Michael Tremer [Sat, 20 Sep 2025 14:02:01 +0000 (14:02 +0000)]
arpwatch: Fix the envelope sender
arpwatch invokes sendmail without passing the envelope sender
explicitely. This causes that mails can get rejected if the From: header
does not match the envelope sender.
This patch passes the correct address as the envelope sender.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Increase default to `num-queries-per-thread: 2048`, when unbound is compiled with libevent. It makes saturation of the task queue more resource intensive and less practical. Thanks to Shiming Liu, Network and Information Security Lab, Tsinghua University for the report.
Merge #1276: Auto-configure '-slabs' values.
Change default for so-sndbuf to 1m, to mitigate a cross-layer issue where the UDP socket send buffers are exhausted waiting for ARP/NDP resolution. Thanks to Reflyable for the report.
Adjusted so-sndbuf default to 4m.
Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to track the number of signature validation operations. Adds 'num.valops' to extended statistics.
Fix #1303: [FR] Disable TLSv1.2.
unbound-control cache_lookup <domains> prints the cached rrsets and messages for those.
unbound-control cache_lookup +t allows tld and root names. And subnet cache contents are printed.
Fix #1319: [FR] zone status for Unbound auth-zones.
Bug Fixes
Fix #1272: assertion failure testcode/unitverify.c:202.
Merge #1275: Use macros for the fr_check_changed* functions.
Fix for parallel build of dnstap protoc-c output.
Fix dnstap to use protoc.
Sync unbound and unbound-checkconf log output for unknown modules.
Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ." in 1.23.0, but worked in 1.22.0.
Fix #1283: Unsafe usage of atoi() while parsing the configuration file.
Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on broken auth zones that include unsigned out of zone (above apex) data. Could lead to hang while trying to prove a wildcard answer.
Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug) by adding a log_assert() to safeguard future development.
Fix #1282: log-destaddr fail on long ipv6 addresses.
Fix config of slab values when there is no config file.
Fix for cname chain length with qtype ANY and qname minimisation. Thanks to Jim Greenwood from Nominet for the report.
Merge #1285: RST man pages. It introduces restructuredText man pages to sync the online and source code man page documentation. The templated man pages (*.in) are still part of the repo but generated with docutils from their .rst counterpart. Documentation on how to generate those (mainly for core developers) is in README.man.
Add more checks about respip in unbound-checkconf. Also fixes #310: unbound-checkconf not reporting RPZ configuration error.
Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound program.
Small manpage corrections for the 'disable-dnssec-lame-check' option.
Fix unbound-anchor certificate file read for line ends and end of file.
Fix comment for the dname_remove_label_limit_len function.
iana portlist updated.
Fix bitwise operators in conditional expressions with parentheses.
Fix conditional expressions with parentheses for bitwise and.
Fix header return value description for skip_pkt_rrs and parse_edns_from_query_pkt.
Fix to check control-interface addresses in unbound-checkconf.
Fix #1295: Windows 32-bit binaries download seems to be missing dll dependency.
Fix for consistent use of local zone CNAME alias for configured auth zones. Now it also applies to downstream configured auth zones.
Fix #1296: DNS over QUIC depends on a very outdated version of ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
Fix rrset cache create allocation failure case.
Fix #1293: EDE 6 is attached to insecure cached answers when client sends the CD bit.
Fix #1247: forward-first: ssl handshake failed on root nameservers.
For #1247, turn off fetch-policy for delegation when looking into parent side name servers that may not update the addresses and hit NXNS limits.
For #1247, replay test (added tcp_transport to outnet_serviced_query).
Merge #1299: Fix typos.
Generate ltmain.sh and configure again.
Fix #1300: Is 'sock-queue-timeout' a linux only feature.
For #1300: implement sock-queue-timeout for FreeBSD as well.
Fix layout of comm_point_udp_ancil_callback.
Fix to improve dnstap discovery on Fedora.
Fix detection of SSL_CTX_set_tmp_ecdh function.
For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1.
For #1289: test num.valops in existing stat_values.tdir.
For #1289: add num.valops in the unbound-control man page.
Add unit tests for non-ecs aggregation.
Fix to not set rlimits in the unit tests.
iana portlist updated.
Redis checks for server down and throttles reconnects.
Fix redis cachedb module gettimeofday init failure.
Fix testbound test program to accurately output packets from hex.
Fix #1309: incorrectly reclaimed tcp handler can cause data corruption and segfault.
Fix to use assertions for consistency checks in #1309 reclaimed tcp handlers.
Fix edns subnet, so that the subquery without subnet is stored in global cache if the querier used 0.0.0.0/0 and the name and address do not receive subnet treatment. If the name and address are configured for subnet, it is stored in the subnet cache.
Fix dname_str for printout of long names. Thanks to Jan Komissar for the fix.
Fix that edns-subnet failure to create a subquery errors as servfail, and not formerror.
Fix to whitespace in dname_str.
Fix that unbound-control dump_cache releases the cache locks every so often, so that the server stays responsive.
Fix to remove debug from cache_lookup.
Fix to unlock cache_lookup message for malformed records.
Fix to increase responsiveness of dump_cache.
Fix to decouple file descriptor activity and cache lookups in dump_cache.
Fix cache_lookup subnet printout to wipe zero part of the prefix.
Fix cache_lookup subnet print to not print messages without rrsets and perform in-depth check on node in the addrtree.
Fix to check for extraneous command arguments for unbound-control, when the command takes no arguments but there are arguments present.
Fix #1317: Unbound starts too early. Add Wants=network-online.target under [Unit] in unbound.service.
Fix for #1317: Fix contrib/unbound.service comment path for systemd network configuration.
For #1318: Fix compile warnings for DoH compile on windows.
Fix sha1 enable environment variable in test code on windows.
Fix that the zone acquired timestamp is set after the zonefile is read.
Fix ports workflow to install expat for macos.
Fix unbound-control dump_cache for double unlock of lruhash table.
Fix setup_listen_sslctx warning for nettle compile.
Limit the number of consecutive reads on an HTTP/2 session. Thanks to Gal Bar Nahum for exposing the possibility of infinite reads on the session.
Fix for #1324: Fix to free edns options scratch in ratelimit case.
Fix #1235: Outdated Python2 code in unbound/pythonmod/examples/log.py.
Fix #1324: Memory leak in 'msgparse.c' in 'parse_edns_options_from_query(...)'.
Fix indentation in tcp-mss option parsing.
For #1328: make depend.
Update documentation for using "SET ... EX" in Redis.
Document max buffer sizes for Redis commands.
Update man pages.
Fix #1332: CNAME chains are sometimes not followed when RPZs add a local CNAME rewrite.
Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0.
Small debug output improvement when attaching an EDE.
Fix to print warning for when so-sndbuf setsockopt is not granted.
Too many quotes for the EDE message debug printout."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 8 Sep 2025 12:09:23 +0000 (14:09 +0200)]
cdrom: Install chroot into dracut environment
- dracut-058 had a commit for base to not require chroot inside initramfs
- However the install of an iso requires chroot to be available for some of the actions
such as the creation of the language cache etc.
- Adding the install of the chroot binary into the dracut command in the cdrom package
allowed thye full installation of IPFire to be carried out.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 8 Sep 2025 12:09:22 +0000 (14:09 +0200)]
dracut-ng: Replace dracut with dracut-ng
- dracut was at version 056 and the last version available was 059 from 2022.
- dracut-ng has been created as a fork from dracut with most of the same developers.
- From dracut-ng-100 onwards it was made to be a drop-in compatible replecement to
dracut.
- Update from version 056 to 108
- Update of rootfile. Number order was modified in version 108 bringing more modules
with unimportant ordering to order 70. Selection was done based on the rootfiles
entries used by dracut-056
- Patches no longer needed as the fixes are now part of the provided tarball.
- In update dracut-058 a change was made "do not require chroot inside initramfs" and
this caused the chroot commands when setting up the language cache to not work as the
binary was no longer available within dracut. To fix this a change was made to the
dracut command in the cdrom package so that chroot is available to the installer
package. Suggestion for this fix was provided by Stefan Schantle.
- Tested out this new package in my vm testbed. When combined with the cdrom change
an iso build was able to be successfully installed and a restore done resulting in a
fully working IPFire.
- Changelog
108
Performance
systemd-udevd: 99-systemd.rules added in two places (a8c0a15c)
watchdog: only install wdctl for the non-systemd case (ad0fd3a8)
Features
add Debian/Ubuntu specific Dracut configuration (cba1a2c2)
allow the use of $kernel in initrdname= config (696397dd)
add support for removing a space separated list of files (f8dfe3ee)
make variable set check work with "set -u" (ee8f4f9d)
support dracutsysrootdir being unset (348888b8)
tests are not packaged by default to simplify packaging (e65a87cf)
set hostonly_cmdline config to no by default (efaee447)
set hostonly config by default in configure (62fdf59c)
Makefile: explicitly list configs to install (f7416501)
base: add support for rd.driver.pre (5ca76df3)
crypt-gpg: handle multiple gpg pubkeys (28ad7910)
dracut:
drop DRACUT_PATH and rely on PATH (2606f985)
support SOURCE_DATE_EPOCH (dfcfa6fb)
allow users to choose which dlopen dependencies they want (96a91d04)
replace ldd with dracut-install --dry-run or header check (e8b733f7)
set systemdversion global var using pkg-config (ed80f9f4)
dracut-install:
add --dry-run option to replace external ldd usage (161153f9)
extend new ELF parsing code to replace ldd calls (aac5c914)
parse ELF .note.dlopen entries for extra deps (19b5faad)
initqueue: factor out initqueue into its own module (3daf6783)
network-manager: use upstream initrd services if available (83dffc58)
resume: do not depend on initqueue if systemd is used (34457e07)
rootfs-block-fallback: factor out rootfallback into its own module (2676f1a5)
watchdog: do not depend on initqueue if systemd is used (c8dbd9ec)
Bug Fixes
load essential storage kernel modules in sloppy hostonly mode (87304767)
increase deteminism by not relying on the default sorting from ls (c9f6b867)
network-manager dracut module no longer depends on systemd (8f063e23)
support DRACUT_SYSTEMD being unset (79ffbd28)
support hostonly being unset (c85c9324)
support DRACUT_RESOLVE_LAZY being unset (3d383ba4)
loongarch architecture support (38f44b35)
let check_vol_slaves_all return 1 when checks on all slaves fail (b117013b)
improve hostonly sloppy mode (53537ae7, closes #1321)
load more kernel modules in sloppy hostonly mode (de862885)
Makefile: remove test modules after renumbering (80961ee0)
base:
base module failure if root password is already set (e4551d40)
dracut-lib.sh soft depends on poweroff/reboot/halt (237108c3)
support PREFIX being unset (7bea9dfe)
only create nobody user for nfs dracut module (8934a8e5)
dmsquash-live: erofs collision with latest util-linux (950475e8)
dracut:
only call uname -r if it is safe to do (3f4497ed)
detect if systemd-detect-virt is available before calling it (5d3298ea)
consolidate reporting running in a container (000f5dbf)
ensure hardlink deduplication is reproducible (9fdf683f)
respect PKG_CONFIG env var instead of hardcoding pkg-config (0ee92dbb)
dracut-init: use sysroot when checking udev rule program existence (c1000cda)
dracut-init.sh:
support DRACUT_NO_XATTR being unset (d520252a)
initialize _files in inst_libdir_file (2311abeb)
dracut-initramfs-restore: check for Debian initrd.img symlink (f80128e9)
dracut-install:
sort output of --modalias (41e43068)
install all suppliers of a supplier's module (80574db7)
do not limit supplier handling to platform bus (e35c5173)
add sysfs node parents' modules as dependencies (3607cd8f)
rework broken destination existence logic (425e263b)
plug memory leak on kerneldir (082b6b0a)
deadcode.DeadStores static analyzer warnings (28041543)
dracut-lib.sh: initialize variables in getargs (ef60bd71)
dracut-logger.sh: initialize errmsg in dlog_init (f35a8c7f)
dracut.conf.d: reserve namespace 50 to out-of-tree configurations (d470b436)
dracut.sh:
do not use uname to detect kernel version in a container (2b2debd7)
initialize variables that get exported (50426818)
don't pass empty string as dir (758f3eaf, closes #1275)
fcoe-uefi: exit early on empty vlan (555b6e1d)
fips: make sha512hmac an optional requirement (3d319b55)
generic.conf: increase ordering for generic.conf (d823fd86)
i18n: add $dracutsysrootdir to systemd-vconsole-setup.service path (90956522)
livenet: drop stray command call (9135136d, closes #1240)
lsinitrd: resolve initrd to real path (22d93bc0)
man: document what to expect running dracut non-root (b853eba8)
modules:
free up range 00-09 to out of tree dracut modules (1edcb076)
document known module dependencies (2d98ddb5)
move more modules with unimportant ordering to 70 (c439438d)
all modules with 99 ordering should have a unique number (2199846f)
network-manager: depend on dbus only when using systemd (58baf861)
simpledrm: add =drivers/gpu/drm/panel (b7a2f8d0)
systemd:
systemd.volatile needs overlayfs kernel module (e1452003)
make checking for systemd availability consistent (8e575556)
systemd-cryptsetup: don't pull in fido2/pkcs11/tpm2-tss if omitted (01b369a5)
systemd-repart:
allow partition format (02201361)
copy systemd system drop-in configuration (bb8bf124)
systemd-sysext:
install the required kernel modules (7f524d3d)
make non-hostonly non-host (e42755c3)
systemd-sysusers:
maintain users and groups (50285645)
remove (g)shadow created by systemd-sysusers (97b5f91f, closes #1242)
systemd-udevd: handle root=gpt-auto for systemd-v258 (fa17b6fb)
test: renumber test modules to 70 (99ed458b)
107
Bug Fixes
improve hostonly sloppy mode (8519dcdb)
don't use command -v to find binaries in the sysroot (c0d3b120)
add $dracutsysrootdir to paths where it should be present (a3fea596)
90kernel-modules: explicitly include xhci-pci-renesas (20cc20d2)
base:
tighten /dev/pts permissions (5ec66e97)
only set ID to dracut if systemd is not used (82487fc8)
crypt: always install s390 crypto modules (dea50f64)
dracut:
kernel module name normalization in drivers lists (8674d84f)
protect existing output file against build errors (39a765de)
avoid mktemp collisions with find filter (9b822c31)
dracut-init:
do not detect virt environment in non-hostonly mode (b2c72e10)
assign real path to srcmods (bb6d0c11)
dracut-install: install compressed blobs that match wildcard fwpath (57911e76)
dracut-lib: support "set -e" in setdebug (89da4257)
hwdb: enable hwdb dracut module when hostonly is sloppy (5ff7dab0)
iscsi:
make sure services are shut down when switching root (fcde3355)
don't require network setup for qedi (3d5bab81)
man: --include can be specified multiple times (18375a5c)
mdraid: do not call mdadm with full path (b0c37531)
multipath:
disable user_friendly_names with mpathconf (1d7464cf)
skip default multipath.conf with mpathconf (c43b7905)
nfs:
add possible statd user and group (7eaa8536)
use DRACUT_CP instead of cp (2f5a759f)
libnfsidmap plugins not added in some distributions (6b30662e)
release: tagging and release generation is no longer automated (5c2864dc)
rngd:
adjust license to match the license of the whole project (da099c30)
do not check for +x perms (04841c42)
squash-erofs: adjust configuration in order to match SquashFS (e2f19b65)
systemd-sysusers:
make sure tss user for tpm2 is created (c6d38cb4)
silence "Creating " on stderr (cb8fb964)
always silence stdout (62c75393)
systemd-veritysetup: install dm-verity kernel module (f3fffa1e)
Features
strip out unused/unlikely AMDGPU firmware (c06f2481)
add simpledrm module (as subset of drm module) (2ae73d63)
UKI: use ukify when available to generate UKI (acfddd69)
btrfs: also install btrfstune (ddbeed81)
systemd: add new systemd-validatefs@.service (1b5669c1)
systemd-integritysetup: add remote-integritysetup.target (4402aeb2)
Performance
base: move the chmod dependency from base to systemd (ddc1f54d)
106
Bug Fixes
check if xx-lib.sh is needed before executing (8b71a80e)
check if dracut-lib.sh is needed before executing (8f249c2b)
add bash dependency when bash scripts are used in the module (3a04a139)
initqueue -> /sbin/initqueue (6f9b5a52)
set initrd-release in the base module (41f9e8f9)
remove extra bracket (512215c7)
01fips-crypto-policies: use /bin in shebang (f7ca0f3e)
35network-manager:
install nftables kernel modules needed (fca71490)
install nft binary during module installation (a6264d17)
ENC-RAID-LVM: correct test name and remove obsolete step (90f46fcb)
Makefile:
remove irrelevant testcases (5b58bbea)
path for make clean (a81782ce)
base:
fallback when shell-interpreter is not included (7f13ea21)
remove fallback for shell selection (e139edb8)
crypt: crypt-lib.sh optionally depends on stty (4532fb0f)
dm: remove 59-persistent-storage-dm.rules (d2ade8a6)
dmsquash-live-root.sh: support images with non-existing /proc (e37c67f6)
docs: correct spelling mistake of recommended (4e03ac7c)
dracut: rework timeout for devices added via --mount and --add-device (c79fc8fd)
dracut-functions.sh:
check_kernel_module go one dir further up (16abd45f)
check for modules in --kmoddir, not in --sysroot (b90eda4b)
dracut-init: add compatibility with Debian/Ubuntu for libdirs detection (8809b246)
dracut-lib: initialize getcmdline/getarg local variables (fc18d0b3)
dracut-systemd:
check SYSTEMD_SULOGIN_FORCE before allowing passwordless (27024d67)
check systemd-cryptsetup before including (484a8a23)
unquote variable in udev conf (3b753bf7)
dracut.sh:
do not add cmdline for force_drivers if --kernel-only (95fe9048)
ensure abs path for objcopy args (1579bb0c)
fips-crypto-policies: improve check for module inclusion (1ef60f9f)
i18n: make /etc/vconsole.conf optional (1246c4a1)
img-lib: trim required binaries (755c5c52)
iscsi:
attempt iSCSI login before all interfaces are up (f30cf46e)
don't require network setup for bnx2i (cc2c48a0)
do not install services when not using systemd (87fefd3c)
remove duplicate inst_multiple calls for iscsiadm and iscsid (73cdd31c)
include /usr/lib/open-iscsi/startup-checks.sh if needed (7fe7fa94)
kernel-network-modules: if running inside vm, include qemu-net (2ecdda2d)
lsinitrd: improve KERNEL_VERSION detection (37ce14fb)
lvmthinpool-monitor: make sure systemd is included (359e1e9a)
nfs:
do not set DRACUT_RESOLVE_LAZY for musl (9060fe6b)
use the same directory set ownership and permissions as the host (6c3b8b2f)
pcsc: add libpcsclite_real.so.* (bfa00c2a)
plymouth:
change severity of shutdown log messages (62c79128)
silence warnings (85bb1bc6)
do not depend on dpkg-architecture (1b374931)
qemu-net: align check logic between qemu modules (bb7425b8)
rngd: do not include the module if we can not start the service (3c727b60)
shell-interpreter: move later in the module ordering (8f247f2f)
systemd:
systemd dlopens libbpf (659c2681)
include dmi-sysfs (817dd612)
systemd-ask-password: do not half-install systemd-ask-password-wall (d8d11852)
systemd-networkd: depend on net-lib (80e9d891)
systemd-pcrphase: include systemd-pcrphase in hostonly mode (ea6a47ed)
systemd-sysext: install new initrd-specific units (68a09b43)
systemd-sysuser: add support for Gentoo (1c5f45a2)
systemd-sysusers: systemd.conf no longer exists (8f30a001)
systemd-tmpfiles:
passwd and group file management (4e520c88)
copy 20-systemd-stub.conf into the initrd (0df92885)
test: running tests on bare metal fail with syntax error (e26a4ab9)
test-root: dracut-getarg and dracut-lib are no longer used for test-root (97e502c4)
Performance
base: /etc/initrd-release is only for systemd (5bf724fa)
hwdb: only include when another module requires it in hostonly (7766da60)
systemd: remove crypto API kernel modules (fa45d844)
Features
default config profile (8c15bb61)
systemd-battery-check dracut module (7cf47b26)
create a documentation site (77e0571c)
Makefile:
roll cleaninstall target into the install target (9825dd7b)
cleaninstall target (dc40daa8)
base: create /proc if it does not exists (ff370f55)
configure:
allow dracut-cpio to be disabled (4a4ab928)
let's build dracut-cpio if cargo is installed (89a86dcb)
crypt: remove empty /etc/crypttab to allow creating it later (23ef35d3)
dmsquash-live: add support for rd.live.overlay.nouserconfirmprompt (6ac1033c)
dracut-init.sh: give --force-add precedence over --omit (a0d92d39)
dracut-systemd: install dracut-* into /usr/bin (00902e25)
dracut.install: force hostonly for kernel-install plugin (17706f9a)
fips: include openssl's fips.so and openssl.cnf (97c5d43c)
livenet: get live image size from TFTP servers (93df9ad2)
lsinitrd.sh: look for initrd in /usr/lib/modules/ (f01eec69)
nvmf: enable other shells (dash) not just bash (43707cab)
systemd-battery-check: always include the module if possible (961daa9d)
systemd-emergency: install rescue and emergency targets (be7e87fb)
systemd-sysusers: run systemd-sysusers as part of the build process (f3dacc01)
105
Resolve a regression in release v104 that impacts generated initrds when both systemd and i18n dracut modules are included.
