

GHSA-j29p-pvh2-pvqp - Buffer overflow in ICE with long username
GHSA-8fj4-fv9f-hjpc - Heap use-after-free in PJSIP presense subscription termination header
GHSA-g88q-c2hm-q7p7 - ICE session use-after-free race conditions
GHSA-x5pq-qrp4-fmrj - Out-of-bounds read in SIP multipart parsing

Resolves: #1833

The Asterisk Development Team would like to announce
the release of Certified asterisk-20.7-cert10.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert10
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert10

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-20.7-cert10

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Mike Bradeen: (1)

Issue and Commit Detail:

Closed Issues:

• 1833: [bug]: Address security vulnerabilities in pjproject

Commits By Author:

• Mike Bradeen (1):

  • res_pjsip: Address pjproject security vulnerabilities

Commit List:

• res_pjsip: Address pjproject security vulnerabilities

Commit Details:

res_pjsip: Address pjproject security vulnerabilities

Author: Mike Bradeen
Date: 2026-03-24

Address the following pjproject security vulnerabilities

GHSA-j29p-pvh2-pvqp - Buffer overflow in ICE with long username
GHSA-8fj4-fv9f-hjpc - Heap use-after-free in PJSIP presense subscription termination header
GHSA-g88q-c2hm-q7p7 - ICE session use-after-free race conditions
GHSA-x5pq-qrp4-fmrj - Out-of-bounds read in SIP multipart parsing

Resolves: #1833

The Asterisk Development Team would like to announce
the release of asterisk-21.12.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.12.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.12.2

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-21.12.2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Mike Bradeen: (1)

Issue and Commit Detail:

Closed Issues:

• 1833: [bug]: Address security vulnerabilities in pjproject

Commits By Author:

• Mike Bradeen (1):

  • res_pjsip: Address pjproject security vulnerabilities

Commit List:

• res_pjsip: Address pjproject security vulnerabilities

Commit Details:

res_pjsip: Address pjproject security vulnerabilities

Author: Mike Bradeen
Date: 2026-03-25

Address the following pjproject security vulnerabilities

GHSA-j29p-pvh2-pvqp - Buffer overflow in ICE with long username
GHSA-8fj4-fv9f-hjpc - Heap use-after-free in PJSIP presense subscription termination header
GHSA-g88q-c2hm-q7p7 - ICE session use-after-free race conditions
GHSA-x5pq-qrp4-fmrj - Out-of-bounds read in SIP multipart parsing

Resolves: #1833

The Asterisk Development Team would like to announce
release candidate 1 of asterisk-22.9.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.9.0-rc1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.9.0-rc1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-22.9.0-rc1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 48
• Commit Authors: 20
• Issues Resolved: 31
• Security Advisories Resolved: 0

The Asterisk Development Team would like to announce
release candidate 1 of asterisk-23.3.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.3.0-rc1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.3.0-rc1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-23.3.0-rc1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 48
• Commit Authors: 20
• Issues Resolved: 31
• Security Advisories Resolved: 0

The Asterisk Development Team would like to announce
release candidate 1 of asterisk-20.19.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.19.0-rc1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.19.0-rc1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-20.19.0-rc1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 48
• Commit Authors: 20
• Issues Resolved: 31
• Security Advisories Resolved: 0

Hi,

The OpenWrt community is proud to announce the second service release of the OpenWrt 25.12 stable series.

Download firmware images using the OpenWrt Firmware Selector:

• https://firmware-selector.openwrt.org/?version=25.12.2

Download firmware images directly from our download servers:

• https://downloads.openwrt.org/releases/25.12.2/targets/

Main changes between OpenWrt 25.12.1 and OpenWrt 25.12.2

Only the main changes are listed below. See the full changelog for details.

