Adolf Belka [Fri, 4 Jul 2025 10:14:16 +0000 (12:14 +0200)]
btrfs-progs: Update to version 6.15
- Update from version 6.14 to 6.15
- Update of rootfile not required
- Changelog
6.15
* mkfs: new option --inode-flags to specify flags/attributes for
inodes/directories/subvolumes
* check:
* fix false alert on missing checksum for hole
* in lowmem mode, fix false alerts when checking refs
* convert: check feature compatibility when enabling block-group-tree
* tune convert-bgt: fix resume of conversion
* rescue: add new command fix-data-checksum, selectively fix or find
mismatching checksums
* other:
* new and updated tests
* documentation updates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 10 Jul 2025 07:44:28 +0000 (09:44 +0200)]
cifs-utils: Update to version 7.4
- Update from version 7.3 to 7.4
- Update of rootfile
- According to Linux From Scratch cifs-utils-7.4 requires the autoreconf to work with
gcc-15. Certainly without it the build failed.
- Changelog
7.4
mount.cifs: retry mount on -EINPROGRESS
cifs.upcall: correctly treat UPTARGET_UNSPECIFIED as UPTARGET_APP
cifs.upcall: fix memory leaks in check_service_ticket_exits()
getcifsacl, setcifsacl: use <libgen.h> for basename
cifscreds: use <libgen.h> for basename
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 10 Jul 2025 07:44:29 +0000 (09:44 +0200)]
libtalloc: Update to version 2.4.3
- Update from version 2.4.2 to 2.4.3
- Update of rootfile
- The last changelog recorded in the source tarball is from 2007. The only place I
have found anything is by filtering the samba gitlab mirror to show the commits
related to talloc.
https://gitlab.com/samba-team/samba/-/commits/talloc-2.4.3?ref_type=tags
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 9 Jul 2025 12:09:49 +0000 (14:09 +0200)]
json-glib: Move to be built after glib has been built
- Shifted to build after glib is built and removed the dist entry that is used for
addons.
- Checked the glib library and the libgio entries are uncommented so that should be okay
- Checked build and this package then built with no problems but in the addon package
build section libtpms failed to build as it was missing the dist entry. Also the same
with swtpm so this is a patch set with the changes to those two packages as well.
- Full build tested out and confirmed working on x86_64 with this patch set applied.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 9 Jul 2025 08:11:46 +0000 (10:11 +0200)]
libhtp: Update to version 0.5.51
- Update from version 0.5.50 to 0.5.51
- Update of rootfile not required
- suricata-7.0.11 requires libhtp-0.5.51
- Changelog
0.5.51
- decompressors: fix leak in lzma error case
- request: do not fully error on data after HTTP/0.9
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 9 Jul 2025 08:11:45 +0000 (10:11 +0200)]
suricata: Update to version 7.0.11
- Update from version 7.0.10 to 7.0.11
- Update of rootfile not required
- Changelog
7.0.11
Security #7766: libhtp-c: memory leak with lzma (HIGH - CVE-2025-53537)
Security #7659: http2: global tx (stream id 0) may open file and never close it
(7.0.x backport) (HIGH - CVE-2025-53538)
Bug #7779: mpm/ac: error "Just ran out of space in the queue" (7.0.x backport)
Bug #7748: byte_extract: issue with saved 'name' in distance keyword
(7.0.x backport)
Bug #7736: brotli: old crate version has integer underflow (7.0.x backport)
Bug #7731: dcerpc: uint16 overflow (rust debug assertion) (7.0.x backport)
Bug #7716: snmp: probing parser returns ALPROTO_FAILED instead of
ALPROTO_UNKNOWN if slice.len() < 4 (7.0.x backport)
Bug #7690: datasets: set type IP can't set IPv4 (7.0.x backport)
Bug #7688: flow: non-TCP protocol timeout handling leads to missing flows
(7.0.x backport)
Bug #7682: flow: race condition at shutdown leads to duplicate flows
(7.0.x backport)
Bug #7670: http: lack of setting updated_ts leads to detection delay
(7.0.x backport)
Bug #7663: ips: deconflict pass flow and drop packet rules (7.0.x backport)
Bug #7661: pcap: continuous file reading fails on an empty directory
(7.0.x backport)
Bug #7652: rust: warnings with rustc 1.86
Bug #7610: http: reachable assertion when memcap reached during rule reload
Bug #7375: dpdk: iface-copy should not be mandatory (7.0.x backport)
Bug #7293: CI: clang-format does not work for main-7.0.x branch (7.0.x backport)
Optimization #7781: mpm/ac-ks: reduce stack usage (7.0.x backport)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 16:33:00 +0000 (18:33 +0200)]
libtasn1: Update to version 4.20.0 & move before gnutls
- Update from version 4.19.0 to 4.20.0
- Update of rootfile
- Move earlier in make.sh so that the library can be used by gnutls in place of the
gnutls bundled version.
- Fix for a CVE
- Changelog
4.20.0
- The release tarball is now reproducible.
- We publish a minimal source-only tarball generated by 'git archive'.
- Update gnulib files and various build/maintenance fixes.
- Fix CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or
SET OF elements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 16:32:59 +0000 (18:32 +0200)]
gnutls: Update to version 3.8.9
- Update from version 3.8.8 to 3.8.9
- Update of rootfile
- I found that gnutls was using its own bundled versions of libtasn1 and libunistring
and that there had been some CVEs with libtasn1 which were then fixed later in the
gnutls bundled version together with some fixes in the gnutls code. So this patch,
as well as updating the version, has also removed the options to use the included
versions of the libtasn1 and libunistring libraries. libtasn1 was already in IPFire
and just needed to be moved to before gnutls. libunistring had to be added in.
- The disable-guile option was removed as the guile bindings were removed in
gnutls-3.8.0 and the option is no longer recognised.
- Changelog
3.8.9
** libgnutls: leancrypto was added as an interim option for PQC
The library can now be built with leancrypto instead of liboqs for
post-quantum cryptography (PQC), when configured with
--with-leancrypto option instead of --with-liboqs.
** libgnutls: Experimental support for ML-DSA signature algorithm
The library and certtool now support ML-DSA signature algorithm as
defined in FIPS 204 and based on
draft-ietf-lamps-dilithium-certificates-04. This feature is
currently marked as experimental and can only be enabled when
compiled with --with-leancrypto or --with-liboqs.
Contributed by David Dudas.
** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
The support for ML-KEM post-quantum key encapsulation mechanisms
has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
draft-kwiatkowski-tls-ecdhe-mlkem-03.
** libgnutls: Fix potential DoS in handling certificates with numerous name
constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
bundled copy of libtasn1 has also been updated to the latest 4.20.0
release to complete the fix. Reported by Bing Shi (#1553).
[GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]
** API and ABI modifications:
GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t
GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:46 +0000 (12:14 +0200)]
util-linux: Update to version 2.41.1
- Update from version 2.41 to 2.41.1
- Update of rootfile not required
- Changelog
2.41.1
autotools:
- don't use wide-character ncurses if --disable-widechar (by Karel Zak)
cfdisk:
- fix memory leak and possible NULL dereference [gcc-analyzer] (by Karel Zak)
column:
- fix compiler warning for non-widechar compilation (by Karel Zak)
fdformat:
- use size_t and ssize_t (by Karel Zak)
fdisk:
- fix possible memory leak (by Karel Zak)
fdisk,partx:
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
findmnt:
- fix -k option parsing regression (by Karel Zak)
hardlink:
- define more function as inline (by Karel Zak)
- fix performance regression (inefficient signal evaluation) (by Karel Zak)
- Use macro for verbose output (by Karel Zak)
include/cctype:
- fix string comparison (by Karel Zak)
include/mount-api-utils:
- include linux/unistd.h (by Thomas Weißschuh)
libblkid:
- Fix crash while parsing config with libeconf (by Stanislav Brabec)
- befs fix underflow (by Milan Broz)
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
libblkid/src/topology/dm:
- fix fscanf return value check to match expected number of parsed items
(by Mingjie Shen)
libfdisk:
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
libmount:
- (subdir) restrict for real mounts only (by Karel Zak)
- (subdir) remove unused code (by Karel Zak)
- avoid calling memset() unnecessarily (by Karel Zak)
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
- fix --no-canonicalize regression (by Karel Zak)
libuuid:
- fix uuid_time on macOS without attribute((alias)) (by Eugene Gershnik)
lsblk:
- use ID_PART_ENTRY_SCHEME as fallback for PTTYPE (by Karel Zak)
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
lscpu:
- fix possible buffer overflow in cpuinfo parser (by Karel Zak)
- Fix loongarch op-mode output with recent kernel (by Xi Ruoyao)
lsfd:
- (bug fix) scan the protocol field of /proc/net/packet as a hex number
(by Masatake YAMATO)
- fix the description for PACKET.PROTOCOL column (by Masatake YAMATO)
lsns:
- enhance compilation without USE_NS_GET_API (by Karel Zak)
- fix undefined reference to add_namespace_for_nsfd #3483 (by Thomas
Devoogdt)
meson:
- add feature for translated documentation (by Thomas Weißschuh)
- remove tinfo dependency from 'more' (by Thomas Weißschuh)
- fix manadocs for libsmartcols and libblkid (by Karel Zak)
- fix po-man installation (by Karel Zak)
misc:
- never include wchar.h (by Karel Zak)
more:
- fix broken ':!command' command key (by cgoesche)
- fix implicit previous shell_line execution #3508 (by cgoesche)
mount:
- (man) add missing word (by Jakub Wilk)
namespace.h:
- fix compilation on Linux < 4.10 (by Thomas Devoogdt)
po:
- update uk.po (from translationproject.org) (by Yuri Chornoivan)
- update sr.po (from translationproject.org) (by Мирослав Николић)
- update ro.po (from translationproject.org) (by Remus-Gabriel Chelu)
- update pt.po (from translationproject.org) (by Pedro Albuquerque)
- update pl.po (from translationproject.org) (by Jakub Bogusz)
- update nl.po (from translationproject.org) (by Benno Schulenberg)
- update ja.po (from translationproject.org) (by YOSHIDA Hideki)
- update hr.po (from translationproject.org) (by Božidar Putanec)
- update fr.po (from translationproject.org) (by Frédéric Marchal)
- update es.po (from translationproject.org) (by Antonio Ceballos Roa)
- update de.po (from translationproject.org) (by Mario Blättermann)
- update cs.po (from translationproject.org) (by Petr Písař)
po-man:
- merge changes (by Karel Zak)
- update sr.po (from translationproject.org) (by Мирослав Николић)
- update de.po (from translationproject.org) (by Mario Blättermann)
tests:
- (test_mkfds::mapped-packet-socket) add a new parameter, protocol (by
Masatake YAMATO)
treewide:
- add ul_ to parse_timestamp() function name (by Karel Zak)
- add ul_ to parse_switch() function name (by Stanislav Brabec)
- add ul_ to parse_size() function name (by Karel Zak)
- add ul_ to parse_range() function name (by Karel Zak)
- fix optional arguments usage (by Karel Zak)
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
Wipefs:
- improve --all descriptions for whole-disks (by Karel Zak)
Misc:
- Do not call exit() on code ending in shared libraries (by Cristian
Rodríguez)
- remove two leftover license lines from colors.{c,h} (by Benno Schulenberg)
- remove "Copyright (C) ...." notes from files that claim no copyright
(by Benno Schulenberg)
- correct the full name of the GPL in various files (by Benno Schulenberg)
- Make scols_column_set_data_func docs visible (by FeRD (Frank Dana))
- Do not use strerror on shared libraries (by Cristian Rodríguez)
- Fix typo in blkdiscard docs (by pls-no-hack)
- lib/fileeq.c Fix a typo in message. (by Masanari Iida)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:45 +0000 (12:14 +0200)]
taglib: Update to version 2.1.1
- Update from version 2.0.2 to 2.1.1
- Update of rootfile
- Changelog
2.1.1
* Map ID3v2.3 IPLS frames to both ID3v2.4 TIPL and TMCL to have a consistent
behavior when using MusicBrainz tags with the property map interface.
* Fix missing include for `wchar_t` when using C bindings with MinGW.
2.1
* Support for Shorten (SHN) files.
* Compile time configuration of supported formats: WITH_APE, WITH_ASF, ...
* Compile time configuration of data and temporary directories for unit tests:
TESTS_DIR and TESTS_TMPDIR.
* C bindings: Added taglib_file_new_wchar() and taglib_file_new_type_wchar().
* Preserve unicode encoding when downgrading to ID3v2.3.
* Do not store FLAC metadata blocks which are too large.
* Fix segfaults with String and ByteVector nullptr arguments.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3500100 to 3500200
- Update of rootfile
- Changelog 3500200
Fix the concat_ws() SQL function so that it includes empty strings in the
concatenation. Forum post 52503ac21d.
Fix the file-io extension (used by the CLI) so that it can be built using the
MinGW compiler chain.
Avoid writing frames with no checksums into the wal file if a savepoint is
rolled back after dirty pages have already been spilled into the wal file.
Forum post b490f726db.
Fix the Bitvec object to avoid stack overflow when the database is within 60
pages of its maximum size.
Fix a problem with UPDATEs on fts5 tables that contain BLOB values.
Fix an issue with transitive IS constraints on a RIGHT JOIN.
Raise an error early if the number of aggregate terms in a query exceeds the
maximum number of columns, to avoid downstream assertion faults.
Ensure that sqlite3_setlk_timeout() holds the database mutex.
Fix typos in API documentation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:43 +0000 (12:14 +0200)]
shadow: Update to version 4.18.0
- Update from version 4.17.4 to 4.18.0
- Update of rootfile not required
- Changelog
4.18.0
CI: purge man-db by @ikerexxe in #1241
passwd: document exit code when PAM has errored by @hallyn in #1244
Man patches by @zeha in #1175
Quick fix: define E_PAM_ERR in lib/pam_pass.c by @hallyn in #1245
Accept /usr/sbin/nologin as an alternate to /sbin/nologin by @zeha in #1246
Add LOGIN_ENV_SAFELIST to FOREIGNDEFS by @stanislav-brabec in #1248
ci: add gawk as a fedora dependency by @ikerexxe in #1252
man/useradd.8.xml: fix the CREATE_HOME description by @hallyn in #1251
lib/getdate.y: Restrict the date formats that we support by
@alejandro-colomar in #1238
newuidmap: better error logging on failure by @matthewhughes934 in #1254
Extend basic test cases to check shadow and gshadow entries by
@ikerexxe in #1237
lib/sizeof.h: Make sure STRLEN() only accepts string literals by
@alejandro-colomar in #1260
Add strprefix(), and use it instead of its pattern by @alejandro-colomar
in #1152
src/: Simplify, using strpbrk(3) by @alejandro-colomar in #1167
lib/string/strdup/: STRNDUPA(): Reimplement in terms of strndupa(3) by
@alejandro-colomar in #1189
Remove dead beef by @alejandro-colomar in #1230
lib/atoi/a2i/: Simplify these macros by calling a2i() by
@alejandro-colomar in #1137
strtolower(): Add API, and use it instead of its pattern by
@alejandro-colomar in #1211
lib/: sget*ent(): Simplify by calling strdup(3) by
@alejandro-colomar in #1146
fields by @alejandro-colomar in #1150
yacc(1) is a dead language; bury it deep in the ground by
@alejandro-colomar in #1217
Test expiration date by @ikerexxe in #1233
[scp] Add strcaseprefix(), and use it instead of its pattern by
@alejandro-colomar in #1262
valid_field(): Improve readability by @alejandro-colomar in #1208
lib/, src/, tests/: Use the standard countof() instead of our NITEMS() by
@alejandro-colomar in #1259
lib/fs/mkstemp/, src/: Move fmkomstemp() to separate files under
lib/fs/mkstemp/, and split into mkomstemp() by @alejandro-colomar in #1139
[x][v]aprintf(): Add APIs, and use them instead of [x][v]asprintf(3) by
@alejandro-colomar in #1168
lib/get_pid.c: pid_t is a signed integer by @alejandro-colomar in #1264
src/newusers.c: Fix off-by-one benign bug in array declaration by
@alejandro-colomar in #1266
Add some wrappers for usual loops around strsep(3) by @alejandro-colomar
in #1155
lib/fs/readlink/areadlink.h: areadlink(): Avoid inconditionally using
PATH_MAX by @sthibaul in #1222
configure: Fix typo by @sthibaul in #1268
Pre-release 4.18.0-rc1 by @hallyn in #1270
Update man pages for chage, shadow, passwd by @domiborges in #1243
contrib/: Burn it all by @alejandro-colomar in #1274
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:42 +0000 (12:14 +0200)]
pciutils: Update to version 3.14.0
- Update from version 3.13.0 to 3.14.0
- Update of rootfile
- Changelog
3.14.0
* New capabilities are decoded: VirtIO SharedMemory, Physical Layer
16 to 64 GT/s, Flit Mode, Device 3, Intel vendor-specific.