Bug Fixes
dmsquash-live: checkisomd5 is installed into /usr/bin (39887041)
man:
use US English spelling for initialization (c12a018e)
correct spelling of initramfs (b5ada6cc)
systemd: remove typo from the dracut module name (7d998705)
systemd-cryptsetup: change the ordering for consistency (43581cd0)
udev-rules: move relevant rules from systemd (1ef30c83)
104
New dracut modules:
shell-interpreter: meta package for improved shell selection
fips-crypto-policies: make c-p follow FIPS mode automatically
squash-lib: code shared by 95squash-{squashfs,erofs}
Removed dracut modules:
ifcfg: no longer needed for networking
mksh: lack of interest to maintain
Notable new features:
add --add-confdir option to dracut
new dracut configuration profiles under dracut.conf.d/ (e.g. for uki)
systemd-udevd: make systemd-sysctl, systemd-modules-load optional
Notable bug fixes:
crypt: include systemd-cryptsetup module when needed
udev-rules: move installation of libkmod to udev-rules module
busybox: install busybox symlinks later in the generation process
nvmf: install (only) required nvmf modules
systemd: include systemd config files from /usr/lib/systemd
systemd: trigger systemd-vconsole-setup.service only on demand
multipath: include module with "find_multipaths strict"
nfs: include also entries from /usr/lib/{passwd,group}
network: handle '-m network'
systemd-networkd: remove basename dependency
remove obsolete syntax for many command line options without the rd. prefix
Features
config example for cloud provider uki vm (cc0a0e42)
add common config when networking is not desired (9ffabd59)
busybox: use busybox --install to install itself (3975e26a)
dracut: detect kernel initrd support (b41c2401)
dracut-functions: check more paths (ede2a05a)
dracut-init.sh: allow changing the destination directory for inst et al (3ad7e6c2)
dracut-initramfs-restore: unpack erofs images (ce83d38d)
dracut.sh: add --add-confdir option (6107f5e5)
fips: add support for UKIs (1000265a)
fips-crypto-policies: make c-p follow FIPS mode automatically (bd3c1e1c)
lsinitrd: add support for erofs images (2a3bc5af)
pcmcia: only include when another module requires it (ea4199b3)
rescue: move command line arguments to 50-rescue.conf (d24917fa)
shell-interpreter: meta package for improved shell selection (e1fcfe64)
squash:
add module 95squash-erofs (ebc9e84d)
split 95squash-squashfs from 99squash (5d03cc3b)
move mksquashfs to 99squash/modules-setup (b5482f07)
systemd: always install libsystemd libraries (921792f2)
systemd: include systemd config files from /usr/lib/systemd (6c99c073)
test-root: only include debug module if V is set to 2 (8974fea2)
Bug Fixes
install test infrastructure (a0d12aa7)
typo in variable name (76b2f1a9)
Dockerfile-Gentoo: explicitly pull in all build dependencies (2f8ea1c9)
Makefile: install dracut config examples under /usr (0d369e3e)
base:
init from base is not needed when systemd is enabled (ae94b24f)
remove the undocumented real_init, realinitpath and rd.distroinit (b1dbe859)
busybox:
install busybox symlinks later in the generation process (4e78a870)
install busybox symlinks manually (95ba0327)
crypt:
include systemd-cryptsetup module when needed (8907ba12)
install dm_crypt module in non-hostonly mode as well (59af2fff)
dracut:
--list-modules should imply --no-kernel as well (bd7736e9)
don't apply aggressive strip to kernel modules (a1c51af1)
do not add all lib subdirs to LD_LIBRARY_PATH with --sysroot (d0c82322)
ldd output borked with --sysroot (e0b87682)
re-enable extended attributes in containers (c964a56f)
dracut-fuctions.sh: avoid reading the wrong kconfig (d8fb0ef8)
dracut-functions: allow for \ in get_maj_min file path (91b1574c)
dracut-functions.sh: only return block devices from get_persistent_dev (6611c6e4)
dracut-init.sh: add module to mods_to_load before checking dependencies (d0f8fde5)
dracut-install:
use correct data type for pid (36dc45ca)
handle correctly sysrootdir with trailing '/' (1c44cd71)
do not assume handled path starts with sysrootdir (7bc1f538)
resolve -Wextra warnings (8de0258d)
refuse empty DRACUT_LDD environment variable (a9e11447)
dracut-systemd: include systemd-cryptsetup module when needed (e0e5424a)
dracut.sh:
exit when installing the squash loader fails (abac41d0)
use only compressor that kernel supports (cc17951e)
account for the kernel being named kernel (c520f3a4)
fips-crypto-policies: make it depend on fips dracut module (a2096daf)
hwdb: only install /etc/udev/udev.hwdb in hostonly mode (f2b1491f)
lsinitrd: check skipcpio file directly (2815f021)
lvm: clean up whitespace in messages (5e9cb283)
man: update description of the --gzip option (206b5448)
multipath: include module with "find_multipaths strict" (1e802f15)
network:
call both check_module and module_check (c81c9552)
handle '-m network' (c4b57722)
nfs: include also entries from /usr/lib/{passwd,group} (d954e3a9)
nvmf:
install (only) required nvmf modules (3748ed4d)
require NVMeoF modules (41332702)
release: improve commit message (267d002c)
rescue: make rescue always no-hostonly (224c0091)
rngd: install system service file (a9528201)
squash:
remove cyclic dependency (5f6b6fa4)
use 99busybox instead of installing it manually (69ebcb58)
explicitly create required directories (d23b0eea)
squash-erofs: properly exclude $squashdir (323af181)
squash-lib: harden against empty $initdir (924e2e85)
systemd:
do not set unused target as the default (982735c7)
/sbin/init is not required inside initrd (a066b07f)
systemd-vconsole-setup has a dependency on loadkeys (55517460)
remove duplicate systemd cryptsetup targets (ad520855)
make nologin optional (953b48a7)
move installation of libkmod to udev-rules module (ef0972fe)
systemd-cryptsetup: install cryptsetup-pre.target (181e1f11)
systemd-initrd: add base as dependency (56c84cde)
systemd-networkd:
remove basename dependency (2bb74448)
make sure default network is always last (e1dfdaca, closes #618)
systemd-sysctl: systemd-modules-load is not a dependency (4fb67460)
systemd-udevd: make systemd-sysctl, systemd-modules-load optional (1de08390)
test: always install kernel modules (9c79e226)
udev-rules:
remove systemd-specific rules (6243b7b6)
move *-persistent-storage.rules to rootfs-block (d67251aa)
install dropins for udev.conf (bdaa4e5b)
watchdog: change the priority of watchdog kernel modules (0097ded1)
Performance
systemd-initrd:
do not depend on base module (06074459)
initrd.target is already the default (b7b4f039)
103
New dracut modules introduced by this release:
hwdb: separate out hwdb module
Notable new features:
erofs support for dmsquash-live module
install platform/chrome modules on ARM/RISC-V
force the inclusion of crypttab entries with x-initrd.attach
configuration files for common packaging options (50-hostonly.conf.example)
Commits that resolve notable regressions:
perf(dracut-install): memoize find_kmod_module_from_sysfs_node
perf(dracut-install): use driver/module sysfs dirs for module name
fix(crypt): decryption when rd.luks.name is set
fix(systemd-pcrphase): make tpm2-tss an optional dependency
Features
add common config for Integrity Measurement (5d9fe8c5)
add additional common configs (69e119da)
crypt: force the inclusion of crypttab entries with x-initrd.attach (61ab3386)
debug: add findmnt to help debugging (41d61114)
dmdquash-live: add support for using erofs (ca5ae5d3)
dracut: search for zstd compressor first (9663307c)
dracut-install:
configure if weak dep is still not supported in kmod (77c3efa6)
add weak dependencies support (8517a6be)
add hashmap_get_exists() (2b13d74d)
hwdb: separate out hwdb module (3c5d5e39)
kernel-modules: install platform/chrome modules on ARM/RISC-V (e69e4132)
lsinitrd.sh: support configurable initrd filenames (7c11c8cf)
multipath: warn if included with no multipath devices and no user conf (ae1b1003)
qemu: include the virtio_crypto kernel module (0fe20f85)
test:
add erofs-utils to the containers (e11bc8bf)
support V=2 without logtee (3f005c8a)
Bug Fixes
check for searched initrds to be present (9c396ce2)
rename dracut.conf.d .conf files to conf.example (ddc9e4e9)
disable SC2317 for calls by for_each_host_dev_and_slaves (23c9d85a)
quote single CTTY parameter (61d93421)
address shellcheck SC2166 (d3802b10)
move shellcheck SC3045 override to occurrences (e1728ee9)
01fips: replace read -d that is not supported by dash (15b94c44)
90kernel-modules: install blk modules using symbol blk_alloc_disk (194ef8eb)
Dockerfile-Gentoo: add requirements for systemd-pcrphase (f7e19b3a)
TEST-35-ISCSI-MULTI: increrase storage space (9f183a98)
TEST-40-NBD:
disable broken tests (eb32b30b)
return actual test run result from test_run() (cfe3ce3c)
enable serial console for test runs (1993786f)
don't double-pass test dir to marker check (5928c938)
TEST-NFS: use --add instead of --modules to create test-makeroot (0a94eab6)
convertfs:
drop unused find_mount function (04628fc4)
disable SC2317 for EXIT trap function (6668694d)
quote single CP_HARDLINK variable (00ba4dae)
crypt: decryption when rd.luks.name is set (015a0fa6)
dbus: drop unreachable return statement (c3764b92)
dbus-daemon: actually enable the dbus service and socket (71f2ff50)
dmsquash-live:
make sure erofs module is installed (e52cf3c1)
quote variables (5391fa2e)
dmsquash-live-autooverlay: quote variables (24ab9e66)
dracut:
microcode loading named .initramfs (cd3f04ab)
address shellcheck SC2004 (79e372de)
quote strip_cmd variable (538689bc)
dracut-catimages.sh: drop unused dwarning function (34bf2fe4)
dracut-functions: avoid awk in get_maj_min() (ec7efd57)
dracut-init: change lookup order for rules files (46932e33)
dracut-init.sh:
clarify the error message (f83d8f90)
quote dracutbasedir variable (5969b230)
dracut-initramfs-restore.sh: correct initrd globbing (cc5e8d6f)
dracut-install: copy xattr when use clone ioctl (3e1d0bc1)
dracut-lib:
quote _ctty variable (22910365)
quote var variable (7a277629)
quote _b variable (e4ec0d33)
dracut-logger.sh:
disable SC2317 for logger functions (c77365ce)
quote _dlogfd variable (89eddc42)
dracut.sh: drop unused read_arg function (a9ea0175)
fips: remove reference to kernel module zlib in fips module (22f451d5)
iscsi: address shellcheck SC2319 (54676c83)
lsinitrd.sh: disable SC2317 for cat functions (f62049b2)
lunmask: quote LUN variable (d20be112)
lvmthinpool-monitor: adress shellcheck SC2319 (199f4108)
man: clarify semantics for --kernel-cmdline (aba502f3)
mdraid: try to assemble the missing raid device (3fd43858)
multipath:
omit module if included with no multipath devices (377d52cb)
omit module if included with no multipath devices (4957ffa9)
net-lib: require and install only the necessary binaries (29609268)
network: deprioritize connman for network selection (dec4978f)
network-legacy: quote bridgename variable (bc166ece)
nfs:
support rpcbind user named _rpc (4a236f01)
quote rpcpipefspath variable (58a46715)
release: version lock clog (58d4d7d6)
rt: use singular argument for timeout value (e2e6579a)
shell-completion: remove hashbang from bash completions (c50e742c)
syslog: quote conf variable (28e1b17b)
systemd: check for systemd-vconsole-setup.service (5a3ad259)
systemd-hostnamed:
also enable socket units (133978d9)
add missing systemd-hostnamed.socket (f25bb1e2)
systemd-networkd:
remove default network if others were generated (02a1ea4b)
add support for proper netroot invocation (0e1e7871)
this module depends on systemd (1aa2e4ff)
systemd-pcrphase:
make tpm2-tss an optional dependency (a2193b71)
in hostonly mode do not try to include systemd-pcrphase (96d153fe)
test:
run test 14 with systemd again (43fa0c4e)
reenable extended tests for Arch (130f4dfc)
tests needs more storage space (96aa5073)
use --add instead of --modules to create test-makeroot (51d06540)
use -cpu max by default (44f5359f)
test-root: quote _terminfodir variable (db4ea5f3)
udev-rules: install all rules even if systemd is not installed (df8bf213)
zipl:
quote zipl_env variable (39b1ffa2)
quote ID_FS_TYPE variable (34da5799)
znet: quote initdir variable (79dbd435)
Performance
dracut-install:
use driver/module sysfs dirs for module name (d71bec4a)
memoize find_kmod_module_from_sysfs_node (6500e954)
preload kmod resources for quicker module lookup (5a3f3773)
102
This release includes fixes for compatibility with the latest Linux kernel (v6.9), Linux firmware, and systemd (v256).
New dracut modules introduced by this release:
pcmcia: factor out pcmcia support into its own module
systemd-bsod: display a blue screen which contains a message relating to a boot failure
numlock: module to turn Num Lock on
systemd-cryptsetup: factor out systemd-cryptsetup support into its own module
dracut modules removed by this release:
dasd_rules: remove dasd handling consolidated in s390-tools
qeth_rules: remove qeth handling consolidated in 95znet
zfcp_rules: remove zfcp handling consolidated in s390-tools
crypt: move more rules to systemd-cryptsetup (6325af42)
dracut-init.sh: stop parsing args in dracut_instmods if --silent is found (16863113)
dracut-systemd: check for systemd binary (51d0257b)
drm: group dracut_instmods calls (80f2caf4)
systemd:
remove duplicate rules (d6ba849b)
remove duplicate rules (45a65df3)
remove duplicate rules (db20908c)
remove duplicate rules (fb75d4a8)
remove duplicate rules (6c5520df)
systemd-udevd: remove duplicate rules (28846382)
Bug Fixes
/etc/modprobe.d --> /run/modprobe.d (424717af)
crypt-gpg-lib.sh (1ca38f04)
module-setup.sh missing stty (1af35319)
network-manager should include kernel-network-modules (cabd38d8)
clean Makefile rule (b89a0fb2)
01systemd-ldconfig: install ldconfig.real (125bb0a8)
35-network-manager: let the kernel generate a UUID for /etc/machine-id (1e2b5c30)
90kernel-modules: add psmouse for some Fujitsu laptops (343ce3bb)
Dockerfile-Gentoo:
resolve glibc/libxcrypt conflict (b6b8cf3e)
pull in virtual/pkgconfig (4d5e9079)
add --deep, --autounmask-continue, and depclean (b182af73)
base:
add support for rd.udev.log_level (a471ca60)
install /etc/udev/udev.conf in hostonly mode only (2ab9ecce)
log the full udev database in rdsosreport (3fc15986)
configure: resolve regression for crosscompiling (25dabef1)
cpio: eliminate compile time warning (18788930)
crypt:
unlock encrypted devices by default during boot (2339acfa)
add systemd-ask-password dependency if systemd is used (caafea4e)
dmsquash-live:
do not check ISO md5 if image filesystem (c6906fea)
use load_fstype to load driver for filesystems (541ae946)
update documentation (d2d41a36)
dracut:
microcode loading (16573680)
bsdcpio compatibility (572afed1)
add support for RISC-V EFI (136a9a10)
move hooks directory from /usr/lib to /var/lib (a45048b8, closes #2588)
dracut-fuctions.sh: correct wrong regex pattern for LVM dm devices (4c2f756f)
dracut-init.sh:
force to perform the actual action (ffeb32b2)
handle decompress with --sysroot (91cdd57f)
dracut-install:
release memory allocated for regular expressions (d93bac05)
continue parsing if ldd prints "cannot be preloaded" (ace9e1b5)
dracut-lib: only remove initqueue/finished scripts, not the hook dir (e8257deb, closes #2620)
dracut-systemd:
include systemd-ask-password module (0bfe0867)
replace rd.udev.log-priority with rd.udev.log_level (c1275d87)
dracut.sh:
include efi mountpoint for hostonly (4a6a4ac6)
don't unset LD_PRELOAD (1eff6933)
do not add device if find_block_device fails (0f6c46aa)
make uki's reproducible (aabb5a41)
omit compressed kernel modules from find searching exec files (ad36b61e)
fips: remove /dev/{random,urandom} pre-creation (5beda2ea)
github: add the recently introduced modules to the labeler (5957f5c5)
i18n: handle keymap includes with --sysroot (5b714d25)
install.d:
prevent failure when kernel-install command is not add (6fec7d39)
correctly install pre-genned image and die if no args (8388ad14)
simplify and use what kernel-install gives us (d4015538)
iscsi: do not add host's runtime iscsi configure files in initrd (292e79e8)
man: further clarify live-image overlay types & RAM usage (5fa405dd)
memstrack: move the console warning to be a comment (ee1c37e3)
multipath: explicitly check if hostonly_cmdline is yes (c262ec6d)
numlock:
use the same shebang as other dracut modules (67987959)
use the same shebang as other dracut modules (efa02688)
nvmf: move /etc/nvme/host{nqn,id} requirement to hostonly (54cd6479)
release: dracut --> dracut-ng for NEWS.md (6fb8fc8b)
systemd: explicitly install some libs that will not be statically included (04b362d7, closes #2642)
systemd-ask-password:
no graphical output in aarch64 (4cc962aa)
resolve regression (25c5cfa2)
systemd-cryptsetup: add potentially needed modules to generic initrd (9179ade8)
systemd-initrd:
systemd based initrd needs journald and tmpfiles (860b35c3)
only included if another module depends on it (6d3e69ac)
add systemd-udevd dependency (8910f8bb)
systemd-journald: add systemd dependency (06e4a854)
systemd-networkd:
drop networkctl as it has a dependency on dbus (7a1519bf)
dbus is not a mandatory dependency (6f764a1d)
systemd-sysext: handle confexts and correct extensions search path (30da2173)
systemd-udevd: add systemd-sysctl dependency (2c866733)
test:
add support for thin volumes in the Gentoo container (6fc87f5c)
fixup Gentoo CI (8bcd077d)
remove ib700wdt kernel module from tests (2526a92e)
do not omit dracut modules for initramfs.testing (5cb42481)
fixup Gentoo CI (3b9054a4)
znet: append to udev rules so each rd.znet_ifname is effective (22f51730)
Features
90dm: close crypt devices using cryptsetup (fba8622f, closes #204)
90systemd-cryptsetup: socket key files (80480a73)
dasd: minimize dasd handling consolidated in s390-tools (36e1f884)
dasd_mod: minimize dasd handling consolidated in s390-tools (2397c479)
dasd_rules: remove dasd handling consolidated in s390-tools (72c945ca)
dracut.sh: make initramfs-${kernel}.img filename configurable (28820e20)
ifcfg: minimize s390-specific network configuration aspects (457e66e6)
lsinitrd.sh:
print stored dracut cmdline (d10455ad)
enable unpacking files from squash-root.img (9b12ef98)
numlock: add module to turn Num Lock on (60b44261)
pcmcia: factor out pcmcia support into its own module (4b21d5f7)
qeth_rules: remove qeth handling consolidated in 95znet (198a86c2)
systemd-bsod: dracut module for systemd-bsod (d7ab919e)
systemd-cryptsetup: new module for systemd-cryptsetup (649e37bc)
systemd-pcrphase: include systemd-pcrphase if dependencies are met (c5cbdaf3)
tpm2-tss: add tpm2.target and systemd-tpm2-generator (edd870ed)
zfcp: minimize zfcp handling consolidated in s390-tools (7745a81a)
zfcp_rules: remove zfcp handling consolidated in s390-tools (b5a35f9d)
znet: use zdev for consolidated device configuration (658a21ac)
101
Release 101 resolves a regression introduced by release 100 - #130 .
Bug Fixes
dracut.sh: revert: "do not add device if find_block_device returns" (0885d6b2)
dmsquash-live: update documentation (d2d41a36)
dracut-install: continue parsing if ldd prints "cannot be preloaded" (ace9e1b5)
dracut-systemd: replace rd.udev.log-priority with rd.udev.log_level (c1275d87)
dracut.sh: omit compressed kernel modules from find searching exec files (ad36b61e)
improve Gentoo container (76963537)
100
Release 100 of dracut-ng serves as a drop-in replacement for the original\
dracut project.
This release marks a significant milestone in our commitment to providing an
alternative, community-driven solution for creating an initramfs image.
The original dracut project is no longer actively maintained (its last tagged
release dates back to 2022).
Forking allows the community to take ownership of the project and address
maintenance issues independently.
This release includes fixes for compatibility with the latest Linux kernel
(v6.8), Linux firmware, and systemd (v255).
A new dracut module named net-lib has been added to enhance networking support.
Support for new Linux kernel modules have been added to support new devices,
including the Surface Laptop 4 and MacBook Pro.
Bug Fixes
wait 12 hours before halt on media check fail (faa3db78)
do not use modprobe --all (5850486f)
45ifcfg: mark as deprecated and strictly opt-in (79e1def5)
90kernel-modules:
add surface_aggregator_registry for Surface Laptop 4 (8cc89664)
add intel_lpss_pci for MacBook Pro 2017 (f0526fde)
90multipath: drop unneeded dependencies from configure service (9ac195c1)
Makefile: release is now just made out of a git sha (71109aed)
TEST-62-SKIPCPIO: test always skipped due to buggy test_check (5b5d395a)
base: correct handling of quiet in loginit (49b9c219)
caps: return 1 if binary requirements are not met (243be951)
check_live_ram: increase /run tmpfs size, if needed (e12ad733)
configure: misleading error if C compiler is not installed (4980bad3)
dmsquash-live:
use the overlay size with thin provisioning (2e025eb2)
handle relative pathspec (0c6d257f)
dracut: correct regression with multiple rd.break= options (3d727a7d)
dracut-init.sh: do not print by default if a modules is not installed (d73cc24e)
dracut-initramfs-restore.sh: do not set selinux labels if disabled (4d594210)
dracut-install: file created without restricting permissions (3439d139)
dracut-lib: use poweroff instead of halt (0ca14da6)
dracut-systemd: use DRACUT_VERSION instead of VERSION (a2c64222)
dracut-util: do not call strcmp if the value argument is NULL (b5fb6e04)
dracut.sh:
recognize kernel file in /boot named vmlinux too (f2dfc257)
do not add device if find_block_device returns an error (18abcc53, closes #2592)
skip README for AMD microcode generation (9df35524, closes #2541)
github: update format of labeler (de8ac630)
i18n:
silence spurious setfont stderr warning (27f31c03)
handle symlinked keymap (1f73bc8b)
install: handle new -Walloc-size for GCC 14 (23b9ec22)
livenet:
split imgsize calculation to avoid misleading error message (4649b4c6)
check also content-length from live image header (6289d5f4)
propagate error code (61a00cf8)
man: rd.break parameter can be specified multiple times (5a99e671)
net-lib: add a new dracut module called net-lib (5e1fec16)
overlayfs:
to allow overlay on top of network device (nfs) (bedde0f1)
allow hostonly (929e3160)
split overlayfs mount in two steps (bddffeda)
pcsc:
add --disable-polkit to pcscd.service (2689123c)
add opensc load module file (882e9335)
pkcs11: delete trailing dot on libcryptsetup-token-systemd-pkcs11.so (1c762c0d)
plymouth: return 1 if binary requirements are not met (edb14009)
release:
maintain dracut.html in the source tree (7b05aa8b)
dracutdevs/dracut --> dracut-ng/dracut-ng (8906474b)
resume:
include in hostonly mode if resume= on cmdline (d2ff89e2)
add new systemd-hibernate-resume.service (b73b5e0f, closes #2513)
rootfs-block: remove support for [no]readonlyroot and fastboot (469935fc)
systemd-255: handle systemd-pcr{phase -> extend} rename (b63e90ab)
systemd-journald: add systemd-sysusers dependency (4971f443)
systemd-repart: correct undefined $libdir (1586af09)
test: running tests no longer requires to be root (3dad8237)
udev-rules: remove legacy persistent network device name rule (898ce135)
zfcp_rules: correct shellcheck regression when parsing ccw args (5d2bda46)
Features
dracut.sh: protect push_host_devs function (7b54d2fb)
kernel-modules:
Install SPMI modules on ARM/RISC-V (9491c285)
add Qualcomm IPC router to enable USB (dd9a4bc1)
network: include 98-default-mac-none.link if it exists (b7f09500)
060
Performance
dracut-install:
don't strdup() environment block (efd4ca27)
don't reallocate {src,dst}path in hmac_install() (77226cb4)
don't strdup() excessively for dracut_install() (a20556f0)
stat() w/unused buf -> access(F_OK) in dracut-install (e7ed8337)
multiple single-character strstr()s -> strpbrk() (751a110f)
Bug Fixes
codespell (ddf63231)
make iso-scan trigger udev events (7b530f26, closes #2183)
shellcheck 0.8.0 (88fe9205)
shellcheck 0.8.0 (08b63a25)
99base: adjust to allow mksh as initrd shell (a0d14d3b)
Makefile:
remove leftover rpm build rules (f5cc202e)
no longer upload to kernel.org (ffc766d2)
execute command -v instead of which (4235c035)
base: do not quote $CLINE in the set command (8b951d20)
bluetooth:
make bluetooth rules more strict (dfa408c9)
add missing files (e84d65c5)
include it if Appearance matches the value assigned for keyboard (8079ceaf)
warn user instead of including it by default (0ecb0388)
btrfs:
do not require module via cmdline when --no-kernel (7ed765dd)
add missing cmdline function (2b47a2ef)
crypt: add missing libraries (c5dca3d6)
crypt-gpg: do not use always --card-status (e3e8108e)
dmsquash-live:
allow other fstypes (4000a1ec)
restore compatibility with earlier releases (0e780720)
live:/dev/* (93339444)
dmsquash-live-autooverlay: specify filesystemtype when it is already known (179e1a99)
dracut-functions: avoid calling grep with PCRE (-P) (67591e88)
dracut-functions.sh: convert mmcblk to the real kernel module name (a62e895d)
dracut-init.sh:
module_check method ignores forced option (6c9f403f)
use the local _ret variable (1b53bb62)
correct check in is_qemu_virtualized function (3e2f685e)
correct typo in comment (1aafcab9)
dracut-initramfs-restore.sh: handle /etc/machine-id empty or uninitialized (260883d9)
dracut-install:
protect against broken links pointing to themselves (32f6f364)
prevent possible infinite recursion with suppliers (131822e2)
continue parsing if ldd prints "cannot execute binary file" (9a531ca0)
dracut-lib.sh: remove successful finished initqueue scripts (07af8d58)
dracut-systemd:
rootfs-generator cannot write outside of generator dir (86c8a5a7)
check and create generator dir outside of inner function (acfa793b)
do not hardcode the systemd generator directory (a7c04716)
remove unused argument (eb75861c)
dracut.sh:
remove microcode check based on CONFIG_MICROCODE_[AMD|INTEL] (6c80408c)
exit if resolving executable dependencies fails (b2c6b584)
shellcheck warning SC1004 (dbdab2d8)
use gawk for strtonum (33a66ed0)
also prevent fsfreeze for tmpfs (09d3ec16)
correct path for UEFI stub on split-usr systems (c1588995)
silence the output of hardlinking files by default (2a26eec5)
handle imagebase for uefi (6178a9d8)
handle /etc/machine-id empty or uninitialized (97fe0976)
use dynamically uefi's sections offset (f32e95bc)
kmoddir does not handle trailing / (1ddcb137)
handle sbsign errors for UEFI builds (a6dd5bfb)
handle out of space error for UEFI builds (8602df70)
--sysroot option broken if global variables not set in conf (6f4a5c90)
correct --help and --version exit codes (cda6b00a)
fido2: libfido2.so depends on libz.so (15970768)
fips:
move fips-boot script to pre-pivot (d777dd3d)
only unmount /boot if it was mounted by the fips module (ab26ad2c)
do not blindly remove /boot (1fabbb64)
fs-lib: remove quoting form the first argument of the e2fsck call (9aa332ca)
github: exempt issues in a milestone (c8a703aa)
install: do not undef _FILE_OFFSET_BITS (70aeb4c1)
install.d:
do not create initramfs if the supplied image is UKI (b2af8c8b)
respect even more kernel-install vars, plus style fixes (17b8649e)
respect more kernel-install env variables (a037634a)
integrity: do not require ls (a804945f)
iscsi:
prefix syntax for static iBFT IPv6 addresses (c3b65a49)
install 8021q module unconditionally (aa5d9526)
kernel-modules:
add interconnect drivers (afb5717e)
add UFS drivers (89269d23)
use modalias info in get_dev_module() (87a76dbb)
load_fstype: avoid false positive searchs (10cf8e46)
lsinitrd.sh:
handle /etc/machine-id empty or uninitialized (971b302d)
handle filenames with special characters (1f84ff88)
lvmthinpool-monitor: activate lvm thin pool before extend its size (e9b47742)