Device support

• airoha: rename kernel module kmod-pwm-an7581 to kmod-pwm-airoha — users with this module explicitly installed need to reinstall under the new name
• apm821xx: fix U-Boot environment definitions for NETGEAR WNDR4700, Western Digital MyBookLive, Meraki MR24 and Meraki MX60; fix PCIe boot failure on Meraki MX60
• ath79: fix initramfs boot for Huawei AP5030DN and AP6010DN
• ath79: fix VLAN CPU port tagging on 2-CPU-port devices (affects several dual-CPU switch configurations)
• ath79: remove incorrectly included WiFi packages from Mikrotik RB750r2 (device has no WiFi hardware)
• ipq40xx: fix ART partition name for Linksys Velop WHW03 V1 — restores correct WiFi calibration data access
• ipq40xx: fix MAC address reading for Linksys devices using eMMC-based NVMEM
• lantiq: xrx200: fix failsafe mode on BT HomeHub 5A — LAN ports 1 & 2 now work correctly in failsafe (#22480)
• mediatek: Bananapi BPI-R4: fix SFP+ electric module support — modules that stopped working after a snapshot upgrade are now functional again (#19878)
• ramips: fix kernel decompress error that bricked ELECOM WRC-X1800GS on 25.12.0 (#22270)
• ramips: fix initramfs kernel load address for TP-Link EAP615-Wall v1
• ramips: fix MAC address assignment for Xiaomi Mi AC2100
• realtek: fix D-Link fan control script

WiFi fixes and improvements

• wifi-scripts: fix 160 MHz channel width configuration — hostapd was not correctly configured for 160 MHz, preventing its use (#22481)
• wifi-scripts: fix SU beamformee antenna count — incorrect count was passed to the driver
• hostapd: fix memory leak in Radio Resource Management (RRM) ubus interface
• mac80211: ath12k: add thermal sensor support for QCA/IPQ devices
• mac80211: ath9k: fix GPIO mask handling from device tree
• mt76: fix severe WiFi latency regression (up to multiple seconds) on 2.4 GHz introduced in 25.12.1 — affected many MediaTek devices including OpenWrt One, Zyxel EX5601, ASUS RT-AX53U, Xiaomi AX3000T/AX6000, Cudy WR3000/X6, GL Flint 2 and others (#22491)
• mt76: multiple further stability fixes for MediaTek WiFi chipsets (MT7615/MT7915/MT7996/MT7992/MT792x):
  • add per-link beacon monitoring for MLO (Multi-Link Operation)
  • fix MT7996/MT7992 link handling during MLO station add/remove
  • fix scan work requeue race with spinlock

Upgrading to 25.12.2

Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts.
For upgrades within the OpenWrt 25.12 stable series, Attended Sysupgrade is also supported, which allows preserving the installed packages.

• Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.

• Cron log level was fixed in busybox. system.@system[0].cronloglevel should be set to 7 for normal logging. 7 is the default now. If this option is not set, the default is used and no manual action is needed. fc0c518

• Bananapi BPI-R4: Interface eth1 was renamed to sfp-lan or lan4, and interface eth2 was renamed to sfp-wan to match the labels. You have to upgrade without saving the configuration. cd8dcfe

• TP-Link RE355 v1, RE450 v1 and RE450 v2: The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use sysupgrade -F to force the upgrade. The image must not exceed 5.875 MB (6016 KiB).

• Meraki MX60: Direct sysupgrade to 25.12.2 is not possible without manual preparation — meraki_loadaddr must be changed before upgrading, as the default value is insufficient to boot OpenWrt 25.12+. See the device wiki page for instructions.

