Adolf Belka [Thu, 19 Jun 2025 20:20:46 +0000 (22:20 +0200)]
qemu: Update to version 10.0.2
- Update from version 9.2.0 to 10.0.2
- Update of rootfile
- Removal of sched-attr patch as this is now built into the source tarball.
- Changelog
10.0
Removed features and incompatible changes
Consult the 'Removed features' page for details of suggested replacement
functionality.
New deprecated options and features
The -old-param option (used for booting some ancient Arm kernels) has been
deprecated, as none of the boards QEMU supports need it.
The Arm PXA2xx CPUs and the iwMMXt emulation have been deprecated and will
be removed in a future release.
Consult the "Deprecated Features" chapter of the QEMU System Emulation User's
Guide for further details of the deprecations and their suggested replacements.
Arm
iwMMXt emulation and the PXA2xx CPUs have been deprecated and will be
removed in a future release. (You were only using this if you explicitly
selected a pxa2xx CPU type on the command line or by environment variable.)
When emulating FEAT_PAUTH, the default pointer authentication algorithm
has been changed from the architected QARMA5 algorithm to QEMU's
implementation-defined algorithm. This is non-cryptographic but is
significantly faster, which is what most users will want. If you need the
architected algorithm you can select it with the 'pauth-qarma5'
CPU option, e.g. "-cpu max,pauth-qarma5=on".
The CPU now emulates the Secure EL2 physical and virtual timers
New CPU architectural features emulated:
FEAT_AFP
FEAT_RPRES
FEAT_XS
The Stellaris boards now model both I2C controllers
The 'virt' board now has a 'highmem-mmio-size' property to allow
configuring a larger PCIe MMIO region; this can be useful when passing
through a lot of PCI devices with large MMIO BARs to a VM.
New board models:
"npcm845-evb": NPCM845 Evaluation board
"imx8mp-evk": i.MX 8M Plus EVK board
HPPA
New SeaBIOS-hppa version 18 with lots of fixes and enhancements
Emulate up to 256 GB RAM on 64-bit guests
Speed up translation time
Improve virtual CPU reset function
Support space register hashing via diag registers as required by 64-bit HP-UX
Add emulation of Diva GSP ("Guardian Service Processor" / BMC) PCI boards
Artist graphic card can be disabled on command line with "-global
artist.disable=true"
Added Astro LLMIO support, which allows adding other graphic cards, e.g.
with "-device ati-vga"
LoongArch
KVM support cpu hotplug.
kVM support paravirt ipi.
KVM support kvm steal time.
KVM support virtual extioi feature.
ISA and Extensions
Support riscv-iommu-sys device
Introduce svukte ISA extension
Support ssstateen extension
Reduce the overhead for simple RISC-V vector unit-stride loads and stores
Add 'sha' support
Add traces for exceptions in user mode
Update Pointer Masking to Zjpm v1.0
Add Smrnmi support
Add RISC-V Counter delegation ISA extension support
Add support for Smdbltrp and Ssdbltrp extensions
Introduce a translation tag for the IOMMU page table cache
Support Supm and Sspm as part of Zjpm v1.0
Machines
Deprecate the default RISC-V machine
Add Tenstorrent Ascalon CPU
Support for RV64 Xiangshan Nanhu CPU
Add AIA userspace irqchip_split support
Add Microblaze V generic board
Support 64-bit address of initrd
Add V bit to GDB priv reg
Fixes and Misc
Correct the validness check of iova
Fix APLIC in_clrip and clripnum write emulation
Upgrade ACPI SPCR table to support SPCR table revision 4 format
Fix timebase-frequency when using KVM acceleration
Convert htif debug prints to trace event
s390x
Add feature definitions and CPU model for the generation 17 mainframe CPU
Add support for virtio-mem on s390x
Fix CPU emulation bugs with the PPNO and MCV instructions
Allow bypassing IOMMU for PCI devices for enhanced performance
x86
Faster emulation of string instructions.
ClearwaterForest cpu model
SierraForest-v2 cpu model (for changes vs V1 see commit c597ff5339)
ACPI / SMBIOS
Workaround 'PCI Label Id' Windows bug, which is normally harmless but on
localized versions can lead to guest hangs (commit 0b053391985)
Block devices
The 'virtio-scsi' device has gained true multiqueue support where different
queues of a single controller can be processed by different I/O threads
(this catches up to the `virtio-blk` support that was added in QEMU 9.0).
This can improve scalability in cases where the guest submitted enough
I/O to saturate the host CPU running a single I/O thread processing the
virtio-scsi requests. Multiple I/O threads can be configured using the
new 'iothread-vq-mapping' property.
Add new handshake-max-seconds optional parameter to nbd-server-start QMP
command, and counterpart --handshake-limit option to qemu-nbd. This
allows fine-tuning the duration allowed for client negotiation during
integration testing.
qemu-nbd no longer hangs on exit when run as a daemon (the --fork
command-line option) when qemu is built with the simple trace backend.
Graphics
Add new 'apple-gfx-pci' and 'apple-gfx-mmio' devices which use the macOS
host's ParavirtualizedGraphics.framework to provide accelerated graphics
to macOS guests. 'apple-gfx-pci' is intended for use on x86-64,
'apple-gfx-mmio' replicates the graphics device implemented by the
Virtualization.framework from the aarch64 version of macOS.
IPMI
Multiple different internal BMCs are now supported.
The "Get Channel Info" command is now implemented in the internal BMC.
Add support for the "don't log" flag in the set watchdog command. This
will prevent watchdog timer events being added to the IPMI event log.
Return an error if invalid bits are set in the "Set BMC Global Enables"
command in the internal BMC.
VFIO
Improved support for IGD passthrough on all Intel Gen 11 and 12 devices
Refactored dirty tracking engine to include VFIO state in calc-dirty-rate
Improved error reporting for MMIO region mapping failures
Improved property documentation
Implemented basic PCI PM capability backing
Added multifd support for VFIO migration
Added support for old ATI GPUs (x550)
Deprecated vfio-plaform
Misc fixes
virtio
virtio-mem is now also supported on s390x
virtio-balloon guests stats are now cleared (set to zero) upon
device/machine reset.
9pfs
Fix a regression regarding CVE-2023-2861 with security_model=passthrough
which caused certain sockets on guest to fail (bug #2337, commit b5e3f63a).
multidevs=remap is new default behaviour (see commit a2f17bd4).
Audio
-audio dbus learned "nsamples" option, to set number of samples per
read/write
Character devices
"hub": new chardev, aggregate multiple chardev backends
GUI
VC: add support for cursor DECSC and DECRC commands
VC: implement DCH (delete) and ICH (insert) commands
VC: various parsing/display fixes
GDBStub
linux-user processes can defer connection using -g <port>,suspend=n
TCG Plugins
core plugin code is now only built once
Migration
Fixed regressions in s390x (#2704) and pre-9.0 to post-9.1 migrations with
multifd capability (#2720)
Fixed long-standing bug with paused VMs (#686)
New migration mode "cpr-transfer" to support live updates (documentation).
Block device backends and tools
The Linux AIO and io_uring backends can now make use of the RWF_DSYNC flag
for FUA write requests instead of emulating it with a normal write
followed by an fdatasync() call. This can improve performance for guest
disks with disabled write cache significantly (cache=writethrough and
cache=directsync result in such configurations), in particular if the
host disk is already operating in a write through cache mode.
The user can now actively manage if nodes are active or inactive. Amongst
others, this is required to perform safe live migration with a
qemu-storage-daemon based backend. It also allows starting block device
operation on the live migration destination of a paused VM without first
resuming the VM (which was previously the only way to activate images).
The vpc block driver has been fixed to handle VHD images exported from
Azure more correctly
runtime
Improved networking emulation regarding netlink and multicast
PowerPC
Added /proc/cpuinfo file emulation
Guest agent
Implement a 'guest-get-load' command (Linux only)
Don't daemonize before the channel is initialized
This changes the exit code when QGA fails with the daemonize option
Optimize the freeze-hook script logic of logging errors
Log to syslog if the file log is unavailable
fsfreeze command: Skip bind mounts in the FS list
Documentation
All QEMU Machine Protocol (QMP) interface documentation (QEMU, QEMU Storage
Daemon, QEMU Guest Agent) pages have been drastically overhauled,
featuring a new look and layout.
New QMP reference indices have been added per-API: QEMU QMP Index,
QEMU Storage Daemon QMP Index, and QEMU Guest Agent QMP Index. The
indices are sorted both per-type (Commands, Events, data types) and
alphabetically; providing a convenient one-page reference for all
available Commands and Events for a given interface.
All Commands, Events, and all documentation-referenced types are now
cross-reference-able; with clickable cross-references inserted in many
cases to make navigating complex commands, events, and types much easier.
References that aren't generated from metadata but are instead
"hardcoded" in the source documentation have not yet been converted, but
all generated references have been. (i.e. all type names for
arguments/members, return values, and "The members of..." pointers are
now clickable.)
Some return types are still omitted where they are undocumented, but this
will be rectified for next release.
Some build-time conditional information ("if", "ifcond") is temporarily
missing from the new documentation. For commands, events, or
members/values/arguments that are only conditionally available, please
consult the runtime introspection data to determine availability for a
given binary, as per usual. This will also be rectified for the next
release.
Support for device models written in the Rust programming language is still
considered experimental, and does not have full feature parity compared to
QEMU binaries that are compiled with --disable-rust. However, it has matured
enough that developing new devices can (almost entirely) be done in the safe
subset of Rust.
For now, binaries compiled with --enable-rust link statically to Rust libstd.
This is not suitable for e.g. Linux distributions but could be okay for other,
special purpose distributions of QEMU.
The current minimum supported Rust version is 1.63.0, with plans to move to
1.77.0. This means that:
--enable-rust does not work with Debian bullseye's rustc packages.
in the future, --enable-rust will not support Debian bookworm's rustc for
the mips64el architecture, and will require the rustc-web package for
other architectures.
