Adolf Belka [Sun, 2 Mar 2025 19:14:30 +0000 (20:14 +0100)]
vpnmain.cgi: Fixes bug13737 - increments the serial number to allow cert regen
- When the regeneration is carried out the existing cert, with serial number 01, is
revoked but when the new cert is created the serial number is still 01 causing error
messages about the new cert being revoked.
- This patch increments the serial number from 01 to 02 after the initial root/host
certificate set is created.
- Then when the old cert is revoked the new one uses serial number 02 but also
automatically increments it again. So all future regenerations work without problems.
- Tested out on a physical IPFire system.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 1 Mar 2025 12:46:02 +0000 (13:46 +0100)]
exclude: Remove the urlfilter pl programs from a backup
- When dealing with the qos bug fix for backing up .pl programs I also then searched all
the /var/ipfire directory tree looking for any other .pl files that were being backed
up and found that there were two for the urlfilter.
- This patch adds the .pl files in the urlfilter/bin directory to the exclude list.
- In the same way as for the qos change the exclude addition also means that these files
will not be restored from any earlier backup.
- Also tested and confirmed on a physical IPFire system.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 1 Mar 2025 12:46:01 +0000 (13:46 +0100)]
exclude: Fix bug13736 - stop backup of qos perl programs
- The exclude file only had the qos.pl file from the bin directory excluded from the
backup. This meant that 5 other perl programs were being backed up and therefore
any restore would overwrite new updated versions such as the makeqosscripts.pl file.
- This addition to the backup exclude file now excludes all .pl files from the qos/bin
directory.
- This also means that any restore from earlier backups that included the other .pl files
will not restore those files.
- Tested out on an IPFire physical system.
Fixes: bug13736
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 1 Mar 2025 12:01:08 +0000 (13:01 +0100)]
samba: Update to version 4.21.4
- Update from version 4.21.3 to 4.21.4
- Update of rootfiles for x86_64, aarch64 and riscv64
- Changelog
4.21.4
* BUG 15780: Increasing slowness of sharesec performance with high number of
registry shares.
* BUG 15782: winbindd shows memleak in kerberos_decode_pac.
* BUG 15738: Creation of GPOs applicable to more than one group is impossible
with Samba 4.20.0 and later.
* BUG 15756: Replace `crypt` module in
python/samba/netcmd/user/readpasswords/common.py.
* BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.
* BUG 15796: Spotlight search results don't show file size and creation date.
* BUG 15703: General improvements for vfs_ceph_new module.
* BUG 15777: net offlinejoin not working correctly.
* BUG 15780: Increasing slowness of sharesec performance with high number of
registry shares.
* BUG 15759: net ads create/join/winbind producing unix dysfunctional
keytabs.
* BUG 14213: Windows Explorer crashes on S-1-22-* Unix-SIDs when accessing
security tab.
* BUG 15769: The values from hresult_errstr_const and hresult_errstr are
reversed in 4.20 and 4.21.
* BUG 15778: Kerberos referral tickets are generated for principals in our
domain if we have a trust to a top level domain.
* BUG 15783: NETLOGON_NTLMV2_ENABLED is missing in the SamLogon* user_flags
field.
* BUG 15703: General improvements for vfs_ceph_new module.
* BUG 15784: Regression: stack-use-after-return in crypt_as_best_we_can().
* BUG 15788: libreplace:readline: gcc 15 complains about incompatible pointer
types.
* BUG 15703: General improvements for vfs_ceph_new module.
* BUG 15703: General improvements for vfs_ceph_new module.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 28 Feb 2025 16:59:46 +0000 (17:59 +0100)]
tcl: Update to version 9.0.1
- Update from version 8.6.14 to 9.0.1
- Update of rootfile
- Changelog
9.0.1
# Completed 9.0 Features and Interfaces
- [TIP 701 - Tcl_FSTildeExpand C API]
(https://core.tcl-lang.org/tips/doc/trunk/tip/701.md)
- [TIP 707 - ptrAndSize internal rep in Tcl_Obj]
(https://core.tcl-lang.org/tips/doc/trunk/tip/707.md)
- [Size modifiers j, q, z, t not implemented]
(https://core.tcl-lang.org/tcl/info/c4f365)
# Bug fixes
- [regression in tzdata, %z instead of offset TZ-name]
(https://core.tcl-lang.org/tcl/tktview/2c237b)
- [Tcl will not start properly if there is an init.tcl file in the current
dir](https://core.tcl-lang.org/tcl/tktview/43c94f)
- [clock scan "24:00", ISO-8601 compatibility]
(https://core.tcl-lang.org/tcl/tktview/aee9f2)
- [Temporary folder with file "tcl9registry13.dll" remains after "exit"]
(https://core.tcl-lang.org/tcl/tktview/6ce3c0)
- [Wrong result by "lsearch -stride -subindices -inline -all"]
(https://core.tcl-lang.org/tcl/info/5a1aaa)
- [TIP 609 - required Tcl_ThreadAlert() skipped with nested event loop]
(https://core.tcl-lang.org/tcl/info/c7e4c4)
- [buffer overwrite for non-BMP characters in utf-16]
(https://core.tcl-lang.org/tcl/tktview/66da4d)
- [zipfs info on mountpoint of executable returns zero offset in field 4"]
(https://core.tcl-lang.org/tcl/info/aaa84f)
- [zlib-8.8, zlib-8.16 fail on Fedora 40, gcc 14.1.1]
(https://core.tcl-lang.org/tcl/tktview/73d5cb)
- [install registry and dde in $INSTALL_DIR\lib always]
(https://core.tcl-lang.org/tcl/tktview/364bd9)
- [cannot build .chm help file (Windows)]
(https://core.tcl-lang.org/tcl/tktview/bb110c)
# Incompatibilities
- No known incompatibilities with the Tcl 9.0.0 public interface.
# Updated bundled packages, libraries, standards, data
- Itcl 4.3.2
- sqlite3 3.47.2
- Thread 3.0.1
- TDBC\* 1.1.10
- tcltest 2.5.9
- tzdata 2024b, corrected
9.0.0
# Major Features
## 64-bit capacity: Data values larger than 2 GB
- Strings can be any length (that fits in your available memory)
- Lists and dictionaries can have very large numbers of elements
## Internationalization of text
- Full Unicode range of codepoints
- New encodings: `utf-16`/`utf-32`/`ucs-2`(`le`|`be`), `CESU-8`, etc.
- `encoding` options `-profile`, `-failindex` manage encoding of I/O.
- `msgcat` supports custom locale search list
- `source` defaults to `-encoding utf-8`
## Zip filesystems and attached archives
- Packaging of the Tcl script library with the Tcl binary library,
meaning that the `TCL_LIBRARY` environment variable is usually not
required.
- Packaging of an application into a virtual filesystem is now a
supported
core Tcl feature.
## Unix notifiers available using `epoll()` or `kqueue()`
- This relieves limits on file descriptors imposed by legacy
`select()` and fixes a performance bottleneck.
# Incompatibilities
## Notable incompatibilities
- Unqualified varnames resolved in current namespace, not global.
Note that in almost all cases where this causes a change, the
change is actually the removal of a latent bug.
- No `--disable-threads` build option. Always thread-enabled.
- I/O malencoding default response: raise error (`-profile strict`)
- Windows platform needs Windows 7 or Windows Server 2008 R2 or later
- Ended interpretation of `~` as home directory in pathnames.
(See `file home` and `file tildeexpand` for replacements when you
need them.)
- Removed the `identity` encoding.
(There were only ever very few valid use cases for this; almost
all uses were systematically wrong.)
- Removed the encoding alias `binary` to `iso8859-1`.
- `$::tcl_precision` no longer controls string generation of doubles.
(If you need a particular precision, use `format`.)
- Removed pre-Tcl 8 legacies: `case`, `puts` and `read` variant
syntaxes.
- Removed subcommands [`trace variable`|`vdelete`|`vinfo`]
- Removed `-eofchar` option for write channels.
- On Windows 10+ (Version 1903 or higher), system encoding is always
utf-8.
- `%b`/`%d`/`%o`/`%x` format modifiers (without size modifier) for
`format` and `scan` always truncate to 32-bits on all platforms.
- `%L` size modifier for `scan` no longer truncates to 64-bit.
- Removed command `::tcl::unsupported::inject`.
(See `coroinject` and `coroprobe` for supported commands with
significantly more comprehensible semantics.)
## Incompatibilities in C public interface
- Extensions built against Tcl 8.6 and before will not work with
Tcl 9.0;
ABI compatibility was a non-goal for 9.0. In _most_ cases,
rebuilding against Tcl 9.0 should work except when a removed API
function is used.
- Many arguments expanded type from `int` to `Tcl_Size`, a signed
integer type large enough to support 64-bit sized memory objects.
The constant `TCL_AUTO_LENGTH` is a value of that type that
indicates that the length should be obtained using an appropriate
function (typically `strlen()` for `char *` values).
- Ended support for `Tcl_ChannelTypeVersion` less than 5
- Introduced versioning of the `Tcl_ObjType` struct
- Removed macros `CONST*`: Tcl 9 support means dropping Tcl 8.3
support.
(Replaced with standard C `const` keyword going forward.)
- Removed registration of several `Tcl_ObjType`s.
- Removed API functions:
- `Tcl_Backslash()`
- `Tcl_*VA()`
- `Tcl_*MathFunc*()`
- `Tcl_MakeSafe()`
- `Tcl_(Save|Restore|Discard|Free)Result()`
- `Tcl_EvalTokens()`
- `Tcl_(Get|Set)DefaultEncodingDir()`
- `Tcl_UniCharN(case)cmp()`
- `Tcl_UniCharCaseMatch()`
- Revised many internals; beware reliance on undocumented behaviors.
# New Features
## New commands
- `array default` — Specify default values for arrays (note that
this alters the behaviour of `append`, `incr`, `lappend`).
- `array for` — Cheap iteration over an array's contents.
- `chan isbinary` — Test if a channel is configured to work with
binary data.
- `coroinject`, `coroprobe` — Interact with paused coroutines.
- `clock add weekdays` — Clock arithmetic with week days.
- `const`, `info const*` — Commands for defining constants (variables
that can't be modified).
- `dict getwithdefault` — Define a fallback value to use when
`dict get` would otherwise fail.
- `file home` — Get the user home directory.
- `file tempdir` — Create a temporary directory.
- `file tildeexpand` — Expand a file path containing a `~`.
- `info commandtype` — Introspection for the kinds of commands.
- `ledit` — Equivalent to `lreplace` but on a list in a variable.
- `lpop` — Remove an item from a list in a variable.
- `lremove` — Remove a sublist from a list in a variable.
- `lseq` — Generate a list of numbers in a sequence.
- `package files` — Describe the contents of a package.
- `string insert` — Insert a string as a substring of another string.
- `string is dict` — Test whether a string is a dictionary.
- `tcl::process` — Commands for working with subprocesses.
- `*::build-info` — Obtain information about the build of Tcl.
- `readFile`, `writeFile`, `foreachLine` — Simple procedures for
basic working with files.
- `tcl::idna::*` — Commands for working with encoded DNS names.
## New command options
- `chan configure ... -inputmode ...` — Support for raw terminal
input and reading passwords.
- `clock scan ... -validate ...`
- `info loaded ... ?prefix?`
- `lsearch ... -stride ...` — Search a list by groups of items.
- `regsub ... -command ...` — Generate the replacement for a regular
expression by calling a command.
- `socket ... -nodelay ... -keepalive ...`
- `vwait` controlled by several new options
- `expr` string comparators `lt`, `gt`, `le`, `ge`
- `expr` supports comments inside expressions
## Numbers
- <code>0<i>NNN</i></code> format is no longer octal interpretation.
Use <code>0o<i>NNN</i></code>.
- <code>0d<i>NNNN</i></code> format to compel decimal interpretation.
- <code>NN_NNN_NNN</code>, underscores in numbers for optional
readability
- Functions: `isinf()`, `isnan()`, `isnormal()`, `issubnormal()`,
`isunordered()`
- Command: `fpclassify`
- Function `int()` no longer truncates to word size
## TclOO facilities
- private variables and methods
- class variables and methods
- abstract and singleton classes
- configurable properties
- `method -export`, `method -unexport`
8.6.16
Bug fixes and corrections to erratic behavior
* Regression in [clock] timezones due to revised tzdata format
* Improper startup if [pwd] contains a file named init.tcl
* Fix crashes or hangs in...
- TclOO + coroutine, oo-1.25
- lifecycle management of the attributes of a menu entry
- [grid] and [pack] handling of half-dead argument
- Tk_DeleteErrorHandler()
- overwrite of thread data by Tk initialization in second interp
* Prevent negative zlib stream checksums, zlib-15.1
* Filesystem path efficiency from skipping unnecessary normalization
* Revised [clock scan] consistent with leap second timestamp validation
* Updated bundled packages, libraries, standards, data
- Itcl 4.3.2
- sqlite3 3.47.2
- Thread 2.8.11
- TDBC* 1.1.10
- tcltest 2.5.9
- tzdata 2024b, corrected
8.6.15
Bug fixes and corrections to erratic behavior
* [TIP 692] Deprecate Tcl_GetAlias(). Migrate to Tcl_GetAliasObj()
* Invoke binding scripts for events with detail field NotifyInferior
*** POTENTIAL INCOMPATIBILITY ***
* Tcl_NewObjectInstance() errors on namespace re-use.
*** POTENTIAL INCOMPATIBILITY -- breaks Itcl 4.2 ***
* TCL_PACKAGE_PATH change from Tcl list to platform path convention
*** POTENTIAL INCOMPATIBILITY ***
* Make [self] work inside [$obj eval]
* Fix [$obj varname] for linked varnames
* Restore access to alternate data streams (ADS) in NTFS filesystems.
* Fix crashes or hangs in...
- TclOO + coroutine, oo-22.[34]
- entangled destructor and namespace deletion, oo-35.7.*
- destruction of reflected channel, iocmd-32.3.*
- select notifier with file descriptor >= FD_SETSIZE
- [child invokehidden info frame], info-40.0
- [focus -force], focus-8.1
- [$canvas dchars], canvas-11.4
- [$menubutton destroy]
* Appearance improvements for...
- focus ring, arrows, and classic theme.
- last item in a [ttk::treeview].
- down arrow in [ttk::combobox].
* Repair [$photo read -from] flaws in GIF,PNG formats. imgPhoto-19.*
* [$photo copy] coordinate check error. See imgPhoto-12.5
* Detect corrupt GIF file and raise error. See imgPhoto-18.6.1
* Fixes to [ttk::treeview] subcommands 'see' and 'bbox'.
* Fix default font detection for high DPI
* [treeview identify] now point aware
* Fix broken undo/redo in [text] widget.
* Fix GENFUNC mode of Tcl_ParseArgsObjv(). See tests indexObj-7.*
* Fix removal of oo variable by [info exists]. See oo-19.4
* Fix byte compiled [incr] with wide int increment. See incr-1.31
* Repair encoding flaws in [info hostname] visible for non-ASCII names.
* Fix incorrect [string is control] results on some private codepoints
* Autoload of [::tcl::tm::path]
* Fix missing error message in some [interp limit] failures.
* Improved hash performance for some hash tables.
* Performance optimizations in several encoding primitives.
* Correction to rare failed startup search for system encoding
* Add encodings: koi8-ru, koi8-t
* Add keycodes ISO_Group_Shift and dead_hamza
* Updated bundled packages, libraries, standards, data
- Itcl 4.3.0 -- supports multi-thread operations
- sqlite3 3.45.3
- Thread 2.8.10
- TDBC* 1.1.9
- tcltest 2.5.8
- libtommath 1.3.0
- Unicode 16
- tzdata 2024b
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 28 Feb 2025 14:04:00 +0000 (15:04 +0100)]
dhcpcd: Update to version 10.2.2
- Update from version 10.2.1 to 10.2.2
- Update of rootfile not required
- Changelog is not provided. Details are from the commits from this link
https://github.com/NetworkConfiguration/dhcpcd/compare/v10.2.1...v10.2.2
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 28 Feb 2025 11:27:31 +0000 (12:27 +0100)]
firewallog.dat: Fix bug13068 - remove blocklist entries from firewall log
- The blocklist log entries are also under kernel: and so currently also show up in the
firewall logs as well as in the ip blocklist logs menus. If there are a lot of
blocklist entries it can make it very difficult to go through the firewall logs.
- This bugfix excludes any kernel: log entries that have a chain starting with BLKLST.
- Tested out on physical and vm IPFire systems.
Fixes: bug13068
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 27 Feb 2025 15:52:48 +0000 (16:52 +0100)]
vim: Update to version 9.1.1153
- Update from version 9.1.0886 to 9.1.1153
- Update of rootfile
- Changelog is not available. Generally each patch version number update is related to
a commit entry in the git repository. The details for all the commit changes can be
found at https://github.com/vim/vim/commits/master/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 27 Feb 2025 13:27:53 +0000 (14:27 +0100)]
kmod: Update to version 34
- Update from version 33 to 34
- Update of rootfile
- build of kmod has been moved to meson. Autotools option is still available in this
version but in the next version it will only be meson so it seemed sensible to change
it now.
- Back in version 32 they decided to automatically make the symlinks for all the tools
in the install script but to place those symlinks in /bin defined by $bindir. So the
rootfile for version 32 ended up with the tool symlinks both in /bin and /sbin.
- In this version (34) they have decided to change it to being /sbin by default. Distros
that want to have them in /bin just have to set the sbindir to /bin. So the symlink
creation lines are no longer required as the install creates them for us. The
symlinks in /bin have been removed and I don't see any reason to put them back in as
they were only introduced in version 32 and previously the symlinks were always in
/sbin.
- The sbindir location has to be specified otherwise the default would end up with
/usr/sbin
- Changelog
34
- Improvements
- Drop pre-built .ko modules from git - distros/packages will need the
linux-headers to be able to run the testsuite. There was limited use
of the feature, while linters complained about "source-not-included"
or "source-contains-prebuilt-binary".
- Switch build system to meson: autotools is still supported but slated
for removal on next release. This is the transition release to help
distros and integrators to move to the new build system. Default options
target distros while developers can use the build-dev.ini configuration
file.
- Allow to load decompression libraries ondemand: liblzma.so, libz.so,
libxz.so and libzstd.so can now be loaded ondemand, only when there is
such a need. For use during early boot for loading modules, if
configured well it means none of these libraries are loaded: the
module loading logic via finit_module() will just hand over to kernel
the open file descriptor and kernel will use its own decompress routine.
If kernel doesn't handle decompression or if the module is compressed
with a different algorithm than the one configured in the kernel,
libkmod can still open the module by dynamically loading the
correspondent library.
Tools inspecting the module contents, like modinfo, will load that
single decompression library instead all of them.
For distros building with meson it's possible to choose the behavior
per library. Examples: a) -Ddlopen=all uses dlopen behavior for all
the libraries; b) -Ddlopen=xz, will make only xz to be dlopen'ed
while other enabled libraries will be linked in at build time.
The use of dlopen is annotated in the ELF file by using the ELF
Package Metadata spec as documented in
https://systemd.io/ELF_PACKAGE_METADATA/. Example:
$ dlopen-notes.py libkmod.so
# build/libkmod.so
[
{
"feature": "xz",
"description": "Support for uncompressing xz-compressed modules",
"priority": "recommended",
"soname": [
"liblzma.so.5"
]
}
]
- Add -m / --moduledir to depmod to override in runtime the module
directory that was already possible to set on build time. Document
the interaction between the dir options: base, module and output.
- Better error propagation in libkmod for its internal APIs and libc
functions up to the callers.
- Improve libkmod API documentation by adding new sections, documenting
functions previously missing, rewording existing ones, adding version
information, cross-referencing, etc.
- Remove deprecated arguments for depmod: --unresolved-error, --quiet,
--root and --map.
- Remove deprecated arguments for rmmod: -w.
- Remove deprecated arguments for insmod: -p and -s.
- Add --syslog and --force for insmod to normalize it with other tools.
- Add bash, fish and zsh shell-completion for insmod, rmmod and lsmod.
- Remove depmod_module_directory_override from .pc as the kernel side
is not making use of it and will likely not need it.
- Improve builtin module listing and retrieving information from its
modinfo index which reduces the amount of needed syscalls by 90%.
- Improve zstd decompression by using streaming bufferless mode which
reduces the amount of syscalls by 65%.
- Increase use of pread while parsing ELF and indexes in order to reduce
syscalls and improve performance.
- Improve module sorting in depmod to speedup the use of the
modules.order index and support duplicate lines in it.
- Avoid misaligned memory access while reading module signature in
libkmod.
- Add more documentation for contributing to kmod. New developers are
welcome to look at the new README.md and CONTRIBUTING.md files for
information on process, coding style, build/installation, etc.
- Overhaul man pages with multiple clarifications, section rewrites and
additional documentation.
- Drop --with-rootlibdir as it's seldom used and was partially broken.
- Drop strndupa() and alloca() for increased libc compatibility.
- Better handling of LFS for increased compatibility with libc.
- Protect kmod_get_dirname() and kmod_new() against NULL argument.
- Normalize --version / --help output across all tools.
- Always include log priority in messages, even when building with debug.
- Optimize index reading by lazily reading nodes on demand, reducing
FILE overhead and reducing code duplication wrt FILE vs mmap
implementations, etc.
- Switch index to pre-order to improve performance in both read and
write, meaning faster lookup and faster depmod. Some examples:
a) traversing all indexes via configuration dump shows a 9%
improvement on Raspberry Pi 2. b) writing the indexes takes 90% less
lseek() calls, leading to a performance gain of 13%.
- Make symlink install locations more similar to what distros are
using: by default it installs the kmod binary as bin/kmod and the
symlinks are located in e.g. `sbin/depmod -> ../bin/kmod`. Changing
the sbin location is sufficient to move the symlinks to the
appropriate place, so distros using `--sbin /usr/bin` will have them
installed in that directory. This avoids distros having to remove the
symlink and add the symlinks by themselves. (meson only)
- Install configuration directories,
/{etc,usr/lib}/{depmod,modprobe}.d/ as part of installation, matching
what several distros do during packaging. (meson only)
- Bug fixes
- Fix testsuite using when using configurable module dir.
- Fix typos on documentation and source code.
- Fix out of bound access in multiple places when using long paths,
synthetic huge files, or handling memory allocation errors, or
inconsistent variable types, particularly on 32b builds.
- Fix internal array APIs, with better error checking: improve execution on
very memory-constrained scenarios or very long paths.
- Fix absolute path handling in depmod.
- Fix libkmod memory leaks on error handling when getting builtin
module list.
- Do not crash on invalid modules.builtin.modinfo file.
- Fix link with lld resulting in empty testsuite.
- Fix testsuite build/execution with musl.
- Others
- Adopt clang-format and editorconfig for coding style and setup CI
action to keep the codebase consistent.
- Adopt codespell in CI.
- Adopt CodeQL integration in CI.
- Adopt Codecov in CI.
- Adopt SPDX copyright and license identifiers throughout the project.
- Add more distros to CI, 32b builds, clang as compiler and lld as
linker.
- Add support for clang sanitizers and squelch warnings.
- Add tests for builtin modules from modinfo index file.
- Multiple testsuite refactors and fixes to make it simpler to write tests.
- Add CI coverage for docs
- Improve strbuf implementation with more error checks and generalize
it to cover the role of scratchbuf. This allows to remove the
scratchbuf implementation.
- Use common array and strbuf code in depmod to remove duplication.
- Add abstraction and use more compiler builtins for addition and
multiplication with overflow checking.
- Normalize use of C attributes throughout the project.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 26 Feb 2025 18:12:50 +0000 (19:12 +0100)]
zstd: Update to version 1.5.7
- Update from version 1.5.6 to 1.5.7
- Update of rootfile
- Changelog
1.5.7
fix: compression bug in 32-bit mode associated with long-lasting sessions
api: new method `ZSTD_compressSequencesAndLiterals()` (#4217, #4232)
api: `ZSTD_getFrameHeader()` works on skippable frames (#4228)
perf: substantial compression speed improvements (up to +30%) on small data,
by @TocarIP (#4144) and @cyan4973 (#4165)
perf: improved compression speed (~+5%) for dictionary compression at low
levels (#4170)
perf: much faster speed for `--patch-from` at high compression levels (#4276)
perf: higher `--patch-from` compression ratios, notably at high levels (#4288)
perf: better speed for binaries on Windows (@pps83) and when compiled with
Visual Studio (@MessyHack)
perf: slight compression ratio improvement thanks to better block boundaries
(#4136, #4176, #4178)
perf: slight compression ratio improvement for `dfast`, aka levels 3 and 4 (#4171)
perf: runtime bmi2 detection enabled on x86 32-bit mode (#4251)
cli: multi-threading as default CLI setting, by @daniellerozenblit
cli: new `--max` command (#4290)
build: improve `msbuild` version autodetection, support VS2022, by @ManuelBlanc
build: fix `meson` build by @artem and @Victor-C-Zhang, and on Windows by
@bgilbert
build: compatibility with Apple Framework, by @Treata11
build: improve icc/icx compatibility, by @josepho0918 and @luau-project
build: improve compatibility with Android NDK, by Adenilson Cavalcanti
portability: linux kernel branch, with improved support for Sequence producers
(@embg, @gcabiddu, @cyan4973)
portability: improved qnx compatibility, suggested by @rainbowball
portability: improved install script for FreeBSD, by @sunpoet
portability: fixed test suite compatibility with gnu hurd, by @diegonc
doc: clarify specification, by @elasota
misc: improved tests/decodecorpus validation tool (#4102), by antmicro
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 26 Feb 2025 18:12:49 +0000 (19:12 +0100)]
xfsprogs: Update to version 6.13.0
- Update from version 6.11.0 to 6.13.0
- Update of rootfile
- Changelog is not provided in the source tarball. Details can be found from the git log
https://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 26 Feb 2025 18:12:48 +0000 (19:12 +0100)]
which: Update to version 2.23
- Update from version 2.21 to 2.23
- Update of rootfile not required
- Changelog
2.23
Bug fix; cleaning up a path like "/path/a/../b/foo" before printing was broken
in 2.22.
2.22
Improved Windows support (by Mitch Capper).
The function that decides if a found path is executable (file_status)
was updated to that of bash version 5.2.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 26 Feb 2025 18:12:47 +0000 (19:12 +0100)]
tshark: Update to version 4.4.5
- Update from version 4.4.4 to 4.4.5
- Update of rootfile
- Changelog
4.4.5
Bug Fixes
GRPC: protobuf_json only displays the truncated string value. Issue 20392.
Wireshark crashes when clicking on a column title/header. Issue 20403.
Updated Protocol Support
GNW, IPv4, NFAPI, and ProtoBuf
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 26 Feb 2025 18:12:46 +0000 (19:12 +0100)]
postfix: Update to version 3.10.1
- Update from version 3.9.1 to 3.10.1
- Update of rootfile not required
- Changelog
3.10.1
Bugfix (defect introduced: 20250210): a recent 'fix' for the default
smtp_tls_dane_insecure_mx_policy setting resulted in unnecessary 'dnssec_probe'
warnings, on systems that disable DNSSEC lookups (which is the default).
3.10.0
Changes that need a restart:
Internal protocol change: Postfix needs "postfix reload" (or "postfix stop"
and "postfix start") after upgrade, because of a change in the delivery
agent protocol. If this step is skipped, Postfix delivery agents will
log a warning:
unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
where xxx is the delivery agent service name.
Changes in TLS support:
Forward compatibility: Support for OpenSSL 3.5 post-quantum cryptography.
To manage algorithm selection, OpenSSL introduces new TLS group syntax
that Postfix will not attempt to imitate. Instead, Postfix now allows
the tls_eecdh_auto_curves and tls_ffdhe_auto_groups parameter values to
have an empty value. When both are set empty, the algorithm selection
can be managed through OpenSSL configuration. For more, look for
"Post-quantum" in the postconf(5) manpage.
Support for the RFC 8689 "TLS-Required: no" message header to request
delivery of messages (such as TLSRPT summaries) even if the preferred
TLS security policy cannot be enforced. This limits the Postfix SMTP
client to "smtp_tls_security_level = may" which does not authenticate
server certificates and which allows falling back to plaintext.
Support for the REQUIRETLS SMTP service extension will evolve in Postfix 3.11.
Support for the TLSRPT protocol (defined in RFC 8460). With this, a domain
can publish a policy in DNS that requests daily summary reports for
successful and failed SMTP-over-TLS connections to that domain's MX
hosts. This supports both DANE (built-in) and MTA-STS (via an
smtp_tls_policy_maps plugin). The implementation uses a TLSRPT library
and reporting infrastructure that are maintained by sys4. For details,
see TLSRPT_README.
Miscellaneous changes:
Privacy: With "smtpd_hide_client_session = yes", the Postfix SMTP server
generates a Received: header without client session info. This setting
may be used with the MUA submission services (port 465 and 587).
Support for RFC 2047 encoding of non-ASCII "full name" information in
Postfix-generated From: message headers. Encoding non-ASCII full names
can avoid the need to use SMTPUTF8, and therefore can avoid
incompatibility with sites that do not support SMTPUTF8. See the
full_name_encoding_charset parameter description for details.
Database performance: When mysql: or pgsql: configuration specifies a
single host, assume that it is a load balancer and reconnect
immediately after a single failure, instead of failing all requests
for 60s.
Changes in logging:
The Postfix Milter implementation now logs the reason for a 'quarantine'
action, instead of "milter triggers HOLD action".
The SMTP server now logs the queue ID (or "NOQUEUE") when a connection
ends abnormally (timeout, lost connection, or too many errors), and
the cleanup server now logs "queueid: canceled" when a message
transaction is started but not completed. These changes simplify
logfile analysis.
Dovecot SASL client logging for "Invalid authentication mechanism" now
includes the name of that mechanism.
Postfix SMTP server 'reject' logging now shows the sasl_method,
sasl_username, and sasl_sender if available.
3.9.2
Forward compatibility: Support for OpenSSL 3.5 post-quantum cryptography.
To manage algorithm selection, OpenSSL introduces new TLS group syntax
that Postfix will not attempt to imitate. Instead, Postfix now allows
the tls_eecdh_auto_curves and tls_ffdhe_auto_groups parameter values
to have an empty value. When both are set empty, the algorithm
selection can be managed through OpenSSL configuration. Viktor Dukhovni.
Forward compatibility: ignore new queue file flag bits that may be used
with Postfix 3.10 and later. This is a safety in case a Postfix 3.10
upgrade needs to be rolled back, after the new TLS-Required feature
has been used.
Performance: when a mysql: or pgsql: configuration specifies a single
host, assume that it is a load balancer and reconnect immediately
after a single failure, instead of failing all requests for 60s.
Bugfix (defect introduced: Postfix 3.4, date 20181113): a server with
multiple TLS certificates could report, for a resumed TLS session, the
wrong server-signature and server-digest names in logging and
Received: message headers. Viktor Dukhovni.
Bugfix (defect introduced: Postfix 3.3, date 20180107) small memory leak
in the cleanup daemon when generating a "From: full-name " message
header. The impact is limited because the number of requests is
bounded by the "max_use" configuration parameter. Found during code
maintenance.
Bugfix (defect introduced: Postfix 3.0): the bounce daemon mangled a
non-ASCII address localpart in the "X-Postfix-Sender:" field of a
delivery status notification. It backslash-escaped each byte in a
multi-byte character. This behavior was implemented in Postfix 2.1 (no
support for UTF8 local-parts), but it became incorrect after SMTPUTF8
support was implemented in Postfix 3.0.
Bugfix (defect introduced: Postfix 3.6): Reverted the default
smtp_tls_dane_insecure_mx_policy setting to "dane" as of
Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and 3.10.0. By mistake the
default was dependent on the smtp_tls_security_level setting. Problem
reported by Ömer Güven.
Portability: added "include <sys_socket.h>" for a SUNOS5 workaround. Gary
R. Schmidt.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 26 Feb 2025 18:12:45 +0000 (19:12 +0100)]
pcre2: Update to version 10.45
- Update from version 10.44 to 10.45
- Update of rootfile
- Changelog
10.45
This is a comparatively large release, incorporating new features, some
bugfixes, and a few changes with slight backwards compatibility implications.
Please see the ChangeLog and Git log for further details.
Only changes to behaviour, changes to the API, and major changes to the pattern
syntax are described here.
This release is the first to be available as a (signed) Git tag, or
alternatively as a (signed) tarball of the Git tag.
This is also the first release to be made by the new maintainers of PCRE2, and
we would like to thank Philip Hazel, creator and maintainer of PCRE and PCRE2.
* (Git change) The sljit project has been split out into a separate Git
repository. Git users must now run `git submodule init; git submodule update`
after a Git checkout.
* (Behaviour change) Update Unicode support to UCD 16.
* (Match behaviour change) Case-insensitive matching of Unicode properties
Ll, Lt, and Lu has been changed to match Perl. Previously, /\p{Ll}/i would
match only lower-case characters (even though case-insensitive matching was
specified). This also affects case-insensitive matching of POSIX classes such
as [:lower:].
* (Minor match behaviour change) Case-insensitive matching of backreferences now
respects the PCRE2_EXTRA_CASELESS_RESTRICT option.
* (Minor pattern syntax change) Parsing of the \x escape is stricter, and is
no longer parsed as an escape for the NUL character if not followed by '{' or
a hexadecimal digit. Use \x00 instead.
* (Major new feature) Add a new feature called scan substring. This is a new
type of assertion which matches the content of a capturing block to a
sub-pattern.
Example: to find a word that contains the rare (in English) sequence of
letters "rh" not at the start:
\b(\w++)(*scan_substring:(1).+rh)
The first group captures a word which is then scanned by the
(*scan_substring:(1) ... ) assertion, which tests whether the pattern ".+rh"
matches the capture group "(1)".
* (Major new feature) Add support for UTS#18 compatible character classes,
using the new option PCRE2_ALT_EXTENDED_CLASS. This adds '[' as a
metacharacter within character classes and the operators '&&', '--' and '~~',
allowing subtractions and intersections of character classes to be easily
expressed.
Example: to match Thai or Greek letters (but not letters or other characters
in those scripts), use [\p{L}&&[\p{Thai}||\p{Greek}]].
* (Major new feature) Add support for Perl-style extended character classes,
using the syntax (?[...]). This also allows expressing subtractions and
intersections of character classes, but using a different syntax to UTS#18.
Example: to match Thai or Greek letters (but not letters or other characters
in those scripts), use (?[\p{L} & (\p{Thai} + \p{Greek})]).
* (Minor feature) Significant improvements to the character class match engine.
Compiled character classes are now more compact, and have faster matching
for large or complex character sets, using binary search through the set.
* JIT compilation now fails with the new error code PCRE2_ERROR_JIT_UNSUPPORTED
for patterns which use features not supported by the JIT compiler.
* (Minor feature) New options PCRE2_EXTRA_NO_BS0 (disallow \0 as an escape for
the NUL character); PCRE2_EXTRA_PYTHON_OCTAL (use Python disambiguation rules
for deciding whether \12 is a backreference or an octal escape);
PCRE2_EXTRA_NEVER_CALLOUT (disable callout syntax entirely);
PCRE2_EXTRA_TURKISH_CASING (use Turkish rules for case-insensitive matching).
* (Minor feature) Add new API function pcre2_set_optimize() for controlling
which optimizations are enabled.
* (Minor new features) A variety of extensions have been made to
pcre2_substitute() and its syntax for replacement strings. These now support:
\123 octal escapes; titlecasing \u\L; \1 backreferences; \g<1> and $<NAME>
backreferences; $& $` $' and $_; new function
pcre2_set_substitute_case_callout() to allow locale-aware case transformation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 26 Feb 2025 18:12:44 +0000 (19:12 +0100)]
libffi: Update to version 3.4.7
- Update from version 3.4.6 to 3.4.7
- Update of rootfile not required
- Changelog
3.4.7
Add static trampoline support for Linux on s390x.
Fix BTI support for ARM64.
Support pointer authentication for ARM64.
Fix ASAN compatibility.
Fix x86-64 calls with 6 GP registers and some SSE registers.
Miscellaneous fixes for ARC and Darwin ARM64.
Fix OpenRISC or1k and Solaris 10 builds.
Remove nios2 port.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 26 Feb 2025 18:12:43 +0000 (19:12 +0100)]
diffutils: Update to version 3.11
- Update from version 3.10 to 3.11
- Update of rootfile not required
- Changelog
3.11
Improvements
Programs now quote file names more consistently in diagnostics.
For example, "cmp 'none of' /etc/passwd" now might output
"cmp: EOF on ‘none of’ which is empty" instead of outputting
"cmp: EOF on none of which is empty". In diagnostic messages
that traditionally omit quotes and where backward compatibility
seems to be important, programs continue to omit quotes unless
a file name contains shell metacharacters, in which case programs
use shell quoting. For example, although diff continues to output
"Only in a: b" as before for most file names, it now outputs
"Only in 'a: b': 'c: d'" instead of "Only in a: b: c: d" because the
file names 'a: b' and 'c: d' contain spaces. For compatibility
with previous practice, diff -c and -u headers continue to quote for
C rather than for the shell.
diff now outputs more information when symbolic links differ, e.g.,
"Symbolic links ‘d/f’ -> ‘a’ and ‘e/f’ -> ‘b’ differ", not just
"Symbolic links d/f and e/f differ". Special files too, e.g.,
"Character special files ‘d/f’ (1, 3) and ‘e/f’ (5, 0) differ", not
"File d/f is a character special file while file e/f is a character
special file".
diff's --ignore-case (-i) and --ignore-file-name-case options now
support multi-byte characters. For example, they treat Greek
capital Δ like small δ when input uses UTF-8.
diff now supports multi-byte characters when treating white space.
In options like --expand-tabs (-t), --ignore-space-change (-b) and
--ignore-tab-expansion (-E), diff now recognizes non-ASCII space
characters and counts columns for non-ASCII characters.
Bug fixes
cmp -bl no longer omits "M-" from bytes with the high bit set in
single-byte locales like en_US.iso8859-1. This fix causes the
behavior to be locale independent, and to be the same as the
longstanding behavior in the C locale and in locales using UTF-8.
[bug introduced in 2.9]
cmp -i N and -n N no longer fail merely because N is enormous.
[bug present since "the beginning"]
cmp -s no longer mishandles /proc files, for which the Linux kernel
reports a zero size even when nonempty. For example, the following
shell command now outputs nothing, as it should:
cp /proc/cmdline t; cmp -s /proc/cmdline t || echo files differ
[bug present since "the beginning"]
diff -E no longer mishandles some input lines containing '\a', '\b',
'\f', '\r', '\v', or '\0'.
[bug present since 2.8]
diff -ly no longer mishandles non-ASCII input.
[bug#64461 introduced in 2.9]
diff - A/B now works correctly when standard input is a directory,
by reading a file named B in that directory.
[bug present since "the beginning"]
diff no longer suffers from race conditions in some cases
when comparing files in a mutating file system.
[bug present since "the beginning"]
Release
distribute gzip-compressed tarballs once again
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 26 Feb 2025 18:12:42 +0000 (19:12 +0100)]
btrfs-progs: Update to version 6.13
- Update from version 6.11 to 6.13
- Update of rootfile not required
- Changelog
6.13
mkfs:
new option to enable compression
updated summary (subvolumes, compression)
completely remove option --leafsize, deprecated long ago
btrfstune: add option to remove squota
scrub:
start: new option --limit to set the bandwidth limit for the duration of
the run
status: fix printing of Rate unit suffix (SI/IEC)
qgroup clean-stale: check if quotas are enabled before starting filesystem sync()
print builtin features and options in --version output (mkfs, convert,
image, btrfstune)
build:
Botan minimum version is now 3.x
target to build compile_commands.json (for LSP)
other:
a bit more optimized crc32c code
sync some headers from kernel code
command help updates and fixes
build warning fixes
error message updates
cleanups and refactoring
updated tests
lots of documentation updates
6.12
subvolume delete: add new option to do recursive subvolume deletion (for
regular user delete only accessible subvolumes)
mkfs:
new option --subvol to create subvolumes in given paths, read-write,
read-only and default
add hard link detection support for --rootdir option
fixes:
receive: message verbosity fixes
check: fix false positive report of missing checksum for extent holes
check: handle compressed extents when checking tree log
when asking Y/N user questions, flush the terminal so the question is
displayed (e.g. btrfstune -S)
other
code refactoring, error handling
python packaging fixes
documentation updates
new tests
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 22 Feb 2025 16:47:41 +0000 (17:47 +0100)]
dhcpcd: Update to 10.2.0
For details see:
https://github.com/NetworkConfiguration/dhcpcd/releases/tag/v10.2.0
"What's Changed
dhcp6: start request when advertise received after IRT by @sshambar in #376
dhcpcd: stdout output sometimes empty when redirected to a file by @diego-santacruz in #364
Fix help text formatting by @jvfranklin in #379
Apply lastlease behavior to DHCPv6 by @jvfranklin in #384
dhcpcd not ignoring source-based routes on linux by @sshambar in #372
DHCP6: lastlease behavior after Confim non-response by @jvfranklin in #387
Allow limited RLIMIT_FSIZE when dumping lease by @ColinMcInnes in #389
IPv6: Avoid uninitialized ifp state when adding address by @kensimon in #395
DHCPv6: Add support for sending Option 17 (VSIO) by @spoljak-ent in #383
Exit the timesyncd hook if not on systemd and not executable (#398) by @perkelix in #403
Add route lifetime from Router Advertisement by @ColinMcInnes in #429
revert e3c5de1 by @zacknewman in #425
Fix using multiple enterprise IDs with vendclass (Option 124 DHCP / Option 16 DHCPv6) (#328) by @spoljak-ent in #408
Update route if acquired time changes by @ColinMcInnes in #441
Always send req for InfoRefreshTime option on Inform-Req by @ColinMcInnes in #446
Increase max IPv4 clientid. by @gnaaman-dn in #442
Update build.yml to fix BSD builds by @perkelix in #456"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 23 Feb 2025 18:14:19 +0000 (19:14 +0100)]
libxcrypt: Update to version 4.4.38
- Update from version 4.4.36 to 4.4.38
- Update of rootfile not required
- In version 4.4.37 pkg-config was made a dependency for building libxcrypt. This caused
user(s) a problem when libxcrypt was being built before pkg-config was available.
- In version 4.4.38 it was allowed that if pkg-config was not available then the build
would continue and complete but any installation of .pc files was no longer carried
out.
- moved pkg-config to before libxcrypt so that the libxcrypt.pc file is installed in the
build environment and the libcrypt.pc file linked to it, the same as used to occur in
version 4.4.36
- Changelog
4.4.38
* Fix several "-Wunterminated-string-initialization", which are seen by
upcoming GCC 15.x (issue #194).
* Fix "-Wmaybe-uninitialized" in crypt.c, which is seen by GCC 13.3.0.
* Skip test/explicit-bzero if compiling with ASAN.
* Drop hard requirement for the pkg-config binary (issue #198).
4.4.37
* Several fixes to the manpages (issue #185).
* Add binary compatibility for x86_64 GNU/Hurd (issue #189).
* Only test the needed makecontext signature during configure (issue #178).
* Fix -Werror=strict-overflow in lib/crypt-bcrypt.c, which is seen
by GCC 4.8.5 (issue #197).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 21 Feb 2025 12:44:49 +0000 (13:44 +0100)]
pmacct: Remove autogen.sh step so it builds with autoconf-2.72
- Although the pmacct source tarball has a configure script provided, for some reason
the lfs file ran autogen.sh first and therefore re-created the configure script.
Whatever the autogen.sh script was creating it ended up with a result that the new
autoconf-2.72 didn't like. Some problem with an end of line that was not of the
expected structure.
- It seems reasonable to use the configure script that has been provided by the pmacct
developers in the source tarball, so this patch removes the use of the autogen.sh
script and uses the configure script provided by pmacct. This then allowed a
successful build with the autoconf-2.72
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 21 Feb 2025 12:44:48 +0000 (13:44 +0100)]
autoconf: Update to version 2.72
- Update from version 2.71 to 2.72
- Update of rootfile
- The update of collectd from 4.10.9 to 5.12.0 now allows it to build with this newer
version of autoconf.
- pmacct however failed to build with it. Updated the pmacct lfs to allow it to build
with this newer version of autoconf. Fix for that is combined in this patch set.
- Changelog
2.72
Backward incompatibilities
Configure scripts no longer support pre-1989 C compilers.
Specifically, compilers that *only* implement the original “K&R”
function definition syntax, and not the newer “prototyped” syntax,
will not be able to parse the test programs now emitted by
AC_CHECK_FUNC, AC_LANG_CALL, and similar macros. AC_PROG_CC still
accepts such compilers, but this may change in the near future.
This change was necessary in order to support the upcoming 2024
edition of the C standard (often referred to as “C23”), which will
officially remove the function declaration syntax used by
AC_CHECK_FUNC in Autoconf 2.71 and earlier. We feel that support
for compilers that support only C 2024 is more useful, nowadays,
than support for compilers that don’t implement a core feature of
C 1989.
Autoconf developers now need Perl 5.10 (2007) or later.
“Autoconf developers” means specifically people hacking on Autoconf
itself. Autoconf *users*, i.e. authors of configure.ac files and
add-on M4 macros, still need only Perl 5.6 (2000) or later.
We do recommend all Autoconf users upgrade to Perl 5.10 or later if
possible, as this version significantly improves Perl’s ability to
handle files with last-modification timestamps separated by less
than a second. (Note: even in the most recent release, Perl cannot
always match the file system’s timestamp resolution.)
Generated configure scripts continue to run without Perl.
Autoconf users now need GNU M4 1.4.8 (2006) or later.
Use of GNU M4 1.4.16 or later is recommended, as all earlier versions
are known to have had serious bugs in the text-processing builtins
on some, but not all, operating systems. Autoconf’s own configure
script will attempt to find a version of M4 that is not affected by
these bugs.
Note: Autoconf 2.70 and 2.71 include code that malfunctions with
M4 1.4.6 or 1.4.7. However, the only effect of the malfunction is
that you will get a confusing error message if you run autoconf on
a configure.ac that neglects to use AC_INIT or AC_OUTPUT.
Generated 'configure' scripts continue to run without M4.
Some m4sh diversions have been renumbered.
This will only affect macros that use m4_divert with numbered rather
than named diversions, which has always been strongly discouraged
both by the documentation and with warnings.
AC_FUNC_GETGROUPS and AC_TYPE_GETGROUPS no longer run test programs.
These macros were testing for OS bugs that we believe are at least
twenty years in the past. Most operating systems are now trusted to
provide an accurate prototype for getgroups in unistd.h, and to
implement it as specified in POSIX.
AC_FUNC_GETGROUPS still includes a short block-list of OSes with
known, severe bugs in getgroups. It can be overridden using
config.site. If you encounter a mistake in this list,
please report it to bug-autoconf.
All internal uses of AC_EGREP_CPP and AC_EGREP_HEADER have been removed.
These macros look for text matching a regular expression in the
output of the C preprocessor. Their use has been discouraged for
many years, as they tend to be unreliable; it is better to find a
way to use AC_COMPILE_IFELSE or AC_PREPROC_IFELSE instead. We have
finally taken our own advice.
This change might break configure scripts that expected probes for
‘grep’ and/or the C preprocessor to happen as a side effect of an
unrelated operation. Such scripts can be fixed by adding
AC_PROG_EGREP and/or AC_PROG_CPP in an appropriate place.
The macros affected by this change are AC_C_STRINGIZE,
AC_C_VARARRAYS, AC_FUNC_GETGROUPS, AC_FUNC_GETLOADAVG,
AC_HEADER_TIOCGWINSZ, AC_PROG_GCC_TRADITIONAL, AC_TYPE_GETGROUPS,
AC_TYPE_UID_T, and AC_XENIX_DIR. Many of these macros are themselves
obsolete; if your configure script uses any of them, check whether
it is actually needed.
New features
Support for ensuring time_t is Y2038-safe
configure can now ensure that time_t can represent moments in time
after 18 January 2038, i.e. 2**31 - 1 seconds after the Unix epoch.
On most “64-bit” systems this is true by default; the new feature
is detection of systems where time_t is a 32-bit signed integer by
default, *and* there is an alternative mode in which it is larger,
in which case that mode will be enabled.
In this release, all configure scripts that use AC_SYS_LARGEFILE
gain a new command line option --enable-year2038. When this option
is used, the configure script will check for and enable support for
a large time_t.
This release also adds two new macros, AC_SYS_YEAR2038 and
AC_SYS_YEAR2038_RECOMMENDED. Both have all the effects of
AC_SYS_LARGEFILE. (This is because it is not possible to enlarge
time_t without also enlarging off_t, on any system we are aware of.)
AC_SYS_YEAR2038 additionally flips the default for --enable-year2038;
a configure script that uses this macro will check for and enable
support for a large time_t by default, but this can be turned off by
using --disable-year2038. AC_SYS_YEAR2038_RECOMMENDED goes even
further, and makes the configure script fail on systems that do not
seem to support timestamps after 18 January 2038 at all. This
failure can be suppressed by using --disable-year2038.
Changing the size of time_t can change a library’s ABI. Therefore,
application and library builders should take care that all packages
are configured with consistent use of --enable-year2038 or
--disable-year2038, to ensure binary compatibility. This is similar
to longstanding consistency requirements with --enable-largefile and
--disable-largefile.
In this release, these macros only know how to enlarge time_t on two
classes of systems: 32-bit MinGW, and any system where time_t can be
enlarged by defining the preprocessor macro _TIME_BITS with the
value 64. At the time this NEWS entry was written, only GNU libc
(version 2.34 and later) supported the latter macro. Authors of
other C libraries with a 32-bit time_t are encouraged to adopt
_TIME_BITS, rather than inventing a different way to enlarge time_t.
AC_USE_SYSTEM_EXTENSIONS now enables C23 Annex F extensions
by defining __STDC_WANT_IEC_60559_EXT__.
Obsolete features and new warnings
Autoconf now quotes 'like this' instead of `like this'.
Autoconf’s diagnostics now follow current GNU coding standards,
which say that diagnostics in the C locale should quote 'like this'
with plain apostrophes instead of the older GNU style `like this'
with grave accent and apostrophe.
AC_PROG_GCC_TRADITIONAL no longer does anything.
This macro has had no useful effect since GCC dropped support for
traditional-mode compilation in version 3.3 (released in 2003), and
the systems that needed it are also long obsolete. It is now a
compatibility synonym for AC_PROG_CC.
Notable bug fixes
autom4te now uses fine-grained file timestamps
Autoconf’s internal “autom4te” utility is now able to compare file
modification timestamps with sub-second precision, when available.
This eliminates a class of bugs where autom4te fails to regenerate
an outdated file. Automake 1.17 (forthcoming) is required for a
complete fix.
AC_HEADER_STDBOOL, AC_CHECK_HEADER_STDBOOL are obsolescent and less picky.
These macros are now obsolescent, as most programs can simply include
stdbool.h unconditionally. If you use these macros, they now accept
a stdbool.h that exists but does nothing, so long as ‘bool’, ‘true’,
and ‘false’ work anyway. This is for compatibility with C23 and
with C++.
AC_PROG_MKDIR_P now falls back on plain 'mkdir -p'.
When AC_PROG_MKDIR_P cannot find a mkdir implementation that is
known to lack race condition bugs, it now falls back on 'mkdir -p'
instead of falling back on a relative path to install-sh, as the
relative paths now seem to be a more important problem than the
problems of ancient mkdir implementations with race condition bugs.
See <https://savannah.gnu.org/support/?110740>. The only ancient
mkdir still supported is Solaris 10 /usr/bin/mkdir, and for that
platform AC_PROG_MKDIR_P falls back on /opt/sfw/bin/mkdir which
should work if it is installed; if not, you should avoid parallel
'make' on that platform.
Better diagnostics for calling m4_warn() with a bad first argument
Calling m4_warn with a first argument that doesn’t match any of the
official warning categories now produces a sensible error message,
instead of something that makes it look like there’s a bug in the
guts of autom4te. Also, the documentation has been adjusted in
several places to make it clearer what the official warning
categories are.
Note: In Autoconf 2.69 and earlier, the manual said that [] and [all]
could be used as the first argument to m4_warn. This was incorrect,
even at the time.
Improved compatibility with a wide variety of systems and tools
including CheriBSD, Darwin (macOS), GNU Guix, OS/2, z/OS, Bash 5.2,
the BusyBox shell and utilities, Clang/LLVM version 16, the upcoming
GCC version 14, etc.
Known bugs
AC_SYS_LARGEFILE and AC_SYS_YEAR2038 only work correctly in C mode.
This is only a problem for configure scripts that invoke either
macro while AC_LANG([something other than C]) is in effect, and
will only be a *visible* problem on systems where support
for large files and/or timestamps after 2038 are *available*
but not enabled by default.
This is the cause of the AC_SYS_LARGEFILE, AC_SYS_YEAR2038, and/or
AC_SYS_YEAR2038_RECOMMENDED testsuite failures on some systems.
See <https://savannah.gnu.org/support/index.php?110983> for details
and a workaround.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 21 Feb 2025 12:21:27 +0000 (13:21 +0100)]
fmt: Update to version 11.1.3
- Update from version 11.0.2 to 11.1.3
- Update of rootfile
- Changelog
11.1.3
- Fixed compilation on GCC 9.4 (https://github.com/fmtlib/fmt/issues/4313).
- Worked around an internal compiler error when using C++20 modules with GCC
14.2 and earlier (https://github.com/fmtlib/fmt/issues/4295).
- Worked around a bug in GCC 6 (https://github.com/fmtlib/fmt/issues/4318).
- Fixed an issue caused by instantiating `formatter<const T>`
(https://github.com/fmtlib/fmt/issues/4303,
https://github.com/fmtlib/fmt/pull/4325). Thanks @timsong-cpp.
- Fixed formatting into `std::ostreambuf_iterator` when using format string
compilation (https://github.com/fmtlib/fmt/issues/4309,
https://github.com/fmtlib/fmt/pull/4312). Thanks @phprus.
- Restored a constraint on the map formatter so that it correctly reports as
unformattable when the element is (https://github.com/fmtlib/fmt/pull/4326).
Thanks @timsong-cpp.
- Reduced the size of format specs (https://github.com/fmtlib/fmt/issues/4298).
- Readded `args()` to `fmt::format_context`
(https://github.com/fmtlib/fmt/issues/4307,
https://github.com/fmtlib/fmt/pull/4310). Thanks @Erroneous1.
- Fixed a bogus MSVC warning (https://github.com/fmtlib/fmt/issues/4314,
https://github.com/fmtlib/fmt/pull/4322). Thanks @ZehMatt.
- Fixed a pedantic mode error in the CMake config
(https://github.com/fmtlib/fmt/pull/4327). Thanks @rlalik.
11.1.2
- Fixed ABI compatibility with earlier 11.x versions
(https://github.com/fmtlib/fmt/issues/4292).
- Added `wchar_t` support to the `std::bitset` formatter
(https://github.com/fmtlib/fmt/issues/4285,
https://github.com/fmtlib/fmt/pull/4286,
https://github.com/fmtlib/fmt/issues/4289,
https://github.com/fmtlib/fmt/pull/4290). Thanks @phprus.
- Prefixed CMake components with `fmt-` to simplify usage of {fmt} via
`add_subdirectory` (https://github.com/fmtlib/fmt/issues/4283).
- Updated docs for meson (https://github.com/fmtlib/fmt/pull/4291).
Thanks @trim21.
- Fixed a compilation error in chrono on nvcc
(https://github.com/fmtlib/fmt/issues/4297,
https://github.com/fmtlib/fmt/pull/4301). Thanks @breyerml.
- Fixed various warnings
(https://github.com/fmtlib/fmt/pull/4288,
https://github.com/fmtlib/fmt/pull/4299). Thanks @GamesTrap and @edo9300.
11.1.1
- Fixed ABI compatibility with earlier 11.x versions
(https://github.com/fmtlib/fmt/issues/4278).
- Defined CMake components (`core` and `doc`) to allow docs to be installed
separately (https://github.com/fmtlib/fmt/pull/4276).
Thanks @carlsmedstad.
11.1.0
- Improved C++20 module support
(https://github.com/fmtlib/fmt/issues/4081,
https://github.com/fmtlib/fmt/pull/4083,
https://github.com/fmtlib/fmt/pull/4084,
https://github.com/fmtlib/fmt/pull/4152,
https://github.com/fmtlib/fmt/issues/4153,
https://github.com/fmtlib/fmt/pull/4169,
https://github.com/fmtlib/fmt/issues/4190,
https://github.com/fmtlib/fmt/issues/4234,
https://github.com/fmtlib/fmt/pull/4239).
Thanks @kamrann and @Arghnews.
- Reduced debug (unoptimized) binary code size and the number of template
instantiations when passing formatting arguments. For example, unoptimized
binary code size for `fmt::print("{}", 42)` was reduced by ~40% on GCC and
~60% on clang (x86-64).
GCC:
- Before: 161 instructions of which 105 are in reusable functions
([godbolt](https://www.godbolt.org/z/s9bGoo4ze)).
- After: 116 instructions of which 60 are in reusable functions
([godbolt](https://www.godbolt.org/z/r7GGGxMs6)).
Clang:
- Before: 310 instructions of which 251 are in reusable functions
([godbolt](https://www.godbolt.org/z/Ts88b7M9o)).
- After: 194 instructions of which 135 are in reusable functions
([godbolt](https://www.godbolt.org/z/vcrjP8ceW)).
- Added an experimental `fmt::writer` API that can be used for writing to
different destinations such as files or strings
(https://github.com/fmtlib/fmt/issues/2354).
For example ([godbolt](https://www.godbolt.org/z/rWoKfbP7e)):
```c++
#include <fmt/os.h>

void write_text(fmt::writer w) {
  w.print("The answer is {}.", 42);
}

int main() {
  // Write to FILE.
  write_text(stdout);
  // Write to fmt::ostream.
  auto f = fmt::output_file("myfile");
  write_text(f);
  // Write to std::string.
  auto sb = fmt::string_buffer();
  write_text(sb);
  std::string s = sb.str();
}
```
- Added width and alignment support to the formatter of `std::error_code`.
- Made `std::expected<void, E>` formattable
(https://github.com/fmtlib/fmt/issues/4145,
https://github.com/fmtlib/fmt/pull/4148).
For example ([godbolt](https://www.godbolt.org/z/hrj5c6G86)):
```c++
fmt::print("{}", std::expected<void, int>());
```
prints
```
expected()
```
Thanks @phprus.
- Made `fmt::is_formattable<void>` SFINAE-friendly
(https://github.com/fmtlib/fmt/issues/4147).
- Added support for `_BitInt` formatting when using clang
(https://github.com/fmtlib/fmt/issues/4007,
https://github.com/fmtlib/fmt/pull/4072,
https://github.com/fmtlib/fmt/issues/4140,
https://github.com/fmtlib/fmt/issues/4173,
https://github.com/fmtlib/fmt/pull/4176).
For example ([godbolt](https://www.godbolt.org/z/KWjbWec5z)):
```c++
using int42 = _BitInt(42);
fmt::print("{}", int42(100));
```
Thanks @Arghnews.
- Added the `n` specifier for tuples and pairs
(https://github.com/fmtlib/fmt/pull/4107). Thanks @someonewithpc.
- Added support for tuple-like types to `fmt::join`
(https://github.com/fmtlib/fmt/issues/4226,
https://github.com/fmtlib/fmt/pull/4230). Thanks @phprus.
- Made more types formattable at compile time
(https://github.com/fmtlib/fmt/pull/4127). Thanks @AnthonyVH.
- Implemented a more efficient compile-time `fmt::formatted_size`
(https://github.com/fmtlib/fmt/issues/4102,
https://github.com/fmtlib/fmt/pull/4103). Thanks @phprus.
- Fixed compile-time formatting of some string types
(https://github.com/fmtlib/fmt/pull/4065). Thanks @torshepherd.
- Made compiled version of `fmt::format_to` work with
`std::back_insert_iterator<std::vector<char>>`
(https://github.com/fmtlib/fmt/issues/4206,
https://github.com/fmtlib/fmt/pull/4211). Thanks @phprus.
- Added a formatter for `std::reference_wrapper`
(https://github.com/fmtlib/fmt/pull/4163,
https://github.com/fmtlib/fmt/pull/4164). Thanks @yfeldblum and @phprus.
- Added experimental padding support (glibc `strftime` extension) to `%m`, `%j`
and `%Y` (https://github.com/fmtlib/fmt/pull/4161). Thanks @KKhanhH.
- Made microseconds formatted as `us` instead of `µs` if the Unicode support is
disabled (https://github.com/fmtlib/fmt/issues/4088).
- Fixed an unreleased regression in transcoding of surrogate pairs
(https://github.com/fmtlib/fmt/issues/4094,
https://github.com/fmtlib/fmt/pull/4095). Thanks @phprus.
- Made `fmt::appender` satisfy `std::output_iterator` concept
(https://github.com/fmtlib/fmt/issues/4092,
https://github.com/fmtlib/fmt/pull/4093). Thanks @phprus.
- Made `std::iterator_traits<fmt::appender>` standard-conforming
(https://github.com/fmtlib/fmt/pull/4185). Thanks @CaseyCarter.
- Made it easier to reuse `fmt::formatter<std::string_view>` for types with
an implicit conversion to `std::string_view`
(https://github.com/fmtlib/fmt/issues/4036,
https://github.com/fmtlib/fmt/pull/4055). Thanks @Arghnews.
- Made it possible to disable `<filesystem>` use via `FMT_CPP_LIB_FILESYSTEM`
for compatibility with some video game console SDKs, e.g. Nintendo Switch SDK
(https://github.com/fmtlib/fmt/issues/4257,
https://github.com/fmtlib/fmt/pull/4258,
https://github.com/fmtlib/fmt/pull/4259). Thanks @W4RH4WK and @phprus.
- Fixed compatibility with platforms that use 80-bit `long double`
(https://github.com/fmtlib/fmt/issues/4245,
https://github.com/fmtlib/fmt/pull/4246). Thanks @jsirpoma.
- Added support for UTF-32 code units greater than `0xFFFF` in fill
(https://github.com/fmtlib/fmt/issues/4201).
- Fixed handling of legacy encodings on Windows with GCC
(https://github.com/fmtlib/fmt/issues/4162).
- Made `fmt::to_string` take `fmt::basic_memory_buffer` by const reference
(https://github.com/fmtlib/fmt/issues/4261,
https://github.com/fmtlib/fmt/pull/4262). Thanks @sascha-devel.
- Added `fmt::dynamic_format_arg_store::size`
(https://github.com/fmtlib/fmt/pull/4270). Thanks @hannes-harnisch.
- Removed the ability to control locale usage via an undocumented
`FMT_STATIC_THOUSANDS_SEPARATOR` in favor of `FMT_USE_LOCALE`.
- Renamed `FMT_EXCEPTIONS` to `FMT_USE_EXCEPTIONS` for consistency with other
similar macros.
- Improved include directory ordering to reduce the chance of including
incorrect headers when using multiple versions of {fmt}
(https://github.com/fmtlib/fmt/pull/4116). Thanks @cdzhan.
- Made it possible to compile a subset of {fmt} without the C++ runtime.
- Improved documentation and README
(https://github.com/fmtlib/fmt/pull/4066,
https://github.com/fmtlib/fmt/issues/4117,
https://github.com/fmtlib/fmt/issues/4203,
https://github.com/fmtlib/fmt/pull/4235). Thanks @zyctree and @nikola-sh.
- Improved the documentation generator (https://github.com/fmtlib/fmt/pull/4110,
https://github.com/fmtlib/fmt/pull/4115). Thanks @rturrado.
- Improved CI (https://github.com/fmtlib/fmt/pull/4155,
https://github.com/fmtlib/fmt/pull/4151). Thanks @phprus.
- Fixed various warnings and compilation issues
(https://github.com/fmtlib/fmt/issues/2708,
https://github.com/fmtlib/fmt/issues/4091,
https://github.com/fmtlib/fmt/issues/4109,
https://github.com/fmtlib/fmt/issues/4113,
https://github.com/fmtlib/fmt/issues/4125,
https://github.com/fmtlib/fmt/issues/4129,
https://github.com/fmtlib/fmt/pull/4130,
https://github.com/fmtlib/fmt/pull/4131,
https://github.com/fmtlib/fmt/pull/4132,
https://github.com/fmtlib/fmt/issues/4133,
https://github.com/fmtlib/fmt/issues/4144,
https://github.com/fmtlib/fmt/issues/4150,
https://github.com/fmtlib/fmt/issues/4158,
https://github.com/fmtlib/fmt/pull/4159,
https://github.com/fmtlib/fmt/issues/4160,
https://github.com/fmtlib/fmt/pull/4170,
https://github.com/fmtlib/fmt/issues/4177,
https://github.com/fmtlib/fmt/pull/4187,
https://github.com/fmtlib/fmt/pull/4188,
https://github.com/fmtlib/fmt/pull/4194,
https://github.com/fmtlib/fmt/pull/4200,
https://github.com/fmtlib/fmt/issues/4205,
https://github.com/fmtlib/fmt/issues/4207,
https://github.com/fmtlib/fmt/pull/4208,
https://github.com/fmtlib/fmt/pull/4210,
https://github.com/fmtlib/fmt/issues/4220,
https://github.com/fmtlib/fmt/issues/4231,
https://github.com/fmtlib/fmt/issues/4232,
https://github.com/fmtlib/fmt/pull/4233,
https://github.com/fmtlib/fmt/pull/4236,
https://github.com/fmtlib/fmt/pull/4267,
https://github.com/fmtlib/fmt/pull/4271).
Thanks @torsten48, @Arghnews, @tinfoilboy, @aminya, @Ottani, @zeroomega,
@c4v4, @kongy, @vinayyadav3016, @sergio-nsk, @phprus and @YexuanXiao.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 21 Feb 2025 12:21:26 +0000 (13:21 +0100)]
mpd: Update to version 0.23.17
- Update from version 0.23.15 to 0.23.17
- Update of rootfile not required
- Patch no longer needed as the fixes to work with fmt-11.0.x have been included in the
source tarball.
- This version includes the fix to work with fmt-11.1.x
- Changelog
0.23.17
* protocol
- "albumart" tries to send larger chunks if available
- explicitly disallow "idle" and "noidle" in command lists
* storage
- nfs: require libnfs 4.0 or later
* database
- inotify: trigger update after symlink was created
* decoder
- ffmpeg: prefer over sndfile and audiofile for its DTS-WAV support
* support libfmt 11.1
0.23.16
* database
- fix integer overflows with 64-bit inode numbers
* filter
- ffmpeg: fix for filters producing no output
* support libfmt 11
* support ICU 76
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 20 Feb 2025 21:13:25 +0000 (22:13 +0100)]
update.sh: Remove ABUSECH_BOTNETC2 lists from users systems during update.
- This removes ABUSECH_BOTNETC2 from users system during the update in the same way as
done previously with ALIENVAULT and SPAMHAUS_EDROP.
- As next is still in CU192 I could not add these lines into the CU193 update.sh so I have
added it to the CU192 update.sh
- If not appropriate then let me know and when the CU193 is created in next I will redo
the patch and re-submit it.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 20 Feb 2025 21:13:23 +0000 (22:13 +0100)]
sources: Remove ABUSECH_BOTNETC2 from ipblocklist sources
- Abuse.ch deprecated the ABUSECH_BOTNETC2 list on 3rd Jan 2025 without any warning or
notification except for the deprecation message in the block list.
- This patch removes that list from the ipblocklist sources.
- This is part of a patch set that also removes this list from the files in users
systems and from any restore from an earlier backup when the updates sources list is
issued.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 20 Feb 2025 23:37:04 +0000 (00:37 +0100)]
bind: Update to 9.20.6
For details see:
https://downloads.isc.org/isc/bind9/9.20.5/doc/arm/html/notes.html#notes-for-bind-9-20-6
"Notes for BIND 9.20.6
New Features
Adds support for EDE code 1 and 2.
Support was added for EDE codes 1 and 2, which might occur during
DNSSEC validation in the case of an unsupported RRSIG algorithm or
DNSKEY digest. [GL #2715]
Add an rndc command to toggle jemalloc profiling.
The new command is rndc memprof; the memory profiling status is also
reported inside rndc status. The status shows whether named can toggle
memory profiling, and whether the server is built with jemalloc. [GL
#4759]
Add support for multiple extended DNS errors.
The Extended DNS Error (EDE) mechanism may raise errors during a DNS
resolution. named is now able to add up to three EDE codes in a DNS
response. If there are duplicate error codes, only the first one is
part of the DNS response. [GL #5085]
Print the expiration time of stale records.
BIND now prints the expiration time of any stale RRsets in the cache
dump.
Bug Fixes
Recently expired records could be returned with a timestamp in future.
Under rare circumstances, an RRSet that expired at the time of the
query could be returned with a TTL in the future. This has been fixed.
As a side effect, the expiration time of expired RRSets is no longer
returned in a cache dump. [GL #5094]
YAML string not terminated in negative response in delv.
[GL #5098]
Fix a bug in dnssec-signzone related to keys being offline.
When dnssec-signzone was called on an already-signed zone and the
private key file was unavailable, a signature that needed to be
refreshed was dropped without being able to generate a replacement.
This has been fixed. [GL #5126]
Apply the memory limit only to ADB database items.
Under heavy load, a resolver could exhaust the memory available for
storing the information in the Address Database (ADB), effectively
discarding previously stored information in the ADB. The memory used to
retrieve and provide information from the ADB is no longer subject to
the same memory limits that are applied to the Address Database. [GL
#5127]
Avoid unnecessary locking in the zone/cache database.
Lock contention among many worker threads referring to the same
database node at the same time is now prevented. This improves zone and
cache database performance for any heavily contended database nodes.
[GL #5130]
Fix reporting of Extended DNS Error 22 (No Reachable Authority).
This error code was previously not reported in some applicable
situations. This has been fixed. [GL #5137]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 20 Feb 2025 20:57:44 +0000 (21:57 +0100)]
tshark: Update to version 4.4.4
- Update from version 4.4.3 to 4.4.4
- Update of rootfile
- Changelog
4.4.4
The following vulnerabilities have been fixed:
wnpa-sec-2025-01 Bundle Protocol and CBOR dissector {crash,infinite loop,
memory leak}. Issue 20373.
The following bugs have been fixed:
Crash when sorting columns during capture with display filter active. Issue
20263.
OSS-Fuzz 384757274: Invalid-bool-value in dissect_tcp. Issue 20300.
Test failure in 4.4.2/4.4.3: test_sharkd_req_follow_http2. Issue 20330.
Regression in extcap interface toolbar. Issue 20354.
Clicking outside columns in TCP tab of Statistics → Conversations window
causes crash. Issue 20357.
FTBFS with Ubuntu development (25.04) release. Issue 20359.
DNS enable_qname_stats crash Wireshark when QDCOUNT == 0. Issue 20367.
Windows: Android extcap plugin fails with "Broken socket connection" if
there are no new packets for 2sec. Issue 20386.
TECMP: Calculation of lifecycle start in Status message is wrong. Issue 20387.
MQTT v5.0 properties total length presentation is incorrect. Issue 20389.
TShark doesn’t resolve addresses in custom "hosts" files. Issue 20391.
Incorrect JA4 fingerprint with empty ciphers. Issue 20394.
New and Updated Features
Updated Protocol Support
CESoETH, DNS, IEEE 1609.2, ISOBUS, ITS, MPLS, MQTT, PDU
Transport, RTP, TCP, TECMP, WebSocket, and WSMP
New and Updated Capture File Support
CLLog, EMS, and ERF
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 20 Feb 2025 11:16:31 +0000 (12:16 +0100)]
frr: Ship frr to use new libyang version
- PAK_VER incremented to provide build with new libyang version.
- Update of rootfile not required.
- Tested out on vm in combination with the new libyang version. frr daemons were all able
to successfully start. As I have never used frr, I can not test anything further.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 20 Feb 2025 11:16:30 +0000 (12:16 +0100)]
libyang: Update to version 3.7.8
- Update from version 2.1.148 to 3.7.8
- Update of rootfile
- Submitted as a set with a PAK_VER update of frr as frr needs to be shipped to use this
new version.
- In the changelog for moving the library from 2.x to 3.0 it mentions that there are
some breaking changes but then says they are minor. The library versions are not
aligned with the package version numbers.
Following is what is said:-
Non-backwards-compatible changes between libyang version 2 and 3 are rather
minor and can be summarized as providing structured error information
(instead of a single message), unifying **lyd_new_*()** function options, and
some minor changes such as removing deprecated functions or making a few
functions inlined. However, there is another large change that has not
affected the API, specifically configuration system-ordered lists and
leaf-lists are now ordered based on their keys/values, respectively. Except
for moderately slower performance and negligible increased memory
requirements, it should not affect existing applications (assuming they do
not rely on the previous order of these instances).
- I tested this updated version of libyang with frr. frr built without any problems. It
just has the requirement that libyang >= 2.1.128, so no restriction that it must not
be version 3. I then installed the IPFire built with the updated libyang and installed
the frr that was built with it. I was able to start frr successfully, so all the
specified frr daemons successfully started.
- I could only test that frr successfully had all the daemons start but could not test
out actual functioning of frr as this is something I have never used. I would expect
that if all the daemons start successfully then frr should be happy working with
libyang-3.7.8
- Changelog
3.7.8
yanglint UTF8 support
validation optimizations
lots of bugfixes
3.4.2
data handling optimizations
32b build fixes
various bugfixes
3.1.0
lots of improvements and bugfixes in various parts of the library
2.2.8
new SO version 3
with some non-backwards compatible changes
transition manual from version 2 in docs
(leaf-)list instance semantic ordering
sorts instances based on their values or their key values
minor performance cost
logging API improved
new parsing flag LYD_PARSE_STORE_ONLY
avoids value validation
run-time plugin support
build improvements
lots of other bugfixes and optimizations
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3470200 to 3490100
- Update of rootfile
- Changelog
3490100
Improve portability of makefiles and configure scripts.
Fix a bug in the concat_ws() function, introduced in version 3.44.0, that could
lead to a memory error if the separator string is very large (hundreds of
megabytes).
Enhanced the SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust against
misuse.
3490000
Enhancements to the query planner:
Improve the query-time index optimization so that it works on WITHOUT ROWID
tables.
Better query plans for large star-query joins. This fixes three different
performance regressions that were reported on the SQLite Forum.
When two or more queries have the same estimated cost, use the one with the
fewer bytes per row.
Enhance the iif() SQL function so that it can accept any number of arguments
greater than or equal to two.
Enhance the session extension so that it works on databases that make use of
generated columns.
Omit the SQLITE_USE_STDIO_FOR_CONSOLE compile-time option which was not
implemented correctly and never worked right. In its place add the
SQLITE_USE_W32_FOR_CONSOLE_IO compile-time option. This option applies to
command-line tools like the CLI only, not to the SQLite core. It causes Win32
APIs to be used for console I/O instead of stdio. This option affects Windows
builds only.
Three new options to sqlite3_db_config(). All default to "on".
SQLITE_DBCONFIG_ENABLE_ATTACH_CREATE
SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE
SQLITE_DBCONFIG_ENABLE_COMMENTS
Replace Autotools with Autosetup for the configure script used in the
precompiled amalgamation tarball. The configure script for the canonical
source code was changed to Autosetup in the previous (3.48.0) release. Only
the main SQLite configure script in the amalgamation tarball is changed. The
(deprecated) configuration script used by TEA subdirectory of the amalgamation
tarball still relies on Autotools.
Various minor patches and fixes for problems seen in the 3.48.0 release.
3480000
Refactor the "configure" script used to help build SQLite from canonical
sources, to fix bugs, improve performance, and make the code more maintainable.
This does not affect the "configure" script in the
sqlite3-autoconf-NNNNNNN.tar.gz "amalgamation tarball", only the
canonical sources. The build system for the amalgamation tarball is
unchanged. If you are using the amalgamation tarball, nothing about
this change log entry applies to you.
The key innovation here is that Autosetup is now used instead of GNU
Autoconf. That seems like a big change, but it is really just an
implementation detail. The ./configure script is coded very
differently, but should work the same as before.
One advantage of the new configure is that you no longer need to install
TCL in order to build most SQLite targets. TCL is still required to
run tests or to build accessory programs (like sqlite3_analyzer) that
use TCL, but it is not required for most common targets. Hence, as of
this release, the only build dependencies are a C compiler and "make"
or "nmake".
Improved EXPLAIN QUERY PLAN output for covering indexes.
Allow a two-argument version of the iif() SQL function. Also allow if() as an
alternative spelling for iif().
Add the ".dbtotxt" command to the CLI.
Add the SQLITE_IOCAP_SUBPAGE_READ property to the xDeviceCharacteristics
method of the sqlite3_io_methods object.
Add the SQLITE_PREPARE_DONT_LOG option to sqlite3_prepare_v3() that prevents
warning messages being sent to the error log if the SQL is ill-formed. This
allows sqlite3_prepare_v3() to be used to do test compiles of SQL to check
for validity without polluting the error log with false messages.
Increase the minimum allowed value of SQLITE_LIMIT_LENGTH from 1 to 30.
Added the SQLITE_FCNTL_NULL_IO file control.
Extend the FTS5 auxiliary API xInstToken() to work with prefix queries via the
insttoken configuration option and the fts5_insttoken() SQL function.
Increase the maximum number of arguments to an SQL function from 127 to 1000.
Remove vestigial traces of SQLITE_USER_AUTHENTICATION.
Various obscure bug fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20241112 to 20250211
- Update of rootfile
- Changelog
20250211
Security updates for INTEL-SA-01166
Security updates for INTEL-SA-01213
Security updates for INTEL-SA-01139
Security updates for INTEL-SA-01228
Security updates for INTEL-SA-01194
Update for functional issues. Refer to Intel® Core™ Ultra Processor for
details.
Update for functional issues. Refer to 13th/14th Generation Intel® Core™
Processor Specification Update for details.
Update for functional issues. Refer to 12th Generation Intel® Core™
Processor Family for details.
Update for functional issues. Refer to 11th Gen Intel® Core™ Processor
Specification Update for details.
Update for functional issues. Refer to 8th and 9th Generation Intel® Core™
Processor Family Spec Update for details.
Update for functional issues. Refer to 5th Gen Intel® Xeon® Scalable
Processors Specification Update for details.
Update for functional issues. Refer to 4th Gen Intel® Xeon® Scalable
Processors Specification Update for details.
Update for functional issues. Refer to 3rd Generation Intel® Xeon®
Processor Scalable Family Specification Update for details.
Update for functional issues. Refer to Intel® Xeon® D-2700 Processor
Specification Update for details.
Update for functional issues. Refer to Intel® Xeon® E-2300 Processor
Specification Update for details.
Update for functional issues. Refer to Intel® Xeon® 6700-Series Processor
Specification Update for details.
Update for functional issues. Refer to Intel® Processors and Intel® Core™
i3 N-Series for details.
New Platforms
Processor       Stepping  F-M-S/PI     Old Ver   New Ver   Products
SRF-SP          C0        06-af-03/01            03000330  Xeon 6700-Series Processors with E-Cores
Updated Platforms
Processor       Stepping  F-M-S/PI     Old Ver   New Ver   Products
ADL             C0        06-97-02/07  00000037  00000038  Core Gen12
ADL             H0        06-97-05/07  00000037  00000038  Core Gen12
ADL             L0        06-9a-03/80  00000435  00000436  Core Gen12
ADL             R0        06-9a-04/80  00000435  00000436  Core Gen12
ADL-N           N0        06-be-00/19  0000001a  0000001c  Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E
AZB             A0/R0     06-9a-04/40  00000007  00000009  Intel(R) Atom(R) C1100
CFL-H           R0        06-9e-0d/22  00000100  00000102  Core Gen9 Mobile
CFL-H/S/E3      U0        06-9e-0a/22  000000f8  000000fa  Core Gen8 Desktop, Mobile, Xeon E
EMR-SP          A0        06-cf-01/87  21000283  21000291  Xeon Scalable Gen5
EMR-SP          A1        06-cf-02/87  21000283  21000291  Xeon Scalable Gen5
ICL-D           B0        06-6c-01/10  010002b0  010002c0  Xeon D-17xx, D-27xx
ICX-SP          Dx/M1     06-6a-06/87  0d0003e7  0d0003f5  Xeon Scalable Gen3
RPL-E/HX/S      B0        06-b7-01/32  0000012b  0000012c  Core Gen13/Gen14
RPL-H/P/PX 6+8  J0        06-ba-02/e0  00004123  00004124  Core Gen13
RPL-HX/S        C0        06-bf-02/07  00000037  00000038  Core Gen13/Gen14
RPL-U 2+8       Q0        06-ba-03/e0  00004123  00004124  Core Gen13
RPL-S           H0        06-bf-05/07  00000037  00000038  Core Gen13/Gen14
RKL-S           B0        06-a7-01/02  00000062  00000063  Core Gen11
SPR-HBM         Bx        06-8f-08/10  2c000390  2c0003e0  Xeon Max
SPR-SP          E4/S2     06-8f-07/87  2b000603  2b000620  Xeon Scalable Gen4
SPR-SP          E5/S3     06-8f-08/87  2b000603  2b000620  Xeon Scalable Gen4
TWL             N0        06-be-00/19  0000001a  0000001c  Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E
New Disclosures Updated in Prior Releases
Processor       Stepping  F-M-S/PI     Old Ver   New Ver   Products
CFL-H/S         P0        06-9e-0c/22  000000f6  000000f8  Core Gen9
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Mon, 10 Feb 2025 14:40:17 +0000 (15:40 +0100)]
apache: Update to 2.4.63
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.63
"Changes with Apache 2.4.63
*) mod_dav: Update redirect-carefully example BrowserMatch config
to match more recent client versions. PR 66148, 67039.
[Michal Maloszewski <michal.maloszewski canonical.com>,
Romain Tartière <romain blogreen.org>]
*) mod_cache_socache: Fix possible crash on error path. PR 69358.
[Ruediger Pluem]
*) mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.
[StephenWall]
*) mod_md: update to version 2.4.31
- Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
- Increasing the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.
- Change a log level from error to debug when Stapling is enabled but a
certificate carries no OCSP responder URL.
*) mod_proxy_balancer: Fix the handling of the stickysession configuration
parameter by the balancer manager. PR 69510
[Yutaka Tokunou <tokunou.yutaka@fujitsu.com>]
*) Add the ldap-search option to mod_authnz_ldap, allowing authorization
to be based on arbitrary expressions that do not include the username.
Make sure that when ldap searches are too long, we explicitly log the
error. [Graham Leggett]
*) mod_proxy: Honor parameters of ProxyPassMatch workers with substitution
in the host name or port. PR 69233. [Yann Ylavic]
*) mod_log_config: Fix merging for the "LogFormat" directive.
PR 65222. [Michael Kaufmann <mail michael-kaufmann.ch>]
*) mod_md: update to version 2.4.29
- Fixed HTTP-01 challenges to not carry a final newline, as some ACME
server fail to ignore it. [Michael Kaufmann (@mkauf)]
- Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.
*) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE
without "SSLCryptoDevice" configured. [Joe Orton]
*) mod_authnz_ldap: Fix possible memory corruption if the
AuthLDAPSubGroupAttribute directive is configured. [Joe Orton]
*) mod_proxy_fcgi: Don't re-encode SCRIPT_FILENAME when set via SetHandler.
PR 69203. [Yann Ylavic]
*) mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs,
including "unix:" ones. PR 69235, PR 69260. [Yann Ylavic, Ruediger Pluem]
*) mod_rewrite: Error out in case a RewriteRule in directory context uses the
proxy, but mod_proxy is not loaded. PR 56264.
[Christophe Jaillet, Michael Streeter <mstreeter1@gmail.com>]
*) http: Remove support for Request-Range header sent by Navigator 2-3 and
MSIE 3. [Stefan Fritsch]
*) mod_rewrite: Don't require [UNC] flag to preserve a leading //
added by applying the perdir prefix to the substitution.
[Ruediger Pluem, Eric Covener]
*) Windows: Restore the ability to "Include" configuration files on UNC
paths. PR 69313 [Eric Covener]
*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs
in <Location> (incomplete fix in 2.4.62). PR 69160. [Yann Ylavic]
*) mod_md: update to version 2.4.28
- When the server starts, it looks for new, staged certificates to
activate. If the staged set of files in 'md/staging/<domain>' is messed
up, this could prevent further renewals to happen. Now, when the staging
set is present, but could not be activated due to an error, purge the
whole directory. [icing]
- Fix certificate retrieval on ACME renewal to not require a 'Location:'
header returned by the ACME CA. This was the way it was done in ACME
before it became an IETF standard. Let's Encrypt still supports this,
but other CAs do not. [icing]
- Restore compatibility with OpenSSL < 1.1. [ylavic]
*) mod_tls: removed the experimental module. It now is available standalone
from https://github.com/icing/mod_tls. The rustls provided API is not
stable and does not align with the httpd release cycle.
[Stefan Eissing]
*) mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F.
PR 69197. [Yann Ylavic, Eric Covener]
*) mod_http2: Return connection monitoring to the event MPM when blocking
on client updates. [Stefan Eissing, Yann Ylavic]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Mon, 10 Feb 2025 09:03:59 +0000 (10:03 +0100)]
vnstat: Update to 2.13
For details see:
https://humdi.net/vnstat/CHANGES
"- Fixed
- Opening of body html tag was missing on some pages in image output
example cgi (examples/vnstat.cgi)
- New
- Add database data merge support as --merge
- Add --db for specifying database file for queries (vnstat and vnstati)
- Add exit status 2 options to --alert for making it possible to
differentiate alerts from errors (exit status 1)
- Add --dbiflist also to vnstati command
- Image output example cgi (examples/vnstat.cgi) improvements
- Remove dependency to vnstat command
- Add option for selecting how many images are shown per row on the index
page when the database has more than one interface
- Add option for selecting which image output is used on the index page
when the database has more than one interface
- Add options for selecting which interfaces are shown or hidden from the
index page without disabling access to all interface specific page when
the database has more than one interface
- Harmonize layout style between pages"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 3 Feb 2025 20:50:12 +0000 (20:50 +0000)]
vpnmain.cgi: Reduce the number of offered ciphers
For new connections, we will now configure fewer ciphers by default. I
currently do not see any reason why we should support so many different
versions of AES-GCM and AES-128 by default.
The defaults should provide high security as well as decent
compatibility to solutions from other vendors.
I am currently not sure whether ChaCha20-Poly1305 should remain as
default as AES should usually outperform it by far. We can assume that
most hardware has support for AES-NI.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://github.com/squid-cache/squid/releases/tag/SQUID_6_13
"Changes in squid-6.13 (31 Jan 2025):
- Bug 5352: Do not get stuck when RESPMOD is slower than read(2)
- Bug 5405: Large uploads fill request buffer and die
- Bug 5093: List http_port params that https_port/ftp_port lack
- Bug 5311: clarify configuration byte units
- Bug 5091: document that changes to workers require restart
- Bug 5481: Fix GCC v14 build [-Wmaybe-uninitialized]
- Nil request dereference in ACLExtUser and SourceDomainCheck ACLs
- Fix GCC v14 [-Wanalyzer-null-dereference] warnings in Kerberos
- Clarify --enable-ecap failure on missing shared library support
- Fix syntax error in configure.ac
- Remove GNU'ism in release notes Makefile
- Annotate PoolMalloc memory in valgrind builds
- Fix systemd startup sequence to require active Local Filesystem
- Display Linux variant at ./configure time
- Refactor peerRefreshDNS() to clarify its (void*)1 logic
- Portability: remove explicit check for libdl
- ext_time_quota_acl: remove -l option
- ... and some documentation updates
- ... and some CI updates"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 25 Jan 2025 09:32:07 +0000 (10:32 +0100)]
mc: Update to 4.8.33
For details see:
https://midnight-commander.org/wiki/NEWS-4.8.33
"Major changes since 4.8.32
Starting with this release, we will be using language features that require
a C99 compiler to build.
Core
Minimal version of Automake is 1.14 (#4604)
Upgrade C standard to C99 (#4604)
Support ksh variants as subshell (#3748)
Improve fish 4.0 shell support (#4597)
Add support for bash PROMPT_COMMAND being an array (#4599)
Don't override ENV variable for ash/dash subshell (#4605)
Don't disable verbose mode if tty baudrate can't be reliably determined
(#2452)
New keymap for vim users (#4588)
Misc
Code cleanup (#4572, #4593, #4595, #4598)
Adjust mc-wrappers to work with the new MC_TMPDIR creation logic (#4575)
Prefer console players for sound, images and video in non-graphical
sessions (#4479, #4596)
Support TERM=xterm-clear for FreeBSD users (#2633)
mc.ext.ini:
Support for Rust crates file format (#4609)
Support for OpenEmbedded ipk archives (#4626)
ext.d: select browser at runtime (#4615)
Move CI from Travis to GitHub Actions (#4170, #3738, #4602)
Fixes
Segfault if filter makes file panel empty (#4600)
Segfault in built-in help when going to the previous topic (#4627)
Incorrect handling of ext2 attributes of a directory (#4590)
Failed copy/move operations make ETA inaccurate (#3205, #4613, #4623)
Hotlist: use after free (#4621)
mc.ext.ini: typo for apt view command line (#4583)
mcedit: visual glitches if built with aspell, but libraries not
installed (#4576)
mcedit: segfault on new file creation (#4580)
mcedit: PageDown skips lines in edit window (#4617)
mcedit: cursor jumps during PageDown in edit window (#4618)
mcview: false-positive regex search of BOL (#4587)
mcdiff: segmentation fault on empty files merge (#4608)
tar vfs: double free (#4616)
sftpfs vfs: use after free (#4620)
tests: fix charset-related code on non-glibc platforms (Alpine,
Illumos) (#3972, #4495)
tests: use weak symbols instead of symbol duplication to support
non-GNU linkers / macOS (#4584, #3542)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:15 +0000 (13:43 +0100)]
pango: Update to version 1.56.1
- Update from version 1.54.0 to 1.56.1
- Update of rootfile
- Changelog
1.56.1
- Avoid criticals when there are no fonts
- fontconfig: Handle lack of FC_FONT_WRAPPER in font cache
- fontconfig: Prefer application fonts even if they are older
1.56.0
- Support setting font features in font descriptions
- serialization: Document the tab array format
- serialization: Accept attributes without range
- win32: Improve the pango_font_map_reload_implementation
- win32: Take variations into account for caching
- layout: Fix measuring ellipsis runs with shapes
- build: Require C11
- build: Require GLib 2.80
- build: Require cairo 1.18
1.55
- Support Unicode 16
- Add pango_font_map_add_font_file
- fontconfig: Reject patterns without FC_FILE
- coretext: Actually use .AppleSystemUIFont
- coretext: Keep track of variations
- win32: Use font options for caching
- win32: Keep variations in PangoWin32Font
- build: Require harfbuzz 8.4.0
- build: Require fontconfig 2.15
- build: Require meson 1.2.0
- build: Require Windows 10
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:14 +0000 (13:43 +0100)]
openvmtools: Update to version 12.5.0
- Update from version 12.0.5 to 12.5.0
- Update of rootfile not required
- Several CVEs in various updates between 12.0.5 and 12.5.0
- Changelog
12.5.0
The following github.com/vmware/open-vm-tools pull request has been addressed.
Revise settings for vmware-user.desktop
Pull request #668
Accommodate newer releases of libxml2 and xmlsec1.
The configure.ac and VGAuth code updated to avoid deprecated functions
and build options based on OSS product version.
12.4.5
A number of issues flagged by Coverity and ShellCheck have been addressed.
The changes include code fixes and Coverity escapes for reported
false positives. See the details in the open-vm-tools ChangeLog
for specific fix or false positive escape.
Nested logging from RPCChannel error may hang the vmtoolsd process.
This issue has been fixed in this release.
vmtoolsd child processes invoke parent's atexit handler.
Fixed in this release by terminating child processes with _exit().
Mutexes in lib/libvmtools/vmtoolsLog.c and glib could have been locked at
fork time. The vmtoolsLog.c Debug(), Warning() and Panic() functions
are not safe for child processes.
Fixed in this release by directing child processes' logging to
stdout.
Permission on the vmware-network.log file incorrectly defaults to (0644).
Fixed in this release. The correct default is set to (0600).
The NetworkManager calls in the Linux "network" script have been updated.
Defaults to using the "Sleep" method over the "Enabled" method
used to work around a bug in NetworkManager version 0.9.0.
Resolves:
Pull request #699
Issue #426
Unused header files have been dropped from the current open-vm-tools source.
Accommodate newer releases of libxml2 and xmlsec1.
The configure.ac and VGAuth code updated to avoid deprecated
functions and build options based on OSS product version.
12.4.0
The following github.com/vmware/open-vm-tools pull request has been addressed
Power Ops: Attempt to execute file path only
Pull request #689
A number of issues flagged by Coverity have been addressed.
Add aliasing code to identify Miracle Linux by its former name of "asianux".
The Asianux Linux distribution rebranded itself as Miracle Linux.
Since vSphere infrastructure recognizes "asianux" but not
Miracle Linux, aliasing code was added to open-vm-tools to
continue to identify Miracle Linux systems as "asianux".
12.3.5
This release resolves CVE-2023-34058.
For more information on this vulnerability and its impact on
VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html.
open-vm-tools contains a SAML token signature bypass vulnerability.
VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of
7.5 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
A malicious actor that has been granted Guest Operation Privileges
in a target virtual machine may be able to elevate their
privileges if that target virtual machine has been assigned a
more privileged Guest Alias.
Note: While the description and known attack vectors are very
similar to CVE-2023-20900, CVE-2023-34058 has a different root
cause that must be addressed.
A patch for earlier versions of open-vm-tools is available at
CVE-2023-34058.patch.
This release resolves CVE-2023-34059.
open-vm-tools contains a file descriptor hijack vulnerability in
the vmware-user-suid-wrapper. VMware has evaluated the
severity of this issue to be in the Important severity range
with a maximum CVSSv3 base score of 7.4. -
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
A malicious actor with non-root privileges may be able to hijack
the /dev/uinput file descriptor allowing them to simulate user
inputs.
A patch for earlier versions of open-vm-tools is available at
CVE-2023-34059.patch.
The following github.com/vmware/open-vm-tools issue has been addressed
Better cooperation between deployPkg plugin and cloud-init concerning
location of 'disable_vmware_customization' flag.
Issue #310
12.3.0
This release resolves CVE-2023-20900.
For more information on this vulnerability and its impact on VMware
products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html.
Linux quiesced snapshot: "SyncDriver: failed to freeze 'filesystem'"
The open-vm-tools 12.2.0 release had an update to the Linux quiesced
snapshot operation that would avoid starting a quiesced snapshot if a
filesystem had already been frozen by another process. See the
Resolved Issues section in the open-vm-tools 12.2.0 Release Notes.
That fix may have been backported into earlier versions of
open-vm-tools by Linux vendors.
It is possible that filesystems are being frozen in custom pre-freeze
scripts to control the order in which those specific filesystems are
to be frozen. The vmtoolsd process must be informed of all such
filesystems with the help of "excludedFileSystems" setting of
tools.conf.
[vmbackup]
excludedFileSystems=/opt/data,/opt/app/project-*,...
A temporary workaround is available (starting from open-vm-tools 12.3.0)
for system administrators to quickly allow a quiescing operation to
succeed until the "excludedFileSystems" list can be configured. Note,
if another process thaws the file system while a quiescing snapshot
operation is ongoing, the snapshot may be compromised. Once the
"excludedFileSystems" list is configured this setting MUST be unset
(or set to false).
[vmbackup]
ignoreFrozenFileSystems = true
This workaround is provided in the source file changes in
https://github.com/vmware/open-vm-tools/commit/60c3a80ddc2b400366ed05169e16a6bed6501da2
and at Linux vendors' discretion, may be backported to earlier versions
of open-vm-tools.
A number of Coverity reported issues have been addressed.
Component Manager / salt-minion: New InstallStatus "UNMANAGED".
Salt-minion added support for "ExternalInstall" (106) to indicate an
older version of salt-minion is installed on the vm and cannot be
managed by the svtminion.* scripts. The Component Manager will track
that as "UNMANAGED" and take no action.
The following pull requests and issues have been addressed
Add antrea and calico interface pattern to GUESTINFO_DEFAULT_IFACE_EXCLUDES
Issue #638
Pull request #639
Invalid argument with "\" in Linux username (Active Directory user)
Issue #641
Improve POSIX guest identification
Issue #647
Issue #648
Remove appUtil library which depends on deprecated "gdk-pixbuf-xlib"
Issue #658
Fix build problems with grpc
Pull request #664
Issue #676
12.2.5
This release resolves CVE-2023-20867.
For more information on this vulnerability and its impact on VMware
products, see https://www.vmware.com/security/advisories/VMSA-2023-0013.html.
12.2.0
A number of Coverity reported issues have been addressed.
The vmtoolsd task is blocked in the uninterruptible state while doing a
quiesced snapshot.
As the ioctl FIFREEZE is done during a quiesced snapshot operation, an
EBUSY could be seen because of an attempt to freeze the same
superblock more than once depending on the OS configuration (e.g.
usage of bind mounts). An EBUSY could also mean another process has
locked or frozen that filesystem. That later could lead to the
vmtoolsd process being blocked and ultimately other processes on the
system could be blocked.
The Linux quiesced snapshot procedure has been updated so that when an
EBUSY is received, the filesystem FSID is checked against the list of
filesystems that have already been quiesced. If not previously seen,
a warning that the filesystem is controlled by another process is
logged and the quiesced snapshot request will be rejected.
This fix to lib/syncDriver/syncDriverLinux.c is directly applicable to
previous releases of open-vm-tools and is available at:
https://github.com/vmware/open-vm-tools/commit/9d458c53a7a656d4d1ba3a28d090cce82ac4af0e
Updated the guestOps to handle some edge cases.
When File_GetSize() fails or returns a -1 indicating the user does not
have access permissions:
Skip the file in the output of the ListFiles() request.
Fail an InitiateFileTransferFromGuest operation.
The following pull requests and issues have been addressed.
Detect the proto files for the containerd grpc client in alternate locations.
Pull request #626
FreeBSD: Support newer releases and code clean-up for earlier versions.
Pull request #584
12.1.5
A number of Coverity reported issues have been addressed.
The deployPkg plugin may prematurely reboot the guest VM before cloud-init
has completed user data setup.
If both the Perl based Linux customization script and cloud-init
run when the guest VM boots, the deployPkg plugin may reboot
the guest before cloud-init has finished. The deployPkg plugin
has been updated to wait for a running cloud-init process to
finish before the guest VM reboot is initiated.
This issue is fixed in this release.
A SIGSEGV may be encountered when a non-quiescing snapshot times out.
This issue is fixed in this release.
Unwanted vmtoolsd service error message if not on a VMware hypervisor.
When open-vm-tools comes preinstalled in a base Linux release, the
vmtoolsd services are started automatically at system start
and desktop login. If running on physical hardware or in a
non-VMware hypervisor, the services will emit an error message
to the Systemd's logging service before stopping.
This issue is fixed in this release.
12.1.0
This release resolves CVE-2022-31676. For more information on this
vulnerability and its impact on VMware products, see
https://www.vmware.com/security/advisories/VMSA-2022-0024.html.
A patch for existing open-vm-tools releases is provided in the
CVE-2022-31676 README file.
A number of Coverity reported issues have been addressed.
[FTBFS] Fix the build of the ContainerInfo plugin for a 32-bit Linux release
Reported in open-vm-tools pull request #588, the fix did not make the
code freeze date for open-vm-tools 12.0.5.
This issue is fixed in this release.
Make HgfsConvertFromNtTimeNsec aware of 64-bit time_t on i386 (32-bit)
Reported in open-vm-tools pull request #387, this change incorporates
the support of 64 bit time epoch conversion from Windows NT time to
Unix Epoch time on i386.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:13 +0000 (13:43 +0100)]
monit: Update to version 5.34.4
- Update from version 5.34.3 to 5.34.4
- Update of rootfile not required
- Changelog
5.34.4
Fixed: If the Monit configuration file contains a string with unbalanced
escape sequences, Monit may crash upon startup.
Fixed: If the password in the set mmonit URL contains only binary
characters, syntax check passed (-t), but Monit aborts after start and
reports following error:
AssertException: n >= 0
raised in Str_ndup at src/util/Str.c:315
Aborted
Fixed: If the every <cron> statement contained a syntax error, syntax check
passed (-t), but Monit aborts after start and reports following error:
AssertException: n < 5 && n >= 0
raised in Time_incron at src/system/Time.c:1566
Aborted
Fixed: If the timeout option value was set to 0, the syntax check was
successful (-t), but Monit aborts after starting and reports the
following error:
AssertException: timeout > 0
raised in Socket_create at src/net/socket.c:319
Aborted
Fixed: The set syslog statement's facility option did not permit the
specification of the log_user. Thanks to Lutz Mader for report.
Fixed: Double interpretation of format strings during RETHROW
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:12 +0000 (13:43 +0100)]
lynis: Update to version 3.1.3
- Update from version 3.1.1 to 3.1.3
- Update of rootfile
- Changelog
3.1.3
This release introduces additional documentation in the form of blog articles
to support the (missing) control information on the website.
Added
- Detection of Buildroot, Fedora Linux Asahi Remix, Garden Linux,
Peppermint OS
- Support for blog posts and articles to enhance suggestions
Changed
- BOOT-5264 - Changed output of systemd-analyze test and added link
- FILE-6398 - Test temporarily disabled as on modern kernels JBD
support is built-in
- FIRE-4508 - Several changes to expand the test, make it more generic,
resolve minor issues
- KRNL-5622 - Test if systemctl binary is set
- Several improvements for busybox
- Update of translations: Italian, Russian, Spanish
3.1.2
Added
- Detection of ALT Linux
- Detection of Athena OS
- Detection of Container-Optimized OS from Google
- Detection of Koozali SME Server
- Detection of Nobara Linux
- Detection of Open Source Media Center (OSMC)
- Detection of PostmarketOS
- CRYP-7932 - macOS FileVault encryption test
- FILE-6398 - Check if JBD (Journal Block Device) driver is loaded
- FINT-4344 - Wazuh system running state
- PKGS-7305 - Query macOS Apps in /Applications and CoreServices
- File added: .editorconfig, which is used by editors to standardize
formatting
Changed
- Correction of software EOL database and inclusion of AIX entries
- Support sysctl value perf_event_paranoid -> 2|3
- Update of translations: German, Portuguese, Turkish
- Grammar and spell improvements
- Improved package detection on Alpine Linux
- Slackware support to check installed packages
(functionPackageIsInstalled())
- Added words prosecute/report to LEGAL_BANNER_STRINGS
- Busybox support: Replace newer tr command syntax with older ascii
specific operations
- Added Wazuh as a malware scanner/antivirus and rootkit detection tool
- Updated PHP versions and removed PHP 5 (deprecated)
- AUTH-9262 - Corrected message with advised PAM library (libpam-passwdqc)
- CONT-8104 - Checking for errors, not only warning in docker info output
- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux,
and FreeBSD
- FILE-6344 - Test kernel version (major/minor)
- INSE-8000 - Added inetd package and service name used in ubuntu 24.04
- KRNL-5622 - Use systemctl get-default instead of following link
- KRNL-5820 - Accept ulimit with -H parameter also
- LOGG-2144 - Check for wazuh-agent presence on Linux systems
- MACF-6234 - Test if semanage binary is available
- MALW-3200 - ESET Endpoint Antivirus added
- MALW-3280 - McAfee Antivirus for Linux deprecated
- MALW-3291 - Check if Microsoft Defender Antivirus is installed
- NETW-3200 - Added regex to allow both /bin/true as /bin/false
- PKGS-7303 - Added version numbers to brew packages
- PKGS-7370 - Cron job check for debsums improved
- PKGS-7392 - Improved filtering of apt-check output (Ubuntu 24.04 may
give an error)
- PKGS-7410 - Added kernel name for Hardkernel odroid XU4
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:11 +0000 (13:43 +0100)]
lvm2: Update to version 2.03.30
- Update from version 2.03.28 to 2.03.30
- Update of rootfile not required
- Changelog
2.03.30
Lvresize reports origin vdo volume cannot be resized.
Support setting reserved_memory|stack of --config cmdline.
Fix support for disabling memory locking (2.03.27).
Do not extend an LV if FS resize unsupported and '--fs resize' used.
Prevent leftover temporary device when converting in use volume to a pool.
lvconvert detects early volume in use when converting it to a pool.
Handle NVMe with quirk changed WWID not matching WWID in devices file.
2.03.29
Configure --enable/disable-sd-notify to control lvmlockd build with sd-notify.
Allow test mode when lvmlockd is built without dlm support.
Add a note about RAID + integrity synchronization to lvmraid(7) man page.
Add a function for running lvconvert --repair on RAID LVs to lvmdbusd.
Improve option section of man pages for listing commands ({pv,lv,vg}{s,display}).
Fix renaming of raid sub LVs when converting a volume to raid (2.03.28).
Fix segfault/VG write error for raid LV lvextend -i|--stripes -I|--stripesize.
Revert ignore -i|--stripes, -I|--stripesize for lvextend on raid0 LV (2.03.27).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:08 +0000 (13:43 +0100)]
harfbuzz: Update to version 10.2.0
- Update from version 10.1.0 to 10.2.0
- Update of rootfile
- Changelog
10.2.0
- Consider Unicode Variation Selectors when subsetting “cmap” table.
- Guard hb_cairo_glyphs_from_buffer() against malformed UTF-8 strings.
- Fix incorrect “COLR” v1 glyph scaling in hb-cairo.
- Use locale-independent parsing of double numbers in “hb-subset” command line
tool.
- Fix incorrect zeroing of advance width of base glyphs in various “Courier New”
font versions due to incorrect “GDEF” glyph classes.
- Fix handling of long language codes with “HB_LEAN” configuration.
- Update OpenType language system registry.
- Allow all Myanmar tone marks (including visarga) in any order
- Don’t insert U+25CC DOTTED CIRCLE before superscript/subscript digits
- Handle Garay script as right to left script.
- New API for serializing font tables and potentially repacking them in optimal
way. This was a previously experimental-only API.
- New API for converting font variation setting from and to strings.
- Various build fixes
- Various subsetter and instancer fixes.
- New API:
+hb_subset_serialize_link_t
+hb_subset_serialize_object_t
+hb_subset_serialize_or_fail()
+hb_subset_axis_range_from_string()
+hb_subset_axis_range_to_string()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:07 +0000 (13:43 +0100)]
git: Update to version 2.48.1
- Update from version 2.46.0 to 2.48.1
- Update of rootfile
- Changelog
2.48.1
This release merges up the fix that appears in v2.40.4, v2.41.3,
v2.42.4, v2.43.6, v2.44.3, v2.45.3, v2.46.3, and v2.47.2 to address
the security issues CVE-2024-50349 and CVE-2024-52006; see the release
notes for these versions for details.
2.48.0
UI, Workflows & Features
* A new configuration variable remote.<name>.serverOption makes the
transport layer act as if the --serverOption=<value> option is
given from the command line.
* "git rebase --rebase-merges" now uses branch names as labels when
able.
* Describe the policy to introduce breaking changes.
* Teach 'git notes add' and 'git notes append' a new '-e' flag,
instructing them to open the note in $GIT_EDITOR before saving.
* Documentation for "git bundle" saw improvements to more prominently
call out the use of '--all' when creating bundles.
* Drop support for older libcURL and Perl.
* End-user experience of "git mergetool" when the command errors out
has been improved.
* "git bundle --unbundle" and "git clone" running on a bundle file
both learned to trigger fsck over the new objects with configurable
fsck check levels.
* When "git fetch $remote" notices that refs/remotes/$remote/HEAD is
missing and discovers what branch the other side points with its
HEAD, refs/remotes/$remote/HEAD is updated to point to it.
* "git fetch" honors "remote.<remote>.followRemoteHEAD" settings to
tweak the remote-tracking HEAD in "refs/remotes/<remote>/HEAD".
* "git range-diff" learned to optionally show and compare merge
commits in the ranges being compared, with the --diff-merges
option.
Performance, Internal Implementation, Development Support etc.
* Document "amlog" notes.
* The way AsciiDoc is used for SYNOPSIS part of the manual pages has
been revamped. The sources, at least for the simple cases, got
vastly more pleasant to work with.
* The reftable library is now prepared to expect that the memory
allocation function given to it may fail to allocate and to deal
with such an error.
* An extra worktree attached to a repository points at each other to
allow finding the repository from the worktree (and vice versa)
possible. Use relative paths for this linkage.
* Enable Windows-based CI in GitLab.
* Commands that can also work outside Git have learned to take the
repository instance "repo" when we know we are in a repository, and
NULL when we are not, in a parameter. The uses of the_repository
variable in a few of them have been removed using the new calling
convention.
* The reftable sub-system grew a new reftable-specific strbuf
replacement to reduce its dependency on Git-specific data
structures.
* The ref-filter machinery learns to recognize and avoid cases where
sorting would be redundant.
* Various platform compatibility fixes split out of the larger effort
to use Meson as the primary build tool.
* Treat ECONNABORTED the same as ECONNRESET in 'git credential-cache'
to work around a possible Cygwin regression. This resolves a race
condition caused by changes in Cygwin's handling of socket
closures, allowing the client to exit cleanly when encountering
ECONNABORTED.
* Demonstrate an assertion failure in 'git mv'.
* Documentation update to clarify that 'uploadpack.allowAnySHA1InWant'
implies both 'allowTipSHA1InWant' and 'allowReachableSHA1InWant'.
* Replace various calls to atoi() with strtol_i() and strtoul_ui(),
and add improved error handling.
* Documentation updates to 'git-update-ref(1)'.
* Update the project's CodingGuidelines to discourage naming functions
with a "_1()" suffix.
* Update '.clang-format' to match project conventions.
* Centralize documentation for repository extensions into a single place.
* Buildfix and upgrade of Clar to a newer version.
* Documentation mark-up updates.
* Renaming a handful of variables and structure fields.
* Fix for clar unit tests to support CMake build.
* C23 compatibility updates.
* GCC 15 compatibility updates.
* We now ensure "index-pack" is used with the "--promisor" option
only during a "git fetch".
* The migration procedure between two ref backends has been optimized.
* "git fsck" learned to issue warnings on "curiously formatted" ref
contents that have always been treated as valid but that Git
wouldn't have written itself (e.g., missing terminating end-of-line
after the full object name).
* Work around Coverity warning that would not trigger in practice.
* Built-in Git subcommands are supplied the repository object to work
with; they learned to do the same when they invoke sub-subcommands.
* Drop support for ancient environments in various CI jobs.
* Isolate the reftable subsystem from the rest of Git's codebase by
using fewer pieces of Git's infrastructure.
* Optimize reading random references out of the reftable backend by
allowing reuse of iterator objects.
* Backport oss-fuzz tests to our codebase.
* Introduce a new repository extension to prevent older Git versions
from mis-interpreting worktrees created with relative paths.
* Yet another "pass the repository through the callchain" topic.
* "git describe" learned to stop digging the history needlessly
deeper.
* Build procedure update plus introduction of Meson based builds.
* Recent reftable updates mistook a NULL return from a request for
0-byte allocation as OOM and died unnecessarily, which has been
corrected.
* Reftable backend adds check for upper limit of log's update_index.
* Start working to make the codebase buildable with -Wsign-compare.
* Regression fix for 'show-index' when run outside of a repository.
* The meson-build procedure is integrated into CI to catch and
prevent bitrotting.
* "git refs migrate" learned to also migrate the reflog data across
backends.
* The developer documentation has been updated to give the latest
info on gitk and git-gui maintainer.
* CI jobs that run threaded programs under LSan have been giving false
positives from time to time, which has been worked around.
* Doc update to clarify how periodical maintenance is scheduled,
spread across time to avoid thundering herds.
* Use after free and double freeing at the end in "git log -L... -p"
had been identified and fixed.
* On macOS, fsmonitor can fall into a race condition that results in
a client waiting forever to be notified about an event that has
already happened. This problem has been corrected.
* "git maintenance start" crashed due to an uninitialized variable
reference, which has been corrected.
* Fail gracefully instead of crashing when attempting to write the
contents of a corrupt in-core index as a tree object.
* A "git fetch" from the superproject going down to a submodule used
a wrong remote when the default remote names are set differently
between them.
* Fixes compile time warnings with 64-bit MSVC.
* Teaches 'shortlog' to explicitly use SHA-1 when operating outside
of a repository.
* Fix 'git grep' regression on macOS by disabling lookahead when
encountering invalid UTF-8 byte sequences.
* The dumb-http code regressed when the result of re-indexing a pack
yielded an *.idx file that differs in content from the *.idx file
it downloaded from the remote. This has been corrected by no longer
relying on the *.idx file we got from the remote.
* When called with '--left-right' and '--use-bitmap-index', 'rev-list'
will produce output without any left/right markers, which has been
corrected.
* More leakfixes.
* Test modernization.
* The "--shallow-exclude=<ref>" option to various history transfer
commands takes a ref, not an arbitrary revision.
* A regression where commit objects missing from a commit-graph can
cause an infinite loop when doing a fetch in a partial clone has
been fixed.
* The MinGW compatibility layer has been taught to support POSIX
semantics for atomic renames when other process(es) have a file
opened at the destination path.
* "git gc" discards any objects that are outside promisor packs that
are referred to by an object in a promisor pack, and we do not
refetch them from the promisor at runtime, resulting in an unusable
repository. Work around it by including these objects in the
referring promisor pack at the receiving end of the fetch.
* Avoid build/test breakage on a system without working malloc debug
support dynamic library.
(merge 72ad6dc368 jk/test-malloc-debug-check later to maint).
* Double-free fix.
(merge fe17a25905 jk/fetch-prefetch-double-free-fix later to maint).
* Use of some uninitialized variables in "git difftool" has been
corrected.
* Object reuse code based on multi-pack-index sent an unwanted copy
of object.
(merge e199290592 tb/multi-pack-reuse-dupfix later to maint).
* "git fast-import" can be tricked into a replace ref that maps an
object to itself, which is a useless thing to do.
(merge 5e904f1a4a en/fast-import-avoid-self-replace later to maint).
* The ref-transaction hook triggered for reflog updates, which has
been corrected.
(merge b886db48c6 kn/ref-transaction-hook-with-reflog later to maint).
* Give a bit of advice/hint message when "git maintenance" stops finding a
lock file left by another instance that still is potentially running.
(merge ba874d1dac ps/gc-stale-lock-warning later to maint).
* Use the right helper program to measure file size in performance tests.
(merge 3f97f1bce6 tb/use-test-file-size-more later to maint).
* A double-free that may not trigger in practice by luck has been
corrected in the reference resolution code.
(merge b6318cf23a sj/refs-symref-referent-fix later to maint).
* The sequencer failed to honor core.commentString in some places.
* Describe a case where an option value needs to be spelled as a
separate argument, i.e. "--opt val", not "--opt=val".
(merge 1bc1e94091 jc/doc-opt-tilde-expand later to maint).
* Loosen overly strict ownership check introduced in the recent past,
to keep the promise "cloning a suspicious repository is a safe
first step to inspect it".
(merge 0ffb5a6bf1 bc/allow-upload-pack-from-other-people later to maint).
* "git fast-import" learned to reject paths with ".." and "." as
their components to avoid creating invalid tree objects.
(merge 8cb4c6e62f en/fast-import-verify-path later to maint).
* The --ancestry-path option is designed to be given a commit that is
on the path, which was not documented, which has been corrected.
(merge bc1a980759 kk/doc-ancestry-path later to maint).
* "git tag" has been taught to refuse to create refs/tags/HEAD
since such a tag will be confusing in the context of the UI provided by
the Git Porcelain commands.
(merge bbd445d5ef jc/forbid-head-as-tagname later to maint).
* The advice messages now tell the newer 'git config set' command to
set the advice.token configuration variable to squelch a message.
(merge 6c397d0104 bf/explicit-config-set-in-advice-messages later to maint).
* The syntax ":/<text>" to name the latest commit with the matching
text was broken with a recent change, which has been corrected.
(merge 0ff919e87a ps/commit-with-message-syntax-fix later to maint).
* Fix performance regression of a recent "fatten promisor pack with
local objects" protection against an unwanted gc.
* "git log -p --remerge-diff --reverse" was completely broken.
(merge f94bfa1516 js/log-remerge-keep-ancestry later to maint).
* "git bundle create" with an annotated tag on the positive end of
the revision range had a workaround code for older limitation in
the revision walker, which has become unnecessary.
(merge dd1072dfa8 tc/bundle-with-tag-remove-workaround later to maint).
* GitLab CI updates.
(merge c6b43f663e ps/ci-gitlab-update later to maint).
* Code to reuse objects based on bitmap contents has been tightened
to avoid race condition even when multiple packs are involved.
(merge 62b3ec8a3f tb/bitmap-fix-pack-reuse later to maint).
* An earlier "csum-file checksum does not have to be computed with
sha1dc" topic had a few code paths that had initialized an
implementation of a hash function to be used by an unmatching hash
by mistake, which have been corrected.
(merge 599a63409b ps/weak-sha1-for-tail-sum-fix later to maint).
* Other code cleanup, docfix, build fix, etc.
(merge 77af53f56f aa/t7300-modernize later to maint).
(merge dcd590a39d bf/t-readme-mention-reftable later to maint).
(merge 68e3c69efa kh/trailer-in-glossary later to maint).
(merge 91f88f76e6 tb/boundary-traversal-fix later to maint).
(merge 168ebb7159 jc/doc-error-message-guidelines later to maint).
(merge 18693d7d65 kh/doc-bundle-typofix later to maint).
(merge e2f5d3b491 kh/doc-update-ref-grammofix later to maint).
(merge 8525e92886 mh/doc-windows-home-env later to maint).
2.47.2
This release merges up the fix that appears in v2.40.4, v2.41.3,
v2.42.4, v2.43.6, v2.44.3, v2.45.3 and v2.46.3 to address the
security issues CVE-2024-50349 and CVE-2024-52006; see the release
notes for these versions for details.
2.47.1
This is to flush accumulated fixes since 2.47.0 on the 'master'
front down to the maintenance track.
Fixes since Git 2.47
* Use after free and double freeing at the end in "git log -L... -p"
had been identified and fixed.
* On macOS, fsmonitor can fall into a race condition that results in
a client waiting forever to be notified for an event that has
already happened. This problem has been corrected.
* "git maintenance start" crashed due to an uninitialized variable
reference, which has been corrected.
* Fail gracefully instead of crashing when attempting to write the
contents of a corrupt in-core index as a tree object.
* A "git fetch" from the superproject going down to a submodule used
a wrong remote when the default remote names are set differently
between them.
* The "gitk" project tree has been synchronized again with its new
maintainer, Johannes Sixt.
Also contains minor documentation updates and code clean-ups.
2.47.0
UI, Workflows & Features
* Many Porcelain commands that internally use the merge machinery
were taught to consistently honor the diff.algorithm configuration.
* A few descriptions in "git show-ref -h" have been clarified.
* A 'P' command to "git add -p" that passes the patch hunk to the
pager has been added.
* "git grep -W" omits blank lines that follow the found function at
the end of the file, just like it omits blank lines before the next
function.
* The value of http.proxy can have "path" at the end for a socks
proxy that listens to a unix-domain socket, but we started to
discard it when we taught proxy auth code path to use the
credential helpers, which has been corrected.
* The code paths to compact multiple reftable files have been updated
to correctly deal with multiple compaction triggering at the same
time.
* Support to specify ref backend for submodules has been enhanced.
* "git svn" has been taught about svn:global-ignores property
recent versions of Subversion have.
* The default object hash and ref backend format used to be settable
only with explicit command line option to "git init" and
environment variables, but now they can be configured in the user's
global and system wide configuration.
* "git send-email" learned "--translate-aliases" option that reads
addresses from the standard input and emits the result of applying
aliases on them to the standard output.
* 'git for-each-ref' learned a new "--format" atom to find the branch
that the history leading to a given commit "%(is-base:<commit>)" is
likely based on.
* The command line prompt support used to be littered with bash-isms,
which has been corrected to work with more shells.
* Support for the RUNTIME_PREFIX feature has been added to z/OS port.
* "git send-email" learned "--mailmap" option to allow rewriting the
recipient addresses.
* "git mergetool" learned to use VSCode as a merge backend.
* "git pack-redundant" has been marked for removal in Git 3.0.
* One-line messages to "die" and other helper functions will get LF
added by these helper functions, but many existing messages had an
unnecessary LF at the end, which have been corrected.
* The "scalar clone" command learned the "--no-tags" option.
* The environment GIT_ADVICE has been intentionally kept undocumented
to discourage its use by interactive users. Add documentation to
help tool writers.
* "git apply --3way" learned to take "--ours" and other options.
Performance, Internal Implementation, Development Support etc.
* A build tweak knob has been simplified by not setting the value
that is already the default; another unused one has been removed.
* A CI job that uses clang-format to check coding style issues in new
code has been added.
* The reviewing guidelines document now explicitly encourages people
to give positive reviews and how.
* Test script linter has been updated to catch an attempt to use
one-shot export construct "VAR=VAL func" for shell functions (which
does not work for some shells) better.
* Some project conventions have been added to CodingGuidelines.
* In the refs subsystem, implicit reliance of the_repository has been
eliminated; the repository associated with the ref store object is
used instead.
* Various tests in reftable library have been rewritten using the unit test
framework.
* A test that fails on an unusually slow machine was found, and made
less likely to cause trouble by lengthening the expiry value it
uses.
* An existing test of hashmap API has been rewritten with the
unit-test framework.
* A policy document that describes platform support levels and
expectation on platform stakeholders has been introduced.
* The refs API has been taught to give symref target information to
the users of ref iterators, allowing for-each-ref and friends to
avoid an extra ref_resolve_* API call per a symbolic ref.
* Unit-test framework has learned a simple control structure to allow
embedding test statements in-line instead of having to create a new
function to contain them.
* Incremental updates of multi-pack index files is getting worked on.
* Use of API functions that implicitly depend on the_repository
object in the config subsystem has been rewritten to pass a
repository object through the callchain.
* Unused parameters have been either marked as UNUSED to squelch
-Wunused warnings or dropped from many functions.
* The code in the reftable library has been cleaned up by discarding
unused "generic" interface.
* The underlying machinery for "git diff-index" has long been made to
expand the sparse index as needed, but the command fully expanded
the sparse index upfront, which now has been taught not to do.
* More trace2 events at key points on push and fetch code paths have
been added.
* Make our codebase compilable with the -Werror=unused-parameter
option.
* "git cat-file" works well with the sparse-index, and gets marked as
such.
* CI started failing completely for linux32 jobs, as the step to
upload failed test directory uses GitHub actions that is deprecated
and is now disabled.
* Import clar unit tests framework libgit2 folks invented for our
use.
* The error messages from the test script checker have been improved.
* The convention to calling into built-in command implementation has
been updated to pass the repository, if known, together with the
prefix value.
* "git apply" had custom buffer management code that predated before
use of strbuf got widespread, which has been updated to use strbuf,
which also plugged some memory leaks.
* The reftable backend learned to more efficiently handle exclude
patterns while enumerating the refs.
* CI updates. FreeBSD image has been updated to 13.4.
(merge 2eeb29702e cb/ci-freebsd-13-4 later to maint).
* Give timeout to the locking code to write to reftable, instead of
failing on the first failure without retrying.
* The checksum at the tail of files are now computed without
collision detection protection. This is safe as the consumer of
the information to protect itself from replay attacks checks for
hash collisions independently.
2.46.3
This release merges up the fix that appears in v2.40.4, v2.41.3, v2.42.4,
v2.43.6, v2.44.3 and v2.45.3 to address the security issues CVE-2024-50349 and
CVE-2024-52006; see the release notes for these versions for details.
2.46.2
This release is primarily to merge changes to unbreak the 32-bit
GitHub actions jobs we use for CI testing, so that we can release
real fixes for the 2.46.x track after they pass CI.
It also reverts the "git patch-id" change that went into 2.46.1,
as it seems to have got a regression reported (I haven't verified,
but it is better to keep a known breakage than adding an unintended
regression).
Other than that, a handful of minor bugfixes are included.
* In a few corner cases "git diff --exit-code" failed to report
"changes" (e.g., renamed without any content change), which has
been corrected.
* Cygwin does have /dev/tty support that is needed by things like
single-key input mode.
* The interpret-trailers command failed to recognise the end of the
message when the commit log ends in an incomplete line.
2.46.1
This release is primarily to merge fixes accumulated on the 'master'
front to prepare for 2.47 release that are still relevant to 2.46.x
maintenance track.
* "git checkout --ours" (no other arguments) complained that the
option is incompatible with branch switching, which is technically
correct, but found confusing by some users. It now says that the
user needs to give pathspec to specify what paths to checkout.
* It has been documented that we avoid "VAR=VAL shell_func" and why.
* "git add -p" by users with diff.suppressBlankEmpty set to true
failed to parse the patch that represents an unmodified empty line
with an empty line (not a line with a single space on it), which
has been corrected.
* "git rebase --help" referred to "offset" (the difference between
the location a change was taken from and the change gets replaced)
incorrectly and called it "fuzz", which has been corrected.
* "git notes add -m '' --allow-empty" and friends that take prepared
data to create notes should not invoke an editor, but it started
doing so since Git 2.42, which has been corrected.
* An expensive operation to prepare tracing was done in re-encoding
code path even when the tracing was not requested, which has been
corrected.
* Perforce tests have been updated.
* The credential helper to talk to OSX keychain sometimes sent
garbage bytes after the username, which has been corrected.
* A recent update broke "git ls-remote" used outside a repository,
which has been corrected.
* "git config --value=foo --fixed-value section.key newvalue" barfed
when the existing value in the configuration file used the
valueless true syntax, which has been corrected.
* "git reflog expire" failed to honor annotated tags when computing
reachable commits.
* A flakey test and incorrect calls to strtoX() functions have been
fixed.
* Follow-up on 2.45.1 regression fix.
* "git rev-list ... | git diff-tree -p --remerge-diff --stdin" should
behave more or less like "git log -p --remerge-diff" but instead it
crashed, forgetting to prepare a temporary object store needed.
* The patch parser in "git patch-id" has been tightened to avoid
getting confused by lines that look like a patch header in the log
message.
* "git bundle unbundle" outside a repository triggered a BUG()
unnecessarily, which has been corrected.
* The code forgot to discard unnecessary in-core commit buffer data
for commits that "git log --skip=<number>" traversed but omitted
from the output, which has been corrected.
* "git verify-pack" and "git index-pack" started dying outside a
repository, which has been corrected.
* A corner case bug in "git stash" was fixed.
Also contains minor documentation updates and code clean-ups.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:06 +0000 (13:43 +0100)]
gdb: Update to version 16.1
- Update from version 15.2 to 16.1
- Update of rootfile
- Changelog
16.1
* Support for Nios II targets has been removed as this architecture
has been EOL'ed by Intel.
* GDB now supports watchpoints for tagged data pointers (see
https://en.wikipedia.org/wiki/Tagged_pointer) on amd64, such as the
one used by the Linear Address Masking (LAM) feature provided by
Intel.
* Debugging support for Intel MPX has been removed. This includes the
removal of
** MPX register support
** the commands "show/set mpx bound" (deprecated since GDB 15)
** i386 and amd64 implementation of the hooks report_signal_info and
get_siginfo_type.
* GDB now supports printing of asynchronous events from the Intel Processor
Trace during 'record instruction-history', 'record function-call-history'
and all stepping commands. This can be controlled with the new
"set record btrace pt event-tracing" command.
* GDB now supports printing of ptwrite payloads from the Intel Processor
Trace during 'record instruction-history', 'record function-call-history'
and all stepping commands. The payload is also accessible in Python as a
RecordAuxiliary object. Printing is customizable via a ptwrite filter
function in Python. By default, the raw ptwrite payload is printed for
each ptwrite that is encountered.
* For breakpoints that are created in the 'pending' state, any
'thread' or 'task' keywords are parsed at the time the breakpoint is
created, rather than at the time the breakpoint becomes non-pending.
* Thread-specific breakpoints are only inserted into the program space
in which the thread of interest is running. In most cases program
spaces are unique for each inferior, so this means that
thread-specific breakpoints will usually only be inserted for the
inferior containing the thread of interest. The breakpoint will
be hit no less than before.
* For ARM targets, the offset of the pc in the jmp_buf has been fixed to match
glibc 2.20 and later. This should only matter when not using libc probes.
This may cause breakage when using an incompatible libc, like uclibc or
newlib, or an older glibc.
* MTE (Memory Tagging Extension) debugging is now supported on AArch64 baremetal
targets.
* Remove support (native and remote) for QNX Neutrino (triplet
`i[3456]86-*-nto*`).
* In a record session, when a forward emulation reaches the end of the reverse
history, the warning message has been changed to indicate that the end of the
history has been reached. It also specifies that the forward execution can
continue, and the recording will also continue.
* The Ada 'Object_Size attribute is now supported.
* Support for process record/replay and reverse debugging on loongarch*-linux*
targets has been added.
* New bash script gstack uses GDB to print stack traces of running processes.
* Python API
** Added gdb.record.clear. Clears the trace data of the current recording.
This forces re-decoding of the trace for successive commands.
** Added the new event source gdb.tui_enabled.
** New module gdb.missing_objfile that facilitates dealing with
missing objfiles when opening a core-file.
** New function gdb.missing_objfile.register_handler that can
register an instance of a sub-class of
gdb.missing_debug.MissingObjfileHandler as a handler for missing
objfiles.
** New class gdb.missing_objfile.MissingObjfileHandler which can be
sub-classed to create handlers for missing objfiles.
** The 'signed' argument to gdb.Architecture.integer_type() will no
longer accept non-bool types.
** The gdb.MICommand.installed property can only be set to True or
False.
** The 'qualified' argument to gdb.Breakpoint constructor will no
longer accept non-bool types.
** Added the gdb.Symbol.is_artificial attribute.
* Debugger Adapter Protocol changes
** The "scopes" request will now return a scope holding global
variables from the stack frame's compilation unit.
** The "scopes" request will return a "returnValue" scope holding
the return value from the latest "stepOut" command, when
appropriate.
** The "launch" and "attach" requests were rewritten in accordance
with some clarifications to the spec. Now they can be sent at
any time after the "initialized" event, but will not take effect
(or send a response) until after the "configurationDone" request
has been sent.
** The "variables" request will not return artificial symbols.
* New commands
show jit-reader-directory
Show the name of the directory that "jit-reader-load" uses for
relative file names.
set style line-number foreground COLOR
set style line-number background COLOR
set style line-number intensity VALUE
Control the styling of line numbers printed by GDB.
set style command foreground COLOR
set style command background COLOR
set style command intensity VALUE
Control the styling of GDB commands when displayed by GDB.
set style title foreground COLOR
set style title background COLOR
set style title intensity VALUE
This style now applies to the header line of lists, for example the
first line of the output of "info breakpoints". Previous uses of
this style have been replaced with the new "command" style.
set warn-language-frame-mismatch [on|off]
show warn-language-frame-mismatch
Control the warning that is emitted when specifying a language that
does not match the current frame's language.
maintenance info inline-frames [ADDRESS]
New command which displays GDB's inline-frame information for the
current address, or for ADDRESS if specified. The output identifies
inlined frames which start at the specified address.
maintenance info blocks [ADDRESS]
New command which displays information about all of the blocks at
ADDRESS, or at the current address if ADDRESS is not given. Blocks
are listed starting at the inner global block out to the most inner
block.
info missing-objfile-handlers
List all the registered missing-objfile handlers.
enable missing-objfile-handler LOCUS HANDLER
disable missing-objfile-handler LOCUS HANDLER
Enable or disable a missing-objfile handler with a name matching the
regular expression HANDLER, in LOCUS.
LOCUS can be 'global' to operate on global missing-objfile handler,
'progspace' to operate on handlers within the current program space,
or can be a regular expression which is matched against the filename
of the primary executable in each program space.
* Changed commands
remove-symbol-file
This command now supports file-name completion.
remove-symbol-file -a ADDRESS
The ADDRESS expression can now be a full expression consisting of
multiple terms, e.g. 'function + 0x1000' (without quotes),
previously only a single term could be given.
target core
target exec
target tfile
target ctf
compile file
maint print c-tdesc
save gdb-index
These commands now require their filename argument to be quoted if
it contains white space or quote characters. If the argument
contains no such special characters then quoting is not required.
maintenance print remote-registers
Add an "Expedited" column to the output of the command. It indicates
which registers were included in the last stop reply packet received by
GDB.
show configuration
Now includes the version of GNU Readline library that GDB is using.
* New remote packets
vFile:stat
Return information about files on the remote system. Like
vFile:fstat but takes a filename rather than an open file
descriptor.
x addr,length
Given ADDR and LENGTH, fetch LENGTH units from the memory at address
ADDR and send the fetched data in binary format. This packet is
equivalent to 'm', except that the data in the response are in
binary format.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:04 +0000 (13:43 +0100)]
ddrescue: Update to version 1.29
- Update from version 1.28 to 1.29
- Update of rootfile not required
- Changelog
1.29
The new option '--continue-on-errno' has been added.
If ddrescue exits because of a fatal read error, it now prints the value of
the variable 'errno' so that it can be used as argument to
'--continue-on-errno'.
When using '--ask' and '--verbose', print rescue options before asking user.
Option '--log-reads' now records the value of errno if different from EIO.
(The four changes above suggested by Christian Franke).
The effect of option '-O, --reopen-on-error' has been extended to all phases.
It has been documented in the manual that '--reopen-on-error' may be needed
when using '--continue-on-errno'.
A compilation error on FiwixOS 3.3 about an ambiguous call to std::abs has
been fixed. (Reported by Jordi Sanfeliu).
The chapter 'Syntax of command-line arguments' has been added to the manual.
Two examples of combined use with lziprecover have been added to the manual.
(One of them uses the new Forward Error Correction (FEC) feature of
lziprecover).
It has been documented in the manual that option '-b' of ddrescuelog is
position dependent. (Reported by Winston B. E.).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:05 +0000 (13:43 +0100)]
fontconfig: Update to version 2.16.0
- Update from version 2.15.0 to 2.16.0
- Update of rootfile
- Changelog
2.16.0
Publish docs to GitLab pages
doc: default index for fontconfig-devel to index.html
Update URLs for docs
doc: Fix a typo of the summary for FcFontSetSort
Clean up .uuid files with fc-cache -f too
Fix undesired unref of FcConfig on Win32
meson.build: Fix a typo in POT names
meson.build: Add missing --msgid-bugs-address
Sort out bitmap related config files
Add test cases for 70-no-bitmap-and-emoji.conf and 70-no-bitmap-except-emoji.conf
meson: Add missing checkup
Add a missing dependency for CI on FreeBSD
meson: try to figure out libintl dependency
ci: Fix a typo in build script
ci: Add config.log for artifacts
ci: Add missing dependencies
ci: Disable cache update
meson: Fix build fail with NLS enabled on BSD
meson: Add libxml2 support
ci: Add libxml2 build for meson
meson: Workaround an exception
ci: Workaround an error with libxml2 on Android
meson: Add iconv checkup for all platforms
Fix incompatible pointer type on MinGW
meson: Use c_shared_args to take care of --default-library=both on Win32
ci: Fix a typo
ci: disable iconv for MSVC
ci: build with expat on MSVC
doc: Use sans-serif instead of sans
Do not add merge commits into NEWS file
doc: Fix a typo
meson: Enable run-test.sh for non-Win32
test/wrapper-script.sh: don't add a path when executable already has a path name.
meson: Add missing the unit testing with json-c
test-conf: Fix compiler warnings
Fix test case for reproducible builds
ci: Use md5 if md5sum isn't available.
ci: normalize path to avoid miscalculation of cache name
ci: Add Fedora 40 and remove Fedora 38
More information when no writable cache directories
Fix a memory leak in _get_real_paths_from_prefix
Set FcTypeVoid if no valid types to convert
Add FcConfigSetFontSetFilter
Improve hinting detection for fonthashint object
Accept integer for pixelsize
Fix a memory leak in fc-list/fc-query/fc-scan
Add got.orth for Gothic language
Add cop.orth for Coptic language
Add foreign automake option to avoid an error on autotools bootstrap
ci: rebase ci-templates
ci: Add Fedora 41 and drop 39
ci: run check-merge-request on merge request pipelines only
ci: Add FreeBSD 14.1 and drop 13.2
ci: build mingw on f40 only
meson: Add install_tag for install targets
meson: Add docs into dist
meson: Add autotools files into dist
doc: generate fontconfig-devel.html as one big file
ci: Fix a fail on pages deployment
ci: Fix pages deployment again
fc-case: Correct the license header of fccase.h
Use proper postscriptname for named instance if any
Replace hardcoded path in man pages to url link
Allow comma as a delimiter in postscriptname and ignore it on matching
Deal with glob string properly
Another fix of glob string for Win32
ci: Enable meson dist
Fix misleading-indentation warning
Bump the libtool version
Do not prefix cache_base with a "/". Doing so will lead to FcStrBuildFilename()
composing paths that contain double slashes, e.g. in FcDirCacheProcess(). If
FcDirCacheBasenameMD5() returns a cache_base that is prefixed with a "/", the
call to FcStrBuildFilename() in FcDirCacheProcess() will compose a path that
contains double slashes and this double-slashed path will then be passed to
FcDirCacheOpenFile(). This won't cause any harm on Linux because Linux just
ignores multiple slashes in paths but on other operating systems multiple
slashes in paths are not allowed so FcDirCacheOpenFile() will fail on those
platforms because of the double slash in the path.
Fix qsort nullpointer issue
Fix FcSerialize null pointer usage
meson: fix config relocation on Windows
Fix invalid escape character \s
Remove redundant leaf assignment in fcfreetype.c
Move Mac OS image to an up-to-date Mac OS 15 Sequoia image on ARM
Update Windows image to gstreamer image from stable
Allow building Rust targets in CI
[Fontations] Build bindgen targets, basic Rust test
Refactor exclusive language logic into separate file
meson: added default font dirs for android
Unlock on allocation failure in FcCacheInsert
Ensure config is locked during retry in FcConfigReference
Fix wording in README.md
build: detect-and-use `-lm` for `fabs` in fcmatch
fontconfig: mark _FcPatternIter as may_alias
Meson: Fix build with clang-cl by using cc.preprocess()
meson: Add missing dep on generated header
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 22:08:44 +0000 (23:08 +0100)]
traceroute: Update to version 2.1.6
- Update from version 2.1.5 to 2.1.6
- Update of rootfile not required
- Updated version number in name of patch
- Changelog
2.1.6
Let getaddrinfo(3) select the default IPv4 or IPv6 protocol version
when it is not explicitly specified on the command line
(Jan Macku, SF bug #16)
No more mandatory default to IPv4, follow rfc3484 and
the similar ping(1) behaviour. Drop DEF_AF macro.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 22:08:43 +0000 (23:08 +0100)]
tcpdump: Update to version 4.99.5
- Update from version 4.99.4 to 4.99.5
- Update of rootfile not required
- Changelog
4.99.5
Refine protocol decoding for:
Arista: Use the test .pcap file from pull request #955 (HwInfo).
BGP: Fix an undefined behavior when it tries to parse a too-short packet.
CARP: Print the protocol name before any GET_().
CDP: only hex-dump unknown TLVs in verbose mode.
DHCP: parse the SZTP redirect tag.
DHCPv6: client-id/server-id DUID type 2 correction; parse the user class,
boot file URL, and SZTP redirect options; add DUID-UUID printing
(RFC6355).
DNS: Detect and correctly handle too-short URI RRs.
EAP: Assign ndo_protocol in the eap_print() function.
ESP: Don't use EVP_add_cipher_alias() (fixes building on OpenBSD 7.5).
Frame Relay (Multilink): Fix the Timestamp Information Element printing.
ICMPv6: Fix printing the Home Agent Address Discovery Reply Message.
IEEE 802.11: no need for an element ID in the structures for IEs, make
the length in the IE structures a u_int, include the "TA" field while
printing Block Ack Control frame.
IP: Enable TSO (TCP Segmentation Offload) support; fix printing invalid
cases as invalid, not truncated; use ND_ICHECKMSG_ZU() to test the
header length.
IPv6: Fix printing invalid cases as invalid, not truncated; use
ND_ICHECKMSG_U() to print an invalid version.
IPv6: Fix invalid 32-bit versus 64-bit printouts of fragment headers.
ISAKMP: Fix printing Delete payload SPI when size is zero.
Kerberos: Print the protocol name, remove a redundant bounds check.
lwres: Fix an undefined behavior in pointer arithmetic.
OpenFlow 1.0: Fix indentation of PORT_MOD, improve handling of
some lengths, and fix handling of snapend.
TCP: Test ports < 1024 in port order to select the printer.
UDP: Move source port equal BCM_LI_PORT to bottom of long if else chain.
UDP: Test ports < 1024 in port order to select the printer.
LDP: Add missing fields of the Common Session Parameters TLV and fix the
offset for the A&D bits.
NFLOG: Use correct AF code points on all OSes.
NFS: Avoid printing non-ASCII characters.
OSPF: Pad TLVs in LS_OPAQUE_TYPE_RI to multiples of 4 bytes.
OSPF: Update LS-Ack printing not to run off the end of the packet.
OSPF6: Fix an undefined behavior.
pflog: use nd_ types in struct pfloghdr.
PPP: Check if there is some data to hexdump.
PPP: Remove an extra colon before LCP Callback Operation.
Use the buffer stack for de-escaping PPP; fixes CVE-2024-2397;
Note: This problem does not affect any tcpdump release.
PTP: Fix spelling of type SIGNALING, Parse major and minor version
correctly, Print majorSdoId field instead of just the first bit.
RIP: Make a couple trivial protocol updates.
RPKI-Router: Refine length and bounds checks.
RX: Use the "%Y-%m-%d" date format.
smbutil.c: Use the "%Y-%m-%d" date format.
SNMP: Fix two undefined behaviors.
Text protocols: Fix printing truncation if it is not the case.
ZEP: Use the "%Y-%m-%d" date format.
ZMTP: Replace custom code with bittok2str().
User interface:
Print the supported time stamp types (-J) to stdout instead of stderr.
Print the list of data link types (-L) to stdout instead of stderr.
Use symmetrical quotation characters in error messages.
Update --version option to print 32/64-bit build and time_t size.
Improve error messages for invalid interface indexes specified
with -i.
Support "3des" as an alias for "des_ede3_cbc" even if the crypto
library doesn't support adding aliases.
Source code:
tcpdump: Fix a memory leak.
child_cleanup: reap as many child processes as possible.
Ignore failures when setting the default "any" device DLL to LINUX_SLL2.
Fix for backends which don't support capsicum.
Update ND_BYTES_BETWEEN() macro for better accuracy.
Update ND_BYTES_AVAILABLE_AFTER() macro for better accuracy.
Introduce new ND_ICHECK*() macros to deduplicate more code.
Skip privilege dropping when using -Z root on --with-user builds.
Add a nd_printjn() function.
Make nd_trunc_longjmp() not static inline.
Include <time.h> from netdissect.h.
Remove init_crc10_table() and the entourage.
Initialize tzcode early.
Capsicum support: Fix a 'not defined' macro error.
Update the "Error converting time" tests for packet times.
Fix warnings when building for 32-bit and defining _TIME_BITS=64.
Free interface list just before exiting where it wasn't being
freed.
Building and testing:
Add a configure option to help debugging (--enable-instrument-functions).
At build time require a proof of suitable snprintf(3) implementation in
libc (and document Solaris 9 as unsupported because of that).
Makefile.in: Add two "touch .devel" commands in the releasecheck target.
Autoconf: Get --with-user and --with-chroot right.
Autoconf: Fix --static-pcap-only test on Solaris 10.
Autoconf: Add some warning flags for clang 13 or newer.
Autoconf: Update config.{guess,sub}, timestamps 2024-01-01.
Autoconf: Add autogen.sh, remove configure and config.h.in and put
these generated files in the release tarball.
Autoconf: Update the install-sh script to the 2020-11-14.01 version.
configure: Apply autoupdate 2.69.
CMake: improve the comment before project(tcpdump C).
Do not require vsnprintf().
tests: Use the -tttt option, by default, for the tests.
Autoconf, CMake: Get the size of a void * and a time_t.
Fix propagation of cc_werr_cflags() output.
Makefile.in: Fix the depend target.
mkdep: Exit with a non-zero status if a command fails.
Autoconf: use V_INCLS to update the list of include search paths.
Autoconf: don't put anything before -I and -L flags for local libpcap.
Autoconf, CMake: work around an Xcode 15+ issue.
Autoconf, CMake: use pkg-config and Homebrew when looking for
libcrypto.
Fix Sun C invocation from CMake.
mkdep: Use TMPDIR if it is set and not null.
Add initial support for building with TinyCC.
Makefile.in: Use the variable MAKE instead of the make command.
Makefile.in: Add instrumentation configuration in releasecheck target.
Make various improvements to the TESTrun script.
Untangle detection of pcap_findalldevs().
Autoconf: don't use egrep, use $EGREP.
Autoconf: check for gethostbyaddr(), not gethostbyname().
Autoconf, CMake: search for gethostbyaddr() in libnetwork.
Make illumos build warning-free.
Documentation:
Fixed errors in doc/README.Win32.md and renamed it to README.windows.md.
Make various improvements to the man page.
Add initial README file for Haiku.
Make various improvements to CONTRIBUTING.md.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 22:08:42 +0000 (23:08 +0100)]
rpcbind: Update to version 1.2.7
- Update from version 1.2.6 to 1.2.7
- Update of rootfile
- Changelog
1.2.7
rpcinfo: try connecting using abstract address.
rpcinfo doesn't use library calls to set up the address for rpcbind. So
to get to it try the new abstract address, we need to explicitly
teach it how.
Listen on an AF_UNIX abstract address if supported.
As RPC is primarily a network service it is best, on Linux, to use
network namespaces to isolate it. However contacting rpcbind via an
AF_UNIX socket allows escape from the network namespace.
If clients could use an abstract address, that would ensure clients
contact an rpcbind in the same network namespace.
systemd can pass in a listening abstract socket by providing an '@'
prefix. However with libtirpc 1.3.3 or earlier attempting this will
fail as the library mistakenly determines that the socket is not bound.
This generates unsightly error messages.
So it is best not to request the abstract address when it is not likely
to work.
A patch to fix this also proposes adding a define for
_PATH_RPCBINDSOCK_ABSTRACT to the header files. We can check for this
and only include the new ListenStream when that define is present.
autotools/systemd: call rpcbind with -w only on enabled warm starts
If rpcbind is configured with --disable-warmstarts it responds on -w
with its usage string. This is not helpful in a systemd service, so pass
-w conditionally.
rpcbind: fix double free in init_transport
$ rpcbind -h 127.0.0.1
free(): double free detected in tcache 2
Aborted
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 22:08:41 +0000 (23:08 +0100)]
nfs: Update to version number 2.8.2
- Update from version number 2.7.1 to 2.8.2
- Update of rootfile
- Changelog
2.8.2
exports: Fix referrals when --enable-junction=no
Commit 15dc0bea ("exportd: Moved cache upcalls routines into
libexport.a") caused write_fsloc() to be elided when junction support is
disabled. Remove the not needed #ifdef HAVE_JUNCTION_SUPPORT which
blocks the referrals from working when --enable-junction=no is set.
(only the #ifdef HAVE_JUNCTION_SUPPORT should be around actual
junction code).
Fixes: 15dc0bea ("exportd: Moved cache upcalls routines into libexport.a")
Link: https://bugs.debian.org/1035908
Link: https://bugs.debian.org/1083098
nfsidmap(v2): Add guards around [nfsidmap] usages of [sysconf].
sysconf(_SC_GETPW_R_SIZE_MAX) and sysconf(_SC_GETGR_R_SIZE_MAX)
return -1 on musl, which causes either segmentation faults or ENOMEM
errors.
Replace all usages of sysconf with dedicated methods that guard against
a result of -1.
libnsm(v2): fix the safer atomic filenames fix
Commit 9f7a91b51ffc ("libnsm: safer atomic filenames") messed up the length
argument to snprintf() in nsm_make_temp_pathname such that the length is
longer than the computed string. When compiled with "-O
-D_FORTIFY_SOURCE=3", __snprintf_chk will fail and abort statd.
The fix is to correct the original size calculation, then pull one from the
snprintf length for the final "/".
Revert "libnsm: fix the safer atomic filenames fix"
This reverts commit 8fcddae4437510137baf108f477d116ce345ce80.
libnsm: fix the safer atomic filenames fix
Commit 9f7a91b51ffc ("libnsm: safer atomic filenames") messed up the length
argument to snprintf() in nsm_make_temp_pathname such that the length is
longer than the computed string. When compiled with "-O
-D_FORTIFY_SOURCE=3", __snprintf_chk will fail and abort statd.
The fix is to correct the original size calculation, then pull one from the
snprintf length for the final "/".
nfsd: dump default number of threads to 16
nfsdctl defaults to 16 threads. Since the nfs-server.service file first
tries nfsdctl and then falls back to rpc.nfsd, it would probably be wise
to make the default in rpc.nfsd and nfs.conf 16, for the sake of
consistency and to avoid surprises.
autoconf: don't build nfsdcltrack by default
Now that we've started the process to remove legacy v4 client tracking
methods, let's stop building nfsdcltrack by default.
nfs(5): Update rsize/wsize options
The rsize/wsize values are not multiples of 1024 but multiples of the
system's page size or powers of 2 if < system's page size as defined
in fs/nfs/internal.h:nfs_io_size().
nfsdctl: clarify when versions can be set on the man page
Attempting to make version changes while there are nfsd threads running
fails with -EBUSY, so make note of it on the man page.
nfsdctl: fix up the help text in version_usage()
The help text in version_usage() has examples with a 'v' character in
the version string, but the format string in the sscanf() call in
version_func() doesn't contain a 'v' character.
libnsm: safer atomic filenames
We've gotten a report of reboot notifications being sent to domains that
end in '.new', which can happen if the NSM temporary pathname code leaves a
file behind. Let's fix this up by prepending a single '.' to the temp path
which will never be resolvable as a DNS record.
https://lore.kernel.org/linux-nfs/04D30B5A-C53E-4920-ADCB-C77F5577669E@oracle.com/T/#t
nfs-utils: fixup statd testing simulator host arg
The getopt setup for the host arg was not expecting a value, update it as
expected
reexport.h: Include unistd.h to compile with musl
Makefile.am: allow mount.nfs to be writeable by owner
On Red Hat-based systems, the debug symbol files are built with a
.gdb_index section to speed up gdb initialization. The gdb-add-index
program calls objcopy to merge the index file into the object file.
That fails if the object file isn't writeable by the owner.
mount.nfs: retry NFSv3 mount after NFSv4 failure in auto negotiation
The problem happens when a v3 mount fails with ETIMEDOUT after
the v4 mount failed with EPROTONOSUPPORT, in mount auto negotiation.
It immediately breaks from the "for" loop in nfsmount_fg()
or nfsmount_child() due to EPROTONOSUPPORT, never doing the expected
retries until timeout.
2.8.1
nfs-utils: use getpwuid_r() and getpwnam_r() in gssd
gssd uses getpwuid(3) and getpwnam(3) in a pthreads context but
these functions are not thread safe.
nfsdcld: prevent from accessing /var/lib/nfs/nfsdcld in read-only file system during boot
I saw a VMWare guest that hit a rare condition during boot;
nfsdcld started too early to check access on /var/lib/nfs/nfsdcld which were
still in read-only file system as follows:
nfsdcld[...]: Unexpected error when checking access on /var/lib/nfs/nfsdcld: Read-only file system
systemd[1]: nfsdcld.service: Main process exited, code=exited, status=226/NAMESPACE
systemd[1]: nfsdcld.service: Failed with result 'exit-code'.
nfsdcld.service needs to wait for the root file system to be remounted at least.
systemd: use nfsdctl to start and stop the nfs server
Attempt to use nfsdctl to start and stop the nfs-server. If that fails
for any reason, use rpc.nfsd to do it instead.
nfsdctl: asciidoc source for the manpage
Convert to manpage with:
asciidoctor -b manpage nfsdctl.adoc
nfsdctl: add the nfsdctl utility to nfs-utils
This tool is based on Lorenzo's original nfsdctl tool [1]. His original
tool used getopt_long to indicate the command, but that's somewhat
limiting. This converts it to a subcommand-based interface, where each
subcommand can take its own options, in the spirit of commands like
nmcli or virsh.
There are currently 6 different subcommands:
pool-mode get/set current pool mode setting
listener get/set listener info
version get/set supported NFS versions
threads get/set nfsd thread settings
status get current RPC processing info
autostart start server with settings from /etc/nfs.conf
Each can take different options, and we can expand this interface later
with more commands as necessary.
This is based on Lorenzo's original userland tool:
https://github.com/LorenzoBianconi/nfsdctl
rpc.idmapd: nfsopen() failures should not be fatal
dirscancb() loops over all clnt* subdirectories of /run/rpc_pipefs/nfs/.
Some of these directories contain /idmap files, others don't. nfsopen()
returns -1 for the latter; we then want to skip the directory, not abort
the entire scan.
mount.nfs: improve EPROTO error message for RDMA mounts
When mounting NFS shares using RDMA, users may encounter this rather
unclear error message:
mount.nfs: Protocol error
Often there are either no RDMA interfaces existing, or that routing is
being done via other interfaces. This patch enhances the `mount_error`
function to provide a more informative message in such cases.
support/junction/path.c: Fix build for musl
Fixed:
path.c:164:24: error: implicit declaration of function 'strchrnul'; did you mean 'strchr'? [-Wimplicit-function-declaration]
[snip]
path.c:239:27: error: 'NAME_MAX' undeclared (first use in this function); did you mean 'AF_MAX'?
support/include/junction.h: Define macros for musl
Fixed 1:
In file included from cache.c:1217:
../../support/include/junction.h:128:21: error: expected ';' before 'char'
128 | __attribute_malloc__
| ^
| ;
129 | char **nfs_dup_string_array(char **array);
Fixed 2:
junction.c: In function 'junction_set_sticky_bit':
junction.c:164:39: error: 'ALLPERMS' undeclared (first use in this function)
164 | stb.st_mode &= (unsigned int)~ALLPERMS;
nfsdcld: don't send null client ids to the kernel
It's apparently possible for the sqlite database to get corrupted and
cause one or more rows to have null in the id column.
The knfsd fix was posted here:
https://lore.kernel.org/linux-nfs/20240903111446.659884-1-lilingfeng3@huawei.com/
nfsdcld should have a similar fix. If we encounter a client record with
a null id, just skip it instead of sending it to the kernel.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
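The nfsidmap entry in the 2.8.2 changelog above describes sysconf(_SC_GETPW_R_SIZE_MAX) returning -1 on musl. The following is an added example of such a guard, not code from nfs-utils or from this commit; the function names, the 1024-byte fallback and the 1 MiB ceiling are assumptions made for illustration.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define FALLBACK_PW_BUFLEN 1024u   /* assumption: size used when no hint exists */
#define MAX_PW_BUFLEN (1u << 20)   /* assumption: never grow past 1 MiB */

/* sysconf() returns -1 when the limit is indeterminate (the musl case).
 * Cast unguarded to size_t, that -1 becomes a SIZE_MAX allocation request,
 * which is where the ENOMEM errors and crashes come from. */
size_t pw_buflen_from_hint(long hint)
{
    return hint > 0 ? (size_t)hint : FALLBACK_PW_BUFLEN;
}

size_t pw_buflen(void)
{
    return pw_buflen_from_hint(sysconf(_SC_GETPW_R_SIZE_MAX));
}

/* Resolve a user name to a uid with the reentrant lookup.
 * Returns 0 on success, ENOENT if there is no such user,
 * or another errno value on failure. */
int lookup_uid(const char *name, uid_t *uid_out)
{
    size_t len = pw_buflen();

    for (;;) {
        struct passwd pw, *res = NULL;
        char *buf = malloc(len);
        int err;

        if (buf == NULL)
            return ENOMEM;
        err = getpwnam_r(name, &pw, buf, len, &res);
        if (err == 0 && res != NULL)
            *uid_out = pw.pw_uid;   /* copy out before the buffer is freed */
        free(buf);

        if (err == ERANGE && len < MAX_PW_BUFLEN) {
            len *= 2;               /* the hint is only a hint: grow and retry */
            continue;
        }
        if (err != 0)
            return err;
        return res != NULL ? 0 : ENOENT;
    }
}

int main(void)
{
    uid_t uid = 0;
    int err = lookup_uid("root", &uid);

    if (err != 0) {
        fprintf(stderr, "lookup failed: errno %d\n", err);
        return 1;
    }
    printf("root has uid %ld (buffer hint %zu)\n", (long)uid, pw_buflen());
    return 0;
}
```

The same pattern applies to sysconf(_SC_GETGR_R_SIZE_MAX) with getgrnam_r().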
Adolf Belka [Sun, 19 Jan 2025 22:08:40 +0000 (23:08 +0100)]
flac: Update to version 1.4.3
- Update from version 1.4.2 to 1.4.3
- Update of rootfile
- Changelog
1.4.3
As there have been additions to the libFLAC interfaces, the libFLAC version
number is incremented to 13. The libFLAC++ version number stays at 10.
* General
* All PowerPC-specific code has been removed, as it turned out those
improvements didn't actually improve anything
* Large improvements in encoder speed for all presets. The largest
change is for the fastest presets and for 24-bit and 32-bit inputs.
* Small improvement in decoder speed for BMI2-capable CPUs
* Various documentation fixes and cleanups (Mark Grassi, Jake Schmidt)
* Various fixes (Ozkan Sezer, Zhipeng Xue, orbea, Sam James, Harish
Mahendrakar)
* Fix building on Universal Windows Platform (Dmitry Kostjučenko)
* flac
* A lot of small fixes for bugs found by fuzzing
* Various improvements to the --keep-foreign-metadata and
--keep-foreign-metadata-if-present options on decoding
* The output format (WAV/AIFF/RF64 etc.) is now automatically
selected based on what kind of foreign metadata is stored
* Decoded file is checked afterwards, to see whether stored
foreign format data agrees with FLAC audio properties
* AIFF-C sowt data can now be restored
* Add --force-legacy-wave-format option, to decode to WAV with
WAVEFORMATPCM where WAVE_FORMAT_EXTENSIBLE would be more appropriate
* Add --force-aiff-c-none-format and --force-aiff-c-sowt-format to
decode to AIFF-C
* The storage of WAVEFORMATEXTENSIBLE_CHANNEL_MASK is no longer
restricted to known channel orderings
* Throw an error when WAV or AIFF files are over 4GiB in length and
the --ignore-chunk-sizes option is not set
* Warn on testing files when ID3v2 tags are found
* Warn when data trails the audio data of a WAV/AIFF/RF64/W64 file
* Fix output file not being deleted after error on Windows
* Removal of the --sector-align option
* metaflac
* A lot of small fixes for bugs found by fuzzing
* Added options --append and --data-format, which makes it possible to
copy metadata blocks from one FLAC file to another
* Added option --remove-all-tags-except
* Added option --show-all-tags (harridu, Martijn van Beurden)
* libFLAC
* No longer write seektables to Ogg, even when specifically asked for.
Seektables in Ogg are not defined
* Add functions FLAC__metadata_object_set_raw and
FLAC__metadata_object_get_raw to convert between blob and
FLAC__StreamMetadata
* Build system
* Autoconf (configure)
* The option --enable-64-bit-words is now on by default
* CMake
* The option ENABLE_64_BIT_WORDS is now on by default
* Testing/validation
* Fuzzers were added for the flac and metaflac command line tools
* Fuzzer coverage was improved
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 12:54:57 +0000 (13:54 +0100)]
strongswan: Update to version 6.0.0
- Update from version 5.9.14 to 6.0.0
- Update of rootfile
- The stroke plugin, which was deprecated in 2014 is no longer enabled by default.
So it is now enabled explicitly in this patch.
The stroke plugin is recommended to be migrated to using the vici plugin but this
will require a re-write of the ipsec WUI page. Hopefully the removal of the stroke
plugin will also take many years as the time between deprecation and default
disabling.
- Also aes, curve25519, des, fips-prf, gmp, hmac, md5, pkcs12, rc2, sha1 & sha2 are no
longer enabled by default. Most of these don't need to be enabled as they are
supported by the openssl plugin which we have had explicitly enabled for some time.
The openssl plugin is now enabled by default. After some checks to see which plugins
I needed to enable to match the current set of algorithms I ended up only needing
to explicitly enable fips-prf, mgf1 & hmac.
- The ml plugin has also been enabled so that we have the ML_KEM post quantum key
exchange algorithms enabled so they can be made available in the ipsec WUI.
- All existing algorithms are available together with the following new ones.
XOF_MGF1_SHA3_224
XOF_MGF1_SHA3_256
XOF_MGF1_SHA3_384
XOF_MGF1_SHA3_512
ML_KEM_512
ML_KEM_768
ML_KEM_1024
- I also installed the build using 6.0.0 into a vm testbed system and confirmed that my
existing ipsec connection using the default crypto values from the WUI worked without
any problems. So existing connections should all be fine.
- Changelog
6.0.0
New Feature Additions
Support for multiple IKEv2 key exchanges (RFC 9370) has been added
(3a850ae). IKE_INTERMEDIATE exchanges (RFC 9242) are used to transport
additional KE payloads between the IKE_SA_INIT and IKE_AUTH exchanges. To
rekey IKE and Child SAs with multiple key exchanges, IKE_FOLLOWUP_KE
exchanges are used, as defined in RFC 9370.
In proposals, additional key exchange methods are configured via
keX_ prefix, where X is a number between 1 and 7. For example,
ke1_mlkem768 adds ML-KEM-768 as additional KE method (works with any key
exchange method, whether post-quantum or classic). As with regular key
exchanges, peers have to agree on a method for each round unless no
algorithms are defined by both or keX_none is configured to make that
round explicitly optional.
Support for the Module-Lattice-Based Key-Encapsulation Mechanism
(ML-KEM, FIPS 203), a key exchange method that, at present, is believed
to be secure even against adversaries who possess a quantum computer, has
been added via Botan 3.6.0+ (botan plugin), wolfSSL 5.7.4+
(wolfssl plugin), AWS-LC 1.37.0+ (openssl plugin), and the new ml plugin.
The keywords for ML-KEM-512 (128 bits security strength), ML-KEM-768
(192 bits), ML-KEM-1024 (256 bits) are mlkem512, mlkem768 and mlkem1024,
respectively.
AF_VSOCK sockets can be used on Linux to communicate with a daemon that
runs in a VM (e.g. via the vici plugin).
The file logger can optionally log messages as JSON objects (a2fba6d, bea1f11, see the docs for details), and can add timestamps in
microseconds via the new time_precision setting (#2475).
Enhancements and Optimizations
Handling of CHILD_SA rekey collisions has been improved (d2b2e1b). This
makes CHILD_SAs properly trackable via child_rekey() hook and some corner
cases are also handled correctly e.g. if a responder's DELETE for the new
CHILD_SA arrives before its CREATE_CHILD_SA response that creates that SA
in the first place. Also handled properly are responders of rekeyings
that incorrectly send a DELETE for the old CHILD_SA (previously, this
caused both, the new and the old SA, to get deleted).
The behavior when reloading or unloading connections that include start in
their start_action has been improved (#2324, #2418).
If no identity is configured but a certificate is available, the subject
DN is used instead of the IP address (#2353).
The cert-enroll script now supports three generations of CA certificates
(f59ca96).
IKE ports are now considered when matching connections (9228a51, 6928709).
The base address of in-memory IP address pools is now reported as
configured (#2264).
IKE fragment sizes can be configured for each address family explicitly
(84bd011).
The openssl plugin can use the EVP_DigestSqueeze() API for XOFs, which was
introduced with OpenSSL 3.3 (3d0f695).
The kernel-netlink plugin explicitly configures the direction of IPsec SAs
when running on 6.10+ kernels (abdc787).
The Android app was updated for compatibility with Android 14 (740cbb2), a
bug was fixed that affects importing already existing VPN profiles
(9b9cf20).
Fixes
The NetworkManager plugin (charon-nm) now uses a different routing table
than the regular IKE daemon to avoid conflicts if both are running (#2230).
TUN devices can properly handle IPv6 addresses (fccc764) and routes via
them are now correctly installed on FreeBSD (bf165af).
Reassigning a matching online lease is now preferred over an offline lease
by the in-memory IP address pool to avoid conflicts with make-before-break
reauthentication and multiple IKE_SAs per identity (#2472).
To avoid conflicts with other processes when using ephemeral UDP ports,
the socket-default plugin now always opens IPv4 sockets before IPv6
sockets (#2494).
Challenge passwords in PKCS#10 containers are again encoded as
PrintableString if possible to be compatible with older SCEP
implementations (8e88d56).
The vici plugin now uses the same ESP proposals (AEAD before regular) when
configuring default instead of not configuring esp_proposals at all
(8e020bc).
Fixed handling of adopted reqids during IKEv1 rekeying (d02aea9, bug was
introduced in 5.9.12).
A typo in the cert-enroll script prevented successful signalling of a
change of the sub CA certificate (957aae8).
Plugin and Configuration Changes
The legacy stroke plugin is no longer enabled by default and must be
enabled explicitly.
The openssl plugin is now enabled by default, while the following crypto
plugins are no longer enabled by default: aes, curve25519, des, fips-prf,
gmp, hmac, md5, pkcs12, rc2, sha1, sha2.
The following deprecated plugins have been removed: bliss (signature
scheme), newhope (key exchange method), ntru (key exchange method).
charon.make_before_break is now enabled by default, which initiates IKEv2
reauthentication with a make-before-break instead of a break-before-make
scheme. Make-before-break creates overlapping IKE and Child SA during
reauthentication by first recreating all SAs before deleting the old ones.
This behavior can be beneficial to avoid connectivity gaps during
reauthentication (unlike rekeying still not completely without
interruption), but requires support for overlapping SAs by the peer.
strongSwan can handle such overlapping SAs since version 5.3.0.
For Developers
Using the child_rekey() hook now allows tracking CHILD_SAs correctly in
case of rekey collisions. The event is generally only triggered once
after installing the outbound SA for the new/winning CHILD_SA. However,
in some cases the event is triggered twice, but it is now ensured that
listeners can properly transition to the winning SA.
Refer to the documentation of key_exchange_method_t interface to learn how
KEMs can be implemented in plugins.
The format of key exchange test vectors has been changed so they can be
used for KEMs and classic DH methods (4067678).
The NetworkManager frontend's build files have been updated to not rely on
gnome-common. It now also uses gettext directly instead of intltool
(5019e3e).
Performance of running tests in the testing environment has been improved.
Refer to the 6.0.0 milestone for a list of all closed issues and pull requests.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Jan 2025 17:08:38 +0000 (18:08 +0100)]
wpa-supplicant: Update to version 2.11
- Update from version 2.10 to 2.11
- Update of rootfile not required
- Changelog
2.11
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* MACsec
- add support for GCM-AES-256 cipher suite
- remove incorrect EAP Session-Id length constraint
- add hardware offload support for additional drivers
* HE/IEEE 802.11ax/Wi-Fi 6
- support BSS color updates
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* support OpenSSL 3.0 API changes
* improve EAP-TLS support for TLSv1.3
* EAP-SIM/AKA: support IMSI privacy
* improve mitigation against DoS attacks when PMF is used
* improve 4-way handshake operations
- discard unencrypted EAPOL frames in additional cases
- use Secure=1 in message 2 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* improve cross-AKM roaming with driver-based SME/BSS selection
* PASN
- extend support for secure ranging
- allow PASN implementation to be used with external programs for
Wi-Fi Aware
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
- this is based on additional details being added in the IEEE 802.11
standard
- the new implementation is not backwards compatible, but PMKSA
caching with FT-EAP was, and still is, disabled by default
* support a pregenerated MAC (mac_addr=3) as an alternative mechanism
for using per-network random MAC addresses
* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
to improve security for still unfortunately common invalid
configurations that do not set ca_cert
* extend SCS support for QoS Characteristics
* extend MSCS support
* support unsynchronized service discovery (USD)
* add support for explicit SSID protection in 4-way handshake
(a mitigation for CVE-2023-52424; disabled by default for now, can be
enabled with ssid_protection=1)
- in addition, verify SSID after key setup when beacon protection is
used
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* a large number of other fixes, cleanup, and extensions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>