man:
add missing initrd-root-device.target to flow chart (f11e8fff)
remove duplicate entry (6af3fcfd)
modsign: load keys to correct keyring (b7ef1302)
multipath: remove dependency on multipathd.socket (297525c5)
network:
IPv6: don't wait for RA for static IPv6 assignments (726d56ca)
don't assume prefix length 64 by default (7ff255a4)
network,dbus: improve dependency checking (3f8f115a)
network-legacy:
typo (e2f961a2)
always include af_packet (b074216b)
network-manager: add "After" dependency on dbus.service (d8a9a73d)
nvmf:
support /etc/nvme/config.json (f07117d6)
install 8021q module unconditionally (902f3a8f)
plymouth: remove /etc/system-release dependency (d6cef3f2)
release: maintain dracut-version.sh in the source tree (b4e23ce4)
resolve-deps: check the existing file—not the source (5ac581ef)
systemd:
add new systemd-tmpfiles-setup-dev-early.service (7528d84d)
do not include systemd-random-seed.service (925febf8)
systemd-ac-power: correct systemd-ac-power binary path (df2458a6)
systemd-journald: do not include systemd-journal-flush.service (eff2a939)
systemd-networkd:
correct typos in override paths (f0dc7ec9)
add missing conf files and services (71e391eb)
systemd-pcrphase: only include systemd-pcrphase-initrd.service (cd6f683d)
systemd-resolved: correct typo in override path (2d083021)
systemd-timedated: correct typo in override path (765e69ce)
systemd-tmpfiles: do not include systemd-tmpfiles-clean.timer (1ef00735)
systemd-udevd: add missing override paths (570b9d40)
test:
only use QEMU machine q35 on x86 (f29e428b)
use bash for jobs -r parameter (9a18f133)
rename test 60 (3d7c0ffb)
improve test 60 (5e846cb1)
remove leftover link file from server rootfs (8f44740f)
assign fixed address to bridge (9fb64d96)
bump DHCP timeout to 30 seconds (462d9b92)
remove check on dhclient support for --timeout (da959483)
adapt multinic test for new NetworkManager versions (d3993c7d)
udev-rules:
remove firmware.rules (7310a641)
remove old eudev specific rule (6d554d9b)
remove old redhat specific rule (d648bf80)
remove old edd_id extra rules (6a33e677)
remove old debian specific rules (1edc41af)
url-lib.sh: nfs_already_mounted() with trailing slash in nfs path (966b6cec)
virtiofs: add virtio_pci kernel module to virtiofs (07b49a3e)
Features
Makefile: allow setting dracut version via environment variables (31c4d284)
dracut:
add --sbat option to add sbat policy to UKI (fffeaded)
use log level indicator in console output (ae88e029)
dracut-init.sh:
do not print by default if an udev rule is skipped (aa20bbb5)
specify if a module cannot be found or cannot be installed (a10078a5)
dracut-install: add fw_devlink suppliers as module dependencies (3de4c731)
fips: add progress messages (68d0653e)
install.d: allow using dracut in combination with ukify (16645633)
kernel-modules: driver support for macbook keyboards (df381b7e)
livenet: add memory size check depending on live image size (52351cfa)
lsinitrd: notify user on missing compressor (1300a930)
lvm: always include all drivers that LVM can use (a109c612)
network-wicked: remove module (9dbbebb1)
nvmf: add code for parsing the NBFT (b490f6f7)
resume: also consider resume= in the cmdline as enabling hibernation (e3a7112b, closes [#924](https://github.com/dracutdevs/dracut/issu
systemd: install systemd-executor (bee1c482)
systemd-creds: introducing the systemd-creds module (48c2cb45)
systemd-rfkill: remove module (c4e6eaf9)
test: nfs_fetch_url test into nfs test (8f9ad068)
059
Bug Fixes
NEWS.md: add missing entries (794ce5e3)
058
Bug Fixes
90kernel-modules:
MMC and NVMe on kernels 6.0+ (e0d57a8f)
add (nonstandard) NVMe drivers (415e5519)
90multipath:
use RemainAfterExit=yes for multipathd-configure.service (2334031a)
create /etc/multipath only (0940be90)
Makefile: reduce the number of shell invocations (ad7d5bc8)
base:
do not require chroot inside initramfs (51813371)
remove grep dependency (240a1d34)
dbus-broker: add missing sockets.target.wants/dbus.socket (7ed04618)
dmsquash-live:
add support for NFS (8caaad4f)
check kernel for built-in squashfs drivers (922c9e28)
run checkisomd5 on correct device (c8f819e6)
dmsquash-live-ntfs: remove unnecessary command (e78f71b9)
dmsquash-live-root: check kernel for built-in overlay drivers (d0cd7cd3)
dracut:
allow to set persistent policy based on /dev/mapper device names (9cc7ceec)
shellcheck regression in DRACUT_INSTALL calls (097dd367)
replace invalid lzo command with lzop for LZO compression (b2d7561b)
typo error 'aggresive' -> 'aggressive' (e4f1dbcc)
dracut-functions.sh:
check_kernel_module should follow dracutsysrootdir (6c42d378)
suppress findmnt error msg if /etc/fstab not exist (e9ed44c8)
dracut-init: make require_kernel_modules ignore no kernel build (d460941b)
dracut-init.sh:
instmods: wrong variable name (b12ee558)
add missing hostonly code in the inst_multiple function (e2fdb30b)
correct dracut-install source path (72b700e3)
propagate the result code returned by dracut-install (d2f6f445)
dracut-initramfs-restore.sh:
initramfs detection not working (481b87fa)
hide unpack errors (4f20ae26)
dracut-install:
use stripped kernel module path as hash key (2f791b40)
do not try to copy files from the root directory (ebbcf97d)
correctly waitpid() for cp (13736c50)
convert_abs_rel: return valid path on error (06d31617)
dracut-logger.sh: this fixes the dlog_init check for /dev/log (6b592f58)
dracut-systemd: run systemctl daemon-reload after remove_hostonly_files (e1058b07)
dracut.sh:
split drivers_dir check (d32d221e)
use DRACUT_ARCH instead of uname -m (a86aea65)
make omit-drivers option do exact match for names (444944ab)
correct wrong systemd variable paths (b9dc999f)
remove duplicate "dracut:" string in logger functions (8410ee22)
do not fail on irregular files (b72d0d7f)
dracut.spec: tpm2-tools is required for crypt module to work (8abffe7c)
drm: add video drivers needed on hyper-v and similar (85149b85)
github: yml syntax and commit message for dependabot (32f6dd1d)
i18n:
do not fail if FONT in /etc/vconsole.conf has the file extension (e1de5bd2)
add required includes for keymaps (fe8fa2b0)
install.d: add --verbose if KERNEL_INSTALL_VERBOSE=1 (846a8453)
integrity:
do not enable EVM if there is no key (90585c62)
remove unused variable (9d1004a4)
iscsi: don't install the module if kernel doesn't support iscsi (7917d797)
kernel-modules:
add sysctl to initramfs to handle modprobe files (33679fff)
always include nvmem driver on nvmem_on_arm (bc965cd8)
load_fstype: use $1 if $2 is missing (401158e5)
lsinitrd.sh:
add a missing path to image (e877be69)
correct skipcpio source path (5eb996a9)
lvm: drop dm-eventd binary and libs from initramfs (7d3184e4)
man:
correct typo (699e3945)
dracut.cmdline.7: clarify "rd.nvmf.discover=fc,auto" (a90efdd7)
dracut.cmdline(7): correct syntax for rd.nonvmf (4b69e63b)
point man pages to github.com instead of kernel.org (d6d55584)
correct typo (7fa0094c)
multipath: install multipathd.socket (02e646fc)
network:
check if ip command fails (52d14607)
two bugs which cause minutes long boot times (1d6f42c8)
avoid double brackets around IPv6 address (2c26b703)
don't use same ifname multiple times (f4e9ea87)
network-legacy:
check if dhclient has --timeout option (23654c50)
correct wrong local network configuration path (2eb733cc)
network-manager:
always install the library plugins directory (429f9de1)
correct wrong local network configuration path (744c6de5)
nfs,virtiofs: check kernel for builtin fs drivers (78cafe46)
nvmf:
run cmdline hook before parse-ip-opts.sh (a65fab69)
avoid calling "exit" in a cmdline hook (a93968b0)
make sure "rd.nvmf.discover=fc,auto" takes precedence (556ef46a)
don't use "finished" queue for autoconnect (e93e4652)
don't create did-setup file (03921ec0)
no need to load the nvme module (a3cf4ec9)
don't try to validate network connections in cmdline hook (b3ff3f3f)
nvme list-subsys prints the address using commas as separator (9664e98b)
shell-completion: add missing -p and --parallel options (b30a00c2)
skipcpio: ignore broken pipe (aa0369a4)
squash: build ld cache for squash loader (bc1b23c2)
systemd:
add missing modprobe@.service (928252a1)
set right permissions for the machine-id file (da55e266)
systemd-coredump: correct systemd-coredump binary path (4b931bfb)
systemd-hostnamed:
add missing dbus-org.freedesktop.hostname1.service (4fca292b)
correct sysusers configuration (a540c95b)
systemd-networkd: typo in systemd-networkd.socket local conf path (d4732be8)
systemd-timedated: add missing dbus-org.freedesktop.timedate1.service (b3d219b4)
systemd-timesyncd: typo in systemd-time-wait-sync.service local conf path (e3ec51e1)
test: remove unnecessary setup steps (22ab7979)
virtiofs:
make shebangs work on split-usr systems (27b316df)
ismounted has a dependency on the base module (c73e7b99)
zipl: remove trailing spaces from zipl boot device name (b4de9ee1)
Features
dmsquash-live:
add support for dash (862ba526)
add new dmsquash-live-autooverlay module (a3c67d27)
dracut-init.sh:
introduce a new helper require_kernel_modules (d3a5e631)
add inst_libdir_dir() helper (cc669250)
dracut-install: convert_abs_rel: canonicalise parent of from, too (53dd6a9b, closes #1781)
dracut.sh:
populate uefi_cmdline if no other cmdline is given (1157143d)
pass engine flag to sbsign allowing use with hardware devices (897e5eff)
fs-lib: fsck_single can now handle PARTLABEL and PARTUUID (d40617f7)
github: automating dependency updates (bdddfd56)
kernel-modules: exclude USB drivers in strict hostonly mode (7debf540)
multipath: install tmpfiles.d config file (cf31fcf8)
nvmf: set rd.neednet=1 if tcp records encountered (cf8986af)
overlayfs:
add new overlayfs module to dracut.spec (b55563f6)
add a new module called overlayfs (40dd5c90)
qemu: add efi_secret driver (8194f72a)
squash: use require_kernel_modules for better module checking (d4a9d6b4)
systemd: install systemd-sysroot-fstab-check (23684e4a)
systemd-pcrphase: introducing the systemd-pcrphase module (d345ca2e)
systemd-portabled: introducing the systemd-portabled module (03babd95)
systemd-pstore: introducing the systemd-pstore module (758f2e69)
test: add new module to share code between tests (f5689b42)
test-makeroot: add new module to share code between tests (54b963ca)
test-root: add new module to share code between tests (b17a3103)
Performance
90kernel-modules: use awk instead of shell monster (77ac95d9)
dracut-install:
convert_abs_rel: don't allocate target parent realpath (d2648f6d)
strdup()+[dirlen]=0 => strndup (e7d6a1e3)
dracut.sh: do not mkdir $initdir/lib/dracut within a loop (8d46cc01)
057
Bug Fixes
10i18n:
stop leaking shell options (f3441cc7)
stop leaking shell options (35064768)
Makefile: use of potentially unset variable (1354d633)
bluetooth:
accept compressed firmwares in inst_multiple (09a1e5af)
nullglob should not be needed (36aaa74f)
make $dbussystem/bluetooth.conf optional (a38d9ec0)
configure: check for SYS-gettid during configure (0ef40d88)
connman: copy netroot.sh from the network module and install it (f6d83f9f)
crypt: add missing is_keysource parameter to cryptroot-ask (6c11a8fc)
dmsquash-live:
mount live device with the correct type (08ed7b2d)
permanent overlay on the same drive as LiveCD .iso (9a884b3a)
dracut: default to correct firmware search paths (95aeed89)
dracut-functions.sh: correct wrong comment (0afa840e)
dracut-initramfs-restore.sh:
unpack uncompressed initrd as last option (46886956)
check if SELINUXTYPE is set (24d8f35b)
dracut-install:
copy files preserving ownership attributes (9ef73b6a)
do not fail when SOURCE is optional and missing (bd1a5ca9)
dracut-systemd:
drop misleading man page reference (77c28b30)
correct service dependencies (85fdff12)
dracut.cmdline.7: {=> must} also be specified (27071e9a)
dracut.sh:
format usage and add missing options (9bef7109)
always check that MACHINE_ID is not empty (527fdfa1)
avoid calling dfatal before dracut-logger is sourced (012d7db2)
add missing default output file paths (28ef3bc6)
add missing --libdirs usage (352e5917)
drop restorecon call (33859892)
error exporting sysctl variables (4c355d05)
dracut.spec: add connman module (d0c6ab21)
fedora.conf: vi binary is missing (48541362)
github: remove packit (8fd37d20)
ifcfg: avoid calling unavailable dracut-logger functions (7103c4bc)
install: restore musl support (ce55a85e)
integrity: do not display any error if there is no IMA certificate (f63f411d)
iscsi:
do not exit in handle_netroot() if discovery failed (319dc7fe)
remove unneeded iscsi NOP-disable code (a33a8df4)
kernel-network-modules: allow specifying empty --hostonly-nics (ab6f5733)
lsinitrd.sh:
always check that MACHINE_ID is not empty (d6343146)
add missing default paths (49ea6c42)
lvm:
add missing grep requirement (79f9d9e1)
ignore expected error message from lvm config (7e03d81f)
man:
add missing default paths (ffc1985c)
add missing --libdirs section (a90dbd95)
network-manager: avoid calling unavailable dracut-logger functions (b7059aef)
nfs:
give /run/rpcbind ownership to rpc user (d6159343)
require and install needed binaries (0e4df7a3)
nvmf:
deprecate old nvmf cmdline options (e405501e)
set executable bit on nvmf-autoconnect.sh (25a92885)
plymouth: hide dpkg-architecture stderr messages (42e9d188)
resume: correct call to block_is_netdevice function (a7a4b76c)
shell-completion: add missing options (1199f990)
systemd-coredump: add systemd-sysusers dependency (ce82e969)
systemd-journald: remove duplicate entry in inst_multiple (d3ab2061)
systemd-timesyncd: add systemd-sysusers dependency (28b6adcb)
test:
dmsquash-live test without an iso (6ee2baf3)
remove stale comments (b3ab3037)
add support for dpkg to pass the test on debian (a7dfdf6a)
nullglob should not be needed (c7b3ac2b)
udev-rules: add cdrom udev rules by default (aebeb2ec)
Features
add aarch64 uefi support (8391a993)
connman: introduce connman support module (f30d0351)
dracut:
support parallel execution with --parallel (6d923262)
add zfs detection (9582f027)
dracut-install: support ZSTD-compressed firmware with .zst suffix ([9d8387e](https://github.com/dracutdevs/dracut/commit/ 9d8387e))
dracut-systemd: use Documentation= to point to man page ([42e8f17](https://github.com/dracutdevs/dracut/commit/ 42e8f17))
gensplash: remove module (1befc641)
lvm: add new module lvmthinpool-monitor (d9812fc4)
man: add documentation for rd.luks.key.tout (65e41b54)
squash:
add shell completion for --squash-compressor option (e2aee2d4)
update the manual page for --squash-compressor (3693bfef)
decouple the compressor for dracut and dracut-squash (90d9ae8c)
url-lib.sh: add --retry-connrefused to default curl arguments ([90032a4](https://github.com/dracutdevs/dracut/commit/ 90032a4))
virtiofs: virtiofs root filesystem support (4632f799)
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:40 +0000 (13:09 +0200)]
nfs: Update to version 2.8.4
- Update from version 2.8.3 to 2.8.4
- Update of rootfile not required
- Changelog is just a list of the commits. The details can be found in the changelog at
https://sourceforge.net/projects/nfs/files/nfs-utils/2.8.4/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:39 +0000 (13:09 +0200)]
lzip: Update to version 1.25
- Update from version 1.24.1 to 1.25
- Update of rootfile not required
- Changelog
1.25
lzip now exits with error status 2 if any empty member is found in a
multimember file.
lzip now exits with error status 2 if the first byte of the LZMA stream is
not 0.
Options '--empty-error' and '--marking-error' have been removed.
The chapter 'Syntax of command-line arguments' has been added to the manual.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:38 +0000 (13:09 +0200)]
libvirt: Update to version 11.7.0
- Update from version 11.4.0 to 11.7.0
- Update of rootfile
- Changelog
11.7.0
New features
* Allow setting the log level of Cloud Hypervisor
Users can now configure the verbosity of Cloud Hypervisor by setting
the "log_level" option in ch.conf
* bhyve: experimental NAT networking support
The bhyve driver now has experimental NAT networking support
using the Packet Filter (pf) firewall.
* bhyve: domain statistics reporting
The bhyve driver now supports querying domain block, interface,
and memory statistics. Not all statistics fields are supported though.
Improvements
* bhyve: improve 'efi' configuration autofill
When a domain is configured with ``<os firmware='efi'/>``, NVRAM
configuration is now autofilled.
11.6.0
New features
* Introduce VIR_CONNECT_BASELINE_CPU_IGNORE_HOST flag
This new flag for virConnectBaselineHypervisorCPU can be used for computing
a baseline CPU on any host. Without the VIR_CONNECT_BASELINE_CPU_IGNORE_HOST
flag the baseline API would return reasonable output only when run on one of
the hosts that the input CPU definitions were collected from.
* Allow control over QEMU TLS priority strings
The qemu.conf file now has multiple settings allowing control over the
QEMU TLS priority strings, for the different subsystems in QEMU that
can support TLS. This can be used to workaround a current bug in GNUTLS
that is liable to cause crashes of the source QEMU when performing long
running live migration operations with TLS enabled.
* Add support for disabling deprecated CPU model features by default for s390
domains. Starting an s390 domain with host-model will now default to
setting the ``deprecated_features`` attribute to ``off``, ensuring the
domain starts with a migration-compatible CPU model to newer systems. This
behavior can be modified by setting the ``default_cpu_deprecated_features``
option in the qemu.conf file.
* bhyve: Add TCP console support
TCP serial devices can now be configured with ``<serial type='tcp'>``::
<serial type='tcp'>
<source mode='bind' host='127.0.0.1' service='12345'/>
<target type='serial' port='0'/>
</serial>
Additionally, number of supported consoles increased to 4.
* qemu: Add support for RBD namespaces
Allow specifying the 'namespace' within a RBD image pool.
Improvements
* qemu: Change default SCSI controller model to ``virtio-scsi`` for ARM and
RISC-V The previous default of ``lsilogic`` is unsupported by modern
operating systems. ``virtio-scsi`` is a more suitable default for ARM and
RISC-V ``virt`` machine types.
* Clarify documentation of virConnectBaselineHypervisorCPU
The documentation makes it clear virConnectBaselineHypervisorCPU is
supposed to be called on one of the hosts represented in the input CPU
definitions. Otherwise the API will give unexpected results.
* Allow specifying zero discard granularity for block devices
This can be used to tell some guest operating systems (notably Windows) to
not trim the disk.
* bhyve: Add timeout handling for bhyveload
It is now possible to run ``bhyveload`` with the ``timeout`` tool, which
can send ``SIGTERM`` and ``SIGKILL`` signals when timeout is reached.
Timeout values are set using the ``bhyveload_timeout`` and
``bhyveload_timeout_kill`` configuration options in ``bhyve.conf``.
* nss: Improve debugging
Debugging messages from NSS modules can be now enabled by setting the
``LIBVIRT_NSS_DEBUG`` environment variable. So far, there is no special
meaning to its value.
* rpc: Removed requirement for TLS certificates to support 'key encipherment'
With TLS 1.3, key encipherment is not required even for RSA keys. Other key
types didn't even support it so they were wrongly refused even in cases when
they would work with libvirt. The TLS certificate validation now no longer
requires 'key encipherment' to be enabled.
Bug fixes
* bhyve: Fix resetting of the autostart flag of the domain on destroy.
* The nwfilter driver no longer recreates the base iptable/ip6tables chains
The nwfilter driver had a impl mistake causing it to recreate the
base chains for iptables/ip6tables every time a VM was started.
This allowed a small window where traffic might not be fully
filtered. It now handles iptables/ip6tables the same way as
ebtables, creating the base chains only if they did not already
exist.
* Fix systemd unit ordering for auto-shutdown of domains via the daemon
The ordering of systemd units created by libvirt for individual machines
needed to be adapted when the shutdown of VMs on host shutdown is done
via the virt daemon itself (rather than ``libvirt-guests.service``) to
ensure that the VMs are not terminated before the virt daemon can deal with
them.
11.5.0
Removed features
* qemu: Don't accept VIR_DUMP_LIVE flag in virDomainCoreDumpWithFormat()
Unfortunately, QEMU always pauses vCPUs when doing a core dump. Therefore,
there is no way for Libvirt to honor VIR_DUMP_LIVE flag semantics. Instead
of silently pretending the flag works, an appropriate error is now
reported.
New features
* vmx: Add support for reporting NVMe disks in the domain XML
* qemu: Add support for NVMe disks
NVMe disks can now be emulated by using an ``nvme`` bus, but require a
serial due to the hypervisor::
<target dev='nvme0n1' bus='nvme'/>
<serial>qwertyuiop</serial>
Multiple disks can be represented as different namespaces on the same
controller, but they cannot have a different serial number due to the fact
that it is the controller which ultimately has the serial number attached to
it, but for ease of use it is automatically copied from the disk serial.
* esx: Add support for specifying alternative CA bundle for remote peer
verification. Users can now use ``cacert`` parameter in the URI to specify
a file path with CA certificate(s) that will be used for remote peer
certificate validation.
* qemu: add support for AMD IOMMU device
The ``amd`` model for the ``<iommu>`` device is now supported.
New attributes ``passtrhough`` and ``xtsup`` are also supported for this
model.
Improvements
* Include supported console types in domain capabilities
Domain capabilities now include information about supported console types,
such as::
<console supported='yes'>
<enum name='type'>
<value>pty</value>
<value>tcp</value>
</enum>
</console>
* virsh: Add waiting for domain state via ``virsh await``
The new helper command ``virsh await`` simplifies waiting on domain state
which is normally announced via events. Currently two waiting conditions are
implemented: ``domain-inactive``, and ``guest-agent-available``.
Bug fixes
* qemu: Be more forgiving when acquiring QUERY job when formatting domain XML
Since ``libvirt-11.0.0`` the ``virDomainGetXMLDesc()`` API used to format
domain XML acquires QUERY job. But this caused a regression when the API
might timeout for incoming migration. This is now fixed.
* qemu: Fix shared filesystem detection on nonexistent paths
Since ``libvirt-11.1.0`` nonexistent paths within directories marked as
shared filesystem (via the ``shared_filesystems`` option in ``qemu.conf``
would not be properly detected as being on a shared filesystem.
* qemu: Properly emulate USB cdrom device
CD-ROM devices on USB bus are now properly emulated as such which was not
the case since libvirt switched to the modern qemu commandline syntax for
storage backends.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:37 +0000 (13:09 +0200)]
less: Update to version 679
- Update from version 678 to 679
- Update of rootfile not required
- Changelog
679
Fix bad parsing of lesskey file an env var is a prefix of another env var
(github #626).
Fix unexpected exit using -K if a key press is received while reading the
input file (github #628).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:36 +0000 (13:09 +0200)]
expat: Update to version 2.7.2
- Update from version 2.7.1 to 2.7.2
- Update of rootfile
- CVE fix
- Changelog
2.7.2
Security fixes:
CVE-2025-59375 -- Disallow use of disproportional amounts of
dynamic memory from within an Expat parser (e.g. previously
a ~250 KiB sized document was able to cause allocation of
~800 MiB from the heap, i.e. an "amplification" of factor
~3,300); once a threshold (that defaults to 64 MiB) is
reached, a maximum amplification factor (that defaults to
100.0) is enforced, and violating documents are rejected
with an out-of-memory error.
There are two new API functions to fine-tune this new
behavior:
- XML_SetAllocTrackerActivationThreshold
- XML_SetAllocTrackerMaximumAmplification .
If you ever need to increase these defaults for non-attack
XML payload, please file a bug report with libexpat.
There is also a new environment variable
EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity
of allocations debugging at runtime, disabled by default.
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
(Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
Distributors intending to backport (or cherry-pick) the
fix need to copy 99% of the related pull request, not just
the "lib: Implement tracking of dynamic memory allocations"
commit, to not end up with a state that literally does both
too much and too little at the same time. Appending ".diff"
to the pull request URL could be of help.
Other changes:
Autotools: Sync CMake templates with CMake 3.31 for macOS
CMake: Drop support for CMake <3.15
CMake: Fix off_t detection for -Werror
CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON
Windows: Drop support for Visual Studio <=16.0/2019
xmlwf: Mention supported environment variables in
--help output
xmlwf: Fix (internal) help generator
docs: Promote the contract to call function
XML_FreeContentModel when registering a custom
element declaration handler (via a call to function
XML_SetElementDeclHandler)
docs: Add missing <p>..</p> wrap
docs: Drop AppVeyor badge
tests: Fix portable_strndup
Drop casts around malloc/free/realloc that C99 does not need
Replace empty for-loops with while loops
Add const with internal XmlInitUnknownEncodingNS
Drop an OpenVMS support leftover
Address more clang-tidy warnings
Version info bumped from 11:2:10 (libexpat*.so.1.10.2)
to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Cover compilation on FreeBSD
CI: Upgrade Clang from 19 to 21
CI: Make calling Cppcheck without --suppress=objectIndex
and --suppress=unknownMacro possible
CI|Windows: Get off of deprecated image "windows-2019"
CI: Adapt to breaking changes in GitHub Actions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:35 +0000 (13:09 +0200)]
ed: Update to version 1.22.2
- Update from version 1.20.2 to 1.22.2
- Update of rootfile not required
- Changelog
1.22.2
* Newline characters are no longer allowed in file names even when
'--unsafe-names' is specified.
* The file name is now printed escaped also when replaced into a shell command.
1.22.1
* Ed now departs from POSIX and ignores SIGPIPE to prevent commands like 'w !:'
or ',!:' from terminating ed. A broken pipe is now detected as any other
write error. (Reported by Sergei Trofimovich).
1.22
* An ex(1) style filter has been implemented; the shell escape command (!) now
accepts line addresses to filter the addressed lines through a shell command.
(Suggested by Shawn Wagner, Andrew L. Moore, and John Cowan).
1.21.1
* Fixed a compilation failure caused by the inclusion of the unused and
obsolete header <sys/file.h>. (Reported by Michael Mikonos).
* Ed now reads the initial window size for the z command from the environment
variable LINES. (Suggested by Artyom Bologov).
1.21
* 'r !command' and 'w !command' ignore again the exit status of 'command'. Bug
introduced in version 1.6. (Reported by Andrew L. Moore).
* Include 'stdbool.h' instead of defining 'bool' to fix compilation in C23.
(Reported by Alexander Jones).
* The messages "Newline inserted" and "Newline appended" are now suppressed in
scripted mode (-s). (Reported by Artyom Bologov).
