Adolf Belka [Thu, 2 Oct 2025 11:10:15 +0000 (13:10 +0200)]
firewall.cgi: Fixes XSS potential
- Related to CVE-2025-50975
- Fixes PROT
- ruleremark was already escaped when firewall.cgi was initially merged back in Core
Update 77.
- SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as
ports or port ranges.
- std_net_tgt is a string defined in the code and not a variable
- The variable key ignores any input that is not a digit and subsequently uses the next
free rulenumber digit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 11:12:52 +0000 (13:12 +0200)]
proxy.cgi: Further fix for bug 13893
- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 17:22:53 +0000 (19:22 +0200)]
expat: Update to version 2.7.3
- Update from version 2.7.2 to 2.7.3
- Update of rootfile
- Changelog
2.7.3
Security fixes:
Fix alignment of internal allocations for some non-amd64
architectures (e.g. sparc32); fixes up on the fix to
CVE-2025-59375 from #1034 (of Expat 2.7.2 and related
backports)
Fix a class of false positives where input should have been
rejected with error XML_ERROR_ASYNC_ENTITY; regression from
CVE-2024-8176 fix pull request #973 (of Expat 2.7.0 and
related backports). Please check the added unit tests for
example documents.
Other changes:
Prove and regression-proof absence of integer overflow
from function expat_realloc
Remove "harmless" cast that truncated a size_t to unsigned
Autotools: Remove "ln -s" discovery
docs: Be consistent with use of floating point around
XML_SetAllocTrackerMaximumAmplification
docs: Make it explicit that XML_GetCurrentColumnNumber starts at 0
docs: Better integrate the effect of the activation thresholds
docs: Fix an in-comment typo in expat.h
docs: Fix a typo in README.md
docs: Improve change log of release 2.7.2
xmlwf: Resolve use of functions XML_GetErrorLineNumber
and XML_GetErrorColumnNumber
Windows: Normalize .bat files to CRLF line endings
Version info bumped from 12:0:11 (libexpat*.so.1.11.0)
to 12:1:11 (libexpat*.so.1.11.1); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Cleanup UndefinedBehaviorSanitizer fatality
CI|Linux: Stop aborting at first job failure
CI|FreeBSD: Upgrade to FreeBSD 15.0
CI|FreeBSD: Do not install CMake meta-package
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:40 +0000 (13:09 +0200)]
nfs: Update to version 2.8.4
- Update from version 2.8.3 to 2.8.4
- Update of rootfile not required
- Changelog is just a list of the commits. The details can be found in the changelog at
https://sourceforge.net/projects/nfs/files/nfs-utils/2.8.4/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:39 +0000 (13:09 +0200)]
lzip: Update to version 1.25
- Update from version 1.24.1 to 1.25
- Update of rootfile not required
- Changelog
1.25
lzip now exits with error status 2 if any empty member is found in a
multimember file.
lzip now exits with error status 2 if the first byte of the LZMA stream is
not 0.
Options '--empty-error' and '--marking-error' have been removed.
The chapter 'Syntax of command-line arguments' has been added to the manual.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:38 +0000 (13:09 +0200)]
libvirt: Update to version 11.7.0
- Update from version 11.4.0 to 11.7.0
- Update of rootfile
- Changelog
11.7.0
New features
* Allow setting the log level of Cloud Hypervisor
Users can now configure the verbosity of Cloud Hypervisor by setting
the "log_level" option in ch.conf
* bhyve: experimental NAT networking support
The bhyve driver now has experimental NAT networking support
using the Packet Filter (pf) firewall.
* bhyve: domain statistics reporting
The bhyve driver now supports querying domain block, interface,
and memory statistics. Not all statistics fields are supported though.
Improvements
* bhyve: improve 'efi' configuration autofill
When a domain is configured with ``<os firmware='efi'/>``, NVRAM
configuration is now autofilled.
11.6.0
New features
* Introduce VIR_CONNECT_BASELINE_CPU_IGNORE_HOST flag
This new flag for virConnectBaselineHypervisorCPU can be used for computing
a baseline CPU on any host. Without the VIR_CONNECT_BASELINE_CPU_IGNORE_HOST
flag the baseline API would return reasonable output only when run on one of
the hosts that the input CPU definitions were collected from.
* Allow control over QEMU TLS priority strings
The qemu.conf file now has multiple settings allowing control over the
QEMU TLS priority strings, for the different subsystems in QEMU that
can support TLS. This can be used to workaround a current bug in GNUTLS
that is liable to cause crashes of the source QEMU when performing long
running live migration operations with TLS enabled.
* Add support for disabling deprecated CPU model features by default for s390
domains. Starting an s390 domain with host-model will now default to
setting the ``deprecated_features`` attribute to ``off``, ensuring the
domain starts with a migration-compatible CPU model to newer systems. This
behavior can be modified by setting the ``default_cpu_deprecated_features``
option in the qemu.conf file.
* bhyve: Add TCP console support
TCP serial devices can now be configured with ``<serial type='tcp'>``::
<serial type='tcp'>
<source mode='bind' host='127.0.0.1' service='12345'/>
<target type='serial' port='0'/>
</serial>
Additionally, number of supported consoles increased to 4.
* qemu: Add support for RBD namespaces
Allow specifying the 'namespace' within a RBD image pool.
Improvements
* qemu: Change default SCSI controller model to ``virtio-scsi`` for ARM and
RISC-V The previous default of ``lsilogic`` is unsupported by modern
operating systems. ``virtio-scsi`` is a more suitable default for ARM and
RISC-V ``virt`` machine types.
* Clarify documentation of virConnectBaselineHypervisorCPU
The documentation makes it clear virConnectBaselineHypervisorCPU is
supposed to be called on one of the hosts represented in the input CPU
definitions. Otherwise the API will give unexpected results.
* Allow specifying zero discard granularity for block devices
This can be used to tell some guest operating systems (notably Windows) to
not trim the disk.
* bhyve: Add timeout handling for bhyveload
It is now possible to run ``bhyveload`` with the ``timeout`` tool, which
can send ``SIGTERM`` and ``SIGKILL`` signals when timeout is reached.
Timeout values are set using the ``bhyveload_timeout`` and
``bhyveload_timeout_kill`` configuration options in ``bhyve.conf``.
* nss: Improve debugging
Debugging messages from NSS modules can be now enabled by setting the
``LIBVIRT_NSS_DEBUG`` environment variable. So far, there is no special
meaning to its value.
* rpc: Removed requirement for TLS certificates to support 'key encipherment'
With TLS 1.3, key encipherment is not required even for RSA keys. Other key
types didn't even support it so they were wrongly refused even in cases when
they would work with libvirt. The TLS certificate validation now no longer
requires 'key encipherment' to be enabled.
Bug fixes
* bhyve: Fix resetting of the autostart flag of the domain on destroy.
* The nwfilter driver no longer recreates the base iptable/ip6tables chains
The nwfilter driver had a impl mistake causing it to recreate the
base chains for iptables/ip6tables every time a VM was started.
This allowed a small window where traffic might not be fully
filtered. It now handles iptables/ip6tables the same way as
ebtables, creating the base chains only if they did not already
exist.
* Fix systemd unit ordering for auto-shutdown of domains via the daemon
The ordering of systemd units created by libvirt for individual machines
needed to be adapted when the shutdown of VMs on host shutdown is done
via the virt daemon itself (rather than ``libvirt-guests.service``) to
ensure that the VMs are not terminated before the virt daemon can deal with
them.
11.5.0
Removed features
* qemu: Don't accept VIR_DUMP_LIVE flag in virDomainCoreDumpWithFormat()
Unfortunately, QEMU always pauses vCPUs when doing a core dump. Therefore,
there is no way for Libvirt to honor VIR_DUMP_LIVE flag semantics. Instead
of silently pretending the flag works, an appropriate error is now
reported.
New features
* vmx: Add support for reporting NVMe disks in the domain XML
* qemu: Add support for NVMe disks
NVMe disks can now be emulated by using an ``nvme`` bus, but require a
serial due to the hypervisor::
<target dev='nvme0n1' bus='nvme'/>
<serial>qwertyuiop</serial>
Multiple disks can be represented as different namespaces on the same
controller, but they cannot have a different serial number due to the fact
that it is the controller which ultimately has the serial number attached to
it, but for ease of use it is automatically copied from the disk serial.
* esx: Add support for specifying alternative CA bundle for remote peer
verification. Users can now use ``cacert`` parameter in the URI to specify
a file path with CA certificate(s) that will be used for remote peer
certificate validation.
* qemu: add support for AMD IOMMU device
The ``amd`` model for the ``<iommu>`` device is now supported.
New attributes ``passtrhough`` and ``xtsup`` are also supported for this
model.
Improvements
* Include supported console types in domain capabilities
Domain capabilities now include information about supported console types,
such as::
<console supported='yes'>
<enum name='type'>
<value>pty</value>
<value>tcp</value>
</enum>
</console>
* virsh: Add waiting for domain state via ``virsh await``
The new helper command ``virsh await`` simplifies waiting on domain state
which is normally announced via events. Currently two waiting conditions are
implemented: ``domain-inactive``, and ``guest-agent-available``.
Bug fixes
* qemu: Be more forgiving when acquiring QUERY job when formatting domain XML
Since ``libvirt-11.0.0`` the ``virDomainGetXMLDesc()`` API used to format
domain XML acquires QUERY job. But this caused a regression when the API
might timeout for incoming migration. This is now fixed.
* qemu: Fix shared filesystem detection on nonexistent paths
Since ``libvirt-11.1.0`` nonexistent paths within directories marked as
shared filesystem (via the ``shared_filesystems`` option in ``qemu.conf``
would not be properly detected as being on a shared filesystem.
* qemu: Properly emulate USB cdrom device
CD-ROM devices on USB bus are now properly emulated as such which was not
the case since libvirt switched to the modern qemu commandline syntax for
storage backends.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:37 +0000 (13:09 +0200)]
less: Update to version 679
- Update from version 678 to 679
- Update of rootfile not required
- Changelog
679
Fix bad parsing of lesskey file an env var is a prefix of another env var
(github #626).
Fix unexpected exit using -K if a key press is received while reading the
input file (github #628).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:36 +0000 (13:09 +0200)]
expat: Update to version 2.7.2
- Update from version 2.7.1 to 2.7.2
- Update of rootfile
- CVE fix
- Changelog
2.7.2
Security fixes:
CVE-2025-59375 -- Disallow use of disproportional amounts of
dynamic memory from within an Expat parser (e.g. previously
a ~250 KiB sized document was able to cause allocation of
~800 MiB from the heap, i.e. an "amplification" of factor
~3,300); once a threshold (that defaults to 64 MiB) is
reached, a maximum amplification factor (that defaults to
100.0) is enforced, and violating documents are rejected
with an out-of-memory error.
