expat: Update to version 2.6.2 - Update from version 2.6.1 to 2.6.2 - Update of rootfile - Changelog 2.6.2 Security fixes: #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers. Please see the commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8 for details. Bug fixes: #839 #841 Reject direct parameter entity recursion and avoid the related undefined behavior Other changes: #847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces #837 Add missing #821 and #824 to 2.6.1 change log #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1) to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/ for what these numbers do Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
xz: Update to version 5.6.1 - Update from version 5.6.0 to 5.6.1 - Update of rootfile - Changelog 5.6.1 * liblzma: Fixed two bugs relating to GNU indirect function (IFUNC) with GCC. The more serious bug caused a program linked with liblzma to crash on start up if the flag -fprofile-generate was used to build liblzma. The second bug caused liblzma to falsely report an invalid write to Valgrind when loading liblzma. * xz: Changed the messages for thread reduction due to memory constraints to only appear under the highest verbosity level. * Build: - Fixed a build issue when the header file <linux/landlock.h> was present on the system but the Landlock system calls were not defined in <sys/syscall.h>. - The CMake build now warns and disables NLS if both gettext tools and pre-created .gmo files are missing. Previously, this caused the CMake build to fail. * Minor improvements to man pages. * Minor improvements to tests. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
wget: Update to version 1.24.5 - Update from version 1.21.4 to 1.24.5 - Update of rootfile not required - Changelog 1.24.5 ** Fix how subdomain matches are checked for HSTS. Fixes a minor issue where cookies may be leaked to the wrong domain ** Wget will now also parse the srcset attribute in <source> HTML tags ** Support reading fetchmail style "user" and "passwd" fields from netrc ** In some cases, prevent the confusing "Cannot write to... (success)" error messages ** Support extremely fast download speeds (TB/s). Previously this would cause Wget to crash when printing the speed ** Improve portability on OpenBSD to run the test suite ** Ensure that CSS URLs are correctly quoted (Bug: 64082) Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
sqlite: Update to version 3450200 - Update from version 3450100 to 3450200 - Update of rootfile not required - Changelog 3450200 (3.45.2) Fix an error in UPSERT, introduced by enhancement 3a in version 3.35.0 (2021-03-12), that could cause an index to get out-of-sync with its table. Forum thread 919c6579c8. Reduce the scope of the NOT NULL strength reduction optimization that was added as item 8e in version 3.35.0 (2021-03-12). The optimization was being attempted in some contexts where it did not work, resulting in incorrect query results. Forum thread 440f2a2f17. Other trifling corrections and compiler warning fixes that have come up since the previous patch release. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
tcl: Update to version 8.6.14 - Update from version 8.6.13 to 8.6.14 - Update of rootfile - Changelog 8.6.14 This is a patch release, so it primarily includes bug fixes and corrections to erratic behavior. Highlighted changes are noted below. The changes file at the root of the source tree contains a more complete list. The Timelines of all changes are online. http://core.tcl-lang.org/tcl/timeline http://core.tcl-lang.org/tk/timeline * [TIP 402] revise path normalization for x-platform UNC path support *** POTENTIAL INCOMPATIBILITY *** * Harmonize Tk's parse of numbers (screen distance, etc) with Tcl *** POTENTIAL INCOMPATIBILITY *** * Iconlist ignores options db for fg text color; affects dialogs *** POTENTIAL INCOMPATIBILITY *** * Aqua: XPutImage() swaps red and blue channels *** POTENTIAL INCOMPATIBILITY *** * [encoding convertfrom] handling of incomplete code sequences *** POTENTIAL INCOMPATIBILITY *** * Harmonize handling of ~ in paths across platforms. *** POTENTIAL INCOMPATIBILITY *** * Fix menu clone binding misbehavior, menu-20.1[2-6]. *** POTENTIAL INCOMPATIBILITY *** * Improved performance of [exec] and [open |$cmd] on unix-like systems, especially with large memory footprints. * Improve performance of large treeview destruction. * Improve performance of large image insertions into text. * Improve widget creation performance due to poor font caching. * Fix notebook tab appearances when placed on edge other than top. * Enable treeview display of partial final line. * Win: restore [exec %var%] that was dropped in 8.6.13. * Allow [chan create {} $cmd]. Enables simulation of server channels. * Allow return from [tk scaling] in safe interps. * Prevent navigation by word exposing clues to masked entry contents. * Fix crashes or hangs in... 