Known issues

• Zyxel EX5601-T0: the WAN interface was renamed from eth1 to wan — check and update your network configuration after upgrading.
• Pixel 10 phones have problems connecting to WPA3-protected WiFi 6 APs. #21486
• 802.11r Fast Transition (FT) causes connection problems with some WiFi clients when WPA3 is used. #22200
• SQM CAKE MQ (cake_mq): throughput may be unexpectedly low on some configurations after the scheduler fixes in this release. #22344

Full release notes and upgrade instructions are available at
https://openwrt.org/releases/25.12/notes-25.12.2

In particular, make sure to read the known issues before upgrading:
https://openwrt.org/releases/25.12/notes-25.12.2#known_issues

For a detailed list of all changes, refer to
https://openwrt.org/releases/25.12/changelog-25.12.2

To download the 25.12.2 images, navigate to:
https://downloads.openwrt.org/releases/25.12.2/targets/
Use OpenWrt Firmware Selector to download:
https://firmware-selector.openwrt.org?version=25.12.2

As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters.

Have fun!

The OpenWrt Community

To stay informed of new OpenWrt releases and security advisories, there
are new channels available:

• a low-volume mailing list for important announcements:
  https://lists.openwrt.org/mailman/listinfo/openwrt-announce

• a dedicated "announcements" section in the forum:
  https://forum.openwrt.org/c/announcements/14

• other announcement channels (such as RSS feeds) might be added in the
  future, they will be listed at https://openwrt.org/contact

Backups are one of those quiet, powerful features: when they work, you don’t notice them, but when you need them, they’re everything. We’ve evolved Home Assistant’s built-in backup format over the years to keep it safe and secure, especially when backing up to remote locations. As modern cryptography has advanced, we needed to build a system to match. SecureTar v3 is a purpose-built library for creating and reading password-protected Home Assistant backups with modern cryptography and safer, stronger defaults.

To help us get this right, we commissioned Trail of Bits, a leading security engineering firm, to independently audit our work. Their review found that SecureTar v3 follows best-in-class practices for core security algorithms, such as hashing and encryption. They also identified three areas for improvement, which they confirmed were resolved in their follow-up review. This audit was paid for by the Open Home Foundation so we could invest in improvements that protect users’ privacy, security, and control.

Your backups will start using this new encryption automatically, beginning with the release of version 2026.4 on April 1, 2026. Please note old backups will still work and be readable after this change (see Recommended next steps below). For more technical details, please read on…

A bit of history

Home Assistant backups have always been encrypted by default, and use a high entropy key, to help ensure your data is safe. When we introduced backups, early formats (v1 and v2) used the same AES-128 encryption variant, along with a simple key derivation (the code that turns your passphrase into the actual key used for encryption). Sam Gleske brought to our attention that the key-derivation step was no longer up to modern standards.

It’s worth stressing an important point: Home Assistant’s passphrase generator already produces long, high-entropy passphrases. This means that backups created previously were difficult to break if using this feature. To demonstrate this, we calculated that a brute force passphrase attack (where attackers try many passwords rapidly) on the backups would take more time than the average lifespan of a person to be successful.

Still, because it was possible to manually generate an insecure passphrase for advanced users, and the library’s internal cryptographic primitives could be improved, we decided to overhaul SecureTar to use best-in-class algorithms, and to have that work validated by an external audit.

What we changed and why

The goals were simple: choose modern, well-studied algorithms, avoid design mistakes that could weaken confidentiality or integrity, and make v3 the secure default.

Highlights of the SecureTar v3 design:

• Modern key derivation: SecureTar v3 uses Argon2id for password-based key derivation. Argon2id is a memory-hard algorithm that makes brute-force attacks much more costly.
• Modern encryption and authentication: Encryption is provided by the libsodium secretstream API (exposed in Python via PyNaCl), which implements a robust streaming authenticated-encryption construction using XChaCha20-Poly1305. That combination gives both confidentiality (nobody can read your data) and integrity/authentication (nobody can tamper with it without detection).
• Safer defaults and parsing: We set safer defaults so new backups use v3, and we fixed parsing logic to avoid silently treating corrupt data as valid legacy backups.

We made these choices to ensure that SecureTar is resilient to modern attacks and easier to reason about from a security perspective.