Debian bullseye and bookworm otherwise remains supported platforms for QEMU;
Debian bullseye will cease to be a supported platform as soon as Debian
trixie is released.
Testing and CI
updated baseline tuxrun tests to 19/11/2024 images
added new test for virtio-vulkan (needs upto date build with access to dri)
qtest clock_set and clock_step now check return values
riscv64 cross compile now based on trixie
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 19 Jun 2025 20:20:44 +0000 (22:20 +0200)]
libvirt: Update to version 11.4.0
- Update from version 10.10.0 to 11.4.0
- Update of rootfile
- Changelog
11.4.0
New features
qemu: ppc64 POWER11 processor support
Support for the recently released IBM POWER11 processor was added.
Packaging changes
All helper programs are now detected from $PATH during runtime
All of the code was now converted to dynamically look up helper programs in
$PATH rather than doing the lookup at build time and then compiling in the
result.
Programs mount, umount, mkfs, modprobe, rmmod, numad, dmidecode, ip, tc,
mdevctl, mm-ctl, iscsiadm, ovs-vsctl, pkttyagent, bhyveload, bhyvectl, bhyve,
ifconfig, vzlist, vzctl, vzmigrate, and the tools from the lvm suite
(vgchange, lvcreate, etc..) are now not needed during build and will still
work properly if placed in $PATH.
This also ensures that libvirt works correctly on distros that are
transitioning /sbin into /bin and upgraded installations have a different
layout from fresh installations.
Improvements
virsh: Add option --no-pkttyagent
That option suppresses registration of pkttyagent with polkitd.
bhyve: support NVRAM configuration for UEFI firmwares
The bhyve driver now supports specifying NVRAM store file, such as:
<os firmware='efi'>
<nvram/>
</os>
qemu: Improve accuracy of FDC/floppy device support statement in capabilities XML
The data is now based on the presence of the controller in qemu rather than
just a denylist of machine types where floppies not work.
Bug fixes
qemu: Fix failure when reverting to internal snapshots
A regression in libvirt-11.2 and libvirt-11.3 prevents reverting to an
internal snapshot. Attempts to revert would produce the following error:
error: operation failed: load of internal snapshot 'foo1' job failed: Device
'libvirt-1-format' is writable but does not support snapshots
The only workaround is to avoid the broken versions.
qemu: Fix virtqemud crash when resuming failed post-copy migration
A regression introduced in libvirt-11.2.0 caused virtqemud on the destination
host to crash when trying to resume failed post-copy migration.
qemu: Treat the queues configuration of virtio-net as guest ABI
The queue count itself isn't a device frontend property but libvirt uses it to
calculate vectors option of the device which is a guest OS visible property,
thus queues must not change during migration. The ABI stability check now
handles this properly.
11.3.0
Removed features
Support for AppArmor versions prior to 3.0.0 has been dropped.
New features
xen: Support configuration of <hyperv/> flags for Xen domains.
The following flags are now configurable for Xen: vapic, synic, stimer,
frequencies, tlbflush and ipi.
bhyve: Support virtio random number generator devices
Domain XMLs can now include virtio random number generator devices. They are
configured with:
<rng model='virtio'>
<backend model='random'/>
</rng>
bhyve: Support <interface type='network'>
At the moment it doesn't provide any new features compared to
<interface type='bridge'>, but allows a more flexible configuration.
Bug fixes
cpu_map: Install Ampere-1 ARM CPU models
The Ampere-1 CPU models added in the previous release were not properly
installed and thus every attempt to start an ARM domain with custom CPU
definition would fail.
storage: Fix new volume creation
No more errors occur when new storage volume is being created using virsh
vol-create with --validate option and/or virStorageVolCreateXML() with
VIR_VOL_XML_PARSE_VALIDATE flag.
Don't spam logs with error about qemu-rdp when starting a qemu VM
On hosts where the qemu-rdp binary is not installed a start of a VM would
cause an error such as
error : qemuRdpNewForHelper:103 : 'qemu-rdp' is not a suitable qemu-rdp helper
name: No such file or directory
to be logged in the system log. It is safe to ignore the error. The code was
fixed to avoid the message when probing for support.
Fix libvirt daemon crash on failure to hotplug a disk into a qemu VM
Some failures of disk hotplug could cause the libvirt daemon to crash due to a
bug when rolling back disk throttling filters.
11.2.0
Removed features
Remove support for qemu-6.1 and older
Libvirt now requires qemu-6.2 or newer based on our platform support policy.
New features
qemu: Add new 'image_format' parameter to virDomainSaveParams
virDomainSaveParams now supports an image_format parameter for specifying the
save image format on a per-domain basis. The parameter accepts the same
values as the driver-wide save_image_format setting in qemu.conf. An image
format specified via virDomainSaveParams takes precedence over the
driver-wide setting.
qemu: Added guest load averages to the output of virDomainGetGuestInfo
This feature will be available with qemu guest agent 10.0 onwards.
qemu: Add support for multiple iothreads for virtio-scsi controller
It's now possible to map multiple iothreads to the virtio-scsi controller or
even map them to specific virtqueues similarly to the virtio-blk device
allowing for better performance in certain scenarios.
qemu: integrate support for VM shutdown on host shutdown
It is now possible to instruct the QEMU driver to automatically perform
managed save, graceful shutdown, or hard poweroff on running VMs, when a host
shutdown is requested. This feature is intended to eventually replace usage
of the libvirt-guests script. The new approach improves on the libvirt-guests
script, by proactively monitoring logind for a signal that a host shutdown
has been requested. It will initiate the chosen action on running guests
immediately, allowing shutdown inhibitors to be released sooner. The new
solution is also able to iteratively try multiple actions until one of them
succeeds in shutting down the VM.
Since it must be mutually exclusive with the libvirt-guests script, this
feature currently requires a manual opt-in through editing of the
/etc/libvirt/qemu.conf configuration file. The libvirt-guests script must be
disabled before doing this.
qemu: Add 'sparse' as a new save image format
QEMU's file migration has been supplemented with the new stream format
mapped-ram, where RAM pages are mapped directly to offsets in the migration
file. mapped-ram is now supported by augmenting the existing save image
formats with the sparse format.
qemu: Add support for parallel save/restore
The sparse image format can support reading and writing by multiple channels.
virDomainSaveParams and virDomainRestoreParams now support specifying the
number of IO channels used for parallel save and restore. Using multiple
channels can reduce the time required to save and restore domains.
virsh: Introduce new hypervisor-cpu-models command
Added a new virsh command hypervisor-cpu-models. The command pulls from the
existing domcapabilities XML and uses xpath to parse CPU model strings. By
default, only models reported as usable by the hypervisor on the host system
are printed. A user may specify --all to also print models which are not
supported on the host.
qemu: Introduce os/shim element
For secure boot environments where <loader/> is signed, it may be unfeasible
to keep the binary up to date (esp. when revoking certificates contained
within). To address that, new <shim/> element is introduced which allows
hypervisor to side load another UEFI binary, which can then contain new
certification authorities and/or list of revocations.
ch: Enable SEV SNP support
Cloud Hypervisor guests can be now started with SEV SNP enabled.
qemu: Support for Block Disk Along with Throttle Filters
Introduce support for multiple throttle groups per block disk in QEMU,
enhancing I/O control and performance optimization. This update builds on the
existing throttling functionality by allowing more granular control with the
ability to assign different throttle groups to multiple block devices,
improving shared throttling across devices.
Improvements
qemu: Improved guest agent corner case error reporting
The APIs using the guest agent now report two specific error codes aimed at
helping management applications/users to differentiate between timeout while
libvirt was synchronizing with the guest agent and timeout after a command
was already sent.
The new error codes are VIR_ERR_AGENT_COMMAND_TIMEOUT and
VIR_ERR_AGENT_COMMAND_FAILED.
qemu: Use common check for shared memory use for vhost-user network devices
Historically libvirt printed only a warning if the vhost-user network was
misconfigured. Since we enforce proper configuration for other device types
using vhost-user it is now enforced also for network devices and prints an
actual error on misconfiguration.
Introduce constants for discoverability of entries in bulk stats APIs
Libvirt introduced constants exposed by our API description XML which allows
discoverability of new entries in typed parameter names returned by
virConnectGetAllDomainStats, virDomainListGetStats, and virDomainGetGuestInfo.
qemu: Reflect MAC address change in live domain XML
When a guest changes MAC address on one of its vNICs the new MAC address is
now visible in the live XML under currentAddress attribute of <mac/> element.
At the same time, VIR_DOMAIN_EVENT_ID_NIC_MAC_CHANGE event is emitted so that
management applications can update their internal state.
Bug fixes
qemu: attach virtio-mem with CCW address
Attaching a virtio-mem device on s390 without an address type now gets a
default type CCW address assigned. A specified CCW address is now used for
the virtio-mem device instead of getting overwritten by a PCI address.
ch: Various memory leak fixes
There were some memory leaks identified in the Cloud Hypervisor driver. They
are fixed now.
11.1.0
Packaging changes
De-modularize the 'fs' storage file backend
The storage file backend for local files uses only code which we compile into
the internal libraries anyways so there's no point in having it as a loadable
module. The storage-file/libvirt_storage_file_fs.so module no longer exists
and its functionality is embedded directly.
Removed features
vbox: removed support for version 6.1 APIs
Libvirt no longer supports use of VirtualBox 6.1 since this version reached
its end of life on 2024/01.
New features
nodedev: Support ccwgroup based qeth devices
CCW group devices are devices that use multiple subchannels on the mainframe's
channel subsystem. A qeth group device maps to subchannels and their
corresponding device numbers and device bus-IDs. The ccwgroup device nodes
are placed besides the subchannel nodes under computer and list the group
members within a new ccwgroup capability. A new capability ccwgroup_member is
added into capability ccw to represent a device membership to a ccwgroup.