- [chan pop] with pending input - thread finalization of reflected channels - [label .l -bitmap floppy] - [set tcl_precision 15; expr 6.4623485355705287e-27] - [tk busy forget] and [tk busy hold] - channel read into "string" Tcl_Obj can BO, and perform poorly - KVO crash after destroying Aqua's first root toplevel - Test treeview-6ee162c3f9 - Test tailcall-bug-784befb0ba - Tests menu-40.[12] * Repair memory leaks and errors - Eliminate undefined realloc() calls - Silence many warnings from -fsanitize=function - Flawed interfacing with XIM - Tcl_UtfToExternal writing to one-byte buffer - Tcl_UtfToUniChar() handling of 0xC1. - Tk_ConfigureValue could call wrong free() routine. - tests getuncichar-1.* in utf.test - ...and many more * No more support for 32-bit Cygwin * ::tcl_platform(osVersion) updated to report Windows 11 * Accommodate macOS deprecation of sprintf() * Silence macOS 14 warnings about secure restorable state. * Code changes to support ASan use-after-return detection * Revise Tcl_MakeFileChannel() to better partner with pledge() * Prevent false [clock format] error reports on FreeBSD * Region clip & copy make better use of OS facilities. * Update handling of Apple FourCC creator codes. * Text selection omits first character, text-38.1 * Windows: improved support of non-BMP pathnames * Fixed some Y2038 limitations * Fix photo color drawing on X11 32-bit visuals. * Fix <<MenuSelect>> regression on menus with -tearoff * Correct rounding of [nsFont pointSize]. * zlib comment/filename error handling (zlib-8.19, zlib-8.2[012]) * Prevent theme change attempts after Tk finalize. * Make dialogs robust against parent destruction. * Make [tk_chooseColor] robust against failed grab. * Fix menu parsing of @x,y indices. menu-22.[6-9] * Fix inconsistent results from [font measure]. * Fixed [clock scan|add] handling of abbreviated options * Avoid endless loops replacing [unknown] or [history]. * Fix polluted error messages from [send -option]. 
* PNG photo image decoder missed a 0xFF entry. * Fix failing winTime-2.1 on Windows * test string-2.20.1 failed on big endian platforms * Updated bundled packages, libraries, standards, data - Itcl 4.2.4 - sqlite3 3.44.2 - Thread 2.8.9 - TDBC* 1.1.7 - tcltest 2.5.7 - libtommath 1.2.1 - zlib 1.3.1 - Unicode 15.1 - tzdata 2024a Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
shadow: Update to version 4.15.0 - Update from 4.14.5 to 4.15.0 - Update of rootfile not required - Changelog 4.15.0 libshadow: Fix build error (parameter name omitted). Build system: Link correctly with libdl. Install pam configs for chpasswd(8) and newusers(8) when using ./configure --with-libpam --disable-account-tools-setuid. Merge libshadow and libmisc into a single libshadow. This fixes problems in the linker, which were reported at least in Gentoo. Fix build with musl libc. Support out of tree builds useradd(8): Set proper SELinux labels for def_usrtemplate 4.14.6 login(1): Fix off-by-one bugs. passwd(1): Don't silently truncate passwords of length >= 200 characters. Instead, accept a length of PASS_MAX, and reject longer ones. libshadow: Fix calculation in strtoday(), which caused a wrong half-day offset in some cases. Fix parsing of dates in get_date(). Use utmpx instead of utmp. This fixes a regression introduced in 4.14.0. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
sdl2: Update to version 2.30.1 - Update from version 2.28.5 to 2.30.1 - Update of rootfile - Changelog 2.30.1 Fixed a regression causing SDL_WaitEvent() to return spurious failures Fixed X11 cursors on the latest release of GNOME Wayland windows automatically have OpenGL enabled again Fixed memory corruption when converting signed 16-bit audio to float Fixed audio artifacts when converting signed 8-bit audio to float Fixed the clip rectangle not being updated when the viewport changes in the SDL renderer Convert mouse wheel coordinates to the rendering view in the SDL renderer Fixed a crash handling controllers on macOS Fixed a crash setting a window fullscreen with Emscripten Fixed the keyboard automatically popping up when resuming an application on Android 2.30.0 In addition to lots of bug fixes, here are the major changes in this release: General: Added support