Independent audit by Trail of Bits

After implementing SecureTar v3, we commissioned Trail of Bits to perform the focused security assessment and fix review. Here is what the review found:

1. Timing side-channel in a validation comparison (informational): The audit pointed out a minor coding issue in how we checked a validation key. It wasn’t a security risk (the value is stored openly in the file header), but we updated the check to a safer form so security tools stop flagging it.
2. Insecure fallback to legacy protocol version (informational): Header parsing logic could be confused by corrupted data; we updated the logic so corrupted headers raise an error instead of silently falling back.
3. Supply-chain risk in GitHub Actions workflow (medium): Workflow steps were not pinned to specific commit hashes and used broad permissions, opening the build process to possible supply-chain attacks. We pinned actions to specific commit hashes and tightened permissions.

Crucially, Trail of Bits’ post-fix review confirmed all three findings were resolved. This shows we have not only adopted modern cryptography, but also closed the gaps the audit exposed.

You can read more about the audit and the fixes in the Trail of Bits report.

How you help support this work

Security work (especially external audits and specialist engineering) costs money. The Open Home Foundation provides the structure and finances that let us do this work. That money comes, in part, from people who buy official Home Assistant or ESPHome products from the foundation’s commercial partners, and merchandise from the Open Home Foundation Store: we really appreciate your support!

Because of this, we were able to commission experts, invest engineering time, and validate the fixes. That investment protects users’ backups (which often contain configurations, passwords and API keys, integrations, and automations) and keeps Home Assistant a trustworthy, secure platform for everyone.

Recommended next steps

• Ensure Home Assistant is updated to the latest version. The 2026.4 release includes SecureTar v3.
• Any encrypted backup created after updating to 2026.4 will use v3’s improved format.
• Existing backups are still secure, as Home Assistant’s generated passphrase is strong. That said, for extra security, you can regenerate the encryption key in your backup settings (use the Change encryption key option at the bottom of the backup settings page).
• If you use the ha backup CLI command, or the hassio.backup_full or hassio.backup_partial actions to create backups, and you’ve used a short/low entropy password, you should choose a new password.

For the curious: technical summary

• Key derivation: Argon2id (memory-hard), using separate sub-keys for each backup part.
• Encryption / AEAD: XChaCha20-Poly1305 via libsodium secretstream (PyNaCl) with 256-bit key size. AEAD means your data is not only encrypted, but also authenticated (validating the data is unchanged/not tampered with).
• Audit: Trail of Bits: 3 findings (2 informational, 1 medium), all resolved.
• Build hardening: GitHub Actions pinned to commit SHAs and narrower permissions to reduce supply-chain risk.

Looking for more? Check out the SecureTar repository on GitHub.

Final note

Security is iterative, and this latest work has helped build a stronger foundation for Home Assistant backups, and a clearer path forward for maintaining that security over time.

If you want to read about similar past efforts, see some of our other posts:

• One of our past security audits
• The upcoming release notes for Home Assistant 2026.4

By keeping Home Assistant secure, we make the platform safer, more trusted, and more enjoyable for the whole community. Thank you.

nginx-1.28.3 stable and nginx-1.29.7 mainline versions have been released, with fixes for buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753) and OCSP result bypass vulnerability in stream (CVE-2026-28755). Additionally, nginx-1.29.7 mainline version introduces support for Multipath TCP and upgrades the default proxy HTTP version to HTTP/1.1 with keep-alive enabled.

New uNmINeD development snapshot is available for download!

Changes:

• (GUI) Datapack and mod load errors are now ignored when opening a world
• (GUI) The log now include a stack trace of errors that occur when opening the world
• Improved handling of broken mods/datapacks

 The Stable channel has been updated to 147.0.7727.24/.25 for Windows and Mac as part of our early stable release to a small percentage of users. A full list of changes in this build is available in the log.