* The chapter 'Syntax of command-line arguments' has been added to the manual.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Security #7881: detect/tls: keyword tls.subjectaltname leads to NULL Deref if tls.subjectaltname
contains zero(HIGH - CVE 2025-59150)
Security #7861: detect: Dynamic-stack-buffer-overflow in ShortenString(HIGH - CVE 2025-59149)
Security #7838: detect/entropy: segfault when not anchored to a sticky buffer(HIGH - CVE 2025-59148)
Security #7657: tcp: syn resend with different seq leads to detection bypasss(HIGH - CVE 2025-59147)
Bug #7891: unix-socket: memory leak when client disconnects during rule reload
Bug #7877: rust: build with RUSTC and CARGO variables fails
Bug #7865: detect/integers: u8 prefilter does not support all modes
Bug #7859: doc/userguide: build failure with read the docs theme
Bug #7843: http: dissection anomaly on `Content-Encoding: identity`
Bug #7836: util-byte: bad usage of StringParse function return codes
Bug #7828: util/hash: unexpected remove behavior
Bug #7827: app-layer: ippair.memcap counter shows memuse
Bug #7824: hyperscan: caching results in segfault with link time optimization (-flto=auto, etc)
Bug #7822: engine-analysis: SEGV on rule failure without rules-fast-pattern enabled
Bug #7821: engine-analysis: no report for failed rules without fast pattern
Bug #7820: app-layer/snmp: internal error if app-layer is disabled
Bug #7815: unix-socket: segfault in "pcap-file-list" command
Bug #7813: cppcheck: warnings in counters.c
Bug #7804: util-lua-sandbox.c undeclared identifier error for Suricata 8.0.0
Bug #7803: http: use transactions right get function
Bug #7802: detect/dsize: uninitialized value from SigParseRequiredContentSize
Bug #7741: http2: events can contain an empty response object
Bug #7740: doh2: events are always dns even if there is no DNS info (pure HTTP2 settings)
Bug #7651: decoder/pppoe: valid packets are getting dropped as decoder.ppp.unsup_proto
Bug #7636: tcp: assertion triggered in StreamTcpReassembleAppLayer
Bug #7611: eve: segv in stats.totals output
Bug #5689: eve: community id computed wrong for tcp and ipv4 when src_ip == dest_ip
Bug #4702: tcp: SYN/ACK dropped when client does not support timestamps
Bug #4178: alert-debug: DNS Query triggers alert but no output in alert-debug.log
Bug #3844: tcp: possible bypass with TCP ssn reuse
Optimization #7769: detect/file: remove redundant de_ctx->rule_file != NULL check
Feature #7869: detect/integers: support units like kib
Task #7857: schema/arp: fix invalid pkt event output
Task #7834: detect: remove unused non-pf stats counters
Documentation #7890: detect: tls.cert_subject incorrectly claims to support multi-buffer
Documentation #7867: detect/multi-buffers: complete list in userguide page on multi-buffer-matching
Documentation #7854: doc/lualib: fix flow timestamps() return value order
Documentation #7795: eve/schema: document stats.detect counters
Documentation #7794: eve/schema: document stats.flow counters
Documentation #7728: lua: fix all Lua documentation examples for new library format
Documentation #7648: rtd: set "latest" to last stable release starting with 8.0.0
Documentation #7639: dpdk: update Connect-X4 recommended fallback tx-descriptor count
Documentation #7631: userguide: document lua lib suricata.dnp3
Documentation #7190: detect/integers: document usage of units
Documentation #7081: userguide: add unix socket option to retrieve flow info
Documentation #6840: devguide/app-layer: section with conceptualized steps for adding parser
Documentation #6284: userguide: document what's the impact of `stream.inline`
Documentation #6270: userguide: document usage of Suricata as a firewall
Documentation #5690: userguide: document the differences between IPS and IDS mode
Documentation #5513: userguide: add a chapter for IPS mode
Documentation #5139: userguide: add a section for netflow event type
Documentation #5078: doc/userguide: improve rule reload documentation
Documentation #4351: doc: explain the engine logic to trigger inspection of TCP data"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:40:54 +0000 (19:40 +0200)]
nut: Update to version 2.8.4
- Update from version 2.8.3 to 2.8.4
- Update of rootfile
- sobump requires shipping of collectd
- Changelog
2.8.4
- Bug fixes for fallout possible due to "fightwarn" effort in 2.8.0+:
* In `usbhid-ups` sources, introduced optional `HU_FLAG_PARAM_REQUIRED` for
`setvar()` or `instcmd()` handling (and a `HU_TYPE_CMD_PARAM_REQUIRED`
shortcut) for setting in the mapping table flags, to specify variables
or instant commands that require an argument (either from caller or a
non-`NULL` default in the run-time table after device data discovery);
if the flag is not set, a zero value is assumed. Incomplete code was a
regression of NUT v2.8.3 causing some instant commands to fail. [#2860,
#2955]
- Fix fallout of development in NUT v2.8.0 and/or v2.8.1 and/or v2.8.2 and/or
v2.8.3:
* Fixed a regression in recipes of NUT v2.8.3 release (as compared to
v2.8.2), where `configure --with-docs=all` no longer failed a run
of the `configure` script when some of the required rendering tools
were not in fact available. [#2842, fixed by #2921]
* Some recipe improvements in earlier releases led to `make check` always
running a spelling check (if tools are available), even if the explicit
`configure --disable-spellcheck` option was used. Now it would not run
if disabled (e.g. to speed up CI builds in scenarios that focus on other
aspects of the code base), although developers can still use the explicit
`make spellcheck*` goals, when tools are in fact available. [#2973]
* A change in `Makefile.am` recipes to evaluate some driver names in the
`DRIVERLIST` variables inspected by `configure` script, rather than
having all their names hard-coded like before, led to inability to
`configure --with-drivers=dummy-ups`. [#2825, #2927, fixed by PR #2929]
* A problem noted with `upsdrvquery` (since NUT v2.8.1) message logging
at high debug verbosity levels (5+) with very large blocks of content
has exposed a deficiency in variable-argument handling, and specifically
adaptive resizing of the output buffer or truncation of logged inputs
(which is something NUT code tried to do since the beginning of time),
and could lead to "segmentation fault" crashes on some platforms.
[issue #2948, PR #2963]
* Documentation build recipes overly zealously pre-processed source files,
which was not applicable for each and every document type we have (e.g.
binary images for illustrations); this caused grief with some toolkits.
[issue #2989]
- common code:
* Revised common `writepid()` to use `altpidpath()` as location for the
PID file creation, if the default `rootpidpath()` is not accessible
(e.g. daemon was not initially started as `root`). Likewise updated
short PID file based signal sending to consult both locations. [#1717]
* Linux may report a `/proc/X/exe` symlink with an embedded "(deleted)"
suffix, if the binary was removed (or replaced) since the running process
started. This confused our code which verifies that when it is sending a
signal to a PID, that PID does reflect the expected NUT program. [#3021]
* Refactored NUT "common" sources to reference `nut_version.h` macros from
a smaller C source file, to minimize the compilation unit size impacted
by development iterations. [issue #2097]
* Common code hardening: added sanity-checking for dynamically constructed
or selected formatting strings with variable-argument list methods
(typically used with log printing, `dstate` setting, etc.) [#2450, #3016]
- Warn if `%n` formatting string is used -- it is deprecated in some
newer distros due to security concerns.
* Refactored repetitive implementations of `inet_ntopSS()` (nee
`inet_ntopW()` in `upsd.c`) and `inet_ntopAI()` methods into `common.c`,
so now they can be re-used or expanded more easily. [#2916]
- `upsd` updates:
* Fixed two bugs about printing the "further (ignored) addresses resolved
for this name": the way to extract IP address string was not portable
and misfired on some platforms, and the way to print had a theoretical
potential for buffer overflow. [#2915]
* Print arguments of a processed command into the debug log, to help track
down what unsupported queries are about, etc. (but only endeavor to spend
time, RAM and CPU on this if debug verbosity is high enough). Hide the
sensitive commands' parameters unless verbosity is unusually high. [#3023]
- `upsdrvquery` API updates [#2969]:
* Added `upsdrvquery_oneshot_conn()` for issuing one-shot queries using an
existing `udq_pipe_conn_t *` connection. The caller manages the
connection's lifecycle, and the function includes a best-effort call to
restore broadcast mode after the query to return the connection as it was.
* Added `upsdrvquery_oneshot_sockfn()` for initiating one-shot queries using
a socket filename. Shares internal logic with the existing
`upsdrvquery_oneshot()`, which uses a UPS and driver name, respectively.
* Introduced `upsdrvquery_restore_broadcast()` to explicitly restore
broadcast mode (`BROADCAST 1`) on a connection, helping return it to a
consistent and talkative state.
* Revised connection ownership handling: internal functions like
`upsdrvquery_prepare()` and `upsdrvquery_request()` no longer close
connections they do not own. Responsibility for cleanup is now delegated to
the caller to avoid unintended side effects and better align with expected
usage patterns.
- common driver code:
* Update reports of failed socket file creation, to help troubleshooting
some error cases in the field. [#2959]
* Removed workarounds trying to migrate legacy driver raised `ALARM`
status tokens into modern `alarm_*` function logic. Rather, we keep
supporting them as separate from the modern logic, seeing as `upsmon`
does not care where the token itself was raised for its notifications.
Driver-code related test-cases were updated to reflect these changes.
[issue #2928, PRs #2931 and #2934]
* Introduced some macros in `drivers/upshandler.h` for common syslog level
definitions and message wording for beginning and failing `instcmd()` or
`setvar()` operations consistently in different drivers. As a related
change, operations that intend to turn off or restart the load, or can
do that by side effect (e.g. calibration if batteries are old or dead),
would explicitly `upslogx(LOG_CRIT,...)` by default before commencing.
[#2957]
* Fixed a couple of ancient memory leaks: one "shared" during driver
program initialization, and one specific to `dummy-ups` wind-down. [#2972]
* Added a `suggest_NDE_conflict()` method so drivers which lack access
to the expected device can consistently suggest that this may be because
of running both an NDE-wrapped service unit and a manually launched
driver program at the same time. Currently added to `libusb{0,1}.c`
code, but may later be expanded to e.g. serial drivers and other media,
when their behavior in such situations gets identified. [follow-up to
issue #477, PR #3041]
- `apc_modbus` driver updates:
* The time stamp and inter-frame delay accounting was fixed, alleviating
one of the problems reported in issue #2609. [PR #2982]
* Fix missing variables due to mismatching format string. [PR #3013]
- `bcmxcp` driver updates:
* The latching on to a previous replace battery status was fixed, with its
alarm state variable now correctly being reset; previously a factually
replaced battery did not clear the alarm and the whole driver needed to
be restarted. [issue #2999, PR #3002]
- `clone`, `clone-outlet`, `nhs_ser` driver and `nutdrv_qx_ablerex`
subdriver updates:
* Refactored to follow modern handling of status and alarm conditions,
aligning with current driver design practices. This includes fixing
copy-paste related issues in alarm reporting and removing some alarm
messages that should instead be reflected as status flags. [#2936]
- `dummy-ups` driver updates:
* A new instruction `ALARM` was added for the `Dummy Mode` operation
of the driver, enabling simulation of UPS alarm states more closely
in line with modern, real-world UPS driver implementations. This
follows the updated principle of keeping alarm states decoupled from
the `ups.status` variable, with alarms now raised via common alarm
functions rather than direct manipulation. [issue #2928, PR #2936]
- `nutdrv_qx` driver updates:
* Added support for "preprocess"/"process" methods called from mapping tables
to report back to the driver that an argument value was not supported,
so `setvar()` or `instcmd()` can not proceed safely and should return
`STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017]
* Introduced `innovart33` protocol support for Ippon Innova RT 3/3 topology
UPSes. [#2938]
* Updated `megatec` protocol for more detailed responses to `I` query
which may return `ups.serial` (after a shorter `device.mfr`) and the
`battery.runtime` (after a shorter `device.model`). Note that the
expected response is shorter than in other dialects (38 vs. 39 bytes),
so if this change breaks anything for your UPS that reported the values
above correctly (e.g. the `ups.firmware` version becomes shorter or
none of these are reported), please let NUT developers know. [#2980]
* Revised `voltronic` protocol to suppress alarm "UPS is in ECO Mode",
using "buzzword mode" settings more correctly than in the previous
iteration, shipped in NUT v2.8.3 release (as PR #2750 for issue #2708).
[issue #2494]
* Introduced a `voltronic-axpert` subdriver for Voltronic Axpert inverters
which speak the P30 protocol, currently in a highly experimental state:
with initial support for query commands, but most values are "hidden"
from default NUT builds by being defined in `experimental.*` namespace,
and should also be enabled by `configure --with-unmapped-data-points`.
Development was based on work done in the Voltronic Sunny subdriver in
https://github.com/nickma82/nut/tree/nutdrv_qx_voltronic-sunny_rebased%2Bcommand
[#1407]
- `phoenixcontact_modbus` driver updates:
* Added more settings that can be tuned -- support for shutdown variables,
UPS mode selector, PC reset delay after main power recovers, and
automatic switch to battery mode (and back) if main power is below
or above a defined threshold (see the new "Configurable Values" section
in the man page). They can be configured via `default.*` values in
`ups.conf`. [#2986]
- `pijuice` driver updates:
* Converted to NUT standard use of `status_set()` with single-token values.
[issue #2708]
- `snmp-ups` driver updates:
* Added support for "fun"/"nuf" methods called from mapping tables to
report back to the driver that an argument value was not supported,
so `setvar()` or `instcmd()` can not proceed safely and should return
`STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017]
* Fixed `ups.test.date` to be semi-static in `apc-mib` mapping, so it
would be queried more than once per driver up-time. [issue #3011]
* Fixed debug-logging around `SU_FLAG_STATIC` entries to clarify when
they get skipped. [issue #3011]
- `usbhid-ups` driver updates:
* Added support for "fun"/"nuf" methods called from mapping tables to
report back to the driver that an argument value was not supported,
so `setvar()` or `instcmd()` can not proceed safely and should return
`STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017]
* `hid_ups_walk(HU_WALKMODE_INIT)`: report if exactly one of "fun" or "nuf"
dynamic value mapping methods is defined in a one-line table, and this
may preclude reads/writes of that variable. [#2956]
* The `cps-hid` subdriver's existing mechanism for fixing broken report
descriptors was extended to cover a newly reported case of nominal UPS
power being incorrectly reported due to an unrealistically low maximum
threshold, as seen with a EC850LCD device. [issue #2917, PR #2919]
* Further revision of "ECO mode" related code in `mge-hid` subdriver,
following up from work started for NUT v2.8.3 release. [PR #2956]
* Added APC BVKxxxM2 and BKxxxM2-CH to list of devices where
`lbrb_log_delay_sec=N` may be necessary to address spurious LOWBATT
and REPLACEBATT events. [PR #2942, PR #3007, issue #2347, issue #3006]
- New NUT drivers:
* Introduced a `ve-direct` driver for Victron Energy UPS/solar panels
monitoring. Most specific reported values are in an `experimental.*`
namespace, as a community we need to come up with standard naming for
those via `docs/nut-names.txt`. [#440]
* Introduced a `nutdrv_hashx` driver for numerous devices from Ablerex,
Atlantis Land, Epyc, Infosec, ION, PowerWalker, Right Power Technology,
Salicru, UPS Solutions and other vendors (originally shipped with a
"PowerMaster+", "PowerMaster" or "PowerGuide" software companion suite).
This seems to be a protocol developed by Cyber Energy for serial-port
devices, subsequently used by different vendors in their own products
or re-branded Cyber Energy creations. [#2940]
* Introduced a `failover` driver for monitoring multiple UPS driver sockets
and seamless switching out of UPS data in a failover situation, includes
support for end-to-end tracked instant commands and also variable updating.
[#2962]
* Introduced USB (`powervar_cx_usb`) and Serial (`powervar_cx_ser`) drivers
for Powervar CUSPP protocol, tested with GTS (USB) and UPM (USB, Serial)
models. [#2988]
- The `nut-driver-enumerator.sh` script (NDE) updates:
* Now NDE internally tracks dependency of one driver on another one that
should be locally running to serve the "original" data points (`clone`,
`clone-outlet`, `dummy-ups`, `failover`). It should create "soft"
dependencies between respective service instances to order their
start-up sequence. [#2962]
* Fixed NDE to not consider "masked" systemd units as non-existent or
as syntactically failed instantiated unit names. [#3033]
- NUT Monitor GUI:
* Ported Python 3 version to Qt6, now shipped alongside Qt5 for systems
with either or both, maximizing compatibility with old and new setups.
[#2946]
- `upsmon` client:
* Clearer debug logging of `SHUTDOWNCMD` and `NOTIFYCMD` that would be used
(or warnings that none was set); flush output buffers after these messages
and after each main loop cycle, so any emitted text is seen in a timely
manner. [issue #3003, PR #3008]
- The `nutshutdown` script (end-game integration for UPS power-off in case
of FSD initiated by `upsmon`) was updated to consider `MODE=none` set in
`nut.conf` and bail out quietly. [issue #2935, PR #3008]
- Manual page recipes and contents:
* Introduced handling (possibly rewriting) for man page section "Overviews,
conventions, and miscellaneous" (commonly number 7), to deliver support
for `man nut` queries (NUT overview manual page also created). [#2945]
* A new `configure --with-docs-man-dir-as-base` option was introduced so
that directories for man page sections can now be automatically named
as either "base" number of the section (e.g. `man1`) or by full section
name (`man1m`), as different OS distributions have different preferences
in this regard. [#2950]
* Option to `configure --enable-docs-man-for-progs-built-only` was added,
to differentiate NUT builds that deliver man pages for only built programs
(legacy default) or for all of them (as needed for docs sites). [#2976]
* Option to `configure --enable-docs-changelog` was added, specifically
to allow developer iterations to not waste CPU time rebuilding the huge
`ChangeLog*` files whenever their Git index changes. [#3019]
* Options to `configure --with-docs-changelog-start` and/or
`configure --with-docs-changelog-end` were added to allow developers
to customize the size of `ChangeLog*` files when they are generated.
Default starting value is `auto` which applies the legacy default
`v2.6.0` to release/pre-release builds, or when local Git version info
could not be retrieved, and the most-recent release tag (or `master`
as fallback) for usual build iterations. Default ending value is `HEAD`
for the current git commit at the moment the ChangeLog is (re-)generated.
Balancing against the option to not build `ChangeLog*` files at all,
this couple allows quicker builds that exercise all relevant recipe
code paths. [#3019]
- Extended the `gitlog2changelog.py` helper script to report start/end commits
actually used, and to allow callers to tweak them better (not only `HEAD`
for the end of range); this may be of interest to other projects which use
this script. Allow `configure` to disable generation of either certain
`ChangeLog*` rendering formats or completely, to speed up developer
iterations (much time is wasted when dev-testing new code, due to git
index changes if NUT was configured to build with documentation). [#3019]
- The `BUILD_TYPE=default-all-errors ci_build.sh` script handling was
revised to simplify code, and to default in CI builds to a quicker
mode which randomly mixes the selected SSL, USB and UNMAPPED variants
(and relies on the dozens of NUT CI farm runs per iteration to likely
cover all possible combinations), which should roughly halve the CI
build times. Default activity for developer builds should remain as
it was -- to try each such "axis" sequentially. [#2973]
- Revised generation of links to external manual pages in HTML rendering
of NUT manual pages (previous recipe iterations left DocBook XML `ulink`
tag "as is", which was not understood by web browsers).
[follow-up to PR #2797]
- Made the distro-dependent URL template for man pages configurable.
[follow-up to PR #2797]
- Revised `make install-as-root` to fall back to legacy ways of enabling
services, if `systemctl preset-all` fails (assumed due to a systemd 252
bug). [#3022]
- Added a `make check-parallel-builds` recipe to help troubleshoot recipes
in sub-directories, and improved build-ability of existing NUT sources
starting from scratch there. This is a workflow useful for NUT development
(e.g. to focus only on drivers, or tests, or nut-scanner) but not so much
for end-user packaging where everything builds from the root directory.
[PR #3030, follows up from PR #2825, highlights why issue #2584 better
be solved]
- Revised `appveyor.yml` to run CI builds faster (forfeit MSYS2 ecosystem
updates and some other steps) and more likely fit in one-hour allocation.
Also have it install `mingw-w64-x86_64-python-pyqt6` so the `NUT-Monitor`
application can get packaged (would need a capable Python run-time though).
[#3046]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:29 +0000 (19:46 +0200)]
lvm2: Update to version 2.03.35
- Update from version 2.03.33 to 2.03.35
- Update of rootfile
- Changelog
2.03.35
Fix unlocking devices file only after all PVs are processed.
Avoid creating system.devices when deleting entries.
Fix existing issues with persistent reservations.
Fix possible report output format inconsistencies while processing PVs.
Allow report options for pv/vg/lvdisplay only if used with -C|--columns.
Fix vgsplit failing to split a VG with RAID+integrity or cache with cachevol.
Fix --lockopt handling in lvmlockd when --nolocking is used.
Optimize dmeventd when remonitoring active devices.
2.03.34
Support dmeventd restart when there are no monitored devices.
Dmeventd no longer calls 'action commands' on removed devices.
Fix reader of VDO metadata on 32bit architecture.
Fix lvmdevices --deldev/--delpvid to error out if devices file not writeable.
Fix lvresize corruption in LV->crypt->FS stack if near crypt min size limit.
Enhanced lvresize -r support for btrfs.
Use glibc standard functions htoX, Xtoh functions for endian conversion.
Fix structure copying within sanlock's release_rename().
Fix autoactivation on top of loop dev PVs to trigger once for change uevents.
Add lvmlockd --lockopt repair to reinitialize corrupted sanlock leases.
Fix support for lvcreate -T --setautoactivation.
Add lvm.conf global/lvresize_fs_helper_executable.
Enable lvm to use persistent reservations on a VG.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:28 +0000 (19:46 +0200)]
libxml2: Update to version 2.14.6
- Update from version 2.14.4 to 2.14.6
- Update of rootfile
- 5 CVE fixes in version 2.14.5
- Changelog
2.14.6
Regressions
valid: Don't add ids when validating entity content
Fix initGenericErrorDefaultFunc(NULL) (Samuel Thibault)
valid: Undeprecate xmlAdd*Decl
globals: Include HTMLparser.h, fixing Windows build
io: Fix reading from pipes like stdin on Windows
Security
regexp: Avoid integer overflow and OOB array access
tree: Guard against atype corruption
Improvements
parser: Fix xmlSaturatedAddSizeT argument type
2.14.5
Regressions
valid: Don't add ids when validating entity content
io: Fix reading from pipes like stdin on Windows
parser: Fix handling of invalid char refs in recovery mode
Security
regexp: Avoid integer overflow and OOB array access
tree: Guard against atype corruption
[CVE-2025-49794] [CVE-2025-49796] schematron: Fix xmlSchematronReportOutput
[CVE-2025-49795] schematron: Fix null pointer dereference leading to DoS
(Michael Mann)
[CVE-2025-6170] Fix potential buffer overflows of interactive shell
(Michael Mann)
[CVE-2025-6021] tree: Fix integer overflow in xmlBuildQName
Bug fixes
save: Fix serialization of attribute defaults containing <
Improvements
parser: Fix xmlSaturatedAddSizeT argument type
Build systems and portability
meson: Add libxml2 part of include dir to pc file (Heiko Becker)
cmake: Fix installation directories in libxml2-config.cmake
io: Fix linkage of __xml*BufferCreateFilename functions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:27 +0000 (19:46 +0200)]
libssh: Update to version 0.11.3
- Update from version 0.11.2 to 0.11.3
- Update of rootfile
- Changelog
0.11.3
* Security:
* CVE-2025-8114: Fix NULL pointer dereference after allocation failure
* CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated
wrong KEX
* Potential UAF when send() fails during key exchange
* Fix possible timeout during KEX if client sends authentication too early (#311)
* Cleanup OpenSSL PKCS#11 provider when loaded
* Zeroize buffers containing private key blobs during export
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:26 +0000 (19:46 +0200)]
libffi: Update to version 3.5.2
- Update from version 3.5.1 to 3.5.2
- Update of rootfile not required
- Changelog
3.5.2
fix: enable FFI_MMAP_EXEC_WRIT for DragonFly BSD by @liweitianux in #930
Emscripten: Add wasm64 target by @ktock in #927
fix: Ensure trampoline file descriptors are closed on exec.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:25 +0000 (19:46 +0200)]
haproxy: Update to version 3.2.4
- Update from version 3.2.2 to 3.2.4
- Update of rootfile not required
- Changelog
3.2.4
- DOC: deviceatlas build clarifications
- BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no
ECDSA ciphers
- BUG/MEDIUM: acme: use POST-as-GET instead of GET for resources
- MINOR: acme: remove acme_req_auth() and use acme_post_as_get() instead
- BUG/MINOR: acme: allow "processing" in challenge requests
- CLEANUP: acme: fix wrong spelling of "resources"
- MINOR: acme: add ACME to the haproxy -vv feature list
- MINOR: acme: implement traces
- BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet
- BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket
- BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket
- BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally
established
- BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options
- BUG/MINOR: hlua: take default-path into account with lua-load-per-thread
- BUG/MEDIUM: mux-quic: ensure Early-data header is set
- CLEANUP: ssl: Rename ssl_trace-t.h to ssl_trace.h
- BUILD: acme: avoid declaring TRACE_SOURCE in acme-t.h
- BUG/MEDIUM: hlua_fcn: ensure systematic watcher cleanup for server list
iterator
- MINOR: acme: emit a log for DNS-01 challenge response
- MINOR: acme: emit the DNS-01 challenge details on the dpapi sink
- MEDIUM: acme: allow to wait and restart the task for DNS-01
- MINOR: acme: update the log for DNS-01
- BUG/MINOR: acme: possible integer underflow in acme_txt_record()
- MEDIUM: acme: use lowercase for challenge names in configuration
- DOC: management: clarify usage of -V with -c
- MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
- BUG/MINOR: listener: really assign distinct IDs to shards
- MINOR: quic: Prevent QUIC build with OpenSSL 3.5 new QUIC API version
< 3.5.1
- BUG/MEDIUM: quic: Crash after QUIC server callbacks restoration
(OpenSSL 3.5)
- BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was
xferred
- BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are
xferred
- BUG/MEDIUM: http-client: Ask for more room when request data cannot be
xferred
- BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode
- BUG/MINOR: http-client: Reject any 101-switching-protocols response
- BUG/MEDIUM: http-client: Drain the request if an early response is received
- BUG/MEDIUM: http-client: Notify applet has more data to deliver until
the EOM
- MINOR: h1-htx: Add function to format an HTX message in its H1
representation
- BUG/MINOR: mux-h1: Use configured error files if possible for early H1
errors
- BUG/MINOR: h1-htx: Don't forget to init flags in h1_format_htx_msg function
- BUG/MEDIUM: h3: do not overwrite interim with final response
- BUG/MINOR: h3: properly realloc buffer after interim response encoding
- BUG/MINOR: h3: ensure that invalid status code are not encoded (FE side)
- MINOR: qmux: change API for snd_buf FIN transmission
- BUG/MEDIUM: h3: handle interim response properly on FE side
- BUG/MINOR: quic: Wrong source address use on FreeBSD
- MINOR: h3: remove unused outbuf in h3_resp_headers_send()
- BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init
- BUG/MINOR: halog: exit with error when some output filters are set
simultaneosly
- BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS
- BUG/MINOR: logs: fix log-steps extra log origins selection
- BUG/MINOR: hq-interop: fix FIN transmission
- BUG/MINOR mux-quic: apply correctly timeout on output pending data
- BUG/MINOR: mux-quic: ensure close-spread-time is properly applied
- CLEANUP: http-client: Remove useless indentation when sending request body
- DOC: list missing global QUIC settings
- BUILD: compat: provide relaxed versions of the MIN/MAX macros
- BUILD: compat: always set _POSIX_VERSION to ease comparisons
- BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr
instead of MAX_SESS_STKCTR
- MINOR: sock: update broken accept4 detection for older hardwares.
