Skip to content

Guard query-count counters against unsigned underflow#2815

Merged
DL6ER merged 1 commit into
developmentfrom
fix/underflow_memdb_queries
Mar 20, 2026
Merged

Guard query-count counters against unsigned underflow#2815
DL6ER merged 1 commit into
developmentfrom
fix/underflow_memdb_queries

Conversation

@DL6ER

@DL6ER DL6ER commented Mar 20, 2026

Copy link
Copy Markdown
Member

What does this implement/fix?

memdb_queries_count and diskdb_queries_count are unsigned counters tracking how many rows are in the in-memory and on-disk query databases. In delete_old_queries_from_db(), these counters are decremented by the number of rows GC just deleted.

The problem is a bit edge-case: if FTL's startup import (import_queries_from_disk()) fails or is interrupted while the database is being written to, it resets memdb_queries_count = 0. When GC then runs and deletes some rows, 0 - N on an unsigned silently wraps to UINT64_MAX (≈ 1.84×10¹⁹). That value is then returned by the /api/queries endpoint as recordsTotal, which is why the query log shows an astronomically large page count right after startup.

The fix clamps the subtraction to 0 instead of letting it underflow, so a stale counter can never produce a nonsensical result.

Related issue or feature (if applicable): Fixes #2805

Pull request in docs with documentation (if applicable): N/A

By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

Checklist:

  • The code change is tested and works locally.
  • I based my code and PRs against the repositories development branch.
  • I signed off all commits. Pi-hole enforces the DCO for all contributions
  • I signed all my commits. Pi-hole requires signatures to verify authorship
  • I have read the above and my PR is ready for review.

@DL6ER
database: Guard query-count counters against uint64_t underflow
2ac9156 
memdb_queries_count and diskdb_queries_count are declared as uint64_t.
In delete_old_queries_from_db(), both counters are decremented by
`deleted` (int64_t from sqlite3_changes64). If the counter is already
at 0 — which can happen when import_queries_from_disk() fails and
resets the counter to 0 mid-import — subtracting any positive `deleted`
value wraps the counter to UINT64_MAX (≈1.84×10¹⁹).

db_counts() returns these counters as sqlite3_int64 (signed), so
UINT64_MAX becomes -1. The /api/queries endpoint then casts -1 to
unsigned long for recordsTotal, producing the observed
1.8446744073709552E+19 value and making the query log appear to have
millions of pages.

Fix: clamp the subtraction to 0 instead of allowing underflow, using
a guarded conditional assignment.

Signed-off-by: Dominik <dl6er@dl6er.de>
@DL6ER DL6ER requested a review from a team as a code owner March 20, 2026 14:58
@DL6ER DL6ER added the Bugfix label Mar 20, 2026
@DL6ER DL6ER mentioned this pull request Mar 20, 2026
Closed
@DL6ER DL6ER merged commit 01e5a12 into development Mar 20, 2026
24 of 25 checks passed
@DL6ER DL6ER deleted the fix/underflow_memdb_queries branch March 20, 2026 19:13
@yubiuser yubiuser linked an issue Mar 21, 2026 that may be closed by this pull request
Query log showing millions and millions of pages #2805
Closed
@PromoFaux PromoFaux mentioned this pull request Apr 2, 2026
Merged
@pralor-bot

pralor-bot commented Apr 3, 2026

Copy link
Copy Markdown

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-ftl-v6-6-web-v6-5-and-core-v6-4-1-released/85626/1

github-actions Bot pushed a commit to bigbeartechworld/big-bear-universal-apps that referenced this pull request Apr 5, 2026
@renovate
chore(deps): update jacklul/pihole docker tag to v2026.04.0
1c170b0 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [jacklul/pihole](https://redirect.github.com/pi-hole/docker-pi-hole) | minor | `2026.02.0` → `2026.04.0` |

