Adolf Belka [Wed, 13 Aug 2025 20:53:00 +0000 (22:53 +0200)]
fcron: Update to version 3.4.0
- Update from version 3.2.1 to 3.4.0
- Update of the rootfile
- Changelog
3.4.0
Changed the default "From" header of emails sent by fcron, to be
RFC5322-compliant. This is done (and can be reverted if needed) via the new
fcron.conf option maildisplayname.
Changed the default fcron reload delay from 60s to 5s.
Better doc and logging on bootrun jobs.
3.3.3
Fixed infinite loop when an lavg job reaches its 'until' deadline and gets
rescheduled as the next job to run.
Improved signal safety.
Improved log messages for: indentation, resume after suspend, child task
completion.
Fixed compilation warnings: SELinux, signal handling.
Updated copyright years.
3.3.2
Add compilation option (configure's '--with-max-fcrontab-reload-delay-seconds')
to allow faster or even instant reload for non-root users (thanks Elliot Wolk).
Added fcron.conf option 'maildisplayname', to configure the displayname fcron
uses when sending email. This allows fcron to be configured ot be
RFC5322-compliant (thanks Marco Emilio "sphakka" Poleggi)
Fixed fcrondyn output issue where two lines would be joined due to a long
shell command.
Improve documentation wording (thanks Michael Kopp)
3.3.1
Updated SELinux code to stop using deprecated headers (fixes build on more
recent systems)
Install programs with R/W perms for the owner
Fixed @reboot when using systemd
Various other fixes and improvements in doc, install and boot scripts (in
particular under systemd)
3.3.0
fcron now handles computer suspend/resume. On Linux systems, fcron can detect
resumes and measure the suspend time. On other OSes, a script must be run at
suspend and resume via system hooks.
Added a new option 'runatresume' (as well as a Vixie-cron-style '@resume'
shortcut), to run a job when the system resumes from suspend/hibernation.
Refactored the socket (for fcrondyn), suspend and select code.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 13 Aug 2025 20:53:01 +0000 (22:53 +0200)]
libgcrypt: Update to version 1.11.2
- Update from version 1.11.0 to 1.11.2
- Update of the rootfile
- Changelog
1.11.2
Bug fixes:
- Fix link errors in regression test t-thread-local on some
platforms (e.g. NetBSD). [T7634]
- Add missing file to allow building for RISC-V. [T7647]
- Support secp256k1 by KEM API. GnuPG has recently switched to use
the KEM interface and a few folks are using this curve. [T7698]
- Fix a missing initialization in RSA's generate_fips.
[rG448693047f]
Other:
- Silence GCC 15 warnings [rG7ebe90e555,T7617]
- Provide a prototype for __udiv_qrnnd for PowerPC and Alpha which
is required due to GCC-15 changes. [T7721]
- Add missing abi versions and machine tags for PowerPC assembly
with GCC-15. [T7721]
- Use '.rodata' section for read-only data of poly1305-p10le.
[T7721]
Interface changes relative to the 1.11.1 release:
GCRY_KEM_RAW_P256R1 NEW enum.
1.11.1
Bug fixes:
- Fix build regression on 32 bit Windows using Clang. [T7175]
- Fix build regression on macOS due to symbol naming. [T7170]
- Fix Kyber secret-dependent branch introduced by recent versions
of Clang. [rCf765778e82]
- Fix build regression due to the use of AVX512 in Blake. [T7184]
- Do not build i386 asm on amd64 and vice versa. [T7220]
- Fix build regression on armhf with gcc-14. [T7226]
- Return the proper error code on malloc failure in hex2buffer.
[rCc51151f5b0]
- Fix long standing bug for PRIME % 2 == 0. [rC639b0fca15]
Performance:
- Add AES Vector Permute intrinsics implementation for AArch64.
[rC94a63aedbb]
- Add GHASH AArch64/SIMD intrinsics implementation. [rCfec871fd18]
- Add RISC-V vector permute AES. [rCb24ebd6163]
- Add GHASH RISC-V Zbb+Zbc implementation. [rC0f1fec12b0]
- Add ChaCha20 RISC-V vector intrinsics implementation.
[rC8dbee93ac2]
- Add SHA3 acceleration for RISC-V Zbb extension. [rC1a660068ba]
Other:
- Add CET support for i386 and amd64 assembly. [T7220]
- Add PAC/BTI support for AArch64 asm. [T7220]
- Apply changes to Kyber from upstream for final FIPS 203.
[rCcc95c36e7f]
- Introduce an internal API for a revampled FIPS service indicator.
[T7340]
- Several improvements for constant time operation by the
introduction of Least Leak Intended (LLI) variants of internal
functions. [T7519,T7490]
- Remove WindowsCE support. [T7486]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 13 Aug 2025 16:30:15 +0000 (18:30 +0200)]
zlib-ng: Update to version 2.2.5
- Update from version 2.2.4 to 2.2.5
- Update of rootfile
- Changelog
2.2.5
Important fixes
RiscV: chunkset_rvv: fix SIGSEGV in CHUNKCOPY #1889
MSVC: Disable optimizations for AVX512 GET_CHUNK_MAG causing inflate
failure #1884
Fix building with runtime CPU detection disabled (native) #1931
Also check for ZMM support when detecting VPCLMULQDQ support #1932
Revert "Clean up insert_match() in deflate_medium" due to performance
regression #1938
Buildsystem
Pass POSIX_C_SOURCE for std::alligned_alloc try_compile checks #1896
X86_AVX512VNNI: check for _mm256_dpbusd_epi32 too #1944
CMake: Fix incorrect declaration of FORCE_SSE2 #1880
CMake: Fix CXXFLAGS when coverage enabled #1902
CMake: Remove late enable_language calls #1903
CMake: [FreeBSD] Define _XOPEN_SOURCE for gtest_zlib #1900
CMake: Add bindir into zlib.pc.in for compatibility with Cygwin and Msys2
#1920
Configure: riscv: add bash configure script support for riscv 1904
Tests/Benchmarks
Test: Fix pointer type mismatch #1897
Test: Add large 1mb buffer test for crc32 hashing #1913
Changes to running benchmark during tests #1892
CI
CI: Restore support macOS prior 10.15 #1878
CI: fixes for RISC-V #1890
CI: Preinstall packages needed for testing and benchmark #1894
CI: Remove deprecated ubuntu-20.04 image from CI #1898
CI: Replace deprecated windows-2019 with windows-2022 #1923
Misc
Add .gitignore to allow run tests with zlib-ng/corpora and local dataset
from working copy #1930
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3500200 to 3500400
- Update of rootfile
- Changelog 3500400
Fix two long-standings cases of the use of uninitialized variables in obscure
circumstances. 3500300
Fix a possible memory error that can occur if a query is made against against
FTS5 index that has been deliberately corrupted in a very specific way.
Fix the parser so that it ignored SQL comments in all places of a
CREATE TRIGGER statement. This resolves a problem that was introduced by the
introduction of the SQLITE_DBCONFIG_ENABLE_COMMENTS feature in version 3.49.0.
Fix an incorrect answer due to over-optimization of an AND operator. Forum post f4878de3e.
Fix minor makefile issues and documentation typos.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20250512 to 20250812
- Update of rootfile not required
- Changelog 20250812
Security updates for INTEL-SA-01249
Security updates for INTEL-SA-01308
Security updates for INTEL-SA-01310
Security updates for INTEL-SA-01311
Security updates for INTEL-SA-01313
Security updates for INTEL-SA-01367
Update for functional issues. Refer to 13th/14th Gen Intel® Core™ Processor
Specification Update for details.
Update for functional issues. Refer to 3rd Gen Intel® Xeon® Processor
Scalable Family Specification Update for details.
Update for functional issues. Refer to 4th Gen Intel® Xeon® Scalable
Processors Specification Update for details.
Update for functional issues. Refer to 5th Gen Intel® Xeon® Scalable
Processors Specification Update for details.
Update for functional issues. Refer to 6th Gen Intel® Xeon® Scalable
Processors Specification Update for details.
Update for functional issues. Refer to Intel® Core™ Ultra 200 V Series
Processor for details.
Update for functional issues. Refer to Intel® Core™ Ultra Processor for
details.
Update for functional issues. Refer to Intel® Core™ Ultra Processor
(Series 2) for details.
Update for functional issues. Refer to Intel® Xeon® 6700-Series Processor
Specification Update for details.
Update for functional issues. Refer to Intel® Xeon® D-2700 Processor
Specification Update for details.
Details about new and updated platforms can be found at
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250812
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 11 Aug 2025 09:35:16 +0000 (11:35 +0200)]
grub: Fix CVE's by updating to version 2.12 with commit 0e36779
- Update from version 2.12 to 2.12 and all commits up to 0e36779
- Update of rootfiles for all architectures
- Back in Feb 2025 20 CVE's were identified in Grub-2.12 and 73 security patchers were
applied. However there has been no movement to doing a fresh release. Arch Linux has
just used the committs up to the last of the security patches. However since then they
have also continued takingnew snapshots of the grub git commits to do updates.
- This patch takes the last commit in the grub master dated 11th July 2025.
- Built successfully also on aarch64 & riscv64
- Tested out on my vm testbed. The grub screen worked as expected and the grub version
has been made to show as 2.12.0e36779. This way any further update before version
2.13 is released will follow the same pattern of adding the number of the commit
used in the snapshot.
- The snapshot required the bootstrap script to be used. However this either needs
internet access to download the gnulib git sources or requires a local copy of the
gnulib git sources to be available. Therefore I took the snapshot and downloaded a
local copy of the gnulinb sources to my desktop build system and created a
bootstrapped version of the snapshot, which is the source file I have provided
into the sources and used by the lfs. This means that the autoconf -vfi command in
the lfs is not needed. I just commented it out in case there is a release package in
the future.
- I am not sure if this will be merged into CU197 or wait for CU198.
- As far as I can see all the CVE-s require acces to the grub system, which means local
physical access so don't believe these are critical for the IPFire user base but
it might be good for someone more experienced than me to check the CVE's.
- Changelog
For details of all changes then the grub git repo has to be looked at.
https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=shortlog;h=refs/heads/master
There is no changelog of all the commits, except for a list of the CVE's that were
identified and fixed in this update. These CVE's are listed below.
CVE-2024-45775: commands/extcmd: Missing check for failed allocation
In grub_extcmd_dispatcher() function grub2 calls grub_arg_list_alloc()
to allocate memory for the grub's argument list, however it misses to
check in case the memory allocation failed. Once the allocation failed,
a NULL point will be processed by the parse_option() function leading
grub to crash or in some rare scenarios corrupt the IVT data.
CVE-2024-45776: grub-core/gettext: Integer overflow leads to Heap OOB Write and
Read
When reading language .mo file in grub_mofile_open(), grub2 fails to verify to
a integer overflow when allocating its internal buffer. A crafted .mo file may
lead to the buffer size calculation to overflow leading to Out-of-bound reads
and writes. An attacker may leverage this flaw to leak sensitive data or
overwrite critical data possibly leading to the circumvention of secure boot
protections.
CVE-2024-45777: grub-core/gettext: Integer overflow leads to Heap OOB Write
The calculation of the translation buffer when reading a language .mo file in
grub_gettext_getstr_from_position() may overflow leading to a Out-of-bound
write. This may be leveraged by an attacker to overwrite senstive grub2's heap
data, eventually leading to the circumvention of secure boot protections
CVE-2024-45778: fs/bfs: Integer overflow in the BFS parser
There's a stack overflow when reading a BFS file system. A crafted BFS
filesystem may lead to a uncontrolled loop causing grub2 to crash
CVE-2024-45779: fs/bfs: Integer overflow leads to Heap OOB Read (Write?) in the
BFS parser
There's an integer overflow in the BFS file system driver. When reading a file
with indirect extent map grub2 fails to validate the number of extent entries
to be read. A crafted or corrupted BFS filesystem may cause a integer overflow
during the file reading, leading to a Heap Ouf-of-Bounds read. As consequence
sensitive data may be leaked or the grub2 to crash.
CVE-2024-45780: fs/tar: Integer Overflow causes Heap OOB Write
When reading tar files, grub2 allocates an internal buffer for the file name
however it fails to properly verify the allocation against possible Integer
Overflows. It's possible to cause the allocation length to overflow with
a crafted tar file leading to a head Out-of-bounds write, as consequence an
attacker may leverage this to eventually circumvent secure boot protections.
CVE-2024-45781: fs/ufs: OOB write in the heap
When reading a symbolic link's name from a UFS filesystem, grub2 fails to
validate the string length taken as an input. The lack of validation may lead
to a heap Out-of-bounds write, causing data integrity issues and eventually
allowing an attacker to circumvent secure boot protections.
CVE-2024-45782: fs/hfs: strcpy() using the volume name (fs/hfs.c:382)
When reading a HFS volume's name at grub_fs_mount(), the HFS filesystem driver
performs a strcpy() using the user provided volume name as input without proper
validating the volume name's length. This may read to a heap based
Out-of-bounds write, impacting on grub's sensitive data integrity and
eventually leading to secure boot protection bypass.
CVE-2024-45783: fs/hfs+: refcount can be decremented twice
When failing to mount a HFS+ grub hfsplus filesystem driver doesn't properly
set a ERRNO value. This may lead to a NULL pointer access.