- BUG/MEDIUM: ssl: Fix 0rtt to the server
- BUG/MEDIUM: ssl: fix build with AWS-LC
- BUG/MINOR: init: Initialize random seed earlier in the init process
- DOC: management: fix typo in commit f4f93c56
- DOC: config: recommend single quoting passwords
- BUG/MEDIUM: mux-quic: adjust wakeup behavior
- BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX
buffer
3.2.3
- CI: enable USE_QUIC=1 for OpenSSL versions >= 3.5.0
- CI: github: add an OpenSSL 3.5.0 job
- CI: github: update the stable CI to ubuntu-24.04
- BUILD: quic: QUIC build against OpenSSL 3.5 broken
- BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5
- CI: github: update to OpenSSL 3.5.1
- BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits
(OpenSSL 3.5 QUIC API)
- BUG/MINOR: ssl/ocsp: fix definition discrepancies with ocsp_update_init()
- BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle
connections
- BUG/MINOR: http-act: Fix parsing of the expression argument for pause
action
- BUILD/MEDIUM: deviceatlas: fix when installed in custom locations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:24 +0000 (19:46 +0200)]
freetype: Update to version 2.14.1
- Update from version 2.13.3 to 2.14.1
- Update of rootfile
- Changelog
2.14.1
This is an emergency release that fixes a couple of severe bugs introduced in
version 2.14.0 and discovered right after the release;
see issues #1349, #1353, #1354, #1355, and #1356.
2.14.0
IMPORTANT CHANGES
- A new configuration macro `FT_CONFIG_OPTION_USE_HARFBUZZ_DYNAMIC`
is available to load the HarfBuzz library dynamically (in addition
to the standard static and dynamic linking modes); cmake, meson,
and autotools support have been updated accordingly. Using this
new feature makes it possible to avoid the circular dependency
between HarfBuzz and FreeType.
A side effect of this change is that FreeType no longer uses
HarfBuzz header files (if HarfBuzz support is activated).
This code was contributed by Behdad Esfahbod.
- The auto-hinter got new abilities.
. It can now better separate diacritic glyphs from base glyphs at
small sizes by artificially moving diacritics up (or down) if
necessary.
. Tilde accent glyphs get vertically stretched at small sizes so
that they don't degenerate to horizontal lines.
. Diacritics directly attached to a base glyph (like the ogonek in
character 'ę') no longer distort the shape of the base glyph.
These features use a database (which currently has entries for
Unicode characters up to U+FFFF, based on Unicode 17.0), handling
scripts like Latin, Cyrillic, or Greek, but not Arabic or Indic
scripts. FreeType needs to access a proper Unicode character map
(or must be able to construct such a cmap) of a given font to make
this work.
The central algorithm and the foundation of this feature was Craig
White's GSoC 2023 project.
- Bitmap-only TrueType fonts now ignore the `FT_LOAD_NO_BITMAP` flag
and proceed loading bitmaps instead of giving an error. This
behavior is documented and implemented for other bitmap-only
fonts. The flag was always meant to suppress the bitmap strikes
in favor of outlines, not to ban them completely.
IMPORTANT BUG FIXES
- Users of the `TT_CONFIG_OPTION_GPOS_KERNING` configuration option
should update; the 'GPOS' table wasn't correctly validated before
access, which could lead to crashes with malformed font files.
MISCELLANEOUS
- `FT_Set_Var_Design_Coordinates` and `FT_Set_MM_Blend_Coordinates`
now set the `FT_FACE_FLAG_VARIATION` bit in the `face_flag` field
of `FT_Face` (i.e., the macro `FT_IS_VARIATION` returns true) also
if any of the provided coordinates is different from the face's
default value for the corresponding axis, that is, the set up face
is not at its default position.
- `FT_Load_Sfnt_Table` can now also load a font's table directory.
- The TrueType instruction interpreter was optimized to produce a
15% gain in the glyph loading speed.
- Handling of Variation Fonts is now considerably faster, thanks to
contributions by Behdad Esfahbod.
- TrueType and CFF glyph loading speed has been improved by 5-10% on
modern 64-bit platforms as a result of better handling of fixed-
point multiplication.
- The BDF driver now loads fonts 75% faster.
- 'GPOS' kern table handling (if the `TT_CONFIG_OPTION_GPOS_KERNING`
configuration option is active) is now about 3.5 times faster than
before.
- Support for the (currently undocumented) 'flip' graphic type in
the 'sbix' SFNT table as used in the `Apple Color Emoji.ttc` font
(code provided by Andrew Murray).
- `ftmulti` can now scroll through named instances and gracefully
show static fonts.
- The build file on OpenVMS now also creates a 32-bit version of the
library.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:23 +0000 (19:46 +0200)]
ethtool: Update to version 6.15
- Update from version 6.9 to 6.15
- Update of rootfile
- Changelog
6.15
* Feature: support OR-XOR symmetric RSS hash type (-x/-X)
* Feature: dump registers for hibmcge driver (-d)
* Feature: configure header-data split threshold (-g/-G)
* Feature: dump registers for fbnic driver (-d)
* Feature: JSON output for channels info (-l)
* Fix: incorrect data in appstream metainfo XML
* Fix: prevent potential null pointer dereferences
* Fix: more consistent and better parseable per lane signal info (-d)
6.14
* Feature: list PHYs (--show-phys)
* Feature: target a specific PHY with some commands (--phy)
* Feature: more attributes for C33 PSE (--show-pse, --set-pse)
* Feature: source information for cable tests (--cable-test[-tdr])
* Feature: JSON output for module info (-m)
* Feature: misc RSS hash info improvements (-x)
* Feature: tsinfo hwtstamp provider (--{get,set}-hwtimestamp-cfg)
* Fix: fix wrong auto-negotiation state (no option)
* Fix: more explicit RSS context action (-n)
* Fix: print PHY address as decimal (no option)
* Fix: fix return value on flow hashing error (-N)
* Fix: fix JSON output for IRQ coalescing
* Fix: fix MDI-X info output (no option)
* Misc: code cleanup in module parsers
* Misc: provide module_info JSON schema
* Misc: add '-j' alias for --json
* Misc: provide AppStream metainfo XML
* Misc: update message descriptions for debugging output
6.11
* Feature: cmis: print active and inactive firmware versions
* Feature: flash transceiver module firmware (--flash-module-firmware)
* Feature: add T1BRR 10Mb/s mode to link mode tables
* Feature: support for disabling netlink from command line
* Fix: fix lanes parameter format specifier
* Fix: add missing clause 33 PSE manual description
* Fix: qsf: Better handling of Page A2h netlink read failure
* Fix: rss: retrieve ring count using ETHTOOL_GRXRINGS ioctl (-x)
* Misc: man page formatting fix
6.10
* Feature: suport for PoE in PSE (--show-pse and --set-pse)
* Feature: add statistics support to tsinfo (-T)
* Feature: add JSON output to base command (no option)
* Feature: add JSON output to EEE info (--show-eee)
* Fix: qsfp: better handling on page 03h read failure (-m)
* Fix: handle zero arguments for module eeprom dump (-m)
* Fix: check for missing arguments in do_srxfh() (-X)
* Misc: compiler warnings in "make check"
* Misc: more descriptive error when JSON output is not available
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 15:47:27 +0000 (17:47 +0200)]
cmake: Add patch to avoid using undocumented type for CURLOPT_PROXYTYPE values
- Update of rootfile
- With the new update of curl changes were made to CURLOPT which resulted in cmake using
an undocumented type.
- This patch has been merged in the cmake git repo and will become available in version
cmake-4.1.2 so the patch will be able to be removed when that version is released
and updated in IPFire.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 15:47:25 +0000 (17:47 +0200)]
curl: Update to version 8.16.0
- Update from version 8.15.0 to 8.16.0
- Update of rootfile
- Changelog
8.16.0
changes:
o build: bump minimum required mingw-w64 to v3.0 (from v1.0) [33]
o curl: add --follow [129]
o curl: add --out-null [101]
o curl: add --parallel-max-host to limit concurrent connections per host [81]
o curl: make --retry-delay and --retry-max-time accept decimal seconds [112]
o hostip: cache negative name resolves [175]
o ip happy eyeballing: keep attempts running [80]
o mbedtls: bump minimum version required to 3.2.0 [180]
o multi: add curl_multi_get_offt [56]
o multi: add CURLMOPT_NETWORK_CHANGED to signal network changed [84]
o netrc: use the NETRC environment variable (first) if set [70]
o smtp: allow suffix behind a mail address for RFC 3461 [127]
o tls: make default TLS version be minimum 1.2 [71]
o tool_getparam: add support for `--longopt=value` [69]
o vquic: drop msh3 [8]
o websocket: support CURLOPT_READFUNCTION [193]
o writeout: add %time{} [74]
bugfixes:
o _PROTOCOLS.md: mention file:// is only for absolute paths [102]
o acinclude: --with-ca-fallback only works with OpenSSL [217]
o alpn: query filter [104]
o ares: destroy channel on shutdown [178]
o ares: use `ares_strerror()` to retrieve error messages [236]
o asyn-thrdd: fix --disable-socketpair builds [235]
o asyn-thrdd: fix Curl_async_pollset without socketpair [205]
o asyn-thrdd: fix no `HAVE_GETADDRINFO` builds [214]
o asyn-thrdd: manage DEFERRED and locks better [228]
o autotools: make curl-config executable [253]
o aws-lc: do not use large buffer [250]
o BINDINGS.md: add LibQurl [156]
o bufq: add integer overflow checks before chunk allocations [108]
o bufq: removed "Useless Assignment" [188]
o bufq: simplify condition [207]
o build: allow libtests/clients to use libcurl dependencies directly [87]
o build: disable `TCP_NODELAY` for emscripten [176]
o build: enable _GNU_SOURCE on GNU/Hurd [27]
o build: extend GNU C guards to clang where applicable, fix fallouts [61]
o build: fix build errors/warnings in rare configurations [7]
o build: fix disable-verbose [48]
o build: fix mingw-w64 version guard for mingw32ce [124]
o build: if no perl, fix to use the pre-built hugehelp, if present [144]
o build: link to Apple frameworks required by static wolfSSL [40]
o build: support LibreSSL native crypto lib with ngtcp2 1.15.0+ [209]
o build: tidy up compiler definition for tests [37]
o cf-https-connect: delete unused declaration [15]
o clang-tidy: disable `clang-analyzer-security.ArrayBound` [265]
o cmake: `CURL_CA_FALLBACK` only works with OpenSSL [215]
o cmake: capitalize 'Rustls' in the config summary
o cmake: defer building `unitprotos.h` till a test target needs it [75]
o cmake: define `WIN32_LEAN_AND_MEAN` for examples [159]
o cmake: drop redundant unity mode for `curlinfo` [155]
o cmake: enable `-Wall` for MSVC 1944 [128]
o cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
o cmake: fix setting LTO properties on the wrong targets [258]
o cmake: fix to disable Schannel and SSPI for non-Windows targets
o cmake: fix to restrict `SystemConfiguration` to macOS [139]
o cmake: honor `CMAKE_C_FLAGS` in test 1119 and 1167 [206]
o cmake: improve error message for invalid HTTP/3 MultiSSL configs [187]
o cmake: keep websockets disabled if HTTP is disabled
o cmake: make `runtests` targets build the curl tool [32]
o cmake: make the ExternalProject test work [183]
o cmake: omit linking duplicate/unnecessary libs to tests & examples [45]
o cmake: re-add simple test target, and name it `tests` [142]
o cmake: set `CURL_DIRSUFFIX` automatically in multi-config builds [154]
o CODE_STYLE: sync with recent `checksrc.pl` updates [49]
o config-win32.h: do not use winsock2 `inet_ntop()`/`inet_pton()` [58]
o configure: if no perl, disable unity and shell completion, related tidy ups
[137]
o configure: tidy up internal names in ngtcp2 ossl detection logic [212]
o connectdata: remove primary+secondary ip_quadruple [126]
o connection: terminate after goaway [62]
o contrithanks: fix for BSD `sed` tool [98]
o cookie: don't treat the leading slash as trailing [185]
o cookie: remove expired cookies before listing [158]
o curl-config: remove X prefix use [138]
o curl/system.h: fix for GCC 3.3.x and older [38]
o curl: make the URL indexes 64 bit [117]
o curl: tool_read_cb fix of segfault [18]
o curl_addrinfo: drop workaround for old-mingw [14]
o curl_easy_ssls_export: make the example more clear [78]
o curl_fnmatch, servers: drop local macros in favour of `sizeof()` [21]
o curl_mime_data_cb.md: mention what datasize is for [107]
o curl_ossl: extend callback table for nghttp3 1.11.0 [46]
o curl_setup.h: include `stdint.h` earlier [260]
o curl_setup.h: move UWP detection after `config-win32.h` (revert) [51]
o curl_setup.h: move UWP detection after `config-win32.h` [23]
o CURLINFO_FILETIME*.md: correct the examples [242]
o CURLOPT: bump `CURL_REDIR_*` macros to `long` [110]
o CURLOPT: bump `CURL_SSLVERSION_*` macros to `long` [149]
o CURLOPT: bump `CURLALTSVC_*` macros to `long` [96]
o CURLOPT: bump `CURLFTP*` enums to `long`, drop casts [54]
o CURLOPT: bump `CURLHEADER_*` macros to `long`, drop casts [94]
o CURLOPT: bump `CURLPROTO_*` macros to `long` [148]
o CURLOPT: bump `CURLPROXY_*` enums to `long`, drop casts [95]
o CURLOPT: bump `CURLWS_NOAUTOPONG`, `CURLWS_RAW_MODE` macros to `long` [150]
o CURLOPT: bump remaining macros to `long` [147]
o CURLOPT: drop redundant `long` casts [55]
o CURLOPT: replace `(long)` cast with `L` suffix for `CURLHSTS_*` macros
o CURLOPT_HTTP_VERSION: mention new default value [179]
o CURLOPT_SSL_CTX_*: replace the base64 with XXXX [171]
o delta: fix warnings, fix for non-GNU `date` tool [99]
o DEPRECATE.md: drop old OpenSSL versions [266]
o DEPRECATE.md: drop support for c-ares versions before 1.16.0 [191]
o DEPRECATE.md: drop support for Windows XP/2003 [31]
o DEPRECATE.md: remove leftover "nothing" [57]
o DISTROS.md: add Haiku [39]
o docs/cmdline-opts: the auth types are not mutually exclusive [103]
o docs: add CURLOPT type change history, drop casts where present [143]
o docs: add major incident section to vuln disclosure policy [271]
o docs: fix link CONTRIBUTE.md link [192]
o docs: fix name in curl_easy_ssls_export man page [12]
o docs: fix typo (staring -> starting) [211]
o docs: point two broken links to archive.org [134]
o docs: put `<>` within backticks in titles [261]
o doh: rename symbols to avoid collision with mingw-w64 headers [66]
o easy handle: check validity on external calls [28]
o examples: drop long cast for `CURLALTSVC_*`
o examples: make `CURLPIPE_MULTIPLEX` fallback `long` [233]
o examples: remove base64 encoded chunks from examples [189]
o examples: remove href_extractor.c [186]
o ftp: store dir components as start+len instead of memdup'ing [198]
o ftp: use 'conn' instead of 'data->conn' [208]
o gnutls: fix building with older supported GnuTLS versions [241]
o gnutls: some small cleanups [41]
o hmac: return error if init fails [2]
o hostip: do DNS cache pruning in milliseconds [132]
o HTTP3.md: avoid `configure` issue for ngtcp2 1.14.0+ compatibility [182]
o http: const up readonly H2_NON_FIELD [10]
o http: do the cookie list access under lock [270]
o http: silence `-Warray-bounds` with gcc 13+ [44]
o idn: reject conversions that end up as a zero length hostname [273]
o inet_pton, inet_ntop: drop declarations when unused [59]
o lib1560: fix memory leak when run without UTF-8 support [17]
o lib1560: replace an `int` with `bool` [97]
o lib2700: use `testnum` [151]
o lib517: use `LL` 64-bit literals & re-enable a test case (`time_t`) [100]
o lib: drop `UNUSED_PARAM` macro [259]
o libcurl: reset rewind flag in curl_easy_reset() [184]
o libssh: Use sftp_aio instead of sftp_async for sftp_recv [92]
o libtests: update format strings to avoid casts, drop some macros [109]
o libtests: use `FMT_SOCKET_T`, drop more casts [136]
o managen: reset text mode at end of table marker [145]
o mbedtls: check for feature macros instead of version [166]
o mdlinkcheck: handle links with a leading slash properly [195]
o memanalyze: fix warnings [22]
o memory: make function overrides work reliably in unity builds [93]
o multi event: remove only announced [25]
o multi: don't insert a node into the splay tree twice [68]
o multi: fix assert in multi_getsock() [53]
o multi: fix bad splay management [133]
o multi: process pending, one by one [90]
o multi: replace remaining EXPIRE_RUN_NOW [67]
o multissl: initialize when requesting a random number [30]
o ngtcp2: extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0 [47]
o ngtcp2: handshake timeout should be equal to --connect-timeout [262]
o ngtcp2: use custom mem funcs [204]
o openldap: fix `-Wtentative-definition-compat` [268]
o openssl: add and use `HAVE_BORINGSSL_LIKE` internal macro [222]
o openssl: add and use `HAVE_OPENSSL3` internal macro [223]
o openssl: assume `OPENSSL_VERSION_NUMBER` [181]
o openssl: auto-pause on verify callback retry [167]
o openssl: check SSL_write() length on retries [152]
o openssl: clear errors after a failed `d2i_X509()` [161]
o openssl: drop more legacy cruft [224]
o openssl: drop redundant `HAVE_OPENSSL_VERSION` macro [221]
o openssl: drop redundant version check [246]
o openssl: drop single-use interim macro `USE_OPENSSL_SRP` [201]
o openssl: enable `HAVE_KEYLOG_CALLBACK` for AWS-LC [220]
o openssl: merge two `#if` blocks [218]
o openssl: output unescaped utf8 x509 issuer/subject DNs [169]
o openssl: remove legacy cruft, document macro guards [231]
o openssl: save and restore OpenSSL error queue in two functions [172]
o openssl: some small cleanups [42]
o openssl: split cert_stuff into smaller sub functions [72]
o openssl: sync an AWS-LC guard with BoringSSL [199]
o openssl: use `RSA_flags()` again with BoringSSL [219]
o parallel-max: bump the max value to 65535 [86]
o parsedate: make Curl_getdate_capped able to return epoch [229]
o processhelp.pm: fix to use the correct null device on Windows [164]
o processhelp.pm: use `Win32::Process*` perl modules if available [200]
o projects: drop unused logic from `generate.bat` [157]
o projects: fix Windows project 'clean' function [203]
o pytest: add SOCKS tests and scoring [9]
o pytest: fix test_17_09_ssl_min_max for BoringSSL [197]
o pytest: increase server KeepAliveTimeout [26]
o pytest: relax error check on test_07_22 [16]
o resolving: dns error tracing [196]
o runtests: assume `Time::HiRes`, drop Perl Win32 dependency [163]
o runtests: remove warning message [230]
o runtests: replace `--ci` with `--buidinfo`, show OS/Perl version again [247]
o runtests: show still running tests when nothing has happened for a while [227]
o schannel: add an error message for client cert not found [165]
o schannel: assume `CERT_CHAIN_REVOCATION_CHECK_CHAIN` [114]
o schannel: drop fallbacks for 4 macros [121]
o schannel: drop fallbacks for unused `BCRYPT_*` macros [122]
o schannel: drop old-mingw special case [77]
o schannel: fix recent update for mingw32ce [123]
o schannel: fix renegotiation [202]
o schannel: improve handshake procedure [239]
o schannel: not supported with UWP, drop redundant code [105]
o schannel: use if(result) like the code style says [125]
o scripts: enable strict warnings in Perl where missing, fix fallouts [63]
o scripts: fix two Perl uninitialized value warnings [60]
o sendf: getting less data than "max allowed" is okay [170]
o servers: convert two macros to scoped static const strings [89]
o setopt: refactor out the booleans from setopt_long to setopt_bool [83]
o setopt: split out cookielist() and cookiefile() [130]
o socks: do_SOCKS5: Fix invalid buffer content on short send [43]
o socks_sspi: simplify, clean up Curl_SOCKS5_gssapi_negotiate [237]
o spacecheck.pl: when detecting unicode, mention line number [85]
o spacecheck: warn for 3+ empty lines in a row, fix fallouts [240]
o spelling: file system [232]
o test1148: drop redundant `LC_NUMBER=` env setting [13]
o test1557: pass `long` type to `multi_setopt()` [234]
o test1560: set locale/codeset with `LC_ALL` (was: `LANG`), test in CI [19]
o test1560: skip some URLs if UTF-8 is not supported [34]
o test1: raise alloc limits [11]
o test428: re-enable for Windows [5]
o test436: fix running on Windows with `_curlrc` present [153]
o test: add `cygwin` feature and use it (test 1056, 1517) [249]
o tests/ech_tests.sh: indent, if/for style, inline ifs [131]
o tests: constify command-line arguments [82]
o tests: delete unused commands [177]
o tests: drop unused `BLANK` envs, unset `CURL_NOT_SET` [248]
o tests: drop unused `CURL_FORCEHOST` envs [36]
o tests: fix perl warnings in http2-server, http3-server [119]
o tests: fix prechecks to call the bundle libtest tool [120]
o tests: fix UTF-8 detection, per-test `LC_*` settings, CI coverage [6]
o tests: merge clients into libtests, drop duplicate code [76]
o tests: remove the QUIT filters [210]
o tests: set `CURL_ENTROPY` per test, not globally [35]
o tests: unset some envs instead of blanking them [4]
o threaded-resolver: fix shutdown [252]
o tidy-up: `Curl_thread_create()` callback return type [20]
o tidy-up: move literal to the right side of comparisons [65]
o tidy-up: prefer `ifdef`/`ifndef` for single checks [64]
o tls: CURLINFO_TLS_SSL_PTR testing [79]
o TODO: remove session export item [194]
o TODO: remove the expand ~ idea [216]
o tool_cb_wrt: stop alloc/free for every chunk windows console output [140]
o tool_filetime: accept setting negative filetime [256]
o tool_getparam: let --trace-config override -v [238]
o tool_getparam: warn on more unicode prefixes [275]
o tool_operate: avoid superfluous strdup'ing output [1]
o tool_operate: use stricter curl_multi_setopt() arguments [225]
o tool_operate: use the correct config pointer [115]
o tool_paramhlp: fix secs2ms() [116]
o tool_parsecfg: use dynbuf for quoted arguments [162]
o tool_urlglob: add integer overflow protection [244]
o tool_urlglob: polish, cleanups, improvements [141]
o typecheck-gcc: add type checks for curl_multi_setopt() [226]
o unit-tests: build the unitprotos.h from here [73]
o unit2604: avoid `UNCONST()` [135]
o URL-SYNTAX.md: drop link to codepoints.net to pass linkcheck [190]
o urlapi: allow more path characters "raw" when asked to URL encode [146]
o urldata: reduce two long struct fields to unsigned short [174]
o urlglob: only accept 255 globs
o vquic-tls: fix SSL backend type for QUIC connections using gnutls [29]
o vquic: replace assert [254]
o vquic: use curl_getenv [168]
o vtls: set seen http version on successful ALPN [160]
o websocket example: cast print values to unsigned int [251]
o websocket: handling of PONG frames [213]
o websocket: improve handling of 0-len frames [269]
o websocket: reset upload_done when sending data [245]
o windows: assume `ADDRESS_FAMILY`, drop feature checks [88]
o windows: document toolchain support for `CERT_NAME_SEARCH_ALL_NAMES_FLAG`
o windows: document toolchain support for some macros (cont.) [111]
o windows: document toolchain support for some macros [113]
o windows: drop `CRYPT_E_*` macro fallbacks, limit one to mingw32ce [118]
o windows: drop two interim, single-use macros [106]
o windows: drop unused `curlx/version_win32.h` includes [52]
o windows: fix `if_nametoindex()` detection with autotools, improve with
cmake [24]
o windows: include `wincrypt.h` before `iphlpapi.h` for mingw-w64 <6 [50]
o windows: target version macro tidy-ups [3]
o wolfssl: rename ML-KEM hybrids to match IETF draft [173]
o write-out.md: header_json is not included the json object [243]
o ws: avoid NULL pointer deref in curl_ws_recv [91]
o ws: get a new mask for each new outgoing frame [255]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 12:07:24 +0000 (14:07 +0200)]
wio: Update openvpn.pid to openvpn-rw.pid
- This change was needed together with the log file name change to have wio show the
openvpn statuses.
- Tested and confirmed on my vm testbed.