---

### Release Notes

<details>
<summary>pi-hole/docker-pi-hole (jacklul/pihole)</summary>

### [`v2026.04.0`](https://redirect.github.com/pi-hole/docker-pi-hole/releases/tag/2026.04.0)

[Compare Source](https://redirect.github.com/pi-hole/docker-pi-hole/compare/2026.02.0...2026.04.0)

<!-- Release notes generated using configuration in .github/release.yml at master -->

#### What's Changed (Docker Specific - all related to CI/build)

- Group dependabot PRs to reduce PR spam by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [#&#8203;2004](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2004)
- ci: switch image publishing to docker/github-builder by [@&#8203;crazy-max](https://redirect.github.com/crazy-max) in [#&#8203;2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008)
- Readme Rework by [@&#8203;PromoFaux](https://redirect.github.com/PromoFaux) in [#&#8203;1958](https://redirect.github.com/pi-hole/docker-pi-hole/pull/1958)
- Replace Python test suite with BATS and consolidate workflows by [@&#8203;PromoFaux](https://redirect.github.com/PromoFaux) in [#&#8203;2009](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2009)
- Add timeout to curl command in branch validation by [@&#8203;RynoCODE](https://redirect.github.com/RynoCODE) in [#&#8203;2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011)
- Use bats-assert library functions in BATS test suite by [@&#8203;Copilot](https://redirect.github.com/Copilot) in [#&#8203;2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018)
- ci: run build job on pull request event by [@&#8203;crazy-max](https://redirect.github.com/crazy-max) in [#&#8203;2021](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2021)
- Update github-builder to v1.5.0 and enable fail-fast by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [#&#8203;2022](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2022)

#### New Contributors

- [@&#8203;crazy-max](https://redirect.github.com/crazy-max) made their first contribution in [#&#8203;2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008)
- [@&#8203;RynoCODE](https://redirect.github.com/RynoCODE) made their first contribution in [#&#8203;2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011)
- [@&#8203;Copilot](https://redirect.github.com/Copilot) made their first contribution in [#&#8203;2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018)

**Full Changelog**: <pi-hole/docker-pi-hole@2026.02.0...2026.04.0>

#### Component Release Notes

<!-- Release notes generated using configuration in .github/release.yml at development -->

#### What's Changed (FTL v6.6)

- Fix possible resolver issue on armv5tel by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2781](https://redirect.github.com/pi-hole/FTL/pull/2781)
- Introduce CMake options for optional dependencies by [@&#8203;aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795)
- Fix build without mbedtls \[v2] by [@&#8203;aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2796](https://redirect.github.com/pi-hole/FTL/pull/2796)
- Fix overTime data when database.DBimport = false by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2788](https://redirect.github.com/pi-hole/FTL/pull/2788)
- Fix cross-compilation issues w/ custom toolchain by [@&#8203;aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2797](https://redirect.github.com/pi-hole/FTL/pull/2797)
- Add new option for controling name resolution via MAC address by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2790](https://redirect.github.com/pi-hole/FTL/pull/2790)
- Fix obtaining client groups by name by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2791](https://redirect.github.com/pi-hole/FTL/pull/2791)
- Ensure API sessions are restored before starting the HTTP server by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2803](https://redirect.github.com/pi-hole/FTL/pull/2803)
- Add form-action 'self' to Content-Security-Policy by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2804](https://redirect.github.com/pi-hole/FTL/pull/2804)
- Add query\_frequency to /padd endpoint by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2806](https://redirect.github.com/pi-hole/FTL/pull/2806)
- Guard query-count counters against unsigned underflow by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2815](https://redirect.github.com/pi-hole/FTL/pull/2815)
- Add universal crash backtrace via \_Unwind\_Backtrace by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2811](https://redirect.github.com/pi-hole/FTL/pull/2811)
- config: show totp\_secret presence in CLI output by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2813](https://redirect.github.com/pi-hole/FTL/pull/2813)
- Fix client count inflation for rate-limited queries by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2814](https://redirect.github.com/pi-hole/FTL/pull/2814)
- Fix stack buffer overflow in get\_process\_name() by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2821](https://redirect.github.com/pi-hole/FTL/pull/2821)
- Do not restart FTL while `pihole -g` is still ongoing by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2419](https://redirect.github.com/pi-hole/FTL/pull/2419)

