From 77af695dd28ece0741dce90efa630e99f4e1101b Mon Sep 17 00:00:00 2001 From: Eli Bosley Date: Thu, 30 Apr 2026 16:46:44 -0400 Subject: [PATCH 1/9] docs(release-notes): update 7.2.5 final notes - Purpose: prepare the 7.2.5 release notes from the latest Asana draft on a branch based on current main. - Before: main still carried the 7.2.5-rc.2 notes with an rc-by-rc structure and older package/kernel details. - Problem: those notes did not reflect the final-style release summary, package CVE coverage, Docker MAC address guidance, or updated API/kernel details. - Now: the 7.2.5 page is rewritten as final release notes with consolidated sections, updated package/version details, and the mover empty-disk documentation link. - How: replace the rc.2 delta structure with the current final changelog content while preserving the existing upgrade, known-issues, and rollback scaffolding. --- docs/unraid-os/release-notes/7.2.5.md | 67 ++++++++++++++++++--------- 1 file changed, 44 insertions(+), 23 deletions(-) diff --git a/docs/unraid-os/release-notes/7.2.5.md b/docs/unraid-os/release-notes/7.2.5.md index cdc335d48a..dce16107f6 100644 --- a/docs/unraid-os/release-notes/7.2.5.md +++ b/docs/unraid-os/release-notes/7.2.5.md @@ -1,8 +1,8 @@ -# Version 7.2.5-rc.2 2026-04-20 +# Version 7.2.5 -This security and bugfix release updates Docker and the Linux kernel for Unraid 7.2.x users. It also includes targeted fixes for Docker, Tailscale, mover empty-disk workflows, login-page custom case images, and registration state handling. +This security and bugfix release updates Docker, the Linux kernel, ZFS, and selected base packages for Unraid 7.2.x users. It also includes targeted fixes for Docker, Tailscale, storage, mover empty-disk workflows, WebGUI security, login-page custom case images, Unraid API startup, and registration state handling. -The Docker update includes runc fixes for CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881. +This release addresses additional CVEs and security advisories in curl, GnuTLS, libpcap, libpng, libtasn1, libXpm, OpenSSL, p11-kit, xorg-server, xz, and related base packages. Several package changelogs also note security fixes without public CVE IDs. This release is recommended for all 7.2.x users. @@ -18,45 +18,66 @@ For other known issues, see the [7.2.4 release notes](/unraid-os/release-notes/7 If rolling back earlier than 7.2.4, also see the [7.2.4 release notes](/unraid-os/release-notes/7.2.4/). -## Changes from rc.1 +## BREAKING CHANGES -Only the Unraid API update, Linux kernel update, and rare-crash mitigation are new in rc.2. +- Docker containers may receive a new dynamically generated MAC address each time they are created. If a container needs a stable network identity for DHCP reservations, router or firewall rules, switch ACLs, monitoring, or similar workflows, set a fixed value in the new **MAC Address** field on the Docker template. This follows Docker Engine 28+ behavior for bridge and macvlan network endpoints; see the [Docker Engine 28 release notes](https://docs.docker.com/engine/release-notes/28/). -### Unraid API - -- dynamix.unraid.net 4.32.3 - [see changes](https://github.com/unraid/api/releases) - -### Linux kernel +## Changes vs. 7.2.4 -- version 6.12.82-Unraid -- Security: Pick up upstream fixes for CVE-2026-31430, a Linux X.509 out-of-bounds access issue triggered by specially crafted certificates. +### Security -### System - -- Fix: Add a mitigation for a rare crash. - -## Included from rc.1 +- Fixed three WebGUI security issues that required a logged-in session to exploit. Users