CVE-2025-0622: command/gpg: Use-after-free due to hooks not being removed on
module unload
In some scenarios hooks created by loaded modules are not being removed when
the related module is being unloaded. An attacker may leverage this by forcing
the grub2 to call the hooks once the module which registered it was unloaded,
leading to a Use-after-free vulnerability. If correctly exploited this
vulnerability may result int Arbitrary Code Execution eventually allowing the
attacker to by-pass secure boot protections.
CVE-2025-0624: net: Out-of-bounds write in grub_net_search_config_file()
During the network boot process when trying to search for the configuration
file, grub copies data from a user controlled environment variable into an
internal buffer using grub_strcpy() function. During this step it fails to
consider the environment variable length when allocating the internal buffer,
resulting in a out-of-bounds write. If correctly exploited this issue may
result in remote code execution through the same network segment the grub is
searching for the boot information, which can be used to by-pass secure boot
protections.
CVE-2025-0677: UFS: Integer overflow may lead to heap based out-of-bounds write
when handling symlinks
When performing a symlink lookup the grub's UFS module check the inode's data
size to allocate the internal buffer for reading the file content however it
misses to check if the symlink data size has overflown. If that happens
grub_malloc() may be called with a smaller value than needed, as consequence
when further reading the data from disk into the buffer
grub_ufs_lookup_symlink() function will write past the end of the allocated
size. An attack may leverage that by crafting a malicious filesystem and as
a result it will corrupt data stored in the heap, it's possible that arbitrary
code execution may be achieved through it and to be used to by-pass secure boot
mechanisms.
CVE-2025-0678: squash4: Integer overflow may lead to heap based out-of-bounds
write when reading data
When reading data from a squash4 filesystem, grub's squash4 fs module uses
user-controlled parameters from the filesystem geometry to determine the
internal buffers size, however it misses to properly check for integer
overflows. A maliciouly crafted filesystem may lead some of those buffer size
calculation to overflow, causing it to perform a grub_malloc() operation with
a smaller size than expected. As a result the direct_read() will perform a heap
based out-of-bounds write during data reading. This flaw may be leveraged to
corrupt grub's internal critical data and may result in arbitrary code
execution by-passing secure boot protections.
CVE-2025-0684: reiserfs: Integer overflow when handling symlinks may lead to
heap based out-of-bounds write when reading data
When performing a symlink lookup from a reiserfs filesystem, grub's reiserfs fs
module uses user-controlled parameters from the filesystem geometry to
determine the internal buffers size, however it misses to properly check for
integer overflows. A maliciouly crafted filesystem may lead some of those
buffer size calculation to overflow, causing it to perform a grub_malloc()
operation with a smaller size than expected. As a result the
grub_reiserfs_read_symlink() will call grub_reiserfs_read_real() with
a overflown length parameter leading to a heap based out-of-bounds write during
data reading. This flaw may be leveraged to corrupt grub's internal critical
data and may result in arbitrary code execution by-passing secure boot
protections.
CVE-2025-0685: jfs: Integer overflow when handling symlinks may lead to heap
based out-of-bounds write when reading data
When reading data from a jfs filesystem, grub's jfs filesystem module uses
user-controlled parameters from the filesystem geometry to determine the
internal buffers size, however it misses to properly check for integer
overflows. A maliciouly crafted filesystem may lead some of those buffer size
calculation to overflow, causing it to perform a grub_malloc() operation with
a smaller size than expected. As a result the grub_jfs_lookup_symlink() function
will write past of the internal buffer length during grub_jfs_read_file(). This
flaw may be leveraged to corrupt grub's internal critical data and may result
in arbitrary code execution by-passing secure boot protections.
CVE-2025-0686: romfs: Integer overflow when handling symlinks may lead to heap
based out-of-bounds write when reading data
When performing a symlink lookup from a romfs filesystem, grub's romfs
filesystem module uses user-controlled parameters from the filesystem geometry
to determine the internal buffers size, however it misses to properly check for
integer overflows. A maliciouly crafted filesystem may lead some of those
buffer size calculation to overflow, causing it to perform a grub_malloc()
operation with a smaller size than expected. As a result the
grub_romfs_read_symlink() may cause a out-of-bounds writes when calling
grub_disk_read() function. This flaw may be leveraged to corrupt grub's
internal critical data and may result in arbitrary code execution by-passing
secure boot protections.
CVE-2025-0689: udf: Heap based buffer overflow in grub_udf_read_block() may
lead to arbitrary code execution
When reading data from disk, the grub's UDF filesystem module utilizes the user
controlled data length metadata to allocate its internal buffers. In certain
scenarios, while iterating through disk sectors, it assumes the read size from
the disk is always smaller than the allocated buffer size which is not
guaranteed. A crafted filesystem image may lead to a heap-based buffer overflow
resulting in critical data to be corrupted, resulting in the risk of arbitrary
code execution by-passing secure boot protections.
CVE-2025-0690: read: Integer overflow may lead to out-of-bounds write
The read command is used to read the keyboard input from the user, while reads
it keeps the input length in a 32-bit integer value which is further used to
reallocate the line buffer to accept the next character. During this process,
with a line big enough it's possible to make this variable to overflow leading
to a out-of-bounds write in the heap based buffer. This flaw may be leveraged
to corrupt grub's internal critical data and secure boot bypass is not
discarded as consequence.
CVE-2025-1118: commands/dump: The dump command is not in lockdown when secure
boot is enabled
The grub's dump command is not blocked when grub is in lockdown mode. This
allows the user to read any memory information, an attacker may leverage that
in order to extract signatures, salts and other sensitive information from the
memory.
CVE-2025-1125: fs/hfs: Interger overflow may lead to heap based out-of-bounds write
When reading data from a hfs filesystem, grub's hfs filesystem module uses
user-controlled parameters from the filesystem metadata to calculate the
internal buffers size, however it misses to properly check for integer
overflows. A maliciouly crafted filesystem may lead some of those buffer size
calculation to overflow, causing it to perform a grub_malloc() operation with
a smaller size than expected. As a result the hfsplus_open_compressed_real()
function will write past of the internal buffer length. This flaw may be
leveraged to corrupt grub's internal critical data and may result in arbitrary
code execution by-passing secure boot protections.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 5 Aug 2025 10:44:51 +0000 (11:44 +0100)]
IPS: Rename bypassed to "Offloaded"
Bypassed seems to suggest to some people that the traffic was never
looked at, when in fact the IPS is rather offloading anything it is no
longer interested in. I think this is a better phrase.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 22 Jul 2025 21:22:08 +0000 (23:22 +0200)]
vectorscan: Update to version 5.4.12
- Update from version 5.4.11 to 5.4.12
- Update of rootfile
- Removal of patch for sse4.2 as changes now part of source tarball
- Changelog
5.4.12
Multiple changes since last release, this will be the last 100% ABI and API
compatible with Hyperscan release.
Next versions will include major refactors and API extensions, it will be
mostly backwards compatible however.
Without particular order, platform support is now:
* Linux (x86, Arm, Power)
* FreeBSD 14 (x86, Arm, Power)
* MacOS 14+ (x86, Arm)
In total more than 200 configurations in the CI are tested for every PR.
Other features:
- Fat Runtime supported for Arm as well (ASIMD/SVE/SVE2).
- Initial implementations for Arm SVE/SVE2 algorithms added, thanks to
Yoan Picchi from Arm.
- SIMDe support added, used as an alternative backend for existing
platforms, but mostly interesting for allowing Vectorscan to build
in new platforms without a supported SIMD engine.
- Various speedups and optimizations.
- Cppcheck and clang-tidy fixes throughout the code, both have been
added to CI for multiple configurations, but only cppcheck triggers
a build failure for now.
Various bugfixes, most important listed:
- Speed up truffle with 256b TBL instructions (#290)
- Fix Clang Tidy warnings (#295)
- Clang 17+ is more restrictive on rebind<T> on MacOS/Boost, remove
warning (#332)
- partial_load_u64 will fail if buf == NULL/c_len == 0 (#331)
- Bugfix/fix avx512vbmi regressions (#335)
- fix missing hs_version.h header (closes #198)
- hs_valid_platform: Fix check for SSE4.2 (#310)
- Fixed out of bounds read in AVX512VBMI version of
fdr_exec_fat_teddy … (#333)
- Fix noodle SVE2 off by one bug (#313)
- Make vectorscan accept \0 starting pattern (#312)
- Fix 5.4.11's config step regression (#327)
- Fix double shufti's vector end false positive (#325)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 22 Jul 2025 16:55:43 +0000 (18:55 +0200)]
suricata: Update to version 8.0.0
- Update from version 7.0.11 to 8.0.0
- Update of rootfile
- patch file updated for disabling sid-2210059
- Changelog
8.0.0
Security #7658: http2: global tx (stream id 0) may open file and never close
it(HIGH - CVE 2025-53538)
Bug #7798: dpdk: auto count of threads assigns more threads than affined
Bug #7791: http: BUG_ON assertion reached in packet path
Bug #7790: affinity: intermittent unittest failures
Bug #7789: dpdk: compilation warning of a function without prototype
Bug #7783: smtp: incorrect inspection window
Bug #7752: decode: no parent packet flow for ip-in-ipv6
Bug #7678: mpm/ac: error "Just ran out of space in the queue"
Bug #7649: lib: suricata version in sys crate needs to be updated on build
Bug #1484: src: BUG_ON(1) statements in the packet path
Optimization #7643: excessive mtu messages at start up
Optimization #7212: strtoul: replace with ByteExtractString variant
Optimization #6264: mpm/ac-ks: reduce stack usage
Optimization #4753: lua: fix inconsistency in the init "needs" key
Documentation #7749: doc: update user manual seciton on RPMs
Documentation #7723: doc/exceptions: review 'inspection' terminology
Documentation #7648: rtd: set "latest" to last stable release starting with 8.0.0
Documentation #7078: devguide: document current ffi naming style
Documentation #6955: devguide: update coding-style docs
Documentation #6566: userguide: add description for missing EVE krb fields
Documentation #6288: eve/schema: generate tables of data for app-layer protocols
Documentation #6252: userguide/install: move Ubuntu distros to their own page
Documentation #6069: userguide/install: move RPM distros to their own page
Documentation #6022: devguide: explain how the engine identifies applayer
protocols
Documentation #5911: userguide: update & bring guide for installation on
Windows to RtD
Task #7758: decode: add stats counters for ipv4/ipv6 over ipv4
Task #7750: packaging: rpm for RHEL 10
Task #7632: suricata-lua-sys: tag with a non-prerelease version
Task #6941: lua: review and document lua rule return types
Task #6814: libsuricata: opt-in signal handling
Task #6359: detect/analyzer: add more details for the ICMP icode keyword
Task #6262: tracking: reduce stack usage
8.0.0-rc1
Feature #7715: rules: add option to skip flow tracking for a packet
Feature #7714: detect: add pre_flow rule hook
Feature #7713: detect: add tcp.wscale keyword to match on TCP wscale option
values
Feature #7712: detect: add pre_stream rule hook
Feature #7702: commandline: add --list-app-layer-hooks option
Feature #7645: pgsql: add CopyIn subprotocol/mode
Feature #7635: eve: include transaction count
Feature #7599: mime: add email.received keyword
Feature #7597: mime: add email.url keyword
Feature #7593: mime: add email.message_id keyword
Feature #7507: rules: ftp.completion_code keyword
Feature #7506: rules: ftp.reply_received keyword
Feature #7505: rules: ftp.mode keyword
Feature #7504: rules: ftp.dynamic_port keyword
Feature #7372: Datajson: a dataset evolution
Feature #7047: eve: add ip version field
Feature #7036: DPDK NUMA setup: choose correct CPUs from worker-cpu-set
Feature #6805: cpu-affinity: enhance CPU affinity logic with per-interface
NUMA preferences
Feature #6695: tls: log extensions
Feature #6259: pgsql: add `query` detection keyword
Feature #5692: http: brotli content encoding for HTTP/1.1
Feature #4099: app-layer: allow direct rule keyword registration
Feature #3952: protocols: implement mDNS
Feature #2290: lua: use script as transform
Bug #7747: affinity: warnings in the granular thread affinity settings code
Bug #7746: suricatasc does not handle reconnect
Bug #7735: brotli: old crate version has integer underflow
Bug #7732: http1: use cursor wrapper handling EOF for brotli
Bug #7730: dcerpc: uint16 overflow (rust debug assertion)
Bug #7725: decode/ipv4: missing ip-in-ip case handling
Bug #7698: firewall: eve verdict field should state "accept" instead of alert
