Michael Tremer [Mon, 31 Mar 2025 14:35:26 +0000 (16:35 +0200)]
firewall: Explicitely don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stephen Cuka [Sun, 30 Mar 2025 17:05:21 +0000 (11:05 -0600)]
pakfire.cgi: Add upgrade confirmation page.
- Add upgrade confirmation page. Clicking on the 'Upgrade' button on the main page displays the confirmation page.
- The upgrade confirmation page runs 'pakfire update' then displays all available core and add-on upgrades for confirmation. If there are any 'ERROR' messages from the 'pakfire update', they are displayed on the confirmation page.
Robin Roevens [Fri, 28 Mar 2025 23:23:32 +0000 (00:23 +0100)]
zabbix_agentd: Set passive check agents to 3 by default on new installations.
Zabbix Agent since v7 by default forks 10 instances to listen for and concurrently execute incoming (passive) checks. This was only 3 in previous versions and should be plenty on an IPFire instance where resources can be scarce.
Users with an existing installation will have to manually add the parameter to their config if they don't want the Zabbix new default of 10 . This will be documented in the wiki.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 28 Mar 2025 21:03:25 +0000 (22:03 +0100)]
expat: Update to version 2.7.1
- Update from version 2.7.0 to 2.7.1
- Update of rootfile
- Changelog
2.7.1
Bug fixes:
#980 #989 Restore event pointer behavior from Expat 2.6.4
(that the fix to CVE-2024-8176 changed in 2.7.0);
affected API functions are:
- XML_GetCurrentByteCount
- XML_GetCurrentByteIndex
- XML_GetCurrentColumnNumber
- XML_GetCurrentLineNumber
- XML_GetInputContext
Other changes:
#976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
with Automake that were missing from 2.7.0 release tarballs
#983 #984 Fix printf format specifiers for 32bit Emscripten
#992 docs: Promote OpenSSF Best Practices self-certification
#978 tests/benchmark: Resolve mistaken double close
#986 Address compiler warnings
#990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
for what these numbers do
Infrastructure:
#982 CI: Start running Perl XML::Parser integration tests
#987 CI: Enforce Clang Static Analyzer clean code
#991 CI: Re-enable warning clang-analyzer-valist.Uninitialized
for clang-tidy
#981 CI: Cover compilation with musl
#983 #984 CI: Cover compilation with 32bit Emscripten
#976 #977 CI: Protect against fuzzer files missing from future
release archives
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stephen Cuka [Thu, 27 Mar 2025 05:34:40 +0000 (23:34 -0600)]
pakfire.cgi: Convert icons to buttons.
- Convert icons to buttons on main and confirmation pages.
- Disable Upgrade button if no core or add-on updates available.
- Disable Install and Remove buttons until an add-on is selected
to install or remove.
- Change 'abort' to 'cancel'.
- Change 'uninstall' to 'remove'.
- Set fixed height on select boxes to keep the size the same if
there are no options for the select.
- Change translation for install/remove description text, the previous
text referred to the icons.
'pakfire install description' -> 'Please select one or more add-ons to install.'
'pakfire uninstall description' -> 'Please select one or more add-ons to remove.'
Signed-off-by: Stephen Cuka <stephen@firemypi.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stephen Cuka [Mon, 24 Mar 2025 00:35:43 +0000 (18:35 -0600)]
langs: Add 'pakfire updates' translation.
Add missing 'pakfire updates' tr to en.pl and it.pl. For other
languages, in cases where the existing 'pakfire updates' tr does not
match the 'available updates' tr currently used by pakfire.cgi, give
precedence to the 'available updates' tr and update 'pakfire updates'
accordingly.
Signed-off-by: Stephen Cuka <stephen@firemypi.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 27 Mar 2025 22:45:52 +0000 (23:45 +0100)]
zabbix_agentd: Disable passive checks by default on new installations.
Zabbix Agent by default normally forks 10 instances to listen for incoming (passive) checks.
I, however, recommend only using active checks on an IPFire instance, so that the agent on the instance will only actively contact the Zabbix server to request a list of checks to perform instead of waiting for the server to contact the agent for every check.
This frees up some resources valuable to smaller systems and makes the agent not to listen on any TCP port, which is a possible attack surface less.
Users with an existing installation will have to manually add the parameter to their config. This will be documented in the wiki.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 27 Mar 2025 22:45:51 +0000 (23:45 +0100)]
zabbix_agentd: Update to 7.0.11 (LTS)
- Update from version 6.0.33 to 7.0.11
- Update of rootfile not required
This is a major release update to the next LTS version and breaks compatibility with Zabbix Server 6.x.
A survey on the forum resulted in nobody claiming to still use Zabbix Server v6.x.
Matthias Fischer [Tue, 25 Mar 2025 18:08:51 +0000 (19:08 +0100)]
suricata: Update to 7.0.10
For details see:
https://suricata.io/2025/03/25/suricata-7-0-10-released/
"This is an extra release to address a critical issue in 7.0.9 affecting
AF_PACKET users: setting a BPF would cause Suricata to fail to start up. As
this affected many users, we’ve decided to push this release earlier than
originally planned. Our QA processes have been updated to avoid similar
issues going forward."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 24 Mar 2025 17:44:26 +0000 (18:44 +0100)]
libidn: Removal of package as no longer needed.
- A while back elinks changed from using libidn to libidn2. At that time that left
ghostscript as the only package still using libidn. With the removal of cups and
associated packages, including ghostscript, libidn is no longer used. libidn2 is
used where required now.
- This removes the lfs and rootfiles and removes the entry from the make.sh file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 24 Mar 2025 17:44:25 +0000 (18:44 +0100)]
cifs-utils: Update to version 7.3
- Update from version 7.1 to 7.3
- Update of rootfile not required.
- Changelog
7.3
Fix regression in mount.cifs with guest mount option
cldap_ping: Fix socket fd leak
resolve_host.c: Initialize site_name
7.2
cifs-utils: Skip TGT check if valid service ticket is already available
docs: update actimeo description
docs: add max_cached_dirs description
docs: add esize description
cifs-utils: support and document password2 mount option
use enums to check password or password2 in set_password,
get_password_from_file and minor documentation additions
Fix compiler warnings in mount.cifs
Do not pass passwords with sec=none and sec=krb5
smbinfo: add bash completion support for filestreaminfo, keys, gettconinfo
cifs-utils: bump version to 7.2
CIFS.upcall to accomodate new namespace mount opt
cifs-utils: add documentation for upcall_target
cifs-utils: avoid using mktemp when updating mtab
getcifsacl: fix return code check for getting full ACL
cifscreds: use continue instead of break when matching commands
cifscreds: allow user to set the key's timeout
configure.ac: libtalloc is now mandatory
cldap_ping.c: add missing <sys/types.h> include
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20240722.0 to 20250127.0
- Update of rootfile
- Changelog 20250127.0
What's New:
Added support for Bazel 8.0
Added support for Bazel Platforms for better portability
Added ABSL_ATTRIBUTE_VIEW and ABSL_ATTRIBUTE_OWNER for diagnosing certain
lifetime issues
Many performance improvements
A security issue in hash container create/resize has been fixed. Note that
the latest patch releases for previous LTS versions also address this
issue.
Breaking Changes:
Bazel BUILD files now reference repositories by their canonical names from
the Bazel Central Registry. For example, Abseil is now @abseil-cpp
instead of @com_google_absl, and GoogleTest is now @googletest instead
of @com_google_googletest. Users still using the old WORKSPACE system
may need to use repo_mapping on repositories that still use the old
names. See 90a7ba6 for an example.
