Adolf Belka [Thu, 30 Oct 2025 16:23:55 +0000 (17:23 +0100)]
libvirt: Uncomment two lines in the rootfile
- These lines were new in with the previous update from 11.4.0 to 11.7.0 but I
incorrectly commented them out.
- This has been flagged up in the forum as it is stopping the user doing a virsh backup.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 30 Oct 2025 10:18:27 +0000 (11:18 +0100)]
expect: Allow build of expect for swtpm
- expect was previously only built in the toolchain. This allows expect to be built for
swtpm in the normal build.
- It is only used for the building of swtpm so the rootfile has all entries commented
out.
- LFS changed to allow build in the toolchain or in the normal build
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 Oct 2025 15:41:43 +0000 (15:41 +0000)]
make.sh: Disable the toolchain during normal builds
This is a precaution because I have seen some files from the toolchain
being baked into the initrd. That should not happen and by keeping PATH
clean, there is no chance for any confusion.
In order to have the tools available that we need to build the initial
system, we will now have to pass a flag.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 Oct 2025 17:13:44 +0000 (17:13 +0000)]
make.sh: Create a better PID 1 inside the environment
This is required so that we won't have any make processes locking up any
more. When the build process is getting aborted, this script will now
cleanly terminate anything inside the container and not block make as
PID 1.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 28 Oct 2025 09:41:56 +0000 (10:41 +0100)]
boost: Update to version 1.89.0
- Update from version 1.88.0 to 1.89.0
- Update of rootfiles for all three architectures.
- Changelog
1.89.0
New Libraries
Bloom:
filters, from Joaquín M López Muñoz.
Updated Libraries
Any:
Initial support for C++20 Modules. See the docs for more info.
Asio:
Added allocator constructors to execution_context, io_context and
thread_pool, with the supplied allocator being used for allocating
objects associated with the execution context.
Added a new configuration parameter "timer" / "heap_reserve" that may
be used to reserve space in the vector used for a timer queue's heap.
Added a new configuration parameter "resolver" / "threads" that
specifies the number of internal threads used by async_resolve to
emulate asynchronous address resolution.
Removed deadline_timer, basic_deadline_timer and time_traits from the
convenience header boost/asio.hpp.
Ensured that the Windows named pipes created by connect_pipe use
unique names that do not conflict if Asio is used in multiple,
independent plug-in DLLs.
Changed BOOST_ASIO_CONCURRENCY_HINT_SAFE to be consistent with the
io_context default constructor.
Fixed the documentation for BOOST_ASIO_CONCURRENCY_HINT_UNSAFE_IO to
reflect that registration locking is still enabled.
Added separate b2 and cmake build targets for optional dependencies.
Added the [[noreturn]] attribute to
boost::asio::detail::throw_exception.
Fixed co_spawn to adhere to the asynchronous operation requirement
for non-reentrant invocation of the completion handler.
Added a documentation note on basic_signal_set async signal safety.
Fixed various minor compilation errors on different platforms.
Consult the Revision History for further details.
Atomic:
Added TSAN instrumentation in asm-based x86, AArch32, AArch64 and PPC
backends. This silences TSAN false errors for code using Boost.Atomic
for thread synchronization.
Following the announcement in Boost 1.84, removed support for Windows
versions older than Windows 10.
A note to MinGW-w64 users. Since Windows SDK headers on MinGW-w64
define _WIN32_WINNT to an older Windows version by default,
you may need to define _WIN32_WINNT=0x0A00 or
BOOST_USE_WINAPI_VERSION=0x0A00 when compiling Boost.Atomic
and the code that uses Boost.Atomic.
Support for Windows CE is deprecated and will be removed in a future
release.
Added support for timed waiting operations.
Exposed thread_pause operation, which can be used as a backoff
measure in spin loops. Added support for PowerPC and improved support for AArch64 in thread_pause.
Removed BOOST_ATOMIC_NO_ATOMIC_FLAG_INIT macro definition. Since the
library now requires C++11, BOOST_ATOMIC_FLAG_INIT is always supported.
Enabled bitwise operations for atomic enumerations. This can be
useful when enumerations are used to implement bit masks.
Beast:
Fixes
Conditionally defined immediate_executor_type in async_base.
Added missing cstdint header to detail/cpu_info.hpp.
Fixed std::is_trivial deprecation warnings.
handshake_timeout now applies to closing handshakes during reads.
Improvements
Replaced detail/work_guard.hpp with net::executor_work_guard.
Fixed portability issues for building tests in MinGW.
Documentation
Removed moved sections from documentation.
Removed superfluous log messages from tests.
Acknowledgements
yliu1021
Charconv:
Fixed a performance degradation with from_chars for integer types
Fixed rounding and trailing decimal place bugs with to_chars for
specified precisions with floating point types
Cobalt:
Move assign fixed for generator & promise.
Fixed internal exceptions
Added IO library. Cobalt.io provides a large subset of asio as a
compiled library.
Compat:
Added move_only_function.hpp.
ContainerHash:
Added the hash_is_avalanching trait class.
Conversion:
Added an ability to use polymorphic_downcast and polymorphic_cast in
constexpr (requires C++20).
Core:
Fixed bit_ceil to return 1 for input 0 as per specification. (PR#199)
Added support for std::format to boost::core::string_view. (#190)
Detail:
Operators generated by BOOST_BITMASK now use underlying type of the
enum to implement bitwise operators. The operators are marked
noexcept and constexpr, when possible.
The function bitmask_set generated by BOOST_BITMASK is marked
deprecated. In a future release, BOOST_BITMASK will stop producing
this function. Users are recommended to use double negation (!!mask)
to test if the value is zero. This affects e.g. enums defined in
Boost.Filesystem.
DLL:
Fixed compiling and exporting on Cygwin. Many thanks to Luohao Wang
for the PR!
