Stephen Cuka [Sat, 10 May 2025 16:19:37 +0000 (10:19 -0600)]
pakfire.cgi: Changes to install and remove confirmation pages
- On install confirmation page, add list of packages to install
- if package is already installed, don't show it on the list
- On install and remove confirmation pages, pad out translation
of "Package:" to length of 10 so that the column spacing doesn't
change for different languages.
- Display dependencies for package(s) to remove in 'parent -> child'
format.
- Display packages in use in 'parent -> child' format.
- Add translations for new text in all langs.
- functional changes
- When removing a package, remove it's dependencies.
- Don't allow a package or dependency to be removed if other
installed packages depend on it.
Signed-off-by: Stephen Cuka <stephen@firemypi.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 11 May 2025 10:13:04 +0000 (12:13 +0200)]
transmission: Update to CMakeLists.txt of min cmake version
- The main CMakeLists.txt was okay but a lot of the CMakeLists.txt files in the third
part folder had min version prior to 3.5
- A patch set has been made in the transmission source but it was also changing a lot of
other things. I just created my own patch to update the files in the third party
folder and the build was successfull with that.
- If a new version is released then this patch can be removed but it will depend on
if that new version includes the fix to the bug in 4.0.6 that has resulted in a
variety of torrent mirrors banning transmission-4.0.6. This caused the transmission
update in IPFire to be reverted to 4.0.5
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 11 May 2025 10:13:03 +0000 (12:13 +0200)]
soxr: Update CMakeLists.txt with cmake min version
- The last update and commit on this package was 7 years ago so unlikely that there will
be an update for this.
- An issue has been raised on the github site but as none of the other raised issues
have been dealt with in the last 7 years it looks like this repo is dead.
- Will raise a separate discussion on whether this package should be left in IPFire.
- Patch created to update the min cmake version to 3.10 and the build completed
successfully with that.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 11 May 2025 10:13:02 +0000 (12:13 +0200)]
libssh: Update to version 0.11.1 - fixes min cmake version
- Update from version 0.10.6 to 0.11.1
- Update of rootfile
- Changelog
0.11.1
* Fixed default TTY modes that are set when stdin is not connected to tty (#270)
* Fixed zlib cleanup procedure, which could crash on i386
* Various test fixes improving their stability
* Fixed cygwin build
0.11.0
* Deprecations and Removals:
* Dropped support for DSA
* Deprecated Blowfish cipher (will be removed in next release)
* Deprecated SSH_BIND_OPTIONS_{RSA,ECDSA}KEY in favor of generic HOSTKEY
* Removed the usage of deprecated OpenSSL APIs (Note: Minimum supported
OpenSSL version is 1.1.1)
* Disabled preauth compression (zlib) by default
* Support for pkcs#11 engines are deprecated, pkcs11-provider is used instead
* Deprecation of old async SFTP API
* libgcrypt cryptographic backend is deprecated
* Deprecation of knownhosts hashing
* SFTP Improvements:
* Added support for async SFTP IO
* Added support for sftp_limits() and applied capping to SFTP read/write
operations accordingly
* Added sftp_home_directory() API support for sftp extension "home-directory"
* Added sftp_lsetstat() API for lsetstat extensions
* Added sftp_expand_path() to canonicalize path using expand-path@openssh.com
extension
* Implemented stat and realpath in sftpserver
* Added sftp_readlink() API to support hardlink@openssh.com
* New extensible callback based SFTP server
* Introduced the posix-rename@openssh.com extension
* New functions and features:
* Added support for PKCS #11 provider for OpenSSL 3.0
* Added testing for GSSAPI Authentication
* Implemented proxy jump using libssh
* Recategorized loglevels to show fatal errors and alignment with OpenSSH
log levels
* Added ssh_channel_request_pty_size_modes() API to set terminal modes for
PTYs
* Added function to check username syntax
* Added support to check all keys in authorized_keys instead of one in
example server implementation
* Handled hostkey similar to OpenSSH
* Added ssh_session_socket_close() API in order to not close socket passed
through options on error conditions
* Added option SSH_BIND_OPTIONS_IMPORT_KEY_STR to read user-supplied key
string in ssh_bind_options_set()
* Improved log handling around ssh_set_callbacks
* Added ssh_set_error_invalid in ssh_options_set()
* Prevented signature blob to start with 1 bit in libgcrypt
* Added support to unbreak key comparison of Ed25519 keys imported from PEM
or OpenSSH container
* Added support to calculate missing CRT parameters when building RSA key
* Added ssh_pki_export_privkey_base64_format() and
ssh_pki_export_privkey_file_format() to support exporting keys in different
formats (PEM, OpenSSH)
* Added support to compare certificates and handle automatic certificate
authentication
* Added support to make compile-commands generation conditional
* Built fuzzers for normal testing
* Avoided passing other events to callbacks when called recursively
* Added control master and path options
* Refactored channel_rcv_data, check for errors and report more useful errors
* Added support to connect to other host addresses than just the first one
* Terminated the server properly when the MaxAuthTries is reached
* Added support for no-more-sessions@openssh.com request in both client and
server
* Added callback to support forwarded-tcpip requests
* Bumped minimal CMake version to 3.12
* Added support for MBedTLS 3.6.x
* Added support for +,-,^ modifiers in front of algorithm lists in options
* Added callbacks for channel open response, and channel request response
* Replaced chroot() from chroot_wrapper internal library with chroot()
from priv_wrapper package
* Added a placeholder for non-expanded identities
* Improved handling of channel transfer window sizes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 11 May 2025 10:12:59 +0000 (12:12 +0200)]
xorriso: Package to replace cdrkit
- This package is the command line standalong package from the libburnia project.
- Build successfully created an iso package and this was used to install IPFire onto
a vm on my testbed system. This worked successfully so xorriso successfully
craeted a bootable iso image.
- The build was also tested on a Core Update 193 repo and installed and it successfully
created a bootable iso image with the backupiso process.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 11 May 2025 10:12:57 +0000 (12:12 +0200)]
cmake: Update to version 4.0.2
- Update from version 3.25.2 to 4.0.2
- Update of rootfile
- Version 4.0.0 removed compatibility with versions older than 3.5 so all package
builds using cmake must have the min version at 3.5 or higher otherwise the build
fails.
- Version 3.31 has deprecated compatibility with versions older than 3.10 and this will
be removed in some future version.
- The rest of this patch set are the packages using cmake for the build that required
some changes to the min version.
- Changelog is too large to include here. Details can be found at
https://cmake.org/cmake/help/v4.0/release/index.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 11 May 2025 10:12:56 +0000 (12:12 +0200)]
curl: Update to version 8.13.0
- Update from version 8.11.0 to 8.13.0
- Update of rootfile
- Knock on effect of this update is to require a newer version of cmake due to changes
in some variable from curl that cmake uses.
- This therefore the first of a patch set.