Other:
This will be the last release to support C++14. Future releases will
require at least C++17.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 24 Mar 2025 10:35:51 +0000 (11:35 +0100)]
util-linux: Update to version 2.41
- Update from version 2.40.2 to 2.41
- Update of rootfile for all three architectures. This time confirmed that all three
have been edited to remove the + additions to lines.
- There are two new commands available, bits and coresched. I have commented both of
these out as they are new and have therefore never been used in the past. If they
are something that should be used in IPFire then the lines can always be uncommented.
- Changelog
2.41
Release highlights - full list of all changes is too large to put here (~1400
lines). The details can be found in the source tarball
/Documentation/releases/v2.41-ReleaseNotes file.
agetty:
- Fixed an issue where issue files were not being printed from additional
locations, such as /run or /usr/lib. This change now allows for the use of
local information from /etc, in addition to generated files from /run and
distribution-specific files from /usr/lib.
cfdisk and sfdisk:
- Added support for the --sector-size command line option.
sfdisk:
- Added a new option, --discard-free.
fdisk:
- Added a new command, 'T', to discard sectors.
chrt:
- The --sched-runtime now supports SCHED_{OTHER,BATCH} policies.
column:
- Can now handle ANSI SGR colors inside OSC 8 hyperlink escape codes and
sequences.
enosys:
- Can now dump defined filters.
libmount:
- Added experimental support for statmount() and listmount() syscalls.
- This new functionality can be accessed using "findmnt --kernel=listmount".
- Added a new mount option, X-mount.nocanonicalize[=source|target].
- Added new mount extensions to the "ro" flag (ro[=vfs,fs]).
- Added a new option, X-mount.noloop, to disable automatic loop device
creation.
- Now supports bind symlinks over symlinks.
- Reads all kernel info/warning/error messages from new API syscalls (and
mount(8) prints them).
libuuid:
- Now supports RFC9562 UUIDs.
findmnt, lsblk, and lsfd:
- Added a new --hyperlink command line option to print paths as terminal
hyperlinks.
findmnt:
- Can now address filesystems using --id and --uniq-id (requires listmount()
kernel support).
flock:
- Added support for the --fcntl command line option.
hardlink:
- Can now prioritize specified trees on the command line using
--prioritize-trees.
- Can exclude sub-trees using --exclude-subtree or keep them in the current
mount using --mount.
- Duplicates can now be printed using --list-duplicates.
hwclock:
- Added a new --param-index option to address position for
RTC_PARAM_{GET,SET} ioctls.
kill:
- Can now decode signal masks (e.g. as used in /proc) to signal names.
libblkid:
- Made many changes to improve detection, including exfat, GPT, LUKS2,
bitlocker, etc.
login:
- Added support for LOGIN_ENV_SAFELIST in /etc/login.def.
lsfd:
- Now supports pidfs and AF_VSOCK sockets.
lsipc, ipcmk, ipcrm:
- Now supports POSIX ipc.
lslogins:
- Now supports lastlog2.
lsns:
- Added support for the --filter option.
build by meson:
- Now supports translated man pages and has fixed many bugs.
mkswap:
- The option --file should now be usable on btrfs.
nsenter:
- Improved support for pidfd and can now join target process's socket net
namespace.
scriptlive:
- Added a new option, --echo <never|always|auto>.
zramctl:
- Now supports COMP-RATIO and --algorithm-params.
2.40.4
libmount:
- Revert "libmount: exec mount helpers with posixly correct argument order"
po:
- merge changes
po-man:
- merge changes
- Fix table formatting
2.40.3
agetty:
- Prevent cursor escape
- add "systemd" to --version output
- fix ambiguous ‘else’ [-Werror=dangling-else]
audit-arch.h:
- add defines for m68k, sh
autotools:
- Check for BPF_OBJ_NAME_LEN (required by lsfd)
- add --disable-enosys, check for linux/audit.h
- add Libs.private to uuid.pc
- allow enabling dmesg with --disable-all-programs
- allow enabling lsblk with --disable-all-programs
- check for sys/vfs.h and linux/bpf.h
- fix securedir and pam_lastlog2 install
bash-completion:
- add `--pty` and `--no-pty` options for `su` and `runuser`
- complete `--user` only for `runuser`, not for `su`
chcpu(8):
- Document CPU deconfiguring behavior
- Fix typo
ci:
- bump coveralls compiler version to gcc 13
doc:
- fsck.8.adoc - fix email typo
docs:
- update AUTHORS file
fdisk:
- (man) improve --sector-size description
- fix SGI boot file prompt
- fix fdisk_sgi_set_bootfile return value
- fix sgi_check_bootfile name size minimum
- fix sgi_menu_cb return value
fincore:
- Use correct syscall number for cachestat on alpha
fstab.5 mount:
- fstab.5 mount.8 add note about field separator
hardlink:
- fix memory corruption (size calculation)
- hardlink.1 directory|file is mandatory
hwclock:
- Remove ioperm declare as it causes nested extern declare warning
lib/env:
- fix env_list_setenv() for strings without '='
libblkid:
- (exfat) validate fields used by prober
- (gpt) use blkid_probe_verify_csum() for partition array checksum
- add FSLASTBLOCK for swaparea
- bitlocker add image for Windows 7+ BitLocker
- bitlocker fix version on big-endian systems
- improve portability
libfdisk:
- make sure libblkid uses the same sector size
libmount:
- exec mount helpers with posixly correct argument order
- extract common error handling function
- propagate first error of multiple filesystem types
libmount/context_mount:
- fix argument number comments
logger:
- correctly format tv_usec
lscpu:
- Skip aarch64 decode path for rest of the architectures
- make code more readable
lslocks:
- remove deadcode [coverity scan]
lsns:
- ignore ESRCH errors reported when accessing files under /proc
man pages:
- document `--user` option for `runuser`
- use `user` rather than `username`
meson:
- check for BPF_OBJ_NAME_LEN and linux/bpf.h
mkswap:
- set selinux label also when creating file
more:
- make sure we have data on stderr
nsenter:
- support empty environ[]
partx:
- Fix example in man page
po:
- merge changes
- update de.po (from translationproject.org)
- update ja.po (from translationproject.org)
- update pt_BR.po (from translationproject.org)
- update sr.po (from translationproject.org)
- update zh_CN.po (from translationproject.org)
po-man:
- add missing langs to po4a.cfg
- fix typo, update .gitignore
- merge changes
- update fr.po (from translationproject.org)
- update pt_BR.po (from translationproject.org)
tests:
- fdisk/bsd Update expected output for alpha
umount, losetup:
- Document loop destroy behavior
uuidd:
- fix /var/lib/libuuid mode uuidd-tmpfiles.conf
- fix typo in tmpfiles.conf
- fix /var/lib/libuuid mode uuidd-tmpfiles.conf
- fix typo in tmpfiles.conf
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 23 Mar 2025 17:34:28 +0000 (18:34 +0100)]
tzdata: Update to version 2025b
- Update from version 2025a to 2025b
- Update of rootfile
- Changelog
2025b
Briefly:
New zone for Aysén Region in Chile which moves from -04/-03 to -03.
Changes to future timestamps
Chile's Aysén Region moves from -04/-03 to -03 year-round, joining
Magallanes Region. The region will not change its clocks on
2025-04-05 at 24:00, diverging from America/Santiago and creating a
new zone America/Coyhaique. (Thanks to Yonathan Dossow.) Model
this as a change to standard offset effective 2025-03-20.
