Peter Müller [Mon, 26 May 2025 18:28:00 +0000 (18:28 +0000)]
Core Update 196: Adjust existing IPsec connections using ML-KEM
This causes existing IPsec connections using ML-KEM to always use it in
conjunction with Curve 25519, in line with the changes dfa7cd2bbac3c746569368d70fefaf1ff4e1fed2
implements for newly configured IPsec connections.
Again, we can reasonably assume an IPsec peer supporting ML-KEM also
supports Curve 25519. In case such a peer does not support RFC 9370, and
the IPsec connection was created using our default ciphers, it will fall
back to Curve 448, Curve 25519, or any other traditional algorithm.
This patch will break existing IPsec connections only if they are
exclusively using ML-KEM (which means the IPFire user reconfigured them
manually using the "advanced connection settings" section in the WebUI),
and the IPsec peer is configured in the same manner, and/or is an IPFire
machine not yet updated to Core Update 196. Any other IPFire-to-IPFire
IPsec connection will continue working, potentially falling back to
Curve 448 or 25519 until both peers are updated to Core Update 196,
after which ML-KEM in conjunction with Curve 25519 will be used again.
The second version of this patch modifies IPFire's own configuration
file for IPsec connections, rather than applying these changes directly
to /etc/ipsec.conf, where they would have been overwritten by the next
WebUI change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 26 May 2025 18:27:00 +0000 (18:27 +0000)]
vpnmain.cgi: Use ML-KEM only as a hybrid with Curve 25519
In commit 887778e0888d51eb9942ae310a43f6d2813efad3, the post-quantum
key exchange algorithm ML-KEM was introduced, due to its support being
added in strongSwan 6.0. However, using PQC key exchanges is commonly
recommended only in conjunction with a traditional one, to avoid
encrypted traffic becoming subject to trivial decryption in case a PQC
algorithm proves weak, broken, or backdoored. OpenSSH, for instance,
combines ML-KEM 768 with Curve 25519 (mlkem768x25519-sha256), rather
than using ML-KEM alone.
This patch changes the cipher suites offered for IPsec connections to
always use ML-KEM as a hybrid with Curve 25519. This is possible due to
strongSwan 6.0 having added support for IKE intermediary key exchanges
(RFC 9370); see https://docs.strongswan.org/docs/latest/config/proposals.html#_key_exchange_methods
for additional information.
We can reasonably assume an IPsec peer supporting ML-KEM will also
support Curve 25519, as this has been around for much longer, and is
used quite commonly. Even if this is not the case, or if the IPsec peer
does not implement RFC 9370, any IPsec connection using our default
cipher selection will fall back to Curve 448, Curve 25519, or other,
hence continue working.
IPsec connections already created will need their ciphers to be changed
once during the Core Update routine where this patch will be
incorporated.
Tested-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 27 May 2025 14:25:10 +0000 (16:25 +0200)]
boost: Update to version 1.88.0
- Update from version 1.83.0 to 1.88.0
- Update of rootfiles for all architectures
- Changelogs are very large so urls provided for each release changelog
1.88.0
https://www.boost.org/releases/1.88.0/
1.87.0
https://www.boost.org/releases/1.87.0/
1.86.0
https://www.boost.org/releases/1.86.0/
1.85.0
https://www.boost.org/releases/1.85.0/
1.84.0
https://www.boost.org/releases/1.84.0/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 25 May 2025 11:35:01 +0000 (13:35 +0200)]
index.cgi: Add wireguard status to home screen
- This fix adds a wireguard line to show when it is enabled.
- This fix does not show a table for any net2net connections that are enabled. I have
started working on that but as I only have an OpenVPN n2n connection in place, I can't
test out the copy of the ipsec n2n code section that I have made. I need to get ipsec
and wireguard n2n connections working first.
- If someone else wants to provide a patch for the wireguard n2n connections tables I have
no problems with that. If not then I will submit one when I have been able to test it.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 17 May 2025 12:12:17 +0000 (14:12 +0200)]
manualpages: Fixes bug13849 - adds manual link to wireguard page
Fixes: bug13849 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:53 +0000 (16:36 +0200)]
texinfo: Update to version 7.2
- Update from version 7.1.1 to 7.2
- Update of rootfile
- Changelog
7.2
* Build
. "make install" installs files for texi2any under $datadir/texi2any, not
$datadir/texinfo.
* texinfo.tex
. use @ as the escape character in all index files. this requires
new enough texi2dvi (Texinfo 6.7, 2019) for index files to be
properly processed.
. a bug has been fixed where a mangled PDF outline could be produced for
a document using @unnumberedsec
. you can call @unmacro with an undefined macro name, matching the
behavior of texi2any
* texi2any
. set CHECK_NORMAL_MENU_STRUCTURE by default. this means texi2any
again checks menu structure by default (changed in 6.8 release, 2021).
. only allow @definfoenclose to be used to redefine highlighting commands
. sorting of indices is now independent of the input or output encodings
. new customization variable COLLATION_LANGUAGE to allow linguistic
tailoring of index sorting
. new variable DOCUMENTLANGUAGE_COLLATION to use @documentlanguage for
linguistic tailoring of index sorting
. new variable USE_UNICODE_COLLATION to allow turning off the slower
use of Unicode collation when sorting indices
. rename BODYTEXT customization variable to BODY_ELEMENT_ATTRIBUTES
. rename COMPLEX_FORMAT_IN_TABLE customization variable to
INDENTED_BLOCK_COMMANDS_IN_TABLE
. remove the following variables: AVOID_MENU_REDUNDANCY, FRAMES,
FRAMESET_DOCTYPE, NO_USE_SETFILENAME, SILENT, USE_UP_NODE_FOR_ELEMENT_UP
. remove SIMPLE_MENU variable and tree transformation
. the use of the directories ~/.texinfo and ~/.texi2any for configuration
files is deprecated, and should be replaced by texinfo or texi2any
directories under XDG_CONFIG_HOME (usually ~/.config/). the new
locations are compatible with the XDG Base Directory Specification.
in future versions, the ~/.texinfo and ~/.texi2any directories will
not be in search paths.
. do not try the us-ascii encoding anymore as a locale for translated
document strings.
. some unused translation files have been removed for the
`texinfo_document' domain
. Info output:
. output Info-documentlanguage in Local Variables section of output
file if @documentlanguage is given
. HTML, Texinfo and raw text output:
. an implementation of the conversion in C has been included, which
is much faster than the code in Perl. set the `TEXINFO_XS_CONVERT'
environment variable to 1 to use.