- Changelog
8.13.0
Changes:
curl: add write-out variable 'tls_earlydata'
curl: make --url support a file with URLs
gnutls: set priority via --ciphers
IMAP: add CURLOPT_UPLOAD_FLAGS and --upload-flags
lib: add CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY
OpenSSL/quictls: add support for TLSv1.3 early data
rustls: add support for CERTINFO
rustls: add support for SSLKEYLOGFILE
rustls: support ECH w/ DoH lookup for config
rustls: support native platform verifier
var: add a '64dec' function that can base64 decode a string
wolfssl: tls early data support
Bugfixes:
addrinfo: add curl macro to avoid redefining foreign symbols
asyn-thread: avoid the separate 'struct resdata' alloc
asyn-thread: avoid the separate curl_mutex_t alloc
asyn-thread: do not allocate thread_data separately
asyn-thread: remove 'status' from struct Curl_async
autotools: fix `dllmain.c` in unity builds
autotools: fix `libtest` bundle to depend on `FIRSTFILES`
autotools: use `CURLDEBUG` to exclude TrackMemory code from unity
aws_sigv4: cannot be used for proxy
aws_sigv4: merge repeated headers in canonical request
aws_sigv4: use strparse more for parsing
base64: drop `BUILDING_CURL` macro, always include in tests/server
build: add Windows CE / CeGCC support, with CI jobs
build: cmake multi-pkg-config detection improvements (brotli, ldap, mbedtls)
build: do not apply curl debug macros to `tests/server` by default
build: drop unused `getpart` tool
build: enable -Wjump-misses-init for GCC 4.5+
build: enable `-Wcast-qual`, fix or silence compiler warnings
build: fix compiler warnings in feature detections
build: replace Curl_ prefix with curlx_ for functions used in servers
build: set `-O3` and tune WinCE in CI, fix `getpart`, `vtls_scache` fallouts
build: set `HAVE_STDINT_H` if `stdint.h` is available
build: set `HAVE_WRITABLE_ARGV` for Apple cross-builds
build: silence bogus `-Wconversion` warnings with gcc 5.1-5.4
build: silence mingw32ce C99 format warnings, simplify CI
build: tidy-ups around `inet_pton`
c-ares httpsrr: fix ifdef
c-ares: error out for unsupported versions, drop unused macros
ca-native.md: sync with CURLSSLOPT_NATIVE_CA
cf-socket: deduplicate Windows Vista detection
cf-socket: remove empty switch
client writer: handle pause before decoding
cmake: `CURL_LIBDIRS` improvements (upstreamed from vcpkg)
cmake: `SHARE_LIB_OBJECT=ON` requires CMake 3.12 or newer
cmake: add custom command scripts as dependencies where missing
cmake: add pre-fill for Unix, enable in GHA/macos, verify pre-fills
cmake: add shell completion support
cmake: allow `CURL_STATIC_CRT` with shared libcurl and no curl exe
cmake: allow `CURL_STATIC_CRT` with UCRT VS2015+ builds
cmake: allow empty `IMPORT_LIB_SUFFIX`, add suffix collision detection
cmake: avoid `-Wnonnull` warning in `HAVE_FSETXATTR_5` detection
cmake: disable HTTPS-proxy as a feature if proxy is disabled
cmake: drop `CURL_DISABLE_TESTS` option
cmake: drop `HAVE_C_FLAG_Wno_long_double` logic for ancient Apple gcc
cmake: drop `HAVE_IN_ADDR_T` from pre-fill too
cmake: drop two stray TLS feature checks for wolfSSL
cmake: exclude `-MP` for `clang-cl` again
cmake: fix `HAVE_ATOMIC`/`HAVE_STDATOMIC` pre-fill for clang-cl
cmake: fix clang-tidy builds to verify tests, fix fallouts
cmake: fix detection pre-fills for iOS
cmake: fix ECH detection in custom-patched OpenSSL
cmake: fix typo in ECH config error msg
cmake: hide empty `MINGW64_VERSION` output for mingw32ce
cmake: improve httpd detection for pytest
cmake: mention 'insecure' in the debug build warning
cmake: misc tidy-ups
cmake: pre-fill known type sizes for Windows OSes
cmake: replace CMAKE_COMPILER_IS_GNUCC with CMAKE_C_COMPILER_ID
cmake: replace exec_program() with execute_process()
cmake: restrict static CRT builds to static curl exe, test in CI
cmake: sync cutoff version with autotools for picky option `-ftree-vrp`
cmake: sync OpenSSL(-fork) feature checks with `./configure`
cmake: unity mode optimization for non-`CURLDEBUG` `testdeps` targets
CODE_STYLE: readability and banned functions
config-win32: set `HAVE_STDINT_H` where available
configure: call the blocking resolver "blocking", not "default"
configure: fix ECH detection with MultiSSL
configure: silence compiler warnings in feature checks, drop duplicates
configure: tidy up shell completion rules
configure: use `curl_cv_apple` variable
conn: eliminate `conn->now`
conn: fix connection reuse when SSL is optional
conncache: eliminate `conn->destination_len` as premature optimization
contributors.sh: lowercase 'github' for consistency
contrithanks.sh: update docs/THANKS in place
cookie: do prefix matching case-sensitively
cookie: minor parser simplification
cookie: simplify invalid_octets()
core: stop redefining `E*` macros on Windows, map `EACCES`, related fixes
curl.h: change some enums to defines with L suffix
curl.h: convert CURLUSESSL* names to defines
curl.h: stop defining non-curl `__has_declspec_attribute`
curl.h: switch `CURL_HTTP_VERSION*` enums to long constants
curl/system.h: drop leftover comment about 32 bit curl_off_t
curl: add my_setopt_long() and _offt()
curl_msh3: remove verify bypass from DEBUGBUILDs
curl_setup: drop `ERANGE` (for WinCE), no longer used
curl_setup_once: drop `E*` macro redefines unused (with winsock2)
curl_setup_once: stop redefining `ENAMETOOLONG` to winsock2 error code
curl_trc: fix build with CURL_DISABLE_VERBOSE_STRINGS
curl_ws_recv.md: expand a little on the fragments the API delivers
CURLMOPT_SOCKETFUNCTION.md: add advice for socket callback invocation
CURLOPT_HTTPHEADER.md: add comments to the example
CURLOPT_HTTPHEADER.md: rephrases
curltime: use libcurl time functions in src and tests/server
DISABLED: add 313 for sectransp (move from GHA/macos)
docs/cmdline-opts: use imperative form
docs: adapt to removed --with-random
docs: add FD_ZERO to curl_multi_fdset example
docs: bump `rustls` to 0.14.1
docs: correct argument names & URL redirection
docs: minor edits to please the new spellchecker regime
docs: rework RUSTLS install instructions
docs: unify HTTP version style in --help output
docs: vulnerabilities in debug code are not eligible for a bounty
doh: improve HTTPS RR svcparams parsing
doh: remove wrong but unreachable exit path from doh_decode_rdata_name
dynbuf: assert init on free
easy: drop `break` after `return`
easy: fix warning about possible comma misuse
eventfd: allow use on all CPUs
examples: prefer `return` over `exit()` (cont.)
ftp/sftp: strdup data info memory
ftp: fix comment
gnutls: fix connection state check on handshake
gnutls: fix use of pkcs11 urls for keys/certs
gtls: fix uninitialized variable
hash: use single linked list for entries
hostip: don't use alarm() for DoH resolves
hostip: make CURLOPT_RESOLVE support replacing IPv6 addresses
http2: add on_invalid_frame callback for error detection
http2: detect session being closed on ingress handling
http2: enhance error messages on Curl_dyn* upon receiving headers
http2: fix stream assignemnt for pushes
http2: reset stream on response header error
HTTP3.md: only speak about minimal versions
http: convert parsers to strparse
http: fix NTLM info message typo
http: fix the auth check
http: make the RTSP version check stricter
http: negotiation and room for alt-svc/https rr to navigate
http: remove a HTTP method size restriction
http: version negotiation
http_chunks: replace a strofft call with curl_str_hex
https-rr: implementation improvements
httpsrr: fix port detection
httpsrr: fix the HTTPS-RR threaded-resolver build combo
INFRASTRUCTURE.md: add IRC and Matrix details
INSTALL-CMAKE.md: CMake usage updates
INSTALL-CMAKE.md: mention `ZLIB_USE_STATIC_LIBS`
lib1156: pass longs to `curl_easy_setopt()`
lib1560: test set path containing LR or CR
lib2302: fix crash due to stack overflow on MSVC and clang Windows
lib696: fix building on Windows in non-bundle mode
lib: better optimized casecompare() and ncasecompare()
lib: clear up CURLRES_ASYNCH vs USE_CURL_ASYNC use
lib: fix two curlx_strtoofft invokes
lib: rename curlx_strtoofft to Curl_str_numblanks()
lib: replace while(ISBLANK()) loops with Curl_str_passblanks()
lib: simplify more white space loops
lib: strtoofft.h header cleanup
lib: use Curl_str_* instead of strtok_r()
lib: use Curl_str_number() for parsing decimal numbers
libssh2: fix freeing of resources in disconnect
libssh2: fix memory leak in `SSH_SFTP_REALPATH` state
libssh2: fix to ignore `known_hosts` if SHA256 host public key is set
libssh2: print user with verbose flag
libssh2: show crypto backend in the verbose connect log
libssh: fix freeing of resources in disconnect
libssh: fix scp large file upload for 32-bit size_t systems
libtest/first.c: remove the Test: stderr output for unity builds
libtest/libprereq.c: set CURLOPT_FOLLOWLOCATION with a long
managen: accept more markdown-quote-markers
managen: correct the warning for un-escaped '<' and '>'
mbedtls: re-enable an error check
memdebug.h: avoid `-Wredundant-decls` with an extra guard
memdebug: drop dynamic allocation from `curl_dbg_log()`
mprintf: switch three number parsers to use strparse
mqtt: convert sendleftovers to dynbuf
msvc: drop support for VS2005 and older
multi: call protocol handler done() if PROTOCONNECT or later
multi: event based rework
multi: kill off remaining internal handles in curl_multi_cleanup
multi: start the loop over when handles are removed
multi_ev: fixes regarding connection shutdowns
ngtcp2: do not iterate over multi handles
ntlm: merge ntlm.h into ntlm.c
openssl-quic: do not iterate over multi handles
openssl: check return value of X509_get0_pubkey
openssl: drop support for old OpenSSL/LibreSSL versions
openssl: fix crash on missing cert password
openssl: fix pkcs11 URI checking for key files.