There are two new API functions to fine-tune this new
behavior:
- XML_SetAllocTrackerActivationThreshold
- XML_SetAllocTrackerMaximumAmplification .
If you ever need to increase these defaults for non-attack
XML payload, please file a bug report with libexpat.
There is also a new environment variable
EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity
of allocations debugging at runtime, disabled by default.
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
(Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
Distributors intending to backport (or cherry-pick) the
fix need to copy 99% of the related pull request, not just
the "lib: Implement tracking of dynamic memory allocations"
commit, to not end up with a state that literally does both
too much and too little at the same time. Appending ".diff"
to the pull request URL could be of help.
Other changes:
Autotools: Sync CMake templates with CMake 3.31 for macOS
CMake: Drop support for CMake <3.15
CMake: Fix off_t detection for -Werror
CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON
Windows: Drop support for Visual Studio <=16.0/2019
xmlwf: Mention supported environment variables in
--help output
xmlwf: Fix (internal) help generator
docs: Promote the contract to call function
XML_FreeContentModel when registering a custom
element declaration handler (via a call to function
XML_SetElementDeclHandler)
docs: Add missing <p>..</p> wrap
docs: Drop AppVeyor badge
tests: Fix portable_strndup
Drop casts around malloc/free/realloc that C99 does not need
Replace empty for-loops with while loops
Add const with internal XmlInitUnknownEncodingNS
Drop an OpenVMS support leftover
Address more clang-tidy warnings
Version info bumped from 11:2:10 (libexpat*.so.1.10.2)
to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Cover compilation on FreeBSD
CI: Upgrade Clang from 19 to 21
CI: Make calling Cppcheck without --suppress=objectIndex
and --suppress=unknownMacro possible
CI|Windows: Get off of deprecated image "windows-2019"
CI: Adapt to breaking changes in GitHub Actions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 17 Sep 2025 11:09:35 +0000 (13:09 +0200)]
ed: Update to version 1.22.2
- Update from version 1.20.2 to 1.22.2
- Update of rootfile not required
- Changelog
1.22.2
* Newline characters are no longer allowed in file names even when
'--unsafe-names' is specified.
* The file name is now printed escaped also when replaced into a shell command.
1.22.1
* Ed now departs from POSIX and ignores SIGPIPE to prevent commands like 'w !:'
or ',!:' from terminating ed. A broken pipe is now detected as any other
write error. (Reported by Sergei Trofimovich).
1.22
* An ex(1) style filter has been implemented; the shell escape command (!) now
accepts line addresses to filter the addressed lines through a shell command.
(Suggested by Shawn Wagner, Andrew L. Moore, and John Cowan).
1.21.1
* Fixed a compilation failure caused by the inclusion of the unused and
obsolete header <sys/file.h>. (Reported by Michael Mikonos).
* Ed now reads the initial window size for the z command from the environment
variable LINES. (Suggested by Artyom Bologov).
1.21
* 'r !command' and 'w !command' ignore again the exit status of 'command'. Bug
introduced in version 1.6. (Reported by Andrew L. Moore).
* Include 'stdbool.h' instead of defining 'bool' to fix compilation in C23.
(Reported by Alexander Jones).
* The messages "Newline inserted" and "Newline appended" are now suppressed in
scripted mode (-s). (Reported by Artyom Bologov).
* The chapter 'Syntax of command-line arguments' has been added to the manual.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Security #7881: detect/tls: keyword tls.subjectaltname leads to NULL Deref if tls.subjectaltname
contains zero(HIGH - CVE 2025-59150)
Security #7861: detect: Dynamic-stack-buffer-overflow in ShortenString(HIGH - CVE 2025-59149)
Security #7838: detect/entropy: segfault when not anchored to a sticky buffer(HIGH - CVE 2025-59148)
Security #7657: tcp: syn resend with different seq leads to detection bypasss(HIGH - CVE 2025-59147)
Bug #7891: unix-socket: memory leak when client disconnects during rule reload
Bug #7877: rust: build with RUSTC and CARGO variables fails
Bug #7865: detect/integers: u8 prefilter does not support all modes
Bug #7859: doc/userguide: build failure with read the docs theme
Bug #7843: http: dissection anomaly on `Content-Encoding: identity`
Bug #7836: util-byte: bad usage of StringParse function return codes
Bug #7828: util/hash: unexpected remove behavior
Bug #7827: app-layer: ippair.memcap counter shows memuse
Bug #7824: hyperscan: caching results in segfault with link time optimization (-flto=auto, etc)
Bug #7822: engine-analysis: SEGV on rule failure without rules-fast-pattern enabled
Bug #7821: engine-analysis: no report for failed rules without fast pattern
Bug #7820: app-layer/snmp: internal error if app-layer is disabled
Bug #7815: unix-socket: segfault in "pcap-file-list" command
Bug #7813: cppcheck: warnings in counters.c
Bug #7804: util-lua-sandbox.c undeclared identifier error for Suricata 8.0.0
Bug #7803: http: use transactions right get function
Bug #7802: detect/dsize: uninitialized value from SigParseRequiredContentSize
Bug #7741: http2: events can contain an empty response object
Bug #7740: doh2: events are always dns even if there is no DNS info (pure HTTP2 settings)
Bug #7651: decoder/pppoe: valid packets are getting dropped as decoder.ppp.unsup_proto
Bug #7636: tcp: assertion triggered in StreamTcpReassembleAppLayer
Bug #7611: eve: segv in stats.totals output
Bug #5689: eve: community id computed wrong for tcp and ipv4 when src_ip == dest_ip
Bug #4702: tcp: SYN/ACK dropped when client does not support timestamps
Bug #4178: alert-debug: DNS Query triggers alert but no output in alert-debug.log
Bug #3844: tcp: possible bypass with TCP ssn reuse
Optimization #7769: detect/file: remove redundant de_ctx->rule_file != NULL check
Feature #7869: detect/integers: support units like kib
Task #7857: schema/arp: fix invalid pkt event output
Task #7834: detect: remove unused non-pf stats counters
Documentation #7890: detect: tls.cert_subject incorrectly claims to support multi-buffer
Documentation #7867: detect/multi-buffers: complete list in userguide page on multi-buffer-matching
Documentation #7854: doc/lualib: fix flow timestamps() return value order
Documentation #7795: eve/schema: document stats.detect counters
Documentation #7794: eve/schema: document stats.flow counters
Documentation #7728: lua: fix all Lua documentation examples for new library format
Documentation #7648: rtd: set "latest" to last stable release starting with 8.0.0
Documentation #7639: dpdk: update Connect-X4 recommended fallback tx-descriptor count
Documentation #7631: userguide: document lua lib suricata.dnp3
Documentation #7190: detect/integers: document usage of units
Documentation #7081: userguide: add unix socket option to retrieve flow info
Documentation #6840: devguide/app-layer: section with conceptualized steps for adding parser
Documentation #6284: userguide: document what's the impact of `stream.inline`
Documentation #6270: userguide: document usage of Suricata as a firewall
Documentation #5690: userguide: document the differences between IPS and IDS mode
Documentation #5513: userguide: add a chapter for IPS mode
Documentation #5139: userguide: add a section for netflow event type
Documentation #5078: doc/userguide: improve rule reload documentation
Documentation #4351: doc: explain the engine logic to trigger inspection of TCP data"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:40:54 +0000 (19:40 +0200)]
nut: Update to version 2.8.4
- Update from version 2.8.3 to 2.8.4
- Update of rootfile
- sobump requires shipping of collectd
- Changelog
2.8.4
- Bug fixes for fallout possible due to "fightwarn" effort in 2.8.0+:
* In `usbhid-ups` sources, introduced optional `HU_FLAG_PARAM_REQUIRED` for
`setvar()` or `instcmd()` handling (and a `HU_TYPE_CMD_PARAM_REQUIRED`
shortcut) for setting in the mapping table flags, to specify variables
or instant commands that require an argument (either from caller or a
non-`NULL` default in the run-time table after device data discovery);
if the flag is not set, a zero value is assumed. Incomplete code was a
regression of NUT v2.8.3 causing some instant commands to fail. [#2860,
#2955]
- Fix fallout of development in NUT v2.8.0 and/or v2.8.1 and/or v2.8.2 and/or
v2.8.3:
* Fixed a regression in recipes of NUT v2.8.3 release (as compared to
v2.8.2), where `configure --with-docs=all` no longer failed a run
of the `configure` script when some of the required rendering tools
were not in fact available. [#2842, fixed by #2921]
* Some recipe improvements in earlier releases led to `make check` always
running a spelling check (if tools are available), even if the explicit
`configure --disable-spellcheck` option was used. Now it would not run
if disabled (e.g. to speed up CI builds in scenarios that focus on other
aspects of the code base), although developers can still use the explicit
`make spellcheck*` goals, when tools are in fact available. [#2973]
* A change in `Makefile.am` recipes to evaluate some driver names in the
`DRIVERLIST` variables inspected by `configure` script, rather than
having all their names hard-coded like before, led to inability to
`configure --with-drivers=dummy-ups`. [#2825, #2927, fixed by PR #2929]
* A problem noted with `upsdrvquery` (since NUT v2.8.1) message logging
at high debug verbosity levels (5+) with very large blocks of content
has exposed a deficiency in variable-argument handling, and specifically
adaptive resizing of the output buffer or truncation of logged inputs
(which is something NUT code tried to do since the beginning of time),
and could lead to "segmentation fault" crashes on some platforms.
[issue #2948, PR #2963]
* Documentation build recipes overly zealously pre-processed source files,
which was not applicable for each and every document type we have (e.g.
binary images for illustrations); this caused grief with some toolkits.
[issue #2989]
- common code:
* Revised common `writepid()` to use `altpidpath()` as location for the
PID file creation, if the default `rootpidpath()` is not accessible
(e.g. daemon was not initially started as `root`). Likewise updated
short PID file based signal sending to consult both locations. [#1717]
* Linux may report a `/proc/X/exe` symlink with an embedded "(deleted)"
suffix, if the binary was removed (or replaced) since the running process
started. This confused our code which verifies that when it is sending a
signal to a PID, that PID does reflect the expected NUT program. [#3021]
* Refactored NUT "common" sources to reference `nut_version.h` macros from
a smaller C source file, to minimize the compilation unit size impacted
by development iterations. [issue #2097]
* Common code hardening: added sanity-checking for dynamically constructed
or selected formatting strings with variable-argument list methods
(typically used with log printing, `dstate` setting, etc.) [#2450, #3016]
- Warn if `%n` formatting string is used -- it is deprecated in some
newer distros due to security concerns.