for 2 bits-per-pixel indexed surface formats Added the function SDL_GameControllerGetSteamHandle() to get the Steam API handle for a controller, if available Added the event SDL_CONTROLLERSTEAMHANDLEUPDATED which is sent when the Steam API handle for a controller changes. This could also change the name, VID, and PID of the controller. Added the environment variable SDL_LOGGING to control default log output macOS: Added the hint SDL_HINT_JOYSTICK_IOKIT to control whether the IOKit controller driver should be used Added the hint SDL_HINT_JOYSTICK_MFI to control whether the GCController controller driver should be used Added the hint SDL_HINT_RENDER_METAL_PREFER_LOW_POWER_DEVICE to choose whether high or low power GPU should be used for rendering, in the case where there are multiple GPUs available Xbox: Added the function SDL_GDKGetDefaultUser() Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
poppler: Update to version 24.03.0 - Update from version 24.01.0 to 24.03.0 - Update of rootfile - find-dependencies run due to sobump. No issues found - Changelog 24.03.0: core: * Fix opening some malformed files. Issue #1447 * Skip drawing image when it has singular matrix. Issue #1114 * Fix crash on malformed files * Small internal code cleanup utils: * pdfdetach: Fix potential directory traversal * pdfimages: Enable to print filenames to stdout. * pdfsig: Add visible name/date when signing an existing form signature field 24.02.0: core: * Fix reading some JBIG2 streams. Issue #1319 * Fix saving some annotation interior color when it's empty * Make searching for fonts when adding annotations a bit faster * Make sure images are compressed when adding them * Small internal code cleanup utils: * pdfimages: return exit code 2 when error opening output files Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
opus: Update to version 1.5.1 - Update from version 1.4 to 1.5.1 - Update of rootfile - Changelog 1.5.1 Opus 1.5.1 fixes the meson build that was broken in 1.5. 1.5 Opus 1.5 is the first release to make extended use of ML in the encoder and decoder. You can read all the details in the release demo page. In summary, major changes since 1.4 include: Significant improvement to packet loss robustness using Deep Redundancy (DRED) Improved packet loss concealment through Deep PLC Low-bitrate speech quality enhancement down to 6 kb/s wideband Improved x86 (AVX2) and Arm (Neon) optimizations Support for 4th and 5th order ambisonics In addition to the improvements above, this release includes many minor bug fixes. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
meson: Update to version 1.4.0 - Update from version 1.3.1 to 1.4.0 - Update of rootfile - Changelog is available on meson website https://mesonbuild.com/Release-notes-for-1-4-0.html Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
iproute2: Update to version 6.8.0 - Update from version 6.7.0 to 6.8.0 - Update of rootfile - Changelog is only available from the git commits. https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/ Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
intel-microcode: Update to version 20240312 - Update from version 20231114 to 20240312 - Update of rootfile - For the changelog details see the releasenote.md file in the source tarball. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
openjpeg: Update to version 2.5.2 - Update from version 2.5.0 to 2.5.2 - Update of rootfile - Changelog 2.5.2 (Feb 2024) No API/ABI break compared to v2.5.1 * Make sure openjpeg.h includes opj_config.h [\#1514](https://github.com/uclouvain/openjpeg/issues/1514) 2.5.1 (Feb 2024) No API/ABI break compared to v2.5.0 * CMake: drop support for cmake < 3.5 * Several bugfixes, including [\#1509](https://github.com/uclouvain/openjpeg/pull/1509) for CVE-2021-3575 * Significant speed-up rate allocation by rate/distoratio ratio [\#1440](https://github.com/uclouvain/openjpeg/pull/1440) Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