* ECAM now works on Windows and DJGPP.
* The GNU/Hurd back-end works on 64-bit systems.
* Added a new back-end for RT-Thread Smart OS.
* <lib/header.h> got definitions of new classes and capabilities
from PCI Code and ID Assignment rev 1.18.
* <lib/pci.h> can be included from C++ programs.
* Updated pci.ids.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:41 +0000 (12:14 +0200)]
pango: Update to version 1.56.4
- Update from version 1.56.3 to 1.56.4
- Update of rootfile
- Changelog
1.56.4
- fontconfig: Improve the add_font_file implementation
- fontconfig: Combine font features and style variants
- fontconfig: Make sure font faces stay alive
- win32: Drop some caching
- win32: Make sure font faces stay alive
- win32: Modernize and simplify the code
- win32: Stop synthesizing fonts
- win32: Implement list models
- coretext: Support synthetic small caps
- layout: Avoid assertions in line breaking
- build: Require GLib 2.82
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:40 +0000 (12:14 +0200)]
openssl: Update to version 3.5.1
- Update from version 3.5.0 to 3.5.1
- Update of rootfile not required
- Changelog
3.5.1
OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this
release is Low.
This release incorporates the following bug fixes and mitigations:
* Fix x509 application adds trusted use instead of rejected use.
([CVE-2025-4575])
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:39 +0000 (12:14 +0200)]
nettle: Update to version 3.10.2
- Update from version 3.10.1 to 3.10.2
- Update of rootfile
- Changelog
3.10.2
* Fix missing prototypes in getopt.h and getopt.c, affecting
non-glibc systems, and causing compile errors with C23
compilers that require prototypes, e.g., gcc-15.
* For powerpc64, avoid using v9 (ISA v3.0) instructions
lxvb16x, lxv and stxv in powerpc64/p8/ files.
* For powerpc64, add configure check for __VSX__, and disable
use of assembly if not defined. Nettle's powerpc64 assembly
requires at least v7 (ISA v2.06).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:38 +0000 (12:14 +0200)]
ncdu: Update to version 1.22
- Update from version 1.20 to 1.22
- Update of rootfile not required
- Changelog
1.22
- Add support for @-prefixed lines to ignore errors in config file (from 2.8)
- List all supported options in `--help` (from 2.8)
- Use `kB` instead of `KB` in `--si` mode (from 2.8)
- Add `--graph-style` option (from 2.1)
- Fix supported range of uid/gid numbers
1.21
- Perform tilde expansion on paths in the config file (from 2.7)
- Fix JSON import of escaped UTF-16 surrogate pairs (from 2.7)
- Fix displaying and exporting zero values when extended info is not
available (from 2.6)
- Fix JSON export and import of the “other filesystem” flag (from 2.5)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:37 +0000 (12:14 +0200)]
lvm2: Update to version 2.03.33
- Update from version 2.03.32 to 2.03.33
- Update of rootfile not required
- Changelog
2.03.33
Various spelling, grammar, formatting, test, and build script improvements.
Override LC_NUMERIC locale if unsuitable for json_std report format.
Repair raid arrays with transiently lost devices.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:36 +0000 (12:14 +0200)]
libssh: Update to version 0.11.2
- Update from version 0.11.1 to 0.11.2
- Update of rootfile
- Changelog
0.11.2
* Security:
* CVE-2025-4877 - Write beyond bounds in binary to base64 conversion
* CVE-2025-4878 - Use of uninitialized variable in privatekey_from_file()
* CVE-2025-5318 - Likely read beyond bounds in sftp server handle management
* CVE-2025-5351 - Double free in functions exporting keys
* CVE-2025-5372 - ssh_kdf() returns a success code on certain failures
* CVE-2025-5449 - Likely read beyond bounds in sftp server message decoding
* CVE-2025-5987 - Invalid return code for chacha20 poly1305 with OpenSSL
* Compatibility
* Fixed compatibility with CPM.cmake
* Compatibility with OpenSSH 10.0
* Tests compatibility with new Dropbear releases
* Removed p11-kit remoting from the pkcs11 testsuite
* Bugfixes
* Implement missing packet filter for DH GEX
* Properly process the SSH2_MSG_DEBUG message
* Allow escaping quotes in quoted arguments to ssh configuration
* Do not fail with unknown match keywords in ssh configuration
* Process packets before selecting signature algorithm during authentication
* Do not fail hard when the SFTP status message is not sent by noncompliant
servers
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:35 +0000 (12:14 +0200)]
libpng: Update to version 1.6.50
- Update from version 1.6.48 to 1.6.50
- Update of rootfile
- Changelog
1.6.50
Improved the detection of the RVV Extension on the RISC-V platform.
(Contributed by Filip Wasil)
Replaced inline ASM with C intrinsics in the RVV code.
(Contributed by Filip Wasil)
Fixed a decoder defect in which unknown chunks trailing IDAT, set
to go through the unknown chunk handler, incorrectly triggered
out-of-place IEND errors.
(Contributed by John Bowler)
Fixed the CMake file for cross-platform builds that require `libm`.
1.6.49
Added SIMD-optimized code for the RISC-V Vector Extension (RVV).
(Contributed by Manfred Schlaegl, Dragos Tiselice and Filip Wasil)
Added various fixes and improvements to the build scripts and to
the sample code.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:34 +0000 (12:14 +0200)]
libjpeg: Update to version 3.1.1
- Update from version 3.0.4 to 3.1.1
- Update of rootfile
- Changelog
3.1.1
Hardened the libjpeg API against hypothetical calling applications that may
erroneously change the value of the `data_precision` field in
`jpeg_compress_struct` or `jpeg_decompress_struct` after calling
`jpeg_start_compress()` or `jpeg_start_decompress()`.
3.1.0
Fixed an issue in the TurboJPEG API whereby, when generating a
lossless JPEG image with more than 8 bits per sample, specifying a point
transform value greater than 7 resulted in an error ("Parameter value out of
range") unless `TJPARAM_PRECISION`/`TJ.PARAM_PRECISION` was specified before
`TJPARAM_LOSSLESSPT`/`TJ.PARAM_LOSSLESSPT`.
Fixed a regression introduced by 1.4 beta1[3] that prevented
`jpeg_set_defaults()` from resetting the Huffman tables to default (baseline)
values if Huffman table optimization or progressive mode was previously enabled
in the same libjpeg instance.
Fixed an issue whereby lossless JPEG compression could not be disabled if it
was previously enabled in a libjpeg or TurboJPEG instance.
`jpeg_set_defaults()` now disables lossless JPEG compression in a libjpeg
instance, and setting `TJPARAM_LOSSLESS`/`TJ.PARAM_LOSSLESS` to `0` now
disables lossless JPEG compression in a TurboJPEG instance.
3.1 beta1
The libjpeg-turbo source tree has been reorganized to make it easier to find
the README files, license information, and build instructions. The
documentation for the libjpeg API library and associated programs has been
moved into the **doc/** subdirectory, all C source code and headers have been
moved into a new **src/** subdirectory, and test scripts have been moved into a
new **test/** subdirectory.
cjpeg no longer allows GIF input files to be converted into
12-bit-per-sample JPEG files. That was never a useful feature, since GIF
images have at most 256 colors referenced from a palette of 8-bit-per-component
RGB values.
Added support for lossless JPEG images with 2 to 15 bits per sample to the
libjpeg and TurboJPEG APIs. When creating or decompressing a lossless JPEG
image and when loading or saving a PBMPLUS image, functions/methods specific to
8-bit samples now handle 8-bit samples with 2 to 8 bits of data precision
(specified using the `data_precision` field in `jpeg_compress_struct` or
`jpeg_decompress_struct` or using `TJPARAM_PRECISION`/`TJ.PARAM_PRECISION`),
functions/methods specific to 12-bit samples now handle 12-bit samples with 9
to 12 bits of data precision, and functions/methods specific to 16-bit samples
now handle 16-bit samples with 13 to 16 bits of data precision. Refer to
[libjpeg.txt](doc/libjpeg.txt), [usage.txt](doc/usage.txt), and the TurboJPEG
API documentation for more details.
All deprecated constants and methods in the TurboJPEG Java API have been
removed.
TJBench command-line arguments are now more consistent with those of cjpeg,
djpeg, and jpegtran. More specifically:
- `-copynone` has been replaced with `-copy none`.
- `-fastdct` has been replaced with `-dct fast`.
- `-fastupsample` has been replaced with `-nosmooth`.
- `-hflip` and `-vflip` have been replaced with
`-flip {horizontal|vertical}`.
- `-limitscans` has been replaced with `-maxscans`, which allows the scan
limit to be specified.
- `-rgb`, `-bgr`, `-rgbx`, `-bgrx`, `-xbgr`, `-xrgb`, and `-cmyk` have
been replaced with `-pixelformat {rgb|bgr|rgbx|bgrx|xbgr|xrgb|cmyk}`.
- `-rot90`, `-rot180`, and `-rot270` have been replaced with
`-rotate {90|180|270}`.
- `-stoponwarning` has been replaced with `-strict`.
- British spellings for `gray` (`grey`) and `optimize` (`optimise`) are
now allowed.
The old command-line arguments are deprecated and will be removed in a
future release. TJBench command-line arguments can now be abbreviated as well.
(Where possible, the abbreviations are the same as those supported by cjpeg,
djpeg, and jpegtran.)
Added a new TJBench option (`-pixelformat gray`) that can be used to test
the performance of compressing/decompressing a grayscale JPEG image from/to a
packed-pixel grayscale image.
Fixed an issue whereby, if `TJPARAM_NOREALLOC` was set, TurboJPEG
compression and lossless transformation functions ignored the JPEG buffer
size(s) passed to them and assumed that the JPEG buffer(s) had been allocated
to a worst-case size returned by `tj3JPEGBufSize()`. This behavior was never
documented, although the documentation was unclear regarding whether the JPEG
buffer size should be specified if a JPEG buffer is pre-allocated to a
worst-case size.
The TurboJPEG C and Java APIs have been improved in the following ways:
- New image I/O methods (`TJCompressor.loadSourceImage()` and
`TJDecompressor.saveImage()`) have been added to the Java API. These methods
work similarly to the `tj3LoadImage*()` and `tj3SaveImage*()` functions in the
C API.
- The TurboJPEG lossless transformation function and methods now add
restart markers to all destination images if
`TJPARAM_RESTARTBLOCKS`/`TJ.PARAM_RESTARTBLOCKS` or
`TJPARAM_RESTARTROWS`/`TJ.PARAM_RESTARTROWS` is set.
- New functions/methods (`tj3SetICCProfile()` /
`TJCompressor.setICCProfile()` / `TJTransformer.setICCProfile()` and
`tj3GetICCProfile()` / `TJDecompressor.getICCProfile()`) can be used to embed
and retrieve ICC profiles.
- A new parameter (`TJPARAM_SAVEMARKERS`/`TJ.PARAM_SAVEMARKERS`) can be
used to specify the types of markers that will be copied from the source image
to the destination image during lossless transformation if
`TJXOPT_COPYNONE`/`TJTransform.OPT_COPYNONE` is not specified.
- A new convenience function/method (`tj3TransformBufSize()` /
`TJTransformer.bufSize()`) can be used to compute the worst-case destination
buffer size for a given lossless transform, taking into account cropping,
transposition of the width and height, grayscale conversion, and the embedded
or extracted ICC profile.
TJExample has been replaced with three programs (TJComp, TJDecomp, and
TJTran) that demonstrate how to approximate the functionality of cjpeg, djpeg,
and jpegtran using the TurboJPEG C and Java APIs.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:33 +0000 (12:14 +0200)]
jq: Update to version 1.8.1
- Update from version 1.7.1 to 1.8.1
- Update of rootfile not required
- CVE fix in 1.8.1 & 1.8.0
- Changelog
1.8.1
Security fixes
- CVE-2025-49014: Fix heap use after free in `f_strftime`, `f_strflocaltime`.
@wader 499c91bca9d4d027833bc62787d1bb075c03680e
- GHSA-f946-j5j2-4w5m: Fix stack overflow in `node_min_byte_len` of oniguruma.
@wader 5e159b34b179417e3e0404108190a2ac7d65611c
CLI changes
- Fix assertion failure when syntax error happens at the end of the query.
@itchyny #3350
Changes to existing functions
- Fix portability of `strptime/1` especially for Windows. @itchyny #3342
Language changes
- Revert the change of `reduce`/`foreach` state variable in 1.8.0 (#3205).
This change was reverted due to serious performance regression. @itchyny #3349
Documentation changes
- Add LICENSE notice of NetBSD's `strptime()` to COPYING. @itchyny #3344
Build improvements
- Fix build on old Mac with old sed. @qianbinbin #3336
1.8.0
Releasing
- Change the version number pattern to `1.X.Y` (`1.8.0` instead of `1.8`).
@itchyny #2999
- Generate provenance attestations for release artifacts and docker image.
@lectrical #3225
```sh
gh attestation verify --repo jqlang/jq jq-linux-amd64
gh attestation verify --repo jqlang/jq oci://ghcr.io/jqlang/jq:1.8.0
```
Security fixes
- CVE-2024-23337: Fix signed integer overflow in `jvp_array_write` and
`jvp_object_rehash`.
@itchyny de21386681c0df0104a99d9d09db23a9b2a78b1e
- The fix for this issue now limits the maximum size of arrays and objects
to 536870912 (`2^29`) elements.
- CVE-2024-53427: Reject NaN with payload while parsing JSON.
@itchyny a09a4dfd55e6c24d04b35062ccfe4509748b1dd3
- The fix for this issue now drops support for NaN with payload in JSON
(like `NaN123`).
Other JSON extensions like `NaN` and `Infinity` are still supported.
- CVE-2025-48060: Fix heap buffer overflow in `jv_string_vfmt`.