• Halo Infinite: Texture corruption may occur on R595 drivers [5957741]
• HITMAN World of Assassination: Game stability issues when NVIDIA Smooth Motion is enabled [5849519]
• Game stability issues after enabling DLSS FG when Instant Replay is enabled [5732936]

• N/A

⚠️ Potential Breaking Changes

Added support for importing data in the background (#26914)
Imports now automatically time out after 1 hour, with a maximum of 20 running concurrently. These limits can be configured via IMPORT_TIMEOUT and IMPORT_MAX_CONCURRENCY, respectively.

Improved build times using tsdown’s oxc-transform (#26604)
Exports previously available from @directus/types/collab are now exported directly from @directus/types

Shrunk app UI to 90% and converted all px to rem (16px browser default) (#26826)
Potential breaking change: The app UI has been shrunk to 90% of its previous size. Extensions that rely on hardcoded px values or the old 14px root font-size may render incorrectly — all app sizing now uses rem based on the 16px browser default.

• @directus/api
  • Added support for importing data in the background (#26914 by @Nitwel)
• @directus/types
  • Improved build times using tsdown’s oxc-transform (#26604 by @Nitwel)
• @directus/specs
  • Updated fast-xml-parser, qs, minimatch, tar, undici, vue-split-panel and flatted dependencies (#26951 by @br41nslug)