libplist: Update to version 2.4.0 - Update from version 2.3.0 to 2.4.0 - Update of rootfile - Changelog 2.4.0 - Changes: * Add a PLIST_OPT_NONE value to plist_write_options_t * autoconf: Allow disabling build of test suite * Update doxygen config and document undocumented macros * Add an explicit PLIST_FORMAT_NONE value * Add a libplist_version() function to the interface * docs: Use README.md to generate mainpage with doxygen - Bugfixes: * Several compiler-related fixes and code improvements * Plug memory leak in plist_write_to_stream() * Prevent adding NULL items to array/dictionary nodes * Fix parallel running of test suite * Fix cython bindings * Fix OOB read in plist_from_memory() Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
knot: Update to version 3.3.5 - Update from version 3.2.4 to 3.3.5 - Update of rootfile - Changelog 3.3.5 (2024-03-06) Features: - knotd: new module mod-authsignal for automatic authenticated DNSSEC bootstrapping records synthesis (Thanks to Peter Thomassen) - kzonecheck: new optional ZONEMD verification (see option '-z') Improvements: - knotd: new DNSSEC key rollover log informs about next planned key action - knotd, kzonecheck: added limit on non-matching keys with a duplicate keytag - knot-exporter: added counter-type variant for each metric (Thanks to Marcel Koch) - libs: upgraded embedded libngtcp2 to 1.3.0 - doc: various fixes and updates Bugfixes: - knotd, kzonecheck: failed to validate RRSIG if there are more keys with the same keytag - knotd, kzonecheck: failed to validate zone with more CSK keys - libknot: insufficient check for malformed TCP header options over XDP 3.3.4 (2024-01-24) Features: - knotd: new configuration item for clearing configuration sections (see 'clear') - knotc: configuration import can preserve database contents (see '+nopurge' flag) - kxdpgun: new parameter for setting UDP payload size in EDNS (see '--edns-size') #915 Improvements: - knotd: extended configuration check for 'zonefile-load' and 'journal-content' - knotd: lowered check limit for additional NSEC3 iterations to 0 - knotd: lowered severity level of an informational backup log - knotd: better log message when flushing the journal - knotd: zone restore checks if requested contents are in the provided backup - knotc: '+quic' is default for zone backup, '+noquic' is default for zone restore - kdig: better processing of timeouts and reduced sent datagrams over QUIC - kdig: no retries are attempted over QUIC - keymgr: improved compatibility with bind9-generated keys - libs: some improvements in XDP buffer allocation - libs: upgraded embedded libngtcp2 to 1.2.0 - doc: various fixes and updates Bugfixes: - knotd: failed to build on macOS #909 - knotd: 'nsec3-salt-lifetime: -1' 
doesn't work if 'ixfr-from-axfr' is enabled - knotd: unnecessarily updated RRSIGs if 'ixfr-from-axfr' and signing are enabled - knotc: zone check complains about missing zone file #913 - kdig: failed to try another target address over QUIC - libknot: infinite loop in knot_rrset_to_wire_extra() #916 3.3.3 (2023-12-13) Features: - knotd: new 'pattern' mode of ACL update owner matching (see 'acl.update-owner-match') - knotc: new '+keysonly' filter for zone backup/restore Improvements: - knotd: zone purging waits for finished zone expiration for better reliability - knotd: remote configuration considers more 'via' with the same address family - knotd: refresh doesn't fall back from IXFR to AXFR upon a network error - knotd: increased default for 'policy.rrsig-refresh' by (0.1 * 'rrsig-lifetime') - knotd: new control flag 'u' for unix time output format from zone status - knotd: extended check for inconsistent acl settings - knotd/libknot: simplified TCP/QUIC sweep logging - mod-dnsproxy: all configured remote addresses are used for fallback operation - mod-dnsproxy: module responds locally if forwarding fails instead of SERVFAIL - libs: upgraded embedded libngtcp2 to 1.1.0 - doc: various fixes and extensions Bugfixes: - knotd: zone backup fails due to improper backup context deinitialization #891 - knotd: failed to sign the zone if maximum zone's TTL is too high - knotd: malformed TCP header if used with QUIC in the generic XDP mode - knotd: server can crash when processing new TCP connections over XDP - knotd: incorrect initialization of TCP limits - knotd: orphaned PEM file not deleted when key generation fails - knotd/libknot: connection timeouts over QUIC due to incomplete retransfer handling #894 - kdig: crashed when querying DNS over TLS if TLS handshake times out #896 - kzonecheck: failed to check DS with SHA-1 or GOST if not supported by local policy - libdnssec: failed to compile with GnuTLS if PKCS #11 support is disabled 3.3.2 (2023-10-20) Features: - knotd: 