#### Security Advisories

- [GHSA-r7g8-3fj7-m5qq - Authorization bypass: CLI API sessions can import Teleporter archives and modify configuration](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq) reported by [@&#8203;mzalzahrani](https://redirect.github.com/mzalzahrani)
- Remote Code Execution (RCE) via Newline Injection in Multiple Configuration Parameters reported by [@&#8203;T0X1Cx](https://redirect.github.com/T0X1Cx)
  - [pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c)
  - [pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp)
  - [pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m)
  - [pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj)
  - [pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj)

#### New Contributors

- [@&#8203;aeolio](https://redirect.github.com/aeolio) made their first contribution in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795)

**Full Changelog**: <pi-hole/FTL@v6.5...v6.6>

<!-- Release notes generated using configuration in .github/release.yml at development -->

#### What's Changed (Web v6.5)

- Amend teleporter help text that the long-term data is not included by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3721](https://redirect.github.com/pi-hole/web/pull/3721)
- Do not use 3 columns when boxed layout is used by [@&#8203;rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/web#3722](https://redirect.github.com/pi-hole/web/pull/3722)
- Use <kbd>ENTER</kbd> instead of <kbd>⏎</kbd> by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3727](https://redirect.github.com/pi-hole/web/pull/3727)
- Don't link to github releases if docker tag is nightly by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3718](https://redirect.github.com/pi-hole/web/pull/3718)
- Do not try to compare component version when remote version info is not available by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3729](https://redirect.github.com/pi-hole/web/pull/3729)
- Show loading overlay when adding/removing CNAME records as it requires a FTL restart by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3742](https://redirect.github.com/pi-hole/web/pull/3742)
- fix: check on responseJSON when wrong password by [@&#8203;guybrush2105](https://redirect.github.com/guybrush2105) in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693)
- Remove the loggingButton from Settings > System > Actions by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3747](https://redirect.github.com/pi-hole/web/pull/3747)

#### Security Advisories

- Multiple Stored HTML Injections and XSS in different web interface pages reported by [@&#8203;andrejtomci](https://redirect.github.com/andrejtomci)

  - [GHSA-jx8x-mj2r-62vq - Stored HTML Injection in queries.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq)

  - [GHSA-9rfm-c5g6-538p - Stored HTML attribute injection](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p)

  - [GHSA-px6w-85wp-ww9v - Stored XSS / HTML injection in the Network page/Dashboard](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v)

  - [GHSA-7xqw-r9pr-qv59 - Reflected XSS / HTML injection in taillog.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59) (Also reported by [@&#8203;n1rwhex](https://redirect.github.com/n1rwhex) and [@&#8203;mzalzahrani](https://redirect.github.com/mzalzahrani))

#### New Contributors

- [@&#8203;guybrush2105](https://redirect.github.com/guybrush2105) made their first contribution in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693)

**Full Changelog**: <pi-hole/web@v6.4.1...v6.5>

<!-- Release notes generated using configuration in .github/release.yml at development -->

#### What's Changed (Core v6.4.1)

- Remove additional ':' from debug log system time output by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6551](https://redirect.github.com/pi-hole/pi-hole/pull/6551)
- Remove `readonly` from piholeNetworkFlush.sh to avoid error message by [@&#8203;rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/pi-hole#6554](https://redirect.github.com/pi-hole/pi-hole/pull/6554)
- Add antigravity index by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/pi-hole#6573](https://redirect.github.com/pi-hole/pi-hole/pull/6573)
- Fix return status capture of FTL check\_download exists by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6572](https://redirect.github.com/pi-hole/pi-hole/pull/6572)
- Remove misleading TODO comment for SetWebPassword by [@&#8203;10adnan75](https://redirect.github.com/10adnan75) in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531)

#### Security Advisories

- [GHSA-c935-8g63-qp74 – Local Privilege Escalation](https://redirect.github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74) reported by [@&#8203;smittix](https://redirect.github.com/smittix)

