SECURITY: [Composer] CVE-2021-29472 command injection vulnerability. NEW: [admin] collect() now accepts domains for $site parameter. [Bootstrapper] sshd_permit_root_login, fine tune always permitting or rejecting root login. [cgroup] CPU pinning via cpupin service variable. [cgroup] Freezer support, cgroup:freeze($anything). Freezing a site immediately suspends any userspace code for the affected site. Compare with suspending an account, which allows userspace code to complete but does not permit further logins or site interactivity. [Dashboard] User Administrators may now unban selves when [rampart] => user_discovery=true (default=True). [Nexus] Resource sorting. [Settings] "external opener" feature now configurable under Account > Settings > Theme. [Web Apps] Default update notification policy configurable via [webapps] => notify_update. FIXED: [Aliases] Removing a domain from aliases,aliasesd preserves the domain in the account's domainmap. [apnscpd] Backend boundary writes result in hang. [Argos] ruamel incompatibility on CentOS 7. [Bootstrapper] Dormant IPv4/6 configuration. [Datastream] Incomplete writes on transitional buffers that would result in a hang. [email] Renaming an inbox for a non-numeric destination performs an incorrect default substitution. [PageSpeed] TTFB response variable renamed. [PHP] Creating a site without a dedicated webuser prevents switching to one later. [rspamd] Dictionary key interpolation breaks resulting in literal templated key writes. [Scopes] apache.system-directive strips surrounding whitespace. [UI] invalid null coalescence check break comparison. [Web Apps] Circular references restrict snapshot intake. [Web Apps] Busted transient property check. [Web Apps] Bogus index checks results in duplicate listings. [Web Apps] Various transient property checks. CHANGED: [apnscp] Additional checks to confirm frontend responsiveness on restart via cp.restart. [apnscp] Apply restart synchronously. [apnscp.js] apnscp.highlight() supports live binding events. [build] disable apnscp repos at dessication stage. Prevents false alarms during image checks from unreachable repos. [Dovecot] 2.3 compatibility [helpers] deferred() is now queue-based working off an SplStack-derived class, \Deferred. [FTP] user_enabled() checks [ftp] => enabled. [Metrics] TimescaleDB v2 compatibility. [multiPHP] Prevent multiPHP builds that duplicate system_php_version. [Network] my_ip()- cleanup output when multiple records are returned from NAT'd interface. [Nexus] memory usage normalized to site configuration in Nexus. [rampart] User Administrators may now query is_banned(). Corresponding Dashboard feature added. [Storage Usage] include /tmp in storage list. [Theme] @lang macro is now reserved. [UI] Improve "Select" verbiage. [WordPress] Raise WP-CLI memory limit from 128 => 256 (constrained by cgroup usage) to allow large WooCommerce catalogs to update. [WordPress] wp-content/cache/ fortified in max mode. Create directory automatically to facilitate usage REMOVED: [cgroup] Cleanup API requirement of passing afi instance on account import. [Dispatcher] Handling of svg/css/js/png requests, ~25% speedup. [file] Top-level pollution courtesy a naieve caching strategy.