openssl: remove bad `goto`s into other scope
prox/preproxy.md: document argument within <brackets>
pytest: test negotiate with http proxy
quiche: do not iterate over multi handles
RELEASE-PROCEDURE.md: explain release candidates
request: clear sendbuf_hds_len when resetting request bufq
resolve: fix building without Unix sockets and `CURLDEBUG`
runtests: accept `CURL_DIRSUFFIX` without ending slash
runtests: add feature-based filtering
runtests: check and report if `diff` tool is missing
runtests: drop logic calling the `handle` tool (Windows)
runtests: drop recognizing 'winssl' as Schannel
runtests: drop ref to unused external function
runtests: fix bundled test invocation with `-g` option
runtests: fix SSH server not starting in cases, re-ignore failing vcpkg CI jobs
runtests: fix test key format for libssh2 WinCNG (and others)
runtests: generate certs dynamically, bump to EC-256, tidy up
runtests: recognize AWS-LC as OpenSSL
runtests: rewrite `genserv.sh` in Perl
runtests: support multi-target cmake, drop workarounds from CI
runtests: support running tests under wine or qemu (cont.)
runtests: support running tests under wine or qemu
runtests: use `setfacl` on Cygwin/MSYS, if present
rustls: add ECH support w/ string ECH config
rustls: cap maximum allowed CRL file size to 8MB
rustls: support ECH GREASE
rustls: use client cert and key if available
schannel: deduplicate Windows Vista detection
schannel: enable ALPN support under WINE 6.0+
schannel: enable ALPN with MinGW, fix ALPN for UWP builds
schannel: guard ALPN init code to ALPN builds
scripts/managen: fix option 'single'
scripts/managen: fix parsing of markdown code sections
scripts: update completion.pl to parse options from docs
sectransp: add support for HTTP/2 in gcc builds
sendf: client reader line conversion: do not change data->state.infilesize
setopt: illegal CURLOPT_SOCKS5_AUTH should return error
setopt: remove unnecessary void pointer typecasts
setopt: setting PROXYUSERPWD after PROXYUSERNAME/PASSWORD is fine
shutdowns: split shutdown handling from connection pool
socks: remove bad assert from do_SOCKS5()
src: avoid strdup on platforms not doing UTF-8 conversions
src: cleanup ISBLANK vs ISSPACE
src: remove Curl_ prefix from tool-specific function
src: remove final uses of Curl_ symbol prefixes in tool code
src: replace strto[u][ld] with curlx_str_ parsers
ssh: consider sftp quote commands case sensitive
sshserver.pl: adjust `AuthorizedKeysFile2` cutoff version
sshserver.pl: use Perl `chmod`
sshserver: fix excluding obsolete client config lines
ssl session cache: add exportable flag
SSLCERTS: list support for SSL_CERT_FILE and SSL_CERT_DIR
strparse: make Curl_str_number() return error for no digits
strparse: switch the API to work on 'const char *'
strparse: switch to curl_off_t as base data type
test1022: add support for rc releases
test1167: catch #defines with extra whitespace
test313: disable CRL test for Schannel due to lack of support and flakiness
test313: disable via `<features>` for backends without CRL support
test489: set output dir
test612: SCP `rm` the uploaded remote file (not the local source), unignore in CI
test613: make it pass on Windows, fix postprocess, unignore in CI
test615: fix for Cygwin, unignore in CI
tests/certs: cleanup
tests/server: drop unused `base64.pl`
tests/server: fix to check against winsock2 error codes on Windows
tests/server: give global `path` variable a more descriptive name
tests/server: make the signal handler signal-safe
tests/server: replace `errno` with `SOCKERRNO` in sockfilt, socksd, sws
tests/server: replace `strerror` with `sstrerror` in socksd
tests/server: support bundle binary
tests/server: sync `wait_ms()` with the libcurl implementation
tests/server: use `curlx_str_numblanks()` to avoid `errno`
tests/servers.pm: remove unused variable 'portrange'
tests: build non-debug unit tests with autotools, run them
tests: fix comment in lib533
tests: fix enum/int confusion, fix autotools `CFLAGS` for `servers`
tests: make sure 'commands.log' is generated in the correct logdir
tests: mark tests 1631, 1632 flaky
tests: reformat error messages to avoid tripping MSBuild
tests: remove base64 encoded sections
tests: Remove unused variables
tests: replace remaining non-ASCII bytes with hex markup
tftpd: prefix TFTP protocol error `E*` constants with `TFTP_`
tidy-up: align MSYS2/Cygwin codepaths, follow Cygwin `MAX_PID` bump
tidy-up: delete, comment or scope C macros reported unused
tidy-up: drop unused `CURL_INADDR_NONE` macro and `in_addr_t` type
tidy-up: use `CURL_ARRAYSIZE()`
timediff: fix comment for curlx_mstotv()
timediff: remove unnecessary double typecast
tool_dirhie: create dir hierarchy without strtok
tool_getparam: clear sensitive arguments better
tool_getparam: do parse_upload_flags without the alloc/free
tool_getparam: parse --trace-config without strdup()/free()
tool_getparam: parse_header() without strtok
tool_operate: change "1 retries" to "1 retry"
tool_operate: fail SSH transfers without server auth
tool_operate: fix pluralization of seconds
tool_operate: remove unnecessary (long) typecasts
tool_paramhlp: do --proto parsing without strtok
tool_parsecfg: make my_get_line skip comments and newlines
tool_setopt: reduce use of "code hiding" macros
url: call protocol handler's disconnect in Curl_conn_free
urlapi: fix redirect from file:// with query, and simplify
urlapi: remove percent encoded dot sequences from the URL path
urlapi: simplify junkscan
urldata: remove 'hostname' from struct Curl_async
variable.md: clarify 'trim' example
vquic: obey IOV_MAX
vtls: fix compiler warnings seen with gcc 7.3.0 and mbedTLS
winbuild: reduce command-line length by dropping whitespace
windows: do not use winsock2 `inet_ntop()`/`inet_pton()`
windows: drop code and curl manifest targeting W2K and older
windows: fix issues detected by clang-tidy, and some more
wolfssh: fix freeing of resources in disconnect
wolfssh: retrieve the error using wolfSSH_get_error
wolfssl: fix CA certificate multiple location import
wolfssl: fix unused variable warning
wolfssl: warn if CA native import option is ignored
wolfssl: when using PQ KEM, use ML-KEM, not Kyber
ws: corrected curlws_cont to reflect its documented purpose
ws: fix and extend CURLWS_CONT handling
zlib: bump minimum to 1.2.5.2 (was: 1.2.0.4)
8.12.1
Bugfixes:
all: remove FIXME and TODO comments
asyn-thread: fix build with `CURL_DISABLE_SOCKETPAIR`
asyn-thread: fix HTTPS RR crash
asyn-thread: fix the returned bitmask from Curl_resolver_getsock
asyn-thread: survive a c-ares channel set to NULL
build: add tool_hugehelp.c into IBMi build
checksrc.pl: warn on FIXME/TODO comments
cmake/Find: set `<Modulename>_FOUND` for compatibility when found via
`pkg-config`
cmake: add integration tests, run them in CI
cmake: always reference OpenSSL and ZLIB via imported targets
cmake: avoid unnecessary `-L` for implicit link dirs
cmake: drop `LDAP_DEPRECATED=1` macro, to sync with autotools
cmake: fix `HAVE_GETHOSTBYNAME_R_*` detections with `CURL_WERROR=ON`
cmake: fix to detect `HAVE_OPENSSL_SRP` in MSVC UWP builds
cmake: fix/add missing feature detections for Windows/MS-DOS
cmake: initialize variables where missing
cmake: lib order fixes for picky linkers (e.g. binutils `ld`)
cmake: normalize before matching paths with syspaths
cmake: respect `GNUTLS_CFLAGS` when detected via `pkg-config`
cmake: respect `GNUTLS_LIBRARY_DIRS` in `libcurl.pc` and `curl-config`
cmake: save a line with `CMAKE_C_IMPLICIT_LINK_DIRECTORIES` exclusion
cmake: tidy up string append and list prepend syntax
configure/cmake: check for realpath
configure/cmake: set asyn-rr a feature only if httpsrr is enabled
content_encoding: #error on too old zlib
curl_global_sslset.md: Add SSL backend names
CURLOPT_SSH_KNOWNHOSTS.md: strongly recommend using this
CURLSHOPT_SHARE.md: adjust for the new SSL session cache
docs: better explain multi-part byte range behavior
docs: use valid example domain names
generate.bat: remove curl_get_line.c from the curlx file list