#### New Contributors

- [@&#8203;10adnan75](https://redirect.github.com/10adnan75) made their first contribution in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531)
- [@&#8203;Copilot](https://redirect.github.com/Copilot) made their first contribution in [pi-hole/pi-hole#6580](https://redirect.github.com/pi-hole/pi-hole/pull/6580)

**Full Changelog**: <pi-hole/pi-hole@v6.4...v6.4.1>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/bigbeartechworld/big-bear-universal-apps).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyIsInJlbm92YXRlIl19-->
github-actions Bot pushed a commit to bigbeartechworld/big-bear-universal-apps that referenced this pull request Apr 5, 2026
@renovate
chore(deps): update pihole/pihole docker tag to v2026.04.0
4bc2954 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [pihole/pihole](https://redirect.github.com/pi-hole/docker-pi-hole) | minor | `2026.02.0` → `2026.04.0` |

---

### Release Notes

<details>
<summary>pi-hole/docker-pi-hole (pihole/pihole)</summary>

### [`v2026.04.0`](https://redirect.github.com/pi-hole/docker-pi-hole/releases/tag/2026.04.0)

[Compare Source](https://redirect.github.com/pi-hole/docker-pi-hole/compare/2026.02.0...2026.04.0)

<!-- Release notes generated using configuration in .github/release.yml at master -->

#### What's Changed (Docker Specific - all related to CI/build)

- Group dependabot PRs to reduce PR spam by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [#&#8203;2004](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2004)
- ci: switch image publishing to docker/github-builder by [@&#8203;crazy-max](https://redirect.github.com/crazy-max) in [#&#8203;2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008)
- Readme Rework by [@&#8203;PromoFaux](https://redirect.github.com/PromoFaux) in [#&#8203;1958](https://redirect.github.com/pi-hole/docker-pi-hole/pull/1958)
- Replace Python test suite with BATS and consolidate workflows by [@&#8203;PromoFaux](https://redirect.github.com/PromoFaux) in [#&#8203;2009](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2009)
- Add timeout to curl command in branch validation by [@&#8203;RynoCODE](https://redirect.github.com/RynoCODE) in [#&#8203;2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011)
- Use bats-assert library functions in BATS test suite by [@&#8203;Copilot](https://redirect.github.com/Copilot) in [#&#8203;2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018)
- ci: run build job on pull request event by [@&#8203;crazy-max](https://redirect.github.com/crazy-max) in [#&#8203;2021](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2021)
- Update github-builder to v1.5.0 and enable fail-fast by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [#&#8203;2022](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2022)

#### New Contributors

- [@&#8203;crazy-max](https://redirect.github.com/crazy-max) made their first contribution in [#&#8203;2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008)
- [@&#8203;RynoCODE](https://redirect.github.com/RynoCODE) made their first contribution in [#&#8203;2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011)
- [@&#8203;Copilot](https://redirect.github.com/Copilot) made their first contribution in [#&#8203;2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018)

**Full Changelog**: <pi-hole/docker-pi-hole@2026.02.0...2026.04.0>

#### Component Release Notes

<!-- Release notes generated using configuration in .github/release.yml at development -->