Filters are added to find ccwgroups as well as ccwgroup members.
ch: Support handling events from cloud-hypervisor
The ch driver now supports handling events from the cloud-hypervisor. Events
include VM lifecyle operations such as shutdown, pause, resume, etc. Libvirt
will now read these events and take actions such as updating domain state, etc.
Introduce virtio-mem <memory/> model for s390 guests
The virtio-mem model of <memory/> device can now be used with s390 guests.
Support using passt as the backend for interface type='vhostuser'
The combination of vhostuser transport with passt as the backend provides high
performance, fully featured networking without the need for libvirt or QEMU
to have any elevated privileges or capabilities. Configuration and features
are identical to the configuration for type='user' with the passt backend.
Improvements
qemu: I/O error messages can be queried via virDomainGetMessages()
The qemu hypervisor driver now preserves the last I/O error message along with
the timestamp when it was recorded and preserves it to be queried via
virDomainGetMessages().
Bug fixes
tools: ssh-proxy: Check if domain is running before connecting to it
If domain is not running but has a static CID configured for its VSOCK then
the ssh-proxy parsed it anyways. This may have resulted in mistakenly
connecting to a different domain. Domain status is checked before parsing its
CID.
apparmor: Allow SGX if configured
If domain has <memory model='sgx-epc'\> configured then libvirt now adds
corresponding devices into a per-domain profile so that AppArmor does not
deny QEMU access to them.
qemu: Fix crash when starting a domain on a host with unknown host CPU
On hosts where we cannot detect a host CPU model (mostly aarch64 hosts)
starting a domain with a custom CPU model caused a crash of virtqemud.
The bug was introduced in libvirt-10.9.0
11.0.0
New features
network/qemu/lxc: support vlans on standard Linux host bridges
The network, qemu, and lxc drivers now support (using the <vlan> subelement)
vlan tagging and trunking on network interfaces connected to a standard Linux
host bridge.
qemu: Add support for direct and extended tlbflush features
Domains can now utilise more tlbflush hyperv features.
Improvements
ch: Enable user aliases
User can now specify custom aliases for devices in domain XML
qemu: Grab a QUERY job when formatting domain XML
Under some specific conditions it might have happened that domain XML did not
contain runtime information or returned an XML that's in process of changing
(e.g. by a thread that's hotplugging a device). Formatting domain XML now
serializes properly with other threads.
virtiofs: Allow read only mode
The <filesystem/> with virtiofsd backend can now use <readonly/> tag to export
underlying filesystem in read only mode.
qemu: allow migration of vGPU from mdev device <-> SRIOV VF device
Some GPU vendors are switching from using vGPUs creating using mdev and
identified with a uuid, to vGPUs created as SRIOV VFs and identified by their
PCI address, and want to support live migration from a host using one type of
vGPU to the other type. This is now possible.
Bug fixes
qemu: tpm: do not update profile name for transient domains
Fix a possible crash when starting a transient domain which was introduced in
the previous release.
qemu: Fix snapshot to not delete disk image with internal snapshot
When a VM has internal snapshot that is parent to external snapshot and user
reverts to the internal snapshot and deletes the external snapshot libvirt
would delete the disk image containing the internal snapshot. This would
result in data loss.
qemu: Do not format invalid XML with hyperv features in passthrough mode
When hyperv features were specified together with mode="passthrough" libvirt
parsed and formatted such features in the domain XML even though they were
not used at all, resulting in XML that is not valid based on our schema. This
is now fixed by not parsing any specified features when the passthrough mode
is used.
qemu: Fix a crash when starting a domain with ovs bridge and QOS
cpu: Add missing -v1 variants for CPU models
Some CPU models (mostly old ones) were missed when versioned CPU model names
were introduced in the previous release.
qemu: Fix false error when recovering failed post-copy migration
In some cases libvirt would report a failure to recover post-copy migration
even though the recovery started just fine and migration would eventually
successfully finish.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 19 Jun 2025 12:03:29 +0000 (14:03 +0200)]
clamav: Update to version 1.4.3
- Update from version 1.4.2 to 1.4.3
- Update of rootfile not required
- Changelog
1.4.3
- [CVE-2025-20260](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20260):
Fixed a possible buffer overflow write bug in the PDF file parser that could
cause a denial-of-service (DoS) condition or enable remote code execution.
This issue only affects configurations where both:
1. The max file-size scan limit is set greater than or equal to 1024MB.
2. The max scan-size scan limit is set greater than or equal to 1025MB.
The code flaw was present prior to version 1.0.0, but a change in version
1.0.0 that enables larger allocations based on untrusted data made it
possible to trigger this bug.
This issue affects all currently supported versions.
Thank you to Greg Walkup at Sandia National Labs for identifying this issue.
- [CVE-2025-20234](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20234):
Fixed a possible buffer overflow read bug in the UDF file parser that may
write to a temp file and thus disclose information, or it may crash and
cause a denial-of-service (DoS) condition.
This issue was introduced in version 1.2.0. It will be fixed in 1.4.3.
Thank you to volticks (@movx64 on Twitter/X), working with Trend Micro Zero
Day Initiative, for identifying this issue.
- Fixed a possible use-after-free bug in the Xz decompression module in the
bundled lzma-sdk library.
This issue was fixed in the lzma-sdk version 18.03. ClamAV bundles a copy
of the lzma-sdk with some performance changes specific to libclamav, plus
select bug fixes like this one in lieu of a full upgrade to newer lzma-sdk.
This issue affects all ClamAV versions at least as far back as 0.99.4.
Thank you to OSS-Fuzz for identifying this issue.
- Windows: Fixed a build install issue when a DLL dependency such as libcrypto
has the exact same name as one provided by the Windows operating system.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 17 Jun 2025 20:39:16 +0000 (22:39 +0200)]
nano: Update to 8.5
For details see:
https://www.nano-editor.org/news.php
"Anchors are now saved when a file is closed, and restored when
the file is reopened -- if and when --positionlog is active.
Nano exits with an error status upon keystrokes ^O^Q and ^X^Q.
Keystroke ^L just centers the cursor, while M-% cycles it.
Option --whitespace is accepted, but left undocumented.
Syntax coloring now works correctly in more locales."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 15 Jun 2025 12:52:28 +0000 (13:52 +0100)]
wireguard: Don't use fwmarks for the gateways
This slightly conflicts with the reverse path filter which does not seem
to consider the mark and therefore does not resolve to the correct route.
There is not too much benefit of using the mark, except its elegance, a
more accurate lookup and that we were hiding a direct route to the
gateway from the clients.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 9 Jun 2025 13:32:28 +0000 (15:32 +0200)]
red: Update to use ip in place of deprecated vconfig
- I noticed that the vlan package was last updated in 2005 and that the vconfig site said
that 802.1Q VLAN code is part of the official kernel, and has been for years and
years. It is very unlikely that you need to download anything from this site, the
packages are left here for posterity's sake. 802.1Q VLANs can be created with the
'ip' utility (vconfig works for vlans, but is crufty and deprecated).
- Based on this it seemed appropriate to replace the vconfig commands with ip commands.
- This patch set has been sent as an RFC PATCH as my replacement ip commands may or may
not be correct and I am unable to test the effect as I do not have a pppoe connection
using vlans.
- I am open to any modifications or any other decision with reagard to the vlan package
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Jun 2025 15:43:45 +0000 (17:43 +0200)]
libffi: Update to version 3.5.1
- Update from version 3.4.8 to 3.5.1
- Update of rootfile
- Changelog
3.5.1
Downgrade Autoconf requirement to version 2.68 by @kleisauke in #922
Fix symbol versioning error.
3.5.0
Add FFI_VERSION_STRING and FFI_VERSION_NUMBER macros, as well
as ffi_get_version() and ffi_get_version_number() functions.
Add ffi_get_default_abi() and ffi_get_closure_size() functions.
Fix closures on powerpc64-linux when statically linking.
Mark the PA stack as non-executable.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Jun 2025 15:43:44 +0000 (17:43 +0200)]
fetchmail: Update to version 6.5.3
- Update from version 6.5.2 to 6.5.3
- Update of rootfile not required
- Changelog
6.5.3
BUGFIXES:
* IMAP: Reinstate workaround for missing IDLE support if --idle is requested.
This had been a long-standing feature but got broken in fetchmail 6.4.22
(commit 616e8c70). Thanks to Lukáš Tesař for the detailed report including
a Git bisect that identified this faulty commit. Fixes Gitlab issue #69.
* IMAP: Only print 'will idle after poll' if --idle is enabled
and either offered by the server, or forced through --forceidle.
This fixes a regression introduced in fetchmail 6.4.22 (commit 616e8c70).
TRANSLATIONS: fetchmail's translation was updated, courtesy of:
* es: Cristian Othón Martínez Vera [Spanish]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 12 Jun 2025 16:27:01 +0000 (18:27 +0200)]
fort-validator: New package
FORT Validator is an open source RPKI validator. It allows operators to validate BGP routing information
against the RPKI repository for use in router configuration and resolution.
This patch includes the LFS and rootfile to build the validator,
an initscript, required definitions for backup and an empty config file
for user customization.
Fixes #13845.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 10 Jun 2025 09:44:57 +0000 (11:44 +0200)]
samba: Update to version 4.22.2
- Update from version 4.22.0 to 4.22.2
- Update of rootfiles not required. Confirmed on all three architectures
- CVE fix in 4.22.2
- Changelog
4.22.2
* BUG 15707: (CVE-2025-0620) [SECURITY] CVE-2025-0620: smbd doesn't pick up
group membership changes when re-authenticating an expired SMB
session.
* BUG 15861: Profile sync fails due to Directory Leases.
* BUG 15727: net ad join fails with "Failed to join domain: failed to create
kerberos keytab".
* BUG 15851: dcerpcd not able to bind to listening port.
* BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at any
level beyond share root.
* BUG 15858: CTDB does not put nodes running NFS into grace on graceful
shutdown.
4.22.1
* BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
* BUG 15829: samba-tool gpo backup creates entity backups it can't read.