✨ New Features & Improvements

• @directus/app
  • Added support for importing data in the background (#26914 by @Nitwel)
  • Added utility endpoint and UI to generate translations collections and fields. (#26742 by @bryantgillespie)
  • Added deployment provider link on the run detail page, opening deployments directly in Vercel or Netlify dashboards. (#26888 by @LZylstra)
  • Shrunk app UI to 90% and converted all px to rem (16px browser default) (#26826 by @formfcw)
• @directus/api
  • Added tool search tool for Anthropic AI provider to reduce context usage (#26864 by @bryantgillespie)
  • Added support for setting the secure attribute on OpenID/OAuth2 cookies via the AUTH_<PROVIDER>_COOKIE_SECURE environment variable (#26628 by @dstockton)
  • Updated FilesService.uploadOne to support an optional storage parameter (#26882 by @gaetansenn)
  • Added AI SDK Devtools middleware support for debugging AI Assistant in development only. Added AI telemetry provider (#26678 by @bryantgillespie)
    config for Braintrust and Langfuse, enabling sending traces for observability, usage, and token costs.
  • Added utility endpoint and UI to generate translations collections and fields. (#26742 by @bryantgillespie)
  • Added support for Redis namespace control (#26943 by @dstockton)
• @directus/errors
  • Added support for importing data in the background (#26914 by @Nitwel)
• @directus/env
  • Added support for importing data in the background (#26914 by @Nitwel)
  • Added support for Redis namespace control (#26943 by @dstockton)
• @directus/system-data
  • Added utility endpoint and UI to generate translations collections and fields. (#26742 by @bryantgillespie)
• @directus/constants
  • Added utility endpoint and UI to generate translations collections and fields. (#26742 by @bryantgillespie)
• @directus/extensions-sdk
  • Shrunk app UI to 90% and converted all px to rem (16px browser default) (#26826 by @formfcw)
• @directus/themes
  • Shrunk app UI to 90% and converted all px to rem (16px browser default) (#26826 by @formfcw)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fix file renaming (#26946 by @br41nslug)
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Fixed filtering out preRegisterCheck === false modules from settings module bar config (#26953 by @AlexGaillard)
  • Prevented uncaught exception when v-menu has no tabbable elements (#26922 by @robluton)
  • Fixed a bug where global draft updates failed for singleton collections (#26910 by @formfcw)
  • Refactored "Clear value(s) on save when hidden" condition so it's applied inside a drawer (#26925 by @AlexGaillard)
  • Added functionality to duplicate access policies (#26889 by @robluton)
  • Reduced width of split panel resize handle to prevent scrollbar interference (#26908 by @robluton)
  • Updated Vite to version 8.0.0 (#26887 by @Nitwel)
  • Corrected field editability for conditional update policies and version items (#26815 by @HZooly)
  • Fixed date picker not emitting value after month/year change. (#26880 by @powerseed)
  • Fixed inconsistent dropdown arrows in visual editor header bar (#26904 by @formfcw)
• @directus/api
  • Added API request counting to telemetry reports. Requests are tracked by HTTP method and cache status. (#26738 by @connorwinston)
  • Fix file renaming (#26946 by @br41nslug)
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Fixed errors during import not propagated while the file is streaming (#26881 by @Nitwel)
  • Added cache clear CLI command with --system and --data flags (#26898 by @gaetansenn)
  • Improved build times using tsdown’s oxc-transform (#26604 by @Nitwel)
  • Preserved M2A type info when using named GraphQL fragments (#26920 by @gaetansenn)
  • Added GraphQL resolver deduplication (#26949 by @br41nslug)
  • Fixed aggregation sanitization (#26948 by @br41nslug)
  • Added cross origin opener policy settings (#26947 by @br41nslug)
  • Fixed revisions not using prepareDelta (#26867 by @br41nslug)
• @directus/types
  • Fix file renaming (#26946 by @br41nslug)
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Updated FilesService.uploadOne to support an optional storage parameter (#26882 by @gaetansenn)
  • Added GraphQL resolver deduplication (#26949 by @br41nslug)
  • Fixed revisions not using prepareDelta (#26867 by @br41nslug)
• @directus/env
  • Fix file renaming (#26946 by @br41nslug)
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Added support for setting the secure attribute on OpenID/OAuth2 cookies via the AUTH_<PROVIDER>_COOKIE_SECURE environment variable (#26628 by @dstockton)
  • Added AI SDK Devtools middleware support for debugging AI Assistant in development only. Added AI telemetry provider (#26678 by @bryantgillespie)
    config for Braintrust and Langfuse, enabling sending traces for observability, usage, and token costs.
  • Added cross origin opener policy settings (#26947 by @br41nslug)
• @directus/ai
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/composables
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/constants
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/errors
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/extensions
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/extensions-registry
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/extensions-sdk
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Updated Vite to version 8.0.0 (#26887 by @Nitwel)
• @directus/format-title
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/memory
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/pressure
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/release-notes-generator
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Fixed generated build (#26959 by @AlexGaillard)
• @directus/schema
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/schema-builder
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-azure
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-cloudinary
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-gcs
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-local
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-s3
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/storage-driver-supabase
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/stores
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/system-data
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/themes
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/update-check
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/utils
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Preserved M2A type info when using named GraphQL fragments (#26920 by @gaetansenn)
  • Fixed revisions not using prepareDelta (#26867 by @br41nslug)
• @directus/validation
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
• @directus/sdk
  • Updated @directus/tsconfig dependency from 3.0.0 to 4.0.0 (#26879 by @AlexGaillard)
  • Improved build times using tsdown’s oxc-transform (#26604 by @Nitwel)
  • Fixed function typing in sdk for date and time fields. (#26936 by @costajohnt)

📦 Published Versions

• @directus/app@15.6.0
• @directus/api@35.0.0
• @directus/ai@1.3.1
• @directus/composables@11.2.16
• @directus/constants@14.3.0
• create-directus-extension@11.0.32
• @directus/env@5.7.0
• @directus/errors@2.3.0
• @directus/extensions@3.0.22
• @directus/extensions-registry@3.0.22
• @directus/extensions-sdk@17.1.0
• @directus/format-title@12.1.2
• @directus/memory@3.1.5
• @directus/pressure@3.0.20
• @directus/release-notes-generator@2.0.4
• @directus/schema@13.0.6
• @directus/schema-builder@0.0.17
• @directus/specs@13.0.0
• @directus/storage@12.0.4
• @directus/storage-driver-azure@12.0.20
• @directus/storage-driver-cloudinary@12.0.20
• @directus/storage-driver-gcs@12.0.20
• @directus/storage-driver-local@12.0.4
• @directus/storage-driver-s3@12.1.6
• @directus/storage-driver-supabase@3.0.20
• @directus/stores@2.0.1
• @directus/system-data@4.4.0
• @directus/themes@1.3.0
• @directus/types@15.0.0
• @directus/update-check@13.0.5
• @directus/utils@13.3.2
• @directus/validation@2.0.20
• @directus/sdk@21.2.1