@itchyny c6e041699d8cd31b97375a2596217aff2cfca85b
- Fix use of uninitialized value in `check_literal`. @itchyny #3324
- Fix segmentation fault on `strftime/1`, `strflocaltime/1`. @itchyny #3271
- Fix unhandled overflow in `@base64d`. @emanuele6 #3080
CLI changes
- Fix `--indent 0` implicitly enabling `--compact-output`. @amarshall
@gbrlmarn @itchyny #3232
```sh
$ jq --indent 0 . <<< '{ "foo": ["hello", "world"] }'
{
"foo": [
"hello",
"world"
]
}
# Previously, this implied --compact-output, but now outputs with new lines.
```
- Improve error messages to show problematic position in the filter.
@itchyny #3292
```sh
$ jq -n '1 + $foo + 2'
jq: error: $foo is not defined at <top-level>, line 1, column 5:
1 + $foo + 2
^^^^
jq: 1 compile error
```
- Include column number in parser and compiler error messages. @liviubobocu #3257
- Fix error message for string literal beginning with single quote.
@mattmeyers #2964
```sh
$ jq .foo <<< "{'foo':'bar'}"
jq: parse error: Invalid string literal; expected ", but got ' at line 1,
column 7
# Previously, the error message was Invalid numeric literal at line 1,
column 7.
```
- Improve `JQ_COLORS` environment variable to support larger escapes like
truecolor. @SArpnt #3282
```sh
JQ_COLORS="38;2;255;173;173:38;2;255;214;165:38;2;253;255;182:38;2;202;255;191:38;2;155;246;255:38;2;160;196;255:38;2;189;178;255:38;2;255;198;255" jq -nc '[null,false,true,42,{"a":"bc"}]'
```
- Add `--library-path` long option for `-L`. @thaliaarchi #3194
- Fix `--slurp --stream` when input has no trailing newline character.
@itchyny #3279
- Fix `--indent` option to error for malformed values. @thaliaarchi #3195
- Fix option parsing of `--binary` on non-Windows platforms. @calestyo #3131
- Fix issue with `~/.jq` on Windows where `$HOME` is not set. @kirkoman #3114
- Fix broken non-Latin output in the command help on Windows. @itchyny #3299
- Increase the maximum parsing depth for JSON to 10000. @itchyny #3328
- Parse short options in order given. @thaliaarchi #3194
- Consistently reset color formatting. @thaliaarchi #3034
New functions
- Add `trim/0`, `ltrim/0` and `rtrim/0` to trim leading and trailing white
spaces. @wader #3056
```sh
$ jq -n '" hello " | trim, ltrim, rtrim'
"hello"
"hello "
" hello"
```
- Add `trimstr/1` to trim string from both ends. @gbrlmarn #3319
```sh
$ jq -n '"foobarfoo" | trimstr("foo")'
"bar"
```
- Add `add/1`. Generator variant of `add/0`. @myaaaaaaaaa #3144
```sh
$ jq -c '.sum = add(.xs[])' <<< '{"xs":[1,2,3]}'
{"xs":[1,2,3],"sum":6}
```
- Add `skip/2` as the counterpart to `limit/2`. @itchyny #3181
```sh
$ jq -nc '[1,2,3,4,5] | [skip(2; .[])]'
[3,4,5]
```
- Add `toboolean/0` to convert strings to booleans. @brahmlower @itchyny #2098
```sh
$ jq -n '"true", "false" | toboolean'
true
false
```
- Add `@urid` format. Reverse of `@uri`. @fmgornick #3161
```sh
$ jq -Rr '@urid' <<< '%6a%71'
jq
```
Changes to existing functions
- Use code point index for `indices/1`, `index/1` and `rindex/1`. @wader #3065
- This is a breaking change. Use `utf8bytelength/0` to get byte index.
- Improve `tonumber/0` performance and reject numbers with leading or trailing
white spaces. @itchyny @thaliaarchi #3055 #3195
- This is a breaking change. Use `trim/0` to remove leading and trailing
white spaces.
- Populate timezone data when formatting time. This fixes timezone name in
`strftime/1`, `strflocaltime/1` for DST. @marcin-serwin
@sihde #3203 #3264 #3323
- Preserve numerical precision on unary negation, `abs/0`, `length/0`.
@itchyny #3242 #3275
- Make `last(empty)` yield no output values like `first(empty)`. @itchyny #3179
- Make `ltrimstr/1` and `rtrimstr/1` error for non-string inputs.
@emanuele6 #2969
- Make `limit/2` error for negative count. @itchyny #3181
- Fix `mktime/0` overflow and allow fewer elements in date-time representation
array. @emanuele6 #3070 #3162
- Fix non-matched optional capture group. @wader #3238
- Provide `strptime/1` on all systems. @george-hopkins @fdellwing #3008 #3094
- Fix `_WIN32` port of `strptime`. @emanuele6 #3071
- Improve `bsearch/1` performance by implementing in C. @eloycoto #2945
- Improve `unique/0` and `unique_by/1` performance. @itchyny
@emanuele6 #3254 #3304
- Fix error messages including long string literal not to break Unicode
characters. @itchyny #3249
- Remove `pow10/0` as it has been deprecated in glibc 2.27. Use `exp10/0`
instead. @itchyny #3059
- Remove private (and undocumented) `_nwise` filter. @itchyny #3260
Language changes
- Fix precedence of binding syntax against unary and binary operators.
Also, allow some expressions as object values. @itchyny #3053 #3326
- This is a breaking change that may change the output of filters with
binding syntax as follows.
```sh
$ jq -nc '[-1 as $x | 1,$x]'
[1,-1] # previously, [-1,-1]
$ jq -nc '1 | . + 2 as $x | -$x'
-3 # previously, -1
$ jq -nc '{x: 1 + 2, y: false or true, z: null // 3}'
{"x":3,"y":true,"z":3} # previously, syntax error
```
- Support Tcl-style multiline comments. @emanuele6 #2989
```sh
#!/bin/sh --
# Can be used to do shebang scripts.
# Next line will be seen as a comment because of the trailing backslash. \
exec jq ...
# this jq expression will result in [1]
[
1,
# \
2
]
```
- Fix `foreach` not to break init backtracking with `DUPN`. @kanwren #3266
```sh
$ jq -n '[1, 2] | foreach .[] as $x (0, 1; . + $x)'
1
3
2
4
```
- Fix `reduce`/`foreach` state variable should not be reset each iteration.
@itchyny #3205
```sh
$ jq -n 'reduce range(5) as $x (0; .+$x | select($x!=2))'
8
$ jq -nc '[foreach range(5) as $x (0; .+$x | select($x!=2); [$x,.])]'
[[0,0],[1,1],[3,4],[4,8]]
```
- Support CRLF line breaks in filters. @itchyny #3274
- Improve performance of repeating strings. @itchyny #3272
Documentation changes
- Switch the homepage to custom domain [jqlang.org](https://jqlang.org).
@itchyny @owenthereal #3243
- Make latest release instead of development version the default manual.
@wader #3130
- Add opengraph meta tags. @wader #3247
- Replace jqplay.org with play.jqlang.org @owenthereal #3265
- Add missing line from decNumber's licence to `COPYING`. @emanuele6 #3106
- Various document improvements. @tsibley #3322, @itchyny #3240,
@jhcarl0814 #3239,
@01mf02 #3184, @thaliaarchi #3199, @NathanBaulch #3173, @cjlarose #3164,
@sheepster1 #3105, #3103, @kishoreinvits #3042, @jbrains #3035, @thalman #3033,
@SOF3 #3017, @wader #3015, @wllm-rbnt #3002
Build improvements
- Fix build with GCC 15 (C23). @emanuele6 #3209
- Fix build with `-Woverlength-strings` @emanuele6 #3019
- Fix compiler warning `type-limits` in `found_string`. @itchyny #3263
- Fix compiler error in `jv_dtoa.c` and `builtin.c`. @UlrichEckhardt #3036
- Fix warning: a function definition without a prototype is deprecated.
@itchyny #3259
- Define `_BSD_SOURCE` in `builtin.c` for OpenBSD support. @itchyny #3278
- Define empty `JV_{,V}PRINTF_LIKE` macros if `__GNUC__` is not defined.
@emanuele6 #3160
- Avoid `ctype.h` abuse: cast `char` to `unsigned char` first. @riastradh #3152
- Remove multiple calls to free when successively calling `jq_reset`.
@Sameesunkaria #3134
- Enable IBM z/OS support. @sachintu47 #3277
- Fix insecure `RUNPATH`. @orbea #3212
- Avoid zero-length `calloc`. @itchyny #3280
- Move oniguruma and decNumber to vendor directory. @itchyny #3234
Test improvements
- Run tests in C locale. @emanuele6 #3039
- Improve reliability of `NO_COLOR` tests. @dag-erling #3188
- Improve `shtest` not to fail if `JQ_COLORS` and `NO_COLOR` are already set.
@SArpnt #3283
- Refactor constant folding tests. @itchyny #3233
- Make tests pass when `--disable-decnum`. @nicowilliams 6d02d53f515bf1314d644eee93ba30b0d11c7d2b
- Disable Valgrind by default during testing. @itchyny #3269
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:32 +0000 (12:14 +0200)]
haproxy: Update to version 3.2.2
- Update from version 3.1.2 to 3.2.2
- Update of rootfile not required
- Changelog is too large to include here. Details can be found from the CHANGELOG file
from the source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:31 +0000 (12:14 +0200)]
freeradius: Update to version 3.2.7
- Update from version 3.2.6 to 3.2.7
- Update of rootfile
- Changelog
3.2.7
Feature Improvements
Print MD5 hash of the configuration files in debug mode. This helps people
track configuration changes.
Add support for IPv6 to "abinary" type. The fields are the same as for
"ip", but use "ipv6", and IPv6 formatted addresses.
Update radclient to make it clear that Message-Authenticator is added to
all Access-Request packets, even if the input file does not contain it.
Add support for Subject AltName URI. Closes #5450.
Add python_path_mode option to python3 module.
Relax checks on OpenSSL minor versions for OpenSSL 3.x.
Add API for deleting dynamic home servers.
Set SO_KEEPALIVE on outbound sockets, so firewalls are less likely to close
TCP connections.
Allow querying of statistics when home_server has src_ipaddr set. See
FreeRADIUS-Stats-Server-Src-IP-Address. Fixes #5483.
Update dictionary "man" page. Fixes #4346.
Change jlibtool to use --show-config, to avoid conflicts with clang
--config. Fixes #5442.
RADIUS/TLS clients now support a "tls" subsection. For connections from
this client, this section is used in preference to the "listen" TLS
settings. This allows a server to easily present different identities to
different clients.
RADIUS/TLS has been updated for TLS-PSK and TLS 1.3. Tested with radsecproxy.
Bug Fixes
For EAP-TLS, send TLS start without a length field. Some clients refuse to
do EAP-TLS when this field exists.
Avoid blocking TLS sockets on corner cases during session setup.
Update home server stats.
Correct error message about untrusted certs. Fixes #5466.
Use PyEval_RestoreThread to swap to main thread. Fixes #5111.
Don't run Python detach function on config check.
Fix a number of issues with TLS connections and
"check_client_connections = yes".
Be more careful about managing the incoming queue when databases block the
server. The server will still be unable to make progress, but it should
crash less. Whether or not this is a good thing is unknown.
Better handle single-character expansions. Fixes #2216.
Correct calculation of EAP length in pre-proxy. Fixes #5486.
Don't segfault when using detail listeners. Fixes #5485.
Add check for Couchbase v2, rlm_couchbase won't build on v3.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:30 +0000 (12:14 +0200)]
fontconfig: Update to version 2.17.1
- Update from version 2.16.2 to 2.17.1
- Update of rootfile
- Changelog
2.17.1
Fix a heap buffer overflow
meson: Add 'noinstall' to default-hinting, default-sub-pixel-rendering,
bitmap-conf build options
Bump the libtool version
2.17
ci: Add a subproject test case for meson
test: Set sys-root to WINEPATH for MinGW
ci: Correct reference to not trigger fetching a branch for main
ci: clean up and add changelog to the release note through changelog API
meson: don't try to call run_command for gperf on --wrap-mode=forcefallback
Make sure that the debugging facilities are initialized at loading config phase
Add FcConfigPerferAppFont() to allow changing the order of application fonts
conf.d/65-nonlatin.conf: Rename Lohit Oriya to Lohit Odia
ci: disable meson static fontations build tentatively
conf.d/65-nonlatin.conf: drop the leading extra white spaces
ci: quote pip's requirement specifier in the build script
ci: Add -O option to the build script for convenience
ci: add installation test
Add a test case for FcPtrList
Improve performance of FcPtrListIterInitAtLast
test: make sure we have fcstdint.h before building test programs
Drop FcDefaultFini() from FcFini() to fix memory leaks
test: do not free FcFontSet From FcConfigGetFonts
Drop the configuration path migration code
Drop FcObjectFini() from FcFini() to fix memory leaks
Free the mutex object only when all cache objects isn't referenced
Free the mutex object only when there are no references to the default FcConfig
instance
Increase a reference count for default FcConfig instance with FcInit()
conf.d: Add a conf to guess a generic-family for substitution
test: add a pattern test
test: add a test scenario for 48-guessfamily.conf
test-crbug1004254: hold FcConfig during running a test in a thread
Simplify FcConfigFini()
Revert "test-crbug1004254: hold FcConfig during running a test in a thread"
Call FcMutexUnlock only when valid instance is available
Fix a memory leak in default_langs
Avoid possibly invalid access on MT
Add bitmap-conf build option to choose default bitmap conf
doc: rewrite check-missing-doc in Python
Do not hardcode a cache version
Add default font paths for Android in configure script
meson: Fix additional-fonts-dirs build option that not taking effect
meson: rename meson_options.txt to meson.options
Allow dotfiles to scan for caching
Trim trailing newline in string in cache
Fix a crash with broken cache
ci: cleanup builddir
Do not fallback decoding with UTF-16BE if no iconv support
Fix padding with "und" in pattern elements
ci: fix pipeline fail of subproject build on forked project
ci: add some usage text to build script
Bump libtool version for autotools build
Fix release script
Avoid conflict between dgettext macro and declaration in fcint.h
fix: Skip empty entries in XDG_DATA_DIRS parsing
[Fontations] Factor out fcpat.c - add Fontations dependencies
Add FcPatternObjectGet* impl for CharSet and LangSet
[Fontations] Improve resolution of Rust crate features
[Fontations] Roll Skrifa, Read-Fonts, Font-Types
[Fontations] Pattern Bindings for CharSet and LangSet
[Fontations] Container and local download of testfiles
Add Pytest status to Meson Summary
Add Roboto Flex to font downloading script
Migrate pytest testcase 431 to pre-downloaded fonts
[Fontations] Enable fc-query indexing through Fontations
Revert "ci: disable meson static fontations build tentatively"
[Fontations] Fix Rust edition, do not require extern crate
[Fontations] Add support for "foundry" pattern element
[Fontations] Add support for "version" pattern element
[Fontations] Clippy fix for foundries mapping
[Fontations] Add attributes weight, width, slant to Pattern
Cargo build improvements
[Fontations] Iterate over TrueType collections and named instances
Amend license headers
[Fontations] Process and append font capabilities to Pattern
Speculative fix for uninitialised value used in FcFontSort
[Fontations] Add charset pattern element
[Fontations] Add langset pattern element
[Fontations] Add fontwrapper, filename and symbol elements to pattern
[Fontations] Add woff wrapper and filename if file is woff or woff2
[Fontations] Roll Fontations, Skrifa to 0.31.3
[Fontations] Match name id append order to FreeType indexer
Sort test pattern elements
[Fontations] Add pixel size information
[Fontations] Fix size element and enable more element tests
[Fontations] Add spacing property
[Fontations] No style element for variable instance
[Fontations] Remove pattern filter from tests
Parse foundry from OS/2 for table version 0
[Fontations] Assorted fixes to match FreeType indexing
[Fontations] Do not combine bindings into one crate
Make "retry:" label conditional on ICONV
[Fontations] Clarify import of FcLangSet
Rename FcFreeTypeLangSet to FcLangSetFromCharset
[Fontations] Fix downstream build of indexing with Fontations
fccharset.c Avoid use-after-free warning
fccharset.c Avoid use-after-free warning
configure.ac: drop -fno-strict-aliasing
Fix heap buffer underflow in FcConfigXdgDataDirs
Fix use-after-free in FcConfigGetPrgname
meson: don't force installation of a static library
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Jul 2025 12:01:11 +0000 (14:01 +0200)]
en.pl: Add "quality of service" and "mdstat" values into en lang file
- The extrahd is already in the file but this change ensures that the lang additions
to the 20-status and 40-services menu files are included in the en.pl file.
