DOM Customer Portal / Releases / Digi On-Prem Manager v26.04.1

Digi On-Prem Manager v26.04.1


Version 26.04.1 of Digi On-Prem Manager was released 2026-04-17. This is a major feature update.

The updated version is available in our APT repository.

55fecc75c07b7b527348fa438dfcf05ffd20bf36736e498eb88e13f4f59255a9  dom-server_26.04.1_amd64.deb

Changes from v25.12.2 to v26.04.1

  • Update DX DAL client to v6.15
    • Add fallback data counter source for devices that lack certain runt keys (34f15d942)
    • Add fileset delivery for DAL devices (f0cf05260, 43b401db8)
    • Check available disk space before firmware downloads (981dbfb72)
    • Consolidate device-side logging to /var/log/dx (09ac5e15c)
    • Experimental support for Advantech devices (#2281)
    • Fix CLI commands hanging on DAL devices (f66838cc0)
    • Fix data usage counters dropping to 0 on 32-bit devices (LR54, WR series) after >2 GB of cellular traffic (34f15d942)
    • Fix firmware download timeout on slow links (fdcfd8941)
    • Improve Python-to-Go upgrade resilience on devices with limited storage (#2263)
    • Improve terminal output handling for large bursts (28a4815d5, 67b52529c)
    • Improve update error reporting and firmware download robustness (be37feed6, d2cd1db05)
    • Use server-provided firmware size for space checks (e1ef91aa9)
  • Update DX SarOS client to v3.4
    • Fix SarOS enrollment placing new devices in the root group instead of the group set in the bootstrap script (DAL devices unaffected) (d78c662b4)
  • Security:
    • api: Stop storing raw API bearer tokens in the access log. Existing plaintext entries are scrubbed on upgrade (391b26ee3, 6fa1de1f5)
    • build: Bump the bundled Go toolchain to 1.26.2, picking up upstream security fixes (1c531eea3)
    • bundle: Update the shipped Mozilla CA bundle (curl.se cacert extract) to the 2026-03-19 snapshot, refreshing WebPKI trust anchors
    • dxserver: Rate-limit the auth fallback path per IP subnet and per (IP, serial) to bound brute-force attempts (d6f4f42b2)
    • dxserver: Reject malformed WebSocket payloads from connected devices that could temporarily disrupt the dxserver process (28b223d61)
    • dxserver: Validate the ref field in device WebSocket messages before using it as a Redis key component (defense-in-depth) (7993dac16)
    • http: Enforce CSRF validation on five state-changing POST routes where the server-side check was missing (forms were already sending the token) (d111e6a79, e72c72d7b)
    • http: Fix open redirect in the rtask postback parameter (d111e6a79)
    • http: Include session and user context in parameter-validation failure security log entries (98ea441df)
    • http: Validate request parameters and return 400 for invalid input instead of 500 (01abcdcc9)
    • sandboxing: Harden the runtime layout with per-service AppArmor profiles and tighter systemd restrictions on all services (defense-in-depth) (717f6b1c0, 20f31ba9c, 8eb5e31aa)
    • security: Validate IP and user-id filter parameters on the security log viewer (defense-in-depth) (421a1b612)
    • session: Invalidate the local session when the SSO session expires (previously the local session could outlive SSO expiry) (d48810d64)
    • shellinabox: Tighten terminal session authorization with short-lived, session-bound VT tickets (323658cec)
    • tooltip: Escape HTML attribute values in tooltip helpers as defense-in-depth (e6bdbef49)
  • Features:
    • dashboard: Replace the legacy React dashboard with Svelte (9af32e855)
    • dxserver: Replace the Node.js DX server with the Go implementation (477f7a822)
    • template: Introduce Dynamic Templates for DAL devices, with Dynamic Values, Custom Values on devices and groups, and Secret Values on devices (#2061)
  • Improvements:
    • config/compare: Hide “Compare Revisions” for JSON configs (#2349)
    • config/status: Show calculating and stale states, fix syntax error count (#2313, 88f5070eb)
    • config/view + config/diff: Fix sorting array indices numerically so ‘[10]’ appears after ‘[9]’ instead of after ‘[1]’ (#2368)
    • config: Automatically prune old config revisions, default limit 100 per type per device (#2286)
    • csv: Add Custom Values to device CSV upload and download (b2cccff13)
    • dashboard: Improve responsiveness by reducing redundant queries (fb3e5e393, 429852f94)
    • labels: Improve text contrast (#2390)
    • firmware: Improve firmware pages with minimum version support for update tasks (#2228)
    • group/create: Stop reloading the page when selecting a different parent group (#2102)