* Refactored repetitive implementations of `inet_ntopSS()` (nee
`inet_ntopW()` in `upsd.c`) and `inet_ntopAI()` methods into `common.c`,
so now they can be re-used or expanded more easily. [#2916]
- `upsd` updates:
* Fixed two bugs about printing the "further (ignored) addresses resolved
for this name": the way to extract IP address string was not portable
and misfired on some platforms, and the way to print had a theoretical
potential for buffer overflow. [#2915]
* Print arguments of a processed command into the debug log, to help track
down what unsupported queries are about, etc. (but only endeavor to spend
time, RAM and CPU on this if debug verbosity is high enough). Hide the
sensitive commands' parameters unless verbosity is unusually high. [#3023]
- `upsdrvquery` API updates [#2969]:
* Added `upsdrvquery_oneshot_conn()` for issuing one-shot queries using an
existing `udq_pipe_conn_t *` connection. The caller manages the
connection's lifecycle, and the function includes a best-effort call to
restore broadcast mode after the query to return the connection as it was.
* Added `upsdrvquery_oneshot_sockfn()` for initiating one-shot queries using
a socket filename. Shares internal logic with the existing
`upsdrvquery_oneshot()`, which uses a UPS and driver name, respectively.
* Introduced `upsdrvquery_restore_broadcast()` to explicitly restore
broadcast mode (`BROADCAST 1`) on a connection, helping return it to a
consistent and talkative state.
* Revised connection ownership handling: internal functions like
`upsdrvquery_prepare()` and `upsdrvquery_request()` no longer close
connections they do not own. Responsibility for cleanup is now delegated to
the caller to avoid unintended side effects and better align with expected
usage patterns.
- common driver code:
* Update reports of failed socket file creation, to help troubleshooting
some error cases in the field. [#2959]
* Removed workarounds trying to migrate legacy driver raised `ALARM`
status tokens into modern `alarm_*` function logic. Rather, we keep
supporting them as separate from the modern logic, seeing as `upsmon`
does not care where the token itself was raised for its notifications.
Driver-code related test-cases were updated to reflect these changes.
[issue #2928, PRs #2931 and #2934]
* Introduced some macros in `drivers/upshandler.h` for common syslog level
definitions and message wording for beginning and failing `instcmd()` or
`setvar()` operations consistently in different drivers. As a related
change, operations that intend to turn off or restart the load, or can
do that by side effect (e.g. calibration if batteries are old or dead),
would explicitly `upslogx(LOG_CRIT,...)` by default before commencing.
[#2957]
* Fixed a couple of ancient memory leaks: one "shared" during driver
program initialization, and one specific to `dummy-ups` wind-down. [#2972]
* Added a `suggest_NDE_conflict()` method so drivers which lack access
to the expected device can consistently suggest that this may be because
of running both an NDE-wrapped service unit and a manually launched
driver program at the same time. Currently added to `libusb{0,1}.c`
code, but may later be expanded to e.g. serial drivers and other media,
when their behavior in such situations gets identified. [follow-up to
issue #477, PR #3041]
- `apc_modbus` driver updates:
* The time stamp and inter-frame delay accounting was fixed, alleviating
one of the problems reported in issue #2609. [PR #2982]
* Fix missing variables due to mismatching format string. [PR #3013]
- `bcmxcp` driver updates:
* The latching on to a previous replace battery status was fixed, with its
alarm state variable now correctly being reset; previously a factually
replaced battery did not clear the alarm and the whole driver needed to
be restarted. [issue #2999, PR #3002]
- `clone`, `clone-outlet`, `nhs_ser` driver and `nutdrv_qx_ablerex`
subdriver updates:
* Refactored to follow modern handling of status and alarm conditions,
aligning with current driver design practices. This includes fixing
copy-paste related issues in alarm reporting and removing some alarm
messages that should instead be reflected as status flags. [#2936]
- `dummy-ups` driver updates:
* A new instruction `ALARM` was added for the `Dummy Mode` operation
of the driver, enabling simulation of UPS alarm states more closely
in line with modern, real-world UPS driver implementations. This
follows the updated principle of keeping alarm states decoupled from
the `ups.status` variable, with alarms now raised via common alarm
functions rather than direct manipulation. [issue #2928, PR #2936]
- `nutdrv_qx` driver updates:
* Added support for "preprocess"/"process" methods called from mapping tables
to report back to the driver that an argument value was not supported,
so `setvar()` or `instcmd()` can not proceed safely and should return
`STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017]
* Introduced `innovart33` protocol support for Ippon Innova RT 3/3 topology
UPSes. [#2938]
* Updated `megatec` protocol for more detailed responses to `I` query
which may return `ups.serial` (after a shorter `device.mfr`) and the
`battery.runtime` (after a shorter `device.model`). Note that the
expected response is shorter than in other dialects (38 vs. 39 bytes),
so if this change breaks anything for your UPS that reported the values
above correctly (e.g. the `ups.firmware` version becomes shorter or
none of these are reported), please let NUT developers know. [#2980]
* Revised `voltronic` protocol to suppress alarm "UPS is in ECO Mode",
using "buzzword mode" settings more correctly than in the previous
iteration, shipped in NUT v2.8.3 release (as PR #2750 for issue #2708).
[issue #2494]
* Introduced a `voltronic-axpert` subdriver for Voltronic Axpert inverters
which speak the P30 protocol, currently in a highly experimental state:
with initial support for query commands, but most values are "hidden"
from default NUT builds by being defined in `experimental.*` namespace,
and should also be enabled by `configure --with-unmapped-data-points`.
Development was based on work done in the Voltronic Sunny subdriver in
https://github.com/nickma82/nut/tree/nutdrv_qx_voltronic-sunny_rebased%2Bcommand
[#1407]
- `phoenixcontact_modbus` driver updates:
* Added more settings that can be tuned -- support for shutdown variables,
UPS mode selector, PC reset delay after main power recovers, and
automatic switch to battery mode (and back) if main power is below
or above a defined threshold (see the new "Configurable Values" section
in the man page). They can be configured via `default.*` values in
`ups.conf`. [#2986]
- `pijuice` driver updates:
* Converted to NUT standard use of `status_set()` with single-token values.
[issue #2708]
- `snmp-ups` driver updates:
* Added support for "fun"/"nuf" methods called from mapping tables to
report back to the driver that an argument value was not supported,
so `setvar()` or `instcmd()` can not proceed safely and should return
`STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017]
* Fixed `ups.test.date` to be semi-static in `apc-mib` mapping, so it
would be queried more than once per driver up-time. [issue #3011]
* Fixed debug-logging around `SU_FLAG_STATIC` entries to clarify when
they get skipped. [issue #3011]
- `usbhid-ups` driver updates:
* Added support for "fun"/"nuf" methods called from mapping tables to
report back to the driver that an argument value was not supported,
so `setvar()` or `instcmd()` can not proceed safely and should return
`STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017]
* `hid_ups_walk(HU_WALKMODE_INIT)`: report if exactly one of "fun" or "nuf"
dynamic value mapping methods is defined in a one-line table, and this
may preclude reads/writes of that variable. [#2956]
* The `cps-hid` subdriver's existing mechanism for fixing broken report
descriptors was extended to cover a newly reported case of nominal UPS
power being incorrectly reported due to an unrealistically low maximum
threshold, as seen with a EC850LCD device. [issue #2917, PR #2919]
* Further revision of "ECO mode" related code in `mge-hid` subdriver,
following up from work started for NUT v2.8.3 release. [PR #2956]
* Added APC BVKxxxM2 and BKxxxM2-CH to list of devices where
`lbrb_log_delay_sec=N` may be necessary to address spurious LOWBATT
and REPLACEBATT events. [PR #2942, PR #3007, issue #2347, issue #3006]
- New NUT drivers:
* Introduced a `ve-direct` driver for Victron Energy UPS/solar panels
monitoring. Most specific reported values are in an `experimental.*`
namespace, as a community we need to come up with standard naming for
those via `docs/nut-names.txt`. [#440]
* Introduced a `nutdrv_hashx` driver for numerous devices from Ablerex,
Atlantis Land, Epyc, Infosec, ION, PowerWalker, Right Power Technology,
Salicru, UPS Solutions and other vendors (originally shipped with a
"PowerMaster+", "PowerMaster" or "PowerGuide" software companion suite).
This seems to be a protocol developed by Cyber Energy for serial-port
devices, subsequently used by different vendors in their own products
or re-branded Cyber Energy creations. [#2940]
* Introduced a `failover` driver for monitoring multiple UPS driver sockets
and seamless switching out of UPS data in a failover situation, includes
support for end-to-end tracked instant commands and also variable updating.
[#2962]
* Introduced USB (`powervar_cx_usb`) and Serial (`powervar_cx_ser`) drivers
for Powervar CUSPP protocol, tested with GTS (USB) and UPM (USB, Serial)
models. [#2988]
- The `nut-driver-enumerator.sh` script (NDE) updates:
* Now NDE internally tracks dependency of one driver on another one that
should be locally running to serve the "original" data points (`clone`,
`clone-outlet`, `dummy-ups`, `failover`). It should create "soft"
dependencies between respective service instances to order their
start-up sequence. [#2962]
* Fixed NDE to not consider "masked" systemd units as non-existent or
as syntactically failed instantiated unit names. [#3033]
- NUT Monitor GUI:
* Ported Python 3 version to Qt6, now shipped alongside Qt5 for systems
with either or both, maximizing compatibility with old and new setups.
[#2946]
- `upsmon` client:
* Clearer debug logging of `SHUTDOWNCMD` and `NOTIFYCMD` that would be used
(or warnings that none was set); flush output buffers after these messages
and after each main loop cycle, so any emitted text is seen in a timely
manner. [issue #3003, PR #3008]
- The `nutshutdown` script (end-game integration for UPS power-off in case
of FSD initiated by `upsmon`) was updated to consider `MODE=none` set in
`nut.conf` and bail out quietly. [issue #2935, PR #3008]
- Manual page recipes and contents:
* Introduced handling (possibly rewriting) for man page section "Overviews,
conventions, and miscellaneous" (commonly number 7), to deliver support
for `man nut` queries (NUT overview manual page also created). [#2945]
* A new `configure --with-docs-man-dir-as-base` option was introduced so
that directories for man page sections can now be automatically named
as either "base" number of the section (e.g. `man1`) or by full section
name (`man1m`), as different OS distributions have different preferences
in this regard. [#2950]
* Option to `configure --enable-docs-man-for-progs-built-only` was added,
to differentiate NUT builds that deliver man pages for only built programs
(legacy default) or for all of them (as needed for docs sites). [#2976]
* Option to `configure --enable-docs-changelog` was added, specifically
to allow developer iterations to not waste CPU time rebuilding the huge
`ChangeLog*` files whenever their Git index changes. [#3019]
* Options to `configure --with-docs-changelog-start` and/or
`configure --with-docs-changelog-end` were added to allow developers
to customize the size of `ChangeLog*` files when they are generated.