Fixed building on FreeBSD. Thanks to ash for the bug report!
Added BOOST_DLL_USE_STD_FS CMake option to match the preprocessor
option. Thanks to Yury Bura for the PR!
Filesystem:
Corrected ASAN warnings about comparing pointers to potentially
unrelated objects in path::append. (#335)
Geometry:
Major improvements
PR#1369 Rewrite of traversal
PR#1402 Add geometry polyhedral surface
Improvements
PR#1404 Performance improvements in buffer
PR#1405 Avoid static variables and functions in header files
Breaking changes
PR#1401 Remove deprecated headers
Solved issues
(#1221) Difference with rectilinear multipolygon with integer
coordinates produces invalid polygon with disconnected interior
(#1295) Wrong result in intersection (result polygon is equal to
the biggest of the input polygons)
(#1349) Difference of polygons giving wrong result
(#1382) Buffer operation creates self-intersection
Various fixes of errors and warnings
Hash2:
Added Blake2 algorithm (blake2s_256, blake2b_512).
Added XXH3 algorithm (xxh3_128).
Iterator:
Fixed filter_iterator copy/converting constructor, which could
previously produce an invalid iterator. (#92)
Removed usage of is_trivial in iterator_facade as it is deprecated in
C++26. (#93)
iterator_facade::operator[] now always returns a proxy rather than
conditionally returning a value or a proxy. This allows users to
bind a reference to the result of the operator, regardless of
whether the value type is trivially-copyable. (#61)
The proxy returned by iterator_facade::operator[] now supports
forwarding dereferencing operators to the referenced value. This
allows it[n]->foo() and (*it[n]).foo() expressions to compile.
The proxy returned by iterator_facade::operator[] now implementes
perfect forwarding in its assignment operator.
JSON:
Revamped documentation.
Optionals that are ranges are categorised as optionals.
Described class support is enabled for types with bases.
Log:
Added support for BOOST_LOG_WITHOUT_ASIO configuration macro, which
can be used to remove the dependency on Boost.Asio and disable the
related functionality.
Use locale-independent formatting of the file counter in
text_file_backend when composing log file names. This fixes failures
in the subsequent parsing of the file names in
file_collector::scan_for_files. (PR#246)
Added a new wrap_filter utility that simplifies injecting
user-defined function objects in filtering expressions. (#195)
Math:
Add explicit C++14 <type_traits> and constexpr requirement to builds
Collected fixes for GPU support on a variety of platforms
Fix lower incomplete gamma function with x = 0
Fix the external archive error in the jSO algorithm
Fix numeric underflow in ibeta
Fix inverse ibeta for large values of a and b
Fix variadic functions to make them safe with C++26
MQTT5:
Fixed incorrect parsing of URI paths in the list of brokers (#31).
Default Maximum Packet Size now explicitly set in the CONNECT packet.
(#33).
Fixed high CPU usage with large Maximum Packet Size values (#33).
Multiprecision:
Major update.
Adds a new backend type: cpp_double_fp_backend
Fixes a namespace collision with Boost.Serialization
MySQL:
The caching_sha2_password authentication plugin can now be used
without TLS. This is the default in MySQL 8 and above. Plaintext
connections that attempt to use this plugin no longer fail with
client_errc::auth_plugin_requires_ssl (#313).
Fixed a problem causing client_errc::incomplete_message to be
returned during connection establishment when the target database
does not exist and the caching_sha2_password is used. The
appropriate server-generated diagnostic is now returned. See
issues #468 and #488.
The handshake algorithm is now more resilient to protocol violations
(#469).
Fixed a build failure with gcc-15 due to a missing include (PR#475).
Thanks hhoffstaette for the PR.
Added benchmarks against the official drivers.
Optimized metadata representation to be faster to construct and take
less memory (#461).
PFR:
Rewrite C++20 module following the new recommended Boost practice.
See the docs for more info.
Fixed C++26 compilation on modern clang compilers. Thanks to Valery
Mironov for the report!
Support types that use 'Arrays of Length Zero' compiler extension.
Fixed typos. Thanks to Egor for highlighting the issues!
Return std::array<std::string_view, 0> type for
boost::pfr::names_as_array(empty_struct{}) to allow compilation of for
(std::string_view name : boost::pfr::names_as_array(empty_struct{})).
Many thanks to sabudilovskiy for the bug report!
process:
Added v1.hpp to emulate v1 process.hpp include.
Fix to windows path escaping
Fixed exit-code issue wehre terminate & async_wait lead to a loss of
the exit-code value.
Random:
Fix NAN being generated by beta_distribution
Improve the performance of beta_distribution::operator()
TypeIndex:
Initial support for C++20 Modules. See the docs for more info.
Unordered:
Deprecated boost::unordered::hash_is_avalanching is now a
using-declaration of boost::hash_is_avalanching in
<boost/container_hash/hash_is_avalanching.hpp>. Use that header
directly instead. <boost/unordered/hash_traits.hpp> will be removed
in the future.
Added pull(const_iterator) to open-addressing containers. This
operation allows for efficient removal and retrieval of an element
via move construction.
Histogram:
Update CMake minimum version and Python detection in CMake
Improve documentation
Add example on how to make an axis which accepts multiple value
types that are not implicitly convertible
Show how to use histogram::fill with a multidimensional histogram
efficiently when data per dimension is already available as
contiguous data
Don't use deprecated form of user-defined literal operator
Add support for modular build structure with b2
Fixed warnings in MSVC about narrowed types
Added collector accumulator, which stores all values in a bin
Internal changes to tests and classes in detail namespace
Updated Tools
Build:
Includes release of B2 version 5.3.2.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 Oct 2025 16:05:36 +0000 (17:05 +0100)]
ovpnmain.cgi: Add newline after comment
This caused that the first line of the client's custom DHCP/DNS
configuration was ignored.