* BUG 15839: gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with
prepended 0's.
* BUG 15767: Deadlock between two smbd processes.
* BUG 15823: Subnet based interfaces definition not listening on all covered
IP addresses.
* BUG 15836: PANIC: assert failed at source3/smbd/smb2_oplock.c(156):
sconn->oplocks.exclusive_open>=0.
* BUG 15727: net ad join fails with "Failed to join domain: failed to create
kerberos keytab".
* BUG 15774: Running "gpo manage motd set" twice fails with backtrace.
* BUG 15822: Enable support for cephfs case insensitive behavior.
* BUG 15791: Remove of file or directory not possible with vfs_acl_tdb.
* BUG 15841: Wide link issue in samba 4.22.
* BUG 15767: Deadlock between two smbd processes.
* BUG 15845: NT_STATUS_INVALID_PARAMETER: Can't create folders on share of an
exfat file system.
* BUG 15849: Lease code is not endian-safe.
* BUG 15818: vfs_ceph_new module does not work with other modules for
snapshot management.
* BUG 15834: vfs_ceph_new: Add path based fallback for SMB_VFS_FCHOWN,
SMB_VFS_FCHMOD and SMB_VFS_FNTIMES.
* BUG 15810: Add async io API from libcephfs to ceph_new VFS module.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 8 Jun 2025 20:35:07 +0000 (22:35 +0200)]
postfix: Update to version 3.10.2
- Update from version 3.10.1 to 3.10.2
- Update for rootfile not required
- Changelog
3.10.2
Bugfix (defect introduced: date 19991116): when appending a setting to a
main.cf or master.cf file that did not end in a newline character, the
"postconf -e" command did not add an extra newline character before
appending the new setting, causing information to become garbled. Fix
by Michael Tokarev.
Bugfix (defect introduced: Postfix 2.3, date 20051222): the Dovecot auth
client did not attempt to create a new connection after an I/O error on
an existing connection. Reported by Oleksandr Kozmenko.
Improved and corrected error messages when converting (host or service)
information to (symbolic text, numerical text, or binary) form.
Documentation: updated link to Dovecot documentation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 8 Jun 2025 20:35:06 +0000 (22:35 +0200)]
libusb: Update to version 1.0.29
- Update from version 1.0.28 to 1.0.29
- Update of rootfile not required
- Changelog
1.0.29
* Fix regression on macOS leading to timeouts in enumeration
* LIBUSB_API_VERSION bump for the new functions in 1.0.28
* Fix xusb regression displaying wrong error on claim failure
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 8 Jun 2025 20:35:03 +0000 (22:35 +0200)]
curl: Update to version 8.14.1
- Update from version 8.14.0 to 8.14.1
- Update of rootfile not required
- Changelog
8.14.1
Bugfixes:
o asyn-thrdd: fix cleanup when RR fails due to OOM [20]
o autotools: recognize more Linux targets when setting `-D_GNU_SOURCE` [35]
o BUG-BOUNTY.md. mention the medium bounty amount in 2025 [5]
o cmake: fix missed version number for multi-pkg-config detections [14]
o cmdline-docs: mention HTTP resumed uploads to be shaky [21]
o curl: make -N handled correctly [34]
o curl: upload from '.' fix [9]
o dllmain: exclude from Cygwin builds [32]
o docs/tests: remove mention of hyper [23]
o docs: fix typos [12]
o ftp: fix teardown of DATA connection in done [31]
o http: fail early when rewind of input failed when following redirects [2]
o license: update some copyright links to curl.se [24]
o memanalyze.pl: fix getaddrinfo/freeaddrinfo checks [25]
o misc: fix spelling [15]
o misc: we write *an* IPv6 address [10]
o multi: fix add_handle resizing [3]
o spelling: 'a' vs 'an' [8]
o spelling: call it null-terminate consistently [6]
o test1510: fix expectation [19]
o tests: await portfile to be complete [1]
o tests: fix checks for https-mtls proto [30]
o tests: improve server start reliability [18]
o tests: move test docs into /docs [16]
o tests: re-enable 1510, document heimdal memleak [22]
o tests: test mtls also w/ clientAuth EKU only [28]
o tests: test mtls with --insecure [29]
o tls BIOs: handle BIO_CTRL_EOF correctly [33]
o tool_getparam: make --no-anyauth not be accepted [13]
o tool_getparam: refactored, simplified [4]
o tool_getparam: remove two nextarg NULL checks [11]
o VULN-DISCLOSURE-POLICY.md: the distros list wants <= 7 days embargo [26]
o wolfssl: fix sending of early data [7]
o ws: handle blocked sends better [27]
o ws: tests and fixes [17]
Planned upcoming removals include:
o Support for the msh3 HTTP/3 backend
o Supporting curl builds using VS2008
o The Secure Transport and BearSSL TLS backends
o The winbuild build system
o Windows CE support
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 8 Jun 2025 20:35:02 +0000 (22:35 +0200)]
automake: Update to version 1.18
- Update from version 1.17 to 1.18
- Update of rootfile
- Changelog
1.18
* New features added
- Default tar format is now ustar, mainly to support longer filenames;
the tar-v7 and other explicit options to force a particular tar
format are unchanged and still override the default. (bug#74847)
- The mdate-sh auxiliary script generally used with Texinfo now uses
SOURCE_DATE_EPOCH, if set, instead of the source file's mtime. (bug#77805)
- New option dist-bzip3 for bzip3 compression of distributions. (bug#73795)
- New option --stderr-prefix for tap-driver.sh, to prefix each line of
stderr from a test script with a given string. (bug#72536)
- Support for Algol 68 added, based on the GNU Algol 68 compiler. (bug#75807)
* Bugs fixed
- Do not make Perl warnings fatal, per Perl's recommendation.
(https://lists.gnu.org/archive/html/automake/2025-01/msg00003.html)
- Avoid Perl 5.41.8+ precedence warning for use of !!.
(https://lists.gnu.org/archive/html/automake/2025-01/msg00000.html)
- a Perl path containing whitespace now emits a warning instead of
an error, so ./configure PERL='/usr/bin/env perl' can work. (bug#74453)
- The py-compile script once again does nothing (successfully) if the
PYTHON environment variable is set to ":", or anything that isn't a
Python interpreter (according to $PYTHON -V). Exception: if PYTHON
is set to "false", do nothing but exit unsuccessfully, also to match
previous behavior. (bug#74434)
- The no-dist-built-sources Automake option now operates (hopefully) as
intended, i.e., omits the dependency on $(BUILT_SOURCES) for the
distdir target. (bug#69908)
- Only warn about install.sh being found, instead of it being a fatal
error. (bug#19964)
- The compile script is more robust to Windows configurations;
specifically, avoids double-path translation on MSYS. (bug#75939)
- The test infrastructure sets the CONFIG_SITE environment variable to
/dev/null, to avoid the local system's Autoconf site defaults from
breaking the test environment. (bug#76622)
- AM_SILENT_RULES once again always ends with a newline. (bug#72267)
- AM_SANITY_CHECK now outputs "no" on failure, so that a complete line
is written to stdout before the error message is written to stderr.
(bug#76448)
* Miscellaneous changes
- Only require the presence of an ABOUT-NLS file at the 'gnits'
strictness level.
(https://lists.gnu.org/archive/html/automake/2024-10/msg00006.html)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 7 Jun 2025 21:38:51 +0000 (23:38 +0200)]
sqlite: Update to version 3.50.1
- Update from version 3.50.0 to 3.50.1
- Update of rootfile
- Changelog
3.50.1
Fix a long-standing bug in jsonb_set() and similar that was exposed by new
optimizations added in version 3.50.0.
Fix an apparently harmless ASAN warning that can occur on builds that use
-DSQLITE_DEFAULT_MEMSTATUS=0.
Fix an off-by-one bug in sqlite3_rsync that can result in the last page not
being transferred for the replicate database.
Query planner optimization: Allow the right-hand side of a LEFT JOIN to be
flattened even if it is a virtual table.
Fix sqlite3_setlk_timeout() to use a blocking lock when opening a snapshot
transaction and when block by another process running recovery.
Other minor fixes that were reported after the 3.50.0 release.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 12 Jun 2025 11:56:43 +0000 (13:56 +0200)]
es.pl: Change back all html &codes in the Spanish lang file to accented chars
- An issue was identified in the forum by @Roberto pressing the Locations Group page
button on the Firewall Groups page caused the Locations Group page to not be shown
correctly in CU195 Testing.
- After investigation I found that the CU195 Spanish language file patch set had changed
many, if not all, of the characters with accents into their html & codes. This worked
in terms of showing the correct text in the WUI page but when the cgi page did a
string comparison with the text that was displayed on the html page with the text in
the language file they did not match as Grupos de ubicación was compared with
Grupos de ubicación which of course did not match.
- To keep all of @Robertos WireGuard Spanish translations this patch set changes all the
html & codes back to the actual accented characters.
- Tested out on my vm testbed and the cgi code worked again.
- None of the other language files that I looked at (French, German, Italian and
Turkish) are using the html & codes for accented characters. They are all using the
actuall accented characters themselves.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 26 Apr 2025 14:36:18 +0000 (14:36 +0000)]
cdrom: Disable modesetting in text mode
This is just a precaution for users which have broken graphics. This
way, the kernel should keep the simple VGA text console without actually
switching on high resolutions.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Jun 2025 10:29:29 +0000 (12:29 +0200)]
tshark: Update to version 4.4.7
- Update from version 4.4.6 to 4.4.7
- Update of rootfile
- CVE fix in this release
- Changelog
4.4.7
The following vulnerabilities have been fixed:
wnpa-sec-2025-02 Dissection engine crash. Issue 20509. CVE-2025-5601.
The following bugs have been fixed:
Wireshark does not correctly decode LIN "go to sleep" in TECMP and CMP.
Issue 20463.
Dissector bug, Protocol CIGI. Issue 20496.
Green power packets are not dissected when
proto_version == ZBEE_VERSION_GREEN_POWER. Issue 20497.