. HTML output:
. CHECK_HTMLXREF set by default for warnings about links to unknown
external manuals
. you can use the MATHJAX_CONFIGURATION customization variable to add
data to the MathJax configuration object
. warn if there is a .inf or .info suffix for cross-reference manual
. use <pre> instead of <div><em> for output of @displaymath
. remove border, cellpadding, cellspacing and align attributes. add
classes and use CSS when needed.
. EPUB output:
. stricter conformance for conformance checkers
* info
. check for init file under XDG_CONFIG_HOME/texinfo/infokey after
checking ~/.infokey, in accordance with the XDG Base Directory
Specification
* Distribution
. automake 1.17, autoconf 2.72, gettext 0.22.5, libtool 2.5.3
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:48 +0000 (16:36 +0200)]
gperf: Update to version 3.3
- Update from version 3.1 to 3.3
- Update of rootfile not required
- Changelog
3.3
* Speedup: gperf is now between 2x and 2.5x faster.
3.2.1
* The generated code avoids -Wundef warnings in C++ mode.
3.2
* The input file may now use Windows line terminators (CR/LF) instead of
Unix line terminators (LF).
Note: This is an incompatible change. If you want to use a keyword that
ends in a CR byte, such as xyz<CR>, write it as "xyz\r".
* The generated code avoids several types of warnings:
- "implicit fallthrough" warnings in 'switch' statements.
- "unused parameter" warnings regarding 'str' or 'len'.
- "missing initializer for field ..." warnings.
- "zero as null pointer constant" warnings.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:47 +0000 (16:36 +0200)]
elfutils: Update to version 0.193
- Update from version 0.192 to 0.193
- Update of rootfile
- Changelog
0.193
debuginfod: Add CORS (webapp access) support to webapi and --cors option.
Add --listen-address option for binding the HTTP listen socket
to a specific IPv4 or IPv6 address.
debuginfod client now caches x-debuginfod-* HTTP headers
alongside downloaded files.
libdw: Add dwarf_language and dwarf_language_lower_bound functions.
Improved support for DWARF6 language metadata as well as DWARF
language constants for Nim, Dylan, Algol68, V and Mojo.
dwarf_srclang is now forward-compatible with DWARF6 language
constants.
libdwfl_stacktrace: Experimental new library interface for unwinding
stack samples into call chains, and tracking and
caching Elf data for multiple processes, building
on libdwfl. Initially supports perf_events stack
sample data.
libelf: elf_scnshndx has been rewritten to be more robust, particularily
for ELF files with more than 64K sections.
readelf: Improved handling of corrupt ELF data.
--section-headers output now includes a "Key to Flags" explaining
section flag meanings.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This package FTBFS on riscv64. A header file with special SIMD functions
has not been shipped with the release tarball. This has been fixed
upstream, but a new tarball has not been released. yet:
Adolf Belka [Fri, 23 May 2025 16:03:44 +0000 (18:03 +0200)]
screen: Update to version 5.0.1
- This v2 version is with the correct tarball, without the binary object files.
- Update from version 5.0.0 to 5.0.1
- Update of rootfile
- 5 CVE fixes included in this version
- Changelog
5.0.1
Security fix
CVE-2025-46805: do NOT send signals with root privileges
CVE-2025-46804: avoid file existence test information leaks
CVE-2025-46803: apply safe PTY default mode of 0620
CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
CVE-2025-23395: reintroduce lf_secreopen() for logfile
buffer overflow due bad strncpy()
uninitialized variables warnings
typos
combining char handling that could lead to a segfault
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:55 +0000 (16:36 +0200)]
whois: Update to version 5.6.1
- Update from version 5.5.23 to 5.6.1
- Update of rootfile not required
- Changelog
5.6.1
* Added the .pg TLD server.
* Updated the .gov, .mu, .中国 (.xn--fiqs8s) and .中國 (.xn--fiqz9s)
TLD servers.
* Removed the .jobs TLD server.
* Added the encodings for whois.afrinic.net and whois.apnic.net.
* Enabled the UTF-8 encoding for whois.ripe.net.
* Use the last ReferralServer returned by the ARIN server instead of
the first, because we want to follow the referral for the most
specific record returned.
* Make sure to avoid trivial referral loops.
5.6.0
* Fixed the mangling of RADB queries with commands.
* Implemented the parsing of more variants of ARIN's ReferralServer
field.
* Implemented following the APNIC pseudo-referrals.
* Added the .ad and .za TLD servers.
* Updated the .ao, .bz, .gi, .gq, .gr, .gw, .lc, .md, .pn, .pr, .uy, .vc,
.info, .mobi, .ελ (.xn--qxam, Greece) and .გე (.xn--node, Georgia) TLD
servers.
* Added 2410::/12.
* Removed 7 new gTLDs which are no longer active.
* Cleaned up the markup of the man pages, courtesy of Bjarni Ingi
Gislason. (Closes: #1036826, #1094208)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:52 +0000 (16:36 +0200)]
meson: Update to version 1.8.0
- Update from version 1.6.0 to 1.8.0
- Update of rootfile
- Changelog
1.8.0
https://mesonbuild.com/Release-notes-for-1-8-0.html
1.7.0
https://mesonbuild.com/Release-notes-for-1-7-0.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:51 +0000 (16:36 +0200)]
man: Update to version 2.13.1
- Update from version 2.13.0 to 2.13.1
- Update of rootfile
- Changelog
2.13.1
Fixes:
* Fix various minor formatting issues in manual pages.
* Tolerate additional spaces in preprocessor strings.
* Fix check for generated source files in out-of-tree builds.
* Fix building with the `musl` C library.
Improvements:
* Recognize another Ukrainian translation of the `NAME` section.
* Increase the maximum size of the `NAME` section from 8192 to 16384 bytes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:50 +0000 (16:36 +0200)]
libconfig: Update to version 1.8
- Update from version 1.7.3 to 1.8
- Update of rootfile
- Changelog
1.8
- Added support for binary integer values
- Miscellaneous code cleanup
1.7.4
- Handle malloc failures by calling a fatal error handler
- New API to provide alternative fatal error handler
- Bugfixes to lookup (by name or path) routines
- Bugfixes to APIs with inconsistent const-ness
- Bugfixes to APIs with inconsistent use of short/unsigned short
- Bugfixes to int/int64 auto-conversion
- Various cleanup/fixes to build files
- Added some unit tests
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:49 +0000 (16:36 +0200)]
less: Update to version 678
- Update from version 668 to 678
- Update of rootfile not required
- Changelog
678
* Treat -r in LESS environment variable as -R.
* Add ESC-j and ESC-k commands (github #560).