Default starting value is `auto` which applies the legacy default
`v2.6.0` to release/pre-release builds, or when local Git version info
could not be retrieved, and the most-recent release tag (or `master`
as fallback) for usual build iterations. Default ending value is `HEAD`
for the current git commit at the moment the ChangeLog is (re-)generated.
Balancing against the option to not build `ChangeLog*` files at all,
this couple allows quicker builds that exercise all relevant recipe
code paths. [#3019]
- Extended the `gitlog2changelog.py` helper script to report start/end commits
actually used, and to allow callers to tweak them better (not only `HEAD`
for the end of range); this may be of interest to other projects which use
this script. Allow `configure` to disable generation of either certain
`ChangeLog*` rendering formats or completely, to speed up developer
iterations (much time is wasted when dev-testing new code, due to git
index changes if NUT was configured to build with documentation). [#3019]
- The `BUILD_TYPE=default-all-errors ci_build.sh` script handling was
revised to simplify code, and to default in CI builds to a quicker
mode which randomly mixes the selected SSL, USB and UNMAPPED variants
(and relies on the dozens of NUT CI farm runs per iteration to likely
cover all possible combinations), which should roughly halve the CI
build times. Default activity for developer builds should remain as
it was -- to try each such "axis" sequentially. [#2973]
- Revised generation of links to external manual pages in HTML rendering
of NUT manual pages (previous recipe iterations left DocBook XML `ulink`
tag "as is", which was not understood by web browsers).
[follow-up to PR #2797]
- Made the distro-dependent URL template for man pages configurable.
[follow-up to PR #2797]
- Revised `make install-as-root` to fall back to legacy ways of enabling
services, if `systemctl preset-all` fails (assumed due to a systemd 252
bug). [#3022]
- Added a `make check-parallel-builds` recipe to help troubleshoot recipes
in sub-directories, and improved build-ability of existing NUT sources
starting from scratch there. This is a workflow useful for NUT development
(e.g. to focus only on drivers, or tests, or nut-scanner) but not so much
for end-user packaging where everything builds from the root directory.
[PR #3030, follows up from PR #2825, highlights why issue #2584 better
be solved]
- Revised `appveyor.yml` to run CI builds faster (forfeit MSYS2 ecosystem
updates and some other steps) and more likely fit in one-hour allocation.
Also have it install `mingw-w64-x86_64-python-pyqt6` so the `NUT-Monitor`
application can get packaged (would need a capable Python run-time though).
[#3046]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:29 +0000 (19:46 +0200)]
lvm2: Update to version 2.03.35
- Update from version 2.03.33 to 2.03.35
- Update of rootfile
- Changelog
2.03.35
Fix unlocking devices file only after all PVs are processed.
Avoid creating system.devices when deleting entries.
Fix existing issues with persistent reservations.
Fix possible report output format inconsistencies while processing PVs.
Allow report options for pv/vg/lvdisplay only if used with -C|--columns.
Fix vgsplit failing to split a VG with RAID+integrity or cache with cachevol.
Fix --lockopt handling in lvmlockd when --nolocking is used.
Optimize dmeventd when remonitoring active devices.
2.03.34
Support dmeventd restart when there are no monitored devices.
Dmeventd no longer calls 'action commands' on removed devices.
Fix reader of VDO metadata on 32bit architecture.
Fix lvmdevices --deldev/--delpvid to error out if devices file not writeable.
Fix lvresize corruption in LV->crypt->FS stack if near crypt min size limit.
Enhanced lvresize -r support for btrfs.
Use glibc standard functions htoX, Xtoh functions for endian conversion.
Fix structure copying within sanlock's release_rename().
Fix autoactivation on top of loop dev PVs to trigger once for change uevents.
Add lvmlockd --lockopt repair to reinitialize corrupted sanlock leases.
Fix support for lvcreate -T --setautoactivation.
Add lvm.conf global/lvresize_fs_helper_executable.
Enable lvm to use persistent reservations on a VG.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:28 +0000 (19:46 +0200)]
libxml2: Update to version 2.14.6
- Update from version 2.14.4 to 2.14.6
- Update of rootfile
- 5 CVE fixes in version 2.14.5
- Changelog
2.14.6
Regressions
valid: Don't add ids when validating entity content
Fix initGenericErrorDefaultFunc(NULL) (Samuel Thibault)
valid: Undeprecate xmlAdd*Decl
globals: Include HTMLparser.h, fixing Windows build
io: Fix reading from pipes like stdin on Windows
Security
regexp: Avoid integer overflow and OOB array access
tree: Guard against atype corruption
Improvements
parser: Fix xmlSaturatedAddSizeT argument type
2.14.5
Regressions
valid: Don't add ids when validating entity content
io: Fix reading from pipes like stdin on Windows
parser: Fix handling of invalid char refs in recovery mode
Security
regexp: Avoid integer overflow and OOB array access
tree: Guard against atype corruption
[CVE-2025-49794] [CVE-2025-49796] schematron: Fix xmlSchematronReportOutput
[CVE-2025-49795] schematron: Fix null pointer dereference leading to DoS
(Michael Mann)
[CVE-2025-6170] Fix potential buffer overflows of interactive shell
(Michael Mann)
[CVE-2025-6021] tree: Fix integer overflow in xmlBuildQName
Bug fixes
save: Fix serialization of attribute defaults containing <
Improvements
parser: Fix xmlSaturatedAddSizeT argument type
Build systems and portability
meson: Add libxml2 part of include dir to pc file (Heiko Becker)
cmake: Fix installation directories in libxml2-config.cmake
io: Fix linkage of __xml*BufferCreateFilename functions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:27 +0000 (19:46 +0200)]
libssh: Update to version 0.11.3
- Update from version 0.11.2 to 0.11.3
- Update of rootfile
- Changelog
0.11.3
* Security:
* CVE-2025-8114: Fix NULL pointer dereference after allocation failure
* CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated
wrong KEX
* Potential UAF when send() fails during key exchange
* Fix possible timeout during KEX if client sends authentication too early (#311)
* Cleanup OpenSSL PKCS#11 provider when loaded
* Zeroize buffers containing private key blobs during export
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:26 +0000 (19:46 +0200)]
libffi: Update to version 3.5.2
- Update from version 3.5.1 to 3.5.2
- Update of rootfile not required
- Changelog
3.5.2
fix: enable FFI_MMAP_EXEC_WRIT for DragonFly BSD by @liweitianux in #930
Emscripten: Add wasm64 target by @ktock in #927
fix: Ensure trampoline file descriptors are closed on exec.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:25 +0000 (19:46 +0200)]
haproxy: Update to version 3.2.4
- Update from version 3.2.2 to 3.2.4
- Update of rootfile not required
- Changelog
3.2.4
- DOC: deviceatlas build clarifications
- BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no
ECDSA ciphers
- BUG/MEDIUM: acme: use POST-as-GET instead of GET for resources
- MINOR: acme: remove acme_req_auth() and use acme_post_as_get() instead
- BUG/MINOR: acme: allow "processing" in challenge requests
- CLEANUP: acme: fix wrong spelling of "resources"
- MINOR: acme: add ACME to the haproxy -vv feature list
- MINOR: acme: implement traces
- BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet
- BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket
- BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket
- BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally
established
- BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options
- BUG/MINOR: hlua: take default-path into account with lua-load-per-thread
- BUG/MEDIUM: mux-quic: ensure Early-data header is set
- CLEANUP: ssl: Rename ssl_trace-t.h to ssl_trace.h
- BUILD: acme: avoid declaring TRACE_SOURCE in acme-t.h
- BUG/MEDIUM: hlua_fcn: ensure systematic watcher cleanup for server list
iterator
- MINOR: acme: emit a log for DNS-01 challenge response
- MINOR: acme: emit the DNS-01 challenge details on the dpapi sink
- MEDIUM: acme: allow to wait and restart the task for DNS-01
- MINOR: acme: update the log for DNS-01
- BUG/MINOR: acme: possible integer underflow in acme_txt_record()
- MEDIUM: acme: use lowercase for challenge names in configuration
- DOC: management: clarify usage of -V with -c
- MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
- BUG/MINOR: listener: really assign distinct IDs to shards
- MINOR: quic: Prevent QUIC build with OpenSSL 3.5 new QUIC API version
< 3.5.1
- BUG/MEDIUM: quic: Crash after QUIC server callbacks restoration
(OpenSSL 3.5)
- BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was
xferred
- BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are
xferred
- BUG/MEDIUM: http-client: Ask for more room when request data cannot be
xferred
- BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode
- BUG/MINOR: http-client: Reject any 101-switching-protocols response
- BUG/MEDIUM: http-client: Drain the request if an early response is received
- BUG/MEDIUM: http-client: Notify applet has more data to deliver until
the EOM
- MINOR: h1-htx: Add function to format an HTX message in its H1
representation
- BUG/MINOR: mux-h1: Use configured error files if possible for early H1
errors
- BUG/MINOR: h1-htx: Don't forget to init flags in h1_format_htx_msg function
- BUG/MEDIUM: h3: do not overwrite interim with final response
- BUG/MINOR: h3: properly realloc buffer after interim response encoding
- BUG/MINOR: h3: ensure that invalid status code are not encoded (FE side)
- MINOR: qmux: change API for snd_buf FIN transmission
- BUG/MEDIUM: h3: handle interim response properly on FE side
- BUG/MINOR: quic: Wrong source address use on FreeBSD
- MINOR: h3: remove unused outbuf in h3_resp_headers_send()
- BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init
- BUG/MINOR: halog: exit with error when some output filters are set
simultaneosly
- BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS
- BUG/MINOR: logs: fix log-steps extra log origins selection
- BUG/MINOR: hq-interop: fix FIN transmission
- BUG/MINOR mux-quic: apply correctly timeout on output pending data
- BUG/MINOR: mux-quic: ensure close-spread-time is properly applied
- CLEANUP: http-client: Remove useless indentation when sending request body
- DOC: list missing global QUIC settings
- BUILD: compat: provide relaxed versions of the MIN/MAX macros
- BUILD: compat: always set _POSIX_VERSION to ease comparisons
- BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr
instead of MAX_SESS_STKCTR
- MINOR: sock: update broken accept4 detection for older hardwares.