Packet diagrams misalign or drop bitfields. Issue 20507.
Corruption when setting heuristic dissector table UI name from Lua.
Issue 20523.
LDAP dissector incorrectly displays filters with singleton "&" Issue 20527.
WebSocket per-message compression extentions: fail to decompress server
messages (from the 2nd) due to parameter handling. Issue 20531.
The LL_PERIODIC_SYNC_WR_IND packet is not properly dissected
(packet-btle.c) Issue 20554.
Updated Protocol Support
AT, BT LE LL, CIGI, genl, LDAP, LIN, Logcat Text, net_dm, netfilter,
nvme, SSH, TCPCL, TLS, WebSocket, ZigBee, and ZigBee ZCL
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://github.com/NetworkConfiguration/dhcpcd/releases/tag/v10.2.4
"compat: use timingsafe_bcmp if available
IPv6: Sort routers by reachability correctly.
definitions: define ND Route Information option
IPv6: Clear previous address RA flags on receipt of a RA."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Jun 2025 12:18:35 +0000 (14:18 +0200)]
sqlite: Update to version 3.50.0
- Update from version 3.49.2 to 3.50.0
- Update of rootfile
- Changelog
3.50.0
Add the sqlite3_setlk_timeout() interface which sets a separate timeout,
distinct from the sqlite3_busy_timeout(), for blocking locks on builds that
support blocking locks.
The SQLITE_DBCONFIG_ENABLE_COMMENTS constraint (added in the previous release)
is relaxed slightly so that comments are always allowed when reading the
schema out of a pre-existing sqlite_schema table. Comments are only blocked
in new SQL.
New SQL functions:
unistr()
unistr_quote()
For the %Q and %q conversions in the built-in printf() (which covers the
sqlite3_mprintf() API and the format() SQL function and similar) the
alternate-form-1 flag ("#") causes control characters to be converted into
backslash-escapes suitable for unistr().
CLI enhancements:
Avoids direct output of most control characters.
The output of the .dump command makes use of the new unistr() SQL funtion
to encode special characters, unless the --escape mode is set to off.
Better formatting of complex partial indexes in the output from the
".schema --indent" command.
Enhancements to sqlite3_rsync:
The requirement that the database be in WAL mode has been removed.
The sync protocol is enhanced to use less network bandwidth when both
sides start out being very similar to one another.
The sqlite3_rsync program now works on Macs without having to specify the
full pathname of the sqlite3_rsync executable on the remote side as long
as you install the sqlite3_rsync executable in one of these directories:
$HOME/bin:/usr/local/bin:/opt/homebrew/bin
Changes to JSON functions:
Bug fix: Enforce the JSON5 restriction that the "\0" escape must not be
followed by a digit.
Bug fix: When the LABEL argument to json_group_object(LABEL,VALUE) is NULL,
that element of the resulting object is omitted.
Optimization: If the jsonb_set() or jsonb_replace() functions make a change
in the interior of a large JSONB object, they strive to keep the size of
the JSONB object unchanged and to modify as few bytes as possible on the
interior of the object. This helps reduce I/O as it allows SQLite to write
only the page that contains the changed bytes and not all the surrounding
pages.
Improved support for building on Cygwin and MinGW and similar, as well as Termux.
Typo fixes in the documentation and in the source code comments.
Miscellaneous performance improvements.
JavaScript/WASM:
Fix a long-standing filename digest calculation bug in the OPFS SAHPool VFS.
Databases created in that VFS by 3.50.0+ cannot be read by older
versions of the VFS, but 3.50.0 can backwards-compatibly work with
existing databases created by older versions.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Jun 2025 12:18:34 +0000 (14:18 +0200)]
smartmontools: Update to version 7.5
- Update from version 7.4 to 7.5
- Update of rootfile not required
- Changelog
7.5
- CI and release builds are now reproducible if same SOURCE_DATE_EPOCH,
build recipes and toolchains are used.
- smartctl '-j -A': New JSON value 'endurance_used' (ATA/SCSI/NVMe).
- smartctl '-j -A': New JSON value 'spare_available' (ATA/NVMe).
- smartctl '-j -i': Re-added the JSON value 'model_name' also for SCSI
devices (regression).
- smartctl '-j -c': NVMe support.
- smartctl '-j -n ...': New JSON values 'power_mode.*' (ATA only).
- smartctl '-H -A': Support for NVMe SMART/Health Information per
namespace.
- smartctl '-i': ATA ACS-6 updates.
- smartctl '-x': No longer includes '-g wcreorder'.
- smartctl '-x', '-l scterc': No longer returns exit status 4 if SCT ERC
is not supported by the device.
- smartctl '-l error': No longer prints bogus ATA error log entries if
the error index is nonzero but the error count is zero.
- smartctl '-l ssd': Fixed corruption of the output of the SCSI Format
Status log page.
- smartctl '-l ssd': Now detects 'no format since manufacture' from the
SCSI Format Status log page.
- smartctl '-l farm': Fixed the unit of 'Write Power On' time.
- smartctl '-l farm': Fixed the byte order of ATA 'Assembly Date'.
- smartctl '-l farm': Fixed a possible segfault.
- smartctl '-l farm -q noserial': Suppresses serial and WWN also from FARM.
- smartctl '-l farm -T permissive': Overrides false negative FARM support
check for rebranded drives.
- smartctl '-t TEST': Fixed self-tests of single namespace NVMe devices.
- smartd '-A': NVMe attribute log support.
- smartd: Ignores NSID in duplicate check of single namespace devices.
- smartd: No longer issues LOG_CRIT warnings for 'Set Feature' related
NVMe error information log entries.
- smartd: No longer hangs on systems with large file descriptor limits.
- smartd: No longer logs invalid "old test ... not run" messages if
staggered self-tests are used.
- smartd.conf '-l selftest[sts] -s ...': NVMe self-test support.
- smartd.conf '-H MASK': Ability to ignore specific bits of NVMe
SMART/Health value 'Critical Warning'.
- smartd.conf '-p': Checks NVMe SMART/Health value 'Available Spare'.
- smartd.conf '-u [-f]': Checks NVMe SMART/Health values 'Percentage Used'
and 'Media and Data Integrity Errors'.
- smartd.conf '-W ...': No longer includes individual sensors in NVMe
temperature check as some devices report other values there.
- ATA: Device type '-d jmb39x-q2,N' for another JMB39x protocol variant
used by QNAP-TR002 NAS devices.
- SCSI: Fixed range checks of mode page offset and VPD inquiry.
- SCSI: Fixed buffer overflow parsing of VPD page.
- SCSI: Fixed handling of multiple designators in VPD page.
- USB/NVMe: '-d sntjmicron' no longer triggers USB resets on queries of
the self-test log.
- USB/NVMe: '-d sntasmedia' now supports log pages > 512 bytes.
- USB/NVMe/SAT: New experimental NVMe/SAT autodetection options
'-d snt*/sat'.
- Fixed segfault on missing option argument on systems using musl libc.
- HDD, SSD and USB additions to drive database.
- automake < 1.13 are no longer supported.
- Custom make rules are now silenced if 'make V=0' is used.
- Enhanced makefile targets 'dist-*' to create reproducible source
tarballs if SOURCE_DATE_EPOCH is set.
- The makefile no longer uses GNU make specific syntax elements
(exception: reproducible builds for macOS).
- Dropped support for platforms without 'sigaction()'.
- configure: Now also detects MidnightBSD.
- configure: Dropped option '--with-signal-func'.
- configure: Default for '--with-nvme-devicescan' is now 'yes' also on
NetBSD.
- Version information is now also set if build from GH R/O mirror.
- Linux: 'smartd.service' now avoids a warning about an unset environment
variable.
- Linux: Dropped autodetection of deprecated device type '-d marvell'.
- macOS: Support for reproducible builds of the DMG image.
- OpenBSD: NVMe support.
- Windows: Increased WMI timeout.
- Windows: Support for reproducible builds of the installer.
- Windows: Uninstaller is no longer damaged if the installer is signed.
- Windows 'update-smartd-drivedb.ps1': Fixed call of 'gpg.exe' if it
appears more than once in the PATH.
- Windows 'update-smartd-drivedb.ps1 -Verbose': Now also prints the
download command.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Jun 2025 12:18:33 +0000 (14:18 +0200)]
kbd: Update to version 2.8.0
- Update from version 2.7.1 to 2.8.0
- Update of rootfile
- Changelog
2.8.0
keymaps:
Add Georgian font (LatCyrHebKa-16_GIA.psfu) and keymap (i386/qwerty/ge).
Add new i386 azerty afnor keymap (i386/azerty/fr-afnor).
Disable characters >=U+F000 in qwertz/de_alt_UTF-8.
libkeymap:
Support KT_DEAD2 diacritics.
