Adolf Belka [Mon, 27 Oct 2025 10:35:41 +0000 (11:35 +0100)]
samba: Update to version 4.23.2
- Update from version 4.23.1 to 4.23.2
- No change to any of the rootfiles
- Changelog
4.23.2
This is a security release in order to address the following defects:
o CVE-2025-9640: Uninitialized memory disclosure via vfs_streams_xattr.
https://www.samba.org/samba/security/CVE-2025-9640.html
o CVE-2025-10230: Command injection via WINS server hook script.
https://www.samba.org/samba/security/CVE-2025-10230.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 15:37:54 +0000 (17:37 +0200)]
fetchmail: Update to version 6.5.7
- Update from version 6.5.6 to 6.5.7
- No change to rootfile
- Changelog
6.5.7
BUGFIXES:
* When authenticating to an SMTP server, the AUTH LOGIN method (which didn't
become a proposed standard, and is only the third method fetchmail would try,
if CRAM-MD5 and PLAIN weren't offered) required that the server returned
a 334 code followed by a blank and by a decodable base64 challenge we ignored
anyways. This is in line with RFC 4952.
However, to improve compatibility, fetchmail now accepts anything that
starts with "334 " and disregards the remainder of the line.
At the same time, AUTH LOGIN was deprecated. AUTH PLAIN should be available
everywhere AUTH LOGIN is, and is specified in IETF RFC 4616.
* When authenticating to an SMTP server, i. e. esmtpname/esmtppassword are
defined, check for errors, and skip servers that do not understand EHLO,
because we cannot negotiate supported authentication schemes with them.
This should avoid attempting to send a lot of messages and see them rejected.
* When authenticating to an SMTP server, do not send client abort "*" when
we receive any other server reply but 334.
* Extend 6.5.6's RFC-5321 address-literal fix to MAIL FROM. This might
apply when we only have a server's IP address and need to qualify
addresses without domain. Fixes Debian Bug#1080025.
* SMTP AUTH can now look up passwords from the .netrc file - for that,
fetchmail's esmtpname setting must match the login for the given host in
.netrc. Fixes Debian Bug#1056651 by Ticker Berkin.
* Improve the GSSAPI (Kerberos V) build, which was pretty hard to get working.
This was improved. Recommendation:
- For autoconf builds (./configure), be sure to have the desired krb5-config
executable early on $PATH before running ./configure.
- For meson builds, be sure to list the path to your krb5-gssapi.pc file on
PKG_CONFIG_PATH. (meson will fall back to krb5-config, so if that's on PATH,
that should also work.)
TRANSLATION UPDATES were contributed by these fine people - thank you!
* The Italian translation is back - it had been missing from earlier 6.5.X
since it had fallen too far behind with the last update in 2010.
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* es: Cristian Othón Martínez Vera [Spanish]
* fr: Frédéric Marchal [French]
* it: Luca Vercelli [Italian]
* ja: Takeshi Hamasaki [Japanese]
* pl: Jakub Bogusz [Polish]
* ro: Remus-Gabriel Chelu [Romanian]
* sq: Besnik Bleta [Albanian]
* sv: Göran Uddeborg [Swedish]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:28:57 +0000 (18:28 +0200)]
whois: Update to version 5.6.5
- Update from version 5.6.4 to 5.6.5
- No change to rootfile
- Changelog
5.6.5
* Updated the .co TLD server.
* Added some large KRNIC networks.
* Updated the second level .uk TLD servers.
* Removed the .pro TLD server.
* Removed 1 new gTLD which is no longer active.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:15:39 +0000 (18:15 +0200)]
pcre2: Update to version 10.47
- Update from version 10.46 to 10.47
- Update of rootfile
- Changelog
10.47
1. (#660, #655, #663) Expanded platforms tested by CI: FreeBSD, OpenBSD,
Solaris, MSYS (Cygwin), S390x, PPC64le, ARMv7, AARCH64, RiscV.
2. (#655) Made build clean of `/W3` warnings on MSVC. Further suppression of
minor build warnings on other platforms (various commits).
3. (#651) Added `--enable-Werror` flag to `./configure` to treat warnings as
errors (or `--enable-errwarn` for Solaris cc). Previously, you had to hackily
override the CPPFLAGS when calling make since you can't pass `-Werror` as a
CFLAG into `./configure` (it breaks compiler feature detection).
4. (#682) Added AM_MAINTAINER_MODE for Git tag releases. Users building with
the `./configure` script can check out the release tag using Git, which assigns
the current time as the modification time to each checked-out file. This caused
Autoconf to attempt to regenerate the configure script.
5. (#692) Add LICENSE file for sljit to the tarball release, to clarify that the
sljit code is governed separately by the 2-clause BSD license.
6. (#656, #695) Add full support for z/OS and native EBCDIC support. The z/OS
support is tested nightly using the XLC and IBM-Clang compilers, with Autoconf
and CMake. In addition, for test purposes, the EBCDIC support can now be enabled
on any platform using the new Autoconf `--enable-ebcdic-ignoring-compiler` and
CMake `-DPCRE2_EBCDIC_IGNORING_COMPILER` options.
7. (#700) Faster lookup of named capture groups during pattern compilation using
a hash table.
8. (#697, #756, #778) Improvements to pcre2test to increase code coverage:
-malloc argument; more detailed test assertions.
9. (#705, #710, #737, #738) Powerful new feature: pattern recursion of
the form "(?1(GROUP_NAME_OR_NUM,...))" acts as a subroutine call which
additionally returns the listed capturing groups to the calling context.
10. (#721) Add linker scripts to enable symbol versioning for the PCRE2 dynamic
libraries. Downstream Linux distributions may make use of this, or disable it
with the new Autoconf `--disable-symvers` and CMake `-DPCRE2_SYMVERS` options.
Currently, Linux, Solaris, and FreeBSD (GNU ld, LLVM lld, and Solaris ld) are
tested and supported.
11. (#733) New API function: pcre2_next_match(). This function makes it both
simpler and safer for clients to iterate over all matches in a subject. The
documentation in `pcre2api` also provides improved guidance in the section
"Iterating over all matches".
12. (#739, #744, #753) Modernize the CMake build files, to use standard
commands to export the PCRE2 targets. This makes use of the
"$<BUILD_INTERFACE:...>" and "$<INSTALL_INTERFACE:...>" expressions alongside
the built-in "install(EXPORT...)" command. This brings the CMake files in line
with the patches used by vcpkg to distribute PCRE2. The minimum CMake version
remains 3.15.
13. (#756) Improved error offsets and diagnostics for syntax errors during
pattern compilation.
14. (#708, #729, #724, #731, #777) Various updates to Bazel and Zig
build support.
15. (#775) Added PCRE2_CONFIG_EFFECTIVE_LINKSIZE option to pcre2_config(), to
report the actual number of code units used in compiled patterns for recording
string lengths and offsets.
16. (#801) Significant bugfix: Fix a crash in pcre2_callout_enumerate() which is
easily reachable on any pattern that contains a Unicode character class. If your
application uses this function, please read the details for this change and
evaluate its severity for your application.
17. (#806, #807) Improved input validation for pcre2_substitute() used with
PCRE2_SUBSTITUTE_MATCHED.
18. (#817) Add support for $+ replacement to pcre2_substitute().
19. (#818) New SIMD code generation in the JIT for AArch64.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:11:21 +0000 (18:11 +0200)]
libxml2: Update to version 2.15.1
- Update from version 2.15.0 to 2.15.1
- Update of rootfile
- Changelog
2.15.1
Regressions
- parser: Fix attribute normalization and standalone check
Build
- io: Handle clashing error codes on AIX
- Fixed compilation error on GCC versions prior to 4.5 (Lars Erik Wik)
- meson: Fix install dir of man pages
Deprecations
- tree: Undeprecate several struct members
- io: Undeprecate xmlOutputBuffer members
- valid: Undeprecate xmlValidGetPotentialChildren
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:07:55 +0000 (18:07 +0200)]
libarchive: Update to version 3.8.2
- Update from version 3.8.1 to 3.8.2
- Update of rootfile
- Changelog
3.8.2
Security fixes:
7zip: Fix out of boundary access (#2668)
tar reader: fix checking the result of the strftime (#2719, CVE-2025-25724)
Notable bugfixes:
bsdtar: Allow filename to have CRLF endings (#2717)
lib: archive_read_data: handle sparse holes at end of file correctly (#2665)
lib: improve filter process handling (#2659)
lib: fix error checking in writing files (#2672)
lib: handle possible errors from system calls (#2679)
lib: avoid leaking file descriptors into subprocesses (#2707)
lib: parse_date: handle dates in 2038 and beyond if time_t is big enough
(#2742)
RAR5 reader: fix multiple issues in extra field parsing function (#2713)
RAR5 reader: early fail when file declares data for a dir entry (#2716)
tar writer: fix replacing a regular file with a dir for
ARCHIVE_EXTRACT_SAFE_WRITES (#2477)
tar reader (Windows): check WCS pathname in header_gnutar before
overwriting (#2740)
tar reader: fix an infinite loop when parsing V headers (#2737)
zip writer: fix a memory leak if write callback error early (#2664)
zip writer: fix writing with ZSTD compression (#2670)
zstd write filter: enable Zstandard's checksum feature (#2678)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:02:40 +0000 (18:02 +0200)]
less: Update to version 685
- Update from version 679 to 685
- No change to rootfile
- Changelog
685
* Add --cmd option (github #624).
* Add LESS_TERMCAP_SUSPEND and LESS_TERMCAP_RESUME (github #654).
* Change --incsearch so that after typing each character of the pattern,
the search begins at the position where the search command was invoked,
not the current position (github #640).
* Allow mixing of option arguments and filename arguments on the
command line unless POSIXLY_CORRECT is set (github #653).
* Don't output U+00AD and U+200D, and fix some bugs handling emoji
modifier characters (github #637).
* Fix hang if a search using ^S modifier matches empty string (github #634).
* Fix bug using -g and -J (github #636).
* Fix bug when pasting a search pattern while --incsearch is active
(github #635).
* Fix bug in Windows build when autorepeating a search pattern (github #639).
* Fix lesskey bug using #stop directive.
* Fix lesskey bug using "invalid" action (github #643).
* Fix bug causing file to appear to end prematurely if an input command
was received during a file read (github #649).
* Fix performance issue in & filtering (github #638). Problem was introduced
in da2a9ecdf16beb642d0c030e35f0351c5f2e5a12 and released in less-673.
* Fix some problems reported by valgrind (github #659, github #660, github #661).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 15:55:49 +0000 (17:55 +0200)]
shairport-sync: Update to version 4.3.7 to work with ffmpeg-8.0
- Update from version 4.3.4 to 4.3.7
- No change to rootfile
- Changelog
4.3.7
This update comprises updates to GitHub Actions used for testing and for
building Docker. It also includes a small update to the Docker images: the
curl tool is included to facilitate automations.
No other changes have been made relative to the previous release, Version 4.3.6.
4.3.6
Bug Fix
Fix a potential bug (no issues reported) by checking that a buffer is not
zero before attempting to deallocate it.
Documentation Updates
Show how to use MQTTThing with Homebridge to represent Shairport Sync’s
active status.
Correct and clarify the statistics documentation.
The descriptions of Net Sync PPM and All Sync PPM were partly swapped
-- this has been corrected.
Generally clarify the language and harmonize the wording with the
introduction.
Fix a typo in the configuration file.
Docker Build Optimisation
Improve the Dockerfile build sequences as follows:
Build each dependency in a separate stage, facilitating parallel builds.
Define default value for ARGS, permitting easier local docker builds.
Clone the specified branch only, and to a depth of 1, thus getting
relevant data faster.
Copy files in a one-off command, reducing the amount of Docker layers
created.
4.3.5
Enhancements
Add Home Assistant MQTT Auto-Discovery and active/playing State Messages.
Send pvol metadata on mute.
Ensure the PipeWire backend is initially inactive and that it goes active
at the start of a play session and inactive at the end. This is to
facilitate external activity-monitoring software. Note that in
AirPlay 2, play often stops momentarily between tracks, and so there
will be momentary changes from active to inactive and back to active
again in the PipeWire backend. This may change as the backend improves.
Update comments in the sndio section of the sample configuration file.
Docker Enhancements
The AirPlay 2 Docker image now incorporates the PipeWire backend.
Bug Fixes
Update the sndio backend (native to OpenBSD, also used in FreeBSD) to deal
with an intermittent bug. Specifically, use an explicit is_running
flag to keep track of the playing status of the backend.
Fix a bug in the Jack Audio backend. If the system's Jack Audio server was
running at anything other than 44,100 frames per second, the delay
information being returned by the backend was incorrect.
Fix an incompatibility with the recently-introduced FFmpeg version 7.
Stop advertising the SFTP and SSH services on Bonjour.
Deprecations
The soundio backend is deprecated and will be removed in a future update.
It seems that nobody is using it, and as it stands it is very inflexible.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 15:55:48 +0000 (17:55 +0200)]
ffmpeg: Update to version 8.0
- Update from version 7.1.1 to 8.0
- Update of rootfile
- Due to sobump from ffmpeg, mpd and minidlna must be shipped.
- Due to changes in ffmpeg, shairport-sync has to be updated to work with this version
- Changelog
8.0
- Whisper filter
- Drop support for OpenSSL < 1.1.0
- Enable TLS peer certificate verification by default (on next major version bump)
- yasm support dropped, users need to use nasm
- VVC VAAPI decoder
- RealVideo 6.0 decoder
- OpenMAX encoders deprecated
- libx265 alpha layer encoding
- ADPCM IMA Xbox decoder
- Enhanced FLV v2: Multitrack audio/video, modern codec support
- Animated JPEG XL encoding (via libjxl)
- VVC in Matroska
- CENC AV1 support in MP4 muxer
- pngenc: set default prediction method to PAETH
- APV decoder and APV raw bitstream muxing and demuxing
- APV parser
- APV encoding support through a libopenapv wrapper
- VVC decoder supports all content of SCC (Screen Content Coding):
IBC (Inter Block Copy), Palette Mode and ACT (Adaptive Color Transform)
- G.728 decoder
- pad_cuda filter
- Sanyo LD-ADPCM decoder
- APV in MP4/ISOBMFF muxing and demuxing
- OpenHarmony hardware decoder/encoder
- Colordetect filter
- Add vf_scale_d3d11 filter
- No longer disabling GCC autovectorization, on X86, ARM and AArch64
- VP9 Vulkan hwaccel
- AV1 Vulkan encoder
- ProRes RAW decoder
- ProRes RAW Vulkan hwaccel
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Should anyone wonder where 9.20.14 has gone:
"The BIND 9.20.14 release was withdrawn after the discovery of a regression
in a security fix in it during pre-release testing."
"Notes for BIND 9.20.15
Security Fixes
DNSSEC validation fails if matching but invalid DNSKEY is found.
(CVE-2025-8677)
Previously, if a matching but cryptographically invalid key was
encountered during DNSSEC validation, the key was skipped and not
counted towards validation failures. named now treats such DNSSEC keys
as hard failures and the DNSSEC validation fails immediately, instead
of continuing with the next DNSKEYs in the RRset.
ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
Security and Privacy Laboratory at Nankai University for bringing this
vulnerability to our attention. [GL #5343]
Address various spoofing attacks. (CVE-2025-40778)
Previously, several issues could be exploited to poison a DNS cache
with spoofed records for zones which were not DNSSEC-signed or if the
resolver was configured to not do DNSSEC validation. These issues were
assigned CVE-2025-40778 and have now been fixed.
As an additional layer of protection, named no longer accepts DNAME
records or extraneous NS records in the AUTHORITY section unless these
are received via spoofing-resistant transport (TCP, UDP with DNS
cookies, TSIG, or SIG(0)).
ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
Duan from Tsinghua University for bringing this vulnerability to our
attention. [GL #5414]
Cache-poisoning due to weak pseudo-random number generator.
(CVE-2025-40780)
It was discovered during research for an upcoming academic paper that a
xoshiro128** internal state can be recovered by an external 3rd party,
allowing the prediction of UDP ports and DNS IDs in outgoing queries.
This could lead to an attacker spoofing the DNS answers with great
efficiency and poisoning the DNS cache.
The internal random generator has been changed to a cryptographically
secure pseudo-random generator.
ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from
Hebrew University of Jerusalem for bringing this vulnerability to our
attention. [GL #5484]
New Features
Add dnssec-policy keys configuration check to named-checkconf.
A new option -k was added to named-checkconf that allows checking the
dnssec-policy keys configuration against the configured key stores. If
the found key files are not in sync with the given dnssec-policy, the
check will fail.
This is useful to run before migrating to dnssec-policy. [GL #5486]
Bug Fixes
Missing DNSSEC information when CD bit is set in query.
The RRSIGs for glue records were not being cached correctly for CD=1
queries. This has been fixed. [GL #5502]
rndc sign during ZSK rollover will now replace signatures.
When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
rndc sign command now signs the zone completely with the successor key,
replacing all zone signatures from the predecessor key with new ones.
[GL #5483]
Use signer name when disabling DNSSEC algorithms.
disable-algorithms could cause DNSSEC validation failures when the
parent zone was signed with the algorithms that were being disabled for
the child zone. This has been fixed; disable-algorithms now works on a
whole-of-zone basis.
If the zone's name is at or below the disable-algorithms name the
algorithm is disabled for that zone, using deepest match when there are
multiple disable-algorithms clauses. [GL #5165]
Preserve cache when reload fails and reload the server again.
This fixes an issue where failing to reconfigure/reload the server
would fail to preserve the views' caches for subsequent server
reconfigurations/reloads. [GL #5523]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 24 Oct 2025 16:42:55 +0000 (18:42 +0200)]
nasm: Use only with x86_64
- nasm is linked in to syslinux and libjpeg.
- libjpeg will only require nasm if CET has been enabled in glibc and the architecture is
x86_64. CET is not enabled in IPFire, therefore libjpeg does not require nasm for
building in x86_64 and is not required at all for libjpeg under aarch64 or riscv64
- syslinux requires nasm to build but only in x86_64.
- This patch sets the supported architecture to x86_64 only. The build of nasm will be
skipped in aarch64 and riscv64.
- The x86_64 build ran as normal. The build was also tested for aarch64 and the build of
nasm was skipped. syslinux is skipped and libjpeg built successfully confirming that
nasm does not need to be built for aarch64 or riscv64.
- The patch is removed as it is only required for building nasm for an arm architecture
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Wed, 22 Oct 2025 15:34:23 +0000 (17:34 +0200)]
wlanap.cgi: Save IEEE80211W 'optional' value correctly
The v1 patch used defined-or (//), which allowed arbitrary values to be written.
This v2 patch validates that IEEE80211W is one of 'off',
'optional', or 'on', defaulting to 'off' if invalid.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
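Added example (not the commit's code and not taken from IPFire's wlanap.cgi): the difference between the defined-or default and the allow-list check that the commit message above describes, run over constructed inputs. The function names normalize_v1 and normalize_v2 and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The three settings the commit message names as valid.
my %ALLOWED = map { $_ => 1 } qw(off optional on);

# v1 behaviour (hypothetical helper): defined-or only replaces undef,
# so every defined string is passed through unchanged and would be
# written to the settings file as-is.
sub normalize_v1 {
    my ($value) = @_;
    return $value // 'off';
}

# v2 behaviour (hypothetical helper): accept only an exact match from
# the allow-list and fall back to 'off' for everything else.
# An exact hash lookup also rejects "on\n"; a regex such as
# /^(off|optional|on)$/ would accept it, because $ matches before a
# trailing newline (use \z if a regex is preferred).
sub normalize_v2 {
    my ($value) = @_;
    return (defined $value && exists $ALLOWED{$value}) ? $value : 'off';
}

# Make undef and embedded newlines visible when printing.
sub show {
    my ($value) = @_;
    return '<undef>' unless defined $value;
    (my $copy = $value) =~ s/\n/\\n/g;
    return "'$copy'";
}

# Constructed sample inputs standing in for a submitted form field.
my @samples = (undef, 'off', 'optional', 'on', 'ON', '', 'required', "on\n");

printf "%-12s %-12s %s\n", 'input', 'v1 writes', 'v2 writes';
for my $input (@samples) {
    printf "%-12s %-12s %s\n",
        show($input),
        show(normalize_v1($input)),
        show(normalize_v2($input));
}
```

Only the undef row differs from its input under v1; under v2 every row outside the three valid settings is written as 'off'.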
Adolf Belka [Mon, 20 Oct 2025 10:48:29 +0000 (12:48 +0200)]
proxy.cgi: Mitigation for CVE-2025-62168 on squid
- The full fix for CVE-2025-62168 is in version squid-7.2
- However there are a lot of changes in squid from version 6 to 7 with all the error
language files no longer provided directly, they have to be obtained from separate
language packs now. Also several tools like cachemgr.cgi have been removed as the
options can be obtained via different approaches.
- I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some
time to be sure it is working properly.
- In the interim, this patch adds the mitigation "email_err_data off" into squid.conf
that is referenced in the CVE report.
- If someone else has already worked on squid-7.2 and has it ready to go now or soon,
then this patch can be dropped.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Oct 2025 11:09:24 +0000 (13:09 +0200)]
suricata: Support Zabbix requirements
- The Zabbix addon will use the unix socket and also the suricatasc tool.
- Update configure to enable unix-socket
- Update rootfile to uncomment suricatasc
- This v2 version also sets the unix socket to yes in suricata.yaml
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Oct 2025 11:03:49 +0000 (13:03 +0200)]
clamav: Update to version 1.5.1
- Update from version 1.5.0 to 1.5.1
- No change in rootfile
- Changelog
1.5.1
- Fixed a significant performance issue when scanning some PE files.
- Fixed an issue recording file entries from a ZIP archive central directory
which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the
ClamScan `--alert-exceeds-max` command line option or ClamD `AlertExceedsMax`
config file option.
- Improved performance when scanning TNEF email attachments.
- Fixed an issue with recording metadata for OOXML office documents.
- Fixed an issue with signature matches for VBA in OLE2 office documents.
- Loosened overly restrictive rules for embedded file identification and
increased the limit for finding PE files embedded in other PE files.
- Fixed an issue with extracting some RAR archives embedded in other files.
- Fixed an issue with calculating fuzzy hashes affecting some images by updating
the version for several Rust library dependencies.
- This release does not require a newer version of the Rust compiler toolchain
than what was required for ClamAV 1.5.0.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 16:32:06 +0000 (18:32 +0200)]
openssl: Update to version 3.6.0
- Update from version 3.5.4 to 3.6.0
- Update of rootfile
- The changelog mentions that some changes might be significant or incompatible in
certain situations. I had a look through it and didn't believe that these would
apply to IPFire but it would be good for someone else to confirm.
- What I did do was to install this version of openssl into my vm testbed and then
tested out running openvpn rw & n2n. Everything worked fine.
- I then cleared the x509 root/host certificate set and then created a new one followed
by new client certificates. All these were successfully created without any issues.
- Changelog
3.6.0
Feature release adding significant new functionality to OpenSSL.
This release incorporates the following potentially significant or incompatible
changes:
Added NIST security categories for PKEY objects.
Added support for EVP_SKEY opaque symmetric key objects to the key
derivation and key exchange provider methods. Added EVP_KDF_CTX_set_SKEY(),
EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY() functions.
Added LMS signature verification support as per [SP 800-208].
This support is present in both the FIPS and default providers.
An ANSI-C toolchain is no longer sufficient for building OpenSSL.
The code should be built using compilers supporting C-99 features.
Support for the VxWorks platforms has been removed.
Added an openssl configutl utility for processing the OpenSSL
configuration file and dumping the equal configuration file.
Added support for FIPS 186-5 deterministic ECDSA signature
generation to the FIPS provider.
Deprecated EVP_PKEY_ASN1_METHOD-related functions.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:08:00 +0000 (15:08 +0200)]
vim: Update to version 9.1.1854
- Update from version 9.1.1406 to 9.1.1854
- Update of rootfile
- Changelog is not available. Generally each patch version number update is related to
a commit entry in the git repository. The details for all the commit changes can be
found at https://github.com/vim/vim/commits/master/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:07:58 +0000 (15:07 +0200)]
openssh: Update to version 10.2p1
- Update from version 10.0p1 to 10.2p1
- No change to rootfile
- Changelog
10.2p1
Future deprecation warning
* A future release of OpenSSH will deprecate support for SHA1 SSHFP
records due to weaknesses in the SHA1 hash function. SHA1 SSHFP
DNS records will be ignored and ssh-keygen -r will generate only
SHA256 SSHFP records.
The SHA256 hash algorithm, which has no known weaknesses, has
been supported for SSHFP records since OpenSSH 6.1, released in
2012.
Bugfixes
* ssh(1): fix mishandling of terminal connections when
ControlPersist was active that rendered the session unusable.
bz3872
* ssh-keygen(1): fix download of keys from PKCS#11 tokens.
* ssh-keygen(1): fix CA signing operations when the CA key is held
in a ssh-agent(1). bz3877
10.1p1
Future deprecation warning
* A future release of OpenSSH will deprecate support for SHA1 SSHFP
records due to weaknesses in the SHA1 hash function. SHA1 SSHFP
DNS records will be ignored and ssh-keygen -r will generate only
SHA256 SSHFP records.
The SHA256 hash algorithm, which has no known weaknesses, has
been supported for SSHFP records since OpenSSH 6.1, released in
2012.
Potentially-incompatible changes
* ssh(1): add a warning when the connection negotiates a non-post
quantum key agreement algorithm.
This warning has been added due to the risk of "store now, decrypt
later" attacks. More details at https://openssh.com/pq.html
This warning may be controlled via a new WarnWeakCrypto ssh_config
option, defaulting to on. This option is likely to control
additional weak crypto warnings in the future.
* ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS
In both client and server the default DSCP (a.k.a IPQoS) values
were revised and the way these values are used during runtime has
changed.
Interactive traffic is now assigned to the EF (Expedited
Forwarding) class by default. This provides more appropriate
packet prioritisation information for the intermediate network,
such as wireless media (cf. RFC 8325). Non-interactive traffic
will now use the operating system default DSCP marking. Both the
interactive and non-interactive DSCP values may be overridden via
the IPQoS keyword, described in ssh_config(5) and sshd_config(5).
The appropriate DSCP marking is now automatically selected and
updated as needed over the course of a connection's lifetime.
ssh(1) and sshd(8) will switch between the interactive and
non-interactive IPQoS values depending on the type of SSH
channels open at the time. For example, if an sftp session is
using the connection alongside a shell session, then the non-
interactive value will be used for the duration of the sftp. A
connection which contains only interactive sessions is marked EF.
* ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
keywords in the IPQoS configuration directive.
Type of Service (ToS) was deprecated in the late nineties and
replaced with the Differentiated Services architecture, which
has significant advantages for operators because it offers more
granularity.
OpenSSH switched its default IPQoS from ToS to DSCP values in
2018 (openssh-7.7).
IPQoS configurations with 'lowdelay', 'reliability', or
'throughput' will be ignored and will instead use the system
default QoS settings. Additionally, a debug message will be logged
about the deprecation with a suggestion to use DSCP QoS instead.
* ssh-add(1): when adding certificates to an agent, set the expiry
to the certificate expiry time plus a short (5 min) grace period.
This will cause the agent to automatically remove certificates
shortly after they expire. A new ssh-add -N option disables this
behaviour.
* All: remove experimental support for XMSS keys. This was never
enabled by default. We expect to implement a new post-quantum
signature scheme in the near future.
* ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
in sshd(8).
This ensures processes that have restricted filesystem access
that includes /tmp do not ambiently have the ability to use keys
in an agent.
Moving the default directory has the consequence that the OS will
no longer clean up stale agent sockets, so ssh-agent now gains
this ability.
To support $HOME on NFS, the socket path includes a truncated
hash of the hostname. ssh-agent will, by default, only clean up
sockets from the same hostname.
ssh-agent(1) gains some new flags: -U suppresses the automatic
cleanup of stale sockets when it starts. -u forces a cleanup
without keeping a running agent, -uu forces a cleanup that ignores
the hostname. -T makes ssh-agent put the socket back in /tmp.
Security
* ssh(1): disallow control characters in usernames passed via the
commandline or expanded using %-sequences from the configuration
file, and disallow \0 characters in ssh:// URIs.
If an ssh(1) commandline was constructed using usernames or URIs
obtained from an untrusted source, and if a ProxyCommand that uses
the %r expansion was configured, then it may be possible for an
attacker to inject shell expressions that may be executed when the
proxy command is started.
We strongly recommend against using untrusted inputs to construct
ssh(1) commandlines.
This change also relaxes the validity checks in one small way:
usernames supplied via the configuration file as literals (i.e.
that have no % expansion characters) are not subject to these
validity checks. This allows usernames that contain arbitrary
characters to be used, but only via configuration files. This is
done on the basis that ssh's configuration is trusted.
New features
* ssh(1), sshd(8): add SIGINFO handlers to log active channel and
session information.
* sshd(8): when refusing a certificate for user authentication, log
enough information to identify the certificate in addition to the
reason why it was being denied. Makes debugging certificate
authorisation problems a bit easier.
* ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
tokens.
* ssh(1): add an ssh_config(5) RefuseConnection option that, when
encountered while processing an active section in a
configuration, terminates ssh(1) with an error message that
contains the argument to the option.
This may be useful for expressing reminders or warnings in config
files, for example:
    Match host foo
        RefuseConnection "foo is deprecated, use splork instead"
* sshd(8): make the X11 display number check relative to
X11DisplayOffset. This will allow people to use X11DisplayOffset
to configure much higher port ranges if they really want, while
not changing the default behaviour.
* unit tests: the unit test framework now includes some basic
benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes"
on OpenBSD or "make unit-bench" on Portable OpenSSH.
Bugfixes
* sshd(8): fix mistracking of MaxStartups process exits in some
situations. At worst, this could cause all MaxStartups slots to
fill and sshd to refuse new connections.
* ssh(1): fix delay on X client startup when ObscureKeystrokeTiming
is enabled. bz#3820
* sshd(8): increase the maximum size of the supported configuration
from 256KB to 4MB, which ought to be enough for anybody. Fail
early and visibly when this limit is breached. bz3808
* sftp(1): during sftp uploads, avoid a condition where a failed
write could be ignored if a subsequent write succeeded. This is
unlikely but technically possible because sftp servers are
allowed to reorder requests.
* sshd(8): avoid a race condition when the sshd-auth process exits
that could cause a spurious error message to be logged.
* sshd(8): log at level INFO when PerSourcePenalties actually
blocks access to a source address range. Previously this was
logged at level VERBOSE, which hid enforcement actions under
default config settings.
* sshd(8): GssStrictAcceptor was missing from sshd -T output; fix
* sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
first-match-wins as advertised. bz3859
* ssh(1): fix an incorrect return value check in the local forward
cancellation path that would cause failed cancellations not to be
logged.
* sshd(8): make "Match !final" not trigger a second parsing pass
of ssh_config (unless hostname canonicalisation or a separate
"Match final" does). bz3843
* ssh(1): better debug diagnostics when loading keys. Will now list
key fingerprint and algorithm (not just algorithm number) as well
as making it explicit which keys didn't load.
* All: fix a number of memory leaks found by LeakSanitizer,
Coverity and manual inspection.
* sshd(8): Output the current name for PermitRootLogin's
"prohibit-password" in sshd -T instead of its deprecated alias
"without-password". bz#3788
* ssh(1): make writing known_hosts lines more atomic by writing
the entire line in one operation and using unbuffered stdio.
Usually writes to this file are serialised on the "Are you sure
you want to continue connecting?" prompt, but if host key
checking is disabled and connections were being made with high
concurrency then interleaved writes might have been possible.
Portability
* sshd(8): check the username didn't change during the PAM
transactions.
PAM modules can change the user during their execution, but
this is not supported by sshd(8). If such a case was incorrectly
configured by the system administrator, then sshd(8) could end up
using a different username to the one authorised by PAM.
* sshd(8): don't log audit messages with UNKNOWN hostname to avoid
slow DNS lookups in the audit subsystem.
* All: when making a copy of struct passwd, ensure struct fields are
non-NULL. Android libc can return NULL pw_gecos, for example.
* All: Remove status bits from OpenSSL >=3 version check.
* sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun
forwarding from other OSes fails as soon as the first IPv6 message
is sent by the other side (which is usually a Router Solicitation
ICMPv6 message which is sent as soon as the interface is up).
* ssh(1), ssh-agent(8): check for nlist function presence before
attempting to use it instead of relying on the presence of the
nlist.h header. Mac OS X, for example, has the header but not
the function in the 64bit libraries.
* All: fill in missing system header files.
Create replacement header files inside openbsd-compat for common
headers that are missing on a given platform. Usually these are
just empty, but in some cases they'll include the equivalent file.
This avoids having to wrap those includes in '#ifdef HAVE_FOO_H'
and reduces the diff between Portable OpenSSH and OpenBSD.
* sshd(8): handle futex_time64 properly in seccomp sandbox
Previously we only allowed __NR_futex, but some 32-bit systems
apparently support __NR_futex_time64. We had support for this
in the sandbox, but because of a macro error only __NR_futex was
allowlisted.
* Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
* sshd(8): let ga_init() fail gracefully if getgrouplist does.
Apparently getgrouplist() can fail on OSX when passed a
non-existent group name. Other platforms seem to return a group
list consisting of the numeric gid passed to the function. bz3848
* ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
preventing a graceful shutdown of an agent via systemd from
incorrectly marking the service as "failed".
* build: wrap some autoconf macros in AC_CACHE_CHECK.
This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
or linker flags. E.g.
    $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
    [...]
    checking if cc supports compile flag -fzero-call-used-regs=used
    and linking succeeds... (cached) no
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
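The Security item in the OpenSSH changelog above recommends against building ssh(1) command lines from untrusted usernames or URIs. The following is an added example, not code from OpenSSH or IPFire, of a wrapper that rejects control characters and NUL before anything reaches ssh. All function names and the strict allowlist are assumptions of this example.

```python
import re
import unicodedata
from urllib.parse import unquote, urlsplit


class UnsafeSSHInput(ValueError):
    """A value that must not be placed on an ssh(1) command line."""


# Local policy, stricter than the check the release note describes (assumption):
# a conservative allowlist for account names that come from untrusted sources.
STRICT_USER = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,31}")


def has_control_chars(value):
    # Unicode category "Cc" covers NUL, CR, LF, ESC, DEL and the C1 range.
    return any(unicodedata.category(ch) == "Cc" for ch in value)


def check_username(user, strict=True):
    if not user:
        raise UnsafeSSHInput("empty username")
    if has_control_chars(user):
        raise UnsafeSSHInput("control character in username")
    if strict and not STRICT_USER.fullmatch(user):
        raise UnsafeSSHInput("username outside the local allowlist")
    return user


def check_host(host):
    if not host or has_control_chars(host) or host.startswith("-"):
        raise UnsafeSSHInput("unusable host name")
    return host


def parse_ssh_uri(uri):
    """Return (user, host, port) from an ssh:// URI or raise UnsafeSSHInput."""
    # Check the raw string first: urlsplit() silently drops tab, CR and LF.
    if has_control_chars(uri):
        raise UnsafeSSHInput("control character in URI")
    # Percent-encoding can hide a NUL (%00) from the raw check above.
    if "\x00" in unquote(uri):
        raise UnsafeSSHInput("NUL character in URI")
    parts = urlsplit(uri)
    if parts.scheme != "ssh":
        raise UnsafeSSHInput("not an ssh:// URI")
    # The username is validated after decoding, e.g. %0a becomes a newline.
    user = unquote(parts.username) if parts.username else None
    if user is not None:
        check_username(user)
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeSSHInput("bad port") from exc
    return user, check_host(parts.hostname or ""), port


def build_ssh_argv(host, user=None, port=None):
    """Build an argv list for subprocess.run(); no shell parses it.

    The username is still validated: a ProxyCommand in ssh_config is started
    through a shell with %r expanded, whatever the caller does here.
    """
    argv = ["ssh"]
    if user is not None:
        argv += ["-l", check_username(user)]
    if port is not None:
        argv += ["-p", str(int(port))]
    # "--" ends option parsing so the host can never be read as an option.
    return argv + ["--", check_host(host)]


def uri_is_acceptable(uri):
    try:
        parse_ssh_uri(uri)
    except UnsafeSSHInput:
        return False
    return True


def username_is_acceptable(user, strict=True):
    try:
        check_username(user, strict=strict)
    except UnsafeSSHInput:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("ssh://alice@example.org:2222", "ssh://al%00ice@example.org"):
        print(sample, "->", "accepted" if uri_is_acceptable(sample) else "rejected")
```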
Adolf Belka [Tue, 14 Oct 2025 13:07:57 +0000 (15:07 +0200)]
libgpg-error: Update to version 1.56
- Update from version 1.54 to 1.56
- Update of rootfile
- Changelog
1.56
* Support the %b conversion specifier in the estream printf
functions. [rE6ac5332e4f]
* New spawn GPGRT_PROCESS_STDIO_NUL to be used on Windows to share
the "nul" device. [T7723]
* Support pipe I/O for GPGRT_PROCESS_DETACHED on Windows. [T7716]
* New mode keyword "share=xxx" for gpgrt_fopen. [rE461cb5a8ea]
* Change the default method to get the number of fds to close. This
fixes a spawning problem on certain POSIX machines. [T7696]
* Fix some cases of inheriting HANDLEs on Windows. [T7716]
* New system configurations for 64-bit Android, i686 Android, x86_64
Android and an armv7a alias to arm for Android.
* Set build specific build variable for zOS [rE7ee191f54c]
* Interface changes relative to the 1.55 release:
GPG_ERR_UNEXPECTED_PACKET NEW.
GPGRT_PROCESS_STDIO_NUL NEW.
1.55
* Rewrite the extended length path handling under Windows.
[T5754,rEfba44d619d]
* Add new test commands to the gpg-error tool. Allow command w/o
dashes and reformat the help. [rEc002490a8f]
* Silence warning from gcc 15. [T7621]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:07:56 +0000 (15:07 +0200)]
kbd: Update to version 2.9.0
- Update from version 2.8.0 to 2.9.0
- Update of rootfile
- Changelog
2.9.0
keymaps:
Add console keymap for Mac swiss german keyboards.
libkbdfile:
Detect archive type based on content.
Add support for decompressing files without using utilities. Use
ELF_DLOPEN_METADATA if possible.
utils:
loadkeys: Add --tkeymap to dump the keymap as text.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:07:54 +0000 (15:07 +0200)]
fetchmail: Update to version 6.5.6
- Update from version 6.5.5 to 6.5.6
- No change to rootfile
- Changelog
6.5.6
SECURITY BUGFIX:
* fetchmail-SA-2025-01.txt: CVE pending assignment by MITRE
An SMTP server advertising EHLO and AUTH, and if fetchmail is configured to
authenticate (esmtpname and esmtppassword given and non-empty), the server
might crash fetchmail by sending a "334" response without further blank to
fetchmail's AUTH request. This is in violation of applicable RFC-4952 though.
Fetchmail now detects this situation and reports it separately as
malformed server reply.
Fetchmail 6.5.6 has been released without waiting for translation updates
or CVE identifier, these will be provided in followup releases.
BUGFIXES:
* RFC-5321: When the --smtpaddress, --smtphost, --smtpname, -D or -S argument
is a numeric address literal such as 192.0.2.2 or 2001:0DB8::4321, properly
format that as such in the SMTP RCPT command as user@[192.0.2.2] or
user@[IPv6:2001:0DB8::4321].
* When printing output on the console while fetching mail, do not intersperse
another copy of our program name and date in the middle of a log line.
Workaround for older versions: --logfile /dev/tty (might also use
--logfile /dev/stderr) - but note this changes buffering behavior and may
cause output to appear later and without ticker marks.
* A few low-priority memory leaks in the command-line options parser were
fixed. Since this parser runs only once, leaks are harmless.
* Some minor code cleanups and robustness fixes were made, and we should
see fewer compiler warnings as a result.
CHANGES:
* Given the slow update schedules of some distributions, already add code
that checks if time_t() is good beyond the year 2038,
meaning time_t is either unsigned (which would last until 2106) or
64 bits wide. If the system isn't safe, warn on every launch of fetchmail
beginning 2028-01-01 at 00:00 GMT so users have 10 years to plan.
Fetchmail will also print a warning if time(time_t *t) overflows.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
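The fetchmail 6.5.6 security fix above concerns a "334" reply that arrives without the blank that should precede the challenge. The following is an added example, not fetchmail's code, of a reply parser that checks the line length before looking past the code and reports that case separately as malformed. The names and the sample replies are constructed for this example.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthReply:
    status: str                 # "challenge", "malformed" or "other"
    code: Optional[int]
    challenge: bytes = b""
    detail: str = ""


def parse_auth_reply(line):
    """Classify one server reply line received after an AUTH request."""
    line = line.rstrip(b"\r\n")
    # A reply needs a three-digit code before anything else is examined.
    if len(line) < 3 or not line[:3].isdigit():
        return AuthReply("malformed", None, detail="no three-digit reply code")
    code = int(line[:3])
    if code != 334:
        text = line[4:].decode("ascii", "replace")
        return AuthReply("other", code, detail=text)
    # A bare "334" ends here: there is no separator and no challenge to read.
    if len(line) == 3:
        return AuthReply("malformed", 334,
                         detail="334 without the blank before the challenge")
    if line[3:4] != b" ":
        return AuthReply("malformed", 334,
                         detail="unexpected separator after 334")
    try:
        # validate=True rejects characters outside the base64 alphabet.
        challenge = base64.b64decode(line[4:], validate=True)
    except binascii.Error:
        return AuthReply("malformed", 334,
                         detail="challenge is not valid base64")
    return AuthReply("challenge", 334, challenge)


# Constructed sample replies, one per case the parser distinguishes.
SAMPLES = [
    b"334 VXNlcm5hbWU6\r\n",    # well-formed challenge ("Username:")
    b"334 \r\n",                # well-formed, empty challenge
    b"334\r\n",                 # the malformed reply from the advisory
    b"334 !!!\r\n",             # separator present, challenge undecodable
    b"535 5.7.8 denied\r\n",    # a different reply code
]


def classify_samples():
    return [parse_auth_reply(s).status for s in SAMPLES]


if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, "->", parse_auth_reply(raw))
```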
Adolf Belka [Tue, 14 Oct 2025 13:07:53 +0000 (15:07 +0200)]
btrfs-progs: Update to version 6.17
- Update from version 6.16 to 6.17
- No change to rootfile
- Changelog
6.17
* inspect list-chunks: more sorting keys, descending order
* fi resize: add support for offline (unmounted) growing of single device
* device stats: add support for offline (unmounted) reads
* quota status: new command, overview what mode is enabled, tunables
* fi commit-stats: new command, print various commit stats from sysfs (since
kernel 6.1)
* balance start: print warning and delay start if there's a missing device
in the filesystem
* mkfs:
* print zoned mode (native, emulated)
* check:
* verify device bytes in super block item and in chunk tree
* other
* updated CI, new and updated tests
* cleanups, refactoring
* documentation updates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 25 Sep 2025 17:56:33 +0000 (17:56 +0000)]
kernel: Disable preemption debugging
From the kernel configuration:
If you say Y here then the kernel will use a debug variant of the
commonly used smp_processor_id() function and will print warnings
if kernel code uses it in a preemption-unsafe way. Also, the kernel
will detect preemption count underflows.
This option has potential to introduce high runtime overhead,
depending on workload as it triggers debugging routines for each
this_cpu operation. It should only be used for debugging purposes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 13 Oct 2025 10:39:52 +0000 (12:39 +0200)]
rust: Update to version 1.85.0
- Update from version 1.83.0 to 1.85.0
- The latest version of rust is at 1.90.0 but that version requires some existing rust
modules to also be updated. I will do that as a separate step once this patch is
in place.
- Update of rootfiles for all three architectures.
- Changelog
1.85.0
Language
The 2024 Edition is now stable. See the edition guide for more details.
Stabilize async closures. See RFC 3668 for more details.
Stabilize #[diagnostic::do_not_recommend]
Add unpredictable_function_pointer_comparisons lint to warn against
function pointer comparisons
Lint on combining #[no_mangle] and #[export_name] attributes.
Compiler
The unstable flag -Zpolymorphize has been removed, see
https://github.com/rust-lang/compiler-team/issues/810 for some
background.
Platform Support
Promote powerpc64le-unknown-linux-musl to tier 2 with host tools
Refer to Rust’s platform support page for more information on Rust’s
tiered platform support.
Libraries
Panics in the standard library now have a leading library/ in their path
std::env::home_dir() on Windows now ignores the non-standard $HOME
environment variable
It will be un-deprecated in a subsequent release.
Add AsyncFn* to the prelude in all editions.
Stabilized APIs
BuildHasherDefault::new
ptr::fn_addr_eq
io::ErrorKind::QuotaExceeded
io::ErrorKind::CrossesDevices
{float}::midpoint
Unsigned {integer}::midpoint
NonZeroU*::midpoint
impl std::iter::Extend for tuples with arity 1 through 12
FromIterator<(A, ...)> for tuples with arity 1 through 12
std::task::Waker::noop
These APIs are now stable in const contexts:
mem::size_of_val
mem::align_of_val
Layout::for_value
Layout::align_to
Layout::pad_to_align
Layout::extend
Layout::array
std::mem::swap
std::ptr::swap
NonNull::new
HashMap::with_hasher
HashSet::with_hasher
BuildHasherDefault::new
<float>::recip
<float>::to_degrees
<float>::to_radians
<float>::max
<float>::min
<float>::clamp
<float>::abs
<float>::signum
<float>::copysign
MaybeUninit::write
Cargo
Add future-incompatibility warning against keywords in cfgs and add
raw-idents
Stabilize higher precedence trailing flags
Pass CARGO_CFG_FEATURE to build scripts
Rustdoc
Doc comment on impl blocks shows the first line, even when the impl block
is collapsed
Compatibility Notes
rustc no longer treats the test cfg as a well known check-cfg, instead it
is up to the build systems and users of --check-cfg to set it as a
well known cfg using --check-cfg=cfg(test).
This is done to enable build systems like Cargo to set it conditionally,
as not all source files are suitable for unit tests. Cargo (for now)
unconditionally sets the test cfg as a well known cfg.
Disable potentially incorrect type inference if there are trivial and
non-trivial where-clauses
std::env::home_dir() has been deprecated for years, because it can give
surprising results in some Windows configurations if the HOME
environment variable is set (which is not the normal configuration on
Windows). We had previously avoided changing its behavior, out of
concern for compatibility with code depending on this non-standard
configuration. Given how long this function has been deprecated, we’re
now fixing its behavior as a bugfix. A subsequent release will remove
the deprecation for this function.
Make core::ffi::c_char signedness more closely match that of the
platform-default char
This changed c_char from an i8 to u8 or vice versa on many Tier 2 and 3
targets (mostly Arm and RISC-V embedded targets). The new definition
may result in compilation failures but fixes compatibility issues with C.
The libc crate matches this change as of its 0.2.169 release.
When compiling a nested macro_rules macro from an external crate, the
content of the inner macro_rules is now built with the edition of the
external crate, not the local crate.
Increase sparcv9-sun-solaris and x86_64-pc-solaris Solaris baseline to 11.4.
Show abi_unsupported_vector_types lint in future breakage reports
Error if multiple super-trait instantiations of dyn Trait need associated
types to be specified but only one is provided
Change powerpc64-ibm-aix default codemodel to large
Internal Changes
These changes do not affect any public interfaces of Rust, but they
represent significant improvements to the performance or internals of
rustc and related tools.
Build x86_64-unknown-linux-gnu with LTO for C/C++ code (e.g., jemalloc)
1.84.1
Fix ICE 132920 in duplicate-crate diagnostics.
Fix errors for overlapping impls in incremental rebuilds.
Fix slow compilation related to the next-generation trait solver.
Fix debuginfo when LLVM’s location discriminator value limit is exceeded.
Fixes for building Rust from source:
Only try to distribute llvm-objcopy if llvm tools are enabled.
Add Profile Override for Non-Git Sources.
Resolve symlinks of LLVM tool binaries before copying them.
Make it possible to use ci-rustc on tarball sources.
1.84.0
Language
Allow #[deny] inside #[forbid] as a no-op
Show a warning when -Ctarget-feature is used to toggle features that can
lead to unsoundness due to ABI mismatches
Use the next-generation trait solver in coherence
Allow coercions to drop the principal of trait objects
Support / as the path separator for include!() in all cases on Windows
Taking a raw ref (raw (const|mut)) of a deref of a pointer (*ptr) is now safe
Stabilize s390x inline assembly
Stabilize Arm64EC inline assembly
Lint against creating pointers to immediately dropped temporaries
Execute drop glue when unwinding in an extern "C" function
Compiler
Add --print host-tuple flag to print the host target tuple and affirm the
“target tuple” terminology over “target triple”
Declaring functions with a calling convention not supported on the current
target now triggers a hard error
Set up indirect access to external data for
loongarch64-unknown-linux-{musl,ohos}
Enable XRay instrumentation for LoongArch Linux targets
Extend the unexpected_cfgs lint to also warn in external macros
Stabilize WebAssembly multivalue, reference-types, and tail-call target
features
Added Tier 2 support for the wasm32v1-none target
Libraries
Implement From<&mut {slice}> for Box/Rc/Arc<{slice}>
Move <float>::copysign, <float>::abs, <float>::signum to core
Add LowerExp and UpperExp implementations to NonZero
Implement FromStr for CString and TryFrom<CString> for String
std::os::darwin has been made public
Stabilized APIs
Ipv6Addr::is_unique_local
Ipv6Addr::is_unicast_link_local
core::ptr::with_exposed_provenance
core::ptr::with_exposed_provenance_mut
<ptr>::addr
<ptr>::expose_provenance
<ptr>::with_addr
<ptr>::map_addr
<int>::isqrt
<int>::checked_isqrt
<uint>::isqrt
NonZero::isqrt
core::ptr::without_provenance
core::ptr::without_provenance_mut
core::ptr::dangling
core::ptr::dangling_mut
Pin::as_deref_mut
These APIs are now stable in const contexts
AtomicBool::from_ptr
AtomicPtr::from_ptr
AtomicU8::from_ptr
AtomicU16::from_ptr
AtomicU32::from_ptr
AtomicU64::from_ptr
AtomicUsize::from_ptr
AtomicI8::from_ptr
AtomicI16::from_ptr
AtomicI32::from_ptr
AtomicI64::from_ptr
AtomicIsize::from_ptr
<ptr>::is_null
<ptr>::as_ref
<ptr>::as_mut
Pin::new
Pin::new_unchecked
Pin::get_ref
Pin::into_ref
Pin::get_mut
Pin::get_unchecked_mut
Pin::static_ref
Pin::static_mut
Cargo
Stabilize MSRV-aware resolver config
Stabilize resolver v3
Rustdoc
rustdoc-search: improve type-driven search
Compatibility Notes
Enable by default the LSX target feature for LoongArch Linux targets
The unstable -Zprofile flag (“gcov-style” coverage instrumentation) has
been removed. This does not affect the stable flags for coverage
instrumentation (-Cinstrument-coverage) and profile-guided
optimization (-Cprofile-generate, -Cprofile-use), which are unrelated
and remain available.
Support for the target named wasm32-wasi has been removed as the target is
now named wasm32-wasip1. This completes the transition plan for this
target following the introduction of wasm32-wasip1 in Rust 1.78.
Compiler warnings on use of wasm32-wasi introduced in Rust 1.81 are
now gone as well as the target is removed.
The syntax &pin (mut|const) T is now parsed as a type which in theory
could affect macro expansion results in some edge cases
Legacy syntax for calling std::arch functions is no longer permitted to
declare items or bodies (such as closures, inline consts, or async
blocks).
Declaring functions with a calling convention not supported on the current
target now triggers a hard error
The next-generation trait solver is now enabled for coherence, fixing
multiple soundness issues
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 13 Oct 2025 10:39:51 +0000 (12:39 +0200)]
clamav: Update to version 1.5.0
- Update from version 1.4.3 to 1.5.0
- Update of rootfile
- Required an update to rust as clamav required a rust version with edition2024. Patch
for that combined in this set.
- Changelog
1.5.0
Major changes
- Added checks to determine if an OLE2-based Microsoft Office document is
encrypted.
- Added the ability to record URIs found in HTML if the generate-JSON-metadata
feature is enabled.
Also adds an option to disable this in case you want the JSON metadata
feature but do not want to record HTML URIs.
The ClamScan command-line option is `--json-store-html-uris=no`.
The `clamd.conf` config option is `JsonStoreHTMLURIs no`.
The libclamav general scan option is `CL_SCAN_GENERAL_STORE_HTML_URIS`
- Added the ability to record URIs found in PDFs if the generate-JSON-metadata
feature is enabled.
Also adds an option to disable this in case you want the JSON metadata
feature but do not want to record PDF URIs.
The ClamScan command-line option is `--json-store-pdf-uris=no`.
The `clamd.conf` config option is `JsonStorePDFURIs no`.
The libclamav general scan option is `CL_SCAN_GENERAL_STORE_PDF_URIS`
- Added regex support for the `clamd.conf` `OnAccessExcludePath` config option.
This change courtesy of GitHub user b1tg.
- Added CVD signing/verification with external `.sign` files.
Freshclam will now attempt to download external signature files to accompany
existing `.cvd` databases and `.cdiff` patch files. Sigtool now has commands
to sign and verify using the external signatures.
ClamAV now installs a 'certs' directory in the app config directory
(e.g., `<prefix>/etc/certs`). The install path is configurable.
The CMake option to configure the CVD certs directory is
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is
`--cvdcertsdir PATH`
- The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is
`CVD_CERTS_DIR`
- The config option for Freshclam and ClamD is
`CVDCertsDirectory PATH`
Added two new APIs to the public clamav.h header:
```c
cl_error_t cl_cvdverify_ex(
const char *file,
const char *certs_directory,
uint32_t dboptions);
cl_error_t cl_cvdunpack_ex(
const char *file,
const char *dir,
const char *certs_directory,
uint32_t dboptions);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
Added a `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it with
`cl_engine_get_str`, to override the compiled in default CVD certs directory.
Thank you to Mark Carey at SAP for inspiring work on this feature with an
initial proof of concept for external-signature FIPS compliant CVD signing.
- Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like
limits disabling MD5 and SHA1 from being used for verifying digital signatures
or for being used to trust a file when checking for false positives (FPs).
For `freshclam.conf` and `clamd.conf` set this config option:
```
FIPSCryptoHashLimits yes
```
For `clamscan` and `sigtool` use this command-line option:
```
--fips-limits
```
For libclamav: Enable FIPS-limits for a ClamAV engine like this:
```C
cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);
```
ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will
automatically enable the FIPS-limits feature.
This change mitigates safety concerns over the use of MD5 and SHA1 algorithms
to trust files and is required to enable ClamAV to operate legitimately in
FIPS-mode enabled environments.
Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection
purposes or for informational purposes in FIPS-enabled environments and when
the FIPS-limits option is enabled.
- Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5).
The clean-file cache algorithm is not configurable.
This change resolves safety concerns over the use of MD5 to trust files and
is required to enable ClamAV to operate legitimately in FIPS-mode enabled
environments.
- ClamD: Added an option to disable select administrative commands including
`SHUTDOWN`, `RELOAD`, `STATS` and `VERSION`.
The new `clamd.conf` options are:
```
EnableShutdownCommand yes
EnableReloadCommand yes
EnableStatsCommand yes
EnableVersionCommand yes
```
- libclamav: Added extended hashing functions with a "flags" parameter that
allows the caller to choose if they want to bypass FIPS hash algorithm limits:
```c
cl_error_t cl_hash_data_ex(
const char *alg,
const uint8_t *data,
size_t data_len,
uint8_t **hash,
size_t *hash_len,
uint32_t flags);
cl_error_t cl_hash_init_ex(
const char *alg,
uint32_t flags,
cl_hash_ctx_t **ctx_out);
cl_error_t cl_update_hash_ex(
cl_hash_ctx_t *ctx,
const uint8_t *data,
size_t length);
cl_error_t cl_finish_hash_ex(
cl_hash_ctx_t *ctx,
uint8_t **hash,
size_t *hash_len,
uint32_t flags);
void cl_hash_destroy(void *ctx);
cl_error_t cl_hash_file_fd_ex(
const char *alg,
int fd,
size_t offset,
size_t length,
uint8_t **hash,
size_t *hash_len,
uint32_t flags);
```
- ClamScan: Improved the precision of the bytes-scanned and bytes-read counters.
The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB",
or "B" as appropriate. Previously, it always reported "MB".
- ClamScan: Add hash & file-type in/out CLI options:
- `--hash-hint`: The file hash so that libclamav does not need to calculate
it. The type of hash must match the `--hash-alg`.
- `--log-hash`: Print the file hash after each file scanned. The type of hash
printed will match the `--hash-alg`.
- `--hash-alg`: The hashing algorithm used for either `--hash-hint` or
`--log-hash`. Supported algorithms are "md5", "sha1", "sha2-256".
If not specified, the default is "sha2-256".
- `--file-type-hint`: The file type hint so that libclamav can optimize
scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names
such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with
the specified type.
See also: https://docs.clamav.net/appendix/FileTypes.html#file-types
- `--log-file-type`: Print the file type after each file scanned.
We will not be adding this for ClamDScan, as we do not have a mechanism in the
ClamD socket API to receive scan options or a way for ClamD to include scan
metadata in the response.
- libclamav: Added new scan functions that provide additional functionality:
```c
cl_error_t cl_scanfile_ex(
const char *filename,
cl_verdict_t *verdict_out,
const char **last_alert_out,
uint64_t *scanned_out,
const struct cl_engine *engine,
struct cl_scan_options *scanoptions,
void *context,
const char *hash_hint,
char **hash_out,
const char *hash_alg,
const char *file_type_hint,
char **file_type_out);
cl_error_t cl_scandesc_ex(
int desc,
const char *filename,
cl_verdict_t *verdict_out,
const char **last_alert_out,
uint64_t *scanned_out,
const struct cl_engine *engine,
struct cl_scan_options *scanoptions,
void *context,
const char *hash_hint,
char **hash_out,
const char *hash_alg,
const char *file_type_hint,
char **file_type_out);
cl_error_t cl_scanmap_ex(
cl_fmap_t *map,
const char *filename,
cl_verdict_t *verdict_out,
const char **last_alert_out,
uint64_t *scanned_out,
const struct cl_engine *engine,
struct cl_scan_options *scanoptions,
void *context,
const char *hash_hint,
char **hash_out,
const char *hash_alg,
const char *file_type_hint,
char **file_type_out);
```
The older `cl_scan*()` functions are now deprecated and may be removed in a
future release. See `clamav.h` for more details.
- libclamav: Added a new engine option to toggle temp directory recursion.
Temp directory recursion is the idea that each object scanned in ClamAV's
recursive extract/scan process will get a new temp subdirectory, mimicking
the nesting structure of the file.
Temp directory recursion was introduced in ClamAV 0.103 and is enabled
whenever `--leave-temps` / `LeaveTemporaryFiles` is enabled.
In ClamAV 1.5, an application linking to libclamav can separately enable temp
directory recursion if they wish.
For ClamScan and ClamD, it will remain tied to `--leave-temps` /
`LeaveTemporaryFiles` options.
The new temp directory recursion option can be enabled with:
```c
cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);
```
- libclamav: Added a class of scan callback functions that can be added with the
following API function:
```c
void cl_engine_set_scan_callback(struct cl_engine *engine, clcb_scan callback, cl_scan_callback_t location);
```
The scan callback location may be configured using the following five values:
- `CL_SCAN_CALLBACK_PRE_HASH`: Occurs just after basic file-type detection and
before any hashes have been calculated either for the cache or the gen-json
metadata.
- `CL_SCAN_CALLBACK_PRE_SCAN`: Occurs before parser modules run and before
pattern matching.
- `CL_SCAN_CALLBACK_POST_SCAN`: Occurs after pattern matching and after
running parser modules. A.k.a. the scan is complete for this layer.
- `CL_SCAN_CALLBACK_ALERT`: Occurs each time an alert (detection) would be
triggered during a scan.
- `CL_SCAN_CALLBACK_FILE_TYPE`: Occurs each time the file type determination
is refined. This may happen more than once per layer.
Each callback may alter scan behavior using the following return codes:
- `CL_BREAK`: Scan aborted by callback. The rest of the scan is skipped.
This does not mark the file as clean or infected, it just skips the rest of
the scan.
- `CL_SUCCESS` / `CL_CLEAN`: File scan will continue.
For `CL_SCAN_CALLBACK_ALERT`: This means you want to ignore this specific
alert and keep scanning.
This is different than `CL_VERIFIED` because it does not affect prior or
future alerts. Return `CL_VERIFIED` instead if you want to remove prior
alerts for this layer and skip the rest of the scan for this layer.
- `CL_VIRUS`: This means you do not trust the file. A new alert will be added.
For `CL_SCAN_CALLBACK_ALERT`: This means you agree with the alert and no
extra alert is needed.
- `CL_VERIFIED`: Layer explicitly trusted by the callback and previous alerts
removed for THIS layer. You might want to do this if you trust the hash or
verified a digital signature. The rest of the scan will be skipped for THIS
layer. For contained files, this does NOT mean that the parent or adjacent
layers are trusted.
Each callback is given a pointer to the current scan layer from which they can
get previous layers, can get the layer's fmap, and then various attributes of
the layer and of the fmap. To make this possible, there are new APIs to
query scan-layer details and fmap details:
```c
cl_error_t cl_fmap_set_name(cl_fmap_t *map, const char *name);
cl_error_t cl_fmap_get_name(cl_fmap_t *map, const char **name_out);
cl_error_t cl_fmap_set_path(cl_fmap_t *map, const char *path);
cl_error_t cl_fmap_get_path(cl_fmap_t *map, const char **path_out, size_t *offset_out, size_t *len_out);
cl_error_t cl_fmap_get_fd(const cl_fmap_t *map, int *fd_out, size_t *offset_out, size_t *len_out);
cl_error_t cl_fmap_get_size(const cl_fmap_t *map, size_t *size_out);
cl_error_t cl_fmap_set_hash(const cl_fmap_t *map, const char *hash_alg, char hash);
cl_error_t cl_fmap_have_hash(const cl_fmap_t *map, const char *hash_alg, bool *have_hash_out);
cl_error_t cl_fmap_will_need_hash_later(const cl_fmap_t *map, const char *hash_alg);
cl_error_t cl_fmap_get_hash(const cl_fmap_t *map, const char *hash_alg, char **hash_out);
cl_error_t cl_fmap_get_data(const cl_fmap_t *map, size_t offset, size_t len, const uint8_t **data_out, size_t *data_len_out);
cl_error_t cl_scan_layer_get_fmap(cl_scan_layer_t *layer, cl_fmap_t **fmap_out);
cl_error_t cl_scan_layer_get_parent_layer(cl_scan_layer_t *layer, cl_scan_layer_t **parent_layer_out);
cl_error_t cl_scan_layer_get_type(cl_scan_layer_t *layer, const char **type_out);
cl_error_t cl_scan_layer_get_recursion_level(cl_scan_layer_t *layer, uint32_t *recursion_level_out);
cl_error_t cl_scan_layer_get_object_id(cl_scan_layer_t *layer, uint64_t *object_id_out);
cl_error_t cl_scan_layer_get_last_alert(cl_scan_layer_t *layer, const char **alert_name_out);
cl_error_t cl_scan_layer_get_attributes(cl_scan_layer_t *layer, uint32_t *attributes_out);
```
This deprecates, but does not immediately remove, the existing scan callbacks:
```c
void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback);
void cl_engine_set_clcb_file_inspection(struct cl_engine *engine, clcb_file_inspection callback);
void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback);
void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback);
void cl_engine_set_clcb_virus_found(struct cl_engine *engine, clcb_virus_found callback);
void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback);
```
There is an interactive test program to demonstrate the new callbacks.
See: `examples/ex_scan_callbacks.c`
- Signature names that start with "Weak." will no longer alert.
Instead, they will be tracked internally and can be found in scan metadata
JSON. This is a step towards enabling alerting signatures to depend on prior
Weak indicator matches in the current layer or in child layers.
- For the "Generate Metadata JSON" feature:
- The "Viruses" array of alert names has been replaced by two new arrays that
include additional details beyond just signature name:
- "Indicators" records three types of indicators:
- **Strong** indicators are for traditional alerting signature matches and
will halt the scan, except in all-match mode.
- **Potentially Unwanted** indicators will only cause an alert at the end of
the scan unless a Strong indicator is found. They are treated the same
as Strong indicators in all-match mode.
- **Weak** indicators do not alert and will be leveraged in a future version
as a condition for logical signature matches.
- "Alerts" records only alerting indicators. Events that trust a file, such
as false positive signatures, will remove affected indicators, and mark
them as "Ignored" in the "Indicators" array.
- Add new option to calculate and record additional hash types when the
"generate metadata JSON" feature is enabled:
- libclamav option: `CL_SCAN_GENERAL_STORE_EXTRA_HASHES`
- ClamScan option: `--json-store-extra-hashes` (default off)
- `clamd.conf` option: `JsonStoreExtraHashes` (default 'no')
- The file hash is now stored as "sha2-256" instead of "FileMD5". If you
enable the "extra hashes" option, then it will also record "md5" and "sha1".
- Each object scanned now has a unique "Object ID".
- Sigtool: Renamed the sigtool option `--sha256` to `--sha2-256`.
The original option is still functional but is deprecated.
Other improvements
- Set a limit on the max-recursion config option. Users will no longer be
able to set max-recursion higher than 100.
This change prevents errors on start up or crashes if encountering
a file with that many layers of recursion.
- Build system: CMake improvements to support compiling for the AIX platform.
This change is courtesy of GitHub user KamathForAIX.
- Improve support for extracting malformed zip archives.
This change is courtesy of Frederick Sell.
- Windows: Code quality improvement for the ClamScan and ClamDScan `--move`
and `--remove` options.
This change is courtesy of Maxim Suhanov.
- Added file type recognition for an initial set of AI model file types.
The file type is accessible to applications using libclamav via the scan
callback functions and as an optional output parameter to the scan functions:
`cl_scanfile_ex()`, `cl_scanmap_ex()`, and `cl_scandesc_ex()`.
When scanning these files, type will now show "CL_TYPE_AI_MODEL" instead of
"CL_TYPE_BINARY_DATA".
- Added support for inline comments in ClamAV configuration files.
This change is courtesy of GitHub user userwiths.
- Disabled the MyDoom hardcoded/heuristic detection because of false positives.
- Sigtool: Added support for creating `.cdiff` and `.script` patch files for
CVDs that have underscores in the CVD name.
Also improved support for relative paths with the `--diff` command.
- Windows: Improved support for file names with UTF-8 characters not found in
the ANSI or OEM code pages when printing scan results or showing activity in
the ClamDTOP monitoring utility.
Fixed a bug with opening files with such names with the Sigtool utility.
- Improved the code quality of the ZIP module. Added inline documentation.
- Always run scan callbacks for embedded files. Embedded files are found within
other files through signature matches instead of by parsing. They will now
be processed the same way and then they can trigger application callbacks
(e.g., "pre-scan", "post-scan", etc.).
A consequence of this change is that each embedded file will be pattern-
matched just like any other extracted file. To minimize excessive pattern
matching, file header validation checks were added for ZIP, ARJ, and CAB.
Also fixed a bug with embedded PE file scanning to reduce unnecessary matching.
This change will impact scans with both the "leave-temps" feature and the
"force-to-disk" feature enabled, resulting in additional temporary files.
- Added DevContainer templates to the ClamAV Git repository in order to make it
easier to set up AlmaLinux or Debian development environments.
- Removed the "Heuristics.XZ.DicSizeLimit" alert because of potential unintended
alerts based on system state.
- Improved support for compiling on Solaris.
- Improved support for compiling on GNU/Hurd.
- Improved support for linking with the NCurses library dependency when
libtinfo is built as a separate library.
Bug fixes
- Reduced email multipart message parser complexity.
- Fixed possible undefined behavior in inflate64 module.
The inflate64 module is a modified version of the zlib library, taken from
version 1.2.3 with some customization and with some cherry-picked fixes.
This adds one additional fix from zlib 1.2.9.
Thank you to TITAN Team for reporting this issue.
- Fixed a bug in ClamD that broke reporting of memory usage on Linux.
The STATS command can be used to monitor ClamD directly or through ClamDTOP.
The memory stats feature does not work on all platforms (e.g., Windows).
- Windows: Fixed a build issue when the same library dependency is found in
two different locations.
- Fixed an infinite loop when scanning some email files in debug-mode.
This fix is courtesy of Yoann Lecuyer.
- Fixed a stack buffer overflow bug in the phishing signature load process.
This fix is courtesy of GitHub user Shivam7-1.
- Fixed a race condition in the Freshclam feature tests.
This fix is courtesy of GitHub user rma-x.
- Windows: Fixed a 5-byte heap buffer overread in the Windows unit tests.
This fix is courtesy of GitHub user Sophie0x2E.
- Fix double-extraction of OOXML-based office documents.
- ClamBC: Fixed crashes on startup.
- Fixed an assortment of issues found with Coverity static analysis.
- Fixed libclamav unit test, ClamD, and ClamDScan Valgrind test failures
affecting some platforms.
- Fixed crash in the Sigtool program when using the `--html-normalize` option.
- Fixed some potential NULL-pointer dereference issues if memory allocations
fail.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 12 Oct 2025 11:51:42 +0000 (13:51 +0200)]
mympd: Update to version 22.1.1
- Update from version 22.0.4 to 22.1.1
- Addition of cmake option to not create the systemd startup files
- Removal of patch to make mympd work with coreutils-9.8 as this latest update already
includes the change in it.
- Changelog
22.1.1
- Upd: Logging improvements
- Fix: Now playing indicator in Queue View
- Fix: Detection of ca cert store #1469
- Fix: Ending newline detection in build script #1470
22.1.0
This is the first release that supports a system-wide installed libmpdclient
library. If the library was not found or is too old, the build process falls
back to the embedded libmpdclient.
- Feat: Support string normalization option (MPD 0.25)
- Feat: Support shared libmpdclient (v2.24.0) #874
- Upd: Rework album implementation to work with upstream libmpdclient
- Upd: Mongoose 7.19
- Upd: Bootstrap 5.3.8
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 13 Oct 2025 09:18:28 +0000 (11:18 +0200)]
dns.cgi: Correction to typo
- Spotted by a new user on the forum as part of their CU198 Testing.
- Causes an Internal Server Error when trying to access the Domain Name System page.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 10 Oct 2025 15:51:54 +0000 (17:51 +0200)]
tshark: Update to version 4.6.0
- Update from version 4.4.9 to 4.6.0
- Update of rootfile
- Changelog
4.6.0
New and Updated Features
The following features are new (or have been significantly updated) since
version 4.6.0rc1:
Wireshark can dissect process information, packet metadata, flow IDs,
drop information, and other information provided by tcpdump on macOS.
The following features are either new or have been significantly updated
since version 4.4.0:
The Windows installers now ship with Npcap 1.83. They previously
shipped with Npcap 1.79.
The Windows and macOS installers now ship with Qt 6.9.3. They
previously shipped with Qt 6.5.3.
We now ship universal macOS installers instead of separate packages
for Arm64 and Intel. Issue 17294
WinPcap is no longer supported. On Windows, use Npcap instead,
uninstalling WinPcap if necessary. The final release of WinPcap was
version 4.1.3 in 2013. It only supports up to Windows 8, which is no
longer supported by Microsoft or Wireshark.
A new “Plots” dialog has been added, which provides scatter plots in
contrast to the “I/O Graphs” dialog, which provides histograms. The
Plots dialog window supports multiple plots, markers, and automatic
scrolling.
Live captures can be compressed while writing. (Previously there was
support for compressing when performing multiple file capture, at
file rotation time.) The --compress option in TShark works on live
captures as well. Issue 9311
Absolute time fields, regardless of field display in the Packet
Details, are always written in ISO 8601 format in UTC with -T json.
This was already the case for -T ek since version 4.2.0. JSON is
primarily a data interchange format read by software, so a standard
format is desirable.
When absolute time fields are output with -T fields, the "show" field
of -T pdml, or in custom columns (including CSV output of columns),
the formatting similar to asctime (e.g., Dec 18, 2017
05:28:39.071704055 EST) has been deprecated in favor of ISO 8601. For
backwards compatibility, a preference has been added,
protocols.display_abs_time_ascii, which can be set to continue to
format times as before. This preference can also be set to never use
ASCII time and to use ISO 8601 time formatting in the protocol tree
(Packet Details) as well. It is possible that a future release will
remove the asctime style formatting entirely.
UTC frame time column formats (including "Time (format as specified)"
when a UTC time display format is selected) have a "Z" suffix per
ISO 8601. Local time formats remain unqualified (including if the
local time zone is UTC.) Custom columns displaying FT_ABSOLUTE_TIME
already had time zone indication.
The TShark -G option for generating glossary reports does not need to
be the first option given on the command line anymore. In addition,
the reports now are affected by other command line options such as
-o, -d, and --disable-protocol, in addition to the -C option, which
was already supported. (The defaultprefs report remains unaffected by
any other options.) As a part of this change, -G with no argument,
which was previously deprecated, is no longer supported. Use
tshark -G fields to produce the same report. Also, the syntax for
only listing fields with a certain prefix has changed to tshark -G
fields,prefix.
The underlying type of EUI-64 fields has been switched to bytes when
packet matching, similar to most other address formats. This means
that EUI-64 addresses can be sliced and compared to other bytes
types, e.g. the filter wpan.src64[:3] == eth.src[:3]. Fields can
still be specified using 64-bit unsigned integer literals, though
arithmetic with other integers is no longer supported.
Wireshark can now decrypt NTP packets using NTS (Network Time Security).
To decrypt packets, the NTS-KE (Network Time Security Key
Establishment Protocol) packets need to be present, alongside the TLS
client and exporter secrets. Additionally, the parts of a NTP packet
which can be cryptographically authenticated (from NTP packet header
until the end of the last extension field that precedes the NTS
Authenticator and Encrypted Extension Fields extension field) are
checked for validity.
Wireshark’s ability to decrypt MACsec packets has been expanded to
either use the SAK unwrapped by the MKA dissector, or the PSK
configured in the MACsec dissector. To enable the MKA dissector to
unwrap the SAK, the CAK for the applicable CKN can be entered in the
extended CKN/CAK Info UAT in the MKA dissector preferences. The
ability of the MACsec dissector to decrypt packets using a PSK has
been extended to a list of PSKs, which can be entered through a new UAT.
The TCP Stream Graph axes now use units with SI prefixes. Issue 20197
Custom columns have an option to show the values using the same format
as in Packet Details.
Custom column complex expressions (e.g., with arithmetic, filter
functions, etc.) that return numeric results are sorted numerically
instead of lexicographically.
Display filter functions float and double are added to allow
explicitly converting field types like integers and times to single
and double precision floats. They can be used to perform further
arithmetic operations on fields of different types, including in
custom column definitions.
The minimum width of the I/O Graph dialog window has been reduced, so
it should work better on small resolution desktops, especially in
certain languages. To enable this, some checkbox controls were moved
to the graph right-click context menu. Issue 20147
X.509 certificates, used in TLS and elsewhere, can be exported via the
File › Export Objects menu in Wireshark (under the name "X509AF")
and --export-objects in TShark (with the protocol name x509af.)
Zstandard Content-Encoding is supported in the HTTP and HTTP/2
dissectors.
Follow Stream is supported for MPEG 2 Transport Stream PIDs, and for
Packetized Elementary Streams contained within MPEG 2 TS. The latter
can be used to extract audio or video for playback with other tools.
DNP 3 (Distributed Network Protocol 3) is now supported in the
Conversations and Endpoints table dialogs.
The Lua supplied preloaded libraries bit and rex_pcre2 are loaded in a
way that adds them to the package.loaded table, as though through
require, so that require("bit") and require("rex_pcre2") statements
in Lua dissectors, while usually superfluous, behave as expected.
Issue 20213
The packet list (Wireshark) and event list (Stratoshark) no longer
support rows with multiple lines. Issue 14424
The ethers file can also contain EUI-64 to name mappings. Issue 15487
Wireshark’s "Import from Hex Dump" feature and text2pcap now support
byte groups with 2 to 4 bytes (with an option for little-endian byte
order), and support hexadecimal offsets with a 0x or 0X prefix (as
produced by tcpdump -x, among others). Issue 16193
Frame timestamps can be added as preamble to hex dumps in Wireshark
from the "Print" and "Export Packet Dissection" dialogs, and in
TShark with the --hexdump time option. Issue 17132
Lua now has a Conversation object, which exposes conversations and
conversation data to Lua. Issue 15396
An Edit › Copy › as HTML menu item has been added, along with
associated context menu items and a keyboard shortcut. It provides an
option (via knobs in preferences) to copy plain text with aligned
columns along with an ability to select a copy format to be used when
copied via keyboard shortcut.
The "no duplicate keys" version of JSON output that tshark has
supported since 2.6.0 is available through the GUI Export Dissections
Dialog. Note that this format does not necessarily preserve the
ordering of all children in a tree, if sibling with identical keys
are not consecutive.
The GUI Export Dissections Dialog can output raw hex bytes of the
frame data for each field with or without exporting the field values,
the same formats as the "-T json -x" and "-T jsonraw" output modes,
respectively, of TShark.
The Conversations and Endpoints dialogs have an option to display byte
counts and bit rates in exact counts instead of human-readable
numbers with SI units. The default setting when opening a dialog is
controlled by a Statistics preference, "conv.machine_readable". The
same preference controls whether precise byte counts are used in the
TShark "-z conv" and "-z endpoints" taps.
The output format for some TShark statistics taps (those selected with
"-z <tap>,tree", which use the stats_tree system) can be controlled
via a preference "-o statistics.output_format".
The color scheme can be set to Light or Dark mode independently of the
current OS default on Windows and macOS, if Wireshark is built with
Qt 6.8 or later as the official installers are. Issue 19328
libxml2 is now a required dependency. Note that Wireshark will not
build with libxml2 2.15.0, but other versions should work.
The View menu has an option to Redissect Packets manually, which can
be useful when address resolution or decryption secrets have changed.
HTTP2 tracking of 3GPP sessions over 5G Service Based Interfaces is now
optionally available. When enabled, "Associate IMSI" will be added on
HTTP2 streams which have been found to belong to a session.
Building the documentation on Windows no longer requires Java.
On Linux, capture filters that use BPF extensions like "inbound",
"outbound", and "ifindex" can be used for capturing (and compiled by
the Compiled Filter dialog). Instead of always being rejected by the
syntax checker, they will be marked as unknown.
Removed Features and Support
Wireshark no longer supports AirPcap and WinPcap.
Wireshark no longer supports libnl versions 1 or 2.
The ENABLE_STATIC CMake option has been deprecated in favor of
BUILD_SHARED_LIBS
New File Format Decoding Support
Resource Interchange File Format (RIFF) and TTL File Format
New Protocol Support
Asymmetric Key Packages (AKP), Binary HTTP, BIST TotalView-ITCH
protocol (BIST-ITCH), BIST TotalView-OUCH protocol (BIST-OUCH),
Bluetooth Android HCI (HCI ANDROID), Bluetooth Intel HCI (HCI INTEL),
BPSec COSE Context, BPSec Default SC, Commsignia Capture Protocol
(C2P), DECT NR+ (DECT-2020 New Radio), DLMS/COSEM, Ephemeral
Diffie-Hellman Over COSE, Identifier-Locator Network Protocol (ILNP),
LDA Neo Device trailer (LDA_NEO_TRAILER), Lenbrook Service Discovery
Protocol (LSDP), LLC V1, Navitrol messaging, Network Time Security
Key Establishment Protocol (NTS-KE), Ouster VLP-16, Private Line
Emulation (PLE), RC V3, RCG, Roughtime, SBAS L5 Navigation Message,
SGP.22 GSMA Remote SIM Provisioning (SGP.22), SGP.32 GSMA Remote SIM
Provisioning (SGP.32), SICK CoLA Ascii and CoLA Binary protocols,
Silabs Debug Channel, Universal Measurement and Calibration Protocol
(XCP), USB Picture Transfer Protocol (USB-PTP), VLP-16 Data and
Position messaging, and vSomeIP Internal Protocol (vSomeIP)
Updated Protocol Support
Too many protocol updates have been made to list them all here.
New and Updated Capture File Support
BLF is now improved (including writing to BLF)
New and Updated Capture Interfaces support
On Windows, etwdump’s user-friendliness has been greatly improved
thanks to various extcap changes. It should also now display the raw
bytes of unknown events.
Major API Changes
The Lua API now supports Libgcrypt symmetric cipher functions.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Oct 2025 10:18:00 +0000 (12:18 +0200)]
mpd: Update to version 0.24.5
- Update from version 0.24.4 to 0.24.5
- Update of rootfile not required
- Changelog
0.24.5
* database
- fix disappearing playlist files
* decoder
- ffmpeg: handle "*.aif" files
- mpg123: add option "full_scan"
- mpg123: support seeking on remote files
- mpg123: work around libmpg123 ID3 corruption bug
- sidplay: add support for PSID files
* output
- pipewire: fix resuming playback after it was paused by "single" mode
* Windows
- fix libfmt error "what(): invalid utf8"
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Oct 2025 10:17:59 +0000 (12:17 +0200)]
libmpdclient: Update to version 2.23
- Update from version 2.22 to 2.23
- Update of rootfile
- Changelog
2.23
* support MPD protocol 0.24.0
- allow window for listplaylist and listplaylistinfo
- command "playlistlength", "protocol", "stickertypes", "stickernamestypes",
"searchplaylist"
- tag "ShowMovement"
- new sticker find api
- new subcommands for "tagtypes": "available", "reset"
* Support open end for mpd_search_add_window
* format floating-point numbers with the POSIX locale
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Oct 2025 10:17:58 +0000 (12:17 +0200)]
mympd: Update to version 22.0.4 and work with coreutils-9.8
- Update from version 21.0.1 to 22.0.4
- Add config options to stop doc and man page creation.
- Add patch to fix working with coreutils-9.8
- Update of rootfile
- Changelog
22.0.4
- Upd: Restrict sticker names (forbid equal sign)
- Fix: Really shuffle the playlist #1455
- Fix: Relax search expression validation #1455
- Fix: Alpine packaging
- Fix: Detection of local playback features #1452
22.0.3
- Upd: Create cache and workdir in init script
- Upd: Feature detection for local playback output selection #1452
22.0.2
- Fix: MYMPD_API_JUKEBOX_RESTART requires MPD connection #1448
22.0.1
- Fix: Respect backgroundImage setting #1446
- Fix: Alpine packaging
22.0.0
Notes
- This release enables certificate checking for outgoing https connections.
The system CA cert store should be autodetected, open an issue if it fails.
- The startup process of myMPD was reworked. myMPD no longer drops privileges,
the included startup scripts are using now the init system to do this.
- The default listening ports are now 8080 for HTTP and 8443 for HTTPS.
API changes
- MYMPD_API_SCRIPT_VERIFY_SIG: new
- MYMPD_API_HOME_WIDGET_IFRAME_SAVE: new
- MYMPD_API_HOME_WIDGET_SCRIPT_SAVE: new
- MYMPD_API_HOME_WIDGET_SAVE: removed
Scripting changes
- Feat: `mympd.tblvalue_in_list()` - Checks a Lua table of tags against a comma separated list.
- Upd: Executing external scripts is now disabled by default.
Changelog
- Feat: iFrames for home screen #1429
- Feat: Add custom css and js #1428
- Feat: Use system provided ca store for ssl certificate checking #1427
- Feat: Sign and verify scripts from mympd-scripts repository #1426
- Feat: Add trigger `mympd_playlistart`, `mympd_folderart`
- Feat: Sort list of timers and triggers #1425
- Feat: Allow changing output device with local playback #1434
- Upd: Improve "Edit Script"-Layout
- Upd: Bootstrap v5.3.7
- Upd: Mongoose 7.18
- Upd: libmympdclient 1.0.34 (libmpdclient 2.24.0)
- Upd: Incbin
- Upd: Replaced mjson with mongoose implementation
- Fix: Improve MPD search expression validation #1435
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Oct 2025 10:17:56 +0000 (12:17 +0200)]
coreutils: Update to version 9.8
- Update from version 9.7 to 9.8
- Update of rootfile not required
- Changelog
9.8
Bug fixes
'b2sum' will diagnose --length values that are too big.
Previously it would have silently assumed 512 for any larger values.
[bug introduced in coreutils-9.6]
'base32' and 'base64' when decoding will again diagnose partially
padded data that ends with a newline.
[bug introduced in coreutils-9.5]
'basenc -d -i' will now strip '=' characters from the input
in encodings where padding characters are not valid.
[bug introduced with the basenc program in coreutils-8.31]
'cp -p' had spurious "Operation not supported" failures when
copying to non-NFS files from NFSv4 files with trivial ACLs.
[bug introduced in coreutils-9.6]
'cp --sparse=always' missed some opportunities to create holes.
That is, although the copies had the correct data, sometimes
data zeros used extents rather than holes.
[This bug was present in "the beginning".]
cp missed opportunities to create holes when copying from file
systems like squashfs that support SEEK_HOLE only trivially.
[bug introduced in coreutils-9.0]
cp, install, and mv now avoid possible data corruption on
glibc 2.41 and 2.42 systems when copy_file_range is used with ranges > 2GiB,
avoiding https://sourceware.org/PR33245
[bug triggered since coreutils-9.0]
'date' supports specifying multiple named formats with the last taking
precedence. Previously multiple specifications would induce an error.
[bug introduced in coreutils-5.90]
'dd oflag=seek_bytes' no longer mistakenly reports errors when the
output file exists on GNU/Hurd.
[bug introduced in coreutils-8.16]
'fold' no longer exhausts memory when processing large inputs
with a very large --width argument.
[This bug was present in "the beginning".]
'install -d' now produces the correct diagnostic upon failure
to create a directory. Previously it would have produced
a confusing error about changing permissions.
[This bug was present in "the beginning".]
"ls --size --block-size=\'k" could misalign output in locales
with multi-byte thousands grouping characters.
[This bug was present in "the beginning".]
'nohup' avoids implementation defined behavior setting umask,
avoiding a FORTIFY runtime failure on Bionic libc.
[This bug was present in "the beginning".]
'od --strings' with '-N' now works correctly. Previously od might
write a NUL byte after a heap buffer, or output invalid addresses.
[These bugs were present in "the beginning".]
'od -w0' will now issue a diagnostic and exit gracefully.
Previously it would have aborted.
[bug introduced in coreutils-9.3]
'od -w' no longer silently mishandles enormous widths like 3037000500.
Instead, it either outputs correctly or diagnoses a too-large width.
[This bug was present in "the beginning".]
'od +N.' (where N is a decimal number) works again as per POSIX.
[bug introduced in textutils-2.0]
'od /dev/null ++0' no longer mistakenly treats the ++0 as an offset.
[This bug was present in "the beginning".]
'sort' with key character offsets of SIZE_MAX, could induce
a read of 1 byte before an allocated heap buffer. For example:
'sort +0.18446744073709551615R input' on 64 bit systems.
[bug introduced in coreutils-7.2]
stdbuf now works on AIX. Previously it would have been ineffective.
[bug introduced with the stdbuf program in coreutils-7.5]
'tail -n NUM' no longer can output more than NUM lines if stdin
is a largish regular file with a nonzero initial offset, and grows
while 'tail' is reading it.
[This bug was present in "the beginning".]
'tail -f -n +NUM' no longer mishandles NUM values >= UINTMAX_MAX
when the input is seekable.
[bug introduced in coreutils-9.6]
'tail --pid' avoids some unlikely races if the kernel reuses PIDs.
[bug introduced in coreutils-9.5]
'tty' now exits with status 4 with a special diagnostic if ttyname
fails even though standard input is a tty. Formerly it quietly
pretended that standard input was not a tty.
[This bug was present in "the beginning".]
New Features
basenc supports the --base58 option to encode and decode
the visually unambiguous Base58 encoding.
'cksum -a' now supports the 'sha3' argument, to use the SHA3-224,
SHA3-256, SHA3-384, SHA3-512 message digest algorithms depending on
the argument passed to the required --length (-l) option.
'cksum -a' now supports the 'sha2' argument, as a more consistent
interface than the existing 'sha224', 'sha256', 'sha384', 'sha512'
arguments, which are now selected with the --length (-l) option.
'date' now outputs dates in the country's native calendar for the
Iranian locale (fa_IR) and for the Ethiopian locale (am_ET), and also
does so more consistently for the Thailand locale (th_TH.UTF-8).
fold now supports multi-byte characters, honoring their column width.
Also the --characters (-c) option was added to wrap at a certain
number of characters, similarly to --bytes in uni-byte locales.
nproc now honors any cgroup v2 configured CPU quotas,
which may reduce the effective number of processors available.
stty supports setting arbitrary baud rates on supported systems,
like Hurd, Linux with glibc >= 2.42, and some BSDs.
Also on other systems the full set of supported baud rates
is determined at build time if possible.
Commands that support hardware acceleration like cksum and wc
can now disable this acceleration at runtime through the
commonly used GLIBC_TUNABLES environment variable. For example
to disable the use of AVX512 instructions in cksum, you can:
export GLIBC_TUNABLES='glibc.cpu.hwcaps=-AVX512F'
Changes to conform better to POSIX.1-2024
readlink now defaults to being verbose if the POSIXLY_CORRECT
environment variable is set.
realpath now supports -E, which specifies the default behavior.
The corresponding long option is --canonicalize.
tsort now accepts and ignores -w.
Improvements
'factor' is now much faster at identifying large prime numbers,
and significantly faster on composite numbers greater than 2^128.
fold now exits immediately upon receiving a write error,
which is significant when reading large / unbounded inputs.
'seq' is more accurate with large integer start values.
Previously 'seq 18446744073709551617 inf | head -n1' would
output the number before the user specified start value.
Build-related
cksum was not compilable by Apple LLVM 10.0.0 x86-64, which
lacks support for checking for the VPCLMULQDQ instruction.
[bug introduced in coreutils-9.6]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 Oct 2025 17:24:29 +0000 (18:24 +0100)]
ovpnmain.cgi: Enable multihome when using UDP
If the client is connecting from an internal network instead of the
internet, the OpenVPN server replies with the public IP address as the
source address. This won't allow a connection to be established.
Enabling multihome changes the behaviour to reply with whatever IP
address the client has connected to.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 8 Oct 2025 20:49:00 +0000 (20:49 +0000)]
Tor: Update to 0.4.8.19
Changes in version 0.4.8.19 - 2025-10-06
This release fixes two major bugfixes for a LibreSSL issue and a flow control
C-tor specific problem (not protocol). We strongly recommend you upgrade as
soon as possible.
o Major bugfixes (client, TLS):
- Fix some clients not being able to connect to LibreSSL relays.
Fixes bug 41134; bugfix on 0.4.8.17
o Major bugfixes (stream flow control performance):
- Use a 5 ms grace period to allow an edge connection to flush its
stream data to the socket before sending an XOFF. This
significantly reduces the number of XON/XOFF messages sent when
(1) the application is reading stream data at a fast rate, and (2)
when conflux is enabled. Fixes part of bug 41130; bugfix
on 0.4.7.2-alpha
o Minor features (fallbackdir):
- Regenerate fallback directories generated on October 06, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/10/06.
o Minor bugfix (process):
- Avoid closing all possible FDs when spawning a process (PT). On
some systems, this could lead to 3+ minutes hang. Fixes bug 40990;
bugfix on 0.3.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 8 Oct 2025 20:28:46 +0000 (22:28 +0200)]
samba: Update to version 4.23.1
- Update from version 4.22.4 to 4.23.1
- Update of rootfile for all architectures
- Changelog
4.23.1
* BUG 15920: Incomplete bind configuration causes DLZ plugin to crash.
* BUG 15914: winbind can crash at startup.
* BUG 15919: vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev for
fsync_send.
* BUG 15904: CTDB does not support PCP 7.0.0.
* BUG 15921: CTDB_SOCKET can be used even when CTDB_TEST_MODE is not set.
* BUG 15919: vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev for
fsync_send.
4.23.0
NEW FEATURES/CHANGES
Enable SMB3 Unix Extensions by default
Starting with Samba 4.23, the SMB3 UNIX Extensions are enabled by
default. These extensions provide first-class support for POSIX semantics
over SMB3, allowing UNIX and Linux clients to access file services with
features such as proper POSIX permissions, symlink handling, hardlinks,
and special file types.
Enabling this feature by default improves interoperability for UNIX/Linux
clients without requiring additional configuration. Windows clients that
do not support the extensions will continue to function normally, by
using standard SMB3 behavior.
Add support for SMB3 over QUIC
The new "client smb transports" and "server smb transport"
allow a more flexible configuration for the used tcp
sockets.
It also got the ability to specify "quic" as a possible transport.
If quic should be used in addition to the defaults something
like "server smb transports = +quic" can be used.
For the client quic only works with name based uncs,
ip address based uncs are not supported.
Note for the server 'quic' requires the quic.ko kernel module
for Linux from https://github.com/lxin/quic (tested with Linux 6.14).
Future Linux versions may support it natively, here's the
branch that will hopefully be accepted upstream soon:
https://github.com/lxin/net-next/commits/quic/
For the client side there's a fallback to the userspace ngtcp2
library if the quic kernel module is not available.
Check the smb.conf manpage for additional hints
about the "client smb transports" and "server smb transport"
options and interactions with tls related options.
Modern write time update logic
Samba 4.23 changes file timestamp handling to match modern Windows
servers.
Earlier releases used delayed write time updates, where last_write_time was
only refreshed after a short idle period. Now Samba applies immediate
timestamp updates consistent with modern Windows 10/Server 2016 or newer.
Initial version of smb_prometheus_endpoint
Samba 4.23 introduces the smb_prometheus_endpoint utility, which exports
Samba server metrics in Prometheus-compatible format. This enables seamless
integration of Samba performance and status monitoring into existing
Prometheus and Grafana environments. For usage and configuration details,
refer to the new smb_prometheus_endpoint man page.
samba-tool domain backup --no-secrets avoids confidential attributes
The --no-secrets option creates a back-up without secret attributes
(e.g. passwords), suitable for use in a lab domain. Until now it could
still contain confidential attributes, including BitLocker recovery
data and KDS root keys. Objects in the classes msKds-ProvRootKey,
msFVE-RecoveryInformation, and msTPM-InformationObject will now be
entirely removed from the backup, as these objects are required by
schema to have confidential attributes and are no use without them.
CTDB changes
CTDB now supports loading tunables from
/etc/ctdb/tunables.d/*.tunables, in addition to the standard
/etc/ctdb/tunables.conf. See the ctdb-tunables(7) manual page for
more details. Note that the above locations are examples - the
actual location of these files will depend on compile time
configuration.
It isn't expected that many users will require a directory of tunables
files, since most users do not need to change tunables from their
default values. However, this allows vendors to ship their required
tunables settings (for example, in one or more files marked "do not
edit") while still allowing local administrators to add their own
tunables settings (in one or more separate files).
Per-share profiling stats
Starting with Samba 4.23, users can collect profile counters at a
per-share level. This feature requires building Samba with profiling
data enabled and adding an appropriate `smb.conf` parameter for
specific shares. It's particularly useful for deployments with a large
number of active shares, allowing administrators to monitor individual
share activity and identify potential bottlenecks or hot-spots. When
enabled, users can inspect current per-share profile information
("Extended Profile") using the standard `smbstatus` utility.
Currently, this functionality is supported only by the default and
`ceph_new` VFS modules.
smb.conf changes
Parameter Name             Description   Default
--------------             -----------   -------
smbd profiling share       New           no
client smb transports      New           tcp, nbt
server smb transports      New           tcp, nbt
winbind varlink service    New           no
Bugs
* BUG 15911: samba.tests.safe_tarfile fails on Python 3.13 with additional
security fixes for tarfile support.
* BUG 15904: CTDB does not support PCP 7.0.0.
* BUG 15905: samba-4.21 fails to join AD when multiple DCs are returned.
* BUG 15908: Uninitialized read leads to hanging rpcd_spoolss.
* BUG 15905: samba-4.21 fails to join AD when multiple DCs are returned.
* BUG 15907: Stack buffer overflow in samba3.smb2.dirlease.fileserver.
* BUG 15902: Regression in gssproxy support in 4.23.rc1+.
* BUG 15900: 'net ads group' failed to list domain groups.
* BUG 15843: macOS Finder client DFS broken on 4.22.0.
* BUG 15899: Self-signed certificates don't have X509v3 Subject Alternative
Name for DNS.
* BUG 15893: Improve handling of principals and realms in client tools.
* BUG 15896: libquic build fixes.
* BUG 15844: getpwuid does not shift to new DC when current DC is down.
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
* BUG 15896: libquic build fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 6 Oct 2025 15:32:37 +0000 (17:32 +0200)]
nasm: Add patch fix for typo in le32toh function name
- nasm failed to build with aarch64 due to a typo in the 3.00 source tarball where
l32toh had been written in bytesex.h instead of le32toh
- This patch includes the fix for that. The applied patch will be able to be removed
when the next release after 3.00 is issued.
- Tested the build on the aarch64 builder and nasm successfully built with the patch
applied.
- Update of rootfile not required
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 18:18:08 +0000 (20:18 +0200)]
glib: Update to version 2.86.0
- Update from version 2.83.0 to 2.86.0
- Update of rootfile
- Changelog
2.86.0
* Rework how platform-specific introspected GIO APIs have to be imported to fix
problems with backwards-compatibility provision for it, by removing duplicate
platform-specific symbols from `Gio-2.0`. Users of platform-specific GIO APIs
should be unaffected, as `GIRepository` will now automatically import
`GioWin32-2.0` or `GioUnix-2.0` when asked to import `Gio-2.0`. However,
projects generating introspection data which depends on types from either of
those platform-specific GIRs must make sure they depend on those GIRs
explicitly, rather than just transitively depending on them through `Gio-2.0`
(#3744, work by Emmanuele Bassi, Marco Trevisan, Florian Müllner, and others)
* Fix file existence queries on Solaris, broken due to unexpected flags handling
within `faccessat()` (#3770, work by Niveditha Rau)
* Bugs fixed:
- #3744 GDesktopAppInfo API disappeared after girepository-2.0 port (Emmanuele
Bassi)
- #3768 g_test_trap_subprocess does not check G_TEST_SUBPROCESS_INHERIT_STDIN
(Philip Withnall)
- !4751 gtestutils: Fix a slightly broken example in a doc comment
- !4754 Update Polish translation 250825
- !4758 Update Swedish translation
- !4762 gio: gmemorymonitorpsi: Replace GRegex with g_str_has_prefix()
- !4765 girepository: Add an assertion to help scan-build
- !4767 glocalfile: Disable faccessat()-based query_exists on Solaris
- !4768 gmessages: Fix win32_keep_fatal_message regression
- !4769 docs: Fix typos
- !4770 Update Chinese translation
- !4771 Update Georgian translation
- !4772 po: Update Persian translation.
* Translation updates:
- Chinese (China) (lumingzh)
- Georgian (NorwayFun)
- Persian (Danial Behzadi)
- Polish (Piotr Drąg)
- Swedish (Anders Jonsson)
2.85.4
* Follow symlink (instead of overwriting it) when updating `mimeapps.list`
(#3579, work by Rafael Girão)
* Bugs fixed:
- #3579 mimeapps.list is overwritten if it is a symlink (Rafael Girão)
- #3724 Crash in g_hash_table_add after 252645135 elements (Tobias Stoeckmann)
- #3743 g_utf8_validate out parameter has wrong type (two)
- #3751 meta: clang-format refers to a broken link (Rafael Girão)
- #3758 Out-of-bounds read in GMemoryMonitorPoll (Philip Withnall)
- #3760 Stack overflow when recursing within g_log_structured() with
`G_LOG_FLAG_RECURSION` (Tobias Stoeckmann)
- #3761 Regression in g_printf() - can no longer output formatted values
containing NUL bytes (Luca Bacci)
- #3766 Update sl.po (Slovenian) (Martin)
- !4714 gmain: Reformat docs to fully use gi-docgen and match style guide
- !4720 Disable GMemoryMonitorPsi on Solaris
- !4727 garray: Improve and migrate documentation to gi-docgen
- !4735 build: Fix stp files for development versions
- !4736 systemtap: Use correct formatters/types
- !4738 docs: Add Thomas Haller as a co-maintainer of GObject
- !4739 Annotate ref/unref functions as transfer full
- !4740 gstrfuncs: Check parameter validity
- !4742 garray: Fix g_array_binary_search description
- !4743 Update Russian translation
- !4744 tests/gio: skip Unix socket-mock tests on Windows
- !4747 tests/printf: Use proper compare helper for unsigned types
- !4748 gconstructor: Add attribute used for TLS callback pointer
* Translation updates:
- Russian (jtux270)
- Slovenian (Martin)
2.85.3
* Fix encoding of output from `g_print()` and `g_printerr()` when locale is set
to `.utf8` on Windows (#3341, work by Luca Bacci)
* Bugs fixed:
- #3341 `g_print` and `g_printerr` will cause encoding errors on Windows when
locale is set to `.utf8` (Luca Bacci)
- #3739 Crash in accept_ready() of GThreadedSocketService Under High Load
(Philip Withnall)
- #3740 Documentation of g_win32_error_message does not contain information
about the behaviour when FormatMessageW failed (Philip Withnall)
- #3755 AIX: Unwanted symbol needs to be removed for AIX platform: getpwnam_r,
getpwuid_r (Parth Patel)
- !4706 gthreadpool: Clean up when g_thread_pool_new fails
- !4707 tests: Skip slow mainloop test on valgrind
- !4708 gfilenamecompleter: Fix g_object_unref() of undefined value
- !4709 tests: Connect to GMemoryMonitor signals earlier
- !4712 tests/thread-pool: Add a thread-pool fail test
- !4713 Fix test error for GMemoryMonitor
- !4715 gdbuserror: Reformat docs to fully use gi-docgen and match style guide
- !4722 tests: Add missing unistd.h header to thread-pool test
- !4723 tests: Add a missing poll condition to socket-listener test
- !4724 garray: Pass errors through GByteArray functions
- !4725 garray: Add checks to g_ptr_array_extend_and_steal
- !4726 Add a basic GFilenameCompleter test
- !4728 gbitlock: Fix documentation issues
- !4729 [RFC] Tests: do not set a timeout in Python tests
- !4730 gstrfuncs: Always treat G_MININT64 in g_ascii_strtoll
- !4731 glocalfile: Disable faccessat()-based query_exists on OpenBSD
- !4733 gvalue: Reformat docs to fully use gi-docgen and match style guide
- !4734 gspawn: Improve docstring for g_spawn_async()
2.85.2
* New Linux PSI based backend for `GMemoryMonitor` as an option to use instead
of the existing Low Memory Monitor daemon backend (!4481, work by Kate Hsuan)
* Bugs fixed:
- #1443 Deadlock between g_module_open() and dlopen() when called from a
constructor
- #2848 Doc: clarification request regarding g_match_info_fetch_pos return
value (Mark Lautman)
- #3712 Crash in g_thread_pool_new_full
- #3713 call g_file_enumerator_close in g_file_enumerator_finalize is not safe
(fbrouille)
- #3716 (CVE-2025-7039) (#YWH-PGM9867-104) Buffer Under-read on GLib through
glib/gfileutils.c via get_tmp_file() (Michael Catanzaro)
- #3721 GFile leak in g_local_file_set_display_name during error handling
(Philip Withnall, Michael Catanzaro)
- #3725 Deadlock on source_destroy_lock inside g_main_context_unref() and
g_source_destroy() (with child sources) (Matthew Waters)
- #3726 GApplication sometimes fails to call before_emit (Matthias Clasen)
- !4481 gio: gmemorymonitorpsi: Replace GMemoryMonitor backend with kernel PSI
event
- !4665 gio: enums: Fix GBusNameOwnerFlags's annotation
- !4667 Incorrect output parameter handling in closure helper of
g_settings_bind_with_mapping_closures
- !4669 Add missing `(array zero-terminated=1)` annotations
- !4676 Fix IPv6 scope-id from DNS responses being lost
- !4680 gbacktrace: Correctly wait for children on Unix
- !4681 (CVE-2025-6052) gstring: Improve
g_string_expand/g_string_append_len_inline checks
- !4682 gio-tool-launch: fix %k field code expansion
- !4683 gio-tool-launch: Fix mismatched curly quotes in translatable strings
- !4684 garray: Support unallocated zero terminated arrays
- !4685 garray: Use g_array_elt_len/pos where appropriate
- !4687 gstring: Fix g_string_append_vprintf overflow
- !4690 garray: Fix out of boundary write in g_ptr_array_copy
- !4692 tests: Fix a minor leak in array-test
- !4693 tests: Loosen string comparison assertion in gio-tool.py
- !4694 tests: Do not always skip array overflow checks
- !4695 garray: Add more element_size > 0 checks
- !4698 garray: Avoid exponential growth in g_array_copy
- !4699 garray: Set capacity in terminated take functions
- !4700 gfileutils: Fix OOB read in g_build_path(name)_va
- !4701 gbacktrace: Fix OOB write in stack_trace
- !4702 gio/filenamecompleter: Fix leaks
- !4703 application: NULL check for options
- !4704 tests: Add a regression test for GApplication command line handling
2.85.1
* Re-add the option of a singleton to `GIRepository` (#3664, work by
Christian Hergert)
* Add support for the `e` flag (O_CLOEXEC) to `g_fopen()` (!4564, work by
Luca Bacci and Philip Withnall)
* Make the `sysprof` Meson option yield when using GLib as a subproject (!4659,
work by Matthias Clasen)
* Use the Meson built-in `localedir` option (!4661, work by
Kleis Auke Wolthuizen)
* Bugs fixed:
- #1665 g_file_trash() should return PERMISSION_DENIED if files can't be
deleted (Ignacy Kuchciński)
- #3664 Lack of g_irepository_get_default() equivalent makes cross-library
integration extremely difficult (Christian Hergert)
- #3698 Misleading autogenerated hints in the documentation of
g_async_queue_pop() (Alicia Boya García)
- !4560 glib/gnulib/printf.c: Sync with gnulib
- !4564 gstdio: Add support for the `e` flag (O_CLOEXEC) to g_fopen()
- !4637 Rework Windows implementation of g_getenv()
- !4641 [th/gobj-drop-bit-lock] gobject: drop object_bit_lock() functions
- !4642 [th/gobj-empty-notify-queue] gobject: optimize notify-queue handling
for a single freeze
- !4643 GRegex: apply monospace typeface in description
- !4644 gio: add annotations on parameters of 'g_file_monitor_emit_event' and
of 'g_vfs_get_file_for_path'
- !4645 gregex: Clarify docs for end_pos
- !4646 GRegex: update class description
- !4649 GAsyncQueue: assert non-null data in push_sorted()
- !4650 tests: Add atomics to asyncqueue test global variables
- !4651 Meson: Add libglib_static dependency for use in tests
- !4652 gobject: clarify in documentation that g_value_set_boxed copies
- !4654 Fix buffer overflow in string-test
- !4655 gstring: Fix overflow check when expanding the string
- !4657 docs: Stop hiding the Unix-like APIs which are in Gio-2.0.gir
- !4658 gmarkup: make documentation more discoverable
- !4659 Make the sysprof feature yield
- !4661 meson: Use the appropriate localedir option
2.85.0
* Preserve mode for existing file when creating a temporary file for atomic
updates with g_file_set_contents() (dconf#76, work by Wesley Hershberger)
* Fix race conditions between g_main_context_unref() and g_source_*() methods
(#803, work by Matthew Waters)
* Allow file handles inside nested containers when using the `gdbus call`
command (#3624, work by Julian Sparber)
* Fix DNS resolution of local addresses in offline mode (#3641, work by
Patrick Griffis)
* Various performance improvements to GObject locking (various MRs by
Thomas Haller)
* Prefer matches occurring earlier in the string when searching
`GDesktopAppInfo`s, improving search for apps in gnome-shell (!4369, work by
Fina Wilke)
* Fix thread safety of `GClosure` flags (!4575, !4577, work by Sam James and
Philip Withnall)
* Bugs fixed:
- GNOME/dconf#76 dconf update can set incorrect permissions to dconf system db
(Wesley Hershberger)
- #490 Not clearly documented behavior of g_key_file_set_comment function.
(marklkram)
- #803 g_main_context_unref() versus g_source_*() race (Matthew Waters)
- #1002 GObject doesn't support removing a weak reference in a GWeakNotify for
the same object
- #1250 gsocketlistener: Fix IPv4 listen() error-handling resulting in use-
after-free
- #2377 Document that `g_socket_address_get_native_size()` can return `-1` on
errors
- #2544 Consider `g_log_always_fatal` for aborting in
`g_log_structured_array()` (sid)
- #3405 Enable -Wconversion warnings by default (progress towards this, but it
is not complete)
- #3616 docs: Broken link in GioActionEntry (Philip Withnall)
- #3617 Add generalised version of g_date_get_monday_week_of_year() (Philip
Withnall)
- #3624 `gdbus call` should look for file handles inside nested containers
(Julian Sparber)
- #3630 2.84.0 build failure on Linux: ../gio/gnetworkmonitornetlink.c:47:10:
fatal error: netlink/netlink_route.h: No such file or directory (Philip
Withnall)
- #3634 test failure with gobject-introspection 1.83.4: warning: element
doc:format from state 3 is unknown, ignoring (Philip Withnall)
- #3636 gio/trash does not handle special characters well
- #3641 GResolver: Local DNS resolution failure in offline mode (Patrick
Griffis)
- #3642 `g_cancellable_connect()` documentation incorrect (Marco Trevisan
(Treviño))
- #3643 g_cancellable_connect(): is it safe to unref cancellable from
callback? (Marco Trevisan (Treviño))
- #3649 Crash with some registry key values in GWin32AppInfo (Philip Withnall)
- #3656 Set SYSLOG_IDENTIFIER when logging to journald (Axel Karjalainen)
- #3657 girepository: Wrong typelib path on Windows
- #3663 Cannot use GZlibCompressor in GTK testsuite (Benjamin Otte)
- #3684 UAF in GSignalGroup weak notify callbacks (Thomas Haller)
- #3686 docs.gtk.org doesn't mention that GSourceFuncs.finalize may be NULL
(BZZZZ)
- #3693 Random failures in debian-i386-stable
- !4185 [th/gobject-no-object-locks-pt1-notify] use
`g_datalist_id_update_atomic()` instead of OPTIONAL_BIT_LOCK_NOTIFY
- !4247 mappedfile: Avoid some allocations
- !4369 gdesktopappinfo: Prefer matches that occur earlier in the match string
- !4387 Fix various -Wshorten-64-to-32 warnings
- !4484 Memory sanitizer fixes
- !4489 gobject: Be consistent in using atomic logic to handle the
GParamSpecPool
- !4520 [th/gdataset-cleanup] minor cleanups of gdataset
- !4536 [th/gobj-closure-array-atomic] use g_datalist_id_update_atomic() for
array of closure watches
- !4541 gsettings: Port docs to gi-docgen format, add missing annotations and
make various improvements
- !4544 tests: Don't install runner scripts without installed_tests
- !4545 Update French translation
- !4547 Update Catalan translation
- !4548 Update Turkish translation
- !4551 Updated Danish translation
- !4552 Update Persian translation
- !4553 docs: Document GSignalFlags members added after 2.0
- !4554 Update Indonesian translation
- !4555 tests: Add a test for g_object_freeze_notify() being called too often
- !4557 gfileinfo: Slightly expand docs for
g_file_info_get_attribute_as_string()
- !4558 gi: Dynamically set doc-format
- !4561 tests: Various fixes to create temporary files in /tmp rather than the
build directory
- !4562 gdbusnameowning: Convert docs to gi-docgen linking syntax
- !4563 giounix-private: Fix macro for checking for epoll_create1()
- !4565 Fix LGPL in header
- !4567 gutils: make documentation of g_set_prgname() clearer
- !4568 docs: Add some detail
- !4569 Update Romanian translation
- !4570 gspawn-win32: Fix potential integer overflows in argv handling
- !4571 gvarianttype: Improve docs on type validation
- !4575 gclosure: fix ATOMIC_CHANGE_FIELD to read vint atomically
- !4577 gclosure: Allow full set of closure flags to be queried atomically
- !4578 [th/bit-lock-and-set] bitlock: add g_bit_lock_and_get() and
g_bit_unlock_and_set() API
- !4579 tests: Add missing unistd.h include to scannerapi.c
- !4581 [th/gobj-no-weak-ref-lock] drop OPTIONAL_BIT_LOCK_WEAK_REFS object
lock for `g_object_weak_{ref,unref}()`
- !4583 thread: fix Linux detection
- !4585 gfile: Expand documentation around file info for inaccessible files
- !4586 [th/gobj-doc-weakref] clear #GWeakRef earlier in
g_object_run_dispose() and reword docs about #GWeakRef
- !4588 gstring: carefully handle gssize parameters
- !4590 Various -Wsign-conversion warning fixes
- !4591 gthreadedresolver: fix crash in loopback interface check
- !4592 gstring: Make len_unsigned unsigned
- !4594 Enable -Wsign-conversion for girepository, gthread, gmodule
- !4596 docs: Mention how to run the test suite in CONTRIBUTING.md
- !4598 gtlsconnection: Fix annotation
- !4599 Mark pointer as (type gpointer)
- !4601 garray: Fix annotations
- !4602 docs: fix typo glong: ULONG_MAX -> LONG_MAX
- !4603 Fix GNetworkMonitorNetlink operation under a FreeBSD jail with shared
network stack
- !4604 cocoa: add support for GBytesIcon in notification backend
- !4605 gparamspecs: Use standard min/max constants rather than literals
- !4606 gobject, girepository: Fix several -Wsign-conversion warnings on macOS
- !4609 Update Portuguese translation
- !4610 Update Ukrainian translation
- !4613 Update macOS job for new CI runner
- !4615 shell: Handle empty comment gracefully
- !4619 gslist: Improve documentation for append / prepend / insert methods
- !4620 glocalfile: Disable faccessat()-based query_exists on Android
- !4621 gallocator: mark as deprecated
- !4627 [th/gsignalgroup-dispose] gsignalgroup: make GSignalGroup.dispose() a
bit more reentrant
- !4628 [th/gdataset-fix-zero-key] fix and cleanup related to using a zero
GQuark for keys in GData
- !4631 Update German translation
- !4632 win32: Only print one OS version
- !4633 gzlibcompressor: Convert docs to gi-docgen linking syntax
- !4638 docs: Fix formatting of definition lists
* Translation updates:
- Catalan (Jordi Mas)
- Danish (Ask Hjorth Larsen)
- French (Vincent Chatelain)
- German (Philipp Kiemle)
- Indonesian (Andika Triwidada)
- Persian (Danial Behzadi)
- Portuguese (Hugo Carvalho)
- Romanian (Antonio Marin)
- Turkish (Sabri Ünal)
- Ukrainian (Yuri Chornoivan)
2.84.1
* Fix test failure when building against gobject-introspection ≥1.83.4 (#3634,
work by Philip Withnall)
* Bugs fixed:
- #3630 2.84.0 build failure on Linux: ../gio/gnetworkmonitornetlink.c:47:10:
fatal error: netlink/netlink_route.h: No such file or directory (Philip
Withnall)
- #3634 test failure with gobject-introspection 1.83.4: warning: element
doc:format from state 3 is unknown, ignoring (Philip Withnall)
- #3636 gio/trash does not handle special characters well
- #3642 `g_cancellable_connect()` documentation incorrect (Marco Trevisan
(Treviño))
- #3643 g_cancellable_connect(): is it safe to unref cancellable from
callback? (Marco Trevisan (Treviño))
- #3649 Crash with some registry key values in GWin32AppInfo (Philip Withnall)
- !4484 Memory sanitizer fixes
- !4489 gobject: Be consistent in using atomic logic to handle the
GParamSpecPool
- !4541 gsettings: Port docs to gi-docgen format, add missing annotations and
make various improvements
- !4544 tests: Don't install runner scripts without installed_tests
- !4545 Update French translation
- !4547 Update Catalan translation
- !4548 Update Turkish translation
- !4551 Updated Danish translation
- !4552 Update Persian translation
- !4553 docs: Document GSignalFlags members added after 2.0
- !4554 Update Indonesian translation
- !4555 tests: Add a test for g_object_freeze_notify() being called too often
- !4557 gfileinfo: Slightly expand docs for
g_file_info_get_attribute_as_string()
- !4558 gi: Dynamically set doc-format
- !4561 tests: Various fixes to create temporary files in /tmp rather than the
build directory
- !4562 gdbusnameowning: Convert docs to gi-docgen linking syntax
- !4563 giounix-private: Fix macro for checking for epoll_create1()
- !4565 Fix LGPL in header
- !4567 gutils: make documentation of g_set_prgname() clearer
- !4568 docs: Add some detail
- !4569 Update Romanian translation
- !4570 gspawn-win32: Fix potential integer overflows in argv handling
- !4571 gvarianttype: Improve docs on type validation
* Translation updates:
- Catalan (Jordi Mas)
- Danish (Ask Hjorth Larsen)
- French (Vincent Chatelain)
- Indonesian (Andika Triwidada)
- Persian (Danial Behzadi)
- Romanian (Antonio Marin)
- Turkish (Sabri Ünal)
2.84.0
* Bugs fixed:
- #3590 Update Slovenian (sl) translation in glib
- !4539 Update Korean translation
- !4540 tests: Minor fixes to reference and stream-rw_all tests
- !4542 gdebugcontrollerdbus: Fix a minor typo in a code example in the docs
- !4543 Update Hungarian translation
* Translation updates:
- Hungarian (Balázs Úr)
- Korean (Changwoo Ryu)
- Slovenian (Martin)
2.83.5
* A few improvements for when GLib is used as a subproject (#3625, #3626, work
by Simon McVittie)
* Fix out-of-order parameters in a marshaller generated by `gdbus-codegen`
(!4524, work by Ryan Gonzalez)
* Bugs fixed:
- #3272 gutils-user-database test crashes in CI with G_DISABLE_ASSERT and -m
thorough (Philip Withnall)
- #3424 Update the release instructions (Philip Withnall)
- #3615 Use of timeout in GApplication example code (Reuben Thomas)
- #3625 when GLib is a subproject, check-missing-install-tag.py asserts that
the parent project has install tags (Simon McVittie)
- #3626 when GLib is a subproject and pcre2 is a subproject, pcre2's tests are
run (Simon McVittie)
- !4507 [th/gdataset-misc] minor improvements in gdataset.c (around
g_datalist_id_remove_multiple())
- !4508 [th/datalist-update-atomic-no-keyid] gdataset: drop "key_id" argument
from GDataListUpdateAtomicFunc
- !4509 tests: Search the appropriate directories for our GIR XML inputs
- !4510 doc: Simplify instructions for testing with Automake
- !4511 Update Georgian translation
- !4512 Update Czech translation
- !4513 [th/gobject-inline-private-call] gobject: avoid GLIB_PRIVATE_CALL()
for g_datalist_id_update_atomic
- !4514 Update Ukrainian translation
- !4515 doc: point to iconv(3) and iconv(3posix) for more details about iconv
- !4516 Update Bulgarian translation
- !4517 Update file fa.po
- !4518 Update Chinese translation
- !4521 docs: Fix man page link for xattrs
- !4522 Meson: Disable lint+no-valgrind tests when tests option is set to
false
- !4523 [th/gobj-performance-fixes] improvements and fixes for gobject's
`performance.c` benchmark
- !4524 gdbus-codegen: Fix callback GUnixFDList parameter order
- !4526 [th/gobj-performance-2] more improvements to GObject's `performance.c`
and add test "property-set-signaled"
- !4527 Updated Lithuanian translation
- !4529 Update Portuguese translation
- !4531 Update Swedish translation
- !4535 Update Galician translations
* Translation updates:
- Bulgarian (Alexander Shopov)
- Chinese (China) (lumingzh)
- Czech (AsciiWolf)
- Galician (Fran Diéguez)
- Georgian (NorwayFun)
- Lithuanian (Aurimas Černius)
- Persian (Danial Behzadi)
- Portuguese (Hugo Carvalho)
- Swedish (Anders Jonsson)
- Ukrainian (Yuri Chornoivan)
2.83.4
* Fix Python shebang paths so they work on Windows again (#3331, work by
Dan Yeaw and others)
* Fix refcounting semantics of `g_dbus_connection_register_object_with_closures()`
by adding a replacement API (#3560, work by Philip Withnall)
* Support static vfuncs in GIRepository (!4457, work by Philip Chimento)
* Add support for QNX8.0 (!4466, work by Felix Xing)
* Add a soft dependency on C11 — if your toolchain doesn’t support C11, you have
six months to tell us before this becomes a hard dependency (!4473)
* Port from `net.hadess.PowerProfiles` to `org.freedesktop.UPower.PowerProfiles`
for `GPowerProfileMonitorDBus` (!4478, work by Marco Trevisan)
* Bugs fixed:
- #3331 Windows build broken because of Python paths (Dan Yeaw)
- #3448 Use after free in GCancellableSource test (Marco Trevisan (Treviño))
- #3560 Fix refcounting semantics of
g_dbus_connection_register_object_with_closures() (Philip Withnall)
- #3578 gkeyfile: Honor C in $LANGUAGE as gettext does (Gaël Bonithon)
- #3587 g_app_info_launch crashes on macos (Andre Miranda)
- #3592 GDBusConnection does not handle serial number overflow (Philip
Withnall)
- #3595 Toolchain documentation should mention that GLib assumes functions can
be called through wrongly-typed function pointers (Demi Obenour)
- #3612 cancellable unit test crashes in /cancellable-source/threaded-dispose
(Marco Trevisan (Treviño))
- #3613 Potentially revert g_win32_com_clear() due to pulling in windows.h
- !3255 Drop TypeNode reference counting
- !4046 Add G_OPTION_FLAG_DEPRECATED
- !4457 Support static vfuncs in GIRepository
- !4461 docs: Update the release documentation for the new release workflow
- !4464 gosxappinfo: Fix leak
- !4466 Add support for QNX8.0
- !4468 Registry backend fixes
- !4471 glib.supp: Ignore once-per-thread leak from SysprofCollector
- !4472 gkeyfile: Convert docs to gi-docgen linking syntax
- !4473 build: Add a soft dependency on C11
- !4475 docs: Fix invalid references and broken links
- !4476 tests: Cleanup python tests and add tests for gi-compile-repository
and gi-inspect-typelib
- !4477 gcancellable: remove sketchy source ref/unref
- !4478 gio/powerprofilemonitordbus: Use newer D-Bus API
- !4479 docs: Make docs more markdown-ish
- !4483 tests: Fix a memory leak if a callable-info test is skipped
- !4486 meson: Fix typo in comment about python shebang
- !4487 gio/gfilemonitor: Use atomic API to get / store cancelled state
- !4488 gmain: Use atomic logic to handle internal GSource flags
- !4490 gio/subprocess: Lock while writing on shared pid and status values
- !4491 Update Brazilian Portuguese translation
- !4492 gfilemonitor: Various cleanups and minor fixes to property handling
- !4493 gdbus: Add g_clear_dbus_signal_subscription() inline convenience
function
- !4494 gio/subprocess: Initialize pid variable to 0
- !4495 gio/gvolumemonitor: Suggest disconnecting signals
- !4496 Update Polish translation for GNOME 48
- !4497 tests: Fix a minor leak in a new GSubprocess test
- !4498 gdatetime: Fix integer overflow when parsing very long ISO8601 inputs
* Translation updates:
- Polish (Piotr Drąg)
- Portuguese (Brazil) (Rafael Fontenelle)
2.83.3
* Fix build-time paths appearing in generated `Gio-2.0.gir` and
`GioUnix-2.0.gir` files (#3564, work by Simon McVittie)
* Fix crash on macOS when opening links (#3568, work by John Ralls)
* Bugs fixed:
- #3558 Recent `(inout)` changes caused unintended side-effects with
`GWeakRef` (Michael Catanzaro)
- #3561 Missing nullable annotation on parameter user_data and on the return
value of GVfsFileLookupFunc callback (fbrouille)
- #3562 GBytes semantics of handling empty strings are inconsistent and
confusing (Philip Withnall)
- #3563 Bad anchor link in g_signal_connect() documentation
- #3564 build-time paths to gio/gunixmounts.h, etc. end up in Gio-2.0.gir,
GioUnix-2.0.gir (Simon McVittie)
- #3568 Links crash application on MacOS due to lack of machine-id file (John
Ralls)
- #3569 Requirement of GUnixMountMonitor for a Valid Timestamp from
unix_mount_at is not Sufficiently Documented (Philip Withnall)
- #3582 gmacros: _G_BOOLEAN_EXPR_IMPL is incompatible with c++ functions
marked constexpr
- !3885 [th/gdataset-index] add a lookup index (GHashTable) to `GData`
- !4392 GWin32: Add g_win32_com_clear()
- !4436 docs: Add --generate-md to the gdbus-codegen documentation
- !4437 docs: Fix some backslash escaping issues in doc comments
- !4440 gio, gobject: Improve reproducibility of enumtypes headers
- !4441 gstrfuncs: Drop a redundant paragraph
- !4442 Don't define test setups unless we're testing
- !4443 build: Make the introspection feature yield
- !4444 Fix pointer-to-paramref syntax in docs
- !4446 gio: Fix a link to a specifications document
- !4449 Add several assertions to help static analysis and fix some GIR
annotations
- !4450 Fix GCC version detection for GUINT*_SWAP_LE_BE
- !4454 gioenums: Add deprecation for FLAGS_NONE
- !4455 docs: Use gi-docgen syntax in main-loop.md
- !4458 docs: Document more extension points
- !4460 docs: Clarify that g_array_unref() works like g_ptr_array_unref().
2.83.2
* This release has the same code as 2.83.1, but contains a fix for release
archive generation which means that 2.83.1 does not have a release archive
* Bugs fixed:
- !4433 ci: Enable -Dintrospection for dist builds
2.83.1
* Bugs fixed:
- #1251 gio/tests/contenttype fails on OS X: "public.directory" !=
"public.folder"
- #3441 Bump minimum supported version of macOS (John Ralls)
- #3493 Heap buffer overflow read in utf8_verify_ascii() (Philip Withnall)
- #3511 Build failure “'ifunc' is not supported on this target” with muslc
(Philip Withnall)
- #3517 Silent linked-list corruption in g_static_resource_init() on redundant
calls
- #3524 Wrong parameter type for g_enum_register_static in GObject-2.0.gir
(Jan-Willem Harmannij)
- #3526 Segfault in statically linked binary during initialization of ifuncs
since 2.83.0 (Philip Withnall)
- #3532 g_converter_output_stream_write() can return 0 (Benjamin Otte)
- #3540 g_signal_connect on "notify::non-existant-property" doesn't warn for
invalid property (Sid)
- #3545 Modernize the default value for g_thread_pool_set_max_unused_threads
(Matthias Clasen)
- #3546 Make the thread name available (Matthias Clasen)
- #3548 Fix g_settings_schema_has_key() to work with extended schemas
- #3552 Missing nullable annotation for `log_domain` in `GLogFunc` callback
(Roberto Leinardi)
- #3559 2.82.3 regression: lollypop crashes on startup (Philip Withnall)
- !4232 refstring: Fix race between releasing and re-acquiring an interned
GRefString
- !4382 girepository: gi_object_info_find_signal(): Avoid repeated allocations
- !4384 test utils: Make nonfatal assertions an option
- !4385 gutf8: Skip ASan instrumentation for load_word
- !4389 macos: Add extra content type tests
- !4393 Replace procfs linuxism with kinfo freebsdism
- !4395 appmonitor: Fix warning building test
- !4396 tests: Factor out a function to convert FD to path
- !4398 grefstring: Mark a variable as potentially unused
- !4399 meson: Add variables to -uninstalled.pc files
- !4401 testutils: Documentation improvements
- !4403 Revert "CI: Rebuild a slightly newer version of ninja for debian-
stable-i386"
- !4406 glib/gbytes: Be more careful when saving a GBytes of NULL
- !4407 guri: Fix paths starting with ‘//’ when parsing
- !4410 threadpool: Simplify pool thread naming
- !4411 gdbusconnection: Allow creating connection with cross-namespace
- !4412 gmessages: Treat DEBUG_INVOCATION=1 same as G_MESSAGES_DEBUG=all
- !4413 gunicode: Update some comments in gunicode.h for Unicode 16.0.0
- !4414 gdbus: Add a few missing `(nullable)` annotations to GDBus method
invocation related functions
- !4415 gdbus: Fix leak of method invocation when registering an object with
closures
- !4421 gparam: Add link to constructed vfunc to CONSTRUCT
- !4422 docs: Fix dead link in CONTRIBUTING
- !4423 gio-tool: Clarify that `gio mount -l` only lists user-interesting
things
- !4424 ci: Ensure all variables are quoted in .gitlab-ci.yml
- !4425 tests: Skip unsupported dbus-appinfo test on GNU/Hurd for the moment
- !4428 girepository: Expose gi-compile-repository and gi-* tools in pkg-
config
- !4429 gdbus: Add nullable annotations for fd list outs
- !4432 ci: Add release component to automate tarball publishing
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 13:22:16 +0000 (15:22 +0200)]
protobuf: Update to version 32.1
- Update from version 30.2 to 32.1
- Update of rootfile
- Changelog
32.1
Compiler
Ship all option dependencies to plugins along with regular ones. (34d6c85)
Unify plugin and built-in generators to use request/response interface
(b98f6ee)
Disable symbol visibility enforcement by default in C++ runtime (aad0daa)
C++
Disable symbol visibility enforcement by default in C++ runtime (aad0daa)
Java
Fix handling of optional dependencies in java generator. (892e0d5)
Restore Protobuf Java extension modifiers in gencode that were previously
removed in 7bff169 (4a18be6)
Restore ABI compatibility for extension methods which was previously
(knowingly) broken with 4.x: 94a2a44 (501f4a5)
Cherrypick test improvements (d365736)
Fix handling of optional dependencies in java generator. (9325480)
Ship all option dependencies to plugins along with regular ones. (34d6c85)
Unify plugin and built-in generators to use request/response interface
(b98f6ee)
Csharp
Regenerate stale files (299774c)
PHP
Fix: remove provide from composer.json (bc5f303)
32.0
Bazel
Migrates some Java test protos using java_features.proto to edition 2024
(6f4a990)
Add generated message reflection unittest for import option and
option_deps test proto in edition 2024. (c51df73)
Replace the usage of cc_info.debug_context with _debug_context (776c5f2)
Generate .pyi files in py_proto_library (#10366) (#21567) (e3e56c7)
Introduce denylisted_protos as a preferred replacement for
blacklisted_protos attribute. (795ab9d)
Use native.proto_library for Bazel 7 and explicitly error for Bazel 6
which is incompatible and out of support. (da0077e)
Require ProtoInfo provider instead of proto_library rule for bazel
cc_proto_library deps. (639f1c9)
Compiler
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Deprecate google.protobuf.Method.syntax and google.protobuf.Method.edition
(9ec241e)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Ban import weak and weak field option in edition 2024 in protoc (parser
and c++ runtime). (a2a0511)
C++
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Add generated message reflection unittest for import option and
option_deps test proto in edition 2024. (c51df73)
Remove the flag requirement for Bazel+MSVC users. (c6ba697)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Cast GetCachedTID() to unsigned to prevent left-shifting a negative
number. (3e935cf)
Update comment at the top of message.h and message_lite.h to document that
it should only be extended by gencode and not user code. (6a6ba52)
Treat warnings encountered in chromium builds as errors. (21c3c53)
Ban import weak and weak field option in edition 2024 in protoc (parser
and c++ runtime). (a2a0511)
Java
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Remove CollectExtensions check banning unknown custom options since
unknown custom options are now expected when using import option and
option_deps which exclude the options from the "builder" pool
(aka "import" pool). (694eedd)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Migrates some Java test protos using java_features.proto to edition 2024
(6f4a990)
Restore compatibility of runtime with pre-3.22.x gencode impacted by
CVE-2022-3171 (adf556f)
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Restore the long-deprecated static functions on TextFormat. (5777d3b)
Add Kotlin class name helpers to names.h (527b2ab)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Update Java gencode base class documentation to clarify that it is not
supported to extend them. (c3177fb)
Add a FieldMaskUtil#trim overload that accepts TrimOptions and allows
retaining unset primitive field state. (84c5b63)
Csharp
Update staleness (0014173)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Include also ARM build of protoc in nuget package (#21568) (c2b4040)
Improve C# handling of Any JSON serialization/deserialization (dc4e429)
Objective-C
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Rust
Rust: remove DEP_UPB_VERSION check in codegen crate (#22764) (6f6012a)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Update Rust generator to output minidescriptors instead of C minitables
(1b4b5fc)
Add [clear_and_]parse_dont_enforce_required() to Rust protobuf. (e2fd7a0)
Add #[non_exhaustive] on the oneof-case enum (aba2075)
Impl Clone for RepeatedIter (aca1ed5)
See also UPB changes below, which may affect Rust.
Python
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Raise warnings for float_precision from python json_format. (#23042)
(1a7e012)
Raise warnings when assign bool to int/enum (#23030) (0b25f7b)
Update python edition default maximum edition to 2024 (#22889) (72abf95)
Make protobuf codebase compatible with
--incompatible_config_setting_private_default_visibility (#22745)
(5e2838e)
Add Python deprecation warnings for Descriptor Label. (64a76e6)
Updating setuptools to patch CVE-2025-47273 (#22094) (508aba1)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Extend gencode compatibility support back to 3.20.0 (1af7fd4)
Change proto_api work with custom pool for upb and pure python. (49d9e2d)
Python pyi print "import datetime" for Duration/Timestamp field (f59b84a)
Add reference leak check to Python well_known_types_test. Fix two refleak
bugs. (e5f9ab4)
Add reference leak check to Python timestamp_test and duration_test. Fix a
refleak bug when assign datetime/duration to Timestamp/Duration (e004c8b)
Add recursion depth limits to pure python (17838be)
Remove calls to Label within Protobuf Python. (f69180a)
Change Python .pyi stubs to generated _Optional[] for bool fields same
with (6972464)
Remove internal/api_implementation.Version() (cbad456)
Fix python proto_api to work with messages that required fields are not
set. (f63ed55)
Fix python upb crashes on map/repeated reference stub destructor (4274909)
Mark Py JSON float_precision deprecated. (727a8ed)
PHP
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Fix(php): use count instead of ->count() to avoid bug in c-extension
(9fbce62)
[php][compiler][ext] - Add missing has* methods and other well known types
(#20636) (01a7429)
Fix PHP 8.4 deprecation in GPBDecodeException (#21232) (676666e)
PHP C-Extension
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Change 'getLabel is deprecated' to E_USER_DEPRECATED (158d8ac)
[php][compiler][ext] - Add missing has* methods and other well known types
(#20636) (01a7429)
See also UPB changes below, which may affect PHP C-Extension.
Ruby
Make protobuf codebase compatible with
--incompatible_config_setting_private_default_visibility (#22745)
(5e2838e)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Fix silent failure of rb_test rules to run test (#21733) (4f74764)
Ruby C-Extension
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Removed wrap_memcpy.c compatibility shim for pre-2.14 glibc (4ba9733)
See also UPB changes below, which may affect Ruby C-Extension.
UPB (Python/PHP/Ruby C-Extension)
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Make protobuf codebase compatible with
--incompatible_config_setting_private_default_visibility (#22745)
(5e2838e)
Add upb_Message_SetExtensionMessage as a helper for setting an extension
field that is a message. This is the extension equivalent of
upb_Message_SetBaseFieldMessage. (f15d28a)
Other
Update github major version tags to be formatted v..- for clarity (e001d57)
Upgrade Abseil dependency to 20250512.1 (ee68ed1)
Patch rules_ruby to apply neverlink = True to the jars rule (#21416)
(88e11bd)
31.1
Compiler
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
C++
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
Java
Add missing copts attribute (#21982) (bec5b5a)
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
Python
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
Python pyi print "import datetime" for Duration/Timestamp field (#21885)
(0fe099a)
Add recursion depth limits to pure python (a3921fb)
Other
Fix cmake staleness test (96a9ef6)
31.0
Bazel
Loosen py_proto_library check to be on the import path instead of full
directory (i.e. excluding external/module-name prefix). (a4be867)
Compiler
Add support for import option for protoc. (9901db6)
Add notices.h with information about our dependencies' licenses and add
--notices flag to protoc to print the contents of that file. (7a26486)
Move upb minitable code generator into protoc (dce6b0f)
Upgrade abseil-cpp to 20250127 and use @com_google_absl -> @abseil-cpp and
com_google_googletest -> @googletest canonical BCR names. (ba6b54d)
C++
Remove fast-path check for non-clang compilers in MessageCreator. (aa5410d)
Add missing include. (d390631)
Add weak attribute to GetClassData to speed up clang builds. (d896480)
Add nontemporal software prefetcher to repeated ptr field dtor to improve
performance. (73f3469)
Warn on unused RepeatedPtrField. (683e9d2)
Add notices.h with information about our dependencies' licenses and add
--notices flag to protoc to print the contents of that file. (7a26486)
Fix a bug in handling of implicit-presence string_view fields. (bd70a7c)
Control bounds checks via BUILD flags. (d21e8ef)
Upgrade abseil-cpp to 20250127 and use @com_google_absl -> @abseil-cpp and
com_google_googletest -> @googletest canonical BCR names. (ba6b54d)
Create hardened versions of Get and Mutable for repeated_field. (ffade4a)
Java
Add weak attribute to GetClassData to speed up clang builds. (d896480)
Use ProtobufToStringOutput to control the output format of
AbstractMessage.Builder.toString. (f5cb162)
Implement Protobuf Java Immutable API nest_in_file_class feature for
Edition 2024. (0416c3e)
Introduce a Generated annotation to eventually replace
javax.annotation.Generated (31e57fc)
Add volatile to featuresResolved (9e03ca5)
Fix Java concurrency issue in feature resolution for old <=3.25.x gencode
using lazy feature resolution. (fafb0fd)
Remove Java runtime classes from kotlin release. (079be27)
Split maven dependencies into dev vs local (#20549) (e045fc6)
Improve error messaging when detecting and erroring out on integer
overflow of byte count limit variables. (097fdb8)
Kotlin
Remove Java runtime classes from kotlin release. (079be27)
Csharp
Remove "experimental API" warnings from members in the .NET protobuf
runtime. (afea52f)
Improve performance of repeated packed fixedSize fields (#19667) (85507b9)
Objective-C
[ObjC] Deprecate GPBFieldDescriptor.isOptional. (86ab252)
[ObjC] Raise the library version and enable new generated code. (a639cf8)
Rust
Cherry-pick Rust fix to 31.x (#21617) (01b42bb)
Add upb_Map_GetMutable API to upb (dd5bf5e)
See also UPB changes below, which may affect Rust.
Python
Update GetCurrentTime to use datetime.datetime.now (01b154c)
Make Py JSON float_precision apply to both float and double fields. (5b54ee3)
Add '+' and '-' annotations for Timestamp and Duration in Python (fff783e)
Bug fix for FieldMask.MergeFrom() with unset fields. (1c87ac3)
Make python text_format able to skip unknown fields for repeated messages
(dcafca2)
Fix segment fault for UPB Python 'in' method of empty repeated extensions
(da04261)
Fix upb to escape DefinitelyNeedsEscape (like " and ') for bytes field
(b234305)
Check with fallback descriptorDB for
FindExtensionByNumber()/FindAllExtensions in UPB python pool. (9fd28d9)
Add clear() method to repeated fields in Python. (0324f39)
Register Scalar/MessageMapContainerTypes as virtual subclasses of (9a0b591)
Fix python codegen crash when C++ features are used. (308aaf4)
Add more detail to the comment for GetMessageClassesForFiles (9befb58)
Add constructing unpack routine to Python Protobuf Any API. (fb78c09)
Implement typing for proto Timestamp/Duration assignments. (0e3326b)
PHP
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Feat(php): improve return typehint when repeatedfield (#11734) (e04fe69)
PHP C-Extension
Automated rollback of commit f9863df. (#21355) (a59988c)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Feat(php): improve return typehint when repeatedfield (#11734) (e04fe69)
See also UPB changes below, which may affect PHP C-Extension.
Ruby
Fix silent failure of rb_test rules to run test (#21733) (0cf5489)
Ruby | Add support for a protobuf debug build (#21060) (59e1f0f)
Ruby | Support installing the gem via git and some other small build
tweaks (#21061) (d3560e7)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
[Ruby]Implement #to_hash for message classes (#20866) (5596f6d)
Drop Ruby 3.0 (5de7c80)
Fixes #18726 by backslash escaping descriptor data containing # if the
hashmark appears immediately before any of $, {, or @. (fffa3da)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Ruby: fix bug in Map.hash (b968d0d)
Ruby C-Extension
Ruby | Add support for a protobuf debug build (#21060) (59e1f0f)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Ruby: fix bug in Map.hash (b968d0d)
See also UPB changes below, which may affect Ruby C-Extension.
UPB (Python/PHP/Ruby C-Extension)
Fixed LTO-only linker error in upb linker arrays. (3434a21)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Add upb_Map_GetMutable API to upb (dd5bf5e)
Fix upb to escape DefinitelyNeedsEscape (like " and ') for bytes field
(b234305)
Upb: delete functions in map_gencode_util. They're unused after the Map
iterator API change. (f398807)
Upb: Update _upb_map_next signature to return a boolean and remove the
_nextmutable Map iterator API. (e4cdf44)
Change upb C generated map iteration function to not hand out MapEntry
pointers. (3a3d697)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Expose the upb_ByteSize function to upb clients. Note that the current
naive implementation is no more efficient than serializing the message
yourself and noting the resulting size. (121fdaa)
Move upb minitable code generator into protoc (dce6b0f)
Tolerate message set extensions encoded as normal delimited submessages
(c63fd56)
Automated rollback of commit 6bde8c4. (8ef81fb)
Fix UPB fast table build. (46f9e29)
Other
Patch rules_ruby to apply neverlink = True to the jars rule (#21416)
(#21505) (664d94a)
Restore JDK8 compatibility in Bazel for libraries with dependencies from
Maven (e.g. //java/util) (e8edc5d)
Protobuf: add //:go_features_proto Bazel alias (f79be3e)
Fixes -lpthread problem when building with android_arm64 config (#20337)
(4f5968a)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:56:31 +0000 (14:56 +0200)]
pango: Update to version 1.57.0
- Update from version 1.56.4 to 1.57.0
- Update of rootfile
- Changelog
1.57.0
Bugs fixed:
- #841 Synthetic small caps does not work with Core Text on Mac (Xavid
Pretzer)
- #864 Possible performance issue under windows (Luca Bacci)
- #866 U+FE0E (text-style selector) ignored when COLRv1 emoji fonts are
present (Matthias Clasen)
Changes:
- !874 Remove conditional code for pre-GLib 2.80 support
- !875 Fix OpenType features set for all petite caps
- !876 Add Cocoa window support for pango-view on macOS
- !877 fc: Update against fontconfig 2.17
- !878 coretext: remove fallback for macOS 10.7 (EOL 2012) and earlier
- !879 meson: Rework introspection handling
- !881 Fix -Wenum-conversion warning with PangoFontColor
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>