Fixes: #13895 - OpenVPN GUI does not apply DNS resolver settings for individual roadwarrrior connections Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 Oct 2025 15:52:43 +0000 (16:52 +0100)]
ovpnmain.cgi: Fix pushing all routes
If there were multiple client routes configured, the OpenVPN server was
only told about the first one. This patch fixes this and also cleans up
the code for pushing the server routes, too.
Fixes: #13901 - iroute line is only written for the first of the OpenVPN client routes Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 11:11:11 +0000 (12:11 +0100)]
xfsprogs: Update to version 6.17.0
- Update from version 6.16.0 to 6.17.0
- No change in rootfile
- Changelog
6.17.0
xfs_scrub_fail: reduce security lockdowns to avoid postfix problems (Darrick J. Wong)
mkfs: fix copy-paste error in calculate_rtgroup_geometry (Darrick J. Wong)
xfs_scrub: fix strerror_r usage yet again (Darrick J. Wong)
mkfs: fix libxfs_iget return value sign inversion (Darrick J. Wong)
xfs_scrub: Use POSIX-conformant strerror_r (A. Wilcox)
xfs_db: use file_setattr to copy attributes on special files with rdump (Andrey Albershteyn)
xfs_io: make ls/chattr work with special files (Andrey Albershteyn)
xfs_quota: utilize file_setattr to set prjid on special files (Andrey Albershteyn)
configure: Base NEED_INTERNAL_STATX on libc headers first (Johannes Nixdorf)
xfs_io: add FALLOC_FL_WRITE_ZEROES support (Zhang Yi)
xfsprogs: fix utcnow deprecation warning in xfs_scrub_all.py (Christian Kujau)
Improve information about logbsize valid values (Carlos Maiolino)
proto: add ability to populate a filesystem from a directory (Luca Di Maio)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 11:05:14 +0000 (12:05 +0100)]
usbutils: Update to version 019
- Update from version 018 to 019
- No change to rootfile
- Changelog
019
usbreset.1: fix typo in the busnum/devicenum example
lsusb.py: add usb.ids path for Debian
usbreset: fix swapped vendor and product ID in help/manpage
usbreset.1: fix groff warnings and small fixes
ci: stop manually creating build/
ci/codeql: use filter-sarif to filter meson-private
Remove commented out code in usbreset.c and list.h and container_of.h
lsusb: turn a FIXME comment for dump_comm_descriptor() into something real
lsusb: remove FIXME about wireless usb device
lsusb: change FIXME for bmEthernetStatistics into a TODO
lsusb.c: change TODO into a fixme in do_dualspeed()
usbreset: move the serial number forward in the output
usb-devices: fix up bash warning for $altset
usb-devices: fix up some minor shellcheck warning messages
usb-spec: remove vendor specific entry
usbreset: apply clang-format
usbreset: support resetting device by serial number
ci: Fix debian/ubuntu installation
lsusb: Show wBytesPerInterval field of the SS EP companion descriptor
usb-devices: Make devcount 'local' to handle recursion
usb-devices: Make devnum 'local' to handle recursion
lsusb-t: add verblevel 3 to print_usbdevice()
lsusb: improve usb2 device capability descriptor
Fix display of HID descriptors
ci: bump the all-actions group with 4 updates
ci: bump github/codeql-action in the all-actions group
ci: bump github/codeql-action in the all-actions group
ci: bump the all-actions group with 2 updates
ci: bump github/codeql-action in the all-actions group
ci: bump the all-actions group with 2 updates
ci: bump the all-actions group with 2 updates
ci: bump github/codeql-action in the all-actions group
ci: bump the all-actions group across 1 directory with 3 updates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 11:01:15 +0000 (12:01 +0100)]
sysvinit: Update to version 3.14
- Update from version 3.11 to 3.14
- Update of rootfile
- Changelog
3.14
* Re-introduced DESTDIR flag in src/Makefile to assist building on Arch.
* Fixed typo in init.8 manual page.
* Expand process length in inittab to allow a command line 253 characters
(up from 127). Expand child process structure to accomidate 253
and some buffer room for newline/NULL.
* Clear buffer when reading long lines from inittab, avoids garbage left
over from old lines with long commands or comments.
* Drop lines which are too long from inttab conf and log warning rather
than truncate.
3.13
* Adjusted manual page install location. Patch provided
by Mark Hindley.
3.12
* There were instances of the ctime() function being called in multiple
files without checking the return value (can be NULL) and without
checking the length of the returned information. While there _should_
never be a case where ctime() fails assuming success and length of
returned string isn't ideal (or future-proof). We now check the return
value of ctime() in bootlogd, dowall, last, logsave, and shutdown.
Where no valid value is returned we supply a dummy value (usually a
space in place of the expected time stamp). We also no longer assume
returned string is at least 11-16 characters.
* Re-commit flexible Makefile for GoboLinux.
* Make sure pty.h and sys/sysmacros.h are included when building bootlogd on
systems with glibc.
* Fixed typos and syntax in manual page for init.8.
Edits provided by : Bjarni Ingi Gislason.
* Allow setting of location of the /usr directory in src/Makefile.
This is handled by the usrdir variable.
* Make sure src/Makefile uses sysconfdir (/etc by default) when installing
configuration files.