Bug #7694: flow: elephant flow counts previous bytes revisiting an index
Bug #7689: Dataset of type IP can't set IPv4
Bug #7687: flow: non-TCP protocol timeout handling leads to missing flows
Bug #7681: flow: race condition at shutdown leads to duplicate flows
Bug #7671: lua: suricata-lua-sys needs to honor MSAN oss-fuzz flags
Bug #7668: http: lack of setting updated_ts leads to firewall bypass
Bug #7665: transaction rules: support filesize
Bug #7653: ips: deconflict pass flow and drop packet rules
Bug #7647: pgsql: empty request logged if password message disabled
Bug #7634: hyperscan: coverity warnings
Bug #7579: detect/files: local_file_id not incremented if inspection buffer is
NULL
Bug #7568: pcap: continuous file reading fails on an empty directory
Bug #7549: detect: using different sticky buffers for byte_extract and
byte_jump leads to undefined value before doing the jump
Bug #7498: rust: cleanup of extern "C" functions and no_mangle
Bug #7479: segfault using dummy config
output.eve-log.types.alert.payload-buffer-size = 0
Bug #7420: detect-engine: warning fgets could get negative value
Bug #7390: byte_extract: issue with saved 'name' in distance keyword
Bug #7374: dpdk: iface-copy should not be mandatory
Bug #7344: build: build can sometimes fail copying the lua headers into place
Bug #7285: Websocket compression mishandling
Bug #7236: plugins: custom transaction loggers cannot be registered by a plugin
Bug #7019: snmp: probing parser returns ALPROTO_FAILED instead of
ALPROTO_UNKNOWN if slice.len() < 4
Bug #7004: app-layer: wrong tx may be logged for stream rules
Bug #6981: dpdk: compiler warnings about lossy integer precision
Bug #6400: log of DNS answer is in wrong direction
Bug #6186: Integer overflows 64 to 32 bytes
Bug #5739: htp: handle alloc failure for user data
Bug #5177: detect/analyzer: rule analyzer warns about http buffers usage
Bug #4815: unix socket: ftp memcap missing from socket commands
Bug #3436: suricatasc: crashing using command 'reopen-log-files'
Optimization #7733: transforms: move base64 transform pure rust
Optimization #7708: http1: add tx iterator
Optimization #7529: detect/dns: move wrapper code from C to rust
Optimization #7353: files: remove deprecated force-md5 config option
Optimization #7292: CI: clang-format rechecks every main-7.0.x commit
Optimization #7083: detect/dataset: skip adding localstatedir if fullpath is
provided
Task #7727: lua: suricata.log library
Task #7673: libsuricata: rate_filter callback
Task #7656: fast.lua: update script to reflect library use
Task #7609: lua: suricata.util lib
Task #7608: lua: turn tls into lib
Task #7607: lua: turn ssh into lib
Task #7606: lua: turn smtp into lib
Task #7605: lua: turn ja3 into lib
Task #7603: lua: turn hassh into lib
Task #7598: mime: add email.x_mailer
Task #7591: mime: add email.date keyword
Task #7491: lua: turn file into lua lib
Task #7490: lua: turn rule into lua lib
Task #7487: lua: turn flowints into lib
Task #7486: lua: turn flowvars into lib
Task #7461: suricata-verify: pass all tests
Task #7079: rust: unify rust ffi style
Task #7026: app-protos: trigger raw stream inspection
Task #6573: rust: set new minimum Rust version for Suricata 8
Task #3695: research: libhwloc for better autoconfiguration
Documentation #7683: mime: add email.attachment keyword
Documentation #7329: doc: explain the priority ports setting
Documentation #7143: doc: legacy keyword http_host used in examples
Documentation #5485: userguide: explain that the http.header_names buffer is
normalized
8.0.0-beta1
Feature #7644: pgsql: add CopyOut subprotocol/mode
Feature #7633: dpdk: refrain from creating TX queues on zero TX descriptors
Feature #7620: smb: configurable logging
Feature #7596: mime: add email.to keyword
Feature #7595: mime: add email.subject keyword
Feature #7592: mime: add email.from keyword
Feature #7588: mime: add email.cc keyword
Feature #7565: dcerpc: rpc interfaces info in request event
Feature #7533: detect/ldap: add ldap.request.attribute_type and
ldap.request.attribute keywords, and same for responses
Feature #7532: detect/ldap: add keywords for LDAPResult
Feature #7517: detect: smtp.mail_from keyword
Feature #7516: detect: smtp.rcpt_to keyword
Feature #7515: detect: smtp.helo keyword
Feature #7513: detect/integers: add support for negated strings when enum is used
Feature #7508: rules: ftp.reply keyword
Feature #7503: rules: ftp.command_data keyword
Feature #7502: rules: ftp.command keyword
Feature #7485: rules: allow specifying explicit hooks
Feature #7482: eve/flow: log tcp session reuse as a timeout reason
Feature #7481: rules/actions: explicit action scopes
Feature #7477: ldap: add support for AbandonRequest
Feature #7471: detect/ldap: add ldap.distinguished_name keywords for request
and response
Feature #7453: detect/ldap: add ldap.request.operation and
ldap.response.operation keywords
Feature #7433: eve/alert: enrich decoder event rules
Feature #7403: requires: add ability to check for a rule keyword
Feature #7382: dpdk: create separate packet mempools per queue
Feature #7381: dpdk: when running with ice driver fully start only when link
state change event is caught
Feature #7380: dpdk: provide "auto" option for RX/TX descriptors
Feature #7373: dpdk: provide "auto" option to mempool-size property
Feature #7337: dpdk: implement configuration of RSS using rte_flow rules for
major cards
Feature #7330: dpdk: support HW VLAN stripping
Feature #7320: flow: add user registerable flow update callbacks
Feature #7319: flow: add user registerable flow initialization callback
Feature #7311: http1: log invalid status as string
Feature #7291: sdp: implements sticky buffer
Feature #7243: lua: expose dataset functions
Feature #7240: libsuricata: use provided threads and packets
Feature #7204: sip: rustify sticky buffers
Feature #7203: ldap: extend parser for udp
Feature #7202: ldap: frame support
Feature #7170: hyperscan: Cache Hyperscan databases to disk to speed up the
startup
Feature #7120: threshold: add backoff type
Feature #7108: tls: ALPN keyword
Feature #7098: eve: add payload length field
Feature #7074: lua: expose base64 functions
Feature #7073: lua: expose hashing functions (md5/sha1/sha256)
Feature #7055: tls: log ALPN
Feature #7051: websocket: data frame
Feature #7045: tls-store: add support client certs
Feature #7017: dns: add OPT rdata struct and parsing
Feature #7012: rules: add dns.response sticky buffer
Feature #7011: dns: additional section parsing and logging
Feature #6967: multi-tenancy: support thresholding per tenant
Feature #6943: pcap: datalink type 229 not (yet) supported in module PcapFile
Feature #6939: lua: incremement stat when a lua rule exhausts its instruction
count
Feature #6857: iprep: support seeing if rule is part of a rep list
Feature #6856: http: anomaly when request line is missing protocol
Feature #6832: pcap/log: Support BPFs for filtering pcap output
Feature #6827: arp: implement decoder and logger
Feature #6822: threshold: support tracking by flow
Feature #6788: bypass: decouple stream.bypass dependency from TLS encrypted
bypass
Feature #6739: dpdk: warn the user if user-settings are adjusted to the device
capabilities
Feature #6666: dns: add keyword for dns rrtype: dns.rrtype
Feature #6648: detect: integer: support bitmasks
Feature #6647: detect: integers: support for enumerations
Feature #6646: detect: integer: support negated ranges
Feature #6645: detect: integer parsed with hexadecimal notation
Feature #6637: requires: add skipped rules to stats
Feature #6627: sdp: add protocol parser and logger
Feature #6621: dns: add keyword for dns rcode: dns.rcode
Feature #6550: profiling/rules: allow enabling profiling for pcap file runs
Feature #6546: detect/transform: strip_pseudo_headers
Feature #6497: dns: new detection buffer: dns.query.name
Feature #6496: dns: new detection buffer: dns.answer.name
Feature #6487: detect/transform: from_base64
Feature #6480: plugins: allow plugins to specify the version of suricata they
are for
Feature #6455: txbits: support for new type of bits
Feature #6439: rules: add to_lowercase transform
Feature #6426: http2: app-layer-event and normalization when userinfo is in
the :authority pseudo header for the http.host header
Feature #6396: rules: add protocol string support for mqtt
Feature #6379: ja4: support for TLS and QUIC
Feature #6374: sip: add sticky buffers for headers
Feature #6366: pop3: protocol detection
Feature #6290: http: support case insensitive testing of header name existence
Feature #6260: flow: flow matching excluding packet recursion level
Feature #6215: flow/output: log triggered exception policy
Feature #6164: rules: allow matching on flow pkts and bytes
Feature #6090: eve/alert: missing dcerpc metadata
Feature #6079: eve/dcerpc: eve/smb: log dcerpc uuid with request/response txs
Feature #5976: eve/stats: allow hiding counters whose value is 0
Feature #5972: rules: "requires" keyword representing the minimum version of
suricata to support the rule
Feature #5839: dpdk: power saving mode
Feature #5816: stats: exception policy counters
Feature #5773: doh: support DNS over HTTPS (DoH)
Feature #5743: http2: add frame support
Feature #5734: ssh: add frame support
Feature #5665: rules: bidirectional transaction matching
Feature #5647: rules: mark flow as elephant flow
Feature #5646: rules: allow matching on flow pkts and bytes in either direction
Feature #5489: research: multi version rules; or version dependent rules
Feature #5466: detect: allow alert-then-pass logic
Feature #5446: rules: allow ranges in dns.opcode value
Feature #5234: tls: subjectAltName buffer
Feature #5082: smb: keyword for matching the SMB files
Feature #5075: smb: keyword for the SMB version
Feature #4974: eve: log rule references
Feature #4905: smtp: add stream app-layer frame support
Feature #4904: dcerpc: frames support
Feature #4853: eve: Add information about Suricata version
Feature #4777: lua: implement sandboxing
Feature #4776: lua: vendor latest lua stable
Feature #4321: http2: Support link between packets in the same stream
Feature #4102: plugins: support creating app-layer parser, logger and detect
Feature #3958: enip: convert protocol parser to rust
Feature #3487: mime: multi-part parser in Rust
Feature #3351: sip: parse traffic over tcp
Feature #2816: vlan: support more than 2 layers
Feature #2696: http: implement parser in rust
Feature #2695: websocket support
Feature #2486: prefilter/fast_pattern logic for flowbits
Feature #2377: deprecate: ssh.softwareversion and ssh.protoversion
Feature #2280: http: rules that match both request and response
Feature #1971: lua: make mandatory
Feature #1520: multi-tenancy: verbose output clarity
Feature #1199: protocol: LDAP support
Feature #1125: smtp: improve protocol detection
Feature #1065: rules: introduce vlan id keyword
Feature #845: stats: track memory consumption
Security #7615: datasets: signature keyword setting can cause high memory
usage(MODERATE - CVE 2025-29916)
Security #7613: decode_base64: signature can do large
memory allocation(HIGH - CVE 2025-29917)
Security #7526: detect: infinite loop in DetectEngineContentInspectionInternal
with negated pcre(HIGH - CVE 2025-29918)
Security #7465: ldap: bound of number of transactions is not fully enforced
Security #7464: doh2: buffer is not really limited to 65K as should be for DNS
Security #7458: af-packet: defrag option can lead to truncated packets
(HIGH - CVE 2025-29915)
Security #7450: tracking: signature can allocate arbitrary amount of memory
Security #7411: tcp: generic detection bypass using TCP urgent support
(HIGH - CVE 2024-55629)
Security #7393: tcp: segfault on StreamingBufferSlideToOffsetWithRegions
(CRITICAL - CVE 2024-55627)
Security #7366: bpf: oversized bpf file can lead to buffer overflow
(MODERATE - CVE 2024-55626)
Security #7280: dns: quadratic complexity in logging and invalid json as
output(HIGH - CVE 2024-55628)
Security #7267: ja4: non alphanumeric characters in alpn lead to panic
(CRITICAL - CVE 2024-47522)
Security #7229: detect: write to read-only memory in transforms
(CRITICAL - CVE 2024-55605)
Security #7209: thash: random factor not used; possible abusive hash
collisions(CRITICAL - CVE 2024-47187)
Security #7195: datasets: rule with unset makes suricata abort
(HIGH - CVE 2024-45795)
Security #7191: http: quadratic complexity in headers processing/finding
(CRITICAL - CVE 2024-45797)
Security #7183: smb: hashmap entries not removed for error responses
Security #7104: http2: oom from duplicate headers(CRITICAL - CVE 2024-38535)
Security #7085: eve: transactions can be logged an arbitrary number of times
Security #7067: defrag: off by one leads to possible evasion
(HIGH - CVE 2024-45796)
Security #7040: defrag: id reuse can lead to invalid reassembly
(CRITICAL - CVE 2024-37151)
Security #7029: http/range: segv when http.memcap is reached
(HIGH - CVE 2024-38536)
Security #6987: modbus: txs without responses are never freed
(MODERATE - CVE 2024-38534)
Security #6902: base64: off-by-three overflow in DecodeBase64()
(HIGH - CVE 2024-32664)
Security #6900: http2: timeout logging headers(HIGH - CVE 2024-32663)
Security #6892: http2: oom on copying compressed headers
(CRITICAL - CVE 2024-32663)
Security #6866: eve: excessive ssh long banner logging(HIGH - CVE 2024-28870)
Security #6799: ssh: quadratic complexity in overlong banner
(CRITICAL - CVE 2024-28870)
Security #6796: output/filestore: slowdown because of running OutputTxLog on
useless packets
Security #6770: log: arbitrary-length value can be logged
Security #6757: libhtp: quadratic complexity checking after request line
missing protocol(CRITICAL - CVE 2024-28871)