* Add --no-paste option (github #523).
* Add --no-edit-warn option (github #513).
* Add --form-feed option (github #496).
* Add ESC-b command (github #615).
* Make TAB complete option name in -- command (github #531).
* Update the file size on an attempt to go past end of file.
* Make -R able to pass through any OSC escape sequences,
not just OSC 8 (github #504).
* Setting LESS_IS_MORE=0 now disables "more" compatibility even
if invoked via a file link named "more" (github #500).
* Pass through escape sequences in prompts even if -R is not set.
* Add LESS_SHELL_LINES to support shell prompts which use more than
one line (github #514).
* Add LESSANSIOSCALLOW to define OSC types which may be passed through.
* Add LESSANSIOSCCHARS to define non-standard OSC intro chars.
* Add LESS_SIGUSR1 to define user signal handler (github #582).
* Add mouse and mouse6 commands to lesskey (github #569).
* Improve behavior of ^O^N and ^O^P commands.
* Leave stty tabs setting unchanged (github #620).
* Fix unexpected behavior when entering a partial command followed by
a valid command (github #543).
* Fix bug when coloring prompt string with SGR sequences (github #516).
* Fix bug when searching for text near an invalid UTF-8 sequence (github #542).
* Fix display bug when file contains ESC followed by NUL (github #550).
* Fix bug when using +:n +:p +:x or +:d on the command line (github #552).
* Fix bug with --no-number-headers when header is not at start of file
(github #566).
* Fix bug where lesstest fails if window is resized (github #570).
* Fix bug using "configure --with-secure=no" (github #584).
* Fix bug using multibyte command chars (github #595).
* Fix auto_wrap setting on Windows (github #497).
* Fix two bugs using ^S search modifier (github #605).
* Fix bug searching for UTF-8 strings with the PCRE2 library (github #610).
* Fix bug highlighting OSC 8 links when opening a new file.
* Fix bug when & filtering is active (github #618).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 May 2025 14:36:46 +0000 (16:36 +0200)]
bc: Update to version 1.08.1
- Update from version 1.07.1 to 1.08.1
- Update of rootfile not required
- Changelog
1.08.1
Fix a formatting botch in doc/bc.1 (which was rendered as blank lines at
the top of the page).
1.08.0
Streamlined the build process; should now be better behaved for those
doing cross-compilation builds.
Made some minor improvements to the documentation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Some blocklist providers does serve blocklists for current events or
with very limited updates. Therefore there is a chance such a blocklist
could be empty for a certain time.
This patch allows to replace an existing filled blocklist by an empty
one and vice versa.
Fixes #13804.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 23 May 2025 15:23:25 +0000 (15:23 +0000)]
dnsdist: Update to 1.9.10
We released PowerDNS DNSdist 1.9.10 today, fixing several bugs including a security issue tracked as CVE-2025-30193 where a remote, unauthenticated attacker can cause a denial of service via a crafted TCP connection. The issue was reported to us via our public IRC channel so once it was clear that the issue had a security impact we prepared to release a new version as soon as possible.
While we advise upgrading to a fixed version, a work-around is to temporarily restrict the number of queries that DNSdist is willing to accept over a single incoming TCP connection, via the setMaxTCPQueriesPerConnection directive. Setting it to 50 is a safe choice that does not impact performance in our tests.
Adolf Belka [Tue, 20 May 2025 10:57:39 +0000 (12:57 +0200)]
http-client-functions.pl: Fixes bug13852
Suggested-by: Adam G <ag@ipfire.org> Fixes: bug13852 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Tested-by: Adam G <ag@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Acked-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 22 May 2025 13:08:31 +0000 (15:08 +0200)]
libarchive: Update to version 3.8.0
- Update from version 3.7.9 to 3.8.0
- Update of rootfile
- Changelog
3.8.0
New features:
bsdtar: support --mtime and --clamp-mtime (#2601)
lib: mbedtls 3.x compatibility (#2602)
7-zip reader: improve self-extracting archive detection (#2088)
xar: xmllite support for the XAR reader and writer (#2388)
zip writer: added XZ, LZMA, ZSTD and BZIP2 support (#2137, #2284, #2391)
zip writer: added LZMA + RISCV BCJ filter (#2403)
Notable security fixes:
rar: do not skip past EOF while reading (#2584)
rar: fix double free with over 4 billion nodes (#2598)
rar: fix heap-buffer-overflow (#2599)
warc: prevent signed integer overflow (#2568)
tar: fix overflow in build_ustar_entry (#2588)
Notable bugfixes:
bsdtar: don't hardlink negative inode files together (#2587)
gz: allow setting the original filename for gzip compressed files (#2544)
lib: improve lseek handling (#2564)
lib: support @-prefixed Unix epoch timestamps as date strings (#2606)
rar: support large headers on 32 bit systems (#2596)
tar reader: Improve LFS support on 32 bit systems (#2582)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 22 May 2025 13:08:30 +0000 (15:08 +0200)]
bind: Update to version 9.20.9
- Update from version 9.20.8 to 9.20.9
- Update of rootfile
- Changelog
9.20.9
Security Fixes
- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm.
``b8c198ac5ca``
DNS messages that included a Transaction Signature (TSIG) containing
an invalid value in the algorithm field caused :iscman:`named` to
crash with an assertion failure. This has been fixed.
:cve:`2025-40775` :gl:`#5300`
Feature Changes
- Use jinja2 templates in system tests. ``8f545784ff0``
`python-jinja2` is now required to run system tests. :gl:`#4938`
:gl:`!10396`
Bug Fixes
- Fix EDNS yaml output. ``8c3b226d89b``
`dig` was producing invalid YAML when displaying some EDNS options.
This has been corrected.
Several other improvements have been made to the display of EDNS
option data: - We now use the correct name for the UPDATE-LEASE
option, which was previously displayed as "UL", and split it into
separate LEASE and LEASE-KEY components in YAML mode. - Human-readable
durations are now displayed as comments in YAML mode so as not to
interfere with machine parsing. - KEY-TAG options are now displayed as
an array of integers in YAML mode. - EDNS COOKIE options are displayed
as separate CLIENT and SERVER components, and cookie STATUS is a
retrievable variable in YAML mode. :gl:`#5014` :gl:`!10414`
- Return DNS COOKIE and NSID with BADVERS. ``34b7323bad6``
This change allows the client to identify the server that returns the
BADVERS and to provide a DNS SERVER COOKIE to be included in the
resend of the request. :gl:`#5235` :gl:`!10392`
- Disable own memory context for libxml2 on macOS. ``51e51d5ea8f``
Apple broke custom memory allocation functions in the system-wide
libxml2 starting with macOS Sequoia 15.4. Usage of the custom memory
allocation functions has been disabled on macOS. :gl:`#5268`
:gl:`!10411`
- `check_private` failed to account for the length byte before the OID.