* Fix typos and syntax in pidof manual page.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 10:54:50 +0000 (11:54 +0100)]
ninja: Update to version 1.13.1
- Update from version 1.12.1 to 1.13.1
- No change in rootfile
- Changelog
1.13.1
Fix LINK : fatal error LNK1104: cannot open file on Windows in some cases #2616
Compatibility with older distros for Linux ARM version #2619
Restore "multiple rules generate" error with dyndep #2621
1.13.0
Ninja now automatically joins a GNU Make jobserver as a client (version 4.4 on
non-Windows systems required for "fifo" style) #1139
Print exit code of failed subcommands #1507
New tool ninja -t compdb-targets like compdb, but takes a list of targets
instead of rules #1544
Support for ANSI (color) escape codes in NINJA_STATUS #713
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 10:49:25 +0000 (11:49 +0100)]
fuse: Update to version 3.17.4
- Update from version 3.15.0 to 3.17.4
- Update of rootfile
- Changelog
3.17.4
- Try to detect mount-utils by checking for /run/mount/utab
and don't try to update mtab if it does not exist
- Fix a build warning when HAVE_BACKTRACE is undefined
- fuse_loop_mt.c: fix close-on-exec flag on clone fd
- Remove struct size assertions from fuse_common.h
3.17.3
* more conn->want / conn->want_ext conversion fixes
* Fix feature detection for close_range
* Avoid double unmount on FUSE_DESTROY
3.17.2
* Fixed uninitized bufsize value (compilation warning and real
issue when HAVE_SPLICE was not defined)
* Fixed initialization races related to buffer realocation when
large buf sizes are used (/proc/sys/fs/fuse/max_pages_limit)
* Fix build with kernel < 5.9
* Fix static_assert build failure with C++ version < 11
* Compilation fix (remove second fuse_main_real_versioned declaration)
* Another conn.want flag conversion fix for high-level applications
* Check if pthread_setname_np() exists before use it
* fix example/memfs_ll rename deadlock error
* signal handlers: Store fuse_session unconditionally and restore
previous behavior that with multiple sessions the last session
was used for the signal exist handler
3.17.1
* fuse: Fix want conn.want flag conversion
* Prevent re-usage of stdio FDs for fusermount
* PanFS added to fusermount whitelist
3.17.1-rc1
* several BSD fixes
* x86 (32bit) build fixes
* nested declarations moved out of the inlined functions to avoid
build warnings
* signify public key added for future 3.18
3.17.1-rc0
* Fix libfuse build with FUSE_USE_VERSION 30
* Fix build of memfs_ll without manual meson reconfigure
* Fix junk readdirplus results when filesystem not filling stat info
* Fix conn.want_ext truncation to 32bit
* Fix some build warnings with -Og
* Fix fuse_main_real symbols
* Several changes related to functions/symbols that added in
the libfuse version in 3.17
* Add thread names to libfuse threads
* With auto-umounts the FUSE_COMMFD2 (parent process fd is
exported to be able to silence leak checkers
3.17
* 3.11 and 3.14.2 introduced ABI incompatibilities, the ABI is restored
to 3.10, .so version was increased since there were releases with
the incompatible ABI
* The libfuse version a program was compiled against is now encoded into
that program, using inlined functions in fuse_lowlevel.h and fuse.h
* Allows to handle fatal signals and to print a backtrace.
New API function: fuse_set_fail_signal_handlers()
* Allows fuse_log() messages to be send to syslog instead of stderr
New API functions: fuse_log_enable_syslog() and fuse_log_close_syslog()
* Handle buffer misalignment for FUSE_WRITE
* Added support for filesystem passthrough read/write of files when
FUSE_PASSTHROUGH capability is enabled
New API functions: fuse_passthrough_open() and fuse_passthrough_close(),
also see example/passthrough_hp.cc
* Added fmask and dmask options to high-level API
- dmask: umask applied to directories
- fmask: umask applied to non-directories
* Added FUSE_FILL_DIR_DEFAULTS enum to support C++ programs using
fuse_fill_dir_t function
* Added support for FUSE_CAP_HANDLE_KILLPRIV_V2
Fixes:
* Fixed compilation failure on FreeBSD (mount_bsd.c now points to correct
header)
3.16.2
* Various small fixes and improvements.
3.16.1
* Readdir kernel cache can be enabled from high-level API.
3.15.1
Future libfuse releases will be signed with `signify`_ rather than PGP
This release is the last to be signed with PGP and contains the signify public
key for current (3.15.X) and upcoming (3.16.X) minor release cycle.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 10:35:41 +0000 (11:35 +0100)]
samba: Update to version 4.23.2
- Update from version 4.23.1 to 4.23.2
- No change to any of the rootfiles
- Changelog
4.23.2
This is a security release in order to address the following defects:
o CVE-2025-9640: Uninitialized memory disclosure via vfs_streams_xattr.
https://www.samba.org/samba/security/CVE-2025-9640.html
o CVE-2025-10230: Command injection via WINS server hook script.
https://www.samba.org/samba/security/CVE-2025-10230.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 15:37:54 +0000 (17:37 +0200)]
fetchmail: Update to version 6.5.7
- Update from version 6.5.6 to 6.5.7
- No change to rootfile
- Changelog
6.5.7
BUGFIXES:
* When authenticating to an SMTP server, the AUTH LOGIN method (which didn't
become a proposed standard, and is only the third method fetchmail would try,
if CRAM-MD5 and PLAIN weren't offered) required that the server returned
a 334 code followed by a blank and by a decodable base64 challenge we ignored
anyways. This is in line with RFC 4952.
However, to improve compatibility, fetchmail now accepts anything that
starts with "334 " and disregards the remainder of the line.
At the same time, AUTH LOGIN was deprecated. AUTH PLAIN should be available
everywhere AUTH LOGIN is, and is specified in IETF RFC 4616.
* When authenticating to an SMTP server, i. e. esmtpname/esmtppassword are
defined, check for errors, and skip servers that do not understand EHLO,
because we cannot negotiate supported authentication schemes with them.
This should avoid attempting to send a lot of messages and see them rejected.
* When authenticating to an SMTP server, do not send client abort "*" when
we receive any other server reply but 334.
* Extend 6.5.6's RFC-5321 address-literal fix to MAIL FROM. This might
apply when we only have a server's IP address and need to quality
addresses without domain. Fixes Debian Bug#1080025.