header.md: mention `Authorization:` and `Cookie:` special treatment
imap: TLS upgrade fix
INTERNALS: fix c-ares, as we actually support 1.6.0 or later
ldap: drop support for legacy Novell LDAP SDK
lib: include necessary headers for `inet_ntop`/`inet_pton`
lib: silence LibreSSL collision warning on non-MSVC Windows
libssh2: comparison is always true because rc <= -1
libssh2: raise lowest supported version to 1.2.8
libssh: drop support for libssh older than 0.9.0
libssh: silence `-Wconversion` with a cast (Windows 32-bit)
netrc: return code cleanup, fix missing file error
openssl-quic: ignore ciphers for h3
openssl: fix out of scope variables in goto
pop3: TLS upgrade fix
runtests: fix the disabling of the memory tracking
runtests: quote commands to support paths with spaces
scache: add magic checks
smb: silence `-Warray-bounds` with gcc 13+
smtp: TLS upgrade fix
SPONSORS.md: clarify that we don't promise goods or services
test1516: avoid failure due to spaces in path
test2080: simplify, avoid the null byte
tests: fix test 558, 1330 for MSVC, allow TrackMemory with MSVC in cmake
tidy-up: make per-file `ARRAYSIZE` macros global as `CURL_ARRAYSIZE`
tool_cfgable: sort struct fields by size, use bitfields for booleans
tool_getparam: add "TLS required" flag for each such option
tool_progress: fix percent output of large parallel transfers
tool_ssls: switch to tool-specific get_line function
verbose.md: mention how carriage-return might occur in headers
vquic: make the "disable GSO" use infof, not failf
vtls: fix multissl-init
vtsl: eliminate 'data->state.ssl_scache'
wakeup_write: make sure the eventfd write sends eight bytes
wolfssl: silence compiler warning (MSVC 2019), simplify existing
8.12.0
Changes:
curl: add byte range support to --variable reading from file
curl: make --etag-save acknowledge --create-dirs
getinfo: fix CURLINFO_QUEUE_TIME_T and add 'time_queue' var
getinfo: provide info which auth was used for HTTP and proxy
hyper: drop support
openssl: add support to use keys and certificates from PKCS#11 provider
QUIC: 0RTT for gnutls via CURLSSLOPT_EARLYDATA
vtls: feature ssls-export for SSL session im-/export
Bugfixes:
altsvc: avoid integer overflow in expire calculation
altsvc: return error on dot-only name
android: add CI jobs, buildinfo, cmake docs, disable `CURL_USE_PKGCONFIG`
by default
asyn-ares: acknowledge CURLOPT_DNS_SERVERS set to NULL
asyn-ares: fix memory leak
asyn-ares: initial HTTPS resolve support
asyn-thread: use c-ares to resolve HTTPS RR
async-thread: avoid closing eventfd twice
autotools: add support for mingw UWP builds
autotools: silence gcc warnings in libtool code
binmode: convert to macro and use it from tests
build: delete `-Wsign-conversion` related FIXMEs
build: drop `-Winline` picky warning
build: drop `tool_hugehelp.c.cvs`, tidy up macros, drop `buildconf.bat`
build: drop unused feature macros, update exception list
build: fix `-Wtrampolines` picky warning for gcc 4.x versions
build: fix compiling with GCC 4.x versions
build: fix the tidy targets for autotools
build: fix unsigned `time_t` detection for cmake, MS-DOS, AmigaOS
build: replace configure check with PP condition (Android <21)
build: stop detecting `sched_yield()` on Windows
c-ares: fix/tidy-up macro initializations, avoid a deprecated function
cd2nroff: do not insist on quoted <> within backticks
cd2nroff: support "none" as a TLS backend
cf-https-connect: look into httpsrr alpns when available
cf-socket: error if address can't be copied
cfilters: kill connection filter events attach+detach
checksrc.bat: remove explicit SNPRINTF bypass
checksrc: ban use of sscanf()
checksrc: check for return with parens around a value/name
checksrc: exclude generated bundle files to avoid race condition
checksrc: fix the return() checker
checksrc: introduce 'banfunc' to ban specific functions
cmake/Find: add `iphlpapi` for c-ares, omit syslibs if dep not found
cmake/FindLDAP: avoid empty 'Requires' item when omitting `pkg-config` module
cmake/FindLDAP: avoid framework locations for libs too (Apple)
cmake/FindLibpsl: protect against `pkg-config` "half-detection"
cmake/FindLibssh: sync header comment with other modules
cmake/FindMbedTLS: drop lib duplicates early
cmake: add `librtmp` Find module
cmake: add LDAP Find module
cmake: add native `pkg-config` detection for remaining Find modules
cmake: allow `CURL_LTO` regardless of `CURL_BUILD_TYPE`, enable in CI
cmake: clang-cl improvements
cmake: delete accidental debug message
cmake: deprecate winbuild, add migration guide from legacy build methods
cmake: detect mingw-w64 version, pre-fill `HAVE_STRTOK_R`
cmake: do not store `MINGW64_VERSION` in cache
cmake: drop `CURL_USE_PKGCONFIG` from `curl-config.cmake.in`
cmake: drop `fseeko()` pre-fill and check for Windows
cmake: drop duplicate Windows cache value
cmake: drop redundant FOUND checks (libgsasl, libssh, libuv)
cmake: drop redundant opening/closing `.*` from `MATCH` expressions
cmake: drop unused `HAVE_SYS_XATTR_H` detection
cmake: drop VS2010 "Dialog Hell" workaround added in 2013
cmake: extend zlib's `AUTO` option to brotli, zstd and enable if found
cmake: fix `net/in.h` detection for MS-DOS
cmake: improve `curl_dumpvars()` and move to `Utilities.cmake`
cmake: make libpsl required by default
cmake: make system libraries `dl`, `m`, `pthread` customizable
cmake: move `pkg-config` names to Find modules
cmake: move GSS init before feature detections
cmake: move mingw UWP workaround from GHA to `CMakeLists.txt`
cmake: namespace functions and macros
cmake: optimize out 4 picky warning option detections with gcc
cmake: pick a better IPv6 feature flag when assembling the feature list
cmake: pre-fill `HAVE_STDATOMIC_H`, `HAVE_ATOMIC` for mingw-w64
cmake: pre-fill `HAVE_STDINT_H` on Windows
cmake: prefer dash-style MSVC options
cmake: publish/check supported protocols/features via `CURLConfig.cmake`
cmake: replace `unset(VAR)` with `set(VAR "")` for init
cmake: sync OpenSSL QUIC fork detection with autotools
cmake: use `CMAKE_REQUIRED_LINK_DIRECTORIES`
cmake: use `STREQUAL` to detect Linux
cmake: warn for OpenSSL versions missing TLS 1.3 support
cmdline-opts/version.md: describe multissl, mention SSLS-EXPORT
completion.pl: add completion for paths after @ for fish
config-mac: drop `MACOS_SSL_SUPPORT` macro
config: drop unused code and variables
configure: do not inline 'dnl' comments
configure: drop unused detections and macros
configure: streamline Windows large file feature check
configure: UWP and Android follow-up fixes
conncache: count shutdowns against host and max limits
conncache: result_cb comment removed from function docs
content_encoding: drop support for zlib before 1.2.0.4
content_encoding: namespace GZIP flag constants
content_encoding: put the decomp buffers into the writer structs
content_encoding: support use of custom libzstd memory functions
cookie: cap expire times to 400 days
cookie: fix crash in netscape cookie parsing
cookie: parse only the exact expire date
curl-functions.m4: fix indentation in `CURL_SIZEOF()`
curl: return error if etag options are used with multiple URLs
curl_multi_fdset: include the shutdown connections in the set
curl_multi_waitfds.md: tidy up the example
curl_multibyte: support Windows paths longer than MAX_PATH
curl_setup: fix missing `ADDRESS_FAMILY` type in rare build cases
curl_sha512_256: rename symbols to the curl namespace
curl_url_set.md: adjust the added-in to 7.62.0
curl_ws_recv.md: fix typo
CURLOPT_CONNECT_ONLY.md: an easy handle with this option set cannot be reused
CURLOPT_PROXY.md: clarify the crendential support in proxy URLs
CURLOPT_RESOLVE.md: fix wording
CURLOPT_SEEKFUNCTION.md: used for FTP, HTTP and SFTP (only)
docs/BUGS.md: remove leading space from a link
docs/cmdline-opts/_ENVIRONMENT.md: minor language fix
docs/cmdline-opts/location.md: fix typos for location flag
docs/HTTP-COOKIES.md: link to more information
docs/HTTPSRR.md: initial HTTPS RR documentation
docs/libcurl/opts: clarify the return values