``2b827380e75``
In PRIVATEOID keys, the key data begins with a length byte followed
by an ASN.1 object identifier that indicates the cryptographic
algorithm to use. Previously, the length byte was not accounted for
when checking the contents of keys and signatures, which could have
led to interoperability problems with any zones signed using
PRIVATEOID. This has been fixed. :gl:`#5270` :gl:`!10376`
- Fix a serve-stale issue with a delegated zone. ``d839d11bf62``
When ``stale-answer-client-timeout 0`` option was enabled, it could be
ignored when resolving a zone which is a delegation of an
authoritative zone belonging to the resolver. This has been fixed.
:gl:`#5275` :gl:`!10420`
- Fix the ksr two-tone test. ``3e2b255b5b7``
The two-tone ksr subtest (test_ksr_twotone) depended on the
dnssec-policy keys algorithm values in named.conf being entered in
numerical order. As the algorithms used in the test can be selected
randomly this does not always happen. Sort the dnssec-policy keys by
algorithm when adding them to the key list from named.conf.
:gl:`#5286` :gl:`!10435`
- Revert NSEC3 closest encloser lookup improvements. ``ac41f158fad``
The performance improvements for NSEC3 closest encloser lookups that
were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
records to be returned in nonexistence proofs and were therefore
reverted again. :gl:`#5292` :gl:`!10443`
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 22 May 2025 13:08:29 +0000 (15:08 +0200)]
apr: Update to version 1.7.6
- Update from version 1.7.5 to 1.7.6
- Update of rootfile
- Changelog
1.7.6
*) test/testsock.c (test_get_addr): Fix test to portably switch
the socket to non-blocking mode using apr_socket_timeout_set().
Also make the test SKIP for the case where the connect() completes
synchronously. [Ivan Zhakov]
*) network_io/win32/sockets.c: (apr_socket_connect): Copy the remote
address by value rather than by reference. This ensures that the
sockaddr object returned by apr_socket_addr_get is allocated from
the same pool as the socket object itself, as apr_socket_accept
does; avoiding any potential lifetime mismatches. [Ivan Zhakov]
*) CMake: Install include/apr_encode.h. [Ivan Zhakov]
*) CMake: Fix installation PDB files with multi-config generators.
[Ivan Zhakov]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 May 2025 09:09:27 +0000 (11:09 +0200)]
man-pages: Update to version 6.14
- Update from version 6.9.1 to 6.14
- Update of rootfile
- -R had to be added in to make command. See changelog Global changes for version 6.11
The -R will be able to be removed after make version 4.5 has been released.
- Changelog
6.14
New and rewritten pages
man2const/
UFFDIO_MOVE.2const
man7/
mctp.7
Newly documented interfaces in existing pages
man2/
fanotify_init.2
FAN_REPORT_FD_ERROR
FAN_REPORT_MNT
fanotify_mark.2
FAN_PRE_ACCESS
FAN_MARK_MNTNS
FAN_MNT_ATTACH, FAN_MNT_DETACH
open_by_handle_at.2
AT_HANDLE_CONNECTABLE
AT_HANDLE_MNT_ID_UNIQUE
man2const/
TIOCLINUX.2const
TIOCL_SELCHAR
TIOCL_SELWORD
TIOCL_SELLINE
TIOCL_SELPOINTER
TIOCL_SELCLEAR
TIOCL_SELMOUSEREPORT
man3/
abs.3
uabs(3)
ulabs(3)
ullabs(3)
uimaxabs(3)
man7/
fanotify.7
FAN_DENY_ERRNO()
FAN_REPORT_FD_ERROR
FAN_PRE_ACCESS
FAN_RESPONSE_INFO_AUDIT_RULE
FAN_REPORT_MNT
FAN_MNT_ATTACH, FAN_MNT_DETACH
FAN_EVENT_INFO_TYPE_MNT
New and changed links
man3/
uabs.3 (abs(3))
ulabs.3 (abs(3))
ullabs.3 (abs(3))
uimaxabs.3 (abs(3))
Global changes
- CREDITS, *
- Move in-source contribution records to a new CREDITS file, and
update copyright notices to be uniform across the project.
- man/
- Use GNU forward declarations of parameters for sizes of array
parameters.
- \fX => \f[X]
- Use 'path' instead of 'pathname' for parameters.
6.13
Newly documented interfaces in existing pages
man7/
landlock.7
Landlock ABI v6
LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
LANDLOCK_SCOPE_SIGNAL
Global changes
- Build system:
- PDF book:
- Add support for UNIX V10 sources.
- Makefiles:
- Don't pass an escaped # to grep(1). Use a trick to work with
both new and old systems. This fixes a regressions in the
build system from man-pages-6.11, which was itself introduced
while fixing a regression introduced in man-pages-6.10.
6.12
Newly documented interfaces in existing pages
man2/
mbind.2
MPOL_PREFERRED_MANY
set_mempolicy.2
MPOL_PREFERRED_MANY
Global changes
- Build system:
- Use ifndef and := instead of ?= (fixes regression introduced in
6.11, which affected at least the version string).
6.11
New and rewritten pages
man7/
pathname.7
Global changes
- Build system:
- [Breaking change!]
Require the user to pass '-R' to make(1). This is necessary to be
able to do the following change. When GNU make(1) releases a new
version, it will not be necessary to pass -R, but in current
versions of make(1) it is necessary.
- [Breaking change!]
Use '?=' assignments instead of ':=', to support setting make(1)
variables in the environment. Now one can do this:
$ export prefix=/usr
$ make -R
$ sudo make install -R
(The -R is only necessary in GNU make(1) versions prior to the
yet-unreleased 4.5.)
- Escape '#' in regexes, to support old versions of GNU make(1).
This fixes a regression in man-pages-6.10, which caused issues in
users with an old-enough version of GNU make(1), such as the one
present in Debian old-old-stable.
- Fix duplicate overview-panel entries in the PDF book.
- CONTRIBUTING.d/:
- Add C coding style guide.
- RELEASE:
- Document the production of the book.
- man/:
- Refresh bpf-helpers(7) from Linux v6.13.
