Adolf Belka [Tue, 20 Jan 2026 16:33:11 +0000 (17:33 +0100)]
libjpeg: Update to version 3.1.3
- Update from version 3.1.1 to 3.1.3
- No change to rootfile
- Changelog
3.1.3
Significant changes relative to 3.1.2:
1. Hardened the TurboJPEG API against hypothetical applications that may
erroneously call `tj*Compress*()` or `tj*Transform()` with a reused JPEG
destination buffer pointer while specifying a destination buffer size of 0.
2. Hardened the TurboJPEG API against hypothetical applications that may
erroneously set `TJPARAM_LOSSLESS` or `TJPARAM_COLORSPACE` prior to calling
`tj3EncodeYUV*8()` or `tj3CompressFromYUV*8()`. `tj3EncodeYUV*8()` and
`tj3CompressFromYUV*8()` now ignore `TJPARAM_LOSSLESS` and
`TJPARAM_COLORSPACE`.
3. Hardened the TurboJPEG Java API against hypothetical applications that may
erroneously pass huge X or Y offsets to one of the compression, YUV encoding,
decompression, or YUV decoding methods, leading to signed integer overflow in
the JNI wrapper's buffer size checks that rendered those checks ineffective.
4. Fixed an issue in the TurboJPEG Java API whereby
`TJCompressor.getSourceBuf()` sometimes returned the buffer from a previous
invocation of `TJCompressor.loadSourceImage()` if the target data precision was
changed before the most recent invocation.
5. Fixed an issue in the PPM reader that caused incorrect pixels to be
generated when using `tj3LoadImage*()` or `TJCompressor.loadSourceImage()` to
load a PBMPLUS (PPM/PGM) file into a CMYK buffer with a different data
precision than that of the file.
3.1.2
Significant changes relative to 3.1.1:
1. Fixed a regression introduced by 3.1 beta1[5] that caused a segfault in
TJBench if `-copy` or `-c` was passed as the last command-line argument.
2. The build system now uses wrappers rather than CMake object libraries to
compile source files for multiple data precisions. This improves code
readability and facilitates adapting the libjpeg-turbo source code to non-CMake
build systems.
3. Fixed an issue whereby decompressing a 4:2:0 or 4:2:2 JPEG image with merged
upsampling disabled/one-pass color quantization enabled, then reusing the same
API instance to decompress a 4:2:0 or 4:2:2 JPEG image with merged upsampling
enabled/color quantization disabled, caused `jpeg_skip_scanlines()` to use
freed memory. In practice, the freed memory was not reclaimed before it was
used. Thus, this issue did not cause a segfault or other user-visible errant
behavior (it was only detectable with ASan), and it did not likely pose a
security risk.
4. The AArch64 (Arm 64-bit) Neon SIMD extensions and accelerated Huffman codec
now support the Arm64EC ABI on Windows, which allows Windows/x64 applications
to call native Arm64 functions when running under the Windows/x64 emulator on
Windows/Arm.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 Jan 2026 16:33:10 +0000 (17:33 +0100)]
libcap-ng: Update to version 0.9
- Update from version 0.8.5 to 0.9
- No change to rootfile
- Changelog
0.9
This release contains a significant new utility, cap-audit. Its purpose is to
audit the use of capabilities of a target program. When the program ends or
Ctrl-C stops it, a report is generated about what was used. This can then be
used to lower capabilities instead of running as root.
Other changes in the release include:
Fix python path when invoking py-compile (Jan Palus)
Drop python2 bindings (Rudi Heitbaum)
Optimize capability name translation lookups
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 Jan 2026 16:33:09 +0000 (17:33 +0100)]
libarchive: Update to version 3.8.5
- Update from version 3.8.3 to 3.8.5
- Update of rootfile
- Changelog
3.8.5
Notable bugfixes:
bsdtar: fix regression from 3.8.4 zero-length pattern issue bugfix (#2809)
various small bugfixes in code and documentation
3.8.4
Notable bugfixes:
bsdtar: Fix zero-length pattern issue (#2787)
lib: Fix regression introduced in libarchive 3.8.2 when walking enterable
but unreadable directories (#2797)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 Jan 2026 16:33:07 +0000 (17:33 +0100)]
curl: Update to version 8.18.0
- Update from version 8.17.0 to 8.18.0
- No change to rootfile
- Changelog
8.18.0
Changes:
build: drop support for VS2008 (Windows)
build: drop Windows CE / CeGCC support
gnutls: drop support for GnuTLS < 3.6.5
gnutls: implement CURLOPT_CAINFO_BLOB
openssl: bump minimum OpenSSL version to 3.0.0
Bugfixes:
_PROGRESS.md: add the E unit, mention kibibyte
alt-svc: more flexibility on same destination
altsvc: accept ma/persist per alternative entry
altsvc: make it one malloc instead of three per entry
AmigaOS: increase minimum stack size for tool_main
apple sectrust: fix ancient evaluation
apple-sectrust: always ask when `native_ca_store` is in use
asyn-ares: handle Curl_dnscache_mk_entry() OOM error
asyn-ares: remove hostname free on OOM
asyn-thrdd: fix Curl_async_getaddrinfo() on systems without getaddrinfo
asyn-thrdd: release rrname if ares_init_options fails
auth: always treat Curl_auth_ntlm_get() returning NULL as OOM
autotools: add nettle library detection via pkg-config (for GnuTLS)
autotools: drop autoconf <2.59 compatibility code (zz60-xc-ovr)
autotools: fix LargeFile feature display on Windows (after prev patch)
autotools: tidy-up `if` expressions
badwords: add fist -> first, fix fallouts
badwords: catch and fix threading-related words
badwords: fix issues found in scripts and other files
badwords: fix issues found in tests
build: add build-level `CURL_DISABLE_TYPECHECK` options
build: exclude clang prereleases from compiler warning options
build: replace `-pedantic` with `-Wpedantic` when supported
build: set `-Wno-format-signedness`
build: tidy-up MSVC CRT warning suppression macros
ccsidcurl: make curl_mime_data_ccsid() use the converted size
cf-h1-proxy: support folded headers in CONNECT responses
cf-https-connect: allocate ctx at first in cf_hc_create()
cf-socket: drop feature check for `IPV6_V6ONLY` on Windows
cf-socket: enable Win10 `TCP_KEEP*` options with old SDKs
cf-socket: limit use of `TCP_KEEP*` to Windows 10.0.16299+ at runtime
cf-socket: return OOM error if socket() fails due to OOM
cf-socket: trace ignored errors
cfilters: make conn_forget_socket a private libssh function
checksrc.pl: detect assign followed by more than one space
cmake: adjust defaults for target platforms not supporting shared libs
cmake: define dependencies as `IMPORTED` interface targets
cmake: delete unused file `CMake/CMakeConfigurableFile.in`
cmake: disable `CURL_CA_PATH` auto-detection if `USE_APPLE_SECTRUST=ON`
cmake: fix `ws2_32` reference in `curl-config.cmake`
cmake: honor `CURL_DISABLE_INSTALL` and `CURL_ENABLE_EXPORT_TARGET`
cmake: replace deprecated `OPENSSL_FOUND` with `OpenSSL_FOUND`
cmake: replace deprecated `PERL_FOUND` with `Perl_FOUND`
cmake: save and restore `CMAKE_MODULE_PATH` in `curl-config.cmake`
cmake: set found status to OFF when not found (for compression deps)
code: minor indent fixes before closing braces
CODE_STYLE.md: sync banned function list with checksrc.pl
compressed.md: might generate a huge amount of bytes
config-win32.h: delete obsolete, non-Windows comments
config-win32.h: drop unused/obsolete `CURL_HAS_OPENLDAP_LDAPSDK`
config2setopts: add space in cookie header with multiple -b
config2setopts: bail out if curl_url_get() returns OOM
config2setopts: exit if curl_url_set() fails on OOM
configure: delete unused variable
conncache: silence `-Wnull-dereference` on gcc 14 RISC-V 64
conncontrol: reuse handling
connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition'
connection: attached transfer count
content_encoding: avoid strcpy
cookie: return proper error on OOM
cookie: allocate the main struct once cookie is fine
cookie: flush better
cookie: only keep and use the canonical cleaned up path
cookie: propagate errors better, cleanup the internal API
cookie: return error on OOM
cookie: when parsing a cookie header, delay all allocations until okay
cshutdn: acknowledge FD_SETSIZE for shutdown descriptors
curl: fix progress meter in parallel mode
curl_fopen: do not pass invalid mode flags to `open()` on Windows
curl_gssapi: make sure Curl_gss_log_error() has an initialized buffer
curl_ntlm_core: fix DES_* symbols for some wolfSSL builds
curl_quiche: refuse headers with CR, LF or null bytes
curl_sasl: if redirected, require permission to use bearer
curl_sasl: make Curl_sasl_decode_mech compare case insensitively
curl_setup.h: document more funcs flagged by `_CRT_SECURE_NO_WARNINGS`
curl_setup.h: drop stray `#undef stat` (Windows)
curl_setup.h: drop superfluous parenthesis from `Curl_safefree` macro
curl_threads: don't do another malloc if the first fails
curl_trc: delete unused DoH remains
CURLINFO: remove 'get' and 'get the' from each short desc
CURLINFO_SCHEME/PROTOCOL: they return the "scheme" for a "transfer"
CURLINFO_TLS_SSL_PTR.md: remove CURLINFO_TLS_SESSION text
CURLMOPT_SOCKETFUNCTION.md: fix the callback argument use
CURLOPT_ACCEPT_ENCODING.md: warn about the expansion
CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/
CURLOPT_HAPROXY_CLIENT_IP.md: emphasize reused connection use
CURLOPT_READFUNCTION.md: clarify the size of the buffer
CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example
curlx/fopen: replace open CRT functions with their `_s` counterparts
(Windows)
curlx/multibyte: stop setting macros for non-Windows
curlx/strerr: use `strerror_s()` on Windows
curlx: add `curlx_rename()`, fix to support long filenames on Windows
curlx: curlx_strcopy() instead of strcpy()
curlx: limit use of system allocators to the minimum possible
curlx: replace `mbstowcs`/`wcstombs` with `_s` counterparts (Windows)
curlx: replace `sprintf` with `snprintf`
curlx: use curl alloc in `curlx_win32_stat()` (Windows)
curlx: use curlx allocators in non-memdebug builds (Windows)
DEPRECATE: add CMake <3.18 deprecation for April 2026
digest: fix OWS and escaped quote handling
digest_sspi: fix a memory leak on error path
digest_sspi: properly free sspi identity
DISTROS.md: add OpenBSD
DISTROS: fix a Mageia URL
DISTROS: remove broken URLs for buildroot
doc: some returned in-memory data may not be altered
Dockerfile: update debian:bookworm-slim digest to e899040
docs/libcurl: fix C formatting nits
docs: add a note about --compressed to note about binary output
docs: clarify how to do unix domain sockets with SOCKS proxy
docs: fix checksrc `EQUALSPACE` warnings
docs: fix time_posttransfer output unit as seconds
docs: mention umask need when curl creates files
docs: remove dead URLs
docs: rename CURLcode variables to 'result'
docs: spell it Rustls with a capital R
docs: switch more URLs to https://
docs: use .example URLs for proxies
docs: use mresult as variable name for CURLMcode
escape: add a length check in curl_easy_escape
example: fix formatting nits
examples/crawler: fix variable
examples/multi-uv: fix invalid req->data access
examples/threaded-ssl: delete in favor of `examples/threaded`
examples/threaded: fix race condition
examples: fix minor typo
examples: make functions/data static where missing
examples: tidy-up headers and includes
examples: use 64-bit `fstat` on Windows
FAQ/TODO/KNOWN_BUGS: convert to markdown
FAQ: fix hackerone URL
file: do not pass invalid mode flags to `open()` on upload (Windows)
formdata: validate callback is non-NULL before use
ftp: make EPRT connections non-blocking
ftp: refactor a piece of code by merging the repeated part
ftp: remove #ifdef for define that is always defined
ftp: return better on OOM in two places
ftp: return from ftp_state_use_port immediately on OOM
getenv: drop internal 1-to-1 wrapper
getinfo: improve perf in debug mode
gnutls: add PROFILE_MEDIUM as default
gnutls: report accurate error when TLS-SRP is not built-in
gtls: add return checks and optimize the code
gtls: Call keylog_close in cleanup
gtls: skip session resumption when verifystatus is set
h2/h3: handle methods with spaces
headers: add length argument to Curl_headers_push()
hostcheck: fail wildcard match if host starts with a dot
hostip.h: drop redundant `setjmp.h` include
hostip: don't store negative lookup on OOM
hostip: make more functions return CURLcode
hostip: only store negative response for CURLE_COULDNT_RESOLVE_HOST
hsts: propagate and error out correctly on OOM
hsts: use one malloc instead of two per entry
http: acknowledge OOM errors from Curl_input_ntlm
http: avoid two strdup()s and do minor simplifications
http: error on OOM when creating range header
http: fix OOM exit in Curl_http_follow
http: handle oom error from Curl_input_digest()
http: replace atoi use in Curl_http_follow with curlx_str_number
http: return OOM errors from hsts properly
http: the :authority header should never contain user+password
http: unfold response headers earlier
idn: avoid allocations and wcslen on Windows
idn: clarify null-termination on Windows
idn: fix memory leak in `win32_ascii_to_idn()`
idn: use curlx allocators on Windows
imap: check buffer length before accessing it
imap: make sure Curl_pgrsSetDownloadSize() does not overflow
inet_ntop: avoid the strlen()
INSTALL-CMAKE.md: document static option defaults more
krb5: fix detecting channel binding feature
krb5_sspi: unify a part of error handling
ldap: call ldap_init() before setting the options
ldap: drop PP logic for old, unsupported, Windows SDKs
ldap: improve detection of Apple LDAP
ldap: provide version for "legacy" ldap as well
lib/sendf.h: forward declare two structs
lib: cleanup for some typos about spaces and code style
lib: create unitprotos.h in the builddir, not srcdir
lib: drop unused or duplicate `curlx/timeval.h` includes
lib: drop unused protocol headers
lib: eliminate size_t casts
lib: error for OOM when extracting URL query
lib: fix formatting nits (part 2)
lib: fix formatting nits (part 3)
lib: fix formatting nits
lib: fix gssapi.h include on IBMi
lib: name the main CURLMcode variable 'mresult'
lib: refactor the type of funcs which have useless return and checks
lib: replace `_tcsncpy`/`wcsncpy`/`wcscpy` with `_s` counterparts (Windows)
lib: timer stats improvements
lib: use `SOCKET_WRITABLE()`/`SOCKET_READABLE()` where possible
libssh2: add paths to error messages for quote commands
libssh2: cleanup ssh_force_knownhost_key_type
libssh2: consider strdup() failures OOM and return correctly
libssh2: replace atoi() in ssh_force_knownhost_key_type
libssh: fix state machine loop to progress as it should
libssh: properly free sftp_attributes
libssh: require private key or user-agent for public key auth
libssh: set both knownhosts options to the same file
libtests: replace `atoi()` with `curlx_str_number()`
limit-rate: add example using --limit-rate and --max-time together
localtime: detect thread-safe alternatives and use them
m4/sectrust: fix test(1) operator
manage: expand the 'libcurl support required' message
mbedTLS: cleanup insecure/deprecated code
mbedtls: fix potential use of uninitialized `nread`
mbedtls: sync format across log messages
mbedtls_threadlock: avoid calloc, use array
mdlinkcheck: ignore IP numbers, allow '@' in raw URLs
mdlinkcheck: only look for markdown links in markdown files
memdebug: add mutex for thread safety
memdebug: fix realloc logging
mk-ca-bundle.md: the file format docs URL is permaredirected
mk-ca-bundle.pl: default to SHA256 fingerprints with `-t` option
mk-ca-bundle.pl: use `open()` with argument list to replace backticks
mqtt: reject overly big messages
mqtt: return error when a too large packet is decoded
multi: make max_total_* members size_t
multi: remove MSTATE_TUNNELING
multi: simplify admin handle processing
multibyte: limit `curlx_convert_*wchar*()` functions to Unicode builds
ngtcp2+openssl: fix leak of session
ngtcp2: remove the unused Curl_conn_is_ngtcp2 function
ngtcp2: retune window sizes
noproxy: fix build on systems without IPv6
noproxy: fix ipv6 handling
noproxy: replace atoi with curlx_str_number
openssl: exit properly on OOM when getting certchain
openssl: fix a potential memory leak of bio_out
openssl: fix a potential memory leak of params.cert
openssl: fix building against no-dsa openssl
openssl: fix building against no-ocsp openssl with Apple SecTrust
openssl: no verify failf message unless strict
openssl: release ssl_session if sess_reuse_cb fails
openssl: remove code handling default version
openssl: simplify `HAVE_KEYLOG_CALLBACK` guard
openssl: stop checking for `OPENSSL_NO_SHA*` macros
openssl: stop checking for `OPENSSL_NO_TLSEXT` macro
openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache
OS400/ccsidcurl: fix curl_easy_setopt_ccsid for non-converted blobs
OS400/makefile.sh: fix shellcheck warning SC2038
os400sys: replace `strcpy()` with `memcpy()`
osslq: code readability
progress: make it one column narrower
progress: narrower time display, multiple fixes
progress: show fewer digits
projects/README.md: Markdown fixes
pytest fixes and improvements
pytest: add tests using sshd
pytest: disable two H3 earlydata tests for all platforms (was: macOS)
pytest: do not ignore server issues
pytest: enable OCSP test 17_08 for LibreSSL
pytest: fix and improve reliability
pytest: improve stragglers
pytest: quiche flakiness
pytest: skip H2 tests if feature missing from curl
quiche: use client writer
ratelimit blocking: fix busy loop
ratelimit: redesign
rtmp: fix double-free on URL parse errors
rtmp: precaution for a potential integer truncation
rtmp: stop redefining `setsockopt` system symbol on Windows
runner.pm: run memanalyzer as a Perl module
runtests: add options to set minimum number of tests, use them
runtests: detect bad libssh differently for test 1459
runtests: drop Python 2 support remains
runtests: enable torture testing with threaded resolver
runtests: improve XML prolog check, enable `-w` permanently, fix two tests
runtests: make memanalyzer a Perl module (for 1.1-2x speed-up per test run)
rustls: fix a potential memory issue
rustls: minor adjustment of sizeof()
rustls: simplify init err path
rustls: verify that verifier_builder is not NULL
schannel: cap the maximum allowed size for loading cert
schannel: fix memory leak of cert_store_path on four error paths
schannel: replace atoi() with curlx_str_number()
schannel: use Win8 `CERT_NAME_SEARCH_ALL_NAMES_FLAG` with old SDKs
schannel_verify: fix a memory leak of cert_context
scripts: fix shellcheck SC2046 warnings
scripts: use end-of-options marker in `find -exec` commands
setopt: disable CURLOPT_HAPROXY_CLIENT_IP on NULL
setopt: when setting bad protocols, don't store them
sftp: fix range downloads in both SSH backends
slist: constify Curl_slist_append_nodup() string argument
smb: fix a size check to be overflow safe
socketpair: drop redundant `_WIN32` branch and include
socks_sspi: use free() not FreeContextBuffer()
source: misc typos
speedcheck: do not trigger low speed cancel on transfers with
CURL_READFUNC_PAUSE
speedlimit: also reset on send unpausing
src: drop redundant definition of `BIT()`
src: fix formatting nits
ssh: tracing and better pollset handling
sspi: fix memory leaks on error paths in `Curl_create_sspi_identity()`
sws: fix binding to unix socket on Windows
synctime: tidy up, make it work on all platforms
telnet: abort on bad suboption sequence
telnet: replace atoi for BINARY handling with curlx_str_number
TEST-SUITE.md: correct the man page's path
test07_22: fix flakiness
test1475: consistently use %CR in headers
test1498: disable 'HTTP PUT from stdin' test on Windows
test2045: replace HTML multi-line comment markup with `#` comments
test318: tweak the name a little
test3207: enable memdebug for this test again
test363: delete stray character (typo) from a section tag
test568: fix codespell, catch it next time early in CI
test568: remove what looks like an email and a URL
test787: fix possible typo `&` -> `%` in curl option
test96: fix to accept non-unity memdump content with MSVC
tests/data: move `--libcurl` output to external data files
tests/data: replace hard-coded test numbers with `%TESTNUMBER`
tests/data: support using native newlines on disk, drop `.gitattributes`
tests/server: do not fall back to original data file in `test2fopen()`
tests/server: fix initialization on Windows Vista+
tests/server: replace `atoi()` and `atol()` with `curlx_str_number()`
tests: add `%AMP` macro, use it in two tests
tests: add a standard log line for alloc failures
tests: allow 2500-2503 to use ~2MB malloc
tests: drop redundant parenthesis from two macro expressions
tests: fix formatting nits
tests: rename CURLMcode variables to mresult
tftp: release filename if conn_get_remote_addr fails
tftpd: fix/tidy up `open()` mode flags
tidy-up: avoid `(())`, clang-format fixes and more
tidy-up: move `CURL_UNCONST()` out from macro `curl_unicodefree()`
tidy-up: URLs (cont.) and mdlinkcheck
tidy-up: URLs
TODO: remove a mandriva.com reference
tool: consider (some) curl_easy_setopt errors fatal
tool: log when loading .curlrc in verbose mode
tool_cfgable: free ssl-sessions at exit
tool_doswin: clear pointer when thread takes ownership
tool_doswin: increase allowable length of path sanitizer
tool_doswin: remove the max length check
tool_getparam: simplify the --rate parser
tool_getparam: use memdup0() instead of malloc + copy
tool_getparam: verify that a file exists for some options
tool_help: add checks to avoid unsigned wrap around
tool_ipfs: check return codes better
tool_msgs: make voutf() use stack instead of heap
tool_operate: exit on curl_share_setopt errors
tool_operate: fix a case of ignoring return code in operate()
tool_operate: fix case of ignoring return code in single_transfer
tool_operate: remove redundant condition
tool_operate: return error for OOM in append2query
tool_operate: use curlx_str_number instead of atoi
tool_paramhlp: refuse --proto remove all protocols
tool_paramhlp: remove a malloc+free from proto2num()
tool_paramhlp: simplify number parsing
tool_progress: fix large time outputs and decimal size display
tool_urlglob: acknowledge OOM in peek_ipv6
tool_urlglob: clean up used memory on errors better
tool_urlglob: constify an argument
tool_urlglob: fix propagating OOM error from `sanitize_file_name()`
tool_urlglob: support globs as long as config line lengths
tool_writeout: bail out proper on OOM
url: fix return code for OOM in parse_proxy()
url: if curl_url_get() fails due to OOM, error out properly
url: if OOM in parse_proxy() return error
url: return error at once when OOM in netrc handling
urlapi: fix mem-leaks in curl_url_get error paths
urlapi: handle OOM properly when setting URL
urlapi: return OOM correctly from parse_hostname_login()
verify-release: update to avoid shellcheck warning SC2034
vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally
vquic: do not pass invalid mode flags to `open()` (Windows)
vquic: do_sendmsg full init
vquic: ignore 0-length UDP packets
vquic: initialize new callback in nghttp3 1.14.0+
vtls: drop unused `use_alpn` from `ssl_connect_data` struct
vtls: fix CURLOPT_CAPATH use
vtls: handle possible malicious certs_num from peer
vtls: pinned key check
VULN-DISCLOSURE-POLICY.md: CRLF in data
wcurl: import v2025.11.09
wcurl: import v2026.01.05
windows: assume `USE_WIN32_LARGE_FILES`
windows: fix `CreateFile()` calls to support long filenames
windows: use `_strdup()` instead of `strdup()` where missing
wolfSSL: able to differentiate between IP and DNS in alt names
wolfssl: avoid NULL dereference in OOM situation
wolfssl: fix a potential memory leak of session
wolfssl: fix cipher list, skip 5.8.4 regression
wolfssl: fix possible assert with `!HAVE_NO_EX` wolfSSL builds
wolfssl: proof use of wolfSSL_i2d_SSL_SESSION
wolfssl: simplify wssl_send_earlydata
ws: replace a cast by matching the format string
x509asn1: drop unused `hostcheck.h`, `vtls_int.h` includes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 20 Jan 2026 16:33:03 +0000 (17:33 +0100)]
alsa: Update to version 1.2.15.3
- Update from version 1.2.15.1 to 1.2.15.3
- Update of rootfile
- Changelog
1.2.15.3
alsa-lib
Sequencer API
seq: return back old snd_seq_drain_output behaviour for -EAGAIN
alsa-ucm-conf
Configuration
HDA-analog: Fix the phantom jack detection if block
HDA-analog: Use phantom jacks to determine the device for single
output
HDA-analog: Add output when only 'Master Playback' control exists
sof-hda-dsp: remove some debug lines
sof-hda-dsp: Headphone output is optional
ucm2: HDA: Fix headphone detection
USB-Audio: Add volume controls to Behringer UMCx0xHD direct profiles
USB-Audio: Fix UR22C firmware version condition
USB-Audio: Add support for UR24C firmware version channel differences
1.2.15.2
alsa-lib
Use Case Manager API
ucm: add some traces for the config filenames
Makefile.am
Makefile: remove dist-hook and remove tar option 'follow symlinks'
Error handler
error: fix the "return old snd_lib_error_set_handler() behaviour"
error: fix indentation in snd_lib_log_filter()
error: return old snd_lib_error_set_handler() behaviour
alsa-utils
ALSA Control (alsactl)
alsactl: fix sequence to clean card specific config files for UCM
alsactl: add missing call to clean card specific config files
alsaloop
alsaloop: only log xrun debug messages when verbose
aplay/arecord
aplay: add support for G.711 A_LAW encoding in AU file format
alsa-ucm-conf
Configuration
common: remove direct.conf and direct-verb.conf files
USB-Audio: update to use new DirectUseCase macro
common: introduce DirectUseCase macro
USB-Audio: Scarlett 18i20 gen4 - improve channel detection
USB-Audio: Add conditional channel count on Scarlett 18i20 version
USB-Audio: Steinberg UR22C - fix regex
ucm2: HDA: Create microphone devices optionally
ucm2: HDA: Headphone output may be optional
ucm2: sof-soundwire: cs42l45: Remove outdated DisableSequence
elements
ucm2: sof-soundwire: cs42l43: Remove outdated DisableSequence
elements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 21 Jan 2026 12:55:09 +0000 (12:55 +0000)]
cdrom+flash-images: Check if we would remove any libraries
The filesystem-cleanup script has recently shown that it can create some
false-positives. By running it on top of the generated images we should
be able to catch these problems during the build stage.
I have unfortunately no way to run this for any add-on packages.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 20 Jan 2026 16:13:52 +0000 (16:13 +0000)]
glibc: Import fix for CVE-2025-15281
GLIBC-SA-2026-0003:
===================
wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory
Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the
GNU C Library version 2.0 to version 2.42 may cause the interface to
return uninitialized memory in the we_wordv member, which on subsequent
calls to wordfree may abort the process.
The implementation of WRDE_REUSE in conjunction with WRDE_APPEND fails
to clear the we_wordc member of the structure, and as such, when new
words are added internally, a leading we_wordc count number of entries
are skipped since they are assumed initialized. These skipped entries
are not initialized, but are the contents of a realloc-expanded array of
pointers. If the caller inspects the we_wordv array, it will
dereference invalid pointers and crash. If the caller calls wordfree,
the malloc implementation may detect the invalid pointers and abort the
process. Calls to wordexp using WRDE_REUSE and WRDE_APPEND have never
worked correctly and thus the existence of applications that make use of
this feature is unlikely.
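A caller-side pattern that never combines WRDE_REUSE with WRDE_APPEND, as discussed in the advisory above. This is an added example, not code from glibc or IPFire; the function names `expand_patterns` and `restart_patterns` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/*
 * Expand n patterns into a single word list.
 * The first call starts from a zeroed wordexp_t; later calls only add
 * WRDE_APPEND. WRDE_REUSE is never used. WRDE_NOCMD refuses command
 * substitution in the input. Returns 0 or the wordexp() error code;
 * on error the structure is freed and left zeroed.
 */
int expand_patterns(const char *const *patterns, size_t n, wordexp_t *we)
{
    memset(we, 0, sizeof(*we));
    for (size_t i = 0; i < n; i++) {
        int flags = WRDE_NOCMD | (i ? WRDE_APPEND : 0);
        int rc = wordexp(patterns[i], we, flags);
        if (rc != 0) {
            wordfree(we);               /* release any partial result */
            memset(we, 0, sizeof(*we));
            return rc;
        }
    }
    return 0;
}

/*
 * Replace the contents of an already-used wordexp_t with a fresh
 * expansion: explicit wordfree() followed by a clean start, instead of
 * passing WRDE_REUSE together with WRDE_APPEND.
 */
int restart_patterns(const char *const *patterns, size_t n, wordexp_t *we)
{
    wordfree(we);
    return expand_patterns(patterns, n, we);
}

int main(void)
{
    /* Constructed sample input. */
    const char *first[] = { "alpha beta", "gamma" };
    const char *second[] = { "delta" };
    wordexp_t we;

    if (expand_patterns(first, 2, &we) == 0)
        printf("first batch: %zu words\n", we.we_wordc);
    if (restart_patterns(second, 1, &we) == 0)
        printf("second batch: %zu words\n", we.we_wordc);
    wordfree(&we);
    return 0;
}
```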
Michael Tremer [Mon, 19 Jan 2026 11:05:15 +0000 (11:05 +0000)]
glibc: Add fixes for CVE-2026-0861 and CVE-2026-0915
GLIBC-SA-2026-0001:
===================
Integer overflow in memalign leads to heap corruption
Passing too large an alignment to the memalign suite of functions
(memalign, posix_memalign, aligned_alloc) in the GNU C Library version
2.30 to 2.42 may result in an integer overflow, which could consequently
result in a heap corruption.
Note that the attacker must have control over both, the size as well as
the alignment arguments of the memalign function to be able to exploit
this. The size parameter must be close enough to PTRDIFF_MAX so as to
overflow size_t along with the large alignment argument. This limits
the malicious inputs for the alignment for memalign to the range [1<<62
+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.
Typically the alignment argument passed to such functions is a known
constrained quantity (e.g. page size, block size, struct sizes) and is
not attacker controlled, because of which this may not be easily
exploitable in practice. An application bug could potentially result in
the input alignment being too large, e.g. due to a different buffer
overflow or integer overflow in the application or its dependent
libraries, but that is again an uncommon usage pattern given typical
sources of alignments.
Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf
that specifies the library's DNS backend for networks and queries for a
zero-valued network in the GNU C Library version 2.0 to version 2.42
can leak stack contents to the configured DNS resolver.
A defect in the _nss_dns_getnetbyaddr_r function which implements
getnetbyaddr and getnetbyaddr_r in the dns-based network database can
pass stack contents unmodified to the configured DNS resolver as part of
the network DNS query when the network queried is the default network
i.e. net == 0x0. This stack contents leaking in the query is considered
a loss of confidentiality for the host making the query. Typically it
is rare to call these APIs with a net value of zero, and if an attacker
can control the net value it can only leak adjacent stack, and so loss
of confidentiality is spatially limited. The leak might be used to
accelerate an ASLR bypass by knowing pointer values, but also requires
network adjacent access to snoop between the application and the
DNS server; making the attack complexity higher.
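For the memalign advisory above, an application-side guard that validates the alignment and size before they reach `posix_memalign`. This is an added example, not the glibc fix or IPFire code; the names `check_aligned_request` and `checked_posix_memalign` and the `MAX_ALIGNMENT` policy cap are assumptions chosen for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap: no caller in this program needs more than 1 GiB
 * alignment. Any cap far below 1<<62 excludes the range the advisory
 * names as problematic. */
#define MAX_ALIGNMENT ((size_t)1 << 30)

static int is_power_of_two(size_t x)
{
    return x != 0 && (x & (x - 1)) == 0;
}

/* Returns 0 when (alignment, size) is acceptable, otherwise an errno
 * value describing why the request was refused. */
int check_aligned_request(size_t alignment, size_t size)
{
    if (!is_power_of_two(alignment))
        return EINVAL;
    if (alignment > MAX_ALIGNMENT)
        return EINVAL;
    /* Refuse requests where size + alignment would exceed PTRDIFF_MAX,
     * written so the check itself cannot wrap. */
    if (size > (size_t)PTRDIFF_MAX - alignment)
        return ENOMEM;
    return 0;
}

/* Validating wrapper: *out is NULL unless the allocation succeeded. */
int checked_posix_memalign(void **out, size_t alignment, size_t size)
{
    int rc;

    *out = NULL;
    rc = check_aligned_request(alignment, size);
    if (rc != 0)
        return rc;
    /* posix_memalign requires a multiple of sizeof(void *). */
    if (alignment < sizeof(void *))
        alignment = sizeof(void *);
    return posix_memalign(out, alignment, size);
}

int main(void)
{
    void *p;
    size_t top_bit = (SIZE_MAX >> 1) + 1;   /* 1<<63 on 64-bit targets */

    printf("page-aligned request: %d\n",
           checked_posix_memalign(&p, 4096, 8192));
    free(p);
    printf("top-bit alignment:    %d\n",
           checked_posix_memalign(&p, top_bit, 64));
    return 0;
}
```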
Adolf Belka [Fri, 16 Jan 2026 20:56:22 +0000 (21:56 +0100)]
tshark: Update to version 4.6.3
- Update from version 4.6.2 to 4.6.3
- Update of rootfile
- Changelog
4.6.3
The following vulnerabilities have been fixed:
wnpa-sec-2026-01 BLF file parser crash. Issue 20880.
wnpa-sec-2026-02 IEEE 802.11 dissector crash. Issue 20939.
wnpa-sec-2026-03 SOME/IP-SD dissector crash. Issue 20945.
wnpa-sec-2026-04 HTTP3 dissector infinite loop. Issue 20944.
The following bugs have been fixed:
Wireshark 4.6.0 build fails on Solaris: pcapio.c:441:21: error: request for
member '_flag' in something not a structure or union. Issue 20773.
RTP Player streams cannot be stopped. Issue 20879.
Additional ABI/API compatibility fixes. Issue 20881.
Missing data in pinfo→cinfo in HomePlug message CM_ATTEN_CHAR.IND.
Issue 20893.
maxmind_db: crash when switching from a profile where it’s disabled to one
where it’s enabled. Issue 20903.
Compilation warning or error if CFLAGS defines _FORTIFY_SOURCE to other
than 3 without first undefining it. Issue 20904.
IEEE 802.11: Incorrect parsing of QoS and Mesh Control Field when the frame
body contains an A-MSDU. Issue 20905.
OSS-Fuzz 473164101: Heap-buffer-overflow in dissect_idn_laser_data.
Issue 20936.
Bug in decoding 5G NAS message - Extended CAG information list IE.
Issue 20946.
Updated Protocol Support
DCT2000, DHCP, H.248, H.265, HomePlug AV, HTTP3, IDN, IEEE 802.11,
LTE RRC, NAS-5GS, PKCS12, QUIC, RTPS, SOME/IP-SD, SSH, and Thrift
New and Updated Capture File Support
3GPP TS 32.423 Trace, BLF, NetScreen, and Viavi Observer
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 16 Jan 2026 10:05:35 +0000 (10:05 +0000)]
gnupg: Ship all binaries
On new installations, GnuPG complained that it could not start gpg-agent
when it was importing the Pakfire keys for the first time. Although the
keys were imported successfully and fully functional, there was an error
message being shown at first boot which we don't want to see.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 15 Jan 2026 17:33:05 +0000 (18:33 +0100)]
ovpnmain.cgi: No longer include the CA in the client configuration
NetworkManager complains that it cannot use <ca>...</ca> when
<pkcs12>...</pkcs12> is being used as well. This makes somewhat sense as
the PKCS12 container also contains the CA certificate.
Therefore we are removing the <ca>...</ca> block for all clients as they
must all be able to read the PKCS12 container.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 14 Jan 2026 11:17:23 +0000 (12:17 +0100)]
tshark: Add libxxhash to dependency list
- From version 2.6.0 tshark added libxxhash as an option which is defined as ON by
default. As libxxhash is built as a dependency for rsync and borgbackup the tshark
build worked without problems but then the libxxhash library was not present and so
tshark failed to run.
- This patch adds libxxhash to the dependency list for tshark
- No change to rootfile
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 13 Jan 2026 12:12:15 +0000 (13:12 +0100)]
mdadm: Update to version 4.5
- Update from version 4.4 to 4.5
- No change to rootfile
- From kernel 6.17.x onwards it produces an error message with version 4.4 and suggests
updating to version 4.5 as async del_gendisk mode will be removed in future. This
update also ensures we will not see that message in any released IPFire CU. I found it
in my testing of Arne's 6.18 kernel
- Changelog
4.5
Features:
Supports --logical-block-size in --create from Wu Guanghao
Create array with sync del gendisk mode from Xiao Ni
Update raid6check man page from Mingye Wang
Re-enable mdadm --monitor ... for /dev/mdX from Dr. Joachim Schneider
Use MAILFROM to set sendmail envelope sender address in mdmon from Martin
Wilck
Don't stop array after creating it during assemble from Xiao Ni
Use kernel raid headers from Mariusz Tkaczyk
Allow RAID0 to be created with v0.90 metadata from NeilBrown
Optimize DDF header search for widely used RAID controllers from lilinzhe
Persist properties of MD devices after switch_root from Antonio Alvarez Feijoo
Refactor continue_via_systemd() to make it more readable from Mateusz Kusiak
Remove --freeze-reshape logic in reshape from Mateusz Kusiak
Simplify remove logic in Incremental from Mariusz Tkaczyk
Fixes:
Fix crash with homehost=none in super1 from Martin Wilck
Moves memory management into Assemble to avoid null pointer dereference
from Xiao Ni
Wait a while before removing a member in Incremental from Xiao Ni
Some memleak issues from Wu Guanghao
Fix memleak in udev from Mariusz Tkaczyk
Support non-absolute name during monitor scan from QRPp
Mdcheck fix and improvement from Martin Wilck
Remove POSIX check for name from Mariusz Tkaczyk
Enable udev block for Incremental/Assemble to avoid race condition from
Nigel Croxon
Fix building errors from Xiao Ni
Use standard libc nftw from Xiao Ni
Allow any valid minor number in md device name from Martin Wilck
Fix RAID0 to RAID10 migration for imsm array from Blazej Kucman
Don't set badblock flag when adding a new disk from Wu Guanghao
Regression tests fix from Xiao Ni
Fix metadata corruption when managing new imsm array from Junxiao Bi
Add update_super in ddf to prevent crash when assembling ddf array from
lilinzhe
Disable legacy option ROM scan on UEFI machines for imsm array from Ross
Lagerwall
Add sbin path to env PATH to avoid command modprobe can't be found from
Coly Li
Add xmalloc.h to raid6check.c to fix building error from Xiao Ni
Do not start reshape before switchroot from Mateusz Kusiak
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 7 Jan 2026 11:43:12 +0000 (11:43 +0000)]
suricata: Add IPFire DNSBL to the rule sources
Although this is not the primary use-case, there is a lot of value by
adding the DNSBL to Suricata for secondary filtering. Anything that is
trying to circumvent any local policy will be caught at the edge of the
network and therefore we will even be able to block access to any listed
domains when people are using a private resolver.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 7 Jan 2026 11:37:18 +0000 (11:37 +0000)]
ids-functions.pl: Implement extracting any data from tarballs
Suricata rulesets are distributed as tarballs. Besides the rules, those
tarballs may contain additional data like datasets and so on. This data
was not extracted before.
For the IPFire DNSBL we are shipping any domains as a separate file
which is being parsed by Suricata as a dataset. Obviously these files
need to be extracted to be read by Suricata.
This patch extracts any data files in the first place and later copies
them into the rules directory.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:36 +0000 (18:50 +0100)]
xz: Update to version 5.8.2
- Update from version 5.8.1 to 5.8.2
- Update of rootfile
- Changelog
5.8.2
* liblzma:
- Fix the build on ARM64 on glibc versions older than
2.24 (2016). They don't have HWCAP_CRC32 in <sys/auxv.h>.
- Disable CLMUL CRC code when building for 32-bit x86 with
old MSVC versions. This avoids a compiler bug. The exact
compiler version in which the issue was fixed is unknown,
but VS 2022 17.13 (MSVC 19.43.34808) is known to work, so
CLMUL CRC on 32-bit x86 is disabled with MSVC versions
older than that.
* xz:
- Add a workaround for Red Hat Enterprise Linux 9 kernel bug
which made xz fail with "xz: Failed to enable the sandbox".
It only occurs with xz 5.8.0 and 5.8.1 binaries built for
other distros. For example, running Debian 13 in a container
on RHEL/CentOS 9 would trigger the issue.
The bug was introduced in RHEL 9 kernel 5.14.0-603.el9
(2025-07-30) and fixed in 5.14.0-648.el9 (2025-12-05).
However, as of writing, the fixed kernel isn't available
to RHEL 9 users yet, so including the workaround in this
xz release seems reasonable. The workaround will be removed
when it's no longer needed.
xzdec was also affected by this issue.
- On AIX, don't use fsync() on directories because it fails.
- Fix the build on Emscripten.
- Fix the build on clang-cl on Windows.
- Take resource limits (RLIMIT_DATA, RLIMIT_AS, and RLIMIT_VMEM)
into account when determining the default memory usage limit
for multithreaded mode. This should prevent xz from failing
when a resource limit has been set to a value that is less
than 1/4 of total RAM. Other memory limits can still trigger
the same issue, for example, Linux cgroup v2 memory.max.
* Build systems:
- When symbol versioning is enabled, pass --undefined-version
to the linker if the option is supported. This fixes the
build when using LLVM's lld and some liblzma features have
been disabled at build time.
- ARM64: Fix autodetection of fast unaligned memory access when
using GCC and -mstrict-align is in effect. Previously the
build systems would incorrectly guess that unaligned access
is fast, which would result in much slower binaries than
needed. The fix is a workaround for GCC bug 111555;
autodetection already worked with Clang.
- LoongArch: Autodetect if fast unaligned memory access is
supported. This can improve compression speed by 15 % (but
not decompression speed).
* Translations:
- Update the Spanish translation.
- Add Swedish man page translations.
- Update Italian, Korean, Romanian, Serbian, and Ukrainian
man page translations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:35 +0000 (18:50 +0100)]
update.sh: Remove the gpl_affected file
- This file was no longer created for new installs several CUs ago and the file is no
longer needed so if it exists on the user's system this will do the removal
housekeeping.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:34 +0000 (18:50 +0100)]
lvm2: Update to version 2.03.38
- Update from version 2.03.37 to 2.03.38
- No change to rootfile
- Changelog
2.03.38
Synchronize with udev after creating pool metadata spare volume.
Conversion to thin-pool removes activation skipping from converted LVs.
Configure now checks for xfs/xfs.h.
Workaround for libblkid returning old FSLASTBLOCK immediately after resize.
Enhance pvmove activation and deactivation.
LV locks whole device tree using such locked LV.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:32 +0000 (18:50 +0100)]
harfbuzz: Update to version 12.3.0
- Update from version 12.2.0 to 12.3.0
- Update of rootfile
- Changelog
12.3.0
- Invalid font tables (eg. GSUB/GPOS) are outright rejected, instead of
partially validated and used. This behavior is different from DirectWrite
and HarfRust, and is in line with CoreText. For context and reasoning see:
https://github.com/harfbuzz/harfbuzz/issues/5535#issuecomment-3573738217
- Various speed optimizations:
* AAT shaping: speed up state machine on Apple silicon using a fast-path.
12% faster in LucidaGrande benchmark.
* OpenType shaping: speed up (Chain)Context lookup shaping using a fast-path
and Coverage caching. 20% speedup in NotoNastaliqUrdu benchmark.
* Drawing mega variable-fonts: 30% speedup on GoogleSansFlex benchmark.
* Drawing `VARC` fonts: 5% speedup on varc-hanzi benchmark.
- Always apply synthetic slant around horizontal glyph origin in hb-draw API.
- Fix undefined C++ behavior in some uses of union.
- Remove the disabled by default uniscribe-bug-compatible mode from Indic and
Khmer shapers, that used to be used when testing against Uniscribe shaping
behaviour.
- Support full instancing fonts with v2 `avar` table.
- Various subsetting, build, fuzzing, and documentation fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:31 +0000 (18:50 +0100)]
gnupg: Update to version 2.4.9
- Update from version 2.4.8 to 2.4.9
- No change to rootfile
- The stable version is now 2.5.16 with originally 2.5 being the development branch that
would become 2.6 but 2.5 has now been made the stable branch. The 2.4 branch will
become EOL in 6 months. As gnupg was just recently changed from the 1.4 branch to the
2.4 branch and hasn't been tested out in a Testing/Release version I have just
updated to the latest 2.4 version.
- Once version 2.4.9 has been proven and is in a released CVU then I will do the update
to the latest version in the 2.5 branch.
- Changelog
2.4.9
* gpg: Fix possible memory corruption in the armor parser. [T7906]
* gpg: Avoid potential downgrade to SHA1 in 3rd party key
signatures. [rGddb012be7f]
* gpg: Error out on unverified output for non-detached signatures.
[rG9d302f978b]
* gpg: Do not allow compressed key packets on import. [T7014]
* scd: Fix a harmless read buffer over-read in a function used by
PKCS#15 cards. [T7662]
* dirmngr: Do not require a keyserver for "gpg --fetch-key".
[T7693]
* agent: Fix ssh-agent's request_identities for skipped Brainpool
keys. [rG6bf5696c85]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:30 +0000 (18:50 +0100)]
gdb: Update to version 17.1
- Update from version 16.1 to 17.1
- Update of rootfile
- Changelog
17.1
* Debugging Linux programs that use x86-64 or x86-64 with 32-bit pointer
size (X32) Shadow Stacks are now supported.
* Support for the shadow stack pointer register on x86-64 or x86-64 with
32-bit pointer size (X32) GNU/Linux.
* Debugger Adapter Protocol changes
** GDB now supports the "completions" request.
* "set style" commands now support numeric format for basic colors
from 0 to 255 and #RRGGBB format for TrueColor.
* New built-in convenience variable $_colorsupport provides comma-separated
list of color space names supported by terminal. Each color space name is one
of monochrome, ansi_8color, aixterm_16color, xterm_256color or rgb_24bit.
It is handy for conditionally using styling colors based on terminal features.
For example:
(gdb) if $_regex ($_colorsupport, ".*(^|,)rgb_24bit($|,).*")
>set style filename background #FACADE
>else
>if $_regex ($_colorsupport, ".*(^|,)xterm_256color($|,).*")
>set style filename background 224
>else
>set style filename background red
>end
>end
* UST (static tracepoint) support from gdbserver has been removed.
* Linux checkpoint code has been updated to work with multiple inferiors.
* The gcore and gdb-add-index scripts now have a -v or --version
option, which prints the version number, and then exits. As well as
a -h or --help option, which prints each option and a brief
description.
* On systems that support linker namespaces, the output of the command
"info sharedlibraries" may add one more column, NS, which identifies the
namespace into which the library was loaded, if more than one namespace
is active.
* New built-in convenience variables $linker_namespace_count and
$_linker_namespace. These show the number of active linker
namespaces, and the namespace to which the current location belongs to.
In systems that don't support linker namespaces, or if the inferior hasn't
started yet, these always return the integer 0.
* Add record full support for rv64gc architectures
* Debugging Linux programs that use AArch64 Guarded Control Stacks is now
supported.
* New "--binary-output" command line option instructs GDB to set the
translation mode of its stdout/stderr to binary mode. This disables
Line Feed translation. MS-Windows only.
* New commands
maintenance check psymtabs
Renamed from maintenance check-psymtabs
maintenance check symtabs
Renamed from maintenance check-symtabs
maintenance canonicalize
Show the canonical form of a C++ name.
set riscv numeric-register-names on|off
show riscv numeric-register-names
Controls whether GDB refers to risc-v registers by their numeric names
(e.g 'x1') or their abi names (e.g. 'ra').
Defaults to 'off', matching the old behaviour (abi names).
set style emoji on|off|auto
show style emoji
Controls whether GDB can display emoji. The default is "auto",
which means emoji will be displayed in some situations when
the host charset is UTF-8.
set style warning-prefix STRING
set style error-prefix STRING
These commands control the prefix that is printed before warnings
and errors, respectively. This functionality is intended for use
with emoji display, and so the prefixes are only displayed if emoji
styling is enabled.
info linker-namespaces
info linker-namespaces [[N]]
Print information about the given linker namespace (identified as N),
or about all the namespaces if no argument is given.
* Changed commands
info sharedlibrary
On Linux and FreeBSD, the addresses shown in the output of this
command are now for the full memory range allocated to the shared
library.
info threads [-gid] [-stopped] [-running] [ID]...
If no threads match the given ID(s) or filter options, GDB now prints
No threads matched.
without printing the provided arguments. The newly added '-stopped'
option makes GDB list the stopped threads only. Similarly,
'-running' makes GDB list the running threads only. If both options
are given together, both stopped and running threads are listed.
These new flags can be useful to get a reduced list when there is a
large number of threads.
* GDB-internal Thread Local Storage (TLS) support
** Linux targets for the x86_64, aarch64, ppc64, s390x, and riscv
architectures now have GDB-internal support for TLS address
lookup in addition to that traditionally provided by the
libthread_db library. This internal support works for programs
linked against either the GLIBC or MUSL C libraries. For
programs linked against MUSL, this new internal support provides
new debug functionality, allowing access to TLS variables, due to
the fact that MUSL does not implement the libthread_db library.
Internal TLS support is also useful in cross-debugging
situations, debugging statically linked binaries, and debugging
programs linked against GLIBC 2.33 and earlier, but which are not
linked against libpthread.
** The command 'maint set force-internal-tls-address-lookup on' may
be used to force the internal TLS lookup mechanisms to be used.
Otherwise, TLS lookup via libthread_db will still be preferred,
when available.
* Python API
** GDB no longer supports Python versions less than 3.4.
** New class gdb.Color for dealing with colors.
** New constant gdb.PARAM_COLOR represents color type of a
gdb.Parameter.value. Parameter's value is gdb.Color instance.
** The memory_source argument (the second argument) has been removed
from gdb.disassembler.builtin_disassemble. This argument was
never used by GDB, and was added by mistake. The unused argument
was never documented in the GDB manual, so users should not have
been using it.
** gdb.execute has an additional 'styling' argument. When True, then
output will be styled. The default for this argument is True
when output is going to standard output, and False when output is
going to a string.
** Setting the documentation string (__doc__) of a gdb.Parameter
sub-class to the empty string, means GDB will only display the
set_doc or show_doc strings in the set/show help output.
** New gdb.ParameterPrefix class. This can be used to create 'set'
and 'show' gdb.Command prefixes, suitable for use with new
gdb.Parameters.
** Prefix commands (gdb.Command sub-classes) that don't have an
invoke method will now behave like builtin prefix commands when
invoked without a sub-command name. This means printing the help
text for all sub-commands, unless the prefix command is a 'show'
command, in which case the value of all sub-commands is printed.
** New gdb.warning() function that takes a string and prints it as a
warning, with GDB's standard 'warning' prefix.
** New attribute gdb.Value.is_unavailable, this checks for
unavailability like gdb.Value.is_optimized_out checks for
optimized out values.
* Guile API
** New type <gdb:color> for dealing with colors.
** New constant PARAM_COLOR represents color type of a value
of a <gdb:parameter> object. Parameter's value is <gdb::color> instance.
** Eliding the #:doc string from make-parameter now means that GDB
will use a default documentation string. Setting #:doc to the
empty string for make-parameter means GDB will only display the
#:set_doc or #:show_doc strings in the set/show help output.
** Prefix commands (using make-command) that don't have a #:invoke
property will now behave like builtin prefix commands when
invoked without a sub-command name. This means printing the help
text for all sub-commands, unless the prefix command is a 'show'
command, in which case the value of all sub-commands is printed.
* New remote packets
binary-upload in qSupported reply
If the stub sends back 'binary-upload+' in its qSupported reply,
then GDB will, where possible, make use of the 'x' packet. If the
stub doesn't report this feature supported, then GDB will not use
the 'x' packet.
vFile:lstat
Return information about files on the remote system. Like
vFile:stat but if the filename is a symbolic link, return
information about the link itself, the file the link refers to.
* Changed remote packets
qXfer:threads:read
The XML that is sent as a response can now include an "id_str"
attribute for a thread element. The attribute indicates what GDB
should print as the target ID of the thread, for example in the
"info threads" command or when switching to the thread.
vFile:stat
Previously, gdbserver incorrectly implemented this packet using
lstat rather than stat. This has now been corrected. The
documentation has also been clarified.
* MI changes
** The =library-unloaded event now includes the 'ranges' field, which
has the same meaning as for the =library-loaded event.
** The =library-unloaded event now includes the 'still-in-use' field.
This field is 'true' when a library is unloaded (removed from the
inferior's list of loaded libraries), but the mapping within the
inferior's address space is retained, as the library was mapped
multiple times, and the same mapping was being reused. In all
other cases, this field will have the value 'false'.
* Support for stabs debugging format and the a.out/dbx object format is
deprecated, and will be removed in GDB 18.
* Configure changes
--enable-binary-file-formats=[FORMAT,...]
--enable-binary-file-formats=all
A user can now decide to only compile support for certain file formats.
The available formats at this point are: dbx, coff, xcoff, elf, mach-o
and mips. Some targets require specific file formats to be available,
and in such cases, the configure script will warn the user and add
support anyway. By default, all formats will be compiled in, to
continue the behavior from before adding the switch.
* A new configure option was added, allowing support for the compile
subsystem to be disabled at configure time, in the form of
--disable-gdb-compile.
* A new configure option was added, allowing support for DWARF debug
information to be disabled at configure time. The flag is
--disable-gdb-dwarf-support.
* A new configure option was added, allowing support for mdebug/ecoff
debug information to be disabled at configure time. The flag to do
that is --disable-gdb-mdebug-support.
* The Alpha target now supports target descriptions.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jan 2026 17:50:27 +0000 (18:50 +0100)]
alsa: Update to version 1.2.15.1
- Update from version 1.2.14 to 1.2.15.1
- Update of rootfile
- Changelog
1.2.15.1
alsa-lib
Core
ucm: use closefrom instead of close_range
Use Case Manager API
ucm: exec - fix maxfd used warning
ucm: use closefrom instead of close_range
Configuration
conf: cards: unify whitespace - use tabs and remove trailing spaces
conf: pistachio-card: define pcm configuration block only one time
conf: YMF744: define pcm configuration block only one time
conf: VX222,VXPocket: define pcm configuration block only one time
conf: VIA686A,VIA82xx: define pcm configuration block only one time
conf: TRID4DWAVENX: define pcm configuration block only one time
conf: SI7018: define pcm configuration block only one time
conf: SB-XFi: define pcm configuration block only one time
conf: RME96[35][26]: define pcm configuration block only one time
conf: PS3: define pcm configuration block only one time
conf: PMac,PMacToonie: define pcm configuration block only one time
conf: PC-Speaker: define pcm configuration block only one time
conf: NFORCE: define pcm configuration block only one time
conf: Maestro3: define pcm configuration block only one time
conf: Loopback: define pcm configuration block only one time
conf: ICH,ICH4,ICH-MODEM: define pcm configuration block only one time
conf: ICE17[12][24]: define pcm configuration block only one time
conf: HdmiLpeAudio: define pcm configuration block only one time
conf: GUS: define pcm configuration block only one time
conf: FWSpeakers: define pcm configuration block only one time
conf: FM801: define pcm configuration block only one time
conf: FireWave: define pcm configuration block only one time
conf: ES1968: define pcm configuration block only one time
conf: ENS137[01]: define pcm configuration block only one time
conf: EMU10K1X: define pcm configuration block only one time
conf: EMU10K1: define pcm configuration block only one time
conf: Aureon51: define pcm configuration block only one time
conf: Echo3G: define pcm configuration block only one time
conf: CS46xx: define pcm configuration block only one time
conf: CMI8xxx: define pcm configuration block only one time
conf: CA0106: define pcm configuration block only one time
conf: AU88[123]0: define pcm configuration block only one time
conf: Aureon: define pcm configuration block only one time
conf: Audigy: define pcm configuration block only one time
conf: AACI,ATIIXP: define pcm configuration block only one time
conf: vc4-hdmi: define pcm configuration block only one time
conf: HDA-Intel: define pcm configuration block only one time
conf: USB-Audio: define pcm configuration block only one time
Revert "conf: fix load_for_all_cards() - do not merge the card specific
contents"
conf: fix possible memory leak in config_file_open() - error path
conf: merge card specific contents per file (whole) after parsing
alsa-utils
ALSA Control (alsactl)
alsactl: fix build when in subdirectory
aplay/arecord
aplay: add missing break before the default case
alsa-ucm-conf
Configuration
ucm2: codecs: rt722: add condition to SetLED for mic
ucm2: sof-soundwire: Simplify cs42l45 configs
sof-soundwire: third fix for multi-codec
1.2.15
alsa-lib
Core
include: fix typo in error.h to avoid compile error when gcc <= 2.95
include: list.h - add list_splice() and list_splice_init() functions
github: add coverity.yml
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
error: add missing log_priority/interface functions to header file
configure: bump version to 1.2.13pre1 (for alsa-utils)
include: remove local SNDMSG/SYSMSG defines (no longer used)
huge correction of tabulators and whitespaces
log: implement filter based on string configuration (env LIBASOUND_DEBUG).
error: add priority and interface strings to the log messages
redesign the message log functions
error: do not export internal snd_err_msg variable
github: fix Fedora workflow (awk package dependency)
Config API
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
huge correction of tabulators and whitespaces
Control API
coverity.com fixes - initial round
snd_tlv_convert_to_dB: Fix mute handling for MINMAX_MUTE type
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
huge correction of tabulators and whitespaces
redesign the message log functions
HWDEP API
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
Mixer API
mixer: abst - reshuffle snd_mixer_simple_basic_register code to be more
logical
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
huge correction of tabulators and whitespaces
mixer: bag - fix bag_del_all implementation (missing free)
Mixer Abstraction API
huge correction of tabulators and whitespaces
PCM API
pcm: plugin - avoid 32-bit to 64-bit return value conversions
add missing return value changes for snd_config_get_string() calls
add missing return value changes for snd_config_get_id() calls
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
pcm route: suppress false positive warning for gcc 8+
pcm: add a loop to snd_pcm_avail_delay() to avoid bogus delay values
Rawmidi API
rawmidi: Fix SNDRV_RAWMIDI_INFO_STREAM_INACTIVE duplicate definition
rawmidi: Fix the prefix of the inactive stream flag
Sequencer API
seq: fix snd_seq_drain_output return value for partial drain
seq: hw - notify if running mode / pversion ioctl fails
Topology API
add missing return value changes for snd_config_get_id() calls
topology: fix nibble warning in tplg_save_quoted()
Use Case Manager API
ucm: add ValueGlobals section to the top configuration file
ucm: fix the DefineRegex issue where multiple variables were set to empty
string
ucm: Include directive - add optional behaviour
ucm: complete dependency graphs for conflicting/supported device lists
ucm: implement DeviceVariant configuration extension
ucm: implement ValueDefaults.BootCardGroup and define use
ucm: keep original device name for logs
ucm: sort devices by priority
ucm: doc - add examples for device name with descriptors (colon)
ucm: be more restrictive for device name with descriptor
ucm: strip device index when the device type is present only one time
ucm: add support for device names with colon (':')
ucm: normalize device names
ucm: add possibility to inline Verb configurations to the main
configuration file
ucm: add Prepend and Append block handling for If conditions (syntax 8+)
add missing return value changes for snd_config_get_string() calls
ucm: add missing stdbool.h include to ucm_local.h
ucm: fix variant issue where variables or macros are overwritten
ucm: remove 'error: ' prefix from error messages (duplication)
ucm: remove uc_dbg macro and callers
ucm: replace uc_error with snd_error calls
ucm: add a basic set of trace/debug log calls
ucm: use close_range on _GNU_SOURCE
Force to use alphasort64() sorting function for Harmony OS
ucm: regex: fix the error message (missing argument)
Revert "ucm: do not bump syntax version to 8"
ALSA Server
coverity.com fixes - initial round
huge correction of tabulators and whitespaces
replace SNDMSG,SYSMSG,SNDERR,SYSERR with new log macros
Async helpers
coverity.com fixes - initial round
replace SNDMSG,SYSMSG,SNDERR,SYSERR with new log macros
Configuration
coverity.com fixes - initial round
add missing return value changes for snd_config_get_string() calls
add missing return value changes for snd_config_get_id() calls
conf/pistachio: fix syntax
config: do not print errno in snd_config_check_hop()
redesign the message log functions
conf: fix load_for_all_cards() - do not merge the card specific contents
conf: fix parse_array_def - merge arrays
conf: Revert "conf: fix load_for_all_cards()"
conf: fix parse_array_def override code path
Force to use alphasort64() sorting function for Harmony OS
conf: aliases: add hda-acpi -> HDA-Intel alias
Documentation
doc: add missing include pcm_plugin.h to source files
doxygen: fix warnings and add missing ALSA_LIBRARY_BUILD define
Error handler
coverity.com fixes - initial round
error: make prio/interface output a bit shorter in default log handler
log: implement filter based on string configuration (env LIBASOUND_DEBUG).
error: add priority and interface strings to the log messages
redesign the message log functions
error: do not export internal snd_err_msg variable
Simple Abstraction Mixer Modules
replace SNDMSG,SYSMSG,SNDERR,SYSERR with new log macros
Test/Example code
test: ucm - remove old syntax configuration files (incomplete anyway)
test: update midifile library to ANSI C
alsa-utils
Core
configure: Allow systemd service installation without systemd.pc
github: coverity.yml - run at 4am on Sunday
github: add coverity.yml (coverity.com) workflow
github: CI: add awk package for Fedora to build.yml
ALSA Control (alsactl)
alsactl: fix error message arguments (remove card)
alsactl: fix error handling in check_control_cdev()
alsactl: ucm: restore controls for other cards in group
alsactl: move udev/systemd files to conf subdirectory
alsactl: update state file correctly when initialization failed
alsactl: fix state restore to handle dynamic user control elements
alsactl: add systemd service to handle deferred card initialization
alsactl: ucm: add wrestore command and wait_for_card() for boot
synchronization
alsactl: add -Y option to export card states as key=value pairs
alsactl: ucm: implement boot parameters and card group sync infrastructure
alsactl: free scandir list in snd_card_clean_cfgdir
alsactl: add support for new log handler (alsa-lib 1.2.15)
alsactl: restore udev rules - fix HDA analog device check
ALSA RawMidi Utility (amidi)
amidi: Ignore inactive MIDI ports as default at listing
aconnect
aconnect: add support for new log handler (alsa-lib 1.2.15)
alsamixer
alsamixer: add support for new log handler (alsa-lib 1.2.15)
aplay/arecord
aplay: reorganize format handling in begin_wave()
Revert "aplay: fix S24_LE wav header"
alsactl: add support for new log handler (alsa-lib 1.2.15)
bat (basic audio tester)
bat: Fix buffer time configuration
alsa-ucm-conf
Configuration
USB-Audio: add support for conf.d configurations
USB-Audio: Steinberg UR22C - fix capture channels for older firmware
USB-Audio: GoXLR: enable detection of beta firmware (25 channels)
USB-Audio: Add jack controls for HP Thunderbolt Dock G2
ucm2: sof-soundwire: Update cs42l45 JackControls
ucm2: IO-Boards: Toradex: aquila: add support
ucm2: Qualcomm: fix indentation for TUXEDO Elite 14
ucm2: Qualcomm: fix HDMI0 name for TUXEDO Elite 14
ucm2: Qualcomm: add TUXEDO Elite 14 support
rt713: add mic led support
USB-Audio: Add Audient iD14 MK2 support
sof-soundwire: second fix for -sdca variants for multi-codec
common: led.conf - don't use If.0 blocks
common: split.conf - don't use If.0 blocks
USB-Audio: Add support for DualSense PS5 controller
ucm2: Add setting LED Mode in SetLED macro
sof-soundwire: fix for -sdca variants for multi-codec
ucm2: rt712: simplify the init settings
ucm2: sof-soundwire: support rt713vb codec
ucm2: soundwire: cs42l45: Add support for CS42L45 codec
ucm2: Add support for MT8196 Rauru Rev0 Chromebook with SOF
USB-Audio: fix Steinberg UR22mkII device names
ucm2: codecs: rx-macro: add Headset Left enable/disable
ucm2: codecs: pm4125: add ucm for codec
ucm2: Qualcomm: x1e80100: T14s: add USB DisplayPort playback
Qualcomm: qcs615: Add TALOS EVK HiFi config
ucm2: Add support for Steinberg UR22mkII
ucm2: Qualcomm: Radxa: fix Displayport SectionDevice
ucm2: Qualcomm: Add MONACO-EVK HiFi config
ucm2: Qualcomm: sa8775p: Move lemans-evk hifi to sa8775p subdir
Qualcomm: Kaanapali: Add Kaanapali MTP HiFi config
The X1E80100-EVK needs basically the same configuration as
ucm2: MediaTek: mt8391-evk: Add alsa-ucm support
Add support for RME Fireface UCX (heavily based on RME Fireface UCX II
config)
ucm2: Qualcomm: Add Microsoft Surface Pro 12in config
ucm2: Qualcomm: x1e80100: Add X1E001DE-DEVKIT configuration
ucm2: Qualcomm: add Radxa Dragon Q6A
ucm2: sof-soundwire: add rt721 ucm support
ucm2: Qualcomm: add Lenovo Ideapad 5 (Slim 5x / 2in1) support
ucm2: Qualcomm: Rename qcs6490-rb3gen2 and qcs9075-iq-evk ucm2 conf
ucm2: Qualcomm: Add Dell Latitude 7455 / Inspiron 14 Plus
ucm2: codecs: lpass-rx-macro: move mixers that do not belong
UR44: Add stereo inputs to the HiFi profile, relabel the inputs and outputs
Recognize one more Steinberg UR44 variant
ucm2: sof-soundwire: add rt712+rt1320 amplifier
ucm2: MediaTek: mt8395-evk: Add support for SOF
Behringer UCM204HD/404HD: Fix the macro evaluation for Syntax 7+
UCM2: Intel: sof-hda-dsp: HiFi: IPC3 mono DMIC is exposed as stereo PCM
codecs/hda/hdmi.conf - add support for zero device
ucm2: MediaTek: mt8365-evk: Add SOF support
ucm2: USB-Audio: Add Teufel CAGE PRO
add MSI MAG B850M Mortar Wifi to USB-Audio.conf
ucm2: sof-soundwire: add rt712-vb device
UCM2: Intel: sof-hda-dsp: HiFi: Fix handling of mono DMICs
ucm2: Qualcomm: Update the HIFI enable mixer commands for qcm6490-idp and
qcs6490-rb3gen2
ucm2: Qualcomm: Update the QCM6490 and QCS6490 hifi conf files
Qualcomm: Add QCS9075-IQ-EVK HiFi config
Changed 'Stream Mix' channel names to match the latest Window
ucm2: Qualcomm: add ASUS Vivobook S 15 support
USB-Audio: Added Beacn Mic and Studio Support
USB-Audio: Solid State Labs SSL 2 - fix capture channels
ucm2: IO-Boards: Toradex: smarc: add support
ucm2: USB-Audio: Behringer: Flow8: fix conflicting
ucm2: tegra: max98090: fix headphones conflicting device
ucm2: Qualcomm: sm8650: QRD: fix headset jack hw mute
ucm2: Qualcomm: sc8280xp: fix internal microphones device
Fix Presonus Revelator IO44 HWChannels count
tegra: max98089: fix cset names
ucm2: Qualcomm: Add Surface Laptop 7
ucm2: Qualcomm: x1e80100: Also match DMI board name
USB-Audio: Solid State Labs SSL 2+ - fix capture channels
USB-Audio: Remove useless sections for Solid State Labs SSL 2+
acp3x-alc5682-max98357: Fix path of HiFi.conf
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reduce the number of outgoing queries when resolving the nameservers
for delegation points. This helps a DNS resolver with a cold cache
resolve client queries with complex delegation chains and redirections.
[GL !11148]
Provide more information when memory allocation fails.
BIND now provides more information about the failure when memory
allocation fails. [GL !11272]
Bug Fixes
Adding NSEC3 opt-out records could leave invalid records in chain.
When creating an NSEC3 opt-out chain, a node in the chain could be
removed too soon. The previous NSEC3 would therefore not be found,
resulting in invalid NSEC3 records being left in the zone. This has
been fixed. [GL #5671]
Fix spurious timeouts while resolving names.
Sometimes, loops in the resolving process (e.g., to resolve or validate
ns1.example.com, we need to resolve ns1.example.com) were not properly
detected, leading to a spurious 10-second delay. This has been fixed,
and such loops are properly detected. [GL #3033] [GL #5578]
Fix bug where zone switches from NSEC3 to NSEC after retransfer.
When a zone was re-transferred but the zone journal on an
inline-signing secondary was out of sync, the zone could fall back to
using NSEC records instead of NSEC3. This has been fixed. [GL #5527]
AMTRELAY type 0 presentation format handling was wrong.
RFC 8777 specifies a placeholder value of . for the gateway field when
the gateway type is 0 (no gateway). This was not being checked for, nor
was it emitted when displaying the record. This has been corrected.
Instances of this record will need the placeholder period added to them
when upgrading. [GL #5639]
Fix parsing bug in remote-servers with key or TLS.
The remote-servers clause enables the following pattern using a named
server-list:
remote-servers a { 1.2.3.4; ... };
remote-servers b { a key foo; };
However, such a configuration was wrongly rejected, with an unexpected
token 'foo' error. This configuration is now accepted. [GL #5646]
Fix DoT reconfigure/reload bug in the resolver.
If client-side TLS transport was in use (for example, when forwarding
queries to a DoT server), named could terminate unexpectedly when
reconfiguring or reloading. This has been fixed. [GL #5653]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 5 Jan 2026 15:56:00 +0000 (15:56 +0000)]
Tor: Update to 0.4.8.21
Changes in version 0.4.8.21 - 2025-11-17
This release is a continuation of the previous one and addresses additional
Conflux-related issues identified through further testing and feedback from
relay operators. We strongly recommend upgrading as soon as possible.
o Major bugfixes (conflux, exit):
- When dequeuing out-of-order conflux cells, the circuit could be
closed in between two dequeues which could lead to a mishandling of
a NULL pointer. Fixes bug 41162; bugfix on 0.4.8.4.
o Minor feature (compiler flag):
- Add -mbranch-protection=standard for arm64.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 17, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/11/17.
o Minor bugfixes (bridges, pluggable transport):
- Fix a bug causing the initial tor process to hang instead of
exiting with RunAsDaemon, when pluggable transports are used.
Fixes bug 41088; bugfix on 0.4.8.1-alpha.
Changes in version 0.4.8.20 - 2025-11-10
This release fixes several bugfixes related to Conflux edge cases as well as
adding a new hardening compiler flag if supported. We strongly recommend to
upgrade as soon as possible.
o Minor feature (compiler flag):
- Add -fcf-protection=full if supported by the compiler.
Fixes 41139.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on October 06, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/11/10.
o Minor bugfixes (conflux fragile asserts):
- Fix the root cause of some conflux fragile asserts when a control
port listener is attached. Fixes bug 41037; bugfix on 0.4.8.16.
o Minor bugfixes (conflux, relay):
- Fix a series of conflux edge cases about sequence number
arithmetic and OOM handler kicking in under heavy memory pressure.
Fixes bug 41155; bugfix on 0.4.8.4.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 12:55:47 +0000 (13:55 +0100)]
wireless-regdb: Update to version 2025.10.07
- Update from version 2023.05.03 to 2025.10.07
- Update of rootfile
- Changelog
2025.10.07
Permit lower 6 GHz band for Kazakhstan (KZ)
Update regulatory info including bandwidth for Costa Rica (CR) for 2023
update regulatory rules for Sint Maarten (SX) for 2018
update regulatory rules for Botswana (BW) for 2022
2025.07.10
update regulatory rules for Bosnia and Herzegovina (BA) for 6 GHz
Update regulatory info for CEPT countries for 6GHz listed by WiFi Alliance
update regulatory rules for Paraguay (PY) on 6 GHz for 2025
Update regulatory info for Estonia (EE) for 2024
Update regulatory info for Vietnam (VN) for 2025
Update regulatory rules for Brazil (BR) on 6GHz
Update regulatory info for Egypt (EG) for 2024
Permit 320 MHz bandwidth in 6 GHz band for GB
Update regulatory info for Indonesia (ID) for 2025
2025.02.20
Update frequency range with NO-INDOOR for Oman (OM)
Update regulatory rules for Iran (IR) on both 2.4 and 5Ghz for 2021
allow NO-INDOOR flag in db.txt
Update regulatory info for Cayman Islands (KY) for 2024
Update regulatory rules for Austria (AT)
Permit 320 MHz bandwidth in 6 GHz band in ETSI/CEPT
Update regulatory rules for Armenia (AM) on 2.4 and 5 GHz
Update regulatory info for Oman (OM)
Update regulatory info for Azerbaijan (AZ) on 6GHz for 2024
Update regulatory info for Moldova (MD) on 6GHz for 2022
Update regulatory info for Syria (SY) for 2020
assert and correct maximum bandwidth within frequency difference
2024.10.07
Update regulatory info for Tanzania (TZ) for 2024
Update regulatory info for Pakistan (PK) for 2024
Update regulatory info for Serbia (RS) for 2024
Revert Update regulatory info for Serbia (SR) for 2024
Correct regulatory rules of 6GHz frequency for Türkiye (TR)
Update regulatory info for Honduras (HN) for 2023
Update regulatory info for Israel (IL) for 2021
Update regulatory info for Kuwait (KW) for 2022
Update regulatory info for Serbia (SR) for 2024
Add .b4-config
Update .gitignore
Correct regulatory rules for China (CN)
Update regulatory info for Philippines (PH) on 6GHz
Update regulatory info for Guatemala (GT) for 2020
Update regulatory info for Bahrain (BH) for 2024
Add regulatory info for Namibia (NA) for 2023
Update regulatory info for Togo (TG) for 2022
Update regulatory info for El Salvador (SV) on 6GHz
Update regulatory info for Peru (PE) on 6GHz
Update regulatory info for New Zealand (NZ) for 2022
Update regulatory info for Qatar (QA) on 6GHz
2024.07.04
Update regulatory info for Macao (MO) for 2024
Update regulatory info for Kenya (KE) for 2022
Update regulatory info for Jordan (JO) for 2022
Update regulatory info for Liechtenstein (LI) on 6GHz
Update regulatory info for Dominican Republic (DO) on 6GHz
Update regulatory info for Costa Rica (CR) for 2021
Update regulatory info for Colombia (CO) on 6GHz
Update regulatory info for United Arab Emirates (AE) on 6GHz
Update regulatory info for Argentina (AR) on 6GHz
Update regulatory info for Mauritius(MU) on 6GHz
Update regulatory info for Iceland (IS) on 6GHz
Update regulatory info for Mexico (MX) on 6GHz
Update regulatory info for Chile (CL) on 6GHz
Update regulatory info for Morocco (MA) on 6GHz
Update regulatory info for Malaysia (MY) for 2022
Update regulatory info for Thailand (TH) on 6GHz
Update regulatory rules for South Africa (ZA) on 6GHz
Update regulatory rules for Saudi Arabia (SA) on 6GHz
Update regulatory rules for Mongolia (MN) on 6GHz
2024.05.08
Update regulatory rules for Taiwan (TW) on 6GHz
Revert Update and disable 5470-5730MHz band according to TPC requirement for
Singapore (SG)
2024.01.23
Update and disable 5470-5730MHz band according to TPC requirement for
Singapore (SG)
Update regulatory rules for Singapore (SG) for September 2023
Update regulatory rules for Japan (JP) for December 2023
Update regulatory rules for China (CN)
Makefile Reproducible signatures
Update keys and maintainer information
2023.09.01
Update regulatory rules for Australia (AU) for June 2023
Update regulatory info for Türkiye (TR)
Update regulatory rules for Egypt (EG) from March 2022 guidelines
Update regulatory rules for Philippines (PH)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:28:05 +0000 (11:28 +0100)]
readline: Update to version 8.3 patch 3
- Update from version 8.3 patch 1 to 8.3 patch 3
- No change to rootfile
- Changelog
8.3-003
A SIGINT during a reverse i-search can cause a segmentation fault due to
accessing data freed by a signal handler.
8.3-002
If an application calls rl_save_prompt, which sets rl_prompt to NULL,
without calling rl_set_prompt to set it to a new value, readline redisplay
can dereference a NULL pointer.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:28:04 +0000 (11:28 +0100)]
oath-toolkit: Update to version 2.6.13
- Update from version 2.6.12 to 2.6.13
- No change to rootfile
- Changelog
2.6.13
liboath/libpskc: Fix _FORTIFY_SOURCE build problem and allow configuration.
Some platforms (e.g., Ubuntu 24.10) set _FORTIFY_SOURCE in the default
compiler settings, and this caused build failures since our code
unconditionally #define'd _FORTIFY_SOURCE to 2. We now allow you to
override the desired level by running, for example ./configure
CPPFLAGS=-D_FORTIFY_SOURCE=3 or CPPFLAGS=-D_FORTIFY_SOURCE=0.
liboath: Fix --with-openssl builds, and test for it in pipeline.
Reported by Tomasz Kłoczko in
<https://codeberg.org/oath-toolkit/oath-toolkit/issues/36>.
Git hosting moved from gitlab.com to codeberg.org.
The new URL is https://codeberg.org/oath-toolkit/oath-toolkit although
the old GitLab project will continue to be used for pipelines:
https://gitlab.com/oath-toolkit/oath-toolkit/-/pipelines
Various build fixes including updated gnulib files.
Gnulib files are no longer stored in git version control. As a
consequence, gnulib is a required build dependency when building from
git, see CONTRIBUTING.md.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:28:03 +0000 (11:28 +0100)]
libpng: Update to version 1.6.53
- Update from version 1.6.51 to 1.6.53
- Update of rootfile
- CVE fix from version 1.6.52
- Changelog
1.6.53
Fixed a build failure on RISC-V RVV caused by a misspelled intrinsic.
(Contributed by Alexander Smorkalov.)
Fixed a build failure with CMake 4.1 or newer, on Windows, when using
Visual C++ without MASM installed.
1.6.52
Fixed CVE-2025-66293 (high severity):
Out-of-bounds read in `png_image_read_composite`.
(Reported by flyfish101 <flyfish101@users.noreply.github.com>.)
Fixed the Paeth filter handling in the RISC-V RVV implementation.
(Reported by Filip Wasil; fixed by Liang Junzhao.)
Improved the performance of the RISC-V RVV implementation.
(Contributed by Liang Junzhao.)
Added allocation failure fuzzing to oss-fuzz.
(Contributed by Philippe Antoine.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:28:02 +0000 (11:28 +0100)]
libidn2: Update to version 2.3.8
- Update from version 2.3.7 to 2.3.8
- No change to rootfile
- Changelog
2.3.8
Unicode 15.1.0 table updates. Now U+19DA is DISALLOWED again
(see version 2.3.4 release notes).
The release tarball is now reproducible.
We publish a minimal source-only tarball generated by 'git archive'.
The release tarball uses tar --format=ustar.
The idn2 tool now binds the "gnulib" domain for translations.
Update gnulib files and various build/maintenance fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:28:01 +0000 (11:28 +0100)]
libgpg-error: Update to version 1.58
- Update from version 1.56 to 1.58
- Update of rootfile
- Changelog
1.58
Fix building of static libraries on Windows. [rE421e101cf9]
1.57
The sysconfdir as provided by the configure run is now used for the
default global config files of the argparser. [T7894]
New function gpgrt_fconcat and improved the existing
gpgrt_fnameconcat and gpgrt_absfnameconcat. [T7894,rE34dba88757]
On Windows use the UI language instead of the locale for
translations. [T7874]
Some minor build improvements for zOS.
Updated the Swedish and Portuguese translations.
Interface changes relative to the 1.56 release:
gpgrt_fconcat NEW.
GPGRT_FCONCAT_ABS NEW.
GPGRT_FCONCAT_TILDE NEW.
GPGRT_FCONCAT_SYSCONF NEW.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 16 Dec 2025 10:27:55 +0000 (11:27 +0100)]
bash: Update to version 5.3 patch 9
- Update from version 5.3 patch 8 to 5.3 patch 9
- No change to rootfile
- Changelog
5.3-009
A SIGINT during a reverse i-search can cause a segmentation fault due to
accessing data freed by a signal handler.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 15 Dec 2025 21:46:50 +0000 (22:46 +0100)]
strongswan: Update to version 6.0.4
- Update from version 6.0.3 to 6.0.4
- No change to the rootfile
- Changelog
6.0.4
Vulnerabilities
Fixed a vulnerability in the NetworkManager plugin that potentially allows
using credentials of other local users. This vulnerability has been
registered as CVE-2025-9615. Please refer to our blog for details.
Enhancements and Optimizations
Concurrent requests to fetch the same CRL URI by multiple threads are now
combined by the revocation plugin (#2918). Only the first thread
actually fetches it, the others wait for that result. This is
particularly helpful if the CRL can currently not be fetched due to DNS
or HTTP/LDAP timeouts as it avoids that each thread has to wait
individually, reducing the number of SAs that can concurrently be
established as threads are blocked longer. A negative result is cached
for a while (currently 30 seconds) so requests can fail quickly and
threads can continue establishing SAs if they use a relaxed revocation
policy.
The maximum supported length for section names in swanctl.conf has been
increased to the upper limit of 256 characters that's enforced by VICI
(#2936).
Fixes
Prevent a crash if a confused peer rekeys a Child SA twice before sending a
delete (#2945).
Fixed a memory leak if a peer's self-signed certificate is untrusted (#2954).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 14 Dec 2025 14:02:17 +0000 (15:02 +0100)]
tzdata: Update to version 2025c
- Update from version 2025b to 2025c
- No change in rootfile
- Changelog
2025c
Changes to past timestamps
Baja California agreed with California’s DST rules in 1953 and in
1961 through 1975, instead of observing standard time all year.
(Thanks to Alois Treindl.)
Changes to build procedure
Files in distributed tarballs now have correct commit times.
Formerly, the committer’s time zone was incorrectly ignored.
Distribution products (*.asc, *.gz, and *.lz) now have
reproducible timestamps. Formerly, only the contents of the
compressed tarballs had reproducible timestamps.
By default, distributed formatted man pages (*.txt) now use UTF-8
and are left-adjusted more consistently. A new Makefile macro
MANFLAGS can override these defaults. (Thanks to G. Branden
Robinson for inspiring these changes.)
Changes to code
An unset TZ is no longer invalid when /etc/localtime is missing,
and is abbreviated "UTC" not "-00". This reverts to 2024b behavior.
(Problem and patch reported by Dag-Erling Smørgrav.)
New function offtime_r, short for fixed-offset localtime_rz.
It is defined if STD_INSPIRED is defined.
(Patch from Dag-Erling Smørgrav.)
tzset etc. are now more cautious about questionable TZ settings.
Privileged programs now reject TZ settings that start with '/',
unless they are TZDEFAULT (default "/etc/localtime") or
start with TZDIR then '/' (default "/usr/share/zoneinfo/").
Unprivileged programs now require files to be regular files
and reject relative names containing ".." directory components;
formerly, only privileged programs did those two things.
These changes were inspired by similar behavior in FreeBSD.
On NetBSD, unprivileged programs now use O_REGULAR to check
whether a TZ setting starting with '/' names a regular file,
avoiding a minor security race still present elsewhere.
TZ strings taken from tzalloc arguments are now treated with
no less caution than TZ strings taken from the environment, as
the old undocumented behavior would have been hard to explain.
tzset etc. no longer use the ‘access’ system call to check access;
instead they now use the system calls issetugid, getauxval,
getresuid/getresgid, and geteuid/getegid/getuid/getgid (whichever
first works) to test whether a program is privileged.
Compile with -DHAVE_SYS_AUXV_H=[01] to enable or disable
<sys/auxv.h> which (if it defines AT_SECURE) enables getauxval,
and compile with -DHAVE_ISSETUGID=[01], -DHAVE_GETRESUID=[01], and
-DHAVE_GETEUID=[01] to enable or disable the other calls’ use.
The new CFLAGS option -DTZ_CHANGE_INTERVAL=N makes tzset etc.
check for TZif file changes if the in-memory data are N seconds
old or more, and are derived from the TZ environment variable.
This is intended for platforms that want tzset etc. to reflect
changes to whatever file TZ selects (including changes to
/etc/localtime if TZ is unset). If N is negative (the default)
these checks are omitted; this is the traditional behavior.
The new CFLAGS options -DHAVE_STRUCT_STAT_ST_CTIM=0 and
-DHAVE_STRUCT_TIMESPEC=0 port to non-POSIX.1-2008 platforms
that lack st_ctim and struct timespec, respectively.
tzset etc. now treat ' ' like '_' in time zone abbreviations,
just as they treat other invalid bytes. This continues the
transition begun in release 96k, which removed spaces in tzdata
because the spaces break time string parsers.
The new CFLAGS option -DTHREAD_PREFER_SINGLE causes tzcode
in single-threaded processes to avoid locks, as FreeBSD does.
This can save time in single-threaded apps. The threadedness
testing costs CPU time and energy in multi-threaded apps.
New options -DHAVE___ISTHREADED and -DHAVE_SYS_SINGLE_THREADED_H
can help configure how to test for single-threadedness.
The new CFLAGS option -DTHREAD_RWLOCK uses read-write locks, as
macOS does, instead of mutexes. This saves real time when TZ is
rarely changing and many threads call tzcode simultaneously.
It costs more CPU time and energy.
The new CFLAGS option -DTHREAD_TM_MULTI causes localtime to return
a pointer to thread-specific memory, as FreeBSD does, instead of
to the same memory in all threads. This supports unportable
programs that incorrectly use localtime instead of localtime_r.
This option affects gmtime and offtime similarly to localtime.
Because the corresponding storage is freed on thread exit, this
option is incompatible with POSIX.1-2024 and earlier. It also
costs CPU time and memory.
tzfree now preserves errno, consistently with POSIX.1-2024 ‘free’.
tzcode now uses mempcpy if available, guessing its availability.
Compile with -DHAVE_MEMPCPY=1 or 0 to override the guess.
tzcode now uses strnlen to improve asymptotic performance a bit.
Compile with -DHAVE_STRNLEN=0 if your platform lacks it.
tzcode now hand-declares unistd.h-provided symbols like getopt
if HAVE_UNISTD_H=0, not if HAVE_POSIX_DECLS=0.
tzset etc. now have an experimental OPENAT_TZDIR option;
see Makefile and localtime.c for details.
On platforms like GNU/Hurd that do not define PATH_MAX,
exceedingly long TZ strings no longer fail merely because they
exceed an arbitrary file name length limit imposed by tzcode.
zic has new options inspired by FreeBSD. ‘-D’ skips creation of
output ancestor directories, ‘-m MODE’ sets output files’ mode,
and ‘-u OWNER[:GROUP]’ sets output files’ owner and group.
zic now uses the fdopen function, which was standardized by
POSIX.1-1988 and is now safe to use in portable code.
This replaces its use of the older umask function, which
complicated maintenance.
Changes to commentary
The leapseconds file contains commentary about the IERS and NIST
last-modified and expiration timestamps for leap second data.
(Thanks to Judah Levine.)
Commentary now also uses characters from the set –‘’“”•≤ as this
can be useful and should work with current applications. This
also affects data in iso3166.tab and zone1970.tab, which now
contain strings like “Côte d’Ivoire” instead of “Côte d'Ivoire”.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Dec 2025 16:38:11 +0000 (17:38 +0100)]
exclude: Add the suricata sgh cache directory to the list
- Depending on the number of suricata rulesets that users have got enabled the suricata
cache in /var/cache/suricata/sgh/ gets currently backed up in the ipfire .ipf file
and some users are ending up with backup files that used to be 190MB and are now
greater than 700MB, some even over 800MB.
- This change excludes the cache from the backup as it seems that a restore with a cache
from an earlier time does not make sense.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Dec 2025 14:07:07 +0000 (15:07 +0100)]
dracut-ng: Update the rootfile to include initqueue
- In dracut-180 initqueue was removed from the base system and made its own set. This
was missed when the original release was done and the initqueue entries were
commented out.
- Tested out with the new 6.18.0 kernel evaluation and initqueue was successfully
installed and therefore also subsequently btrfs, lvm & mdraid that depended on
initqueue
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>