# Security fixes
Some security issues has been fixed in this release and we advice to upgrade as soon as possible.
The details will be available later on.
# Device-types
## New device-types
* asus-CX3402CVA-brya
* lenovo-chrome-2in1-14iru10-brox
* mt8196-rauru-navi-sku1
* r9a07g043u11-smarc
* r9a07g044c2-smarc
* sc7180-trogdor-wormdingler-rev1-boe
# Documentation migration
Documentation v3 continues to be updated. All `deploy`, `boot` and `test` methods are now documented and published at
https://lava.readthedocs.io/en/latest under **Technical references**.
# Debian support
Debian 11 (Bullseye) is being phased out. 2026.02 is the last LAVA release to support it.
Starting from 2026.02 the oldest supported Debian release will be 12 (Bookworm)
# Docker
* All LAVA base images are now based on Debian 13 (Trixie) `slim`
* Debian 11 (Bullseye) was dropped from all CI jobs
* `wget` tool was added to lava-dispatcher-base image
# Job logs
## Secret filtering
LAVA is now filtering the job logs to remove sensitive data. This is still a work in progress that will be improved in the following releases.
With this new feature, values of the variables defined in `secrets` dictionary will be replaced in the job output log with string `[MASKED]`.
# Dispatcher changes
## Downloading artifacts
Set max_retries to 1 by default when downloading an artifacts.
The max_retries value can be set in the job definition using failure_retry key. Example:
```yaml
- deploy:
failure_retry: 2
images:
image:
url:
https://example.com/foo```
## Deploy character delay
Add support for `deploy_character_delay` to add delay between each character when interacting with the serial during deployment.
To use it add to the device dictionary (in milliseconds):
```jinja2
{% set deploy_character_delay = 30 %}
```
Defaults to 30ms delay for vexpress devices.
## fastboot
Improve fastboot device detection by making parsing more generic. This should now work with multiple fastboot versions.
## FVP
Use `find` to locate armlm binary instead of hardcoded path to provide compatibility with more FVP models.
## multinode
Fix `lava-role list` to properly match the documentation. Also fix multinode collate function used to replace placeholdeers like `$ipaddr` in synchronization messages.
## pyocd
Fix flashing with pyocd with latest pycocd versions.
## Transfer overlay
Allow to transfer the overlay using zmodem when network is not available.
In the job definition, add:
```yaml
- boot:
transfer_overlay:
transfer_method: zmodem
unpack_command: tar -C / -xzf
```
The worker and target device **must** have respectively the `sz` and `rz`
utilities installed. This is typically provided by: `lrzsz` package on Debian-based or Fedora-based systems.
## uuu
Allow to use `uniquify` parameter for uuu deployment action. This is useful when using `downloads://` urls.
# Server changes
## Restricting callback URLs
By default, notification callbacks can target any URL. Administrators can restrict which hosts are permitted by setting `CALLBACK_ALLOWED_HOSTS` in `/etc/lava-server/settings.yaml` or a file in `/etc/lava-server/settings.d/`:
```yaml
CALLBACK_ALLOWED_HOSTS:
- "
example.com"
- "*.
example.com"
- "*.
ci.example.com"
```