- Will leave it to be decided if this gets merged into CU197 Testing or waits for CU198
Either is fine for me.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 15 Sep 2025 10:17:01 +0000 (12:17 +0200)]
ovpnmain.cgi: Never write ncp-disable
This was some compatibility code which was supposed to help us with the
transition towards NCP. Since we are now on OpenVPN 2.6, this version no
longer supports the "ncp-disable" switch and we cannot write it to the
configuration any more. There should always be a default value for data
ciphers.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 08:56:33 +0000 (10:56 +0200)]
python3: Remove bundled setuptools
- python3-pillow was finding the bundled setuptools version 63.2.0 and not the
installed version of 80.9.0 and the bundled version failed the pillow requirement of
>=77
- The bundled version install can not be disabled so this patch removes all the
setuptools directories at the end of the python3 install so that only the IPFire
installed version of setuptools will be available.
- This resolved the problem of python3-pillow failing to build
- The bundled setuptools has been removed in python-3.12 so when that version is
released in IPFire the removal lines added in this patch will be able to be removed.
- The removal of the bundled version of setuptools also caused changes in the rootfiles
of 6 other python modules, so it looks like those were also building with the older
bundled version but had no version requirement failure. This patch set also includes
the changed rootfiles for each of those packages.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 14 Sep 2025 10:01:34 +0000 (12:01 +0200)]
ovpnmain.cgi: Manually push a different gateway for static pools
This is because in "topology subnet", ifconfig-push is massively broken.
The client is not able to configure any routes correctly by pointing
them to the interface. Instead it is trying to use the gateway address
from the dynamic pool as gateway which cannot be reached if the client
only has an IP address from another subnet. Pushing host routes is not
supported, so we have to create a hack here and pretend that there is a
gateway in the static pool somewhere.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When enabled, named will not modify DNSSEC keys or key states
automatically. The proposed change will be logged and only after manual
confirmation with rndc dnssec -step will the modification be made. [GL
#4606]
Add a new option servfail-until-ready to response-policy zones.
By default, when named is started, it starts answering queries before
all response policy zones are completely loaded and processed. This new
option instructs named to respond with SERVFAIL until all the response
policy zones are processed and ready. Note that if one or more response
policy zones fail to load, named starts responding to queries according
to those zones that did load.
Note, that enabling this option has no effect when a DNS Response
Policy Service (DNSRPS) interface is used. [GL #5222]
Support for parsing HHIT and BRID records has been added.
[GL #5444]
Removed Features
Deprecate the tkey-gssapi-credential statement.
The tkey-gssapi-keytab statement allows GSS-TSIG to be set up in a
simpler and more reliable way than using the tkey-gssapi-credential
statement and setting environment variables (e.g. KRB5_KTNAME).
Therefore, the tkey-gssapi-credential statement has been deprecated;
tkey-gssapi-keytab should be used instead.
For configurations currently using a combination of both
tkey-gssapi-keytab and tkey-gssapi-credential, the latter should be
dropped and the keytab pointed to by tkey-gssapi-keytab should now only
contain the credential previously specified by tkey-gssapi-credential.
[GL #4204]
Obsolete the “tkey-domain” statement.
Mark the tkey-domain statement as obsolete because it has not had any
effect on server behavior since support for TKEY Mode 2
(Diffie-Hellman) was removed (in BIND 9.20.0). [GL #4204]
Bug Fixes
Prevent spurious SERVFAILs for certain 0-TTL resource records.
Under certain circumstances, BIND 9 can return SERVFAIL when updating
existing entries in the cache with new NS, A, AAAA, or DS records that
have a TTL of zero. [GL #5294]
Fix unexpected termination if catalog-zones had undefined
default-primaries.
The issue manifested only if the server was reloaded or reconfigured
twice. [GL #5494]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:10:18 +0000 (22:10 +0200)]
lynis: Update to version 3.1.5
- Update from version 3.1.3 to 3.1.5
- Update of rootfile
- Changelog
3.1.5
Added
- Support for OpenWrt
- Bitdefender detection on Linux
- Detection of openSUSE Tumbleweed-Slowroll
Changed
- Corrected detection of service manager SMF
- Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt
- Check modules also under /usr/lib/modules.d
3.1.4
Changed
- Update of translations: Portuguese
- Add macOS Sequoia
- Update of EOL database
- Bugfix for using slashes in parameters (SafeInput function)
- Simplified copyright line and meta data in files
- Support for powerpc64le in authentication section
- Don't show error "kadmin.local: unable to get default realm"
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:08:14 +0000 (22:08 +0200)]
strace: Update to version 6.16
- Update from 6.12 to 6.16
- Update of rootfile not required
- Changelog
6.16
* Improvements
* Added -N/--arg-names option for printing syscall argument names.
* Implemented setting of system call information using
PTRACE_SET_SYSCALL_INFO ptrace API introduced in Linux 6.16.
* Implemented decoding of SO_RCVPRIORITY and SO_PASSRIGHTS socket options.
* Implemented decoding of RTA_NH_ID and RTA_FLOWLABEL netlink attributes.
* Updated decoding of statx syscall.
* Updated lists of BR_*, CRYPTOCFGA_*, FUTEX2_*, IORING_*, IPSET_*, KVM_*,
MDB_*, NETDEV_*, PR_*, RXRPC_*, SW_*, THERMAL_*, and V4L2_*
constants.
* Updated lists of ioctl commands from Linux 6.16.
6.15
* Improvements
* Implemented decoding of open_tree_attr syscall.
* Implemented decoding of AF_TIPC socket addresses and socket options.
* Updated decoding of statmount syscall.
* Updated lists of AUDIT_*, BPF_*, BTRFS_*, COUNTER_*, FAN_*, FRA_*, IFLA_*,
IORING_*, KVM_*, LANDLOCK_*, PKEY_*, RTPROT_*, TCP_*, and V4L2_* constants.
* Updated lists of ioctl commands from Linux 6.15.
6.14
* Improvements
* Added -e namespace=new option for printing the namespaces entered
by the tracee.
* Implemented decoding of FRA_FLOWLABEL and FRA_FLOWLABEL_MASK netlink
attributes of RTM_{NEW,DEL,GET}RULE NETLINK_ROUTE messages.
* Implemented decoding of RTM_{NEW,DEL}MULTICAST and RTM_{NEW,DEL}ANYCAST
NETLINK_ROUTE messages.
* Updated decoding of statx syscall.
* Updated lists of AT_*, AUDIT_*, ETHTOOL_*, FAN_*, IORING_*, IPPROTO_*,
KEY_*, NL80211_*, RWF_*, and SECBIT_* constants.
* Updated lists of ioctl commands from Linux 6.14.
6.13
* Improvements
* Implemented decoding of getxattrat, setxattrat, listxattrat,
and removexattrat syscalls.
* Updated decoding of struct io_uring_clone_buffers, struct io_uring_napi,
and struct perf_event_attr.
* Updated decoding of crypto_user_alg netlink attributes of NETLINK_CRYPTO.
* Implemented decoding of IFLA_MCTP_PHYS_BINDING netlink attribute.
* Updated lists of AT_*, BPF_*, FAN_*, IORING_*, MADV_*, NT_*, and SCM_*
constants.
* Updated lists of ioctl commands from Linux 6.13.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:08:13 +0000 (22:08 +0200)]
nginx: Update to version 1.29.1
- Update from version 1.26.2 to 1.29.1
- Update of rootfile not required
- One CVE fix in 1.27.4, one CVE fix in 1.27.1, four CVE fixes in 1.27.0
- Changelog
1.29.1
*) Change: now TLSv1.3 certificate compression is disabled by default.
*) Feature: the "ssl_certificate_compression" directive.
*) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.
*) Bugfix: the 103 response might be buffered when using HTTP/2 and the
"early_hints" directive.
*) Bugfix: in handling "Host" and ":authority" header lines with equal
values when using HTTP/2; the bug had appeared in 1.17.9.
*) Bugfix: in handling "Host" header lines with a port when using
HTTP/3.
*) Bugfix: nginx could not be built on NetBSD 10.0.
*) Bugfix: in the "none" parameter of the "smtp_auth" directive.
1.29.0
*) Feature: support for response code 103 from proxy and gRPC backends;
the "early_hints" directive.
*) Feature: loading of secret keys from hardware tokens with OpenSSL
provider.
*) Feature: support for the "so_keepalive" parameter of the "listen"
directive on macOS.
*) Change: the logging level of SSL errors in a QUIC handshake has been
changed from "error" to "crit" for critical errors, and to "info" for
the rest; the logging level of unsupported QUIC transport parameters
has been lowered from "info" to "debug".
*) Change: the native nginx/Windows binary release is now built using
Windows SDK 10.
*) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or
ngx_http_v3_module modules were used.
*) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto
optimization if ngx_http_v3_module was used.
*) Bugfixes and improvements in HTTP/3.
1.27.5
*) Feature: CUBIC congestion control in QUIC connections.
*) Change: the maximum size limit for SSL sessions cached in shared
memory has been raised to 8192.
*) Bugfix: in the "grpc_ssl_password_file", "proxy_ssl_password_file",
and "uwsgi_ssl_password_file" directives when loading SSL
certificates and encrypted keys from variables; the bug had appeared
in 1.23.1.
*) Bugfix: in the $ssl_curve and $ssl_curves variables when using
pluggable curves in OpenSSL.
*) Bugfix: nginx could not be built with musl libc.
Thanks to Piotr Sikora.
*) Performance improvements and bugfixes in HTTP/3.
1.27.4
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache",
"proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and
"uwsgi_ssl_certificate_cache" directives.
*) Feature: the "keepalive_min_timeout" directive.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: QUIC connection might not be established when using 0-RTT;
the bug had appeared in 1.27.1.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
1.27.3
*) Feature: the "server" directive in the "upstream" block supports the
"resolve" parameter.
*) Feature: the "resolver" and "resolver_timeout" directives in the
"upstream" block.
*) Feature: SmarterMail specific mode support for IMAP LOGIN with
untagged CAPABILITY response in the mail proxy module.
*) Change: now TLSv1 and TLSv1.1 protocols are disabled by default.
*) Change: an IPv6 address in square brackets and no port can be
specified in the "proxy_bind", "fastcgi_bind", "grpc_bind",
"memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as
client address in ngx_http_realip_module.
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Bugfix: the "so_keepalive" parameter of the "listen" directive might
be handled incorrectly on DragonFly BSD.
*) Bugfix: in the "proxy_store" directive.
1.27.2
*) Feature: SSL certificates, secret keys, and CRLs are now cached on
start or during reconfiguration.
*) Feature: client certificate validation with OCSP in the stream
module.
*) Feature: OCSP stapling support in the stream module.
*) Feature: the "proxy_pass_trailers" directive in the
ngx_http_proxy_module.
*) Feature: the "ssl_client_certificate" directive now supports
certificates with auxiliary information.
*) Change: now the "ssl_client_certificate" directive is not required
for client SSL certificates verification.
1.27.1
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash
(CVE-2024-7347).
Thanks to Nils Bars.
*) Change: now the stream module handler is not mandatory.
*) Bugfix: new HTTP/2 connections might ignore graceful shutdown of old
worker processes.
Thanks to Kasei Wang.
*) Bugfixes in HTTP/3.
1.27.0
*) Security: when using HTTP/3, processing of a specially crafted QUIC
session might cause a worker process crash, worker process memory
disclosure on systems with MTU larger than 4096 bytes, or might have
potential other impact (CVE-2024-32760, CVE-2024-31079,
CVE-2024-35200, CVE-2024-34161).
Thanks to Nils Bars of CISPA.
*) Feature: variables support in the "proxy_limit_rate",
"fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate"
directives.
*) Bugfix: reduced memory consumption for long-lived requests if "gzip",
"gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
*) Bugfix: nginx could not be built by gcc 14 if the --with-libatomic
option was used.
Thanks to Edgar Bonet.
*) Bugfixes in HTTP/3.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:08:12 +0000 (22:08 +0200)]
mympd: Update to version 22.0.4
- Update from version 21.0.1 to 22.0.4
- Update of rootfile not required
- Changelog
22.0.4
- Upd: Restrict sticker names (forbid equal sign)
- Fix: Really shuffle the playlist #1455
- Fix: Relax search expression validation #1455
- Fix: Alpine packaging
- Fix: Detection of local playback features #1452
22.0.3
- Upd: Create cache und workdir in init script
- Upd: Feature detection for local playback output selection #1452
22.0.2
- Fix: MYMPD_API_JUKEBOX_RESTART requires MPD connection #1448
22.0.1
- Fix: Respect backgroundImage setting #1446
- Fix: Alpine packaging
22.0.0
Notes
- This release enables certificate checking for outgoing https connections. The system CA cert store should be autodetected, open an issue if it fails.
- The startup process of myMPD was reworked. myMPD no longer drops privileges, the included startup scripts are using now the init system to do this.
- The default listening ports are now 8080 for HTTP and 8443 for HTTPS.
API changes
- MYMPD_API_SCRIPT_VERIFY_SIG: new
- MYMPD_API_HOME_WIDGET_IFRAME_SAVE: new
- MYMPD_API_HOME_WIDGET_SCRIPT_SAVE: new
- MYMPD_API_HOME_WIDGET_SAVE: removed
Scripting changes
- Feat: `mympd.tblvalue_in_list()` - Checks a Lua table of tags against a comma separated list.
- Upd: Executing external scripts is now disabled by default.
Changelog
- Feat: iFrames for home screen #1429
- Feat: Feat: Add custom css and js #1428
- Feat: Use system provided ca store for ssl certificate checking #1427
- Feat: Sign and verify scripts from mympd-scripts repository #1426
- Feat: Add trigger `mympd_playlistart`, `mympd_folderart`
- Feat: Sort list of timers and triggers #1425
- Feat: Allow changing output device with local playback #1434
- Upd: Improve "Edit Script"-Layout
- Upd: Bootstrap v5.3.7
- Upd: Mongoose 7.18
- Upd: libmympdclient 1.0.34 (libmpdclient 2.24.0)
- Upd: Incbin
- Upd: Replaced mjson with mongoose implementation
- Fix: Improve MPD search expression validation #1435
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:08:11 +0000 (22:08 +0200)]
mtr: Update to version 0.96
- Update from version 0.95 to 0.96
- Update of rootfile not required
- Changelog
0.96
Merge branch 'traviscross:master' into master
Change UDP and ICMP sockets binding to accept a source IP from the -a CLI option
Adjust MIN_PORT to match other implementations
Handle EHOSTDOWN and refine error handling better granularity
add braille graph support with --displaymode 3
fix legend for braille display
fix documentation/comment for ENABLE_BRAILLE
use addrs for static host ordering in curses
add --max-display-paths option
Add a compact mode in curses
mtr.8.in: spell --mark argument type properly
Fix tiny typo in target
Implement ASN lookups in well-known nat64 prefix
net: implement addrcmp for AF_UNSPEC
Initialize lines to empty string in split mode
Add error code ETIMEOUT(110) handle logic
fixed the sizes passed into snprintf
Allow signed integers in the utils function
Split the strtonum function into two parts to create a better structure
Remove redundant code
Fix https://github.com/traviscross/mtr/issues/475
xml report: remove leading spaces
Set UTF-8 encoding for XML reports
Update Cygwin ICMP service thread for asynchronous pipes
Prevent icmp_socket leak on error
Markus pointed out useless statement.
merged
Merge branch 'master' of github.com:traviscross/mtr
Fixed typo noted by @szczot3k
Changed how conflicitng first/max TTL works.
Increased max probes
Added protection against use of MTR_PACKET under special circumstances
Merge branch 'master' of github.com:traviscross/mtr
Added Arad Cohen to NEWS
Set SO_BINDTODEVICE for -I
Check if SO_BINDTODEVICE is defined
ui: make interactive and non-interactive exit code the same
Add WSL method to Windows Install
Add Ubuntu as specific distribution
Update section title
Github actions added to perform lint and compile
configure.ac: fix broken cap check
Add option to use custom ipinfo provider
Fix Capability Management, Retain CAP_NET_ADMIN
Fix interface binding by retaining CAP_NET_RAW
Linux-Only Interface, Marking, and IP Unit Tests
Annotate `set_privileged_socket_opt` with UNUSED
Drop capabilities when `setsockopt` errors
Fix flake8 linting
Change B101->S101 to reflect flake8
Use a uint32 for the type of a Linux mark
Use Packet Marking for IP Address Selection
Support Hexadecimal Arguments for Packet Marking
ipv6 udp checksums like ipv4 but with ipv6 pseudoheader
fix typo
Merge branch 'master' into compact-layout
Add help info for option -E
Brought an unlikely privilege escalation scenario to my attention.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:08:09 +0000 (22:08 +0200)]
frr: Update to version 10.4.1
- Update from version 10.3.1 to 10.4.1
- Update of rootfile
- Changelog
10.4.1
bgpd: initialize local variable (backport #19233)
ospfd: Use after free cleanup of lsa (backport #19224)
vtysh: copy config from file should actually apply (backport #19242)
Revert PR #18358: BGP evpn testing and bug fixes related to non default EVPN
backbone (backport #19241)
topotests: improve embedded RP test reliability (backport #19240)
lib, zebra: mark singleton nexthops inactive/active on link state changes for
wecmp (backport #18947)
bgpd: LL next-hop capabilty fixes (backport #19261)
eigrp: validate hello packets and tlvs better (backport #19251)
bgpd : Fix compilation error in bgpd module: Update TP_ARGS for bgp
(backport #19266)
bgpd: Ensure addpath does not withdraw selected route in some situations
(backport #19210)
bgpd: [GR] fixed selectionDeferralTimer to display select_defer_time val (#19282)
bgpd: LL next-hop capabilty fixes (round 2) (backport #19277)
lib: compute link-state zapi message size (backport #19290)
zebra: Fix buffer overflows found by fuzzing. (backport #19303)
10.4.0
New Features Highlight
BGP BFD Strict-Mode
neighbor PEER bfd strict [hold-time N]
BGP Link-Local Next Hop Capability (draft-ietf-idr-linklocal-capability)
neighbor PEER capability link-local
BGP Transparent mode
neighbor PEER ip-transparent
BGP Next Hop Dependent Characteristics Attribute (draft-ietf-idr-entropy-label)
neighbor PEER send-nexthop-characteristics
IGMP and MLD group/source limits
ip igmp max-groups
ip igmp max-sources
ipv6 mld max-groups
ipv6 mld max-sources
PIM dense and sparse-dense mode support (RFC3973)
new interface mode: dense ip pim dm
new interface mode: sparse-dense ip pim sm-dm
IGMPv2/MLDv1 immediate leave
v4-via-v6 nexthop support for static routes
Timeout for vtysh
exec-timeout
Discover PREF64 in Router Advertisements (RFC8781)
ipv6 nd nat64
What's Changed
bgpd: Do not start BGP session if BGP identifier is not set
by @ton31337 in #17959
bgpd: fix add label support to EVPN AD routes by @pguibert6WIND in #17985
isisd: 'tiebreaker' command line funtionality is inconsistent with its
implementation by @baozhen-H3C in #16593
bgpd: Send non-transitive extended communities from/to OAD peers
by @ton31337 in #17896
Add bgpevpn route type-2 route map filter tests by @lsang6WIND in #17918
lib: Remove System routes from ip protocol route map choices
by @donaldsharp in #17953
staticd: Add CLI to support steering of IPv4 traffic over SRv6 SID list
by @cscarpitta in #17988
Fpm problems by @donaldsharp in #17962
bgpd: Fix up memory leak in processing eoiu marker by @donaldsharp in #18000
doc: fix sbfd.rst doc warnings by @forrestchu in #18018
Nexthop leak by @donaldsharp in #18014
lib: actually hash all 16 bytes of IPv6 addresses, not just 4
by @eqvinox in #17901
bgpd: add L2 attr community support as per RFC8214 by @pguibert6WIND
in #17987
tests: Remove improper pymark by @donaldsharp in #18025
tools: Add some more support bundle commands by @donaldsharp in #18029
Coverity 2024 new hotness by @donaldsharp in #17865
pimd: fix memory leak and assign allocation type by @rzalamena in #18038
isisd: Do not leak a linked list in the circuit by @donaldsharp in #18033
pimd: Fix for FHR mroute taking longer to age out by @routingrocks in #14105
pimd: fix DR election race on startup by @rzalamena in #18048
bgpd: rfapi: fix mem leak when killed by @gpziemba in #18045
bgpd: Implement Link-Local Next Hop capability by @ton31337 in #17871
Fix journald logging via "log stdout" by @gromit1811 in #17775
babeld: Improve code clarity and maintainability by @y-bharath14 in #18077
bgpd: fix for the validity and the presence of prefixes in the BGP VPN
table. by @louis-6wind in #17370
bgpd: Show internal data for BGP routes by @ton31337 in #17870
isisd: Remove unneeded modify functions by @donaldsharp in #18034
bgpd: fix bgp vrf instance creation from implicit by @chiragshah6 in #18081
lib: crash handlers must be allowed on threads by @eqvinox in #18060
Bmp bgp open router id and as val by @pguibert6WIND in #18037
nhrpd: fix dont consider incomplete L2 entry by @pguibert6WIND in #18078
bgpd: Request SRv6 locator after zebra connection by @cscarpitta in #18069
zebra: Allow fpm_listener to continue to try to read by @donaldsharp
in #18049
lib (+bfd): improve late timer warnings by @eqvinox in #18094
bgpd: Do not check for capability length for Link-Local Next Hop
capability by @ton31337 in #18068
Cid 1636504 by @pguibert6WIND in #18062
Bfd fixups by @donaldsharp in #18026
tests: clear -Wcalloc-transposed-args warnings by @ariel-anieli in #17649
bfdd: 0 is a valid fd. by @donaldsharp in #18125
yang: Reorder the revision statements by @y-bharath14 in #18118
bgpd: fix incorrect JSON in bgp_show_table_rd by @louis-6wind in #18120
pimd,pim6d: implement GMP group / source limits by @rzalamena in #18032
ospfd: Replace LSDB callbacks with LSA Update/Delete hooks.
by @aceelindem in #18046
bgpd: Fix crash in bgp_labelpool by @donaldsharp in #18079
lib: fix false context information for SRv6 route by @pguibert6WIND in #18023
staticd: Fix SRv6 SID installation and deletion by @cscarpitta in #18064
Vrf tableid debugs by @donaldsharp in #18142
bgpd: Some fixes/improvements for Link-Local Next Hop capability
by @ton31337 in #18080
bgpd: release manual vpn label on instance deletion by @louis-6wind in #18121
watchfrr: Allow -w option to be ignored by @donaldsharp in #18127
bgpd: factorize bgp_table_cleanup() by @louis-6wind in #18122
bgpd: When removing the prefix list drop the pointer by @donaldsharp
in #18160
sharpd: add crashme commands by @eqvinox in #18163
isisd: Request SRv6 locator after zebra connection by @cscarpitta in #18178
bgpd: fix vty output of evpn route-target AS4 by @mjstapp in #18109
tests: Fix intermittent failures in srv6_encap_src_addr topotest
by @cscarpitta in #18187
yang: Default value for a key leaf to be ignored by @y-bharath14 in #18139
tools: add logfmt option for frr-reload.py by @gtataranni in #16796
lib: nb: call child destroy CBs when YANG container is deleted
by @choppsv1 in #18082
isisd, lib: add some codepoints usually shared with other vendors
by @pguibert6WIND in #17957
Use ipv4 class E addresses (240.0.0.0/4) as connected routes by default
by @davischw in #18095
doc: correct ip rip split-horizon command in the documentation
by @Shbinging in #18189
staticd: Failed to register nexthop after networking restart
by @Pdoijode in #18164
pimd,pim6d: support IGMPv2/MLDv1 immediate leave by @rzalamena in #18111
zebra: Do not flush an existing vni configuration trying to remove wrong
vni by @ton31337 in #18108
pimd: filter neighbors by address by @rzalamena in #17914
tests: Remove warning about passive command by @donaldsharp in #18197
bgpd: Fix another crash in orf by @donaldsharp in #18194
pimd: Fix for data packet loss when FHR is LHR and RP by @routingrocks
in #14227
pimd: During prefix-list update, behave as PIM_UPSTREAM_NOTJOINED sta…
by @routingrocks in #17666
*: Remove unneeded IPV6_JOIN|LEAVE_GROUP by @donaldsharp in #18213
yang: Corrected Pyang errors or warnings by @y-bharath14 in #18218
doc: update mgmtd list of converted by @choppsv1 in #18223
tests: add docstrings to frontend mgmtd client by @choppsv1 in #18224
bgpd: remove dmed check not required in bestpath selection
by @donaldsharp in #18210
Fix oper-state queries that involve choice/case nodes by @choppsv1 in #18231
zebra: Add operational retrieval of Multipath Number by @donaldsharp
in #18236
pim: Fix autorp group joins by @nabahr in #18225
pim: Fix vrf binding of autorp and mroute socket by @nabahr in #18226
pimd: Fix PIM VRF support (send register/register stop in VRF)
by @gromit1811 in #18216
Drop unused code by @dksharp5 in #18243
bgpd: fix default instance when leaving the hidden state. by @louis-6wind
in #18119
ripd: fix no ip rip split-horizon poisoned-reverse command by @Shbinging
in #18256
staticd: Fix crash because registering unknown vrf by @donaldsharp in #18235
staticd: Add support for SRv6 uA behavior by @cscarpitta in #18198
fabricd: add option to treat dummy interfaces as loopback interfaces
by @kaffarell in #18242
support pre-built oper state in libyang tree by @choppsv1 in #18237
tests: Fixed input dict at create_router_bgp by @y-bharath14 in #18261
ospf6d: Fix use after free of router in OSPFv3 ABR route calculation.