are encouraged to upgrade. +- Security: Pick up upstream Linux kernel fixes for CVE-2026-31430, a Linux X.509 out-of-bounds access issue triggered by specially crafted certificates. +- Package CVE coverage as of Apr 29, 2026: 24 unique CVEs across 21 upstream advisories in 14 packages. Package-level details are listed in the base distro updates below. ### Containers / Docker - Improvement: Update Docker to version 29 for 7.2.x systems. +- New: Add an optional **MAC Address** field to Docker templates for containers that need a stable network identity across restarts. This field preserves configured fixed MAC addresses through Docker restarts, full host reboots, container recreates, and delete/re-add from the saved template for bridge, custom macvlan/ipvlan, WireGuard, and user-defined Docker networks. +- Fix: Migrate legacy `--mac-address=` values from Extra Parameters into the new fixed MAC field where safe, while leaving templates unchanged when networking is still owned by Extra Parameters. +- Improvement: Show each running Docker container's actual MAC address in Docker Advanced View alongside the existing network and IP details. - Fix: Hide stale dead or uninspectable "ghost" containers from the Docker page without deleting containers or mutating Docker state. - Fix: Clear stale Tailscale Serve/Funnel state when a Docker container restarts, then reapply only the Serve/Funnel mode currently configured in the Docker template. This prevents a container changed from Funnel or Serve to No from keeping the old exposure active after restart. ### Storage -- Fix: Keep the mover empty-disk action available on systems with user shares enabled but no pool devices assigned, while still disabling it during parity, mover, and BTRFS operations. +- Fix: Keep the [mover empty-disk action](/unraid-os/using-unraid-to/manage-storage/file-systems/#converting-to-a-new-file-system-type) available on systems with user shares enabled but no pool devices assigned, while still disabling it during parity, mover, and BTRFS operations. +- Fix: Preserve an array disk's existing non-standard partition layout when the disk is unassigned and reassigned. This prevents Unraid from rewriting an unaligned sector-63 partition at sector 64 and making the existing filesystem unmountable. ### WebGUI -- Fix: Restore custom case-model images on the login page +- Fix: Restore custom case-model images on the login page. ### Unraid API +- Update Unraid API to dynamix.unraid.net 4.32.3. +- Fix: Resolve an API startup failure where the API could time out while bootstrapping and remain in a restart loop. - Fix: Improve registration-state refresh after license updates so the WebGUI reflects the current license state more reliably. -### Base distro updates +### Linux kernel -- docker: version 27.5.1 -> 29.3.1 (CVE-2026-34040, CVE-2026-33997, CVE-2026-33748, CVE-2026-33747, CVE-2025-61729, CVE-2025-61727, CVE-2025-31133, CVE-2025-52565, CVE-2025-52881, CVE-2025-54388, CVE-2024-45341, CVE-2024-45336, CVE-2025-27144) -- libpng: version 1.6.50 -> 1.6.57 (CVE-2026-34757) -- php: version 8.3.26 -> 8.3.29 (CVE-2025-14177 CVE-2025-14178 CVE-2025-14180) +- version 6.12.85-Unraid + +### Base distro updates and CVEs + +- bind: 9.20.15-x86_64-1 -> 9.20.22-x86_64-1 (security fix noted; no CVE IDs listed) +- curl: 8.16.0-x86_64-1 -> 8.19.0-x86_64-1 (CVE-2026-1965, CVE-2026-3783, CVE-2026-3784, CVE-2026-3805) +- docker: 27.5.1-x86_64-1_LT -> 29.3.1-x86_64-1_LT +- dynamix.unraid.net: 4.29.2-x86_64-1 -> 4.32.3-x86_64-2 +- gnutls: 3.8.10-x86_64-1 -> 3.8.12-x86_64-1 (CVE-2025-14831, CVE-2026-1584) +- libXpm: 3.5.17-x86_64-1 -> 3.5.19-x86_64-1 (CVE-2026-4367) +- libarchive: 3.8.2-x86_64-1 -> 3.8.7-x86_64-1 (security fix noted; no CVE IDs listed) +- libpcap: 1.10.5-x86_64-1 -> 1.10.6-x86_64-1 (CVE-2025-11961, CVE-2025-11964) +- libpng: 1.6.50-x86_64-1 -> 1.6.57-x86_64-1 (CVE-2026-34757) +- libtasn1: 4.20.0-x86_64-1 -> 4.21.0-x86_64-1 (CVE-2025-13151) +- libvirt-php: 0.5.8-x86_64-8.3.26_LT -> 0.5.8-x86_64-8.3.29_LT +- libxml2: 2.14.6-x86_64-1 -> 2.15.3-x86_64-1 (security fix noted; no CVE IDs listed) +- libxslt: 1.1.43-x86_64-2 -> 1.1.45-x86_64-1 +- openssl: 3.5.4-x86_64-1 -> 3.5.6-x86_64-2 (CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790) +- p11-kit: 0.25.10-x86_64-1 -> 0.26.2-x86_64-1 (CVE-2026-2100) +- php: 8.3.26-x86_64-1_LT -> 8.3.29-x86_64-1_LT +- xorg-server: 21.1.18-x86_64-1 -> 21.1.22-x86_64-2 (CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003) +- xz: 5.8.1-x86_64-1 -> 5.8.3-x86_64-1 (CVE-2026-34743) +- zfs: 2.3.4_6.12.54_Unraid-x86_64-2_LT -> 2.3.4_6.12.82_Unraid-x86_64-2_LT +- zlib: 1.3.1-x86_64-1 -> 1.3.2-x86_64-1 (security fix noted; no CVE IDs listed) +- ngtcp2: added 1.22.1-x86_64-1 From dd2c13b9c14bc227d046e4dfc700017ceff40191 Mon Sep 17 00:00:00 2001 From: Eli Bosley Date: Thu, 30 Apr 2026 16:49:29 -0400 Subject: [PATCH 2/9] docs(release-notes): mention Copy Fail kernel fix - Purpose: call out the Linux kernel upgrade for the newly disclosed Copy Fail vulnerability. - Before: the 7.2.5 notes mentioned the kernel version and CVE-2026-31430 but did not name CVE-2026-31431 or Copy Fail. - Problem: readers would miss that the release also includes kernel coverage for the new local privilege escalation issue. - Now: the opening release body, security section, and Linux kernel section all mention CVE-2026-31431, the Copy Fail local privilege escalation vulnerability. - How: add the Copy Fail language to the existing final release-note draft without changing unrelated sections. --- docs/unraid-os/release-notes/7.2.5.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/unraid-os/release-notes/7.2.5.md b/docs/unraid-os/release-notes/7.2.5.md index dce16107f6..caecd6f1db 100644 --- a/docs/unraid-os/release-notes/7.2.5.md +++ b/docs/unraid-os/release-notes/7.2.5.md @@ -2,7 +2,7 @@ This security and bugfix release updates Docker, the Linux kernel, ZFS, and selected base packages for Unraid 7.2.x users. It also includes targeted fixes for Docker, Tailscale, storage, mover empty-disk workflows, WebGUI security, login-page custom case images, Unraid API startup, and registration state handling. -This release addresses additional CVEs and security advisories in curl, GnuTLS, libpcap, libpng, libtasn1, libXpm, OpenSSL, p11-kit, xorg-server, xz, and related base packages. Several package changelogs also note security fixes without public CVE IDs. +This release also includes a Linux kernel upgrade that addresses CVE-2026-31431, the Copy Fail local privilege escalation vulnerability. It addresses additional CVEs and security advisories in curl, GnuTLS, libpcap, libpng, libtasn1, libXpm, OpenSSL, p11-kit, xorg-server, xz, and related base packages. Several package changelogs also note security fixes without public CVE IDs. This release is recommended for all 7.2.x users. @@ -27,7 +27,7 @@ If rolling back earlier than 7.2.4, also see the [7.2.4 release notes](/unraid-o ### Security - Fixed three WebGUI security issues that required a logged-in session to exploit. Users are encouraged to upgrade. -- Security: Pick up upstream Linux kernel fixes for CVE-2026-31430, a Linux X.509 out-of-bounds