Security #6680: smb: pcap with many open files takes too much time
Security #6675: ip-defrag: packet can be considered complete even with holes
(MODERATE - CVE 2024-32867)
Security #6669: ip defrag: re-assembly error in bsd policy
(MODERATE - CVE 2024-32867)
Security #6668: ip defrag: final overlapping packet can lead to "hole" in
re-assembled data(MODERATE - CVE 2024-32867)
Security #6493: ip defrag: several issues with overlap handling
Security #6481: http2: quadratic complexity in find_or_create_tx not bounded
by max-tx(CRITICAL - CVE 2024-23836)
Security #6477: smtp: quadratic complexity from unbounded number of
transaction per flow(CRITICAL - CVE 2024-23836)
Security #6444: http1: quadratic complexity from infinite folded headers
(CRITICAL - CVE 2024-23837)
Security #6441: detect: heap use after free with http.request_header keyword
(CRITICAL - CVE 2024-23839)
Security #6411: pgsql: quadratic complexity leads to over consumption of memory
(HIGH - CVE 2024-23835)
Security #6299: mqtt: pcap with anomalies takes too long to process because of
app-layer-event detection
Security #5926: http2: evasion by splitting header fields over frames
(HIGH - CVE 2024-24568)
Security #5921: http1: configurable limit for maximum number of live
transactions per flow(CRITICAL - CVE 2024-23836)
Bug #7618: af-packet: setting bpf fails
Bug #7577: detect/files: file.data does not use content passed when closing
the file internally
Bug #7567: dcerpc: assertion triggered !((res.needed + res.consumed < input_len))
Bug #7562: detect/flow: null deference in signature parsing
Bug #7560: detect/krb5: undefined behavior with krb5.ticket_encryption when
passing -INT32_MAX
Bug #7556: quic: valid traffic blocked in IPS mode
Bug #7554: tls: parser error on unACK'd data in FIN shutdown
Bug #7552: app-layer: misdetection if response is seen first without request
Bug #7548: dcerpc: avoid integer underflow
Bug #7523: rules/prefilter: prefilter keyword ignored when in content rule
Bug #7521: detect/ip-only: false positive alerts on pseudo packets ending a
one direction flow
Bug #7495: protocol detection: probing parsers do not finish as soon as possible
Bug #7469: smtp: recognize when client initiated TLS
Bug #7467: detect: checksum detection broken by stream.checksum-validation
Bug #7466: lua: Flowvar memory leak
Bug #7455: flow: flow timeout behavior non-deterministic
Bug #7449: app-layer metadata does not get logged for stream rules and
unidirectional protocols
Bug #7447: NULL dereference in ThreadLogFileHashFreeFunc in bug-5198 SV test
Bug #7444: dpdk: RSS key length missmatch on ice (E810) card with DPDK version
22.11.6
Bug #7440: eve/frame: incomplete frame logging
Bug #7437: protocol detection : probing parsers are limited to 32 by use of
bitflag
Bug #7436: sip: remove UPDATE pattern as already used by HTTP/1.1
Bug #7435: fuzz: fix protocol detection target initialization sequence
Bug #7422: tcp: GAP event set on unack'd data following a RST
Bug #7418: requires: rules with unmet requirements are still loaded
Bug #7417: rust: remove shared reference to static mutable
Bug #7414: detect: decoder event rules fail to match on invalid packets
Bug #7409: http: crash in strip_pseudo_headers transform
Bug #7406: eve: Alerts with app_proto=tls no longer logs the tls app data
Bug #7398: datasets: scan-build warning call to blocking fn inside critical
section
Bug #7394: ldap: support starttls with tls upgrade
Bug #7365: flow-manager: multi Flow Manager memory leak problem
Bug #7361: rules: unknown internal events not being detected as errors
Bug #7359: eve/syslog: crashes on use
Bug #7338: rust: different int types turn garbage on FFI boundary
Bug #7334: asan/profiling: global-buffer-overflow error
Bug #7333: tls: impossible to log alpns with 'custom' logging
Bug #7332: tls: fix duplicate EVE field issuerdn
Bug #7326: http: FN with prefilter if the first of multi buffer did not match
Bug #7325: sdp: one or more time descriptions
Bug #7323: mqtt: wrong and missing direction for keywords
Bug #7318: flow: flow timeout pseudo packet triggers unexpected alert
Bug #7315: template: remove usage of template-rust
Bug #7314: misc/warnings: compile warnings during build
Bug #7309: http: incorrect file direction handling
Bug #7305: sdp: media's encryption key not logged
Bug #7303: detect: memleak in case of errors during initialization
Bug #7302: conf: memleak if yaml parser is initialized before checking if file
exists
Bug #7300: output: oversized records lead to invalid json
Bug #7296: detect: transform base64 creates a 0-sized variable-length array
Bug #7279: dns: protocol detection is not strict enough
Bug #7270: conf: nullptr dereference if mem alloc fails for a node in yaml parser
Bug #7264: detect/flow: ACK with data on 3whs fails to match 'flow:established'
Bug #7256: ja3: Error: ja3: Buffer should not be NULL
Bug #7253: fuzz: CIFuzz is not fuzzing PRs as it is supposed to
Bug #7241: app-layer-protocol: negated matching false positive
Bug #7238: app-layer: protocol flows are miscounted in case of error
Bug #7235: tls: a rule stops working since 7.0.5
Bug #7230: dcerpc: invalid dcerpc header is not rejected
Bug #7228: dns: no data logged, and no events with udp corrupt additional record
Bug #7226: lua: use crate from crates.io instead of github to fix offline builds
Bug #7218: profiling: packet profiling to log file is only active with rule
profiling
Bug #7213: frames: stream frame is not always the first one registered
Bug #7210: docs: inconsistent spelling in documentation for RFB
`security_result` key
Bug #7206: cbindgen: comptability with newer version 0.27
Bug #7200: smtp: crash in ByteExtractString
Bug #7199: detect: missing app-layer metadata in alerts
Bug #7187: detect: dcerpc logging and matching issues
Bug #7181: fuzz: File confyaml.c is missing
Bug #7176: ldap: crash when encountering GAP
Bug #7172: detect/integers: do not bother to free NULL pointer on setup/parse
failure
Bug #7169: lua/output: vendored lua search for modules in /usr/local/ rather
than /usr/
Bug #7158: tcp: 'broken ack' event set on flow timeout
Bug #7135: util/thash: debug assertion for memuse
Bug #7126: decode/base64: Error message on packet path.
Bug #7121: smb/ntlmssp: nonsense smb.ntlmssp.version values
Bug #7115: dpdk: timestamping packets through TSC does not yield the same time
as kernel time
Bug #7113: pgsql: track 'progress' in tx per direction
Bug #7111: protodetect: DNS flow direction is not correct sometimes
Bug #7106: packet: app-layer-events incorrectly used on recycled packets
Bug #7093: sip: wrong slice used for sip_take_line with tcp leads to quadratic
oom
Bug #7059: smtp: split name logged as 2 names
Bug #7053: bypass: cannot bypass udp flow from first packet in second direction
Bug #7049: util/radix-tree: Possible dereference of nullptr in case of
unsuccess allocation of memory for node
Bug #7048: af-packet: failure to start up on many threads plus high load
Bug #7037: pcap/log: MacOS rotates file well before limit is reached
Bug #7034: time: in offline mode, time can stay behind at pcap start
Bug #7028: base64: heap buffer overflow in RFC 2045 and 4648 modes
Bug #7025: websocket: wrong value for opcode ping/pong
Bug #7022: unix-socket: iface-bypassed-stat crash
Bug #7020: unix-socket: hostbit commands don't properly release host
Bug #7013: rust: build with rust 1.78 with slice::from_raw_parts now requiring
the pointer to be non-null
Bug #7000: pgsql: trigger raw stream reassembly
Bug #6994: sip/sdp: logget closes unopened array for empty medias
Bug #6989: tls.random buffers don't work as expected
Bug #6985: base64: coverity dead code warning
Bug #6984: mqtt: do not log non-string messages?
Bug #6983: eve/alert/metadata: no pgsql object encapsulation
Bug #6973: detect: log relevant frames app-layer metdata
Bug #6969: dataset: lookup function is not working with ip type
Bug #6964: base64: consumed bytes are incorrectly set for different modes
Bug #6959: http: improve handling of content encoding: gzip but request_body
not actually compressed
Bug #6957: Assert: BUG_ON(id <= 0 || id > (int)thread_store.threads_size);
Bug #6954: eve: packet field packet_info.linktype is non-portable
Bug #6948: detect/http.response_body: false positive because not enforcing
direction to_client
Bug #6942: decode/ppp: decoder.event.ppp.wrong_type on valid packet
Bug #6940: lua: handle errors in lua rules
Bug #6921: jsonbuilder: serializes Rust f64 NaNs to an invalid literal
Bug #6918: pcre2: compile warning
Bug #6913: reimplement systemd sd_notify w/o linking to libsystemd
Bug #6906: smtp/mime: data command rejected by pipelining server does not
reset data mode
Bug #6904: mime: buffer overflow in GetFullValue() (util-decode-mime.c)
Bug #6903: streaming buffer: heap overflows in
StreamingBufferAppend()/StreamingBufferAppendNoTrack()
Bug #6896: detect/port: upper boundary ports are not correctly handled
Bug #6891: sip: usage of Vec instead of Vecdeque leads to quadratic complexity
on cleanup
Bug #6889: detect: slowdown in rule parsing
Bug #6887: defrag: reassembled packet can have wrong datatype
Bug #6883: rust: clippy 1.77 warning
Bug #6881: detect/port: port grouping does not happen correctly if gap between
a single and range port
Bug #6877: Suricata 8 general protection fault ip:698117 sp:7fd537b08090
Bug #6875: output/alert: assertion failed p->flow != NULL
Bug #6871: dpdk: fix compatibility issues for ice cards
Bug #6864: detect: ipopts keyword false positive
Bug #6861: profiling/rules: crash when profiling ends
Bug #6846: eve/alerts: wrongly using tx id 0 when there is no tx
Bug #6843: detect/port: port ranges are incorrect when a port is single as
well as a part of range
Bug #6839: coverity: warning in port grouping code
Bug #6838: eve/filetypes: move from plugin api to eve api
Bug #6837: netmap: error message Netmap pipes (with lb)
Bug #6835: BUG_ON triggered from TmThreadsInjectFlowById
Bug #6834: iprep: rule with '=,0' can't match
Bug #6811: capture plugins: capture plugins unusable due to initialization order
Bug #6790: dpdk: evaluate the correct handling of DPDK ports on shutdown
Bug #6787: decode/pppoe: Suspicious pointer scaling
Bug #6782: streaming/buffer: crash in HTTP body handling
Bug #6778: detect/tls.certs: direction flag checked against wrong field
Bug #6766: multi-tenancy: dead lock during tenant loading
Bug #6762: hugepages: error for FreeBSD when kernel NUMA build option is not
enabled
Bug #6760: af-packet: hugepages Error for ARM64 and af-packet IPS mode
Bug #6755: netmap: deadlock if netmap_open fails
Bug #6753: detect/cip: missing return-value check for a 'scanf'-like function
Bug #6745: util/mime: Memory leak at util-decode-mime.c:MimeDecInitParser
Bug #6741: dpdk: automatic cache calculation is broken
Bug #6737: dpdk: property configuration can lead to integer overflow
Bug #6733: tcp: tcp flow flags changing incorrectly when ruleset contains
content matching
Bug #6732: eve/stats: parent interface object in stats contains VLAN-ID as keys
Bug #6726: stream: stream.drop-invalid drops valid traffic
Bug #6715: dpdk: NUMA warning on non-NUMA system
Bug #6710: rules: failed rules after a skipped rule are recorded as skipped,
not failed
Bug #6678: datasets: discard datasets that hit the memcap while loading correctly
Bug #6664: eve/smtp: attachment filenames not logged
Bug #6661: detect/content-inspect: FN on negative distance
Bug #6656: detect/requires: assertion failed !(ret == -4)
Bug #6643: http: wrongly assuming http0.9 leads to missed headers
Bug #6634: tls: Invalid ja3 due to double client hello
Bug #6633: stats: flows with a detection-only alproto not accounted in this
protocol
Bug #6619: profiling: runtime much longer to run than it used to
Bug #6618: endace: timestamp fixes
Bug #6617: detect/filestore: flow, to_server was broken by moving files into
transactions
Bug #6615: detect/analyzer: misrepresenting negative distance value
Bug #6592: mqtt: frames on TCP are not set properly when parsing multiple PDUs
in one go
Bug #6585: src: SCTIME_FROM_TIMESPEC() creates incorrect timestamps
Bug #6584: src: SCTIME_ADD_SECS() macro zeros out ts.usec part
Bug #6578: ssh: no alert on packet with Message Code: New Keys (21)
Bug #6574: detect/filestore: memory leak on rule parsing
Bug #6553: eve/alert: payload/payload_printable misrepresent data in case of
overlaps
Bug #6551: Invalid registration of prefiltering in stream size
Bug #6547: http2: http.response_line has leading space
Bug #6527: cppcheck 2.11 errors
Bug #6501: eve/alert: missing TFTP metadata
Bug #6500: eve/alert: missing FTP metadata
Bug #6490: profiling: rule profiling doesn't support absolute paths
Bug #6483: http.request_headers - odd behavior with multiple signtures
Bug #6419: dpdk: Analyze hugepage allocation on startup more thoroughly
Bug #6415: http: various header buffer not populated when malformed header
value exists
Bug #6414: detect-engine/port: recursive DetectPortInsert calls are expensive
Bug #6408: Output plugins receive identifier, but not thread identifier
Bug #6405: eve: ethernet src_mac should match src_ip
Bug #6398: eve/stats: threads object in stats contains memcap_pressure scalars
Bug #6393: detect/filestore: be more explicit about the U16_MAX limit per
signature group head
Bug #6390: detect/filestore: do not store if "both,flow" is triggered after
the file was set to "nostore"
Bug #6389: pgsql: u16 overflow found by oss-fuzz w/ quadfuzz
Bug #6376: detect: huge increase on start up time with a lot of ip-only rules
and bigger HOME_NET
Bug #6347: log-pcap: crash with suricata.yaml setting max-file to 1
Bug #6305: drop: assertion failed
!(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP)