Fix memory leaks.
utils:
kbd_mode: support Disabled mode (K_OFF).
build-sys:
configure: Restore the old behavior when using gzip.
configure: Disable lex implementations other than flex.
other:
tests: Fix tests on powerpc.
tests: Add build and check on other architectures (x86_64, s390x, ppc64el).
tests: Add valgrind check in unit tests.
tests: Add sparse check and fix detected warnings.
tests: Add tests to increase code coverage.
tests: Check all distributed keymaps for loadability.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Jun 2025 12:18:32 +0000 (14:18 +0200)]
iproute2: Update to version 6.15.0
- Update from version 6.14.0 to 6.15.0
- Update of rootfile not required
- Changelog is not provided. Details of changes can be found from the git commit changes
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Jun 2025 12:18:31 +0000 (14:18 +0200)]
curl: Update to version 8.14.0
- Update from version 8.13.0 to 8.14.0
- Update of rootfile
- Changelog
8.14.0
Changes:
mqtt: send ping at upkeep interval
schannel: handle pkcs12 client certificates containing CA certificates
TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
vquic: ngtcp2 + openssl support
wcurl: import v2025.04.20 script + docs
websocket: add option to disable auto-pong reply
Bugfixes:
_SEEALSO.md: remove spaces around command and man page section
asny-thrdd: fix detach from running thread
asnyc-thrdd: explain how this is okay with a comment
asyn resolver code improvements
async-threaded resolver: use ref counter
async: DoH improvements
autotools: detect `wolfSSL_set_quic_use_legacy_code` like cmake does
autotools: install shell completion files on cross build
aws-sigv4: allow a blank string
build: check required rustls-ffi version
build: enable gcc-12/13+, clang-10+ picky warnings
build: enable gcc-15 picky warnings
certs: drop unused `default_bits` from `.prm` files
cf-https-connect: use the passed in dns struct pointer
cf-socket: fix FTP accept connect
cfilters: remove assert
cmake/FindNGTCP2: simplify multi-pkg-config detection
cmake: append picky warnings to `CMAKE_REQUIRED_FLAGS` as string
cmake: avoid 'target is imported but not globally visible' when consuming
libcurl with old cmake
cmake: do not install `mk-ca-bundle` script and manpage
cmake: enable `-Wall` for MSVC when `PICKY_COMPILER=ON`
cmake: extend integration tests
cmake: fix `fish` install directory detection via `pkg-config`
cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
cmake: fix option() and mark_as_advanced() mixed order
cmake: fix shell completion install when just one flavor is enabled
cmake: honor individual picky option overrides found in `CMAKE_C_FLAGS`
cmake: install shell completions for cross-builds
cmake: link `crypt32` for OpenSSL feature detection
cmake: merge `CURL_WERROR` logic into `PickyWarnings.cmake`
cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
cmake: quotes, whitespace, use `VERSION_GREATER_EQUAL`
cmake: revert `CURL_LTO` behavior for multi-config generators
cmake: set `BUILDING_LIBCURL` directly for unit test targets
cmake: stop deleting `-W<n>` from `CMAKE_C_FLAGS` (MSVC)
cmake: tidy up and document feature detections in dependencies
cmake: use `CMAKE_COMPILE_WARNING_AS_ERROR` if available
cmake: use `INCLUDE_DIRECTORIES` prop to specify local header dirs
cmake: use `LIB_NAME` in `curl-config.cmake.in`
cmake: use absolute paths for completion targets
cmake: use the `LINK_OPTIONS` property with CMake 3.13+
configure: catch asking for double resolver without https-rr
configure: fix --disable-rt
configure: restore link checks
configure: suppress command not found for brew
conncache: make Curl_cpool_init return void
connect: shutdown timer fix
content_encoding: Transfer-Encoding parser improvements
CONTRIBUTE: add project guidelines for AI use
contrithanks.sh: drop set -e
cpool/cshutdown: force close connections under pressure
curl: fix memory leak when -h is used in config file
curl: only warn once for --manual in manual-disabled build
curl_get_line: handle lines ending on the buffer boundary
curl_krb5: only use functions if FTP is still enabled
curl_multibyte: fixup low-level calls, include in unity builds
curl_osslq: remove a leftover debug fprintf() call
curl_version_info.md: clarify ssl_version for MultiSSL
CURLMOPT_TIMERFUNCTION.md: correct the example
CURLOPT_ERRORBUFFER.md: buffer is read only after curl takes ownership
CURLOPT_FOLLOWLOCATION.md: switch to GET => no body
CURLOPT_READFUNCTION.md: mention the seek callback
CURLOPT_XFERINFOFUNCTION.md: fix the callback return type in example
curlx: move the docs to docs/internals/
DEPRECATE.md: drop support for VS2008
DEPRECATE.md: drop Windows CE support
dist: drop duplicate entry from `CMAKE_DIST`
dns_entry: move from conn to data->state
Dockerfile: update debian:bookworm-slim Docker digest to 90522ee
docs/INSTALL.md: drop reference to removed configure option
docs/libcurl: fix type and prototype problems in examples
docs/libcurl: make examples build with picky compiler options
docs/libcurl: mention sensitive data/headers
docs: add missing return statement in examples
docs: fix incorrect shell substitution in docker run example command
docs: fix typo in retry.md
docs: update distros links
doh: httpsrr fix
doh: make sure CURLOPT_PROTOCOLS is set a with a "long" arg
doh: reduce the DNS request buffer size
easy_reset: fix dohfor_mid member
ECH: reference the OpenSSL ECH feature branch
etag-save.md: mention how using both options is a good idea
eventfd: fix feature guards
formdata: cleanups
ftp: fix bug in failed init
ftp: fix race in upload handling
ftplistparser: add two overflow preventions
ftplistparser: split up into more functions
generate.bat: exclude curlinfo.c from legacy VS projects
genserv.pl: fail with a message if `openssl` is missing or failing
headers: enforce a max number of response header to accept
headers: set an error message on illegal response headers
hostip: fix build without threaded-resolver and without DoH
hostip: show the correct name on proxy resolve error
http2: fix stream window size after unpausing
HTTP3.md: fix incorrect variable placeholders
http: fix a build error when all auths are disabled
http: fix HTTP/2 handling of TE request header using "trailers"
http: in alt-svc negotiation only allow supported HTTP versions
http_aws_sigv4: add additional verbose log statements
http_aws_sigv4: improve sigv4 url encoding and canonicalization
http_chunks: narrow variable scope for 'trlen'
http_negotiate: fix non-SSL build with GSSAPI
https-connect: fix httpsrr target check
HTTPSRR.md: clarify somewhat
if2ip: build the function also if FTP is present
imap: remove redundant condition
INSTALL-CMAKE.md: fix typo
INSTALL.md: update the minimal libcurl size example
KNOWN_BUGS: fix link in sivg4 issue 16.3
lib/src/docs/test: improve curl_easy_setopt() calls
lib1560: use hex notation, drop non-ASCII exception
lib3026: drop DLL pre-load perf mitigation for old mingw
lib: add const to clientwriter tables
lib: drop curlx_getpid, use fake pid in SMB
lib: include files using known path
lib: make Curl_easyopts const
lib: unify conversions to/from hex
libcurl-tutorial.md: fix read callback explanation
libssh: add NULL check for Curl_meta_get()
libssh: fix memory leak
libssh: remove a condition that always equals false
libtest/first: stop defining MEMDEBUG_NODEFINES
libtests: define CURL_DISABLE_DEPRECATION first
make: clean tests better
mbedtls: TLS 1.3 is max when mbedtls has 1.3 support
metahash: add asserts to help analyzers
mk-ca-bundle.pl: follow redirects
mk-ca-bundle: switch URLs to GitHub versions
mkhelp: fix to not generate a line-ending space in some cases
mqtt: use conn/easy meta hash
multi: do transfer book keeping using mid
multi: init_do(): check result
netrc: avoid NULL deref on weird input
netrc: avoid strdup NULL
netrc: deal with null token better
ngtcp2: clarify ignoring of result
openssl-quic: avoid potential `-Wnull-dereference`, add assert
openssl-quic: fix printf mask
openssl-quic: fix shutdown when stream not open
openssl: enable builds for *both* engines and providers
openssl: set the cipher string before doing private cert
parsedate: provide Curl_wkday also for GnuTLS builds
processhelp.pm: always call `taskkill` with `-f` (force)
processhelp.pm: avoid potential endless loop, log more (Windows)
progress: avoid integer overflow when gathering total transfer size
pytest tls: extend coverage
pytest-xdist: pytest in parallel
pytest: add pinnedpubkey test cases
pytest: give parameterised tests better ids for read- and parsability
pytest: make test_07_22 more lenient to exit codes
quic: no local idle connection timeout, ngtcp2 keep-alive
rand: update comment on Curl_rand_bytes weak random
RELEASE-PROCEDURE.md: release candidate git tagging explained
rtsp: remove redundant condition
runtests: add retry option to reduce flakiness
runtests: fix indentation
runtests: recognize lowercase `windows` in `curl -V`
runtests: remove server verification after start
runtests: split `SSH_PWD` into `SCP_PWD` and `SFTP_PWD`, and more
rustls: make max size of cert and key reasonable
sasl: give help when unable to select AUTH
scripts: completion.pl: sort the completion file for all shells
scripts: drop unused import, formatting
scripts: fix --opts-dir help in completion.pl
scripts: fix perl indentation, whitespace, semicolons
sectransp: fix building for macOS Sierra and older
setopt: provide info for CURLE_BAD_FUNCTION_ARGUMENT
smb: avoid integer overflow on weird input date
socket: use accept4 when available
socketpair: support pipe2 where available
spacecheck.pl: check for non-ASCII chars, fix fallouts
spacecheck.pl: verify `tests/data/test*` for non-ASCII chars
src: drop strcase.[ch] from tool builds
src: include memdebug.h consistently with angle brackets <>
src: rename curlx_safefree to tool_safefree
test1173.pl: whitelist some option-looking names that aren't options
test1658: add unit test for the HTTPS RR decoder
test: make unittest 1308 into a libtest
tests/ech_tests.sh: sync shebang with rest of bash scripts
tests/FILEFORMAT.md: clarify %hex[] formatting
tests/FILEFORMAT.md: document the aws feature
tests/README.md: document --test-duphandle
tests/README.md: list the openssl tool among the prerequisites
tests/server/dnsd: basic DNS server for test suite
tests/server: check for `stream != NULL` in mqttd
tests/server: fix typo in comment
tests/server: stop using libcurl string comparisons
tests/server: stop using libcurl's printf functions
tests/serverhelp: remove last remnants of http-pipe server
tests/tunit: make a separate directory for tool-based unit tests
tests: add aws feature to the related tests
tests: Add https-mtls server to force client auth
tests: fix some test tag mismatches
tests: mark ipfs tests to require ipfs
tests: move a boolean variable out of the path section
tests: prefer `--insecure` over `-k`
tests: provide all non-ascii data hex encoded
tests: remove some unused test case sections
tests: require IPv6 for 1265, 1324, 2086
tests: separate tunit tests from unit tests more
tests: stop using libcurl's strdup
tests: unify test case keywords
tests: use a more portable null device path
TODO: remove "nicer lacking perl message"
tool_cb_write.c: handle EINTR on flush
tool_getparam: clear argument only when needed
tool_operate: make retrycheck() a separate function
tool_operate: when retrying, only truncate regular files
tool_paramhlp: avoid integer overflow in secs2ms()
tool_parsecfg: make get_line handle lines ending on the buffer boundary
typecheck-gcc.h: fix the typechecks
urlapi: redirecting to "" is considered fine
urlapi: remove unneeded guards around PUNY2IDN
urldata: remove the unused struct field 'hide_progress'
VERSIONS: list all past releases
vquic: consistent name for the stream struct across backends
vquic: init for every call to recvmsg
vtls: avoid NULL deref on bad PEM input
vtls: fix build with ssl but without http
VULN-DISCLOSURE-POLICY: use of weak algos
winbuild: add the deprecation warning to the README
winbuild: curl_get_line is not used for tool builds
windows: fix builds targeting WinXP, test it in CI
wolfssl: fix to enable ALPN when available
ws: fix the header replace check
ws: store protocol context as connection meta data
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 2 Jun 2025 18:41:58 +0000 (18:41 +0000)]
core196: Ship OpenSSL
This is being shipped because it has been rebuilt with GCC 15. There has
been reports on some systems that OpenSSL triggers some compiler bug and
therefore the openssl command tends to segfault a lot.
