Adolf Belka [Tue, 14 Oct 2025 13:07:53 +0000 (15:07 +0200)]
btrfs-progs: Update to version 6.17
- Update from version 6.16 to 6.17
- No change to rootfile
- Changelog
6.17
* inspect list-chunks: more sorting keys, descending order
* fi resize: add support for offline (unmounted) growing of single device
* device stats: add support for offline (unmounted) reads
* quota status: new command, overview what mode is enabled, tunables
* fi commit-stats: new command, print various commit stats from sysfs (since
kernel 6.1)
* balance start: print warning and delay start if there's a missing device
in the filesystem
* mkfs:
* print zoned mode (native, emulated)
* check:
* verify device bytes in super block item and in chunk tree
* other
* updated CI, new and updated tests
* cleanups, refactoring
* documentation updates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 25 Sep 2025 17:56:33 +0000 (17:56 +0000)]
kernel: Disable preemption debugging
From the kernel configuration:
If you say Y here then the kernel will use a debug variant of the
commonly used smp_processor_id() function and will print warnings
if kernel code uses it in a preemption-unsafe way. Also, the kernel
will detect preemption count underflows.
This option has potential to introduce high runtime overhead,
depending on workload as it triggers debugging routines for each
this_cpu operation. It should only be used for debugging purposes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 13 Oct 2025 10:39:52 +0000 (12:39 +0200)]
rust: Update to version 1.85.0
- Update from version 1.83.0 to 1.85.0
- The latest version of rust is at 1.90.0 but that version requires some existing rust
modules to also be updated. I will do that as a separate step once this patch is
in place.
- Update of rootfiles for all three architectures.
- Changelog
1.85.0
Language
The 2024 Edition is now stable. See the edition guide for more details.
Stabilize async closures See RFC 3668 for more details.
Stabilize #[diagnostic::do_not_recommend]
Add unpredictable_function_pointer_comparisons lint to warn against
function pointer comparisons
Lint on combining #[no_mangle] and #[export_name] attributes.
Compiler
The unstable flag -Zpolymorphize has been removed, see
https://github.com/rust-lang/compiler-team/issues/810 for some
background.
Platform Support
Promote powerpc64le-unknown-linux-musl to tier 2 with host tools
Refer to Rust’s platform support page for more information on Rust’s
tiered platform support.
Libraries
Panics in the standard library now have a leading library/ in their path
std::env::home_dir() on Windows now ignores the non-standard $HOME
environment variable
It will be un-deprecated in a subsequent release.
Add AsyncFn* to the prelude in all editions.
Stabilized APIs
BuildHasherDefault::new
ptr::fn_addr_eq
io::ErrorKind::QuotaExceeded
io::ErrorKind::CrossesDevices
{float}::midpoint
Unsigned {integer}::midpoint
NonZeroU*::midpoint
impl std::iter::Extend for tuples with arity 1 through 12
FromIterator<(A, ...)> for tuples with arity 1 through 12
std::task::Waker::noop
These APIs are now stable in const contexts:
mem::size_of_val
mem::align_of_val
Layout::for_value
Layout::align_to
Layout::pad_to_align
Layout::extend
Layout::array
std::mem::swap
std::ptr::swap
NonNull::new
HashMap::with_hasher
HashSet::with_hasher
BuildHasherDefault::new
<float>::recip
<float>::to_degrees
<float>::to_radians
<float>::max
<float>::min
<float>::clamp
<float>::abs
<float>::signum
<float>::copysign
MaybeUninit::write
Cargo
Add future-incompatibility warning against keywords in cfgs and add
raw-idents
Stabilize higher precedence trailing flags
Pass CARGO_CFG_FEATURE to build scripts
Rustdoc
Doc comment on impl blocks shows the first line, even when the impl block
is collapsed
Compatibility Notes
rustc no longer treats the test cfg as a well known check-cfg, instead it
is up to the build systems and users of --check-cfg to set it as a
well known cfg using --check-cfg=cfg(test).
This is done to enable build systems like Cargo to set it conditionally,
as not all source files are suitable for unit tests. Cargo (for now)
unconditionally sets the test cfg as a well known cfg.
Disable potentially incorrect type inference if there are trivial and
non-trivial where-clauses
std::env::home_dir() has been deprecated for years, because it can give
surprising results in some Windows configurations if the HOME
environment variable is set (which is not the normal configuration on
Windows). We had previously avoided changing its behavior, out of
concern for compatibility with code depending on this non-standard
configuration. Given how long this function has been deprecated, we’re
now fixing its behavior as a bugfix. A subsequent release will remove
the deprecation for this function.
Make core::ffi::c_char signedness more closely match that of the
platform-default char
This changed c_char from an i8 to u8 or vice versa on many Tier 2 and 3
targets (mostly Arm and RISC-V embedded targets). The new definition
may result in compilation failures but fixes compatibility issues with C.
The libc crate matches this change as of its 0.2.169 release.
When compiling a nested macro_rules macro from an external crate, the
content of the inner macro_rules is now built with the edition of the
external crate, not the local crate.
Increase sparcv9-sun-solaris and x86_64-pc-solaris Solaris baseline to 11.4.
Show abi_unsupported_vector_types lint in future breakage reports
Error if multiple super-trait instantiations of dyn Trait need associated
types to be specified but only one is provided
Change powerpc64-ibm-aix default codemodel to large
Internal Changes
These changes do not affect any public interfaces of Rust, but they
represent significant improvements to the performance or internals of
rustc and related tools.
Build x86_64-unknown-linux-gnu with LTO for C/C++ code (e.g., jemalloc)
1.84.1
Fix ICE 132920 in duplicate-crate diagnostics.
Fix errors for overlapping impls in incremental rebuilds.
Fix slow compilation related to the next-generation trait solver.
Fix debuginfo when LLVM’s location discriminator value limit is exceeded.
Fixes for building Rust from source:
Only try to distribute llvm-objcopy if llvm tools are enabled.
Add Profile Override for Non-Git Sources.
Resolve symlinks of LLVM tool binaries before copying them.
Make it possible to use ci-rustc on tarball sources.
1.84.0
Language
Allow #[deny] inside #[forbid] as a no-op
Show a warning when -Ctarget-feature is used to toggle features that can
lead to unsoundness due to ABI mismatches
Use the next-generation trait solver in coherence
Allow coercions to drop the principal of trait objects
Support / as the path separator for include!() in all cases on Windows
Taking a raw ref (raw (const|mut)) of a deref of a pointer (*ptr) is now safe
Stabilize s390x inline assembly
Stabilize Arm64EC inline assembly
Lint against creating pointers to immediately dropped temporaries
Execute drop glue when unwinding in an extern "C" function
Compiler
Add --print host-tuple flag to print the host target tuple and affirm the
“target tuple” terminology over “target triple”
Declaring functions with a calling convention not supported on the current
target now triggers a hard error
Set up indirect access to external data for
loongarch64-unknown-linux-{musl,ohos}
Enable XRay instrumentation for LoongArch Linux targets
Extend the unexpected_cfgs lint to also warn in external macros
Stabilize WebAssembly multivalue, reference-types, and tail-call target
features
Added Tier 2 support for the wasm32v1-none target
Libraries
Implement From<&mut {slice}> for Box/Rc/Arc<{slice}>
Move <float>::copysign, <float>::abs, <float>::signum to core
Add LowerExp and UpperExp implementations to NonZero
Implement FromStr for CString and TryFrom<CString> for String
std::os::darwin has been made public
Stabilized APIs
Ipv6Addr::is_unique_local
Ipv6Addr::is_unicast_link_local
core::ptr::with_exposed_provenance
core::ptr::with_exposed_provenance_mut
<ptr>::addr
<ptr>::expose_provenance
<ptr>::with_addr
<ptr>::map_addr
<int>::isqrt
<int>::checked_isqrt
<uint>::isqrt
NonZero::isqrt
core::ptr::without_provenance
core::ptr::without_provenance_mut
core::ptr::dangling
core::ptr::dangling_mut
Pin::as_deref_mut
These APIs are now stable in const contexts
AtomicBool::from_ptr
AtomicPtr::from_ptr
AtomicU8::from_ptr
AtomicU16::from_ptr
AtomicU32::from_ptr
AtomicU64::from_ptr
AtomicUsize::from_ptr
AtomicI8::from_ptr
AtomicI16::from_ptr
AtomicI32::from_ptr
AtomicI64::from_ptr
AtomicIsize::from_ptr
<ptr>::is_null
<ptr>::as_ref
<ptr>::as_mut
Pin::new
Pin::new_unchecked
Pin::get_ref
Pin::into_ref
Pin::get_mut
Pin::get_unchecked_mut
Pin::static_ref
Pin::static_mut
Cargo
Stabilize MSRV-aware resolver config
Stabilize resolver v3
Rustdoc
rustdoc-search: improve type-driven search
Compatibility Notes
Enable by default the LSX target feature for LoongArch Linux targets
The unstable -Zprofile flag (“gcov-style” coverage instrumentation) has
been removed. This does not affect the stable flags for coverage
instrumentation (-Cinstrument-coverage) and profile-guided
optimization (-Cprofile-generate, -Cprofile-use), which are unrelated
and remain available.
Support for the target named wasm32-wasi has been removed as the target is
now named wasm32-wasip1. This completes the transition plan for this
target following the introduction of wasm32-wasip1 in Rust 1.78.
Compiler warnings on use of wasm32-wasi introduced in Rust 1.81 are
now gone as well as the target is removed.
The syntax &pin (mut|const) T is now parsed as a type which in theory
could affect macro expansion results in some edge cases
Legacy syntax for calling std::arch functions is no longer permitted to
declare items or bodies (such as closures, inline consts, or async
blocks).
Declaring functions with a calling convention not supported on the current
target now triggers a hard error
The next-generation trait solver is now enabled for coherence, fixing
multiple soundness issues
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 13 Oct 2025 10:39:51 +0000 (12:39 +0200)]
clamav: Update to version 1.5.0
- Update from version 1.4.3 to 1.5.0
- Update of rootfile
- Required an update to rust as clamav required a rust version with edition2024. Patch
for that combined in this set.
- Changelog
1.5.0
Major changes
- Added checks to determine if an OLE2-based Microsoft Office document is
encrypted.
- Added the ability to record URIs found in HTML if the generate-JSON-metadata
feature is enabled.
Also adds an option to disable this in case you want the JSON metadata
feature but do not want to record HTML URIs.
The ClamScan command-line option is `--json-store-html-uris=no`.
The `clamd.conf` config option is `JsonStoreHTMLURIs no`.
The libclamav general scan option is `CL_SCAN_GENERAL_STORE_HTML_URIS`
- Added the ability to record URIs found in PDFs if the generate-JSON-metadata
feature is enabled.
Also adds an option to disable this in case you want the JSON metadata
feature but do not want to record PDF URIs.
The ClamScan command-line option is `--json-store-pdf-uris=no`.
The `clamd.conf` config option is `JsonStorePDFURIs no`.
The libclamav general scan option is `CL_SCAN_GENERAL_STORE_PDF_URIS`
- Added regex support for the `clamd.conf` `OnAccessExcludePath` config option.
This change courtesy of GitHub user b1tg.
- Added CVD signing/verification with external `.sign` files.
Freshclam will now attempt to download external signature files to accompany
existing `.cvd` databases and `.cdiff` patch files. Sigtool now has commands
to sign and verify using the external signatures.
ClamAV now installs a 'certs' directory in the app config directory
(e.g., `<prefix>/etc/certs`). The install path is configurable.
The CMake option to configure the CVD certs directory is
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is
`--cvdcertsdir PATH`
- The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is
`CVD_CERTS_DIR`
- The config option for Freshclam and ClamD is
`CVDCertsDirectory PATH`
Added two new APIs to the public clamav.h header:
```c
cl_error_t cl_cvdverify_ex(
    const char *file,
    const char *certs_directory,
    uint32_t dboptions);

cl_error_t cl_cvdunpack_ex(
    const char *file,
    const char *dir,
    const char *certs_directory,
    uint32_t dboptions);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
Added a `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it with
`cl_engine_get_str`, to override the compiled in default CVD certs directory.
Thank you to Mark Carey at SAP for inspiring work on this feature with an
initial proof of concept for external-signature FIPS compliant CVD signing.
- Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like
limits disabling MD5 and SHA1 from being used for verifying digital signatures
or for being used to trust a file when checking for false positives (FPs).
For `freshclam.conf` and `clamd.conf` set this config option:
```
FIPSCryptoHashLimits yes
```
For `clamscan` and `sigtool` use this command-line option:
```
--fips-limits
```
For libclamav: Enable FIPS-limits for a ClamAV engine like this:
```C
cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);
```
ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will
automatically enable the FIPS-limits feature.
This change mitigates safety concerns over the use of MD5 and SHA1 algorithms
to trust files and is required to enable ClamAV to operate legitimately in
FIPS-mode enabled environments.
Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection
purposes or for informational purposes in FIPS-enabled environments and when
the FIPS-limits option is enabled.
- Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5).
The clean-file cache algorithm is not configurable.
This change resolves safety concerns over the use of MD5 to trust files and
is required to enable ClamAV to operate legitimately in FIPS-mode enabled
environments.
- ClamD: Added an option to disable select administrative commands including
`SHUTDOWN`, `RELOAD`, `STATS` and `VERSION`.
The new `clamd.conf` options are:
```
EnableShutdownCommand yes
EnableReloadCommand yes
EnableStatsCommand yes
EnableVersionCommand yes
```
- libclamav: Added extended hashing functions with a "flags" parameter that
allows the caller to choose if they want to bypass FIPS hash algorithm limits:
```c
cl_error_t cl_hash_data_ex(
    const char *alg,
    const uint8_t *data,
    size_t data_len,
    uint8_t **hash,
    size_t *hash_len,
    uint32_t flags);

cl_error_t cl_hash_init_ex(
    const char *alg,
    uint32_t flags,
    cl_hash_ctx_t **ctx_out);

cl_error_t cl_update_hash_ex(
    cl_hash_ctx_t *ctx,
    const uint8_t *data,
    size_t length);

cl_error_t cl_finish_hash_ex(
    cl_hash_ctx_t *ctx,
    uint8_t **hash,
    size_t *hash_len,
    uint32_t flags);

void cl_hash_destroy(void *ctx);

cl_error_t cl_hash_file_fd_ex(
    const char *alg,
    int fd,
    size_t offset,
    size_t length,
    uint8_t **hash,
    size_t *hash_len,
    uint32_t flags);
```
- ClamScan: Improved the precision of the bytes-scanned and bytes-read counters.
The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB",
or "B" as appropriate. Previously, it always reported "MB".
- ClamScan: Add hash & file-type in/out CLI options:
- `--hash-hint`: The file hash so that libclamav does not need to calculate
it. The type of hash must match the `--hash-alg`.
- `--log-hash`: Print the file hash after each file scanned. The type of hash
printed will match the `--hash-alg`.
- `--hash-alg`: The hashing algorithm used for either `--hash-hint` or
`--log-hash`. Supported algorithms are "md5", "sha1", "sha2-256".
If not specified, the default is "sha2-256".
- `--file-type-hint`: The file type hint so that libclamav can optimize
scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names
such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with
the specified type.
See also: https://docs.clamav.net/appendix/FileTypes.html#file-types
- `--log-file-type`: Print the file type after each file scanned.
We will not be adding this for ClamDScan, as we do not have a mechanism in the
ClamD socket API to receive scan options or a way for ClamD to include scan
metadata in the response.
- libclamav: Added new scan functions that provide additional functionality:
```c
cl_error_t cl_scanfile_ex(
    const char *filename,
    cl_verdict_t *verdict_out,
    const char **last_alert_out,
    uint64_t *scanned_out,
    const struct cl_engine *engine,
    struct cl_scan_options *scanoptions,
    void *context,
    const char *hash_hint,
    char **hash_out,
    const char *hash_alg,
    const char *file_type_hint,
    char **file_type_out);

cl_error_t cl_scandesc_ex(
    int desc,
    const char *filename,
    cl_verdict_t *verdict_out,
    const char **last_alert_out,
    uint64_t *scanned_out,
    const struct cl_engine *engine,
    struct cl_scan_options *scanoptions,
    void *context,
    const char *hash_hint,
    char **hash_out,
    const char *hash_alg,
    const char *file_type_hint,
    char **file_type_out);

cl_error_t cl_scanmap_ex(
    cl_fmap_t *map,
    const char *filename,
    cl_verdict_t *verdict_out,
    const char **last_alert_out,
    uint64_t *scanned_out,
    const struct cl_engine *engine,
    struct cl_scan_options *scanoptions,
    void *context,
    const char *hash_hint,
    char **hash_out,
    const char *hash_alg,
    const char *file_type_hint,
    char **file_type_out);
```
The older `cl_scan*()` functions are now deprecated and may be removed in a
future release. See `clamav.h` for more details.
- libclamav: Added a new engine option to toggle temp directory recursion.
Temp directory recursion is the idea that each object scanned in ClamAV's
recursive extract/scan process will get a new temp subdirectory, mimicking
the nesting structure of the file.
Temp directory recursion was introduced in ClamAV 0.103 and is enabled
whenever `--leave-temps` / `LeaveTemporaryFiles` is enabled.
In ClamAV 1.5, an application linking to libclamav can separately enable temp
directory recursion if they wish.
For ClamScan and ClamD, it will remain tied to `--leave-temps` /
`LeaveTemporaryFiles` options.
The new temp directory recursion option can be enabled with:
```c
cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);
```
- libclamav: Added a class of scan callback functions that can be added with the
following API function:
```c
void cl_engine_set_scan_callback(struct cl_engine *engine, clcb_scan callback, cl_scan_callback_t location);
```
The scan callback location may be configured using the following five values:
- `CL_SCAN_CALLBACK_PRE_HASH`: Occurs just after basic file-type detection and
before any hashes have been calculated either for the cache or the gen-json
metadata.
- `CL_SCAN_CALLBACK_PRE_SCAN`: Occurs before parser modules run and before
pattern matching.
- `CL_SCAN_CALLBACK_POST_SCAN`: Occurs after pattern matching and after
running parser modules. A.k.a. the scan is complete for this layer.
- `CL_SCAN_CALLBACK_ALERT`: Occurs each time an alert (detection) would be
triggered during a scan.
- `CL_SCAN_CALLBACK_FILE_TYPE`: Occurs each time the file type determination
is refined. This may happen more than once per layer.
Each callback may alter scan behavior using the following return codes:
- `CL_BREAK`: Scan aborted by callback. The rest of the scan is skipped.
This does not mark the file as clean or infected, it just skips the rest of
the scan.
- `CL_SUCCESS` / `CL_CLEAN`: File scan will continue.
For `CL_SCAN_CALLBACK_ALERT`: This means you want to ignore this specific
alert and keep scanning.
This is different than `CL_VERIFIED` because it does not affect prior or
future alerts. Return `CL_VERIFIED` instead if you want to remove prior
alerts for this layer and skip the rest of the scan for this layer.
- `CL_VIRUS`: This means you do not trust the file. A new alert will be added.
For `CL_SCAN_CALLBACK_ALERT`: This means you agree with the alert and no
extra alert is needed.
- `CL_VERIFIED`: Layer explicitly trusted by the callback and previous alerts
removed for THIS layer. You might want to do this if you trust the hash or
verified a digital signature. The rest of the scan will be skipped for THIS
layer. For contained files, this does NOT mean that the parent or adjacent
layers are trusted.
Each callback is given a pointer to the current scan layer from which they can
get previous layers, can get the layer's fmap, and then various attributes of
the layer and of the fmap. To make this possible, there are new APIs to
query scan-layer details and fmap details:
```c
cl_error_t cl_fmap_set_name(cl_fmap_t *map, const char *name);
cl_error_t cl_fmap_get_name(cl_fmap_t *map, const char **name_out);
cl_error_t cl_fmap_set_path(cl_fmap_t *map, const char *path);
cl_error_t cl_fmap_get_path(cl_fmap_t *map, const char **path_out, size_t *offset_out, size_t *len_out);
cl_error_t cl_fmap_get_fd(const cl_fmap_t *map, int *fd_out, size_t *offset_out, size_t *len_out);
cl_error_t cl_fmap_get_size(const cl_fmap_t *map, size_t *size_out);
cl_error_t cl_fmap_set_hash(const cl_fmap_t *map, const char *hash_alg, char hash);
cl_error_t cl_fmap_have_hash(const cl_fmap_t *map, const char *hash_alg, bool *have_hash_out);
cl_error_t cl_fmap_will_need_hash_later(const cl_fmap_t *map, const char *hash_alg);
cl_error_t cl_fmap_get_hash(const cl_fmap_t *map, const char *hash_alg, char **hash_out);
cl_error_t cl_fmap_get_data(const cl_fmap_t *map, size_t offset, size_t len, const uint8_t **data_out, size_t *data_len_out);
cl_error_t cl_scan_layer_get_fmap(cl_scan_layer_t *layer, cl_fmap_t **fmap_out);
cl_error_t cl_scan_layer_get_parent_layer(cl_scan_layer_t *layer, cl_scan_layer_t **parent_layer_out);
cl_error_t cl_scan_layer_get_type(cl_scan_layer_t *layer, const char **type_out);
cl_error_t cl_scan_layer_get_recursion_level(cl_scan_layer_t *layer, uint32_t *recursion_level_out);
cl_error_t cl_scan_layer_get_object_id(cl_scan_layer_t *layer, uint64_t *object_id_out);
cl_error_t cl_scan_layer_get_last_alert(cl_scan_layer_t *layer, const char **alert_name_out);
cl_error_t cl_scan_layer_get_attributes(cl_scan_layer_t *layer, uint32_t *attributes_out);
```
This deprecates, but does not immediately remove, the existing scan callbacks:
```c
void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback);
void cl_engine_set_clcb_file_inspection(struct cl_engine *engine, clcb_file_inspection callback);
void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback);
void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback);
void cl_engine_set_clcb_virus_found(struct cl_engine *engine, clcb_virus_found callback);
void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback);
```
There is an interactive test program to demonstrate the new callbacks.
See: `examples/ex_scan_callbacks.c`
- Signature names that start with "Weak." will no longer alert.
Instead, they will be tracked internally and can be found in scan metadata
JSON. This is a step towards enabling alerting signatures to depend on prior
Weak indicator matches in the current layer or in child layers.
- For the "Generate Metadata JSON" feature:
- The "Viruses" array of alert names has been replaced by two new arrays that
include additional details beyond just signature name:
- "Indicators" records three types of indicators:
- **Strong** indicators are for traditional alerting signature matches and
will halt the scan, except in all-match mode.
- **Potentially Unwanted** indicators will only cause an alert at the end of
the scan unless a Strong indicator is found. They are treated the same
as Strong indicators in all-match mode.
- **Weak** indicators do not alert and will be leveraged in a future version
as a condition for logical signature matches.
- "Alerts" records only alerting indicators. Events that trust a file, such
as false positive signatures, will remove affected indicators, and mark
them as "Ignored" in the "Indicators" array.
- Add new option to calculate and record additional hash types when the
"generate metadata JSON" feature is enabled:
- libclamav option: `CL_SCAN_GENERAL_STORE_EXTRA_HASHES`
- ClamScan option: `--json-store-extra-hashes` (default off)
- `clamd.conf` option: `JsonStoreExtraHashes` (default 'no')
- The file hash is now stored as "sha2-256" instead of "FileMD5". If you
enable the "extra hashes" option, then it will also record "md5" and "sha1".
- Each object scanned now has a unique "Object ID".
- Sigtool: Renamed the sigtool option `--sha256` to `--sha2-256`.
The original option is still functional but is deprecated.
Other improvements
- Set a limit on the max-recursion config option. Users will no longer be
able to set max-recursion higher than 100.
This change prevents errors on start up or crashes if encountering
a file with that many layers of recursion.
- Build system: CMake improvements to support compiling for the AIX platform.
This change is courtesy of GitHub user KamathForAIX.
- Improve support for extracting malformed zip archives.
This change is courtesy of Frederick Sell.
- Windows: Code quality improvement for the ClamScan and ClamDScan `--move`
and `--remove` options.
This change is courtesy of Maxim Suhanov.
- Added file type recognition for an initial set of AI model file types.
The file type is accessible to applications using libclamav via the scan
callback functions and as an optional output parameter to the scan functions:
`cl_scanfile_ex()`, `cl_scanmap_ex()`, and `cl_scandesc_ex()`.
When scanning these files, type will now show "CL_TYPE_AI_MODEL" instead of
"CL_TYPE_BINARY_DATA".
- Added support for inline comments in ClamAV configuration files.
This change is courtesy of GitHub user userwiths.
- Disabled the MyDoom hardcoded/heuristic detection because of false positives.
- Sigtool: Added support for creating `.cdiff` and `.script` patch files for
CVDs that have underscores in the CVD name.
Also improved support for relative paths with the `--diff` command.
- Windows: Improved support for file names with UTF-8 characters not found in
the ANSI or OEM code pages when printing scan results or showing activity in
the ClamDTOP monitoring utility.
Fixed a bug with opening files with such names with the Sigtool utility.
- Improved the code quality of the ZIP module. Added inline documentation.
- Always run scan callbacks for embedded files. Embedded files are found within
other files through signature matches instead of by parsing. They will now
be processed the same way and then they can trigger application callbacks
(e.g., "pre-scan", "post-scan", etc.).
A consequence of this change is that each embedded file will be pattern-
matched just like any other extracted file. To minimize excessive pattern
matching, file header validation checks were added for ZIP, ARJ, and CAB.
Also fixed a bug with embedded PE file scanning to reduce unnecessary matching.
This change will impact scans with both the "leave-temps" feature and the
"force-to-disk" feature enabled, resulting in additional temporary files.
- Added DevContainer templates to the ClamAV Git repository in order to make it
easier to set up AlmaLinux or Debian development environments.
- Removed the "Heuristics.XZ.DicSizeLimit" alert because of potential unintended
alerts based on system state.
- Improved support for compiling on Solaris.
- Improved support for compiling on GNU/Hurd.
- Improved support for linking with the NCurses library dependency when
libtinfo is built as a separate library.
Bug fixes
- Reduced email multipart message parser complexity.
- Fixed possible undefined behavior in inflate64 module.
The inflate64 module is a modified version of the zlib library, taken from
version 1.2.3 with some customization and with some cherry-picked fixes.
This adds one additional fix from zlib 1.2.9.
Thank you to TITAN Team for reporting this issue.
- Fixed a bug in ClamD that broke reporting of memory usage on Linux.
The STATS command can be used to monitor ClamD directly or through ClamDTOP.
The memory stats feature does not work on all platforms (e.g., Windows).
- Windows: Fixed a build issue when the same library dependency is found in
two different locations.
- Fixed an infinite loop when scanning some email files in debug-mode.
This fix is courtesy of Yoann Lecuyer.
- Fixed a stack buffer overflow bug in the phishing signature load process.
This fix is courtesy of GitHub user Shivam7-1.
- Fixed a race condition in the Freshclam feature tests.
This fix is courtesy of GitHub user rma-x.
- Windows: Fixed a 5-byte heap buffer overread in the Windows unit tests.
This fix is courtesy of GitHub user Sophie0x2E.
- Fix double-extraction of OOXML-based office documents.
- ClamBC: Fixed crashes on startup.
- Fixed an assortment of issues found with Coverity static analysis.
- Fixed libclamav unit test, ClamD, and ClamDScan Valgrind test failures
affecting some platforms.
- Fixed crash in the Sigtool program when using the `--html-normalize` option.
- Fixed some potential NULL-pointer dereference issues if memory allocations
fail.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 12 Oct 2025 11:51:42 +0000 (13:51 +0200)]
mympd: Update to version 22.1.1
- Update from version 22.0.4 to 22.1.1
- Addition of cmake option to not create the systemd startup files
- Removal of patch to make mympd work with coreutils-9.8 as this latest update already
includes the change in it.
- Changelog
22.1.1
- Upd: Logging improvements
- Fix: Now playing indicator in Queue View
- Fix: Detection of ca cert store #1469
- Fix: Ending newline detection in build script #1470
22.1.0
This is the first release that supports a system-wide installed libmpdclient
library. If the library was not found or is too old, the build process falls
back to the embedded libmpdclient.
- Feat: Support string normalization option (MPD 0.25)
- Feat: Support shared libmpdclient (v2.24.0) #874
- Upd: Rework album implementation to work with upstream libmpdclient
- Upd: Mongoose 7.19
- Upd: Bootstrap 5.3.8
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 13 Oct 2025 09:18:28 +0000 (11:18 +0200)]
dns.cgi: Correction to typo
- Spotted by a new user on the forum as part of their CU198 Testing.
- Causes an Internal Server Error when trying to access the Domain Name System page.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 10 Oct 2025 15:51:54 +0000 (17:51 +0200)]
tshark: Update to version 4.6.0
- Update from version 4.4.9 to 4.6.0
- Update of rootfile
- Changelog
4.6.0
New and Updated Features
The following features are new (or have been significantly updated) since
version 4.6.0rc1:
Wireshark can dissect process information, packet metadata, flow IDs,
drop information, and other information provided by tcpdump on macOS.
The following features are either new or have been significantly updated
since version 4.4.0:
The Windows installers now ship with Npcap 1.83. They previously
shipped with Npcap 1.79.
The Windows and macOS installers now ship with Qt 6.9.3. They
previously shipped with Qt 6.5.3.
We now ship universal macOS installers instead of separate packages
for Arm64 and Intel. Issue 17294
WinPcap is no longer supported. On Windows, use Npcap instead,
uninstalling WinPcap if necessary. The final release of WinPcap was
version 4.1.3 in 2013. It only supports up to Windows 8, which is no
longer supported by Microsoft or Wireshark.
A new “Plots” dialog has been added, which provides scatter plots in
contrast to the “I/O Graphs” dialog, which provides histograms. The
Plots dialog window supports multiple plots, markers, and automatic
scrolling.
Live captures can be compressed while writing. (Previously there was
support for compressing when performing multiple file capture, at
file rotation time.) The --compress option in TShark works on live
captures as well. Issue 9311
Absolute time fields, regardless of field display in the Packet
Details, are always written in ISO 8601 format in UTC with -T json.
This was already the case for -T ek since version 4.2.0. JSON is
primarily a data interchange format read by software, so a standard
format is desirable.
When absolute time fields are output with -T fields, the "show" field
of -T pdml, or in custom columns (including CSV output of columns),
the formatting similar to asctime (e.g., Dec 18, 2017
05:28:39.071704055 EST) has been deprecated in favor of ISO 8601. For
backwards compatibility, a preference has been added,
protocols.display_abs_time_ascii, which can be set to continue to
format times as before. This preference can also be set to never use
ASCII time and to use ISO 8601 time formatting in the protocol tree
(Packet Details) as well. It is possible that a future release will
remove the asctime style formatting entirely.
UTC frame time column formats (including "Time (format as specified)"
when a UTC time display format is selected) have a "Z" suffix per
ISO 8601. Local time formats remain unqualified (including if the
local time zone is UTC.) Custom columns displaying FT_ABSOLUTE_TIME
already had time zone indication.
The TShark -G option for generating glossary reports does not need to
be the first option given on the command line anymore. In addition,
the reports now are affected by other command line options such as
-o, -d, and --disable-protocol, in addition to the -C option, which
was already supported. (The defaultprefs report remains unaffected by
any other options.) As a part of this change, -G with no argument,
which was previously deprecated, is no longer supported. Use
tshark -G fields to produce the same report. Also, the syntax for
only listing fields with a certain prefix has changed to tshark -G
fields,prefix.
The underlying type of EUI-64 fields has been switched to bytes when
packet matching, similar to most other address formats. This means
that EUI-64 addresses can be sliced and compared to other bytes
types, e.g. the filter wpan.src64[:3] == eth.src[:3]. Fields can
still be specified using 64-bit unsigned integer literals, though
arithmetic with other integers is no longer supported.
Wireshark can now decrypt NTP packets using NTS (Network Time Security).
To decrypt packets, the NTS-KE (Network Time Security Key
Establishment Protocol) packets need to be present, alongside the TLS
client and exporter secrets. Additionally, the parts of a NTP packet
which can be cryptographically authenticated (from NTP packet header
until the end of the last extension field that precedes the NTS
Authenticator and Encrypted Extension Fields extension field) are
checked for validity.
Wireshark’s ability to decrypt MACsec packets has been expanded to
either use the SAK unwrapped by the MKA dissector, or the PSK
configured in the MACsec dissector. To enable the MKA dissector to
unwrap the SAK, the CAK for the applicable CKN can be entered in the
extended CKN/CAK Info UAT in the MKA dissector preferences. The
ability of the MACsec dissector to decrypt packets using a PSK has
been extended to a list of PSKs, which can be entered through a new UAT.
The TCP Stream Graph axes now use units with SI prefixes. Issue 20197
Custom columns have an option to show the values using the same format
as in Packet Details.
Custom column complex expressions (e.g., with arithmetic, filter
functions, etc.) that return numeric results are sorted numerically
instead of lexicographically.
Display filter functions float and double are added to allow
explicitly converting field types like integers and times to single
and double precision floats. They can be used to perform further
arithmetic operations on fields of different types, including in
custom column definitions.
The minimum width of the I/O Graph dialog window has been reduced, so
it should work better on small resolution desktops, especially in
certain languages. To enable this, some checkbox controls were moved
to the graph right-click context menu. Issue 20147
X.509 certificates, used in TLS and elsewhere, can be exported via the
File › Export Objects menu in Wireshark (under the name "X509AF")
and --export-objects in TShark (with the protocol name x509af.)
Zstandard Content-Encoding is supported in the HTTP and HTTP/2
dissectors.
Follow Stream is supported for MPEG 2 Transport Stream PIDs, and for
Packetized Elementary Streams contained within MPEG 2 TS. The latter
can be used to extract audio or video for playback with other tools.
DNP 3 (Distributed Network Protocol 3) is now supported in the
Conversations and Endpoints table dialogs.
The Lua supplied preloaded libraries bit and rex_pcre2 are loaded in a
way that adds them to the package.loaded table, as though through
require, so that require("bit") and require("rex_pcre2") statements
in Lua dissectors, while usually superfluous, behave as expected.
Issue 20213
The packet list (Wireshark) and event list (Stratoshark) no longer
support rows with multiple lines. Issue 14424
The ethers file can also contain EUI-64 to name mappings. Issue 15487
Wireshark’s "Import from Hex Dump" feature and text2pcap now support
byte groups with 2 to 4 bytes (with an option for little-endian byte
order), and support hexadecimal offsets with a 0x or 0X prefix (as
produced by tcpdump -x, among others). Issue 16193
Frame timestamps can be added as preamble to hex dumps in Wireshark
from the "Print" and "Export Packet Dissection" dialogs, and in
TShark with the --hexdump time option. Issue 17132
Lua now has a Conversation object, which exposes conversations and
conversation data to Lua. Issue 15396
An Edit › Copy › as HTML menu item has been added, along with
associated context menu items and a keyboard shortcut. It provides an
option (via knobs in preferences) to copy plain text with aligned
columns along with an ability to select a copy format to be used when
copied via keyboard shortcut.
The "no duplicate keys" version of JSON output that tshark has
supported since 2.6.0 is available through the GUI Export Dissections
Dialog. Note that this format does not necessarily preserve the
ordering of all children in a tree, if sibling with identical keys
are not consecutive.
The GUI Export Dissections Dialog can output raw hex bytes of the
frame data for each field with or without exporting the field values,
the same formats as the "-T json -x" and "-T jsonraw" output modes,
respectively, of TShark.
The Conversations and Endpoints dialogs have an option to display byte
counts and bit rates in exact counts instead of human-readable
numbers with SI units. The default setting when opening a dialog is
controlled by a Statistics preference, "conv.machine_readable". The
same preference controls whether precise byte counts are used in the
TShark "-z conv" and "-z endpoints" taps.
The output format for some TShark statistics taps (those selected with
"-z <tap>,tree", which use the stats_tree system) can be controlled
via a preference "-o statistics.output_format".
The color scheme can be set to Light or Dark mode independently of the
current OS default on Windows and macOS, if Wireshark is built with
Qt 6.8 or later as the official installers are. Issue 19328
libxml2 is now a required dependency. Note that Wireshark will not
build with libxml2 2.15.0, but other versions should work.
The View menu has an option to Redissect Packets manually, which can
be useful when address resolution or decryption secrets have changed.
HTTP2 tracking of 3GPP session over 5G Service Based Interfaces is now
optionally available. When enabled, "Associate IMSI" will be added on
HTTP2 streams which have been found to belong to a session.
Building the documentation on Windows no longer requires Java.
On Linux, capture filters that use BPF extensions like "inbound",
"outbound", and "ifindex" can be used for capturing (and compiled by
the Compiled Filter dialog). Instead of always being rejected by the
syntax checker, they will be marked as unknown.
Removed Features and Support
Wireshark no longer supports AirPcap and WinPcap.
Wireshark no longer supports libnl versions 1 or 2.
The ENABLE_STATIC CMake option has been deprecated in favor of
BUILD_SHARED_LIBS
New File Format Decoding Support
Resource Interchange File Format (RIFF) and TTL File Format
New Protocol Support
Asymmetric Key Packages (AKP), Binary HTTP, BIST TotalView-ITCH
protocol (BIST-ITCH), BIST TotalView-OUCH protocol (BIST-OUCH),
Bluetooth Android HCI (HCI ANDROID), Bluetooth Intel HCI (HCI INTEL),
BPSec COSE Context, BPSec Default SC, Commsignia Capture Protocol
(C2P), DECT NR+ (DECT-2020 New Radio), DLMS/COSEM, Ephemeral
Diffie-Hellman Over COSE, Identifier-Locator Network Protocol (ILNP),
LDA Neo Device trailer (LDA_NEO_TRAILER), Lenbrook Service Discovery
Protocol (LSDP), LLC V1, Navitrol messaging, Network Time Security
Key Establishment Protocol (NTS-KE), Ouster VLP-16, Private Line
Emulation (PLE), RC V3, RCG, Roughtime, SBAS L5 Navigation Message,
SGP.22 GSMA Remote SIM Provisioning (SGP.22), SGP.32 GSMA Remote SIM
Provisioning (SGP.32), SICK CoLA Ascii and CoLA Binary protocols,
Silabs Debug Channel, Universal Measurement and Calibration Protocol
(XCP), USB Picture Transfer Protocol (USB-PTP), VLP-16 Data and
Position messaging, and vSomeIP Internal Protocol (vSomeIP)
Updated Protocol Support
Too many protocol updates have been made to list them all here.
New and Updated Capture File Support
BLF is now improved (including writing to BLF)
New and Updated Capture Interfaces support
On Windows, etwdump’s user-friendliness has been greatly improved
thanks to various extcap changes. It should also now display the raw
bytes of unknown events.
Major API Changes
The Lua API now supports Libgcrypt symmetric cipher functions.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Oct 2025 10:18:00 +0000 (12:18 +0200)]
mpd: Update to version 0.24.5
- Update from version 0.24.4 to 0.24.5
- Update of rootfile not required
- Changelog
0.24.5
* database
- fix disappearing playlist files
* decoder
- ffmpeg: handle "*.aif" files
- mpg123: add option "full_scan"
- mpg123: support seeking on remote files
- mpg123: work around libmpg123 ID3 corruption bug
- sidplay: add support for PSID files
* output
- pipewire: fix resuming playback after it was paused by "single" mode
* Windows
- fix libfmt error "what(): invalid utf8"
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Oct 2025 10:17:59 +0000 (12:17 +0200)]
libmpdclient: Update to version 2.23
- Update from version 2.22 to 2.23
- Update of rootfile
- Changelog
2.23
* support MPD protocol 0.24.0
- allow window for listplaylist and listplaylistinfo
- command "playlistlength", "protocol", "stickertypes", "stickernamestypes",
"searchplaylist"
- tag "ShowMovement"
- new sticker find api
- new subcommands for "tagtypes": "available", "reset"
* Support open end for mpd_search_add_window
* format floating-point numbers with the POSIX locale
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Oct 2025 10:17:58 +0000 (12:17 +0200)]
mympd: Update to version 22.0.4 and work with coreutils-9.8
- Update from version 21.0.1 to 22.0.4
- Add config options to stop doc and man page creation.
- Add patch to fix working with coreutils-9.8
- Update of rootfile
- Changelog
22.0.4
- Upd: Restrict sticker names (forbid equal sign)
- Fix: Really shuffle the playlist #1455
- Fix: Relax search expression validation #1455
- Fix: Alpine packaging
- Fix: Detection of local playback features #1452
22.0.3
- Upd: Create cache and workdir in init script
- Upd: Feature detection for local playback output selection #1452
22.0.2
- Fix: MYMPD_API_JUKEBOX_RESTART requires MPD connection #1448
22.0.1
- Fix: Respect backgroundImage setting #1446
- Fix: Alpine packaging
22.0.0
Notes
- This release enables certificate checking for outgoing https connections.
The system CA cert store should be autodetected, open an issue if it fails.
- The startup process of myMPD was reworked. myMPD no longer drops privileges,
the included startup scripts are using now the init system to do this.
- The default listening ports are now 8080 for HTTP and 8443 for HTTPS.
API changes
- MYMPD_API_SCRIPT_VERIFY_SIG: new
- MYMPD_API_HOME_WIDGET_IFRAME_SAVE: new
- MYMPD_API_HOME_WIDGET_SCRIPT_SAVE: new
- MYMPD_API_HOME_WIDGET_SAVE: removed
Scripting changes
- Feat: `mympd.tblvalue_in_list()` - Checks a Lua table of tags against a comma separated list.
- Upd: Executing external scripts is now disabled by default.
Changelog
- Feat: iFrames for home screen #1429
- Feat: Add custom css and js #1428
- Feat: Use system provided ca store for ssl certificate checking #1427
- Feat: Sign and verify scripts from mympd-scripts repository #1426
- Feat: Add trigger `mympd_playlistart`, `mympd_folderart`
- Feat: Sort list of timers and triggers #1425
- Feat: Allow changing output device with local playback #1434
- Upd: Improve "Edit Script"-Layout
- Upd: Bootstrap v5.3.7
- Upd: Mongoose 7.18
- Upd: libmympdclient 1.0.34 (libmpdclient 2.24.0)
- Upd: Incbin
- Upd: Replaced mjson with mongoose implementation
- Fix: Improve MPD search expression validation #1435
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Oct 2025 10:17:56 +0000 (12:17 +0200)]
coreutils: Update to version 9.8
- Update from version 9.7 to 9.8
- Update of rootfile not required
- Changelog
9.8
Bug fixes
'b2sum' will diagnose --length values that are too big.
Previously it would have silently assumed 512 for any larger values.
[bug introduced in coreutils-9.6]
'base32' and 'base64' when decoding will again diagnose partially
padded data that ends with a newline.
[bug introduced in coreutils-9.5]
'basenc -d -i' will now strip '=' characters from the input
in encodings where padding characters are not valid.
[bug introduced with the basenc program in coreutils-8.31]
'cp -p' had spurious "Operation not supported" failures when
copying to non-NFS files from NFSv4 files with trivial ACLs.
[bug introduced in coreutils-9.6]
'cp --sparse=always' missed some opportunities to create holes.
That is, although the copies had the correct data, sometimes
data zeros used extents rather than holes.
[This bug was present in "the beginning".]
cp missed opportunities to create holes when copying from file
systems like squashfs that support SEEK_HOLE only trivially.
[bug introduced in coreutils-9.0]
cp, install, and mv now avoid possible data corruption on
glibc 2.41 and 2.42 systems when copy_file_range is used with ranges > 2GiB,
avoiding https://sourceware.org/PR33245
[bug triggered since coreutils-9.0]
'date' supports specifying multiple named formats with the last taking
precedence. Previously multiple specifications would induce an error.
[bug introduced in coreutils-5.90]
'dd oflag=seek_bytes' no longer mistakenly reports errors when the
output file exists on GNU/Hurd.
[bug introduced in coreutils-8.16]
'fold' no longer exhausts memory when processing large inputs
with a very large --width argument.
[This bug was present in "the beginning".]
'install -d' now produces the correct diagnostic upon failure
to create a directory. Previously it would have produced
a confusing error about changing permissions.
[This bug was present in "the beginning".]
"ls --size --block-size=\'k" could misalign output in locales
with multi-byte thousands grouping characters.
[This bug was present in "the beginning".]
'nohup' avoids implementation defined behavior setting umask,
avoiding a FORTIFY runtime failure on Bionic libc.
[This bug was present in "the beginning".]
'od --strings' with '-N' now works correctly. Previously od might
write a NUL byte after a heap buffer, or output invalid addresses.
[These bugs were present in "the beginning".]
'od -w0' will now issue a diagnostic and exit gracefully.
Previously it would have aborted.
[bug introduced in coreutils-9.3]
'od -w' no longer silently mishandles enormous widths like 3037000500.
Instead, it either outputs correctly or diagnoses a too-large width.
[This bug was present in "the beginning".]
'od +N.' (where N is a decimal number) works again as per POSIX.
[bug introduced in textutils-2.0]
'od /dev/null ++0' no longer mistakenly treats the ++0 as an offset.
[This bug was present in "the beginning".]
'sort' with key character offsets of SIZE_MAX, could induce
a read of 1 byte before an allocated heap buffer. For example:
'sort +0.18446744073709551615R input' on 64 bit systems.
[bug introduced in coreutils-7.2]
stdbuf now works on AIX. Previously it would have been ineffective.
[bug introduced with the stdbuf program in coreutils-7.5]
'tail -n NUM' no longer can output more than NUM lines if stdin
is a largish regular file with a nonzero initial offset, and grows
while 'tail' is reading it.
[This bug was present in "the beginning".]
'tail -f -n +NUM' no longer mishandles NUM values >= UINTMAX_MAX
when the input is seekable.
[bug introduced in coreutils-9.6]
'tail --pid' avoids some unlikely races if the kernel reuses PIDs.
[bug introduced in coreutils-9.5]
'tty' now exits with status 4 with a special diagnostic if ttyname
fails even though standard input is a tty. Formerly it quietly
pretended that standard input was not a tty.
[This bug was present in "the beginning".]
New Features
basenc supports the --base58 option to encode and decode
the visually unambiguous Base58 encoding.
'cksum -a' now supports the 'sha3' argument, to use the SHA3-224,
SHA3-256, SHA3-384, SHA3-512 message digest algorithms depending on
the argument passed to the required --length (-l) option.
'cksum -a' now supports the 'sha2' argument, as a more consistent
interface than the existing 'sha224', 'sha256', 'sha384', 'sha512'
arguments, which are now selected with the --length (-l) option.
'date' now outputs dates in the country's native calendar for the
Iranian locale (fa_IR) and for the Ethiopian locale (am_ET), and also
does so more consistently for the Thailand locale (th_TH.UTF-8).
fold now supports multi-byte characters, honoring their column width.
Also the --characters (-c) option was added to wrap at a certain
number of characters, similarly to --bytes in uni-byte locales.
nproc now honors any cgroup v2 configured CPU quotas,
which may reduce the effective number of processors available.
stty supports setting arbitrary baud rates on supported systems,
like Hurd, Linux with glibc >= 2.42, and some BSDs.
Also on other systems the full set of supported baud rates
is determined at build time if possible.
Commands that support hardware acceleration like cksum and wc
can now disable this acceleration at runtime through the
commonly used GLIBC_TUNABLES environment variable. For example
to disable the use of AVX512 instructions in cksum, you can:
export GLIBC_TUNABLES='glibc.cpu.hwcaps=-AVX512F'
Changes to conform better to POSIX.1-2024
readlink now defaults to being verbose if the POSIXLY_CORRECT
environment variable is set.
realpath now supports -E, which specifies the default behavior.
The corresponding long option is --canonicalize.
tsort now accepts and ignores -w.
Improvements
'factor' is now much faster at identifying large prime numbers,
and significantly faster on composite numbers greater than 2^128.
fold now exits immediately upon receiving a write error,
which is significant when reading large / unbounded inputs.
'seq' is more accurate with large integer start values.
Previously 'seq 18446744073709551617 inf | head -n1' would
output the number before the user specified start value.
Build-related
cksum was not compilable by Apple LLVM 10.0.0 x86-64, which
lacks support for checking for the VPCLMULQDQ instruction.
[bug introduced in coreutils-9.6]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 Oct 2025 17:24:29 +0000 (18:24 +0100)]
ovpnmain.cgi: Enable multihome when using UDP
If the client is connecting from an internal network instead of the
internet, the OpenVPN server replies with the public IP address as the
source address. This won't allow a connection to be established.
Enabling multihome changes the behaviour to reply with whatever IP
address the client has connected to.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 8 Oct 2025 20:49:00 +0000 (20:49 +0000)]
Tor: Update to 0.4.8.19
Changes in version 0.4.8.19 - 2025-10-06
This release fixes two major bugfixes for a LibreSSL issue and a flow control
C-tor specific problem (not protocol). We strongly recommend you upgrade as
soon as possible.
o Major bugfixes (client, TLS):
- Fix some clients not being able to connect to LibreSSL relays.
Fixes bug 41134; bugfix on 0.4.8.17
o Major bugfixes (stream flow control performance):
- Use a 5 ms grace period to allow an edge connection to flush its
stream data to the socket before sending an XOFF. This
significantly reduces the number of XON/XOFF messages sent when
(1) the application is reading stream data at a fast rate, and (2)
when conflux is enabled. Fixes part of bug 41130; bugfix
on 0.4.7.2-alpha
o Minor features (fallbackdir):
- Regenerate fallback directories generated on October 06, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/10/06.
o Minor bugfix (process):
- Avoid closing all possible FDs when spawning a process (PT). On
some systems, this could lead to 3+ minutes hang. Fixes bug 40990;
bugfix on 0.3.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 8 Oct 2025 20:28:46 +0000 (22:28 +0200)]
samba: Update to version 4.23.1
- Update from version 4.22.4 to 4.23.1
- Update of rootfile for all architectures
- Changelog
4.23.1
* BUG 15920: Incomplete bind configuration causes DLZ plugin to crash.
* BUG 15914: winbind can crash at startup.
* BUG 15919: vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev for
fsync_send.
* BUG 15904: CTDB does not support PCP 7.0.0.
* BUG 15921: CTDB_SOCKET can be used even when CTDB_TEST_MODE is not set.
* BUG 15919: vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev for
fsync_send.
4.23.0
NEW FEATURES/CHANGES
Enable SMB3 Unix Extensions by default
Starting with Samba 4.23, the SMB3 UNIX Extensions are enabled by
default. These extensions provide first-class support for POSIX semantics
over SMB3, allowing UNIX and Linux clients to access file services with
features such as proper POSIX permissions, symlink handling, hardlinks,
and special file types.
Enabling this feature by default improves interoperability for UNIX/Linux
clients without requiring additional configuration. Windows clients that
do not support the extensions will continue to function normally, by
using standard SMB3 behavior.
Add support for SMB3 over QUIC
The new "client smb transports" and "server smb transport"
allow a more flexible configuration for the used tcp
sockets.
It also got the ability to specify "quic" as possible transport.
If quic should be used in addition to the defaults something
like "server smb transports = +quic" can be used.
For the client quic only works with name based uncs,
ip address based uncs are not supported.
Note for the server 'quic' requires the quic.ko kernel module
for Linux from https://github.com/lxin/quic (tested with Linux 6.14).
Future Linux versions may support it natively, here's the
branch that will hopefully be accepted upstream soon:
https://github.com/lxin/net-next/commits/quic/
For the client side there's a fallback to the userspace ngtcp2
library if the quic kernel module is not available.
Check the smb.conf manpage for additional hints
about the "client smb transports" and "server smb transport"
options and interactions with tls related options.
Modern write time update logic
Samba 4.23 changes file timestamp handling to match modern Windows
servers.
Earlier releases used delayed write time updates, where last_write_time was
only refreshed after a short idle period. Now Samba applies immediate
timestamp updates consistent with modern Windows 10/Server 2016 or newer.
Initial version of smb_prometheus_endpoint
Samba 4.23 introduces the smb_prometheus_endpoint utility, which exports
Samba server metrics in Prometheus-compatible format. This enables seamless
integration of Samba performance and status monitoring into existing
Prometheus and Grafana environments. For usage and configuration details,
refer to the new smb_prometheus_endpoint man page.
samba-tool domain backup --no-secrets avoids confidential attributes
The --no-secrets option creates a back-up without secret attributes
(e.g. passwords), suitable for use in a lab domain. Until now it could
still contain confidential attributes, including BitLocker recovery
data and KDS root keys. Objects in the classes msKds-ProvRootKey,
msFVE-RecoveryInformation, and msTPM-InformationObject will now be
entirely removed from the backup, as these objects are required by
schema to have confidential attributes and are no use without them.
CTDB changes
CTDB now supports loading tunables from
/etc/ctdb/tunables.d/*.tunables, in addition to the standard
/etc/ctdb/tunables.conf. See the ctdb-tunables(7) manual page for
more details. Note that the above locations are examples - the
actual location of these files will depend on compile time
configuration.
It isn't expected that many users will require a directory of tunables
files, since most users do not need to change tunables from their
default values. However, this allows vendors to ship their required
tunables settings (for example, in one or more files marked "do not
edit") while still allowing local administrators to add their own
tunables settings (in one or more separate files).
Per-share profiling stats
Starting with Samba 4.23, users can collect profile counters at a
per-share level. This feature requires building Samba with profiling
data enabled and adding an appropriate `smb.conf` parameter for
specific shares. It's particularly useful for deployments with a large
number of active shares, allowing administrators to monitor individual
share activity and identify potential bottlenecks or hot-spots. When
enabled, users can inspect current per-share profile information
("Extended Profile") using the standard `smbstatus` utility.
Currently, this functionality is supported only by the default and
`ceph_new` VFS modules.
smb.conf changes
Parameter Name            Description  Default
--------------            -----------  -------
smbd profiling share      New          no
client smb transports     New          tcp, nbt
server smb transports     New          tcp, nbt
winbind varlink service   New          no
Bugs
* BUG 15911: samba.tests.safe_tarfile fails on Python 3.13 with additional
security fixes for tarfile support.
* BUG 15904: CTDB does not support PCP 7.0.0.
* BUG 15905: samba-4.21 fails to join AD when multiple DCs are returned.
* BUG 15908: Uninitialized read leads to hanging rpcd_spoolss.
* BUG 15905: samba-4.21 fails to join AD when multiple DCs are returned.
* BUG 15907: Stack buffer overflow in samba3.smb2.dirlease.fileserver.
* BUG 15902: Regression in gssproxy support in 4.23.rc1+.
* BUG 15900: 'net ads group' failed to list domain groups.
* BUG 15843: macOS Finder client DFS broken on 4.22.0.
* BUG 15899: Self-signed certificates don't have X509v3 Subject Alternative
Name for DNS.
* BUG 15893: Improve handling of principals and realms in client tools.
* BUG 15896: libquic build fixes.
* BUG 15844: getpwuid does not shift to new DC when current DC is down.
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
* BUG 15896: libquic build fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 6 Oct 2025 15:32:37 +0000 (17:32 +0200)]
nasm: Add patch fix for typo in le32toh function name
- nasm failed to build with aarch64 due to a typo in the 3.00 source tarball where
l32toh had been written in bytesex.h instead of le32toh
- This patch includes the fix for that. The applied patch will be able to be removed
when the next release after 3.00 is issued.
- Tested the build on the aarch64 builder and nasm successfully built with the patch
applied.
- Update of rootfile not required
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 18:18:08 +0000 (20:18 +0200)]
glib: Update to version 2.86.0
- Update from version 2.83.0 to 2.86.0
- Update of rootfile
- Changelog
2.86.0
* Rework how platform-specific introspected GIO APIs have to be imported to fix
problems with backwards-compatibility provision for it, by removing duplicate
platform-specific symbols from `Gio-2.0`. Users of platform-specific GIO APIs
should be unaffected, as `GIRepository` will now automatically import
`GioWin32-2.0` or `GioUnix-2.0` when asked to import `Gio-2.0`. However,
projects generating introspection data which depends on types from either of
those platform-specific GIRs must make sure they depend on those GIRs
explicitly, rather than just transitively depending on them through `Gio-2.0`
(#3744, work by Emmanuele Bassi, Marco Trevisan, Florian Müllner, and others)
* Fix file existence queries on Solaris, broken due to unexpected flags handling
within `faccessat()` (#3770, work by Niveditha Rau)
* Bugs fixed:
- #3744 GDesktopAppInfo API disappeared after girepository-2.0 port (Emmanuele
Bassi)
- #3768 g_test_trap_subprocess does not check G_TEST_SUBPROCESS_INHERIT_STDIN
(Philip Withnall)
- !4751 gtestutils: Fix a slightly broken example in a doc comment
- !4754 Update Polish translation 250825
- !4758 Update Swedish translation
- !4762 gio: gmemorymonitorpsi: Replace GRegex with g_str_has_prefix()
- !4765 girepository: Add an assertion to help scan-build
- !4767 glocalfile: Disable faccessat()-based query_exists on Solaris
- !4768 gmessages: Fix win32_keep_fatal_message regression
- !4769 docs: Fix typos
- !4770 Update Chinese translation
- !4771 Update Georgian translation
- !4772 po: Update Persian translation.
* Translation updates:
- Chinese (China) (lumingzh)
- Georgian (NorwayFun)
- Persian (Danial Behzadi)
- Polish (Piotr Drąg)
- Swedish (Anders Jonsson)
2.85.4
* Follow symlink (instead of overwriting it) when updating `mimeapps.list`
(#3579, work by Rafael Girão)
* Bugs fixed:
- #3579 mimeapps.list is overwritten if it is a symlink (Rafael Girão)
- #3724 Crash in g_hash_table_add after 252645135 elements (Tobias Stoeckmann)
- #3743 g_utf8_validate out parameter has wrong type (two)
- #3751 meta: clang-format refers to a broken link (Rafael Girão)
- #3758 Out-of-bounds read in GMemoryMonitorPoll (Philip Withnall)
- #3760 Stack overflow when recursing within g_log_structured() with
`G_LOG_FLAG_RECURSION` (Tobias Stoeckmann)
- #3761 Regression in g_printf() - can no longer output formatted values
containing NUL bytes (Luca Bacci)
- #3766 Update sl.po (Slovenian) (Martin)
- !4714 gmain: Reformat docs to fully use gi-docgen and match style guide
- !4720 Disable GMemoryMonitorPsi on Solaris
- !4727 garray: Improve and migrate documentation to gi-docgen
- !4735 build: Fix stp files for development versions
- !4736 systemtap: Use correct formatters/types
- !4738 docs: Add Thomas Haller as a co-maintainer of GObject
- !4739 Annotate ref/unref functions as transfer full
- !4740 gstrfuncs: Check parameter validity
- !4742 garray: Fix g_array_binary_search description
- !4743 Update Russian translation
- !4744 tests/gio: skip Unix socket-mock tests on Windows
- !4747 tests/printf: Use proper compare helper for unsigned types
- !4748 gconstructor: Add attribute used for TLS callback pointer
* Translation updates:
- Russian (jtux270)
- Slovenian (Martin)
2.85.3
* Fix encoding of output from `g_print()` and `g_printerr()` when locale is set
to `.utf8` on Windows (#3341, work by Luca Bacci)
* Bugs fixed:
- #3341 `g_print` and `g_printerr` will cause encoding errors on Windows when
locale is set to `.utf8` (Luca Bacci)
- #3739 Crash in accept_ready() of GThreadedSocketService Under High Load
(Philip Withnall)
- #3740 Documentation of g_win32_error_message does not contain information
about the behaviour when FormatMessageW failed (Philip Withnall)
- #3755 AIX: Unwanted symbol needs to be removed for AIX platform: getpwnam_r,
getpwuid_r (Parth Patel)
- !4706 gthreadpool: Clean up when g_thread_pool_new fails
- !4707 tests: Skip slow mainloop test on valgrind
- !4708 gfilenamecompleter: Fix g_object_unref() of undefined value
- !4709 tests: Connect to GMemoryMonitor signals earlier
- !4712 tests/thread-pool: Add a thread-pool fail test
- !4713 Fix test error for GMemoryMonitor
- !4715 gdbuserror: Reformat docs to fully use gi-docgen and match style guide
- !4722 tests: Add missing unistd.h header to thread-pool test
- !4723 tests: Add a missing poll condition to socket-listener test
- !4724 garray: Pass errors through GByteArray functions
- !4725 garray: Add checks to g_ptr_array_extend_and_steal
- !4726 Add a basic GFilenameCompleter test
- !4728 gbitlock: Fix documentation issues
- !4729 [RFC] Tests: do not set a timeout in Python tests
- !4730 gstrfuncs: Always treat G_MININT64 in g_ascii_strtoll
- !4731 glocalfile: Disable faccessat()-based query_exists on OpenBSD
- !4733 gvalue: Reformat docs to fully use gi-docgen and match style guide
- !4734 gspawn: Improve docstring for g_spawn_async()
2.85.2
* New Linux PSI based backend for `GMemoryMonitor` as an option to use instead
of the existing Low Memory Monitor daemon backend (!4481, work by Kate Hsuan)
* Bugs fixed:
- #1443 Deadlock between g_module_open() and dlopen() when called from a
constructor
- #2848 Doc: clarification request regarding g_match_info_fetch_pos return
value (Mark Lautman)
- #3712 Crash in g_thread_pool_new_full
- #3713 call g_file_enumerator_close in g_file_enumerator_finalize is not safe
(fbrouille)
- #3716 (CVE-2025-7039) (#YWH-PGM9867-104) Buffer Under-read on GLib through
glib/gfileutils.c via get_tmp_file() (Michael Catanzaro)
- #3721 GFile leak in g_local_file_set_display_name during error handling
(Philip Withnall, Michael Catanzaro)
- #3725 Deadlock on source_destroy_lock inside g_main_context_unref() and
g_source_destroy() (with child sources) (Matthew Waters)
- #3726 GApplication sometimes fails to call before_emit (Matthias Clasen)
- !4481 gio: gmemorymonitorpsi: Replace GMemoryMonitor backend with kernel PSI
event
- !4665 gio: enums: Fix GBusNameOwnerFlags's annotation
- !4667 Incorrect output parameter handling in closure helper of
g_settings_bind_with_mapping_closures
- !4669 Add missing `(array zero-terminated=1)` annotations
- !4676 Fix IPv6 scope-id from DNS responses being lost
- !4680 gbacktrace: Correctly wait for children on Unix
- !4681 (CVE-2025-6052) gstring: Improve
g_string_expand/g_string_append_len_inline checks
- !4682 gio-tool-launch: fix %k field code expansion
- !4683 gio-tool-launch: Fix mismatched curly quotes in translatable strings
- !4684 garray: Support unallocated zero terminated arrays
- !4685 garray: Use g_array_elt_len/pos where appropriate
- !4687 gstring: Fix g_string_append_vprintf overflow
- !4690 garray: Fix out of boundary write in g_ptr_array_copy
- !4692 tests: Fix a minor leak in array-test
- !4693 tests: Loosen string comparison assertion in gio-tool.py
- !4694 tests: Do not always skip array overflow checks
- !4695 garray: Add more element_size > 0 checks
- !4698 garray: Avoid exponential growth in g_array_copy
- !4699 garray: Set capacity in terminated take functions
- !4700 gfileutils: Fix OOB read in g_build_path(name)_va
- !4701 gbacktrace: Fix OOB write in stack_trace
- !4702 gio/filenamecompleter: Fix leaks
- !4703 application: NULL check for options
- !4704 tests: Add a regression test for GApplication command line handling
2.85.1
* Re-add the option of a singleton to `GIRepository` (#3664, work by
Christian Hergert)
* Add support for the `e` flag (O_CLOEXEC) to `g_fopen()` (!4564, work by
Luca Bacci and Philip Withnall)
* Make the `sysprof` Meson option yield when using GLib as a subproject (!4659,
work by Matthias Clasen)
* Use the Meson built-in `localedir` option (!4661, work by
Kleis Auke Wolthuizen)
* Bugs fixed:
- #1665 g_file_trash() should return PERMISSION_DENIED if files can't be
deleted (Ignacy Kuchciński)
- #3664 Lack of g_irepository_get_default() equivalent makes cross-library
integration extremely difficult (Christian Hergert)
- #3698 Misleading autogenerated hints in the documentation of
g_async_queue_pop() (Alicia Boya García)
- !4560 glib/gnulib/printf.c: Sync with gnulib
- !4564 gstdio: Add support for the `e` flag (O_CLOEXEC) to g_fopen()
- !4637 Rework Windows implementation of g_getenv()
- !4641 [th/gobj-drop-bit-lock] gobject: drop object_bit_lock() functions
- !4642 [th/gobj-empty-notify-queue] gobject: optimize notify-queue handling
for a single freeze
- !4643 GRegex: apply monospace typeface in description
- !4644 gio: add annotations on parameters of 'g_file_monitor_emit_event' and
of 'g_vfs_get_file_for_path'
- !4645 gregex: Clarify docs for end_pos
- !4646 GRegex: update class description
- !4649 GAsyncQueue: assert non-null data in push_sorted()
- !4650 tests: Add atomics to asyncqueue test global variables
- !4651 Meson: Add libglib_static dependency for use in tests
- !4652 gobject: clarify in documentation that g_value_set_boxed copies
- !4654 Fix buffer overflow in string-test
- !4655 gstring: Fix overflow check when expanding the string
- !4657 docs: Stop hiding the Unix-like APIs which are in Gio-2.0.gir
- !4658 gmarkup: make documentation more discoverable
- !4659 Make the sysprof feature yield
- !4661 meson: Use the appropriate localedir option
2.85.0
* Preserve mode for existing file when creating a temporary file for atomic
updates with g_file_set_contents() (dconf#76, work by Wesley Hershberger)
* Fix race conditions between g_main_context_unref() and g_source_*() methods
(#803, work by Matthew Waters)
* Allow file handles inside nested containers when using the `gdbus call`
command (#3624, work by Julian Sparber)
* Fix DNS resolution of local addresses in offline mode (#3641, work by
Patrick Griffis)
* Various performance improvements to GObject locking (various MRs by
Thomas Haller)
* Prefer matches occurring earlier in the string when searching
`GDesktopAppInfo`s, improving search for apps in gnome-shell (!4369, work by
Fina Wilke)
* Fix thread safety of `GClosure` flags (!4575, !4577, work by Sam James and
Philip Withnall)
* Bugs fixed:
- GNOME/dconf#76 dconf update can set incorrect permissions to dconf system db
(Wesley Hershberger)
- #490 Not clearly documented behavior of g_key_file_set_comment function.
(marklkram)
- #803 g_main_context_unref() versus g_source_*() race (Matthew Waters)
- #1002 GObject doesn't support removing a weak reference in a GWeakNotify for
the same object
- #1250 gsocketlistener: Fix IPv4 listen() error-handling resulting in use-
after-free
- #2377 Document that `g_socket_address_get_native_size()` can return `-1` on
errors
- #2544 Consider `g_log_always_fatal` for aborting in
`g_log_structured_array()` (sid)
- #3405 Enable -Wconversion warnings by default (progress towards this, but it
is not complete)
- #3616 docs: Broken link in GioActionEntry (Philip Withnall)
- #3617 Add generalised version of g_date_get_monday_week_of_year() (Philip
Withnall)
- #3624 `gdbus call` should look for file handles inside nested containers
(Julian Sparber)
- #3630 2.84.0 build failure on Linux: ../gio/gnetworkmonitornetlink.c:47:10:
fatal error: netlink/netlink_route.h: No such file or directory (Philip
Withnall)
- #3634 test failure with gobject-introspection 1.83.4: warning: element
doc:format from state 3 is unknown, ignoring (Philip Withnall)
- #3636 gio/trash does not handle special characters well
- #3641 GResolver: Local DNS resolution failure in offline mode (Patrick
Griffis)
- #3642 `g_cancellable_connect()` documentation incorrect (Marco Trevisan
(Treviño))
- #3643 g_cancellable_connect(): is it safe to unref cancellable from
callback? (Marco Trevisan (Treviño))
- #3649 Crash with some registry key values in GWin32AppInfo (Philip Withnall)
- #3656 Set SYSLOG_IDENTIFIER when logging to journald (Axel Karjalainen)
- #3657 girepository: Wrong typelib path on Windows
- #3663 Cannot use GZlibCompressor in GTK testsuite (Benjamin Otte)
- #3684 UAF in GSignalGroup weak notify callbacks (Thomas Haller)
- #3686 docs.gtk.org doesn't mention that GSourceFuncs.finalize may be NULL
(BZZZZ)
- #3693 Random failures in debian-i386-stable
- !4185 [th/gobject-no-object-locks-pt1-notify] use
`g_datalist_id_update_atomic()` instead of OPTIONAL_BIT_LOCK_NOTIFY
- !4247 mappedfile: Avoid some allocations
- !4369 gdesktopappinfo: Prefer matches that occur earlier in the match string
- !4387 Fix various -Wshorten-64-to-32 warnings
- !4484 Memory sanitizer fixes
- !4489 gobject: Be consistent in using atomic logic to handle the
GParamSpecPool
- !4520 [th/gdataset-cleanup] minor cleanups of gdataset
- !4536 [th/gobj-closure-array-atomic] use g_datalist_id_update_atomic() for
array of closure watches
- !4541 gsettings: Port docs to gi-docgen format, add missing annotations and
make various improvements
- !4544 tests: Don't install runner scripts without installed_tests
- !4545 Update French translation
- !4547 Update Catalan translation
- !4548 Update Turkish translation
- !4551 Updated Danish translation
- !4552 Update Persian translation
- !4553 docs: Document GSignalFlags members added after 2.0
- !4554 Update Indonesian translation
- !4555 tests: Add a test for g_object_freeze_notify() being called too often
- !4557 gfileinfo: Slightly expand docs for
g_file_info_get_attribute_as_string()
- !4558 gi: Dynamically set doc-format
- !4561 tests: Various fixes to create temporary files in /tmp rather than the
build directory
- !4562 gdbusnameowning: Convert docs to gi-docgen linking syntax
- !4563 giounix-private: Fix macro for checking for epoll_create1()
- !4565 Fix LGPL in header
- !4567 gutils: make documentation of g_set_prgname() clearer
- !4568 docs: Add some detail
- !4569 Update Romanian translation
- !4570 gspawn-win32: Fix potential integer overflows in argv handling
- !4571 gvarianttype: Improve docs on type validation
- !4575 gclosure: fix ATOMIC_CHANGE_FIELD to read vint atomically
- !4577 gclosure: Allow full set of closure flags to be queried atomically
- !4578 [th/bit-lock-and-set] bitlock: add g_bit_lock_and_get() and
g_bit_unlock_and_set() API
- !4579 tests: Add missing unistd.h include to scannerapi.c
- !4581 [th/gobj-no-weak-ref-lock] drop OPTIONAL_BIT_LOCK_WEAK_REFS object
lock for `g_object_weak_{ref,unref}()`
- !4583 thread: fix Linux detection
- !4585 gfile: Expand documentation around file info for inaccessible files
- !4586 [th/gobj-doc-weakref] clear #GWeakRef earlier in
g_object_run_dispose() and reword docs about #GWeakRef
- !4588 gstring: carefully handle gssize parameters
- !4590 Various -Wsign-conversion warning fixes
- !4591 gthreadedresolver: fix crash in loopback interface check
- !4592 gstring: Make len_unsigned unsigned
- !4594 Enable -Wsign-conversion for girepository, gthread, gmodule
- !4596 docs: Mention how to run the test suite in CONTRIBUTING.md
- !4598 gtlsconnection: Fix annotation
- !4599 Mark pointer as (type gpointer)
- !4601 garray: Fix annotations
- !4602 docs: fix typo glong: ULONG_MAX -> LONG_MAX
- !4603 Fix GNetworkMonitorNetlink operation under a FreeBSD jail with shared
network stack
- !4604 cocoa: add support for GBytesIcon in notification backend
- !4605 gparamspecs: Use standard min/max constants rather than literals
- !4606 gobject, girepository: Fix several -Wsign-conversion warnings on macOS
- !4609 Update Portuguese translation
- !4610 Update Ukrainian translation
- !4613 Update macOS job for new CI runner
- !4615 shell: Handle empty comment gracefully
- !4619 gslist: Improve documentation for append / prepend / insert methods
- !4620 glocalfile: Disable faccessat()-based query_exists on Android
- !4621 gallocator: mark as deprecated
- !4627 [th/gsignalgroup-dispose] gsignalgroup: make GSignalGroup.dispose() a
bit more reentrant
- !4628 [th/gdataset-fix-zero-key] fix and cleanup related to using a zero
GQuark for keys in GData
- !4631 Update German translation
- !4632 win32: Only print one OS version
- !4633 gzlibcompressor: Convert docs to gi-docgen linking syntax
- !4638 docs: Fix formatting of definition lists
* Translation updates:
- Catalan (Jordi Mas)
- Danish (Ask Hjorth Larsen)
- French (Vincent Chatelain)
- German (Philipp Kiemle)
- Indonesian (Andika Triwidada)
- Persian (Danial Behzadi)
- Portuguese (Hugo Carvalho)
- Romanian (Antonio Marin)
- Turkish (Sabri Ünal)
- Ukrainian (Yuri Chornoivan)
2.84.1
* Fix test failure when building against gobject-introspection ≥1.83.4 (#3634,
work by Philip Withnall)
* Bugs fixed:
- #3630 2.84.0 build failure on Linux: ../gio/gnetworkmonitornetlink.c:47:10:
fatal error: netlink/netlink_route.h: No such file or directory (Philip
Withnall)
- #3634 test failure with gobject-introspection 1.83.4: warning: element
doc:format from state 3 is unknown, ignoring (Philip Withnall)
- #3636 gio/trash does not handle special characters well
- #3642 `g_cancellable_connect()` documentation incorrect (Marco Trevisan
(Treviño))
- #3643 g_cancellable_connect(): is it safe to unref cancellable from
callback? (Marco Trevisan (Treviño))
- #3649 Crash with some registry key values in GWin32AppInfo (Philip Withnall)
- !4484 Memory sanitizer fixes
- !4489 gobject: Be consistent in using atomic logic to handle the
GParamSpecPool
- !4541 gsettings: Port docs to gi-docgen format, add missing annotations and
make various improvements
- !4544 tests: Don't install runner scripts without installed_tests
- !4545 Update French translation
- !4547 Update Catalan translation
- !4548 Update Turkish translation
- !4551 Updated Danish translation
- !4552 Update Persian translation
- !4553 docs: Document GSignalFlags members added after 2.0
- !4554 Update Indonesian translation
- !4555 tests: Add a test for g_object_freeze_notify() being called too often
- !4557 gfileinfo: Slightly expand docs for
g_file_info_get_attribute_as_string()
- !4558 gi: Dynamically set doc-format
- !4561 tests: Various fixes to create temporary files in /tmp rather than the
build directory
- !4562 gdbusnameowning: Convert docs to gi-docgen linking syntax
- !4563 giounix-private: Fix macro for checking for epoll_create1()
- !4565 Fix LGPL in header
- !4567 gutils: make documentation of g_set_prgname() clearer
- !4568 docs: Add some detail
- !4569 Update Romanian translation
- !4570 gspawn-win32: Fix potential integer overflows in argv handling
- !4571 gvarianttype: Improve docs on type validation
* Translation updates:
- Catalan (Jordi Mas)
- Danish (Ask Hjorth Larsen)
- French (Vincent Chatelain)
- Indonesian (Andika Triwidada)
- Persian (Danial Behzadi)
- Romanian (Antonio Marin)
- Turkish (Sabri Ünal)
2.84.0
* Bugs fixed:
- #3590 Update Slovenian (sl) translation in glib
- !4539 Update Korean translation
- !4540 tests: Minor fixes to reference and stream-rw_all tests
- !4542 gdebugcontrollerdbus: Fix a minor typo in a code example in the docs
- !4543 Update Hungarian translation
* Translation updates:
- Hungarian (Balázs Úr)
- Korean (Changwoo Ryu)
- Slovenian (Martin)
2.83.5
* A few improvements for when GLib is used as a subproject (#3625, #3626, work
by Simon McVittie)
* Fix out-of-order parameters in a marshaller generated by `gdbus-codegen`
(!4524, work by Ryan Gonzalez)
* Bugs fixed:
- #3272 gutils-user-database test crashes in CI with G_DISABLE_ASSERT and -m
thorough (Philip Withnall)
- #3424 Update the release instructions (Philip Withnall)
- #3615 Use of timeout in GApplication example code (Reuben Thomas)
- #3625 when GLib is a subproject, check-missing-install-tag.py asserts that
the parent project has install tags (Simon McVittie)
- #3626 when GLib is a subproject and pcre2 is a subproject, pcre2's tests are
run (Simon McVittie)
- !4507 [th/gdataset-misc] minor improvements in gdataset.c (around
g_datalist_id_remove_multiple())
- !4508 [th/datalist-update-atomic-no-keyid] gdataset: drop "key_id" argument
from GDataListUpdateAtomicFunc
- !4509 tests: Search the appropriate directories for our GIR XML inputs
- !4510 doc: Simplify instructions for testing with Automake
- !4511 Update Georgian translation
- !4512 Update Czech translation
- !4513 [th/gobject-inline-private-call] gobject: avoid GLIB_PRIVATE_CALL()
for g_datalist_id_update_atomic
- !4514 Update Ukrainian translation
- !4515 doc: point to iconv(3) and iconv(3posix) for more details about iconv
- !4516 Update Bulgarian translation
- !4517 Update file fa.po
- !4518 Update Chinese translation
- !4521 docs: Fix man page link for xattrs
- !4522 Meson: Disable lint+no-valgrind tests when tests option is set to
false
- !4523 [th/gobj-performance-fixes] improvements and fixes for gobject's
`performance.c` benchmark
- !4524 gdbus-codegen: Fix callback GUnixFDList parameter order
- !4526 [th/gobj-performance-2] more improvements to GObject's `performance.c`
and add test "property-set-signaled"
- !4527 Updated Lithuanian translation
- !4529 Update Portuguese translation
- !4531 Update Swedish translation
- !4535 Update Galician translations
* Translation updates:
- Bulgarian (Alexander Shopov)
- Chinese (China) (lumingzh)
- Czech (AsciiWolf)
- Galician (Fran Diéguez)
- Georgian (NorwayFun)
- Lithuanian (Aurimas Černius)
- Persian (Danial Behzadi)
- Portuguese (Hugo Carvalho)
- Swedish (Anders Jonsson)
- Ukrainian (Yuri Chornoivan)
2.83.4
* Fix Python shebang paths so they work on Windows again (#3331, work by
Dan Yeaw and others)
* Fix refcounting semantics of `g_dbus_connection_register_object_with_closures()`
by adding a replacement API (#3560, work by Philip Withnall)
* Support static vfuncs in GIRepository (!4457, work by Philip Chimento)
* Add support for QNX8.0 (!4466, work by Felix Xing)
* Add a soft dependency on C11 — if your toolchain doesn’t support C11, you have
six months to tell us before this becomes a hard dependency (!4473)
* Port from `net.hadess.PowerProfiles` to `org.freedesktop.UPower.PowerProfiles`
for `GPowerProfileMonitorDBus` (!4478, work by Marco Trevisan)
* Bugs fixed:
- #3331 Windows build broken because of Python paths (Dan Yeaw)
- #3448 Use after free in GCancellableSource test (Marco Trevisan (Treviño))
- #3560 Fix refcounting semantics of
g_dbus_connection_register_object_with_closures() (Philip Withnall)
- #3578 gkeyfile: Honor C in $LANGUAGE as gettext does (Gaël Bonithon)
- #3587 g_app_info_launch crashes on macos (Andre Miranda)
- #3592 GDBusConnection does not handle serial number overflow (Philip
Withnall)
- #3595 Toolchain documentation should mention that GLib assumes functions can
be called through wrongly-typed function pointers (Demi Obenour)
- #3612 cancellable unit test crashes in /cancellable-source/threaded-dispose
(Marco Trevisan (Treviño))
- #3613 Potentially revert g_win32_com_clear() due to pulling in windows.h
- !3255 Drop TypeNode reference counting
- !4046 Add G_OPTION_FLAG_DEPRECATED
- !4457 Support static vfuncs in GIRepository
- !4461 docs: Update the release documentation for the new release workflow
- !4464 gosxappinfo: Fix leak
- !4466 Add support for QNX8.0
- !4468 Registry backend fixes
- !4471 glib.supp: Ignore once-per-thread leak from SysprofCollector
- !4472 gkeyfile: Convert docs to gi-docgen linking syntax
- !4473 build: Add a soft dependency on C11
- !4475 docs: Fix invalid references and broken links
- !4476 tests: Cleanup python tests and add tests for gi-compile-repository
and gi-inspect-typelib
- !4477 gcancellable: remove sketchy source ref/unref
- !4478 gio/powerprofilemonitordbus: Use newer D-Bus API
- !4479 docs: Make docs more markdown-ish
- !4483 tests: Fix a memory leak if a callable-info test is skipped
- !4486 meson: Fix typo in comment about python shebang
- !4487 gio/gfilemonitor: Use atomic API to get / store cancelled state
- !4488 gmain: Use atomic logic to handle internal GSource flags
- !4490 gio/subprocess: Lock while writing on shared pid and status values
- !4491 Update Brazilian Portuguese translation
- !4492 gfilemonitor: Various cleanups and minor fixes to property handling
- !4493 gdbus: Add g_clear_dbus_signal_subscription() inline convenience
function
- !4494 gio/subprocess: Initialize pid variable to 0
- !4495 gio/gvolumemonitor: Suggest disconnecting signals
- !4496 Update Polish translation for GNOME 48
- !4497 tests: Fix a minor leak in a new GSubprocess test
- !4498 gdatetime: Fix integer overflow when parsing very long ISO8601 inputs
* Translation updates:
- Polish (Piotr Drąg)
- Portuguese (Brazil) (Rafael Fontenelle)
2.83.3
* Fix build-time paths appearing in generated `Gio-2.0.gir` and
`GioUnix-2.0.gir` files (#3564, work by Simon McVittie)
* Fix crash on macOS when opening links (#3568, work by John Ralls)
* Bugs fixed:
- #3558 Recent `(inout)` changes caused unintended side-effects with
`GWeakRef` (Michael Catanzaro)
- #3561 Missing nullable annotation on parameter user_data and on the return
value of GVfsFileLookupFunc callback (fbrouille)
- #3562 GBytes semantics of handling empty strings are inconsistent and
confusing (Philip Withnall)
- #3563 Bad anchor link in g_signal_connect() documentation
- #3564 build-time paths to gio/gunixmounts.h, etc. end up in Gio-2.0.gir,
GioUnix-2.0.gir (Simon McVittie)
- #3568 Links crash application on MacOS due to lack of machine-id file (John
Ralls)
- #3569 Requirement of GUnixMountMonitor for a Valid Timestamp from
unix_mount_at is not Sufficiently Documented (Philip Withnall)
- #3582 gmacros: _G_BOOLEAN_EXPR_IMPL is incompatible with c++ functions
marked constexpr
- !3885 [th/gdataset-index] add a lookup index (GHashTable) to `GData`
- !4392 GWin32: Add g_win32_com_clear()
- !4436 docs: Add --generate-md to the gdbus-codegen documentation
- !4437 docs: Fix some backslash escaping issues in doc comments
- !4440 gio, gobject: Improve reproducibility of enumtypes headers
- !4441 gstrfuncs: Drop a redundant paragraph
- !4442 Don't define test setups unless we're testing
- !4443 build: Make the introspection feature yield
- !4444 Fix pointer-to-paramref syntax in docs
- !4446 gio: Fix a link to a specifications document
- !4449 Add several assertions to help static analysis and fix some GIR
annotations
- !4450 Fix GCC version detection for GUINT*_SWAP_LE_BE
- !4454 gioenums: Add deprecation for FLAGS_NONE
- !4455 docs: Use gi-docgen syntax in main-loop.md
- !4458 docs: Document more extension points
- !4460 docs: Clarify that g_array_unref() works like g_ptr_array_unref().
2.83.2
* This release has the same code as 2.83.1, but contains a fix for release
archive generation which means that 2.83.1 does not have a release archive
* Bugs fixed:
- !4433 ci: Enable -Dintrospection for dist builds
2.83.1
* Bugs fixed:
- #1251 gio/tests/contenttype fails on OS X: "public.directory" !=
"public.folder"
- #3441 Bump minimum supported version of macOS (John Ralls)
- #3493 Heap buffer overflow read in utf8_verify_ascii() (Philip Withnall)
- #3511 Build failure “'ifunc' is not supported on this target” with muslc
(Philip Withnall)
- #3517 Silent linked-list corruption in g_static_resource_init() on redundant
calls
- #3524 Wrong parameter type for g_enum_register_static in GObject-2.0.gir
(Jan-Willem Harmannij)
- #3526 Segfault in statically linked binary during initialization of ifuncs
since 2.83.0 (Philip Withnall)
- #3532 g_converter_output_stream_write() can return 0 (Benjamin Otte)
- #3540 g_signal_connect on "notify::non-existant-property" doesn't warn for
invalid property (Sid)
- #3545 Modernize the default value for g_thread_pool_set_max_unused_threads
(Matthias Clasen)
- #3546 Make the thread name available (Matthias Clasen)
- #3548 Fix g_settings_schema_has_key() to work with extended schemas
- #3552 Missing nullable annotation for `log_domain` in `GLogFunc` callback
(Roberto Leinardi)
- #3559 2.82.3 regression: lollypop crashes on startup (Philip Withnall)
- !4232 refstring: Fix race between releasing and re-acquiring an interned
GRefString
- !4382 girepository: gi_object_info_find_signal(): Avoid repeated allocations
- !4384 test utils: Make nonfatal assertions an option
- !4385 gutf8: Skip ASan instrumentation for load_word
- !4389 macos: Add extra content type tests
- !4393 Replace procfs linuxism with kinfo freebsdism
- !4395 appmonitor: Fix warning building test
- !4396 tests: Factor out a function to convert FD to path
- !4398 grefstring: Mark a variable as potentially unused
- !4399 meson: Add variables to -uninstalled.pc files
- !4401 testutils: Documentation improvements
- !4403 Revert "CI: Rebuild a slightly newer version of ninja for debian-
stable-i386"
- !4406 glib/gbytes: Be more careful when saving a GBytes of NULL
- !4407 guri: Fix paths starting with ‘//’ when parsing
- !4410 threadpool: Simplify pool thread naming
- !4411 gdbusconnection: Allow creating connection with cross-namespace
- !4412 gmessages: Treat DEBUG_INVOCATION=1 same as G_MESSAGES_DEBUG=all
- !4413 gunicode: Update some comments in gunicode.h for Unicode 16.0.0
- !4414 gdbus: Add a few missing `(nullable)` annotations to GDBus method
invocation related functions
- !4415 gdbus: Fix leak of method invocation when registering an object with
closures
- !4421 gparam: Add link to constructed vfunc to CONSTRUCT
- !4422 docs: Fix dead link in CONTRIBUTING
- !4423 gio-tool: Clarify that `gio mount -l` only lists user-interesting
things
- !4424 ci: Ensure all variables are quoted in .gitlab-ci.yml
- !4425 tests: Skip unsupported dbus-appinfo test on GNU/Hurd for the moment
- !4428 girepository: Expose gi-compile-repository and gi-* tools in pkg-
config
- !4429 gdbus: Add nullable annotations for fd list outs
- !4432 ci: Add release component to automate tarball publishing
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 13:22:16 +0000 (15:22 +0200)]
protobuf: Update to version 32.1
- Update from version 30.2 to 32.1
- Update of rootfile
- Changelog
32.1
Compiler
Ship all option dependencies to plugins along with regular ones. (34d6c85)
Unify plugin and built-in generators to use request/response interface
(b98f6ee)
Disable symbol visibility enforcement by default in C++ runtime (aad0daa)
C++
Disable symbol visibility enforcement by default in C++ runtime (aad0daa)
Java
Fix handling of optional dependencies in java generator. (892e0d5)
Restore Protobuf Java extension modifiers in gencode that were previously
removed in 7bff169 (4a18be6)
Restore ABI compatibility for extension methods which was previously
(knowingly) broken with 4.x: 94a2a44 (501f4a5)
Cherrypick test improvements (d365736)
Fix handling of optional dependencies in java generator. (9325480)
Ship all option dependencies to plugins along with regular ones. (34d6c85)
Unify plugin and built-in generators to use request/response interface
(b98f6ee)
Csharp
Regenerate stale files (299774c)
PHP
Fix: remove provide from composer.json (bc5f303)
32.0
Bazel
Migrates some Java test protos using java_features.proto to edition 2024
(6f4a990)
Add generated message reflection unittest for import option and
option_deps test proto in edition 2024. (c51df73)
Replace the usage of cc_info.debug_context with _debug_context (776c5f2)
Generate .pyi files in py_proto_library (#10366) (#21567) (e3e56c7)
Introduce denylisted_protos as a preferred replacement for
blacklisted_protos attribute. (795ab9d)
Use native.proto_library for Bazel 7 and explicitly error for Bazel 6
which is incompatible and out of support. (da0077e)
Require ProtoInfo provider instead of proto_library rule for bazel
cc_proto_library deps. (639f1c9)
Compiler
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Deprecate google.protobuf.Method.syntax and google.protobuf.Method.edition
(9ec241e)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Ban import weak and weak field option in edition 2024 in protoc (parser
and c++ runtime). (a2a0511)
C++
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Add generated message reflection unittest for import option and
option_deps test proto in edition 2024. (c51df73)
Remove the flag requirement for Bazel+MSVC users. (c6ba697)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Cast GetCachedTID() to unsigned to prevent left-shifting a negative
number. (3e935cf)
Update comment at the top of message.h and message_lite.h to document that
it should only be extended by gencode and not user code. (6a6ba52)
Treat warnings encountered in chromium builds as errors. (21c3c53)
Ban import weak and weak field option in edition 2024 in protoc (parser
and c++ runtime). (a2a0511)
Java
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Remove CollectExtensions check banning unknown custom options since
unknown custom options are now expected when using import option and
option_deps which exclude the options from the "builder" pool
(aka "import" pool). (694eedd)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Migrates some Java test protos using java_features.proto to edition 2024
(6f4a990)
Restore compatibility of runtime with pre-3.22.x gencode impacted by
CVE-2022-3171 (adf556f)
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Restore the long-deprecated static functions on TextFormat. (5777d3b)
Add Kotlin class name helpers to names.h (527b2ab)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Update Java gencode base class documentation to clarify that it is not
supported to extend them. (c3177fb)
Add a FieldMaskUtil#trim overload that accepts TrimOptions and allows
retaining unset primitive field state. (84c5b63)
Csharp
Update staleness (0014173)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Include also ARM build of protoc in nuget package (#21568) (c2b4040)
Improve C# handling of Any JSON serialization/deserialization (dc4e429)
Objective-C
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Rust
Rust: remove DEP_UPB_VERSION check in codegen crate (#22764) (6f6012a)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Update Rust generator to output minidescriptors instead of C minitables
(1b4b5fc)
Add [clear_and_]parse_dont_enforce_required() to Rust protobuf. (e2fd7a0)
Add #[non_exhaustive] on the oneof-case enum (aba2075)
Impl Clone for RepeatedIter (aca1ed5)
See also UPB changes below, which may affect Rust.
Python
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Raise warnings for float_precision from python json_format. (#23042)
(1a7e012)
Raise warnings when assign bool to int/enum (#23030) (0b25f7b)
Update python edition default maximum edition to 2024 (#22889) (72abf95)
Make protobuf codebase compatible with
--incompatible_config_setting_private_default_visibility (#22745)
(5e2838e)
Add Python deprecation warnings for Descriptor Label. (64a76e6)
Updating setuptools to patch CVE-2025-47273 (#22094) (508aba1)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Extend gencode compatibility support back to 3.20.0 (1af7fd4)
Change proto_api work with custom pool for upb and pure python. (49d9e2d)
Python pyi print "import datetime" for Duration/Timestamp field (f59b84a)
Add reference leak check to Python well_known_types_test. Fix two refleak
bugs. (e5f9ab4)
Add reference leak check to Python timestamp_test and duration_test. Fix a
refleak bug when assign datetime/duration to Timestamp/Duration (e004c8b)
Add recursion depth limits to pure python (17838be)
Remove calls to Label within Protobuf Python. (f69180a)
Change Python .pyi stubs to generated _Optional[] for bool fields same
with (6972464)
Remove internal/api_implementation.Version() (cbad456)
Fix python proto_api to work with messages that required fields are not
set. (f63ed55)
Fix python upb crashes on map/repeated reference stub destructor (4274909)
Mark Py JSON float_precision deprecated. (727a8ed)
PHP
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Fix(php): use count instead of ->count() to avoid bug in c-extension
(9fbce62)
[php][compiler][ext] - Add missing has* methods and other well known types
(#20636) (01a7429)
Fix PHP 8.4 deprecation in GPBDecodeException (#21232) (676666e)
PHP C-Extension
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Change 'getLabel is deprecated' to E_USER_DEPRECATED (158d8ac)
[php][compiler][ext] - Add missing has* methods and other well known types
(#20636) (01a7429)
See also UPB changes below, which may affect PHP C-Extension.
Ruby
Make protobuf codebase compatible with
--incompatible_config_setting_private_default_visibility (#22745)
(5e2838e)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Fix silent failure of rb_test rules to run test (#21733) (4f74764)
Ruby C-Extension
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Removed wrap_memcpy.c compatibility shim for pre-2.14 glibc (4ba9733)
See also UPB changes below, which may affect Ruby C-Extension.
UPB (Python/PHP/Ruby C-Extension)
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Make protobuf codebase compatible with
--incompatible_config_setting_private_default_visibility (#22745)
(5e2838e)
Add upb_Message_SetExtensionMessage as a helper for setting a extension
field that is a message. This is the extension equivalent of
upb_Message_SetBaseFieldMessage. (f15d28a)
Other
Update github major version tags to be formatted v..- for clarity (e001d57)
Upgrade Abseil dependency to 20250512.1 (ee68ed1)
Patch rules_ruby to apply neverlink = True to the jars rule (#21416)
(88e11bd)
31.1
Compiler
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
C++
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
Java
Add missing copts attribute (#21982) (bec5b5a)
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
Python
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
Python pyi print "import datetime" for Duration/Timestamp field (#21885)
(0fe099a)
Add recursion depth limits to pure python (a3921fb)
Other
Fix cmake staleness test (96a9ef6)
31.0
Bazel
Loosen py_proto_library check to be on the import path instead of full
directory (i.e. excluding external/module-name prefix). (a4be867)
Compiler
Add support for import option for protoc. (9901db6)
Add notices.h with information about our dependencies' licenses and add
--notices flag to protoc to print the contents of that file. (7a26486)
Move upb minitable code generator into protoc (dce6b0f)
Upgrade abseil-cpp to 20250127 and use @com_google_absl -> @abseil-cpp and
com_google_googletest -> @googletest canonical BCR names. (ba6b54d)
C++
Remove fast-path check for non-clang compilers in MessageCreator. (aa5410d)
Add missing include. (d390631)
Add weak attribute to GetClassData to speed up clang builds. (d896480)
Add nontemporal software prefetcher to repeated ptr field dtor to improve
performance. (73f3469)
Warn on unused RepeatedPtrField. (683e9d2)
Add notices.h with information about our dependencies' licenses and add
--notices flag to protoc to print the contents of that file. (7a26486)
Fix a bug in handling of implicit-presence string_view fields. (bd70a7c)
Control bounds checks via BUILD flags. (d21e8ef)
Upgrade abseil-cpp to 20250127 and use @com_google_absl -> @abseil-cpp and
com_google_googletest -> @googletest canonical BCR names. (ba6b54d)
Create hardened versions of Get and Mutable for repeated_field. (ffade4a)
Java
Add weak attribute to GetClassData to speed up clang builds. (d896480)
Use ProtobufToStringOutput to control the output format of
AbstractMessage.Builder.toString. (f5cb162)
Implement Protobuf Java Immutable API nest_in_file_class feature for
Edition 2024. (0416c3e)
Introduce a Generated annotation to eventually replace
javax.annotation.Generated (31e57fc)
Add volatile to featuresResolved (9e03ca5)
Fix Java concurrency issue in feature resolution for old <=3.25.x gencode
using lazy feature resolution. (fafb0fd)
Remove Java runtime classes from kotlin release. (079be27)
Split maven dependencies into dev vs local (#20549) (e045fc6)
Improve error messaging when detecting and erroring out on integer
overflow of byte count limit variables. (097fdb8)
Kotlin
Remove Java runtime classes from kotlin release. (079be27)
Csharp
Remove "experimental API" warnings from members in the .NET protobuf
runtime. (afea52f)
Improve performance of repeated packed fixedSize fields (#19667) (85507b9)
Objective-C
[ObjC] Deprecate GPBFieldDescriptor.isOptional. (86ab252)
[ObjC] Raise the library version and enable new generated code. (a639cf8)
Rust
Cherry-pick Rust fix to 31.x (#21617) (01b42bb)
Add upb_Map_GetMutable API to upb (dd5bf5e)
See also UPB changes below, which may affect Rust.
Python
Update GetCurrentTime to use datetime.datetime.now (01b154c)
Make Py JSON float_precision apply to both float and double fields. (5b54ee3)
-Add '+' and '-' annotations for Timestamp and Duration in Python (fff783e)
Bug fix for FieldMask.MergeFrom() with unset fields. (1c87ac3)
Make python text_format able to skip unknown fields for repeated messages
(dcafca2)
Fix segment fault for UPB Python 'in' method of empty repeated extensions
(da04261)
Fix upb to escape DefinitelyNeedsEscape (like " and ') for bytes field
(b234305)
Check with fallback descriptorDB for
FindExtensionByNumber()/FindAllExtensions in UPB python pool. (9fd28d9)
Add clear() method to repeated fields in Python. (0324f39)
Register Scalar/MessageMapContainerTypes as virtual subclasses of (9a0b591)
Fix python codegen crash when C++ features are used. (308aaf4)
Add more detail to the comment for GetMessageClassesForFiles (9befb58)
Add constructing unpack routine to Python Protobuf Any API. (fb78c09)
Implement typing for proto Timestamp/Duration assignments. (0e3326b)
PHP
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Feat(php): improve return typehint when repeatedfield (#11734) (e04fe69)
PHP C-Extension
Automated rollback of commit f9863df. (#21355) (a59988c)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Feat(php): improve return typehint when repeatedfield (#11734) (e04fe69)
See also UPB changes below, which may affect PHP C-Extension.
Ruby
Fix silent failure of rb_test rules to run test (#21733) (0cf5489)
Ruby | Add support for a protobuf debug build (#21060) (59e1f0f)
Ruby | Support installing the gem via git and some other small build
tweaks (#21061) (d3560e7)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
[Ruby]Implement #to_hash for message classes (#20866) (5596f6d)
Drop Ruby 3.0 (5de7c80)
Fixes #18726 by backslash escaping descriptor data containing # if the
hashmark appears immediately before any of $, {, or @. (fffa3da)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Ruby: fix bug in Map.hash (b968d0d)
Ruby C-Extension
Ruby | Add support for a protobuf debug build (#21060) (59e1f0f)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Ruby: fix bug in Map.hash (b968d0d)
See also UPB changes below, which may affect Ruby C-Extension.
UPB (Python/PHP/Ruby C-Extension)
Fixed LTO-only linker error in upb linker arrays. (3434a21)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Add upb_Map_GetMutable API to upb (dd5bf5e)
Fix upb to escape DefinitelyNeedsEscape (like " and ') for bytes field
(b234305)
Upb: delete functions in map_gencode_util. They're unused after the Map
iterator API change. (f398807)
Upb: Update _upb_map_next signature to return a boolean and remove the
_nextmutable Map iterator API. (e4cdf44)
Change upb C generated map iteration function to not hand out MapEntry
pointers. (3a3d697)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Expose the upb_ByteSize function to upb clients. Note that the current
naive implementation is no more efficient than serializing the message
yourself and noting the resulting size. (121fdaa)
Move upb minitable code generator into protoc (dce6b0f)
Tolerate message set extensions encoded as normal delimited submessages
(c63fd56)
Automated rollback of commit 6bde8c4. (8ef81fb)
Fix UPB fast table build. (46f9e29)
Other
Patch rules_ruby to apply neverlink = True to the jars rule (#21416)
(#21505) (664d94a)
Restore JDK8 compatibility in Bazel for libraries with dependencies from
Maven (e.g. //java/util) (e8edc5d)
Protobuf: add //:go_features_proto Bazel alias (f79be3e)
Fixes -lpthread problem when building with android_arm64 config (#20337)
(4f5968a)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:56:31 +0000 (14:56 +0200)]
pango: Update to version 1.57.0
- Update from version 1.56.4 to 1.57.0
- Update of rootfile
- Changelog
1.57.0
Bugs fixed:
- #841 Synthetic small caps does not work with Core Text on Mac (Xavid
Pretzer)
- #864 Possible performance issue under windows (Luca Bacci)
- #866 U+FE0E (text-style selector) ignored when COLRv1 emoji fonts are
present (Matthias Clasen)
Changes:
- !874 Remove conditional code for pre-GLib 2.80 support
- !875 Fix OpenType features set for all petite caps
- !876 Add Cocoa window support for pango-view on macOS
- !877 fc: Update against fontconfig 2.17
- !878 coretext: remove fallback for macOS 10.7 (EOL 2012) and earlier
- !879 meson: Rework introspection handling
- !881 Fix -Wenum-conversion warning with PangoFontColor
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:53:19 +0000 (14:53 +0200)]
nasm: Update to version 3.00
- Update from version 2.16.03 to 3.00
- Update of rootfile not required
- Changelog
3.00
Improve the documentation for building from source (appendix D).
Add support for the APX and AVX10 instruction sets, and various
miscellaneous new instructions.
Add new preprocessor functions: %b2hs(), %chr(), %depend(), %find(),
%findi(), %hs2b(), %null(), %ord(), %pathsearch(), and %realpath().
See section 5.4.
New preprocessor directive %note to insert a note in the list file,
without issuing an external diagnostic. Unlike a comment, it is
optionally macro-expanded, see section 5.11.
New preprocessor directive %iffile (and corresponding function %isfile())
to test for the existence of a file. See section 5.6.12.
New preprocessor directive %ifdirective to test for the existence of a
preprocessor directive, assembly directive, or pseudo-instruction; see
section 5.6.10.
Fix a number of invalid memory references (usually causing crashes) on
various invalid inputs.
Fix multiple bugs in the handling of $-escaped symbols.
The use of $ as a prefix for hexadecimal numbers has been deprecated, and
will now issue a warning. A new directive [DOLLARHEX] can be used to
disable this syntax entirely, see section 8.12.
Fix the generation of segment selector references (mainly used in the obj
output format.)
Fix crash in the obj backend when code was emitted into the default
segment, without any labels having been defined.
Clean up the command-line help text (-h) and break it down into individual
topics, as the previous output was just too verbose to be practical
as a quick reference.
The implicit DEFAULT ABS in 64-bit mode is deprecated and may be changed
to REL in the future. See section 8.2. A warning is now emitted for
this condition.
It is now possible to set the REL/ABS default for memory accesses using
FS: or GS:, see section 8.2.
The __?DEFAULT?__ standard macro now reflects the settings of the DEFAULT
directive. See section 6.4.
The NASM preprocessor now assumes that an unknown directive starting
with %if or %elif is a misspelled or not yet implemented conditional
directive, and tries to match it with a corresponding %endif. See
section 5.6.14.
The masm macro package now defines a macro for x87 register syntax. See
section 7.5.
A new macro package, vtern, to simplify generation of the control
immediates for the VPTERNLOGD and VPTERNLOGQ instructions. See
section 7.6.
A new command line option -LF allows overriding [LIST -] directives.
In the obj output format, allow a segment in the FLAT pseudo-group to also
belong to another (real) group. Used on OS/2.
Add a new build_version directive to the Mach-O backend. See section 9.8.6.
Fix a spec violation in the generation of DWARF debugging information on ELF.
Response files can now be nested.
Many documentation improvements.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:45:08 +0000 (14:45 +0200)]
libxml2: Update to version 2.15.0
- Update from version 2.14.6 to 2.15.0
- Update of rootfile
- Changelog
2.15.0
Major changes
The API documentation is now generated with Doxygen. Building the
documentation requires the new --with-docs configuration option as well
as Doxygen, xsltproc and the DocBook 4 XSLT stylesheets.
The Python bindings are disabled by default now. Building the bindings
also requires Doxygen.
Support for Schematron is now disabled by default.
The parser option XML_PARSE_UNZIP is now required to read compressed data.
HTML serialization and handling of character encodings is more in line
with the HTML5 spec now.
More accessors for xmlParserCtxt were added.
Deprecations
More internal functions and struct members were deprecated.
Removals
The built-in HTTP client and support for LZMA compression were removed.
The custom Windows build system in `win32` was removed in favor of CMake.
Planned removals
The Python bindings and support for Schematron validation are planned to
be removed in the 2.16 release.
The following features are considered for removal:
- Modules API (xmlmodule.h)
- Support for zlib compressed file I/O
RELAX NG support is still in a bad state and a long-term removal
candidate.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:39:32 +0000 (14:39 +0200)]
iproute2: Update to version 6.17.0
- Update from version 6.16.0 to 6.17.0
- Update of rootfile
- Changelog is not provided. Details of changes can be found from the git commit changes
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:35:56 +0000 (14:35 +0200)]
harfbuzz: Update to version 12.1.0
- Update from version 11.4.5 to 12.1.0
- Update of rootfile
- Changelog
12.1.0
- Build fixes with GCC 15 on some 32 bit platforms.
- Fix misaligned pointer use.
- New API, `hb_ot_layout_lookup_collect_glyph_alternates()`, to collect glyph
substitutions from single and alternate substitution lookups in one call,
instead of getting substitutions one by one using
`hb_ot_layout_lookup_get_glyph_alternates()`.
- New API
+hb_ot_layout_lookup_collect_glyph_alternates()
12.0.0
- The major feature of this release is that the Variable Composites /
Components (`VARC` table) addition to the ISO OpenFontFormat has graduated
from experimental, and is now enabled by default. It can be disabled at
compile time by defining the `HB_NO_VAR_COMPOSITES` macro.
`VARC` table is a new way to store glyph outlines, that allows for better
shape reuse, and can reduce font file size for Chinese, Japanese, Korean, and
some other scripts drastically. Some font design tools provide a similar
feature to designers, known as "smart components". This technology brings the
same idea to the compiled font file. For the format specification, see:
https://github.com/harfbuzz/boring-expansion-spec/blob/main/VARC.md
Test fonts can be found at:
https://github.com/notofonts/noto-cjk-varco/releases/tag/v0.003
The Fontra font editor already supports this technology.
Note that this new format involves just the HarfBuzz draw API and does not
affect shaping.
- Correctly handle `markFilteringSet` lookup field during subsetting.
- Deduplicate features during subsetting.
- Disable “more” buffer messages that give more verbose output when using
buffer messages callbacks, as it has a performance overhead. Users/tools that
need the more verbose messages should define `HB_BUFFER_MESSAGE_MORE` to 1
when building HarfBuzz.
- Shaping and instancing optimizations.
- Fix subsetting issues when building with GCC 12.
11.5.1
- Optimized partial-instancing of fonts with a large number of axes. Now over
two times faster.
- Fix C++ STL atomics implementation.
11.5.0
- Update to Unicode 17.0.0.
- Subsetter optimizations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 4 Oct 2025 17:31:06 +0000 (19:31 +0200)]
fetchmail: Update to version 6.5.5
- Update from version 6.5.4 to 6.5.5
- Update of rootfile not required
- Changelog
6.5.5
LICENSING CHANGE OF WOLFSSL:
* Note that wolfSSL 5.8.2 switched license from GPLv2 to GPLv3, so if
a distribution links fetchmail against wolfSSL, this implies the use
of the "or-any-later-version" clause of the GPLv2-or-later licensed material
in fetchmail, and the combined work can also only ship as GPLv3.
This may or may not apply to later versions of wolfSSL - be sure to check!
BUGFIXES:
==-- note that these comprise C23 compatibility fixes (GCC 15) --==
* Support t.operation when the running user is different from the one
mentioned in the $USER variable. Fix courtesy of Corey Halpin.
* The kerberos*_auth() functions for v4 and v5 have prototypes now,
so they can be compiled by the most modern C compilers.
* AC_TYPE_* type-checking macros seem unnecessary, strip them, also from
config.h.meson which would not fill them from build.meson. We expect
the operating system to provide us pid_t, size_t, uint32_t.
* Our res_search() autoconf check was broken on compilers adhering to newer
standards (C23), for instance GCC 15, disabling several DNS-based features
in autotools-based builds, but not meson-based builds.
Strip the bogus "extern int res_search();" declaration without prototype,
we would need to have the prototype from the system either way.
IMPORTANT CHANGE:
* Fetchmail is now more careful to actually clear password and like buffers
in memory, so that it is less likely that other processes could access them
should they happen to access similar memory regions after fetchmail's exit.
Fetchmail now uses memset_explicit(), explicit_bzero(), or its own
explicit_bzero() implementation to clear memory buffers that contain
passwords or like secrets, or their base64 equivalents, and also buffers
that it uses to visualize such strings, instead of just using memset().
The motivating reason is that a plain memset() that does not have
/observable/ effects, i. e. when we do not read from the buffer or
transfer it, can be removed by the compiler's optimizer in the so-called
dead store elimination, voiding our attempt to clear the buffer contents
before releasing it to the heap.
The named alternative functions are not being optimized away.
WORKAROUND:
* IMAP: Recognize SASL_IR advertisement of Cyrus IMAP 3.10.0...3.12.? as
synonymous to SASL-IR per RFC4959. Upstream bug reported at
https://github.com/cyrusimap/cyrus-imapd/issues/5481 - and it was
quickly fixed in all their supported branches by patch releases.
CHANGES:
* Several documentation tweaks.
* As long as SOURCE_DATE_EPOCH is set, the source tarball build may
be reproducible now. Tested on Fedora 42.
* The Japanese translation [ja] has been updated by Takeshi Hamasaki.
* The Makefile should be compatible across a wider set of make implementations,
beyond GNU make.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
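Added example, not part of the commit above and not fetchmail's source: the buffer clearing described in the fetchmail 6.5.5 "IMPORTANT CHANGE" entry, shown with a portable fallback for systems that lack memset_explicit() and explicit_bzero(). All helper names (secure_wipe, send_secret, demo_sink) and the sample password are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Fallback wipe. A plain memset() on a buffer that is never read again is a
 * dead store and may be removed by the optimizer. Stores made through a
 * volatile-qualified pointer are side effects the compiler has to keep.
 */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
#if defined(__GNUC__) || defined(__clang__)
    /* Compiler barrier: keeps later code from being reordered ahead of the wipe. */
    __asm__ __volatile__("" : : "r"(buf) : "memory");
#endif
}

/* Returns 1 when every byte of buf is zero. */
static int all_zero(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    unsigned char acc = 0;
    while (len--)
        acc |= *p++;
    return acc == 0;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encodes n bytes into a fresh heap buffer; *cap receives its size. */
static char *b64_encode(const unsigned char *in, size_t n, size_t *cap)
{
    size_t need = 4 * ((n + 2) / 3) + 1;
    char *out = malloc(need), *o = out;
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < n) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < n) v |= (unsigned)in[i + 2];
        *o++ = B64[(v >> 18) & 63];
        *o++ = B64[(v >> 12) & 63];
        *o++ = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        *o++ = (i + 2 < n) ? B64[v & 63] : '=';
    }
    *o = '\0';
    *cap = need;
    return out;
}

typedef int (*secret_sink)(const char *b64, void *ctx);

/*
 * Hands the base64 form of the password to sink, then clears both the
 * base64 copy and the caller's password buffer, on success and on failure.
 */
static int send_secret(char *password, size_t pw_cap, secret_sink sink, void *ctx)
{
    int rc = -1;
    const char *nul = memchr(password, '\0', pw_cap);
    if (nul != NULL) {              /* refuse an unterminated buffer */
        size_t enc_cap = 0;
        char *enc = b64_encode((const unsigned char *)password,
                               (size_t)(nul - password), &enc_cap);
        if (enc != NULL) {
            rc = sink(enc, ctx);
            secure_wipe(enc, enc_cap);   /* clear before returning it to the heap */
            free(enc);
        }
    }
    secure_wipe(password, pw_cap);
    return rc;
}

/* Constructed sink: stands in for writing the credential to the server. */
static int demo_sink(const char *b64, void *ctx)
{
    *(size_t *)ctx = strlen(b64);
    return 0;
}

int main(void)
{
    char pw[32] = "hunter2";        /* constructed sample secret */
    size_t sent = 0;
    int rc = send_secret(pw, sizeof pw, demo_sink, &sent);
    printf("rc=%d, %zu base64 bytes sent, password wiped: %s\n",
           rc, sent, all_zero(pw, sizeof pw) ? "yes" : "no");
    return rc;
}
```

Where the C library provides memset_explicit() or explicit_bzero(), call that instead of the volatile loop, which is the order of preference the changelog entry lists.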
Adolf Belka [Sat, 4 Oct 2025 14:12:04 +0000 (16:12 +0200)]
openvpn: Update to version 2.6.15
- Update from version 2.6.14 to 2.6.15
- Update of rootfile not required
- Changelog
2.6.15
dco: add standard mi prefix handling to multi_process_incoming_dco()
Check message id/acked ids too when doing sessionid cookie checks
GHA: Pin version of CMake for MinGW build
GHA: Dependency and Actions update April 2025 (2.6)
GHA: Update dependencies July 2025 (2.6)
Fix compiler warning in reliable.c with --disable-debug
dco linux: avoid redefining ovpn enums (2.6)
Update text of GPL to latest version from FSF
unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42
Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
replace assert() calls with ASSERT()
remove newline characters at the end of msg() calls
fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds
Fix t_net.sh / networking_testdriver after 'broadcast' change
preparing release 2.6.15
Fix tmp-dir documentation
dco: support float notifications on FreeBSD
dco-win: Ensure correct OVERLAPPED scope
win: replace wmic invocation with powershell
openvpnserv: Fix writing messages to the event log
Validate DNS domain name before powershell invocation
Makefile: fix 'make dist'
GHA: collect more artifacts for mingw builds
dco: backport OS-independent part of peer float support
Bugfix: Set broadcast address on interface.
Fix MBEDTLS_DEPRECATED_REMOVED build errors
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 4 Oct 2025 14:08:13 +0000 (16:08 +0200)]
openvmtools: Update to version 13.0.5
- Update from version 12.5.0 to 13.0.5
- Update of rootfile not required
- 2 CVE fixes.
- Changelog
13.0.5
Resolved Issues
This release resolves CVE-2025-41244.
For more information on this vulnerability and its impact on Broadcom
products, see VMSA-2025-0015.
A patch to address CVE-2025-41244 on earlier open-vm-tools releases is
provided to the Linux community at CVE-2025-41244.patch.
Guest OS Customization updated to use "systemctl reboot".
Currently the "telinit 6" command is used to reboot a Linux VM following
Guest OS Customization. As the classic Linux init system, SysVinit, is
deprecated in favor of a newer init system, systemd, the telinit
command may not be available on the base Linux OS.
This change adds support to Guest OS Customization for the systemd init
system. If the modern init system, systemd, is available, then a
"systemctl reboot" command will be used to trigger reboot. Otherwise,
the "telinit 6" command will be used assuming the traditional init
system, SysVinit, is still available.
13.0.0
Resolved Issues
The following github.com/vmware/open-vm-tools pull requests and issues have
been addressed.
FTBFS: --std=c23 conflicting types between function definition and
declaration MXUserTryAcquireForceFail()
Fixes Issue #750
Pull request #751
Provide tools.conf settings to deactivate one-time and periodic time
synchronization
The new tools.conf settings disable-all and disable-periodic allow the
guest OS administrator to deactivate one-time and periodic time
synchronization without rebooting the VM or restarting the guest OS.
Fixes Issue #302
Fix xmlsec detection when cross-compiling with pkg-config
Pull request #732
After October 25, 2024, with open-vm-tools earlier than 13.0.0, the
salt-minion component is not installed or fails to install in a guest
operating system through the VMware Component Manager
When you configure the salt-minion component in the present state, its
last status is set to 102 (not installed) or 103 (installation failed),
never reaching the installed state 100.
The VM advanced setting with the key
"guestinfo./vmware.components.salt_minion.desiredstate" has a value
present.
The VM advanced setting with the key
"guestinfo.vmware.components.salt_minion.laststatus" has a value 102
or 103.
The salt-minion component installs a log file with traces indicating
failure to access the online salt repository on
https://repo.saltproject.io. The "vmware-svtminion.sh-install-*.log"
file for the failed install shows a trace similar to:
<date+time> INFO: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download attempting download of file 'repo.json'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '0' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '1' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '2' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '3' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '4' attempt, retcode '6'
<date+time> ERROR: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' after '5' attempts
This issue is resolved in this release.
The new versions of the salt-minion integration scripts supporting the
new Salt Project repository locations are available at:
https://packages.broadcom.com/artifactory/saltproject-generic/onedir/
12.5.4
Product Support Notice
Beginning with the next major release, we will be reducing the number
of supported localization languages. The three supported languages
will be:
Japanese
Spanish
French
The following languages will no longer be supported:
Italian
German
Brazilian Portuguese
Traditional Chinese
Korean
Simplified Chinese
Impact:
Users who have been using the deprecated languages will no longer
receive updates or support in these languages.
All user interfaces, message catalogs, help documentation, and
customer support will be available only in English or in the
three supported languages mentioned above.
Resolved Issues
This release resolves CVE-2025-41244.
For more information on this vulnerability and its impact on Broadcom
products, see VMSA-2025-0015.
A patch to address CVE-2025-41244 on earlier open-vm-tools releases is
provided to the Linux community at CVE-2025-41244.patch.
12.5.2
Resolved Issues
This release resolves CVE-2025-22247.
For more information on this vulnerability and its impact on Broadcom
products, see VMSA-2025-0007
A patch to address CVE-2025-22247 on earlier open-vm-tools releases is
provided to the Linux community at CVE-2025-22247.patch.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 3 Oct 2025 14:04:35 +0000 (16:04 +0200)]
openssl: Update to version 3.5.4
- Update from version 3.5.1 to 3.5.4
- Update of rootfile
- Changelog
3.5.4
* Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap
Issue summary: An application trying to decrypt CMS messages encrypted using
password based encryption can trigger an out-of-bounds read and write.
Impact summary: This out-of-bounds read may trigger a crash which leads to
Denial of Service for an application. The out-of-bounds write can cause
a memory corruption which can have various consequences including
a Denial of Service or Execution of attacker-supplied code.
The issue was reported by Stanislav Fort (Aisle Research).
([CVE-2025-9230])
* Fix Timing side-channel in SM2 algorithm on 64 bit ARM
Issue summary: A timing side-channel which could potentially allow remote
recovery of the private key exists in the SM2 algorithm implementation on
64 bit ARM platforms.
Impact summary: A timing side-channel in SM2 signature computations on
64 bit ARM platforms could allow recovering the private key by an attacker.
The issue was reported by Stanislav Fort (Aisle Research).
([CVE-2025-9231])
* Fix Out-of-bounds read in HTTP client no_proxy handling
Issue summary: An application using the OpenSSL HTTP client API functions
may trigger an out-of-bounds read if the "no_proxy" environment variable is
set and the host portion of the authority component of the HTTP URL is an
IPv6 address.
Impact summary: An out-of-bounds read can trigger a crash which leads to
Denial of Service for an application.
The issue was reported by Stanislav Fort (Aisle Research).
([CVE-2025-9232])
* The FIPS provider no longer performs a PCT on key import for ECX keys
(that was introduced in 3.5.2), following the latest update
on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
* Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted
signatures.
* Reverted the synthesised `OPENSSL_VERSION_NUMBER` change for the release
builds, as it broke some existing applications that relied on the previous
3.x semantics, as documented in `OpenSSL_version(3)`.
3.5.3
* Avoided a potential race condition introduced in 3.5.1, where
`OSSL_STORE_CTX` kept open during lookup while potentially being used
by multiple threads simultaneously, that could lead to potential crashes
when multiple concurrent TLS connections are served.
* The FIPS provider no longer performs a PCT on key import for RSA, DH,
and EC keys (that was introduced in 3.5.2), following the latest update
on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
* Secure memory allocation calls are no longer used for HMAC keys.
* `openssl req` no longer generates certificates with an empty extension list
when SKID/AKID are set to `none` during generation.
* The man page date is now derived from the release date provided
in `VERSION.dat` and not the current date for the released builds.
* Hardened the provider implementation of the RSA public key "encrypt"
operation to add a missing check that the caller-indicated output buffer
size is at least as large as the byte count of the RSA modulus. The issue
was reported by Arash Ale Ebrahim from SYSPWN.
This operation is typically invoked via `EVP_PKEY_encrypt(3)`. Callers that
in fact provide a sufficiently large buffer, but fail to correctly indicate
its size may now encounter unexpected errors. In applications that attempt
RSA public encryption into a buffer that is too small, an out-of-bounds
write is now avoided and an error is reported instead.
* Added FIPS 140-3 PCT on DH key generation.
* Fixed the synthesised `OPENSSL_VERSION_NUMBER`.
3.5.2
* The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 2 Oct 2025 11:10:15 +0000 (13:10 +0200)]
firewall.cgi: Fixes XSS potential
- Related to CVE-2025-50975
- Fixes PROT
- ruleremark was already escaped when firewall.cgi was initially merged back in Core
Update 77.
- SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as
ports or port ranges.
- std_net_tgt is a string defined in the code and not a variable
- The variable key ignores any input that is not a digit and subsequently uses the next
free rulenumber digit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 11:12:52 +0000 (13:12 +0200)]
proxy.cgi: Further fix for bug 13893
- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 2 Oct 2025 11:10:15 +0000 (13:10 +0200)]
firewall.cgi: Fixes XSS potential
- Related to CVE-2025-50975
- Fixes PROT
- ruleremark was already escaped when firewall.cgi was initially merged back in Core
Update 77.
- SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as
ports or port ranges.
- std_net_tgt is a string defined in the code and not a variable
- The variable key ignores any input that is not a digit and subsequently uses the next
free rulenumber digit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
'dmz' => 'AÇIK BÖLGE',
'dmz pinhole configuration' => 'Açık bölge yapılandırma',
'dmz pinhole rule added' => 'Açık bölge kuralı eklendi; Açık bölge
yeniden başlatılıyor',
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>