access issue triggered by specially crafted certificates. +- Security: Upgrade the Linux kernel to address CVE-2026-31431, the Copy Fail local privilege escalation vulnerability, and pick up upstream fixes for CVE-2026-31430, a Linux X.509 out-of-bounds access issue triggered by specially crafted certificates. - Package CVE coverage as of Apr 29, 2026: 24 unique CVEs across 21 upstream advisories in 14 packages. Package-level details are listed in the base distro updates below. ### Containers / Docker @@ -57,6 +57,7 @@ If rolling back earlier than 7.2.4, also see the [7.2.4 release notes](/unraid-o ### Linux kernel - version 6.12.85-Unraid +- Security: Addresses CVE-2026-31431, the Copy Fail local privilege escalation vulnerability. ### Base distro updates and CVEs From 4e703131f1d22485bbb5c18e5491141fcda3693b Mon Sep 17 00:00:00 2001 From: Eli Bosley Date: Thu, 30 Apr 2026 16:50:59 -0400 Subject: [PATCH 3/9] docs(release-notes): mention runc security fixes - Purpose: make the 7.2.5 notes explicitly reference the runc security fixes included with the Docker update. - Before: the final release-note draft mentioned Docker 29 but did not call out the runc CVEs from the earlier release-note body. - Problem: readers could miss that the Docker update includes runc fixes for CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881. - Now: the opening release body and Containers / Docker section both include the runc CVE references. - How: add one summary sentence near the top and one Docker security bullet without changing unrelated sections. --- docs/unraid-os/release-notes/7.2.5.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/unraid-os/release-notes/7.2.5.md b/docs/unraid-os/release-notes/7.2.5.md index caecd6f1db..45be9f4e18 100644 --- a/docs/unraid-os/release-notes/7.2.5.md +++ b/docs/unraid-os/release-notes/7.2.5.md @@ -4,6 +4,8 @@ This security and bugfix release updates Docker, the Linux kernel, ZFS, and sele This release also includes a Linux kernel upgrade that addresses CVE-2026-31431, the Copy Fail local privilege escalation vulnerability. It addresses additional CVEs and security advisories in curl, GnuTLS, libpcap, libpng, libtasn1, libXpm, OpenSSL, p11-kit, xorg-server, xz, and related base packages. Several package changelogs also note security fixes without public CVE IDs. +The Docker update includes runc fixes for CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881. + This release is recommended for all 7.2.x users. ## Upgrading @@ -33,6 +35,7 @@ If rolling back earlier than 7.2.4, also see the [7.2.4 release notes](/unraid-o ### Containers / Docker - Improvement: Update Docker to version 29 for 7.2.x systems. +- Security: Include runc fixes for CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881. - New: Add an optional **MAC Address** field to Docker templates for containers that need a stable network identity across restarts. This field preserves configured fixed MAC addresses through Docker restarts, full host reboots, container recreates, and delete/re-add from the saved template for bridge, custom macvlan/ipvlan, WireGuard, and user-defined Docker networks. - Fix: Migrate legacy `--mac-address=` values from Extra Parameters into the new fixed MAC field where safe, while leaving templates unchanged when networking is still owned by Extra Parameters. - Improvement: Show each running Docker container's actual MAC address in Docker Advanced View alongside the existing network and IP details. From b99903ad1a7e632f0152c75bc000cd70efc52b1f Mon Sep 17 00:00:00 2001 From: Eli Bosley Date: Thu, 30 Apr 2026 16:54:08 -0400 Subject: [PATCH 4/9] docs(release-notes): simplify package update versions - Purpose: align the 7.2.5 package update list with the preferred release-note format. - Before: package entries included architecture suffixes and an extra ngtcp2 added-package line. - Problem: the section was noisier than the source package summary and did not preserve the preferred upgrade arrow marker. - Now: the package list uses simplified version strings, keeps the upgrade arrow glyph, and removes the ngtcp2 entry. - How: update only the Base distro updates and CVEs section. --- docs/unraid-os/release-notes/7.2.5.md | 41 +++++++++++++-------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/docs/unraid-os/release-notes/7.2.5.md b/docs/unraid-os/release-notes/7.2.5.md index 45be9f4e18..f353c67243 100644 --- a/docs/unraid-os/release-notes/7.2.5.md +++ b/docs/unraid-os/release-notes/7.2.5.md @@ -64,24 +64,23 @@ If rolling back earlier than 7.2.4, also see the [7.2.4 release notes](/unraid-o ### Base distro updates and CVEs -- bind: 9.20.15-x86_64-1 -> 9.20.22-x86_64-1 (security fix noted; no CVE IDs listed) -- curl: 8.16.0-x86_64-1 -> 8.19.0-x86_64-1 (CVE-2026-1965, CVE-2026-3783, CVE-2026-3784, CVE-2026-3805) -- docker: 27.5.1-x86_64-1_LT -> 29.3.1-x86_64-1_LT -- dynamix.unraid.net: 4.29.2-x86_64-1 -> 4.32.3-x86_64-2 -- gnutls: 3.8.10-x86_64-1 -> 3.8.12-x86_64-1 (CVE-2025-14831, CVE-2026-1584) -- libXpm: 3.5.17-x86_64-1 -> 3.5.19-x86_64-1 (CVE-2026-4367) -- libarchive: 3.8.2-x86_64-1 -> 3.8.7-x86_64-1 (security fix noted; no CVE IDs listed) -- libpcap: 1.10.5-x86_64-1 -> 1.10.6-x86_64-1 (CVE-2025-11961, CVE-2025-11964) -- libpng: 1.6.50-x86_64-1 -> 1.6.57-x86_64-1 (CVE-2026-34757) -- libtasn1: 4.20.0-x86_64-1 -> 4.21.0-x86_64-1 (CVE-2025-13151) -- libvirt-php: 0.5.8-x86_64-8.3.26_LT -> 0.5.8-x86_64-8.3.29_LT -- libxml2: 2.14.6-x86_64-1 -> 2.15.3-x86_64-1 (security fix noted; no CVE IDs listed) -- libxslt: 1.1.43-x86_64-2 -> 1.1.45-x86_64-1 -- openssl: 3.5.4-x86_64-1 -> 3.5.6-x86_64-2 (CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790) -- p11-kit: 0.25.10-x86_64-1 -> 0.26.2-x86_64-1 (CVE-2026-2100) -- php: 8.3.26-x86_64-1_LT -> 8.3.29-x86_64-1_LT -- xorg-server: 21.1.18-x86_64-1 -> 21.1.22-x86_64-2 (CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003) -- xz: 5.8.1-x86_64-1 -> 5.8.3-x86_64-1 (CVE-2026-34743) -- zfs: 2.3.4_6.12.54_Unraid-x86_64-2_LT -> 2.3.4_6.12.82_Unraid-x86_64-2_LT -- zlib: 1.3.1-x86_64-1 -> 1.3.2-x86_64-1 (security fix noted; no CVE IDs listed) -- ngtcp2: added 1.22.1-x86_64-1 +- ↑ bind: 9.20.15 -> 9.20.22 (security fix noted; no CVE IDs listed) +- ↑ curl: 8.16.0 -> 8.19.0 (CVE-2026-1965, CVE-2026-3783, CVE-2026-3784, CVE-2026-3805) +- ↑ docker: 27.5.1-1_LT -> 29.3.1-1_LT +- ↑ dynamix.unraid.net: 4.29.2 -> 4.32.3-2 +- ↑ gnutls: 3.8.10 -> 3.8.12 (CVE-2025-14831, CVE-2026-1584) +- ↑ libXpm: 3.5.17 -> 3.5.19 (CVE-2026-4367) +- ↑ libarchive: 3.8.2 -> 3.8.7 (security fix noted; no CVE IDs listed) +- ↑ libpcap: 1.10.5 -> 1.10.6 (CVE-2025-11961, CVE-2025-11964) +- ↑ libpng: 1.6.50 -> 1.6.57 (CVE-2026-34757) +- ↑ libtasn1: 4.20.0 -> 4.21.0 (CVE-2025-13151) +- ↑ libvirt-php: 0.5.8-8.3.26_LT -> 0.5.8-8.3.29_LT +- ↑ libxml2: 2.14.6 -> 2.15.3 (security fix noted; no CVE IDs listed) +- ↑ libxslt: 1.1.43-2 -> 1.1.45 +- ↑ openssl: 3.5.4 -> 3.5.6-2 (CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790) +- ↑ p11-kit: 0.25.10 -> 0.26.2 (CVE-2026-2100) +- ↑ php: 8.3.26-1_LT -> 8.3.29-1_LT +- ↑ xorg-server: 21.1.18 -> 21.1.22-2 (CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003) +- ↑ xz: 5.8.1 -> 5.8.3 (CVE-2026-34743) +- ↑ zfs: 2.3.4_6.12.54_Unraid-2_LT -> 2.3.4_6.12.82_Unraid-2_LT +- ↑ zlib: 1.3.1 -> 1.3.2 (security fix noted; no CVE IDs listed) From cb195a108665fc7143098b3b8ecf29646c6a9cb1 Mon Sep 17 00:00:00 2001 From: Eli Bosley Date: Thu, 30 Apr 2026 16:54:58 -0400 Subject: [PATCH 5/9] docs(release-notes): restore ngtcp2 package entry - Purpose: include the ngtcp2 package addition in the 7.2.5 base distro update list. - Before: the simplified package update pass removed ngtcp2 from the public release notes. - Problem: the package section was missing an added package that should remain visible in the release summary. - Now: the package list includes an arrow-marked ngtcp2 entry with the simplified added version. - How: add to the Base distro updates and CVEs section. --- docs/unraid-os/release-notes/7.2.5.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/unraid-os/release-notes/7.2.5.md b/docs/unraid-os/release-notes/7.2.5.md index f353c67243..024f21e6f7 100644 --- a/docs/unraid-os/release-notes/7.2.5.md +++ b/docs/unraid-os/release-notes/7.2.5.md @@ -84,3 +84,4 @@ If rolling back earlier than 7.2.4, also see the [7.2.4 release notes](/unraid-o - ↑ xz: 5.8.1 -> 5.8.3 (CVE-2026-34743) - ↑ zfs: 2.3.4_6.12.54_Unraid-2_LT -> 2.3.4_6.12.82_Unraid-2_LT - ↑ zlib: 1.3.1 -> 1.3.2 (security fix noted; no CVE IDs listed) +- ↑ ngtcp2: added 1.22.1 From 364d44c7521e84c030a35bf6d0ad4086e886caef Mon Sep 17 00:00:00 2001 From: Eli Bosley Date: Thu, 30 Apr 2026 16:55:44 -0400 Subject: [PATCH 6/9] docs(release-notes): use arrow version separators - Purpose: match the preferred package update notation in the 7.2.5 notes. - Before: package update entries used ASCII arrows between old and new versions. - Problem: the section did not match the requested visual format for package changes. - Now: package update entries use the right-arrow glyph between versions while keeping the existing upgrade glyph on each line. - How: replace version separator arrows in the Base distro updates and CVEs section. --- docs/unraid-os/release-notes/7.2.5.md | 40 +++++++++++++-------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/docs/unraid-os/release-notes/7.2.5.md b/docs/unraid-os/release-notes/7.2.5.md index 024f21e6f7..4d4291bed2 100644 --- a/docs/unraid-os/release-notes/7.2.5.md +++ b/docs/unraid-os/release-notes/7.2.5.md @@ -64,24 +64,24 @@ If rolling back earlier than 7.2.4, also see the [7.2.4 release notes](/unraid-o ### Base distro updates and CVEs -- ↑ bind: 9.20.15 -> 9.20.22 (security fix noted; no CVE IDs listed) -- ↑ curl: 8.16.0 -> 8.19.0 (CVE-2026-1965, CVE-2026-3783, CVE-2026-3784, CVE-2026-3805) -- ↑ docker: 27.5.1-1_LT -> 29.3.1-1_LT -- ↑ dynamix.unraid.net: 4.29.2 -> 4.32.3-2 -- ↑ gnutls: 3.8.10 -> 3.8.12 (CVE-2025-14831, CVE-2026-1584) -- ↑ libXpm: 3.5.17 -> 3.5.19 (CVE-2026-4367) -- ↑ libarchive: 3.8.2 -> 3.8.7 (security fix noted; no CVE IDs listed) -- ↑ libpcap: 1.10.5 -> 1.10.6 (CVE-2025-11961, CVE-2025-11964) -- ↑ libpng: 1.6.50 -> 1.6.57 (CVE-2026-34757) -- ↑ libtasn1: 4.20.0 -> 4.21.0 (CVE-2025-13151) -- ↑ libvirt-php: 0.5.8-8.3.26_LT -> 0.5.8-8.3.29_LT -- ↑ libxml2: 2.14.6 -> 2.15.3 (security fix noted; no CVE IDs listed) -- ↑ libxslt: 1.1.43-2 -> 1.1.45 -- ↑ openssl: 3.5.4 -> 3.5.6-2 (CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790) -- ↑ p11-kit: 0.25.10 -> 0.26.2 (CVE-2026-2100) -- ↑ php: 8.3.26-1_LT -> 8.3.29-1_LT -- ↑ xorg-server: 21.1.18 -> 21.1.22-2 (CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003) -- ↑ xz: 5.8.1 -> 5.8.3 (CVE-2026-34743) -- ↑ zfs: 2.3.4_6.12.54_Unraid-2_LT -> 2.3.4_6.12.82_Unraid-2_LT -- ↑ zlib: 1.3.1 -> 1.3.2 (security fix noted; no CVE IDs listed) +- ↑ bind: 9.20.15 → 9.20.22 (security fix noted; no CVE IDs listed) +- ↑ curl: 8.16.0 → 8.19.0 (CVE-2026-1965, CVE-2026-3783, CVE-2026-3784, CVE-2026-3805) +- ↑ docker: 27.5.1-1_LT → 29.3.1-1_LT +- ↑ dynamix.unraid.net: 4.29.2 → 4.32.3-2 +- ↑ gnutls: 3.8.10 → 3.8.12 (CVE-2025-14831, CVE-2026-1584) +- ↑ libXpm: 3.5.17 → 3.5.19 (CVE-2026-4367) +- ↑ libarchive: 3.8.2 → 3.8.7 (security fix noted; no CVE IDs listed) +- ↑ libpcap: 1.10.5 → 1.10.6 (CVE-2025-11961, CVE-2025-11964) +- ↑ libpng: 1.6.50 → 1.6.57 (CVE-2026-34757) +- ↑ libtasn1: 4.20.0 → 4.21.0 (CVE-2025-13151) +- ↑ libvirt-php: 0.5.8-8.3.26_LT → 0.5.8-8.3.29_LT +- ↑ libxml2: 2.14.6 → 2.15.3 (security fix noted; no CVE IDs listed) +- ↑ libxslt: 1.1.43-2 → 1.1.45 +- ↑ openssl: 3.5.4 → 3.5.6-2 (CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790) +- ↑ p11-kit: 0.25.10 → 0.26.2 (CVE-2026-2100) +- ↑ php: 8.3.26-1_LT → 8.3.29-1_LT +- ↑ xorg-server: 21.1.18 → 21.1.22-2 (CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, CVE-2026-34003) +- ↑ xz: 5.8.1 → 5.8.3 (CVE-2026-34743) +- ↑ zfs: 2.3.4_6.12.54_Unraid-2_LT → 2.3.4_6.12.82_Unraid-2_LT +- ↑ zlib: 1.3.1 → 1.3.2 (security fix noted; no CVE IDs listed) - ↑ ngtcp2: added 1.22.1 From 65b416653b4c85683eda97f5f26b9f6d174bc3de Mon Sep 17 00:00:00 2001 From: Eli Bosley Date: Thu, 30 Apr 2026 16:57:17 -0400 Subject: [PATCH 7/9] docs(release-notes): mark ngtcp2 as added package - Purpose: distinguish added packages from upgraded packages in the 7.2.5 package update list. - Before: ngtcp2 used the same upgrade arrow marker as packages with old and new versions. - Problem: that implied ngtcp2 was upgraded rather than newly added. - Now: ngtcp2 uses a plus marker while upgraded packages keep the up-arrow marker. - How: change only the ngtcp2 package list marker in the release notes. --- docs/unraid-os/release-notes/7.2.5.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/unraid-os/release-notes/7.2.5.md b/docs/unraid-os/release-notes/7.2.5.md index 4d4291bed2..a3c8141d50 100644 --- a/docs/unraid-os/release-notes/7.2.5.md +++ b/docs/unraid-os/release-notes/7.2.5.md @@ -84,4 +84,4 @@ If rolling back earlier than 7.2.4, also see the [7.2.4 release notes](/unraid-o - ↑ xz: 5.8.1 → 5.8.3 (CVE-2026-34743) - ↑ zfs: 2.3.4_6.12.54_Unraid-2_LT → 2.3.4_6.12.82_Unraid-2_LT - ↑ zlib: 1.3.1 → 1.3.2 (security fix noted; no CVE IDs listed) -- ↑ ngtcp2: added 1.22.1 +- \+ ngtcp2: added 1.22.1 From 0d9d72d201d1c9a08b410ad26132a2626bb2a3f2 Mon Sep 17 00:00:00 2001 From: Eli Bosley Date: Thu, 30 Apr 2026 17:06:01 -0400 Subject: [PATCH 8/9] docs(release-notes): restore API release link - Purpose: restore the Unraid API release link and clean up redundant security wording. - Before: the Unraid API line no longer linked to the API releases page, and the Security section repeated the word Security in the kernel bullet. - Problem: readers lost a useful source link and the kernel security entry read awkwardly under its own Security heading. - Now: the API update links to the upstream releases page, and the kernel bullet starts directly with the upgrade action. - How: update only the Unraid API bullet and the Security section kernel bullet. --- docs/unraid-os/release-notes/7.2.5.