support for IXFR from AXFR computation (see 'zone.ixfr-from-axfr') - knotd: support benevolent IXFR (see 'zone.ixfr-benevolent') - knot-exporter: new configuration option '--no-zone-serial' #880 Improvements: - libs: upgraded embedded libngtcp2 to 1.0.0 - knotd: added logging of new SOA serial when signing is finished - knotd: unified some XDP-related logging - keymgr: improved error message if a key file is not accessible - keymgr: added offline RRSIGs validation at the end of their validity intervals - kdig: upgraded EDNS presentation format to draft version -02 - kdig: simplified QUIC connection without extra PING frames - kzonecheck: removed requirement that DS is at delegation point - doc: various fixes and improvements Bugfixes: - knotd: logged incorrect new SOA serial if 'zonefile-load: difference' is set #875 - knotd: more signing threads with a PKCS #11 keystore has no effect #876 - knotd: DNAME record returned with query domain name instead of actual name #873 - knotd: failed to import configuration file if mod-geoip is in use #881 - knotd: failed to sign RRSet that fits to 64k only if compressed - knotd: broken zone update context upon failed operation over control interface - keymgr: offline RRSIGs not refreshed if 'rrsig-refresh' is not set - knsupdate: incorrect processing of @ in the delete operation #879 - knot-exporter: failed to parse knotd PIDs on FreeBSD Packaging: - docker: added support for (inter-container) D-Bus signaling 3.3.1 (2023-09-11) Improvements: - knotd: multiple catalog groups per member are tolerated, but only one is used - modules: added const qualifier to various function parameters #877 (Thanks to Robert Edmonds) - libs: upgraded embedded libngtcp2 to 0.19.1 Bugfixes: - knotd: TCP over XDP fails to respond - knotd: server can crash when adjusting a wildcard glue - knotd: failed to forward DDNS if 'zone.master' points to 'remotes' - knotd: broken YAML statistics if more modules are configured #874 - knotd: DDNS forwarding isn't 
RFC 8945 compliant 3.3.0 (2023-08-28) Features: - knotd: full DNS over QUIC (DoQ, RFC 9250) implementation, also without XDP - knotd: bidirectional XFR over QUIC (XoQ) support with opportunistic, strict, and mutual authentication profiles - knotd: automatic reverse PTR records pre-generation (see 'zone.reverse-generate') - knotd: new per zone statistic counters 'zone.size' and 'zone.max-ttl' - knotd: new primary server pinning (see 'zone.master-pin-tolerance') - knotd: new SOA serial modulo policy (see 'zone.serial-modulo') - knotd: new multi-signer operation mode (see 'policy.dnskey-sync' and 'DNSSEC multi-signer') - kdig: support for EDNS presentation format, also in JSON mode (see '+optpresent') - kxdpgun: new TCP/QUIC debug mode 'R' for connection reuse - kxdpgun: new XDP mode parameter '--mode' (Thanks to Jan Včelák) - kxdpgun: new parameter '--qlog' for qlog destination specification - kzonecheck: new '--print' parameter for dumping the zone on stdout Improvements: - knotd: secondary can be configured not to forward DDNS (see 'zone.ddns-master') - knotd: extended support for UNIX socket configuration (remote, acl) - knotd: stats no longer dump empty or zero counters - knotd: new 'keys-updated' D-Bus event - knotd: added transport protocol information to outgoing event and nameserver logs - knotd: server cleans up stale LMDB readers when opening a RW transaction - knotd,kzonecheck: semantic check allows DS only at delegation point - knotc: new zone backup filters '+quic' and '+noquic' for QUIC key backup - mod-dnstap: DNS over QUIC traffic is marked as QUIC - kxdpgun: QUIC connections are closed by default - libs: upgraded embedded libngtcp2 to 0.18.0 - kdig: QUIC, TLS, or HTTPS protocol is printed in the final statistics - doc: new sections 'DNS over QUIC' and 'DNSSEC multi-signer' - doc: various improvements Bugfixes: - knotd: server can crash if a shared module is loaded and dynamic configuration used - knotd: inaccurate transfer size is logged if EDNS 