Suggested-by: Opnwall Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Jul 2025 12:01:10 +0000 (14:01 +0200)]
40-services.menu: Use lang files for caption and title
- The "quality of service" and "extrahd" values are in the two Chinese language files
Suggested-by: Opnwall Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Jul 2025 12:01:08 +0000 (14:01 +0200)]
langs: Addition of Chinese language files - from ipfire github pull request
- These language files have been provided by GitHub user Opnwall as a pull request
- Tested out the result of these two patches on my vm testbed. As long as I made sure
I had a font set installed that dealt with these types of character codes then it
worked fine for me. I had to install noto-fonts-cjk on my archlinux system for the
characters to be properly transcribed.
- The associated patch is where a few menu items that had no language translation have
been changed to use the language files, presumably so that those menu names are
shown in the Chinese characters.
Suggested-by: Opnwall Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Jul 2025 11:00:55 +0000 (13:00 +0200)]
sudo: Update to version 1.9.17p1
- Update from version 1.9.17 to 1.9.17p1
- Update of rootfile not required
- Changelog
1.9.17p1
* Fixed CVE-2025-32462. Sudo's -h (--host) option could be specified
when running a command or editing a file. This could enable a
local privilege escalation attack if the sudoers file allows the
user to run commands on a different host.
* Fixed CVE-2025-32463. An attacker can leverage sudo's -R
(--chroot) option to run arbitrary commands as root, even if
they are not listed in the sudoers file. The chroot support has
been deprecated and will be removed entirely in a future release.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 1 Jul 2025 13:44:35 +0000 (15:44 +0200)]
core196: Revert ship of customservices from fwhosts
- Shipping the customservices file replaced the existing file on all users' systems, which
resulted in any modifications they had made being wiped out.
- Having thought about it further what I should have done is just added the additional
custom service of "DNS over TLS" to the end of the customservices file during the
update process using update.sh but that is also not so easy because what number to
use for the "DNS over TLS" entry will depend on how many custom services the user
has created.
- At the least the shipping of the customservices file needs to be reverted. I and others
can then think about alternative ways to provide that entry to existing files.
- Alternatively we could leave it without doing anything. A fresh install will have the
"DNS over TLS" entry and upgrades will just leave the existing customservices file
alone.
- Users can of course recover the file by doing a restore from the backup they have
created but it is not good to overwrite those sorts of files.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
this is needed because some arm systems try to set more than one
console output via firmware/dtb and this is incompatible with the old
initsystem that ipfire uses.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 23 Jun 2025 17:16:57 +0000 (17:16 +0000)]
fwhosts.cgi: Move the tooltip into the usage counter
This will clutter the page less as we don't have any good icon sets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peer Dietzmann [Mon, 23 Jun 2025 17:16:54 +0000 (17:16 +0000)]
fwhosts.cgi: Show in which firewall rule objects are being used
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 28 Jun 2025 13:48:49 +0000 (15:48 +0200)]
functions.pl: pakfire cleanup
- I wondered what was supposed to be in the pakfire.log file that has always been empty
so I had a look around and discovered that it has been commented out since CU30
- So this patch removes that commented out line and the other patches in this set
remove the creation of the empty pakfire.log file and stop it being restored etc
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 27 Jun 2025 19:53:50 +0000 (21:53 +0200)]
libloc: Fixes bug13861 - libloc-0.9.18 fails to find some ASN info
- Patch added to fix backtracking after no match found bug. When the next version of
libloc is released then this patch can be removed as the patch will be integrated in
with that version.
- Update of rootfile not required.
- Tested out on local build of libloc-0.9.18
Fixes: bug13861 Reported-by: Adolf Belka <adolf.belka@ipfire.org> Suggested-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 24 Jun 2025 21:21:22 +0000 (23:21 +0200)]
squid: Update to 6.14
For details see:
https://github.com/squid-cache/squid/releases/tag/SQUID_6_14
"Changes in squid-6.14 (24 Jun 2025):
- Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
- Bug 5489: Fix "make check" linking on Solaris
- Fix SNMP cacheNumObjCount -- number of cached objects
- Do not duplicate received Surrogate-Capability in sent requests
- Fix Mem::Segment::open() stub to fix build without shm_open()
- ... and CI and documentation updates"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.0.20210914 to 1.0.20250521
- Update of rootfile not required
- Changelog
1.0.20250521
config: handle strdup failure
wg-quick: linux: add 'dev' to 'ip link add' to avoid keyword conflicts
ipc: add stub for allowedips flags on other platforms
ipc: linux: support incremental allowed ips updates
ipc: freebsd: use AF_LOCAL for the control socket
ipc: linux: enforce IFNAMSIZ limit
man: set private key in PreUp rather than PostUp
wg-quick: run PreUp hook after creating interface
show: fix show all endpoints output
ipc: freebsd: NULL out some freed memory in kernel_set_device()
ipc: freebsd: avoid leaking memory in kernel_get_device()
show: apply const to right part of pointer
ipc: freebsd: move if_wg path to reflect new in-tree location
wg-quick: linux: prevent traffic from momentarily leaking into tunnel
global: dual license core files as MIT for FreeBSD
wg-quick: android: use right regex for host-vs-IP
reresolve-dns: use $EPOCHSECONDS instead of $(date +%s)
embeddable-wg-library: add named wg_endpoint union
ipc: use more clever PnP enumerator
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 23 Jun 2025 10:57:16 +0000 (12:57 +0200)]
frr: Update to version 10.3.1
- Update from version 10.2.1 to 10.3.1
- Update of rootfile
- CVE fix in 10.3.0
- Changelog
10.3.1
Bug Fixes
babeld
Check valid babel port
Fix incorrect type assignment in parse_request_subtlv
bgpd
Fix set evpn gateway-ip ipv[46] route-map
Fix bmp heap use after free on non connected session
Fix evpn attributes being dropped on input
Fix holdtime not working properly when busy
Fix leaked memory when showing some bgp routes
Fixed crash upon bgp network import-check command
On shutdown free up memory leak found by topotest
Prevent crash when issuing a show rpki connections
Remove unused defines from bgp_label.h
Retain the routes if we do a clear with n-bit set for graceful-restart
Set the label for mp_unreach_nlri 0x800000 instead of 0x000000
Treat the peer as not active due to bfd down only if established
isisd
Fix srv6_sid memory leak
lib
Create vrf if needed
Return duplicate ipv6 prefix-list entry test
Return duplicate prefix-list entry test
nhrpd
Add hop count validation before forwarding in nhrp_peer_recv()
ospf6d
Disable and delete ospfv3 areas that no longer have interfaces or configuration.
Fix lsa memory leaks related to graceful restart
pimd
Fix for crash during networking restart
Fix memory leak on shutdown
Initialize gm proxy to false
staticd
Avoid requesting srv6 sid from zebra when loc and sid block don't match
Fix crash that occurs when modifying an srv6 sid
tools
Fix reload script for srv6 locators and formats
zebrad
Do not flush an existing vni configuration trying to remove wrong vni
Ensure proper return for failure for sid allocation
Fixes allowing srv6 func-bits length 0
10.3.0
New Features Highlight:
Lua 5.4 support
Fixed CVE-2024-55553
New match community-count BGP command to limit communities count
New set metric igp|aigp BGP command to inject IGP metric as MED into BGP
New bgp ipv6-auto-ra BGP command
Optimize BGP EVPN L2VNI/L3VNI remote routes processing
Respect non-transitive BGP extended communities between direct peers
Drop deprecated bgp network import-check exact command
Handle BGP ENHE (Extended Next Hop Encoding) capability via dynamic capability
Implement BGP connect backoff retry
Implement an ability to import BMP information from a separate BGP instance
Add support of BGP color extended community color-only types
Implement SBFD
Add support for SRv6 static SIDs
Implement embedded-rp for PIMv6
Implement AutoRP mapping-agent for PIM
Implement MSDP peer SA limiting
What's Changed
zebra: Fix crash in pw code by @donaldsharp in #17042
bfdd, yang: change bfd timer and multiplier values by @louis-6wind in #17002
Adds note about VRRP issues inside a VM with underlying bridge networking by @chriswiggins in #17050
tools: Add missing mgmtd into logrotate/rsyslogd by @ton31337 in #17054
isisd: Lsp fragments will delete the corresponding dyn_cache entry. by @baozhen-H3C in #17044
bgpd: Allow specification of vrf in show bgp neighbor graceful-restart by @donaldsharp in #17057
bgpd: changes for code maintainability by @sri-mohan1 in #17040
10.3 dev deb/rpm housekeeping by @Jafaral in #17061
bgpd: fix ipv6 nexthop-local unchanged by @louis-6wind in #17037
doc: routemap: fix typos by @rudis in #17064
bgpd: Move some non BGP-specific route-map functions to lib by @ton31337 in #17059
bgpd: split nexthop-local unchanged peer subgroup by @louis-6wind in #17071
zebra: add back one field for debug by @anlancs in #17082
zebra: Only notify dplane work pthread when needed by @donaldsharp in #17062
bgpd: fix evpn mh esi down by @chiragshah6 in #17074
doc: clarify bgp as-override by @louis-6wind in #17087
bgpd: bmp loc-rib peer up/down for vrfs by @louis-6wind in #17001
zebra: vlan to dplane by @raja-rajasekar in #16737
bgpd: Remove unused BGP_NEXTHOP_CONNECTED_CHANGED flag for nexthop by @ton31337 in #17099
bgpd: Check if su_local/su_remote exist before encoding BMP peer state by @ton31337 in #17103
bgpd: fix route selection with AIGP by @enkechen-panw in #17093
bgpd: Drop deprecated bgp network import-check exact command by @ton31337 in #17053
lib: Apply and generate route-map commands earlier before any other protocol by @ton31337 in #17058
isisd: Remove circuit state check for openfabric by @ton31337 in #17083
ospfd: fix the bug that the empty area was not free after no_area_range was executed by @Shbinging in #17101
bgpd: fix bmp coverity issue 1600779 by @louis-6wind in #17106
tools/gcc-plugins: don't crash on array parameters by @eqvinox in #17104
bgpd, tests: don't send local nexthop from rr client by @louis-6wind in #17073
zebra: Prevent a kernel route from being there when a connected should by @donaldsharp in #17088
zebra: Attempt to explain the rnh tracking code better by @donaldsharp in #15586
bgpd: Derive and set MED from IGP or AIGP by @ton31337 in #17038
tests: iproute2_check_path_selection call the actual command by @donaldsharp in #17107
ospfd: Fixup ospf_lsa.[ch] to properly spell out parameters for funct… by @donaldsharp in #17126
zebra: unlock node only after operation in zebra_free_rnh() by @enkechen-panw in #17116
vtysh: fix SA warning, no need to call getenv() twice by @Jafaral in #17114
bgpd: Implement match src-peer ... command by @ton31337 in #16946
zebra: fix heap-use-after free on ns shutdown by @pguibert6WIND in #17020
*: Fix up improper handling of nexthops for nexthop tracking by @donaldsharp in #17076
lib, test: fix display ipv4 mapped ipv6 addresses by @louis-6wind in #16452
bgpd: fix several issues in sourcing AIGP attribute by @enkechen-panw in #17091
ospfd: fix some ospf commands by @Shbinging in #17065
*: fix clang-19 SA by @eqvinox in #17136
zebra: Fix possible null deref discovered by coverity by @donaldsharp in #17154
ospfd: update ospf_asbr_status when using no_area_nssa command by @Shbinging in #17134
lib: Correctly handle ppoll pfds.events == 0 by @donaldsharp in #17025
bgpd: changes for code maintainability by @sri-mohan1 in #17164
bgpd: changes for code maintainability by @sri-mohan1 in #17167
tests: logger masked in topotest.py by @liambrady in #17157
bgpd: allow value 0 in aigp-metric setting by @enkechen-panw in #17169
doc: Require unified config for all new topotests by @ton31337 in #17172
bgpd: fix AIGP calculation in route advertisement by @enkechen-panw in #17168
bgpd: Handle non-transitive extended communities by @ton31337 in #17151
bgpd: Do not filter no-export community for BGP OAD by @ton31337 in #17165
zebra: remove useless code by @anlancs in #17166
isisd: fix 'show isis route' and 'show isis fast-reroute summary' errors with vrf by @baozhen-H3C in #17174
zebra: drop NEWLINK event handling in the main thread by @anlancs in #17180
bgpd: Do not leak a stream with bmp code by @donaldsharp in #17192
Revert "lib: Attach stdout to child only if --log=stdout and stdout F… by @donaldsharp in #17198
ospfd:fix the bug that the empty area was not free after no area range command was executed by @Shbinging in #17183
zebra: fix showing nexthop vrf for ipv6 blackhole by @louis-6wind in #17162
bgpd: fix uninitialized bgp_labels by @louis-6wind in #17191
lib: debug memstats-at-exit improvements by @eqvinox in #17155
pimd: PIM autorp no path RP fix by @nabahr in #17215
Optimizations and problem fixing for large scale ecmp from bgp by @donaldsharp in #17229
tests: add bmpserver logging by @louis-6wind in #17207
bgpd: compare aigp after local route check in bgp_path_info_cmp() by @enkechen-panw in #17199
docs: Update evpn.rst by @systemcrash in #17255
pimd, tests: fix bsr assert and expand topotest to pimv6 by @Jafaral in #17216
lib, zebra: Keep zebra on-rib-process script in frr.conf by @ton31337 in #17160
isisd: fix change flex-algorithm number from uint32 to uint8 by @pguibert6WIND in #17250
bgpd: add bgp ipv6-auto-ra command by @Sokolmish in #16354
bgpd: fix display of local label in show bgp by @louis-6wind in #17243
vtysh: fix find and list commands by @eqvinox in #17200
Mrib nht wonky by @donaldsharp in #17254
zebra: add 'debug zebra srv6' command by @pguibert6WIND in #17257
ospfd:fix syntax of some ospf no commands by @Shbinging in #17189
bgpd: fix blank line in running-config with bmp listener cmd by @pguibert6WIND in #17278
bgpd: fix crash when polling bgp4v2PathAttrTable by @fdumontet6WIND in #17245
bgpd: fix prefix same as nexthop in label per nexthop by @lsang6WIND in #16990
isisd: The command "'show isis vrf all summary json" has no output. by @baozhen-H3C in #17190
tests: fix bmp tests random failure by @louis-6wind in #17226
bgpd: bestpath failure when you have a singlepath not in holddown by @donaldsharp in #17251
Bgp musings by @donaldsharp in #15563
doc: Use RST, not Markdown format for links by @ton31337 in #17311
doc: Create html_context before setting READTHEDOCS by @ton31337 in #17310
tests: respect RLIMIT_CORE hard limit by @liambrady in #17296