docs/libcurl: return value overhall
docs/TLS-SESSIONS: fix typo, the->they
docs: document the behavior of -- in the curl command line
docs: use lowercase curl and libcurl
doh: cleanups and extended HTTPS RR code
doh: send HTTPS RR requests for all HTTP(S) transfers
easy: allow connect-only handle reuse with easy_perform
easy: make curl_easy_perform() return error if connection still there
easy_lock: use Sleep(1) for thread yield on old Windows
ECH: update APIs to those agreed with OpenSSL maintainers
examples/block-ip: drop redundant `memory.h` include
examples/block-ip: show how to block IP addresses
examples/complicated: fix warnings, bump deprecated callback, tidy up
examples/synctime.c: remove references to dead URLs and functionality
examples: make them compile with compatibility functions disabled (Windows)
examples: use return according to code style
file: drop `OPEN_NEEDS_ARG3` option
file: fix Android compiler warning
gitignore: add generated unity sources for lib and src
GnuTLS: fix 'time_appconnect' for early data
hash: add asserts in hash_element_dtor()
HTTP/2: strip TE request header
http2: fix data_pending check
http2: fix value stored to 'result' is never read
http: fix build with `CURL_DISABLE_COOKIES`
http: ignore invalid Retry-After times
http_aws_sigv4: Fix invalid compare function handling zero-length pairs
https-connect: start next immediately on failure
INFRASTRUCTURE.md: project infra
INSTALL-CMAKE.md: fix punctuation
INSTALL.md: add CMake examples for macOS and iOS
INSTALL.md: document VS2008 and mingw-w64
INTERNALS.md: sync wolfSSL version requirement with source code
lib517: extend the getdate test with quotes and leading "junk"
lib: clarify 'conn->httpversion'
lib: redirect handling by protocol handler
lib: remove `__EMX__` guards
lib: replace `inline` redefine with `CURL_INLINE` macro
lib: supress deprecation warnings in apple builds
lib: TLS session ticket caching reworked
libcurl/opts: do not save files in dirs where attackers have access
Makefile.dist: delete
Makefile.mk: drop in favour of autotools and cmake (MS-DOS, AmigaOS3)
mbedtls: fix handling of blocked sends
mbedtls: PSA can be used independently of TLS 1.3 (avoid runtime errors)
mime: explicitly rewind subparts at attachment time.
mprintf: fix integer handling in float precision
mprintf: terminate snprintf output on windows
msvc: add missing push/pop for warning pragmas
msvc: assume `_INTEGRAL_MAX_BITS >= 64`
msvc: drop checks for ancient versions
msvc: fix building with `HAVE_INET_NTOP` and MSVC <=1900
msvc: require VS2005 for large file support
msvc: tidy up `_CRT_*_NO_DEPRECATE` definitions
multi: fix curl_multi_waitfds reporting of fd_count
multi: fix return code for an already-removed easy handle
multihandle: add an ssl_scache here
multissl: auto-enable `OPENSSL_COEXIST` for wolfSSL + OpenSSL
multissl: make openssl + wolfssl builds work
netrc: 'default' with no credentials is not a match
netrc: fix password-only entries
netrc: restore _netrc fallback logic
ngtcp2: fix memory leak on connect failure
ngtcp2: fix two cases of value stored never read
openssl: define `HAVE_KEYLOG_CALLBACK` before use
openssl: drop unused `HAVE_SSL_GET_SHUTDOWN` macro
openssl: fix ECH logic
osslq: use SSL_poll to determine writeability of QUIC streams
projects/Windows: remove wolfSSL from legacy projects
projects: fix `INSTALL-CMAKE.md` references
pytest: remove 'repeat' parameter
pytest: use httpd/apache2 directly, no apachectl
RELEASE-PROCEDURE.md: mention how to publish security advisories
runtests.pl: fix precedence issue
scripts/mdlinkcheck: markdown link checker
sectransp: free certificate on error
select: avoid a NULL deref in cwfds_add_sock
smb: fix compiler warning
src: add `CURL_STRICMP()` macro, use `_stricmp()` on Windows
src: drop support for `CURL_TESTDIR` debug env
src: omit hugehelp and ca-embed from libcurltool
ssl session cache: change cache dimensions
strparse: string parsing helper functions
symbols-in-versions: update version for LIBCURL_VERSION and
LIBCURL_VERSION_NUM
system.h: add 64-bit curl_off_t definitions for NonStop
system.h: drop compilers lacking 64-bit integer type (Windows/MS-DOS)
system.h: drop duplicate and no-op code
system.h: fix indentation
telnet: handle single-byte input option
test1960: don't close the socket too early
test483: require cookie support
tests/http/clients: use proper sleep() call on NonStop
tests: change the behavior of swsbounce
tests: stop promoting perl warnings to fatal errors
TheArtOfHttpScripting.md: rewrite double 'that'
tidy-up: `curl_setup.h`, `curl_setup_once.h`, `config-win32ce.h`
tidy-up: drop parenthesis around `return` expression
tidy-up: drop parenthesis around `return` values
tidy-up: extend `CURL_O_BINARY` to lib and tests
TLS: check connection for SSL use, not handler
tool_formparse.c: make curlx_uztoso a static in here
tool_formparse: accept digits in --form type= strings
tool_getparam: ECH param parsing refix
tool_getparam: fail --hostpubsha256 if libssh2 is not used
tool_getparam: fix "Ignored Return Value"
tool_getparam: fix memory leak on error in parse_ech
tool_getparam: fix the ECH parser
tool_operate: make --etag-compare always accept a non-existing file
transfer: fix CURLOPT_CURLU override logic
urlapi: fix redirect to a new fragment or query (only)
urldata: tweak the UserDefined struct
variable.md: mention --expand-variable for variables to variables
variable.md: show function use with examples
version: fix the IDN feature for winidn and appleidn
vquic: fix 4th function call argument is an uninitialized value
vquic: make vquic_send_packets not return without setting psent
vtls: fix default SSL backend as a fallback
vtls: only remember the expiry timestamp in session cache
vtls: remove 'detach/attach' functions from TLS handler struct
vtls: remove unusued 'check_cxn' from TLS handler struct
vtls: replace "none"-functions with NULL pointers
VULN-DISCLOSURE-POLICY.md: mention the not setting CVSS
VULN-DISCLOSURE-POLICY: on legacy dependencies
websocket: fix message send corruption
windows: drop dupe macros, detect `CURL_OS` for WinCE ARM, indentation
windows: drop redundant `USE_WIN32_SMALL_FILES` macro
windows: drop two missed `buildconf.bat` references
windows: merge `config-win32ce.h` into `config-win32.h`
ws-docs: extend WebSocket documentation
ws-docs: remove the outdated texts saying ws support is experimental
ws: reject frames with unknown reserved bits set
x509asn1: add parse recursion limit
8.11.1
Bugfixes:
build: fix ECH to always enable HTTPS RR
build: fix MSVC UWP builds
build: omit certain deps from `libcurl.pc` unless found via `pkg-config`
build: use `_fseeki64()` on Windows, drop detections
cmake: do not echo most inherited `LDFLAGS` to config files
cmake: drop cmake args list from `buildinfo.txt`
cmake: include `wolfssl/options.h` first
cmake: remove legacy unused IMMEDIATE keyword
cmake: restore cmake args list in `buildinfo.txt`
cmake: set `CURL_STATICLIB` for static lib when `SHARE_LIB_OBJECT=OFF`
cmake: sync GSS config code with other deps
cmake: typo in comment
cmake: work around `ios.toolchain.cmake` breaking feature-detections
cmakelint: fix to check root `CMakeLists.txt`
cmdline/ech.md: formatting cleanups
configure: add FIXMEs for disabled pkg-config references
configure: do not echo most inherited `LDFLAGS` to config files
configure: replace `$#` shell syntax
cookie: treat cookie name case sensitively
curl-rustls.m4: keep existing `CPPFLAGS`/`LDFLAGS` when detected
curl.h: mark two error codes as obsolete
curl: --continue-at is mutually exclusive with --no-clobber
curl: --continue-at is mutually exclusive with --range
curl: --continue-at is mutually exclusive with --remove-on-error
curl: --test-duphandle in debug builds runs "duphandled"
curl: do more command line parsing in sub functions
curl: rename struct var to fix AIX build
curl: use realtime in trace timestamps
curl_multi_socket_all.md: soften the deprecation warning
CURLOPT_PREREQFUNCTION.md: add result code on failure