EXPIRE, PADDING, or TSIG is present - knotd: subsequent addition and removal to catalog zone isn't handled properly - knotc: configuration import fails if an explicit shared module is configured - utils: database transactions not properly closed when terminated prematurely - kdig: double-free on some malformed responses over QUIC #869 - kdig: some TLS parameters override QUIC parameters - libs: NULL record with empty RDATA isn't allowed - tests: dthreads destructor test sometimes fails Compatibility: - knotd: responses to forwarded DDNS requests are signed with local TSIG key - knotd: NOTIFY-initiated refresh tries all configured addresses of the remote - knotd: configuration option 'xdp.quic-log' was replaced with 'log.quic' - libs: removed embedded libbpf, an external one is necessary for XDP - libs: DNS over QUIC implementation only supports 'doq' ALPN - ctl: removed 'Version: ' prefix from 'status version' output - modules: reduced parameters of 'knotd_qdata_local_addr()' Packaging: - knot-exporter: Prometheus exporter imported from GitHub - knot-exporter: packages for Debian, Ubuntu, and PyPI - debian,ubuntu: new self-hosted repository (see https://pkg.labs.nic.cz/doc/) - docker: upgraded to Debian bookworm-slim 3.2.9 (2023-07-27) Improvements: - keymgr: 'import-pkcs11' not allowed if no PKCS #11 keystore backend is configured - keymgr: more verbose key import errors - doc: extended migration notes - doc: various improvements Bugfixes: - knotd: server may crash when storing changeset of a big zone migrating to/from NSEC3 - knotd: zone refresh loop when all masters are outdated and timers cleared - knotd: failed to activate D-Bus notifications if not started as systemd service - kjournalprint: database transaction not properly closed when terminated prematurely 3.2.8 (2023-06-26) Improvements: - kdig: malformed messages are parsed and printed using a best-effort approach - python: new dname from wire initialization Bugfixes: - knotd: missing outgoing NOTIFY upon 
refresh if one of more primaries is up-to-date - knotd: journal loop detection can prevent zone from loading - knotd: cryptic error message when journal is full #842 - knotd: failed to query catalog zone over UDP - configure: libngtcp2 check wrongly requires version 0.13.0 instead of 0.13.1 3.2.7 (2023-06-06) Features: - knotd: new configuration option for preserving incoming IXFR changeset history (see 'zone.ixfr-by-one') Improvements: - knotd: journal ensures the stored changeset's SOA serials are strictly increasing - knotd: more effective handling of zero KNOT_ZONE_LOAD_TIMEOUT_SEC environment value - knotd, kdig: incoming transfer fails if a message has the TC bit set - knotd, kjournalprint: store or print the timestamp of changeset creation - kxdpgun: load only necessary number of queries (Thanks to Petr Špaček) - kxdpgun: print ratio of sent vs. requested queries (Thanks to Petr Špaček) - kxdpgun: print percentages as floats (Thanks to Petr Špaček) - kjournalprint: ability to print a changeset loop - kjournalprint: added changeset serials information to '-z -d' output - packaging: RHEL9 requires libxdp like fedora since RHEL 9.2 #844 - doc: various improvements Bugfixes: - knotd: journal loading can get stuck in a multi-changeset loop - knotd: missing RCU lock when reading zone through the control interface - knotd: server start D-Bus signaling doesn't work well if the zone file is missing, catalog zones are used, or in the async-start mode - knotd: test suite fails on 32bit architectures on musl 1.2 and newer #843 - knotd: failed to process zero-length messages over QUIC - libs: compilation with embedded ngtcp2 fails if there is another ngtcp2 in the path 3.2.6 (2023-04-04) Improvements: - libs: upgraded embedded libngtcp2 to 0.13.1 - libs: added support for building on Cygwin and MSYS (Thanks to Christopher Ng) - mod-dnstap: improved precision of stored time values - kdig: added option for EDNS EXPIRE (see '+expire') #836 - kdig: extended description of SOA 