* SMTP AUTH can now look up passwords from the .netrc file - for that,
fetchmail's esmtpname setting must match the login for the given host in
.netrc. Fixes Debian Bug#1056651 by Ticker Berkin.
* Improve the GSSAPI (Kerberos V) build, which was pretty hard to get working.
This was improved. Recommendation:
- For autoconf builds (./configure), be sure to have the desired krb5-config
executable early on $PATH before running ./configure.
- For meson builds, be sure to list the path to your krb5-gssapi.pc file on
PKG_CONFIG_PATH. (meson will fall back to krb5-config, so if that's on PATH,
that should also work.)
TRANSLATION UPDATES were contributed by these fine people - thank you!
* The Italian translation is back - it had been missing from earlier 6.5.X
since it had fallen too far behind with the last update in 2010.
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* es: Cristian Othón Martínez Vera [Spanish]
* fr: Frédéric Marchal [French]
* it: Luca Vercelli [Italian]
* ja: Takeshi Hamasaki [Japanese]
* pl: Jakub Bogusz [Polish]
* ro: Remus-Gabriel Chelu [Romanian]
* sq: Besnik Bleta [Albanian]
* sv: Göran Uddeborg [Swedish]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:28:57 +0000 (18:28 +0200)]
whois: Update to version 5.6.5
- Update from version 5.6.4 to 5.6.5
- No change to rootfile
- Changelog
5.6.5
* Updated the .co TLD server.
* Added some large KRNIC networks.
* Updated the second level .uk TLD servers.
* Removed the .pro TLD server.
* Removed 1 new gTLD which is no longer active.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:15:39 +0000 (18:15 +0200)]
pcre2: Update to version 10.47
- Update from version 10.46 to 10.47
- Update of rootfile
- Changelog
10.47
1. (#660, #655, #663) Expanded platforms tested by CI: FreeBSD, OpenBSD,
Solaris, MSYS (Cygwin), S390x, PPC64le, ARMv7, AARCH64, RiscV.
2. (#655) Made build clean of `/W3` warnings on MSVC. Further suppression of
minor build warnings on other platforms (various commits).
3. (#651) Added `--enable-Werror` flag to `./configure` to treat warnings as
errors (or `--enable-errwarn` for Solaris cc). Previously, you had to hackily
override the CPPFLAGS when calling make since you can't pass `-Werror` as a
CFLAG into `./configure` (it breaks compiler feature detection).
4. (#682) Added AM_MAINTAINER_MODE for Git tag releases. Users building with
the `./configure` script can check out the release tag using Git, which assigns
the current time as the modification time to each checked-out file. This caused
Autoconf to attempt to regenerate the configure script.
5. (#692) Add LICENSE file for sljit to the tarball release, to clarify that the
sljit code is governed separately by the 2-clause BSD license.
6. (#656, #695) Add full support for z/OS and native EBCDIC support. The z/OS
support is tested nightly using the XLC and IBM-Clang compilers, with Autoconf
and CMake. In addition, for test purposes, the EBCDIC support can now be enabled
on any platform using the new Autoconf `--enable-ebcdic-ignoring-compiler` and
CMake `-DPCRE2_EBCDIC_IGNORING_COMPILER` options.
7. (#700) Faster lookup of named capture groups during pattern compilation using
a hash table.
8. (#697, #756, #778) Improvements to pcre2test to increase code coverage:
-malloc argument; more detailed test assertions.
9. (#705, #710, #737, #738) Powerful new feature: pattern recursion of
the form "(?1(GROUP_NAME_OR_NUM,...))" acts as a subroutine call which
additionally returns the listed capturing groups to the calling context.
10. (#721) Add linker scripts to enable symbol versioning for the PCRE2 dynamic
libraries. Downstream Linux distributions may make use of this, or disable it
with the new Autoconf `--disable-symvers` and CMake `-DPCRE2_SYMVERS` options.
Currently, Linux, Solaris, and FreeBSD (GNU ld, LLVM lld, and Solaris ld) are
tested and supported.
11. (#733) New API function: pcre2_next_match(). This function makes it both
simpler and safer for clients to iterate over all matches in a subject. The
documentation in `pcre2api` also provides improved guidance in the section
"Iterating over all matches".
12. (#739, #744, #753) Modernize the CMake build files, to use standard
commands to export the PCRE2 targets. This makes use of the
"$<BUILD_INTERFACE:...>" and "$<INSTALL_INTERFACE:...>" expressions alongside
the built-in "install(EXPORT...)" command. This brings the CMake files in line
with the patches used by vcpkg to distribute PCRE2. The minimum CMake version
remains 3.15.
13. (#756) Improved error offsets and diagnostics for syntax errors during
pattern compilation.
14. (#708, #729, #724, #731, #777) Various updates to Bazel and Zig
build support.
15. (#775) Added PCRE2_CONFIG_EFFECTIVE_LINKSIZE option to pcre2_config(), to
report the actual number of code units used in compiled patterns for recording
string lengths and offsets.
16. (#801) Significant bugfix: Fix a crash in pcre2_callout_enumerate() which is
easily reachable on any pattern that contains a Unicode character class. If your
application uses this function, please read the details for this change and
evaluate its severity for your application.
17. (#806, #807) Improved input validation for pcre2_substitute() used with
PCRE2_SUBSTITUTE_MATCHED.
18. (#817) Add support for $+ replacement to pcre2_substitute().