zebra: Add missing new line for help string by @ton31337 in #17318
tests: Add an ability to specify daemon params with unified config by @ton31337 in #17317
Add support to import alternate URIB tables into the main MRIB by @nabahr in #17281
Bgp update optimizations by @donaldsharp in #17327
Revert "ospfd: update ospf_asbr_status when using no_area_nssa command" by @donaldsharp in #17330
lib: Remove wheel name it is no longer used by @donaldsharp in #17329
tests: Do not set by default netlink receive buffer size for Zebra by @ton31337 in #17328
Clang 19 some more by @donaldsharp in #17230
ospfd: Fix opaque LSA refresh interval and modify LSA cmds. by @aceelindem in #17194
Remove event master free unused by @donaldsharp in #17280
Remove in6addr cmp by @donaldsharp in #17312
bgpd: Replace 128 with IPV6_MAX_BITLEN by @cscarpitta in #17335
zebra: Fix incorrect debug macros by @cscarpitta in #17334
doc: Fix a couple of misspellings in zebra documentation by @cscarpitta in #17333
tests: Remove unnecessary fields from expected JSON by @nabahr in #17332
zebra: On startup actually allow for nhe's to be early by @donaldsharp in #16960
nhrpd: fix passphrase handling, add topotest for resolution request by @jmuthiilabn in #17115
zebra: Don't display the vrf if not using namespace based vrfs by @donaldsharp in #16750
bgpd: Treat numbered community-list only if it's in a range 1-500 by @ton31337 in #17305
ospfd: Use router_id what Zebra has if we remove a static router_id by @ton31337 in #17319
zebra: fix missing kernel routes by @anlancs in #17326
ospfd: Fix assert in LSA refresh interval setting by @aceelindem in #17346
ospf6d: remove redundant null ptr check in ospf6_link_lsa_get_prefix_str() - CID 1599957 in #17364
ospf6d: remove redundant null ptr check in #17363
tests: Add a topology that supports a large number of ecmp by @donaldsharp in #17244
bgpd: Clear stale routes with multiple paths by @ton31337 in #17376
lib: Add ability to track time in individual routemaps by @donaldsharp in #12109
bgpd:support of color extended community color-only types by @guoguojia2021 in #17231
bgpd:support tcp-mss for neighbor group by @zice312963205 in #17341
Bgp withdraw and unlikely by @donaldsharp in #17384
lib: Initialize mbefore for route_map_apply_ext() by @ton31337 in #17386
bgpd: Fix for match source-protocol in route-map for redistribute cmd by @raja-rajasekar in #17362
bgpd: fix resolvedPrefix in show nexthop json output by @krishna-samy in #17409
bgpd: Reset BGP session only if it was a real BFD DOWN event by @ton31337 in #17344
isisd: fix crash when switching P2P after shutdowning LAN circuit by @baozhen-H3C in #17366
Add two RFCs for BGP to the list by @ton31337 in #17374
BGP BFD session things by @ton31337 in #17410
tests: clarify bgp_vpnv4_asbr by @louis-6wind in #17368
zebra, lib: use internal rbtree for per-NS tree of ifps by @mjstapp in #17297
debian: Add missing libprotobuf-dev to grpc profile by @piotrjurkiewicz in #17205
tests: add support for ospf instances with unified configs by @Jafaral in #17331
bgpd: Show neighbor advertised paths including addpath by @ton31337 in #17423
zebra: fix unguarded debug in evpn code by @mjstapp in #17426
bgpd: Fix color extended community parsing by @ton31337 in #17422
bgpd: Drop unsupported commands by @ton31337 in #17429
Zebra debug assert by @donaldsharp in #17433
bgpd: Fix color extended community parsing by @ton31337 in #17434
bgpd : backpressure - Fix to pop items off zebra_announce FIFO for few EVPN triggers by @raja-rajasekar in #17432
pim6d: support embedded-rp by @rzalamena in #16937
bgpd: Validate both nexthop information (NEXTHOP and NLRI) by @ton31337 in #17435
bgpd: Add more details to ebgp requires policy warning by @ton31337 in #17427
accords: guidelines/terms for FRRouting trademarks by @eqvinox in #17193
sharpd: Fix a few typos in CLI help messages by @cscarpitta in #17444
sharpd: Convert numeric 128 into IPV6_MAX_BITLEN for prefixlen by @cscarpitta in #17445
bgpd: Optimize the outbound path if RFC8212 is applied by @ton31337 in #17451
packaging: Use PCRE2 for .deb/.rpm builds by @ton31337 in #17375
bgpd: Optimize the way parsing communities if no community alias exists by @ton31337 in #17457
Lua casting by @ton31337 in #17456
pim6d: fix coverity scan warning by @rzalamena in #17455
tools: Fix syntax raw parsing for make-foobar helper by @ton31337 in #17453
isisd: properly display srv6 algorithm by @dmytroshytyi-6WIND in #17414
*: remove remaining strncpy() users by @eqvinox in #17156
bfdd: retain remote dplane client socket by @mjstapp in #17464
pimd: two small improvements by @rzalamena in #17468
ospfd: OSPF multi-instance default origination fixes by @aceelindem in #17436
Support bundle isis by @donaldsharp in #17476
pimd: MSDP logging improvements by @rzalamena in #17469
PIMD: Implement AutoRP mapping-agent by @nabahr in #17340
Bgp bfd and its ilk by @donaldsharp in #17473
tests: Ensure connected routes are installed before continuing by @donaldsharp in #17477
tools: Add pim show commands to support bundle by @csiltala in #17484
bgpd: Do not reset peers on suppress-fib toggling by @ton31337 in #17487
lib, zebra: Do not have duplicate memory type problems by @donaldsharp in #17492
tools: Add missing keywords in frr-reload by @cscarpitta in #17493
bgpd: Disable sending ROV extended community by default by @ton31337 in #17459
ospfd: Correct invalid SR-MPLS output label by @odd22 in #17495
tools: Add missing keyword encapsulation in frr-reload by @cscarpitta in #17498
tests: add bgp_vpnv4_route_leak_basic by @louis-6wind in #17369
Fix docker image for topotests by @ton31337 in #17509
bgpd: fix version attribute is an int, not a string by @pguibert6WIND in #17506
zebra: avoid a race during FPM dplane plugin shutdown by @mjstapp in #17504
bfdd: disable echo socket when not using it by @rzalamena in #16987
isisd: When the ISIS types of the routers do not match on a P2P link, the neighbor status remains UP by @zhou-run in #17219
two test cleanups by @donaldsharp in #14367
bgpd: Fix Graceful-Restart for peer-groups by @ton31337 in #17501
zebra: fix EVPN check vxlan oper up in vlan mapping by @chiragshah6 in #17483
bgpd: fix use single whitespace when displaying flowspec entries by @pguibert6WIND in #17510
Add some test cases, and some ability to see what is going on in zebra by @donaldsharp in #16878
More found connection conversion issues by @donaldsharp in #17385
zebra: EVPN fix code style in vlan vni map debugs by @chiragshah6 in #17519
doc:Fix bgp doc warning by @guoguojia2021 in #17527
bgpd: fix use real SID in BGP nexthop tracking by @pguibert6WIND in #15542
Docker: Add the ability to override the FRR UID during docker creation by @mikemallin in #17520
Bgp evpn rt5 routemap by @pguibert6WIND in #17491
nhrpd: fix show ip nhrp output by @louis-6wind in #16700
topotests: Allow runing under both docker and podman by @famfo in #17525
BMP test rework by @pguibert6WIND in #17306
Some cleanups by @donaldsharp in #17547
bgpd: Use peer group's member for BGP notify instead of the peer-group by @ton31337 in #17528
bgpd: Fix remote-as with peer-group by @ton31337 in #17542
zebra: separate zebra ZAPI server open and accept by @mjstapp in #17313
pimd: Fix access-list memory leak in pimd by @csiltala in #17518
lib: Fix session re-establishment by @donaldsharp in #17558
Fix bsd sockopt problem by @donaldsharp in #17571
lib: Print the reason why the route-map and/or the index parsing is done by @ton31337 in #17556
pimd: igmp proxy joins should not be written as part of config by @btrent98 in #17569
pimd: Prevent crash of pim when auto-rp's socket is not initialized by @donaldsharp in #17578
pimd: implement MSDP shutdown command by @rzalamena in #17502
lib: Speed up reconnection attempts for zapi by @donaldsharp in #17585
bgpd: fix unconfigure asdot neighbor by @pguibert6WIND in #17582
pimd: free igmp proxy joins on interface deletion by @btrent98 in #17570
Bfd shared network by @donaldsharp in #17600
Timer connect bgp vrf netns by @donaldsharp in #17579
bgpd: fix peer up message for loc-rib not sent by @pguibert6WIND in #17545
bgpd: Check if as_type is not specified when peer is a peer-group member by @ton31337 in #17603
doc: remove no-op "netns NAMESPACE" command from the docs by @idryzhov in #17538
zebra: use macro for one check by @anlancs in #17589
pimd: Extend multicast boundary/ACL functionality by @csiltala in #17461
bgpd: Import allowed routes with self AS if desired by @ton31337 in #17608
bgpd: Show which route-map is used when the prefix is filtered by route-map by @ton31337 in #17575
pimd: MSDP per peer SA limit by @rzalamena in #17521
bgpd: Fix bgp core with a possible Intf delete by @raja-rajasekar in #17624
BMP Peer Distinguisher support by @pguibert6WIND in #17555
Upstream some internal code by @donaldsharp in #17605
bgpd: Show which prefix is suppressed if debug out is enabled by @ton31337 in #17637
zebra: Remove tests for allocation failure by @donaldsharp in #17638
pimd: clean up MSDP code by @rzalamena in #17636
pimd: MSDP originador ID configuration by @rzalamena in #17622
bgpd: When calling bgp_process, prevent infinite loop by @donaldsharp in #17641
doc: Update the next release dates by @ton31337 in #17640
pim6d: fix crash on clear ipv6 mroute by @rzalamena in #17635
pimd,pim6d: optimize multicast prefix generation and fix coverity scan defect by @rzalamena in #17642
zebra: Give a bit more data about zclient connection on errors by @donaldsharp in #17646
tools: Add rip support bundle commands by @donaldsharp in #17645
Fix PIMD RPF lookup mode and nexthop tracking by @nabahr in #17252
bgpd: fix missing addpath withdrawal race condition by @louis-6wind in #16830
EVPN L2VNI/L3VNI Optimize inline Global walk for remote route installations by @raja-rajasekar in #17526
zebra: fix wrong nexthop status for kernel routes by @anlancs in #17544
lib: Take ge/le into consideration when checking the prefix with the prefix-list by @ton31337 in #17615
bgpd: Fix evpn bestpath calculation when path is not established by @donaldsharp in #17613
vlan-subif isis neigbor by @JosiahMg in #16488
bgpd: remove unneeded printfrr reg for pRN by @mjstapp in #17654
bgpd: Connect retry timer backoff by @ton31337 in #17599
tests: add a test case for static route propagation by @Jafaral in #17671
bgpd: Fix memory leak when creating BMP connection with a source interface by @ton31337 in #17675
bgpd: Validate only affected RPKI prefixes instead of a full RIB by @ton31337 in #17586
bgpd: add rpki json attributes to bgp path by @pguibert6WIND in #17670
pim: handle return code to fix a couple of coverity issues by @Jafaral in #17673
bgpd: fix memory leak when reconfiguring a route distinguisher by @pguibert6WIND in #17669
Fix 2 darr (dynamic-array) bugs by @choppsv1 in #17648
test: fix label ordering on error diff report by @choppsv1 in #17676
babel: Clean babel config on babel daemon stop by @ykholod in #17685
bgpd: add meta queue in bgp by @donaldsharp in #17619
lib: Fix to optimize the time taken while batching huge configs by @raja-rajasekar in #17672
bgpd: Fix show neighbor X advertised-routes detail by @ton31337 in #17674
mgmtd: fix compile error by @anlancs in #17704
doc: Fix SRv6 locator documentation by @cscarpitta in #17703
bgpd: Fix enforce-first-as per peer-group removal by @ton31337 in #17705
bgpd: Convert 16 to IPV6_MAX_BYTELEN by @cscarpitta in #17706
bgpd, lib: Use frrstr_time() when using ctime_r() by @ton31337 in #17684
zebra: Remove tests for srv6_locator_alloc failure by @cscarpitta in #17711
BGP Labelpool : Releasing the label in labelpool when VPN session gets removed by @varuntumbe in #17580
tests: enable test failure detection and fix resulting failures by @choppsv1 in #17647
tests: Fix markers in srv6_static_route topotest by @cscarpitta in #17718
isisd: fix srv6 exit statements by @jvoss in #17720
bgpd: Show prefix-related stats per neighbor by @ton31337 in #17734
tools: Add missing formats keyword to segment-routing in frr-reload by @jvoss in #17719
zebra: Fix resetting valid flags for NHG dependents by @raja-rajasekar in #17731
bgpd: add rpki current state by @dmytroshytyi-6WIND in #17728
bgpd: Clean address-family config on daemon restart by @ykholod in #17716
staticd: Reduce the frequency of adding routes by @guoguojia2021 in #17726
zebra:check DAD freeze action before notifying bgp by @chiragshah6 in #17737
isisd: Show correct level information for show isis interface detail json by @ton31337 in #17732
ospfd: Correct one word by @anlancs in #17762
babel: Clean babel related config on daemon stop by @ykholod in #17715
tools: Add missing rpki keyword to vrf in frr-reload by @jvoss in #17750
zebra: fix dpdk compilation error by @raja-rajasekar in #17752
bgpd: Use unique value for BGP_NEXTHOP_EVPN_INCOMPLETE flag by @ton31337 in #17770
bgpd: fix a bug in peer_allowas_in_set() by @enkechen-panw in #17780
bgpd: show json output changes to optimize various show commands by @krishna-samy in #17431
zebra: Fix ip protocol route-map issue. by @sougata-github-nvidia in #17474
bgpd: Withdraw routes without waiting for the coalescing timer to expire by @ton31337 in #17667
ospfd: fix wrong check for two commands by @anlancs in #17779
doc: fix building for alpine package path by @famfo in #17774
tests: improve test reliability by @choppsv1 in #17773
bgpd: Show ifindex for every BGP nexthop cache entry by @ton31337 in #17771
BMP handling of BGP configuration changes by @pguibert6WIND in #17733
ospfclient: fix crash due to streamwriter garbage collect by @Andrew-Dickinson in #17700
bgpd: Respect bgp bestpath missing-as-worst for table-map as well by @ton31337 in #17723
isisd: Allow full no form for domain-password and area-password by @ton31337 in #17725
Add new oper state get callback by @choppsv1 in #17783
New YANG notify msg fmt by @choppsv1 in #17782
fix xpath query on keyless list with positional predicate by @choppsv1 in #17781
improve error handling of operational state walk callback by @choppsv1 in #17772
tests: cleanup ospf6 ecmp inter area by @gromit1811 in #17707
bgpd: add a debug command for route aggregation by @enkechen-panw in #17778
lib: Fix privs syscaps (pset_t) allocation by @gromit1811 in #17795
libs: remove deprecated 'clear thread' cli by @mjstapp in #17798
lib: remove interface dead code by @louis-6wind in #17808
bgpd: fix crash in displaying json orf prefix-list by @louis-6wind in #17807
bgpd: apply route-map for aggregate before attribute comparison by @enkechen-panw in #17801
zebra: Fix leaked nhe by @donaldsharp in #17809
2 test fixes by @donaldsharp in #17805
ospf6d: guard a couple of debugs by @Jafaral in #17831
bgpd: fix memory leak in bgp_aggregate_install() by @enkechen-panw in #17811
bgpd: Fix showing default timers bgp x y by @ton31337 in #17830
bgpd: use igpmetric in bgp_aigp_metric_total() by @enkechen-panw in #17813
tests: avoid nondeterministic route by @Jafaral in #17829
tests: update munet to 0.15.3 by @choppsv1 in #17844
