all: sync with master

CHANGELOG.md

@@ -15,6 +15,65 @@ and this project adheres to
 ## [v0.108.0] - TBA (APPROX.)
 -->
 
+## Security
+
+- Go version has been updated to prevent the possibility of exploiting the
+  CVE-2022-41716 Go vulnerability fixed in [Go 1.18.8][go-1.18.8].
+
+[go-1.18.8]: https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM
+
+## Added
+
+- The warning message when adding a certificate having no IP addresses
+  ([#4898]).
+- Several new blockable services ([#3972]).  Those will now be more in sync with
+  the services that are already blockable in AdGuard DNS.
+- A new HTTP API, `GET /control/blocked_services/all`, that lists all available
+  blocked services and their data, such as SVG icons ([#3972]).
+- The new optional `tls.override_tls_ciphers` property, which allows
+  overriding TLS ciphers used by AdGuard Home ([#4925], [#4990]).
+- The ability to serve DNS on link-local IPv6 addresses ([#2926]).
+- The ability to put [ClientIDs][clientid] into DNS-over-HTTPS hostnames as
+  opposed to URL paths ([#3418]).  Note that AdGuard Home checks the server name
+  only if the URL does not contain a ClientID.
+
+### Changed
+
+- DNS-over-TLS resolvers aren't returned anymore when the configured TLS
+  certificate contains no IP addresses ([#4927]).
+- Responses with `SERVFAIL` code are now cached for at least 30 seconds.
+
+### Deprecated
+
+- The `GET /control/blocked_services/services` HTTP API; use the new
+  `GET /control/blocked_services/all` API instead ([#3972]).
+
+### Fixed
+
+- ClientIDs not working when using DNS-over-HTTPS with HTTP/3.
+- Editing an enabled rule list's URL now also includes validation of the filter
+  contents preventing from saving a bad one ([#4916]).
+- The default value of `dns.cache_size` accidentally set to 0 has now been
+  reverted to 4 MiB ([#5010]).
+- Responses for which the DNSSEC validation had explicitly been omitted aren't
+  cached now ([#4942]).
+- Web UI not switching to HTTP/3 ([#4986], [#4993]).
+
+[#2926]: https://github.com/AdguardTeam/AdGuardHome/issues/2926
+[#3418]: https://github.com/AdguardTeam/AdGuardHome/issues/3418
+[#3972]: https://github.com/AdguardTeam/AdGuardHome/issues/3972
+[#4898]: https://github.com/AdguardTeam/AdGuardHome/issues/4898
+[#4916]: https://github.com/AdguardTeam/AdGuardHome/issues/4916
+[#4925]: https://github.com/AdguardTeam/AdGuardHome/issues/4925
+[#4927]: https://github.com/AdguardTeam/AdGuardHome/issues/4927
+[#4942]: https://github.com/AdguardTeam/AdGuardHome/issues/4942
+[#4986]: https://github.com/AdguardTeam/AdGuardHome/issues/4986
+[#4990]: https://github.com/AdguardTeam/AdGuardHome/issues/4990
+[#4993]: https://github.com/AdguardTeam/AdGuardHome/issues/4993
+[#5010]: https://github.com/AdguardTeam/AdGuardHome/issues/5010
+
+[clientid]: https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid
+
 
 
 <!--
@@ -22,7 +81,7 @@ and this project adheres to
 
 See also the [v0.107.17 GitHub milestone][ms-v0.107.17].
 
-[ms-v0.107.17]:   https://github.com/AdguardTeam/AdGuardHome/milestone/52?closed=1
+[ms-v0.107.17]: https://github.com/AdguardTeam/AdGuardHome/milestone/52?closed=1
 -->
 
 
@@ -64,7 +123,7 @@ experimental and may break or change in the future.
   explicitly enabled by setting the new property `dns.serve_http3` in the
   configuration file to `true`.
 - DNS-over-HTTP upstreams can now upgrade to HTTP/3 if the new configuration
-  file property `use_http3_upstreams` is set to `true`.
+  file property `dns.use_http3_upstreams` is set to `true`.
 - Upstreams with forced DNS-over-HTTP/3 and no fallback to prior HTTP versions
   using the `h3://` scheme.
 
@@ -80,7 +139,7 @@ experimental and may break or change in the future.
 [#4982]: https://github.com/AdguardTeam/AdGuardHome/issues/4982
 [#4983]: https://github.com/AdguardTeam/AdGuardHome/issues/4983
 
-[ms-v0.107.15]:   https://github.com/AdguardTeam/AdGuardHome/milestone/51?closed=1
+[ms-v0.107.15]: https://github.com/AdguardTeam/AdGuardHome/milestone/51?closed=1
 
 
 
@@ -90,9 +149,9 @@ See also the [v0.107.14 GitHub milestone][ms-v0.107.14].
 