- BUG/MEDIUM: ssl: Fix 0rtt to the server
- BUG/MEDIUM: ssl: fix build with AWS-LC
- BUG/MINOR: init: Initialize random seed earlier in the init process
- DOC: management: fix typo in commit f4f93c56
- DOC: config: recommend single quoting passwords
- BUG/MEDIUM: mux-quic: adjust wakeup behavior
- BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX
buffer
3.2.3
- CI: enable USE_QUIC=1 for OpenSSL versions >= 3.5.0
- CI: github: add an OpenSSL 3.5.0 job
- CI: github: update the stable CI to ubuntu-24.04
- BUILD: quic: QUIC build against OpenSSL 3.5 broken
- BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5
- CI: github: update to OpenSSL 3.5.1
- BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits
(OpenSSL 3.5 QUIC API)
- BUG/MINOR: ssl/ocsp: fix definition discrepancies with ocsp_update_init()
- BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle
connections
- BUG/MINOR: http-act: Fix parsing of the expression argument for pause
action
- BUILD/MEDIUM: deviceatlas: fix when installed in custom locations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:24 +0000 (19:46 +0200)]
freetype: Update to version 2.14.1
- Update from version 2.13.3 to 2.14.1
- Update of rootfile
- Changelog
2.14.1
This is an emergency release that fixes a couple of severe bugs introduced in
version 2.14.0 and discovered right after the release;
see issues #1349, #1353, #1354, #1355, and #1356.
2.14.0
IMPORTANT CHANGES
- A new configuration macro `FT_CONFIG_OPTION_USE_HARFBUZZ_DYNAMIC`
is available to load the HarfBuzz library dynamically (in addition
to the standard static and dynamic linking modes); cmake, meson,
and autotools support have been updated accordingly. Using this
new feature makes it possible to avoid the circular dependency
between HarfBuzz and FreeType.
A side effect of this change is that FreeType no longer uses
HarfBuzz header files (if HarfBuzz support is activated).
This code was contributed by Behdad Esfahbod.
- The auto-hinter got new abilities.
. It can now better separate diacritic glyphs from base glyphs at
small sizes by artificially moving diacritics up (or down) if
necessary.
. Tilde accent glyphs get vertically stretched at small sizes so
that they don't degenerate to horizontal lines.
. Diacritics directly attached to a base glyph (like the ogonek in
character 'ę') no longer distort the shape of the base glyph.
These features use a database (which currently has entries for
Unicode characters up to U+FFFF, based on Unicode 17.0), handling
scripts like Latin, Cyrillic, or Greek, but not Arabic or Indic
scripts. FreeType needs to access a proper Unicode character map
(or must be able to construct such a cmap) of a given font to make
this work.
The central algorithm and the foundation of this feature was Craig
White's GSoC 2023 project.
- Bitmap-only TrueType fonts now ignore the `FT_LOAD_NO_BITMAP` flag
and proceed loading bitmaps instead of giving an error. This
behavior is documented and implemented for other bitmap-only
fonts. The flag was always meant to suppress the bitmap strikes
in favor of outlines, not to ban them completely.
IMPORTANT BUG FIXES
- Users of the `TT_CONFIG_OPTION_GPOS_KERNING` configuration option
should update; the 'GPOS' table wasn't correctly validated before
access, which could lead to crashes with malformed font files.
MISCELLANEOUS
- `FT_Set_Var_Design_Coordinates` and `FT_Set_MM_Blend_Coordinates`
now set the `FT_FACE_FLAG_VARIATION` bit in the `face_flag` field
of `FT_Face` (i.e., the macro `FT_IS_VARIATION` returns true) also
if any of the provided coordinates is different from the face's
default value for the corresponding axis, that is, the set up face
is not at its default position.
- `FT_Load_Sfnt_Table` can now also load a font's table directory.
- The TrueType instruction interpreter was optimized to produce a
15% gain in the glyph loading speed.
- Handling of Variation Fonts is now considerably faster, thanks to
contributions by Behdad Esfahbod.
- TrueType and CFF glyph loading speed has been improved by 5-10% on
modern 64-bit platforms as a result of better handling of fixed-
point multiplication.
- The BDF driver now loads fonts 75% faster.
- 'GPOS' kern table handling (if the `TT_CONFIG_OPTION_GPOS_KERNING`
configuration option is active) is now about 3.5 times faster than
before.
- Support for the (currently undocumented) 'flip' graphic type in
the 'sbix' SFNT table as used in the `Apple Color Emoji.ttc` font
(code provided by Andrew Murray).
- `ftmulti` can now scroll through named instances and gracefully
show static fonts.
- The build file on OpenVMS now also creates a 32-bit version of the
library.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 17:46:23 +0000 (19:46 +0200)]
ethtool: Update to version 6.15
- Update from version 6.9 to 6.15
- Update of rootfile
- Changelog
6.15
* Feature: support OR-XOR symmetric RSS hash type (-x/-X)
* Feature: dump registers for hibmcge driver (-d)
* Feature: configure header-data split threshold (-g/-G)
* Feature: dump registers for fbnic driver (-d)
* Feature: JSON output for channels info (-l)
* Fix: incorrect data in appstream metainfo XML
* Fix: prevent potential null pointer dereferences
* Fix: more consistent and better parseable per lane signal info (-d)
6.14
* Feature: list PHYs (--show-phys)
* Feature: target a specific PHY with some commands (--phy)
* Feature: more attributes for C33 PSE (--show-pse, --set-pse)
* Feature: source information for cable tests (--cable-test[-tdr])
* Feature: JSON output for module info (-m)
* Feature: misc RSS hash info improvements (-x)
* Feature: tsinfo hwtstamp provider (--{get,set}-hwtimestamp-cfg)
* Fix: fix wrong auto-negotiation state (no option)
* Fix: more explicit RSS context action (-n)
* Fix: print PHY address as decimal (no option)
* Fix: fix return value on flow hashing error (-N)
* Fix: fix JSON output for IRQ coalescing
* Fix: fix MDI-X info output (no option)
* Misc: code cleanup in module parsers
* Misc: provide module_info JSON schema
* Misc: add '-j' alias for --json
* Misc: provide AppStream metainfo XML
* Misc: update message descriptions for debugging output
6.11
* Feature: cmis: print active and inactive firmware versions
* Feature: flash transceiver module firmware (--flash-module-firmware)
* Feature: add T1BRR 10Mb/s mode to link mode tables
* Feature: support for disabling netlink from command line
* Fix: fix lanes parameter format specifier
* Fix: add missing clause 33 PSE manual description
* Fix: qsf: Better handling of Page A2h netlink read failure
* Fix: rss: retrieve ring count using ETHTOOL_GRXRINGS ioctl (-x)
* Misc: man page formatting fix
6.10
* Feature: suport for PoE in PSE (--show-pse and --set-pse)
* Feature: add statistics support to tsinfo (-T)
* Feature: add JSON output to base command (no option)
* Feature: add JSON output to EEE info (--show-eee)
* Fix: qsfp: better handling on page 03h read failure (-m)
* Fix: handle zero arguments for module eeprom dump (-m)
* Fix: check for missing arguments in do_srxfh() (-X)
* Misc: compiler warnings in "make check"
* Misc: more descriptive error when JSON output is not available
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 15:47:27 +0000 (17:47 +0200)]
cmake: Add patch to avoid using undocumented type for CURLOPT_PROXYTYPE values
- Update of rootfile
- With the new update of curl changes were made to CURLOPT which resulted in cmake using
an undocumented type.
- This patch has been merged in the cmake git repo and will become available in version
cmake-4.1.2 so the patch will be able to be removed when that version is released
and updated in IPFire.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 15:47:25 +0000 (17:47 +0200)]
curl: Update to version 8.16.0
- Update from version 8.15.0 to 8.16.0
- Update of rootfile
- Changelog
8.16.0
changes:
o build: bump minimum required mingw-w64 to v3.0 (from v1.0) [33]
o curl: add --follow [129]
o curl: add --out-null [101]
o curl: add --parallel-max-host to limit concurrent connections per host [81]
o curl: make --retry-delay and --retry-max-time accept decimal seconds [112]
o hostip: cache negative name resolves [175]
o ip happy eyeballing: keep attempts running [80]
o mbedtls: bump minimum version required to 3.2.0 [180]
o multi: add curl_multi_get_offt [56]
o multi: add CURLMOPT_NETWORK_CHANGED to signal network changed [84]
o netrc: use the NETRC environment variable (first) if set [70]
o smtp: allow suffix behind a mail address for RFC 3461 [127]
o tls: make default TLS version be minimum 1.2 [71]
o tool_getparam: add support for `--longopt=value` [69]
o vquic: drop msh3 [8]
o websocket: support CURLOPT_READFUNCTION [193]
o writeout: add %time{} [74]
bugfixes:
o _PROTOCOLS.md: mention file:// is only for absolute paths [102]
o acinclude: --with-ca-fallback only works with OpenSSL [217]
o alpn: query filter [104]
o ares: destroy channel on shutdown [178]
o ares: use `ares_strerror()` to retrieve error messages [236]
o asyn-thrdd: fix --disable-socketpair builds [235]
o asyn-thrdd: fix Curl_async_pollset without socketpair [205]
o asyn-thrdd: fix no `HAVE_GETADDRINFO` builds [214]
o asyn-thrdd: manage DEFERRED and locks better [228]
o autotools: make curl-config executable [253]
o aws-lc: do not use large buffer [250]
o BINDINGS.md: add LibQurl [156]
o bufq: add integer overflow checks before chunk allocations [108]
o bufq: removed "Useless Assignment" [188]
o bufq: simplify condition [207]
o build: allow libtests/clients to use libcurl dependencies directly [87]
o build: disable `TCP_NODELAY` for emscripten [176]
o build: enable _GNU_SOURCE on GNU/Hurd [27]
o build: extend GNU C guards to clang where applicable, fix fallouts [61]
o build: fix build errors/warnings in rare configurations [7]
o build: fix disable-verbose [48]
o build: fix mingw-w64 version guard for mingw32ce [124]
o build: if no perl, fix to use the pre-built hugehelp, if present [144]
o build: link to Apple frameworks required by static wolfSSL [40]
o build: support LibreSSL native crypto lib with ngtcp2 1.15.0+ [209]
o build: tidy up compiler definition for tests [37]
o cf-https-connect: delete unused declaration [15]
o clang-tidy: disable `clang-analyzer-security.ArrayBound` [265]
o cmake: `CURL_CA_FALLBACK` only works with OpenSSL [215]
o cmake: capitalize 'Rustls' in the config summary
o cmake: defer building `unitprotos.h` till a test target needs it [75]
o cmake: define `WIN32_LEAN_AND_MEAN` for examples [159]
o cmake: drop redundant unity mode for `curlinfo` [155]
o cmake: enable `-Wall` for MSVC 1944 [128]
o cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
o cmake: fix setting LTO properties on the wrong targets [258]
o cmake: fix to disable Schannel and SSPI for non-Windows targets
o cmake: fix to restrict `SystemConfiguration` to macOS [139]
o cmake: honor `CMAKE_C_FLAGS` in test 1119 and 1167 [206]
o cmake: improve error message for invalid HTTP/3 MultiSSL configs [187]
o cmake: keep websockets disabled if HTTP is disabled
o cmake: make `runtests` targets build the curl tool [32]
o cmake: make the ExternalProject test work [183]
o cmake: omit linking duplicate/unnecessary libs to tests & examples [45]
o cmake: re-add simple test target, and name it `tests` [142]
o cmake: set `CURL_DIRSUFFIX` automatically in multi-config builds [154]
o CODE_STYLE: sync with recent `checksrc.pl` updates [49]
o config-win32.h: do not use winsock2 `inet_ntop()`/`inet_pton()` [58]
o configure: if no perl, disable unity and shell completion, related tidy ups
[137]
o configure: tidy up internal names in ngtcp2 ossl detection logic [212]
o connectdata: remove primary+secondary ip_quadruple [126]
o connection: terminate after goaway [62]
o contrithanks: fix for BSD `sed` tool [98]
o cookie: don't treat the leading slash as trailing [185]
o cookie: remove expired cookies before listing [158]
o curl-config: remove X prefix use [138]
o curl/system.h: fix for GCC 3.3.x and older [38]
o curl: make the URL indexes 64 bit [117]
o curl: tool_read_cb fix of segfault [18]
o curl_addrinfo: drop workaround for old-mingw [14]
o curl_easy_ssls_export: make the example more clear [78]
o curl_fnmatch, servers: drop local macros in favour of `sizeof()` [21]
o curl_mime_data_cb.md: mention what datasize is for [107]
o curl_ossl: extend callback table for nghttp3 1.11.0 [46]
o curl_setup.h: include `stdint.h` earlier [260]
o curl_setup.h: move UWP detection after `config-win32.h` (revert) [51]
o curl_setup.h: move UWP detection after `config-win32.h` [23]
o CURLINFO_FILETIME*.md: correct the examples [242]
o CURLOPT: bump `CURL_REDIR_*` macros to `long` [110]
o CURLOPT: bump `CURL_SSLVERSION_*` macros to `long` [149]
o CURLOPT: bump `CURLALTSVC_*` macros to `long` [96]
o CURLOPT: bump `CURLFTP*` enums to `long`, drop casts [54]
o CURLOPT: bump `CURLHEADER_*` macros to `long`, drop casts [94]
o CURLOPT: bump `CURLPROTO_*` macros to `long` [148]
o CURLOPT: bump `CURLPROXY_*` enums to `long`, drop casts [95]
o CURLOPT: bump `CURLWS_NOAUTOPONG`, `CURLWS_RAW_MODE` macros to `long` [150]
o CURLOPT: bump remaining macros to `long` [147]
o CURLOPT: drop redundant `long` casts [55]
o CURLOPT: replace `(long)` cast with `L` suffix for `CURLHSTS_*` macros
o CURLOPT_HTTP_VERSION: mention new default value [179]
o CURLOPT_SSL_CTX_*: replace the base64 with XXXX [171]
o delta: fix warnings, fix for non-GNU `date` tool [99]
o DEPRECATE.md: drop old OpenSSL versions [266]
o DEPRECATE.md: drop support for c-ares versions before 1.16.0 [191]
o DEPRECATE.md: drop support for Windows XP/2003 [31]
o DEPRECATE.md: remove leftover "nothing" [57]
o DISTROS.md: add Haiku [39]
o docs/cmdline-opts: the auth types are not mutually exclusive [103]
o docs: add CURLOPT type change history, drop casts where present [143]
o docs: add major incident section to vuln disclosure policy [271]
o docs: fix link CONTRIBUTE.md link [192]
o docs: fix name in curl_easy_ssls_export man page [12]
o docs: fix typo (staring -> starting) [211]
o docs: point two broken links to archive.org [134]
o docs: put `<>` within backticks in titles [261]
o doh: rename symbols to avoid collision with mingw-w64 headers [66]
o easy handle: check validity on external calls [28]
o examples: drop long cast for `CURLALTSVC_*`
o examples: make `CURLPIPE_MULTIPLEX` fallback `long` [233]
o examples: remove base64 encoded chunks from examples [189]
o examples: remove href_extractor.c [186]
o ftp: store dir components as start+len instead of memdup'ing [198]
o ftp: use 'conn' instead of 'data->conn' [208]
o gnutls: fix building with older supported GnuTLS versions [241]
o gnutls: some small cleanups [41]
o hmac: return error if init fails [2]
o hostip: do DNS cache pruning in milliseconds [132]
o HTTP3.md: avoid `configure` issue for ngtcp2 1.14.0+ compatibility [182]
o http: const up readonly H2_NON_FIELD [10]
o http: do the cookie list access under lock [270]
o http: silence `-Warray-bounds` with gcc 13+ [44]
o idn: reject conversions that end up as a zero length hostname [273]
o inet_pton, inet_ntop: drop declarations when unused [59]
o lib1560: fix memory leak when run without UTF-8 support [17]
o lib1560: replace an `int` with `bool` [97]
o lib2700: use `testnum` [151]
o lib517: use `LL` 64-bit literals & re-enable a test case (`time_t`) [100]
o lib: drop `UNUSED_PARAM` macro [259]
o libcurl: reset rewind flag in curl_easy_reset() [184]
o libssh: Use sftp_aio instead of sftp_async for sftp_recv [92]
o libtests: update format strings to avoid casts, drop some macros [109]
o libtests: use `FMT_SOCKET_T`, drop more casts [136]
o managen: reset text mode at end of table marker [145]
o mbedtls: check for feature macros instead of version [166]
o mdlinkcheck: handle links with a leading slash properly [195]
o memanalyze: fix warnings [22]
o memory: make function overrides work reliably in unity builds [93]
o multi event: remove only announced [25]
o multi: don't insert a node into the splay tree twice [68]
o multi: fix assert in multi_getsock() [53]
o multi: fix bad splay management [133]
o multi: process pending, one by one [90]
o multi: replace remaining EXPIRE_RUN_NOW [67]
o multissl: initialize when requesting a random number [30]
o ngtcp2: extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0 [47]
o ngtcp2: handshake timeout should be equal to --connect-timeout [262]
o ngtcp2: use custom mem funcs [204]
o openldap: fix `-Wtentative-definition-compat` [268]
o openssl: add and use `HAVE_BORINGSSL_LIKE` internal macro [222]
o openssl: add and use `HAVE_OPENSSL3` internal macro [223]
o openssl: assume `OPENSSL_VERSION_NUMBER` [181]
o openssl: auto-pause on verify callback retry [167]
o openssl: check SSL_write() length on retries [152]
o openssl: clear errors after a failed `d2i_X509()` [161]
o openssl: drop more legacy cruft [224]
o openssl: drop redundant `HAVE_OPENSSL_VERSION` macro [221]
o openssl: drop redundant version check [246]
o openssl: drop single-use interim macro `USE_OPENSSL_SRP` [201]
o openssl: enable `HAVE_KEYLOG_CALLBACK` for AWS-LC [220]
o openssl: merge two `#if` blocks [218]
o openssl: output unescaped utf8 x509 issuer/subject DNs [169]
o openssl: remove legacy cruft, document macro guards [231]
o openssl: save and restore OpenSSL error queue in two functions [172]
o openssl: some small cleanups [42]
o openssl: split cert_stuff into smaller sub functions [72]
o openssl: sync an AWS-LC guard with BoringSSL [199]
o openssl: use `RSA_flags()` again with BoringSSL [219]
o parallel-max: bump the max value to 65535 [86]
o parsedate: make Curl_getdate_capped able to return epoch [229]
o processhelp.pm: fix to use the correct null device on Windows [164]
o processhelp.pm: use `Win32::Process*` perl modules if available [200]
o projects: drop unused logic from `generate.bat` [157]
o projects: fix Windows project 'clean' function [203]
o pytest: add SOCKS tests and scoring [9]
o pytest: fix test_17_09_ssl_min_max for BoringSSL [197]
o pytest: increase server KeepAliveTimeout [26]
o pytest: relax error check on test_07_22 [16]
o resolving: dns error tracing [196]
o runtests: assume `Time::HiRes`, drop Perl Win32 dependency [163]
o runtests: remove warning message [230]
o runtests: replace `--ci` with `--buidinfo`, show OS/Perl version again [247]
o runtests: show still running tests when nothing has happened for a while [227]
o schannel: add an error message for client cert not found [165]
o schannel: assume `CERT_CHAIN_REVOCATION_CHECK_CHAIN` [114]
o schannel: drop fallbacks for 4 macros [121]
o schannel: drop fallbacks for unused `BCRYPT_*` macros [122]
o schannel: drop old-mingw special case [77]
o schannel: fix recent update for mingw32ce [123]
o schannel: fix renegotiation [202]
o schannel: improve handshake procedure [239]
o schannel: not supported with UWP, drop redundant code [105]
o schannel: use if(result) like the code style says [125]
o scripts: enable strict warnings in Perl where missing, fix fallouts [63]
o scripts: fix two Perl uninitialized value warnings [60]
o sendf: getting less data than "max allowed" is okay [170]
o servers: convert two macros to scoped static const strings [89]
o setopt: refactor out the booleans from setopt_long to setopt_bool [83]
o setopt: split out cookielist() and cookiefile() [130]
o socks: do_SOCKS5: Fix invalid buffer content on short send [43]
o socks_sspi: simplify, clean up Curl_SOCKS5_gssapi_negotiate [237]
o spacecheck.pl: when detecting unicode, mention line number [85]
o spacecheck: warn for 3+ empty lines in a row, fix fallouts [240]
o spelling: file system [232]
o test1148: drop redundant `LC_NUMBER=` env setting [13]
o test1557: pass `long` type to `multi_setopt()` [234]
o test1560: set locale/codeset with `LC_ALL` (was: `LANG`), test in CI [19]
o test1560: skip some URLs if UTF-8 is not supported [34]
o test1: raise alloc limits [11]
o test428: re-enable for Windows [5]
o test436: fix running on Windows with `_curlrc` present [153]
o test: add `cygwin` feature and use it (test 1056, 1517) [249]
o tests/ech_tests.sh: indent, if/for style, inline ifs [131]
o tests: constify command-line arguments [82]
o tests: delete unused commands [177]
o tests: drop unused `BLANK` envs, unset `CURL_NOT_SET` [248]
o tests: drop unused `CURL_FORCEHOST` envs [36]
o tests: fix perl warnings in http2-server, http3-server [119]
o tests: fix prechecks to call the bundle libtest tool [120]
o tests: fix UTF-8 detection, per-test `LC_*` settings, CI coverage [6]
o tests: merge clients into libtests, drop duplicate code [76]
o tests: remove the QUIT filters [210]
o tests: set `CURL_ENTROPY` per test, not globally [35]
o tests: unset some envs instead of blanking them [4]
o threaded-resolver: fix shutdown [252]
o tidy-up: `Curl_thread_create()` callback return type [20]
o tidy-up: move literal to the right side of comparisons [65]
o tidy-up: prefer `ifdef`/`ifndef` for single checks [64]
o tls: CURLINFO_TLS_SSL_PTR testing [79]
o TODO: remove session export item [194]
o TODO: remove the expand ~ idea [216]
o tool_cb_wrt: stop alloc/free for every chunk windows console output [140]
o tool_filetime: accept setting negative filetime [256]
o tool_getparam: let --trace-config override -v [238]
o tool_getparam: warn on more unicode prefixes [275]
o tool_operate: avoid superfluous strdup'ing output [1]
o tool_operate: use stricter curl_multi_setopt() arguments [225]
o tool_operate: use the correct config pointer [115]
o tool_paramhlp: fix secs2ms() [116]
o tool_parsecfg: use dynbuf for quoted arguments [162]
o tool_urlglob: add integer overflow protection [244]
o tool_urlglob: polish, cleanups, improvements [141]
o typecheck-gcc: add type checks for curl_multi_setopt() [226]
o unit-tests: build the unitprotos.h from here [73]
o unit2604: avoid `UNCONST()` [135]
o URL-SYNTAX.md: drop link to codepoints.net to pass linkcheck [190]
o urlapi: allow more path characters "raw" when asked to URL encode [146]
o urldata: reduce two long struct fields to unsigned short [174]
o urlglob: only accept 255 globs
o vquic-tls: fix SSL backend type for QUIC connections using gnutls [29]
o vquic: replace assert [254]
o vquic: use curl_getenv [168]
o vtls: set seen http version on successful ALPN [160]
o websocket example: cast print values to unsigned int [251]
o websocket: handling of PONG frames [213]
o websocket: improve handling of 0-len frames [269]
o websocket: reset upload_done when sending data [245]
o windows: assume `ADDRESS_FAMILY`, drop feature checks [88]
o windows: document toolchain support for `CERT_NAME_SEARCH_ALL_NAMES_FLAG`
o windows: document toolchain support for some macros (cont.) [111]
o windows: document toolchain support for some macros [113]
o windows: drop `CRYPT_E_*` macro fallbacks, limit one to mingw32ce [118]
o windows: drop two interim, single-use macros [106]
o windows: drop unused `curlx/version_win32.h` includes [52]
o windows: fix `if_nametoindex()` detection with autotools, improve with
cmake [24]
o windows: include `wincrypt.h` before `iphlpapi.h` for mingw-w64 <6 [50]
o windows: target version macro tidy-ups [3]
o wolfssl: rename ML-KEM hybrids to match IETF draft [173]
o write-out.md: header_json is not included the json object [243]
o ws: avoid NULL pointer deref in curl_ws_recv [91]
o ws: get a new mask for each new outgoing frame [255]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 12:07:24 +0000 (14:07 +0200)]
wio: Update openvpn.pid to openvpn-rw.pid
- This change was needed together with the log file name change to have wio show the
openvpn statuses.
- Tested and confirmed on my vm testbed.
- Will leave it to be decided if this gets merged into CU197 Testing or waits for CU198
Either is fine for me.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 15 Sep 2025 10:17:01 +0000 (12:17 +0200)]
ovpnmain.cgi: Never write ncp-disable
This was some compatibility code which was supposed to help us with the
transition towards NCP. Since we are now on OpenVPN 2.6, this version no
longer supports the "ncp-disable" switch and we cannot write it to the
configuration any more. There should always be a default value for data
ciphers.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Sep 2025 08:56:33 +0000 (10:56 +0200)]
python3: Remove bundled setuptools
- python3-pillow was finding the bundled setuptools version 63.2.0 and not the
installed version of 80.9.0 and the bundled version failed the pillow requirement of
>=77
- The bundled version install can not be disabled so this patch removes all the
setuptools directories at the end of the python3 install so that only the IPFire
installed version of setuptools will be available.
- This resolved the problem of python3-pillow failing to build
- The bundled setuptools has been removed in python-3.12 so when that version is
released in IPFire the removal lines added in this patch will be able to be removed.
- The removal of the bundled version of setuptools also caused changes in the rootfiles
of 6 other python modules, so it looks like those were also building with the older
bundled version but had no version requirement failure. This patch set also includes
the changed rootfiles for each of those packages.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 14 Sep 2025 10:01:34 +0000 (12:01 +0200)]
ovpnmain.cgi: Manually push a different gateway for static pools
This is because in "topology subnet", ifconfig-push is massively broken.
The client is not able to configure any routes correctly by pointing
them to the interface. Instead it is trying to use the gateway address
from the dynamic pool as gateway which cannot be reached if the client
only has an IP address from another subnet. Pushing host routes is not
supported, so we have to create a hack here and pretend that there is a
gateway in the static pool somewhere.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When enabled, named will not modify DNSSEC keys or key states
automatically. The proposed change will be logged and only after manual
confirmation with rndc dnssec -step will the modification be made. [GL
#4606]
Add a new option servfail-until-ready to response-policy zones.
By default, when named is started, it starts answering queries before
all response policy zones are completely loaded and processed. This new
option instructs named to respond with SERVFAIL until all the response
policy zones are processed and ready. Note that if one or more response
policy zones fail to load, named starts responding to queries according
to those zones that did load.
Note, that enabling this option has no effect when a DNS Response
Policy Service (DNSRPS) interface is used. [GL #5222]
Support for parsing HHIT and BRID records has been added.
[GL #5444]
Removed Features
Deprecate the tkey-gssapi-credential statement.
The tkey-gssapi-keytab statement allows GSS-TSIG to be set up in a
simpler and more reliable way than using the tkey-gssapi-credential
statement and setting environment variables (e.g. KRB5_KTNAME).
Therefore, the tkey-gssapi-credential statement has been deprecated;
tkey-gssapi-keytab should be used instead.
For configurations currently using a combination of both
tkey-gssapi-keytab and tkey-gssapi-credential, the latter should be
dropped and the keytab pointed to by tkey-gssapi-keytab should now only
contain the credential previously specified by tkey-gssapi-credential.
[GL #4204]
Obsolete the “tkey-domain” statement.
Mark the tkey-domain statement as obsolete because it has not had any
effect on server behavior since support for TKEY Mode 2
(Diffie-Hellman) was removed (in BIND 9.20.0). [GL #4204]
Bug Fixes
Prevent spurious SERVFAILs for certain 0-TTL resource records.
Under certain circumstances, BIND 9 can return SERVFAIL when updating
existing entries in the cache with new NS, A, AAAA, or DS records that
have a TTL of zero. [GL #5294]
Fix unexpected termination if catalog-zones had undefined
default-primaries.
The issue manifested only if the server was reloaded or reconfigured
twice. [GL #5494]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:10:18 +0000 (22:10 +0200)]
lynis: Update to version 3.1.5
- Update from version 3.1.3 to 3.1.5
- Update of rootfile
- Changelog
3.1.5
Added
- Support for OpenWrt
- Bitdefender detection on Linux
- Detection of openSUSE Tumbleweed-Slowroll
Changed
- Corrected detection of service manager SMF
- Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt
- Check modules also under /usr/lib/modules.d
3.1.4
Changed
- Update of translations: Portuguese
- Add macOS Sequoia
- Update of EOL database
- Bugfix for using slashes in parameters (SafeInput function)
- Simplified copyright line and meta data in files
- Support for powerpc64le in authentication section
- Don't show error "kadmin.local: unable to get default realm"
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:08:14 +0000 (22:08 +0200)]
strace: Update to version 6.16
- Update from 6.12 to 6.16
- Update of rootfile not required
- Changelog
6.16
* Improvements
* Added -N/--arg-names option for printing syscall argument names.
* Implemented setting of system call information using
PTRACE_SET_SYSCALL_INFO ptrace API introduced in Linux 6.16.
* Implemented decoding of SO_RCVPRIORITY and SO_PASSRIGHTS socket options.
* Implemented decoding of RTA_NH_ID and RTA_FLOWLABEL netlink attributes.
* Updated decoding of statx syscall.
* Updated lists of BR_*, CRYPTOCFGA_*, FUTEX2_*, IORING_*, IPSET_*, KVM_*,
MDB_*, NETDEV_*, PR_*, RXRPC_*, SW_*, THERMAL_*, and V4L2_*
constants.
* Updated lists of ioctl commands from Linux 6.16.
6.15
* Improvements
* Implemented decoding of open_tree_attr syscall.
* Implemented decoding of AF_TIPC socket addresses and socket options.
* Updated decoding of statmount syscall.
* Updated lists of AUDIT_*, BPF_*, BTRFS_*, COUNTER_*, FAN_*, FRA_*, IFLA_*,
IORING_*, KVM_*, LANDLOCK_*, PKEY_*, RTPROT_*, TCP_*, and V4L2_* constants.
* Updated lists of ioctl commands from Linux 6.15.
6.14
* Improvements
* Added -e namespace=new option for printing the namespaces entered
by the tracee.
* Implemented decoding of FRA_FLOWLABEL and FRA_FLOWLABEL_MASK netlink
attributes of RTM_{NEW,DEL,GET}RULE NETLINK_ROUTE messages.
* Implemented decoding of RTM_{NEW,DEL}MULTICAST and RTM_{NEW,DEL}ANYCAST
NETLINK_ROUTE messages.
* Updated decoding of statx syscall.
* Updated lists of AT_*, AUDIT_*, ETHTOOL_*, FAN_*, IORING_*, IPPROTO_*,
KEY_*, NL80211_*, RWF_*, and SECBIT_* constants.
* Updated lists of ioctl commands from Linux 6.14.
6.13
* Improvements
* Implemented decoding of getxattrat, setxattrat, listxattrat,
and removexattrat syscalls.
* Updated decoding of struct io_uring_clone_buffers, struct io_uring_napi,
and struct perf_event_attr.
* Updated decoding of crypto_user_alg netlink attributes of NETLINK_CRYPTO.
* Implemented decoding of IFLA_MCTP_PHYS_BINDING netlink attribute.
* Updated lists of AT_*, BPF_*, FAN_*, IORING_*, MADV_*, NT_*, and SCM_*
constants.
* Updated lists of ioctl commands from Linux 6.13.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:08:13 +0000 (22:08 +0200)]
nginx: Update to version 1.29.1
- Update from version 1.26.2 to 1.29.1
- Update of rootfile not required
- One CVE fix in 1.27.4, one CVE fix in 1.27.1, four CVE fixes in 1.27.0
- Changelog
1.29.1
*) Change: now TLSv1.3 certificate compression is disabled by default.
*) Feature: the "ssl_certificate_compression" directive.
*) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.
*) Bugfix: the 103 response might be buffered when using HTTP/2 and the
"early_hints" directive.
*) Bugfix: in handling "Host" and ":authority" header lines with equal
values when using HTTP/2; the bug had appeared in 1.17.9.
*) Bugfix: in handling "Host" header lines with a port when using
HTTP/3.
*) Bugfix: nginx could not be built on NetBSD 10.0.
*) Bugfix: in the "none" parameter of the "smtp_auth" directive.
1.29.0
*) Feature: support for response code 103 from proxy and gRPC backends;
the "early_hints" directive.
*) Feature: loading of secret keys from hardware tokens with OpenSSL
provider.
*) Feature: support for the "so_keepalive" parameter of the "listen"
directive on macOS.
*) Change: the logging level of SSL errors in a QUIC handshake has been
changed from "error" to "crit" for critical errors, and to "info" for
the rest; the logging level of unsupported QUIC transport parameters
has been lowered from "info" to "debug".
*) Change: the native nginx/Windows binary release is now built using
Windows SDK 10.
*) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or
ngx_http_v3_module modules were used.
*) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto
optimization if ngx_http_v3_module was used.
*) Bugfixes and improvements in HTTP/3.
1.27.5
*) Feature: CUBIC congestion control in QUIC connections.
*) Change: the maximum size limit for SSL sessions cached in shared
memory has been raised to 8192.
*) Bugfix: in the "grpc_ssl_password_file", "proxy_ssl_password_file",
and "uwsgi_ssl_password_file" directives when loading SSL
certificates and encrypted keys from variables; the bug had appeared
in 1.23.1.
*) Bugfix: in the $ssl_curve and $ssl_curves variables when using
pluggable curves in OpenSSL.
*) Bugfix: nginx could not be built with musl libc.
Thanks to Piotr Sikora.
*) Performance improvements and bugfixes in HTTP/3.
1.27.4
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache",
"proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and
"uwsgi_ssl_certificate_cache" directives.
*) Feature: the "keepalive_min_timeout" directive.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: nginx could not build libatomic library using the library
sources if the --with-libatomic=DIR option was used.
*) Bugfix: QUIC connection might not be established when using 0-RTT;
the bug had appeared in 1.27.1.
*) Bugfix: nginx now ignores QUIC version negotiation packets from
clients.
*) Bugfix: nginx could not be built on Solaris 10 and earlier with the
ngx_http_v3_module.
*) Bugfixes in HTTP/3.
1.27.3
*) Feature: the "server" directive in the "upstream" block supports the
"resolve" parameter.
*) Feature: the "resolver" and "resolver_timeout" directives in the
"upstream" block.
*) Feature: SmarterMail specific mode support for IMAP LOGIN with
untagged CAPABILITY response in the mail proxy module.
*) Change: now TLSv1 and TLSv1.1 protocols are disabled by default.
*) Change: an IPv6 address in square brackets and no port can be
specified in the "proxy_bind", "fastcgi_bind", "grpc_bind",
"memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as
client address in ngx_http_realip_module.
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Nils Bars.
*) Bugfix: the "so_keepalive" parameter of the "listen" directive might
be handled incorrectly on DragonFly BSD.
*) Bugfix: in the "proxy_store" directive.
1.27.2
*) Feature: SSL certificates, secret keys, and CRLs are now cached on
start or during reconfiguration.
*) Feature: client certificate validation with OCSP in the stream
module.
*) Feature: OCSP stapling support in the stream module.
*) Feature: the "proxy_pass_trailers" directive in the
ngx_http_proxy_module.
*) Feature: the "ssl_client_certificate" directive now supports
certificates with auxiliary information.
*) Change: now the "ssl_client_certificate" directive is not required
for client SSL certificates verification.
1.27.1
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash
(CVE-2024-7347).
Thanks to Nils Bars.
*) Change: now the stream module handler is not mandatory.
*) Bugfix: new HTTP/2 connections might ignore graceful shutdown of old
worker processes.
Thanks to Kasei Wang.
*) Bugfixes in HTTP/3.
1.27.0
*) Security: when using HTTP/3, processing of a specially crafted QUIC
session might cause a worker process crash, worker process memory
disclosure on systems with MTU larger than 4096 bytes, or might have
potential other impact (CVE-2024-32760, CVE-2024-31079,
CVE-2024-35200, CVE-2024-34161).
Thanks to Nils Bars of CISPA.
*) Feature: variables support in the "proxy_limit_rate",
"fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate"
directives.
*) Bugfix: reduced memory consumption for long-lived requests if "gzip",
"gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
*) Bugfix: nginx could not be built by gcc 14 if the --with-libatomic
option was used.
Thanks to Edgar Bonet.
*) Bugfixes in HTTP/3.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:08:12 +0000 (22:08 +0200)]
mympd: Update to version 22.0.4
- Update from version 21.0.1 to 22.0.4
- Update of rootfile not required
- Changelog
22.0.4
- Upd: Restrict sticker names (forbid equal sign)
- Fix: Really shuffle the playlist #1455
- Fix: Relax search expression validation #1455
- Fix: Alpine packaging
- Fix: Detection of local playback features #1452
22.0.3
- Upd: Create cache und workdir in init script
- Upd: Feature detection for local playback output selection #1452
22.0.2
- Fix: MYMPD_API_JUKEBOX_RESTART requires MPD connection #1448
22.0.1
- Fix: Respect backgroundImage setting #1446
- Fix: Alpine packaging
22.0.0
Notes
- This release enables certificate checking for outgoing https connections. The system CA cert store should be autodetected, open an issue if it fails.
- The startup process of myMPD was reworked. myMPD no longer drops privileges, the included startup scripts are using now the init system to do this.
- The default listening ports are now 8080 for HTTP and 8443 for HTTPS.
API changes
- MYMPD_API_SCRIPT_VERIFY_SIG: new
- MYMPD_API_HOME_WIDGET_IFRAME_SAVE: new
- MYMPD_API_HOME_WIDGET_SCRIPT_SAVE: new
- MYMPD_API_HOME_WIDGET_SAVE: removed
Scripting changes
- Feat: `mympd.tblvalue_in_list()` - Checks a Lua table of tags against a comma separated list.
- Upd: Executing external scripts is now disabled by default.
Changelog
- Feat: iFrames for home screen #1429
- Feat: Feat: Add custom css and js #1428
- Feat: Use system provided ca store for ssl certificate checking #1427
- Feat: Sign and verify scripts from mympd-scripts repository #1426
- Feat: Add trigger `mympd_playlistart`, `mympd_folderart`
- Feat: Sort list of timers and triggers #1425
- Feat: Allow changing output device with local playback #1434
- Upd: Improve "Edit Script"-Layout
- Upd: Bootstrap v5.3.7
- Upd: Mongoose 7.18
- Upd: libmympdclient 1.0.34 (libmpdclient 2.24.0)
- Upd: Incbin
- Upd: Replaced mjson with mongoose implementation
- Fix: Improve MPD search expression validation #1435
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Sep 2025 20:08:11 +0000 (22:08 +0200)]
mtr: Update to version 0.96
- Update from version 0.95 to 0.96
- Update of rootfile not required
- Changelog
0.96
Merge branch 'traviscross:master' into master
Change UDP and ICMP sockets binding to accept a source IP from the -a CLI option
Adjust MIN_PORT to match other implementations
Handle EHOSTDOWN and refine error handling better granularity
add braille graph support with --displaymode 3
fix legend for braille display
fix documentation/comment for ENABLE_BRAILLE
use addrs for static host ordering in curses
add --max-display-paths option
Add a compact mode in curses
mtr.8.in: spell --mark argument type properly
Fix tiny typo in target
Implement ASN lookups in well-known nat64 prefix
net: implement addrcmp for AF_UNSPEC
Initialize lines to empty string in split mode
Add error code ETIMEOUT(110) handle logic
fixed the sizes passed into snprintf
Allow signed integers in the utils function
Split the strtonum function into two parts to create a better structure
Remove redundant code
Fix https://github.com/traviscross/mtr/issues/475
xml report: remove leading spaces
Set UTF-8 encoding for XML reports
Update Cygwin ICMP service thread for asynchronous pipes
Prevent icmp_socket leak on error
Markus pointed out useless statement.
merged
Merge branch 'master' of github.com:traviscross/mtr
Fixed typo noted by @szczot3k
Changed how conflicitng first/max TTL works.
Increased max probes
Added protection against use of MTR_PACKET under special circumstances
Merge branch 'master' of github.com:traviscross/mtr
Added Arad Cohen to NEWS
Set SO_BINDTODEVICE for -I
Check if SO_BINDTODEVICE is defined
ui: make interactive and non-interactive exit code the same
Add WSL method to Windows Install
Add Ubuntu as specific distribution
Update section title
Github actions added to perform lint and compile
configure.ac: fix broken cap check
Add option to use custom ipinfo provider
Fix Capability Management, Retain CAP_NET_ADMIN
Fix interface binding by retaining CAP_NET_RAW
Linux-Only Interface, Marking, and IP Unit Tests
Annotate `set_privileged_socket_opt` with UNUSED
Drop capabilities when `setsockopt` errors
Fix flake8 linting
Change B101->S101 to reflect flake8
Use a uint32 for the type of a Linux mark
Use Packet Marking for IP Address Selection
Support Hexadecimal Arguments for Packet Marking
ipv6 udp checksums like ipv4 but with ipv6 pseudoheader
fix typo
Merge branch 'master' into compact-layout
Add help info for option -E
Brought an unlikely privilege escalation scenario to my attention.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