zebra: Optimize invoking nhg compare func by @raja-rajasekar in #17839
Add Ubuntu 24.04 docker image and developer build doc by @choppsv1 in #17843
tools: fix frr-reload for nbr deletion of no form cmds by @chiragshah6 in #17847
tests: remove unnecessary wildcard fields from pim acl test by @Jafaral in #17840
Ability to import BMP information from a separate BGP instance by @pguibert6WIND in #17639
doc: fix LaTex warnings, add documentation to build docs by @Jafaral in #17846
bgpd: remove unused safi in bgp_aggregate structure by @enkechen-panw in #17842
bgpd: fix churn of aggregate routes from duplicate config by @enkechen-panw in #17837
Lua 5.4 support by @ton31337 in #17806
ospfd: avoid the redundant timers by @anlancs in #17803
bgpd: Respect allowas-in value from the source VRF's peer by @ton31337 in #17800
pimd: fix BSR RPs timing out by @Jafaral in #17841
pimd: always write cand-rp group config even when rp is inactive by @Jafaral in #17850
zebra: avoid race between FPM pthread and zebra main pthread in netlink encode/decode by @mjstapp in #17581
operational-state (datastore) change notifications by @choppsv1 in #17796
bgpd: move bgp_aggregate_increment() after bgp_path_info_add() by @enkechen-panw in #17858
Active routes are active by @donaldsharp in #17859
bgpd: remove unused BATTR_REFLECTED for rmap_change_flags by @enkechen-panw in #17854
PIMD: RPF lookup mode per-group, per-source by @nabahr in #17776
mgmtd backend yang model (depends on #17796) by @choppsv1 in #17799
bgpd: Handle ENHE capability via dynamic capability by @ton31337 in #17855
Bgp connect refactor by @donaldsharp in #17810
topotests: improve test reliability by @rzalamena in #17838
ldp snmp/grpc test fix by @choppsv1 in #17862
lib: introduce global -w option for VRF netns backend by @idryzhov in #17727
limit community list count by @pguibert6WIND in #17836
zebra: Uninstall NHG in some situations by @donaldsharp in #17814
tests: ci: add ARM to docker based CI test by @choppsv1 in #17880
Handle datastore notifications correctly in backend clients (daemons) by @choppsv1 in #17876
lib: fix dnode_create to use correct libyang function. by @choppsv1 in #17884
staticd: Add support for SRv6 Static SIDs by @Yubin-Li in #16894
tools: fix regression in gen_northbound_callback tool by @choppsv1 in #17885
Bgp unnumbered interface json by @pguibert6WIND in #17874
small mgmtd-dev doc update and yanglint cleanup by @choppsv1 in #17882
tests: Fix test_bgp_dynamic_capability_enhe topotest by @ton31337 in #17883
tools: fix reload interface deletion by @jklaiber in #16723
bgpd: Fix for local interface MAC cache issue in 'bgp mac hash' table by @krishna-samy in #17888
Fix Rocky 8 RPMs, add options to build without rpki and docs (default is to include) by @louberger in #17793
lib: fix coverity use after free issue: CID 1620101 by @choppsv1 in #17895
bgpd: fix do not send twice peer up/down messages by @pguibert6WIND in #17894
tests: remove table version check in bgp rpki topo1 by @louis-6wind in #17889
bgpd: fix evpn path info get api by @chiragshah6 in #17899
bgpd: fix bfd with update-source in peer-group by @louis-6wind in #17904
bgpd, tests: bgp_evpn_rt5, add test with match evpn vni command by @pguibert6WIND in #17652
zebra: Return error if v6 prefix is passed to show ip route by @Pdoijode in #17898
bgpd: Fix bgp peer solo option by @askorichenko in #17911
redhat: Specify minimum libyang version requirement by @mwinter-osr in #17912
isisd: fix duplicate rfc8919 defines by @pguibert6WIND in #17917
Revert "bgpd: Handle Addpath capability using dynamic capabilities" by @ton31337 in #17926
Bgp suppressed attribute by @pguibert6WIND in #17919
Advertised routes incorrect json by @pguibert6WIND in #17905
bgpd,lib,zebra: permit table-direct on VRFs by @rzalamena in #17736
bgpd: Check if the peer really exists before sending dynamic capability by @ton31337 in #17863
bgpd: last reset SNAFU by @ton31337 in #17881
bgpd: Optimize evaluate paths for a peer going down by @donaldsharp in #17924
Isis srv6 topo1 ping by @pguibert6WIND in #17848
ospfd: Prune duplicate next-hop when installing into zebra route table. by @aceelindem in #17906
bgpd: fix table-map option by @askorichenko in #17802
static: fix botched staticd YANG conversion for dst-src by @eqvinox in #17941
tools: Fix frr-reload for ebgp-multihop TTL reconfiguration. by @bobuhiro11 in #17946
zebra: include resolving nexthops in nhg hash by @mjstapp in #17935
pimd: Close AutoRP socket when not needed by @nabahr in #17934
isisd: fix erroneous srv6 information in database by @pguibert6WIND in #17956
bgpd: With suppress-fib-pending ensure withdrawal is sent by @donaldsharp in #17971
bgpd: add config default for "route-reflector allow-outbound-policy" by @enkechen-panw in #17972
Fix SRv6 SID Manager by @cscarpitta in #17964
bgpd: Do not ignore auto generated VRF instances when deleting by @ton31337 in #17947
staticd: Fix NULL pointer dereference when receiving ZAPI_SRV6_SID_RELEASED notification by @cscarpitta in #17979
bgpd: Release SID on router deletion by @Sokolmish in #17913
libs: return from change_caps if no caps by @mjstapp in #17970
staticd: Fix wrong xpath in no sid X:X::X:X/M by @cscarpitta in #17989
bgpd: add config default for "bgp bestpath aigp" by @enkechen-panw in #17990
implement SBFD by @forrestchu in #17336
lib: fix use after free in clear event cpu by @eqvinox in #17943
zebra: fix evpn svd hash avoid double free by @chiragshah6 in #17991
bgpd: fix route-distinguisher in vrf leak json cmd by @chiragshah6 in #17992
zebra: Ensure dplane does not send work back to master at wrong time by @donaldsharp in #17969
bgpd: Do not start BGP session if BGP identifier is not set (backport #17959) by @mergify in #18006
bgpd: Fix up memory leak in processing eoiu marker (backport #18000) by @mergify in #18019
pimd: fix memory leak and assign allocation type (backport #18038) by @mergify in #18043
Coverity 2024 new hotness (backport #17865) by @mergify in #18042
pimd: Fix for FHR mroute taking longer to age out (backport #14105) by @mergify in #18053
bgpd: fix bgp vrf instance creation from implicit (backport #18081) by @mergify in #18099
bgpd: Request SRv6 locator after zebra connection (backport #18069) by @mergify in #18115
nhrpd: fix dont consider incomplete L2 entry (backport #18078) by @mergify in #18112
lib: crash handlers must be allowed on threads (backport #18060) by @mergify in #18101
lib: actually hash all 16 bytes of IPv6 addresses, not just 4 (backport #17901) by @mergify in #18083
pimd: fix DR election race on startup (backport #18048) by @mergify in #18056
bgpd: fix incorrect JSON in bgp_show_table_rd (backport #18120) by @mergify in #18133
Cid 1636504 (backport) by @ton31337 in #18132
Bfd fixups (backport #18026) by @mergify in #18129
bgpd: release manual vpn label on instance deletion (backport #18121) by @mergify in #18154
staticd: Fix SRv6 SID installation and deletion (backport #18064) by @mergify in #18151
lib: fix false context information for SRv6 route (backport #18023) by @mergify in #18146
bgpd: fix vty output of evpn route-target AS4 (backport #18109) by @mergify in #18183
isisd: Request SRv6 locator after zebra connection (backport #18178) by @mergify in #18179
bgpd: When removing the prefix list drop the pointer (backport #18160) by @mergify in #18166
bgpd: Fix crash in bgp_labelpool (backport #18079) by @mergify in #18143
lib: nb: call child destroy CBs when YANG container is deleted (backport #18082) by @mergify in #18191
bgpd: fix default instance when leaving the hidden state (backport 10.3) by @louis-6wind in #18162
pimd: Fix for data packet loss when FHR is LHR and RP (backport #14227) by @mergify in #18203
pimd: Fix PIM VRF support (send register/register stop in VRF) (backport #18216) by @mergify in #18248
pim: Fix vrf binding of autorp and mroute socket (backport #18226) by @mergify in #18246
pim: Fix autorp group joins (backport #18225) by @mergify in #18244
Fix oper-state queries that involve choice/case nodes (backport #18231) by @mergify in #18232
bgpd: remove dmed check not required in bestpath selection (backport #18210) by @mergify in #18227
Revert "bgpd: fix default instance when leaving the hidden state (backport 10.3)" #18162 by @Jafaral in #18255
pimd: During prefix-list update, behave as PIM_UPSTREAM_NOTJOINED sta… (backport #17666) by @mergify in #18207
bgpd: fix default instance when leaving the hidden state. (backport #18119) by @louis-6wind in #18272
mgmtd: Prevent use after free (backport #18264) by @mergify in #18279
staticd: Add no form for static-sids command (backport #18263) by @mergify in #18284
ospf6d: Fix use after free of router in OSPFv3 ABR route calculation. (backport #18254) by @mergify in #18265
staticd: Fix no srv6 command (backport #18289) by @mergify in #18292
isisd: Correct edge insertion into TED (backport #18294) by @mergify in #18296
tools: Fix frr-reload.py error related to static-sids (backport #18290) by @mergify in #18291
Bring in 2 northbound bug-fixes from master to 10.3 by @choppsv1 in #18302
pimd: Fix PIM6 MLD VRF support (use recvmsg() pktinfo) (backport #18315) by @mergify in #18332
zebra: Bring up 514 BGP neighbor sessions (backport #18214) by @mergify in #18331
Documentation typesafe (backport #18338) by @mergify in #18352
Topotest startup order (backport #18348) by @mergify in #18353
10.2.3
Bug Fixes
babeld
Check valid babel port
Fix incorrect type assignment in parse_request_subtlv
bgpd
Do not call evpn_overlay_free no matter what
Fix set evpn gateway-ip ipv[46] route-map
Fix holdtime not working properly when busy
Fixed crash upon bgp network import-check command
In bgp_update() for mac addrs ensure we are dealing with evpn
Prevent crash when issuing a show rpki connections
Retain the routes if we do a clear with n-bit set for graceful-restart
Treat the peer as not active due to bfd down only if established
Fix incorrect bestpath reasoning in some situations
Fix show bgp vpn rd json
Fix to show exist/non-exist-map in 'show run' properly
Add total path count for bgp net in json output
bfdd
On shutdown prefix/access list memory was being leaked
isisd
Fix srv6_sid memory leak
lib
Create vrf if needed
Return duplicate ipv6 prefix-list entry test
Return duplicate prefix-list entry test
ldpd
Free up leaked prefix-list memory on shutdown
nhrpd
Add hop count validation before forwarding in nhrp_peer_recv()
ospf6d
Disable and delete ospfv3 areas that no longer have interfaces or configuration.
Fix lsa memory leaks related to graceful restart
ospfd
Prune duplicate next-hops when installing into zebra
Fix crash when ospf client connects before doing 'router ospf'
pimd
Fix for crash during networking restart
Fix memory leak on shutdown
Initialize gm proxy to false
zebra
Do not flush an existing vni configuration trying to remove wrong vni
Ensure proper return for failure for sid allocation
Prevent vrf table 254 being used by non-default vrf
Fixes allowing srv6 func-bits length 0
10.2.2
Bug Fixes
bgpd
Allow bfd to work if peer known but interface address not yet
Apply route-map for aggregate before attribute comparison
Do not ignore auto generated vrf instances when deleting
Do not start bgp session if bgp identifier is not set
Do not try to uninstall bfd session if the peer is not established
Don't reuse nexthop variable in loop/switch
Fix a bug in peer_allowas_in_set()
Fix add label support to evpn ad routes
Fix bfd with update-source in peer-group
Fix bgp label evpn cid 1636504
Fix bgp orf prefix-list json prefix
Fix bgp peer solo option
Fix bgp vrf instance creation from implicit
Fix crash in bgp_labelpool
Fix crash in displaying json orf prefix-list
Fix deadlock in bgp_keepalive and master pthreads
Fix duplicate bgp instance created with unified config
Fix for local interface mac cache issue in 'bgp mac hash' table
Fix import vrf creates multiple bgp instances
Fix incorrect json in bgp_show_table_rd
Fix memory leak in bgp_aggregate_install()
Fix route-distinguisher in vrf leak json cmd
Fix static analyzer issues around bgp pointer
Fix table-map option
Fix vty output of evpn route-target as4
Fix wrong pthread event cancelling
Remove dmed check not required in bestpath selection
Request srv6 locator after zebra connection
Reset bgp session only if it was a real bfd down event
Respect allowas-in value from the source vrf's peer
Simplify bgp_evpn_process_rt1 with label
Update source address for bfd session
Use igpmetric in bgp_aigp_metric_total()
When bgp notices a change to shared_network inform bfd of it
When removing the prefix list drop the pointer
With suppress-fib-pending ensure withdrawal is sent
Revert: Handle addpath capability using dynamic capabilities
Revert: Reinstall aggregated routes if using route-maps and it was changed
isisd
Add helper function to request srv6 locator information
Allow full no form for domain-password and area-password
Correct edge insertion into ted
Request srv6 locator after zebra connection
Show correct level information for show isis interface detail json
lib
Clean up nexthop hashing mess
Crash handlers must be allowed on threads
Fix false context information for srv6 route
Guard against padding garbage in zapi read
Nb: call child destroy cbs when yang container is deleted
mgmtd
Prevent use after free
nhrpd
Fix dont consider incomplete l2 entry
ospf6d
Fix use after free of router in ospfv3 abr route calculation.
pbrd
Initialize structs used in hash_lookup
pimd
Always write cand-rp group config even when rp is inactive
Close autorp socket when not needed
During prefix-list update, behave as pim_upstream_notjoined state (conformance issue)
Explicitly ensure the rp src is bsr
Fix autorp group joins
Fix bsr rps timing out
Fix dr election race on startup
Fix for data packet loss when fhr is lhr and rp
Fix for fhr mroute taking longer to age out
Fix memory leak and assign allocation type
Fix pim vrf support (send register/register stop in vrf)
Fix pim6 mld vrf support (use recvmsg() pktinfo)
Fix vrf binding of autorp and mroute socket
tests
Add a test that shows the v6 recursive nexthop problem
Bgp_srv6_sid_reachability should give more time
Bgp_srv6l3vpn_to_bgp_vrf3 needs more time
Check if allow as-in works when importing between local vrfs
tools
Add missing formats keyword to segment-routing in frr-reload
Add missing rpki keyword to vrf in frr-reload
Fix frr-reload for ebgp-multihop ttl reconfiguration.
zebra
Ensure dplane does not send work back to master at wrong time
Evpn svd hash avoid double free
Fix leaked nhe
Fix resetting valid flags for nhg dependents
Guard against junk in nexthop->rmap_src
Include resolving nexthops in nhg hash
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 19 Jun 2025 16:04:18 +0000 (18:04 +0200)]
setup: v2 Fixes bug10245 - removal of so called non-local network stop
- In the setup menu if the OK button is pressed when it asks if you want to change any
of the interfaces then the red, blue and orange interfaces are stopped. However if
none of the interfaces are changed then the network restart code does not get used.