Bug #6304: schema.json : if protocol such as ENIP is detection only, we do not
have _tcp suffix in stats
Bug #6281: dns: structure of query differs between "alert" and "dns" event types
Bug #6280: base64: strict mode should only accept strings that can be reliably
converted back
Bug #6254: bypass: thread "FB" failed to start in time: flags 0003
Bug #6092: eve/alert: missing pgsql metadata
Bug #6080: pgsql/probe: TCP on 5432 traffic incorrectly tagged as PGSQL
Bug #5977: eve/alert: missing KRB5 metadata
Bug #5539: landlock: coverity warnings
Bug #5524: pgsql: parser should not error on parsing error, so as to keep on
parsing the next PDUs
Bug #5491: smtp: response 530 appears to generate an invalid response alert
Bug #5486: eve: ethernet metadata is missing for some protocols or parts of a
protocol
Bug #5279: nom: use of count combinator can use too much memory
Bug #5220: detect/base64_data: fast_pattern shouldn't be allowed
Bug #5185: mime: URL extraction missing
Bug #4921: detect/app-layer-protocol: unexpected results when one direction
state "failed"
Bug #4858: fuzz: Timeout with pcre
Bug #4734: pfring: memory leak
Bug #3910: datasets: for type string the memcap isn't applied to the string data
Bug #3682: detect/bsize: error for impossible matching conditions
Bug #2886: imap: protocol detection is incomplete
Bug #2881: http.protocol parsing inaccuracy : accept spaces in URI
Bug #2224: rules: negated http_* match returns false if buffer not populated
Bug #1457: conf: non-standard units used for file size indication
Optimization #7617: af-packet: set defrag based on passive or inline mode
Optimization #7558: detect: convert rule group dumping to JsonBuilder
Optimization #7358: CI: only run CodeQL python if the PR contains changed
files that are python
Optimization #7304: detect: improve support for multi-protocol keywords
Optimization #7297: src: remove duplicate function declarations
Optimization #7272: af-packet: improve startup time
Optimization #7208: tcp/reassemble: GetBlock takes O(nlgn) in worst case
Optimization #7185: stats: exceptions: use search-friendly log output
Optimization #7178: rfb: rustify keywords and app-layer registration
Optimization #7155: pcap: use larger read size buffer for a performance increase
Optimization #7087: app-layer: track modified transactions
Optimization #7065: base64: move the decoder to rust
Optimization #7044: app-layer: clean up truncate callbacks and logic
Optimization #7018: dns/tcp: allow triggering raw stream reassembly
Optimization #7002: detect: move pseudo packet checks out of keyword Match funcs
Optimization #6938: packet: optimize packet data storage
Optimization #6937: compile: make code clean with -Wunused-macros
Optimization #6878: conf: quadratic complexity in yaml loader
Optimization #6873: byte_extract: convert keyword/option parsing to Rust
Optimization #6855: src: var code cleanups
Optimization #6852: mpm/ac: support endswith
Optimization #6821: smtp: add 535 code
Optimization #6795: detect/port: PortGroupWhitelist fn takes a lot of
processing time
Optimization #6792: detect/port: port grouping is quite slow in worst cases
Optimization #6786: util-rohash.c : make code cleaner to make CodeQL happier
Optimization #6775: detect: do not run tx detection on tcp non established
packets
Optimization #6773: app-layer/template: no limit on txs number
Optimization #6728: detect: prefilter for events (decode, stream, app-layer,
etc...)
Optimization #6718: detect/frames: avoid rescanning in IPS mode
Optimization #6702: streaming-buffer: Explore Rank Balanced trees
Optimization #6575: detect/multi-buffer: use single definition of struct
PrefilterMpmKrb5Name
Optimization #6569: threading: fix condition signalling w/o taking lock first
Optimization #6454: detect: force os to release memory on rule reload
Optimization #6433: packetpool: improve return sync logic
Optimization #6387: mqtt: move parser registration code to the rust side
Optimization #6111: defrag: avoid passing null pointers to functions
Optimization #5699: dcerpc: switch to incomplete api for tcp
Optimization #5672: smb: avoid unbounded hash maps
Optimization #5634: detect: unify ValidateCallback for MD5-like keywords
Optimization #5566: pgsql: add events
Optimization #5517: decode: big clean up (macros and functions)
Optimization #5311: ftp: use unsigned integer for input_len
Optimization #5047: sip: implement pattern based protocol detection
Optimization #4798: af-packet: default to tpacket-v3 in IDS mode
Optimization #3827: output: clean up logging initialization code
Optimization #3449: eve: output calls fflush very often
Optimization #3427: datasets: issue warning/info for data with type string
that are not base64
Optimization #426: threshold: rule based thresholding data structure improvement
Task #7604: lua: turn http into lib
Task #7602: lua: turn dns into lib
Task #7601: lua: turn dnp3 into lib
Task #7492: lua: remove script_api_ver check from needs block
Task #7489: lua: turn flow into lib
Task #7488: lua: turn packet into lib
Task #7456: engine/analysis: report rule state altered by flowbit rule
Task #7426: flowint: add isnotset support
Task #7350: firewall usecase: log app-layer metadata for for catch-all drop rules
Task #7341: rust: use bindgen to generate Rust bindings to C functions
Task #7287: schema: add missing tls fields certificate and chain
Task #7246: libhtp 0.5.49
Task #7227: logging: document and cleanup low level logging registration
Task #7219: rust/crates: update base64
Task #7167: dns: make the version field in a dns object required
Task #7165: napatech: move into bundled plugin
Task #7162: pfring: move into bundled plugin
Task #7154: plugins: add template detection plugin
Task #7152: plugins: add template logger plugin
Task #7151: plugins: add template app-layer plugin
Task #7130: rust: dependency "time" fails to build on Rust nightly
Task #7058: fuzz/base64: check decoded strings for correctness in strict mode
Task #6965: libhtp 0.5.48
Task #6962: yaml: unify 0 stats counter config option terminology
Task #6961: lua: use a rust crate to vendor lua
Task #6935: unittests: convert tests to new FAIL/PASS API - src/app-layer-htp.c
Task #6888: contrib: remove obsolete items from contrib
Task #6818: rust: snmp-parser 0.10.0
Task #6817: rust: kerberos-parser 0.8.0
Task #6769: libhtp 0.5.47
Task #6748: doc: mention X710 RX descriptor limitation
Task #6712: dependencies: completely remove nss
Task #6705: build-info: remove obsolete "rust support" line
Task #6605: flash decompression: update/remove deprecation warnings
Task #6603: pgsql: don't log password msg if password disabled
Task #6586: mpm/ac-bs: remove implementation
Task #6577: pgsql: add cancel request message
Task #6544: logging: deprecate syslog
Task #6543: logging: deprecate http-log
Task #6542: logging: deprecate tls-log
Task #6488: plugins: add example plugins to the suricata source tree
Task #6432: tracking: autofp capture stalls due to packetpool depletion
Task #6427: runmodes: remove reference to auto modes
Task #6360: detect/analyzer: add more details for the icmp_id keyword
Task #6355: detect/analyzer: add more details for the tcp.mss keyword
Task #6354: detect/analyzer: add more details for the tcp ack keyword
Task #6353: detect/analyzer: add more details for the tcp seq keyword
Task #6352: detect/analyzer: add more details for the tcp window keyword
Task #6318: unittests: convert tests to new
FAIL/PASS API - detect-engine-address-ipv4.c
Task #6312: detect/analyzer: add more details for the flow.age keyword
Task #6309: detect/analyzer: add more details for the flowbits keyword
Task #6287: suricatasc: rewrite in rust
Task #6209: libhtp 0.5.46
Task #6107: unittests: convert tests to new FAIL/PASS API - util-memcmp.c
Task #6050: base64: make a fuzz target
Task #5626: doc: document file.data
Task #5588: ips/tap: don't allow mixed tap and ips modes
Task #5053: app-layer: dynamic alproto IDs
Task #4742: build: make the auto-generated config.h not conflict with other
config.h
Task #4698: lib: Example program to bootstrap Suricata (an alternate main()
for Suricata)
Task #4683: detect: remove sigmatch_table in favor of a dynamic storage option
Task #4105: plugins: Create template capture source plugin
Task #4103: plugins: convert an app-layer to use the plugin API (snmp)
Documentation #7540: doc/userguide: fix typo
Documentation #7383: userguide: fix typo
Documentation #7262: doc: remove mentions to suricata-6
Documentation #7260: userguide/config: fix consistency of dashes instead of
underscores
Documentation #7153: devguide: document adding a detection plugin
Documentation #7150: devguide: document adding a logging plugin
Documentation #7149: devguide: document adding a app-layer plugin
Documentation #7031: userguide: document SignatureProperties sigtype
Documentation #6911: manpages: use consistant date based on release and/or git
commits
Documentation #6908: userguide: document how to verify tar.gz signature
Documentation #6781: http: document duplicate headers concatenation handling
Documentation #6725: document pcap file variables
Documentation #6708: userguide/payload: fix explanation about bsize ranges
Documentation #6686: docs: port userguide build instruction changes from
master-6.0.x
Documentation #6685: userguide: explain noalert keyword
Documentation #6629: docs: fix byte_test examples
Documentation #6628: userguide: document generic aspects of integer keywords
Documentation #6599: docs: update eBPF installation instructions
Documentation #6589: docs: fix broken bulleted list style on rtd
Documentation #6570: remove references in docs mentioning prehistoric Suricata
versions
Documentation #6568: devguide: document backports policies and process
Documentation #6552: doc: add tcp timeout fix to upgrade guide
Documentation #6548: http2: http.stat_msg - note about HTTP/2 behavior
Documentation #6445: userguide: explain what flow_id is
Documentation #6076: eve/schema: document quic
Documentation #5651: detect/bsize: format should specify operators
Documentation #5494: userguide: update tls eve-log fields 'not_before' and
'not_after'
Documentation #5393: devguide: move github workflow document from redmine into
devguide
Documentation #5088: detect/file.name: keyword is not documented
Documentation #4359: docs: elaborate documentation for rule profiling
Documentation #3015: userguide: document "tag" keyword
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Aug 2025 15:22:45 +0000 (17:22 +0200)]
bash: Update to patch level 3
- Update from patch level 0 to 3
- Update of rootfile not required
- Changelog
Patch 3
Bash leaves internal quoting in place when expanding array subscripts
that appear inside array subscripts in an arithmetic context, causing
expansion failures.
Patch 2
There are too many differences in the various implementations of shm_open(2)
to rely on it for bash's use.
Patch 1
In posix mode, `wait -n' with pid arguments does not restrict the set of
processes it considers to those arguments.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 29 Jul 2025 14:42:16 +0000 (14:42 +0000)]
network: Add support for bonds
This is a bare-minimum implementation to realise this. It changes the
bridge script because the two of them have quite a bit in common, so we
should avoid further code duplication.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 23 Jul 2025 19:02:31 +0000 (21:02 +0200)]
readline: Update to version 8.3 with patch version 1
- Update from version 8.2 with patch version 13 to 8.3 with patch version 1
- Update of rootfile
- Changelog
8.3
New Features in Readline
a. Output a newline if there is no prompt and readline reads an empty line.
b. The history library falls back to stdio when writing the history list if
mmap fails.
c. New bindable variable `search-ignore-case', causes readline to perform
case-insensitive incremental and non-incremental history searches.
d. rl_full_quoting_desired: new application-settable variable, causes all
completions to be quoted as if they were filenames.
e. rl_macro_display_hook: new application-settable function pointer, used if
the application wants to print macro values itself instead of letting
readline do it
f. rl_reparse_colors: new application-callable function, reparses $LS_COLORS
(presumably after the user changes it)
g. rl_completion_rewrite_hook: new application-settable function pointer,
called to modify the word being completed before comparing it against
pathnames from the file system.
h. execute-named-command: a new bindable command that reads the name of a
readline command from the standard input and executes it. Bound to M-x
in emacs mode by default.
i. Incremental and non-incremental searches now allow ^V/^Q (or, in the former
case, anything bound to quoted-insert) to quote characters in the search
string.
j. Documentation has been significantly updated.
k. New `force-meta-prefix' bindable variable, which forces the use of ESC as
the meta prefix when using "\M-" in key bindings instead of overloading
convert-meta.
l. The default value for `readline-colored-completion-prefix' no longer has a
leading `.'; the original report was based on a misunderstanding.
m. There is a new bindable command, `export-completions', which writes the
possible completions for a word to the standard output in a defined format.
n. Readline can reset its idea of the screen dimensions when executing after
a SIGCONT.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 23 Jul 2025 19:02:30 +0000 (21:02 +0200)]
bash: Update to version 5.3 with patch level 0
- Update from version 5.2 with patch level 37 to 5.3 with patch level 0
- Update rootfile
- remove bash-4.0-paths-1 patch file as this is not included in the current tarball.