Changes to past timestamps
Iran switched from +04 to +0330 on 1978-11-10 at 24:00, not at
year end. (Thanks to Roozbeh Pournader.)
Changes to code
'zic -l TIMEZONE -d . -l /some/other/file/system' no longer
attempts to create an incorrect symlink, and no longer has a
read buffer underflow. (Problem reported by Evgeniy Gorbanev.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 23 Mar 2025 17:31:14 +0000 (18:31 +0100)]
shadow: Update to version 4.17.4
- Update from version 4.17.3 to 4.17.4
- Update of rootfile not required
- Changelog
4.17.4
Revert "lib/, src/: Use local time for human-readable dates"
lib/getdate.y: Ignore time-zone information and use UTC
src/chfn.c: Partially revert "lib/, src/: Use strsep(3) instead of its pattern"
src/chfn.c: Use stpsep() instead of its pattern
src/chfn.c: Add local variable to refer to the separated field
src/chfn.c: copy_field(): Rename local variable
lib/commonio.c: Rely on the POSIX.1-2008 behavior of realpath(3)
lib/fs/readlink/: readlinknul(): Use ssize_t to simplify
autogen.sh: Promote -Wsign-compare to an error
lib/sizeof.h: ssizeof(): Add signed variant of sizeof
src/lastlog.c: Use ssizeof() to avoid a -Wsign-compare diagnostic
tests/unit/test_xasprintf.c: Fix sign-mismatch diagnostic
configure.ac: stop checking for utmp location
configure.ac: be deterministic about passwd location
lib/, src/: update audit messages
lib/: audit function for groups
src/: update group audit messages
doc/: Remove list of distributions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 23 Mar 2025 17:26:04 +0000 (18:26 +0100)]
libusb: Update to version 1.0.28
- Update from version 1.0.27 to 1.0.28
- Update of rootfile
- Changelog
1.0.28
* New libusb_get_ssplus_usb_device_capability_descriptor API
for query of SuperSpeed+ Capability Descriptors
* API support for reporting USB 3.2 Gen2x2 speeds
* macOS: Fix Zero-Length Packet for multiple packets per frame
* Windows: Base HID device descriptor on OS-cached values
* Build fixes for Haiku and SunOS
* Many code correctness fixes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 12 Mar 2025 11:03:22 +0000 (12:03 +0100)]
sources: Update ipblocklist with Threatview.io IP list
- Blocklist addition was discussed and agreed at IPFire dev conf call in March 2025.
- Tested on vm system.
- Adjusted the entry alignment for the three 3coresec entries as they had used tabs and
all the rest used spaces for alignment. Now all entries are lined up the same.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 12 Mar 2025 14:46:10 +0000 (15:46 +0100)]
ipblocklist-functions.pl: Specify an IPFire user agent for the downloads
- As discussed at the IPFire conf call in March 2025, this patch provides an IPFire
specific User Agent string for the IP Block Lists downloads using LWP::UserAgent.
- It turned out that there was already a function in general-functions.pl that creates
an IPFire Useer Agent string. This was used for this IP Blocklist download.
- Currently it gave me the string IPFire/2.29/192.
- This was tested out with the Threatview.io IP blocklist download and it worked fine.
- If this patch is approved and merged then I will let contact Threatview.io to let them
know what our User Agent string is.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 21 Mar 2025 13:30:45 +0000 (14:30 +0100)]
mpfr: Update to version 4.2.2
- Update from version 4.2.1 to 4.2.2
- Update of rootfile
- Changelog
4.2.2
- In order to resolve a portability issue with the _Float128 fallback to
__float128 for binary128 support (e.g. with Clang and glibc 2.41), the
prototypes of the corresponding conversion functions had to be changed,
with _Float128 replaced by mpfr_float128, where mpfr_float128 is a macro
defined as _Float128 by default. This changes neither the ABI nor the API
(except that the end user of MPFR would need to define mpfr_float128 as
the actual type for the binary128 format if this is not the standard
_Float128 type).
- Other bug fixes (see <https://www.mpfr.org/mpfr-4.2.1/#fixed> and/or the
ChangeLog file). In particular, the formatted output functions behaved
incorrectly with %c on the value 0; such a use is uncommon, but this bug
may have security implications.
- Improved MPFR manual.
- Detect the use of GMP's buggy vsnprintf replacement at configure time.
With it, the tests of "%a" will be disabled to avoid an assertion failure
in the MPFR testsuite. A warning will be displayed in the configure output
in such a case.
Also, note that due to new tests related to the fix of the formatted
output functions with %c on the value 0, failures in the tfprintf and
tsprintf tests may be observed if GMP has been built with its vsnprintf
replacement (i.e. if GMP detected at configure time that the vsnprintf
function from the C library is buggy/non-conforming). This is due to a
bug in the vsnprintf replacement from GMP 6.3.0 (official tarball) and
below. This could be observed on MS Windows and OpenBSD. To get rid of
these failures, either use a fixed version (recommended!) or build the
MPFR tests with the MPFR_TESTS_SKIP_CHECK_NULL macro defined.
See the INSTALL file for other details.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 21 Mar 2025 10:24:56 +0000 (11:24 +0100)]
samba: Update to version 4.22.0
- Update from version 4.21.4
- Update of rootfile for all three architectures
- Changelog
4.22.0
NEW FEATURES/CHANGES
SMB3 Directory Leases
Starting with Samba 4.22 SMB3 Directory Leases are supported. The new
global option "smb3 directory leases" controls whether the feature is
enabled or not. By default, SMB3 Directory Leases are enabled on
non-clustered Samba and disabled on clustered Samba, based on the
"clustering" option. See man smb.conf for more details.
SMB3 Directory Leases allow clients to cache directory listings and,
depending on the workload, result in a decent reduction in SMB
requests from clients.
Netlogon Ping over LDAP and LDAPS
Samba must query domain controller information via simple queries on
the AD rootdse's netlogon attribute. Typically this is done via
connectionless LDAP, using UDP on port 389. The same information is
also available via classic LDAP rootdse queries over TCP. Samba can
now be configured to use TCP via the new "client netlogon ping
protocol" parameter to enable running in environments where firewalls
completely block port 389 or UDP traffic to domain controllers.
Experimental Himmelblaud Authentication in Samba
Samba now includes experimental support for Azure Entra ID
authentication via `himmelblaud`, located in the `rust/` directory.
This implementation provides basic authentication and is configured
through `smb.conf`, utilizing options such as `realm`,
`winbindd_socket_directory`, and `template_homedir`. New global
parameters include `himmelblaud_sfa_fallback`,
`himmelblaud_hello_enabled`, and `himmelblaud_hsm_pin_path`.
To enable, configure Samba with `--enable-rust --with-himmelblau`.
AD DC schema upgrade and provision performance improvements
By increasing the LDB index cache size for certain offline operations
that are likely to require large transactions, these are now several
times faster.
REMOVED FEATURES
The "nmbd proxy logon" feature was removed. This was used before
Samba4 acquired a NBT server.
The parameter "cldap port" has been removed. CLDAP runs over UDP port
389, we don't see a reason why this should ever be changed to a
different port. Moreover, we had several places in the code where
Samba did not respect this parameter, so the behaviour was at least
inconsistent.
fruit:posix_rename
This option of the vfs_fruit VFS module that could be used to enable
POSIX directory rename behaviour for OS X clients has been removed
as it could result in severe problems for Windows clients.