6.10
New and rewritten pages
man1/
diffman-git.1
mansect.1
pdfman.1
sortman.1
man2/
keyctl.2 (split into many pages)
listmount.2
statmount.2
uretprobe.2
man2const/
KEYCTL_ASSUME_AUTHORITY.2const (previously, keyctl.2)
KEYCTL_CHOWN.2const (previously, keyctl.2)
KEYCTL_CLEAR.2const (previously, keyctl.2)
KEYCTL_DESCRIBE.2const (previously, keyctl.2)
KEYCTL_DH_COMPUTE.2const (previously, keyctl.2)
KEYCTL_GET_KEYRING_ID.2const (previously, keyctl.2)
KEYCTL_GET_PERSISTENT.2const (previously, keyctl.2)
KEYCTL_GET_SECURITY.2const (previously, keyctl.2)
KEYCTL_INSTANTIATE.2const (previously, keyctl.2)
KEYCTL_INVALIDATE.2const (previously, keyctl.2)
KEYCTL_JOIN_SESSION_KEYRING.2const (previously, keyctl.2)
KEYCTL_LINK.2const (previously, keyctl.2)
KEYCTL_READ.2const (previously, keyctl.2)
KEYCTL_RESTRICT_KEYRING.2const (previously, keyctl.2)
KEYCTL_REVOKE.2const (previously, keyctl.2)
KEYCTL_SEARCH.2const (previously, keyctl.2)
KEYCTL_SESSION_TO_PARENT.2const (previously, keyctl.2)
KEYCTL_SETPERM.2const (previously, keyctl.2)
KEYCTL_SET_REQKEY_KEYRING.2const (previously, keyctl.2)
KEYCTL_SET_TIMEOUT.2const (previously, keyctl.2)
KEYCTL_UNLINK.2const (previously, keyctl.2)
KEYCTL_UPDATE.2const (previously, keyctl.2)
PR_RISCV_SET_ICACHE_FLUSH_CTX.2const
man3/
__riscv_flush_icache.3
timespec_get.3
wcscasecmp.3 (merged wcsncasecmp.3 with it)
wcsncasecmp.3 (merged into wcsncasecmp.3)
Newly documented interfaces in existing pages
man2/
io_submit.2
RWF_ATOMIC
RWF_NOAPPEND
landlock_add_rule.2
Landlock ABI v4
landlock_create_ruleset.2
Landlock ABI v4
madvise.2
MADV_GUARD_INSTALL
MADV_GUARD_REMOVE
perf_event_open.2
struct perf_event_attr::inherit && cpus=-1
posix_fadvise.2
POSIX_FADV_NOREUSE
prctl.2
PR_RISCV_SET_ICACHE_FLUSH_CTX
process_madvise.2
All flags permitted for calling process
readv.2
RWF_ATOMIC
RWF_NOAPPEND
stat.2
AT_EMPTY_PATH && NULL
statx.2
AT_EMPTY_PATH && NULL
STATX_DIO_READ_ALIGN
STATX_MNT_ID_UNIQUE
STATX_SUBVOL
STATX_WRITE_ATOMIC
man3/
dlinfo.3
RTLD_DI_PHDR
fnmatch.3
FNM_IGNORECASE
man7/
landlock.7
Landlock ABI v4
Landlock ABI v5
rtnetlink.7
struct ifa_cacheinfo
New and changed links
man2/
riscv_flush_icache.2 (__riscv_flush_icache(3))
man2const/
KEYCTL_INSTANTIATE_IOV.2const (KEYCTL_INSTANTIATE(2const))
KEYCTL_NEGATE.2const (KEYCTL_INSTANTIATE(2const))
KEYCTL_REJECT.2const (KEYCTL_INSTANTIATE(2const))
man3/
timespec_getres.3 (timespec_get(3))
wcsncasecmp.3 (wcscasecmp(3))
Global changes
- src/bin/
- Add a few programs that are useful for maintaining manual pages:
diffman-git(1), mansect(1), pdfman(1), sortman(1)
- SPONSORS
- Add file listing the sponsors of this project.
- CONTRIBUTING*
- Expand documentation for contributing to the project. Especially,
regarding help using git(1).
- man/
- Split keyctl.2
- man2/, man3/: SYNOPSIS: Rename function parameters for consistency
and correctness.
- man2/, man3/: SYNOPSIS: Use typeof() to improve readability of
function pointers.
- man1/: SYNOPSIS: Use .SY/.YS for formatting commands.
- share/mk/
- Refactor *FLAGS and LDLIBS variables, as requested by some
distros.
- LICENSES/
- Add GPL-3.0-or-later.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 May 2025 09:09:26 +0000 (11:09 +0200)]
libgcrypt: Update to version 1.11.1
- Update from version 1.11.0 to 1.11.1
- Update of rootfile
- Changelog
1.11.1
* Bug fixes:
- Fix build regression on 32 bit Windows using Clang. [T7175]
- Fix build regression on macOS due to symbol naming. [T7170]
- Fix Kyber secret-dependent branch introduced by recent versions
of Clang. [rCf765778e82]
- Fix build regression due to the use of AVX512 in Blake. [T7184]
- Do not build i386 asm on amd64 and vice versa. [T7220]
- Fix build regression on armhf with gcc-14. [T7226]
- Return the proper error code on malloc failure in hex2buffer.
[rCc51151f5b0]
- Fix long standing bug for PRIME % 2 == 0. [rC639b0fca15]
* Performance:
- Add AES Vector Permute intrinsics implementation for AArch64.
[rC94a63aedbb]
- Add GHASH AArch64/SIMD intrinsics implementation. [rCfec871fd18]
- Add RISC-V vector permute AES. [rCb24ebd6163]
- Add GHASH RISC-V Zbb+Zbc implementation. [rC0f1fec12b0]
- Add ChaCha20 RISC-V vector intrinsics implementation.
[rC8dbee93ac2]
- Add SHA3 acceleration for RISC-V Zbb extension. [rC1a660068ba]
* Other:
- Add CET support for i386 and amd64 assembly. [T7220]
- Add PAC/BTI support for AArch64 asm. [T7220]
- Apply changes to Kyber from upstream for final FIPS 203.
[rCcc95c36e7f]
- Introduce an internal API for a revampled FIPS service indicator.
[T7340]
- Several improvements for constant time operation by the
introduction of Least Leak Intended (LLI) variants of internal
functions. [T7519,T7490]
- Remove WindowsCE support. [T7486]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 May 2025 09:09:25 +0000 (11:09 +0200)]
iperf3: Update to version 3.19
- Update from version 3.16 to 3.19
- Update of rootfile not required
- CVE fix in version 3.18 and another in 3.17. The CVE fix in 3.17 results in a breaking
change. The vulnerable option can be enabled in the build but that doesn't seem to be
a good approach for IPFire. I am not sure that the non backwards compatible changed
padding on encrypted strings would create a problem for us. I suspect this is more
if iperf3 is being used in a continuous measuring mode and in IPFire it is an addon
that is used to measure throughput rates when required.