    • maintenance: Rename “Maintenance Mode” to “Maintenance Flag” (#2328)
    • map: Add dark-mode tiles and attribution (#2299)
    • map: Improve map GUI on the router index and full-screen views (#2307, #2362)
    • map: Move map controls from User Profile to the Dashboard (#2308)
    • nav: Rename “Config Template Status” to “Template Status” (#2360)
    • nav: Replace the hard-coded sidebar menu with a data-driven JSON menu (#2307)
    • report: Add direct navigation between Dashboard and RTask list (#2006)
    • rtask: Improve config and file resolution reliability (dbce651fe)
    • rtask: Link “Created by” user to their profile when the viewer has permission (#2269)
    • rtask: Skip ineligible routers when creating bulk tasks (5eb7dce26)
    • sample_processor: Improve throughput by about 68% (56a0a90ad)
    • template: Add live DAL schema validation while editing and compiling (#2061)
    • template: Recalculate compliance immediately on input changes instead of waiting for the next profile loop (8052fe704, fdb90cbc8)
    • timeline: Add annotations endpoint (268eee3e6)
    • ui: Add dedicated 400/403/404/500 error pages (#1625)
  • Bugfixes:
    • audit-log: Return 404 for non-existent audit log entries instead of a 500 (68780abb0)
    • config/view: Fix empty SarOS config views (#2330)
    • config/view: Hide “Create Config Template” button when viewing config as JSON (#2380)
    • firmware: Fix DAL download URLs becoming stale after hostname changes (e8b98b904)
    • firmware: Fix download failures on large files (e1ef91aa9)
    • maintenance: Prevent a false security log entry from being created when opening the “Activate Maintenance Flag” page (#2366)
    • rtask: Fix firmware and DX update reporting showing success on partial failures (e4753c248, 582d45618)
    • rtask: Fix Redo/Retry for Run Commands tasks not copying commands (#2270)
    • session: Fix crash when a “become” session references a deleted user (5d6707ddc)
    • session: Fix the session time-left banner to fail closed on refresh failures and session expiry instead of showing stale time remaining (a8a39053e)
    • system/edit: Fix blank syslog port on page load (#2384)
    • template: Fix config schema validation incorrectly removing default values when a dependency condition is inactive (#2240)
    • template: Fix stale compliance state after template deletion (#2327)
    • template: Use group as compile target when creating a new template without copying from a device (#2380)
    • terminal: Redirect to device page instead of 500 when opening Terminal for an offline device (1c1afeca5)
    • tooltip: Fix duplicate data-line1 attribute and a variable-masking bug in the date-period tooltip helper (387f4fb91, 201f886f0)
    • ui: Fix malformed HTML in device CSV download and router update limits pages (#2305, #2329)
    • user: Fix password change confirmation email not being sent due to stale debug code (d111e6a79)
    • user: Fix password reset to show the generated password correctly to the operator (#2283)
  • System:
    • apparmor: Add packaged AppArmor profiles for the hardened service layout (717f6b1c0)
    • bootstrap: Add optional plaintext HTTP bootstrap support for legacy SarOS devices via dx.legacy_plaintext_bootstrap_enabled and dx.legacy_plaintext_bootstrap_port (cf2e3d523)
    • bootstrap: Add the optional nginx server-plaintext.conf include for port 80 DX bootstrap routes
    • bootstrap: Cap legacy bootstrap/download reads to the expected payload length
    • db: Advance schema from 42 to 52, including Dynamic Template fields, performance indexes, and the firmware blob-to-disk migration
    • dxserver: Add Redis-backed auth cache with startup prewarm service, reducing auth latency and internal API load (04b861856)
    • firmware: Move firmware storage from the database to disk, improving download performance and reducing memory usage during firmware delivery (eaec82afa, 8c9e3d3e4)
    • nginx: Serve firmware downloads directly from disk for improved performance (eaec82afa)
    • redis: Add kernel-level network restrictions to the Redis service unit as defense-in-depth (965d92907)
    • redis: Fix Redis connection recovery so transient failures no longer require a service restart (a77f9cfc7)
    • redis: Move the bundled Redis instance to a dedicated service with local socket communication (865455b13)
    • redis: Regenerate Redis access controls at startup with compatibility for Redis 6, 7 and 8 (8052fe704)
  • Removed:
    • dashboard/share: Remove group dashboard sharing (/rg/<token> and related UI). Per-device sharing (/r/<token>) is unchanged (5743389c5)