As a possible workaround it is possible to prevent creation of
.DS_Store files (a Finder thingy to store directory view settings)
on network mounts by running
$ defaults write com.apple.desktopservices DSDontWriteNetworkStores true
on the Mac.
smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
smb3 directory leases New Auto
vfs mkdir use tmp name New Auto
client netlogon ping protocol New cldap
himmelblaud hello enabled New no
himmelblaud hsm pin path New default hsm pin path
himmelblaud sfa fallback New no
client use krb5 netlogon Experimental no
reject aes netlogon servers Experimental no
server reject aes schannel Experimental no
server support krb5 netlogon Experimental no
fruit:posix_rename Removed
cldap port Removed
CHANGES SINCE 4.22.0rc4
* BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
* BUG 15797: Unable to connect to CephFS subvolume shares with
vfs_shadow_copy2.
* BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
* BUG 15820: Incorrect FSF address in ctdb pcp scripts.
* BUG 15804: "samba-tool domain backup offline" hangs.
CHANGES SINCE 4.22.0rc3
* BUG 15815: client use krb5 netlogon is experimental and should not be used
in production.
CHANGES SINCE 4.22.0rc2
* BUG 15738: Creation of GPOs applicable to more than one group is impossible
with Samba 4.20.0 and later.
* BUG 15806: samba-tool acl commands broken for relative path names
* BUG 15807: pysmbd seg faults when file is not found.
* BUG 15796: Spotlight search results don't show file size and creation date.
* BUG 15759: net ads create/join/winbind producing unix dysfunctional
keytabs.
* BUG 15806: samba-tool acl commands broken for relative path names.
* BUG 15807: pysmbd seg faults when file is not found.
* BUG 15680: Trust domains are not created.
* BUG 15680: Trust domains are not created.
* BUG 15703: General improvements for vfs_ceph_new module.
CHANGES SINCE 4.22.0rc1
* BUG 15798: libnet4: seg fault after dc lookup failure
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 20 Mar 2025 22:58:22 +0000 (23:58 +0100)]
bind: Update to 9.20.7
For details see:
https://downloads.isc.org/isc/bind9/9.20.5/doc/arm/html/notes.html#notes-for-bind-9-20-7
Excerpt:
"Notes for BIND 9.20.7
New Features
Implement the min-transfer-rate-in configuration option.
...
Add HTTPS record query to host command line tool.
...
Implement sig0key-checks-limit and sig0message-checks-limit.
...
Bug Fixes
Fix dual-stack-servers configuration option.
...
Fix a data race causing a permanent active client increase.
...
Fix deferred validation of unsigned DS and DNSKEY records.
...
Fix RPZ race condition during a reconfiguration.
...
“CNAME and other data check” not applied to all types.
...
Relax private DNSKEY and RRSIG constraints.
...
Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
...
Fix TTL issue with ANY queries processed through RPZ “passthru”.
...
dnssec-signzone needs to check for a NULL key when setting offline.
...
Fix a bug in the statistics channel when querying zone transfer information.
...
Fix assertion failure when dumping recursing clients.
...
Dump the active resolver fetches from dns_resolver_dumpfetches()"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 19 Mar 2025 12:54:32 +0000 (13:54 +0100)]
shadow: Update to version 4.17.3
- Update from version 4.16.0 to 4.17.3
- Update of rootfile
- At version 4.17.0 groups and ids were removed from shadow, so the parts of the patch
related to stopping installation of groups is no longer needed. The parts related
to not installing the man pages already installed by man are still done but using
the commands shown in Linux From Scratch with shadow-4.17.3 rather than via a patch
file which was getting very difficult to find and edit every man page that should be
excluded from the source tarball to create the diff patch.
- Corrected a typo, --without-brcypt should have been --without-bcrypt. However no
impact as the default for brcypt is to not be installed.
- This version brings in /bin/getsubids. I have commented this out as that command was
never present before, although the subids libraries were. If this command should be
available in IPFire then it can be uncommented in the rootfile.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 11 Mar 2025 20:36:35 +0000 (21:36 +0100)]
bacula: Update to version 15.0.2
- Update from version 13.0.4 to 15.0.2
- Update of rootfile
- Version 15.0.2 has now been released for a year so it is time to update the IPFire
file daemon as the direcdtor and storage daemon should by now be at this latest
version.
- Changelog is too large to fully include here. Details can be found in the ChangeLog
file in the source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Mar 2025 21:20:18 +0000 (22:20 +0100)]
pango: Update to version 1.56.3
- Update from version 1.56.1 to 1.56.3
- Update of rootfile
- Changelog
1.56.3
- Improve font description serialization
- fontconfig: Avoid FcFontSetSort when possible
- coverage: Extend coverage by Unicode decomposition
- win32: Speed up coverage creation
- Deprecate pango_font_descriptions_free
1.56.2
- Annotation fixes
- fontconfig: Set optical size for fonts with an opsz axis
- fontconfig: Make panog_font_map_reload_font scale linearly
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Mar 2025 21:20:17 +0000 (22:20 +0100)]
lvm2: Update to version 2.03.31
- Update from version 2.03.30 to 2.03.31
- Update of rootfile not required
- Changelog
2.03.31
Reduce 'mandoc -T lint' reported issues for man pages.
Restore support for LVM_SUPPRESS_FD_WARNINGS (2.03.24).
Fix uncache and split cache restoring original state of volume.
Extend use of lockopt skip to more scenarios.
Enhance error path resolving in polling code.
Disallow shared activation of LV with CoW snapshot.
Fix lvmlockd use in lvremove of CoW snapshot, VDO pool, and uncache.
Improve mirror split with opened temporary volumes.
Improve pvmove finish with opened temporary volumes.
Fix backup limit for devices file, handle over 10,000 files.
Ignore reported optimal_io_size not divisible by 4096.
Fix busy-loop in config reading when read returned 0.
Fix DM cache preserving logic (2.03.28).
Improve use of lvmlockd for usecases involving thin volumes and pools.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Mar 2025 21:20:16 +0000 (22:20 +0100)]
liburcu: Update to version 0.15.1
- Update from version 0.15.0 to 0.15.1
- Update of rootfile not required
- Changelog
0.15.1
* uatomic/generic: Add missing #include <stdlib.h>
* docs: Clarify that make is required to build the project
* fix: add missing SPDX headers to urcu/uatomic/api.h
* compiler.h: Remove caa_unqual_scalar_typeof
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Mar 2025 21:20:15 +0000 (22:20 +0100)]
libseccomp: Update to version 2.6.0
- Update from version 2.5.5 to 2.6.0
- Update of rootfile
- Changelog
2.6.0
- Update the syscall table for Linux v6.13
- Add support for new arches: SuperH little and big endian, LoongArch, and
32-bit Motorola 68000
- Add multiplexed syscall support for more arches: MIPS, SuperH, and PPC
- Consolidate and simplify handling of multiplexed syscalls
- Add support for the SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag
- Add support for transactions with the seccomp_transaction_start(),
seccomp_transaction_commit(), and seccomp_transaction_reject() APIs
- Add a seccomp_precompute() API to generate the seccomp BPF filter prior to
seccomp_load() or seccomp_export_bpf_mem()
- Add support for binary tree filters without syscalls
- Add support for the kernel’s implementation change of
SECCOMP_IOCTL_NOTIF_ID_VALID
- Add Python binding support for retrieving the notification file descriptor
- Improved tooling to help track syscall table updates in the Linux kernel
- Handle EINVAL error from the kernel when the WAIT_KILLABLE_RECV flag is
erroneously provided to the kernel
- Fix a seccomp userspace notification issue where the file descriptor was
being requested more than once
- Fix a bug where the internal filter state could be corrupted when a filter
rule addition fails
- Fix potential memory leak in the internal management of filter snapshots
- Utilize Cython rather than distutils in the Python bindings, due to
distutils’ deprecation
- Many test and CI improvements and fixes
- Many documentation improvements and updates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Mar 2025 21:20:13 +0000 (22:20 +0100)]
libcap: Update to version 2.75
- Update from version 2.73 to 2.75
- Update of rootfile
- Changelog
2.75
This release is devoted to a fix for Bug 219838 reported by Frank.