by @aceelindem in #18254
staticd: Do not log uninitialized nexthop variable by @cscarpitta in #18271
lib: Prevent crash in getting label chunk by @donaldsharp in #18270
mgmtd: Prevent use after free by @donaldsharp in #18264
Bgp ecommlist count by @pguibert6WIND in #18159
staticd: Add no form for static-sids command by @cscarpitta in #18263
pimd: fix null memory access on IGMP source limit by @rzalamena in #18285
tools: Fix frr-reload.py error related to static-sids by @cscarpitta
in #18290
staticd: Fix no srv6 command by @cscarpitta in #18289
isisd: Correct edge insertion into TED by @odd22 in #18294
zebra: reduce memory usage by streams when redistributing routes
by @fdumontet6WIND in #18030
bgpd: Do not advertise aggregate routes to contributing ASes
by @ton31337 in #17961
Allow retrieval of v4/v6 forwarding state via NB by @dksharp5 in #18253
Vpn prefix aggregate export and accept by @pguibert6WIND in #18301
bfdd: Add "log-session-changes" command to BFD configuration and
operational state via YANG Northbound API. by @aceelindem in #18306
yang: Imported modules are not in use by @y-bharath14 in #18293
lib: Correct handling of /frr-vrf:lib/vrf/state/active by @donaldsharp
in #18268
configure.ac: fix sed failure on FreeBSD by @rzalamena in #18310
More connection cleanup by @donaldsharp in #18195
doc: don't override automake builtin targets by @qlyoung in #18319
lib: Document --command-log-always in help by @donaldsharp in #18313
zebra: Bring up 514 BGP neighbor sessions by @soumyar-roy in #18214
pimd: Fix PIM6 MLD VRF support (use recvmsg() pktinfo) by @gromit1811
in #18315
bgpd: Fix dead code in bgp_route.c #1637664 by @donaldsharp in #18327
Revert "bgpd: Make keepalive pthread be connection based."
by @donaldsharp in #18337
Documentation typesafe by @donaldsharp in #18338
tests: bgp_evpn_route_map_match fix invalid escape sequence
by @donaldsharp in #18344
lib: use memcpy in bf_copy by @karthikeyav in #18335
Topotest startup order by @donaldsharp in #18348
ospfd: minor change for style by @anlancs in #18342
Clean up some code and bad assumptions in zebra by @donaldsharp in #18346
tests: Fixed NameError at bmpserver.py by @y-bharath14 in #18362
zebra: fix table heap-after-free crash by @louis-6wind in #16614
zebra: Fix neigh delete causing heap-use-after-free error
by @routingrocks in #18336
Revert "bgpd: upon if event, evaluate bnc with matching nexthop"
by @donaldsharp in #18368
staticd: Install known nexthops upon connection with zebra
by @donaldsharp in #18367
Add Testing for community and Extended community match limit zero
by @pguibert6WIND in #18366
bgpd: Show bgp shouldn't display peers in groups by @donaldsharp in #18380
yang: Fixed pyang errors at frr-bgp-common.yang by @y-bharath14 in #18388
isisd: fix bit flag collision in options field by @kaffarell in #18377
Fix bug with oper-state queries including list node by @choppsv1 in #18383
zebra: ensure proper return for failure for Sid allocation
by @raja-rajasekar in #18360
ospf6d: Disable and delete OSPFv3 areas that no longer have interfaces or
configuration. by @aceelindem in #18393
bgpd: Remove unnecessary stream_new/stream_copies in bgp_open_make
by @donaldsharp in #18395
zebra: add ability to specify output file with fpm_listener
by @donaldsharp in #18394
bgpd: Fixed crash upon bgp network import-check command by @Manpreet-k0
in #18387
lib: suppress libyang logs during expected error result by @choppsv1
in #18384
2 unit-test fixes by @choppsv1 in #18399
bgpd: Do not keep stale paths in Adj-RIB-Out if not addpath aware
by @ton31337 in #18275
bgpd, zebra, tests: disable rtadv when bgp instance unconfiguration.
by @dmytroshytyi-6WIND in #18364
fix(vrrp): display vrrp version by default by @echkenluo in #18407
bgpd: Print the real reason why the peer is not accepted (incoming)
by @ton31337 in #18410
tests: Corrected input dict at pim.py by @y-bharath14 in #18414
More yang state by @donaldsharp in #18349
babled: reset wired/wireless internal only when wired/wireless status
changed by @Shbinging in #18413
doc: Modify typesafe documentation by @donaldsharp in #18419
ripngd: Access and Prefix lists are being leaked on shutdown
by @donaldsharp in #18418
zebra: Fix reinstalling nexthops in NHGs upon interface flaps
by @raja-rajasekar in #18374
RedHat: Fixing for PR17793 - Allow RPM build without docs and/or rpki
by @mwinter-osr in #18426
lib: Create VRF if needed by @nabahr in #18430
bgpd: fix "delete in progress" flag on default instance by @lsang6WIND
in #18412
Fix topotest to wait for zebra connection by @donaldsharp in #18432
bgpd: Fix leaked memory when showing some bgp routes by @donaldsharp
in #18435
Fpm listener reject by @donaldsharp in #18431
topotests: Add EVPN RT5 multipath flap test by @chdxD1 in #18325
Typesafe zclient by @donaldsharp in #18409
pimd: Skip RPF check for SA message from mesh group peer
by @usrivastava-nvidia in #18330
tests: Catch specific exceptions by @y-bharath14 in #18277
lib: fix static analysis error by @dmytroshytyi-6WIND in #17986
zebra: zebra crash for zapi stream by @soumyar-roy in #18359
yang: Code inline with RFC 8407 rules by @y-bharath14 in #18442
tests: Change up start order of bmp tests by @donaldsharp in #18452
tests: add bfd_static_vrf by @louis-6wind in #18446
tests: Corrected typo at path_attributes.py by @y-bharath14 in #18339
bgpd: fix set evpn gateway-ip ipv[46] route-map by @Tuetuopay in #18378
tests: add another directory to search path for pylint by @choppsv1 in #18475
tests: high_ecmp creates 2 update groups by @donaldsharp in #18469
staticd: Fix a crash that occurs when modifying an SRv6 SID
by @cscarpitta in #18467
babeld: Missing Validation for AE=0 and Plen!=0 by @zmw12306 in #18473
Bgp clear batch by @donaldsharp in #18447
bgpd: fix handling of configured route-targets for l2vni, l3vni
by @mjstapp in #18484
bgpd: Fix holdtime not working properly when busy by @donaldsharp in #18483
babeld: add check incorrect AE value for NH TLV. by @zmw12306 in #18471
isisd:IS-IS hello packets not sent with configured hello timer
by @Z-Yivon in #18311
isisd: Fix the issue where redistributed routes do not change when th…
by @huchaogithup in #18369
babeld: Hop Count must not be 0. by @zmw12306 in #18474
lib: Return duplicate prefix-list entry test by @ton31337 in #18494
bgpd: fix SA warning in bgp clearing code by @mjstapp in #18496
tests: Handling potential errors gracefully by @y-bharath14 in #18476
babeld: fix hello packets not sent with configured hello timer
by @Shbinging in #18448
Eigrp typesafe by @donaldsharp in #18482
ospf6d: Fix LSA memory leaks related to graceful restart by @gromit1811
in #18503
tests: Add ripng aggregate address testing by @donaldsharp in #18506
yang: Fixed pyang errors at frr-isisd.yang by @y-bharath14 in #18500
bgpd: Set the label for MP_UNREACH_NLRI 0x800000 instead of 0x000000
by @ton31337 in #18502
tests: Modify simple_snmp_test to use frr.conf by @donaldsharp in #18508
bgpd: Retain the routes if we do a clear with N-bit set for
Graceful-Restart by @ton31337 in #18498
lib: show route-map should not print (null) by @donaldsharp in #18515
tests: Fix potential issues at send_bsr_packet.py by @y-bharath14 in #18520
tests: Irrelevant code in lutil.py by @y-bharath14 in #18532
tools: Add option to frr-reload to specify alternate logfile
by @mwinter-osr in #15471
Memory leaks all over by @donaldsharp in #18544
Bgp packet reads conversion to a FIFO by @donaldsharp in #18450
babeld: Add next hop initialization by @zmw12306 in #18470
yang: Limit eigrp to just 1 instance per vrf by @donaldsharp in #18524
yang: Corrected pyang errors in frr-zebra.yang by @y-bharath14 in #18543
bgpd: optimize attrhash_cmp calls by @louis-6wind in #18097
lib: Return duplicate ipv6 prefix-list entry test by @ton31337 in #18561
eigrpd: Fix possible use after free in nbr deletion by @donaldsharp in #18525
bgpd: Skip EVPN MAC processing for non-EVPN peers by @routingrocks in #18564
tests: Resource leaks in test_all_protocol_startup by @y-bharath14 in #18553
Add BGP redistribution in SRv6 BGP by @pguibert6WIND in #18396
bgpd: rfapi: track outstanding rib and import timers, free mem at exit
by @gpziemba in #18546
tests: Fix typo when configuring delayopen timer by @ton31337 in #18572
pimd: Initialize gm proxy to false by @nabahr in #18567
bgpd: Treat the peer as not active due to BFD down only if established
by @ton31337 in #18562
bgpd: flowspec: remove sizelimit check applied to the wrong length field
(issue 18557) by @spoignant-proton in #18558
staticd: Avoid requesting SRv6 sid from zebra when loc and sid block dont
match by @raja-rajasekar in #18580
babeld: Hop Count must not be 0. by @zmw12306 in #18547
babeld: Request forwarding does not prioritize feasible routes
by @zmw12306 in #18581
babeld: Fix starvation handling on route loss per RFC 8966 §3.8.2.1
by @zmw12306 in #18582
babeld: Add a check to prevent all-ones case by @zmw12306 in #18584
babel: fix incorrect check in known_ae() by @zmw12306 in #18585
doc: add a diagram for config datastore cleanup on file reads
by @choppsv1 in #18602
pimd: Fix memory leak on shutdown by @donaldsharp in #18526
nhrpd: Add Hop Count Validation Before Forwarding in nhrp_peer_recv()
by @zmw12306 in #18598
babeld: check valid babel port by @zmw12306 in #18583
bgpd: On shutdown free up memory leak found by topotest by @donaldsharp
in #18614
*: expose and fix variable shadowing warnings by @mjstapp in #17915
yang: Pyang errors in frr-bfdd.yang by @y-bharath14 in #18604
mgmtd: remove bogus "hedge" code which corrupted active candidate DS
by @choppsv1 in #18601
zebra: Fix shadow warning in irdp_packet.c by @donaldsharp in #18627
bgpd: On shutdown free up table for static routes by @donaldsharp in #18625
bgpd: Paths not deleted received from shutdown peer by @soumyar-roy in #18594
bgpd: remove useless calls to afi2family by @louis-6wind in #18624
bfdd: Fix demultiplexing to rely solely on Your Discriminator
by @zmw12306 in #18586
babeld: fix incorrect type assignment in parse_request_subtlv
by @zmw12306 in #18548
babeld: Add input validation for update TLV. by @zmw12306 in #18472
bgpd: add usid behavior for bgp srv6 instructions by @pguibert6WIND in #18611
bgpd: fix add prefix sent in 'show bgp neighbor' by @pguibert6WIND in #18376
tools: Add pathspace option to generate_support_bundle by @mwinter-osr
in #18635
tests: Fix potential issues in mcast-tester.py by @y-bharath14 in #18633
babeld: Add MBZ and Reserved field checking by @zmw12306 in #16735
isisd: fix asla memory leak by @louis-6wind in #18642
lib, staticd, isisd: add B6.ENCAPS codepoint extensions by @pguibert6WIND
in #18597
zebra: modify fpm_listener to display data about nhgs by @donaldsharp
in #18640
tools: fix reload script for SRv6 locators and formats by @raja-rajasekar
in #18628
tests: Shadowing the built-in function by @y-bharath14 in #18574
zebra: fix pbr_iptable memory leak by @louis-6wind in #18645
Rpki testing and bug fix by @donaldsharp in #18649
pim6d: fix missing 'use-source' interface command by @ak503 in #18578
zebra: Add ability to dump routes received from fpm_listener
by @donaldsharp in #18641
Add v4-via-v6 nexthop support to staticd by @chdxD1 in #18654
lib,bgpd: clean up clang warnings by @mjstapp in #18655
bgpd: fix pbr memory leaks by @louis-6wind in #18653
fix yang commands that don't have yang attr by @lsang6WIND in #18610
lib: nb: add list_entry_done() callback to free resources by @choppsv1
in #18540
bfdd: Set bfd.LocalDiag when transitioning to AdminDown by @zmw12306
in #18592
tests: Fix northbound endian use in a unit-test by @mjstapp in #18662
isisd: fix srv6_sid memory leak by @louis-6wind in #18667
zebra: change fpm_read to batch the messages by @krishna-samy in #18579
zebra: show command to display metaq info by @krishna-samy in #18497
yang: Corrected pyang errors in frr-pathd.yang by @y-bharath14 in #18665
bgpd: fix misused rfapi conditional by @eqvinox in #18669
pimd: Only create and bind the autorp socket when really needed
by @nabahr in #18538
tests: Resource leak in common_config.py by @y-bharath14 in #18658
lib,pimd,bgpd,bfdd: Fix clang 18 warnings by @mjstapp in #18675
zebra: Save event pointer for rib sweeping by @donaldsharp in #18692
bgpd: ensure that bgp_generate_updgrp_packets shares nicely
by @donaldsharp in #18689
Implement RFC8781 (NAT64 prefix in RA's) by @donaldsharp in #18626
zebra: implement RFC8781 (NAT64 prefix in RAs) by @eqvinox in #11224
Update EVPN prefix routes properly instead of withdraw/install
by @chdxD1 in #18158
bgpd: fix vty's version of show advertised-routes by @askorichenko in #18695
Improve notification selectors (sort, eliminate dups) by @choppsv1 in #18683
tests: Shadowing the built-in function by @y-bharath14 in #18698
bgpd: Fix deref after free in bgp_vrf_unlink by @petrvaganoff in #18694
doc: line vty was not documented by @donaldsharp in #18703
bgpd: Clean extended communities for VRF routes imported from EVPN
by @leonshaw in #18656
zebra: Add CLI to display SRv6 SIDs allocated by @cscarpitta in #16836
zebra: add vtep_ip to rmac nh_list in all cases by @chdxD1 in #18677
doc: state correct default behaviour of VTYSH_PAGER env if unset
(vtysh manpage) by @valentinbinotto in #18691
pimd: Fix for crash during networking restart by @usrivastava-nvidia
in #18672
yang: Fix pyang errors in frr-interface.yang by @y-bharath14 in #18716
Fix Pim ssmpingd by @donaldsharp in #18652
change to 18652 to test by @choppsv1 in #18713
topotests: clarify bgp evpn rt5 by @louis-6wind in #18708
zebra: Display nhg's afi as No Afi by @donaldsharp in #18709
*: enable the missing-noreturn compiler warning by @mjstapp in #18720
*: Fix MULTIPATH_NUM check in nhg encode by @karthikeyav in #18690
zebra: Cancel new client accept events after zsock is closed by @Pdoijode
in #18704
tests: Proper handling of resource allocation by @y-bharath14 in #18730
*: Allow returns to work with --enable-undefined-behavior by @donaldsharp
in #18731
zebra: use nexthop instead of route vrf_id for EVPN by @chdxD1 in #18309
bgpd: fix bmp heap use after free on non connected session
by @pguibert6WIND in #18700
ldpd: Option for disabled LDP hello message during TCP by @AndriiFullroot
in #18417
Add sharp support for seg6local routes with uSID flavor by @pguibert6WIND
in #18605
doc: add commit message guidelines to the dev guide by @Jafaral in #18657
tests: Unidiomatic-typecheck in bgp.py by @y-bharath14 in #18738
*: Remove deprecated EVENT_OFF macro by @mjstapp in #18739
Isis run level issue by @donaldsharp in #18734
staticd: Add support for other SRv6 Headend Behaviors by @cscarpitta
in #18623
zebra: Fixes allowing SRv6 func-bits length 0 by @raja-rajasekar in #18737
add total path count for bgp net in json output by @soumyar-roy in #18740
show ipv6 route [json] displays seg6local flavors by @pguibert6WIND in #18563
ospf6d: Remove dead code by @donaldsharp in #18752
yang: Fix pyang errors in frr-ospfd.yang by @y-bharath14 in #18756
Remove dead code found by @donaldsharp in #18757
yang: Correct unidiomatic-typecheck in pim.py by @y-bharath14 in #18764
zebra: show nexthops count in nexthop-group command by @krishna-samy
in #18762
Move where nhe_installed_id is set in zebra by @donaldsharp in #18749
staticd: Fix an issue where SRv6 SIDs may not be allocated on heavily
loaded systems by @cscarpitta in #18317
Allow using reserved ranges in RIP by @ton31337 in #18768
Remove unused functions as well as cleanup a header file by @donaldsharp
in #18766
build: fail on docstring problems by @eqvinox in #18765
Fix spelling error in bgp as well as clean up bgp documentation
by @donaldsharp in #18770
tests: Unreachable code in ospf.py by @y-bharath14 in #18767
docker: Build with 256 way ecmp by @donaldsharp in #18779
eigrpd: Clean up comment to reflect reality by @donaldsharp in #18780
zebra: Allow show ip route table X A.B.C.D/M to work by @donaldsharp
in #18776
bgpd: restart R-bit startup timer on no shutdown by @ton31337 in #18773
Add initial state dump on frontend datastore notify subscribe
by @choppsv1 in #18778
Gather vtysh return codes up to report to operator by @donaldsharp in #18783
BGP should stay in Idle if BFD profile is in admin shutdown state
by @ton31337 in #18763
bfdd: Adding my discriminator id in show bfd peers counters json
by @sougata-github-nvidia in #18772
mgmtd: need to set default notify_format for protobuf message too
by @choppsv1 in #18788
zebra: Allow nhg's to be reused when multiple interfaces are going amuck
by @donaldsharp in #18723
Replace use of __ as identifier prefix by @choppsv1 in #18790
lib/clippy: pointer offsets are signed by @eqvinox in #18792
zebra: Prevent vrf table 254 being used by non-default vrf
by @donaldsharp in #18702
*: some gcc warnings clean up by @rzalamena in #18794
bgpd: Remove linklist.h inclusion in bgp_mpath.c by @donaldsharp in #18800
bgpd: fix second router-id of loc-rib peer-up message set to 0.0.0.0
by @pguibert6WIND in #18799
bgpd: Not advertised to any peer in peer-group by @soumyar-roy in #18587
bgpd: Add support for BGP to use SRv6 SID in an explicit way
by @GaladrielZhao in #18519
bgpd: fix show bgp vpn rd json by @louis-6wind in #18802
bgpd: Fix flag issue in delete_vrf_tovpn_sid_per_vrf by @GaladrielZhao
in #18808
ripd, ripngd: Timer values by @ton31337 in #18805
zebra: guard against use of zapi client data during close by @mjstapp
in #18721
docker: install correct python protobuf in ubuntu docker images
by @choppsv1 in #18816
tests: Fix unreachable code in pim.py by @y-bharath14 in #18817
tests: bgp_evpn_rt5 add route-reflector by @louis-6wind in #18733
bgpd: Rename bgp_path_info_delete to bgp_path_info_mark_for_delete
by @donaldsharp in #18818
isid, lib: Fix gcc 15 warnings by @mjstapp in #18820
Fix bestpath reason being incorrectly set in some cases by @donaldsharp
in #18819
tests: Remove version (BGP version) from JSON by @ton31337 in #18831
ci: harden wget from github servers by @vjardin in #18833
doc: topotest add missing media type MIB by @vjardin in #18832
Ipforwarding modify by @donaldsharp in #18316
Prefix list leak bfdd ldpd by @donaldsharp in #18830
Bgp encaps reduced by @pguibert6WIND in #18803
End psp flavor by @pguibert6WIND in #18647
Fix up from a bunch of ubsan issues found. by @donaldsharp in #16074
Add PIC support in the srv6 VPN scenario. by @zice312963205 in #16879
bgpd: Implement BGP Next Hop Dependent Characteristics Attribute
(NNHN only) by @ton31337 in #18729
bgpd: fix view deletion and main socket deletion by @rzalamena in #18758
SRv6: Allow configuring node-len 0 by @raja-rajasekar in #18774
bgpd: fix to show exist/non-exist-map in 'show run' properly
by @krishna-samy in #18828
zebra: finish moving ip[v6] forwarding to NB/mgmtd by @choppsv1 in #18845
mgmtd top level root query by @choppsv1 in #18835
Clang-19 cleanup and removal of scheduled functionality by @donaldsharp
in #18821
pimd: add support for group range prefix-list filter for v6 by @rzalamena
in #18260
pimd,pim6d: require router alert configuration by @rzalamena in #18202
zebra: V6 RA not sent anymore after interface up-down-up by @soumyar-roy
in #18451
redhat: Add Workaround for inet_ntop replacement which breaks rpms
by @mwinter-osr in #18864
staticd, bgp: fix srv6 encap-value displayed with _ instead of .