19. (#818) New SIMD code generation in the JIT for AArch64.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:11:21 +0000 (18:11 +0200)]
libxml2: Update to version 2.15.1
- Update from version 2.15.0 to 2.15.1
- Update of rootfile
- Changelog
2.15.1
Regressions
- parser: Fix attribute normalization and standalone check
Build
- io: Handle clashing error codes on AIX
- Fixed compilation error on GCC versions prior to 4.5 (Lars Erik Wik)
- meson: Fix install dir of man pages
Deprecations
- tree: Undeprecate several struct members
- io: Undeprecate xmlOutputBuffer members
- valid: Undeprecate xmlValidGetPotentialChildren
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:07:55 +0000 (18:07 +0200)]
libarchive: Update to version 3.8.2
- Update from version 3.8.1 to 3.8.2
- Update of rootfile
- Changelog
3.8.2
Security fixes:
7zip: Fix out of boundary access (#2668)
tar reader: fix checking the result of the strftime (#2719, CVE-2025-25724)
Notable bugfixes:
bsdtar: Allow filename to have CRLF endings (#2717)
lib: archive_read_data: handle sparse holes at end of file correctly (#2665)
lib: improve filter process handling (#2659)
lib: fix error checking in writing files (#2672)
lib: handle possible errors from system calls (#2679)
lib: avoid leaking file descriptors into subprocesses (#2707)
lib: parse_date: handle dates in 2038 and beyond if time_t is big enough
(#2742)
RAR5 reader: fix multiple issues in extra field parsing function (#2713)
RAR5 reader: early fail when file declares data for a dir entry (#2716)
tar writer: fix replacing a regular file with a dir for
ARCHIVE_EXTRACT_SAFE_WRITES (#2477)
tar reader (Windows): check WCS pathname in header_gnutar before
overwriting (#2740)
tar reader: fix an infinite loop when parsing V headers (#2737)
zip writer: fix a memory leak if write callback error early (#2664)
zip writer: fix writing with ZSTD compression (#2670)
zstd write filter: enable Zstandard's checksum feature (#2678)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:02:40 +0000 (18:02 +0200)]
less: Update to version 685
- Update from version 679 to 685
- No change to rootfile
- Changelog
685
* Add --cmd option (github #624).
* Add LESS_TERMCAP_SUSPEND and LESS_TERMCAP_RESUME (github #654).
* Change --incsearch so that after typing each character of the pattern,
the search begins at the position where the search command was invoked,
not the current position (github #640).
* Allow mixing of option arguments and filename arguments on the
command line unless POSIXLY_CORRECT is set (github #653).
* Don't output U+00AD and U+200D, and fix some bugs handling emoji
modifier characters (github #637).
* Fix hang if a search using ^S modifier matches empty string (github #634).
* Fix bug using -g and -J (github #636).
* Fix bug when pasting a search pattern while --incsearch is active
(github #635).
* Fix bug in Windows build when autorepeating a search pattern (github #639).
* Fix lesskey bug using #stop directive.
* Fix lesskey bug using "invalid" action (github #643).
* Fix bug causing file to appear to end prematurely if an input command
was received during a file read (github #649).
* Fix performance issue in & filtering (github #638). Problem was introduced
in da2a9ecdf16beb642d0c030e35f0351c5f2e5a12 and released in less-673.
* Fix some problems reported by valgrind (github #659, github #660, github #661).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 15:55:49 +0000 (17:55 +0200)]
shairport-sync: Update to version 4.3.7 to work with ffmpeg-8.0
- Update from version 4.3.4 to 4.3.7
- No change to rootfile
- Changelog
4.3.7
This update comprises updates to GitHub Actions used for testing and for
building Docker. It also includes a small update to the Docker images: the
curl tool is included to facilitate automations.
No other changes have been made relative to the previous release, Version 4.3.6.
4.3.6
Bug Fix
Fix a potential bug (no issues reported) by checking that a buffer is not
zero before attempting to deallocate it.
Documentation Updates
Show how to use MQTTThing with Homebridge to represent Shairport Sync’s
active status.
Correct and clarify the statistics documentation.
The descriptions of Net Sync PPM and All Sync PPM were partly swapped
-- this has been corrected.
Generally clarify the language and harmonize the wording with the
introduction.
Fix a typo in the configuration file.
Docker Build Optimisation
Improve the Dockerfile build sequences as follows:
Build each dependency in a separate stage, facilitating parallel builds.
Define default value for ARGS, permitting easier local docker builds.
Clone the specified branch only, and to a depth of 1, thus getting
relevant data faster.
Copy files in a one-off command, reducing the amount of Docker layers
created.
4.3.5
Enhancements
Add Home Assistant MQTT Auto-Discovery and active/playing State Messages.
Send pvol metadata on mute.
Ensure the PipeWire backend is initially inactive and that it goes active
at the start of a play session and inactive at the end. This is to
facilitate external activity-monitoring software. Note that in
AirPlay 2, play often stops momentarily between tracks, and so there
will be momentary changes from active to inactive and back to active
again in the PipeWire backend. This may change as the backend improves.
Update comments in the sndio section of the sample configuration file.
Docker Enhancements
The AirPlay 2 Docker image now incorporates the PipeWire backend.
Bug Fixes
Update the sndio backend (native to OpenBSD, also used in FreeBSD) to deal
with an intermittent bug. Specifically, use an explicit is_running
flag to keep track of the playing status of the backend.
Fix a bug in the Jack Audio backend. If the system's Jack Audio server was
running at anything other than 44,100 frames per second, the delay
information being returned by the backend was incorrect.
Fix an incompatibility with the recently-introduced FFmpeg version 7.
Stop advertising the SFTP and SSH services on Bonjour.
Deprecations
The soundio backend is deprecated and will be removed in a future update.
It seems that nobody is using it, and as it stands it is very inflexible.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 15:55:48 +0000 (17:55 +0200)]
ffmpeg: Update to version 8.0
- Update from version 7.1.1 to 8.0
- Update of rootfile
- Due to sobump from ffmpeg, mpd and minidlna must be shipped.