- Changelog
3.19
Notable user-visible changes
iperf3 now supports the use of Multi-Path TCP (MPTCPv1) on Linux
with the use of the -m or --mptcp flag. (PR #1661)
iperf3 now supports a --cntl-ka option to enable TCP keepalives
on the control connection. (#812, #835, PR #1423)
iperf3 now supports the MSG_TRUNC receive option, specified by
the --skip-rx-copy. This theoretically improves the rated
throughput of tests at high bitrates by not delivering network
payload data to userspace. (#1678, PR #1717)
A bug that caused the bitrate setting to be ignored when bursts
are set, has been fixed. (#1773, #1820, PR #1821, PR #1848)
The congestion control protocol setting, if used, is now
properly reset between tests. (PR #1812)
iperf3 now exits with a non-error 0 exit code if exiting via a
SIGTERM, SIGHUP, or SIGINT. (#1009, PR# 1829)
The current behavior of iperf3 with respect to the -n and -k
options is now documented as correct. (#1768, #1775, #596, PR #1800)
Notable developer-visible changes
iperf3 now supports a callback function to get the JSON output
strings. (#1711, PR #1798)
iperf3 now builds correctly with gcc-15 (#1838, PR #1805)
Various memory leaks were fixed (#1881, PR#1823, #1814, PR#1822)
A potential segfault crash was fixed (#1807)
Improved warning messages when reading malformed JSON messages
(PR #1817)
The Github CI configuration was changed to use a more up-to-date
set of runners (PR #1864)
3.18
Notable user-visible changes
SECURITY NOTE: Thanks to Leonid Krolle Bi.Zone for discovering a
JSON type security vulnerability that caused a
segmentation fault in the
server. (CVE-2024-53580) This has now been
fixed. (PR#1810)
UDP packets per second now reports the correct number of
packets, by reporting NET_SOFTERROR if there's a EAGAIN/EINTR
errno if no data was sent (#1367/PR#1379).
Several segmentation faults related to threading were fixed. One
where pthread_cancel was called on an improperly initialized
thread (#1801), another where threads were being recycled
(#1760/PR#1761), and another where threads were improperly
handling signals (#1750/PR#1752).
A segmentation fault from calling freeaddrinfo with NULL was
fixed (PR#1755).
Some JSON options were fixed, including checking the size for
json_read (PR#1709), but the size limit was removed for
received server output (PR#1779).
A rcv-timeout error has been fixed. The Nread timeout was
hardcoded and timed out before the --rcv-timeout option
(PR#1744).
There is no longer a limit on the omit time period
(#1770/PR#1774).
Fixed an output crash under 32-bit big-endian systems (PR#1713).
An issue was fixed where CPU utilization was unexpectedly high
during limited baud rate tests. The --pacing-timer option was
removed, but it is still available in the library
(#1741/PR#1743).
Add SCTP information to --json output and fixed compile error
when SCTP is not supported (#1731).
--fq-rate was changed from a uint to a uint64 to allow pacing above
32G. Not yet tested on big-endian systems (PR#1728).
Notable developer-visible changes
Clang compilation failure on Android were fixed (PR#1687).
iperf_time_add() was optimizated to improve performance
(PR#1742).
Debug messages were added when the state changes (PR#1734).
To increase performance, the old UDP prot_listener is cleared
and removed after each test (PR#1708).
A file descriptor leak was closed (PR#1619).
3.17.1
Notable user-visible changes
Version number has been corrected. (#1699)
Notable developer-visible changes
No longer signing tags
3.17
Notable user-visible changes
BREAKING CHANGE: iperf3's authentication features, when used with
OpenSSL prior to 3.2.0, contain a vulnerability to a side-channel
timing attack. To address this flaw, a change has been made to the
padding applied to encrypted strings. This change is not backwards
compatible with older versions of iperf3 (before 3.17). To restore
the older (vulnerable) behavior, and hence
backwards-compatibility, use the --use-pkcs1-padding flag. The
iperf3 team thanks Hubert Kario from RedHat for reporting this
issue and providing feedback on the fix. (CVE-2024-26306)(PR#1695)
iperf3 no longer changes its current working directory in --daemon
mode. This results in more predictable behavior with relative
paths, in particular finding key and credential files for
authentication. (PR#1672)
A new --json-stream option has been added to enable a streaming
output format, consisting of a series of JSON objects (for the
start of the test, each measurement interval, and the end of the
test) separated by newlines (#444, #923, #1098).
UDP tests now work correctly between different endian hosts
(#1415).
The --fq-rate parameter now works for --reverse tests (#1632, PR#1667).
The statistics reporting interval is now available in the --json
start test object (#1663).
A negative time test duration is now properly flagged as an error
(IS#1662 / PR#1666).
Notable developer-visible changes
Fixes have been made to better (unofficially) support builds on
Android (#1641 / #1651) and VxWorks (#1595).
iperf3 now builds correctly on architectures without native
support for 64-bit atomic types, by linking with the libatomic
library (#1611).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 19 May 2025 15:46:11 +0000 (17:46 +0200)]
dhcpcd: Update to version 10.2.3
- Update from version 10.2.2 to 10.2.3
- Update of rootfile not required
- Changelog
10.2.3
Restore logic on when to open an address specific socket by @dougnazar in #502
[Fix] DHCP Failure on WAN Interface Rename (Fixes #504) by @ngxquanganh in #505
BSD: routes via P2P interfaces now find their out-going interface
-b --background fixed
resolv: Fix processing more DNSSL options than RDNSS]
dhcpcd: Remove option rapid_commit from dhcpcd.conf
privsep: Fix valgrind and hardened-malloc on Linux with SECCOMP
route: Don't spam route changes for lifetime
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 19 May 2025 10:37:32 +0000 (12:37 +0200)]
fr.pl: Fixes bug 12060 - remove extraneous spaces at end of lines
- All lines where there was a space at the end of the french translation, and the
other language files did not have a space for that line, had the space removed.
- ./make.sh lang was run but nothing else was created by that.
Fixes: bug12060 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 16 May 2025 11:20:46 +0000 (13:20 +0200)]
include: Add wireguard directory to the backup include file
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 17 May 2025 11:42:50 +0000 (13:42 +0200)]
m4: Update to version 1.4.20
- Update from version 1.4.19 to 1.4.20
- Update of rootfile
- Changelog
1.4.20
** Fix a bug in the `eval' builtin where it does not suppress warnings
about division by zero that occurs within a more complex expression on
the right hand side of || or && (present since short-circuiting was
introduced in 1.4.8b).