- This results in the system ending up with only the green interface being UP and
connected.
- This patch removes the command that stops the red, blue & orange interfaces but leaves
the green one running. It seems to not be needed and if the OK button is pressed
on the Drivers and card assignments window but no change made then the IPFire system
is left with only the green interface connected.
- This command has been present since at least Core Update 30 and the bug was originally
raised in 2012.
- I tested out this v2 code on my vm testbed and everything worked fine and if any
change was made then when leaving the Networking section the Network and Unbound were
restarted.
Fixes: bug10245 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 23 Jun 2025 08:02:30 +0000 (10:02 +0200)]
netatalk: Update to version 4.2.4
- Update from version 3.2.8 to 4.2.4
- Patch for removal of prefix for sysconfdir and localstatedir has been removed as there
is an alternative way to define the required paths using meson options.
- The -Dwith-embedded-ssl option is no longer needed as the embedded WolfSSL has been
removed from netatalk
- Update of rootfile
- netatalk now requires the iniparser package as their own hacked version has been
removed. So iniparser has been added in another patch in this patch set.
- Changelog
4.2.4
* FIX: uams: Check for const pam_message member of pam_conv, GitHub #2196
Makes it possible to build on Solaris 11.4.81 CBE
* FIX: meson: Avoid build error in incomplete Homebrew env, GitHub #2190
* UPD: meson: Build with Homebrew libraries is now opt-in, GitHub #2194
To opt in to build against Homebrew, use -Dwith-homebrew=true
* UPD: docs: Improve afpd and macipgw man pages, GitHub #2155
4.2.3
* FIX: Properly read from afp.conf file passed with -F parameter, GitHub #2150
* FIX: Read the appletalk option only when built with DDP, GitHub #2149
* UPD: Consistently return exit code 0 after daemon version info, GitHub #2151
* UPD: libatalk: MySQL query error log level is dropped to debug, GitHub #2143
* UPD: initscripts: Improvements to netatalk OpenRC init script, GitHub #2148
* FIX: meson: enhance iconv detection when cross compiling, GitHub #1921
* UPD: docs: Cross-platform friendly docs for CNID statedir, GitHub #2146
4.2.2
* NEW: cnid: Create MySQL database automatically if needed, GitHub #2119
* UPD: meson: Use pandoc to build documentation when available, GitHub #2127
* UPD: meson: Generate the html manual with plain cmark, GitHub #2134
* NEW: docker: Support for the mysql CNID backend in container, GitHub #2116
* NEW: docker: Containerized netatalk webmin module, GitHub #1463
* NEW: docker: Introduce option to enable extension mapping, GitHub #2125
* NEW: docker: Introduce option for disabling Spotlight, GitHub #2128
* NEW: webmin: UI for editing of the extmap.conf file, GitHub #2129
* NEW: webmin: Introduce option for hiding service controls, GitHub #2133
* FIX: webmin: Correct handling of volume and preset names, GitHub #2130
* FIX: webmin: Treat uams_randnum.so as a standard UAM, GitHub #2131
* FIX: docs: More portable man page markdown source syntax, GitHub #2114
* FIX: docs: Properly build the localized html manual, GitHub #2136
* FIX: docs: Overhauled markdown styles of whole manual, GitHub #2138
4.2.1
* NEW: meson: Introduce option to control state dir creation, GitHub #2070
Introduces the with-statedir-creation boolean option, true by default
* NEW: meson: Option for controlling CUPS backend installation, GitHub #2071
Introduces with-cups-pap-backend (boolean, default false)
and with-cups-libdir-path (string)
* FIX: meson: Generate Unicode lookup table sources before use, GitHub #2072
* FIX: libatalk: Work around DSIWrite() bug in AppleShare Client 3.7.x,
GitHub #2085
* FIX: libatalk: Restore cnid mysql pw option that had fallen off
which makes the mysql backend usable again, GitHub #2112
* FIX: afpd: Don't lose extension mapping on macOS hosts, GitHub #2092
* FIX: afpd: Fall back to ea = none rather than ea = ad when
the filesystem EA support check fails, GitHub #2103
* UPD: webmin: Print volume name + section name in volumes list, GitHub #2073
* FIX: webmin: Sort lists of index page items in alphabetical order,
GitHub #2074
* FIX: webmin: Return to the correct index tab from other actions, GitHub #2075
* UPD: testsuite: Print a detailed test summary after spectest run, GitHub #2095
* UPD: testsuite: Break out separate FPGetExtAttr test module, GitHub #2104
* UPD: testsuite: Print usage helptext when running test binaries
without params, GitHub #2111
* UPD: docs: Major additions to the afptest man page, GitHub #2100
* NEW: docs: bstring README with redistribution notes and LICENSE,
GitHub #2077
* FIX: docs: Improve verbiage in signature and UUID man pages, GitHub #2084
* UPD: docs: Transition Compilation from manual chapter to readme, GitHub #2106
* UPD: docs: Reduce overlap between install chapter and install readme,
GitHub #2107
4.2.0
* NEW: Link with shared iniparser library instead of vendored one, GitHub #1948
- Makes iniparser a mandatory dependency
- Our own hacked iniparser is now removed, which has a few side effects
- Volume section names are now case insensitive, forced to lower case
- The include directive is no longer supported (for now)
* NEW: afpd: Introduce afp.conf 'volume name' Volume option, GitHub #1976
* NEW: afpd: Introduce 'server name' Global option in afp.conf, GitHub #1974
* NEW: docs: Convert documentation from XML to Markdown format,
introducing cmark dependency instead of docbook-xsl, GitHub #1905
* NEW: docs: Generate local html manual with only core pages, GitHub #1969
* NEW: docker: Introduce dropbox mode option for guest access, GitHub #1981
* NEW: docker: New and improved env variable options including debug mode,
GitHub #1977, #1979
* UPD: Control metadata settings with 'ea' solely,
removing 'appledouble' option, GitHub #1983
* UPD: afpd: Use servername for ASP connections with hostname fallback,
GitHub #1978
* UPD: afpd: Refactor FCE file skip logic, make comma the standard delineator,
GitHub #1997
* UPD: libatalk: Use getaddrinfo() instead of deprecated gethostbyname(),
GitHub #1934
* UPD: meson: Introduce with-unicode-data option to build case tables,
GitHub #1928
* UPD: meson: Clean up obsoleted compatibility macros, GitHub #2035
* UPD: meson: Cross-platform crypt library detection, GitHub #2036
* UPD: Improve and harden the FCE listener app,
rename it to fce_listen and install with Meson, GitHub #2063
* FIX: afpd: Register FCE file creation event when copying files, GitHub #2027
* FIX: afpd: Use getpwnam_shadow() for basic auth on OpenBSD, GitHub #2040
* FIX: libatalk: Use unspecified network stack by default on OpenBSD,
GitHub #2044
* FIX: uams: Support for OpenBSD flavor crypt_checkpass()
for password validation, GitHub #2037
* FIX: Fix ad cp loss of FinderInfo, GitHub #2058
* FIX: Fix for CNID error with ad mv utility, GitHub #2060
* FIX: Apply additional hardening to the Netatalk Metadata EA handling,
GitHub #2059
* FIX: Avoid TOCTOU race conditions in libatalk code, GitHub #1938, #1936
* FIX: Fix high severity memory safety bugs, GitHub #1966
* FIX: Protect against memory leaks and out of bounds array access,
GitHub #1989
* FIX: bstrlib: Protect against buffer overflow, null pointer dereference,
GitHub #1987
* FIX: libatalk: Refactor vfs write_ea() to avoid TOCTOU race condition,
GitHub #1965
* FIX: libatalk: Refactor vfs ea_open() to avoid TOCTOU race condition,
GitHub #1964
* FIX: uams: Check account validity after calling pam_authenticate(),
GitHub #1935
* FIX: uams: Validate PAM account after root auth in DHX2 UAM, GitHub #1937
* FIX: uams: Return properly when ClearTxt shadow password has expired,
GitHub #2041
* FIX: getzones: do not attempt to bind to the address we're also sending to,
GitHub #2051
* FIX: libatalk: Improved logging when charset conversion fails,
GitHub #1952
* FIX: webmin: Add RandNum UAM option to Global config, GitHub #2047
* REM: Remove traces of unsupported LDAP SASL auth, GitHub #1925
* REM: Remove standards.h with macros that are defined by the build system,
GitHub #1988
* REM: Eliminate obsoleted NO_REAL_USER_NAME capability flag macro,
GitHub #2018
* REM: meson: Remove legacy IRIX XFS extended attributes API, GitHub #2052
4.1.2
* UPD: meson: Look for shared Berkeley DB library in versioned subdir too,
to detect the library in the MacPorts build system, GitHub #1909
* FIX: webmin: Redirect back to the originating module index tab
when returning from actions, GitHub #1915
* FIX: webmin: Fix '-router' switch in Webmin atalkd module, GitHub #1943
* FIX: webmin: Fix a default value helptext string, GitHub #1946
* UPD: Add GPL v2 license grant to mysql CNID backend code, GitHub #1874
4.1.1
* NEW: meson: Introduce with-bdb-include-path override option, GitHub #1908
* FIX: meson: Restore prioritized Berkeley DB detection, GitHub #1877
Fixes a regression when building on Arch Linux.
* FIX: meson: Detect file command dynamically for NixOS, GitHub #1907
* FIX: meson: Remove libquota check that breaks NetBSD, GitHub #1900
* FIX: docs: Consolidate redundant CNID and encoding info, GitHub #1880
* FIX: afpd: Log an error when directory has invalid did, GitHub #1893
* FIX: macipgw: Don't crash when config file is missing, GitHub #1891
* FIX: macipgw: Disable default options in macipgw.conf, GitHub #1876
* UPD: macipgw: Print usage notes for the -f option, GitHub #1898
* FIX: Prevent a number of illegal null pointer calls, GitHub #1894
4.1.0
* NEW: afpd: Add native metadata storage for macOS hosts, GitHub #1813
* FIX: afpd: Do not report old AFP versions when AppleTalk support
is disabled, GitHub #1846
* REM: Remove 'start tracker' and 'start dbus' afp.conf options, GitHub #1848
* REM: Remove the running of AFP commands with root privileges, GitHub #1849
* FIX: libatalk: Loosen AppleDouble checks for macOS, GitHub #1829
* FIX: libatalk: Protect Netatalk metadata EA from tampering, GitHub #1855
* FIX: Refactor retrieval of native FinderInfo EA on macOS hosts, GitHub #1858
* NEW: macipgw: Introduce a configuration file, GitHub #1852
* UPD: macipgw: Default port value for zip/ddp service, GitHub #1836
This should get the gateway working on musl systems (OpenWrt)
* FIX: afppasswd: Safe password string handling, GitHub #1845
* NEW: meson: Introduce with-kerberos-path option for custom dependency path,
which can be used for Heimdal compatibility, GitHub #1822
* UPD: meson: Define lockfiles through the Meson build system, GitHub #1850
Meson's with-lockfile-path now points to the lockfile root
* UPD: meson: Detect lib paths within Homebrew build system, GitHub #1833
* FIX: meson: Correctly detect bundled iconv on OpenWrt, GitHub #1857
* UPD: meson: Link papd with cups only when cups is enabled, GitHub #1862
* UPD: initscripts: Disable fork safety workaround for macOS, GitHub #1810
* UPD: initscripts: Start in non-forking mode with launchd, GitHub #1859
* UPD: docs: Correct atalkd.conf documentation, GitHub #1818
* FIX: docs: Fixes for spelling and grammar, GitHub #1856
* UPD: docs: Clarify the behavior of the -d option for daemons, GitHub #1861
* NEW: testsuite: Introduce -X option for running on big-endian systems,
specifically s390x, GitHub #1817
* FIX: testsuite: Cross-platform compatible file ID tests, GitHub #1826
* FIX: testsuite: Don't attempt unauthorized file renaming in Error tests,
GitHub #1828
* FIX: testsuite: Clean up after execution of encoding test, GitHub #1832
* FIX: testsuite: Free memory after running tests, GitHub #1866
* FIX: testsuite: Improve memory management in lantest, GitHub #1868
* UPD: Rename apple_dump script to addump, GitHub #1811
* UPD: webmin: Restructure index page into three tabs, GitHub #1785
* UPD: docker: Bump base image to Alpine 3.21, GitHub #1842
4.0.8
* UPD: Set resource max limit to 10240 on macOS, GitHub #1793
Compatibility with older macOS hosts such as 10.15 Catalina.
* UPD: meson: Allow building papd without CUPS, GitHub #1774
Activate the override with: -Dwith-cups=false
* UPD: meson: Favor openldap when building on macOS, GitHub #1792
Avoids linking with macOS LDAP.Framework by default.
* UPD: meson: Improved libquota detection on FreeBSD and NetBSD, GitHub #1805
* FIX: meson: DocBook detection stops at first hit, GitHub #1800
Detect xsl-stylesheets-nons with higher priority than xsl-stylesheets;
-Dwith-docbook-path is now a hard override
* UPD: docs: Clarify D-Bus and GLib dependencies in the Install chapter,
GitHub #1798 GitHub #1799
* FIX: docs: Document that DocBook XSL has to be non-namespaced, GitHub #1800
* FIX: testsuite: Retry logic for final cleanup step in test358, GitHub #1795
4.0.7
* FIX: Remove bitrotted code in the bstring library, GitHub #1769
This was a regression between netatalk 3.2 and 4.0.
* FIX: meson: Check for SunRPC function quota_open(), GitHub #1225
This should enable build with quota on *BSDs.
* FIX: meson: *BSD compatible libwrap check, GitHub #1770
* NEW: meson: Add option with-manual=man_only
which compiles and installs only troff pages, GitHub #1766
* NEW: meson: Option to specify path to perl runtime, GitHub #1776
* UPD: meson: Flip order of Berkeley DB version detection, GitHub #1771
A more recent version of dbd is now prioritized over older ones.