#### What's Changed (FTL v6.6)

- Fix possible resolver issue on armv5tel by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2781](https://redirect.github.com/pi-hole/FTL/pull/2781)
- Introduce CMake options for optional dependencies by [@&#8203;aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795)
- Fix build without mbedtls \[v2] by [@&#8203;aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2796](https://redirect.github.com/pi-hole/FTL/pull/2796)
- Fix overTime data when database.DBimport = false by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2788](https://redirect.github.com/pi-hole/FTL/pull/2788)
- Fix cross-compilation issues w/ custom toolchain by [@&#8203;aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2797](https://redirect.github.com/pi-hole/FTL/pull/2797)
- Add new option for controling name resolution via MAC address by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2790](https://redirect.github.com/pi-hole/FTL/pull/2790)
- Fix obtaining client groups by name by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2791](https://redirect.github.com/pi-hole/FTL/pull/2791)
- Ensure API sessions are restored before starting the HTTP server by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2803](https://redirect.github.com/pi-hole/FTL/pull/2803)
- Add form-action 'self' to Content-Security-Policy by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2804](https://redirect.github.com/pi-hole/FTL/pull/2804)
- Add query\_frequency to /padd endpoint by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2806](https://redirect.github.com/pi-hole/FTL/pull/2806)
- Guard query-count counters against unsigned underflow by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2815](https://redirect.github.com/pi-hole/FTL/pull/2815)
- Add universal crash backtrace via \_Unwind\_Backtrace by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2811](https://redirect.github.com/pi-hole/FTL/pull/2811)
- config: show totp\_secret presence in CLI output by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2813](https://redirect.github.com/pi-hole/FTL/pull/2813)
- Fix client count inflation for rate-limited queries by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2814](https://redirect.github.com/pi-hole/FTL/pull/2814)
- Fix stack buffer overflow in get\_process\_name() by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2821](https://redirect.github.com/pi-hole/FTL/pull/2821)
- Do not restart FTL while `pihole -g` is still ongoing by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2419](https://redirect.github.com/pi-hole/FTL/pull/2419)

#### Security Advisories

- [GHSA-r7g8-3fj7-m5qq - Authorization bypass: CLI API sessions can import Teleporter archives and modify configuration](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq) reported by [@&#8203;mzalzahrani](https://redirect.github.com/mzalzahrani)
- Remote Code Execution (RCE) via Newline Injection in Multiple Configuration Parameters reported by [@&#8203;T0X1Cx](https://redirect.github.com/T0X1Cx)
  - [pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c)
  - [pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp)
  - [pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m)
  - [pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj)
  - [pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj)

#### New Contributors

- [@&#8203;aeolio](https://redirect.github.com/aeolio) made their first contribution in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795)

**Full Changelog**: <pi-hole/FTL@v6.5...v6.6>

<!-- Release notes generated using configuration in .github/release.yml at development -->

#### What's Changed (Web v6.5)

- Amend teleporter help text that the long-term data is not included by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3721](https://redirect.github.com/pi-hole/web/pull/3721)
- Do not use 3 columns when boxed layout is used by [@&#8203;rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/web#3722](https://redirect.github.com/pi-hole/web/pull/3722)
- Use <kbd>ENTER</kbd> instead of <kbd>⏎</kbd> by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3727](https://redirect.github.com/pi-hole/web/pull/3727)
- Don't link to github releases if docker tag is nightly by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3718](https://redirect.github.com/pi-hole/web/pull/3718)
- Do not try to compare component version when remote version info is not available by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3729](https://redirect.github.com/pi-hole/web/pull/3729)
- Show loading overlay when adding/removing CNAME records as it requires a FTL restart by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3742](https://redirect.github.com/pi-hole/web/pull/3742)
- fix: check on responseJSON when wrong password by [@&#8203;guybrush2105](https://redirect.github.com/guybrush2105) in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693)
- Remove the loggingButton from Settings > System > Actions by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3747](https://redirect.github.com/pi-hole/web/pull/3747)

#### Security Advisories

- Multiple Stored HTML Injections and XSS in different web interface pages reported by [@&#8203;andrejtomci](https://redirect.github.com/andrejtomci)

  - [GHSA-jx8x-mj2r-62vq - Stored HTML Injection in queries.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq)

  - [GHSA-9rfm-c5g6-538p - Stored HTML attribute injection](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p)

  - [GHSA-px6w-85wp-ww9v - Stored XSS / HTML injection in the Network page/Dashboard](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v)

  - [GHSA-7xqw-r9pr-qv59 - Reflected XSS / HTML injection in taillog.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59) (Also reported by [@&#8203;n1rwhex](https://redirect.github.com/n1rwhex) and [@&#8203;mzalzahrani](https://redirect.github.com/mzalzahrani))