- remove all the 5.2 version patches.
- Modify lfs so that the patch version can be added and then use this in the main part
of the lfs to automatically select the correct patches to merge.
- Successful build of bash-5.3 requires readline-8.3 to be installed
- Changelog
5.3
New Features in Bash
a. When checking whether a script file argument is a binary file, check the
first two lines of a script if the first line begins with `#!'.
b. Bash does a better job of preserving user-supplied quotes around a word
completion, instead of requoting it.
c. Bash reports the starting line number in an error message about an
unterminated compound command like `if' without a `fi'.
d. Implement the POSIX requirement that running the `jobs' builtin removes
jobs from the jobs list.
f. Call bash signal handlers while executing programmable completion commands,
instead of readline's.
g. Print an error message if a regular expression used with [[ fails to compile.
h. The `umask' builtin now has additional features for full POSIX conformance.
i. `type -a -P' reports both hashed pathnames and the result of a $PATH search.
j. `trap' has a new -P option that prints the trap action associated with each
signal argument.
k. The `command' builtin preceding a declaration builtin (e.g., `declare')
preserves the special asisgnment statement parsing for the declaration
builtin. This is a new POSIX requirement.
l. `printf' uses the `alternate form' for %q and %Q to force single quoting.
m. `printf' now interprets %ls (%S) and %lc (%C) as referring to wide strings
and characters, respectively, when in a multibyte locale.
n. The shell can be compiled with a different default value for the
patsub_replacement option.
o. Check for window size changes during trap commands, `bind -x' commands,
and programmable completion.
p. Treat a NULL value for $PATH as equivalent to ".".
p. New loadable builtins: kv, strptime
q. GLOBSORT: new variable to specify how to sort the results of pathname
expansion (name, size, blocks, mtime, atime, ctime, numeric, none) in
ascending or descending order.
r. `compgen' has a new option: -V varname. If supplied, it stores the generated
completions into VARNAME instead of printing them on stdout.
s. New form of command substitution: ${ command; } or ${|command;} to capture
the output of COMMAND without forking a child process and using pipes.
t. array_expand_once: new shopt option, replaces assoc_expand_once
u. complete/compopt new option: fullquote; sets rl_full_quoting_desired so all
possible completions are quoted as if they were filenames.
v. Command timing now allows precisions up to 6 digits instead of 3 in
$TIMEFORMAT.
w. BASH_MONOSECONDS: new dynamic variable that returns the value of the
system's monotonic clock, if one is available.
x. BASH_TRAPSIG: new variable, set to the numeric signal number of the trap
being executed while it's running.
y. The checkwinsize option can be used in subshell commands started from
interactive shells.
z. In posix mode, the test command < and > binary primaries compare strings
using the current locale.
aa. bind -x allows new key binding syntax: separate the key sequence and the
command string with whitespace, but require the command string to be
double-quoted if this is used. This allows different quoting options for
the command string.
bb. Print commands bound to key sequences using `bind -x' with the new key
binding syntax it allows.
cc. `read' has a new `-E' option to use readline but with the default bash
completion (including programmable completion).
dd. New bindable readline command name: `bash-vi-complete'.
ee. New test builtin behavior when parsing a parenthesized subexpression and
test was given more than 4 arguments: scan forward for a closing paren and
call posixtest() if there are 4 or fewer arguments between the parentheses.
Added for compatibility with coreutils test, dependent on the shell
compatibility level. Such expressions remain ambiguous.
ff. MULTIPLE_COPROCS is now enabled by default.
gg. The `bind' builtin interprets additional non-option arguments after -p or
-P as bindable command names and restricts output to the bindings for
those names.
hh. Bash now uses the login shell for $BASH if the shell is named `su' or `-su'.
ii. Bash now prints job notifications if an interactive shell is running a trap,
even though the shell is not interactive at that moment.
jj. Programmable completion allows a new compspec loaded after a completion
function returns 124 to be used in more cases.
kk. ./source has a new -p PATH option, which makes it use the PATH argument
instead of $PATH to look for the file.
ll. Documentation has been significantly updated.
mm. `wait -n' can now return terminated process substitutions, jobs about
which the user has already been notified (like `wait' without options),
nn. `wait -n' removes jobs from the jobs table or list of terminated children
when in posix mode.
oo. Changed the `wait' builtin behavior regarding process substitutions to
match the documentation.
pp. There is a new `bash_source_fullpath' shopt option, which makes bash put
full pathnames into BASH_SOURCE, and a way to set a default value for it
at configure time.
qq. Posix mode now forces job notifications to occur when the new edition of
POSIX specifies (since it now specifies them).
rr. Interactive shells don't print job notifications while sourcing scripts.
ss. The parser prints more information about the command it's trying to parse
when it encounters EOF before completing the command.
tt. Posix mode no longer requires function names to be valid shell identifiers.
uu. If `exit' is run in a trap and not supplied an exit status argument, it
uses the value of $? from before the trap only if it's run at the trap's
`top level' and would cause the trap to end (that is, not in a subshell).
This is from Posix interp 1602.
vv. There is a new `fltexpr' loadable builtin to perform floating-point
arithmetic similarly to `let'.
ww. The `install-strip' and `strip' Makefile targets now deal with cross-
compiling.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.65
"Changes with Apache 2.4.65
*) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr'
always evaluates to true in 2.4.64 (cve.mitre.org)
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond
expr ..." tests evaluating as "true".
Users are recommended to upgrade to version 2.4.65, which fixes
the issue."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 23 Jul 2025 10:08:03 +0000 (12:08 +0200)]
samba: Update to version 4.22.3
- Update from version 4.22.2 to 4.22.3
- Update of rootfiles for all architectures
- Changelog
4.22.3
Important Change in Upcoming Microsoft Update
On 8th of July, Microsoft will release an important security update for
Active Directory Domain Controllers for Windows Server versions prior to
2025.
This update includes a change to the Microsoft RPC Netlogon protocol,
which improves security by tightening access checks for a set of RPC
requests. Samba running as domain members in these environments will be
impacted by this change if a specific configuration is used, see below
for which configuration is affected.
Windows Server version 2025 is already equipped with these specific
security hardenings, and Microsoft is now planning to deploy them to all
supported Windows Server versions down to Windows Server 2008.
Who is affected?
Samba installations acting as member servers in Windows AD domains will
be affected if they are configured to use the 'ad' idmapping backend.
Samba servers not using this configuration will not be affected by the
change – at least to our current knowledge and understanding of the
change – and no further action is required.
Current versions of Samba with the affected configuration will no longer
function correctly once the Microsoft update has been applied. Users
will not be able to connect to the SMB service provided by Samba for any
domain configured to use the 'ad' idmapping backend.
See https://bugzilla.samba.org/show_bug.cgi?id=15876.
* BUG 15854: samba-tool cannot add user to group whose name is exactly 16
characters long.
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
* BUG 15869: Startup messages of rpc deamons fills /var/log/messages.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:59 +0000 (23:25 +0200)]
gnutls: Update to version 3.8.10
- Update from version 3.8.9 to 3.8.10
- Update of rootfile
- 4 CVE fixes in this version
- Changelog
3.8.10
** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
[CVE-2025-6395]
** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
Spotted by oss-fuzz and reported by OpenAI Security Research Team,
and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
CVSS: medium] [CVE-2025-32989]
** libgnutls: Fix double-free upon error when exporting otherName in SAN
Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
CVSS: low] [CVE-2025-32988]
** certtool: Fix 1-byte write buffer overrun when parsing template
Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
CVSS: low] [CVE-2025-32990]
** libgnutls: PKCS#11 modules can now be used to override the default
cryptographic backend. Use the [provider] section in the system-wide config
to specify path and pin to the module (see system-wide config Documentation).
** libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update
support. The library running on the aforementioned version now utilizes the
kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted
TLS session. The --enable-ktls configure option as well as the system-wide
kTLS configuration(see GnuTLS Documentation) are still required to enable
this feature.
** libgnutls: liboqs support for PQC has been removed
For maintenance purposes, support for post-quantum cryptography
(PQC) is now only provided through leancrypto. The experimental key
exchange algorithm, X25519Kyber768Draft00, which is based on the
round 3 candidate of Kyber and only supported through liboqs has
also been removed altogether.
** libgnutls: TLS certificate compression methods can now be set with
cert-compression-alg configuration option in the gnutls priority file.
** libgnutls: All variants of ML-DSA private key formats are supported
While the previous implementation of ML-DSA was based on
draft-ietf-lamps-dilithium-certificates-04, this updates it to
draft-ietf-lamps-dilithium-certificates-12 with support for all 3
variants of private key formats: "seed", "expandedKey", and "both".
** libgnutls: ML-DSA signatures can now be used in TLS
The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and
ML-DSA-87, can now be used to digitally sign TLS handshake
messages.
** API and ABI modifications:
GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:58 +0000 (23:25 +0200)]
git: Update to version 2.50.1
- Update from version 2.50.0 to 2.50.1
- Update of rootfile not required
- Changelog
2.50.1
This release merges up the fixes that appear in v2.43.7, v2.44.4,
v2.45.4, v2.46.4, v2.47.3, v2.48.2, and v2.49.1 to address the
following CVEs: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
CVE-2025-48386. See the release notes for v2.43.7 for details.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:26:01 +0000 (23:26 +0200)]
tshark: Update to version 4.4.8
- Update from version 4.4.7 to 4.4.8
- Update of rootfile
- Changelog
4.4.8
Bug Fixes
Renegotiated DTLS session is not being decrypted. Issue 20362.
Wireshark is completely stuck in initialization because androiddump recv()
is blocked. Issue 20526.
Fuzz job UTF-8 encoding issue: fuzz-2025-06-20-7318.pcap. Issue 20585.
Crash when showing packet in new window after reloading Lua plugins with a
certain gui.column.format preference. Issue 20588.
Bug in UDS dissector with Service ReadDataByPeriodicIdentifier Response.
Issue 20589.
Packet diagram doesn’t show non-standard field value representations.
Issue 20590.
Packet diagram shows representation twice when field type is FT_NONE.
Issue 20601.
application/x-www-form-urlencoded key parsed incorrectly following a
name-value byte sequence with no '=' Issue 20615.
DNP3 time stamp was unable to work after epoch time(year 2038) Issue 20618.
Updated Protocol Support
ASTERIX, DLT, DNP 3.0, DOF, DTLS, ETSI CAT, Gryphon, IPsec, ISObus VT,
KRB5, MBIM, RTCP, SLL, STCSIG, TETRA, UDS, and URL Encoded Form Data
New and Updated Capture File Support
pcapng
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:26:00 +0000 (23:26 +0200)]
strongswan: Update to version 6.0.2
- Update from version 6.0.1 to 6.0.2
- Update of rootfile
- Changelog
6.0.2
- Support for per-CPU SAs (RFC 9611) has been added (Linux 6.13+).
- Basic support for AGGFRAG mode (RFC 9347) has been added (Linux 6.14+).
- POSIX regular expressions can be used to match remote identities.
- Switching configs based on EAP-Identities is supported. Setting
`remote.eap_id` now always initiates an EAP-Identity exchange.
- On Linux, sequence numbers from acquires are used when installing SAs. This
allows handling narrowing properly.
- During rekeying, the narrowed traffic selectors are now proposed instead of
the configured ones.
- The default AH/ESP proposals contain all supported key exchange methods plus
`none` to make PFS optional and accept proposals of older peers.
- GRO for ESP in enabled for NAT-T UDP sockets, which can improve performance
if the esp4|6_offload modules are loaded.
- charon-nm sets the VPN connection as persistent, preventing NetworkManager
from tearing down the connection if the network connectivity changes.
- ML-KEM is supported via OpenSSL 3.5+.
- The wolfssl plugin is now compatible to wolfSSL's FIPS module.
- The libsoup plugin has been migrated to libsoup 3, libsoup 2 is not supported
anymore.
- The long defunct uci plugin has been removed.
- Log messages by watcher_t are now logged in a separate log group (`wch`).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:57 +0000 (23:25 +0200)]
gettext: Update to version 0.26
- Update from version 0.25 to 0.26
- Update of rootfile
- Changelog
0.26
Programming languages support:
* JavaScript:
- xgettext now parses regular expressions with character classes
correctly.