 ### Security
 
-A Cross-Site Request Forgery (CSRF) vulnerability has been discovered.  The CVE
-number is to be assigned.  We thank Daniel Elkabes from Mend.io for reporting
-this vulnerability to us.
+A Cross-Site Request Forgery (CSRF) vulnerability has been discovered.  We thank
+Daniel Elkabes from Mend.io for reporting this vulnerability to us.  This is
+[CVE-2022-32175].
 
 #### `SameSite` Policy
 
@@ -141,6 +200,7 @@ All JSON APIs that expect a body now check if the request actually has
 [#4927]: https://github.com/AdguardTeam/AdGuardHome/issues/4927
 [#4930]: https://github.com/AdguardTeam/AdGuardHome/issues/4930
 
+[CVE-2022-32175]: https://www.cvedetails.com/cve/CVE-2022-32175
 [ms-v0.107.14]:   https://github.com/AdguardTeam/AdGuardHome/milestone/50?closed=1
 
 
@@ -168,7 +228,7 @@ See also the [v0.107.13 GitHub milestone][ms-v0.107.13].
 [#4722]: https://github.com/AdguardTeam/AdGuardHome/issues/4722
 [#4904]: https://github.com/AdguardTeam/AdGuardHome/issues/4904
 
-[ms-v0.107.13]:   https://github.com/AdguardTeam/AdGuardHome/milestone/49?closed=1
+[ms-v0.107.13]: https://github.com/AdguardTeam/AdGuardHome/milestone/49?closed=1
 
 
 
@@ -178,7 +238,7 @@ See also the [v0.107.12 GitHub milestone][ms-v0.107.12].
 
 ### Security
 
-- Go version was updated to prevent the possibility of exploiting the
+- Go version has been updated to prevent the possibility of exploiting the
   CVE-2022-27664 and CVE-2022-32190 Go vulnerabilities fixed in
   [Go 1.18.6][go-1.18.6].
 
@@ -299,7 +359,7 @@ See also the [v0.107.9 GitHub milestone][ms-v0.107.9].
 
 ### Security
 
-- Go version was updated to prevent the possibility of exploiting the
+- Go version has been updated to prevent the possibility of exploiting the
   CVE-2022-32189 Go vulnerability fixed in [Go 1.18.5][go-1.18.5].  Go 1.17
   support has also been removed, as it has reached end of life and will not
   receive security updates.
@@ -342,7 +402,7 @@ See also the [v0.107.8 GitHub milestone][ms-v0.107.8].
 
 ### Security
 
-- Go version was updated to prevent the possibility of exploiting the
+- Go version has been updated to prevent the possibility of exploiting the
   CVE-2022-1705, CVE-2022-32148, CVE-2022-30631, and other Go vulnerabilities
   fixed in [Go 1.17.12][go-1.17.12].
 
@@ -378,7 +438,7 @@ See also the [v0.107.7 GitHub milestone][ms-v0.107.7].
 
 ### Security
 
-- Go version was updated to prevent the possibility of exploiting the
+- Go version has been updated to prevent the possibility of exploiting the
   [CVE-2022-29526], [CVE-2022-30634], [CVE-2022-30629], [CVE-2022-30580], and
   [CVE-2022-29804] Go vulnerabilities.
 - Enforced password strength policy ([#3503]).
@@ -535,7 +595,7 @@ See also the [v0.107.6 GitHub milestone][ms-v0.107.6].
 ### Security
 
 - `User-Agent` HTTP header removed from outgoing DNS-over-HTTPS requests.
-- Go version was updated to prevent the possibility of exploiting the
+- Go version has been updated to prevent the possibility of exploiting the
   [CVE-2022-24675], [CVE-2022-27536], and [CVE-2022-28327] Go vulnerabilities.
 
 ### Added
@@ -590,7 +650,7 @@ were resolved.
 
 ### Security
 
-- Go version was updated to prevent the possibility of exploiting the
+- Go version has been updated to prevent the possibility of exploiting the
   [CVE-2022-24921] Go vulnerability.
 
 [CVE-2022-24921]: https://www.cvedetails.com/cve/CVE-2022-24921
@@ -603,7 +663,7 @@ See also the [v0.107.4 GitHub milestone][ms-v0.107.4].
 
 ### Security
 
-- Go version was updated to prevent the possibility of exploiting the
+- Go version has been updated to prevent the possibility of exploiting the
   [CVE-2022-23806], [CVE-2022-23772], and [CVE-2022-23773] Go vulnerabilities.
 
 ### Fixed