2.74
ERRATA
Bug 219838 the psx go package fails to build standalone.
You can work around this by go mod vendor in your code tree
or upgrade your package reference to psx/v1.2.75.
This release addresses Bug 219687 reported by David Runge.
Code at HEAD (tagged {cap,psx}/v1.2.74-rc5) fixes it for
{x86,arm,mips}x{32-bit,64-bit}, ppc64, s390x and riscv.
The mips32 support requires a more modern Go compiler than the
default provided by Debian. For successfully testing I used
go1.24.0.
May be fixed for loongarch, but no system to test this with
(derived from mips, so perhaps it is fixed).
Group syntax parsing bugfix for pam_cap from Tianjia Zhang.
Doc typo fix for cap_get_proc.3 from Tianjia Zhang.
Fix transitive include in capsh.c from Leo.
Go package documentation updates, including more cap examples.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Mar 2025 21:20:12 +0000 (22:20 +0100)]
kmod: Update to version 34.1
- Update from version 0.34 to 0.34.1
- Update of rootfile not required
- Changelog
0.34.1
It's mostly a build system fix release, the first .1 we are releasing.
My goal is to mimic what is done in the kernel and propagate the
critical fixes to a stable release, which should help distros to get the
fixes ahead of a new release, without having to patch it themselves.
Shortlog is below:
meson: Use short options for ln everywhere
meson: Fix setting an absolute customdir
NEWS: ditch mention of libxz.so
meson: Fix build with glibc 2.31
kmod 34.1
build: support missing gtkdocize in releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Mar 2025 21:20:09 +0000 (22:20 +0100)]
harfbuzz: Update to version 10.4.0
- Update from version 10.2.0 to 10.4.0
- Update of rootfile
- Changelog
10.4.0
- Drawing glyphs using hb-draw API now avoids any “malloc” calls, which
improves drawing performance by 10+%.
- Add support new “GVAR” table fonts with more than 65535 glyphs. Support is
currently behind a compilation flag and is disabled by default.
- Some hb-directwrite and hb-ft APIs got renamed with more clear names and the
old names are deprecated.
- Various build and fuzzing fixes.
- New API:
+hb_directwrite_face_get_dw_font_face()
+hb_ft_font_get_ft_face()
- Deprecated API:
+hb_directwrite_face_get_font_face()
+hb_ft_font_get_face()
10.3.0
- Vastly improved “AAT” shaping performance. LucidaGrande benchmark-shape
before: 14.6ms after: 5.9ms.
- Improved OpenType shaping performance (kerning / ligature), at the expense of
~1kb per face allocated cache memory. Roboto-Regular benchmark-shape before:
10.3ms after: 9.4ms.
- Improved “COLRv1” benchmark-font paint performance. Before: 7.85ms after
4.85ms.
- Don’t apply glyph substitutions in “morx” table of a font with known broken
“morx” table (AALMAGHRIBI.ttf font).
- Update IANA and OT language registries.
- Various documentation updates.
- Various build improvements, and test speed-ups.
- The “hb_face_reference_blob()” API now works for faces created with
“hb_face_create_for_tables()” if the face sets “get_table_tags” callback.
This constructs a new face blob from individual table blobs.
- Various fixes to how “trak” table is handled to bring it closer to Core Text
behaviour. Particularly, the tracking values for sizes not explicitly set in
the table are now properly interpolated, and the tracking is applied to glyph
advances when they are returned by ot-font functions, instead of applying
them during shaping. The “trak” pseudo OpenType feature that could be used to
disable “trak” table application have been dropped.
- Core Text font functions now support non-BMP code points.
- The drawing algorithm used by hb-draw for “glyf” table now match the
algorithm used by FreeType and Core Text.
- The “hb_coretext_font_create()” API now copy font variations from Core Text
font to the created HarfBuzz font.
- Add an API to get the feature tags enabled on a given shape-plan after
executing it, which can be used to applications to show in the UI what
features are applied by default (which can vary based on the font, the
script, the language, and the direction set on the buffer).
- Add APIs to created HarfBuzz font from DirectWrite font, and copy the font
variations.
- New API:
+hb_directwrite_font_create()
+hb_directwrite_font_get_dw_font()
+hb_ot_shape_plan_get_feature_tags()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Mar 2025 21:20:08 +0000 (22:20 +0100)]
git: Update to version 2.49.0
- Update from version 2.48.1 to 2.49.0
- Update of rootfile
- Changelog
2.49.0
UI, Workflows & Features
* Completion script updates for zsh
* "git pack-objects" and its wrapper "git repack" learned an option
to use an alternative path-hash function to improve delta-base
selection to produce a packfile with deeper history than window
size.
* "git gc" learned the "--expire-to" option and passes it down to
underlying "git repack".
* "[help] autocorrect = 1" used to be a way to say "please wait for
0.1 second after suggesting a typofix of the command name before
running that command"; now it means "yes, if there is a plausible
typofix for the command name, please run it immediately".
* "git clone" learned to make a shallow clone for a single commit
that is not necessarily be at the tip of any branch.
* Lazy-loading missing files in a blobless clone on demand is costly
as it tends to be one-blob-at-a-time. "git backfill" is introduced
to help bulk-download necessary files beforehand.
* "git push --atomic --porcelain" used to ignore failures from the
other side, losing the error status from the child process, which
has been corrected.
* "git rev-list --missing=" learned to accept "print-info" that gives
known details expected of the missing objects, like path and type.
* Comes with an updated "gitk".
* The documentation of "git commit" and "git rebase" now refer to
commit titles as such, not "subject".
* The value of "uname -s" is by default sent over the wire as a part
of the "version" capability.
* "git refs migrate" can optionally be told not to migrate the reflog.
* The netrc support (via the cURL library) for the HTTP transport has
been re-enabled.
* Removal of ".git/branches" and ".git/remotes" support in the
BreakingChanges document has been further clarified.
* What happens to submodules during merge has been documented in a
bit more detail.
Performance, Internal Implementation, Development Support etc.
* More -Wsign-compare fixes.
* meson-based build now supports the unsafe-sha1 build knob.
* The meson-based build procedure covers contrib/ and other places as
well.
* The code to check LSan results has been simplified and made more
robust.
(merge 164a2516eb jk/lsan-race-ignore-false-positive later to maint).
* More code paths have a repository passed through the callchain,
instead of assuming the primary the_repository object.
* Move a few more unit tests to the clar test framework.
* Introduce a new API to visit objects in batches based on a common
path, or by type.
* Following the procedure we established to introduce breaking
changes for Git 3.0, allow an early opt-in for removing support of
$GIT_DIR/branches/ and $GIT_DIR/remotes/ directories to configure
remotes.
* The code paths to interact with zlib has been cleaned up in
preparation for building with zlib-ng.
* Foreign language interface for Rust into our code base has been added.
* All the documentation .txt files have been renamed to .adoc to help
content aware editors.
* "git difftool" code clean-up.
* Rename processing in the recursive merge backend has seen a micro
optimization.