* C, C++, Python, JavaScript, EmacsLisp, librep, Go, Ruby, awk, D, Tcl,
Perl, PHP:
- xgettext's heuristic recognition of format strings has been improved:
strings like "100% complete" (with a space flag in a format directive)
are no longer flagged as format strings by default, unless they occur
in a context that requires a format string. You can override this
heuristic by using a comment of the form /* xgettext: c-format */.
* Shell:
- The documentation now mentions two other approaches for
internationalizing messages with parameters in shell scripts.
- xgettext now recognizes format strings in the 'printf' command syntax.
They are marked as 'sh-printf-format' in POT and PO files.
- Two new programs 'printf_gettext' and 'printf_ngettext' are provided,
that do formatted output with a localized format string in a more
efficient way (without spawning a subshell).
- xgettext now recognizes the \c, \u, and \U escape sequences in dollar-
single-quoted strings $'...'.
Improvements for maintainers:
* xgettext:
- When extracting a message with plural that is some format string,
xgettext now verifies that the msgid and msgid_plural are compatible
as format strings. For most format string types, this still allows
omitting from msgid a placeholder that is used in msgid_plural. But
when a placeholder is used in both msgid and msgid_plural, its type
must be the same in both.
- xgettext now suggests a refactoring when a translatable string
contains an URL or email address.
Improvements for translators:
* msggrep:
- msggrep accepts two new options -W/--workflow-flags and -S/--sticky-flags
that allow to select only messages that have a specified flag.
Bug fixes:
- The AM_GNU_GETTEXT macro now rejects the dysfunctional gettext() function
in libc of Solaris 11.[0-3], Solaris OpenIndiana, and Solaris OmniOS.
- The AM_GNU_GETTEXT macro now recognizes, on MSVC, the GNU libintl built
as a shared library.
0.25.1
Bug fixes:
- autopoint no longer fails if configure.ac contains no
AM_GNU_GETTEXT_VERSION or AM_GNU_GETTEXT_REQUIRE_VERSION invocation.
- nls.m4 is installed again under $PREFIX/share/aclocal/.
Portability:
- Building on native Windows with MSVC and --enable-shared is now supported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:56 +0000 (23:25 +0200)]
e2fsprogs: Update to version 1.47.3
- Update from version 1.47.2 to 1.47.3
- Update of rootfile not required
- Changelog
1.47.3
UI and Features
Mke2fs -d can now copy the fs-verity metadata and chattr flags into
newly created file system.
Add fuse2fs's support for the XATTR_CREATE and XATTR_REPLACE flags in
setxattr.
Add support for FALLOC_FL_ZERO_RANGE in fuse2fs.
Add support to fuse2fs for the setting file attributes via fsxattr,
including support for nanosecond timestamps.
Add support to fuse2fs to set newer chattr flags.
Add a lockfile command-line option to fuse2fs which is useful for
scripts that need to know when fuse2fs is done modifying the file system
after it is unmounted.
Add mke2fs.conf knobs to control whether the RAID stripe or stride sizes
from the storage device information depending on whether the storage
device is a rotational or non-rotational device. By default don't set
the RAID stripe size for non-rotational devices.
E2scrub no longer runs fstrim by default, since util-linux ships with a
fstrim.timer systemd file which will run fstrim on all mounted file
systems. This can be re-enabled in /etc/e2scrub.conf if for some reason
it is desireable to run the fstrim out of e2scrub.
Fixes
Fix "e2fsck -E unshare_blocks" to clear the shared_blocks flag when
there are no shared blocks to clear
Fix "e2fsck -n" to not abort when it trips across an EA inode which
is not referenced by any inodes in the file system.
Fix debugfs's dump and rdump commands to avoid looping forever when
it runs across an I/O error or corupt filesystem metadata.
Fix debugfs's dirsearch command on big-endian systems.
Fix many fuse2fs bugs found by running fstests, including fixing
support for O_APPEND, O_TRUNC, POSIX ACLs, and the immutable flag. Also
fix fuse2fs to correctly remove ea_inodes if the last reference to an
ea_inode is removed when an inode is removed, and to update timestmps
correctly after the mkdir(2) and symlink(2) operations.
Fix fuse2fs's error code handling for fallocate(), truncate() and
removexattr().
Fix an integer overflow bug which resulted in fuse2fs failing to delete
very large files. (Addresses Debian Bug: #1106241)
Fix a (hard to reproduce) extent tree corruption bug which could be
triggered by resize2fs or fuse2fs if the extent tree was especially
complex
Improve fuse2fs's handling of corrupted file systems.
Fuse2fs doesn't support renameat2()'s RENAME_EXCHANGE or RENAME_WHITEOUT
flags, so return ENOSYS instead of incorrectly handling the renameat2()
request.
Fuse2fs will avoid clearning the setgid bit in op_chmod if the file's
group ownership is one of the calling process's group list (instead of
just the primary group id).
Change fuse2fs to align with kernel's behaviors by (a) clearing
post-EOF on truncation, (b) validating FITRIM's parameters consistently
with how the kernel does things, (c) how the "ro" mount option will
replay the journal, (d) only supporting the xattr namespaces supported
by the kernel, (e) clamping timestamps to the minimum and maximum value
supported by the on-disk format, and (e) optionally delegating access
control decisions to the kernel.
Prevent fuse2fs from mounting file systems which have features that
fuse2fs can't deal with.
Fix error path handling in fuse2fs when servicing an op_create request.
Fix spurious warnings from fuse2fs while servicing an op_fallocate request.
Fix fuse2fs to correctly translate system errors from libext2fs to the
negative error codes expected by the FUSE kernel driver. There aren't
many; but in some cases, when the file system is corrupted, libext2fs
will return EOVERFLOW and we sent a nonsense error to the kernel.
Optimize ext2fs_extent_set_bmap() to avoid fragmenting the extent tree.
This fixes a problem where resize2fs is trying to relocate all of the
blocks in a file leading to the extent tree doubling in size, and
potentially leading to a corrupted extent tree.
Fix a bounding error in ext2fs_fallocate() which could cause it to
allocate far more blocks than was requested. This caused a failure in
fuse2fs while formatting a loopback file system stored in a large sparse
file.
Fix potential livelock bug in the unix_io manager.
Fix invaidation support in the unix_io manager.
Various man page cleanups.
Performance, Internal Implementation, Development Support etc.
Improve performance in e2fsck when replaying a journal with a large
number of revoke blocks (which can be the case on Lustre servers).
Improve tune2fs's performance by avoiding scanning the file system to
update quota inodes in cases when it's not necessary.
Improve fuse2fs's performance by returning inode and type information in
readdir() and to use the actal inode numbers instead of asking fuse
to make up inode numbers.
Fix various Coverity and compiler warnings.
Add two new flags for ext2fs_link(). The EXT2FS_LINK_APPEND flag
causes ext2fs_link() to only search the last block in the directory,
which imrpoves the scalability of creating a large number of files in a
directory. The EXT2FS_LINK_EXPAND() causes ext2fs_link() to
automatically expand the directory if there is no free space found to
create the requested directory entry.
Add a new function, ext2fs_mkdir2() which allows the flags parameter
to be passed to ext2fs_link(), allows the chattr flags to be set in the
newly created directory, and return the inode number for the newly
created directory.
Add new functions ext2fs_log2_u{32,64}() and ext2fs_log10_u{32,64}() so
we don't have multiple copies of these functions in various e2fsprogs
programs.
Improve debugging and logging in fuse2fs.
General code cleaups in fuse2fs.
Improve fuse2fs's performance by allowing a larger cache in unix_io and
using O_DIRECT to read and write the block device.
Fixed Windows portability problems intrduced in 1.47.2.
Fix various FreeBSD compile warnings and test issues.
Fix MacOS build issues when compiling with libarchive and FUSE support.
To avoid warning messages on newer versions of GNU grep, use "grep -E"
instead of "egrep" when possible.
Fix test failure for m_rootdir_acl when the build tree is hosted on
btrfs. (This was caused by btrfs returning extended attributes relating
to Posix ACL's in a different order than ext4 or xfs.)
Fixed potention races in the Makefiles which could show up when using
"make -j install".
Fixed build failures when libarchive is not available.
Fixed various Debian packaging issues. (Addresses Debian Bugs:
#1106799, #1107595)
Update Czech, Chinese, Dutch, French, Malay, Portuguese, Polish,
Romainian, Serbian, Spanish, Swedish, and Ukrainian translations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:55 +0000 (23:25 +0200)]
curl: Update to version 8.15.0
- Update from version 8.14.1 to 8.15.0
- Update of rootfile not required
- Changelog
8.15.0
changes:
o TLS: remove support for Secure Transport and BearSSL [19]
bugfixes:
o altsvc: accept 'clear' without semicolon as well [190]
o asyn-ares: remove redundant NULL check [152]
o asyn-thrdd: free the previous name before strdup'ing the new [84]
o autotools: detect and link `brotlicommon` library for brotli [130]
o autotools: drop `$top_builddir/src` from src header path [23]
o autotools: drop headers from src mk-unity rules (fixup) [136]
o autotools: drop no longer necessary `--srcdir` unity options [66]
o autotools: drop redundant `Makefile.inc` from `EXTRA_DIST` in src [127]
o autotools: simplify configuration in tests, examples [47]
o bufq: change read/write signatures [120]
o bufq: remove the unused Curl_bufq_unwrite function [143]
o build: assume `sys/socket.h`, `sys/time.h` on non-Windows (as in
`curl/curl.h`) [21]
o build: drop `HAVE_SYS_SOCKET_H` and `HAVE_SYS_TIME_H` macros [69]
o build: drop explicit curlx from hdr paths, refer headers with `curlx/`
prefix [150]
o build: drop unused variables in tests
o build: fix libcurltool with cmake and tunits, related tidy-ups [138]
o build: split `.c` and `.h` file lists in tests [128]
o build: stop checking for `sys/stat.h` [146]
o build: stubgss tidy-ups (in tests) [137]
o build: sync build scripts between client/libtest [49]
o build: tidy up `Makefile.inc` use in lib and src [116]
o build: tidy up header paths, use srcdir where possible [42]
o cf-socket: make socket data_pending a nop [175]
o checksrc-all: rewrite in Perl, remove `checksrc.bat` [217]
o checksrc: reduce exceptions, apply again to curlx [114]
o cmake/FindGSS: fix processing C header path options [160]
o cmake/FindGSS: initialize result variables [159]
o cmake: `curl_add_clang_tidy_test_target` tidy-ups [185]
o cmake: build `stubgss` library for libtests to match autotools [34]
o cmake: check USE_WINDOWS_SSPI when adding secur32 to CURL_LIBS [144]
o cmake: configure c-ares header directory in project root (was: lib) [106]
o cmake: document OpenSSL and ngtcp2 crypto lib custom variables [29]
o cmake: drop never propagated C macros [22]
o cmake: drop passing redundant `CURL_STATICLIB` in examples and clients [52]
o cmake: drop redundant macro from test clients [51]
o cmake: drop reference to future variable
o cmake: enable soversion by default for OpenHarmony OS [131]
o cmake: fix `curl_add_clang_tidy_test_target` when no `-D` option [155]
o cmake: fix generator expression in docs/examples [109]
o cmake: gather options recursively in `curl_add_clang_tidy_test_target` [156]
o cmake: make docs depend on support files [80]
o cmake: move `OUTPUT` argument in the `add_custom_command()` line [50]
o cmake: omit clang-tidy on internal libs curlu and curltool [64]
o cmake: replace `cmakelint` with `cmake-lint` from `cmakelang`, fix issues [20]
o cmake: replace the way clang-tidy verifies tests, fix issues found [101]
o cmake: simplify handling generated `lib1521.c` in libtests [24]
o cmake: sync `target_link_libraries()` order in tests more [44]
o cmake: sync tests scripts by using the variable `BUNDLE` [46]
o cmake: sync tests scripts with each other and autotools (more) [100]
o cmake: use `target_link_options()` when available [43]
o config-win32: fix default targets, shorten macro logic [227]
o configure: order LDAP after the SSL libraries
o connect: drop unused struct member [209]
o connection: clarify `transport` [197]
o connection: eliminate member `remote_addr` [10]
o curl-config: fix whitespace in usage text [122]
o curl.h: make CURL_IPRESOLVE_* symbols defined as longs [206]
o curl.h: make CURLSSLOPT_* symbols defined as longs [3]
o curl.h: remove the "RESERVED" error codes [2]
o curl: implement non-blocking STDIN read on Windows [28]
o curl: improve non-blocking STDIN performance [129]
o curl: remove the global argument from many functions [218]
o curl: unify pointer names to global config [219]
o curl_get_line: make sure lines end with newline [110]
o curl_memory.h: fix to undefine `accept4` [180]
o curl_path: make SFTP handle a path like /~ properly. [11]
o curlinfo: provide the 'digest' feature [168]
o CURLSHOPT_SHARE.md: mention multi-threading requires callbacks [161]
o DEPRECATE.md: add VS2005 removal to the list [214]
o digest: fix build with disabled digest auth [72]
o DISTROS: update NixOS link
o docs,tests: fix english grammar "allow to" -> "allow <something> to" [158]
o docs/CONTRIBUTE: fix broken link [173]
o docs/examples: add ftp-delete.c [5]
o docs: beef up examples/websocket.c [189]
o docs: fix broken link in CODE_REVIEW.md [67]
o docs: fix broken link in INSTALL.md [68]
o docs: fix docs for CURLOPT_PREQUOTE after #17616 [70]
o docs: fix documentation of connect_only 2 [78]
o docs: fix two typos [163]
o docs: mention that the netrc file works without port numbers [112]
o docs: mention the as-is concept generically [225]
o docs: note SSLS-EXPORT feature in -ssl-sessions doc [199]
o docs: reflect that delimiter-separated capath is only OpenSSL [135]
o docs: sync -tls-earlydata support w/ CURLOPT_SSL_OPTIONS [198]
o docs: warn about lifetime in CURLOPT_CLOSESOCKET* [54]
o easy: fix comment-documentation [36]
o easygetopt: fix curl logo in header comment [167]
o firefox-db2pem: avoid use of eval in script [103]
o ftp: fix prequotes for a directory in URL [83]
o ftplistparser: split parse_unix into sub functions [77]
o h2_serverpush: fix file handle leaks reported by clang-tidy [105]
o h3: fix query of concurrent streams [220]
o http/3: report handshake with version and cipher as for TCP connections [212]
o http2: do not delay RST send on aborted transfer [57]
o http2: fix var types in is_alive() implementations [222]
o http: explicitly ignore parsing errors for Retry-After [98]
o http: fix build with cookies and HSTS disabled [124]
o http_ntlm: protect against null deref [95]
o http_ntlm: remove unreachable code [88]
o INSTALL.md: cygwin details and add source code link [4]
o ldap: avoid automake caching issues with LDAP library names
o ldap: if ldap-lib is sufficient, add it to LIBS.