- Due to changes in ffmpeg, shairport-sync has to be updated to work with this version
- Changelog
8.0
- Whisper filter
- Drop support for OpenSSL < 1.1.0
- Enable TLS peer certificate verification by default (on next major version bump)
- yasm support dropped, users need to use nasm
- VVC VAAPI decoder
- RealVideo 6.0 decoder
- OpenMAX encoders deprecated
- libx265 alpha layer encoding
- ADPCM IMA Xbox decoder
- Enhanced FLV v2: Multitrack audio/video, modern codec support
- Animated JPEG XL encoding (via libjxl)
- VVC in Matroska
- CENC AV1 support in MP4 muxer
- pngenc: set default prediction method to PAETH
- APV decoder and APV raw bitstream muxing and demuxing
- APV parser
- APV encoding support through a libopenapv wrapper
- VVC decoder supports all content of SCC (Screen Content Coding):
IBC (Inter Block Copy), Palette Mode and ACT (Adaptive Color Transform
- G.728 decoder
- pad_cuda filter
- Sanyo LD-ADPCM decoder
- APV in MP4/ISOBMFF muxing and demuxing
- OpenHarmony hardware decoder/encoder
- Colordetect filter
- Add vf_scale_d3d11 filter
- No longer disabling GCC autovectorization, on X86, ARM and AArch64
- VP9 Vulkan hwaccel
- AV1 Vulkan encoder
- ProRes RAW decoder
- ProRes RAW Vulkan hwaccel
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Should anyone wonder where 9.20.14 has gone:
"The BIND 9.20.14 release was withdrawn after the discovery of a regression
in a security fix in it during pre-release testing."
"Notes for BIND 9.20.15
Security Fixes
DNSSEC validation fails if matching but invalid DNSKEY is found.
(CVE-2025-8677)
Previously, if a matching but cryptographically invalid key was
encountered during DNSSEC validation, the key was skipped and not
counted towards validation failures. named now treats such DNSSEC keys
as hard failures and the DNSSEC validation fails immediately, instead
of continuing with the next DNSKEYs in the RRset.
ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
Security and Privacy Laboratory at Nankai University for bringing this
vulnerability to our attention. [GL #5343]
Address various spoofing attacks. (CVE-2025-40778)
Previously, several issues could be exploited to poison a DNS cache
with spoofed records for zones which were not DNSSEC-signed or if the
resolver was configured to not do DNSSEC validation. These issues were
assigned CVE-2025-40778 and have now been fixed.
As an additional layer of protection, named no longer accepts DNAME
records or extraneous NS records in the AUTHORITY section unless these
are received via spoofing-resistant transport (TCP, UDP with DNS
cookies, TSIG, or SIG(0)).
ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
Duan from Tsinghua University for bringing this vulnerability to our
attention. [GL #5414]
Cache-poisoning due to weak pseudo-random number generator.
(CVE-2025-40780)
It was discovered during research for an upcoming academic paper that a
xoshiro128** internal state can be recovered by an external 3rd party,
allowing the prediction of UDP ports and DNS IDs in outgoing queries.
This could lead to an attacker spoofing the DNS answers with great
efficiency and poisoning the DNS cache.
The internal random generator has been changed to a cryptographically
secure pseudo-random generator.
ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from
Hebrew University of Jerusalem for bringing this vulnerability to our
attention. [GL #5484]
New Features
Add dnssec-policy keys configuration check to named-checkconf.
A new option -k was added to named-checkconf that allows checking the
dnssec-policy keys configuration against the configured key stores. If
the found key files are not in sync with the given dnssec-policy, the
check will fail.
This is useful to run before migrating to dnssec-policy. [GL #5486]
Bug Fixes
Missing DNSSEC information when CD bit is set in query.
The RRSIGs for glue records were not being cached correctly for CD=1
queries. This has been fixed. [GL #5502]
rndc sign during ZSK rollover will now replace signatures.
When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
rndc sign command now signs the zone completely with the successor key,
replacing all zone signatures from the predecessor key with new ones.
[GL #5483]
Use signer name when disabling DNSSEC algorithms.
disable-algorithms could cause DNSSEC validation failures when the
parent zone was signed with the algorithms that were being disabled for
the child zone. This has been fixed; disable-algorithms now works on a
whole-of-zone basis.
If the zone's name is at or below the disable-algorithms name the
algorithm is disabled for that zone, using deepest match when there are
multiple disable-algorithms clauses. [GL #5165]
Preserve cache when reload fails and reload the server again.
This fixes an issue where failing to reconfigure/reload the server
would fail to preserve the views' caches for subsequent server
reconfigurations/reloads. [GL #5523]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 24 Oct 2025 16:42:55 +0000 (18:42 +0200)]
nasm: Use only with x86_64
- nasm is linked in to syslinux and libjpeg.
- libjpeg will only require nasm if CET has been enabled in glibc and the architecture is
x86_64. CET is not enabled in IPFire, therefore libjpeg does not require nasm for
building in x86_64 and is not required at all for libjpeg under aarch64 or riscv64
- syslinux requires nasm to build but only in x86_64.
- This patch sets the supported architecture to x86_64 only. The build of nasm will be
skipped in aarch64 and riscv64.
- The x86_64 build ran as normal. The build was also tested for aarch64 and the build of
nasm was skipped. syslinux is skipped and libjpeg built successfully confirming that
nasm does not need to be built for aarch64 or riscv64.
- The patch is removed as it is only required for building nasm for an arm architecture
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Wed, 22 Oct 2025 15:34:23 +0000 (17:34 +0200)]
wlanap.cgi: Save IEEE80211W 'optional' value correctly
The v1 patch used defined-or (//), which allowed arbitrary values to be written.