* The path.[ch] API takes an explicit repository parameter passed
throughout the callchain, instead of relying on the_repository
singleton instance.
* Large-object promisor protocol extension has been introduced.
* The editorconfig file is updated to tell us that bash scripts are
similar to general Bourne shell scripts.
* Meson-based build procedure forgot to build some docs, which has
been corrected.
Fixes
* "git submodule" learned various ways to spell the same option,
e.g. "--branch=B" can be spelled "--branch B" or "-bB".
(merge b86f0f9071 re/submodule-parse-opt later to maint).
* Tweak the help text used for the option value placeholders by
parse-options API so that translations can customize the "<>"
placeholder signal (e.g. "--option=<value>").
(merge 5b34dd08d0 as/long-option-help-i18n later to maint).
* CI jobs gave sporadic failures, which turns out that that the
object finalization code was giving an error when it did not have
to.
(merge d7fcbe2c56 ps/object-collision-check later to maint).
* The code to compute "unique" name used git_rand() which can fail or
get stuck; the callsite does not require cryptographic security.
Introduce the "insecure" mode and use it appropriately.
(merge 0b4f8afef6 ps/reftable-get-random-fix later to maint).
* A misconfigured "fsck.skiplist" configuration variable was not
diagnosed as an error, which has been corrected.
(merge ca7158076f jt/fsck-skiplist-parse-fix later to maint).
* Extended SHA-1 expression parser did not work well when a branch
with an unusual name (e.g. "foo{bar") is involved.
(merge 191f0c8db2 en/object-name-with-funny-refname-fix later to maint).
* The meson build procedure looked for the 'version-def.h' file in a
wrong directory, which has been corrected.
(merge 4771501c0a tc/meson-use-our-version-def-h later to maint).
* The meson build procedure for Documentation/technical/ hierarchy was
missing necessary dependencies, which has been corrected.
(merge 1dca492edd sj/meson-doc-technical-dependency-fix later to maint).
* The "instaweb" bound only to local IP address without "--local" and
to all addresses with "--local", which was the other way around, when
using Python's http.server class, which has been corrected.
(merge 76baf97fa1 ak/instaweb-python-port-binding-fix later to maint).
* Document that it is insecure to use Personal Access Tokens, which
some hosting providers take as username/password, embedded in URLs.
(merge a90ff409f0 mh/doc-credential-helpers-with-pat later to maint).
* The help text from "git $cmd -h" appear on the standard output for
some $cmd and the standard error for others. The built-in commands
have been fixed to show them on the standard output consistently.
(merge f66d1423f5 jc/show-usage-help later to maint).
* The meson-driven build is now aware of "git-subtree" housed in
contrib/subtree hierarchy.
(merge 8454b42f94 ps/build-meson-subtree later to maint).
* It was possible for "git unpack-objects" and "git index-pack" to
make an unaligned access, which has been corrected.
(merge 98046591b9 jk/pack-header-parse-alignment-fix later to maint).
* The "cache" credential back-end did not handle authtype correctly,
which has been corrected.
(merge 0b43274850 mh/credential-cache-authtype-request-fix later to maint).
* "git branch --sort=..." and "git for-each-ref --format=... --sort=..."
did not work as expected with some atoms, which has been corrected.
(merge c5490ce9d1 rs/ref-fitler-used-atoms-value-fix later to maint).
* reflog entries for symbolic ref updates were broken, which has been
corrected.
(merge 3519492430 kn/reflog-symref-fix later to maint).
* The trace2 code was not prepared to show a configuration variable
that is set to true using the valueless true syntax, which has been
corrected.
(merge 2fd367cf63 am/trace2-with-valueless-true later to maint).
* The "git refs migrate" command did not migrate the reflog for
refs/stash, which is the contents of the stashes, which has been
corrected.
(merge a0bea0978f ps/reflog-migration-with-logall-fix later to maint).
* Doc and short-help text for "show-index" has been clarified to
stress that the command reads its data from the standard input.
(merge 49edce4ff9 jc/show-index-h-update later to maint).
* The API around choosing to use unsafe variant of SHA-1
implementation has been updated in an attempt to make it harder to
abuse.
(merge 04292c3796 tb/unsafe-hash-cleanup later to maint).
* Fix bugs in an earlier attempt to fix "git refs migration".
(merge f11f0a5a2d kn/reflog-migration-fix-fix later to maint).
* The code path used when "git fetch" fetches from a bundle file
closed the same file descriptor twice, which sometimes broke things
unexpectedly when the file descriptor was reused, which has been
corrected.
(merge 9a84794ad8 js/bundle-unbundle-fd-reuse-fix later to maint).
* "git init" to reinitialize a repository that already exists cannot
change the hash function and ref backends; such a request is
silently ignored now.
(merge 7e88640cd1 ps/setup-reinit-fixes later to maint).
* "git apply" internally uses unsigned long for line numbers and uses
strtoul() to parse numbers on the hunk headers. It however forgot
to check parse errors.
(merge a206058fda pw/apply-ulong-overflow-check later to maint).
* Two CI tasks, whitespace check and style check, work on the
difference from the base version and the version being checked, but
the base was computed incorrectly in GitLab CI in some cases, which
has been corrected.
(merge acc4fb302b jt/gitlab-ci-base-fix later to maint).
* "git repack --keep-unreachable" to send unreachable objects to the
main pack "git repack -ad" produces did not work when there is no
existing packs, which has been corrected.
(merge 414c82300a ps/repack-keep-unreachable-in-unpacked-repo later to maint).
* Going into a secondary worktree and asking "is the main worktree
bare?" did not work correctly when per-worktree configuration
option was in use, which has been corrected.
* Fetching into a bare repository incorrectly assumed it always used
a mirror layout when deciding to update remote-tracking HEAD, which
has been corrected.
(merge 93dc16483a bf/fetch-set-head-fix later to maint).
* A thunderbird helper script lost its bashism.
(merge 59d26bd961 bc/contrib-thunderbird-patch-inline-fix later to maint).
* The -G/-S options to the "diff" family of commands caused us to hit
a BUG() when they get no values; they have been corrected.
(merge a620046b29 bc/diff-reject-empty-arg-to-pickaxe later to maint).
* "git merge-tree --stdin" has been improved (including a workaround
for a deadlock).
(merge 6a9ae81015 pw/merge-tree-stdin-deadlock-fix later to maint).
* Correct the default target in Documentation/Makefile, and
future-proof all Makefiles from similar breakages by declaring the
default target (which happens to be "all") upfront.
(merge 5309c1e9fb ad/set-default-target-in-makefiles later to maint).
* "git check-mailmap" used to segfault when queried without human
readable name.
(merge bb60c52131 jk/check-mailmap-wo-name-fix later to maint).
* Support for renaming of symbolic links on Windows has been improved.
* "git rebase -i" failed to allow rewording an empty commit that has
been fast-forwarded.
(merge af8fc7be10 pw/rebase-i-ff-empty-commit later to maint).
* The use of "paste" command for aggregating the test results have
been corrected.
(merge ce98863204 dk/test-aggregate-results-paste-fix later to maint).
* Other code cleanup, docfix, build fix, etc.
(merge ddb5287894 jk/t7407-use-test-grep later to maint).
(merge 21e1b44865 aj/difftool-config-doc-fix later to maint).
(merge 6a63995335 mh/gitattr-doc-markup-fix later to maint).
(merge 43850dcf9c sk/unit-test-hash later to maint).
(merge 4ad47d2de3 jc/cli-doc-option-and-config later to maint).
(merge 2d0ff147e5 jp/t8002-printf-fix later to maint).
