Michael Tremer [Tue, 3 Feb 2026 10:15:51 +0000 (10:15 +0000)]
initscripts: Don't perform value filtering in readhash
Since we now have a safe way to parse values from the configuration
file, we should no longer require filtering any more. We will have to be
very careful with working with these values.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Jan 2026 21:44:03 +0000 (22:44 +0100)]
openssl: Update to version 3.6.1
- Update from version 3.6.0 to 3.6.1
- Update of rootfile
- 12 CVE fixes
- Changelog
3.6.1
OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this
release is High.
This release incorporates the following bug fixes and mitigations:
* Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
([CVE-2025-11187])
* Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing.
([CVE-2025-15467])
* Fixed NULL dereference in `SSL_CIPHER_find()` function on unknown cipher ID.
([CVE-2025-15468])
* Fix a buffer overread and an infinite loop in format processing (reported by
Giorgi Kobakhia, issue 4735).
* Allow drag in alternate screen again (issue 4743 reported by Brad King).
* Fix y offset of mouse if status at top (issue 4738 from Michael Grant).
* Add a missing skin tone (from Jake Stewart, issue 4736).
* Allow characters to be combined in either order (issue 4726, reported by Jake
Stewart).
* Fix horizontal mouse resizing when pane status lines are on (from Michael
Grant, issue 4720).
* Fix noattr so it does not delete attributes set in the style itself (issue
4713).
* Newer libevents do not allow event_del on a zero'd event (issue 4706).
* Place cursor on correct line if message-line is not 0 (issue 4707).
* Fix compile error on FreeBSD (from Yasuhiro Kimura, issue 4701).
CHANGES FROM 3.5a TO 3.6
* Add seconds options for clock mode (issue 4697).
* Add a resize callback for menus so that they are correctly moved on resize
(issue 4696).
* Make -v to source-file pass through to subsequent source-file commands (issue
4216).
* If display-popup is used inside a popup, modify that popup (issue 4678).
* Add selection-mode command to explicitly set the selection mode in copy mode
(issue 3842).
* Save and restore images in alternate screen (issue 3732).
* Ignore Hangul filler character (issue 3998).
* Improve handling of regional indicators and emoji modifiers (issue 3998).
* Preserve marked pane with swap-window and move-window (issue 3443).
* Set and check COLORTERM as a hint for RGB colour.
* If tmux receives a palette request (OSC 4) in a pane and the palette entry
has not been set, send a request to the most recently used client and
forward any response instead (based on change from Tim Culverhouse, issue
4665).
* Add -l flag to command-prompt to disable splitting into multiple prompts
(issue 4483).
* Don't enter copy mode on mouse wheel in alternate screen (issue 3705).
* Add commands to centre the cursor in copy mode (issue 4662).
* Support case insensitive search in modes in the same way as copy mode
(like emacs, so all-lowercase means case insensitive) (issue 4396).
* Fix the logic of the no-detached case for the detach-on-destroy option (from
Martin Louazel, issue 4649).
* Add buffer_full format variable (from Mohammad AlSaleh, issue 4630).
* Introduce a new window option, tiled-layout-max-columns, which configures the
maximum number of columns in the tiled layout.
* Add support for DECRQSS SP q (report cursor style), DECRQM ?12 (report cursor
blink state) and DECRQM ?2004, ?1004, ?1006 (report mouse state) (from
Andrea Alberti, issue 4618).
* Fix missing argument from OSC 4 reply (issue 4596).
* Add -k flag to display-popup which allows any key to dismiss the popup once
the command has exited (from Meriel Luna Mittelbach, issue 4612).
* Add nicer default second and third status lines (from Michael Grant, issue
4490).
* Add a pane-border-lines "spaces" value to use spaces for pane borders (issue
4587).
* Replace invalid UTF-8 characters with the placeholder instead of ignoring
them (issue 4514).
* Fix incorrect handling of Korean Hangul Jamo characters (from Roy Jung, issue
4546).
* Allow uppercase letters in gray/grey color names (from Pavel Roskin, issue
4560).
* Add sorting to W, P, L loop operators (from Michael Grant, issue 4516).
* Detect support for OSC 52 using the device attributes report (from James
Holderness, issue 4539).
* Add noattr for styles and use in mode-style to allow whether attributes are
ignored or used to be configured (issue 4498).
* Add a set-default style attribute which replaces the current default colours
and attributes completely.
* Add -E to run-shell to forward stderr as well as stdout (issue 4246).
* Add an option variation-selector-always-wide to instruct tmux not to
always interpret VS16 as a wide character and assume the terminal does
likewise.
* Switch to getopt_long from OpenSSH (from Koichi Murase, issue 4492).
* Add more features for boolean expressions in formats: 1) extend && and || to
support arbitrarily many arguments and 2) add ! and !! for not and not-not
(from David Mandelberg).
* Do not mistake other DCS sequences for SIXEL sequences (from James
Holderness, issue 4488).
* Improve #? conditional expression in formats: add support for else if and
default empty string if no else value (from David Mandelberg, issue 4451).
* Add default-client-command to set the command used if tmux is run without a
command; the default stays new-session (from David Mandelberg, issue
4422).
* Add S-Up and S-Down to move windows in tree mode (from David Mandelberg,
issue 4415).
* Add mode 2031 support to automatically report dark or light theme. tmux will
guess the theme from the background colour on terminals which do not
themselves support the escape sequence (from Jonathan Slenders, issue 4353).
* Add -M flag to capture-pane to use the copy mode screen (issue 4358).
* Align index numbers in trees (from David Mandelberg, issue 4360).
* Add display-message -C flag to update pane while message is displayed (from
Vitaly Ostrosablin, issue 4363).
* Make list-commands command show only one command if an argument is given
(from Ilya Grigoriev, issue 4352).
* Count line numbers correctly inside strings in configuration files (reported
by Pedro Navarro, issue 4325).
* Map bright black (colour 8) to white (7) if the background is black on
terminals with only eight colours so the text is not invisible (from Dmytro
Bagrii, issue 4322).
* New codepoint-widths option allowing users to override the width of
individual Unicode codepoints.
* Add a nesting limit to source-file (from Fadi Afani, issue 4223).
* Add copy-mode-position-style and copy-mode-selection-style options for copy
mode.
* Add no-detach-on-destroy client option (issue 4242).
* Add input-buffer-size option (from Ken Lau).
* Add support for a scrollbar at the side of each pane. New options
pane-scrollbars turn them on or off, pane-scrollbars-position sets the
position (left or right), and pane-scrollbars-style to set the colours (from
Michael Grant, issue 4221).
* Allow control characters to be entered at the command prompt by prefixing
with C-v (from Alexander Arch, issue 4206).
* Do not attempt to search for zero length strings (from Alexander Arch, issue
4209).
* Preserve tabs for copying and capture-pane (from Alexander Arch, issue
4201).
* Increase the maximum for repeat-time.
* Adjust how Ctrl and Meta keys are sent to use standard representation if
available in mode 1 (from Stanislav Kljuhhin, issue 4188).
* Allow attributes in menu style (from Japin Li, issue 4194).
* Add a sixel_support format variable which is 1 if SIXEL is supported, always
0 on OpenBSD (requested by Misaki Masa, issue 4177).
* Add prompt-cursor-colour and prompt-cursor-style to set the style of the
cursor in the command prompt and remove the emulated cursor (from Alexander
Arch, issue 4170).
* Add initial-repeat-time option to allow the first repeat time to be increased
and later reduced (from David le Blanc, issue 4164).
* Send focus events to pane when entering or leaving popup (issue 3991).
* Add copy-mode-position-format to configure the position indicator.
* Add -y flag to disable confirmation prompts in modes (issue 4152).
* Add -C and -P flags to the copy commands in copy mode: -C prevents the
commands from sending the text to the clipboard and -P prevents them from
adding the text as a paste buffer (issue 4153).
* Preserve transparency and raster attribute dimensions when sending a SIXEL
image, and avoid collapsing empty lines (issue 4149).
* Bypass permission check for Cygwin (based on a change by Yuya Adachi via
Rafael Kitover, issue 4148).
* Add MSYSTEM to default update-environment (for Cygwin).
* Set client stdout file descriptor also for Cygwin (from Michael Wild via Rafael
Kitover, issue 4148).
* Use global cursor style and colour options for modes instead of default
(issue 4117).
* Fix pasting so it does not interpret keys but instead copies the input
without interpretation (reported by Mark Kelly).
* Try to query window pixel size from the outside terminal if the values
returned by TIOCGWINSZ are zero (Dmitry Galchinsky, issue 4099).
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 23 Jan 2026 13:59:08 +0000 (14:59 +0100)]
clamav: Update to version 1.5.1
- Update from version 1.4.3 to 1.5.1
- Update of rootfile
- From version 1.5.0 clamav added signing/verification of the signature file downloads
with external .sign files. -D CVD_CERTS_DIRECTORY=/etc/clamav/certs has been added
as a build option to create the certs directory and to install the clamav.crt file
- Tested out the execution of this version on a vm testbed. The .sign files were
correctly downloaded and the databases approved. This was also the case with a
reboot. This was where users had a problem with the version released in CU199 after
they had manually created a directory.
- Changelog
1.5.1
ClamAV 1.5.1 is a patch release with the following fixes:
* Fixed a significant performance issue when scanning some PE files
* Fixed an issue recording file entries from a ZIP archive central directory which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the ClamScan --alert-exceeds-max command line option or ClamD AlertExceedsMax config file option
* Improved performance when scanning TNEF email attachments
* Fixed an issue with recording metadata for OOXML office documents
* Fixed an issue with signature matches for VBA in OLE2 office documents
* Loosened overly restrictive rules for embedded file identification and increased the limit for finding PE files embedded in other PE files
* Fixed an issue with extracting some RAR archives embedded in other files
* Fixed an issue with calculating fuzzy hashes affecting some images by updating the version for several Rust library dependencies
  * This release does not require a newer version of the Rust compiler toolchain than what was required for ClamAV 1.5.0
* Added checks to determine if an OLE2-based Microsoft Office document is encrypted.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1295
* Added the ability to record URIs found in HTML if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record HTML URIs. The ClamScan command-line option is --json-store-html-uris=no. The clamd.conf config option is JsonStoreHTMLURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_HTML_URIS
  GitHub pull request #1: https://github.com/Cisco-Talos/clamav/pull/1281
  GitHub pull request #2: https://github.com/Cisco-Talos/clamav/pull/1482
  GitHub pull request #3: https://github.com/Cisco-Talos/clamav/pull/1514
* Added the ability to record URIs found in PDFs if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record PDF URIs. The ClamScan command-line option is --json-store-pdf-uris=no. The clamd.conf config option is JsonStorePDFURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_PDF_URIS
  GitHub pull request #1: https://github.com/Cisco-Talos/clamav/pull/1482
  GitHub pull request #2: https://github.com/Cisco-Talos/clamav/pull/1514
  GitHub pull request #3: https://github.com/Cisco-Talos/clamav/pull/1559
  GitHub pull request #4: https://github.com/Cisco-Talos/clamav/pull/1572
* Added regex support for the clamd.conf OnAccessExcludePath config option. This change courtesy of GitHub user b1tg.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1314
* Added CVD signing/verification with external .sign files.
  Freshclam will now attempt to download external signature files to accompany existing .cvd databases and .cdiff patch files. Sigtool now has commands to sign and verify using the external signatures.
  ClamAV now installs a 'certs' directory in the app config directory (e.g., <prefix>/etc/certs). The install path is configurable. The CMake option to configure the CVD certs directory is -D CVD_CERTS_DIRECTORY=PATH
  New options to set an alternative CVD certs directory:
  * The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is --cvdcertsdir PATH
  * The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is CVD_CERTS_DIR
  * The config option for Freshclam and ClamD is CVDCertsDirectory PATH
  Added two new APIs to the public clamav.h header:
  The original cl_cvdverify and cl_cvdunpack are deprecated.
  Added a cl_engine_field enum option CL_ENGINE_CVDCERTSDIR. You may set this option with cl_engine_set_str and get it with cl_engine_get_str, to override the compiled in default CVD certs directory.
  Thank you to Mark Carey at SAP for inspiring work on this feature with an initial proof of concept for external-signature FIPS compliant CVD signing.
  GitHub pull request #1: https://github.com/Cisco-Talos/clamav/pull/1417
  GitHub pull request #2: https://github.com/Cisco-Talos/clamav/pull/1478
  GitHub pull request #3: https://github.com/Cisco-Talos/clamav/pull/1489
  GitHub pull request #4: https://github.com/Cisco-Talos/clamav/pull/1491
* Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like limits disabling MD5 and SHA1 from being used for verifying digital signatures or for being used to trust a file when checking for false positives (FPs).
  For freshclam.conf and clamd.conf set this config option:
  FIPSCryptoHashLimits yes
  For clamscan and sigtool use this command-line option:
  --fips-limits
  For libclamav: Enable FIPS-limits for a ClamAV engine like this:
  ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will automatically enable the FIPS-limits feature.
  This change mitigates safety concerns over the use of MD5 and SHA1 algorithms to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
  Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection purposes or for informational purposes in FIPS-enabled environments and when the FIPS-limits option is enabled.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
* Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5). The clean-file cache algorithm is not configurable.
  This change resolves safety concerns over the use of MD5 to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
  GitHub pull request #1: https://github.com/Cisco-Talos/clamav/pull/1532
  GitHub pull request #2: https://github.com/Cisco-Talos/clamav/pull/1560
* ClamD: Added an option to disable select administrative commands including SHUTDOWN, RELOAD, STATS and VERSION.
  The new clamd.conf options are:
  This change courtesy of GitHub user ChaoticByte.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1502
* libclamav: Added extended hashing functions with a "flags" parameter that allows the caller to choose if they want to bypass FIPS hash algorithm limits:
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
* ClamScan: Improved the precision of the bytes-scanned and bytes-read counters. The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB", or "B" as appropriate. Previously, it always reported "MB".
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
* ClamScan: Add hash & file-type in/out CLI options:
  * --hash-hint: The file hash so that libclamav does not need to calculate it. The type of hash must match the --hash-alg.
  * --log-hash: Print the file hash after each file scanned. The type of hash printed will match the --hash-alg.
  * --hash-alg: The hashing algorithm used for either --hash-hint or --log-hash. Supported algorithms are "md5", "sha1", "sha2-256". If not specified, the default is "sha2-256".
  * --file-type-hint: The file type hint so that libclamav can optimize scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with the specified type. See also: https://docs.clamav.net/appendix/FileTypes.html#file-types
  * --log-file-type: Print the file type after each file scanned.
  We will not be adding this for ClamDScan, as we do not have a mechanism in the ClamD socket API to receive scan options or a way for ClamD to include scan metadata in the response.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
* libclamav: Added new scan functions that provide additional functionality:
  The older cl_scan*() functions are now deprecated and may be removed in a future release. See clamav.h for more details.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
* libclamav: Added a new engine option to toggle temp directory recursion.
  Temp directory recursion is the idea that each object scanned in ClamAV's recursive extract/scan process will get a new temp subdirectory, mimicking the nesting structure of the file.
  Temp directory recursion was introduced in ClamAV 0.103 and is enabled whenever --leave-temps / LeaveTemporaryFiles is enabled.
  In ClamAV 1.5, an application linking to libclamav can separately enable temp directory recursion if they wish. For ClamScan and ClamD, it will remain tied to --leave-temps / LeaveTemporaryFiles options.
  The new temp directory recursion option can be enabled with:
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
* libclamav: Added a class of scan callback functions that can be added with the following API function:
  The scan callback location may be configured using the following five values:
  * CL_SCAN_CALLBACK_PRE_HASH: Occurs just after basic file-type detection and before any hashes have been calculated either for the cache or the gen-json metadata.
  * CL_SCAN_CALLBACK_PRE_SCAN: Occurs before parser modules run and before pattern matching.
  * CL_SCAN_CALLBACK_POST_SCAN: Occurs after pattern matching and after running parser modules. A.k.a. the scan is complete for this layer.
  * CL_SCAN_CALLBACK_ALERT: Occurs each time an alert (detection) would be triggered during a scan.
  * CL_SCAN_CALLBACK_FILE_TYPE: Occurs each time the file type determination is refined. This may happen more than once per layer.
  Each callback may alter scan behavior using the following return codes:
  * CL_BREAK: Scan aborted by callback. The rest of the scan is skipped. This does not mark the file as clean or infected, it just skips the rest of the scan.
  * CL_SUCCESS / CL_CLEAN: File scan will continue.
    For CL_SCAN_CALLBACK_ALERT: This means you want to ignore this specific alert and keep scanning.
    This is different than CL_VERIFIED because it does not affect prior or future alerts. Return CL_VERIFIED instead if you want to remove prior alerts for this layer and skip the rest of the scan for this layer.
  * CL_VIRUS: This means you do not trust the file. A new alert will be added.
    For CL_SCAN_CALLBACK_ALERT: This means you agree with the alert and no extra alert is needed.
  * CL_VERIFIED: Layer explicitly trusted by the callback and previous alerts removed for THIS layer. You might want to do this if you trust the hash or verified a digital signature. The rest of the scan will be skipped for THIS layer. For contained files, this does NOT mean that the parent or adjacent layers are trusted.
  Each callback is given a pointer to the current scan layer from which they can get previous layers, can get the layer's fmap, and then various attributes of the layer and of the fmap. To make this possible, there are new APIs to query scan-layer details and fmap details:
  There is an interactive test program to demonstrate the new callbacks. See: examples/ex_scan_callbacks.c
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
* Signature names that start with "Weak." will no longer alert. Instead, they will be tracked internally and can be found in scan metadata JSON. This is a step towards enabling alerting signatures to depend on prior Weak indicator matches in the current layer or in child layers.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
* For the "Generate Metadata JSON" feature:
  * The "Viruses" array of alert names has been replaced by two new arrays that include additional details beyond just signature name:
    * "Indicators" records three types of indicators:
      * Strong indicators are for traditional alerting signature matches and will halt the scan, except in all-match mode.
      * Potentially Unwanted indicators will only cause an alert at the end of the scan unless a Strong indicator is found. They are treated the same as Strong indicators in all-match mode.
      * Weak indicators do not alert and will be leveraged in a future version as a condition for logical signature matches.
    * "Alerts" records only alerting indicators. Events that trust a file, such as false positive signatures, will remove affected indicators, and mark them as "Ignored" in the "Indicators" array.
  * Add new option to calculate and record additional hash types when the "generate metadata JSON" feature is enabled:
    * libclamav option: CL_SCAN_GENERAL_STORE_EXTRA_HASHES
    * ClamScan option: --json-store-extra-hashes (default off)
    * clamd.conf option: JsonStoreExtraHashes (default 'no')
  * The file hash is now stored as "sha2-256" instead of "FileMD5". If you enable the "extra hashes" option, then it will also record "md5" and "sha1".
  * Each object scanned now has a unique "Object ID".
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
* Sigtool: Renamed the sigtool option --sha256 to --sha2-256. The original option is still functional but is deprecated.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
Other improvements
* Set a limit on the max-recursion config option. Users will no longer be able to set max-recursion higher than 100. This change prevents errors on start up or crashes if encountering a file with that many layers of recursion.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1264
* Build system: CMake improvements to support compiling for the AIX platform. This change is courtesy of GitHub user KamathForAIX.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1387
* Improve support for extracting malformed zip archives. This change is courtesy of Frederick Sell.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1460
* Windows: Code quality improvement for the ClamScan and ClamDScan --move and --remove options. This change is courtesy of Maxim Suhanov.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1470
* Added file type recognition for an initial set of AI model file types.
  The file type is accessible to applications using libclamav via the scan callback functions and as an optional output parameter to the scan functions: cl_scanfile_ex(), cl_scanmap_ex(), and cl_scandesc_ex().
  When scanning these files, type will now show "CL_TYPE_AI_MODEL" instead of "CL_TYPE_BINARY_DATA".
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1476
* Added support for inline comments in ClamAV configuration files. This change is courtesy of GitHub user userwiths.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1308
* Disabled the MyDoom hardcoded/heuristic detection because of false positives.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1495
* Sigtool: Added support for creating .cdiff and .script patch files for CVDs that have underscores in the CVD name. Also improved support for relative paths with the --diff command.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1541
* Windows: Improved support for file names with UTF-8 characters not found in the ANSI or OEM code pages when printing scan results or showing activity in the ClamDTOP monitoring utility. Fixed a bug with opening files with such names with the Sigtool utility.
  GitHub pull request #1: https://github.com/Cisco-Talos/clamav/pull/1461
  GitHub pull request #2: https://github.com/Cisco-Talos/clamav/pull/1537
* Improved the code quality of the ZIP module. Added inline documentation.
  GitHub pull request #1: https://github.com/Cisco-Talos/clamav/pull/1548
  GitHub pull request #2: https://github.com/Cisco-Talos/clamav/pull/1552
* Always run scan callbacks for embedded files. Embedded files are found within other files through signature matches instead of by parsing. They will now be processed the same way and then they can trigger application callbacks (e.g., "pre-scan", "post-scan", etc.).
  A consequence of this change is that each embedded file will be pattern-matched just like any other extracted file. To minimize excessive pattern matching, file header validation checks were added for ZIP, ARJ, and CAB. Also fixed a bug with embedded PE file scanning to reduce unnecessary matching.
  This change will impact scans with both the "leave-temps" feature and the "force-to-disk" feature enabled, resulting in additional temporary files.
  GitHub pull request #1: https://github.com/Cisco-Talos/clamav/pull/1532
  GitHub pull request #2: https://github.com/Cisco-Talos/clamav/pull/1571
* Added DevContainer templates to the ClamAV Git repository in order to make it easier to set up AlmaLinux or Debian development environments.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1462
* Removed the "Heuristics.XZ.DicSizeLimit" alert because of potential unintended alerts based on system state.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1573
* Improved support for compiling on Solaris.
  This fix courtesy of Andrew Watkins.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1569
* Improved support for compiling on GNU/Hurd.
  This fix courtesy of Pino Toscano.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1569
* Improved support for linking with the NCurses library dependency when libtinfo is built as a separate library.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1356
Bug fixes
* Reduced email multipart message parser complexity.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1347
* Fixed possible undefined behavior in inflate64 module. The inflate64 module is a modified version of the zlib library, taken from version 1.2.3 with some customization and with some cherry-picked fixes. This adds one additional fix from zlib 1.2.9. Thank you to TITAN Team for reporting this issue.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1469
* Fixed a bug in ClamD that broke reporting of memory usage on Linux. The STATS command can be used to monitor ClamD directly or through ClamDTOP. The memory stats feature does not work on all platforms (e.g., Windows).
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1465
* Windows: Fixed a build issue when the same library dependency is found in two different locations.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1453
* Fixed an infinite loop when scanning some email files in debug-mode. This fix is courtesy of Yoann Lecuyer.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1445
* Fixed a stack buffer overflow bug in the phishing signature load process. This fix is courtesy of GitHub user Shivam7-1.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1486
* Fixed a race condition in the Freshclam feature tests. This fix is courtesy of GitHub user rma-x.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1513
* Windows: Fixed a 5-byte heap buffer overread in the Windows unit tests. This fix is courtesy of GitHub user Sophie0x2E.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1542
* Fix double-extraction of OOXML-based office documents.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
* ClamBC: Fixed crashes on startup.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1532
* Fixed an assortment of issues found with Coverity static analysis.
  GitHub pull request #1: https://github.com/Cisco-Talos/clamav/pull/1574
  GitHub pull request #2: https://github.com/Cisco-Talos/clamav/pull/1582
* Fixed libclamav unit test, ClamD, and ClamDScan Valgrind test failures affecting some platforms.
  GitHub pull request #1: https://github.com/Cisco-Talos/clamav/pull/1554
  GitHub pull request #2: https://github.com/Cisco-Talos/clamav/pull/1570
* Fixed crash in the Sigtool program when using the --html-normalize option.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1556
* Fixed some potential NULL-pointer dereference issues if memory allocations fail.
  Fix courtesy of GitHub user JiangJias.
  GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/1581
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 23 Jan 2026 14:51:48 +0000 (14:51 +0000)]
oci-cli: Add missing dependencies
Since the last update, the OCI CLI package requires some extra Python
dependencies. I find it very annoying that Python won't check this
during build time, so I added an extra step where we will run "oci
--help" and see if the command is coming up at all. Hopefully that will
be sufficient and no further Python modules will be loaded whenever they
are needed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 23 Jan 2026 05:26:55 +0000 (06:26 +0100)]
cbindgen: New package
cbindgen creates C/C++11 headers for Rust libraries which expose a public C API.
This tool is required to build the patched version of suricata and any
upcoming major versions of suricata.
* Add a lot of new rust modules in order to provide all dependencies and
their dependencies in order to build the tool.
* Adjusted build order in make.sh
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 23 Jan 2026 05:26:53 +0000 (06:26 +0100)]
suricata: Add upstream patch to purge sgh-mpm-caches
This patch is a collection of the recently merged upstream patches to
allow purging the sgh-mpm-cache (hyperscan) after a specified amount of
time. (https://github.com/OISF/suricata/pull/14630)
I've set this to the upstream's example default of 7 days for now.
Fixes #13926.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 19 Jan 2026 16:21:38 +0000 (16:21 +0000)]
readhash: Fix the quote check
The single quotes changed bash's behaviour to interpret the * character
literally, but this is not what we wanted here. We need to escape the
single quotes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 19 Jan 2026 16:21:37 +0000 (16:21 +0000)]
hostapd: Use the new readhash implementation to read configuration files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 19 Jan 2026 16:21:36 +0000 (16:21 +0000)]
hostapd: Bring back support for 802.11g/a
I just have a little bit of easily accessible testing hardware in form
of USB devices which are very suitable for testing, but the one that I
found in my drawer doesn't support 802.11n.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878)
Malformed BRID and HHIT records could trigger an assertion failure.
This has been fixed.
ISC would like to thank Vlatko Kosturjak from Marlink Cyber for
bringing this vulnerability to our attention. [GL #5616]
Feature Changes
Add more information to the rndc recursing output about fetches.
This adds more information about active fetches, for debugging and
diagnostic purposes. [GL !11305]
Bug Fixes
Make DNSSEC key rollovers more robust.
A manual rollover when the zone was in an invalid DNSSEC state caused
predecessor keys to be removed too quickly. Additional safeguards to
prevent this have been added: DNSSEC records are not removed from the
zone until the underlying state machine has moved back into a valid
DNSSEC state. [GL #5458]
Fix a catalog zone issue, where member zones could fail to load.
A catalog zone member zone could fail to load in some rare cases, when
the internally generated zone configuration string exceeded 512 bytes.
That condition by itself was not enough for the issue to arise, but it
was necessary. This could happen if, for example, the catalog zone's
default primary servers list contained a large number of items. This
has been fixed. [GL #5658]
Allow glue in delegations with QTYPE=ANY.
When a query for type ANY triggered a delegation response, all
additional data was omitted from the response, including mandatory
glue. This has been fixed. [GL #5659]
Fix slow speed when signing a large delegation zone with NSEC3 opt-out.
BIND 9.20+ took much longer signing a large delegation zone with NSEC3
opt-out compared to version 9.18. This has been fixed. [GL #5672]
Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid.
A zone that was signed with NSEC3, had opt-out enabled, and was then
reconfigured to use NSEC, was published with missing NSEC records. This
has been fixed. [GL #5679]
Fix a possible catalog zone issue during reconfiguration.
The named process could terminate unexpectedly during reconfiguration
when a catalog zone update was taking place at the same time. This has
been fixed. [GL !11366]
Fix the charts in the statistics channel.
The charts in the statistics channel could sometimes fail to render in
the browser and were completely disabled for Mozilla-based browsers,
for historical reasons. This has been fixed. [GL !11018]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
v0.19.0:
print progress of curl http uploads
do not load js scripts if ecmascript is disabled by disallow.txt or allow.txt
v0.19.0rc1:
option document.browse.margin_auto #360 (hard margins)
TERM=dumb for js tests. #361
option document.html.compress_empty_lines #362
css visibility: hidden support
experimental iframe support
spartan protocol
window.scroll in js
inline images support in html documents (meson option kitty)
and options document.html.kitty and document.html.sixel. Note that you also
need to enable kitty or sixel in the terminal options
include-fragment support (now is easier to download something from github)
experimental libuv support
allow to set color0 to color255 as color
toggle-ecmascript-keys action to toggle between Application or Browser mode
requestAnimationFrame in js
option ui.sessions.auto_save_position #392
option document.html.display_unfinished
meson options avif and webp
option protocol.mailcap.allow_empty_referrer
option ui.leds.redraw_interval
fixes in DOS version related to temporary files creation
length can be bigger than int in http protocol #396
ignore result of verification for gemini protocol #397
meson option win32-vt100-native for Windows 10 and newer
support for chawan's extensions for mailcap (x-ansioutput and x-htmloutput)
Polish translation update
Serbian translation update
elinks.get_option(name) and elinks.set_option(name, value) in Python scripting #406
other small fixes
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:39:07 +0000 (14:39 +0100)]
vim: Update to version 9.1.2098
- Update from version 9.1.1854 to 9.1.2098
- Update of rootfile
- Changelog is not available. Generally each patch version number update is related to
a commit entry in the git repository. The details for all the commit changes can be
found at https://github.com/vim/vim/commits/master/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:39:06 +0000 (14:39 +0100)]
samba: Update to version 4.23.4
- Update from 4.23.2 to 4.23.4
- No change to the rootfiles
- Changelog
4.23.4
* BUG 15926: Samba 4.22 breaks Time Machine
* BUG 15947: mdssvc doesn't support $time.iso dates before 1970
* BUG 15963: Fix winbind cache consistency
* BUG 15897: Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/')
in vfswrap_openat
* BUG 15950: ctdb can crash with inconsistent cluster lock configuration
* BUG 15897: Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/')
in vfswrap_openat
* BUG 15809: samba-bgqd: rework man page
* BUG 15936: samba-bgqd can't find [printers] share
* BUG 15955: Winbind can hang forever in gssapi if there are network issues.
* BUG 15961: libldb requires linking libreplace on Linux
4.23.3
* BUG 15926: Samba 4.22 breaks Time Machine.
* BUG 15927: Spotlight search restriction for shares incomplete and default
search searches in too many attributes.
* BUG 15930: Searching for numbers doesn't work with Spotlight.
* BUG 15931: rpcd_mdssvc may crash because name mangling is not initialized.
* BUG 15933: Only increment lease epoch if a lease was granted.
* BUG 15940: vfs_recycle does not update mtime.
* BUG 15943: samba-log-parser fails with UnicodeDecodeError: 'utf-8' codec
can't decode byte.
* BUG 15935: Crash in ctdbd on failed updateip.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:39:05 +0000 (14:39 +0100)]
opus: Update to version 1.6.1
- Update from version 1.5.2 to 1.6.1
- Update of rootfile
- Changelog
1.6.1
fixes several minor issues that were discovered since the 1.6 release.
1.6.0
Opus 1.6 builds on the new ML-based features introduced in Opus 1.5.
Major changes since 1.5 include:
- A new wideband-to-fullband bandwidth extension (BWE) module
- Support for 96 kHz audio with Opus HD
- Significant improvement to Deep Redundancy (DRED)
- A new 24-bit encoder/decoder API
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:39:01 +0000 (14:39 +0100)]
libtpms: Update to version 0.10.2
- Update from version 0.10.1 to 0.10.2
- Update of rootfile
- CVE fix
- Changelog
0.10.2
- tpm2: Fix memory leak by freeing KDF context
- tpm2: Fix retrieval of updated IV when using OpenSSL >= 3.0 (CVE-2026-21444)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:39:00 +0000 (14:39 +0100)]
libtasn1: Update to version 4.21.0
- Update from version 4.20.0 to 4.21.0
- Update of rootfile
- CVE fix
- Changelog
4.21.0
- Undocumented asn1Decoding --debug flag removed, thanks to Andrew Hamilton.
- Code coverage for src/ went from 35% to 82%, thanks to Andrew Hamilton.
- Fix of ASN.1 typo in manual, thanks to Masatake YAMATO.
- NEWS renamed to NEWS.md and uses markdown syntax.
- Update gnulib files and various build/maintenance fixes.
- Fix for vulnerability CVE-2025-13151 Stack-based buffer overflow
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:38:59 +0000 (14:38 +0100)]
libplist: Update to version 2.7.0
- Update from version 2.4.0 to 2.7.0
- Update of rootfile
- Changelog
2.7.0
- Changes:
* Add plist_new_unix_date, plist_get_unix_date_val, plist_set_unix_date_val
functions that work with int64_t values representing a UNIX timestamp
instead of using the 'MAC epoch'.
These new functions should be used instead of plist_new_date,
plist_get_date_val, and plist_set_date_val, which are now marked deprecated
and might be removed in a future version of libplist.
* Allow building the library without tool(s)
* Switch to more generic global initializer method
* json: Allow e+/E+ in exponent as per RFC 8259
* C++: Add more convenience functions to the interface
* C++: Add more type variants to different constructors and operators
- Bugfixes:
* Fix segmentation fault when calling plist_sort() on an empty dictionary
* Fix compilation on MSVC
* C++: Fix bug in internal helper function of Array class
* C++: Fix String::GetValue memory leaking and support assignment of const
char*
2.6.0
- Changes:
* Revert back API change around PLIST_DATA to use char* again
2.5.0
- Changes:
* Change API around PLIST_DATA to use uint8_t* instead of char*
* Add PLIST_DICT helper functions for different operations
* Require Cython 3.0 for python bindings
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:38:58 +0000 (14:38 +0100)]
libpcap: Update to version 1.10.6
- Update from version 1.10.5 to 1.10.6
- Update of rootfile
- Two CVE fixes
- Changelog
1.10.6
General:
Fix "tcpdump -i <n>" for something-only libpcap builds.
gencode: Fix an undefined behavior in gen_mcode().
gencode: Add a missing free() in gen_scode().
Remove "DLT_" from the descriptions of two dlt_choices[] entries.
Report the size of time_t in the version string.
Validate remote capture source strings better.
CVE-2025-11961: Fix OOBR and OOBW in pcap_ether_aton().
Source code:
Remove some unneeded includes.
pcapint_find_function() changed to return "void *" to avoid
warnings.
Clean up code that computes the length of a netmask.
Mind netmap support in pcap_lib_version().
Link-layer types:
Add LINKTYPE_ETW/DLT_ETW.
Add LINKTYPE_NETANALYZER_NG/DLT_NETANALYZER_NG (pull request #1008).
Add LINKTYPE_ZBOSS_NCP/DLT_ZBOSS_NCP.
Add LINKTYPE_USB_2_0_LOW_SPEED/DLT_USB_2_0_LOW_SPEED,
LINKTYPE_USB_2_0_FULL_SPEED/DLT_USB_2_0_FULL_SPEED,
LINKTYPE_USB_2_0_HIGH_SPEED/DLT_USB_2_0_HIGH_SPEED
Add LINKTYPE_AUERSWALD_LOG/DLT_AUERSWALD_LOG.
Add LINKTYPE_ZWAVE_TAP/DLT_ZWAVE_TAP.
Add LINKTYPE_SILABS_DEBUG_CHANNEL/DLT_SILABS_DEBUG_CHANNEL.
Add LINKTYPE_FIRA_UCI/DLT_FIRA_UCI.
Rename LINKTYPE_IPMB_LINUX/DLT_IPMB_LINUX to
LINKTYPE_I2C_LINUX/DLT_I2C_LINUX, as it's really just an
encapsulation of I2C, and is also being used for HDMI DDC.
Keep DLT_IPMB_LINUX around as a #define for backwards
compatibility.
Add LINKTYPE_MDB/DLT_MDB.
Add LINKTYPE_DECT_NR/DLT_DECT_NR.
Add LINKTYPE_EDK2_MM/DLT_EDK2_MM.
Add LINKTYPE_DEBUG_ONLY/DLT_DEBUG_ONLY.
Packet filtering:
Make the chunk allocator's alignment more general and
platform-independent.
IEEE 802.11: Fix three undefined behaviors in grammar.y.
Fix IPv4 multicast filtering to only include 224.0.0.0/4.
Fix "(arp|rarp) host NAME" to ignore IPv6 quietly.
Fix ARCnet address parsing.
Linux:
Fix check for mac80211 phydev.
Don't create monitor-mode interface if we're capturing on one.
Expand the table of DSA tag types to include all current types.
Fix an error message when deleting a monN interface.
Fix returning PCAP_ERROR_RFMON_NOTSUP with libnl.
Fix the error message when capture permission is denied.
Fix the error message if PF_PACKET sockets aren't supported.
Fix a file descriptor leak in an error case (pull request #1537).
Handle errors better when checking for a DSA-tagged interface.
Use DLT_DEBUG_ONLY for DSA tags that do not [yet] have a better support.
FreeBSD:
Fix detection and enabling of zero-copy support.
Fix errors in the zero-copy code.
Solaris:
Fix not to ignore logical interfaces in fad-gifc.c and
fad-glifc.c.
Fix attempts to open all-numeric device names with DLPI to
return "no such device".
Fix error returns and messages when an interface has no DLPI
device.
Return all interfaces in pcap_findalldevs() even if they can't be
opened.
HP-UX:
Fix attempts to open all-numeric device names to return
"no such device".
Fix error message if there's no /dev/dlpi device.
Return all interfaces in pcap_findalldevs() even if they can't be
opened.
Windows:
Fix filtering for VLAN-tagged frames.
Add support for Npcap's nanosecond-resolution time stamps in
captures.
CVE-2025-11964: Fix a bug in error message character encoding mapping
from UTF-16 to UTF-8.
Check at create time whether the NPF driver supports nanosecond
precision.
D-Bus:
Fix message leak.
Capture file writing:
Don't close the output stream if it's stdout, just flush it.
Documentation:
Explicitly document that closing a pcap_t for a savefile opened
with pcap_fopen_offline() will close the standard I/O stream.
Building and testing:
Makefile.in: Include instrument-functions.c in the release tarball.
CMake: Fix libnl usage with pkg-config.
CMake: Fix build with CMake 3.31.
CI: Report CMake version in builds.
CI: Visual Studio 2022 builds added, including ARM64 builds;
Visual Studio 2015 builds dropped.
Don't build with sslutils.c if we don't have a TLS library.
Build on Windows with a newer version of OpenSSL.
CMake: generalize handling of non-x86 Windows architectures.
CI: use the -A flag for all Visual Studio generators.
Remove the fuzzing props from the release tarball.
Autoconf: Use AC_SYS_YEAR2038_RECOMMENDED when possible if the
environment variable BUILD_YEAR2038 = yes (via autogen.sh)
DPDK: don't enable it by default.
Update Npcap SDK to 1.15.
autogen.sh: Allow to configure Autoconf warnings.
autogen.sh: Delete all trailing blank lines at end of configure.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:38:57 +0000 (14:38 +0100)]
freeradius: Update to version 3.2.8
- Update from version 3.2.7 to 3.2.8
- Update of rootfile
- The 3.2.8 version should also fix the incompatibility with openssl > 3.5.1
- Changelog
3.2.8
Feature Improvements
Add support for automated fuzzing. This doesn't affect normal operations,
but it does allow for testing of the RADIUS decoder.
Allow tagged attributes to use ":V" as a tag in some cases. The tag is then
read from the value which is being assigned to the attribute. This
functionality is allowed in 'update' sections, including 'update' in
module configurations. See mods-available/ldap for an example.
Add kafka module. See mods-available/kafka.
Allow &control:Packet-SRC-IP-Address to be used when proxying needs a
given source address.
Change lower limit for reject_delay to 0.5s. Apparently some NASes will
panic and go crazy with a 1s reject_delay.
Rate limit complaints when limiting new connections.
Update raddb/certs/Makefile to support DER output.
Elapsed statistics for packets do not include proxy timers, which helps
clarify where any issues are. The total time is still available by
adding "our" time to the "proxy" time.
Added kafka module. See mods-available/kafka.
json module can now print dates as integers. See mods-available/json.
The debug output now points to the online documentation in many cases,
when there are syntax errors in the configuration.
Add support for 389ds password hashes. Patch from Gerald Vogt.
reject_delay does not _add_ a delay, but instead ensures that the reject
is delayed for _at least_ that time. This change means that
reject_delay can be set in more situations, including for proxies.
Add delay_proxy_rejects. By default, proxied rejects are not delayed.
Setting this flag means that reject_delay is applied to proxied
rejects, too.
The proxy_rate_limit module can now be listed in the "authorize" section.
Update dpsk module to be faster, and be easier to configure with
databases. See mods-available/dpsk.
Bug Fixes
Move assertion in thread / queue code, which only affects debug builds.
Fixes #5512.
Update CRL checks to avoid crash in some cases. Fixes #5515.
More tweaks to the TEAP code.
Allow building when OpenSSL is missing PSK. Fixes #5520.
Move assertion so that it isn't triggered when the incoming queue is full,
and the server is blocked. Fixes #5512.
Fix crash when multiple certs are used along with CRL distribution points.
Fixes #5515.
Fix typo in rlm_cache which could cause crashes. Fixes #5522.
Be more forgiving about '%' in strings. Fixes #5525.
Move assertion in threading code.
Fixes to interaction with python interpreter.
Don't crash when setting client hostname in RADIUS/TLS. Fixes #5552.
Ignore ".dpkg*" and ".rpm*" files when loading configuration directories.
Package managers can leave these around.
Complain more loudly if all of the "authorize" etc. sections have been
removed, but the server is still configured to process Access-Request
packets.
Use OCIStmtPrepare2 to prepare Oracle queries. Fixes #5540.
Allow dynamic clients with TCP listeners.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 Jan 2026 16:33:11 +0000 (17:33 +0100)]
libjpeg: Update to version 3.1.3
- Update from version 3.1.1 to 3.1.3
- No change to rootfile
- Changelog
3.1.3
Significant changes relative to 3.1.2:
1. Hardened the TurboJPEG API against hypothetical applications that may
erroneously call `tj*Compress*()` or `tj*Transform()` with a reused JPEG
destination buffer pointer while specifying a destination buffer size of 0.
2. Hardened the TurboJPEG API against hypothetical applications that may
erroneously set `TJPARAM_LOSSLESS` or `TJPARAM_COLORSPACE` prior to calling
`tj3EncodeYUV*8()` or `tj3CompressFromYUV*8()`. `tj3EncodeYUV*8()` and
`tj3CompressFromYUV*8()` now ignore `TJPARAM_LOSSLESS` and
`TJPARAM_COLORSPACE`.
3. Hardened the TurboJPEG Java API against hypothetical applications that may
erroneously pass huge X or Y offsets to one of the compression, YUV encoding,
decompression, or YUV decoding methods, leading to signed integer overflow in
the JNI wrapper's buffer size checks that rendered those checks ineffective.
4. Fixed an issue in the TurboJPEG Java API whereby
`TJCompressor.getSourceBuf()` sometimes returned the buffer from a previous
invocation of `TJCompressor.loadSourceImage()` if the target data precision was
changed before the most recent invocation.
5. Fixed an issue in the PPM reader that caused incorrect pixels to be
generated when using `tj3LoadImage*()` or `TJCompressor.loadSourceImage()` to
load a PBMPLUS (PPM/PGM) file into a CMYK buffer with a different data
precision than that of the file.
3.1.2
Significant changes relative to 3.1.1:
1. Fixed a regression introduced by 3.1 beta1[5] that caused a segfault in
TJBench if `-copy` or `-c` was passed as the last command-line argument.
2. The build system now uses wrappers rather than CMake object libraries to
compile source files for multiple data precisions. This improves code
readability and facilitates adapting the libjpeg-turbo source code to non-CMake
build systems.
3. Fixed an issue whereby decompressing a 4:2:0 or 4:2:2 JPEG image with merged
upsampling disabled/one-pass color quantization enabled, then reusing the same
API instance to decompress a 4:2:0 or 4:2:2 JPEG image with merged upsampling
enabled/color quantization disabled, caused `jpeg_skip_scanlines()` to use
freed memory. In practice, the freed memory was not reclaimed before it was
used. Thus, this issue did not cause a segfault or other user-visible errant
behavior (it was only detectable with ASan), and it did not likely pose a
security risk.
4. The AArch64 (Arm 64-bit) Neon SIMD extensions and accelerated Huffman codec
now support the Arm64EC ABI on Windows, which allows Windows/x64 applications
to call native Arm64 functions when running under the Windows/x64 emulator on
Windows/Arm.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 Jan 2026 16:33:10 +0000 (17:33 +0100)]
libcap-ng: Update to version 0.9
- Update from version 0.8.5 to 0.9
- No change to rootfile
- Changelog
0.9
This release contains a significant new utility, cap-audit. Its purpose is to
audit the use of capabilities of a target program. When the program ends or
Ctl-c stops it, a report is generated about what was used. This can then be
used to lower capabilities instead of running as root.
Other changes in the release include:
Fix python path when invoking py-compile (Jan Palus)
Drop python2 bindings (Rudi Heitbaum)
Optimize capability name translation lookups
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 Jan 2026 16:33:09 +0000 (17:33 +0100)]
libarchive: Update to version 3.8.5
- Update from version 3.8.3 to 3.8.5
- Update of rootfile
- Changelog
3.8.5
Notable bugfixes:
bsdtar: fix regression from 3.8.4 zero-length pattern issue bugfix (#2809)
various small bugfixes in code and documentation
3.8.4
Notable bugfixes:
bsdtar: Fix zero-length pattern issue (#2787)
lib: Fix regression introduced in libarchive 3.8.2 when walking enterable
but unreadable directories (#2797)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 Jan 2026 16:33:07 +0000 (17:33 +0100)]
curl: Update to version 8.18.0
- Update from version 8.17.0 to 8.18.0
- No change to rootfile
- Changelog
8.18.0
Changes:
build: drop support for VS2008 (Windows)
build: drop Windows CE / CeGCC support
gnutls: drop support for GnuTLS < 3.6.5
gnutls: implement CURLOPT_CAINFO_BLOB
openssl: bump minimum OpenSSL version to 3.0.0
Bugfixes:
_PROGRESS.md: add the E unit, mention kibibyte
alt-svc: more flexibility on same destination
altsvc: accept ma/persist per alternative entry
altsvc: make it one malloc instead of three per entry
AmigaOS: increase minimum stack size for tool_main
apple sectrust: fix ancient evaluation
apple-sectrust: always ask when `native_ca_store` is in use
asyn-ares: handle Curl_dnscache_mk_entry() OOM error
asyn-ares: remove hostname free on OOM
asyn-thrdd: fix Curl_async_getaddrinfo() on systems without getaddrinfo
asyn-thrdd: release rrname if ares_init_options fails
auth: always treat Curl_auth_ntlm_get() returning NULL as OOM
autotools: add nettle library detection via pkg-config (for GnuTLS)
autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr)
autotools: fix LargeFile feature display on Windows (after prev patch)
autotools: tidy-up `if` expressions
badwords: add fist -> first, fix fallouts
badwords: catch and fix threading-related words
badwords: fix issues found in scripts and other files
badwords: fix issues found in tests
build: add build-level `CURL_DISABLE_TYPECHECK` options
build: exclude clang prereleases from compiler warning options
build: replace `-pedantic` with `-Wpedantic` when supported
build: set `-Wno-format-signedness`
build: tidy-up MSVC CRT warning suppression macros
ccsidcurl: make curl_mime_data_ccsid() use the converted size
cf-h1-proxy: support folded headers in CONNECT responses
cf-https-connect: allocate ctx at first in cf_hc_create()
cf-socket: drop feature check for `IPV6_V6ONLY` on Windows
cf-socket: enable Win10 `TCP_KEEP*` options with old SDKs
cf-socket: limit use of `TCP_KEEP*` to Windows 10.0.16299+ at runtime
cf-socket: return OOM error if socket() fails due to OOM
cf-socket: trace ignored errors
cfilters: make conn_forget_socket a private libssh function
checksrc.pl: detect assign followed by more than one space
cmake: adjust defaults for target platforms not supporting shared libs
cmake: define dependencies as `IMPORTED` interface targets
cmake: delete unused file `CMake/CMakeConfigurableFile.in`
cmake: disable `CURL_CA_PATH` auto-detection if `USE_APPLE_SECTRUST=ON`
cmake: fix `ws2_32` reference in `curl-config.cmake`
cmake: honor `CURL_DISABLE_INSTALL` and `CURL_ENABLE_EXPORT_TARGET`
cmake: replace deprecated `OPENSSL_FOUND` with `OpenSSL_FOUND`
cmake: replace deprecated `PERL_FOUND` with `Perl_FOUND`
cmake: save and restore `CMAKE_MODULE_PATH` in `curl-config.cmake`
cmake: set found status to OFF when not found (for compression deps)
code: minor indent fixes before closing braces
CODE_STYLE.md: sync banned function list with checksrc.pl
compressed.md: might generate a huge amount of bytes
config-win32.h: delete obsolete, non-Windows comments
config-win32.h: drop unused/obsolete `CURL_HAS_OPENLDAP_LDAPSDK`
config2setopts: add space in cookie header with multiple -b
config2setopts: bail out if curl_url_get() returns OOM
config2setopts: exit if curl_url_set() fails on OOM
configure: delete unused variable
conncache: silence `-Wnull-dereference` on gcc 14 RISC-V 64
conncontrol: reuse handling
connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition'
connection: attached transfer count
content_encoding: avoid strcpy
cookie: return proper error on OOM
cookie: allocate the main struct once cookie is fine
cookie: flush better
cookie: only keep and use the canonical cleaned up path
cookie: propagate errors better, cleanup the internal API
cookie: return error on OOM
cookie: when parsing a cookie header, delay all allocations until okay
cshutdn: acknowledge FD_SETSIZE for shutdown descriptors
curl: fix progress meter in parallel mode
curl_fopen: do not pass invalid mode flags to `open()` on Windows
curl_gssapi: make sure Curl_gss_log_error() has an initialized buffer
curl_ntlm_core: fix DES_* symbols for some wolfSSL builds
curl_quiche: refuse headers with CR, LF or null bytes
curl_sasl: if redirected, require permission to use bearer
curl_sasl: make Curl_sasl_decode_mech compare case insensitively
curl_setup.h: document more funcs flagged by `_CRT_SECURE_NO_WARNINGS`
curl_setup.h: drop stray `#undef stat` (Windows)
curl_setup.h: drop superfluous parenthesis from `Curl_safefree` macro
curl_threads: don't do another malloc if the first fails
curl_trc: delete unused DoH remains
CURLINFO: remove 'get' and 'get the' from each short desc
CURLINFO_SCHEME/PROTOCOL: they return the "scheme" for a "transfer"
CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text
CURLMOPT_SOCKETFUNCTION.md: fix the callback argument use
CURLOPT_ACCEPT_ENCODING.md: warn about the expansion
CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/
CURLOPT_HAPROXY_CLIENT_IP.md: emphasize reused connection use
CURLOPT_READFUNCTION.md: clarify the size of the buffer
CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example
curlx/fopen: replace open CRT functions with their `_s` counterparts
(Windows)
curlx/multibyte: stop setting macros for non-Windows
curlx/strerr: use `strerror_s()` on Windows
curlx: add `curlx_rename()`, fix to support long filenames on Windows
curlx: curlx_strcopy() instead of strcpy()
curlx: limit use of system allocators to the minimum possible
curlx: replace `mbstowcs`/`wcstombs` with `_s` counterparts (Windows)
curlx: replace `sprintf` with `snprintf`
curlx: use curl alloc in `curlx_win32_stat()` (Windows)
curlx: use curlx allocators in non-memdebug builds (Windows)
DEPRECATE: add CMake <3.18 deprecation for April 2026
digest: fix OWS and escaped quote handling
digest_sspi: fix a memory leak on error path
digest_sspi: properly free sspi identity
DISTROS.md: add OpenBSD
DISTROS: fix a Mageia URL
DISTROS: remove broken URLs for buildroot
doc: some returned in-memory data may not be altered
Dockerfile: update debian:bookworm-slim digest to e899040
docs/libcurl: fix C formatting nits
docs: add a note about --compressed to note about binary output
docs: clarify how to do unix domain sockets with SOCKS proxy
docs: fix checksrc `EQUALSPACE` warnings
docs: fix time_posttransfer output unit as seconds
docs: mention umask need when curl creates files
docs: remove dead URLs
docs: rename CURLcode variables to 'result'
docs: spell it Rustls with a capital R
docs: switch more URLs to https://
docs: use .example URLs for proxies
docs: use mresult as variable name for CURLMcode
escape: add a length check in curl_easy_escape
example: fix formatting nits
examples/crawler: fix variable
examples/multi-uv: fix invalid req->data access
examples/threaded-ssl: delete in favor of `examples/threaded`
examples/threaded: fix race condition
examples: fix minor typo
examples: make functions/data static where missing
examples: tidy-up headers and includes
examples: use 64-bit `fstat` on Windows
FAQ/TODO/KNOWN_BUGS: convert to markdown
FAQ: fix hackerone URL
file: do not pass invalid mode flags to `open()` on upload (Windows)
formdata: validate callback is non-NULL before use
ftp: make EPRT connections non-blocking
ftp: refactor a piece of code by merging the repeated part
ftp: remove #ifdef for define that is always defined
ftp: return better on OOM in two places
ftp: return from ftp_state_use_port immediately on OOM
getenv: drop internal 1-to-1 wrapper
getinfo: improve perf in debug mode
gnutls: add PROFILE_MEDIUM as default
gnutls: report accurate error when TLS-SRP is not built-in
gtls: add return checks and optimize the code
gtls: Call keylog_close in cleanup
gtls: skip session resumption when verifystatus is set
h2/h3: handle methods with spaces
headers: add length argument to Curl_headers_push()
hostcheck: fail wildcard match if host starts with a dot
hostip.h: drop redundant `setjmp.h` include
hostip: don't store negative lookup on OOM
hostip: make more functions return CURLcode
hostip: only store negative response for CURLE_COULDNT_RESOLVE_HOST
hsts: propagate and error out correctly on OOM
hsts: use one malloc instead of two per entry
http: acknowledge OOM errors from Curl_input_ntlm
http: avoid two strdup()s and do minor simplifications
http: error on OOM when creating range header
http: fix OOM exit in Curl_http_follow
http: handle oom error from Curl_input_digest()
http: replace atoi use in Curl_http_follow with curlx_str_number
http: return OOM errors from hsts properly
http: the :authority header should never contain user+password
http: unfold response headers earlier
idn: avoid allocations and wcslen on Windows
idn: clarify null-termination on Windows
idn: fix memory leak in `win32_ascii_to_idn()`
idn: use curlx allocators on Windows
imap: check buffer length before accessing it
imap: make sure Curl_pgrsSetDownloadSize() does not overflow
inet_ntop: avoid the strlen()
INSTALL-CMAKE.md: document static option defaults more
krb5: fix detecting channel binding feature
krb5_sspi: unify a part of error handling
ldap: call ldap_init() before setting the options
ldap: drop PP logic for old, unsupported, Windows SDKs
ldap: improve detection of Apple LDAP
ldap: provide version for "legacy" ldap as well
lib/sendf.h: forward declare two structs
lib: cleanup for some typos about spaces and code style
lib: create unitprotos.h in the builddir, not srcdir
lib: drop unused or duplicate `curlx/timeval.h` includes
lib: drop unused protocol headers
lib: eliminate size_t casts
lib: error for OOM when extracting URL query
lib: fix formatting nits (part 2)
lib: fix formatting nits (part 3)
lib: fix formatting nits
lib: fix gssapi.h include on IBMi
lib: name the main CURLMcode variable 'mresult'
lib: refactor the type of funcs which have useless return and checks
lib: replace `_tcsncpy`/`wcsncpy`/`wcscpy` with `_s` counterparts (Windows)
lib: timer stats improvements
lib: use `SOCKET_WRITABLE()`/`SOCKET_READABLE()` where possible
libssh2: add paths to error messages for quote commands
libssh2: cleanup ssh_force_knownhost_key_type
libssh2: consider strdup() failures OOM and return correctly
libssh2: replace atoi() in ssh_force_knownhost_key_type
libssh: fix state machine loop to progress as it should
libssh: properly free sftp_attributes
libssh: require private key or user-agent for public key auth
libssh: set both knownhosts options to the same file
libtests: replace `atoi()` with `curlx_str_number()`
limit-rate: add example using --limit-rate and --max-time together
localtime: detect thread-safe alternatives and use them
m4/sectrust: fix test(1) operator
manage: expand the 'libcurl support required' message
mbedTLS: cleanup insecure/deprecated code
mbedtls: fix potential use of uninitialized `nread`
mbedtls: sync format across log messages
mbedtls_threadlock: avoid calloc, use array
mdlinkcheck: ignore IP numbers, allow '@' in raw URLs
mdlinkcheck: only look for markdown links in markdown files
memdebug: add mutex for thread safety
memdebug: fix realloc logging
mk-ca-bundle.md: the file format docs URL is permaredirected
mk-ca-bundle.pl: default to SHA256 fingerprints with `-t` option
mk-ca-bundle.pl: use `open()` with argument list to replace backticks
mqtt: reject overly big messages
mqtt: return error when a too large packet is decoded
multi: make max_total_* members size_t
multi: remove MSTATE_TUNNELING
multi: simplify admin handle processing
multibyte: limit `curlx_convert_*wchar*()` functions to Unicode builds
ngtcp2+openssl: fix leak of session
ngtcp2: remove the unused Curl_conn_is_ngtcp2 function
ngtcp2: retune window sizes
noproxy: fix build on systems without IPv6
noproxy: fix ipv6 handling
noproxy: replace atoi with curlx_str_number
openssl: exit properly on OOM when getting certchain
openssl: fix a potential memory leak of bio_out
openssl: fix a potential memory leak of params.cert
openssl: fix building against no-dsa openssl
openssl: fix building against no-ocsp openssl with Apple SecTrust
openssl: no verify failf message unless strict
openssl: release ssl_session if sess_reuse_cb fails
openssl: remove code handling default version
openssl: simplify `HAVE_KEYLOG_CALLBACK` guard
openssl: stop checking for `OPENSSL_NO_SHA*` macros
openssl: stop checking for `OPENSSL_NO_TLSEXT` macro
openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
OS400/ccsidcurl: fix curl_easy_setopt_ccsid for non-converted blobs
OS400/makefile.sh: fix shellcheck warning SC2038
os400sys: replace `strcpy()` with `memcpy()`
osslq: code readability
progress: make it one column narrower
progress: narrower time display, multiple fixes
progress: show fewer digits
projects/README.md: Markdown fixes
pytest fixes and improvements
pytest: add tests using sshd
pytest: disable two H3 earlydata tests for all platforms (was: macOS)
pytest: do not ignore server issues
pytest: enable OCSP test 17_08 for LibreSSL
pytest: fix and improve reliability
pytest: improve stragglers
pytest: quiche flakiness
pytest: skip H2 tests if feature missing from curl
quiche: use client writer
ratelimit blocking: fix busy loop
ratelimit: redesign
rtmp: fix double-free on URL parse errors
rtmp: precaution for a potential integer truncation
rtmp: stop redefining `setsockopt` system symbol on Windows
runner.pm: run memanalyzer as a Perl module
runtests: add options to set minimum number of tests, use them
runtests: detect bad libssh differently for test 1459
runtests: drop Python 2 support remains
runtests: enable torture testing with threaded resolver
runtests: improve XML prolog check, enable `-w` permanently, fix two tests
runtests: make memanalyzer a Perl module (for 1.1-2x speed-up per test run)
rustls: fix a potential memory issue
rustls: minor adjustment of sizeof()
rustls: simplify init err path
rustls: verify that verifier_builder is not NULL
schannel: cap the maximum allowed size for loading cert
schannel: fix memory leak of cert_store_path on four error paths
schannel: replace atoi() with curlx_str_number()
schannel: use Win8 `CERT_NAME_SEARCH_ALL_NAMES_FLAG` with old SDKs
schannel_verify: fix a memory leak of cert_context
scripts: fix shellcheck SC2046 warnings
scripts: use end-of-options marker in `find -exec` commands
setopt: disable CURLOPT_HAPROXY_CLIENT_IP on NULL
setopt: when setting bad protocols, don't store them
sftp: fix range downloads in both SSH backends
slist: constify Curl_slist_append_nodup() string argument
smb: fix a size check to be overflow safe
socketpair: drop redundant `_WIN32` branch and include
socks_sspi: use free() not FreeContextBuffer()
source: misc typos
speedcheck: do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE
speedlimit: also reset on send unpausing
src: drop redundant definition of `BIT()`
src: fix formatting nits
ssh: tracing and better pollset handling
sspi: fix memory leaks on error paths in `Curl_create_sspi_identity()`
sws: fix binding to unix socket on Windows
synctime: tidy up, make it work on all platforms
telnet: abort on bad suboption sequence
telnet: replace atoi for BINARY handling with curlx_str_number
TEST-SUITE.md: correct the man page's path
test07_22: fix flakiness
test1475: consistently use %CR in headers
test1498: disable 'HTTP PUT from stdin' test on Windows
test2045: replace HTML multi-line comment markup with `#` comments
test318: tweak the name a little
test3207: enable memdebug for this test again
test363: delete stray character (typo) from a section tag
test568: fix codespell, catch it next time early in CI
test568: remove what looks like an email and a URL
test787: fix possible typo `&` -> `%` in curl option
test96: fix to accept non-unity memdump content with MSVC
tests/data: move `--libcurl` output to external data files
tests/data: replace hard-coded test numbers with `%TESTNUMBER`
tests/data: support using native newlines on disk, drop `.gitattributes`
tests/server: do not fall back to original data file in `test2fopen()`
tests/server: fix initialization on Windows Vista+
tests/server: replace `atoi()` and `atol()` with `curlx_str_number()`
tests: add `%AMP` macro, use it in two tests
tests: add a standard log line for alloc failures
tests: allow 2500-2503 to use ~2MB malloc
tests: drop redundant parenthesis from two macro expressions
tests: fix formatting nits
tests: rename CURLMcode variables to mresult
tftp: release filename if conn_get_remote_addr fails
tftpd: fix/tidy up `open()` mode flags
tidy-up: avoid `(())`, clang-format fixes and more
tidy-up: move `CURL_UNCONST()` out from macro `curl_unicodefree()`
tidy-up: URLs (cont.) and mdlinkcheck
tidy-up: URLs
TODO: remove a mandriva.com reference
tool: consider (some) curl_easy_setopt errors fatal
tool: log when loading .curlrc in verbose mode
tool_cfgable: free ssl-sessions at exit
tool_doswin: clear pointer when thread takes ownership
tool_doswin: increase allowable length of path sanitizer
tool_doswin: remove the max length check
tool_getparam: simplify the --rate parser
tool_getparam: use memdup0() instead of malloc + copy
tool_getparam: verify that a file exists for some options
tool_help: add checks to avoid unsigned wrap around
tool_ipfs: check return codes better
tool_msgs: make voutf() use stack instead of heap
tool_operate: exit on curl_share_setopt errors
tool_operate: fix a case of ignoring return code in operate()
tool_operate: fix case of ignoring return code in single_transfer
tool_operate: remove redundant condition
tool_operate: return error for OOM in append2query
tool_operate: use curlx_str_number instead of atoi
tool_paramhlp: refuse --proto remove all protocols
tool_paramhlp: remove a malloc+free from proto2num()
tool_paramhlp: simplify number parsing
tool_progress: fix large time outputs and decimal size display
tool_urlglob: acknowledge OOM in peek_ipv6
tool_urlglob: clean up used memory on errors better
tool_urlglob: constify an argument
tool_urlglob: fix propagating OOM error from `sanitize_file_name()`
tool_urlglob: support globs as long as config line lengths
tool_writeout: bail out proper on OOM
url: fix return code for OOM in parse_proxy()
url: if curl_url_get() fails due to OOM, error out properly
url: if OOM in parse_proxy() return error
url: return error at once when OOM in netrc handling
urlapi: fix mem-leaks in curl_url_get error paths
urlapi: handle OOM properly when setting URL
urlapi: return OOM correctly from parse_hostname_login()
verify-release: update to avoid shellcheck warning SC2034
vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally
vquic: do not pass invalid mode flags to `open()` (Windows)
vquic: do_sendmsg full init
vquic: ignore 0-length UDP packets
vquic: initialize new callback in nghttp3 1.14.0+
vtls: drop unused `use_alpn` from `ssl_connect_data` struct
vtls: fix CURLOPT_CAPATH use
vtls: handle possible malicious certs_num from peer
vtls: pinned key check
VULN-DISCLOSURE-POLICY.md: CRLF in data
wcurl: import v2025.11.09
wcurl: import v2026.01.05
windows: assume `USE_WIN32_LARGE_FILES`
windows: fix `CreateFile()` calls to support long filenames
windows: use `_strdup()` instead of `strdup()` where missing
wolfSSL: able to differentiate between IP and DNS in alt names
wolfssl: avoid NULL dereference in OOM situation
wolfssl: fix a potential memory leak of session
wolfssl: fix cipher list, skip 5.8.4 regression
wolfssl: fix possible assert with `!HAVE_NO_EX` wolfSSL builds
wolfssl: proof use of wolfSSL_i2d_SSL_SESSION
wolfssl: simplify wssl_send_earlydata
ws: replace a cast by matching the format string
x509asn1: drop unused `hostcheck.h`, `vtls_int.h` includes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 Jan 2026 16:33:03 +0000 (17:33 +0100)]
alsa: Update to version 1.2.15.3
- Update from version 1.2.15.1 to 1.2.15.3
- Update of rootfile
- Changelog
1.2.15.3
alsa-lib
Sequencer API
seq: return back old snd_seq_drain_output behaviour for -EAGAIN
alsa-ucm-conf
Configuration
HDA-analog: Fix the phantom jack detection if block
HDA-analog: Use phantom jacks to determine the device for single output
HDA-analog: Add output when only 'Master Playback' control exists
sof-hda-dsp: remove some debug lines
sof-hda-dsp: Headphone output is optional
ucm2: HDA: Fix headphone detection
USB-Audio: Add volume controls to Behringer UMCx0xHD direct profiles
USB-Audio: Fix UR22C firmware version condition
USB-Audio: Add support for UR24C firmware version channel differences
1.2.15.2
alsa-lib
Use Case Manager API
ucm: add some traces for the config filenames
Makefile.am
Makefile: remove dist-hook and remove tar option 'follow symlinks'
Error handler
error: fix the "return old snd_lib_error_set_handler() behaviour"
error: fix indendation in snd_lib_log_filter()
error: return old snd_lib_error_set_handler() behaviour
alsa-utils
ALSA Control (alsactl)
alsactl: fix sequence to clean card specific config files for UCM
alsactl: add missing call to clean card specific config files
alsaloop
alsaloop: only log xrun debug messages when verbose
aplay/arecord
aplay: add support for G.711 A_LAW enconding in AU file format
alsa-ucm-conf
Configuration
common: remove direct.conf and direct-verb.conf files
USB-Audio: update to use new DirectUseCase macro
common: introduce DirectUseCase macro
USB-Audio: Scarlett 18i20 gen4 - improve channel detection
USB-Audio: Add conditional channel count on Scarlett 18i20 version
USB-Audio: Steinberg UR22C - fix regex
ucm2: HDA: Create microphone devices optionally
ucm2: HDA: Headphone output may be optional
ucm2: sof-soundwire: cs42l45: Remove outdated DisableSequence
elements
ucm2: sof-soundwire: cs42l43: Remove outdated DisableSequence elements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 21 Jan 2026 12:55:09 +0000 (12:55 +0000)]
cdrom+flash-images: Check if we would remove any libraries
The filesystem-cleanup script has recently shown that it can create some
false-positives. By running it on top of the generated images we should
be able to catch these problems during the build stage.
I have unfortunately no way to run this for any add-on packages.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 20 Jan 2026 16:13:52 +0000 (16:13 +0000)]
glibc: Import fix for CVE-2025-15281
GLIBC-SA-2026-0003:
===================
wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory
Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the
GNU C Library version 2.0 to version 2.42 may cause the interface to
return uninitialized memory in the we_wordv member, which on subsequent
calls to wordfree may abort the process.
The implementation of WRDE_REUSE in conjunction with WRDE_APPEND fails
to clear the we_wordc member of the structure, and as such, when new
words are added internally, a leading we_wordc count number of entries
are skipped since they are assumed initialized. These skipped entries
are not initialized, but are the contents of a realloc-expanded array of
pointers. If the caller inspects the we_wordv array, it will
dereference invalid pointers and crash. If the caller calls wordfree,
the malloc implementation may detect the invalid pointers and abort the
process. Calls to wordexp using WRDE_REUSE and WRDE_APPEND have never
worked correctly and thus the existence of applications that make use of
this feature is unlikely.
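The advisory above singles out the WRDE_REUSE|WRDE_APPEND combination, which is the only path that leaves we_wordc stale. The following added example (not glibc code and not part of this commit) shows a hypothetical helper, expand_all(), that accumulates several patterns into one wordexp_t using WRDE_APPEND alone, never paired with WRDE_REUSE, and frees the structure on any error so that no partially initialised we_wordv survives for a later wordfree(). It also sets WRDE_NOCMD so that command substitution in the input is refused. The patterns in the demo helpers are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>
#include <wordexp.h>

/* Hypothetical helper (added example, not glibc code): expand several
 * patterns into one wordexp_t using WRDE_APPEND only. WRDE_REUSE is
 * deliberately never combined with WRDE_APPEND, which is the pairing
 * GLIBC-SA-2026-0003 describes as leaving we_wordc stale. WRDE_NOCMD
 * makes wordexp() refuse $(...) and backtick command substitution.
 * On success returns the word count; the caller must call wordfree(we).
 * On failure returns -1 and leaves *we freed and zeroed. */
int expand_all(const char *const *patterns, size_t n, wordexp_t *we)
{
    memset(we, 0, sizeof(*we));

    for (size_t i = 0; i < n; i++) {
        int flags = WRDE_NOCMD;
        if (i > 0)
            flags |= WRDE_APPEND;   /* extend the previous result; no WRDE_REUSE */

        if (wordexp(patterns[i], we, flags) != 0) {
            /* Words from earlier iterations (if any) are still valid, so one
             * wordfree() releases everything; then reset the struct so the
             * caller cannot wordfree() stale pointers a second time. */
            wordfree(we);
            memset(we, 0, sizeof(*we));
            return -1;
        }
    }
    return (int)we->we_wordc;
}

/* Expand two constructed patterns, free the result and return the total
 * word count (or -1 if expansion was refused). */
int demo_expand_count(const char *first, const char *second)
{
    const char *pats[2] = { first, second };
    wordexp_t we;
    int count = expand_all(pats, 2, &we);
    if (count >= 0)
        wordfree(&we);
    return count;
}

/* Return 1 if the last word of the appended expansion equals `expect`.
 * Appended words follow the earlier ones in we_wordv. */
int demo_last_word_is(const char *first, const char *second, const char *expect)
{
    const char *pats[2] = { first, second };
    wordexp_t we;
    int count = expand_all(pats, 2, &we);
    int ok = count > 0 && strcmp(we.we_wordv[count - 1], expect) == 0;
    if (count >= 0)
        wordfree(&we);
    return ok;
}
```

Appending "gamma" to the expansion of "alpha beta" yields three words, and a pattern containing "$(echo x)" is rejected because of WRDE_NOCMD rather than executed.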
Michael Tremer [Mon, 19 Jan 2026 11:05:15 +0000 (11:05 +0000)]
glibc: Add fixes for CVE-2026-0861 and CVE-2026-0915
GLIBC-SA-2026-0001:
===================
Integer overflow in memalign leads to heap corruption
Passing too large an alignment to the memalign suite of functions
(memalign, posix_memalign, aligned_alloc) in the GNU C Library version
2.30 to 2.42 may result in an integer overflow, which could consequently
result in a heap corruption.
Note that the attacker must have control over both, the size as well as
the alignment arguments of the memalign function to be able to exploit
this. The size parameter must be close enough to PTRDIFF_MAX so as to
overflow size_t along with the large alignment argument. This limits
the malicious inputs for the alignment for memalign to the range [1<<62
+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.
Typically the alignment argument passed to such functions is a known
constrained quantity (e.g. page size, block size, struct sizes) and is
not attacker controlled, because of which this may not be easily
exploitable in practice. An application bug could potentially result in
the input alignment being too large, e.g. due to a different buffer
overflow or integer overflow in the application or its dependent
libraries, but that is again an uncommon usage pattern given typical
sources of alignments.
Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf
that specifies the library's DNS backend for networks and queries for a
zero-valued network in the GNU C Library version 2.0 to version 2.42
can leak stack contents to the configured DNS resolver.
A defect in the _nss_dns_getnetbyaddr_r function which implements
getnetbyaddr and getnetbyaddr_r in the dns-based network database can
pass stack contents unmodified to the configured DNS resolver as part of
the network DNS query when the network queried is the default network
i.e. net == 0x0. This stack contents leaking in the query is considered
a loss of confidentiality for the host making the query. Typically it
is rare to call these APIs with a net value of zero, and if an attacker
can control the net value it can only leak adjacent stack, and so loss
of confidentiality is spatially limited. The leak might be used to
accelerate an ASLR bypass by knowing pointer values, but also requires
network adjacent access to snoop between the application and the
DNS server; making the attack complexity higher.
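The memalign advisory above notes that exploitation needs both an alignment in the [1<<62 + 1, 1<<63] range and a size close enough to PTRDIFF_MAX for the two to overflow size_t. The following added example (not glibc code and not part of this commit) is a hypothetical wrapper, checked_posix_memalign(), that rejects exactly that pair before it reaches the allocator: a non-power-of-two or oversized alignment returns EINVAL, and a size that cannot be rounded up to the alignment without exceeding PTRDIFF_MAX returns ENOMEM. The checked_request() helper exists only to exercise the wrapper.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical wrapper (added example, not glibc code): validate the
 * alignment/size pair before it reaches posix_memalign(), so that the
 * overflowing combination from GLIBC-SA-2026-0001 (alignment above 1<<62
 * together with a size close to PTRDIFF_MAX) is refused in the caller and
 * an unpatched allocator never sees it. Returns 0 and sets *out on
 * success, otherwise an errno-style code. */
int checked_posix_memalign(void **out, size_t alignment, size_t size)
{
    *out = NULL;

    /* posix_memalign() requires a power of two that is a multiple of
     * sizeof(void *); this also rejects alignment == 0. */
    if (alignment == 0 || (alignment & (alignment - 1)) != 0 ||
        alignment % sizeof(void *) != 0)
        return EINVAL;

    /* No object can be larger than PTRDIFF_MAX, so no alignment beyond it
     * is meaningful. Checking this first keeps the subtraction below from
     * wrapping around in size_t. */
    if (alignment > (size_t)PTRDIFF_MAX)
        return EINVAL;

    /* The size rounded up to the alignment must still fit in ptrdiff_t;
     * otherwise the allocator's internal size arithmetic can overflow. */
    if (size > (size_t)PTRDIFF_MAX - alignment)
        return ENOMEM;

    return posix_memalign(out, alignment, size);
}

/* Helper for exercising the wrapper: allocate, confirm the pointer really
 * is aligned, free it, and report the wrapper's return code. */
int checked_request(size_t alignment, size_t size)
{
    void *p = NULL;
    int rc = checked_posix_memalign(&p, alignment, size);
    if (rc == 0) {
        if (p == NULL || ((uintptr_t)p % alignment) != 0)
            rc = -1;    /* would indicate a broken allocator; not expected */
        free(p);
    }
    return rc;
}
```

A 64-byte alignment for 1 KiB succeeds, while an alignment of PTRDIFF_MAX + 1 (1<<63 on a 64-bit system) or a size within a page of PTRDIFF_MAX is refused before the allocator is called.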
Adolf Belka [Fri, 16 Jan 2026 20:56:22 +0000 (21:56 +0100)]
tshark: Update to version 4.6.3
- Update from version 4.6.2 to 4.6.3
- Update of rootfile
- Changelog
4.6.3
The following vulnerabilities have been fixed:
wnpa-sec-2026-01 BLF file parser crash. Issue 20880.
wnpa-sec-2026-02 IEEE 802.11 dissector crash. Issue 20939.
wnpa-sec-2026-03 SOME/IP-SD dissector crash. Issue 20945.
wnpa-sec-2026-04 HTTP3 dissector infinite loop. Issue 20944.
The following bugs have been fixed:
Wireshark 4.6.0 build fails on Solaris: pcapio.c:441:21: error: request for member '_flag' in something not a structure or union. Issue 20773.
RTP Player streams cannot be stopped. Issue 20879.
Additional ABI/API compatibility fixes. Issue 20881.
Missing data in pinfo→cinfo in HomePlug message CM_ATTEN_CHAR.IND. Issue 20893.
maxmind_db: crash when switching from a profile where it’s disabled to one where it’s enabled. Issue 20903.
Compilation warning or error if CFLAGS defines _FORTIFY_SOURCE to other than 3 without first undefining it. Issue 20904.
IEEE 802.11: Incorrect parsing of QoS and Mesh Control Field when the frame body contains an A-MSDU. Issue 20905.
OSS-Fuzz 473164101: Heap-buffer-overflow in dissect_idn_laser_data. Issue 20936.
Bug in decoding 5G NAS message - Extended CAG information list IE. Issue 20946.
Updated Protocol Support
DCT2000, DHCP, H.248, H.265, HomePlug AV, HTTP3, IDN, IEEE 802.11,
LTE RRC, NAS-5GS, PKCS12, QUIC, RTPS, SOME/IP-SD, SSH, and Thrift
New and Updated Capture File Support
3GPP TS 32.423 Trace, BLF, NetScreen, and Viavi Observer
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 16 Jan 2026 10:05:35 +0000 (10:05 +0000)]
gnupg: Ship all binaries
On new installations, GnuPG complained that it could not start gpg-agent
when it was importing the Pakfire keys for the first time. Although the
keys were imported successfully and fully functional, there was an error
message being shown at first boot which we don't want to see.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 15 Jan 2026 17:33:05 +0000 (18:33 +0100)]
ovpnmain.cgi: No longer include the CA in the client configuration
NetworkManager complains that it cannot use <ca>...</ca> when
<pkcs12>...</pkcs12> is being used as well. This makes somewhat sense as
the PKCS12 container also contains the CA certificate.
Therefore we are removing the <ca>...</ca> block for all clients as they
must all be able to read the PKCS12 container.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 14 Jan 2026 11:17:23 +0000 (12:17 +0100)]
tshark: Add libxxhash to dependency list
- From version 2.6.0 tshark added libxxhash as an option which is defined as ON by
default. As libxxhash is built as a dependency for rsync and borgbackup the tshark
build worked without problems but then the libxxhash library was not present and so
tshark failed to run.
- This patch adds libxxhash to the dependency list for tshark
- No change to rootfile
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 13 Jan 2026 12:12:15 +0000 (13:12 +0100)]
mdadm: Update to version 4.5
- Update from version 4.4 to 4.5
- No change to rootfile
- From kernel 6.17.x onwards it produces an error message with version 4.4 and suggests
updating to version 4.5 as async del_gendisk mode will be removed in future. This
update also ensures we will not see that message in any released IPFire CU. I found it
in my testing of Arne's 6.18 kernel
- Changelog
4.5
Features:
Supports --logical-block-size in --create from Wu Guanghao
Create array with sync del gendisk mode from Xiao Ni
Update raid6check man page from Mingye Wang
Re-enable mdadm --monitor ... for /dev/mdX from Dr. Joachim Schneider
Use MAILFROM to set sendmail envelope sender address in mdmon from Martin Wilck
Don't stop array after creating it during assemble from Xiao Ni
Use kernel raid headers from Mariusz Tkaczyk
Allow RAID0 to be created with v0.90 metadata from NeilBrown
Optimize DDF header search for widely used RAID controllers from lilinzhe
Persist properties of MD devices after switch_root from Antonio Alvarez Feijoo
Refactor continue_via_systemd() to make it more readable from Mateusz Kusiak
Remove --freeze-reshape logic in reshape from Mateusz Kusiak
Simplify remove logic in Incremental from Mariusz Tkaczyk
Fixes:
Fix crash with homehost=none in super1 from Martin Wilck
Moves memory management into Assemble to avoid null pointer dereference from Xiao Ni
Wait a while before removing a member in Incremental from Xiao Ni
Some memleak issues from Wu Guanghao
Fix memleak in udev from Mariusz Tkaczyk
Support non-absolute name during monitor scan from QRPp
Mdcheck fix and improvment from Martin Wilck
Remove POSIX check for name from Mariusz Tkaczyk
Enable udev block for Incremental/Assemble to avoid race condition from Nigel Croxon
Fix buiding errors from Xiao Ni
Use standard libc nftw from Xiao Ni
Allow any valid minor number in md device name from Martin Wilck
Fix RAID0 to RAID10 migration for imsm array from Blazej Kucman
Don't set badblock flag when adding a new disk from Wu Guanghao
Regression tests fix from Xiao Ni
Fix metadata corruption when managing new imsm array from Junxiao Bi
Add update_super in ddf to prevent crash when assembling ddf array from lilinzhe
Disable legacy option ROM scan on UEFI machines for imsm array from Ross Lagerwall
Add sbin path to env PATH to avoid command modprobe can't be found from Coly Li
Add xmalloc.h to raid6check.c to fix building error from Xiao Ni
Do not start reshape before switchroot from Mateusz Kusiak
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 7 Jan 2026 11:43:12 +0000 (11:43 +0000)]
suricata: Add IPFire DNSBL to the rule sources
Although this is not the primary use-case, there is a lot of value by
adding the DNSBL to Suricata for secondary filtering. Anything that is
trying to circumvent any local policy will be caught at the edge of the
network and therefore we will even be able to block access to any listed
domains when people are using a private resolver.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 7 Jan 2026 11:37:18 +0000 (11:37 +0000)]
ids-functions.pl: Implement extracting any data from tarballs
Suricata rulesets are distributed as tarballs. Besides the rules, those
tarballs may contain additional data like datasets and so on. This data
was not extracted before.
For the IPFire DNSBL we are shipping any domains as a separate file
which is being parsed by Suricata as a dataset. Obviously these files
need to be extracted to be read by Suricata.
This patch extracts any data files in the first place and later copies
them into the rules directory.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>