#### New Contributors

- [@&#8203;guybrush2105](https://redirect.github.com/guybrush2105) made their first contribution in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693)

**Full Changelog**: <pi-hole/web@v6.4.1...v6.5>

<!-- Release notes generated using configuration in .github/release.yml at development -->

#### What's Changed (Core v6.4.1)

- Remove additional ':' from debug log system time output by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6551](https://redirect.github.com/pi-hole/pi-hole/pull/6551)
- Remove `readonly` from piholeNetworkFlush.sh to avoid error message by [@&#8203;rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/pi-hole#6554](https://redirect.github.com/pi-hole/pi-hole/pull/6554)
- Add antigravity index by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/pi-hole#6573](https://redirect.github.com/pi-hole/pi-hole/pull/6573)
- Fix return status capture of FTL check\_download exists by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6572](https://redirect.github.com/pi-hole/pi-hole/pull/6572)
- Remove misleading TODO comment for SetWebPassword by [@&#8203;10adnan75](https://redirect.github.com/10adnan75) in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531)

#### Security Advisories

- [GHSA-c935-8g63-qp74 – Local Privilege Escalation](https://redirect.github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74) reported by [@&#8203;smittix](https://redirect.github.com/smittix)

#### New Contributors

- [@&#8203;10adnan75](https://redirect.github.com/10adnan75) made their first contribution in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531)
- [@&#8203;Copilot](https://redirect.github.com/Copilot) made their first contribution in [pi-hole/pi-hole#6580](https://redirect.github.com/pi-hole/pi-hole/pull/6580)

**Full Changelog**: <pi-hole/pi-hole@v6.4...v6.4.1>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/bigbeartechworld/big-bear-universal-apps).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyIsInJlbm92YXRlIl19-->
github-actions Bot pushed a commit to bigbeartechworld/big-bear-universal-apps that referenced this pull request Apr 7, 2026
@renovate
chore(deps): update bigbeartechworld/big-bear-pihole-unbound docker t…
6fdd410 
…ag to v2026.04.0

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [bigbeartechworld/big-bear-pihole-unbound](https://redirect.github.com/pi-hole/docker-pi-hole) | minor | `2026.02.0` → `2026.04.0` |

---

### Release Notes

<details>
<summary>pi-hole/docker-pi-hole (bigbeartechworld/big-bear-pihole-unbound)</summary>

### [`v2026.04.0`](https://redirect.github.com/pi-hole/docker-pi-hole/releases/tag/2026.04.0)

[Compare Source](https://redirect.github.com/pi-hole/docker-pi-hole/compare/2026.02.0...2026.04.0)

<!-- Release notes generated using configuration in .github/release.yml at master -->

#### What's Changed (Docker Specific - all related to CI/build)

- Group dependabot PRs to reduce PR spam by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [#&#8203;2004](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2004)
- ci: switch image publishing to docker/github-builder by [@&#8203;crazy-max](https://redirect.github.com/crazy-max) in [#&#8203;2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008)
- Readme Rework by [@&#8203;PromoFaux](https://redirect.github.com/PromoFaux) in [#&#8203;1958](https://redirect.github.com/pi-hole/docker-pi-hole/pull/1958)
- Replace Python test suite with BATS and consolidate workflows by [@&#8203;PromoFaux](https://redirect.github.com/PromoFaux) in [#&#8203;2009](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2009)
- Add timeout to curl command in branch validation by [@&#8203;RynoCODE](https://redirect.github.com/RynoCODE) in [#&#8203;2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011)
- Use bats-assert library functions in BATS test suite by [@&#8203;Copilot](https://redirect.github.com/Copilot) in [#&#8203;2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018)
- ci: run build job on pull request event by [@&#8203;crazy-max](https://redirect.github.com/crazy-max) in [#&#8203;2021](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2021)
- Update github-builder to v1.5.0 and enable fail-fast by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [#&#8203;2022](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2022)