digest: produce a shorter cnonce in Digest headers
DISTROS: update Alt Linux links
dmaketgz: use --no-cache when building docker image
docs: bring back ALTSVC.md and HSTS.md
docs: document default `User-Agent`
docs: suggest --ssl-reqd instead of --ftp-ssl
duphandle: also init netrc
ECH: enable support for the AWS-LC backend
hostip: don't use the resolver for FQDN localhost
http_negotiate: allow for a one byte larger channel binding buffer
http_proxy: move dynhds_add_custom here from http.c
KNOWN_BUGS: setting a disabled option should return CURLE_NOT_BUILT_IN
krb5: fix socket/sockindex confusion, MSVC compiler warnings
lib: fixes for wolfSSL OPENSSL_COEXIST
libssh: use libssh sftp_aio to upload file
libssh: when using IPv6 numerical address, add brackets
macos: disable gcc `availability` workaround as needed
mbedtls: call psa_crypt_init() in global init
mime: fix reader stall on small read lengths
mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
mprintf: fix the integer overflow checks
multi: add clarifying comment for wakeup_write()
multi: fix callback for `CURLMOPT_TIMERFUNCTION` not being called again
when...
netrc: address several netrc parser flaws
netrc: support large file, longer lines, longer tokens
nghttp2: use custom memory functions
OpenSSL: improvde error message on expired certificate
openssl: remove three "Useless Assignments"
openssl: stop using SSL_CTX_ function prefix for our functions
os400: Fix IBMi builds
os400: Fix IBMi EBCDIC conversion of arguments
pytest: add test for use of CURLMOPT_MAX_HOST_CONNECTIONS
rtsp: check EOS in the RTSP receive and return an error code
schannel: remove TLS 1.3 ciphersuite-list support
setopt: fix CURLOPT_HTTP_CONTENT_DECODING
setopt: fix missing options for builds without HTTP & MQTT
show-headers.md: clarify the headers are saved with the data
socket: handle binding to "host!<ip>"
socketpair: fix enabling `USE_EVENTFD`
strtok: use namespaced `strtok_r` macro instead of redefining it
tests: add the ending time stamp in testcurl.pl
tests: re-enable 2086, and 472, 1299, 1613 for Windows
TODO: consider OCSP stapling by default
tool_formparse: remove use of sscanf()
tool_getparam: parse --localport without using sscanf
tool_getpass: fix UWP `-Wnull-dereference`
tool_getpass: replace `getch()` call with `_getch()` on Windows
tool_urlglob: parse character globbing range without sscanf
vtls: fix compile warning when ALPN is not available
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://mmonit.com/monit/changes/
"Fixed: An issue where Monit with a short poll cycle could skip
sleep intervals, run checks continuously, and use CPU
excessively when using numerous "check program" tests."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 8 May 2025 12:01:51 +0000 (14:01 +0200)]
sqlite: Update to version 3.49.2
- Update from version 3.49.1 to 3.49.2
- Update of rootfile
- Changelog
3.49.2
Fix a bug in the NOT NULL optimization of version 3.40.0 (item 3c in the
version 3.40.0 change log) that can lead to a memory error if abused.
Fix the count-of-view optimization so that it does not give an incorrect answer
for a DISTINCT query.
Fix a possible incorrect answer that can result if a UNIQUE constraint of a
table contains the PRIMARY KEY column and that UNIQUE constraint is used by an
IN operator.
Fix obscure problems with the generate_series() extension function.
Incremental improvements to the configure/make.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 May 2025 09:58:33 +0000 (11:58 +0200)]
passwords.c: Update number of rounds for passwords from 7 to 10
- This improves the security of the root and admin passwords created and makes it the
same as used for the proxy local auth password code in proxy.cgi & chpasswd.cgi
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 May 2025 14:10:12 +0000 (16:10 +0200)]
perl-Apache_Htpasswd: remove module from IPFire
- This module was only used for the proxy.cgi and chpasswd.cgi files for the local
authentication option.
- As this module was last updated in Nov 2012 its use has been replaced by direct use
of htpasswd. This is dealt with by other patches in this set.
- With those changes this module is no longer required.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 May 2025 14:10:11 +0000 (16:10 +0200)]
chpasswd.cgi: Make swroot refs the same as for other cgi files
- This uses the swroot definition from general-functions.pl and makes the definition
the same as used in the majority of other IPFire cgi files.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 May 2025 14:10:10 +0000 (16:10 +0200)]
proxy.cgi: Fixes bug12755 - proxy auth problem with password longer than 8 chars
- This makes the proxy local password management the same between chpasswd.cgi and
proxy.cgi
- Tested out on my vm testbed and was able to create and modify users and their passwords
in the proxy.cgi page or modify a password for a specified user on the chpasswd.cgi
page. This all happened successfully and was confirmed by testing out the local
authentication.
Fixes: bug12755 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 May 2025 14:10:09 +0000 (16:10 +0200)]
chpasswd.cgi: Fixes bug12755 - proxy auth password problem longer than 8 chars
- The existing version of the perl module Apache::Htpasswd was using the crypt hash for
the password hashing, which is very insecure. The only alternative with this module
is the md5 and sha1 hashes which are also considered weak now.
- The module was last updated in Nov 2012 and there is no alternative module available.
- This patch replaces that perl module with using the apache htpasswd program. This can
be set to use the bcrypt hash which is considered secure. This is used for the
generation of the root and admin passwords during the IPFire install.
- Tested out on my vm testbed system and the password for a specific user name was
changed successfully without any restriction to the length of the password.
- Existing passwords with the existing md5 or crypt options will still work as htpasswd
can manage different encoding hashes in the one file.
Fixes: bug12755 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 4 May 2025 13:17:11 +0000 (15:17 +0200)]
xfsprogs: Update to version 6.14.0
- Update from version 6.13.0 to 6.14.0
- Update of rootfile not required
- Changelog
6.14.0
xfs_scrub_all: localize the strings in the program (Darrick J. Wong)
xfs_protofile: add messages to localization catalog (Darrick J. Wong)
Makefile: inject package name/version/bugreport into pot file (Darrick J. Wong)
xfs_scrub_all: rename source code to .py.in (Darrick J. Wong)
xfs_protofile: rename source code to .py.in (Darrick J. Wong)
xfs_repair: handling a block with bad crc, bad uuid, and bad magic number needs
fixing (Bill O'Donnell)
xfs_repair: fix stupid argument error in verify_inode_chunk (Darrick J. Wong)
xfs_repair: fix infinite loop in longform_dir2_entry_check* (Darrick J. Wong)
xfs_repair: fix crash in reset_rt_metadir_inodes (Darrick J. Wong)
xfs_repair: don't recreate /quota metadir if there are no quota inodes
(Darrick J. Wong)
xfs_repair: fix wording of error message about leftover CoW blocks on the rt
device (Darrick J. Wong)
xfs_io: Add cachestat syscall support (Ritesh Harjani (IBM))
xfs_io: Add RWF_DONTCACHE support to preadv2 (Ritesh Harjani (IBM))
xfs_io: Add RWF_DONTCACHE support to pwritev2 (Ritesh Harjani (IBM))
xfs_io: Add support for preadv2 (Ritesh Harjani (IBM))
make: remove the .extradep file in libxfs on "make clean" (Theodore Ts'o)
xfs_{admin,repair},man5: tell the user to mount with nouuid for snapshots
(Darrick J. Wong)
xfsprogs: Fix mismatched return type of filesize() (Pavel Reichl)
xfs_io: don't fail FS_IOC_FSGETXATTR on filesystems that lack support (Anthony
Iliopoulos)
configure: additionally get icu-uc from pkg-config (Alyssa Ross)
xfs_scrub: use the display mountpoint for reporting file corruptions (Darrick
J. Wong)
xfs_scrub: don't warn about zero width joiner control characters (Darrick J.
