Adolf Belka [Fri, 16 Jan 2026 20:56:22 +0000 (21:56 +0100)]
tshark: Update to version 4.6.3
- Update from version 4.6.2 to 4.6.3
- Update of rootfile
- Changelog
4.6.3
The following vulnerabilities have been fixed:
wnpa-sec-2026-01 BLF file parser crash. Issue 20880.
wnpa-sec-2026-02 IEEE 802.11 dissector crash. Issue 20939.
wnpa-sec-2026-03 SOME/IP-SD dissector crash. Issue 20945.
wnpa-sec-2026-04 HTTP3 dissector infinite loop. Issue 20944.
The following bugs have been fixed:
Wireshark 4.6.0 build fails on Solaris: pcapio.c:441:21: error: request for
member '_flag' in something not a structure or union. Issue 20773.
RTP Player streams cannot be stopped. Issue 20879.
Additional ABI/API compatibility fixes. Issue 20881.
Missing data in pinfo->cinfo in HomePlug message CM_ATTEN_CHAR.IND.
Issue 20893.
maxmind_db: crash when switching from a profile where it’s disabled to one
where it’s enabled. Issue 20903.
Compilation warning or error if CFLAGS defines _FORTIFY_SOURCE to other
than 3 without first undefining it. Issue 20904.
IEEE 802.11: Incorrect parsing of QoS and Mesh Control Field when the frame
body contains an A-MSDU. Issue 20905.
OSS-Fuzz 473164101: Heap-buffer-overflow in dissect_idn_laser_data.
Issue 20936.
Bug in decoding 5G NAS message - Extended CAG information list IE.
Issue 20946.
Updated Protocol Support
DCT2000, DHCP, H.248, H.265, HomePlug AV, HTTP3, IDN, IEEE 802.11,
LTE RRC, NAS-5GS, PKCS12, QUIC, RTPS, SOME/IP-SD, SSH, and Thrift
New and Updated Capture File Support
3GPP TS 32.423 Trace, BLF, NetScreen, and Viavi Observer
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 16 Jan 2026 10:05:35 +0000 (10:05 +0000)]
gnupg: Ship all binaries
On new installations, GnuPG complained that it could not start gpg-agent
when it was importing the Pakfire keys for the first time. Although the
keys were imported successfully and fully functional, there was an error
message being shown at first boot which we don't want to see.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 15 Jan 2026 17:33:05 +0000 (18:33 +0100)]
ovpnmain.cgi: No longer include the CA in the client configuration
NetworkManager complains that it cannot use <ca>...</ca> when
<pkcs12>...</pkcs12> is being used as well. This makes somewhat sense as
the PKCS12 container also contains the CA certificate.
Therefore we are removing the <ca>...</ca> block for all clients as they
must all be able to read the PKCS12 container.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
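The profile change described above, as an added example that is not IPFire's ovpnmain.cgi code: a small Python helper that drops the inline <ca> block only when the profile also carries a <pkcs12> block, and leaves profiles without PKCS#12 untouched. The sample profile and its PEM bodies are constructed placeholders.

```python
import re

# Constructed sample: an OpenVPN client profile carrying both an inline
# <pkcs12> container and a separate inline <ca> block (placeholder bodies).
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
<pkcs12>
PLACEHOLDER-BASE64-PKCS12
</pkcs12>
verb 3
"""


def inline_blocks(config: str) -> set[str]:
    """Return the names of all <name> ... </name> inline blocks in a profile.

    Only opening tags on a line of their own are counted, so closing tags
    such as </ca> are not mistaken for block names.
    """
    return set(re.findall(r"^<([a-z0-9-]+)>\s*$", config, flags=re.MULTILINE))


def strip_ca_if_pkcs12(config: str) -> str:
    """Remove the <ca> block when a <pkcs12> block is present.

    The PKCS#12 container already carries the CA certificate, so the
    separate block is redundant and some clients (NetworkManager) reject
    the combination. Profiles without <pkcs12> keep their <ca> block.
    """
    blocks = inline_blocks(config)
    if "pkcs12" not in blocks or "ca" not in blocks:
        return config
    # Drop exactly one <ca> ... </ca> block, including its trailing newline.
    return re.sub(
        r"^<ca>\n.*?^</ca>\n",
        "",
        config,
        count=1,
        flags=re.MULTILINE | re.DOTALL,
    )


if __name__ == "__main__":
    print(strip_ca_if_pkcs12(SAMPLE_PROFILE))
```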
Adolf Belka [Wed, 14 Jan 2026 11:17:23 +0000 (12:17 +0100)]
tshark: Add libxxhash to dependency list
- From version 2.6.0 tshark added libxxhash as an option which is defined as ON by
default. As libxxhash is built as a dependency for rsync and borgbackup the tshark
build worked without problems but then the libxxhash library was not present and so
tshark failed to run.
- This patch adds libxxhash to the dependency list for tshark
- No change to rootfile
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 13 Jan 2026 12:12:15 +0000 (13:12 +0100)]
mdadm: Update to version 4.5
- Update from version 4.4 to 4.5
- No change to rootfile
- From kernel 6.17.x onwards it produces an error message with version 4.4 and suggests
updating to version 4.5 as async del_gendisk mode will be removed in future. This
update also ensures we will not see that message in any released IPFire CU. I found it
in my testing of Arne's 6.18 kernel.
- Changelog
4.5
Features:
Supports --logical-block-size in --create from Wu Guanghao
Create array with sync del gendisk mode from Xiao Ni
Update raid6check man page from Mingye Wang
Re-enable mdadm --monitor ... for /dev/mdX from Dr. Joachim Schneider
Use MAILFROM to set sendmail envelope sender address in mdmon from Martin
Wilck
Don't stop array after creating it during assemble from Xiao Ni
Use kernel raid headers from Mariusz Tkaczyk
Allow RAID0 to be created with v0.90 metadata from NeilBrown
Optimize DDF header search for widely used RAID controllers from lilinzhe
Persist properties of MD devices after switch_root from Antonio Alvarez Feijoo
Refactor continue_via_systemd() to make it more readable from Mateusz Kusiak
Remove --freeze-reshape logic in reshape from Mateusz Kusiak
Simplify remove logic in Incremental from Mariusz Tkaczyk
Fixes:
Fix crash with homehost=none in super1 from Martin Wilck
Moves memory management into Assemble to avoid null pointer dereference
from Xiao Ni
Wait a while before removing a member in Incremental from Xiao Ni
Some memleak issues from Wu Guanghao
Fix memleak in udev from Mariusz Tkaczyk
Support non-absolute name during monitor scan from QRPp
Mdcheck fix and improvement from Martin Wilck
Remove POSIX check for name from Mariusz Tkaczyk
Enable udev block for Incremental/Assemble to avoid race condition from
Nigel Croxon
Fix building errors from Xiao Ni
Use standard libc nftw from Xiao Ni
Allow any valid minor number in md device name from Martin Wilck
Fix RAID0 to RAID10 migration for imsm array from Blazej Kucman
Don't set badblock flag when adding a new disk from Wu Guanghao
Regression tests fix from Xiao Ni
Fix metadata corruption when managing new imsm array from Junxiao Bi
Add update_super in ddf to prevent crash when assembling ddf array from
lilinzhe
Disable legacy option ROM scan on UEFI machines for imsm array from Ross
Lagerwall
Add sbin path to env PATH to avoid command modprobe can't be found from
Coly Li
Add xmalloc.h to raid6check.c to fix building error from Xiao Ni
Do not start reshape before switchroot from Mateusz Kusiak
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 7 Jan 2026 11:43:12 +0000 (11:43 +0000)]
suricata: Add IPFire DNSBL to the rule sources
Although this is not the primary use-case, there is a lot of value in
adding the DNSBL to Suricata for secondary filtering. Anything that is
trying to circumvent any local policy will be caught at the edge of the
network and therefore we will even be able to block access to any listed
domains when people are using a private resolver.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 7 Jan 2026 11:37:18 +0000 (11:37 +0000)]
ids-functions.pl: Implement extracting any data from tarballs
Suricata rulesets are distributed as tarballs. Besides the rules, those
tarballs may contain additional data like datasets and so on. This data
was not extracted before.
For the IPFire DNSBL we are shipping any domains as a separate file
which is being parsed by Suricata as a dataset. Obviously these files
need to be extracted to be read by Suricata.
This patch extracts any data files in the first place and later copies
them into the rules directory.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
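As an added example of the extraction step described above (not IPFire's ids-functions.pl, which is Perl): a Python sketch that pulls every regular file out of a constructed ruleset tarball, refuses members whose path would escape the extraction directory, and copies the non-rule data files (such as a domain list that Suricata loads as a dataset) into the rules directory. The tarball contents, file names and the sample rule are constructed for the example.

```python
import io
import os
import shutil
import tarfile
import tempfile
from pathlib import Path


def build_sample_tarball() -> bytes:
    """Constructed stand-in for a ruleset tarball: one rules file, one dataset
    file (a domain list) and one member with a traversal path to be rejected."""
    members = [
        ("rules/dnsbl.rules",
         b'alert dns any any -> any any (msg:"constructed dnsbl hit"; '
         b"dns.query; dataset:isset,dnsbl; sid:1000001; rev:1;)\n"),
        ("rules/dnsbl.list", b"bad.example.invalid\nworse.example.invalid\n"),
        ("../outside.list", b"must never land outside the target tree\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def safe_members(tar: tarfile.TarFile, dest: Path):
    """Yield only regular-file members whose resolved path stays inside dest."""
    root = dest.resolve()
    for m in tar.getmembers():
        if not m.isreg():
            continue  # directories, symlinks, devices: datasets are plain files
        target = (root / m.name).resolve()
        if target != root and root not in target.parents:
            continue  # member would be written outside dest; drop it
        yield m


def extract_ruleset(tarball: bytes, workdir: Path, rulesdir: Path) -> dict:
    """Extract all accepted data files into workdir, then copy the non-.rules
    files (datasets and similar) into rulesdir. Returns what happened to each."""
    workdir.mkdir(parents=True, exist_ok=True)
    rulesdir.mkdir(parents=True, exist_ok=True)
    result = {"rules": [], "data": [], "rejected": []}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        allowed = {m.name for m in safe_members(tar, workdir)}
        for m in tar.getmembers():
            if m.name not in allowed:
                result["rejected"].append(m.name)
                continue
            out = workdir / m.name
            out.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(m) as src, open(out, "wb") as dst:
                shutil.copyfileobj(src, dst)
            if m.name.endswith(".rules"):
                result["rules"].append(m.name)
            else:
                # Data files are flattened into the rules directory by basename.
                shutil.copy2(out, rulesdir / os.path.basename(m.name))
                result["data"].append(os.path.basename(m.name))
    return result


def run_demo() -> dict:
    """Run the extraction on the constructed tarball inside a temporary tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        result = extract_ruleset(build_sample_tarball(), base / "work", base / "rules")
        result["rulesdir_files"] = sorted(p.name for p in (base / "rules").iterdir())
        result["outside_exists"] = (base / "outside.list").exists()
        return result


if __name__ == "__main__":
    print(run_demo())
```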
Adolf Belka [Wed, 7 Jan 2026 17:50:36 +0000 (18:50 +0100)]
xz: Update to version 5.8.2
- Update from version 5.8.1 to 5.8.2
- Update of rootfile
- Changelog
5.8.2
* liblzma:
- Fix the build on ARM64 on glibc versions older than
2.24 (2016). They don't have HWCAP_CRC32 in <sys/auxv.h>.
- Disable CLMUL CRC code when building for 32-bit x86 with
old MSVC versions. This avoids a compiler bug. The exact
compiler version in which the issue was fixed is unknown,
but VS 2022 17.13 (MSVC 19.43.34808) is known to work, so
CLMUL CRC on 32-bit x86 is disabled with MSVC versions
older than that.
* xz:
- Add a workaround for Red Hat Enterprise Linux 9 kernel bug
which made xz fail with "xz: Failed to enable the sandbox".
It only occurs with xz 5.8.0 and 5.8.1 binaries built for
other distros. For example, running Debian 13 in a container
on RHEL/CentOS 9 would trigger the issue.
The bug was introduced in RHEL 9 kernel 5.14.0-603.el9
(2025-07-30) and fixed in 5.14.0-648.el9 (2025-12-05).
However, as of writing, the fixed kernel isn't available
to RHEL 9 users yet, so including the workaround in this
xz release seems reasonable. The workaround will be removed
when it's no longer needed.
xzdec was also affected by this issue.
- On AIX, don't use fsync() on directories because it fails.
- Fix the build on Emscripten.
- Fix the build on clang-cl on Windows.
- Take resource limits (RLIMIT_DATA, RLIMIT_AS, and RLIMIT_VMEM)
into account when determining the default memory usage limit
for multithreaded mode. This should prevent xz from failing
when a resource limit has been set to a value that is less
than 1/4 of total RAM. Other memory limits can still trigger
the same issue, for example, Linux cgroup v2 memory.max.
* Build systems:
- When symbol versioning is enabled, pass --undefined-version
to the linker if the option is supported. This fixes the
build when using LLVM's lld and some liblzma features have
been disabled at build time.
- ARM64: Fix autodetection of fast unaligned memory access when
using GCC and -mstrict-align is in effect. Previously the
build systems would incorrectly guess that unaligned access
is fast, which would result in much slower binaries than
needed. The fix is a workaround for GCC bug 111555;
autodetection already worked with Clang.
- LoongArch: Autodetect if fast unaligned memory access is
supported. This can improve compression speed by 15 % (but
not decompression speed).
* Translations:
- Update the Spanish translation.
- Add Swedish man page translations.
- Update Italian, Korean, Romanian, Serbian, and Ukrainian
man page translations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:35 +0000 (18:50 +0100)]
update.sh: Remove the gpl_affected file
- This file was no longer created for new installs several CUs ago and the file is no
longer needed, so if it exists on the user's system this will do the removal
housekeeping.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:34 +0000 (18:50 +0100)]
lvm2: Update to version 2.03.38
- Update from version 2.03.37 to 2.03.38
- No change to rootfile
- Changelog
2.03.38
Synchronize with udev after creating pool metadata spare volume.
Conversion to thin-pool removes activation skipping from converted LVs.
Configure now checks for xfs/xfs.h.
Workaround for libblkid returning old FSLASTBLOCK immediately after resize.
Enhance pvmove activation and deactivation.
LV locks whole device tree using such locked LV.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:32 +0000 (18:50 +0100)]
harfbuzz: Update to version 12.3.0
- Update from version 12.2.0 to 12.3.0
- Update of rootfile
- Changelog
12.3.0
- Invalid font tables (eg. GSUB/GPOS) are outright rejected, instead of
partially validated and used. This behavior is different from DirectWrite
and HarfRust, and is in line with CoreText. For context and reasoning see:
https://github.com/harfbuzz/harfbuzz/issues/5535#issuecomment-3573738217
- Various speed optimizations:
* AAT shaping: speed up state machine on Apple silicon using a fast-path.
12% faster in LucidaGrande benchmark.
* OpenType shaping: speed up (Chain)Context lookup shaping using a fast-path
and Coverage caching. 20% speedup in NotoNastaliqUrdu benchmark.
* Drawing mega variable-fonts: 30% speedup on GoogleSansFlex benchmark.
* Drawing `VARC` fonts: 5% speedup on varc-hanzi benchmark.
- Always apply synthetic slant around horizontal glyph origin in hb-draw API.
- Fix undefined C++ behavior in some uses of union.
- Remove the disabled by default uniscribe-bug-compatible mode from Indic and
Khmer shapers, that used to be used when testing against Uniscribe shaping
behaviour.
- Support full instancing fonts with v2 `avar` table.
- Various subsetting, build, fuzzing, and documentation fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:31 +0000 (18:50 +0100)]
gnupg: Update to version 2.4.9
- Update from version 2.4.8 to 2.4.9
- No change to rootfile
- The stable version is now 2.5.16, with 2.5 originally being the development branch that
would become 2.6, but 2.5 has now been made the stable branch. The 2.4 branch will
become EOL in 6 months. As gnupg was just recently changed from the 1.4 branch to the
2.4 branch and hasn't been tested out in a Testing/Release version, I have just
updated to the latest 2.4 version.
- Once version 2.4.9 has been proven and is in a released CU, then I will do the update
to the latest version in the 2.5 branch.
- Changelog
2.4.9
* gpg: Fix possible memory corruption in the armor parser. [T7906]
* gpg: Avoid potential downgrade to SHA1 in 3rd party key
signatures. [rGddb012be7f]
* gpg: Error out on unverified output for non-detached signatures.
[rG9d302f978b]
* gpg: Do not allow compressed key packets on import. [T7014]
* scd: Fix a harmless read buffer over-read in a function used by
PKCS#15 cards. [T7662]
* dirmngr: Do not require a keyserver for "gpg --fetch-key".
[T7693]
* agent: Fix ssh-agent's request_identities for skipped Brainpool
keys. [rG6bf5696c85]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:30 +0000 (18:50 +0100)]
gdb: Update to version 17.1
- Update from version 16.1 to 17.1
- Update of rootfile
- Changelog
17.1
* Debugging Linux programs that use x86-64 or x86-64 with 32-bit pointer
size (X32) Shadow Stacks are now supported.
* Support for the shadow stack pointer register on x86-64 or x86-64 with
32-bit pointer size (X32) GNU/Linux.
* Debugger Adapter Protocol changes
** GDB now supports the "completions" request.
* "set style" commands now support numeric format for basic colors
from 0 to 255 and #RRGGBB format for TrueColor.
* New built-in convenience variable $_colorsupport provides comma-separated
list of color space names supported by terminal. Each color space name is one
of monochrome, ansi_8color, aixterm_16color, xterm_256color or rgb_24bit.
It is handy for conditionally using styling colors based on terminal features.
For example:
(gdb) if $_regex ($_colorsupport, ".*(^|,)rgb_24bit($|,).*")
>set style filename background #FACADE
>else
>if $_regex ($_colorsupport, ".*(^|,)xterm_256color($|,).*")
>set style filename background 224
>else
>set style filename background red
>end
>end
* UST (static tracepoint) support from gdbserver has been removed.
* Linux checkpoint code has been updated to work with multiple inferiors.
* The gcore and gdb-add-index scripts now have a -v or --version
option, which prints the version number, and then exits. As well as
a -h or --help option, which prints each option and a brief
description.
* On systems that support linker namespaces, the output of the command
"info sharedlibraries" may add one more column, NS, which identifies the
namespace into which the library was loaded, if more than one namespace
is active.
* New built-in convenience variables $linker_namespace_count and
$_linker_namespace. These show the number of active linker
namespaces, and the namespace to which the current location belongs.
In systems that don't support linker namespaces, or if the inferior hasn't
started yet, these always return the integer 0.
* Add record full support for rv64gc architectures
* Debugging Linux programs that use AArch64 Guarded Control Stacks is now
supported.
* New "--binary-output" command line option instructs GDB to set the
translation mode of its stdout/stderr to binary mode. This disables
Line Feed translation. MS-Windows only.
* New commands
maintenance check psymtabs
Renamed from maintenance check-psymtabs
maintenance check symtabs
Renamed from maintenance check-symtabs
maintenance canonicalize
Show the canonical form of a C++ name.
set riscv numeric-register-names on|off
show riscv numeric-register-names
Controls whether GDB refers to risc-v registers by their numeric names
(e.g. 'x1') or their abi names (e.g. 'ra').
Defaults to 'off', matching the old behaviour (abi names).
set style emoji on|off|auto
show style emoji
Controls whether GDB can display emoji. The default is "auto",
which means emoji will be displayed in some situations when
the host charset is UTF-8.
set style warning-prefix STRING
set style error-prefix STRING
These commands control the prefix that is printed before warnings
and errors, respectively. This functionality is intended for use
with emoji display, and so the prefixes are only displayed if emoji
styling is enabled.
info linker-namespaces
info linker-namespaces [[N]]
Print information about the given linker namespace (identified as N),
or about all the namespaces if no argument is given.
* Changed commands
info sharedlibrary
On Linux and FreeBSD, the addresses shown in the output of this
command are now for the full memory range allocated to the shared
library.
info threads [-gid] [-stopped] [-running] [ID]...
If no threads match the given ID(s) or filter options, GDB now prints
No threads matched.
without printing the provided arguments. The newly added '-stopped'
option makes GDB list the stopped threads only. Similarly,
'-running' makes GDB list the running threads only. If both options
are given together, both stopped and running threads are listed.
These new flags can be useful to get a reduced list when there is a
large number of threads.
* GDB-internal Thread Local Storage (TLS) support
** Linux targets for the x86_64, aarch64, ppc64, s390x, and riscv
architectures now have GDB-internal support for TLS address
lookup in addition to that traditionally provided by the
libthread_db library. This internal support works for programs
linked against either the GLIBC or MUSL C libraries. For
programs linked against MUSL, this new internal support provides
new debug functionality, allowing access to TLS variables, due to
the fact that MUSL does not implement the libthread_db library.
Internal TLS support is also useful in cross-debugging
situations, debugging statically linked binaries, and debugging
programs linked against GLIBC 2.33 and earlier, but which are not
linked against libpthread.
** The command 'maint set force-internal-tls-address-lookup on' may
be used to force the internal TLS lookup mechanisms to be used.
Otherwise, TLS lookup via libthread_db will still be preferred,
when available.
* Python API
** GDB no longer supports Python versions less than 3.4.
** New class gdb.Color for dealing with colors.
** New constant gdb.PARAM_COLOR represents color type of a
gdb.Parameter.value. Parameter's value is gdb.Color instance.
** The memory_source argument (the second argument) has been removed
from gdb.disassembler.builtin_disassemble. This argument was
never used by GDB, and was added by mistake. The unused argument
was never documented in the GDB manual, so users should not have
been using it.
** gdb.execute has an additional 'styling' argument. When True, then
output will be styled. The default for this argument is True
when output is going to standard output, and False when output is
going to a string.
** Setting the documentation string (__doc__) of a gdb.Parameter
sub-class to the empty string, means GDB will only display the
set_doc or show_doc strings in the set/show help output.
** New gdb.ParameterPrefix class. This can be used to create 'set'
and 'show' gdb.Command prefixes, suitable for use with new
gdb.Parameters.
** Prefix commands (gdb.Command sub-classes) that don't have an
invoke method will now behave like builtin prefix commands when
invoked without a sub-command name. This means printing the help
text for all sub-commands, unless the prefix command is a 'show'
command, in which case the value of all sub-commands is printed.
** New gdb.warning() function that takes a string and prints it as a
warning, with GDB's standard 'warning' prefix.
** New attribute gdb.Value.is_unavailable, this checks for
unavailability like gdb.Value.is_optimized_out checks for
optimized out values.
* Guile API
** New type <gdb:color> for dealing with colors.
** New constant PARAM_COLOR represents color type of a value
of a <gdb:parameter> object. Parameter's value is <gdb::color> instance.
** Eliding the #:doc string from make-parameter now means that GDB
will use a default documentation string. Setting #:doc to the
empty string for make-parameter means GDB will only display the
#:set_doc or #:show_doc strings in the set/show help output.
** Prefix commands (using make-command) that don't have a #:invoke
property will now behave like builtin prefix commands when
invoked without a sub-command name. This means printing the help
text for all sub-commands, unless the prefix command is a 'show'
command, in which case the value of all sub-commands is printed.
* New remote packets
binary-upload in qSupported reply
If the stub sends back 'binary-upload+' in its qSupported reply,
then GDB will, where possible, make use of the 'x' packet. If the
stub doesn't report this feature supported, then GDB will not use
the 'x' packet.
vFile:lstat
Return information about files on the remote system. Like
vFile:stat but if the filename is a symbolic link, return
information about the link itself, the file the link refers to.
* Changed remote packets
qXfer:threads:read
The XML that is sent as a response can now include an "id_str"
attribute for a thread element. The attribute indicates what GDB
should print as the target ID of the thread, for example in the
"info threads" command or when switching to the thread.
vFile:stat
Previously, gdbserver incorrectly implemented this packet using
lstat rather than stat. This has now been corrected. The
documentation has also been clarified.
* MI changes
** The =library-unloaded event now includes the 'ranges' field, which
has the same meaning as for the =library-loaded event.
** The =library-unloaded event now includes the 'still-in-use' field.
This field is 'true' when a library is unloaded (removed from the
inferior's list of loaded libraries), but the mapping within the
inferior's address space is retained, as the library was mapped
multiple times, and the same mapping was being reused. In all
other cases, this field will have the value 'false'.
* Support for stabs debugging format and the a.out/dbx object format is
deprecated, and will be removed in GDB 18.
* Configure changes
--enable-binary-file-formats=[FORMAT,...]
--enable-binary-file-formats=all
A user can now decide to only compile support for certain file formats.
The available formats at this point are: dbx, coff, xcoff, elf, mach-o
and mips. Some targets require specific file formats to be available,
and in such cases, the configure script will warn the user and add
support anyway. By default, all formats will be compiled in, to
continue the behavior from before adding the switch.
* A new configure option was added, allowing support for the compile
subsystem to be disabled at configure time, in the form of
--disable-gdb-compile.
* A new configure option was added, allowing support for DWARF debug
information to be disabled at configure time. The flag is
--disable-gdb-dwarf-support.
* A new configure option was added, allowing support for mdebug/ecoff
debug information to be disabled at configure time. The flag to do
that is --disable-gdb-mdebug-support.
* The Alpha target now supports target descriptions.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:27 +0000 (18:50 +0100)]
alsa: Update to version 1.2.15.1
- Update from version 1.2.14 to 1.2.15.1
- Update of rootfile
- Changelog
1.2.15.1
alsa-lib
Core
ucm: use closefrom instead of close_range
Use Case Manager API
ucm: exec - fix maxfd used warning
ucm: use closefrom instead of close_range
Configuration
conf: cards: unify whitespace - use tabs and remove trailing spaces
conf: pistachio-card: define pcm configuration block only one time
conf: YMF744: define pcm configuration block only one time
conf: VX222,VXPocket: define pcm configuration block only one time
conf: VIA686A,VIA82xx: define pcm configuration block only one time
conf: TRID4DWAVENX: define pcm configuration block only one time
conf: SI7018: define pcm configuration block only one time
conf: SB-XFi: define pcm configuration block only one time
conf: RME96[35][26]: define pcm configuration block only one time
conf: PS3: define pcm configuration block only one time
conf: PMac,PMacToonie: define pcm configuration block only one time
conf: PC-Speaker: define pcm configuration block only one time
conf: NFORCE: define pcm configuration block only one time
conf: Maestro3: define pcm configuration block only one time
conf: Loopback: define pcm configuration block only one time
conf: ICH,ICH4,ICH-MODEM: define pcm configuration block only one time
conf: ICE17[12][24]: define pcm configuration block only one time
conf: HdmiLpeAudio: define pcm configuration block only one time
conf: GUS: define pcm configuration block only one time
conf: FWSpeakers: define pcm configuration block only one time
conf: FM801: define pcm configuration block only one time
conf: FireWave: define pcm configuration block only one time
conf: ES1968: define pcm configuration block only one time
conf: ENS137[01]: define pcm configuration block only one time
conf: EMU10K1X: define pcm configuration block only one time
conf: EMU10K1: define pcm configuration block only one time
conf: Aureon51: define pcm configuration block only one time
conf: Echo3G: define pcm configuration block only one time
conf: CS46xx: define pcm configuration block only one time
conf: CMI8xxx: define pcm configuration block only one time
conf: CA0106: define pcm configuration block only one time
conf: AU88[123]0: define pcm configuration block only one time
conf: Aureon: define pcm configuration block only one time
conf: Audigy: define pcm configuration block only one time
conf: AACI,ATIIXP: define pcm configuration block only one time
conf: vc4-hdmi: define pcm configuration block only one time
conf: HDA-Intel: define pcm configuration block only one time
conf: USB-Audio: define pcm configuration block only one time
Revert "conf: fix load_for_all_cards() - do not merge the card specific
contents"
conf: fix possible memory leak in config_file_open() - error path
conf: merge card specific contents per file (whole) after parsing
alsa-utils
ALSA Control (alsactl)
alsactl: fix build when in subdirectory
aplay/arecord
aplay: add missing break before the default case
alsa-ucm-conf
Configuration
ucm2: codecs: rt722: add condition to SetLED for mic
ucm2: sof-soundwire: Simplify cs42l45 configs
sof-soundwire: third fix for multi-codec
1.2.15
alsa-lib
Core
include: fix typo in error.h to avoid compile error when gcc <= 2.95
include: list.h - add list_splice() and list_splice_init() functions
github: add coverity.yml
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
error: add missing log_priority/interface functions to header file
configure: bump version to 1.2.13pre1 (for alsa-utils)
include: remove local SNDMSG/SYSMSG defines (no longer used)
huge correction of tabulators and whitespaces
log: implement filter based on string configuration (env LIBASOUND_DEBUG).
error: add priority and interface strings to the log messages
redesign the message log functions
error: do not export internal snd_err_msg variable
github: fix Fedora workflow (awk package dependency)
Config API
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
huge correction of tabulators and whitespaces
Control API
coverity.com fixes - initial round
snd_tlv_convert_to_dB: Fix mute handling for MINMAX_MUTE type
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
huge correction of tabulators and whitespaces
redesign the message log functions
HWDEP API
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
Mixer API
mixer: abst - reshuffle snd_mixer_simple_basic_register code to be more
logical
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
huge correction of tabulators and whitespaces
mixer: bag - fix bag_del_all implementation (missing free)
Mixer Abstraction API
huge correction of tabulators and whitespaces
PCM API
pcm: plugin - avoid 32-bit to 64-bit return value conversions
add missing return value changes for snd_config_get_string() calls
add missing return value changes for snd_config_get_id() calls
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
pcm route: suppress false positive warning for gcc 8+
pcm: add a loop to snd_pcm_avail_delay() to avoid bogus delay values
Rawmidi API
rawmidi: Fix SNDRV_RAWMIDI_INFO_STREAM_INACTIVE duplicate definition
rawmidi: Fix the prefix of the inactive stream flag
Sequencer API
seq: fix snd_seq_drain_output return value for partial drain
seq: hw - notify if running mode / pversion ioctl fails
Topology API
add missing return value changes for snd_config_get_id() calls
topology: fix nibble warning in tplg_save_quoted()
Use Case Manager API
ucm: add ValueGlobals section to the top configuration file
ucm: fix the DefineRegex issue where multiple variables were set to empty
string
ucm: Include directive - add optional behaviour
ucm: complete dependency graphs for conflicting/supported device lists
ucm: implement DeviceVariant configuration extension
ucm: implement ValueDefaults.BootCardGroup and define use
ucm: keep original device name for logs
ucm: sort devices by priority
ucm: doc - add examples for device name with descriptors (colon)
ucm: be more restrictive for device name with descriptor
ucm: strip device index when the device type is present only one time
ucm: add support for device names with colon (':')
ucm: normalize device names
ucm: add possibility to inline Verb configurations to the main
configuration file
ucm: add Prepend and Append block handling for If conditions (syntax 8+)
add missing return value changes for snd_config_get_string() calls
ucm: add missing stdbool.h include to ucm_local.h
ucm: fix variant issue where variables or macros are overwritten
ucm: remove 'error: ' prefix from error messages (duplication)
ucm: remove uc_dbg macro and callers
ucm: replace uc_error with snd_error calls
ucm: add a basic set of trace/debug log calls
ucm: use close_range on _GNU_SOURCE
Force to use alphasort64() sorting function for Harmony OS
ucm: regex: fix the error message (missing argument)
Revert "ucm: do not bump syntax version to 8"
ALSA Server
coverity.com fixes - initial round
huge correction of tabulators and whitespaces
replace SNDMSG,SYSMSG,SNDERR,SYSERR with new log macros
Async helpers
coverity.com fixes - initial round
replace SNDMSG,SYSMSG,SNDERR,SYSERR with new log macros
Configuration
coverity.com fixes - initial round
add missing return value changes for snd_config_get_string() calls
add missing return value changes for snd_config_get_id() calls
conf/pistachio: fix syntax
config: do not print errno in snd_config_check_hop()
redesign the message log functions
conf: fix load_for_all_cards() - do not merge the card specific contents
conf: fix parse_array_def - merge arrays
conf: Revert "conf: fix load_for_all_cards()"
conf: fix parse_array_def override code path
Force to use alphasort64() sorting function for Harmony OS
conf: aliases: add hda-acpi -> HDA-Intel alias
Documentation
doc: add missing include pcm_plugin.h to source files
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
Error handler
coverity.com fixes - initial round
error: make prio/interface output a bit shorter in default log handler
log: implement filter based on string configuration (env LIBASOUND_DEBUG).
error: add priority and interface strings to the log messages
redesign the message log functions
error: do not export internal snd_err_msg variable
Simple Abstraction Mixer Modules
replace SNDMSG,SYSMSG,SNDERR,SYSERR with new log macros
Test/Example code
test: ucm - remove old syntax configuration files (incomplete anyway)
test: update midifile library to ANSI C
alsa-utils
Core
configure: Allow systemd service installation without systemd.pc
github: coverity.yml - run at 4am on Sunday
github: add coverity.yml (coverity.com) workflow
github: CI: add awk package for Fedora to build.yml
ALSA Control (alsactl)
alsactl: fix error message arguments (remove card)
alsactl: fix error handling in check_control_cdev()
alsactl: ucm: restore controls for other cards in group
alsactl: move udev/systemd files to conf subdirectory
alsactl: update state file correctly when initialization failed
alsactl: fix state restore to handle dynamic user control elements
alsactl: add systemd service to handle deferred card initialization
alsactl: ucm: add wrestore command and wait_for_card() for boot synchronization
alsactl: add -Y option to export card states as key=value pairs
alsactl: ucm: implement boot parameters and card group sync infrastructure
alsactl: free scandir list in snd_card_clean_cfgdir
alsactl: add support for new log handler (alsa-lib 1.2.15)
alsactl: restore udev rules - fix HDA analog device check
ALSA RawMidi Utility (amidi)
amidi: Ignore inactive MIDI ports as default at listing
aconnect
aconnect: add support for new log handler (alsa-lib 1.2.15)
alsamixer
alsamixer: add support for new log handler (alsa-lib 1.2.15)
aplay/arecord
aplay: reorganize format handling in begin_wave()
Revert "aplay: fix S24_LE wav header"
alsactl: add support for new log handler (alsa-lib 1.2.15)
bat (basic audio tester)
bat: Fix buffer time configuration
alsa-ucm-conf
Configuration
USB-Audio: add support for conf.d configurations
USB-Audio: Steinberg UR22C - fix capture channels for older firmware
USB-Audio: GoXLR: enable detection of beta firmware (25 channels)
USB-Audio: Add jack controls for HP Thunderbolt Dock G2
ucm2: sof-soundwire: Update cs42l45 JackControls
ucm2: IO-Boards: Toradex: aquila: add support
ucm2: Qualcomm: fix indentation for TUXEDO Elite 14
ucm2: Qualcomm: fix HDMI0 name for TUXEDO Elite 14
ucm2: Qualcomm: add TUXEDO Elite 14 support
rt713: add mic led support
USB-Audio: Add Audient iD14 MK2 support
sof-soundwire: second fix for -sdca variants for multi-codec
common: led.conf - don't use If.0 blocks
common: split.conf - don't use If.0 blocks
USB-Audio: Add support for DualSense PS5 controller
ucm2: Add setting LED Mode in SetLED macro
sof-soundwire: fix for -sdca variants for multi-codec
ucm2: rt712: simplify the init settings
ucm2: sof-soundwire: support rt713vb codec
ucm2: soundwire: cs42l45: Add support for CS42L45 codec
ucm2: Add support for MT8196 Rauru Rev0 Chromebook with SOF
USB-Audio: fix Steinberg UR22mkII device names
ucm2: codecs: rx-macro: add Headset Left enable/disable
ucm2: codecs: pm4125: add ucm for codec
ucm2: Qualcomm: x1e80100: T14s: add USB DisplayPort playback
Qualcomm: qcs615: Add TALOS EVK HiFi config
ucm2: Add support for Steinberg UR22mkII
ucm2: Qualcomm: Radxa: fix Displayport SectionDevice
ucm2: Qualcomm: Add MONACO-EVK HiFi config
ucm2: Qualcomm: sa8775p: Move lemans-evk hifi to sa8775p subdir
Qualcomm: Kaanapali: Add Kaanapali MTP HiFi config
The X1E80100-EVK needs basically the same configuration as
ucm2: MediaTek: mt8391-evk: Add alsa-ucm support
Add support for RME Fireface UCX (heavily based on RME Fireface UCX II config)
ucm2: Qualcomm: Add Microsoft Surface Pro 12in config
ucm2: Qualcomm: x1e80100: Add X1E001DE-DEVKIT configuration
ucm2: Qualcomm: add Radxa Dragon Q6A
ucm2: sof-soundwire: add rt721 ucm support
ucm2: Qualcomm: add Lenovo Ideapad 5 (Slim 5x / 2in1) support
ucm2: Qualcomm: Rename qcs6490-rb3gen2 and qcs9075-iq-evk ucm2 conf
ucm2: Qualcomm: Add Dell Latitude 7455 / Inspiron 14 Plus
ucm2: codecs: lpass-rx-macro: move mixers that do not belong
UR44: Add stereo inputs to the HiFi profile, relabel the inputs and outputs
Recognize one more Steinberg UR44 variant
ucm2: sof-soundwire: add rt712+rt1320 amplifier
ucm2: MediaTek: mt8395-evk: Add support for SOF
Behringer UCM204HD/404HD: Fix the macro evaluation for Syntax 7+
UCM2: Intel: sof-hda-dsp: HiFi: IPC3 mono DMIC is exposed as stereo PCM
codecs/hda/hdmi.conf - add support for zero device
ucm2: MediaTek: mt8365-evk: Add SOF support
ucm2: USB-Audio: Add Teufel CAGE PRO
add MSI MAG B850M Mortar Wifi to USB-Audio.conf
ucm2: sof-soundwire: add rt712-vb device
UCM2: Intel: sof-hda-dsp: HiFi: Fix handling of mono DMICs
ucm2: Qualcomm: Update the HIFI enable mixer commands for qcm6490-idp and qcs6490-rb3gen2
ucm2: Qualcomm: Update the QCM6490 and QCS6490 hifi conf files
Qualcomm: Add QCS9075-IQ-EVK HiFi config
Changed 'Stream Mix' channel names to match the latest Window
ucm2: Qualcomm: add ASUS Vivobook S 15 support
USB-Audio: Added Beacn Mic and Studio Support
USB-Audio: Solid State Labs SSL 2 - fix capture channels
ucm2: IO-Boards: Toradex: smarc: add support
ucm2: USB-Audio: Behringer: Flow8: fix conflicting
ucm2: tegra: max98090: fix headphones conflicting device
ucm2: Qualcomm: sm8650: QRD: fix headset jack hw mute
ucm2: Qualcomm: sc8280xp: fix internal microphones device
Fix Presonus Revelator IO44 HWChannels count
tegra: max98089: fix cset names
ucm2: Qualcomm: Add Surface Laptop 7
ucm2: Qualcomm: x1e80100: Also match DMI board name
USB-Audio: Solid State Labs SSL 2+ - fix capture channels
USB-Audio: Remove useless sections for Solid State Labs SSL 2+
acp3x-alc5682-max98357: Fix path of HiFi.conf
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reduce the number of outgoing queries when resolving the nameservers
for delegation points. This helps a DNS resolver with a cold cache
resolve client queries with complex delegation chains and redirections.
[GL !11148]
Provide more information when memory allocation fails.
BIND now provides more information about the failure when memory
allocation fails. [GL !11272]
Bug Fixes
Adding NSEC3 opt-out records could leave invalid records in chain.
When creating an NSEC3 opt-out chain, a node in the chain could be
removed too soon. The previous NSEC3 would therefore not be found,
resulting in invalid NSEC3 records being left in the zone. This has
been fixed. [GL #5671]
Fix spurious timeouts while resolving names.
Sometimes, loops in the resolving process (e.g., to resolve or validate
ns1.example.com, we need to resolve ns1.example.com) were not properly
detected, leading to a spurious 10-second delay. This has been fixed,
and such loops are properly detected. [GL #3033] [GL #5578]
Fix bug where zone switches from NSEC3 to NSEC after retransfer.
When a zone was re-transferred but the zone journal on an
inline-signing secondary was out of sync, the zone could fall back to
using NSEC records instead of NSEC3. This has been fixed. [GL #5527]
AMTRELAY type 0 presentation format handling was wrong.
RFC 8777 specifies a placeholder value of . for the gateway field when
the gateway type is 0 (no gateway). This was not being checked for, nor
was it emitted when displaying the record. This has been corrected.
Instances of this record will need the placeholder period added to them
when upgrading. [GL #5639]
Fix parsing bug in remote-servers with key or TLS.
The remote-servers clause enables the following pattern using a named
server-list:
remote-servers a { 1.2.3.4; ... };
remote-servers b { a key foo; };
However, such a configuration was wrongly rejected, with an unexpected
token 'foo' error. This configuration is now accepted. [GL #5646]
Fix DoT reconfigure/reload bug in the resolver.
If client-side TLS transport was in use (for example, when forwarding
queries to a DoT server), named could terminate unexpectedly when
reconfiguring or reloading. This has been fixed. [GL #5653]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 5 Jan 2026 15:56:00 +0000 (15:56 +0000)]
Tor: Update to 0.4.8.21
Changes in version 0.4.8.21 - 2025-11-17
This release is a continuation of the previous one and addresses additional
Conflux-related issues identified through further testing and feedback from
relay operators. We strongly recommend upgrading as soon as possible.
o Major bugfixes (conflux, exit):
- When dequeuing out-of-order conflux cells, the circuit could be
closed in between two dequeues, which could lead to a mishandling of
a NULL pointer. Fixes bug 41162; bugfix on 0.4.8.4.
o Minor feature (compiler flag):
- Add -mbranch-protection=standard for arm64.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 17, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/11/17.
o Minor bugfixes (bridges, pluggable transport):
- Fix a bug causing the initial tor process to hang instead of
exiting with RunAsDaemon, when pluggable transports are used.
Fixes bug 41088; bugfix on 0.4.8.1-alpha.
Changes in version 0.4.8.20 - 2025-11-10
This release contains several bugfixes related to Conflux edge cases, as well as
adding a new hardening compiler flag if supported. We strongly recommend
upgrading as soon as possible.
o Minor feature (compiler flag):
- Add -fcf-protection=full if supported by the compiler.
Fixes 41139.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on October 06, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/11/10.
o Minor bugfixes (conflux fragile asserts):
- Fix the root cause of some conflux fragile asserts when a control
port listener is attached. Fixes bug 41037; bugfix on 0.4.8.16.
o Minor bugfixes (conflux, relay):
- Fix a series of conflux edge cases about sequence number
arithmetic and OOM handler kicking in under heavy memory pressure.
Fixes bug 41155; bugfix on 0.4.8.4.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 12:55:47 +0000 (13:55 +0100)]
wireless-regdb: Update to version 2025.10.07
- Update from version 2023.05.03 to 2025.10.07
- Update of rootfile
- Changelog
2025.10.07
Permit lower 6 GHz band for Kazakhstan (KZ)
Update regulatory info including bandwidth for Costa Rica (CR) for 2023
update regulatory rules for Sint Maarten (SX) for 2018
update regulatory rules for Botswana (BW) for 2022
2025.07.10
update regulatory rules for Bosnia and Herzegovina (BA) for 6 GHz
Update regulatory info for CEPT countries for 6GHz listed by WiFi Alliance
update regulatory rules for Paraguay (PY) on 6 GHz for 2025
Update regulatory info for Estonia (EE) for 2024
Update regulatory info for Vietnam (VN) for 2025
Update regulatory rules for Brazil (BR) on 6GHz
Update regulatory info for Egypt (EG) for 2024
Permit 320 MHz bandwidth in 6 GHz band for GB
Update regulatory info for Indonesia (ID) for 2025
2025.02.20
Update frequency range with NO-INDOOR for Oman (OM)
Update regulatory rules for Iran (IR) on both 2.4 and 5 GHz for 2021
allow NO-INDOOR flag in db.txt
Update regulatory info for Cayman Islands (KY) for 2024
Update regulatory rules for Austria (AT)
Permit 320 MHz bandwidth in 6 GHz band in ETSI/CEPT
Update regulatory rules for Armenia (AM) on 2.4 and 5 GHz
Update regulatory info for Oman (OM)
Update regulatory info for Azerbaijan (AZ) on 6GHz for 2024
Update regulatory info for Moldova (MD) on 6GHz for 2022
Update regulatory info for Syria (SY) for 2020
assert and correct maximum bandwidth within frequency difference
2024.10.07
Update regulatory info for Tanzania (TZ) for 2024
Update regulatory info for Pakistan (PK) for 2024
Update regulatory info for Serbia (RS) for 2024
Revert Update regulatory info for Serbia (SR) for 2024
Correct regulatory rules of 6GHz frequency for Türkiye (TR)
Update regulatory info for Honduras (HN) for 2023
Update regulatory info for Israel (IL) for 2021
Update regulatory info for Kuwait (KW) for 2022
Update regulatory info for Serbia (SR) for 2024
Add .b4-config
Update .gitignore
Correct regulatory rules for China (CN)
Update regulatory info for Philippines (PH) on 6GHz
Update regulatory info for Guatemala (GT) for 2020
Update regulatory info for Bahrain (BH) for 2024
Add regulatory info for Namibia (NA) for 2023
Update regulatory info for Togo (TG) for 2022
Update regulatory info for El Salvador (SV) on 6GHz
Update regulatory info for Peru (PE) on 6GHz
Update regulatory info for New Zealand (NZ) for 2022
Update regulatory info for Qatar (QA) on 6GHz
2024.07.04
Update regulatory info for Macao (MO) for 2024
Update regulatory info for Kenya (KE) for 2022
Update regulatory info for Jordan (JO) for 2022
Update regulatory info for Liechtenstein (LI) on 6GHz
Update regulatory info for Dominican Republic (DO) on 6GHz
Update regulatory info for Costa Rica (CR) for 2021
Update regulatory info for Colombia (CO) on 6GHz
Update regulatory info for United Arab Emirates (AE) on 6GHz
Update regulatory info for Argentina (AR) on 6GHz
Update regulatory info for Mauritius(MU) on 6GHz
Update regulatory info for Iceland (IS) on 6GHz
Update regulatory info for Mexico (MX) on 6GHz
Update regulatory info for Chile (CL) on 6GHz
Update regulatory info for Morocco (MA) on 6GHz
Update regulatory info for Malaysia (MY) for 2022
Update regulatory info for Thailand (TH) on 6GHz
Update regulatory rules for South Africa (ZA) on 6GHz
Update regulatory rules for Saudi Arabia (SA) on 6GHz
Update regulatory rules for Mongolia (MN) on 6GHz
2024.05.08
Update regulatory rules for Taiwan (TW) on 6GHz
Revert Update and disable 5470-5730MHz band according to TPC requirement for Singapore (SG)
2024.01.23
Update and disable 5470-5730MHz band according to TPC requirement for Singapore (SG)
Update regulatory rules for Singapore (SG) for September 2023
Update regulatory rules for Japan (JP) for December 2023
Update regulatory rules for China (CN)
Makefile Reproducible signatures
Update keys and maintainer information
2023.09.01
Update regulatory rules for Australia (AU) for June 2023
Update regulatory info for Türkiye (TR)
Update regulatory rules for Egypt (EG) from March 2022 guidelines
Update regulatory rules for Philippines (PH)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:28:05 +0000 (11:28 +0100)]
readline: Update to version 8.3 patch 3
- Update from version 8.3 patch 1 to 8.3 patch 3
- No change to rootfile
- Changelog
8.3-003
A SIGINT during a reverse i-search can cause a segmentation fault due to
accessing data freed by a signal handler.
8.3-002
If an application calls rl_save_prompt, which sets rl_prompt to NULL,
without calling rl_set_prompt to set it to a new value, readline redisplay
can dereference a NULL pointer.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:28:04 +0000 (11:28 +0100)]
oath-toolkit: Update to version 2.6.13
- Update from version 2.6.12 to 2.6.13
- No change to rootfile
- Changelog
2.6.13
liboath/libpskc: Fix _FORTIFY_SOURCE build problem and allow configuration.
Some platforms (e.g., Ubuntu 24.10) set _FORTIFY_SOURCE in the default
compiler settings, and this caused build failures since our code
unconditionally #define'd _FORTIFY_SOURCE to 2. We now allow you to
override the desired level by running, for example ./configure
CPPFLAGS=-D_FORTIFY_SOURCE=3 or CPPFLAGS=-D_FORTIFY_SOURCE=0.
liboath: Fix --with-openssl builds, and test for it in pipeline.
Reported by Tomasz Kłoczko in
<https://codeberg.org/oath-toolkit/oath-toolkit/issues/36>.
Git hosting moved from gitlab.com to codeberg.org.
The new URL is https://codeberg.org/oath-toolkit/oath-toolkit although
the old GitLab project will continue to be used for pipelines:
https://gitlab.com/oath-toolkit/oath-toolkit/-/pipelines
Various build fixes including updated gnulib files.
Gnulib files are no longer stored in git version control. As a
consequence, gnulib is a required build dependency when building from
git, see CONTRIBUTING.md.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:28:03 +0000 (11:28 +0100)]
libpng: Update to version 1.6.53
- Update from version 1.6.51 to 1.6.53
- Update of rootfile
- CVE fix from version 1.6.52
- Changelog
1.6.53
Fixed a build failure on RISC-V RVV caused by a misspelled intrinsic.
(Contributed by Alexander Smorkalov.)
Fixed a build failure with CMake 4.1 or newer, on Windows, when using
Visual C++ without MASM installed.
1.6.52
Fixed CVE-2025-66293 (high severity):
Out-of-bounds read in `png_image_read_composite`.
(Reported by flyfish101 <flyfish101@users.noreply.github.com>.)
Fixed the Paeth filter handling in the RISC-V RVV implementation.
(Reported by Filip Wasil; fixed by Liang Junzhao.)
Improved the performance of the RISC-V RVV implementation.
(Contributed by Liang Junzhao.)
Added allocation failure fuzzing to oss-fuzz.
(Contributed by Philippe Antoine.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:28:02 +0000 (11:28 +0100)]
libidn2: Update to version 2.3.8
- Update from version 2.3.7 to 2.3.8
- No change to rootfile
- Changelog
2.3.8
Unicode 15.1.0 table updates. Now U+19DA is DISALLOWED again
(see version 2.3.4 release notes).
The release tarball is now reproducible.
We publish a minimal source-only tarball generated by 'git archive'.
The release tarball uses tar --format=ustar.
The idn2 tool now binds the "gnulib" domain for translations.
Update gnulib files and various build/maintenance fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:28:01 +0000 (11:28 +0100)]
libgpg-error: Update to version 1.58
- Update from version 1.56 to 1.58
- Update of rootfile
- Changelog
1.58
Fix building of static libraries on Windows. [rE421e101cf9]
1.57
The sysconfdir as provided by the configure run is now used for the
default global config files of the argparser. [T7894]
New function gpgrt_fconcat and improved the existing
gpgrt_fnameconcat and gpgrt_absfnameconcat. [T7894,rE34dba88757]
On Windows use the UI language instead of the locale for
translations. [T7874]
Some minor build improvements for zOS.
Updated the Swedish and Portuguese translations.
Interface changes relative to the 1.56 release:
gpgrt_fconcat NEW.
GPGRT_FCONCAT_ABS NEW.
GPGRT_FCONCAT_TILDE NEW.
GPGRT_FCONCAT_SYSCONF NEW.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:27:55 +0000 (11:27 +0100)]
bash: Update to version 5.3 patch 9
- Update from version 5.3 patch 8 to 5.3 patch 9
- No change to rootfile
- Changelog
5.3-009
A SIGINT during a reverse i-search can cause a segmentation fault due to
accessing data freed by a signal handler.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Dec 2025 21:46:50 +0000 (22:46 +0100)]
strongswan: Update to version 6.0.4
- Update from version 6.0.3 to 6.0.4
- No change to the rootfile
- Changelog
6.0.4
Vulnerabilities
Fixed a vulnerability in the NetworkManager plugin that potentially allows
using credentials of other local users. This vulnerability has been
registered as CVE-2025-9615. Please refer to our blog for details.
Enhancements and Optimizations
Concurrent requests to fetch the same CRL URI by multiple threads are now
combined by the revocation plugin (#2918). Only the first thread
actually fetches it, the others wait for that result. This is
particularly helpful if the CRL can currently not be fetched due to DNS
or HTTP/LDAP timeouts as it avoids that each thread has to wait
individually, reducing the number of SAs that can concurrently be
established as threads are blocked longer. A negative result is cached
for a while (currently 30 seconds) so requests can fail quickly and
threads can continue establishing SAs if they use a relaxed revocation
policy.
The maximum supported length for section names in swanctl.conf has been
increased to the upper limit of 256 characters that's enforced by VICI
(#2936).
Fixes
Prevent a crash if a confused peer rekeys a Child SA twice before sending a
delete (#2945).
Fixed a memory leak if a peer's self-signed certificate is untrusted (#2954).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 14 Dec 2025 14:02:17 +0000 (15:02 +0100)]
tzdata: Update to version 2025c
- Update from version 2025b to 2025c
- No change in rootfile
- Changelog
2025c
Changes to past timestamps
Baja California agreed with California’s DST rules in 1953 and in
1961 through 1975, instead of observing standard time all year.
(Thanks to Alois Treindl.)
Changes to build procedure
Files in distributed tarballs now have correct commit times.
Formerly, the committer’s time zone was incorrectly ignored.
Distribution products (*.asc, *.gz, and *.lz) now have
reproducible timestamps. Formerly, only the contents of the
compressed tarballs had reproducible timestamps.
By default, distributed formatted man pages (*.txt) now use UTF-8
and are left-adjusted more consistently. A new Makefile macro
MANFLAGS can override these defaults. (Thanks to G. Branden
Robinson for inspiring these changes.)
Changes to code
An unset TZ is no longer invalid when /etc/localtime is missing,
and is abbreviated "UTC" not "-00". This reverts to 2024b behavior.
(Problem and patch reported by Dag-Erling Smørgrav.)
New function offtime_r, short for fixed-offset localtime_rz.
It is defined if STD_INSPIRED is defined.
(Patch from Dag-Erling Smørgrav.)
tzset etc. are now more cautious about questionable TZ settings.
Privileged programs now reject TZ settings that start with '/',
unless they are TZDEFAULT (default "/etc/localtime") or
start with TZDIR then '/' (default "/usr/share/zoneinfo/").
Unprivileged programs now require files to be regular files
and reject relative names containing ".." directory components;
formerly, only privileged programs did those two things.
These changes were inspired by similar behavior in FreeBSD.
On NetBSD, unprivileged programs now use O_REGULAR to check
whether a TZ setting starting with '/' names a regular file,
avoiding a minor security race still present elsewhere.
TZ strings taken from tzalloc arguments are now treated with
no less caution than TZ strings taken from the environment, as
the old undocumented behavior would have been hard to explain.
tzset etc. no longer use the ‘access’ system call to check access;
instead they now use the system calls issetugid, getauxval,
getresuid/getresgid, and geteuid/getegid/getuid/getgid (whichever
first works) to test whether a program is privileged.
Compile with -DHAVE_SYS_AUXV_H=[01] to enable or disable
<sys/auxv.h> which (if it defines AT_SECURE) enables getauxval,
and compile with -DHAVE_ISSETUGID=[01], -DHAVE_GETRESUID=[01], and
-DHAVE_GETEUID=[01] to enable or disable the other calls’ use.
The new CFLAGS option -DTZ_CHANGE_INTERVAL=N makes tzset etc.
check for TZif file changes if the in-memory data are N seconds
old or more, and are derived from the TZ environment variable.
This is intended for platforms that want tzset etc. to reflect
changes to whatever file TZ selects (including changes to
/etc/localtime if TZ is unset). If N is negative (the default)
these checks are omitted; this is the traditional behavior.
The new CFLAGS options -DHAVE_STRUCT_STAT_ST_CTIM=0 and
-DHAVE_STRUCT_TIMESPEC=0 port to non-POSIX.1-2008 platforms
that lack st_ctim and struct timespec, respectively.
tzset etc. now treat ' ' like '_' in time zone abbreviations,
just as they treat other invalid bytes. This continues the
transition begun in release 96k, which removed spaces in tzdata
because the spaces break time string parsers.
The new CFLAGS option -DTHREAD_PREFER_SINGLE causes tzcode
in single-threaded processes to avoid locks, as FreeBSD does.
This can save time in single-threaded apps. The threadedness
testing costs CPU time and energy in multi-threaded apps.
New options -DHAVE___ISTHREADED and -DHAVE_SYS_SINGLE_THREADED_H
can help configure how to test for single-threadedness.
The new CFLAGS option -DTHREAD_RWLOCK uses read-write locks, as
macOS does, instead of mutexes. This saves real time when TZ is
rarely changing and many threads call tzcode simultaneously.
It costs more CPU time and energy.
The new CFLAGS option -DTHREAD_TM_MULTI causes localtime to return
a pointer to thread-specific memory, as FreeBSD does, instead of
to the same memory in all threads. This supports unportable
programs that incorrectly use localtime instead of localtime_r.
This option affects gmtime and offtime similarly to localtime.
Because the corresponding storage is freed on thread exit, this
option is incompatible with POSIX.1-2024 and earlier. It also
costs CPU time and memory.
tzfree now preserves errno, consistently with POSIX.1-2024 ‘free’.
tzcode now uses mempcpy if available, guessing its availability.
Compile with -DHAVE_MEMPCPY=1 or 0 to override the guess.
tzcode now uses strnlen to improve asymptotic performance a bit.
Compile with -DHAVE_STRNLEN=0 if your platform lacks it.
tzcode now hand-declares unistd.h-provided symbols like getopt
if HAVE_UNISTD_H=0, not if HAVE_POSIX_DECLS=0.
tzset etc. now have an experimental OPENAT_TZDIR option;
see Makefile and localtime.c for details.
On platforms like GNU/Hurd that do not define PATH_MAX,
exceedingly long TZ strings no longer fail merely because they
exceed an arbitrary file name length limit imposed by tzcode.
zic has new options inspired by FreeBSD. ‘-D’ skips creation of
output ancestor directories, ‘-m MODE’ sets output files’ mode,
and ‘-u OWNER[:GROUP]’ sets output files’ owner and group.
zic now uses the fdopen function, which was standardized by
POSIX.1-1988 and is now safe to use in portable code.
This replaces its use of the older umask function, which
complicated maintenance.
Changes to commentary
The leapseconds file contains commentary about the IERS and NIST
last-modified and expiration timestamps for leap second data.
(Thanks to Judah Levine.)
Commentary now also uses characters from the set –‘’“”•≤ as this
can be useful and should work with current applications. This
also affects data in iso3166.tab and zone1970.tab, which now
contain strings like “Côte d’Ivoire” instead of “Côte d'Ivoire”.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
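The TZ file-name checks described in the tzdata 2025c changelog above (privileged programs accept absolute TZ paths only for TZDEFAULT or below TZDIR; all programs require a regular file and reject relative names with ".." components), written out as an added example. This is not tzcode's own implementation: the TZDEFAULT and TZDIR values are the defaults the changelog quotes, and the privilege test and the stat() result are passed in as flags so the code runs offline.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed defaults; the changelog quotes these as the tzcode defaults. */
#define TZDEFAULT "/etc/localtime"
#define TZDIR     "/usr/share/zoneinfo"

/* True if NAME contains a ".." directory component (e.g. "a/../b", "../x").
 * Splits on '/' so that "..." or "x.." are not flagged. */
static bool has_dotdot_component(const char *name)
{
    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!slash)
            return false;
        p = slash + 1;
    }
}

/* True if PATH is exactly TZDEFAULT or lies below TZDIR (TZDIR followed by '/').
 * A mere prefix match such as "/usr/share/zoneinfo-other/X" is not enough. */
static bool is_trusted_absolute(const char *path)
{
    size_t n = strlen(TZDIR);
    if (strcmp(path, TZDEFAULT) == 0)
        return true;
    return strncmp(path, TZDIR, n) == 0 && path[n] == '/';
}

/* Decide whether tzset may open the file named by TZ.
 *   privileged : the process is set-uid/set-gid-like (what tzcode derives
 *                from issetugid, AT_SECURE, getresuid, ... in the real code)
 *   is_regular : the named file is a regular file (the caller's stat result,
 *                passed in here so the example needs no filesystem)
 * Rules as stated in the 2025c changelog: every program requires a regular
 * file and rejects relative names containing "..", and a privileged program
 * additionally accepts an absolute TZ only if it is TZDEFAULT or below TZDIR. */
bool tz_setting_allowed(const char *tz, bool privileged, bool is_regular)
{
    if (tz[0] == '/') {
        if (privileged && !is_trusted_absolute(tz))
            return false;            /* would let a setuid program read any file */
    } else if (has_dotdot_component(tz)) {
        return false;                /* relative names must stay below TZDIR */
    }
    return is_regular;               /* no FIFOs, devices or directories */
}

int main(void)
{
    /* Constructed sample settings, not taken from any real system. */
    struct { const char *tz; bool priv; bool reg; } samples[] = {
        { "/etc/localtime",                    true,  true  },
        { "/usr/share/zoneinfo/Europe/Berlin", true,  true  },
        { "/tmp/untrusted.tzif",               true,  true  },
        { "/tmp/untrusted.tzif",               false, true  },
        { "../../outside",                     false, true  },
        { "Europe/Berlin",                     false, false },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s privileged=%d regular=%d -> %s\n", samples[i].tz,
               samples[i].priv, samples[i].reg,
               tz_setting_allowed(samples[i].tz, samples[i].priv, samples[i].reg)
                   ? "accepted" : "rejected");
    return 0;
}
```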
Adolf Belka [Fri, 12 Dec 2025 16:38:11 +0000 (17:38 +0100)]
exclude: Add the suricata sgh cache directory to the list
- Depending on the number of suricata rulesets that users have got enabled the suricata
cache in /var/cache/suricata/sgh/ gets currently backed up in the ipfire .ipf file
and some users are ending up with backup files that used to be 190MB and are now
greater than 700MB, some even over 800MB.
- This change excludes the cache from the backup as it seems that a restore with a cache
from an earlier time does not make sense.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Dec 2025 14:07:07 +0000 (15:07 +0100)]
dracut-ng: Update the rootfile to include initqueue
- In dracut-180 initqueue was removed from the base system and made its own set. This
was missed when the original release was done and the initqueue entries were
commented out.
- Tested out with the new 6.18.0 kernel evaluation and initqueue was successfully
installed and therefore also subsequently btrfs, lvm & mdraid that depended on
initqueue
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 9 Dec 2025 11:46:22 +0000 (11:46 +0000)]
dns.cgi: Consistently show the legend
Fixes: #13917 - Legend in dns.cgi disappears
Suggested-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 8 Dec 2025 13:00:04 +0000 (14:00 +0100)]
fort-validator: Update to version 1.6.7
- Update from version 1.6.6 to 1.6.7
- Change from the Github created tarball to the fort created tarball, which is the one
they specify to use in their compile and install documentation.
- Version 1.6.7 requires libmicrohttpd as a runtime dependency. This has been provided
in this patch set.
- No change to the rootfile
- Changelog
1.6.7
bug #50: Add simple Prometheus
bug #159: Validate PrintableString character set
bug #160: Add HTTP proxy
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 6 Dec 2025 12:04:15 +0000 (13:04 +0100)]
tshark: Update to version 4.6.2
- Update from version 4.6.1 to 4.6.2
- Update of rootfile
- Changelog
4.6.2
Bug Fixes
This release fixes an API/ABI change that was introduced in
Wireshark 4.6.1, which caused a compatibility issue with plugins
built for Wireshark 4.6.0. Issue 20881.
The following vulnerabilities have been fixed:
wnpa-sec-2025-07 HTTP3 dissector crash. Issue 20860.
wnpa-sec-2025-08 MEGACO dissector infinite loop. Issue 20884.
The following bugs have been fixed:
ws_base32_decode should be named *_encode ? Issue 20754.
Omnipeek files not working in 4.6.1. Issue 20876.
Stack buffer overflow in wiretap/ber.c (ber_open) Issue 20878.
Plugins incompatibility between 4.6.0 & 4.6.1. Issue 20881.
Fuzz job crash: fuzz-2025-11-30-12266121180.pcap. Issue 20883.
New and Updated Features
The Windows installers now ship with the Visual C++ Redistributable
version 14.44.35112. They previously shipped with 14.40.33807.
Updated Protocol Support
ATM PW, COSEM, COTP, DECT NR+, DMP, Fc00, GTP, HTTP3, IEEE 802.15.4,
ISIS HELLO, ISOBUS, MAC-LTE, MAUSB, MEGACO, MPEG DSM-CC, OsmoTRXD,
PTP, RLC, SAPDIAG, and SMTP
New and Updated Capture File Support
Peektagged
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.66
"Changes with Apache 2.4.66
*) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
bypass via AllowOverride FileInfo (cve.mitre.org)
mod_userdir+suexec bypass via AllowOverride FileInfo
vulnerability in Apache HTTP Server. Users with access to use
the RequestHeader directive in htaccess can cause some CGI
scripts to run under an unexpected userid.
This issue affects Apache HTTP Server: from 2.4.7 through
2.4.65.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Mattias Åsander (Umeå University)
*) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
variable override (cve.mitre.org)
Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability in Apache HTTP Server through environment
variables set via the Apache configuration unexpectedly
superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes
the issue.
Credits: Mattias Åsander (Umeå University)
*) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
Windows through UNC SSRF (cve.mitre.org)
Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows
with AllowEncodedSlashes On and MergeSlashes Off allows potentially leaking NTLM
hashes to a malicious server via SSRF and malicious requests or content.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
Includes adds query string to #exec cmd=... (cve.mitre.org)
Apache HTTP Server 2.4.65 and earlier with Server Side Includes
(SSI) enabled and mod_cgid (but not mod_cgi) passes the
shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Anthony Parfenov (United Rentals, Inc.)
*) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
unintended retry intervals (cve.mitre.org)
An integer overflow in the case of failed ACME certificate
renewal leads, after a number of failures (~30 days in default
configurations), to the backoff timer becoming 0. Attempts to
renew the certificate then are repeated without delays until it
succeeds.
This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Aisle Research
*) mod_http2: Fix handling of 304 responses from mod_cache. PR 69580.
[Stefan Eissing]
*) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
integers, used in push diaries and proxy window size calculations.
PR 69741 [Benjamin P. Kallus]
*) mod_md: update to version 2.6.5
- New directive `MDInitialDelay`, controlling how long to wait after
a server restart before checking certificates for renewal.
[Michael Kaufmann]
- Hardening: when built with OpenSSL older than 1.0.2 or old libressl
versions, the parsing of ASN.1 time strings did not do a length check.
- Hardening: when reading back OCSP responses stored in the local JSON
store, missing 'valid' key led to uninitialized values, resulting in
wrong refresh behaviour.
*) mod_md: update to version 2.6.6
- Fix a small memory leak when using OpenSSL's BIGNUMs. [Theo Buehler]
- Fix reuse of curl easy handles by resetting them. [Michael Kaufmann]
*) mod_http2: update to version 2.0.35
New directive `H2MaxStreamErrors` to control how much bad behaviour
by clients is tolerated before the connection is closed.
[Stefan Eissing]
*) mod_proxy_http2: add support for ProxyErrorOverride directive. PR 69771
*) mpm_common: Add new ListenTCPDeferAccept directive that allows specifying
the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
[Ruediger Pluem]
*) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual
host compatibility policy. PR 69743. [Joe Orton]
*) mod_md: update to version 2.6.2
- Fix error retry delay calculation to not already double the wait
on the first error.
*) mod_md: update to version 2.6.1
- Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
traffic on errored renewals for the ACME CA. This leads to error retries
of 30s, 1 minute, 2, 4, etc. up to daily attempts.
- Checking that configuring `MDRetryDelay` will result in a positive
duration. A delay of 0 is not accepted.
- Fix a bug in checking Content-Type of responses from the ACME server.
- Added ACME ARI support (rfc9773) to the module. Enabled by default. New
directive "MDRenewViaARI on|off" for controlling this.
- Removing tailscale support. It has not been working for a long time
as the company decided to change their APIs. Away with the dead code,
documentation and tests.
- Fixed a compilation issue with pre-industrial versions of libcurl"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 5 Dec 2025 19:24:43 +0000 (20:24 +0100)]
openvpn: Update to version 2.6.17
- Update from 2.6.16 to 2.6.17
- No change to rootfile
- Changelog
2.6.17
Security fixes:
CVE-2025-13751: Windows/interactive service: fix erroneous exit on error
that could be used by local Windows users to achieve a local
denial-of-service
Bug fixes:
Windows/interactive service: improve service pipe robustness against file
access races (uuid) and access by unauthorized processes (ACL).
upgrade bundled build instruction (vcpkg and patch) for pkcs11-helper to
1.31, fixing a parser bug
Windows MSI changes since 2.6.16-I001:
Built against OpenSSL 3.6.0
Included openvpn-gui updated to 11.59.0.0
Authorize config before opening the service pipe
Remove dependence on pathcch.dll not in Windows 7
Included win-dco driver updated to 2.8.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 5 Dec 2025 19:24:40 +0000 (20:24 +0100)]
bash: Update to version 5.3 patch 8
- Update from version 5.3 patch 3 to 5.3 patch 8
- No change to rootfile
- Changelog
patch 8
Bash tries to consume entire multibyte characters when looking for backslash
escapes in $'...' strings, and treats too many characters as potentially
beginning a multibyte character in UTF-8 locales. Being more selective about
when to call mbrtowc() can lead to optimized string processing and script
speedups. This patch also handles the unlikely situation of a locale
encoding null wide characters with non-null bytes.
patch 7
No-fork command substitutions can perform redirections that act on the
enclosing command as well.
patch 6
When `globasciiranges' is enabled, glob patterns with ranges in bracket
expressions can produce incorrect matches for character ranges whose
start and end are non-ascii characters.
patch 5
Restoring the default disposition in a subshell for a signal bash treats
specially can cause a crash.
patch 4
The Linux kernel reports incorrect sizes for files in /sys/block/*/uevent,
leading bash to report a read error when the byte count does not agree
with the file size from fstat(2).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 8 Dec 2025 11:19:48 +0000 (11:19 +0000)]
ppp: Send LCP keepalive packets only when there is no traffic
lcp-echo-adaptive
If this option is used with the lcp-echo-failure option
then pppd will send LCP echo-request frames only if no
traffic was received from the peer since the last
echo-request was sent.
Suggested-by: Heath Harry <hharry06@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 28 Nov 2025 12:23:08 +0000 (12:23 +0000)]
unbound: Launch more threads
This partially reverts 0f0f3ae7dc5da502c1aaf4bb295778d7657a0af5 which
attempted to remove lock contention. However, we are still observing
that Unbound sometimes just seems to hang. This should create multiple
independent threads which could compensate if one of the threads locks
up and is in line with upstream configuration.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 3 Dec 2025 10:24:34 +0000 (10:24 +0000)]
dnsdist: Update to 2.0.2
We released PowerDNS DNSdist 2.0.2 today, fixing several issues:
- the wrong reply address was used when using DNS over QUIC or DNS over HTTP/3 on FreeBSD
- query rules were not processed after setting a tag from a dynamic rule
- selecting the Lua version to use was not possible when building with meson
- rules executed from a timeout when invoked without a valid DNS header, causing issues with some selectors and actions
- large UDP responses received via AF_XDP/XSK were not always properly processed
- the round-robin load-balancing policy was not using an atomic counter, and could thus have a bias
- meta protocol buffer keys were not properly passed from query to response
- setting the hash perturbation to a custom value from YAML was not working properly
- TCP connections to backends could fail on macOS and some BSD systems
- invalid regular expressions from YAML are now properly handled
- unknown selectors and policies in YAML could lead to a crash when parsing the configuration
- "TimedIPSet" objects can now be used from YAML
- errors in Lua traceback handlers are now properly handled
- we added a workaround for a memory leak present in OpenSSL 3.6.0
A few performance improvements were also made:
- inserting into the in-memory rings is a bit faster
- using "recvmmsg" is now faster
- change bogusV4/bogusV6 addresses to static constants to avoid parsing in every call (delichik)
- the default maximum number of descriptors has been raised to 1M
- the FFI "alternate name" interface has been refactored
And the following new features were added:
- a new selector to match the incoming protocol
- a Date: response header is now included for rejected HTTP/1 requests
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3510000 to 3510100
- Update of rootfile
- Changelog 3510100
Fix incorrect results from nested EXISTS queries caused by the optimization in
item 6b in the 3.51.0 release.
Fix a latent bug in fts5vocab virtual table, exposed by new optimizations in
the 3.51.0 release
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 2 Dec 2025 11:57:46 +0000 (12:57 +0100)]
postfix: Update to version 3.10.6
- Update from version 3.10.4 to 3.10.6
- No change to rootfile
- Changelog
3.10.6
Bugfix (defect introduced: Postfix 3.10, date: 20250117). Symptom: warning messages
that smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt".
Root cause: Support for "TLS-Required: no" broke client-side TLS wrappermode
support, by downgrading a connection to TLS security level 'may'.
The fix changes the downgrade level for wrappermode connections to 'encrypt'.
Rationale: by design, TLS can be optional only for connections that use
STARTTLS. The downgrade to unauthenticated 'encrypt' allows a sender to avoid
an email delivery problem. Problem reported by Joshua Tyler Cochran.
New logging: the Postfix SMTP client will log a warning when an MX hostname does
not match STS policy MX patterns, with "smtp_tls_enforce_sts_mx_patterns = yes"
in Postfix, and with TLSRPT support enabled in a TLS policy plugin. It will log
a successful match only when verbose logging is enabled.
Bugfix (defect introduced: Postfix 3.10, date: 20240902): SMTP client null pointer
crash when an STS policy plugin sends no policy_string or no mx_pattern
attributes. This can happen only during tests with a fake STS plugin.
Bugfix (defect introduced: Postfix 2.9, date: 20120307): segfault when a duplicate
parameter name is given to "postconf -X" or "postconf -#".
Documentation: removed incorrect text from the parameter description for
smtp_cname_overrides_servername. File: proto/postconf.proto.
3.10.5
Workaround for an interface mis-match between the Postfix SMTP client and MTA-STS
policy plugins.
The existing behavior is to connect to any MX host listed in DNS, and
to match the server certificate against any STS policy MX host pattern.
The corrected behavior is to connect to an MX host only if its name
matches any STS policy MX host pattern, and to match the server
certificate against the MX hostname.
The corrected behavior must be enabled in two places: in Postfix with a new
parameter "smtp_tls_enforce_sts_mx_patterns" (default: "yes") and in an
MTA-STS plugin by enabling TLSRPT support, so that the plugin forwards STS
policy attributes to Postfix. This works even if Postfix TLSRPT support is
disabled at build time or at runtime.
TLSRPT Workaround: when a TLSRPT policy-type value is "no-policy-found", pretend
that the TLSRPT policy domain value is equal to the recipient domain. This
ignores that different policy types (TLSA, STS) use different policy domains.
But this is what Microsoft does, and therefore, what other tools expect.
Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP client's connection
reuse logic did not distinguish between sessions that require SMTPUTF8
support, and sessions that do not. The solution is 1) to store sessions with
different SMTPUTF8 requirements under distinct connection cache storage keys,
and 2) to not cache a connection when SMTPUTF8 is required but the server does
not support that feature.
Bugfix (defect introduced: Postfix 3.0, date 20140731): the smtpd 'disconnect'
command statistics did not count commands with "bad syntax" and
"bad UTF-8 syntax" errors.
Bugfix: the August 2025 patch broke DBM library support which is still needed on
Solaris; and the same change could result in warnings with
"database X is older than source file Y".
Postfix 3.11 forward compatibility: to avoid ugly warnings when Postfix 3.11 is
rolled back to an older version, allow a preliminary 'size' record in maildrop
queue files created with Postfix 3.11 or later.
Bugfix (defect introduced: Postfix 3.8, date 20220128): non-reproducible build,
because the 'postconf -e' output order for new main.cf entries was no longer
deterministic. Problem reported by Oleksandr Natalenko, diagnosis by Eray Aslan.
To make builds predictable, add missing meta_directory and shlib_directory
settings to the stock main.cf file. Problem diagnosed by Eray Aslan.
Bugfix (defect introduced: Postfix 3.9, date 20230517): posttls-finger(1) logged
an incorrectly-formatted port number. Viktor Dukhovni.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
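As an added illustration of the MX host selection change described in the Postfix 3.10.5 notes above (example code, not Postfix's own), the following Python models the old behaviour (connect to any DNS MX host, match the certificate against any policy pattern) beside the corrected one (connect only to MX hosts whose name matches a policy pattern, match the certificate against that hostname). The wildcard semantics follow RFC 8461 section 4.1, and the hostnames are constructed sample data.

```python
"""MX host selection under an MTA-STS policy (added example, not Postfix code)."""

from typing import Dict, Iterable, List


def mx_matches_pattern(mx_host: str, pattern: str) -> bool:
    """Return True if an MX hostname matches an MTA-STS policy 'mx:' pattern.

    Per RFC 8461 section 4.1 a pattern is either an exact hostname or a
    leading-wildcard form such as '*.example.net', where the wildcard stands
    for exactly one leftmost label. Comparison is case-insensitive and
    ignores a trailing dot from DNS.
    """
    mx_host = mx_host.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '.example.net'
        if not mx_host.endswith(suffix) or len(mx_host) <= len(suffix):
            return False
        # Everything before the suffix must be a single label (no dots).
        return "." not in mx_host[: -len(suffix)]
    return mx_host == pattern


def select_mx_hosts(dns_mx_hosts: Iterable[str], policy_mx_patterns: Iterable[str],
                    enforce_sts_mx_patterns: bool = True) -> Dict[str, List[str]]:
    """Map each MX host that would be contacted to the names its certificate must match.

    enforce_sts_mx_patterns=False models the old behaviour from the note: every
    DNS MX host is contacted and its certificate is matched against any policy
    pattern. True models the corrected behaviour: only MX hosts whose name
    matches a policy pattern are contacted, and the certificate must match
    that MX hostname itself.
    """
    patterns = list(policy_mx_patterns)
    if not enforce_sts_mx_patterns:
        return {mx: patterns for mx in dns_mx_hosts}
    return {mx: [mx] for mx in dns_mx_hosts
            if any(mx_matches_pattern(mx, p) for p in patterns)}


# Constructed sample data: MX records as returned by (unauthenticated) DNS and
# the 'mx:' entries of the recipient domain's STS policy.
DNS_MX_HOSTS = ["mx1.example.net", "mx2.example.net", "relay.example.org"]
POLICY_MX_PATTERNS = ["*.example.net"]
```

With the sample data, the corrected mode drops `relay.example.org`, which the DNS answer lists but the policy does not cover, while the old mode would still have connected to it.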