Pi-Hole Security Udpdates

wolfi11 pts0 comments

Pi-hole FTL v6.7, Web v6.6 and Core v6.4.3 Released! – Pi-hole

Skip to content

GitHubCore<br>Web<br>FTL<br>Docker

CommunityDiscourse<br>Reddit<br>Twitter

AboutDocumentation<br>Contact<br>Privacy<br>Brand Guidelines<br>Developing Apps For Pi-hole

Blog

Pi-hole FTL v6.7, Web v6.6 and Core v6.4.3 Released!

Pi-hole FTL v6.7, Web v6.6 and Core v6.4.3 Released!<br>As always, please read through the changelogs before updating with pihole -up<br>Don’t forget, you can use Teleporter to export your configuration. It can be found under the settings menu of the web interface or on the command line with pihole-FTL --teleporter<br>Docker has been tagged as 2026.07.0<br>Highlights<br>Security<br>This release closes out six advisories across Core and FTL. We’d like to thank all of the researchers who took the time to responsibly disclose these issues — several are related to work covered in previous releases, and we’re grateful for the continued scrutiny.<br>Thank you to supperhellokitty20 , rrobgill , T0X1Cx and SakusenSec for responsibly disclosing these issues. Full details for all advisories can be found at the following links:<br>pi-hole/pi-hole/security/advisories/GHSA-h8w9-qx2v-wrww — Local privilege escalation from pihole user to root via /etc/pihole/logrotate (High) reported by supperhellokitty20<br>pi-hole/FTL/security/advisories/GHSA-q6fm-xwxf-37r5 — WebUI (& API) DoS via lack of rate limiting (High) reported by rrobgill<br>pi-hole/FTL/security/advisories/GHSA-w8cr-2cwg-92cg — Session expiration bypass (High) reported by T0X1Cx<br>pi-hole/FTL/security/advisories/GHSA-8j7w-m3cr-6q6x — Remote Code Execution via CivetWeb configuration injection (High) reported by SakusenSec<br>pi-hole/FTL/security/advisories/GHSA-g7v8-8q8f-hprp — Log injection in the access-log writer chaining to RCE via Lua-server-page evaluation (Moderate)<br>pi-hole/FTL/security/advisories/GHSA-r5vh-5q82-jg7q — CRLF injection / HTTP header injection via group name (Low) reported by T0X1Cx<br>Updated embedded components<br>FTL now ships with an updated embedded dnsmasq v2.93 and SQLite3 v3.53.1 , keeping the core resolver and database layer current. (FTL #2890, FTL #2891)<br>A brand new DHCP static leases editor<br>Managing DHCP leases from the web interface has been one of the most frequently requested improvements since we released v6, and this release finally delivers it. The static leases interface has been completely reworked into a proper editor: adding, editing and removing reserved leases should now feel more intuitive. (Web #3766)<br>Thank you to everyone who’s asked for this over the years and to @rdwebdesign for making it happen.<br>iCloud Private Relay and better MAC vendor resolution<br>A fix landed for iCloud Private Relay zones (FTL #2919), and MAC vendor lookups now resolve sub-allocated blocks (MA-M / MA-S) via longest-prefix match, so more devices are correctly identified (FTL #2907).<br>Other web interface improvements<br>Editing reverse DNS servers (dns.revServers) now has a much friendlier interface, and the Lists page has clearer hints and help text. (Web #3769, Web #3798)<br>Friendlier error messages<br>Error messages across FTL have been made more human friendly, including a custom message for UNIQUE constraint errors, so it’s clearer what’s gone wrong when something does. (FTL #2878, FTL #2879)<br>Details of all other fixes can be found below!<br>FTL v6.7<br>What’s Changed<br>Performance optimizations and bug fixes by @DL6ER in #2816<br>fix: check NULL returns from strdup/calloc in rotate_files() by @jluzzi123 in #2875<br>Make error messages more human friendly by @yubiuser in #2878<br>Harden API/database races in civetweb and DB threads by @DL6ER in #2881<br>Update embedded SQLite3 to v3.53.1 by @DL6ER in #2891<br>Fix build on Fedora 44 by @darkexplosiveqwx in #2893<br>macvendor: resolve sub-allocated blocks (MA-M/MA-S) via longest-prefix match by @RamSet in #2907<br>Update embedded dnsmasq to v2.93 by @DL6ER in #2890<br>fix OOB write in FTL_parse_pseudoheaders when optlen is 0 by @rdevshp in #2910<br>Update a single text description "PRIVATE KEY" by @DoctorD90 in #2884<br>add optional dnsmasq features to cmake by @darkexplosiveqwx in #2874<br>Fix building on alpine 3.24 by @yubiuser in #2911<br>Bats by @yubiuser in #2872<br>Improve crash backtraces for non-reproducible faults by @DL6ER in #2880<br>Fix gzip.c inflate_buffer CRC signed left shift undefined behavior by @rdevshp in #2916<br>Fix for iCloud Private Relay zones by @DL6ER in #2919<br>fix tar parsing by @rdevshp in #2914<br>Allow using local manufs to generate macvendor.db by @darkexplosiveqwx in #2918<br>Use custom message for UNIQUE constraint error message by @rdwebdesign in #2879<br>Re-resolve client groups event-driven, drop periodic recheck by @DL6ER in #2922<br>Guard against invalid gzip data in gzip.c inflate_buffer by @rdevshp in #2915<br>Fix BATS test of no ERRORS in FTL.log to allow capturing the output by @yubiuser in #2927<br>fix(cli): warn when –config cannot read pihole.toml (#2849) by @DL6ER in #2930<br>fix(api-docs): correct three OpenAPI spec issues (#2867) by @DL6ER in #2929<br>fix: avoid segfault in dnsmasq-test on...

hole dl6er security advisories ghsa core

Related Articles