(merge 69666e6746 ja/doc-restore-markup-update later to maint).
(merge d11d003ba5 sk/strlen-returns-size_t later to maint).
(merge 77b2d29e91 ja/doc-notes-markup-updates later to maint).
(merge 6979bf6f8f jk/combine-diff-cleanup later to maint).
(merge 8705c9bd13 kn/pack-write-with-reduced-globals later to maint).
(merge 087740d65a ps/leakfixes-0129 later to maint).
(merge 6bba6f604b jp/doc-trailer-config later to maint).
(merge f1cc562b77 lo/t7603-path-is-file-update later to maint).
(merge 45761988ac en/doc-renormalize later to maint).
(merge 832f56f06a jc/doc-boolean-synonyms later to maint).
(merge 3eeed876a9 ac/doc-http-ssl-type-config later to maint).
(merge c268e3285d jc/breaking-changes-early-adopter-option later to maint).
(merge 0d03fda6a5 pb/doc-follow-remote-head later to maint).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Mar 2025 21:20:07 +0000 (22:20 +0100)]
gettext: Update to version 0.24
- Update from version 0.22.5 to 0.24
- Update of rootfile
- Changelog
0.24
# Programming languages support:
* JavaScript:
- xgettext now parses recursive JSX expressions correctly.
* Rust:
- xgettext now supports Rust.
- 'msgfmt -c' now verifies the syntax of translations of Rust format
strings.
- A new example 'hello-rust' has been added.
* C:
- A new example 'hello-c-http' has been added, showing the use of
GNU gettext in a multithreaded web server.
* C++:
- A new example 'hello-c++-gnome3' has been added.
* Ruby:
- A new example 'hello-ruby' has been added.
# Improvements for maintainers:
* When xgettext creates the POT file of a package under Git version control,
the 'POT-Creation-Date' in the POT file usually no longer changes
gratuitously each time the POT file is regenerated.
# Caveat maintainers:
* Building the po/ directory now requires GNU make on specific platforms:
macOS, Solaris, AIX.
0.23.1
* Bug fixes:
- Building with libxml2 >= 2.12.0 and gcc >= 14 now works.
- XML: The value of the xml:lang attribute, inserted by msgfmt, is now
more correct.
0.23
# Internationalized data formats:
* XML:
o The escaping of characters such as & < > has been changed:
- No escaping is done any more by xgettext, when creating a POT file.
- Instead, extra escaping can be requested for the msgfmt pass, when
merging into an XML file.
- The default value of 'escape' in the <gt:escapeRule> was "yes";
now it is "no".
This means that existing translations of older POT files may no longer
fully apply. As a maintainer of a package that has translatable XML files,
you need to regenerate the POT file and pass it on to your translators.
o XML schemas for .its and .loc files are now provided.
o The value of the xml:lang attribute, inserted by msgfmt, now conforms
to W3C standards.
o 'msgfmt --xml' accept an option --replace-text, that causes the output
to be a mono-lingual XML file instead of a multi-lingual XML file.
o xgettext and 'msgfmt --xml' now support DocBook XML files.
* Desktop: xgettext now produces POT files with correct line numbers.
# Programming languages support:
* Python:
o xgettext now assumes source code for Python 3 rather than Python 2.
This affects the interpretation of escape sequences in string literals.
o xgettext now recognizes the f-string syntax.
* Scheme:
o xgettext now supports the option '-L Guile' as an alternative to
'-L Scheme'. They are nearly equivalent. They differ in the
interpretation of escape sequences in string literals: While
'xgettext -L Scheme' assumes the R6RS and R7RS syntax of string literals,
'xgettext -L Guile' assumes the syntax of string literals understood by
Guile 2.x and 3.0 (without command-line option '--r6rs' or '--r7rs', and
before a '#!r6rs' directive is seen).
o xgettext now recognizes comments of the form '#; <expression>'.
* Java: xgettext now has an improved recognition of format strings when the
String.formatted method is used.
* JavaScript:
o xgettext now parses template literals inside JSX correctly.
o xgettext has a new option --tag that customizes the behaviour of tagged
template literals.
* C#:
o The build system and tools now also support 'dotnet' (.NET) as C#
implementation. In order to declare a preference for 'dotnet' over
'mono', you can use the configure option '--enable-csharp=dotnet'.
o xgettext now recognizes strings with embedded expressions (a.k.a.
interpolated strings).
* awk: xgettext now recognizes string concatenation by juxtaposition.
* Smalltalk: xgettext now recognizes the string concatenation operator ','.
* Vala: xgettext now has an improved recognition of format strings when the
string.printf method is used.
* Glade: xgettext has improved support for GtkBuilder 4.
* Tcl: With the recently released Tcl 9.0, characters outside the Unicode BMP
in Tcl message catalogs (.msg files) will work regardless of the locale's
encoding.
* Perl:
o xgettext now reports warnings instead of fatal errors.
o xgettext now recognizes strings with embedded expressions (a.k.a.
interpolated strings).
* PHP:
o xgettext now recognizes strings with embedded expressions.
o xgettext now scans Heredoc and Nowdoc strings correctly.
o xgettext now regards the format string directives %E, %F, %g, %G, %h, %H
as valid.
# Runtime behaviour:
* In the C.UTF-8 locale, like in the C locale, the *gettext() functions
now return the msgid untranslated. This is relevant for GNU systems,
Linux with musl libc, FreeBSD, NetBSD, OpenBSD, Cygwin, and Android.
# Documentation:
* The section "Preparing Strings" now gives more advice how to deal with
string concatenation and strings with embedded expressions.
# xgettext:
* Most of the diagnostics emitted by xgettext are now labelled as
"warning" or "error".
# msgmerge:
* The option '--sorted-output' is now deprecated.
# libgettextpo library:
* This library is now multithread-safe.
* The function 'po_message_set_format' now supports resetting a format string
mark.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Mar 2025 21:20:06 +0000 (22:20 +0100)]
dbus: Update to version 1.16.2
- Update from version 1.16.0 to 1.16.2
- Update of rootfile not required
- Changelog
1.16.2
Build system:
• The branch used for development releases has been renamed to `main`.
Please see CONTRIBUTING.md for details of how to update existing checkouts.
(dbus#530, Simon McVittie)
Bug fixes:
• On Linux, fix build regression with libselinux ≥ 3.8 and verbose mode
enabled (Debian#1096212, dbus!511; Simon McVittie)
Internal changes:
• Documentation updates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Mar 2025 21:20:05 +0000 (22:20 +0100)]
cairo: Update to version 1.18.4
- Update from version 1.18.2 to 1.18.4
- Update of rootfile
- Changelog
1.18.4
The dependency on LZO has been made optional through a build time
configuration toggle. [!580]
You can build Cairo against a Freetype installation that does not have the
FT_Color type. [#792]
Cairo tests now build on Solaris 11.4 with GCC 14. [!599]
The DirectWrite backend now builds on MINGW 11. [!600]
Thanks to Luca Bacci, the DirectWrite backend now supports font
variations and proper glyph coverage. [#877, !602]
Support for Windows 98 has been removed. The minimum requirement for
Windows is now Vista.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 15 Mar 2025 20:45:31 +0000 (21:45 +0100)]
perl: uncomment the json entrries in the rootfile
- Back in Sept 2024 I supplied a patch to remove certain perl modules as they were now
available in the core perl package.
- The perl-json was one of these modules but unfortunately I missed to uncomment the json
entries in the perl rootfile so they have been unavailable to samba since then.
- This patch corrects that situation.