This is now being resolved with GCC 15.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 1 Jun 2025 14:58:28 +0000 (14:58 +0000)]
linux: Backport support for BIG TCP GSO on WireGuard
Advertise GSO_MAX_SIZE as TSO max size in order support BIG TCP for wireguard.
This helps to improve wireguard performance a bit when enabled as it allows
wireguard to aggregate larger skbs in wg_packet_consume_data_done() via
napi_gro_receive(), but also allows the stack to build larger skbs on xmit
where the driver then segments them before encryption inside wg_xmit().
We've seen a 15% improvement in TCP stream performance.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 1 Jun 2025 15:00:51 +0000 (17:00 +0200)]
wireguard: Don't try to delete any interfaces that don't exist
When the WireGuard interfaces are being destroyed, we are using some
globbing to identify the right interfaces. If there are no interfaces
the globbing string does not match anything and is returned itself. To
avoid an error when trying to delete an interface that never existed, we
configure the shell to never expand empty globbings.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 30 May 2025 12:38:17 +0000 (14:38 +0200)]
ruby: Update to version 3.4.4
- This v2 version keeps the CFLAGS line in place
- Update from version 3.4.1 to 3.4.4
- Update of rootfile
- Changelog
3.4.4
YJIT: Split the block on optimized getlocal/setlocal by k0kubun · Pull
Request #13331
Bug #21257: YJIT can generate infinite loop when OOM - Ruby - Ruby Issue
Tracking System
Bug #21286: Windows - MSYS2 just updated to GCC 15.1.0, builds failing -
Ruby - Ruby Issue Tracking System
Bug #21327: Windows builds seem broken after clock_gettime changes? -
Ruby - Ruby Issue Tracking System
Bug #21331: heap-use-after-free caused by rehash during
transform_values! - Ruby - Ruby Issue Tracking System
Bug #21289: Fix C level backtraces for USE_ELF - Ruby - Ruby Issue
Tracking System
3.4.3
Bug #21145: Prism accepts newlines in-between curly unicode escape -
Ruby - Ruby Issue Tracking System
Bug #21153: ::Foo ||= p 1 should parse - Ruby - Ruby Issue Tracking System
Bug #21030: Bug: #step with Range<ActiveSupport::Duration> behavior
broken on Ruby 3.4.1 - Ruby - Ruby Issue Tracking System
Bug #21131: IO.copy_stream: yielded string changes value when duped -
Ruby - Ruby Issue Tracking System
Feature #19521: Support for Module#name= and Class#name=. - Ruby - Ruby
Issue Tracking System
Bug #21159: Module#set_temporary_name should freeze given name - Ruby -
Ruby Issue Tracking System
Bug #21161: Crash when locale is set to Turkish tr_TR.UTF-8 - Ruby - Ruby
Issue Tracking System
Bug #21144: Win32: Use Windows time zone ID as the time zone name if TZ
is not set - Ruby - Ruby Issue Tracking System
Bug #21170: Corrupted Hash (bad VALUE and missing entry) when -1 returned
from .hash - Ruby - Ruby Issue Tracking System
Bug #21172: Race condition in register_fstring - Ruby - Ruby Issue
Tracking System
Bug #21163: Inconsistencies in Kernel.Float compared to other number
parsing methods - Ruby - Ruby Issue Tracking System
Bug #21173: RUBY_FREE_AT_EXIT does not work when error in -r - Ruby -
Ruby Issue Tracking System
Bug #21179: Introduction Happy Eyeballs Version 2 broke Socket.tcp from
secondary Ractors - Ruby - Ruby Issue Tracking System
Bug #19841: Marshal.dump stack overflow with recursive Time - Ruby - Ruby
Issue Tracking System
Bug #21180: SEGV while marking imemo_env->iseq - Ruby - Ruby Issue
Tracking System
Bug #21186: Inconsistent parsing of ?あand 0 - Ruby - Ruby Issue Tracking
System
Bug #21094: Module#set_temporary_name does not affect a name of a nested
module - Ruby - Ruby Issue Tracking System
Bug #21195: Crash when using IO#timeout - Ruby - Ruby Issue Tracking System
Bug #21196: Ruby 3.4 ignores visibility when passing arguments using ... -
Ruby - Ruby Issue Tracking System
Bug #21141: Time#utc? does not work with a timezone object - Ruby - Ruby
Issue Tracking System
Bug #21211: Incomplete Backtrace for Socket Errors in Ruby 3.4+ - Ruby -
Ruby Issue Tracking System
Bug #21197: Prism does not accept newline after defined? keyword - Ruby -
Ruby Issue Tracking System
Bug #21183: Ractor error with Prism::VERSION - Ruby - Ruby Issue Tracking
System
Bug #21217: Integer.sqrt produces wrong results even on input <= 1e18 -
Ruby - Ruby Issue Tracking System
Bug #21220: Memory corruption in update_line_coverage()
[write at index -1] - Ruby - Ruby Issue Tracking System
3.4.2
Bug #21024: Ruby including generates compilation warning with GCC 15,
header is deprecated in C++17,
Bug #21021: "try to mark T_NONE object" with 3.4.1
Bug #20997: YJIT panic assertion left == right failed: leave instruction
expects stack size 1, but was: 2
Bug #20981: rb_undefine_finalizer is missing
Bug #20989: Segmentation fault in Ripper when lexing /#{"\xcd"}/
Bug #21003: unexpected warning about ignored block
Bug #21002: Please include license information of turbo_tests
Bug #21001: unexpected nil result from proc with ensure and next
Bug #21010: Endless method definition of []= is SyntaxError in parse.y but
allowed in Prism
Bug #20992: eval(ascii_encoded_code) raises EncodingError when multibyte
local variable exists
Bug #21017: --with-parser=parse.y configure option does not work
Bug #21014: Prism doesn't set node_id on iseqs correctly
Bug #21027: not() receiver should be nil
Bug #20995: exception escapes block given to IO.popen("-") in child process
Bug #21008: Array#sum, Enumerator#sum, Numeric subclass
Bug #21044: Prism maximum recursion depth is 1_000, parse.y is 10_000
Bug #21031: Incompatibility with prism and parse.y when eval'ing unnamed
forwarding variables
Bug #21085: [BUG] Stack consistency error with -ne
Bug #21048: [Prism] rescue in modifier form with condition behaves
differently
Bug #21046: Backport: TLS fix for ARM64
Bug #21012: Compiling a['a','b'],=1 with parse.y fails
Bug #21038: Preserve errno in rb_fiber_scheduler_unblock
Bug #21032: Module#autoload? is slow when $LOAD_PATH contains a relative path
Bug #21092: error building ruby 3.4.1 on cygwin/msys2
Bug #21095: Prefer uname -n over hostname in tests.
Bug #21103: Binding problem with delegate methods
Bug #21088: TCPSocket.new raises Socket::ResolutionError instead of
Errno::ECONNREFUSED for hosts defined in /etc/hosts
Bug #21112: Typo in error message when an incorrect key is used with
WeakKeyMap
Bug #21117: Inconsistent behaviour between "_1" and "it" variables
Bug #21114: Prism hangs up while parsing deeply nested def
Bug #20984: ENV.inspect is not encoding aware
Bug #20982: Inconsistency between Hash#inspect and ENV.inspect in Ruby 3.4
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stephen Cuka [Thu, 29 May 2025 01:31:38 +0000 (19:31 -0600)]
manualpages: Fixbug13858 - Add doc link for Network/Aliases
- Add missing documentation link for 'Network/Aliases'.
Signed-off-by: Stephen Cuka <stephen@firemypi.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:54 +0000 (16:36 +0200)]
vim: Update to version 9.1.1406
- Update from version 9.1.1153 to 9.1.1406
- Update of rootfile
- Changelog is not available. Generally each patch version number update is related to
a commit entry in the git repository. The details for all the commit changes can be
found at https://github.com/vim/vim/commits/master/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 26 May 2025 18:28:00 +0000 (18:28 +0000)]
Core Update 196: Adjust existing IPsec connections using ML-KEM
This causes existing IPsec connections using ML-KEM to always use it in
conjunction with Curve 25519, in line with the changes dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2
implements for newly configured IPsec connections.
Again, we can reasonably assume an IPsec peer supporting ML-KEM also
supports Curve 25519. In case such a peer does not support RFC 9370, and
the IPsec connection was created using our default ciphers, it will fall
back to Curve 448, Curve 25519, or any other traditional algorithm.