timers in the multiline mode - kdig: reduced latency of TLS communication - libknot: added EDE codes 28 and 29 - doc: various improvements Bugfixes: - knotd: generated catalog zone not updated upon server reload #834 - knotd: failed to check shared module configuration - knotd: missing RCU registration of the statistics thread (Thanks to Qin Longfei) - knotd: server logs failed to send QUIC packets in the XDP mode - libs: inconsistent transformation of IPv4-Compatible IPv6 Addresses - utils: failed to load configuration if dnstap module is enabled #831 - libknot: missing include string.h 3.2.5 (2023-02-02) Features: - knotd: new configuration option for enforcing IXFR fallback (see 'zone.provide-ixfr') Improvements: - knotd: changed UNIX socket file mode to 0222 for answering and 0220 for control - mod-probe: new support for communication over a UNIX socket - kdig: new support for communication over a UNIX socket - libs: upgraded embedded libngtcp2 to 0.13.0 - doc: various improvements Bugfixes: - knotd: failed to get catalog member configuration if catalog template is in a template - knotd: failed to respond over a UNIX socket with EDNS - knotd: unexpected zone update upon restart or zone reload if ZONEMD generation is enabled - knotd: redundant zone flush of unchanged zone if zone file load is 'difference-no-serial' - knotd/kxdpgun: failed to receive messages over XDP with drivers tap or ena - knotc: zone check doesn't report missing zone file #829 - kxdpgun: program crashes when remote closes QUIC connection instead of resumption - mod-geoip: configuration check leaks memory in the geodb mode - utils: unwanted color reset sequences in non-color output Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ghostscript: Update to version 10.03.0 - Update from version 10.02.1 to 10.03.0 - Update of rootfile - Changelog 10.03.0 Highlights in this release include: A vulnerability was identified in the way Ghostscript/GhostPDL called tesseract for the OCR devices, which could allow arbitrary code execution. As a result, we strongly urge anyone including the OCR devices in their build to update as soon as possible. As of this release (10.03.0) pdfwrite creates PDF files with XRef streams and ObjStm streams. This can result in considerably smaller PDF output files. See Vector Devices for more details. Ghostscript/pdfwrite now supports passing through PDF "Optional Content". Our efforts in code hygiene and maintainability continue. The usual round of bug fixes, compatibility changes, and incremental improvements. (9.53.0) We have added the capability to build with the Tesseract OCR engine. In such a build, new devices are available (pdfocr8/pdfocr24/pdfocr32) which render the output file to an image, OCR that image, and output the image "wrapped" up as a PDF file, with the OCR generated text information included as "invisible" text (in PDF terms, text rendering mode 3). Mainly due to time constraints, we only support including Tesseract from source included in our release packages, and not linking to Tesseract/Leptonica shared libraries. Whether we add this capability will be largely dependent on community demand for the feature. See Enabling OCR for more details. Incompatible changes (10.03.0) Almost all the "internal" PostScript procedures defined during the interpreter startup are now "executeonly", further reducing the attack surface of the interpreter. The nature of these procedures means there should be no impact for legitimate usage, but it is possible it will impact uses which abuse the previous accessibility (even for legitimate reasons). Such cases may now require "DELAYBIND", See DELAYBIND (10.03.0) The "makeimagedevice" non-standard operator has been removed. 
It allowed low level access to the graphics library in a way that was essentially impossible to secure. (10.03.0) The "putdeviceprops", "getdeviceprops", "finddevice", "copydevice", "findprotodevice" non-standard operators have all been removed. They provided functionality that is either accessible through standard operators, or should not be used by user PostScript. (10.03.0) The process of "tidying" the PostScript namespace should have removed only non-standard and undocumented operators. Nevertheless, it is possible that any integrations or utilities that rely on those non-standard and undocumented operators may stop working or may change behaviour. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>