o ldap: initial support for --with-ldap option
o lib2082: drop `typedef struct` [118]
o lib: address singleuse issues [132]
o lib: avoid reusing unclean connection [73]
o lib: drop two interim macros in favor of native libcurl API calls [172]
o lib: fix unused parameter/function compiler warnings [186]
o lib: make `CURLX_SET_BINMODE()` and use it [39]
o lib: make `curlx_wait_ms()` and use it [40]
o lib: replace scache no-op macros with `#ifdef` [117]
o lib: stop `time()` debug overrides at the end of source in altsvc, hsts [211]
o lib: unify recv/send function signatures [92]
o libcurl-env.md: drop LOGNAME, USER and NTLMUSER [99]
o libcurl.m4: fix indentation [194]
o libssh2: remove use of 'initialised' for cleanup [208]
o libssh: de-complex myssh_statemach_act() [18]
o libssh: fix readdir issues [191]
o libtests: make test 1503,1504,1505 use the 1502 binary [90]
o libtests: more header tidy-ups [224]
o libtests: stop building the sames source multiple times [89]
o memdebug.h: #undef `fclose` before defining it
o memdebug.h: eliminate global macro `CURL_MT_LOGFNAME_BUFSIZE` [178]
o memdebug: include in unity batch [63]
o memory: stop overriding unused `wcsdup()`/`_wcsdup()` system functions [204]
o memory: tidy up `_tcsdup()` override [202]
o misc: fix typos [207]
o mk-lib1521: replace `printf` with `curl_mprintf` [141]
o multi: add dirty bitset [115]
o multi: do no expire a blocked transfer [56]
o multi: fix polling with pending input [60]
o multi: remove careful bounds check as coverity says it is not needed [174]
o multi: xfer table/bitset, handle limits [142]
o ngtcp2: fix coverity warning about result handling [166]
o openssl: enable readahead [91]
o openssl: error on SSL_ERROR_SYSCALL [94]
o openssl: fix handling of buffered data [82]
o openssl: fix openssl engine use [74]
o openssl: fix pkcs11 provider available check [154]
o os400: upgrade ILE/RPG bindings with latest definitions. [184]
o pingpong: on disconnect, check for unflushed pingpong state [12]
o projects/build-openssl.bat: remove [223]
o pytest test_07_70, weaken early data check [96]
o pytest: adapt for runs with openssl-1.1.1
o pytest: disable test_07_37 and test_07_36 with openssl's quic [1]
o quic: implement CURLINFO_TLS_SSL_PTR [176]
o RELEASE-PROCEDURE.md: update docs/VERSIONS [7]
o runtests.pl: fix sprintf() using one too many %s [134]
o runtests: fix `LD_PRELOAD` detection for cmake-built curl binaries [123]
o runtests: support memory-limits per test [193]
o rustls: apply memory function overrides, fixing an ECH buffer free [181]
o rustls: don't try printing the not provided file [104]
o schannel: allow partial chains for manual peer verification [79]
o schannel: drop Windows 2000 compatibility logic [26]
o scorecard: flame graphs and documentation [165]
o SCP/SFTP: avoid busy loop after EAGAIN [8]
o scripts: fix to quote the copyright email address [210]
o socks: fix query when filter context is null [221]
o system.h: remove some macros [6]
o test1117: reduce write delays [9]
o test1175: fix to run, and fix documentation issues detected [216]
o test1222: fix for out-of-tree and no-libcurl-manual builds [215]
o test1499, 1599: use `%LOGDIR` [226]
o test1499: verify two chunked responses on reused connection [145]
o test1596: let test pass after year 2036 [35]
o test1706: pass include directory to `managen` for out-of-tree builds [187]
o tests/client: drop autotools logic no longer necessary [45]
o tests/client: use `curl_mfprintf()` [48]
o tests/dnsd: read config from file [85]
o tests/http/clients: drop hack and use `curl_setup.h` again [58]
o tests/http/clients: move to tests/client [53]
o tests/http/requirements: remove multipart [183]
o tests/libtest: call `curlx_now_init()` for unit 1399, 2600 (Windows) [76]
o tests/libtest: drop `TEST_HANG_TIMEOUT` redefinition hack [108]
o tests/libtest: drop a checksrc exception [119]
o tests/libtest: use `curltime` from curlx [71]
o tests/server/util.c: include netinet/in6.h [113]
o tests/server: de-dupe/merge three `sockdaemon()` clones into one [149]
o tests/server: drop `memdebug.h` [111]
o tests/server: make all global vars/funcs static [41]
o tests/server: move memory init to `memptr.c` [140]
o tests/servers.pm: add more ways to figure out current user [17]
o tests: always make bundles, adapt build and tests [81]
o tests: bundle http clients, de-dupe, enable for MSVC [61]
o tests: constify, make consts static [139]
o tests: drop `BUNDLE_SRC` variable [59]
o tests: drop mk-bundle exceptions [25]
o tests: drop unused or redundant includes [153]
o tests: drop useless "nodist_SOURCES" assignments [93]
o tests: fail torture if !valgrind&threaded resolver [31]
o tests: fix 1301, 1308 to fail on error [177]
o tests: fix `BUNDLE` variable references in `Makefile.am` [125]
o tests: make all names < 75 characters long [182]
o tests: make individual test sources compile cleanly [107]
o tests: make sshserver less verbose [55]
o tests: move `curlcheck.h` to libtest as `unitcheck.h` [171]
o tests: move GSS-API dynamic stub into debug-mode libcurl [169]
o tests: torture: don't duplicate valgrind command [32]
o tests: use %b64[] to base64 data [151]
o tests: use %b64[] to base64 data in 2056, 2057 [126]
o tftpd: use `CURLMIN()` macro [38]
o tidy-up: replace `<memdebug.h>` with `"memdebug.h"` (src, units) [147]
o tls: remove Curl_ssl false_start [86]
o tool1621: drop unused internal libcurl headers [157]
o tool_getparam: fix --ftp-pasv [15]
o tool_operate: fix return code when --retry is used but not triggered [13]
o tool_paramhelp: fix language in comments [196]
o top-complexity: lower max allowed complexity threshold to 90 [33]
o unit tests: extract "private" prototypes at build time [170]
o unit1302: expand the base64 encode/decode tests [148]
o url: fix connection lifetime checks [14]
o url: fix NULL deref with bad password when no user is provided [87]
o urlapi: simplify and split into sub functions [16]
o urlapi: use uppercase hex encoding [133]
o vauth: move auth structs to conn meta data [30]
o vtls: change send/recv signatures of tls backends [65]
o vtls: fix a copy-pasted early data comment typo [200]
o vtls: log rustls negotiated KEX group name [201]
o vtls: prefer ciphersuite to cipher in msgs [203]
o vtls: prefer rustls-ffi ciphersuite name API [205]
o VULN-DISCLOSURE-POLICY.md: fix typos [164]
o VULN-DISCLOSURE-POLICY: all reports should be disclosed [102]
o VULN-DISCLOSURE-POLICY: exclude not installed software [121]
o VULN-DISCLOSURE-POLICY: minor language polish [162]
o warnless: drop parts of the `read`/`write` preprocessor hack (Windows) [37]
o warnless: replace `read()`/`write()` wrapper functions with macros
(Windows) [75]
o windows: drop redundant `curl_wcsdup_callback` callback [188]
o windows: fixup `fopen()` in `CURLDEBUG` builds [62]
o windows: reduce/stop loading DLLs at runtime [27]
o wolfssl: add support for ML_KEM hybrids [195]
o ws: drop redundant `CURL_EXTERN` from function definitions [179]
o xfer: manage pause bits [97]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:49 +0000 (23:25 +0200)]
automake: Update to version 1.18.1
- Update from version 1.18 to 1.18.1
- Update of rootfile not required
- Changelog
1.18.1
* Bugs fixed
- Undo change to mdate-sh; once again, it does not look at
SOURCE_DATE_EPOCH. This change was a misunderstanding that causes
problems, not fixes, for reproducible builds.
(https://lists.gnu.org/archive/html/automake/2025-06/msg00021.html)
- Improve debuggability of installcheck failures. (bug#78850)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 14:34:52 +0000 (16:34 +0200)]
ruleset-sources: Remove the abuse.ch SSL list from the suricata sources
- The abuse.ch ssl suricata list has stopped being updated since 2025-06-25
- Looking at all of the abuse.ch lists, none of them are being updated anymore so abuse.ch
becoming part of spamhaus looks to have stopped all work on free versions of the lists
- This change modifies the abuse.ch entry so that it no longer can be installed but also
if already installed it will remove it.
- The patch has also made a few minor typo corrections in comments.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.20.11/doc/arm/html/notes.html#notes-for-bind-9-20-11
"Notes for BIND 9.20.11
Security Fixes
Fix a possible assertion failure when stale-answer-client-timeout is
set to 0.
In specific circumstances the named resolver process could exit with an
assertion failure when stale answers were enabled and the
stale-answer-client-timeout configuration option was set to 0. This has
been fixed. (CVE-2025-40777) [GL #5372]
New Features
Add support for the CO flag to dig.
Add support for Compact Denial of Existence to dig. This includes
showing the CO (Compact Answers OK) flag when displaying messages and
adding an option to set the CO flag when making queries (dig +coflag).
[GL #5319]
Bug Fixes
Correct the default interface-interval from 60s to 60m.
When the interface-interval parser was changed from a uint32 parser to
a duration parser, the default value stayed at plain number 60 which
now means 60 seconds instead of 60 minutes. The documentation also
incorrectly states that the value is in minutes. That has been fixed.
[GL #5246]
Fix a purge-keys bug when using multiple views of a zone.
Previously, when a DNSSEC key was purged by one zone view, other zone
views would return an error about missing key files. This has been
fixed. [GL #5315]
Use IPv6 queries in delv +ns.
delv +ns invokes the same code to perform name resolution as named, but
it neglected to set up an IPv6 dispatch object first. Consequently, it
was behaving more like named -4. It now sets up dispatch objects for
both address families, and performs resolver queries to both IPv4 and
IPv6 addresses, except when one of the address families has been
suppressed by using delv -4 or delv -6. [GL #5352]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 17 Jul 2025 17:52:03 +0000 (19:52 +0200)]
zabbix_agentd: Add LocationDB functionality
Adds new IPFire specific monitoring capabilities to Zabbix Agent:
- ipfire.locationdb.lookup[<ip>,<ip>,...]: Perform IPFire LocationDB lookups
from within Zabbix. Returns a JSON dict.
- ipfire.locationdb.version: Get LocationDB version timestamp in unixtime.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 17 Jul 2025 17:52:02 +0000 (19:52 +0200)]
zabbix_agentd: Add WireGuard specific monitoring items
Adds new IPFire specific monitoring capabilities to Zabbix Agent:
- ipfire.wireguard.peers.discovery: Discovery of configured WireGuard
clients. Returns a JSON array.
- ipfire.wireguard.statusreport.get: Parses and returns output of
`wireguardctrl dump` as a JSON array.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 17 Jul 2025 17:52:01 +0000 (19:52 +0200)]
zabbix_agentd: Add ARPing method for checking Internet Gateway
Since some ISP's block ICMP ping to their gateway ARPing can be an alternative.
This change adds arping alternatives for the regular (icmp) ping checks:
- ipfire.net.gateway.arping: Check if the Internet Gateway is reachable via ARPing
- ipfire.net.gateway.arpingtime: Measure the time it takes to ARPing the Internet Gateway
Signed-off-by: Robin Roevens <robin.roevens@disroot.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