This v2 patch validates that IEEE80211W is one of 'off',
'optional', or 'on', defaulting to 'off' if invalid.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 20 Oct 2025 10:48:29 +0000 (12:48 +0200)]
proxy.cgi: Mitigation for CVE-2025-62168 on squid
- The full fix for CVE-2025-62168 is in version squid-7.2
- However there are a lot of changes in squid from version 6 to 7 with all the error
language files no longer provided directly, they have to be obtained from separate
langauage packs now. Also several tools like cachmgr.cgi have been removed as the
options can be obtained via different approaches.
- I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some
time to be sure it is working properly.
- In the interim, this patch adds the mitigation "email_err_data off" into squid.conf
that is referenced in the CVE report.
- If someone else has already worked on squid-7.2 and has it ready to go now or soon,
then this patch can be dropped.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Oct 2025 11:09:24 +0000 (13:09 +0200)]
suricata: Support Zabbix requirements
- The Zabbix addon will use the unix socket and also the suricatasc tool.
- Update configure to enable unix-socket
- Update rootfile to uncomment suricatasc
- This v2 version also sets the unix socket to yes in suricata.yaml
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Oct 2025 11:03:49 +0000 (13:03 +0200)]
clamav: Update to version 1.5.1
- Update from version 1.5.0 to 1.5.1
- No change in rootfile
- Changelog
1.5.1
- Fixed a significant performance issue when scanning some PE files.
- Fixed an issue recording file entries from a ZIP archive central directory
which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the
ClamScan `--alert-exceeds-max` command line option or ClamD `AlertExceedsMax`
config file option.
- Improved performance when scanning TNEF email attachments.
- Fixed an issue with recording metadata for OOXML office documents.
- Fixed an issue with signature matches for VBA in OLE2 office documents.
- Loosened overly restrictive rules for embedded file identification and
increased the limit for finding PE files embedded in other PE files.
- Fixed an issue with extracting some RAR archives embedded in other files.
- Fixed an issue with calculating fuzzy hashes affecting some images by updating
the version for several Rust library dependencies.
- This release does not require a newer version of the Rust compiler toolchain
than what was required for ClamAV 1.5.0.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 16:32:06 +0000 (18:32 +0200)]
openssl: Update to version 3.6.0
- Update from version 3.5.4 to 3.6.0
- Update of rootfile
- The changelog mentions that some changes might be significant or incompatible in
certain situations. I had a look through it and didn't believe that these would
apply to IPFire but it would be good for someone else to confirm.
- What I did do was to install this version of openssl into my vm testbed and then
tested out running openvpn rw & n2n. Everything worked fine.
- I then cleared the x509 root/host certificate set and then created a new one followed
by new client certificates. All these were successfully created without any issues.
- Changelog
3.6.0
Feature release adding significant new functionality to OpenSSL.
This release incorporates the following potentially significant or incompatible
changes:
Added NIST security categories for PKEY objects.
Added support for EVP_SKEY opaque symmetric key objects to the key
derivation and key exchange provider methods. Added EVP_KDF_CTX_set_SKEY(),
EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY() functions.
Added LMS signature verification support as per [SP 800-208]..
This support is present in both the FIPS and default providers.
An ANSI-C toolchain is no longer sufficient for building OpenSSL.
The code should be built using compilers supporting C-99 features.
Support for the VxWorks platforms has been removed.
Added an openssl configutl utility for processing the OpenSSL
configuration file and dumping the equal configuration file.
Added support for FIPS 186-5 deterministic ECDSA signature
generation to the FIPS provider.
Deprecated EVP_PKEY_ASN1_METHOD-related functions.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:08:00 +0000 (15:08 +0200)]
vim: Update to version 9.1.1854
- Update from version 9.1.1406 to 9.1.1854
- Update of rootfile
- Changelog is not available. Generally each patch version number update is related to
a commit entry in the git repository. The details for all the commit changes can be
found at https://github.com/vim/vim/commits/master/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:07:58 +0000 (15:07 +0200)]
openssh: Update to version 10.2p1
- Update from version 10.0p1 to 10.2p1
- No change to rootfile
- Changelog
10.2p1
Future deprecation warning
* A future release of OpenSSH will deprecate support for SHA1 SSHFP
records due to weaknesses in the SHA1 hash function. SHA1 SSHFP
DNS records will be ignored and ssh-keygen -r will generate only
SHA256 SSHFP records.
The SHA256 hash algorithm, which has no known weaknesses, has
been supported for SSHFP records since OpenSSH 6.1, released in
2012.
Bugfixes
* ssh(1): fix mishandling of terminal connections when
ControlPersist was active that rendered the session unusable.
bz3872
* ssh-keygen(1): fix download of keys from PKCS#11 tokens.
* ssh-keygen(1): fix CA signing operations when the CA key is held
in a ssh-agent(1). bz3877
10.1p1
Future deprecation warning
* A future release of OpenSSH will deprecate support for SHA1 SSHFP
records due to weaknesses in the SHA1 hash function. SHA1 SSHFP
DNS records will be ignored and ssh-keygen -r will generate only
SHA256 SSHFP records.
The SHA256 hash algorithm, which has no known weaknesses, has
been supported for SSHFP records since OpenSSH 6.1, released in
2012.
Potentially-incompatible changes
* ssh(1): add a warning when the connection negotiates a non-post
quantum key agreement algorithm.
This warning has been added due to the risk of "store now, decrypt
later" attacks. More details at https://openssh.com/pq.html
This warning may be controlled via a new WarnWeakCrypto ssh_config
option, defaulting to on. This option is likely to control
additional weak crypto warnings in the future.
* ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS
In both client and server the default DSCP (a.k.a IPQoS) values
were revised and the way these values are used during runtime has
changed.
Interactive traffic is now assigned to the EF (Expedited
Forwarding) class by default. This provides more appropriate
packet prioritisation information for the intermediate network,
such as wireless media (cf. RFC 8325). Non-interactive traffic
will now use the operating system default DSCP marking. