Adolf Belka [Mon, 11 May 2026 16:55:51 +0000 (18:55 +0200)]
backup.pl: Create the new unbound user and group when doing a restore
- With the introduction of the unbound user and group, when a restore is done from an
earlier backup when user and group nobody were used then the unbound user and group
are removed as passwd and group are backed up.
- Using the entry already present for the dhcpcd user and group I created this patch.
- Not 100% certain it is the correct way to do it, as I am not sure about if a restore
is done where the unbound user and group already exist but presumably the same effect
occurs with the dhcpcd user and group.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 11 May 2026 10:42:27 +0000 (12:42 +0200)]
ovpnmain.cgi: CU202 fix - Update the RW Log Status extraction
- Previously the second section of the RW Log Status file had IP:Port, so selecting the
first part of that section showed the IP.
- The new status now has Protocol:IP:Port so the selection has to be changed to the
second part of that section so the index goes from 0 to 1.
- That was missed by me when I did the OpenVPN-2.7 update.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
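The field-layout change this commit describes, as an added Python example (not the Perl of ovpnmain.cgi or anything from the IPFire tree): the address is extracted by peeling off an optional protocol label rather than by a fixed split index, so both the legacy "IP:Port" and the new "Protocol:IP:Port" layouts work. The protocol set, the sample fields and the bracketed-IPv6 handling are constructed assumptions for this example.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Protocol labels that may precede the address. This set is an assumption
# constructed for the example, not taken from OpenVPN or ovpnmain.cgi.
KNOWN_PROTOCOLS = {
    "udp", "udp4", "udp6", "tcp", "tcp4", "tcp6", "tcp-client", "tcp-server",
}

# "[v6-literal]:port" or "[v6-literal]" (bracketed IPv6, an extension beyond
# the two layouts the commit describes).
_BRACKETED = re.compile(r"^\[(?P<host>[0-9A-Fa-f:.]+)\](?::(?P<port>\d{1,5}))?$")


def _to_ip(text: str) -> Optional[str]:
    """Return the canonical IP string, or None if text is not an IP literal."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def _host_port(value: str) -> Tuple[str, Optional[str]]:
    """Split "host:port" into its parts; port is None when absent."""
    m = _BRACKETED.match(value)
    if m:
        return m.group("host"), m.group("port")
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return value, None


def split_real_address(field: str) -> Optional[Tuple[Optional[str], str, Optional[int]]]:
    """Parse a "Real Address" field into (protocol, ip, port).

    Accepts both the legacy "IP:Port" layout and the "Protocol:IP:Port"
    layout. The protocol label is peeled off first, so the IP is never
    selected by a hard-coded index such as split(":")[0] or [1]; with the
    new layout, [0] would return "udp" instead of an address, which is the
    display bug the commit fixes. Returns None for malformed input.
    """
    value = field.strip()
    protocol = None

    head, sep, rest = value.partition(":")
    if sep and head.lower() in KNOWN_PROTOCOLS:
        protocol, value = head.lower(), rest

    host, port = _host_port(value)
    ip = _to_ip(host)
    if ip is None and port is not None:
        # An unbracketed IPv6 literal without a port also ends in ":<digits>";
        # retry with the whole remainder as the address.
        ip, port = _to_ip(value), None
    if ip is None:
        return None

    port_num = None
    if port is not None:
        port_num = int(port)
        if not 1 <= port_num <= 65535:
            return None
    return protocol, ip, port_num


def real_address_ip(field: str) -> Optional[str]:
    """Only the IP, which is what the RW connection status page displays."""
    parsed = split_real_address(field)
    return parsed[1] if parsed else None


if __name__ == "__main__":
    # Constructed sample fields, not real status-file content.
    for sample in ("192.0.2.10:51820", "udp:192.0.2.10:51820",
                   "tcp6:[2001:db8::1]:1194", "udp:not-an-ip:1194"):
        print(f"{sample!r:32} -> {real_address_ip(sample)!r}")
```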
Peter Müller [Thu, 7 May 2026 18:20:00 +0000 (18:20 +0000)]
strongSwan: Update to 6.0.6
Please see https://github.com/strongswan/strongswan/releases/tag/6.0.6
for the release notes of this version.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 7 May 2026 18:16:00 +0000 (18:16 +0000)]
Tor: Update to 0.4.9.7
Changes in version 0.4.9.7 - 2026-05-06
This is a security release fixing several major bugfixes that were reported
in the past weeks. Huge thanks to everyone that reported these issues! We
strongly recommend upgrading as soon as possible.
o Major bugfixes (cell handling):
- Fix out-of-bounds read (OOB) when END, TRUNCATE and TRUNCATED cell
have no reason in their payload. TROVE-2026-011. Found by
Brian Carpenter (geeknik). Fixes bug 41254; bugfix
on 0.1.1.1-alpha.
o Major bugfixes (conflux):
- Do not attempt or accept BEGIN_DIR via conflux legs. TROVE-2026-008.
Credit to Anas Cherni from Calif.io in collaboration with
Claude and Anthropic Research. Fixes bug 41243; bugfix
on 0.4.8.1-alpha.
o Major bugfixes (conflux, relay):
- Adjust conflux out-of-order queue accounting when clearing a
queue. TROVE-2026-010. Found by aptupdate. Fixes bug 41251; bugfix
on 0.4.8.1-alpha.
o Major bugfixes (pathbias):
- Fix a client-side crash caused by double-close of a circuit while
under circuit queue memory pressure. TROVE-2026-009. Found by
cypherpunks. Fixes bug 41237; bugfix on 0.3.3.6-rc.
o Major bugfixes (relay):
- Fix null pointer dereference when receiving a CERT cell out of
order. TROVE-2026-006. Found by Fwame. Fixes bug 41240; bugfix
on 0.2.4.4-alpha.
o Major bugfixes (relay, onion service):
- Fix off-by-one out-of-bounds read if a malformed BEGIN cell is
received. TROVE-2026-007. Found by Flanagan. Fixes bug 41245;
bugfix on 0.2.4.7-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on May 06, 2026.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2026/05/06.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 5 May 2026 12:12:54 +0000 (14:12 +0200)]
libvirt: Update to version 12.3.0
- Update from version 11.7.0 to 12.3.0
- Update of rootfile
- 2 CVE fixes in 11.10.0
- Changelog
12.3.0
New features
* bhyve: Add blkiotune support
The bhyve driver now supports guest I/O throttling configuration::
  <blkiotune>
    <device>
      <path>*</path>
      <read_iops_sec>20000</read_iops_sec>
      <write_iops_sec>20000</write_iops_sec>
      <read_bytes_sec>10000</read_bytes_sec>
      <write_bytes_sec>10000</write_bytes_sec>
    </device>
  </blkiotune>
It uses the ``rctl(4)`` framework to apply these limits.
* bhyve: Implement ``virDomainInterfaceAddresses()`` and ``virDomainGetHostname()``
The bhyve driver now implements APIs allowing to fetch address of
VM's interfaces (accessible via ``virsh domifaddr``) and the hostname
of the VM (``virsh domhostname``).
* hyperv: Implement ``virDomainGetGuestInfo()``
The hyperv driver now implements API for fetching guest information
(``virsh guestinfo``).
Improvements
* security: Don't error out on security labels of type='none'
Previously, libvirt reported an error if a domain with seclabel of
type='none' (meaning do not take this security model into account for this
domain) was being started and the model wasn't available (for instance, in
case of SELinux it was disabled at boot).
* Allow for multiple PCI root buses, not just for a single one numbered '0'
`virPCIDeviceReset()` and `virPCIDeviceIsBehindSwitchLackingACS()` no
longer use a hardcoded check (e.g. bus == 0) to determine if a device is
attached to a "root bus". This allows for better support on more complex
PCI topologies.
* Add mechanism to prevent accidental shrink of device with ``virsh blockresize``
A new flag ``VIR_DOMAIN_BLOCK_RESIZE_EXTEND`` was introduced which prevents
accidental shrinking of the block device of the VM. The flag is exposed
as ``virsh blockresize --extend``.
* Expose ``MemAvailable`` field from kernel's meminfo as ``VIR_NODE_MEMORY_STATS_AVAILABLE``
Bug fixes
* virnetdevmacvlan: Wait for udev to settle after creating macvtap
When starting a domain with a macvtap device (or when hotplugging one),
libvirt creates the device and opens its ``/dev`` representation in order
to set it according to the ``<interface/>`` XML (e.g. MAC address, queues,
etc.). But if the system is under heavy load, it might happen that after
the device creation the udev daemon was triggered, but did not have enough
time to set the ``/dev`` representation fully. This may result in various
misconfiguration or even failed ``open()``. Therefore, libvirt waits after
device creation for udev daemon to settle down.
* apparmor: Don't drop macvtap devices from profile on blockjobs
12.2.0
Removed features
* qemu: Stop advertising support for ``handle`` backend of 9p filesystems
QEMU removed the feature in the 4.0 release, but our capability XML
still reported it.
New features
* qemu: Add support to configure IOMMUFD backend for whole VM
In addition to setting IOMMUFD backend for each device it is possible
to use the new ``<iommufd>`` element to enable IOMMUFD backend for all
host devices. Users can still change it per device.
* qemu: Add support to pass FD for IOMMUFD when starting VM
Management applications running unprivileged libvirt can open /dev/iommu
and pass FD to libvirt in order to change locked memory accounting.
This is done via new ``<iommufd>`` element.
* qemu: Add support for declaring that storage was zeroed for storage copy APIs
The qemu driver now can skip zeroing of the storage during
``virDomainBlockCopy`` or migration with non-shared storage with the
appropriate flags. This can be used for storage technologies which lack
efficient zeroing support.
* hyperv: Add basic snapshot functionality
The hyperv driver now implements the following libvirt APIs:
``virDomainDefineXMLFlags()``, ``virDomainSnapshotLookupByName()``,
``virDomainListAllSnapshots()``, ``virDomainSnapshotNum()``,
``virDomainSnapshotGetXMLDesc()``, ``virDomainSnapshotCurrent()``,
``virDomainHasCurrentSnapshot()``, ``virDomainSnapshotGetParent()``.
Improvements
* conf: support more than 255 vCPUs with amd-iommu
With 256 or more vCPUs libvirt previously required EIM enabled for all
models of IOMMU. This is not valid for AMD model and validation was changed
so that XTSup is required there. Additionally, it is automatically enabled
if needed.
* Introduce VIR_CONNECT_GET_DOMAIN_CAPABILITIES_EXPAND_CPU_FEATURES flag
This new flag for virConnectGetDomainCapabilities can be used to request
the host-model CPU definition to include all supported features (normally
only extra features relative to the selected CPU model are listed).
* qemu: Add statistics for ``<dataStore>`` storage
The bulk statistics (``virsh domstats --block --backing``) now report also
information about the ``<dataStore>`` if given disk uses this feature.
* hyperv: Hyper-V guests now report TPM device status in their domain xml
definition.
Bug fixes
* qemu: Fix crash when attaching network interface with hostdev network
Introduced in v12.1.0 by implementing IOMMUFD backend support for
host devices.
12.1.0
New features
* qemu: Advertise firmware features in domain capabilities XML
The contents of the ``<firmwareFeatures/>`` element can be used to determine
ahead of time whether a firmware matching certain characteristics, for
example Secure Boot support, is available for the selected architecture and
machine type.
* qemu: Add support for uefi-vars device and firmware builds using it
This is particularly noteworthy for people running aarch64 VMs with the
'virt' machine type, as it makes it finally possible to use Secure Boot
with that combination.
In most cases, no special steps are needed to take advantage of this:
assuming that you have installed a recent version of QEMU, as well as a
build of edk2 that includes the necessary binaries, you can just `enable
Secure Boot <kbase/secureboot.html>`__ as you normally would.
To explicitly request that the uefi-vars device is used even for scenarios
where that would normally not be the case, it's enough to add an empty
``<varstore/>`` element in the domain XML. More details are available in
the `guest firmware configuration <formatdomain.html#guest-firmware>`__
section of the documentation.
* hyperv: improve API coverage for the hyperv driver
The `virDomainInterfaceAddresses()` and `virDomainGetBlockInfo()` APIs are
now supported by the hyperv driver. In addition, the domain xml for hyperv
domains will indicate via firmware features whether secure boot is enabled.
It also honors these firmware features when creating new domains.
* bhyve: Add support for vCPU pinning configuration
Bhyve guests can now have vCPU pinning configured::
  <cputune>
    <vcpupin vcpu="0" cpuset="1,2,3"/>
  </cputune>
Additionally, the ``domainGetVcpuPinInfo`` API is implemented for
querying vCPU pinning information.
* qemu: Support block operation latency histograms
Libvirt now allows configuring qemu's block latency histogram collection
as well as returns them via the bulk stats API.
Improvements
* Introduce granule attribute for virtio-iommu
In case when guest page size doesn't match the host page size (typically
aarch64) the ``virtio-iommu`` needs to know the guest page size so it can
allocate memory aligned to guest page size.
* Parse hyperv features even for host-model
Two releases ago, in v11.9.0 new ``host-model`` mode for Hyper-V
enlightenments was introduced. Starting with this release, users can
additionally override the defaults that are picked when domain is started
and features are expanded.
* bhyve: Improve loader configuration for arm64 guests
If loader is not explicitly configured, use the loader
from the ``sysutils/u-boot-bhyve-arm64`` port/package for the
arm64 guests.
Bug fixes
* Fix build with remote driver disabled
Some parts of code were wrongly annotated as depended on remote driver.
But they were used even from client side drivers. This is now fixed and
libvirt builds properly even with remote driver disabled.
* Various fixes to libvirt-guests.sh
Firstly, the exit code of various commands was ignored (which may lead the
script to wrongly determine persistent/transient domain state, for
instance). Secondly, due to logical error, the script might have
incorrectly assess the state a domain is in.
* AppArmor: Ask for no deny rule for readonly disk elements
For read only disks, libvirt created an AppArmor profile which disallowed
any future write rules. But when doing a blockcommit, libvirt needs to
allow hypervisor to write to even readonly disks. The rule in the profile
was changed so that future write rules can be added, temporarily.
* esx: Allow connecting to IPv6 server
Due to a bug in our code, if an IPv6 address was provided in connection
URI, libvirt would fail to connect to VMWare server. This is now fixed.
* qemu: Use device alias if interface has no name
The ``virDomainInterfaceAddresses()`` API (or ``virsh domifaddr``) returns
an array interfaces among with their addresses. But some interface names
might be unknown, for instance if the API is told to parse host's ARP table
then PCI assigned NICs or slirp/passt lack interface name. If that's the
case, let the API return domain's ``<interface/>`` alias.
* bhyve: hyperv: Various memory leak fixes
* qemu: Fix failures when restoring save/managed-save images with upcoming qemu versions
Current git version of qemu would return an error when attempting to load
an existing (managed) save image as we relied on deprecated features that
were now removed.
12.0.0
New features
* bhyve: SLIRP networking support
Domain XMLs now can use SLIRP user-mode networking::
  <interface type='user'>
    <model type='virtio'/>
  </interface>
* bhyve: virtio-scsi support
Domain XMLs now can use ``virtio-scsi`` devices::
  <disk type='ctl'>
    <source dev='/dev/cam/ctl'/>
    <target dev='sda' bus='scsi'/>
  </disk>
* bhyve: initial ARM64 support
The bhyve driver now supports booting ARM64 domains on ARM64 hosts.
This support is still in early stage of development and has some
limitations. For example, it requires using
``<clock offset='localtime'/>`` in domain XMLs, and
bootrom autofill is not implemented.
Improvements
* qemu: Improvements and fixes to firmware selection
Firmware selection now works more reliably and predictably in many
scenarios.
Notably, issues that were preventing the use of firmware designed for
confidential VMs on aarch64 have been addressed.
* network: Introduce port for DNS forwarder
In the ``<dns/>`` section of network configuration users can set up
forwarding of DNS requests to custom DNS servers. These are specified using
``addr`` attribute. But configuring port wasn't possible, until now. New
``port`` attribute is introduced, which allows overriding the default DNS
port for given address.
Bug fixes
* qemu: Fix startup of VMs with more than ~25 external snapshots
After switch to json-c VMs with too deeply nested image chains would fail
to start due to nesting depth limit in json-c, which is now increased to once
again support backing chains up to 200 images deep.
* qemu: TPM: Properly handle migration when storage resides on NFS
The VM now can be properly migrated in scenarios where TPM data is stored
on a shared filesystem on the destination but on the source it's either
on a different NFS or unshared completely.
* qemu: Treat memory device source nodemask as strict NUMA policy
Until now, the NUMA policy for ``<memory/>`` devices was taken either from
the guest NUMA node or ``<numatune/>``. But this may lead to discrepancies,
where the memory device is configured to bind to a set of host NUMA nodes,
but the guest NUMA node is to bind to a disjoint set of host NUMA nodes. To
resolve this, specifying ``<nodemask/>`` for a memory device implies
``strict`` policy.
* qemu: Relax validation of some hyperv features
Since 11.9.0 release, libvirt performs dependency checks for hyperv
features, for instance ``stimer`` requires ``synic``. But as it turned out,
for some ancient machine types (e.g. 'pc-i440fx-3.0' or 'pc-q35-3.0') some
dependencies are not true. Corresponding checks were removed.
* esx: URI encode inventory objects twice
Formatting domain XML for domains on an ESX server might fail if
corresponding datacenter or datastore contained special characters (e.g.
'+'). This is now fixed.
* Fix race when checking whether a path is on a shared file system
Finding an existing parent of a given path and checking whether it's on a
shared file system was not atomic and thus the path could have been
misinterpreted as non-shared if it was removed between these two
operations. This could cause migration with an emulated TPM device stored
on a shared file system to fail with the following bogus error::
Operation not supported: the running swtpm does not support migration with
shared storage
11.10.0
Security
* CVE-2025-12748: Denial of service by some ACL-limited accounts
Parsing of user provided XMLs in APIs which needed the identification
information from those XML definitions was done in full before ACL checks
were performed. Some valid, but useless, definitions could cause allocation
of too much memory, leading to denial of service. APIs which do equate to
full root access (such as ``domain:write``), and were parsing XML
definitions in full before performing ACL checks could, potentially, be
exploited in a way that would allow users (which were about to be denied the
API call) to cause aforementioned overallocation even before the ACL checks
were performed.
A change was made so that parsing before ACL checks are done only for the
identification parts of the XML definition (which is needed to perform the
checks) and full parsing is done only after checking all ACLs.
* CVE-2025-13193: Incorrect permissions on images after external snapshot of an inactive VM
The overlay ``qcow2`` images which are created as part of creation of an
external snapshot of an inactive VM had world-readable (644) permissions
which would allow unauthorized users to see contents of blocks written by
the VM after snapshot was taken. Libvirt now sets proper umask so that
the images are created with 600 mode.
New features
* Hyper-V virttype support for Qemu domains
Libvirt now supports Hyper-V virttype while launching QEMU domains. This
feature requires Qemu version 10.2.0 or later and is available on Linux
hosts where the /dev/mshv is present.
* Add more statistics for block devices on QEMU domains
The block devices now report optimal access request sizes as well as
statistics such as the queue depth.
Improvements
* bhyve: VNC ``wait`` attribute support
Bhyve guests can now be configured to wait for a VNC connection before
booting.
* remote: multiple certificate support
The remote daemon and client can be configured to load multiple x509
certificate identities. This facilitates a transition to certificates
supporting Post-Quantum Cryptographic algorithms.
* tools: improved virt-host-validate output
The virt-host-validate tool will now report extra details when certain
checks pass.
* qemu: Allow backup jobs to continue if guest OS shuts down
When starting a backup job users can now use a flag which prevents the VM
to be completely cleaned up if the guest OS shuts down while the backup is
running so that the backup can be finalized.
Bug fixes
* ch: Use correct domain definition in chDomainGetXMLDesc()
Cloud-Hypervisor driver claims to support ``VIR_DOMAIN_XML_INACTIVE`` but
in fact it never formatted the inactive XML. This is now fixed.
* esx: Allow disk images in subdirectories
If a domain has a disk image that's not in a datastore path but in a
subdirectory, the ESX driver would have failed to parse that and an error
was reported when obtaining domain XML. This is now fixed.
* qemu: Fix incoming migration to QEMU 10.0.0 and newer
Due to a change in the way QEMU 10.0.0 reports the state of "ht" CPU
feature, incoming migration of a domain with multiple CPU threads would
fail with "guest CPU doesn't match specification: extra features: ht"
error.
* qemu: fix incorrect reporting of the TDX launch security type
The TDX launch security type was incorrectly reported on all platforms
if the QEMU binary had it built-in. It is now limited to only platforms
with the TDX kernel feature available for use.
* qemu: set ``detect_zeroes`` for all backing chain layers
Some block jobs (snapshots, block commit) could modify the backing chain in
a way where ``detect_zeroes`` would no longer be honoured. We now set
it for all images in the backing chain, so that it will behave correctly
even after those operations.
11.9.0
New features
* Introduce Hyper-V ``host-model`` mode
Similarly to CPUs, ``host-model`` mode expands available Hyper-V
enlightenments at domain startup into the live XML so that's obvious which
enlightenments are enabled.
* Add support for Hyper-V ``spinlocks`` "never notify" mechanism
The ``retries`` attribute - which defines after how many failed
acquisition attempts to notify the hypervisor - can now hold the
special value of 4294967295 which means to never notify the
hypervisor.
If the ``retries`` attribute is omitted this value is used.
* ch: Network hotplug Support
Users can now attach and detach network interfaces of Cloud Hypervisor
domains at runtime.
* bhyve: NVMe device support
Domain XMLs now can use NVMe devices::
  <disk type='file'>
    <driver name='file' type='raw'/>
    <source file='/path/to/disk.img'/>
    <target dev='nvme0n1' bus='nvme'/>
  </disk>
Improvements
* qemu: Improvements to USB controller model selection
Virtualization-friendly USB3 controllers are now used in more situations,
Intel-specific USB controllers are relegated to x86 guests, and model
selection overall behaves more consistently across architectures.
* qemu: Validate Hyper-V enlightenment dependencies
Some Hyper-V enlightenments may require some other enlightenments to be
turned on. Libvirt now validates these for new domains.
* qemu: Introduce virtio options for virtio memory models
Both virtio-mem and virtio-pmem memory models are virtio devices and as
such now support setting various virtio knobs (iommu, ats, packed,
page_per_vq) common to other virtio devices.
* wireshark: Adapt to wireshark-4.6.0
Libvirt's wireshark dissector plugin adapted to changes made to wireshark
dissector API in its 4.6.0 release.
* qemu: 'manual' disk snapshot mode improvements
The 'manual' snapshot mode now ensures that also metadata of the images is
written out to disk so that user can take snapshots of e.g. qcow2 image
safely.
Bug fixes
* ch: Load ``ch.conf`` from ``SYSCONFDIR``
Previously, the ``ch.conf`` file for ``ch:///system`` URI was mistakenly
loaded from a path under ``LOCALSTATEDIR`` (``/var/...``). This is now
fixed and the configuration file is loaded from the ``SYSCONFDIR``
(``/etc/...``) location where it's also installed.
11.8.0
New features
* ch: Disk hotplug Support
Users can now attach and detach disks of Cloud Hypervisor domains at
runtime.
* qemu: Add support for NUMA affinity of PCI devices
To support NVIDIA Multi-Instance GPU (MIG) configurations, libvirt now
handles QEMU's acpi-generic-initiator device internally. MIG enables
partitioning a physical GPU into multiple isolated instances, each
associated with one or more virtual NUMA nodes.
On the XML side, the existing ``<acpi>`` element has been extended with a
``nodeset`` attribute to specify the NUMA node affinity of a PCI device.
* qemu: Add support for hostname and FQDN configuration of passt backend
The attributes ``hostname`` and ``fqdn`` for passt backend configure
the guest interface with hostname and FQDN.
Improvements
* ch: Events emitting
The CH driver not only emits more domain lifecycle events but also
implements ``virConnectDomainEventRegister()`` and
``virConnectDomainEventDeregister()`` APIs for management applications to
listen on those events.
Bug fixes
* qemu: Fix selection of stateless/combined firmware
A stateless firmware will now be correctly chosen when appropriate,
e.g. for domains configured to use SEV-SNP.
* ch: Make sure the cloud-hypervisor process is killed in ``virCHProcessStop()``
Due to wrong assumptions in the CH driver, calling ``virDomainDestroy()``
did not kill the corresponding cloud-hypervisor process. Domains can be now
destroyed reliably.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
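The ordering fix described under CVE-2025-12748 in the libvirt changelog above (identify, then check ACLs, then parse in full), as an added Python example rather than libvirt's C code: the domain XML, the ACL function and the element names are constructed for this example. The identification pass stops as soon as name and uuid have been read, so a caller who is about to be denied never makes the service parse the bulky remainder.

```python
import xml.etree.ElementTree as ET
from io import StringIO
from typing import Callable, Dict, Tuple

# Constructed sample: identification first, then a bulky <devices> section
# that an unauthorized caller should never make us parse in full.
SAMPLE_XML = (
    "<domain type='qemu'><name>demo</name>"
    "<uuid>00000000-0000-0000-0000-000000000001</uuid><devices>"
    + "".join(f"<disk><source file='/img/{i}.qcow2'/></disk>" for i in range(500))
    + "</devices></domain>"
)


class PermissionDenied(Exception):
    pass


def identify(xml_text: str) -> Tuple[Dict[str, str], int]:
    """Cheap first pass: read only <name> and <uuid>, then stop.

    Returns the identification plus the number of elements visited, so the
    bounded cost is observable. Visited elements are cleared so memory does
    not grow with the rest of the document either.
    """
    ident: Dict[str, str] = {}
    visited = 0
    for _event, elem in ET.iterparse(StringIO(xml_text), events=("end",)):
        visited += 1
        if elem.tag in ("name", "uuid") and elem.tag not in ident:
            ident[elem.tag] = (elem.text or "").strip()
        elem.clear()
        if len(ident) == 2:
            break
    return ident, visited


def full_parse(xml_text: str) -> ET.Element:
    """Expensive second pass over the complete definition (stands in for a
    full domain XML parser)."""
    return ET.fromstring(xml_text)


def define_domain(xml_text: str, caller: str,
                  acl: Callable[[str, Dict[str, str]], bool]) -> ET.Element:
    """identify -> ACL check -> full parse: the order the fix establishes.

    The full parse only runs for callers the ACL has already admitted."""
    ident, _ = identify(xml_text)
    if not acl(caller, ident):
        raise PermissionDenied(f"{caller} may not define domain {ident.get('name')!r}")
    return full_parse(xml_text)


def only_owner_of_demo(caller: str, ident: Dict[str, str]) -> bool:
    """Constructed ACL: only 'alice' may act on the domain named 'demo'."""
    return caller == "alice" and ident.get("name") == "demo"


if __name__ == "__main__":
    ident, visited = identify(SAMPLE_XML)
    print(f"identified {ident} after visiting {visited} elements")
    for who in ("alice", "mallory"):
        try:
            root = define_domain(SAMPLE_XML, who, only_owner_of_demo)
            print(f"{who}: parsed {len(root.findall('./devices/disk'))} disks")
        except PermissionDenied as exc:
            print(f"{who}: denied before full parse ({exc})")
```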
Adolf Belka [Mon, 4 May 2026 17:40:56 +0000 (19:40 +0200)]
curl: Update to version 8.20.0
- Update from version 8.19.0 to 8.20.0
- Update of rootfile
- Changelog
8.20.0
Changes:
async-thrdd: use thread queue for resolving
build: make NTLM disabled by default
cmake: drop support for CMake 3.17 and older
lib: add thread pool and queue
lib: drop support for < c-ares 1.16.0
lib: make SMB support opt-in
multi.h: add CURLMNWC_CLEAR_ALL
rtmp: drop support
Bugfixes:
altsvc: cap the list at 5,000 entries
altsvc: drop the prio field from the struct
altsvc: skip expired entries read from file
asyn-ares: connect async
asyn-ares: drop orphaned variable references
asyn-ares: fix HTTPS-lookup when not on port 443
asyn-thrdd: drop redundant `result` check
asyn-thrdd: fix clang-tidy unused value warning
async-ares: fix query counter handling
autotools: limit checksrc target to ignore non-repo test sources
badwords-all: exit with correct code on errors
badwords: combine the whitelisting into a single regex
badwords: detect the the and with with
badwords: only check comments and strings in source code
badwords: rework exceptions, fix many of them
boringssl: fix more coexist cases with Schannel/WinCrypt
build: adjust/add casts to fix `-Wformat-signedness`
build: assume `snprintf()` in `mprintf`, drop feature check
build: compiler warning silencing tidy-ups
build: drop `openssl` module dependency for BoringSSL from `libcurl.pc`
build: drop duplicate `pthread.h` includes
build: drop redundant `USE_QUICHE` guards
build: enable `-Wimplicit-int-enum-cast` compiler warning, fix issues
build: fix `-Wformat-signedness` by adjusting printf masks
build: link `bcrypt.lib` via vcxproj files
build: skip detecting `pipe2()` for Apple targets
cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR
cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR
cf-ip-happy: limit concurrent attempts
cf-socket: avoid low risk integer overflow on ancient Solaris
cfilters: fix Curl_pollset_poll() return code mixup
clang-tidy: avoid assignments in `if` expressions
clang-tidy: enable more checks, fix fallouts
cmake: add CMake Config-based dependency detection
cmake: add CMake Config-based dependency detection for c-ares, wolfSSL
cmake: document functions used from Windows system DLLs
cmake: enable pthreads for BoringSSL/AWS-LC
cmake: resolve targets recursively when generating `libcurl.pc`
cmake: rework binutils ld hack to not read `LOCATION` property
cmake: silence bad library `Threads::Threads` warning
cmake: use `AIX` built-in variable (with CMake 4.0+)
config2setopts: make --capath work in proxy disabled builds
configure: fix `--with-ngtcp2=<path>` option for crypto libs
configure: fix LibreSSL ngtcp2 1.15.0+ crypto lib selection logic
configure: prefer dependency-specific variables over `$withval`
configure: remove superfluous experimental warning for HTTP/3
configure: silence useless clang warnings in C89 builds
configure: tidy up comments
connect: fix typo on error message
cookie: fix rejection when tabs in value
curl-wolfssl.m4: fix to use the correct value for pkg-config directory
curl.h: replace macros with C++-friendly method to enforce 3 args
curl_ctype.h: fix spelling in a couple of locally used macros
curl_get_line: error out on read errors
curl_get_line: fix potential infinite loop when filename is a directory
curl_ngtcp2: extend and update callbacks for 1.22.0+
curl_ntlm_core: drop redundant PP condition
curl_ntlm_core: use wolfCrypt DES API with wolfSSL
curl_setup.h: drop stray/unused `USE_OPENSSL_QUIC` guard
curl_sha512_256: support delegating to wolfSSL API
curl_version_info.md: clarify age details
CURLOPT_HAPROXY_CLIENT_IP.md: mention assumption on data format
CURLOPT_RTSP_SESSION_ID.md: clarify reuse "dangers"
CURLOPT_RTSP_SESSION_ID.md: expand the comment
CURLOPT_RTSP_SESSION_ID.md: minor language fix
CURLOPT_SOCKS5_AUTH.md: an access property
CURLOPT_SSL_CTX_FUNCTION.md: expand on effects connection reuse
CURLOPT_UPLOAD_FLAGS.md: expand
curlx_now(), prevent zero timestamp
DEPRECATE: fix minor release number typo
digest: pass in the username quoted (as well)
dns: https-eyeballing async
dnscache: own source file, improvements
docs/cmdline-opts: tidy up retry-connrefused
docs/lib: fix typos
docs/libcurl: improve easy setopt examples
docs: clarify retry-max-time timing
docs: CURLOPT_LOGIN_OPTIONS is a login property
docs: enable more compiler warnings for C snippets, fix 3 finds
docs: list more dependencies for running Python HTTP tests
docs: mention more zip bomb precautions
docs: minor wording tweaks
docs: noproxy wants the punycoded hostname version
docs: SSH host verification is done at connect time
docs: use the correct CURLOPT_WRITEFUNCTION signature
doh: fix memory-leak when doing a second DoH resolve
doh: remove superfluous doh_req check
examples/websocket: fix to sleep more on Windows
examples: drop warning silencers no longer hit
examples: fix typo in comment
file: init fd to -1 to prevent close fd 0 on early failure
fopen: for temp files, inherit permissions only for owner
ftp: do not strdup DATA hostname
ftp: make the MDTM date parser stricter (again)
ftp: reject PWD responses containing control characters
gcc: guard `#pragma diagnostic` in core code for <4.6
generate.bat: remove extra % from VC11 and VC12 runs
genserv.pl: make external calls safe
getinfo: initialize `PureInfo` field `used_proxy`
getinfo: repair CURLINFO_TLS_SESSION
gnutls: fix clang-tidy warning with !verbose
gtls: fail for large files in `load_file()`
h3: HTTPS-RR use in HTTP/3
Happy Eyeballs: add resolution time delay
haproxy: use correct ip version on client supplied address
hostip: clear the sockaddr_in6 structure before use
hostip: init the curl_jmpenv_lock appropriately
hostip: resolve user supplied ip addresses
HSTS: cap the list
hsts: make the HSTS read callback handle name dupes
hsts: skip expired HSTS entries read from file
hsts: when a dupe host adds subdomains, use that
http2: clear the h2 session at delete
http2: prevent secure schemes pushed over insecure connections
http2: return error on OOM in push headers
HTTP3.md: drop outdated mentions of OpenSSL-QUIC
http: clear credentials better on redirect
http: clear digest nonce on cross-origin redirect
http: clear the proxy credentials as well on port or scheme change
http: fix auth_used and auth_avail
http: fix Curl_compareheader for multi value headers
http: make Curl_compareheader handle multiple commas in header
http: on 303, switch to GET
http: use header_has_value() instead of duplicate code
imap: reset the UIDVALIDITY state between transfers
include: drop badword from public headers
INSTALL.md: update Cygwin instructions
keylog.h: replace literal number with macro in declaration
keylog: drop unused/redundant includes and guards
ldap: drop duplicate `ldap_set_option()` on Windows
ldap: fix to initialize cleartext connection on Windows
lib1560: fix comment typo
lib1960: fix test failure
lib: accept larger input to md5/hmac/sha256/sha512 functions
lib: always use Curl_1st_fatal instead of Curl_1st_err
lib: fix typos in comments
lib: make resolving HTTPS DNS records reliable:
lib: minor comment typos
lib: move request specific allocations to the request struct
lib: replace `PRI*32` printf masks with C89 ones
libssh2: allocate libssh2-friendly memory in kbd_callback
libssh2: fix error handling on quote errors
libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0
libssh: fix `-Wsign-compare` in 32-bit builds
libssh: path length precaution
libssh: propagate error back in SFTP function
libtest: drop duplicate include
location/follow: mention netrc
man: fix argument type for `CURLSHOPT_[UN]SHARE` options
mbedtls: cleanup more without care for 'initialized'
mbedtls: fix ECJPAKE matching
mbedtls: remove failf() call with first argument as NULL
md4, md5: switch to wolfCrypt API in wolfSSL builds
mime: only allow 40 levels of calls
misc: fix code quality findings
mk-ca-bundle.pl: make `ca-bundle.crt` timestamp match `certdata.txt`'s
multi: enhance pending handles fairness
multi: fix connection retry for non-http
multi: improve wakeup and wait code
netrc: find login-less password when user is given in URL
netrc: remove unused parsenetrc() macro for netrc-disabled
netrc: skip malformed macdef lines
openssl channel_binding: lookup digest algorithm without NID
openssl: drop obsolete SSLv2 logic
openssl: fix build with 4.0.0-beta1 no-deprecated
openssl: fix memory leaks in ECH code (OpenSSL 3)
openssl: fix unused variable warnings in !verbose builds
openssl: trace count of found / imported Windows native CA roots
OS400: add new definitions to the ILE/RPG binding.
os400sys: fix typo in comment (symmetry)
parsedate: bsearch the time zones
parsedate: fix wrong treatment of "military time zones"
parsedate: refactor
perl: harden external command invocations
progress: count amount of data "delivered" to application
protocol.h: fix the CURLPROTO_MASK
protocol: disable connection reuse for SMB(S)
protocol: use scheme names lowercase
proxy: chunked response, error code
pytest: add additional quiche check for flaky test_05_01
pytest: check 429 handling
rand: use `BCryptGenRandom()` in UWP builds
ratelimit: reset on start
request: reset resp_trailer in new requests
runtests: skip setting ed25519 SSH key format
rustls: fix memory leak on repeated SSLKEYLOGFILE fails
rustls: handle EOF during initial handshake
schannel: increase renegotiation timeout to 60 seconds
scripts: drop redundant double-quotes: `"$var"` -> `$var` (Perl)
scripts: harden / tidy up more Perl `system()` calls
sendf: fix CR detection if no LF is in the chunk
setopt: fix typos in comments
setopt: move CURLOPT_CURLU
setup connection filter: mark as setup
sha256, sha512_256: switch to wolfCrypt API
sha256: support delegating to wolfSSL API
share: concurrency handling, easy updates
share: do bitshifts after the type is checked to be valid
socks: reject zero-length GSSAPI/SSPI tokens from proxy
socks: use dns filter for resolving
spelling: fix typos
src: use ftruncate() unconditionally
sshserver.pl: harden more `system()` calls
sshserver.pl: pass command-line to `system()` safely
strerr: correct the strerror_s() return code condition
sws: fix potential OOB write
synctime: fix off-by-one read and write to a read-only buffer (Windows)
test 766: flag as timing-dependent
test1675: unit tests for URL API helper functions
test459: switch to mode="warn" for stderr check
testcurl.pl: replace shell commands with Perl `rmtree()`
tests/unit/README: describe how to unit test static functions
tests: avoid infinite recursion for `make check`
tests: use %b64[] instead of "raw" base64
tool: check for curlinfo->age when determining if ssh backend
tool: fix memory mixups
tool: fix retries in parallel mode
tool: fix two more allocator mismatches
tool_cb_hdr: only truncate etags output when regular file
tool_cb_rea: make waitfd() return void
tool_cb_wrt: fix no-clobber error handling
tool_cfgable: free the SSL signature algorithms
tool_formparse: propagate my_get_line errors when reading headers
tool_getparam: use correct free function for libcurl memory
tool_ipfs: accept IPFS gateway URL without set port number
tool_msgs: avoid null pointer deref for early errors
tool_operate: actually apply the --parallel-max-host limit
tool_operate: drop the scheme-guessing in the -G handling
tool_operate: fix condition for loading `curl-ca-bundle.crt` (Windows)
tool_operate: fix memory-leak on failed uploads
tool_operate: fix minor memory-leak on early error
tool_operate: reset the upload glob counter for next URL
tool_operhlp: fix `add_file_name_to_url()` result on OOM
tool_operhlp: iterate through all slashes to find name
tool_operhlp: propagate low-level OOM in `add_file_name_to_url()`
tool_setopt: return error on OOM correctly
tool_urlglob: fix memory-leak on glob range overflow
top-complexity: prevent filename-based shell injection risk
transfer: clear the old autoreferer
transfer: clear the URL pointer in OOM to avoid UAF
transfer: enable custom methods again on next transfer
transfer: enhance secure check
unit1675: fix `-Wformat-signedness`
url: do not reuse a non-tls starttls connection if new requires TLS
url: improve connection reuse on negotiate
url: init req.no_body in DO so that it works for h2 push
url: set default upload flags to CURLULFLAG_SEEN
url: use the socks type for socks proxy
url: use URL for lowercase URL even in comments
urlapi: fix handling of "file:///"
urlapi: make dedotdotify handle leading dots correctly
urlapi: same origin tests
urlapi: stop extracting hostname from file:// URLs on Windows
urlapi: verify the last letter of a scheme when set explicitly
urldata.h: fix typo and lingering backtick
urldata: connection bit ipv6_ip is wrong
urldata: import port types and conn destination format
urldata: make hstslist only present in HSTS builds
urldata: make speeder_c uint32
urldata: move cookiehost to struct SingleRequest
urldata: remove trailers_state
vquic: fix variable name in fallback code
vtls: fix comment typos and tidy up a type
vtls: log when key logging is enabled.
vtls_scache: check reentrancy
vtls_scache: include cert_blob independently of verifypeer
wolfssl: document v5.0.0 (2021-11-01) as minimum required
wolfssl: fix `-Wmissing-prototypes`
wolfssl: fix handling of abrupt connection close
ws: fix a blocking curl_ws_send() to report written length correctly
x509asn1: fix to return error in an error case from `encodeOID()`
x509asn1: fixed and adapted for ASN1tostr unit testing
x509asn1: improve encodeOID
8.19.0
Changes:
BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026
cmake: add `CURL_BUILD_EVERYTHING` option
mqtt: initial support for MQTTS
tool: support fractions for --limit-rate and --max-filesize
tool_cb_hdr: with -J, use the redirect name as a backup
vquic: drop support for OpenSSL-QUIC
windows: add build option to use the native CA store
windows: bump minimum to Vista (from XP)
Bugfixes:
altsvc: only accept 17 byte dates from files
asyn-ares: abort with OOM error when Curl_dnscache_mk_entry fails
async-ares: blocking resolve timeout handling, better
badwords: move into ./scripts, speed up
build: add missing `GENERATEDCERTS` files
build: adjust minimum version for some clang picky warnings
build: check `MSG_NOSIGNAL` directly, drop detection and interim macro
build: constify `memchr()`/`strchr()`/etc result variables (cont.)
build: detect and include `inttypes.h` again
build: do not include wolfSSL header in `curl_setup.h`
build: drop duplicate C includes
build: drop global suppression of `-Wformat-nonliteral`, fix fallouts
build: drop unused `snprintf()` feature check on Windows
build: fix `-Wunused-macros` warnings, and related tidy-ups
build: fix building rare combinations
build: fully omit verbose strings and code when disabled
build: globally suppress DJGPP warnings in `FD_SET()`
build: merge TrackMemory (`CURLDEBUG`) into debug-enabled option
build: move curl stat struct type to the curlx namespace
build: opt-in MSVC to C99-style verbose logging logic
build: require POSIX `strdup()`
build: tidy up and dedupe `strdup` functions
cf-socket: ignore SOCK_CLOEXEC etc for socktype equality checks
cf-socket: use SOCK_CLOEXEC in socket_open when available
checksrc-all.pl: skip non-repository files
checksrc: do not apply `BANNEDFUNC` to struct member functions
checksrc: warn for leading spaces before the preprocessor hash
clang-tidy: add missing and delete redundant parentheses
clang-tidy: add more missing parentheses in macro values
clang-tidy: avoid/silence `bugprone-not-null-terminated-result`
clang-tidy: check `bugprone-macro-parentheses`, fix fallouts
clang-tidy: drop redundant conditions reported by `misc-redundant-expression`
clang-tidy: enable `bugprone-signed-char-misuse`, fix fallouts
clang-tidy: enable more checks
clang-tidy: enable scanning headers
clang-tidy: fix issues found with build-fuzzing
clang-tidy: silence more minor issues found by v22
cmake/FindMbedTLS: add workaround for missing static MSVC `mbedcrypto.lib` 4.0.0
cmake: add `CURL_DROP_UNUSED` option to reduce binary sizes
cmake: add native clang-tidy support for tests, with concatenated sources
cmake: always build curlu and curltool test libs in unity mode
cmake: always define `CURL::win32_winsock` on Windows in `curl-config.cmake`
cmake: convert `curl_add_clang_tidy_test_target()` macro to function
cmake: enable binutils ld workaround for all toolchains at build-time
cmake: fix `LOCATION` property access condition (debug)
cmake: fix `LOCATION` property read errors in target debug function
cmake: fix building with `CMAKE_FIND_PACKAGE_PREFER_CONFIG=ON`
cmake: fix confusing error when a dependency is undetected in `curl-config.cmake`
cmake: fix logic for openssl/zlib binutils ld workaround
cmake: fix passing system header directories to clang-tidy for tests
cmake: fix system include directory position for clang-tidy in tests
cmake: improve clang-tidy test command-line reproduction
cmake: minor fixes to test targets after prev
cmake: normalize uppercase hex winver (for display)
cmake: omit `curl.rc` from curltool lib
cmake: reference OpenSSL and ZLIB imported targets only when enabled
cmake: replace internal option with a new `tt` (test tools) target
cmake: silence potential unused var warnings in C++ test snippet
cmake: silence silly Apple clang warnings in C89 mode, test in CI
cmake: silence useless compiler warnings triggered by the FASTBuild generator
cmake: skip binutils ld hack if zlib/openssl target is not `IMPORTED`
cmake: warn for invalid `CURL_TARGET_WINDOWS_VERSION` values
cmake: add `*_USE_STATIC_LIBS` options for 9 dependencies
config-plan9: set `HAVE_STDINT_H` again
config2setopts: acknowledge OOM error from CURLOPT_MIMEPOST
config2setopts: fix for --disable-aws build configuration
configure: drop always true `if` check (Windows)
content_encoding: return 'identity' if none other exists
curl: add -I and -i to -h important
curl: limit Windows-specific code to Windows builds, other tidy-ups
curl_easy_nextheader.md: a new transfer invalidates 'prev'
curl_get_line: drop single-use macro
curl_multi_perform.md: resolve inconsistency
curl_ntlm_core: merge two `#if` blocks
curl_setup.h: drop extra header guard for internal include
curl_setup.h: merge back single-use internal header `curl_setup_once.h`
curl_setup.h: simplify curl memory macro mappings
curl_setup_once: allow CURL_DEBUGASSERT for customization
CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md: fix available protocols
curlx: drop unused `curlx_saferealloc()`
digest: escape double quotes and backslashes in realm and nonce
digest: fix memory leak in auth_create_digest_http_message()
digest: handle quotes in the path
docs/INSTALL: update configure details
docs/libcurl: unify WARNING use
docs: add LibreELEC to DISTROS.md
docs: add reproducible example for generating man page
docs: avoid starting sentences with However,
docs: avoid using the word 'magic'
docs: clarify --ipv4 and --ipv6
docs: document the need for a 64-bit type and stdint.h
docs: drop basically
docs: explicitly call out Slowloris as not a security flaw
docs: fix grammar nitpicks
docs: handle error in `curl_global_init*` examples
docs: replace instances of the vague qualifier 'quite'
docs: reword explanation of --variable option
docs: some nitpicks
docs: use dot instead of comma at end of sentences
easy: reset errorbuf on eyeballing success
easy: reset pausing when resetting request
examples/usercertinmem: use modern OpenSSL API, drop mentions of RSA
examples: improve OpenSSL certificate examples
examples: omit forward declarations, apply misc fixes
FAQ: syntax improvements
fopen.h: simplify curl memory macro mappings
ftp: replace a `curlx_free()` with `curlx_dyn_free()`
ftp: split ftp_state_use_port into sub functions
GOVERNANCE.md: Post-Daniel BDFL
gss: exclude verbose error logic from non-verbose builds
h2+h3: align stream close handling
hostip.c: fix leak of addrinfo
hostip6: remove debug-only code
hostip: fix unreachable code in rare build configuration
http/3: add description for known server error codes
http1: fix potential NULL dereference in `Curl_h1_req_parse_read()`
http: only send bearer if auth is allowed
http_aws_sigv4: fix query normalization of %2b
imap: add a check for Curl_meta_get()
imap: check `imap_sendf()` printf masks at compile-time
imap: skip literals inside quoted strings
include: avoid recursive macros
include: mask computed auth/proto bitmasks to 32 bits
INSTALL-CMAKE.md: document Apple framework options
INSTALL.md: fix typo
INSTALL.md: suggest `-Wl,-dead_strip` for Apple targets
KNOWN_BUGS.md: absolute Unix domain filename for SOCKS on Windows
ldap: silence clang-tidy v22 warning
ldap: silence potential unused variable warning (OS400)
lib: delete unused local includes
lib: disable websockets early if no http
lib: make sigpipe handling more lazy
lib: reorder protocol functions to avoid forward declarations (email)
lib: reorder protocol functions to avoid forward declarations (ftp)
lib: reorder protocol functions to avoid forward declarations (misc cont.)
lib: reorder protocol functions to avoid forward declarations (misc)
lib: reorder protocol functions to avoid forward declarations (ssh)
lib: separate scheme info from protocol implementation
lib: skip compiling code with features disabled
lib: use (u)int64_t instead of long long
libcurl docs: reduce 'since ...' in descriptions
libcurl-security.md: fix typos and add a point about URLs
libtests: drop two redundant `memset()`s
Makefile.am: delete RPM targets referencing non-existent files
Makefile.am: drop stray VC project files from dist
managen: silence Perl warnings
mbedtls: guard TLS 1.3 + session tickets usage inside ifdef
mbedtls: no pinnedpubkey wo MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
mbedtls: remove newline from failf() call
mbedtls: split mbed_connect_step1 into sub functions
md4, md5: drop redundant forward declarations
md4, md5: replace custom types with `uint32_t`
memdebug: include `backtrace.h` as system header
mime: drop fallback for unused `R_OK` macro
mimepost: allocate main struct on-demand
mk-ca-bundle.pl: drop support for obsolete/insecure fingerprint algos
mod_curltest: silence unused argument compiler warning
mprintf: drop old sprintf fallback
mprintf: rename internal enum to avoid collision with AmigaOS symbol
mprintf: silence clang-tidy `readability-suspicious-call-argument`
mprintf: use `_snprintf()` when compiled with VS2013 and older
mqtt: better too-big-message-check
mqtt: fix EOF handling
mqtt: verify Remaining Length for CONNACK and PUBACK
msvc: drop exception, make `BIT()` a bitfield with Visual Studio
msvc: VS2026: unlock picky warning in cmake, test in CI
multi: avoid a theoretical 32-bit wrap
multi: fix unreachable code compiler warning
multi: probe for IPv6 functionality in multi_init()
multi: split multi_runsingle into sub functions
multi: update timer unconditionally in multi_remove_handle
ngtcp2: stabilize recv
noproxy: simplify, don't mix const non-const in strchr()
openldap: avoid forward declarations in ldaps code
openssl+ech: workaround for insecure handshakes
openssl: adapt to OpenSSL master adding const to more APIs
OpenSSL: check reuse of sessions for verify status
openssl: disable local keylog feature if built-in upstream
openssl: fix compiler warning with OpenSSL master
openssl: fix potential NULL dereference when loading certs (Windows)
openssl: fix potential OOB read in debug/verbose logging
plan9: drop special build and orphaned references
proxy-auth: additional tests
pytest: remove 03_02
quiche: use PRIu64 for outputting the stream id
rand: drop impossible preprocessor branches (wincrypt)
rand: drop scan-build silencer
ratelimit: download finetune
request.h: rename parameter 'buf' to 'req' in Curl_req_send
REUSE: drop broken reference to `MAIL-ETIQUETTE`
rtsp: fix assertion failure on zero-length RTP payload
rtspd: fix to check `realloc()` result
runtests: pass config filename to stunnel in native format (Windows)
schannel: refactor: reduce variable scopes, fix comment, fix indent
send: drop `CURL_UNCONST()` from buffer argument on most platforms
setopt: fix checking range for CURLOPT_MAXCONNECTS
setopt: refuse blobs with zero length
setup-os400.h: drop no longer used custom type `u_int32_t`
sigpipe: unset SA_SIGINFO since it is using sa_handler
silent.md: also mention it shuts off warning messages
smb: free the path in the request struct properly
smb: include arpa/inet.h for NonStop
socket: check result of SO_NOSIGPIPE
socketpair: clear 'err' when retrying due to EINTR
socketpair: set SO_NOSIGPIPE where possible
socks: ensure DNS is freed in failure cases.
src: simplify declaring `curl_ca_embed`
ssh: dedupe state change function
stop using the word 'just'
sws: prevent "connection monitor" to say disconnect twice
synctime: fix use of uninitialized buffer on non-Windows
system_win32: replace manual init code with `curlx_now_init()` call
tests/server/sockfilt: avoid possible endless loop on Windows
tests/server: drop unused `curlx/version_win32.c`
tests/server: fix to clear the complete `srvr_sockaddr_union_t` variable
tests/server: tidy-up error messages (Windows)
tests: avoid assignment in `if` conditions in `first.h`
tests: convert base64 data to %b64[]
tftp: correct the filename length check
timeout handling: auto-detect effective timeout
tls: add new SSLSUPP flags for several options
tls: remove checks for DEFAULT
tool: enable header separation for HTTPS proxies
tool: improve config error messaging
tool: improve error/warning messages when output filename sanitization fails
tool: rename curl handle and result variable in `--libcurl`-generated code
tool: return code variable consistency
tool_cb_hdr: suppress header output when --out-null
tool_cb_prg: drop duplicate preprocessor logic
tool_dirhie: drop superfluous `F_OK` fallback (Windows)
tool_doswin: avoid memory-leak with CURL_FN_SANITIZE_*
tool_doswin: avoid Windowsisms in socket code (cont.)
tool_doswin: avoid Windowsisms in socket code
tool_doswin: document `ENABLE_VIRTUAL_TERMINAL_PROCESSING` toolchain support
tool_getparam: avoid `-Wcomma` with Apple clang in C89 mode
tool_operate: remove 'else' for VMS
tool_operate: reset the URL --url-query between --next
typos: silence false positives found in C code
unit3205: suppress two clang-tidy false positives
URL-SYNTAX.md: fix port number mistakes for IMAP and LDAP
url.c: code/comment cleanup around conn creation
url.h: fix `-Wdocumentation`
url: fix reuse of connections using HTTP Negotiate
urlapi: use U_CURLU_URLDECODE when toggling it off unsigned
urldata.h: remove two forward-declared structs not used
urldata: byebye `conn->hostname_resolve`
urldata: change 'keep_post' into three distinct bitfields
urldata: convert 'long' fields to fixed variable types
urldata: switch to uint* types
usercertinmem: use the correct cert BIO
verbose.md: explain the { and } prefixes
vquic: fix unused variable warning reported by clang-tidy
vquic: handle SOCKEMSGSIZE correctly
vtls: dedupe common on-session-reuse logic
vtls: use ALPN http/1.0 & http/1.1 for HTTP/1.0 requests
VULN-DISCLOSURE-POLICY.md: push reports to the web form
VULN-DISCLOSURE-POLICY.md: use hackerone
winapi: use FormatMessageA instead of FormatMessageW
windows: `USE_WINSOCK` to guard winsock2 code (where missing)
windows: determine `RtlVerifyVersionInfo` address on global init
windows: tidy up `wincrypt.h` / BoringSSL/AWS-LC coexist workaround
wolfssl: fix build without USE_BIO_CHAIN
ws/tftp: include header file even when protocol disabled
x509asn1: make encodeOID stop on too long input
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 4 May 2026 17:40:57 +0000 (19:40 +0200)]
glib: Update to version 2.88.1
- Update from version 2.88.0 to 2.88.1
- Update of rootfile
- Changelog
2.88.1
* Fix miscompilation with GCC 16 due to GLib’s use of the wrong function
attribute (!5145, work by Sam James)
* Fix flag confusion security issue when using `GRegex` with `G_REGEX_RAW` which
can result in unbounded out-of-bounds heap reads off the start of a regex
input string (#3919, work by linhlhq)
* Fix various minor (low severity) security issues, typically one-to-five-byte
out-of-bounds reads (#3915, #3916, #3917, #3918, #3930) or ones relying on
very specific (and unlikely) API calls (#3925) or ones relying on
discouraged P2P D-Bus configurations (#3931, #3933) (work by linhlhq)
* Bugs fixed:
- #3915 (#YWH-PGM9867-190) Buffer Over-read on GLib through glib/gvariant-serialiser.c:1253 via gvs_tuple_is_normal() (Philip Withnall)
- #3916 (#YWH-PGM9867-187) OOB Read on GLib through
glib/gmarkup.c:g_markup_escape_text() via
glib/gmarkup.c:append_escaped_text() (Philip Withnall)
- #3917 (#YWH-PGM9867-191) OOB Read on GLib through
glib/gdatetime.c:g_date_time_get_ymd via invalid `GDateTime` (Philip
Withnall)
- #3918 (#YWH-PGM9867-193) Buffer Over-read on GLib's g_regex_replace()
through glib/gregex.c:string_append() via g_utf8_next_char() (Philip
Withnall)
- #3919 (#YWH-PGM9867-194) Buffer Over-read on GLib through
glib/gregex.c:g_regex_split_full() via glib/gutf8.c:g_utf8_prev_char()
(Philip Withnall)
- #3925 (#YWH-PGM9867-199) Buffer Over-read on GLib through glib/giochannel.c
via "g_io_channel_read_line_backend" (Philip Withnall)
- #3930 (#YWH-PGM9867-200) Off-by-one Error on GLib through glib/gkeyfile.c
via "g_key_file_get_locale_string_list" (Philip Withnall)
- #3931 (#YWH-PGM9867-203) Path Traversal on GLib DBus through
glib/gio/gdbusauthmechanismsha1.c via keyring_lookup_entry,
mechanism_client_data_receive (COOKIE_SHA1 Client Authentication) leads to
Arbitrary File Read (Philip Withnall)
- #3933 Integer overflow in g_dbus_message_bytes_needed() bypasses 128 MiB
size check (pre-auth DoS on P2P connections) (Philip Withnall)
- !5101 Update Serbian translation
- !5105 docs: Expand docs for GLIB_VERSION_MAX_ALLOWED
- !5110 gmarkup: fix type of length parameter of text_validate()
- !5111 Update Russian translation
- !5113 Update Polish translation
- !5114 docs: Remove myself from CODEOWNERS
- !5122 Update Slovak translation
- !5134 Backport various recent security fixes to GVariant, GMarkup, GDateTime
and GRegex to glib-2-88
- !5150 Backport !5145 “gvarianttype: use pure attribute, not inappropriate
const” to glib-2-88
- !5152 Update Slovak translation
- !5154 Update German translation
- !5165 Update Slovak translation
- !5166 Update Slovak translation
- !5169 Update Persian translation
- !5174 Backport !5170 !5171 !5172 !5173 Various security fixes to glib-2-88
* Translation updates:
- German (Christian Kirbach)
- Persian (Danial Behzadi)
- Polish (Victoria Niedzielska)
- Russian (Artur S0)
- Serbian (Марко Костић)
- Slovak (Jose Riha)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
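The GRegex entries above (#3919, and the related #3918) describe a backwards walk over a byte string with g_utf8_prev_char() reading off the start of the buffer when the input is raw bytes rather than UTF-8 (the `G_REGEX_RAW` case). The block below is an added example, not GLib's or IPFire's code: it models the usual "step back until a non-continuation byte" loop (assumed to be the shape of the walk, as a simplification), provides a checker that reports whether such a walk would run past the start of a given buffer, and a bounded variant that stops at the buffer start. All sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* A UTF-8 continuation byte has the bit pattern 10xxxxxx. */
static int is_continuation(unsigned char c) { return (c & 0xC0) == 0x80; }

/* Simplified model (an assumption, not GLib's source) of an unbounded
 * previous-character walk: step back until a lead byte is found. There is
 * no lower bound, so the caller must guarantee one exists. On raw input
 * made only of continuation bytes this reads before the buffer. */
const unsigned char *prev_char_unbounded(const unsigned char *p)
{
    do { p--; } while (is_continuation(*p));
    return p;
}

/* Report whether prev_char_unbounded(s + pos) would read before s.
 * Returns 1 if the walk reaches s without finding a lead byte (it would
 * then read s[-1] and beyond), 0 if a lead byte is found within bounds.
 * Starting at the buffer start, or past its end, is already out of bounds. */
int walk_underflows(const unsigned char *s, size_t len, size_t pos)
{
    if (pos == 0 || pos > len) return 1;
    while (pos > 0) {
        pos--;
        if (!is_continuation(s[pos])) return 0;
    }
    return 1;
}

/* Bounded variant: never steps before `start`. Returns start when every
 * byte before p is a continuation byte, which is what raw, non-UTF-8
 * input can look like. */
const unsigned char *prev_char_bounded(const unsigned char *start,
                                       const unsigned char *p)
{
    while (p > start) {
        p--;
        if (!is_continuation(*p)) return p;
    }
    return start;
}

/* Convenience wrapper: offset of the bounded previous character from s. */
long prev_char_offset_bounded(const unsigned char *s, size_t pos)
{
    return (long)(prev_char_bounded(s, s + pos) - s);
}

int main(void)
{
    /* Constructed inputs. */
    static const unsigned char raw[]  = { 0x80, 0x80, 0x80 }; /* continuation bytes only */
    static const unsigned char utf8[] = "a\xC3\xA9";          /* "aé", valid UTF-8 */

    printf("raw:  underflow=%d\n", walk_underflows(raw, sizeof raw, sizeof raw));
    printf("utf8: underflow=%d\n", walk_underflows(utf8, 3, 3));
    /* Safe here: a lead byte exists inside the buffer. */
    printf("utf8: unbounded prev offset=%ld\n", (long)(prev_char_unbounded(utf8 + 3) - utf8));
    printf("raw:  bounded prev offset=%ld\n", prev_char_offset_bounded(raw, sizeof raw));
    return 0;
}
```

The point the checker makes is that the bug is not in the walk itself but in calling it on data whose encoding was never validated; the bounded version is the cheap defence when the caller cannot guarantee a lead byte exists.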
Adolf Belka [Mon, 4 May 2026 17:40:58 +0000 (19:40 +0200)]
gnutls: Update to version 3.8.13
- Update from version 3.8.11 to 3.8.13
- Update of rootfile
- 13 CVE Fixes in 3.8.13
- 2 CVE Fixes in 3.8.12
- Changelog
3.8.13
** libgnutls: Add more checks to DTLS reassembly
Previously, gnutls didn't check that DTLS fragments claimed
a consistent message_length value.
Additionally, a crucial array size check was missing,
enabling an attacker to cause a heap overwrite.
Reject fragments with mismatching length and add a missing boundary check.
Independently reported by
Haruto Kimura (Stella), Oscar Reparaz and Zou Dikai.
[GNUTLS-SA-2026-04-29-1, CVSS: high] [CVE-2026-33846]
** libgnutls: Fix qsort comparator in DTLS reassembly
The comparator function used for ordering DTLS packets
by sequence numbers did not follow qsort comparator contracts
in case of packets with duplicate sequence numbers,
which could lead to unstable ordering or undefined behaviour.
Returning 0 in such cases makes the sorting stable.
Additionally, discard packets with same sequence numbers
and differing handshake type,
so that they don't end up being sorted in the first place.
Reported by Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-2, CVSS: high] [CVE-2026-42009]
** libgnutls: Fix crashing on an underflow with a DTLS datagram
A remotely triggerable underflow in the DTLS reassembly code led to
a heap overrun.
Prevent the underflow from happening.
Reported by Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-3, CVSS: high] [CVE-2026-33845]
** libgnutls: Fix RSA-PSK identity truncation
Servers configured with RSA-PSK have wrongfully matched usernames with a NUL
character in them to ones truncated at the NUL character,
which could lead to an authentication bypass.
Fix the check to perform comparison up to the full username length.
Reported by Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-4, CVSS: high] [CVE-2026-42010]
** libgnutls: Fix case-sensitivity of domain name comparison in name constraints
Domain name comparison during name constraints processing
was case-sensitive, violating RFC 5280 section 7.2.
For excluded name constraints, this could lead to
incorrectly accepting domain names that should've been rejected.
DNS name comparison and the domain part of email names
now perform case-insensitive comparison.
Independently reported by Oleh Konko (1seal) and
Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833]
** libgnutls: Fix intersecting empty constraints
Permitted name constraints were wrongfully ignored
when prior CAs only had excluded name constraints,
resulting in a name constraint bypass.
Reported by Haruto Kimura (Stella).
[GNUTLS-SA-2026-04-29-6, CVSS: medium] [CVE-2026-42011]
** libgnutls: Suppress CN fallback in presence of URI and SRV SAN
Certificates containing URI or SRV Subject Alternative Names
no longer fall back to checking DNS hostnames against Common Name
to avoid potential misuse of such certificates
beyond their original purpose.
Reported by Oleh Konko (1seal).
[GNUTLS-SA-2026-04-27-7, CVSS: medium] [CVE-2026-42012]
** libgnutls: Suppress CN fallback for oversized SAN
Validation of certificates with oversized Subject Alternative Names
no longer falls back to checking DNS hostnames against Common Name.
Independently reported by Haruto Kimura (Stella) and
Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-27-8, CVSS: medium] [CVE-2026-42013]
** libgnutls: Fix use-after-free in gnutls_pkcs11_token_set_pin
Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin()
with oldpin == NULL for a token lacking a protected authentication path
led to a use-after-free.
Reported by Luigino Camastra and Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-9, CVSS: medium] [CVE-2026-42014]
** libgnutls: Fix overread in RSA key exchange with PKCS#11 keys
For a server using an RSA key backed by a PKCS#11 token,
a client sending an extremely short premaster secret
during an RSA key exchange could trigger a short heap overread.
Reported by Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-10, CVSS: medium] [CVE-2026-5260]
** libgnutls: Fix off-by-one in PKCS#12 bag element bounds check
Appending to a PKCS#12 bag that already contained 32 elements
could write past the bag's internal array.
Reported by Zou Dikai.
[GNUTLS-SA-2026-04-29-11, CVSS: low] [CVE-2026-42015]
** libgnutls: Fix multi-entry OCSP response revocation bypass
When validating a certificate against a multi-entry OCSP response,
the revocation status was always checked for the first entry
instead of the entry matching the certificate,
which could lead to accepting revoked certificates.
Independently reported by Oleh Konko (1seal) and
Joshua Rogers of AISLE Research Team.
[GNUTLS-SA-2026-04-29-12, CVSS: low] [CVE-2026-3832]
** libgnutls: Fix timing side-channel in PKCS#7 padding removal
The PKCS#7 padding check performed during decryption was not constant-time,
potentially leaking information about the padding bytes
through timing differences.
Rewritten to remove padding in a branch-free manner.
Reported by Doria Tang of Stony Brook University.
[GNUTLS-SA-2026-04-29-13, CVSS: low] [CVE-2026-5419]
** libgnutls: Fix PSK username comparison during rehandshake
Rehandshaking to a username with embedded NUL character could theoretically
allow bypassing the GNUTLS_ALLOW_ID_CHANGE protection (#1808).
Reported and fixed by Joshua Rogers of AISLE Research Team.
** libgnutls: Fix OID length check for OCSP delegated signer EKU
The OCSP signing EKU OID was compared without verifying its length,
allowing a shorter OID that shares the same prefix to match.
The check now verifies the length as well (#1810).
Reported by Joshua Rogers of AISLE Research Team.
** libgnutls: Fix AES keys persisting with pkcs11-provider
When using the pkcs11-provider, AES keys used for cipher operations
were created as persistent objects and accumulating.
They are now ephemeral (#1813).
** libgnutls: Fix missing RSA key coprimality check in verify_params
gnutls_privkey_verify_params overlooked the scenario of p and q
not being co-prime.
It now returns GNUTLS_E_PK_INVALID_PRIVKEY in this case (#1818).
Reported by Kamil Frankowicz.
** libgnutls: Fix overread when parsing OpenSSL PEM private keys
Insufficient bounds checking on the PEM header length could lead
to short heap overreads on specially crafted inputs (#1854).
Independently reported by Kamil Frankowicz and
Joshua Rogers of AISLE Research Team.
** libgnutls: Fix a theoretical double-free during certificate import
If gnutls_x509_crt_list_import_pkcs11 failed partway through,
the trust list cleanup code would try to free already-deinitialized
certificate entries, leading to a double-free (#1819).
Reported by Joshua Rogers of AISLE Research Team.
** libgnutls: Fix heap overread in SCT extension parser
The list-length validation didn't account for the 2-byte length field,
allowing a specially crafted SCT extension to cause
a 2-byte overread past the buffer (#1822).
Reported by Joshua Rogers of AISLE Research Team.
** libgnutls: Zeroize shared secret derived during hybrid key exchange
The derived shared secret was not zeroized before being freed (#1841).
Reported by liyue.
** build: Support building with Nettle 4.0
Nettle 4.0 was released in February 2026, with API incompatible
changes from 3.10. The library can now compile with it, while
Nettle 3.10 is still supported (#1791).
** libgnutls: Support deriving ML-DSA public key from an expanded private key
RFC 9881 defines 3 private key formats for ML-DSA: "seed",
"expandedKey" and both. It is now possible to derive a public key
from a private key in the "expandedKey" format (#1723).
** libgnutls: Fix loading BIT STRING encoded EdDSA key from PKCS#11
For compatibility reasons, the library supports two formats for
EdDSA private keys: either ASN.1 BIT STRING (raw) or OCTET STRING
(DER). Previously, loading a private key in the former format
resulted in a failure, which is now fixed (#1749).
** libgnutls: HPKE (RFC 9180) is now supported as a technology preview
The Hybrid Public Key Encryption (HPKE) is a flexible cryptographic
protocol which makes it possible to encrypt arbitrary data to a recipient, by
combining key encapsulation mechanism (KEM) and authenticated
encryption with additional data (AEAD). GnuTLS now includes the
implementation contributed by David Dudas. Given this is a
technology preview, the implementation and the API might suffer
modification in the following period. Use --enable-hpke to turn on
this feature (#1506).
** libgnutls: Fix TLS 1.3 client certificate selection
For servers that send a signature_algorithms extension in CertificateRequest
with new rsa_pss_rsae_* algorithms and without the legacy rsa_pkcs1_* ones,
the client now properly considers RSA when selecting a certificate to send.
This fixes TLS 1.3 interoperability with newer Java servers
when using client certificates.
Contributed by Romain Tartière (#1842).
** libgnutls: Fix kTLS ChaCha20-Poly1305 IV for TLS 1.2
When using kTLS with ChaCha20-Poly1305 under TLS 1.2,
an incorrect value was passed as the IV to the kernel,
causing connections to fail early.
** libgnutls: Allow fetching object type metadata for PKCS#11 keys
A new library function, gnutls_pkcs11_obj_get_pk_algorithm,
has been added to check the public key algorithms of PKCS#11 key objects.
Object types other than CKO_PRIVATE_KEY are currently not supported.
Contributed by Ghadi Elie Rahme (!2074).
** API and ABI modifications:
gnutls_hpke_kem_t: New enum
gnutls_hpke_kdf_t: New enum
gnutls_hpke_aead_t: New enum
gnutls_hpke_mode_t: New enum
gnutls_hpke_role_t: New enum
gnutls_hpke_context_st: New context structure
gnutls_hpke_init: New function
gnutls_hpke_deinit: New function
gnutls_hpke_encap: New function
gnutls_hpke_seal: New function
gnutls_hpke_decap: New function
gnutls_hpke_open: New function
gnutls_hpke_derive_keypair: New function
gnutls_hpke_export: New function
gnutls_pkcs11_obj_get_pk_algorithm: New function
3.8.12
** libgnutls: Fix NULL pointer dereference in PSK binder verification
A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello
could lead to a denial of service attack via crashing the server.
The updated code guards against the problematic dereference.
Reported by Jaehun Lee.
[Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]
** libgnutls: Fix name constraint processing performance issue
Verifying certificates with pathological amounts of name constraints
could lead to a denial of service attack via resource exhaustion.
Reworked processing algorithms exhibit better performance characteristics.
Reported by Tim Scheckenbach.
[Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]
** libgnutls: Fix multiple unexploitable overflows
Reported by Tim Rühsen (#1783, #1786).
** libgnutls: Fall back to thread-unsafe module initialization
Improve fallback handling for PKCS#11 modules that
don't support thread-safe initialization (#1774).
Also return filename from p11_kit_module_get_name() for unconfigured modules.
** libgnutls: Accept NULL as digest argument for gnutls_hash_output
The accelerated implementation of gnutls_hash_output() now
properly accepts NULL as the digest argument, matching the
behavior of the reference implementation (#1769).
** srptool: Avoid a stack buffer overflow when processing large SRP groups.
Reported and fixed by Mikhail Dmitrichenko (#1777).
** API and ABI modifications:
No changes since last version.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 4 May 2026 17:40:59 +0000 (19:40 +0200)]
libmicrohttpd: Update to version 1.0.5
- Update from version 1.0.3 to 1.0.5
- No change to rootfile
- Changelog
1.0.5
It fixes additional HTTP request smuggling issues (CWE-444).
1.0.4
It fixes a minor HTTP request smuggling issue (CWE-444).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.67
"Changes with Apache 2.4.67
*) SECURITY: CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp:
Heap Over-Read and memory disclosure in ajp_parse_data()
(cve.mitre.org)
Buffer Over-read vulnerability in Apache HTTP Server.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes
the issue.
Credits: Elhanan Haenel
*) SECURITY: CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp:
Heap Buffer Over-Read Due to Missing Null-Termination Check
(ajp_msg_get_string) (cve.mitre.org)
Improper Null Termination, Out-of-bounds Read vulnerability in
Apache HTTP Server.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes
the issue.
Credits: Tianshuo Han (<hantianshuo233@gmail.com>)
*) SECURITY: CVE-2026-33857: Apache HTTP Server: Off-by-one OOB
reads in AJP getter functions (cve.mitre.org)
Out-of-bounds Read vulnerability in mod_proxy_ajp of
Apache HTTP Server.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes
the issue.
Credits: Elhanan Haenel
*) SECURITY: CVE-2026-33523: Apache HTTP Server: multiple modules:
HTTP response splitting forwarding malicious status line
(cve.mitre.org)
HTTP response splitting vulnerability in multiple Apache HTTP
Server modules with untrusted or compromised backend servers.
This issue affects Apache HTTP Server: from through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes
the issue.
Credits: Haruki Oyama (Waseda University)
*) SECURITY: CVE-2026-33007: Apache HTTP Server: mod_authn_socache
crash (cve.mitre.org)
A NULL pointer dereference in the mod_authn_socache in Apache
HTTP Server 2.4.66 and earlier allows an unauthenticated remote
user to crash a child process in a caching forward proxy
configuration.
Users are recommended to upgrade to version 2.4.67, which fixes
this issue.
Credits: Pavel Kohout, Aisle Research, Aisle.com
*) SECURITY: CVE-2026-33006: Apache HTTP Server: mod_auth_digest
timing attack (cve.mitre.org)
A timing attack against mod_auth_digest in Apache HTTP Server
2.4.66 allows a bypass of Digest authentication by a remote
attacker.
Users are recommended to upgrade to version 2.4.67, which fixes
this issue.
Credits: Nitescu Lucian
*) SECURITY: CVE-2026-29169: Apache HTTP Server: mod_dav_lock
indirect lock crash (cve.mitre.org)
A NULL pointer dereference in mod_dav_lock in Apache HTTP Server
2.4.66 and earlier may allow an attacker to crash the server
with a malicious request. mod_dav_lock is not used internally by
mod_dav or mod_dav_fs.
The only known use-case for mod_dav_lock was mod_dav_svn from
Apache Subversion earlier than version 1.2.0.
Users are recommended to upgrade to version 2.4.66, which fixes
this issue, or remove mod_dav_lock.
Credits: Pavel Kohout, Aisle Research, Aisle.com
*) SECURITY: CVE-2026-29168: Apache HTTP Server: mod_md
unrestricted OCSP response (cve.mitre.org)
Allocation of Resources Without Limits or Throttling
vulnerability in Apache HTTP Server's mod_md via OCSP response
data.
This issue affects Apache HTTP Server: from 2.4.30 through
2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes
the issue.
Credits: Pavel Kohout, Aisle Research, Aisle.com
*) SECURITY: CVE-2026-28780: Apache HTTP Server: buffer overflow in
mod_proxy_ajp via ajp_msg_check_header() (cve.mitre.org)
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of
Apache HTTP Server.
If mod_proxy_ajp connects to a malicious AJP server this AJP
server can send a malicious AJP message back to mod_proxy_ajp
and cause it to write 4 attacker controlled bytes after the end
of a heap based buffer.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes
the issue.
Credits: Andrew Lacambra
*) SECURITY: CVE-2026-24072: Apache HTTP Server: mod_rewrite
elevation of privileges via ap_expr (cve.mitre.org)
An escalation of privilege bug in various modules in Apache HTTP
2.4.66 and earlier allows local .htaccess authors to read files
with the privileges of the httpd user.
Users are recommended to upgrade to version 2.4.67, which fixes
this issue.
Credits: y7syeu
*) SECURITY: CVE-2026-23918: Apache HTTP Server: http2: double free
and possible RCE on early reset (cve.mitre.org)
Double Free and possible RCE vulnerability in Apache HTTP Server
with the HTTP/2 protocol.
This issue affects Apache HTTP Server: 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes
the issue.
Credits: Bartlomiej Dmitruk, striga.ai
*) mod_md: update to version 2.6.10
- Fix issue #420 <https://github.com/icing/mod_md/issues/420> by ignoring
job.json files that claim to have completely finished a certificate
renewal, but have not produced the necessary result files.
*) mod_http2: update to version 2.0.39
Remove streams own memory allocator after reports of memory problems
with third party modules.
[Stefan Eissing]
*) mod_http2: update to version 2.0.38
Source sync with mod_h2 github repository. No functional change.
[Stefan Eissing]
*) mod_md: update to version 2.6.7
- Fix a regression in `MDStapleOthers` which broke in v2.6.0 and no longer
applied, no matter the configuration.
*) mod_md: update to version 2.6.9
- Pebble 2.9+ reports another error when terms of service agreement is
not set. Treating all "userActionRequired" errors as permanent now.
*) mod_md: update to version 2.6.8
- Fix the ARI related `replaces` property in ACME order creation to only
be used when the CA supports ARI and it is enabled in the menu config.
- Fix compatibility with APR versions before 1.6.0 which do not have
`apr_cstr_casecmp` and should use `apr_strnatcasecmp` instead.
*) mod_http2: update to version 2.0.37
Prevent double purge of a stream, resulting in a double free.
Fixes PR 69899.
[Stefan Eissing]
*) mod_md: Use correct function name when compiling against APR < 1.6.0.
PR 69954 [Tần Quảng <baobaoxich@gmail.com>]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 30 Apr 2026 18:36:48 +0000 (20:36 +0200)]
rsync: Update to version 3.4.2
- Update from version 3.4.1 to 3.4.2
- No change to rootfile
- Changelog
3.4.2
SECURITY RELATED:
Several security-relevant defects were reported and fixed since 3.4.1.
None were assigned a CVE — rsync's fork-per-connection design scopes
the impact of each of these to the attacker's own connection, which is
equivalent to the client closing the socket itself — but they are
fixed here as a matter of hygiene and to reduce the chances of a
future exploitable combination. Many thanks to the external
researchers who reported these issues.
- Fixed a signed integer overflow in the PROXY protocol v2 header
parser: a negative `len` field could bypass the size check and cause
a stack buffer overflow in `read_buf()`. Reported by John Walker of
ZeroPath.
- Fixed an invalid access to the files array. Reported by Calum
Hutton of Rapid7.
- Reject negative token values in the compressed-stream token
decoder; a negative value could cause callers to misinterpret a
missing data pointer as literal data. Reported by Will Sergeant.
- Fixed the element count passed to the xattr `qsort()` (see
https://www.openwall.com/lists/oss-security/2026/04/16/2).
- Fixed a buffer underflow in `clean_fname()`, and added a regression
test.
- Fixed an uninitialized `mul_one` in the AVX2 get_checksum1 path
(undefined behaviour), and added a SIMD-checksum self-test that
cross-checks SSE2, SSSE3 and AVX2 against the C reference on both
aligned and unaligned buffers.
- Fixed an uninitialized `buf1` on the first call to
`get_checksum2()` in the MD4 path (fixes #673).
- Zero all new memory from internal allocations: `my_alloc()` now uses
`calloc`, and `expand_item_list()` zeros the expanded portion after
`realloc`. This gives more predictable behaviour if stale or
uninitialised memory is ever accidentally read.
BUG FIXES:
- Call `tzset()` before chroot so that log timestamps continue to
reflect the configured local timezone after the daemon chroots
(glibc needs `/etc/localtime`, which is unreachable post-chroot).
- Use the correct time when writing to the log file.
- Do not clear `DISPLAY` unconditionally.
- Fixed a Y2038 bug in `syscall.c` by replacing the `Int32x32To64`
macro (which truncates its arguments to 32 bits) with a plain
64-bit multiplication.
- Fixed ACL ID mapping for non-root users (closes #618).
- Fixed handling of objects with many xattrs on FreeBSD.
- Fixed `--open-noatime` not taking effect when opening regular
files: `O_NOATIME` is now also passed to `do_open_nofollow()`, which
has been used for regular files since the CVE fix "fixed symlink
race condition in sender".
- Ignore "directory has vanished" errors.
- Fixed the removal of multiple leading slashes.
- Added the missing `--dirs` long option.
- Fixed a segfault if `poptGetContext()` returns NULL (e.g. under
OOM) by not passing NULL to `poptReadDefaultConfig()`. Reported by
Ronnie Sahlberg; found with `malloc-fail-tester`.
- Fixed a build error on ia64 NonStop (which treats missing
prototypes as an error, not a warning).
- Fixed a flaky hardlinks test (fixes #735).
ENHANCEMENTS:
- Added multi-threaded `zstd` compression, gated by a new
`--compress-threads=N` option, with validation and man-page
coverage.
- Documented the `temp dir` parameter in the rsyncd.conf man page
(fixes #820).
- Improved rendering of interior dashes in long-option names in
`md-convert` (perhaps fixes #686).
PORTABILITY / BUILD:
- Fixed glibc 2.43 const-preserving overloads of `strtok()`,
`strchr()` etc. by declaring the affected locals with the right
constness. Contributed by Holger Hoffstätte.
- Converted the bundled zlib 1.2.8 from K&R-style function
definitions to ANSI prototypes, so it builds with clang 16+.
- Avoid using `bool` as an identifier; it is a keyword in C23.
- `configure.ac`: check for xattr functions in libc first and only
fall back to `-lattr`, avoiding spurious overlinking when `-lattr`
happens to be installed. Contributed by Eli Schwartz.
- Made the build reproducible by honouring `SOURCE_DATE_EPOCH` for
the manpage date.
- Removed obsolete `popt/findme.c` and `popt/findme.h` that upstream
popt 1.14 folded into `popt.c` (fixes #710). Contributed by Alan
Coopersmith.
INTERNAL:
- Made many module-global variables `const` so they can live in
`.rodata` and enable additional compiler optimization.
DEVELOPER RELATED:
- Replaced `runtests.sh` with `runtests.py`, a Python test runner
that supports `--valgrind` (with per-process log files so valgrind
output no longer interferes with output comparisons) and
`-j/--parallel` execution for roughly a 7× speed-up on typical
hardware.
- Added a SIMD checksum self-test and a `clean-fname-underflow`
regression test.
- Various CI fixes for macOS and Cygwin (including adding
`simd-checksum` to the expected-skipped lists on platforms without
SIMD), and tests now run on `ubuntu-latest`.
- removed support for the unmaintained rsync-patches archive
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 30 Apr 2026 18:36:47 +0000 (20:36 +0200)]
openvpn: Update to version 2.7.3
- Update from version 2.7.1 to 2.7.3
- No change to rootfile
- 2 CVE fixes in 2.7.2. These have also been applied to 2.6.20 on the 2.6 branch
- Changelog
2.7.3
bugfixes
in combination with --management-query-passwords, setups using --auth-user-pass
file or inline auth-user-pass would no longer use the configured passwords and
prompt on the management interface instead (OpenVPN GUI would then provide an
empty user/password prompt) (Github: OpenVPN/openpvn#1021).
2.7.2
Security fixes
fix race condition in TLS handshake that could lead to leaking of packet data from
a previous handshake under specific circumstances (CVE-2026-40215)
(Bug found by XlabAI Team of Tencent Xuanwu Lab (xlabai@tencent.com))
fix server ASSERT() on receiving a suitably malformed packet with a valid
tls-crypt-v2 key (CVE-2026-35058)
(Bug found by XlabAI Team of Tencent Xuanwu Lab (xlabai@tencent.com)
and independently by Emma Reuter of Cisco ASIG (TALOS-2026-2381))
Bugfixes
when using a config file with inlined username and no password, fix prompting for
the password from management interface.
Windows: fix DNSSEC flag handling - this never got applied due to a bad comparison
being always false.
Windows: fix deinstallation progress bar on adapter deletion.
New features
management interface: permit input of very long passwords in base64-encoded
multiline format. Signal support to management clients via
"management version 6".
Documentation
improve documentation and error messages related to old and new Linux DCO modules
remove some references to pre-2.3 OpenVPN
improve manpage for --learn-address config
User-visible Changes
improve error messages on --verify-x509-name failures
improve error logging when overlong username or passwords can not be written to TLS
buffer
Long-term code maintenance
fully support OpenSSL 4.0 now, without "deprecated API" warnings (multiple small
changes to adapt to 3.5 -> 4.0 API changes)
add unit tests for certificate detail printing
add unit tests for "empty password on inline credentials" handling
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 30 Apr 2026 18:36:46 +0000 (20:36 +0200)]
lvm2: Update to version 2.03.40
- Update from version 2.03.39 to 2.03.40
- Update of rootfile
- Changelog
2.03.40
Reset warned flag in dmeventd raid plugin when device fully syncs.
Fix inverted range comparison in libdm reserved value check.
Fix percent_check threshold stuck above 100% in dmeventd thin/vdo plugins.
Fix cache_check_for_warns reading wrong cache mode for cachevol.
Fix memory leak in process_each_label duplicate handling.
Fix missing unlock_vg in vgcreate when pvcreate_each_device fails.
Lock the origin LV when locking a COW snapshot in lvmlockd.
Preserve bcache AIO context across lvm shell commands to avoid reinit cost.
Fix msg.data leaks in dmeventd restart and reinstate paths.
Fix VG lock leak on init_processing_handle failure in vgcreate.
Fix VG lock leak on lv_remove_single failure in vgmerge.
Fix VG lock leak on second lock_vol failure in vgimportclone.
Fix VG lock leak on early return in pvscan.
Fix inverted strstr check in remove_layer_from_lv layer rename.
Fix inverted strcmp for vgchange --persist lockstart check.
Fix argv overwriting last vdoformat option with device path.
Fix NULL deref of sync_action in dm_get_status_raid.
Fix recovery rate check in lvcreate when max rate is unset.
Fix dm_strncpy off-by-one in raid split image conversion name.
Fix missing failure return after reshape space allocation error in raid.
Pre-create udev cookie before critical section to avoid resume failures.
Validate area_count before subtracting parity_devs in RAID metadata import.
Validate area_count against MAX_STRIPES to prevent integer overflow.
Validate mda size and prevent uint64 to uint32 truncation in metadata reads.
Extract label_check_pv_layout to validate PV label buffer structure.
Remove redundant memset from command registration (global array is zero-init).
Kill orphaned polling lvpoll process in lvmpolld on pvmove --abort.
Fix pvmove mirror image bounds check off-by-one in poll completion.
Fix dev_manager to restore track_pvmove_deps flag on error path.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 30 Apr 2026 18:36:45 +0000 (20:36 +0200)]
ethtool: Update to version 7.0
- Update from version 6.15 to 7.0
- No change to rootfile
- Changelog
7.0
* Feature: support MSE display (--show-mse)
* Feature: add 2 new link_ext_state names
* Fix: fix index calculation in ixgbe register dump (-d)
* Fix: cmis wavelength tolerance output (-m)
* Fix: duplicate sfpid Active Cu compliance output (-m)
6.19
* Feature: support HW timestamp configuration (--set-hwtimestamp-cfg)
* Feature: display HW timestamp source (-T)
* Feature: support PLCA notifications (--get/set-plca-cfg)
* Feature: add PSE priority management support (--show/set-pse)
* Feature: support PSE notifications (--show/set-pse)
* Feature: support configuring RSS on IPv6 Flow Label (-n/-N)
* Feature: support FEC bit error histograms (--show-fec)
* Feature: register dump decoding for TI K3 CPSW and its ALE table (-d)
* Fix: fix missing headers in text output
* Fix: fix print_string when the value is NULL (-Werror=format-security)
* Fix: fix JSON output of SFP diagnostics
* Fix: fix duplicated JSON keys in module info
* Misc: clarify that symmetric RSS may be on by default (-x/-X)
* Misc: add AppStream metainfo file to %files section
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.0.20250521 to 1.0.20260223
- No change in rootfile
- Changelog
1.0.20260223
* wg-quick: linux: use smallest mtu, not largest
The minimum endpoint MTU selection should now actually work.
* wg-quick: pass on # comments to {Pre,Post}{Up,Down}
This handles the case of a literal # being used in a command.
* wg-quick: linux: deal with resolvconf migration more gracefully
This fixes an issue when upgrading Ubuntu boxes.
* wg-quick: use addconf instead of setconf
This will prevent wiping out changes made in PreUp.
* wg-quick: linux: do not unnecessarily set sysctl
Improves docker compatibility.
* wg-quick at .service: add deps on wg-quick.target
* config: preserve const correctness
Squelches a warning on recent gcc.
* syncconf: account for psks removed from config file
* syncconf: account for persistent keepalive removed from config file
PersistentKeepalive and PresharedKey will be removed if they're not found in
the config file during a syncconf operation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-0
Changelog is IMHO too long for the list ( ;-) )
I'll just mention "Fix #1404: Priming the root key fails after
loading ipfire.org RPZ zones. Fixed by including the ZONEMD
RRtype in the list of types to ignore for RPZ zones. Analysis
and patch provided by ummeegge."
=> Patch for RPZ ZONEMD has been removed accordingly.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://github.com/htop-dev/htop/blob/main/ChangeLog
"What's new in version 3.5.1
* Consolidate ClockMeter code into DateTimeMeter code
* Darwin: Fix unsigned underflow in memory meter on ARM64 (Apple Silicon 16K pages showing ~64TB used)
* Linux/PCP: Replace M_SHARE (SHR) with M_PRIV (PRIV) in default Main screen columns
* PCP: Fix dynamic screen column (instance) sorting (incorrect cast and field offsets)
* PCP: Fix units used when printing M_PRIV memory column values
* PCP: Add Darwin swap metric values and a fallback on Linux for SwapMeter
* Fix null pointer dereference in actionBacktrace() (GCC LTO -O2 -flto, Ubuntu 24.04)
* Make search function activate following on find consistently
* Make a panel click abort the search function"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- configure: WARNING: unrecognized options: --enable-rust
- This option was in place when rust was still being used experimentally. From version
5.0.0 rust became standard for the build and so the option was removed from configure.
- Option removed
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 29 Apr 2026 17:50:30 +0000 (19:50 +0200)]
screen: Resolve configure unrecognised option(s)
- configure: WARNING: unrecognized options: --with-socket-dir, --with-sys-screenrc
- In version 5.0.0 these were changed
- --with-socket-dir has been changed to --enable-socket-dir
- --with-sys-screenrc has been changed to --with-system_screenrc
- The default location for screenrc was what we had defined anyway so that was still
specified in the version from 5.0.0 onwards.
- The global socket definition due to the unrecognised option became a No value, so no
socket location was defined at all. This now corrects that. This has been confirmed by
looking at the configure status and confirming the directory now specified for the
socket in the build log.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- configure: WARNING: unrecognized options: --without-xerces
- Building with xerces support was removed in version 12.4.0 in 2023
- Option has been removed
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 29 Apr 2026 17:50:28 +0000 (19:50 +0200)]
openssh: Resolve configure unrecognised option(s)
- configure: WARNING: unrecognized options: --with-md5-passwords
- use of md5 for passwords was removed in version 8.9 in 2022
- Option has been removed
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- configure: WARNING: unrecognized options: --disable-nls
- Checked the tarballs all the way back to 2.4.0 (2001) and nls has never been a
configure option that can be selected.
- Based on that the option has been removed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 29 Apr 2026 17:50:24 +0000 (19:50 +0200)]
gnutls: Resolve configure unrecognised option(s)
- configure: WARNING: unrecognized options: --disable-guile
- The guile bindings were removed and made into a separate package in version 3.8.0
in 2023
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 29 Apr 2026 17:50:23 +0000 (19:50 +0200)]
frr: Resolve configure unrecognised option(s)
- configure: WARNING: unrecognized options: --disable-irdp
- The irdp code was removed from frr in version 10.5.0 so the disable option is no
longer required
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 29 Apr 2026 17:50:22 +0000 (19:50 +0200)]
flac: Resolve configure unrecognised option(s)
- configure: WARNING: unrecognized options: --disable-xmms-plugin
- the xmms plugin was removed from flac in version 1.4.2 in 2022 so the option is no
longer needed and has been removed
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 29 Apr 2026 17:50:21 +0000 (19:50 +0200)]
dnsdist: Resolve configure unrecognised option(s)
- I was searching in the _build.ipfire.log file to resolve something else and I noticed
that there were several packages with the same message.
configure: WARNING: unrecognized options:
- I investigated the options for each package and identified if the option was no longer
valid or if it had been replaced with another option which had not been identified
when it occurred.
- This patch set resolves all the unrecognised configure options except for one that
needs further investigation (tcl) and this has been confirmed by a search in the
_build.ipfire.log created after the build with all the changes in this patch set.
- For dnsdist two options had their names changed in version 1.4.0 in around 2019.
- --enable-openssl has become --with-libssl
- --disable-gnutls has become --without-gnutls
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 28 Apr 2026 12:11:07 +0000 (14:11 +0200)]
knot: Update to version 3.5.4
- Update from 3.4.2 to 3.5.4
- Update of rootfile
- find-dependencies run due to sobump. No issues identified.
- Changelog
3.5.4
Features:
- knotd: configurable ZERO-COPY XDP mode (see 'xdp.zero-copy')
- mod-dnserr: module for DNS error reporting
Improvements:
- knotd: 'zone-update-error' statistic counter covers more situations
- knotd: 'zone.catalog-zone' configuration option is ignored if not needed
- knotd: dynamic reconfiguration logs item value in debug mode
- knotd: memory optimizations when reloading a zone file
- knotd: improved interoperability with Bind9 Offline KSK operations
- knotd: improved performance of updated zone check
- knotd: increased maximum configuration database reader limit by 3
- knotd: new warning logs if primaries are outdated during zone refresh
- kxdpgun: JSON output is stream of newline-delimited objects instead of a list
- kxdpgun: extended throughput statistics
- libs: support for loading private ALIAS record type
- libs: upgraded embedded libngtcp2 to 1.22.0
- debian: switched to sysusers.d and tmpfiles.d configurations (Thanks to Luca Boccassi)
- doc: various improvements
Bugfixes:
- mod-onlinesign: incorrect next NSEC owner name leading to a DoS (Thanks to Shang Kunjie)
- knotd: server crash upon receiving a malformed resource record over XFR (Thanks to Haruto Kimura)
- knotd: generated catalog not updated if reconfigured without server restart
- knotd: some cross-zone reconfigurations not handled correctly
- knotd: configuration control transaction not recoverable after a semantic error
- knotd: zone loaded from Redis backend incrementally for non-continuous changes
- knotd: server crash when accessing an HSM in parallel by multiple background workers
- knotd: insufficient module unloading if error
- modules: some module hook registrations not checked for errors
- mod-geoip: server crash if record owner missing in configuration file
- libs: insufficient checks for malformed resource records (Thanks to Haruto Kimura)
- redis: incorrect arity check and use-after-free in AOF (Thanks to Haruto Kimura)
- redis: various issues when processing empty data
3.5.3
Features:
- knotd: added statistics counter for failed zone update (see 'zone-update-error')
- knotd: new D-Bus signal for zones not updated (see 'server.dbus-event')
- knotc: optional parameter for delayed old KSK removal upon submission (see 'zone-ksk-submitted')
- libs: added support for the RESINFO record type
Improvements:
- knotd: zone inclusion deletes the whole subtree of glues and junk from the parent
- knotd: supported unsigned input ZONEMD validation if enabled DNSSEC signing and ZONEMD generate
- knotd: DNSSEC signing not required for key restore
- knotd: increased defaults for 'database.timer-db-max-size' and 'database.kasp-db-max-size'
- knotd: database connection pool is purged if reconfigured
- knotd: removed shutdown delay if connected to a database
- knotd: optimized memory trimming frequency for many zones
- knotd: primary server sends NOTIFY after answering started, not sooner
- redis: GnuTLS is not required to build the module alone !1809
- libs: improved detection of PKCS #11 support !1830
- libs: upgraded embedded libngtcp2 to 1.19.0
- samples: added JSON support to probe_dump (Thanks to Benedikt Heine)
- doc: extended and updated table of compatible PKCS #11 devices
Bugfixes:
- knotd: DS push not replanned if reconfigured during DS submission
- knotd: missing check for empty zone when flushing
- knotd: missing catalog update clear if error
- knotd: failed to parse database address without port specification
- knotd: incorrect thread synchronization when dumping timers
- knotd: server crashes when outbound QUIC connection is closed unexpectedly
- knotd: zone not reloaded from database if not updated incrementally
- knotd: UNIX socket path containing a single colon considered an IPv6 address
- keymgr: program crashes when importing a malformed key
- kdig: missing address context deinitialization when iterating over addresses
- kdig: missing AA flag on NOTIFY query
3.5.2
Features:
- knotd: configurable zone timer storage mode (see 'database.timer-db-sync')
- libknot: added support for the DSYNC record type
- redis: new module command for printing zone information (see 'KNOT.ZONE.INFO')
Improvements:
- knotd: queries to a catalog zone are now allowed also for ACL rules with action 'query'
- knotd: denied query to a catalog zone is responded to with NOTAUTH instead of REFUSED
- knotd: existing PID file is reused if it matches current PID !1819
- knotd: zone purge has its own zone event
- knotd: optimized zone timer storage
- knotd: optimized ACL evaluation
- keymgr: added more algorithms to keystore-test and keystore-bench
- mod-dnstap: added detection for protoc
- libs: upgraded embedded libngtcp2 to 1.18.0
- redis: added support for zone data replication
- redis: extended logging
- doc: various improvements
Bugfixes:
- knotd: failed to receive zone with ZONEMD if enabled DNSSEC signing and ZONEMD generate
- knotd: refresh with pinned master not rescheduled when tolerance period expired
- knotd: failed to build with older libhiredis without TLS support
- knotd: misleading error message when attempting to sign empty zone
- mod-rrl: failed to compile if target architecture was specified
- libknot: failed to dump RRSet if the initial output buffer was too small
- libdnssec: missing digest.h in dnssec.h
- redis: defective communication with sentinel
- redis: failed zone load was not rescheduled
- redis: several memory leaks
3.5.1
Features:
- knotc: new command for setting zone SOA serial (see 'zone-serial-set')
Improvements:
- knotd: zone database listen configuration now accepts a hostname value
- knotd: support for specifying multiple zone databases (see 'zone-db-listen')
- knotd: added serial parameter to D-Bus event 'external_verify'
- libs: upgraded embedded libngtcp2 to 1.16.0
- configure: new option for specifying Redis module destination (see '--with-redisdir')
- configure: Redis support is fully optional (see '--enable-redis') (Thanks to Nicolas Parlant)
- deb,rpm: renamed inappropriate package 'redis-knot' to 'redis-module-knot'
Bugfixes:
- knotd: failed to build on PowerPC and MIPS
- knotd: missing some checks for file operations
- knotd: zones added via knotc conf-set include not loaded until restart
- knotd: zone-diff after zone-begin prints misleading SOA removal
- knotd: failed to load from other PEM keystores if PKCS #11 keystore is configured
- knotd: failed to restore PKCS #11 keystore #960
- knotc: failed to compile on GNU Hurd
- keymgr: missing deprecation warning for 'local-serial' command
- configure: linked with libhiredis even when configured with --disable-redis
- deb,rpm: incorrect destination for Redis module (see 'Database zone backend')
3.5.0
Features:
- knotd: database zone backend using Redis/Valkey (see 'Database zone backend')
- knotd: support for multiple control sockets (see 'control.listen')
- knotd: external zone validation (see 'External validation')
- knotd: authorization based on certificate hostname validation (see 'DNS over QUIC')
- knotd: multiple keystores can be specified per policy (see 'DNSSEC multiple keystores')
- knotd: specified resource record types can be omitted when loading (see 'zone.zonefile-skip')
- knotd: configurable delay before zone change processing (see 'zone.update-delay')
- knotd: subzone flattening (see 'zone.include-from')
Improvements:
- knotd: optimized dynamic zone addition/removal for many zones
- knotd: optimized catalog updates for many zones
- knotd: replaced a poor atomic fallback with a spin-lock-protected version
- knotd: support for independent SOA serial series on the secondary side
- knotd: self-signed certificate contains SAN instead of CN
- knotd: removed RCU synchronization lock between unrelated zones' updates
- knotd: zone-reload/reload fails if there is a module configuration error
- knotd: control interfaces are started before zones loading
- knotd: session ticket pool is purged on server reload if changed credentials
- knotc: status returns 'Loading' if the server is not yet answering
- knotc: extended tab completion for details, filters, and paths
- kzonecheck: zone origin auto-detection uses SOA owner from the checked zone file
- libknot: XDP drops packets with too many or inappropriate extended IPv6 headers
- libknot: extended XDP checks for correct packets
- libknot: semantically malformed resource records are dumped in generic format
- libs: upgraded embedded libngtcp2 to 1.15.0
- knot-exporter: less confusing option parsing and documentation
- doc: various improvements
Bugfixes:
- knotd: if multiple primaries send NOTIFY concurrently, only the last remote is queried
- knotd: failed to build on macOS with POSIX semaphores
- knotd: early zone free due to RCU-delayed update cleanup
- knotd: server crashes if "" value overrides template master value
- knot-exporter: label collisions caused by duplicate metrics (Thanks to Guillaume Cornet)
Packaging:
- deb,rpm: keymgr extracted to a separate package knot-keymgr
- deb,rpm: new package redis-knot with a Knot module for Redis/Valkey
- docker: upgraded to Debian trixie-slim
Compatibility:
- license: project relicensed to GPL-2.0-or-later
- knotd: new default value of 'policy.nsec3-salt-length' is 0
- knot-exporter: renamed some metrics, labels, or units (see 'Migration')
3.4.8
Features:
- keymgr: implemented key pregeneration for later use (see 'for-later')
Improvements:
- knotd: decreased remote session ticket lifetime to 1200 seconds
- knotd: TCP connection is not shared between SOA and XFR if 'remote.no-edns' is set
- knotd: 'zone.notify-delay' now applies to every outgoing NOTIFY
- knotd: reduced timers database size by omitting zero timer values
- knotd: zone-reload can be called on an expired zone
- knotd: improved configuration commit performance when many zones are present
- keymgr: allowed boolean key flags without an explicit 'on' value
- keymgr: support for colon separators in keyid specification
- utils: added INTERNET and CHAOS aliases for IN and CH class names
- libs: upgraded embedded libngtcp2 to 1.14.0
- doc: various improvements
Bugfixes:
- knotd: possible use after free if member zone is reused when full reload
- knotd: incorrect zone update revert adjustments
3.4.7
Features:
- knotd: implemented optional NOTIFY delay upon zone loading (see 'zone.notify-delay')
- knotd: failed ZONEMD validation emits 'dnssec-invalid' D-Bus event
- kdig: added option for delayed reading of next transfer message (see '+msgdelay')
- kzonecheck: new parameter for job count (see '-j')
Improvements:
- knotd: semantic checks support DS algorithms 5 and 6
- knotd: pending generation of reverse records is logged as warning
- knotd: DNSKEY synchronization considers keytag modulo for better reliability
- knotd: zone-(un)set parser errors no longer logged by the server
- knotd: more verbose zone-(un)set parser errors are returned to the client
- knotc: configuration warnings are printed only with the conf-check command
- kdig: enabled TLS 1.2 support (with warning)
- kdig: more verbose TLS/QUIC certificate information - SAN (see '-dd')
- mod-rrl: disabled optimized KRU version on macOS to fix CPU issues
- libknot: added two specific variants of KNOT_EAGAIN error (KNOT_NET_EAGAIN, KNOT_ETRYAGAIN)
- libs: upgraded embedded libngtcp2 to 1.13.0
- knot-exporter: added maximum libknot version dependency #956
- knot-exporter: removed return statement from a finally block #957
- packaging: new knot-exporter and python3-libknot RPM subpackages
- doc: simplified highlighting of options enabled by default
- doc: various improvements
Bugfixes:
- knotd: false warning for missing glue if NS is at other delegation
- knotd: missing rdata canonicalization in zone-(un)set operations
- knotd: missing check for member zone configured with a non-generated catalog
- knotd: benevolent IXFR skips whole rrset when ignoring a record
- knotd: missing next remove key action log during KSK/algorithm rollover
- knotd: missing catalog template configuration checks
- knotd: missing check for empty QUIC connection in XDP mode
- libknot: incorrect trailing rdata check in packet parser
- kdig: ignored DoQ response from dnsdist #954
- packaging: uninstalling lib*t64 packages removes files from upstream packages
3.4.6
Improvements:
- knotd: default TSIG algorithm is now 'hmac-sha256'
- knotd: added zone expiration info to the failed zone refresh log
- knotd: reverse record generation now accepts multiple forward zones to be reversed
- keymgr: underscores are now tolerated instead of dashes in command names
- keymgr: correct mnemonic 'rsasha1-nsec3-sha1' is used instead of 'rsasha1nsec3sha1'
- kdig: new '+[no]doflag' alias for '+[no]dnssec' #952
- kdig: documented default option values #951
- kxdpgun: extended JSON output with some packet statistics
- doc: various updates and improvements
Bugfixes:
- knotd: failed to stop the server if 'dbus-event: running' is set
- knotd: TLS 0-RTT not working if compiled with the QUIC support
- knotd: TLS handshake fails on FreeBSD
- knotd: outbound QUIC communication fails on FreeBSD
- knotd: KSK submission not ignored in the manual key management mode
- knotd: failed to bind to a UNIX socket on recent Linux kernels
- kzonecheck: failed to check non-trivial zones through standard input
3.4.5
Features:
- knotd: support for SOA serial shift (see 'serial-modulo')
- knotd: new server statistics (see 'tcp-io-timeout' and 'tcp-idle-timeout')
Improvements:
- knotd: better signing performance of many zones in parallel by
moving 'last_signed_serial' from KASP database to timer database
- knotd: the 'terminated inactive client' TCP log moved to debug level
- knotd: allowed initial DDNS to an empty zone
- knotd: extended backup and flush argument checks
- knotd: new debug logs for zone events suspension
- libs: upgraded embedded libngtcp2 to 1.11.0
- doc: new section Multi-primary, updates
Bugfixes:
- libdnssec: inappropriate DNSKEY flags evaluation
- libknot: incorrect VLAN map size calculation for XDP
3.4.4
Features:
- knotd: added support for EDNS ZONEVERSION
- kdig: added support for EDNS ZONEVERSION (see '+zoneversion')
Improvements:
- knotd: improved control error detection and reporting
- kdig: proper section names for exported DDNS messages
- libs: upgraded embedded libngtcp2 to 1.10.0
- python: expanded documentation for the libknot control API
- doc: updated XDP prerequisites
Bugfixes:
- knotd: a DNAME record at the zone apex with active NSEC3 not accepted via XFR
- knotd: configuration abort times out if no active transaction
- knotd: defective serial modulo result if it overflows
- knotd: TLS connections not properly terminated
- knotd: maximum zone TTL not correctly recomputed after RRSIG TTL change
- knotd: zone hangs if zone reload fails (Thanks to solidcc2)
- knotd: statistics dump generates invalid YAML output if XDP is enabled #947
- knotd: insufficient check for incomplete control message
- mod-dnstap: used incorrect type for DDNS messages
- knot-exporter: failed to run with Python 3.11 or older
- tests: test_atomic and test_spinlock require building with the daemon enabled #946
3.4.3
Improvements:
- knotd: improved processing of QNAMEs containing zero bytes
- knotd: zone expiration now aborts possible zone control transaction #929
- knotd: generated catalog member metadata is stored when the zone is loaded
- knotd: new configuration check for using default NSEC3 salt length, which will change
- mod-rrl: added QNAME (if possible) and transport protocol to log messages
- mod-rrl: increased defaults for 'log-period' to 30 secs, 'rate-limit' to 50,
'instant-rate-limit' to 125, and 'time-rate-limit' to 5 ms
- kxdpgun: added space separators to some printed values for better readability
- libs: upgraded embedded libngtcp2 to 1.9.1
- knot-exporter: zone timers metric is now disabled by default (see '--zone-timers')
- packaging: added build dependency softhsm for PKCS #11 testing on RPM distributions
- doc: updated description of DNSSEC key management and module RRL
Bugfixes:
- knotd: more active ZSKs cause cumulative ZSK rollovers
- knotd: zone purge clears active generated catalog member metadata
- mod-rrl: authorized requests are rate limited #943
- kdig: misleading warning about timeout during QUIC connection
- keymgr: public-only keys are marked as missing in the list output
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 28 Apr 2026 12:11:11 +0000 (14:11 +0200)]
samba: Update to version 4.24.1
- Update from version 4.23.6 to 4.24.1
- Update of rootfiles for all three architectures
- Changelog
4.24.1
* BUG 16057: autobuild fails if /proc/version contains trailing space
* BUG 16035: use after free in streams_xattr_connect()
* BUG 16042: rpc workers with long living clients grow server memory keytab
* BUG 16058: vfs_snapper failing to access or enumerate files in subfolders
* BUG 16040: Samba is not built with FORTIFY_SOURCE
* BUG 16055: Fix tests with MIT Kerberos 1.22.x
4.24.0
NEW FEATURES/CHANGES
Authentication information audit support
There are some Active Directory attributes that are not secret, but
are relied on in some forms of authentication. Changes to these
attributes could indicate surreptitious activity. The
"dsdb_password_audit" and "dsdb_password_json_audit" debug classes now
log changes to the following attributes:
* altSecurityIdentities
* dNSHostName
* msDS-AdditionalDnsHostName
* msDS-KeyCredentialLink
* servicePrincipalName
For the JSON logs, changes to these will be logged with the "action"
field set to "Auth info change".
vfs_streams_xattr can hold larger streams
On Linux the size of a single extended attribute is limited to 65536
bytes of size. For some file systems, this is also the overall limit
of space for xattrs, but for example xfs can hold more than that 64k
of extended xattrs, although the individual xattr is still limited to
64k. Setting
streams_xattr:max xattrs per stream = 1
to a higher value than 1 will allow Samba to shard the stream to more
than one xattr. It has an artificial limit of 16 for a maximum stream
length of 1MB.
Support for remote password management (Entra ID SSPR, Keycloak)
When a system such as Entra ID or Keycloak wants to change a user's
password in its own database as well as in AD, it will use a password
reset, meaning it does not transmit the old password to the domain
controller. Normally a password reset avoids password history and age
checks, which would allow a cloud password change to bypass
on-premises password policies. To address this, a password reset using
the "policy hints" control should respect password policies, as if it
were an ordinary password change. Both Entra ID and Keycloak use this,
but until now Samba did not understand this control, and would reject
these reset requests.
Now Samba AD will recognise the policy hints control and enforce local
policy. This allows Microsoft Entra self-service password reset (SSPR)
to work, and for Keycloak to work with the "password policy hints
enabled" option.
Kerberos PKINIT KeyTrust logon support
Samba servers configured with the embedded heimdal KDC and running as an ADDC,
now support "Windows Hello for Business Key-Trust logons". This allows the
PKINIT authentication mechanism to be used with self-signed keys.
The samba-tool computer and user commands have a new "keytrust"
sub-command which allows for the setting and viewing of the public key
details for computer and user accounts. This stores the public key
details in msDS-KeyCredentialLink attribute of the account.
msDS-KeyCredentialLink validation
Updates to the msDS-KeyCredentialLink attribute are validated against the
rules specified by MS-ADTS 3.1.1.5.3.1.1.6.
Kerberos PKINIT strong/flexible key mappings
Samba servers configured with the embedded heimdal KDC and running as an ADDC
now support "Windows Strong and Flexible key mappings" as outlined in
Microsoft KB5014754: Certificate-based authentication changes on Windows domain
controllers.
The default enforcement mode ("full") allows only strong certificate
mappings. The smb.conf option
strong certificate binding enforcement = compatibility
will allow weak mappings where the certificate is newer than the user
account. The option "none" will allow any mappings.
The mappings for an account should be placed in the altSecurityIdentities
attribute and follow the syntax documented in KB5014754.
Kerberos PKINIT SID extension
PKINIT authentication now supports certificates containing an Object SID
extension (extension 1.3.6.1.4.1.311.25.2), this is considered to be a STRONG
mapping for KB5014754.
The computer and user samba-tool commands have a new sub-command
"generate-csr" to generate certificate signing requests.
KDC includes PAC by default
Samba will ignore the value provided by the client in "PA-PAC-REQUEST"
and always include a PAC in responses, unless "kdc always generate
pac" is set to "no".
KDC can insist clients request canonicalization
Canonicalization of principal client names is not mandatory in
Kerberos (per RFC4120), but must be requested by the client. In some
circumstances this allows a client to deceive Active Directory member
servers (known as the "dollar ticket" attack).
The new configuration option "kdc require canonicalization" can be
used to require that clients request canonicalization; if they do not,
their AS_REQ requests will be rejected as if the account was unknown.
The default value is "no", for backward compatibility. Windows clients
will ask for canonicalization by default, so in Windows-heavy
environments it is safe and recommended to set this to "yes".
KDC can avoid potentially confusing canonicalization
Currently when the client does not request canonicalization, when the
KDC looks up a name and there is no match it will append a "$" to the
name and try again. An attacker who can create arbitrary machine
accounts can sometimes get tickets for Unix users by mimicking their
names (the "dollar ticket" attack).
The configuration option
kdc name match implicit dollar without canonicalization = no
can be used to disable this behaviour for clients that do not request
canonicalization. Probably this only affects traditional Unix clients,
as Windows clients use canonicalization. If affected clients want a
ticket for a machine account, they will have to use the full name
including the dollar (e.g. "server$", not "server").
If the "kdc require canonicalization" option cannot be set to "yes"
(because some clients do not request canonicalization) setting this
option to "no" is a good alternative.
KDC provides Kerberos acceptors with canonical client names
By default the KDC will now send Kerberos services the canonicalized
name (the sAMAccountName from the PAC) rather than trusting the cname.
To return to the old behaviour, use
krb5 acceptor report canonical client name = no
in the smb.conf.
This currently affects Heimdal KDC only, not MIT.
KDC recommended configuration:
strong certificate binding enforcement full
kdc always include pac yes
kdc require canonicalization yes
If unable to use "kdc require canonicalization" = "yes", then
"kdc name match implicit dollar without implicit canonicalization" should be
set to "no" if possible.
samba tool
Two new sub-commands have been added to the user and computer commands:
user|computer generate-csr
Generate a Certificate signing request for an account containing the
Object SID extension (extension 1.3.6.1.4.1.311.25.2)
user|computer keytrust
Add the public key details of a self signed certificate to an account.
The command supports PEM and DER encoded public keys.
New AIO rate-limiting VFS module
A new VFS stackable module has been introduced to implement rate-limiting for
asynchronous I/O operations. Administrators can now enforce throughput ceilings
by defining limits in either operations per second or bytes per second. The
module utilizes a token-based algorithm to calculate real-time I/O load; when
limits are exceeded, it dynamically injects millisecond delays into async
operations to maintain the defined threshold.
CephFS FSCrypt support for the VFS ceph_new module
The ceph_new VFS module can now make use of the FSCrypt feature recently added
to CephFS. This enhancement enables data and file name encryption on a per
share basis. A single CephFS file system may host a mix of encrypted and
unencrypted directories.
To obtain the encryption keys needed for FSCrypt the ceph_new module includes
support for the Keybridge protocol. Keybridge is an RPC protocol based on
Varlink that can retrieve keys from a local service via a UNIX socket. Users
can choose to develop a custom Keybridge implementation or use the existing
KMIP-compatible Keybridge server available as part of the sambacc project
(https://github.com/samba-in-kubernetes/sambacc).
Domain encryption types changed to AES by default
The default value of the smb.conf option ‘kdc default domain supported enctypes’
now corresponds to ‘aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96’ (both AES
encryption types) if the domain functional level is 2008 or higher. This
addresses CVE-2026-20833.
smb.conf changes
Parameter Name                                            Description  Default
strong certificate binding enforcement                    New          full
certificate backdating compensation                       New          0
kdc always include pac                                    New          yes
kdc require canonicalization                              New          no
kdc name match implicit dollar without canonicalization   New          yes
kdc default domain supported enctypes                     New          default AES encryption types (if supported by domain)
bugfixes
* BUG 16019: incorrect behavior on rpcclient enumport with rpcd_spoolss
* BUG 16001: altSecurityIdentities X509 issuer DN order is reversed
* BUG 16000: vfs_aio_ratelimit: introduce burst-aware and persistent state
model
4.24.0rc3
* BUG 15990: No function _python_sysroot defined
* BUG 15978: leases torture test flappy
* BUG 15984: smbd: in contend_dirleases() don't bother checking when not
enabled
* BUG 15993: 'net ads kerberos kinit' should use also default ccache name
from krb5.conf
* BUG 15789: "use-kerberos=desired" broken
* BUG 15975: source3/libads/kerberos.c sets wrong failure for negative
connection cache
* BUG 15938: CTDB's statd_callout fails on sm-notify
* BUG 15939: CTDB statd_callout_notify notifies unnecessary clients and loses
their state
* BUG 15939: CTDB statd_callout_notify notifies unnecessary clients and loses
their state
* BUG 15998: Backport domain default AES encryption types to 4.24
4.24.0rc2
* BUG 15979: possible memory leak on rpc_spoolss
* BUG 15972: Winbind group resolution failure
* BUG 15979: possible memory leak on rpc_spoolss
* BUG 15977: ctdbd socket documentation is wrong
* BUG 15976: time_t related build failure on 32bit arch in 4.24.0rc1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 28 Apr 2026 12:11:10 +0000 (14:11 +0200)]
oath-toolkit: Update to version 2.6.14
- Update from version 2.6.13 to 2.6.14
- No change to rootfile
- Changelog
2.6.14
** pam_oath: Support null_usersfile_okay parameter.
The argument no_usersfile_okay forces the module to act as if the user
is not present in the config, if the config file does not exist. This
has security implications; only use it if you know what you are
doing. E.g. if the file is in a mount like home and that fails to be
mounted, then this will succeed even if the OTP is configured for that
user. Patch by Luna, Jan Zerebecki, and Miika Alikirri; see
<https://codeberg.org/oath-toolkit/oath-toolkit/pulls/94>.
** pam_oath README: Suggest `KbdInteractiveAuthentication`.
Instead of deprecated `ChallengeResponseAuthentication`. Patch by
lvgenggeng, see
<https://codeberg.org/oath-toolkit/oath-toolkit/pulls/112>.
** Various build fixes including updated gnulib files.
Fixes building with glibc 2.43, see
<https://codeberg.org/oath-toolkit/oath-toolkit/issues/113>.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 28 Apr 2026 12:11:09 +0000 (14:11 +0200)]
mympd: Update to version 25.0.1
- Update from version 22.1.1 to 25.0.1
- No change to rootfile
- Changelog
25.0.1
- Upd: Translation #1527 #1529
- Fix: Compile error with libmpdclient 2.24 #1528
25.0.0
This is the first release that supports only MPD 0.23.5 and higher and
Lua 5.4.x and higher.
- Feat: Use myGPIOd REST-API #1510
- Feat: Implement merge sort for linked lists
- Feat: Use a faster algorithm for shuffling linked lists
- Feat: Regularly save the myMPD state if myMPD is active
- Feat: Scripting - Add custom Lua function `mympd.firstTableValue`
- Upd: Bump requirement for MPD and Lua versions
- Upd: Search and utf8 handling improvements
- Upd: Add connection header to responses
- Upd: Improve HTTP session handling
- Fix: Check for minimum string length in json payload
- Fix: libutf8proc is an unused shared library in mympd-script #1520
24.0.3
- Upd: Split sds_extras compile unit
- Fix: test_utf8wrap still fails #1519
- Fix: Reset scrolling position on search
24.0.2
- Fix: Define NDEBUG for all release types but Debug #1515
- Fix: utf8 test failures #1514
24.0.1
- Fix: Handle invalid unicode strings #1511
24.0.0
This release improves the integrated search by using string normalization and
adding a fuzzy search option. Furthermore the mpd connection handling was
improved.
The documentation site was migrated from Mkdocs to Sphinx, because of the
deprecation of Material for Mkdocs.
- Feat: Fuzzy substring matching using the levenshtein distance
- Feat: String normalization for album, webradio, playlists and filesystem search
- Feat: Replace utf8 implementation with utf8proc library
- Feat: Add setting for default search operator
- Upd: Migrate documentation to Sphinx with Sphinx Book Theme #1495
- Upd: Move lyrics handling from mympd_api to webserver thread
- Upd: Performance improvements for mympd_api polling
- Upd: Stability improvements in MPD connection handling
- Upd: Limit length of smart playlists #1505
- Fix: Handling of HTTP connections #1503
- Fix: Endless scrolling in mobile view #1504
23.0.1
- Upd: Translations
- Upd: Mongoose 7.20
- Upd: Optimize build for openSUSE Build Service
- Fix: Segvault in album view if song title tag does not exist
- Fix: Segvault in playlist view if song title tag does not exist
23.0.0
This version enhances the jukebox implementation and the album handling.
- Feat: Keep jukebox queue between myMPD restarts #1485
- Feat: Add option for Jukebox Autostart #1482
- Feat: Manually trigger refill of the jukebox queue #1483
- Feat: Configurable jukebox queue lengths #1484
- Feat: Add option for default behavior on click on tag in browse view #1472
- Feat: Optionally group songs with empty album tag in a special
`Unknown Album` album #1472
- Feat: Support large images
- Feat: Add implicit secondary sort tag to album view
- Feat: Add option to increase the size of action icons in lists #1489
- Upd: Remove obsolete config variable save_caches
- Fix: Do not reset scrolling position on update of lists #1478
- Fix: Try to keep select if list is refreshed because of an event #1479
- Fix: Song count and limit calculation for last played list #1487
- Fix: Display Disc 1 for multidisc albums #1490
22.1.2
- Upd: Translations
- Fix: Initialize mg_user_data in debug build
- Fix: Listing songs from Artists List view fails #1474
- Fix: Random select if only one entry must be added #1480
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 28 Apr 2026 12:11:08 +0000 (14:11 +0200)]
lldpd: Update to version 1.0.21
- Update from version 1.0.20 to 1.0.21
- No change to rootfile
- Changelog
1.0.21
* Changes:
+ Add "configure lldp portdescription-source" to choose how to populate port
description (#763)
* Fix:
+ Fix path traversal vulnerabilities in the privileged process (#773, #774)
+ Fix arbitrary file deletion in the privileged process (#772)
+ Fix accuracy of Dot3 MAU types advertised and add support for 200G and 400G (#771)
+ Fix detection of wireless interfaces (#738)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 28 Apr 2026 12:11:06 +0000 (14:11 +0200)]
inotify-tools: Update to version 4.25.9.0
- Update from version 4.23.9.0 to 4.25.9.0
- No change to rootfile
- Changelog
4.25.9.0
Reject fanotify-only options if fanotify is disabled by @defanor in #196
Fix formatting of man page references by @jwilk in #213
Disable SonarCloud by @ericcurtin in #214
Remove dead builds from README.md by @ericcurtin in #215
Add Fedora 39 build to github actions by @ericcurtin in #216
Add flag for forcing static compilation by @nirhaike in #220
Allow recursive watch with --include by @arnib in #229
Fix a crash on >=1024 watched files by @jankratochvil in #230
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 28 Apr 2026 12:11:01 +0000 (14:11 +0200)]
arpwatch: Update to version 3.9
- Update from version 3.8 to 3.9
- No change to rootfile
- Changelog
3.9
- Use mktemp(1) to obtain a temporary file for update-ethercodes
and avoid potential security issues. Reported by Johannes Segitz
(jsegitz@suse.de)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Apr 2026 18:47:01 +0000 (20:47 +0200)]
sed: Update to version 4.10
- Update from version 4.9 to 4.10
- Update of rootfile
- Changelog
4.10
Bug fixes
sed 's/a/b/g' (and other global substitutions) now works on input
lines longer than 2GB. Previously, matches beyond the 2^31 byte offset
would evoke a "panic" (exit 4).
[bug present since the beginning]
'sed --follow-symlinks -i' no longer has a TOCTOU race that could let
an attacker swap a symlink between resolution and open, causing sed to
read attacker-chosen content and write it to the original target.
[bug introduced in sed 4.1e]
sed no longer falsely matches when back-references are combined with
optional groups (.?) and the $ anchor. For example, this no longer
falsely matches the empty string at beginning of line:
$ echo ab | sed -E 's/^(.?)(.?).?\2\1$/X/'
Xab
[bug present since "the beginning"]
In --posix mode, sed no longer mishandles backslash escapes (\n,
\t, \a, etc.) after a named character class like [[:alpha:]].
For example, 's/^A\n[[:alpha:]]\n*/XXX/' would fail to match the
trailing newline, treating \n as a literal backslash and an 'n'
rather than a newline. This happened when an earlier backslash
escape in the same regex had already been converted, shifting the
in-place normalization buffer.
[bug introduced in sed 4.9]
sed --debug no longer crashes when a label (":") command is compiled
before the --debug option is processed, e.g., sed -f<(...) --debug.
[bug introduced in sed 4.7 with --debug]
sed no longer rejects the documented GNU extension 'a**' (equivalent
to 'a*') in Basic Regular Expression (BRE) mode. Previously, this
worked only with -E (ERE mode), even though grep has always accepted
it in BRE mode.
[bug present since "the beginning"]
sed no longer rejects "\c[" in regular expressions
[bug present since the beginning]
'sed --follow-symlinks -i' no longer mishandles an operand that is a
short symbolic link to a long symbolic link to a file.
[bug introduced in sed 4.9]
Fix some longstanding but unlikely integer overflows.
Internally, 'sed' now more often prefers signed integer arithmetic,
which can be checked automatically via 'gcc -fsanitize=undefined'.
Changes in behavior
In the default C locale, diagnostics now quote 'like this' (with
apostrophes) instead of `like this' (with a grave accent and an
apostrophe). This tracks the GNU coding standards.
'sed --posix' now warns about uses of backslashes in the 's' command
that are handled by GNU sed but are not portable to other
implementations.
Build-related
builds no longer fail on platforms without the <getopt.h> header or
getopt_long function.
[bug introduced in sed 4.9]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Apr 2026 18:47:00 +0000 (20:47 +0200)]
man-pages: Update to version 6.18
- Update from version 6.17 to 6.18
- Update of rootfile
- Changelog
6.18
New and rewritten pages
  man2/
    futex_waitv.2
  man3/
    aprintf.3
    io_destroy.3 (previously, io_destroy(2))
    io_setup.3 (previously, io_setup(2))
    rawmemchr.3 (previously, memchr(3))
    stpcpy.3 (previously, strcpy(3))
    strchrnul.3 (previously, strchr(3))
    strdupa.3 (previously, strdup(3))
    strnul.3
    strtok_r.3 (previously, strtok(3))
Newly documented interfaces in existing pages
  man2/
    landlock_create_ruleset.2
      struct landlock_ruleset_attr::scoped
      LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
      LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF
      LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON
      LANDLOCK_CREATE_RULESET_ERRATA
    landlock_restrict_self.2
      LANDLOCK_RESTRICT_SELF_TSYNC
    statmount.2
      req.mnt_ns_id
      STATMOUNT_MNT_NS_ID
      STATMOUNT_MNT_OPTS
      STATMOUNT_FS_SUBTYPE
      STATMOUNT_SB_SOURCE
      STATMOUNT_OPT_ARRAY
      STATMOUNT_OPT_SEC_ARRAY
      STATMOUNT_{UIDMAP,GIDMAP}
      STATMOUNT_SUPPORTED_MASK
      req.mnt_ns_fd
      STATMOUNT_BY_FD
    truncate.2
      ENOSPC
  man3/
    printf.3
    scanf.3
      %wN
  man5/
    core.5
      %f
      FC
  man7/
    landlock.7
      LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
      LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF
      LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON
      LANDLOCK_CREATE_RULESET_ERRATA
      LANDLOCK_RESTRICT_SELF_TSYNC
New and changed links
  man3/
    strndupa.3 (strdupa(3))
    vaprintf.3 (aprintf(3))
Global changes
  - man/
    - man3/
      - Document how string functions relate to each other.
      - Separate documentation of system calls and of libaio wrappers.
Changes to individual files
  The manual pages and other files in the repository have been improved
  beyond what this changelog covers. To learn more about changes applied
  to individual pages, or the authors of changes, use git(1).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 26 Apr 2026 11:44:00 +0000 (13:44 +0200)]
coreutils: Update to version 9.11
- Update from version 9.10 to 9.11
- No change to rootfile
- Changelog
9.11
Bug fixes
'dd' now always diagnoses partial writes correctly upon write failure.
Previously it may have indicated that only full writes were performed.
[This bug was present in "the beginning".]
'fold' will no longer truncate output when encountering 0xFF bytes.
[bug introduced in coreutils-9.8]
'fold' is again responsive to its input. Previously it would have delayed
processing until 256KiB was read from the input.
[bug introduced in coreutils-9.8]
'kill --help' now has links to valid anchors in the html manual.
[bug introduced in coreutils-9.10]
When configured with --enable-systemd, the commands 'pinky',
'uptime', 'users', and 'who' no longer consider the systemd session
classes 'greeter', 'lock-screen', 'background', 'background-light',
and 'none' to be users.
[bug introduced in coreutils-9.4]
'pwd' on ancient systems will no longer overflow a buffer
when operating in deep paths longer than twice the system PATH_MAX.
[bug introduced in coreutils-9.6]
'stat --printf=%%N' no longer performs unnecessary checks of the QUOTING_STYLE
environment variable.
[bug introduced in coreutils-8.26]
'timeout' no longer exits abruptly when its parent is the init process, e.g.,
when started by the entrypoint of a container.
[bug introduced in coreutils-9.10]
New Features
'cut' now supports multi-byte input and delimiters. Consequently
the -c option is now honored, and no longer an alias for -b, and
the -n option is now honored, and no longer ignored.
Also the -d option supports multi-byte delimiters.
'cut' adds new options for better compatibility:
The -w,--whitespace-delimited option was added to support blank aligned fields
and for better compatibility with FreeBSD/macOS.
The -O option was added as an alias for the --output-delimiter option,
for better compatibility with busybox/toybox.
The -F option was added as an alias for -w -O ' '
for better compatibility with busybox/toybox.
'date --date' now parses dot delimited dd.mm.yy format common in Europe.
This is in addition to the already supported mm/dd/yy and yy-mm-dd formats.
Changes in behavior
'cksum --check' now uses shell quoting when required, to more robustly
escape file names output in diagnostics.
This also affects md5sum, sha*sum, and b2sum.
Improvements
'cat' now uses zero-copy I/O on Linux when appropriate, to improve throughput.
E.g., throughput improved 6x from 12.9GiB/s to 81.8GiB/s on a Power10 system.
'df --local' recognises more file system types as remote.
Specifically: autofs, ncpfs, smb, smb2, gfs, gfs2, userlandfs.
'df' improves duplicate mount suppression, by checking each mount against
all previously kept entries for the same device, not just the latest one.
'expand' and 'unexpand' now support multi-byte characters.
'groups' and 'id' will now exit sooner after a write error,
which is significant when listing information for many users.
'install' now allows the combination of the --compare and
--preserve-timestamps options.
'fold', 'join', 'numfmt', 'uniq' now use more consistent blank character
determination on non GLIBC platforms. For example \u3000 (ideographic space)
will be considered a blank character on all platforms.
'nl' now supports multi-byte --section-delimiter characters.
'shuf -i' now operates up to two times faster on systems with unlocked stdio
functions.
'tac' will now exit sooner after a write error, which is significant when
operating on a file with many lines.
'timeout' now properly detects when it is reparented by a subreaper process on
Linux instead of init, e.g., the 'systemd --user' process.
'wc -l' now operates up to four and a half times faster on hosts that support
Neon instructions.
'wc -m' now operates up to 2.6 times faster on GLIBC when processing
non-ASCII UTF-8 characters.
'yes' now uses zero-copy I/O on Linux to significantly increase throughput.
E.g., throughput improved 15x from 11.6GiB/s to 175GiB/s on a Power10 system.
Build-related
./configure --enable-single-binary=hardlinks is now supported on systems
with dash as the system shell at /bin/sh.
[issue introduced in coreutils-9.10]
The test suite may have failed with a "Hangup" error if run non-interactively.
[issue introduced in coreutils-9.10]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 26 Apr 2026 11:44:01 +0000 (13:44 +0200)]
git: Update to version 2.54.0
- Update from version 2.53.0 to 2.54.0
- Update of rootfile
- Changelog
2.54.0
UI, Workflows & Features
"git add -p" and friends note what the current status of the hunk
being shown is.
"git history" history rewriting (experimental) command has been
added.
"git replay" is taught to drop commits that become empty (not the
ones that are empty in the original).
The help text and the documentation for the "--expire" option of
"git worktree [list|prune]" have been improved.
When "git show-index" is run outside a repository, it silently
defaults to SHA-1; the tool now warns when this happens.
"git merge-file" can be run outside a repository, but it ignored
all configuration, even the per-user ones. The command now uses
available configuration files to find its customization.
"auto filter" logic for large-object promisor remote.
"git rev-list" and friends learn "--maximal-only" to show only the
commits that are not reachable by other commits.
Command line completion (in contrib/) update for
"stash import/export".
"git repo info" learns "--keys" action to list known keys.
Extend the alias configuration syntax to allow aliases using
characters outside ASCII alphanumeric (plus -).
A signature on a commit that was GPG signed a long time ago ought to
be still valid after the key that was used to sign it has expired,
but we showed them in alarming red.
"git subtree split --prefix=P <commit>" now checks the prefix P
against the tree of the (potentially quite different from the
current working tree) given commit.
"git add -p" learned a new mode that allows the user to revisit a
file that was already dealt with.
Allow the directory in which reference backends store their data to
be specified.
"gitweb" has been taught to be mobile friendly.
"git apply --directory=./un/../normalized/path" now normalizes the
given path before using it.
"git maintenance" starts using the "geometric" strategy by default.
"git config list" is taught to show the values interpreted for
specific type with "--type=<X>" option.
"git add <submodule>" has been taught to honor
submodule.<name>.ignore that is set to "all" (and requires "git add
-f" to override it).
Hook commands are now allowed to be defined (possibly centrally)
in the configuration files, and run multiple of them for the same
hook event.
The way end-users can add their own "git <cmd>" subcommand by
storing "git-<cmd>" in a directory on their $PATH has not been
documented clearly, which has been corrected.
"git send-email" learns to pass hostname/port to Authen::SASL
module.
"git send-email" learns to support use of client-side certificates.
"git send-email" has learned to be a bit more careful when it
accepts charset to use from the end-user, to avoid y (mistaken
yes when expecting a charset like UTF-8) and other nonsense.
"git status" learned to show comparison between the current branch
and various other branches listed on status.compareBranches
configuration.
"git repo structure" command learns to report maximum values on
various aspects of objects it inspects.
"git rebase" learns "--trailer" option to drive the
interpret-trailers machinery.
"git fast-import" learned to optionally replace signature on
commits whose signatures get invalidated due to replaying by
signing afresh.
"git history" learned the "split" subcommand.
The reference-transaction hook was taught to be triggered before
taking locks on references in the "preparing" phase.
"git apply" now reports the name of the input file along with the
line number when it encounters a corrupt patch, and correctly
resets the line counter when processing multiple patch files.
The HTTP transport learned to react to "429 Too Many Requests".
"git repo info -h" and "git repo structure -h" limit their help output
to the part that is specific to the subcommand.
"git format-patch --cover-letter" learns to use a simpler format
instead of the traditional shortlog format to list its commits with
a new --commit-list-format option and format.commitListFormat
configuration variable.
git backfill learned to accept revision and pathspec arguments.
"git replay" (experimental) learns, in addition to "pick" and
"replay", a new operating mode "revert".
"git replay" now supports replaying down to the root commit.
Handling of signed commits and tags in fast-import has been made more
configurable.
"git config list" is the official way to spell "git config -l" and
"git config --list". Use it to update the documentation.
Performance, Internal Implementation, Development Support etc.
Avoid local submodule repository directory paths overlapping with
each other by encoding submodule names before using them as path
components.
The string_list API gains a new helper, string_list_sort_u(), and
new unit tests to extend coverage.
Improve set-up time of a perf test.
ISO C23 redefines strchr and friends that traditionally took
a const pointer and returned a non-const pointer derived from it to
preserve constness (i.e., if you ask for a substring in a const
string, you get a const pointer to the substring). Update code
paths that used non-const pointer to receive their results that did
not have to be non-const to adjust.
Rename three functions around the commit_list data structure.
Transaction to create objects (or not) is currently tied to the
repository, but in the future a repository can have multiple object
sources, which may have different transaction mechanisms. Make the
odb transaction API per object source.
"git merge-ours" is taught to work better in a sparse checkout.
Allow recording process ID of the process that holds the lock next
to a lockfile for diagnosis.
Reduce dependency on the_repository of xdiff-interface layer.
Code clean-up to use the commit_stack API.
"git diff --anchored=<text>" has been optimized.
A CodingGuidelines update.
Add process ancestry data to trace2 on macOS to match what we
already do on Linux and Windows. Also adjust the way Windows
implementation reports this information to match the other two.
A handful of places used refs_for_each_ref_in() API incorrectly,
which has been corrected.
Some tests assumed "iconv" is available without honoring ICONV
prerequisite, which has been corrected.
Revamp object enumeration API around odb.
Additional tests were introduced to see the interaction with netrc
auth with auth failure on the http transport.
A couple of bugs in use of flag bits around odb API has been
corrected, and the flag bits reordered.
Plumb gitk/git-gui build and install procedure in meson based
builds.
The code to accept shallow "git push" has been optimized.
Simplify build procedure for oxskeychain (in contrib/).
Fix dependency screw-up in meson-based builds.
Wean the mailmap code off of the_repository dependency.
API clean-up for the worktree subsystem.
The last uses of the_repository in "tree-diff.c" have been
eradicated.
Clean-up the code around "git repo info" command.
Mark the merge-ort codebase to prevent more uses of the_repository
from getting added.
The core.attributesfile is intended to be set per repository, but
was kept track of by a single global variable in-core, which has
been corrected by moving it to per-repository data structure.
Use the hook API to replace ad-hoc invocation of hook scripts via
the run_command() API.
Code refactoring around refs-for-each-* API functions.
The parse-options API learned to notice an options[] array with
duplicated long options.
(merge 237e520d81 rs/parse-options-duplicated-long-options later to maint).
The code to maintain mapping between object names in multiple hash
functions is being added, written in Rust.
A bit of OIDmap API enhancement and cleanup.
Move gitlab CI from macOS 14 images that are being deprecated.
The object source API is getting restructured to allow plugging new
backends.
Reduce dependence on the global the_hash_algo and the_repository
variables of wt-status code path.
The way combined list-object filter options are parsed has been
revamped.
Editorconfig filename patterns were specified incorrectly, making
many source files inside subdirectories unaffected, which has been
corrected.
The run_command() API lost its implicit dependency on the singleton
the_repository instance.
The unit test helper function was taught to use backslash
mnemonic notation for certain control characters like "\t", instead
of octal notation like "\011".
Adjust test-lint to allow "sed -E" to use ERE in the patterns.
Clar (unit testing framework) update from the upstream.
Reduce system overhead "git upload-pack" spends on relaying "git
pack-objects" output to the "git fetch" running on the other end of
the connection.
Add a coccinelle rule to break the build when "struct strbuf" gets
passed by value.
Further work on incremental repacking using MIDX/bitmap
The logic to count objects has been cleaned up.
Tweak the build infrastructure by moving tools around.
Uses of prio_queue as a LIFO stack of commits have been written
with commit_stack.
The cleanup of remaining bitmaps in "ahead_behind()" has been
simplified.
split-index.c has been updated to not use the global the_repository
and the_hash_algo variables.
The unsigned integer that is used as a bitset to specify the kind
of branches interpret_branch_name() function has been changed to
use a dedicated enum type.
Various updates to contrib/diff-highlight, including documentation
updates, test improvements, and color configuration handling.
Code paths that loop over another array to push each element into a
strvec have been rewritten to use strvec_pushv() instead.
In case homebrew breaks REG_ENHANCED again, leave an in-code comment
to suggest use of our replacement regex as a workaround.
MinGW build updates.
The way dash 0.5.13 handles non-ASCII contents in here-doc
is buggy and breaks our existing tests, which unfortunately
have been rewritten to avoid triggering the bug.
Object name handling (disambiguation and abbreviation) has been
refactored to be backend-generic, moving logic into the respective
object database backends.
pack-objects’s --stdin-packs=follow mode learns to handle
excluded-but-open packs.
A few code paths that spawned child processes for network
connection weren’t wait(2)ing for their children and letting "init"
reap them instead; they have been tightened.
Adjust the codebase for C23 that changes functions like strchr()
that discarded constness when they return a pointer into a const
string to preserve constness.
A handful of inappropriate uses of the_repository have been
rewritten to use the right repository structure instance in the
read-cache.c codepath.
Internals of "git fsck" have been refactored to not depend on the
global the_repository variable.
Reduce dependency on the_repository in add-patch.c file.
The way the "git log -L<range>:<file>" feature is bolted onto the
log/diff machinery is being reworked a bit to make the feature
compatible with more diff options, like -S/G.
Further work to adjust the codebase for C23 that changes functions
like strchr() that discarded constness when they return a pointer into
a const string to preserve constness.
"git rev-list --maximal-only" has been optimized by borrowing the
logic used by "git show-branch --independent", which computes the
same kind of information much more efficiently.
Fixes since v2.53
HTTP transport failed to authenticate in some code paths, which has
been corrected.
(merge ed0f7a62f7 ap/http-probe-rpc-use-auth later to maint).
The computation of column width made by "git diff --stat" was
confused when pathnames contain non-ASCII characters.
(merge 04f5d95ef7 lp/diff-stat-utf8-display-width-fix later to maint).
The "-z" and "--max-depth" documentation (and implementation of
"-z") in the "git last-modified" command have been updated.
(merge 9dcc09bed1 tc/last-modified-options-cleanup later to maint).
A handful of code paths that started using batched ref update API
(after Git 2.51 or so) lost detailed error output, which have been
corrected.
(merge eff9299eac kn/ref-batch-output-error-reporting-fix later to maint).
"git blame --ignore-revs=… --color-lines" did not account for
ignored revisions passing blame to the same commit an adjacent line
gets blamed for.
(merge d519082d4e rs/blame-ignore-colors-fix later to maint).
Coccinelle rules update.
(merge 60614838a4 tc/memzero-array later to maint).
Giving "git last-modified" a tree (not a commit-ish) died an
uncontrolled death, which has been corrected.
(merge 525ef52301 tc/last-modified-not-a-tree later to maint).
Test contrib/ things in CI to catch breakages before they enter the
"next" branch.
(merge c591c3ceff jc/ci-test-contrib-too later to maint).
A handful of documentation pages have been modernized to use the
"synopsis" style.
(merge a34d1d53a6 ja/doc-synopsis-style-even-more later to maint).
Small clean-up of xdiff library to remove unnecessary data
duplication.
(merge 5086213bd2 pw/xdiff-cleanups later to maint).
Update sample commit-msg hook to complain when a log message has
material mailinfo considers the end of log message in the middle.
(merge 83804c361b pw/commit-msg-sample-hook later to maint).
"git pack-objects --stdin-packs" with "--exclude-promisor-objects"
fetched objects that are promised, which was not wanted. This has
been fixed.
(merge f4eff7116d ps/pack-concat-wo-backfill later to maint).
"git switch <name>", in an attempt to create a local branch <name>
after a remote tracking branch of the same name gave an advice
message to disambiguate using "git checkout", which has been
updated to use "git switch".
(merge 12fee11f21 jc/checkout-switch-restore later to maint).
It does not make much sense to apply the "incomplete-line"
whitespace rule to symbolic links, whose contents almost always
lack the final newline. "git apply" and "git diff" are now taught
to exclude them for a change to symbolic links.
(merge 6a41481c6d jc/whitespace-incomplete-line later to maint).
"git format-patch --from=<me>" did not honor the command line
option when writing out the cover letter, which has been corrected.
Update build procedure for mergetool documentation in meson-based builds.
(merge 58e4eeeeb5 pw/meson-doc-mergetool later to maint).
An earlier attempt to optimize "git subtree" discarded too much
relevant histories, which has been corrected.
A prefetch call can be triggered to access a stale diff_queue entry
after diffcore-break breaks a filepair into two and freed the
original entry that is no longer used, leading to a segfault, which
has been corrected.
(merge 2d88ab078d hy/diff-lazy-fetch-with-break-fix later to maint).
"git fetch --deepen" that tries to go beyond merged branch used to
get confused where the updated shallow points are, which has been
corrected.
(merge 3ef68ff40e sp/shallow-deepen-relative-fix later to maint).
"fsck" iterates over packfiles and its access to pack data caused
the list to be permuted, which caused it to loop forever; the code
to access pack data by "fsck" has been updated to avoid this.
(merge 13eb65d366 ps/fsck-stream-from-the-right-object-instance later to maint).
"git log --graph --stat" did not count the display width of colored
graph part of its own output correctly, which has been corrected.
(merge 064b869efc lp/diff-stat-utf8-display-width-fix later to maint).
The configuration variable format.noprefix did not behave as a
proper boolean variable, which has now been fixed and documented.
(merge ea3a62c40e kh/format-patch-noprefix-is-boolean later to maint).
CI fix.
(merge eb35167dd4 ps/ci-reduce-gitlab-envsize later to maint).
"git diff --no-index --find-object=<object-name>" outside a
repository of course wouldn’t be able to find the object and died
while parsing the command line. The command is made to die in a
bit more user-friendly way.
(merge b0ddc7947c mm/diff-no-index-find-object later to maint).
Fix typo-induced breakages in fsmonitor-watchman sample hook.
(merge 41366e4677 pt/fsmonitor-watchman-sample-fix later to maint).
"git for-each-repo" started from a secondary worktree did not work
as expected, which has been corrected.
(merge e87493b9b4 ds/for-each-repo-w-worktree later to maint).
The construct test "$(command)" = expectation loses the exit
status from the command, which has been fixed by breaking up the
statement into pieces.
(merge d3edca979a fp/t3310-unhide-git-failures later to maint).
While discovering a ".git" directory, the code treats any stat()
failure as a sign that a filesystem entity .git does not exist
there, and ignores ".git" that is not a "gitdir" file or a
directory. The code has been tightened to notice and report
filesystem corruption better.
(merge 1dd27bfbfd ty/setup-error-tightening later to maint).
Plug a few leaks where mmap’ed memory regions are not unmapped.
(merge a8a69bbb64 jk/unleak-mmap later to maint).
A test now uses the symbolic constant $ZERO_OID instead of 40 "0" to
work better with SHA-256 as well as SHA-1.
(merge 30310f3cc4 ss/t3200-test-zero-oid later to maint).
Instead of hardcoded origin, use the configured default remote
when fetching from submodules.
(merge 3b5fb32da8 ng/submodule-default-remote later to maint).
The code in "git help" that shows configuration items in sorted
order was awkwardly organized and prone to bugs.
"imap-send" used to use functions whose use is going to be removed
with OpenSSL 4.0; rewrite them using public API that has been
available since OpenSSL 1.1 since 2016 or so.
(merge 6392a0b75d bb/imap-send-openssl-4.0-prep later to maint).
Fix an example in the user-manual.
(merge 5514f14617 gj/user-manual-fix-grep-example later to maint).
The final clean-up phase of the diff output could turn the result of
histogram diff algorithm suboptimal, which has been corrected.
(merge e417277ae9 yc/histogram-hunk-shift-fix later to maint).
"git diff -U<num>" was too lenient in its command line parsing and
took an empty string as a valid <num>.
(merge 4f6a803aba ty/doc-diff-u-wo-number later to maint).
The handling of the incomplete lines at the end by "git
diff-highlight" has been fixed.
merge-file --object-id used to trigger a BUG when run in a linked
worktree, which has been fixed.
(merge 57246b7c62 mr/merge-file-object-id-worktree-fix later to maint).
"git apply -p<n>" parses <n> more carefully now.
(merge d05d84c5f5 mf/apply-p-no-atoi later to maint).
A test to run a .bat file with whitespaces in the name with arguments
with whitespaces in them was flaky in that sometimes it got killed
before it produced expected side effects, which has been rewritten to
make it more robust.
(merge 3ad4921838 jk/t0061-bat-test-update later to maint).
"git ls-remote +refs/tags/:refs/tags/ https://…" run outside a
repository would dereference a NULL while trying to see if the given
refspec is a single-object refspec, which has been corrected.
(merge 4e5dc601dd kj/refspec-parsing-outside-repository later to maint).
Fix a regression in writing the commit-graph where commits with dates
exceeding 34 bits (beyond year 2514) could cause an underflow and
crash Git during the generation data overflow chunk writing.
The value of a wrong pointer variable was referenced in an error
message that reported that it shouldn’t be NULL.
(merge 753ecf4205 yc/path-walk-fix-error-reporting later to maint).
The check in "receive-pack" to prevent a checked out branch from
getting updated via updateInstead mechanism has been corrected.
"git backfill" is capable of auto-detecting a sparsely checked out
working tree, which was broken.
(merge 339eba65a7 th/backfill-auto-detect-sparseness-fix later to maint).
add_files_to_cache() used diff_files() to detect only the paths that
are different between the index and the working tree and add them,
which does not need rename detection, which interfered with unnecessary
conflicts.
(merge c0ce43376b ng/add-files-to-cache-wo-rename later to maint).
Doc mark-up update for entries in the glossary with bulleted lists.
(merge a65cbd87ea jk/doc-markup-sub-list-indentation later to maint).
CI dependency updates.
(merge 4bdb17e3a8 jc/ci-github-actions-use-checkout-v5 later to maint).
Other code cleanup, docfix, build fix, etc.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 26 Apr 2026 11:44:03 +0000 (13:44 +0200)]
harfbuzz: Update to version 14.2.0
- Update from version 14.0.0 to 14.2.0
- Update of rootfile
- Changelog
14.2.0
- GPU library:
* New color-glyph paint renderer, based on design by Lê Duy Quang.
`hb_gpu_paint_t` walks a font's paint tree (COLRv0 or COLRv1) and encodes
its layers (solid fills, linear / radial / sweep gradients, transforms,
composite groups) into a compact blob.
A new fragment-shader function `hb_gpu_paint()` renders the blob in
premultiplied RGBA; monochrome glyphs are handled transparently via a
synthesized foreground-colored layer.
Shader sources provided in GLSL, WGSL, MSL, and HLSL.
* Paint encoder limitations: the encoder sets `unsupported` and returns
`NULL` when `num_ops` would exceed 32767, `push_group` nests deeper than 4,
or the paint tree calls back through the image callback (PaintImage).
Nested glyph clips are intersected up to 3 levels; a few composite modes
use approximate fallbacks; `push_clip_rectangle` is silently ignored.
* Encode entry point now returns extents and auto-clears the encoder; the
standalone `get_extents()` is gone.
* Gradient color stop interpolation now happens in premultiplied space per
the OpenType COLR specification.
* The foreground color sentinel (`is_foreground`) now correctly preserves the
paint-tree alpha from the encoded color data instead of discarding it.
* The hb-gpu utility gains `--draw` / `--paint` flags with per-font
auto-detect, and `--output-file` / `-o` for headless single-frame rendering
to a PPM image.
- Vector library:
* New PDF output backend. Vector paint glyphs now render to PDF page content,
producing scalable COLRv0 / COLRv1 color-glyph artwork (solid fills, linear
/ radial / sweep gradients, blend modes, PNG images with transparency) that
can be embedded directly in PDF documents. Useful for PDF producers such as
LibreOffice that want crisp, resolution-independent color emoji.
* New SVG id prefix API on paint allows prefixing document references, which
allows for embedding multiple SVGs in the same page without name clashes
(`hb_vector_paint_set_svg_prefix`).
* Removed glyph path dedup from vector draw and paint. Each glyph is emitted
inline; no `<defs>` / `<use>` caching.
* `_glyph()` functions are now thin convenience wrappers documented as
equivalent expansions of the underlying font draw/paint API.
* Drop glyph-source rendering of SVG-in-OT fonts.
- Raster library:
* Drop glyph-source rendering of SVG-in-OT fonts.
- Across Draw / Paint subsystems:
* `_reset()` methods gain matching `_clear()` companions that drop accumulated
data while preserving user configuration. Getter companions added for
setters across raster, vector, and gpu types.
- Various fuzzer fixes for raster, vector, and GPU libraries.
- Paint API:
* New arbitrary-path clip: `hb_paint_push_clip_path_start` / `_end` let
callers clip to a caller-supplied outline, not just a font glyph.
`push_clip_path_start()` returns the draw-funcs (and matching draw data)
for the backend’s path accumulator; the caller drives `hb_draw_*()` into
it, then calls `push_clip_path_end()`, followed by painted ops, then
`hb_paint_pop_clip()` to release the clip. Implemented for all paint
backends: vector (SVG defs + clipPath + url ref), vector PDF (q / path / W
n), raster (path rendered to an alpha mask, intersected with the current
clip), and GPU (the path is encoded into a Slug sub-blob so the fragment
shader clips against it the same way it clips against glyph outlines).
- Shaping:
* Indic: categorize U+1CF5 and U+1CF6 as CS.
- Changed API
* GPU library:
- `hb_gpu_draw_glyph()` now returns `void` (was `hb_bool_t`). Use
`hb_gpu_draw_glyph_or_fail()` if you need the success status.
- `hb_gpu_paint_glyph()` now returns `void` (was `hb_bool_t`) and
internally synthesizes a foreground-colored layer for non-color glyphs
via `hb_font_paint_glyph()`, so every glyph with an outline produces
output. Use `hb_gpu_paint_glyph_or_fail()` (which delegates to
`hb_font_paint_glyph_or_fail()`) if you need to distinguish color vs
synthesized paint. Encoder-level limits (unsupported ops, group-stack
overflow) no longer fail paint_glyph; they surface from
`hb_gpu_paint_encode()` returning `NULL`.
- `hb_gpu_draw_encode()` now takes an `extents` out-parameter and
auto-clears the encoder on return.
- `hb_gpu_draw_darken()` renamed to `hb_gpu_stem_darken()`.
* Vector library:
- `hb_vector_svg_set_precision()` and its paint counterpart renamed to
`hb_vector_draw_set_precision()` / `hb_vector_paint_set_precision()`
(SVG-specific naming is inaccurate with the PDF backend added).
- `hb_vector_draw_glyph()` / `hb_vector_paint_glyph()` now return `void`
(were `hb_bool_t`). Paint additionally gains a draw fallback for
non-color glyphs. Use the matching `_or_fail()` variants for the
`hb_bool_t` return.
* Raster library:
- `hb_raster_draw_glyph()` / `hb_raster_paint_glyph()` now return `void`
(were `hb_bool_t`). Paint additionally gains a draw fallback for
non-color glyphs. Use the matching `_or_fail()` variants for the
`hb_bool_t` return.
* General:
- Many read-only getters gained const on their object argument.
- Six public draw / paint funcs getters across raster, vector, and gpu now
take a const-pointer to the relevant context instance instead of being
singletons:
hb_raster_draw_get_funcs (const hb_raster_draw_t *)
hb_raster_paint_get_funcs (const hb_raster_paint_t *)
hb_vector_draw_get_funcs (const hb_vector_draw_t *)
hb_vector_paint_get_funcs (const hb_vector_paint_t *)
hb_gpu_draw_get_funcs (const hb_gpu_draw_t *)
hb_gpu_paint_get_funcs (const hb_gpu_paint_t *)
This is what lets vector_paint dispatch to SVG- vs PDF- flavored
callbacks transparently when called from outside code; the others
currently use the instance for symmetry only.
- New API
* Draw:
+HB_DRAW_LINE_CAP_BUTT
+HB_DRAW_LINE_CAP_ROUND
+HB_DRAW_LINE_CAP_SQUARE
+hb_draw_line_cap_t
+hb_draw_line()
+hb_draw_rectangle()
+hb_draw_circle()
* Paint:
+hb_paint_push_clip_path_start_func_t
+hb_paint_push_clip_path_end_func_t
+hb_paint_sweep_gradient_tile_func_t
+hb_paint_push_group_for_func_t
+hb_paint_push_group_for()
+hb_paint_funcs_set_push_group_for_func()
+hb_paint_reduce_linear_anchors()
+hb_paint_normalize_color_line()
+hb_paint_sweep_gradient_tiles()
+hb_paint_push_clip_path_start()
+hb_paint_push_clip_path_end()
+hb_paint_funcs_set_push_clip_path_start_func()
+hb_paint_funcs_set_push_clip_path_end_func()
* GPU library:
+HB_GPU_SHADER_STAGE_VERTEX
+HB_GPU_SHADER_STAGE_FRAGMENT
+HB_GPU_SHADER_LANG_INVALID
+hb_gpu_shader_stage_t
+hb_gpu_paint_t
+hb_gpu_paint_create_or_fail()
+hb_gpu_paint_reference()
+hb_gpu_paint_destroy()
+hb_gpu_paint_set_user_data()
+hb_gpu_paint_get_user_data()
+hb_gpu_paint_get_funcs()
+hb_gpu_paint_set_palette()
+hb_gpu_paint_get_palette()
+hb_gpu_paint_set_custom_palette_color()
+hb_gpu_paint_clear_custom_palette_colors()
+hb_gpu_paint_set_scale()
+hb_gpu_paint_get_scale()
+hb_gpu_paint_glyph()
+hb_gpu_paint_encode()
+hb_gpu_paint_clear()
+hb_gpu_paint_reset()
+hb_gpu_paint_recycle_blob()
+hb_gpu_paint_shader_source()
+hb_gpu_paint_glyph_or_fail()
+hb_gpu_shader_source()
+hb_gpu_draw_shader_source()
+hb_gpu_draw_clear()
+hb_gpu_draw_get_scale()
+hb_gpu_draw_glyph_or_fail()
* Raster library:
+hb_raster_draw_clear()
+hb_raster_draw_glyph_or_fail()
+hb_raster_paint_clear()
+hb_raster_paint_glyph_or_fail()
+hb_raster_paint_set_palette()
+hb_raster_paint_get_palette()
+hb_raster_paint_get_foreground()
+hb_raster_paint_set_background()
+hb_raster_paint_get_background()
* Vector library:
+HB_VECTOR_FORMAT_PDF
+hb_vector_draw_clear()
+hb_vector_draw_get_precision()
+hb_vector_draw_get_format()
+hb_vector_draw_glyph_or_fail()
+hb_vector_draw_new_path()
+hb_vector_draw_set_foreground()
+hb_vector_draw_get_foreground()
+hb_vector_draw_set_background()
+hb_vector_draw_get_background()
+hb_vector_paint_clear()
+hb_vector_paint_get_precision()
+hb_vector_paint_get_format()
+hb_vector_paint_get_foreground()
+hb_vector_paint_set_background()
+hb_vector_paint_get_background()
+hb_vector_paint_get_palette()
+hb_vector_paint_glyph_or_fail()
+hb_vector_paint_set_svg_prefix()
+hb_vector_paint_get_svg_prefix()
- Removed API
* GPU library:
-hb_gpu_shader_fragment_source() (replaced by hb_gpu_shader_source(stage))
-hb_gpu_shader_vertex_source() (replaced by hb_gpu_shader_source(stage))
-hb_gpu_draw_get_extents() (extents are now an out-parameter of hb_gpu_draw_encode())
* Vector library:
-hb_vector_draw_set_flat()
-hb_vector_draw_get_flat()
-hb_vector_paint_set_flat()
-hb_vector_paint_get_flat()
14.1.0
- GPU library improvements:
* Add anti-aliased rendering for small sizes.
* Store font scale in blob header.
* Port scale/ppem support to MSL, WGSL, and HLSL shaders.
* Fix contour breaks and bounds quantization in encode.
* Fix garbled rendering after font change in web demo.
* Various robustness fixes.
- Various fuzzing fixes for `harfbuzz-raster`, `harfbuzz-gpu` and
`harfbuzz-vector` libraries.
- Move `HB_NO_CFF` from `HB_LEAN` to `HB_NO_DRAW` closure, and fix
`HB_TINY` build.
- New API:
+hb_gpu_draw_set_scale()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 26 Apr 2026 11:44:02 +0000 (13:44 +0200)]
glib: Update to version 2.88.0
- Update from version 2.87.0 to 2.88.0
- Update of rootfile
- 3 CVE fixes in 2.87.3
- 3 CVE fixes in 2.87.1
- Changelog
2.88.0
* Bugs fixed:
- !5097 gslice: Factor out a size helper macro and stop using MAX in a public
header
2.87.5
* Brown paper bag release to attempt to fix the dist-job in CI; this caused it
to be impossible to build a release archive for 2.87.4
* Bugs fixed:
- !5096 ci: Force a git clone and update the index when running dist-job
2.87.4
* Avoid installing broken symlinks as part of the test data for the gdatetime
tests (!5054, work by Alessandro Astone)
* Fix `g_file_set_contents()` with non-ASCII filenames on Windows (#3873, work
by Lukas K.)
* Bugs fixed:
- #3688 Documentation issue with g_slice_new and g_slice_new0 (Philip
Withnall)
- #3730 Unclear assertion failure message when `G_PARAM_CONSTRUCT` and
`G_PARAM_CONSTRUCT_ONLY` are both specified (depuc8)
- #3814 vs2019-arm64 CI fails with ninja error (Philip Withnall)
- #3873 g_file_set_contents broken on windows for non-ASCII filenames
- #3885 Documentation of g_file_info_get_is_backup() doesn’t define what a
backup file is (depuc8)
- #3897 GLocalFileInfo's set_symlink() is backwards (Philip Withnall)
- #3905 Memory leak in g_desktop_app_info_launch_uris_with_spawn (correctmost)
- !5030 gsocketconnection: Set an error when closed if no address is cached
- !5037 minor doc fixes
- !5047 i18n: Update and correction for Occitan
- !5048 ci: Install gi-docgen in the Fedora CI image
- !5049 Update Serbian translation
- !5050 Update Swedish translation
- !5051 Update French translation
- !5052 Update Bulgarian translation
- !5053 Update Romanian translation
- !5054 tests: Create unix_localtime root directory structure at runtime
- !5055 Update Chinese (China) translation
- !5056 Update Japanese translation
- !5057 Update Korean translation
- !5058 Update Georgian translation
- !5059 Update Ukrainian translation
- !5060 Update Lithuanian translation
- !5061 Update French translation
- !5062 Update Hungarian translation
- !5064 Update Portuguese translation
- !5065 Update Nepali translation
- !5066 i18n: Update for Occitan
- !5068 Update Turkish translation
- !5069 Update Brazilian Portuguese translation
- !5070 Update Galician translation
- !5071 Update Kazakh translation
- !5075 Update Polish translation
- !5076 Update Catalan translation
- !5077 Update Slovenian translation
- !5078 gio-tool-launch: Fix a filename leak
- !5080 Update Catalan translation
- !5081 Update Danish translation
- !5082 Update Polish translation
- !5084 Update British English translation
- !5085 Update Georgian translation
- !5087 Update Nepali translation
- !5088 tests: Fix a minor memory leak in the socket test
- !5089 ci: Drop workaround for GitLab submodule checkout bug
- !5090 Prevent iptosmessage test failures on FreeBSD and Hurd
- !5091 gobject: Disable new construct property check with G_DISABLE_CHECKS
* Translation updates:
- Bulgarian (Alexander Alexandrov Shopov)
- Catalan (Victor Dargallo, Jordi Mas)
- Chinese (China) (luming zh)
- Danish (Ask Hjorth Larsen)
- English (United Kingdom) (Bruce Cowan)
- French (Guillaume Bernard)
- Galician (Francisco Diéguez Souto)
- Georgian (Ekaterine Papava)
- Hungarian (Balázs Úr)
- Japanese (Makoto Sakaguchi)
- Kazakh (Baurzhan Muftakhidinov)
- Korean (Changwoo Ryu)
- Lithuanian (Aurimas Aurimas Černius)
- Nepali (Pawan Chitrakar)
- Occitan (post 1500) (Mejans)
- Polish (Victoria)
- Portuguese (Hugo Carvalho)
- Portuguese (Brazil) (Rafael Fontenelle)
- Romanian (Antonio Marin)
- Serbian (Miloš Popović)
- Slovenian (Martin)
- Swedish (Anders Jonsson)
- Turkish (Emin Tufan Çetin)
- Ukrainian (Yuri Chornoivan)
2.87.3
* Improved support for `GNotification` on Windows (#3867, #3869, work by
Oscar Pernia Moreno)
* Fix module lookups via `GModule` on Cygwin (#3741, work by Ailin Nemui)
* Fix local timezone lookup with nested symlinks in `/etc/localtime` (#3816,
work by Alessandro Astone)
* Fix ordering and sequential consistency of gatomic memory barriers on MSVC
and fallback GCC code paths (#3829, #3852, work by Luca Bacci)
* Fix various integer overflow bugs (#3870, #3871, #3872, CVE-2026-1484,
CVE-2026-1485, CVE-2026-1489, work by Marco Trevisan)
* Add `GSocketControlMessage` subclasses for receiving `IP_TOS` and
`IPV6_TCLASS` (!4846, work by Jakub Adam)
* Support polling more than 1024 FDs on macOS (!4953, work by Ihar Hrachyshka)
* Remove platform-specific backward compatibility from GLib-2.0 as it’s
impossible to support (#3839, !4881, work by Marco Trevisan)
* Improve introspection annotations for delimiters on `g_strsplit_set()` (this
may require changes in introspection bindings)
* Basic support for building and running some functionality on tvOS and watchOS
(!4992, work by Nirbheek Chauhan)
* Add `g_get_monotonic_time()` variant with nanosecond precision (!5004, work
by Benjamin Otte)
* Bugs fixed:
- #3628 Add test suite for gdbus tool (Philip Withnall)
- #3741 GModule incorrectly searches for cyg....so instead of cyg....dll on
Cygwin (Ailin Nemui)
- #3816 Local timezone wrongly considered to be UTC if timezone file in
/usr/share/zoneinfo is a symlink (Alessandro Astone)
- #3829 [RFC] gatomic: Memory barriers should be reversed (Luca Bacci)
- #3839 Broken Unix/Win32 specific GIRs
- #3852 MSVC and GCC-fallback atomics are not sequentially consistent (Luca
Bacci)
- #3863 Iterating over a short (preallocated) GVariant bytestring invalidly
refs a NULL GBytes (Christian Hergert)
- #3865 callable-info/native-address test fails on big endian (Alessandro
Astone)
- #3867 win32: Notifications without body won't show up
- #3869 gnotification-win32: Re-initialize tray icon if `explorer.exe` got
restarted
- #3870 (CVE-2026-1484) (YWH-PGM9867-168) Integer Overflow -> Buffer Underflow
on Glib through glib/gbase64.c via g_base64_encode_close() leads to OOB
Write (Marco Trevisan (Treviño))
- #3871 (CVE-2026-1485) (#YWH-PGM9867-169) Buffer underflow on Glib through
gio/gcontenttype-fdo.c via parse_header() leads to OOB Read/Write (Marco
Trevisan (Treviño))
- #3872 (CVE-2026-1489) (#YWH-PGM9867-171) Integer Overflow on Glib through
glib/guniprop.c via output_marks() leads to OOB Write in
glib/gutf8.c:g_unichar_to_utf8() (Marco Trevisan (Treviño))
- #3877 hash test failing randomly on MSYS2 (Luca Bacci)
- #3880 Integer overflow in gio-launch-desktop from over-long environment
variables (Philip Withnall)
- #3881 Integer overflow in g_resource_find_overlay() from over-long
environment variables (Philip Withnall)
- #3883 Integer overflow in `g_path_get_basename()` when passed an extremely
long path (length ≈SSIZE_MAX) (Philip Withnall)
- #3886 Crash in gdbus-tool on invalid --method argument format (Philip
Withnall)
- #3895 date_time_lookup_era unsafely caches `setlocale` pointer (Philip
Withnall)
- !4846 gio: Add GSocketControlMessage subclasses for receiving IP_TOS and
IPV6_TCLASS
- !4953 darwin: Support g_poll:maxfd >= FD_SETSIZE
- !4957 gstrfuncs: Annotate g_strsplit_set() as taking a byte array of
delimiters
- !4966 gio-tool-{copy,move}: Fix incorrect transfer rate calculation and
improve visualization
- !4968 markup: Better error reporting
- !4970 gutf8: Clarify docs about negative return values
- !4971 gutf8: Use size_t internally for some length calculations
- !4976 docs: Fix a typo and specify a codeblock is C
- !4977 gobject: Add nullable annotation to g_weak_ref_get return value
- !4982 markup: Initialize tag positions
- !4985 ci/fedora, glib/casemap: Add tests for the Azerbaijani cases
- !4987 giomodule: Simplify macro usage for getting the giomodule dir, don't
use it on iOS
- !4991 gio/gdatainputstream: Mark bytes as potentially unused
- !4992 Disable or stub out fork/execv* usage when targeting tvOS and watchOS
- !4993 Windows: Add test-profile
- !4996 Fix some small regressions in the iOS build
- !4997 meson: Add guesses for compute_int to speed up cross-compile setup
- !5002 Update Lithuanian translation
- !5004 Add g_get_monotonic_time() variant with nanosecond precision
- !5006 gfileutils: Fix a regression in `g_path_get_basename()` for plain
files
- !5008 Update Swedish translation
- !5009 Update Kazakh translation
- !5011 Update Romanian translation
- !5012 Compilation fixes for CLangCL and older MSVC
- !5013 Update Czech translation
- !5014 Update Russian translation
- !5015 GApplication: make send_notification / withdraw_notification thread-
safe
- !5018 Update Ukrainian translation
- !5020 Update Romanian translation
- !5021 Update Lithuanian translation
- !5023 Update Greek translation
- !5024 Update Chinese (China) translation
- !5025 Update Slovenian translation
- !5026 Update Brazilian Portuguese translation
- !5027 Update Basque translation
- !5028 gvalue: Update default terminology to initial
- !5029 Update Bulgarian translation
- !5031 Update Galician translation
- !5032 Update Hungarian translation
- !5034 Fix const qualifiers where discarded
- !5036 Address more size types issues
- !5038 Update Kazakh translation
- !5039 Update Catalan translation
- !5040 gsettings-tool: Fix leaks when running set commands
- !5041 gsettings-tool: Fix leaks when specifying invalid schemas
- !5042 Update Spanish translation
* Translation updates:
- Basque (Asier Saratsua Garmendia)
- Bulgarian (Alexander Alexandrov Shopov)
- Catalan (Victor Dargallo)
- Chinese (China) (luming zh)
- Czech (Daniel Rusek)
- Galician (Fran Diéguez)
- Greek, Modern (1453-) (Efstathios Iosifidis)
- Hungarian (Balázs Úr)
- Kazakh (Baurzhan Muftakhidinov)
- Lithuanian (Aurimas Aurimas Černius)
- Portuguese (Brazil) (Juliano de Souza Camargo)
- Romanian (Antonio Marin)
- Russian (Artur S0)
- Slovenian (Martin)
- Spanish (Daniel Mustieles)
- Swedish (Anders Jonsson)
- Ukrainian (Yuri Chornoivan)
2.87.2
* Add initial support for `GNotification` on Windows (#3857, work by
Oscar Pernia Moreno)
* Bugs fixed:
- #3850 g_strsplit_set docs are misleading (Matthias Clasen)
- #3857 win32: Add support for notifications using Shell_NotifyIcon API
- #3858 glib-compile-resources: Incorrect compiler detection on Windows when
building GTK causes a DoS (L. E. Segovia)
- #3863 Iterating over a short (preallocated) GVariant bytestring invalidly
refs a NULL GBytes (Christian Hergert)
- #3864 gir-tracker-bot posting diffs against too-recent-`main` (Marco
Trevisan (Treviño))
- #3867 win32: Notifications without body won't show up
- !4918 gio/unixmounts: use bsearch() to check for set inclusion
- !4949 gdesktopappinfo: Fix -Wsign-conversion warnings
- !4950 gobject: Fix -Wshorten-64-to-32 warnings and enable warning flag
- !4958 gtestutils: Avoid pointless logging string handling in gtestutils
- !4959 glib-unix: Implement g_unix_fd_query_path for Cygwin
- !4964 gio: Fix some -Wsign-conversion warnings
- !4965 gmodule: Enable -Wshorten-64-to-32 warnings for gmodule
- !4967 Fixup unicode 17
2.87.1
* Several low-risk CVE fixes (#3827, #3834, #3845)
* Fix return type of `gi_callable_info_get_closure_native_address()` (#3859,
work by Philip Chimento)
* Tweak thread pool handling for `GTask` threads to prevent stalls (#3840, work
by Ignazio Pillai)
* Respect `NO_COLOR` environment variable in log output (!4898, work by
Aaron Andersen)
* Update file system type lists to mark more file system types as system ones
and to recognise `ntfs3` file systems (!4916 and #3828, work by
Christian Hergert and Alexander Schwinn)
* Add `G_GNUC_FLAG_ENUM` attribute to mark enums as flags (!4900, work by
Philip Chimento)
* Add a static CRT constructor and fusion manifest XML for GLib utilities on
Windows so that `stderr` can be unbuffered and streams are flushed on exit
(#3733, work by Luca Bacci)
* Fix `G_FILE_MONITOR_WATCH_HARD_LINKS` on Windows (#3819, work by Jehan)
* Bugs fixed:
- #74 ignore case and '-' vs '_' differences when matching on enum/flag
nick/name (Emmanuel Fleury)
- #1181 Test failure: check_expected_events
- #3360 msys2-mingw32 CI failure: mingw-w64-i686-gcc and mingw-w64-i686-gcc-
objc are in conflict
- #3733 gi-compile-repository.py test intermittently fails on Windows with
empty stderr (Luca Bacci)
- #3818 g_main_context_check with a NULL context crashes (Michiel Jan Laurens
de Hoon)
- #3819 G_FILE_MONITOR_WATCH_HARD_LINKS flag does not monitor files on Windows
- #3827 (CVE-2025-13601) (#YWH-PGM9867-134) Incorrect calculation of buffer
size in g_escape_uri_string() (Philip Withnall)
- #3828 NTFS not detected by g_file_info_get_attribute_string
- #3834 (CVE-2025-14087) (#YWH-PGM9867-145) Buffer underflow on Glib through
glib/gvariant via bytestring_parse() or string_parse() leads to OOB Write
(Philip Withnall)
- #3840 GTask: g_task_run_in_thread never starts pending tasks (Ignazio
Pillai)
- #3843 glib: Integer overflow in `g_bytes_new_from_bytes()` leads to
corrupted `GBytes` object (Philip Withnall)
- #3845 (CVE-2025-14512) GIO: Integer overflow in file attribute escaping
(Philip Withnall)
- #3851 Integer overflow in `g_buffered_input_stream_peek()` leads to
segmentation fault (Philip Withnall)
- #3859 Return type of gi_callable_info_get_closure_native_address() should be
void* (Philip Chimento)
- !4883 ci: Do not use anymore only/except deprecated syntax
- !4885 ci: Track changes to gir files using artifacts and MRs comments
- !4898 glog: respect NO_COLOR environment variable
- !4899 genvironment: consider macOS behavior when testing g_getenv
- !4900 Add G_GNUC_FLAG_ENUM
- !4904 glog: guard NO_COLOR environment variable check with a GOnce for
performance reasons
- !4907 completion: fix error on nounset mode unknown completions
- !4908 glocalfile: Complain if `faccessat` sets an unusual error and use
AT_FDCWD
- !4909 glocalfile: Fix trash user cancellation not reported on Windows
- !4910 ci: Use issue bot native support for $ISSUE_BOT_API_TOKEN_FILE
- !4913 gdbusprivate: check length of path to GDBus binary
- !4916 gio/gunixmounts: mark some file-system types as system
- !4920 tests: Fix static-link test when running installed
- !4921 gutf8: Add tests and clarify documentation for g_unichar_to_utf8()
- !4922 ci: Enable the gobject-introspection build for the debian-stable-i386
job
- !4923 Added AIX implementation of g_unix_fd_query_path
- !4926 Fix g_strcompress docs (mod 256)
- !4928 Update of the Occitan translation
- !4930 gio/gunixmounts: Mark more file systems as system internal
- !4931 gio/gunixmounts: Replace /bin/efi with /boot/efi
- !4937 docs(GResource): Tweak overlays description
- !4939 gsocks4aproxy: Fix a buffer leak when finishing connecting
- !4941 gsignal: Cleanup handler disconnection avoiding unneeded operations
- !4942 gio: Fix a few -Wsign-conversion warnings
- !4943 ci: Some fixups on the gir checker
* Translation updates:
- Occitan (post 1500) (Mejans)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 26 Apr 2026 11:44:06 +0000 (13:44 +0200)]
iperf3: Update to version 3.21
- Update from version 3.19 to 3.21
- No change to rootfile
- 3 CVE fixes were applied in version 3.19.1
- Changelog
3.21
* Notable user-visible changes
* Support has been added for Global Segmentation Offload (GSO) and
Global Receive Offload (GRO) under Linux (PR #1926, PR #2007,
also note that a number of other pull requests were submitted
towards this functionality).
* The `--bind-dev` option is now supported on macOS (PR #1945).
* Support has been added on macOS for the equivalent of the
`tcp_info` structure (#1411, PR #2008). This change results in
TCP window information being printed in human-readable output
and a number of TCP statistics being added to the JSON output.
* The iperf3 server provides more information about various error
conditions to the client (PR #1914, PR #1931, PR #1950).
* The maximum value for the `--set-mss` option is now 32K (PR
#1816). Note that this option still does not work reliably in
all cases.
* The cancellation type of child threads was changed from
`PTHREAD_CANCEL_ASYNCHRONOUS` to `PTHREAD_CANCEL_DEFERRED`
(#1991, #2003, PR #2004). This change fixes some hangs that
could occur at the end of a test.
* A race condition leading to a crash when closing sockets at the
end of a test has been fixed (PR #1990).
* iperf3 no longer erroneously prints that zero UDP packets were
lost during a lossy UDP test (#1984, PR #1988).
* A division by zero error has been avoided (PR #2002).
* The security posture of the `iperf3.service` file has been
improved considerably by updating a number of settings (PR
#1855). Note that this file is neither installed nor activated
by default.
* Notable developer-visible changes
* iperf3 finally performs `ldconfig` as a part of `make install`
on platforms that require it (#1995, PR #2005).
* Various bug fixes (PR #1960, PR #1981, PR #2001).
* Various documentation fixes (PR #1972, PR #1974, PR #1993).
3.20
* Notable user-visible changes
* Millisecond-resolution representations have been added to JSON
timestamps. (PR #1846)
* The reorder_seen metric, where available, is now available in
the JSON output. (PR #1278)
* A division by zero error has been fixed. (PR #1906)
* Some command-line options were not properly restricted to the
client or server; this problem has been fixed. (#1892 / PR #1894)
* The combination of `--udp` and `--file` is now explicitly
disallowed. (PR #1909)
* It is now possible to get both the full JSON result object as
well as streaming intermediate JSON result objects. This
functionality is enabled by using the new `--json-stream-full`
command-line flag, in addition to the existing `--json-stream`
flag (PR #1903)
* Sends with `--zerocopy` are now properly seeded with data
instead of being all-zeroes. (PR #1949)
* The `--server-max-duration` flag is now allowed on the iperf3 server to impose
a maximum duration on timed tests. (PR #1684)
* The `--rcv-timeout` flag is now ignored for `--bidir`
tests. This change prevents premature termination of
bidirectional tests. (#1766 / PR #1946)
* Several errors in the authentication code were uncovered when
building with OpenSSL 3.5.3 and later versions. These were
fixed. (#1951 / PR #1956)
* Various issues in the iperf3 manual page were fixed up. (PR
#1887, PR #1927, PR #1936, PR #1941, #1891 / PR #1952)
* Notable developer-visible changes
* A build failure with uClibc has been fixed. (#1888 / PR #1890)
* It is now possible to use the API to load RSA keys from a file.
(PR #1889)
* Some calls to sprintf() were replaced with calls to
snprintf(). There were no hazards in the code as written, but
this change might help silence some compiler warnings and
potentially prevent future vulnerabilities. (PR #1929)
* Proper error handling has been added to the `unit_atoX()`
functions. (PR #1394)
* Some memory handling errors in `t_auth` were fixed. (PR #1953)
* Minor enhancements and fixes to GitHub Actions workflows (PR
#1919, PR #1928, PR #1942).
3.19.1
* Notable user-visible changes
* SECURITY NOTE: Thanks to Han Lee with Apple Information Security
for finding and reporting several memory errors
including a buffer overflow within the
`--skip-rx-copy` option, and two memory errors
within authentication, including a heap overflow
in the plaintext password and an assert.
* An off-by-one heap overflow has been fixed in authentication.
(CVE-2025-54349, ESNET-SECADV-2025-0003)
* An assert in authentication has been removed. (CVE-2025-54350,
ESNET-SECADV-2025-0002)
* A buffer overflow in the `--skip-rx-copy` option for zerocopy
has been fixed. (CVE-2025-54351, ESNET-SECADV-2025-0001)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 26 Apr 2026 11:44:08 +0000 (13:44 +0200)]
libcap-ng: Update to version 0.9.3
- Update from version 0.9.2 to 0.9.3
- Update of rootfile
- Changelog
0.9.3
- In cap-audit, split capability analysis across init and runtime phases
- If vm_sockets.h and others are not available, remove "netcap --advanced"
- Add netcap --list-interfaces & --interface to restrict output to 1 interface
- Put bash completions in /usr/share/bash-completion/completions/
- capng_change_id now detects it added setpcap and drops only if it added it
- Add capng_stage_additional_groups and its support in capng_change_id
- Add CAPNG_APPLY_BOUNDING flag to capng_change_id to direct it to apply changes
- filecap: add path-to-fd consistency check in capability write path
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 26 Apr 2026 11:44:07 +0000 (13:44 +0200)]
iproute2: Update to version 7.0.0
- Update from version 6.17.0 to 7.0.0
- Update of rootfile
- Changelog is not provided. Details of changes for versions 7.0.0, 6.19.0 and 6.18.0
can be found in the git commit history at
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 26 Apr 2026 11:44:09 +0000 (13:44 +0200)]
libcap: Update to version 2.78
- Update from version 2.77 to 2.78
- Update of rootfile
- Changelog
2.78
Fix mistakes in setcap for reporting errors: report them with the appropriate filename.
Thanks to Nikolas for reporting these in Bug 220245.
Fix bug in cap.GetIAB() reported and fix provided by Garret Kelly via Bug 220420.
Improve libcap managed memory allocation and support CHERI RISC-V. Reported with fix
by Chris Hofer via Bug 220415.
Add (unverified) support for the PSX mechanism on microblaze, arc, openrisc and xtensa
architectures. Thanks to Tom Petazzoni for including these in Bug 219915
Please let me know if these work or fail on these architectures.
Add C++ support to the run a .so file as an executable mechanism employed by libcap.so,
libpsx.so and pam_cap.so. Not really necessary for the libcap build tree, but wanted
to capture the details of my recent update to a Stackoverflow answer on the topic.
Use BUILD_LDFLAGS when compiling _makenames fix contributed by Khem Raj.
Fix broke some builds, so will revert and apply a more comprehensive fix.
Fixed sendmail issue discussion link. Thanks to Ariel Otilibili for noticing the
breakage and contributing a fix.
Some debugging fixes for use of the kdebug/ testing setup
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 26 Apr 2026 11:44:10 +0000 (13:44 +0200)]
libgcrypt: Update to version 1.12.2
- Update from version 1.12.0 to 1.12.2
- Update of rootfile
- Changelog
1.12.2
* Bug fixes:
- Fix possible ECDH buffer overwrite with zeroes. [T8211]
- Add a missing bounds check to the Dilithium context handling.
[T8208]
- Add point validation when using the new KEM interface. [T8212]
* Other:
- Fix the dead-code of stronger_key_check for RSA. [T8171]
1.12.1
* Bug fixes:
- Fix for a SmartOS (Solaris) build problem due to AVX2 changes.
[T8071]
- Fix a regression in gcry_mpi_ec_curve_point. [T8080]
- Make sure to have MPI limbs pre-allocated in ECC and fix
Weierstrass curve use with PUBKEY_FLAG_PARAM. [T8094]
* Other:
- Add MPI configuration for NetBSD m68k. [T8069]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 26 Apr 2026 11:44:11 +0000 (13:44 +0200)]
libjpeg: Update to version 3.1.4.1
- Update from version 3.1.3 to 3.1.4.1
- No change to rootfile
- Changelog
3.1.4.1
1. Fixed multiple issues, some long-standing and some that were regressions
introduced in 3.1.4, that made the CMake package config files non-relocatable
and broke the `--prefix` option to `cmake --install`.
3.1.4
1. Fixed an issue in the TurboJPEG 2.x compatibility wrapper whereby, if a
calling program attempted to decompress a lossless JPEG image using
`tjDecompress2()` with decompression scaling, the decompressed image was
unexpectedly unscaled. This could have led to a buffer overrun if the caller
allocated the packed-pixel destination buffer based on the assumption that the
decompressed image would be scaled down.
2. The SIMD dispatchers now use `getauxval()` or `elf_aux_info()`, if
available, to detect support for Neon and AltiVec instructions on AArch32 and
PowerPC Linux, Android, and *BSD systems.
3. Hardened the libjpeg API against hypothetical applications that may
erroneously set one of the exposed quantization table values to 0 just before
calling `jpeg_start_compress()`. (This would never happen in a
correctly-written program, because `jpeg_add_quant_table()` clamps all values
less than 1.)
4. Fixed a division-by-zero error that occurred when attempting to use the
jpegtran `-drop` option with a specially-crafted malformed drop image
(specifically an image in which one or more of the quantization table values
was 0.)
5. Fixed an issue in the TurboJPEG API library's data destination manager that
manifested as:
- a memory leak that occurred if a pre-allocated JPEG destination buffer
was passed to `tj3Compress*()` or `tj3Transform()`, `TJPARAM_NOREALLOC` was
unset, and it was necessary for the library to re-allocate the buffer to
accommodate the destination image, and
- a potential caller double free that occurred if pre-allocated JPEG
destination buffers were passed to `tj3Transform()`, multiple lossless
transform operations were performed, and it was necessary for the library to
re-allocate the second buffer to accommodate the second destination image.
6. Fixed an issue in `tj3Transform()` whereby, if `TJPARAM_SAVEMARKERS` was set
to 2 or 4, `TJXOPT_COPYNONE` was not specified, an ICC profile was extracted
from the source image, and another ICC profile was associated with the
TurboJPEG instance using `tj3SetICCProfile()`, both profiles were embedded in
the destination image. The documented API behavior is for `TJXOPT_COPYNONE` to
take precedence over `TJPARAM_SAVEMARKERS` and for `TJPARAM_SAVEMARKERS` to
take precedence over the associated ICC profile. Thus, `tj3Transform()` now
ignores the associated ICC profile unless `TJXOPT_COPYNONE` is specified or
`TJPARAM_SAVEMARKERS` is set to something other than 2 or 4.
7. Fixed an oversight in the libjpeg API whereby, if a calling application
manually set `cinfo.Ss` (the predictor selection value) to a value less than 1
or greater than 7 after calling `jpeg_enable_lossless()` and prior to calling
`jpeg_start_compress()`, an incorrect (all white) lossless JPEG image was
silently generated.
8. Further hardened the TurboJPEG Java API against hypothetical applications
that may erroneously pass huge values to one of the compression, YUV encoding,
decompression, YUV decoding, or packed-pixel image I/O methods, leading to
signed integer overflow in the JNI wrapper's buffer size checks that rendered
those checks ineffective.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
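The same bug class runs through several of the updates above: the three glib CVEs (CVE-2026-1484, CVE-2026-1485, CVE-2026-1489) and the glib issues #3880, #3881 and #3883 are integer overflows in size arithmetic, and libjpeg item 8 describes signed overflow in the JNI wrapper's buffer size checks that "rendered those checks ineffective". The block below is an added illustration of that pattern and its fix; it is not code from glib, libjpeg or IPFire. The functions, sizes and inputs are hypothetical: a wrapped "width * height * bytes-per-pixel" check next to an overflow-checked one, plus the additive "offset + len" variant. The vulnerable shape uses uint32_t so that the wrap is well defined and reproducible; with a signed int the overflow is undefined behaviour and the compiler is free to drop the check altogether, which is what the libjpeg note describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable shape (modelled, not any project's code): the product is
 * formed in a fixed-width type and only then compared with the buffer
 * size, so a huge request can wrap to a small number and pass. */
static bool fits_unchecked(uint32_t width, uint32_t height, uint32_t bpp,
                           uint32_t bufsize)
{
    uint32_t need = width * height * bpp;   /* 65536*65536 wraps to 0 */
    return need <= bufsize;
}

/* Overflow-checked multiply: returns false and leaves *out unchanged when
 * a*b would not fit in size_t. Portable; no compiler builtins needed. */
static bool mul_ok(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Bytes needed for a width x height image at bpp bytes per pixel, or 0 if
 * the count cannot be represented. 0 is never valid for a non-empty image,
 * so callers treat it as "reject". */
static size_t required_bytes(size_t width, size_t height, size_t bpp)
{
    size_t rowbytes, total;
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if (!mul_ok(width, bpp, &rowbytes) || !mul_ok(rowbytes, height, &total))
        return 0;
    return total;
}

/* Hardened shape: the size is computed without wrap, then compared. */
static bool fits_checked(size_t width, size_t height, size_t bpp,
                         size_t bufsize)
{
    size_t need = required_bytes(width, height, bpp);
    return need != 0 && need <= bufsize;
}

/* The additive cousin: "offset + len <= capacity" wraps the same way.
 * Rearranged so that no addition can overflow: bound offset first, then
 * bound len by the space that remains. */
static bool range_ok(size_t offset, size_t len, size_t capacity)
{
    return offset <= capacity && len <= capacity - offset;
}

int main(void)
{
    /* Constructed inputs: a 65536 x 65536 x 4 request against a 1 KiB buffer. */
    printf("unchecked check passes: %d\n", fits_unchecked(65536u, 65536u, 4u, 1024u));
    printf("checked check passes:   %d\n", fits_checked(65536, 65536, 4, 1024));
    printf("range_ok(SIZE_MAX, 1, 4096): %d\n", range_ok(SIZE_MAX, 1, 4096));
    return 0;
}
```

The check in fits_unchecked is exactly the one a reviewer reads as correct, because it is correct for every input that does not wrap; the defence is to do the arithmetic in a function that refuses to produce a wrapped value at all, as required_bytes does, and to phrase additive bounds as a subtraction from capacity rather than an addition to offset.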
Adolf Belka [Sun, 26 Apr 2026 11:44:13 +0000 (13:44 +0200)]
libpng: Update to version 1.6.58
- Update from version 1.6.56 to 1.6.58
- Update of rootfile
- CVE fix applied in 1.6.57
- Changelog
1.6.58
Fixed a regression introduced in version 1.6.56 that caused `png_get_PLTE`
to return stale palette data after applying gamma and background transforms
in-place.
(Reported by ralfjunker <ralfjunker@users.noreply.github.com>.)
1.6.57
Fixed CVE-2026-34757 (medium severity):
Use-after-free in `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST`
leading to corrupted chunk data and potential heap information disclosure.
Also hardened the append-style setters (`png_set_text`, `png_set_sPLT`,
`png_set_unknown_chunks`) against a theoretical variant of the same
aliasing pattern.
(Reported by Iv4n <Iv4n550@users.noreply.github.com>.)
Fixed integer overflow in rowbytes computation in read transforms.
(Contributed by Mohammad Seet.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
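The libpng 1.6.57 entry above describes an "aliasing pattern": a setter such as png_set_PLTE frees the array it already owns and then copies from the caller's pointer, which is a use-after-free when that pointer is the library's own array handed out earlier by a getter. The block below is an added illustration of that pattern and of the order-of-operations fix; it is not libpng code and makes no claim about libpng's internal structure. The info_t object, the palette_* functions, PAL_MAX and the sample palettes are all hypothetical. The vulnerable setter is never called with an aliasing pointer here, since that is undefined behaviour; the hardened one is exercised with the aliasing call.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAL_MAX 256

typedef struct { uint8_t r, g, b; } color_t;

/* Hypothetical info object that owns one heap-allocated palette array. */
typedef struct {
    color_t *pal;
    size_t   num;
} info_t;

/* Getter hands out the internal buffer: the API shape that lets a caller
 * pass the library's own array back into the setter. */
static color_t *palette_get(info_t *info, size_t *num)
{
    *num = info->num;
    return info->pal;
}

/* Vulnerable shape: free the old array, then copy from src. When src is the
 * pointer palette_get handed out, memcpy reads freed memory and whatever
 * the allocator put there lands in the new array (the corrupted chunk data
 * and heap disclosure described in the changelog). */
static bool palette_set_unsafe(info_t *info, const color_t *src, size_t num)
{
    free(info->pal);
    info->pal = malloc(num * sizeof *src);
    if (info->pal == NULL) {
        info->num = 0;
        return false;
    }
    memcpy(info->pal, src, num * sizeof *src);   /* src may be dangling here */
    info->num = num;
    return true;
}

/* Hardened shape: bound the count, copy into a fresh array while src is
 * still valid (aliasing or not), and only then release the old one. */
static bool palette_set_safe(info_t *info, const color_t *src, size_t num)
{
    if (src == NULL || num == 0 || num > PAL_MAX)
        return false;
    color_t *fresh = malloc(num * sizeof *src);
    if (fresh == NULL)
        return false;
    memcpy(fresh, src, num * sizeof *src);  /* src still alive */
    free(info->pal);                        /* old buffer released last */
    info->pal = fresh;
    info->num = num;
    return true;
}

/* Constructed scenario: set a palette, fetch the library's own pointer,
 * edit one entry in place, pass that same pointer back to the setter.
 * Returns 1 if the data survived intact, 0 if not, -1 on allocation failure. */
static int roundtrip_aliased_safe(void)
{
    info_t info = { NULL, 0 };
    color_t seed[4] = { {1,2,3}, {4,5,6}, {7,8,9}, {10,11,12} };
    size_t n = 0;

    if (!palette_set_safe(&info, seed, 4))
        return -1;
    color_t *p = palette_get(&info, &n);
    p[0].r = 0xFF;                          /* edit in place */
    if (!palette_set_safe(&info, p, n)) {   /* p == info.pal: aliasing */
        free(info.pal);
        return -1;
    }
    int ok = info.num == 4 && info.pal[0].r == 0xFF && info.pal[0].b == 3
             && info.pal[3].r == 10 && info.pal[3].b == 12;
    free(info.pal);
    return ok;
}

/* The unsafe setter is fine with a separate source buffer, which is why
 * the bug survives ordinary testing: the aliasing call is the one nobody
 * writes. */
static int roundtrip_separate_unsafe(void)
{
    info_t info = { NULL, 0 };
    color_t a[2] = { {1,1,1}, {2,2,2} };
    color_t b[2] = { {9,9,9}, {8,8,8} };
    if (!palette_set_unsafe(&info, a, 2) || !palette_set_unsafe(&info, b, 2))
        return -1;
    int ok = info.num == 2 && info.pal[0].r == 9 && info.pal[1].r == 8;
    free(info.pal);
    return ok;
}

int main(void)
{
    printf("aliased round trip, safe setter:   %d\n", roundtrip_aliased_safe());
    printf("separate buffers, unsafe setter:   %d\n", roundtrip_separate_unsafe());
    return 0;
}
```

The whole fix is the order of free and memcpy; an equivalent defence for append-style setters (the png_set_text / png_set_sPLT hardening mentioned above) is to copy the caller's data into the new allocation before touching the old one, and to reject a source pointer that lies inside the array about to be reallocated.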
Adolf Belka [Sun, 26 Apr 2026 11:44:14 +0000 (13:44 +0200)]
libsodium: Update to version 1.0.22
- Update from version 1.0.21 to 1.0.22
- Update of rootfile
- Patch fix for arm build has been integrated into the tarball in this version
- Changelog
1.0.22
- Post-quantum key encapsulation is now available. ML-KEM768, the
NIST-standardized lattice-based KEM, is accessible through the
`crypto_kem_mlkem768_*()` functions.
- X-Wing, a hybrid KEM combining ML-KEM768 with X25519 for protection
against both classical and quantum adversaries, is available through the
`crypto_kem_*()` functions. X-Wing is the recommended KEM for most
applications.
- SHA-3 hash functions are now available as `crypto_hash_sha3256_*()`
and `crypto_hash_sha3512_*()`, with both one-shot and streaming APIs.
1.0.21-stable
- Performance: NEON optimizations for Argon2 on ARM platforms.
- Performance: SHA3 (Keccak1600) now leverages ARM SHA3 instructions when
available on ARM platforms.
- Performance: WebAssembly SIMD implementations of Argon2 have been added.
- Emscripten: LTO is now disabled. With Emscripten 4, LTO produced
WebAssembly modules with functions that ran significantly slower than
without it.
- Emscripten: a new option allows compilation with SIMD support.
- Emscripten: native ESM module generation is now supported.
- JavaScript sumo builds now allow up to 80 MiB memory usage, so that
`crypto_pwhash` with the interactive settings can be used in pure
JavaScript, not just WebAssembly.
- XOF state alignment has been relaxed.
- `crypto_core_keccak1600_state` has been added.
- Export missing `crypto_ipcrypt_nd_keygen()` helper function.
- `crypto_auth_hmacsha256_init` and `crypto_auth_hmacsha512_init` now
accept NULL key pointers (with a zero key length), for consistency with
other `_init` functions.
- apple-xcframework: headers are now in a Clibsodium subdirectory
to prevent module.modulemap collisions with other xcframeworks.
- Fixed compilation with GCC on aarch64 and gcc 4.x.
- On aarch64, aes256-gcm is now enabled even when not using clang,
including MSVC.
- Added compatibility with Visual Studio 2026 when toolsets do not
define PlatformToolsetVersion.
- Libsodium can be directly used as a dependency in a Zig project.
- Performance of MSVC builds has been improved.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 26 Apr 2026 11:44:15 +0000 (13:44 +0200)]
libxml2: Update to version 2.15.3
- Update from version 2.15.1 to 2.15.3
- Update of rootfile
- Five CVE fixes applied in 2.15.2
- Changelog
2.15.3
Security
- parser: Pass userData to SAX text callbacks in xmlParseReference (type-confusion)
- entities: copy children in xmlCopyEntity
- c14n: Fix Type confusion in xmlC14NProcessAttrsAxis
- python: Do not decref string after adding to the list (double-free / use-after-free)
- c14n: Reuse tmp_str, xmlStrcat reallocates *cur (double-free)
Improvements
- schemas: Fix relative schemaLocation resolution in XSI assembly in streaming mode
- xmlreader: propagate reader resource loaders to validator parsers
- python: Make python bindings python2 compatible
- xmlregexp: Fix escape-sequence character range matching
- xmlreader: Free input in xmlReaderForFd (memory-leak)
- xmlstring: Free cur on every error for xmlStrncat (memory-leak)
- catalog: Free xmlCatalogResolveCache on cleanup (memory leak)
- Fix nanohttp.c build when --without-output
- test: fix mismatched signed/unsigned comparison
2.15.2
Security
- CVE-2026-1757 fix: Memory leak in xmllint Shell - shell.c
- CVE-2026-0990 fix: Prevent infinite recursion in
xmlCatalogListXMLResolve
- CVE-2026-0992 fix: Exponential behavior when handling
- parser: Fix infinite loop in xmlCtxtParseContent
- CVE-2025-10911 libxslt related: Ignore next/prev of documents when
traversing XPath
- CVE-2026-0989 fix: Add RelaxNG include limit
- xmlIO: use size_t for buffer size reallocation
- uri: fix signed integer overflow in xmlBuildRelativeURISafe
- schematron: fix memory leaks on error paths in xmlSchematronParseRule
- catalog: fix stack overflow from self-referencing SGML CATALOG entries
Improvements
- fuzz: Make fuzzy encoding match more lenient
- Fix C14N type confusion
- meson: Fix build with Meson < 1.3
- xmllint: Use zlib directly
- xmllint: New option to separate xpath results using null, --xpath0
- autotools: Make valgrind actually check for leaks
- meson: Add valgrind test setup
- Fix xmlOutputBufferGetContent output when encoder is set
- threads: don't force _WIN32_WINNT to Vista if it's set to a higher value
- dist: Add generated documentation to the dist as "dist-doc" folder
to simplify downstream packaging of doc
- Fix xmlRemoveEntity removing from wrong hash table
- use duplicating variant in relaxng to mitigate UAF
- Fix memory leak in xmlTextWriterStartAttributeNS on OOM
- meson: remove hardcoded buildtype=debug default
- Fix memory leak of prefix in xmlTextWriterStartElementNS()
- writer: Add a few extra NULL checks to avoid memory leaks on corrupt
writer path.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>