nginx-1.28.3 stable and nginx-1.29.7 mainline versions have been released, with fixes for buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753) and OCSP result bypass vulnerability in stream (CVE-2026-28755). Additionally, nginx-1.29.7 mainline version introduces support for Multipath TCP and upgrades the default HTTP version to HTTP/1.1 with keep-alive enabled.

New uNmINeD development snapshot is available for download!

Changes:

• (Hytale) Added texture average color calculation for vanilla blocks from the latest installed game assets
• (Hytale) Added texture average color calculation for custom blocks added by mods
• (Hytale) Updated vanilla stylesheet to version 2026-03-23
• (Minecraft) Fixed an issue where the Bedrock vanilla resource pack would not load in some cases
• (GUI) Fixed a zoom glitch when a map marker was under the mouse cursor

Below are development builds for testing purposes.

Latest development build: 2.6.4.36 (April 3rd 2026)

Latest stable release build: 2.6.4
https://github.com/clsid2/mpc-hc/releases/tag/2.6.4

What's Changed

Security & Fixes

• Fixed proxy config validation to ensure stored config matches the current proxy type (#9146, fixes #9127)
• Fixed environment variables being incorrectly resolved in compose files instead of preserving ${VAR} references (#9147, fixes #9136)
• Fixed deployment issues with shell argument escaping in nixpacks commands (#9122, fixes #9042)
• Fixed GitHub webhook errors for unsupported event types (#9119, fixes #9090)
• Fixed server limit checks when using API tokens (#9123, fixes #9116)
• Fixed hostname validation to be case-insensitive and allow more characters (#9134, fixes #9131)
• Fixed duplicate subscription creation
• Fixed environment variable refresh when variables are missing or stale
• Fixed Docker cleanup logging when server is unreachable

New Services & Templates

• Added EspoCRM one-click service template (#8658)

Improvements

• Improved mobile responsiveness for confirmation modals
• Simplified Docker installation process
• Added storage API endpoints with UUID support for databases and services
• Added Nightwatch monitoring support
• Disabled Booklore service template (#9105)
• Bumped Sentinel and Traefik versions

What's Changed (Github)

• fix(github-webhook): handle unsupported event types gracefully by @andrasbacsai in #9119
• fix(deployment): properly escape shell arguments in nixpacks commands by @andrasbacsai in #9122
• fix(validation): make hostname validation case-insensitive and expand allowed name characters by @andrasbacsai in #9134
• fix(team): resolve server limit checks for API token authentication by @andrasbacsai in #9123
• chore(service): disable Booklore service by @Cinzya in #9105
• Add EspoCRM, provided by the official team by @tmachyshyn in #8658
• fix(parsers): preserve ${VAR} references in compose instead of resolving to DB values by @andrasbacsai in #9147
• fix(proxy): validate stored config matches proxy type by @andrasbacsai in #9146
• v4.0.0-beta.470 by @andrasbacsai in #9139

New Contributors

• @tmachyshyn made their first contribution in #8658

Full Changelog: v4.0.0-beta.469...v4.0.0-beta.470

nginx-1.28.3 stable and nginx-1.29.7 mainline versions have been released, with fixes for buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753) and OCSP result bypass vulnerability in stream (CVE-2026-28755)