Suggested-by: ummeegge <ummeegge@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 15 Mar 2025 12:29:26 +0000 (13:29 +0100)]
expat: Update to version 2.7.0
- Update from version 2.6.4 to 2.7.0
- Update of rootfile
- Fix for CVE-2024-8176
- Changelog
2.7.0
Security fixes:
#893 #973 CVE-2024-8176 -- Fix crash from chaining a large number
of entities caused by stack overflow by resolving use of
recursion, for all three uses of entities:
- general entities in character data ("<e>&g1;</e>")
- general entities in attribute values ("<e k1='&g1;'/>")
- parameter entities ("%p1;")
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
(Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
Other changes:
#935 #937 Autotools: Make generated CMake files look for
libexpat.@SO_MAJOR@.dylib on macOS
#925 Autotools: Sync CMake templates with CMake 3.29
#945 #962 #966 CMake: Drop support for CMake <3.13
#942 CMake: Small fuzzing related improvements
#921 docs: Add missing documentation of error code
XML_ERROR_NOT_STARTED that was introduced with 2.6.4
#941 docs: Document need for C++11 compiler for use from C++
#959 tests/benchmark: Fix a (harmless) TOCTTOU
#944 Windows: Fix installer target location of file xmlwf.xml
for CMake
#953 Windows: Address warning -Wunknown-warning-option
about -Wno-pedantic-ms-format from LLVM MinGW
#971 Address Cppcheck warnings
#969 #970 Mass-migrate links from http:// to https://
#947 #958 ..
#974 #975 Document changes since the previous release
#974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
for what these numbers do
Infrastructure:
#926 tests: Increase robustness
#927 #932 ..
#930 #933 tests: Increase test coverage
#617 #950 ..
#951 #952 ..
#954 #955 .. Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on
#961 Google's libprotobuf-mutator ("LPM")
#957 Fuzzing|CI: Start producing fuzzing code coverage reports
#936 CI: Pass -q -q for LCOV >=2.1 in coverage.sh
#942 CI: Small fuzzing related improvements
#139 #203 ..
#791 #946 CI: Make GitHub Actions build using MSVC on Windows and
produce 32bit and 64bit Windows binaries
#956 CI: Get off of about-to-be-removed Ubuntu 20.04
#960 #964 CI: Start uploading to Coverity Scan for static analysis
#972 CI: Stop loading DTD from the internet to address flaky CI
#971 CI: Adapt to breaking changes in Cppcheck
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 11 Mar 2025 16:36:17 +0000 (17:36 +0100)]
libloc: Update to version 0.9.18
- Update libloc from version 0.9.17 to 0.9.18
- Update of rootfile
- Update of patch to revert installing of perl files into perl vendor directory as source
file has changed enough.
- Changelog
0.9.18
* A new Lua module has been added as announced here:
https://www.ipfire.org/blog/ipfire-location-lua-bindings-for-fun-and-profit
* The algorithm to detect bogons and duplicates in the tree have massively been
improved and should be nearing their theoretical maximum in terms of
performance.
* A large number of stability and correctness fixes have been rolled out. These
mostly affect the code generating the database.
* We now have a small Jenkins pipeline which will check if the library still
builds for a couple of major Linux distributions and various architectures.
Python:
* AS and Country objects are now hashable and support rich comparison operations
Importer:
* Exporting the database is around 200x faster due to eliminating any excessive
joins. Instead a new temporary table will be created and a temporary index
will be used to apply various updates to the data from various sources inside
the database. That allows us to create the export iteratively instead of
having one large query that runs for forever. An export that formerly took
around 17-20 hrs(!) will now take only ~5 mins.
* A new source for human-friendly names for Autonomous Systems registered with
ARIN has been added
* Importing feeds from AWS and Spamhaus has been split off into separate
database tables. This will allow us to import them separately and prioritise
our own rewrites over them.
* The ARIN parser has been refactored based on csv.DictReader(), parsers for
the AWS and Spamhaus feeds have been rewritten, too
* Geofeeds are now fetched concurrently with a unified downloader
* Certain country codes will be entirely ignored. Currently this is YU for
former Yugoslavia and ZZ which is used to say “no country”
* Country codes can now be corrected on the fly. This is used to change UK to
GB as only the latter is the valid country code for the United Kingdom.
* Countries that are not on our list will not be imported any more.
* Networks larger than /4 for IPv6, and /10 for IPv4 won’t be imported any
more. This avoids that we propagate any issues in the global routing table
into the database.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 11 Mar 2025 15:28:31 +0000 (16:28 +0100)]
htop: Update to 3.4.0
For details see:
https://github.com/htop-dev/htop/blob/main/ChangeLog
"What's new in version 3.4.0
* More expressive version tag generated for development versions (htop --version, help screen)
* Improve Darwin support for ARM-based systems
* Fix static linking with libsystemd
* Various build fixes for DragonFlyBSD, Darwin, NetBSD, OpenBSD & Solaris
* Fix running task display (count)
* Fix sort order handling in tree mode
* Add warning when exiting with a signal (not saving .htoprc)
* Add Disk I/O and Network I/O meter for DragonFlyBSD
* Improve handling of invalid Unicode strings
* Disable basename checking for kernel tasks
* Updated documentation for pcp-htop
* Disable FOCUS_IN/FOCUS_OUT event handling
* Add GPU meter for Linux and PCP
* Add colum for GPU time per process on Linux and PCP
* Avoid glibc FILE API voodoo
* Ignore previously unhandled signals USR1 and USR2
* Force locating the config file to only use absolute paths
* Prefer reading htoprc from ~/.config/htop/htoprc over legacy ~/.htoprc
* Force writing the configuration to a regular file
* Use distinct config files for htop and pcp-htop
* Link libnl3 at runtime
* Gather permitted capabilities via capget(2)
* Avoid fetching certain process information for each thread on Linux (speed up)
* Improved handling for invalid data in /proc/tty/drivers on Linux
* Various changes to avoid memory allocations inside signal handlers
* Add single column header layout
* Fix DivByZero bug on startup on Darwin
* Include thread information on Darwin
* Show process state on Darwin
* Update compat check for C23 compilers
* Improved detail in help screen
* Unicode support for CGROUP, CCGROUP, CONTAINER and SECATTR columns
* Mark newline characters in the process command line display
* Resolve nested derived metrics for PCP
* Make supported modes/styles specific to each meter
* Refined checks for terminals supporting to redefine keys
* Fix handling of the NICE value on FreeBSD
* Fix display of CPU utilization on FreeBSD
* Honour update interval adjustments properly without restart
* Force rebuild of display table after item removals
* Reworked handling for various temperature sensors
* Fix high CPU load when the strace'd process exits prematurely
* Document --drop-capabilities to require a compile time support
* Always call PKG_PROG_PKG_CONFIG in configure
* Make configure warn when pkg.m4 is absent
* Rewrite curses/terminfo detection code in configure
* Keep following a process when resuming process updates (Z key)
* Normalize Disk I/O usage and allow utilization above 100%
* Plug several memory leaks and improve performance for information parsing
* Allow to show or hide cache and buffers in memory usage meter
* Visibility hint and UX improvements in status bar of display options panel
* Remove IOKit / IOMainPort / IOMMasterPort logic for Darwin builds
* Replace BCC with metrics from BPF for pcp-htop"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 6 Mar 2025 11:32:21 +0000 (12:32 +0100)]
en.pl: Update the wording for the check on the CA Name for upload
- This changes the wording to allowing characters and spaces.
Fixes: Bug10595 part 2 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / ms / ipfire-2.x.git / log