** The `syscmd' and `esyscmd' builtins no longer mishandle a command line
starting with `-' or `+' (present since "the beginning").
** Fix regression introduced in 1.4.19 where trace output (such as with
`debugmode(t)') could read invalid memory when tracing a series of
pushed macros that are popped during argument collection.
** Fix regression introduced in 1.4.19 where the `format' builtin
inadvertently took on locale-dependent parsing and output of floating
point numbers as a side-effect of introducing message translations.
While it would be nice for m4 to be fully locale-aware, such a behavior
change belongs in a major version release such as 1.6, and not a minor
release.
** Fix regression introduced in 1.4.11 where the experimental `changeword'
builtin could cause a crash if given a regex that does not match all
one-byte prefixes of valid longer matches. As a reminder, `changeword'
is not recommended for production use, and will likely not be present
in the next major version release.
** On non-Unix platforms where binary files differ from text, loading a
frozen file (which should be cross-platform compatible) now correctly
uses binary mode.
** Several documentation improvements to the manual.
** Update to comply with newer C standards, and inherit portability
improvements from gnulib.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 17 May 2025 11:42:06 +0000 (13:42 +0200)]
harfbuzz: Update to version 11.2.1
- Update from version 11.2.0 to 11.2.1
- Update of rootfile
- Changelog
11.2.1
- Various build improvements.
- Fix build with HB_NO_DRAW and HB_NO_PAINT
- Add an optional “harfruzz” shaper that uses HarfRuzz; an ongoing Rust port of
HarfBuzz shaping. This shaper is mainly used for testing the output of the
Rust implementation.
- Fox regression that caused applying unsafe_to_break() to the whole buffer to
be ignored.
- Update USE data files.
- Fix getting advances of out-of-rage glyph indices in DirectWrite font
functions.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 17 May 2025 11:41:41 +0000 (13:41 +0200)]
fmt: Update to version 11.2.0
- Update from version 11.1.3 to 11.2.0
- Update of rootfile
- Changelog
11.2.0
Added the s specifier for std::error_code. It allows formatting an error
message as a string. For example:
#include <fmt/std.h>
int main() {
auto ec = std::make_error_code(std::errc::no_such_file_or_directory);
fmt::print("{:s}\n", ec);
}
prints
No such file or directory
(The actual message is platform-specific.)
Fixed formatting of std::chrono::local_time and tm (#3815, #4350). For example
(godbolt):
#include <fmt/chrono.h>
int main() {
std::chrono::zoned_time zt(
std::chrono::current_zone(),
std::chrono::system_clock::now());
fmt::print("{}", zt.get_local_time());
}
is now formatted consistenly across platforms.
Added diagnostics for cases when timezone information is not available. For
example:
fmt::print("{:Z}", std::chrono::local_seconds());
now gives a compile-time error.
Deprecated fmt::localtime in favor of std::localtime.
Fixed compilation with GCC 15 and C++20 modules enabled (#4347). Thanks @tkhyn.
Fixed handling of named arguments in format specs (#4360, #4361). Thanks
@dinomight.
Added error reporting for duplicate named arguments (#4367). Thanks @dinomight.
Fixed formatting of long with FMT_BUILTIN_TYPES=0 (#4375, #4394).
Optimized text_style using bit packing (#4363). Thanks @LocalSpook.
Added support for incomplete types (#3180, #4383). Thanks @LocalSpook.
Fixed a flush issue in fmt::print when using libstdc++ (#4398).
Fixed fmt::println usage with FMT_ENFORCE_COMPILE_STRING and legacy
compile-time checks (#4407). Thanks @madmaxoft.
Removed legacy header fmt/core.h from docs (#4421, #4422). Thanks
@krzysztofkortas.
Worked around limitations of __builtin_strlen during constant evaluation
(#4423, #4429). Thanks @brevzin.
Worked around a bug in MSVC v141 (#4412, #4413). Thanks @hirohira9119.
Removed the fmt_detail namespace (#4324).
Removed specializations of std::is_floating_point in tests (#4417).
Fixed a CMake error when setting CMAKE_MODULE_PATH in the pedantic mode
(#4426). Thanks @rlalik.
Updated the Bazel config (#4400). Thanks @Vertexwahn.
11.1.4
Fixed ABI compatibility with earlier 11.x versions on Windows (#4359).
Improved the logic of switching between fixed and exponential format for float (#3649).
Moved is_compiled_string to the public API (#4342). Thanks @SwooshyCueb.
Simplified implementation of operator""_cf (#4349). Thanks @LocalSpook.
Fixed __builtin_strlen detection (#4329). Thanks @LocalSpook.
Fixed handling of BMI paths with the Ninja generator (#4344). Thanks @tkhyn.
Fixed gcc 8.3 compile errors (#4331, #4336). Thanks @sergiud.
Fixed a bogus MSVC warning (#4356). Thanks @dinomight.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 17 May 2025 11:41:19 +0000 (13:41 +0200)]
exfatprogs: Update to version 1.2.9
- Update from version 1.2.5 to 1.2.9
- Update of rootfile not required
- Changelog
1.2.9
NEW FEATURES :
* dump.exfat: support dumping directory entry sets,
which prints all fields of directory entries and
cluster chains. See a man page.
CHANGES :
* exfatprogs: update the Github action for build test
with Debain + clang + lld.
1.2.8
BUG FIXES :
* dump.exfat: fix an incorrect output of an entry
position in 32-bit system.
* mkfs.exfat: fill an oem sector with zero instead
of one.
* exfatprogs: fix compilation on musl based systems
due to loff_t type. And update the Github action
to validate builds on the system.
1.2.7
NEW FEATURES :
* fsck.exfat: support repairing the upcase table.
CHANGES :
* exfatprogs: make sure to load the tbl preprocessor
for man pages.
BUG FIXES :
* exfatprogs: fix a double free memory error.
* dump.exfat: fix a constraint that volume label, bitmap,
upcase table must be located at the beginning of a root
directory.
1.2.6
CHANGES :
* exfatprogs: replace obsolete autoconf and libtool
macros.
* mkfs.exfat: prefer the physical block size over
the logical block size for the exFAT sector size.
* mkfs.exfat: add notes about the format of the volume
GUID to the man page.
* mkfs.exfat: fix an incorrect calculation of the number
of used clusters.