#### New Contributors

- [@&#8203;crazy-max](https://redirect.github.com/crazy-max) made their first contribution in [#&#8203;2008](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2008)
- [@&#8203;RynoCODE](https://redirect.github.com/RynoCODE) made their first contribution in [#&#8203;2011](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2011)
- [@&#8203;Copilot](https://redirect.github.com/Copilot) made their first contribution in [#&#8203;2018](https://redirect.github.com/pi-hole/docker-pi-hole/pull/2018)

**Full Changelog**: <pi-hole/docker-pi-hole@2026.02.0...2026.04.0>

#### Component Release Notes

<!-- Release notes generated using configuration in .github/release.yml at development -->

#### What's Changed (FTL v6.6)

- Fix possible resolver issue on armv5tel by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2781](https://redirect.github.com/pi-hole/FTL/pull/2781)
- Introduce CMake options for optional dependencies by [@&#8203;aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795)
- Fix build without mbedtls \[v2] by [@&#8203;aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2796](https://redirect.github.com/pi-hole/FTL/pull/2796)
- Fix overTime data when database.DBimport = false by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2788](https://redirect.github.com/pi-hole/FTL/pull/2788)
- Fix cross-compilation issues w/ custom toolchain by [@&#8203;aeolio](https://redirect.github.com/aeolio) in [pi-hole/FTL#2797](https://redirect.github.com/pi-hole/FTL/pull/2797)
- Add new option for controling name resolution via MAC address by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2790](https://redirect.github.com/pi-hole/FTL/pull/2790)
- Fix obtaining client groups by name by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2791](https://redirect.github.com/pi-hole/FTL/pull/2791)
- Ensure API sessions are restored before starting the HTTP server by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2803](https://redirect.github.com/pi-hole/FTL/pull/2803)
- Add form-action 'self' to Content-Security-Policy by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2804](https://redirect.github.com/pi-hole/FTL/pull/2804)
- Add query\_frequency to /padd endpoint by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/FTL#2806](https://redirect.github.com/pi-hole/FTL/pull/2806)
- Guard query-count counters against unsigned underflow by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2815](https://redirect.github.com/pi-hole/FTL/pull/2815)
- Add universal crash backtrace via \_Unwind\_Backtrace by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2811](https://redirect.github.com/pi-hole/FTL/pull/2811)
- config: show totp\_secret presence in CLI output by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2813](https://redirect.github.com/pi-hole/FTL/pull/2813)
- Fix client count inflation for rate-limited queries by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2814](https://redirect.github.com/pi-hole/FTL/pull/2814)
- Fix stack buffer overflow in get\_process\_name() by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2821](https://redirect.github.com/pi-hole/FTL/pull/2821)
- Do not restart FTL while `pihole -g` is still ongoing by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/FTL#2419](https://redirect.github.com/pi-hole/FTL/pull/2419)

#### Security Advisories

- [GHSA-r7g8-3fj7-m5qq - Authorization bypass: CLI API sessions can import Teleporter archives and modify configuration](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq) reported by [@&#8203;mzalzahrani](https://redirect.github.com/mzalzahrani)
- Remote Code Execution (RCE) via Newline Injection in Multiple Configuration Parameters reported by [@&#8203;T0X1Cx](https://redirect.github.com/T0X1Cx)
  - [pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c)
  - [pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp)
  - [pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m)
  - [pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj)
  - [pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj](https://redirect.github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj)

#### New Contributors

- [@&#8203;aeolio](https://redirect.github.com/aeolio) made their first contribution in [pi-hole/FTL#2795](https://redirect.github.com/pi-hole/FTL/pull/2795)

**Full Changelog**: <pi-hole/FTL@v6.5...v6.6>

<!-- Release notes generated using configuration in .github/release.yml at development -->