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/unraid-os/release-notes/7.2.5.md b/docs/unraid-os/release-notes/7.2.5.md index a3c8141d50..bd9623d60f 100644 --- a/docs/unraid-os/release-notes/7.2.5.md +++ b/docs/unraid-os/release-notes/7.2.5.md @@ -29,7 +29,7 @@ If rolling back earlier than 7.2.4, also see the [7.2.4 release notes](/unraid-o ### Security - Fixed three WebGUI security issues that required a logged-in session to exploit. Users are encouraged to upgrade. -- Security: Upgrade the Linux kernel to address CVE-2026-31431, the Copy Fail local privilege escalation vulnerability, and pick up upstream fixes for CVE-2026-31430, a Linux X.509 out-of-bounds access issue triggered by specially crafted certificates. +- Upgrade the Linux kernel to address CVE-2026-31431, the Copy Fail local privilege escalation vulnerability, and pick up upstream fixes for CVE-2026-31430, a Linux X.509 out-of-bounds access issue triggered by specially crafted certificates. - Package CVE coverage as of Apr 29, 2026: 24 unique CVEs across 21 upstream advisories in 14 packages. Package-level details are listed in the base distro updates below. ### Containers / Docker @@ -53,7 +53,7 @@ If rolling back earlier than 7.2.4, also see the [7.2.4 release notes](/unraid-o ### Unraid API -- Update Unraid API to dynamix.unraid.net 4.32.3. +- Update Unraid API to dynamix.unraid.net 4.32.3 - [see changes](https://github.com/unraid/api/releases). - Fix: Resolve an API startup failure where the API could time out while bootstrapping and remain in a restart loop. - Fix: Improve registration-state refresh after license updates so the WebGUI reflects the current license state more reliably. From fda9cf99f4ed1c6353999944082de3649597908b Mon Sep 17 00:00:00 2001 From: Eli Bosley Date: Thu, 30 Apr 2026 17:07:59 -0400 Subject: [PATCH 9/9] docs(release-notes): date 7.2.5 changelog - Purpose: align the 7.2.5 changelog heading and CVE coverage note with the release date. - Before: the 7.2.5 heading lacked a date, and the package CVE coverage note said Apr 29, 2026. - Problem: neighboring changelogs include dates in the heading, and the CVE coverage note needed the Apr 30 date. - Now: the heading reads Version 7.2.5 2026-04-30, and the package CVE coverage note says Apr 30, 2026. - How: update the release-note heading and the Security section CVE coverage sentence. --- docs/unraid-os/release-notes/7.2.5.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/unraid-os/release-notes/7.2.5.md b/docs/unraid-os/release-notes/7.2.5.md index bd9623d60f..c614cbd8d5 100644 --- a/docs/unraid-os/release-notes/7.2.5.md +++ b/docs/unraid-os/release-notes/7.2.5.md @@ -1,4 +1,4 @@ -# Version 7.2.5 +# Version 7.2.5 2026-04-30 This security and bugfix release updates Docker, the Linux kernel, ZFS, and selected base packages for Unraid 7.2.x users. It also includes targeted fixes for Docker, Tailscale, storage, mover empty-disk workflows, WebGUI security, login-page custom case images, Unraid API startup, and registration state handling. @@ -30,7 +30,7 @@ If rolling back earlier than 7.2.4, also see the [7.2.4 release notes](/unraid-o - Fixed three WebGUI security issues that required a logged-in session to exploit. Users are encouraged to upgrade. - Upgrade the Linux kernel to address CVE-2026-31431, the Copy Fail local privilege escalation vulnerability, and pick up upstream fixes for CVE-2026-31430, a Linux X.509 out-of-bounds access issue triggered by specially crafted certificates. -- Package CVE coverage as of Apr 29, 2026: 24 unique CVEs across 21 upstream advisories in 14 packages. Package-level details are listed in the base distro updates below. +- Package CVE coverage as of Apr 30, 2026: 24 unique CVEs across 21 upstream advisories in 14 packages. Package-level details are listed in the base distro updates below. ### Containers / Docker