BUG FIXES :
* exfatlabel: fix an user input error when setting
a volume serial or label.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 15 May 2025 20:51:38 +0000 (22:51 +0200)]
hwdata: Update to version 0.395
- Update from version 0.394 to 0.395
- Update of rootfile not required
- Removal of the old hwdata directory as no longer required with the source tarball
approach implemented from CU191 onwards.
- Changelog
0.395
Update usb and vendor ids
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 15 May 2025 16:25:25 +0000 (18:25 +0200)]
screen: Update to version 5.0.1
- Update from version 5.0.0 to 5.0.1
- Update of rootfile
- 5 CVE fixes included in this version
- Changelog
5.0.1
Security fix
CVE-2025-46805: do NOT send signals with root privileges
CVE-2025-46804: avoid file existence test information leaks
CVE-2025-46803: apply safe PTY default mode of 0620
CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
CVE-2025-23395: reintroduce lf_secreopen() for logfile
buffer overflow due bad strncpy()
uninitialized variables warnings
typos
combining char handling that could lead to a segfault
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 15 May 2025 16:03:00 +0000 (16:03 +0000)]
Tor: Update to 0.4.8.16
Full changelog since version 0.4.8.13:
Changes in version 0.4.8.16 - 2025-03-24
This is quick second release since 0.4.8.15 due to a typo in a directory
authority rule file. This only affects directory authorities. Regardless,
upgrading to latest stable is always desired.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/03/24.
o Minor bugfix (dirauth):
- Fix typo in flag assignment approved-routers file. Fixes bug
41035; bugfix on 0.4.8.15
Changes in version 0.4.8.15 - 2025-03-20
This is a minor release fixing a sandbox issue for bandwidth authority and a
conflux issue on the control port. It also has a client fix about relay flag
usage. We strongly recommend to update as soon as possible as usual.
o Minor feature (testing, CI):
- Use a fixed version of chutney (be881a1e) instead of its current
HEAD. This version should also be preferred when testing locally.
o Minor features (continuous integration):
- Upgrade CI runners to use Debian Bookworm instead of Bullseye.
Closes ticket 41029.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on March 20, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/03/20.
o Minor bugfixes (control port):
- Correctly report conflux pair information to controller fields
Fixes bug 40872; bugfix on 0.4.8.1-alpha
o Minor bugfixes (relay flag usage):
- Fix client usage of the MiddleOnly flag so that MiddleOnly relays
are not used as HS IP or RP by clients or services. Additionally,
give dirauths the ability to remove specific flags, as an
alternative to MiddleOnly. Fixes bug 41023; bugfix on 0.4.7.2-alpha
o Minor bugfixes (sandbox, bwauth):
- Fix sandbox to work for bandwidth authority. Fixes bug 40933;
bugfix on 0.2.2.1-alpha
Changes in version 0.4.8.14 - 2025-02-05
Minor release fixing a major bug affecting onion service directory cache,
also known as HSDir. Furthermore, the fallbackdir list had more than 25% of
its entries unreachable or gone from the consensus. As usual, we strongly
recommend to update to this version as soon as possible.
o Major bugfixes (onion service directory cache):
- When the OOM killer kicks in, cleanup the descriptor cache of an
HSDir by looking at the lowest downloaded count instead of time in
cache. Fixes bug 40996; bugfix on 0.3.5.1-alpha.
o Minor feature (testing):
- test-network now unconditionally includes IPv6 instead of trying
to detect IPv6 support.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on February 05, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/02/05.
o Minor bugfixes (memory):
- Fix a pointer free that wasn't set to NULL afterwards which could
be reused by calling back in the free all function. Fixes bug
40989; bugfix on 0.4.8.13.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 15 May 2025 11:49:20 +0000 (13:49 +0200)]
graphs.pl: Update of rrd file names from the collectd-5 update
- Some additional rrd file name changes missed from collect-5 update.
- This was identified as part of fixing bug13834
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 15 May 2025 11:49:19 +0000 (13:49 +0200)]
red: Fixes rrd file name updates from collectd-5 update
- Some additional rrd file name changes missed from collect-5 update.
- This was identified as part of fixing bug13834
- Couldn't test this as I don't have a ppp0 connection available but the chnage is inline
with the other rrd changes which have been tested as working.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 15 May 2025 11:49:18 +0000 (13:49 +0200)]
netovpnsrv.cgi: Fixes rrd file names for n2n openvpn graphs
- An additional rrd file name change missed from collect-5 update.
- This was identified as part of fixing bug13834
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 15 May 2025 11:49:17 +0000 (13:49 +0200)]
netexternal.cgi: Fixed bug13834 - tun0 graph missing in external net traffic
- Some additional rrd directory and file name changes missed from collect-5 update.
Fixes: bug13834 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 14 May 2025 13:15:13 +0000 (15:15 +0200)]
libloc: Addition of patch to deal with gettext update to 0.25
Suggested-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 14 May 2025 13:15:12 +0000 (15:15 +0200)]
ddns: Addition of patch to deal with gettext update to 0.25
Suggested-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 14 May 2025 13:15:11 +0000 (15:15 +0200)]
fireperf: Addition of patch to deal with gettext update to 0.25
Suggested-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 14 May 2025 13:15:10 +0000 (15:15 +0200)]
gettext: Update to version 0.25
- Update from version 0.24 to 0.25
- Update of rootfile
- This is part of a patch set as the gettext update required some patches to other
packages to get them to build
- Changelog
0.25
# Programming languages support:
* Go:
- xgettext now supports Go.
- 'msgfmt -c' now verifies the syntax of translations of Go format
strings.
- New examples 'hello-go' and 'hello-go-http' have been added.
* TypeScript:
- xgettext now supports TypeScript and TSX (= TypeScript with JSX
extensions).
* D:
- A new library libintl_d.a contains the runtime for using GNU gettext
message catalogs in the D programming language.
- xgettext now supports D.
- 'msgfmt -c' now verifies the syntax of translations of D format
strings.
- A new example 'hello-d' has been added.
* Modula-2:
- A new library libintl_m2.so contains the runtime for using GNU gettext
message catalogs in the Modula-2 programming language.
- xgettext now supports Modula-2.
- 'msgfmt -c' now verifies the syntax of translations of Modula-2 format
strings.
- A new example 'hello-modula2' has been added.
# Improvements for maintainers:
* xgettext has a new option '--generated' that customizes the way the
'POT-Creation-Date' in the POT file is computed.
0.24.1
* Bug fixes:
- Fix bad interactions between autoreconf and autopoint.
- xgettext: Creating the POT file of a package under Git version control
is now faster. Also, the use of Git can be turned off by specifying
the option '--no-git'.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