by @pguibert6WIND in #18858
bgpd: fix PEER_FLAG_CONFIG_DAMPENING to be ULL by @vjardin in #18869
Revert 16879 by @ton31337 in #18856
build: the great war against config.h, issue 0 of ∞ by @eqvinox in #18860
yang: Fix pyang errors in frr-staticd.yang by @y-bharath14 in #18857
Keep the original NHE associated with a re around by @donaldsharp in #18751
build: the war against config.h continues, 1 of ∞ by @eqvinox in #18874
bgpd: fix import all adj-rib-in and loc-rib after bmp connects
by @pguibert6WIND in #18843
lib: fix mis-done endian check by @eqvinox in #18875
Eliminate protobuf from mgmtd backend (daemon) messaging by @choppsv1
in #18878
*: SPDX license spring cleaning by @eqvinox in #18883
build: the war on config.h is a war of attrition, 2 of ∞ by @eqvinox
in #18877
bgpd: two minor fixes for command by @anlancs in #18882
bfdd: Only apply increased transmission interval after Poll Sequence
by @zmw12306 in #18589
bfdd: Check for passive mode with zero discriminator by @zmw12306 in #18591
ospfd: Fix crash when ospf client connects before configuring an OSPF
instance by @Jafaral in #18785
lib: fix copying of resolved addresses by @kunkku in #18871
*: oh no, config.h is mobilizing its forces! - 3 of ∞ by @eqvinox in #18884
doc/developer: update instructions for NetBSD by @eqvinox in #18879
yang: Correct pyang errors in frr-bgp-route-map.yang by @y-bharath14
in #18781
nhrpd: ignore non-host addresses on NHRP interfaces by @kunkku in #18873
staticd: fix deref of NULL pointer in srv6 code by @mjstapp in #18890
vtysh,doc: add an idle timeout for vtysh by @mjstapp in #18711
pimd: add support for PIM dense and sparse-dense modes by @Jafaral in #18648
doc: add a note about dplane API version to the release docs by @mjstapp
in #18896
zebra: bump the dplane api version for FRR 10.4 by @mjstapp in #18893
lib: fix coverity defect CID 1643927 by @choppsv1 in #18892
bgpd: add neighbor ip-transparent by @vjardin in #18789
pimd, yang: move bsr xpath to be consistent with other rp implementations
by @Jafaral in #18898
lib: fix build failure in darr by @eqvinox in #18863
github: Do not cache docker foobar by @ton31337 in #18909
bgpd: Drop deprecated JSON field gracefulRestartCapability by @ton31337
in #18900
pimd: fix a coverity issue with state refresh by @Jafaral in #18902
pbrd: Fix memory leak when destroying an interface by @ton31337 in #18906
zebra: [SRv6] persist func-len 0 across frr restart by @raja-rajasekar
in #18847
bgpd: correct no form commands by @anlancs in #18911
mgmtd simplify frontend CLI config path by @choppsv1 in #18888
build: check for libunwind.h, not unwind.h by @eqvinox in #18912
mgmtd: remove unused and unneeded code. by @choppsv1 in #18927
zebra: Add some more debugging when netlink read fails for a route
by @donaldsharp in #18914
build: autoconf cleanup pass by @eqvinox in #18913
Revert "tools: ignore spaces only in macro empty line." by @donaldsharp
in #18934
tests: Address resource leaks in bmpserver.py by @y-bharath14 in #18935
bgpd: do not accept a host route that matches a local address
by @enkechen-panw in #17976
bgpd: Add Hold Time(r) for BFD strict mode by @ton31337 in #18901
tools: ignore spaces only in macro empty line. by @choppsv1 in #18937
redhat: make FRR RPM build to work on RedHat 10 by @mwinter-osr in #18920
tools: Fix VRF static routes deletion on config reload instead of update
by @dendergunov in #18908
Handle VRF blackhole routes in SRv6 L3VPN setup with static routes
by @pguibert6WIND in #18931
bgpd: use AS4B format for BGP loc-rib messages. by @pguibert6WIND in #18936
BGP evpn testing and bug fixes related to non default EVPN backbone
by @pguibert6WIND in #18358
bgpd: Supporting Graceful Shutdown feature for Peer-Group
by @Manpreet-k0 in #18659
*: fix a bunch of header file / #include loops by @eqvinox in #18953
Fix up dplane handling of some edge cases by @donaldsharp in #18919
pimd, tests: Fix dense mode flooding/grafting, expand dense/mixed mode
testing by @nabahr in #18903
lib: use forward-refs to remove bgp header from lib header by @mjstapp
in #18960
zebra: Do not show SRv6 locator params when they are set to default
by @cscarpitta in #18961
tools: Ensure that checkpatch.sh checks return code of checkpatch.pl
by @donaldsharp in #18938
bgpd: Force adj-rib-out updates if MRAI is kicked in by @ton31337 in #18959
zebra: add ability to dump fpm listener nhg by @donaldsharp in #18676
Replace lock and commit protobuf messages with native variants
by @choppsv1 in #18928
bgpd: Unset TOVPN_SID_EXPLICIT flag to ensure BGP can release SRv6 SIDs
by @cscarpitta in #18969
Remove last bits of protobuf from MGMTD by @choppsv1 in #18948
zebra: Provide SID value when sending SRv6 SID release notify message
by @cscarpitta in #18971
lib: fix coverity "free address-of" issues by @choppsv1 in #18968
zebra: Allow routes that could be considered connected to exist
by @donaldsharp in #18967
pimd: fix coverity issues by @Jafaral in #18985
bgpd: Free up leaked memory in case where routemap is not used
by @donaldsharp in #18529
bgpd: Don't send notification if IPv6 Link-Local is not assigned on the
interface by @ton31337 in #18930
zebra: Cleanup SRv6 output of show running-config by @cscarpitta in #18970
bgpd: Set atomic aggregate attribute if we drop AS_SETs by @ton31337
in #18983
bgpd: Add new CLI to show the counters of each attribute by @ton31337
in #18984
yang: Fix pyang errors in frr-pim-rp.yang by @y-bharath14 in #18992
pimd: use the correct vrf with recv prune and state refresh by @Jafaral
in #18986
bgpd: Clean up evpn mac hash on shutdown. (backport #18996)
by @mergify[bot] in #18998
bgpd: Do not reuse the same adj->adv when flushing fifo (attributes too
long) (backport #18993) by @mergify[bot] in #18999
pimd: add boundary checks when parsing join/graft source lists (coverity)
(backport #18989) by @mergify[bot] in #19006
bgpd: Fix crash when fetching statistics for bgp instance
(backport #19003) by @mergify[bot] in #19004
tests: add new /run/netns tmpfs to each topotest router namespace
(backport #19007) by @mergify[bot] in #19012
Fix some coverity issues (backport #18897) by @mergify[bot] in #19021
Add frr-host yang module - fix bug with reserved IP range config
(backport #19019) by @mergify[bot] in #19026
static: [SRv6] Fixing uninstall and reinstall uA Sids upon Intf flaps
(backport #19027) by @mergify[bot] in #19032
nhrpd: fix crash when accessing invalid memory zone (backport #18994)
by @mergify[bot] in #19035
bgpd: [TOPOTEST] stabilize bgp_peergroup_gshut test case (backport #18991)
by @mergify[bot] in #19046
pathd: fix compare function overflow (backport #19050) by @mergify[bot]
in #19053
Nhrp redundancy ping (backport #19048) by @mergify[bot] in #19052
zebra: Initialize RB tree for router tables (backport #19049)
by @mergify[bot] in #19055
tests: Fix bgp_srv6_sid_explicit test failures (backport #19068)
by @mergify[bot] in #19075
debian, redhat: add missing info to changelog by @Jafaral in #19072
zebra: fix null pointer dereference in zebra_evpn_sync_neigh_del
(backport #19054) by @mergify[bot] in #19081
zebra: fix stale NHG in kernel (backport #18899) by @mergify[bot] in #19085
Doc and test update (backport #19070) by @mergify[bot] in #19084
bgpd: Fix incorrect stripping of transitive extended communities due …
(backport #19065) by @mergify[bot] in #19093
lib: Fix no on-match goto NUM command (backport #19108) by @mergify[bot]
in #19112
bgpd: fix missing BGP_ROUTE_AGGREGATE for announcing to zebra
(backport #19105) by @mergify[bot] in #19130
bgpd: Fix extended community check for IP non-transitive type
(backport #19097) by @mergify[bot] in #19133
bgpd: Fix DEREF_OF_NULL.EX.COND in bgp_updgrp_packet (backport #19126)
by @mergify[bot] in #19142
zebra: zebra core with v6 RA (backport #19000) by @mergify[bot] in #19152
lib: revert addition of vtysh_flush() call in vty_out() (backport #19109)
by @mergify[bot] in #19153
bgpd: free json objects in error paths (backport #19158) by @mergify[bot]
in #19163
bgpd: Extract link bandwidth value from extcommunity before using for
WCMP (backport #19165) by @mergify[bot] in #19169
lib,bgpd,ospf6d,zebra: Free json objects in error paths (backport #19182)
by @mergify[bot] in #19184
zebra: clean up a json object leak (backport #19192) by @mergify[bot]
in #19195
bgpd: Do not try to reuse freed route-maps (backport #19191) by
@mergify[bot] in #19200
10.3.2
What's Changed
bgpd: correct no form commands (backport #18911)
bgpd: fix to show exist/non-exist-map in 'show run' properly
redhat: make FRR RPM build to work on RedHat 10 (backport #18920)
build: check for libunwind.h, not unwind.h (backport #18912)
bgpd: use AS4B format for BGP loc-rib messages. (backport #18936)
bgpd: fix for the validity and the presence of prefixes in the BGP VPN
table. (backport #17370)
bgpd: Force adj-rib-out updates if MRAI is kicked in (backport #18959)
github: Do not cache docker foobar (backport #18909)
zebra: Provide SID value when sending SRv6 SID release notify message
(backport #18971)
bgpd: Fix crash when fetching statistics for bgp instance (backport #19003)
tests: add new /run/netns tmpfs to each topotest router namespace
(backport #19007)
nhrpd: fix crash when accessing invalid memory zone (backport #18994)
zebra: Initialize RB tree for router tables (backport #19049)
zebra: fix null pointer dereference in zebra_evpn_sync_neigh_del
(backport #19054)
zebra: fix stale NHG in kernel (backport #18899)
bgpd: Fix incorrect stripping of transitive extended communities
(backport #19065)
lib: Fix no on-match goto NUM command (backport #19108)
bgpd: Fix extended community check for IP non-transitive type
(backport #19097)
bgpd: Fix DEREF_OF_NULL.EX.COND in bgp_updgrp_packet (backport #19126)
lib: revert addition of vtysh_flush() call in vty_out() (backport #19109)
bgpd: Extract link bandwidth value from extcommunity before using for WCMP
(backport #19165)
Use ipv4 class E addresses (240.0.0.0/4) as connected routes by default
(backport #18095)
bfdd: Set bfd.LocalDiag when transitioning to AdminDown (backport #18592)
zebra: clean up a json object leak (backport #19192)
bgpd: Do not try to reuse freed route-maps (backport #19191)
lib: fix routemap crash (backport #19127)
bgpd: initialize local variable (backport #19233)
ospfd: Use after free cleanup of lsa (backport #19224)
vtysh: copy config from file should actually apply (backport #19242)
bgpd : Fix compilation error in bgpd module: Update TP_ARGS for bgp
(backport #19266)
bgpd: Ensure addpath does not withdraw selected route in some situations
(backport #19210)
lib, zebra: mark singleton nexthops inactive/active on link state changes
for wecmp (backport #18947)
eigrp: validate hello packets and tlvs better (backport #19251)
bgpd: [GR] fixed selectionDeferralTimer to display select_defer_time val
(#19283)
zebra: Fix buffer overflows found by fuzzing. (backport #19303)
lib: compute link-state zapi message size (backport #19290)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:08:08 +0000 (22:08 +0200)]
dehydrated: Update to version 0.7.2
- Update from version 0.7.1 to 0.7.2
- Update of rootfile not required
- Changelog
0.7.2
Added
- Implemented support for certificate profile selection
- Added a configuration parameter to allow for timeouts during order processing
(`ORDER_TIMEOUT`, defaults to 0 = no timeout)
- Allowed for automatic deletion of old files (`AUTO_CLEANUP_DELETE`, disabled
by default)
Changed
- Renew certificates with 32 days remaining (instead of 30) to avoid issues
with monthly cronjobs (`RENEW_DAYS=32`)
Fixed
- Changed behaviour of `openssl req` stdin handling to fix compatibility with
OpenSSL version 3.2+
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 19:54:46 +0000 (21:54 +0200)]
nmap: Update to version 7.98
- Update from version 7.95 to 7.98
- Update of rootfile
- Changelog
7.98
o Updated liblua to 5.4.8
o Fixed an issue in FTP bounce scan where a single null byte is written past
the end of the receive buffer. The issue is triggered by a malicious server
but does not cause a crash with default builds. [Tyler Zars]
o [GH#3130] Fix a crash (stack exhaustion due to excessive recursion) in the
parallel DNS resolver. Additionally, improved performance by processing
responses that come after the request has timed out. [Daniel Miller]
o [GH#2757] Fix a crash in traceroute when using randomly-generated decoys:
"Assertion `source->ss_family == AF_INET' failed" [Daniel Miller]
o [GH#2899] When IP protocol scanning on IPv6 (-sO -6), skip protocol numbers
that are registered as Extension Header values. When the --data option was
used, these would fail the assertion "len == (u32) ntohs(ip6->ip6_plen)"
[Daniel Miller]
o [NSE][GH#3133] Fix the error "nse_nsock.cc:637: void
receive_callback(nsock_pool, nsock_event, void*): Assertion `lua_status(L)
== 1' failed."
when reading from an SSL connection. [Daniel Miller]
o [GH#3086] Prevent TCP Connect scan (-sT) from leaking one socket per
hostgroup, which led to progressively slower scans and assertion failures in
other scan phases. [Daniel Miller]
o [NSE] Added NSE bindings for more libssh2 functions: channel_request,
channel_request_pty_ex, channel_shell, and userauth_keyboard_interactive.
ssh-brute will now use keyboard-interactive auth if password auth is not
offered. [Daniel Miller, CrowdStrike]
o Fix a bug that was causing Nmap to send empty DNS packets for each target
that was not found up instead of just skipping them for reverse DNS.
o [macOS][GH#3127] Fix "dnet: Failed to open device en0" errors on macOS since
Nmap 7.96. [Daniel Miller]
o [NSE] Fix/update/enhance tls.lua for newer TLSv1.3 ciphers, including
post-quantum ciphersuites.
o [GH#3114][Windows] Use only the DNS servers for up and configured interfaces
for forward and reverse DNS lookups. When -e or -S are used, use only DNS
servers that can be connected via that interface or source address.
[Daniel Miller]
o [Ndiff][GH#3115] Have configure script check for PyPA 'build' module.
[Daniel Miller]
o [Zenmap] Updated Spanish and Chinese language strings for Zenmap to cover
latest strings.
o [Zenmap][GH#2718] Zenmap language translation (i18n) files were not being
installed. [Daniel Miller]
o [Zenmap][GH#3066] Fix Zenmap error "ValueError: I/O operation on closed file"
when Nmap crashes or fails. [Daniel Miller]
o [Zenmap][GH#3084][GH#3127] Fix UnicodeDecodeError issues in ScriptMetadata
and UmitConfigParser. [Daniel Miller]
o [NSE][GH#3123] WS-Discovery parsing would error out if the MessageID UUID
was not prefixed with "urn:". [nnposter]
7.97
o [Zenmap][GH#3087] Fix a crash when starting a scan on Windows in locales that
use non-latin character sets. Also changed Nmap to print the time zone as an
offset from UTC instead of as a localized string. [Daniel Miller]
o Fixed an issue with the parallel forward DNS resolver: it had not been
consulting /etc/hosts, nor did it correctly handle the 'localhost' name.
[Daniel Miller]
o [GH#3088] Mitigate a false-positive detection by replacing a malicious URL in
the example output of http-malware-host [nnposter]
7.96
o Upgraded included libraries: OpenSSL 3.0.16, Lua 5.4.7, libssh2 1.11.1,
libpcap 1.10.5, libpcre2 10.45, libdnet 1.18.0
o [Windows] Upgraded the included version of Npcap from version 1.79 to the
latest version 1.82, bringing faster packet injection, VLAN header capture,
and support for SR-IOV adapters, along with many other bug fixes and feature
enhancements described at https://npcap.com/changelog
o [GH#1451] Nmap now performs forward DNS lookups in parallel, using the same
engine that has been reliably performing reverse-DNS lookups for nearly a
decade. Scanning large lists of hostnames is now enormously faster and avoids
the unresponsive wait for blocking system calls, so progress stats can be
shown. In testing, resolving 1 million website names to both IPv4 and IPv6
took just over an hour. The previous system took 49 hours for the same data
set! [Daniel Miller]
o [Nping][GH#2862] Promoted Nping version number from a 0.7.95 alpha release to
the same release version as Nmap.
o [Zenmap][GH#2358] Added dark mode, accessed via Profile->Toggle Dark Mode or
window::dark_mode in zenmap.conf. [Daniel Miller]
o [NSE] Added 3 new scripts, for a total of 612 NSE scripts:
+ [GH#2973] mikrotik-routeros-version queries MikroTik's WinBox router admin
service to get the RouterOS version. New service probes were also added for
this service. [deauther890, Daniel Miller]
+ mikrotik-routeros-username-brute brute-forces WinBox usernames for the
router using CVE-2024-54772. [deauther890]
+ targets-ipv6-eui64 generates target IPv6 addresses from a user-provided
file of MAC addresses, using the EUI-64 method. [Daniel Miller]
o [GH#2982] Fixed an issue preventing the Nmap OEM 7.95 uninstaller from
correctly uninstalling Nmap OEM.
o [GH#2139][Nsock][Windows] Fixed the IOCP Nsock engine, which had been demoted
since Nmap 7.91 due to unresolved issues around SSL sockets and IPv6.
[Daniel Miller]
o [GH#2113] Fixed the issue where TCP Connect scans (-sT) on Windows would show
'filtered' instead of 'closed', due to differences in understanding timeouts.
o [GH#2900][GH#2896][GH#2897] Nmap is now able to scan IP protocol 255.
[nnposter]
o Nmap will now allow targets to be specified both on the command line and in
an input file with -iL. Previously, if targets were provided in both places,
only the targets in the input file would be scanned, and no notice was given
that the command-line targets were ignored. [Daniel Miller]
o [Zenmap][GH#2854] Fixed a Zenmap crash in DiffViewer when Ndiff exits with
error.
o [Zenmap] Fixed several UnicodeDecodeError or UnicodeEncodeError crashes
throughout Zenmap.
o [Zenmap][GH#1696] Fixed an issue preventing Zenmap from launching if nmap was
not in the PATH. The issue primarily affected macOS users. [Daniel Miller]
o [GH#2838][GH#2836] Fixed a couple of issues with parsing the argument to the
-iR option.
o [NSE][GH#2852] Added TLS support to redis.lua and improved -sV detection of
redis.
o [GH#2954] Fix 2 potential crashes in parsing IPv6 extension headers
discovered using AFL++ fuzzer. [Domen Puncer Kugler, Daniel Miller]
o [Nping] Bind raw socket to device when possible. This was already done for
IPv6, but was needed for IPv4 L3 tunnels. [ValdikSS]
o [Ncat] Ncat in connect mode no longer defaults to half-closed TCP
connections. This makes it more compatible with other netcats. The -k option
will enable the old behavior. See https://seclists.org/nmap-dev/2013/q1/188
[Daniel Miller]
o [Nsock][GH#2788] Fix an issue affecting Ncat where unread bytes in the SSL
layer's buffer could not be read until more data arrived on the socket, which
could lead to deadlock. [Daniel Miller]
o [Ncat][GH#2422] New Ncat option -q to delay quit after EOF on stdin, the
same as traditional netcat's -q option. [Daniel Miller]
o [Ncat][GH#2843] Ncat in listen mode with -e or -c correctly handles error and
EOF conditions that had not been being delivered to the child process.
o [Ncat][Windows] All Nsock engines now work correctly. The default is still
'select', but others can be set with --nsock-engine=iocp or
--nsock-engine=poll [Daniel Miller]
o [NSE][GH#1014][GH#2616] SSH NSE scripts now catch connection errors thrown by
the libssh2 Lua binding, providing useful output instead of a backtrace.
[Joshua Rogers, Daniel Miller]
o [NSE] Several fixes and extensions to the libssh2 NSE bindings: fixed
libssh2.channel_read_stderr, which was reading stdout instead; add binding
for libssh2_userauth_publickey_frommemory; allow open_channel to avoid
allocating a pty;
o [Nsock] Improvements for platforms without selectable pcap handles (e.g.
Windows). Interleaved pcap and socket events were favoring pcap reads,
possibly resulting in timeouts of the socket events. [Daniel Miller]
o [Nsock] Improved memory performance of poll engine on Windows. [Daniel Miller]
o [Nsock][GH#187][GH#2912] Improvements to Nsock event list management, fixing
errors like "could not find 1 of the purportedly pending events on that IOD."
[Daniel Miller]
o When Nmap is used with --disable-arp-ping, a local IP that cannot be
ARP-resolved will use the "no-route" reason instead of the "unknown-response"
reason, since no response was received.
o [NSE][GH#2571][GH#2572][GH#2622][GH#2784] Various bug fixes in the mssql NSE
library. [johnjaylward, nnposter]
o [NSE][GH#2925][GH#2917][GH#2924] Testing for acceptance of SSH keys for
a given username caused heap corruption. [Julijan Nedic, nnposter]
o [NSE][GH#2919][GH#2917] Scripts were not able to load SSH public keys.
from a file. [nnposter]
o [NSE][GH#2928][GH#2640] Encryption/decryption performed by the OpenSSL NSE
module did not work correctly when the IV started with a null byte.
[nnposter]
o [NSE][GH#2901][GH#2744][GH#2745] Arbitrary separator in stdnse.tohex() is now
supported. Script smb-protocols now reports SMB dialects correctly.
[nnposter]
o [NSE] ether_type inconsistency in packet.Frame has been resolved. Both
Frame:new() and Frame:build_ether_frame() now use an integer. [nnposter]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 16:45:02 +0000 (18:45 +0200)]
python3-msgpack: Update to version 1.1.0
- Update from version 1.0.8 to 1.1.0
- Update of rootfile
- borgbackup requires python3-msgpack and has updated the version to be up to 1.1.0
- Changelog
1.1.0
use PyLong_* instead of PyInt_* for compatibility with future Cython. (#620)
1.1.0rc2
Update Cython to 3.0.11 for better Python 3.13 support.
Update cibuildwheel to 2.20.0 to build Python 3.13 wheels
1.1.0rc1
Update Cython to 3.0.10 to reduce C warnings and future support for Python 3.13.
Stop using C++ mode in Cython to reduce compile error on some compilers.
Packer() has buf_size option to specify initial size of internal buffer to
reduce reallocation.
The default internal buffer size of Packer() is reduced from 1MiB to 256KiB to
optimize for common use cases. Use buf_size if you are packing large data.
Timestamp.to_datetime() and Timestamp.from_datetime() become more accurate by
avoiding floating point calculations. (#591)
The Cython code for Unpacker has been slightly rewritten for maintainability.
The fallback implementation of Packer() and Unpacker() now uses keyword-only
arguments to improve compatibility with the Cython implementation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 16:45:01 +0000 (18:45 +0200)]
borgbackup: Update to version 1.4.1
- Update from version 1.4.0 to 1.4.1
- Update of rootfile
- Changelog
1.4.1
New features:
- prune: add 13weekly and 3monthly quarterly pruning strategies, #8337
- add BORG_USE_CHUNKS_ARCHIVE env var as a cleaner way to control whether
borg shall use chunks.archive.d/ cache directory. the previous "hack" to
create a non-directory file at that place is still supported.
- compact: support --dry-run (do nothing) to simplify scripting, #8300
- add {unixtime} placeholder, #8522
- macOS: retrieve birthtime in nanosecond precision via system call, #8724
- implement padme chunk size obfuscation (SPEC 250), #8705
Fixes:
- borg exits when assertions are disabled with Python optimizations, #8649
- fix remote repository exception handling / modern exit codes, #8631
- config: fix acceptance of storage_quota 0, #8499
- config: reject additional_free_space < 10M (but accept 0), #6066
- check: more consistent messaging considering --repair, #8533
- yes: deal with UnicodeDecodeError in input(), #6984
- fix WORKAROUNDS=authenticated_no_key support for archive TAM authentication,
#8400
- diff: do not assert on diff if hard link sources are not found due to
exclusions, #8344
- diff:
- suppress modified changes for files which weren't actually modified in JSON
output, #8334
- ensure that 0B changes are hidden from text diffs, too.
- remove 0-added,0-removed modified entries from JSON output.
- try to rebuild cache if an exception is raised, #5213
- freebsd: fix nfs4 acl processing, #8756.
This issue only affected borg extract --numeric-ids when processing NFS4
ACLs, it didn't affect POSIX ACL processing.
Other changes:
- support and test on Python 3.13
- use Cython 3.0.12
- filter LibreSSL related warnings on OpenBSD
- docs:
- update install docs, nothing bundled anymore, #8342
- clarify excluded and included flags for dry-run, #8556
- small changes regarding compression, #8542
- clean up entries regarding SSH settings, link to recommended ones, #8542
- borg/borgfs detects internally under which name it was invoked, #8207
- binary: using the directory build is faster, #8008
- add readme of the binaries
- mount: document on-demand loading, perf tips, #7173
- better link modern return codes, #8370
- update repository URLs in docs to use new syntax, #8361
- align /etc/backups path references in automated backups deployment guide
- mount docs: apply jdchristensen's suggestion, better phrasing.
- FAQ: Why is backing up an unmodified FAT filesystem slow on Linux?
- FAQ: Why are backups slow on a Linux server that is a member of a windows domain?
- FAQ: add entry about pure-python msgpack warning, #8323
- modify docs for automated backup to append to SYSTEMD_WANTS rather than overwrite, #8641
- fix udev rule priority in automated-local.rst, #8639
- clarify requirements when using command line options with special characters within a shell, #8628
- work around sudden failure of sphinx ini lexer
- readthedocs theme fixes
- bring back highlighted content preview in search results.
- fix erroneous warning about missing javascript support.
- tests:
- github CI: windows msys2 build: broken, disable it for now, #8264
- improve borg check --repair healing tests, #8302
- fix hourly prune test failure due to local timezone
- ignore `com.apple.provenance` xattr (macOS specific)
- vagrant:
- pyenv: only use Python 3.11.12, use this for binary build
- macos: give more memory
- install rust on BSD
- add FreeBSD 13 box, for #8266
- fix OpenBSD box, #8506
- use a bento/ubuntu-24.04 box for now
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 10:10:45 +0000 (12:10 +0200)]
qemu: Update to version 10.1.0
- Update from version 10.0.2 to 10.1.0
- Update of rootfile
- Changelog for 10.1 can be found at https://wiki.qemu.org/ChangeLog/10.1
- Changelog for 10.0 can be found at https://wiki.qemu.org/ChangeLog/10.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 10:10:43 +0000 (12:10 +0200)]
opus: Update to version 1.5.2
- Update from version 1.5.1 to 1.5.2
- Update of rootfile
- Changelog
1.5.2
fixes several build issues that were discovered since the 1.5 release. It also
fixes a misalignment issue in the AVX2 code that could cause crashes under
Windows.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 10:10:42 +0000 (12:10 +0200)]
nagios_nrpe: Update to version 4.1.3
- Update from version 4.1.0 to 4.1.3
- Update of rootfile not required
- Changelog
4.1.3
**FIXES**
- Change of ssl.c and ssl.h to nrpe-ssl.c and nrpe-ssl.h
4.1.2
**FIXES**
- Fixed printing of incorrect packet version to just logging the error
- Fixed and updated SSL
4.1.1
**FIXES**
- Use correct HUP signal for Solaris
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 10:10:40 +0000 (12:10 +0200)]
libslirp: Update to version 4.9.1
- Update from version 4.7.0 to 4.9.1
- Update of rootfile not required
- 2 security fixes in version 4.8.0
- Changelog
4.9.1
Fixed
- meson: use boolean defaults for boolean options !149
- meson: specify that C++ is only used for host binaries !149
- meson: add dependency override for libslirp !150
- Do not link tests with libslirp.map #84
- apple: Fix getting IPv4 DNS server address when IPv4 and IPv4 are
interleaved #85
- Windows: Fix ICMP generation #87 #88
- tcp: Fix starting the linger2 timer on socket shutdown #86
Changed
- tcp: on input, reset TCPT_KEEP to TCPTV_KEEP_IDLE rather than
TCPTV_KEEPINTVL
- tcp: on input during init, reset TCPT_KEEP to TCPTV_KEEP_INIT
- tcp: Reduce linger time to two minutes
4.9.0
Added
- Add SlirpAddPollSocketCb and {,un}register_poll_socket that can be used from
SLIRP_CONFIG_VERSION_MAX 6 to properly support socket handles on win64.
Fixed
- bootp: Fill siaddr with tftp addr as per RFC2131 !135
- tcp_listen: Fix host forwarding on Windows !137
- tftp: Fix address returned in proxying #82 !147
Changed
- Fix build on mold #77
- Fix static linking !134
- slirp_os_socket abstraction for Windows !136
- cksum: Update implementation to include 64-bit computation support !144
- reduce compilation warnings on Windows !143
4.8.0
Security
- tcp: Fix testing for last fragment
- tftp: Fix use-after-free
Added
- Add support for Haiku !123
- ncsi: Add manufacturer's ID !122
- ncsi: Add Get Version ID command !122
- ncsi: Add out-of-band ethernet address !125
- ncsi: Add Mellanox Get Mac Address handler !125
- icmp6: Add echo request forwarding support
- Add fuzzing infrastructure
Fixed
- Fix missing cleanups
- windows: Build fixes
- ipv6: Use target address from Neighbor Advertisement !129
- dns: Reject domain-search when any entry ends with ".."
- dns: Use localhost as dns when /etc/resolv.conf empty !130
- icmp: Handle ICMP packets as IPPROTO_IP on BSD !133
- eth: pad ethernet frames to 60 bytes #34
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 10:10:39 +0000 (12:10 +0200)]
iptraf-ng: Update to version 1.2.2
- Update from version 1.2.1 to 1.2.2
- Update of rootfile not required
- CVE fix in this version
- Changelog
1.2.2
- small cleanups: remove unused code/variable, correct format specifiers
- serv.c: fix and validate port/ranges entering/loading/saving
- SECURITY FIX: CVE-2024-52949: interface names: limit length to IFNAMSIZ
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 10:10:38 +0000 (12:10 +0200)]
iotop: Update to version 1.30
- Update from version 1.26 to 1.30
- Update of rootfile not required
- Changelog
1.30
kernel commit 0bf2d83 fixes the problem with struct taskstats, now iotop
1.30 handles only v15 of the struct in a different way, retaining
compatibility with both old and new kernels
show zero current values for exited processes
flush stdout after each batch run
1.29
Fix Linux kernel incompatible struct taskstats
1.28
add option to specify bin directory by @mhlavink in #78
fix batch mode
1.27
src/iotop: correct pg_cb signature by @mikoxyz in #64
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 10:10:36 +0000 (12:10 +0200)]
dtc: Update to version 1.7.2
- Update from version 1.7.1 to 1.7.2
- Update of rootfile
- Changelog
1.7.2
Build
- Fix automatic dependency handling for paths with spaces in them
- Fix to allow compilation with swig 4.3.0
- Disable pointless warnings on swig generated code
fdtoverlay
- Improve error message with missing /__symbols__
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