* FIX: meson: Don't attempt to detect shadow passwords
on *BSD and macOS, GitHub #1777
* FIX: meson: Configure dbus paths and config files only if dbus exists,
GitHub #1773
* FIX: meson: Don't define spooldir when building without papd, GitHub #1786
* UPD: meson: Generate appendix XML sources via with-manual=www
and allow custom manual install path with with-manual-install-path,
GitHub #1781
(This is useful primarily for project maintainers.)
* UPD: docs: Only compile and install appletalk documentation when
with-appletalk=true, GitHub #1753
* UPD: docs: Overhaul of man page Synopsis sections, GitHub #1765
* UPD: docs: Refer to CONTRIBUTORS hosted on netatalk.io in man pages,
GitHub #1767
4.0.6
* FIX: Workaround for bug in AppleShare Client 3.7.4, GitHub #1749
Only report support of AFP 2.2 and later to DSI (TCP) clients
which shaves several bytes off the server response
and lowers the chance of >512 byte FPGetSrvrInfo response.
* UPD: All AppleTalk daemons now take -v to print version info, GitHub #1745
* FIX: `ad find' can take any kind of string, not just lowercase, GitHub #1751
* UPD: meson: Default to no init scripts if service management command
not found, GitHub #1743
* FIX: Include config.h by relative path consistently (cleanup) GitHub #1746
* FIX: Remove duplicate header includes in MySQL CNID backend, GitHub #1748
* FIX: docs: Fix formatting of afppasswd man page, GitHub #1750
* FIX: webmin: Properly install netatalk-lib.pl, GitHub #1752
4.0.5
* UPD: Distribute pre-generated Unicode table sources, GitHub #1724
This reverts the previous change in v4.0.0 removing these sources.
We retain the ability to regenerate them on the fly,
if Unicode character database is found by the build system.
Built with UnicodeData.txt version 16.0.
This also removes hard Perl and Unicode dependencies.
* NEW: afpd: Fallback to new DSI icon when no icon defined, GitHub #1729
* FIX: atalkd: Don't send NBP Reply packets from the loopback interface,
addressing side effect in Linux kernel 6.9+ GitHub #1734
* FIX: docs: Strip out linebreak escapes in Compile appendix, GitHub #1733
* FIX: docs: Remove straggler afp_encodingtest.1 man page alias, GitHub #1728
* FIX: macipgw: On MACIP_ASSIGN, prepopulate the newly-assigned IP address
into the arp cache to avoid warning on Linux, GitHub #1727
* NEW: macipgw: Add command-line option to drop root privileges
after the server has been started, GitHub #1727
* FIX: macipgw: Fix argument handling in main() for aarch64 compatibility,
GitHub #1735
* FIX: webmin: Revert default dir detection to address
critical regression bug, GitHub #1736
* FIX: testsuite: Exit tests with the Exclude flag early, GitHub #1737
* FIX: testsuite: Longer sleep time after file operation in test358,
GitHub #1739
* FIX: testsuite: Make Utf8 tests big-endian safe, GitHub #1740
4.0.4
* FIX: Fix loss of FinderInfo on resource fork creation with
AppleDouble EA backend, GitHub #1702
* FIX: Remove remnants of obsoleted DEBUG compile time flag, GitHub #1696
- Fixes compile time error on MUSL systems when building with AppleTalk
- When building debug builds, the EBUG flag is now activated
- Print build type in the Meson summary
* FIX: meson: Detect rresvport() function in system libraries, GitHub #1697
- Local rresvport() code was previously behind a broken MUSL flag
- Enables building with AppleTalk on OpenWrt
* FIX: meson: Fix build fail with -Dwith-spotlight=false, GitHub #1715
* FIX: docker: Explicitly launch the cupsd daemon on startup, GitHub #1707
* NEW: docs: Create manual page for `afptest' (testsuite) tools, GitHub #1695
* UPD: docs: Bring CONTRIBUTORS up to date, GitHub #1722
* UPD: testsuite: Consolidate afp_ls as a command in afparg, GitHub #1705
- Add `FPEnumerate dir' as an afparg command
- Remove `afp_ls' as a separate executable
* UPD: testsuite: Merge encoding test into spectest, GitHub #1716
- Add `Encoding' as a testset in the spectest
- Rewrite the `western' test to use Unicode for the same characters
- Remove `afp_encodingtest' as a separate executable
* UPD: testsuite: Collapse spectest into a single suite, GitHub #1713
The testsuite groupings have been removed, and all spectests
are in a single suite. The tier 2 tests are enabled with
the -c option. The sleep and readonly tests can be run with
the -f option.
* UPD: testsuite: Enable Color terminal output by default,
and flip the -C option, GitHub #1708
* UPD: testsuite: Print a test summary for the spectest, GitHub #1708
* UPD: testsuite: Treat `Not Tested' as a failure again, GitHub #1709
* FIX: testsuite: Use AFPopenLogin() for FPopenLoginExt() as bug workaround
to enable testing of AFP 3.x connections, GitHub #1709
* UPD: testsuite: Install test data for test431 into the datadir, GitHub #1712
* FIX: testsuite: Workarounds for MUSL system calls default permissions,
which enables the testsuite to run on Alpine Linux, GitHub #1682
* UPD: testsuite: Break down login testsuite into atomic tests, GitHub #1717
* UPD: testsuite: Use AFP 3.4 by default (previously: AFP 2.1), GitHub #1718
* UPD: testsuite: Use the Exclude flag to skip test that require setup,
previously used to skip known buggy tests, GitHub #1720
* FIX: testsuite: Improvements to test setup, cleanup, and early failure
4.0.3
* FIX: afpd: Limit FPGetSrvrInfo packet for AppleTalk clients, GitHub #1661
This prevents errors with very old clients
when many AFP options are enabled.
* FIX: Fix EOF error reporting in dsi_stream_read(), GitHub #1631
This should prevent warnings such as:
`dsi_stream_read: len:0, unexpected EOF'
* FIX: Fix regression when accessing the afpd UUID, GitHub #1679
Resolves an error when running the `ad' utilities.
* FIX: meson: Fix indexer path detection on meson 1.6, GitHub #1672
* FIX: meson: Fix PAM config directory detection, GitHub #1678
* FIX: meson: Shore up Unicode char table script error handling and detection,
GitHub #1692
* FIX: initscripts: Remove redundant nbpunrgstr cleanup
in atalkd systemd config, GitHub #1660
* NEW: docker: Containerized testsuite, GitHub #1649
* UPD: docker: Register the conventional NBP entities when starting up,
GitHub #1653
* UPD: docker: Remove file/dir perm settings that were causing problems
* FIX: testsuite: Treat NOT TESTED spectest result as non-failure,
GitHub #1663
* FIX: testsuite: Don't treat initial spectest.sh run as a failure,
GitHub #1664
* UPD: testsuite: Reduce default log verbosity for better test reports,
introducing two verbosity levels (-v, -V), GitHub #1665
* UPD: testsuite: Reposition the Exclude option (-x)
to flag known failures with Netatalk 4.0
* UPD: testsuite: Install all test runners and utils, GitHub #1675
* FIX: testsuite: Link test executables with -rdynamic
to allow sole test case runs with -f, GitHub #1690
* UPD: testsuite: Consolidate spectest into a single binary, GitHub #1693
4.0.2
* NEW: Bring back Classic Mac OS `legacy icon' option, GitHub #1622
* UPD: Spotlight: Support TinySPARQL/LocalSearch, GitHub #1078
* FIX: ad: Fix volume check for the AppleDouble toolsuite, GitHub #1605
Check was failing if the `ea = ad' option was set.
* FIX: meson: Refactor Berkeley DB detection for robustness, GitHub #1604
* UPD: meson: Add localstatedir override option, GitHub #1608
* UPD: meson: Make the print spool dir FHS compliant, GitHub #1608
* UPD: docs: Improve Upgrade chapter, GitHub #1609
* UPD: docker: Use multistage build to optimize image size, GitHub #1620
* FIX: afpd: Cleanup unused, broken AFP over ASP code #1612
* FIX: papd: Correct PAPStatus string copy buffer length, GitHub #1576
* UPD: Make last CNID backend writable when built for tests, GitHub #1623
This unblocks the integration tests that concern writing.
* NEW: Bundle and improve the afptest test suite, GitHub #1633
Build with the new `-Dwith-testsuite' option.
* FIX: webmin: Make AppleTalk service control functional, GitHub #1636
4.0.1
* UPD: Update license grant to reflect the retroactive rescission
of U.C Berkeley clause 3, GitHub #1567
* FIX: meson: Don't always build AppleTalk utils with RPATH, GitHub #1568
* FIX: docs: Build the macipgw html manual page, GitHub #1569
* FIX: Explicitly import headers to appease gcc on Debian Sid, GitHub #1571
* UPD: docs: Install static redirect man pages for nbp tools, GitHub #1575
* FIX: meson: Missing xsltproc and docbook-xsl treated
as non-fatal error, GitHub #1581
* UPD: docker: Build with optimizations, without debug symbols, GitHub #1584
* UPD: meson: In summary, list Webmin module under
a new Add-ons section, GitHub #1586
* UPD: initscripts: Use launchctl bootstrap and
enable directives for installing on macOS, GitHub #1583
* REM: Remove obsoleted netatalk-config script, GitHub #1587
* FIX: Change u_char data types to the portable uint8_t, GitHub #1590
* FIX: meson: Detect native Avahi before mDNS, GitHub #1591
* UPD: initscripts: Remove the redundant systemd Also directive, GitHub #1593
* UPD: docs: Flesh out the compile appendix
and break down start steps, GitHub #1595
* FIX: Fix seg fault in ad set utility
when not in a netatalk volume, GitHub #1597
* UPD: Update ad manual page to cover 'ad set' utility, GitHub #1599
4.0.0
* NEW: Reintroduce AppleTalk / DDP support, GitHub #220
Controlled with the new build system option `-Dwith-appletalk'.
Revived daemons: atalkd, papd, timelord, a2boot
Revived config files: atalkd.conf, papd.conf
Revived utilities: aecho, getzones, nbplkup, nbprgstr, nbpunrgstr, pap,
papstatus
* NEW: Bundle macipgw, the MacIP Gateway daemon by Stefan Bethke, GitHub #1204
* UPD: uams: All encrypted UAMs depend on Libgcrypt now, GitHub #1488, #1506
This means we remove the bundled wolfSSL library.
A big thanks to the wolfSSL team for all their support!
* FIX: uams: Remove unhelpful Libgcrypt version check, GitHub #1550
* REM: Remove the obsoleted PGP UAM, GitHub #1507
* NEW: Bundle, configure and install the Webmin module, GitHub #518
Controlled with the new build system option `-Dwith-webmin'.
* UPD: Migrate afpstats from dbus-glib to GDBus, GitHub #666
Special thanks to Simon McVittie for his help!
* BREAKING: Remove canned troff man pages from distribution, GitHub #460
The build system now generates them on the fly.
Introduces a build time dependency on DocBook XSL and xsltproc.
* BREAKING: Remove generated Unicode conversion tables, GitHub #1220
Introduces a build time dependency on the UnicodeData.txt database.
* UPD: Detect host OS home dir and configure afp.conf on the fly, GitHub #1274
* UPD: meson: Autodetect init style for host OS, #1124
* UPD: meson: Allow building with multiple init styles, GitHub #1291
* NEW: meson: Introduce `-Dwith-readmes' option for installing additional docs.
GitHub #1310
* REM: Remove the Autotools build system. Meson is now the only choice.
GitHub #1213
3.2.10
* BREAKING: Install netatalk-dbus.conf into datadir by default, GitHub #1533
Previously: sysconfdir. This can be overridden by the build system.
* FIX: uams: Correct shadow password length check for ClearTxt, GitHub #1528
* FIX: cnid_dbd: Set explicit max length of db_params to prevent potential
buffer overflow, GitHub #694
* FIX: meson: Debugging was enabled by default causing tickles
to not be sent out, GitHub #1514
* FIX: meson: Format afpd help text output to match autotools, GitHub #1499
* FIX: meson: Throw missing cracklib dictionary warning, GitHub #1495
* FIX: meson: Use a valid code sample for the TCP Wrappers check, GitHub #1491
3.2.9
* UPD: Use the recommended command to import Solaris init manifest,
GitHub #1451
* FIX: uams: Make sure the DHX2 client nonce is aligned appropriately,
GitHub #1456
* FIX: uams: Fix DHCAST128 key alignment problem, GitHub #1464
* FIX: wolfssl: OpenSSL coexistence tweaks, GitHub #1469
* FIX: docs: Remove straggler path substitution in afp.conf, GitHub #1480
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 22 Jun 2025 18:21:41 +0000 (20:21 +0200)]
sudo: Update to version 1.9.17
- Update from version 1.9.16p2 to 1.9.17
- Removed --with-ignore-dot as the setting is now on by default. The --with-ignore-dot
configure option has been deprecated so will eventually be removed. Therefore good
to remove it now in preparation for the future.
- Update of rootfile
- Changelog
1.9.17
Sudo now uses the NODEV macro consistently. Bug #1074.
Fixed a bug where the ALL command in a sudoers rule would override a
previous NOSETENV tag. Command tags are inherited from previous Cmnds in
a Cmnd_Spec_List. There is a special case for the SETENV tag with the ALL
command, where SETENV is implied if no explicit SETENV or NOSETENV tag is
specified. This special case did not take into account that a NOSETENV
tag that was inherited should override this behavior.
If sudo is run via ssh without a terminal and a password is required, it
now suggests using ssh’s -t option.
Fixed the display of timeout values in the sudo -V output on systems
without a C99-compliant snprintf() function.
Quieted a number of minor Coverity warnings.
Fixed a problem running sudo from a serial console on Linux when the
command is run in a pseudo-terminal (the default).
Fixed a crash in sudo which could occur if there was a fatal error after
the user was validated but before the command was actually run.
Fixed a number of man page style warnings. The “lint” make target in the
docs directory will now run groff with warnings enabled if it is
available. Bug #1075.
The ignore_dot sudoers setting is now on by default. There is now a
--disable-ignore-dot configure option to disable it. The --with-ignore-dot
configure option has been deprecated.
Fixed a problem with the pwfeedback option where an initial backspace
would reduce the maximum length allowed for the password. GitHub issue #439.
Fixed minor grammar and spelling problems in the man pages.
Fixed a bug where a user could avoid entering a password for sudo -l
command if they specified their own user or group name via the -u or -g
options.
Avoid potential password guessing based on timing attacks on the strcmp()
function on systems without PAM or a crypt() function where plaintext
passwords are stored in the shadow password file.
Fixed a potential information leak where sudo -l command could be used to
determine whether an executable exists in a directory that they do not
have search access to.
Sudo uses TCSAFLUSH, not TCSADRAIN, when disabling echo once again. A long
time ago sudo changed from using TCSAFLUSH to TCSADRAIN due to some
systems having bugs related to TCSAFLUSH. That should no longer be a
concern. Using TCSAFLUSH ensures that password input that has been
received by the kernel, but not yet read by sudo, will be discarded and
not echoed.
Added the SUDO_TTY environment variable if the user has a terminal. This
can be used to find the user’s original tty device when sudo runs the
command in its own pseudo-terminal. GitHub issue #447.
New Cantonese translation for sudo.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>