#### What's Changed (Web v6.5)

- Amend teleporter help text that the long-term data is not included by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3721](https://redirect.github.com/pi-hole/web/pull/3721)
- Do not use 3 columns when boxed layout is used by [@&#8203;rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/web#3722](https://redirect.github.com/pi-hole/web/pull/3722)
- Use <kbd>ENTER</kbd> instead of <kbd>⏎</kbd> by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3727](https://redirect.github.com/pi-hole/web/pull/3727)
- Don't link to github releases if docker tag is nightly by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3718](https://redirect.github.com/pi-hole/web/pull/3718)
- Do not try to compare component version when remote version info is not available by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3729](https://redirect.github.com/pi-hole/web/pull/3729)
- Show loading overlay when adding/removing CNAME records as it requires a FTL restart by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3742](https://redirect.github.com/pi-hole/web/pull/3742)
- fix: check on responseJSON when wrong password by [@&#8203;guybrush2105](https://redirect.github.com/guybrush2105) in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693)
- Remove the loggingButton from Settings > System > Actions by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/web#3747](https://redirect.github.com/pi-hole/web/pull/3747)

#### Security Advisories

- Multiple Stored HTML Injections and XSS in different web interface pages reported by [@&#8203;andrejtomci](https://redirect.github.com/andrejtomci)

  - [GHSA-jx8x-mj2r-62vq - Stored HTML Injection in queries.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq)

  - [GHSA-9rfm-c5g6-538p - Stored HTML attribute injection](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p)

  - [GHSA-px6w-85wp-ww9v - Stored XSS / HTML injection in the Network page/Dashboard](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v)

  - [GHSA-7xqw-r9pr-qv59 - Reflected XSS / HTML injection in taillog.js](https://redirect.github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59) (Also reported by [@&#8203;n1rwhex](https://redirect.github.com/n1rwhex) and [@&#8203;mzalzahrani](https://redirect.github.com/mzalzahrani))

#### New Contributors

- [@&#8203;guybrush2105](https://redirect.github.com/guybrush2105) made their first contribution in [pi-hole/web#3693](https://redirect.github.com/pi-hole/web/pull/3693)

**Full Changelog**: <pi-hole/web@v6.4.1...v6.5>

<!-- Release notes generated using configuration in .github/release.yml at development -->

#### What's Changed (Core v6.4.1)

- Remove additional ':' from debug log system time output by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6551](https://redirect.github.com/pi-hole/pi-hole/pull/6551)
- Remove `readonly` from piholeNetworkFlush.sh to avoid error message by [@&#8203;rdwebdesign](https://redirect.github.com/rdwebdesign) in [pi-hole/pi-hole#6554](https://redirect.github.com/pi-hole/pi-hole/pull/6554)
- Add antigravity index by [@&#8203;DL6ER](https://redirect.github.com/DL6ER) in [pi-hole/pi-hole#6573](https://redirect.github.com/pi-hole/pi-hole/pull/6573)
- Fix return status capture of FTL check\_download exists by [@&#8203;yubiuser](https://redirect.github.com/yubiuser) in [pi-hole/pi-hole#6572](https://redirect.github.com/pi-hole/pi-hole/pull/6572)
- Remove misleading TODO comment for SetWebPassword by [@&#8203;10adnan75](https://redirect.github.com/10adnan75) in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531)

#### Security Advisories

- [GHSA-c935-8g63-qp74 – Local Privilege Escalation](https://redirect.github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74) reported by [@&#8203;smittix](https://redirect.github.com/smittix)

#### New Contributors

- [@&#8203;10adnan75](https://redirect.github.com/10adnan75) made their first contribution in [pi-hole/pi-hole#6531](https://redirect.github.com/pi-hole/pi-hole/pull/6531)
- [@&#8203;Copilot](https://redirect.github.com/Copilot) made their first contribution in [pi-hole/pi-hole#6580](https://redirect.github.com/pi-hole/pi-hole/pull/6580)

**Full Changelog**: <pi-hole/pi-hole@v6.4...v6.4.1>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/bigbeartechworld/big-bear-universal-apps).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyIsInJlbm92YXRlIl19-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rdwebdesign rdwebdesign rdwebdesign approved these changes

Assignees

No one assigned

Labels

Bugfix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Query log showing millions and millions of pages

3 participants

@DL6ER @pralor-bot @rdwebdesign