Wong)
xfs_scrub: fix buffer overflow in string_escape (Darrick J. Wong)
xfs_db: add command to copy directory trees out of filesystems (Darrick J. Wong)
xfs_db: make listdir more generally useful (Darrick J. Wong)
xfs_db: use an empty transaction to try to prevent livelocks in path_navigate
(Darrick J. Wong)
xfs_db: pass const pointers when we're not modifying them (Darrick J. Wong)
mkfs: enable reflink on the realtime device (Darrick J. Wong)
mkfs: validate CoW extent size hint when rtinherit is set (Darrick J. Wong)
xfs_logprint: report realtime CUIs (Darrick J. Wong)
xfs_repair: validate CoW extent size hint on rtinherit directories (Darrick J.
Wong)
xfs_repair: allow realtime files to have the reflink flag set (Darrick J. Wong)
xfs_repair: rebuild the realtime refcount btree (Darrick J. Wong)
xfs_repair: reject unwritten shared extents (Darrick J. Wong)
xfs_repair: check existing realtime refcountbt entries against observed
refcounts (Darrick J. Wong)
xfs_repair: compute refcount data for the realtime groups (Darrick J. Wong)
xfs_repair: find and mark the rtrefcountbt inode (Darrick J. Wong)
xfs_repair: use realtime refcount btree data to check block types (Darrick J.
Wong)
xfs_repair: allow CoW staging extents in the realtime rmap records (Darrick J.
Wong)
xfs_spaceman: report health of the realtime refcount btree (Darrick J. Wong)
xfs_db: add rtrefcount reservations to the rgresv command (Darrick J. Wong)
xfs_db: copy the realtime refcount btree (Darrick J. Wong)
xfs_db: support the realtime refcountbt (Darrick J. Wong)
xfs_db: display the realtime refcount btree contents (Darrick J. Wong)
man: document userspace API changes due to rt reflink (Darrick J. Wong)
mkfs: create the realtime rmap inode (Darrick J. Wong)
xfs_logprint: report realtime RUIs (Darrick J. Wong)
xfs_repair: reserve per-AG space while rebuilding rt metadata (Darrick J. Wong)
xfs_repair: rebuild the bmap btree for realtime files (Darrick J. Wong)
xfs_repair: check for global free space concerns with default btree slack
levels (Darrick J. Wong)
xfs_repair: rebuild the realtime rmap btree (Darrick J. Wong)
xfs_repair: always check realtime file mappings against incore info (Darrick J.
Wong)
xfs_repair: check existing realtime rmapbt entries against observed rmaps
(Darrick J. Wong)
xfs_repair: find and mark the rtrmapbt inodes (Darrick J. Wong)
xfs_repair: refactor realtime inode check (Darrick J. Wong)
xfs_repair: create a new set of incore rmap information for rt groups (Darrick
J. Wong)
xfs_repair: use realtime rmap btree data to check block types (Darrick J. Wong)
xfs_repair: flag suspect long-format btree blocks (Darrick J. Wong)
xfs_repair: tidy up rmap_diffkeys (Darrick J. Wong)
xfs_spaceman: report health status of the realtime rmap btree (Darrick J. Wong)
xfs_db: add an rgresv command (Darrick J. Wong)
xfs_db: make fsmap query the realtime reverse mapping tree (Darrick J. Wong)
xfs_db: copy the realtime rmap btree (Darrick J. Wong)
xfs_db: support the realtime rmapbt (Darrick J. Wong)
xfs_db: display the realtime rmap btree contents (Darrick J. Wong)
xfs_db: don't abort when bmapping on a non-extents/bmbt fork (Darrick J. Wong)
xfs_db: compute average btree height (Darrick J. Wong)
man: document userspace API changes due to rt rmap (Darrick J. Wong)
xfs_scrub: try harder to fill the bulkstat array with bulkstat() (Darrick J.
Wong)
xfs_scrub: ignore freed inodes when single-stepping during phase 3 (Darrick J.
Wong)
xfs_scrub: hoist the phase3 bulkstat single stepping code (Darrick J. Wong)
xfs_scrub: don't blow away new inodes in bulkstat_single_step (Darrick J. Wong)
xfs_scrub: return early from bulkstat_for_inumbers if no bulkstat data
(Darrick J. Wong)
xfs_scrub: don't complain if bulkstat fails (Darrick J. Wong)
xfs_scrub: don't (re)set the bulkstat request icount incorrectly (Darrick J.
Wong)
xfs_scrub: don't double-scan inodes during phase 3 (Darrick J. Wong)
xfs_scrub: actually iterate all the bulkstat records (Darrick J. Wong)
xfs_scrub: selectively re-run bulkstat after re-running inumbers (Darrick J.
Wong)
xfs_scrub: remove flags argument from scrub_scan_all_inodes (Darrick J. Wong)
xfs_scrub: call bulkstat directly if we're only scanning user files (Darrick
J. Wong)
xfs_scrub: don't report data loss in unlinked inodes twice (Darrick J. Wong)
man: document new XFS_BULK_IREQ_METADIR flag to bulkstat (Darrick J. Wong)
xfs_db: obfuscate rt superblock label when metadumping (Darrick J. Wong)
mkfs,xfs_repair: don't pass a daddr as the flags argument (Darrick J. Wong)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 4 May 2025 13:17:10 +0000 (15:17 +0200)]
tshark: Update to version 4.4.6
- Update from version 4.4.5 to 4.4.6
- Update of rootfile
- Changelog
4.4.6
Bug Fixes
Bug in EtherCAT dissector with ECS order. Issue 13718.
Conversation dialog columns return to default width on each new packet in
live capture. Issue 15978.
Tests fail in LTO-enabled builds in Ubuntu/Debian. Issue 18216.
Incorrect conditions in BFCP dissector. Issue 18717.
Static build fails on Ubuntu 24.04 because the c-ares library isn’t found.
Issue 20343.
Flutter’s Image Picker Generated JPEG Files Detected as Malformed Packet.
Issue 20355.
QUIC dissector breaks when src and dst change. Issue 20371.
s390x: build fail on Ubuntu PPA nighty build. Issue 20372.
Trailing octet after IPv4 packet end is not detected or displayed in raw
bytes. Issue 20423.
[packet-ax25-nol3.c] Only call APRS dissector on UI Frames. Issue 20429.
Wireshark hangs when refreshing interfaces with the debug console
preference set to "always" and a file open (Windows) Issue 20434.
BGP EVPN - Type-8 route not correctly read after addition of Max. Response
Time field. Issue 20459.
Wireshark does not correctly decode LIN "go to sleep" in TECMP and CMP.
Issue 20463.
MQTT-SN: WILLTOPIC message not decoded correctly (missing some flags) Issue
20476.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ADB, ASAM CMP, AX.25, BACapp, BFCP, BGP, CP2179, DCERPC WKSSVC, DCT2000,
DECT-NWK, DHCP, DOF, EAPOL-MKA, ECAT, ErlDP, Ethertype, F1AP, GSM BSSMAP,
GSM DTAP, HomePlug AV, ICMP, IEEE 802.11, ITS, LDP, MQTT-SN, NAS-EPS,
NR RRC, OER, PCEP, PNIO, PPP, QUAKE, QUIC, Raw, Signal PDU, TCP, TECMP,
TLS, and USB DFU
New and Updated Capture File Support
3GPP and pcapng
Updated File Format Decoding Support
There is no updated file format support in this release.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 4 May 2025 13:17:09 +0000 (15:17 +0200)]
patch: Update to version 2.8
- Update from version 2.7.6 to 2.8
- Update of rootfile not required
- Changelog
2.8
* The --follow-symlinks option now applies to output files as well as input.