This patch will break existing IPsec connections only if they are
exclusively using ML-KEM (which means the IPFire user reconfigured them
manually using the "advanced connection settings" section in the WebUI),
and the IPsec peer is configured in the same manner, and/or is an IPFire
machine not yet updated to Core Update 196. Any other IPFire-to-IPFire
IPsec connection will continue working, potentially falling back to
Curve 448 or 25519 until both peers are updated to Core Update 196,
after which ML-KEM in conjunction with Curve 25519 will be used again.
The second version of this patch modifies IPFire's own configuration
file for IPsec connections, rather than applying these changes directly
to /etc/ipsec.conf, where they would have been overwritten by the next
WebUI change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 26 May 2025 18:27:00 +0000 (18:27 +0000)]
vpnmain.cgi: Use ML-KEM only as a hybrid with Curve 25519
In commit 887778e0888d51eb9942ae310a43f6d2813efad3, the post-quantum
key exchange algorithm ML-KEM was introduced, due to its support being
added in strongSwan 6.0. However, using PQC key exchanges is commonly
recommended only in conjunction with a traditional one, to avoid
encrypted traffic becoming subject to trivial decryption in case a PQC
algorithm proves weak, broken, or backdoored. OpenSSH, for instance,
combines ML-KEM 768 with Curve 25519 (mlkem768x25519-sha256), rather
than using ML-KEM alone.
This patch changes the cipher suites offered for IPsec connections to
always use ML-KEM as a hybrid with Curve 25519. This is possible due to
strongSwan 6.0 having added support for IKE intermediary key exchanges
(RFC 9370); see https://docs.strongswan.org/docs/latest/config/proposals.html#_key_exchange_methods
for additional information.
We can reasonably assume an IPsec peer supporting ML-KEM will also
support Curve 25519, as this has been around for much longer, and is
used quite commonly. Even if this is not the case, or if the IPsec peer
does not implement RFC 9370, any IPsec connection using our default
cipher selection will fall back to Curve 448, Curve 25519, or other,
hence continue working.
IPsec connections already created will need their ciphers to be changed
once during the Core Update routine where this patch will be
incorporated.
Tested-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 23 May 2025 15:23:25 +0000 (15:23 +0000)]
dnsdist: Update to 1.9.10
We released PowerDNS DNSdist 1.9.10 today, fixing several bugs including a security issue tracked as CVE-2025-30193 where a remote, unauthenticated attacker can cause a denial of service via a crafted TCP connection. The issue was reported to us via our public IRC channel so once it was clear that the issue had a security impact we prepared to release a new version as soon as possible.
While we advise upgrading to a fixed version, a work-around is to temporarily restrict the number of queries that DNSdist is willing to accept over a single incoming TCP connection, via the setMaxTCPQueriesPerConnection directive. Setting it to 50 is a safe choice that does not impact performance in our tests.
Adolf Belka [Tue, 27 May 2025 14:25:10 +0000 (16:25 +0200)]
boost: Update to version 1.88.0
- Update from version 1.83.0 to 1.88.0
- Update of rootfiles for all architectures
- Changelogs are very large so urls provided for each release changelog
1.88.0
https://www.boost.org/releases/1.88.0/
1.87.0
https://www.boost.org/releases/1.87.0/
1.86.0
https://www.boost.org/releases/1.86.0/
1.85.0
https://www.boost.org/releases/1.85.0/
1.84.0
https://www.boost.org/releases/1.84.0/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 25 May 2025 11:35:01 +0000 (13:35 +0200)]
index.cgi: Add wireguard status to home screen
- This fix adds a wireguard line to show when it is enabled.
- This fix does not show a table for any net2net connections that are enabled. I have
started working on that but as I only have an OpenVPN n2n connection in place, I can't
test out the copy of the ipsec n2n code section that I have made. I need to get ipsec
and wireguard n2n connections working first.
- If someone else wants to provide a patch for the wireguard n2n connections tables I have
no problems with that. If not then I will submit one when I have been able to test it.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 17 May 2025 12:12:17 +0000 (14:12 +0200)]
manualpages: Fixes bug13849 - adds manual link to wireguard page
Fixes: bug13849 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:53 +0000 (16:36 +0200)]
texinfo: Update to version 7.2
- Update from version 7.1.1 to 7.2
- Update of rootfile
- Changelog
7.2
* Build
. "make install" installs files for texi2any under $datadir/texi2any, not
$datadir/texinfo.
* texinfo.tex
. use @ as the escape character in all index files. this requires
new enough texi2dvi (Texinfo 6.7, 2019) for index files to be
properly processed.
. a bug has been fixed where a mangled PDF outline could be produced for
a document using @unnumberedsec
. you can call @unmacro with an undefined macro name, matching the
behavior of texi2any
* texi2any
. set CHECK_NORMAL_MENU_STRUCTURE by default. this means texi2any
again checks menu structure by default (changed in 6.8 release, 2021).
. only allow @definfoenclose to be used to redefine highlighting commands
. sorting of indices is now independent of the input or output encodings
. new customization variable COLLATION_LANGUAGE to allow linguistic
tailoring of index sorting
. new variable DOCUMENTLANGUAGE_COLLATION to use @documentlanguage for
linguistic tailoring of index sorting
. new variable USE_UNICODE_COLLATION to allow turning off the slower
use of Unicode collation when sorting indices
. rename BODYTEXT customization variable to BODY_ELEMENT_ATTRIBUTES
. rename COMPLEX_FORMAT_IN_TABLE customization variable to
INDENTED_BLOCK_COMMANDS_IN_TABLE
. remove the following variables: AVOID_MENU_REDUNDANCY, FRAMES,
FRAMESET_DOCTYPE, NO_USE_SETFILENAME, SILENT, USE_UP_NODE_FOR_ELEMENT_UP
. remove SIMPLE_MENU variable and tree transformation
. the use of the directories ~/.texinfo and ~/.texi2any for configuration
files is deprecated, and should be replaced by texinfo or texi2any
directories under XDG_CONFIG_HOME (usually ~/.config/). the new
locations are compatible with the XDG Base Directory Specification.
in future versions, the ~/.texinfo and ~/.texi2any directories will
not be in search paths.
. do not try the us-ascii encoding anymore as a locale for translated
document strings.
. some unused translation files have been removed for the
`texinfo_document' domain
. Info output:
. output Info-documentlanguage in Local Variables section of output
file if @documentlanguage is given
. HTML, Texinfo and raw text output:
. an implementation of the conversion in C has been included, which
is much faster than the code in Perl. set the `TEXINFO_XS_CONVERT'
environment variable to 1 to use.
. HTML output:
. CHECK_HTMLXREF set by default for warnings about links to unknown
external manuals
. you can use the MATHJAX_CONFIGURATION customization variable to add
data to the MathJax configuration object
. warn if there is a .inf or .info suffix for cross-reference manual
. use <pre> instead of <div><em> for output of @displaymath
. remove border, cellpadding, cellspacing and align attributes. add
classes and use CSS when needed.
. EPUB output:
. stricter conformance for conformance checkers
* info
. check for init file under XDG_CONFIG_HOME/texinfo/infokey after
checking ~/.infokey, in accordance with the XDG Base Directory
Specification
* Distribution
. automake 1.17, autoconf 2.72, gettext 0.22.5, libtool 2.5.3
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:48 +0000 (16:36 +0200)]
gperf: Update to version 3.3
- Update from version 3.1 to 3.3
- Update of rootfile not required
- Changelog
3.3
* Speedup: gperf is now between 2x and 2.5x faster.
3.2.1
* The generated code avoids -Wundef warnings in C++ mode.
3.2
* The input file may now use Windows line terminators (CR/LF) instead of
Unix line terminators (LF).
Note: This is an incompatible change. If you want to use a keyword that
ends in a CR byte, such as xyz<CR>, write it as "xyz\r".
* The generated code avoids several types of warnings:
- "implicit fallthrough" warnings in 'switch' statements.
- "unused parameter" warnings regarding 'str' or 'len'.
- "missing initializer for field ..." warnings.
- "zero as null pointer constant" warnings.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:47 +0000 (16:36 +0200)]
elfutils: Update to version 0.193
- Update from version 0.192 to 0.193
- Update of rootfile
- Changelog
0.193
debuginfod: Add CORS (webapp access) support to webapi and --cors option.
Add --listen-address option for binding the HTTP listen socket
to a specific IPv4 or IPv6 address.
debuginfod client now caches x-debuginfod-* HTTP headers
alongside downloaded files.
libdw: Add dwarf_language and dwarf_language_lower_bound functions.
Improved support for DWARF6 language metadata as well as DWARF
language constants for Nim, Dylan, Algol68, V and Mojo.
dwarf_srclang is now forward-compatible with DWARF6 language
constants.
libdwfl_stacktrace: Experimental new library interface for unwinding
stack samples into call chains, and tracking and
caching Elf data for multiple processes, building
on libdwfl. Initially supports perf_events stack
sample data.
libelf: elf_scnshndx has been rewritten to be more robust, particularily
for ELF files with more than 64K sections.
readelf: Improved handling of corrupt ELF data.
--section-headers output now includes a "Key to Flags" explaining
section flag meanings.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This package FTBFS on riscv64. A header file with special SIMD functions
has not been shipped with the release tarball. This has been fixed
upstream, but a new tarball has not been released. yet:
Adolf Belka [Fri, 23 May 2025 16:03:44 +0000 (18:03 +0200)]
screen: Update to version 5.0.1
- This v2 version is with the correct tarball, without the binary object files.
- Update from version 5.0.0 to 5.0.1
- Update of rootfile
- 5 CVE fixes included in this version
- Changelog
5.0.1
Security fix
CVE-2025-46805: do NOT send signals with root privileges
CVE-2025-46804: avoid file existence test information leaks
CVE-2025-46803: apply safe PTY default mode of 0620
CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
CVE-2025-23395: reintroduce lf_secreopen() for logfile
buffer overflow due bad strncpy()
uninitialized variables warnings
typos
combining char handling that could lead to a segfault
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