* 'patch' now supports file timestamps after 2038 even on traditional
GNU/Linux platforms where time_t defaults to 32 bits.
* 'patch' no longer creates files with names containing newlines,
as encouraged by POSIX.1-2024.
* Patches can no longer contain NUL ('\0') bytes in diff directive lines.
These bytes would otherwise cause unpredictable behavior.
* Patches can now contain sequences of spaces and tabs around line numbers
and in other places where POSIX requires support for these sequences.
* --enable-gcc-warnings no longer uses expensive static checking.
Use --enable-gcc-warnings=expensive if you still want it.
* Fix undefined or ill-defined behavior in unusual cases, such as very
large sizes, possible stack overflow, I/O errors, memory exhaustion,
races with other processes, and signals arriving at inopportune moments.
* Remove old "Plan B" code, designed for machines with 16-bit pointers.
* Assume C99 or later; previously it assumed C89 or later.
* Port to current GCC, Autoconf, Gnulib, etc.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 4 May 2025 13:17:07 +0000 (15:17 +0200)]
harfbuzz: Update to version 11.2.0
- Update from version 11.0.0 to 11.2.0
- Update of rootfile
- Changelog
11.2.0
- Painting of COLRv1 fonts without clip boxes is now about 10 times faster.
- Synthetic bold/slant of a sub font is now respected, instead of using the
parent’s.
- Glyph extents for fonts synthetic bold/slant are now accurately calculated.
- Various build fixes
- New API:
+hb_font_is_synthetic()
+hb_font_draw_glyph_or_fail_func_t
+hb_font_paint_glyph_or_fail_func_t
+hb_font_funcs_set_draw_glyph_or_fail_func()
+hb_font_funcs_set_paint_glyph_or_fail_func()
+hb_font_draw_glyph_or_fail()
+hb_font_paint_glyph_or_fail()
- Deprecated API:
-hb_font_draw_glyph_func_t
-hb_font_paint_glyph_func_t
-hb_font_funcs_set_draw_glyph_func()
-hb_font_funcs_set_paint_glyph_func()
11.1.0
- Include bidi mirroring variants of the requested codepoints when subsetting.
The new HB_SUBSET_FLAGS_NO_BIDI_CLOSURE can be used to disable this
behaviour.
- Various bug fixes.
- Various build fixes and improvements.
- Various test suite improvements.
- New API:
+HB_SUBSET_FLAGS_NO_BIDI_CLOSURE
11.0.1
- The change in version 10.3.0 to apply “trak” table tracking values to glyph
advances directly has been reverted as it required every font functions
implementation to handle it, which breaks existing custom font functions.
Tracking is instead back to being applied during shaping.
- When `directwrite` integration is enabled, we now link to `dwrite.dll`
instead of dynamically loading it.
- A new experimental APIs for getting raw “CFF” and “CFF2” CharStrings.
- We now provide manpages for the various command line utilities. Building
manpages requires “help2man” and will be skipped if it is not present.
- The command line utilities now set different return value for different kinds
of failures. Details are provided in the manpages.
- Various fixes and improvements to `fontations` font functions.
- All shaping operations using the `ot` shaper have become memory
allocation-free.
- Glyph extents returned by `hb-ot` and `hb-ft` font functions are now rounded
in stead of flooring/ceiling them, which also matches what other font
libraries do.
- Fix “AAT” deleted glyph marks interfering with fallback mark positioning.
- Glyph outlines emboldening have been moved out of `hb-ot` and `hb-ft` font
functions to the HarfBuzz font layer, so that it works with any font
functions implementation.
- Fix our fallback C++11 atomics integration, which seems to not be widely
used.
- Various testing fixes and improvements.
- Various subsetting fixes and improvements.
- Various other fixes and improvements.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 4 May 2025 13:17:06 +0000 (15:17 +0200)]
grep: Update to version 3.12
- Update from version 3.11 to 3.12
- Update of rootfile not required
- Changelog
3.12
** Bug fixes
Searching a directory with at least 100,000 entries no longer fails
with "Operation not supported" and exit status 2. Now, this prints 1
and no diagnostic, as expected:
$ mkdir t && cd t && seq 100000|xargs touch && grep -r x .; echo $?
1
[bug introduced in grep 3.11]
-mN where 1 < N no longer mistakenly lseeks to end of input merely
because standard output is /dev/null.
** Changes in behavior
The --unix-byte-offsets (-u) option is gone. In grep-3.7 (2021-08-14)
it became a warning-only no-op. Before then, it was a Windows-only no-op.
On Windows platforms and on AIX in 32-bit mode, grep in some cases
now supports Unicode characters outside the Basic Multilingual Plane.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 4 May 2025 13:17:05 +0000 (15:17 +0200)]
gawk: Update to version 5.3.2
- Update from version 5.3.1 to 5.3.2
- Update of rootfile
- Changelog
5.3.2
1. The pretty printer now produces fewer spurious newlines; at the
outermost level it now adds newlines between block comments and
the block or function that follows them. The extra final newline
is no longer produced.
2. OpenVMS 9.2-2 x86_64 is now supported.
3. On Linux and macos systems, the -no-pie linker flag is no longer required.
PMA now works on macos systems with Apple silicon, and not just
Intel systems.
4. Still more subtle issues related to uninitialized array elements have
been fixed.
5. Associative arrays should now not grow quite as fast as they used to.
6. The code and documentation are now consistent with each other with
respect to path searching and adding .awk to the filename. Both
are always done, even with --posix and --traditional.
7. As usual, there have been several minor code cleanups and bug fixes.
See the ChangeLog for details.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 4 May 2025 13:17:04 +0000 (15:17 +0200)]
diffutils: Update to version 3.12
- Update from version 3.11 to 3.12
- Update of rootfile not required
- Changelog
3.12
Bug fixes
diff -r no longer merely summarizes when comparing an empty regular
file to a nonempty regular file.
[bug#76452 introduced in 3.11]
diff -y no longer crashes when given nontrivial differences.
[bug#76613 introduced in 3.11]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 29 Apr 2025 14:42:19 +0000 (16:42 +0200)]
backup.pl: Fix restores for ipsec backups before regen was fixed
- Prior to the ipsec host cert regen fix, the backup did not include the serial or the
index.txt files.
- After the ipsec regen patch set, if a backup from before the change is retsored then
the serial and index.attr could end up not matching. This would break the ipsec regen
again.
- All backups before the change will have hostcerts with serial numbers of 1.
- This patch extracts the serial number from the restored hostcert.pem. If the serial
number is 1 and if the existing serial number file does not contain 02, then the
serial file contents are replaced by 02 and the index.txt contents are deleted.
- If the restored hostcert.pem serial number is greater than 1 then the backup will
contain the serial anf index.txt files.
- If the restored hostcert.pem serial number is 1 and the serial file contains 02 then
the ipsec regen will work correctly.
Fixes: bug13737 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 29 Apr 2025 10:10:49 +0000 (12:10 +0200)]
update.sh: Core 194 - increment ipsec serial file if x509 set exists
- This is related to the fix patch set for bug13737. That patch set works with no problems
if the root/host x509 set is created for the first time with that patch set merged.
However if the x509 is already created previously then the contents of serial will
still be 01 instead of 02.
- This patch checks if the hostcert.pm file exists and that the index.txt file is empty,
and then increments the serial content from 01 to 02. This means that when the x509
is regenerated the system will not complain that 01 cannot be used as it has already
been revoked but will use 02 for the new host and everything works fine after that.
Fixes: bug13737 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 29 Apr 2025 14:56:48 +0000 (14:56 +0000)]
dnsdist: Update to 1.9.9
We released PowerDNS DNSdist 1.9.9 today, an emergency release fixing a security issue tracked as CVE-2025-30194 where a remote, unauthenticated attacker can cause a denial of service via a crafted DNS over HTTPS connection. The issue was reported to us via our public GitHub tracker, so once it was clear that the issue had a security impact we prepared to release a new version as soon as possible.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
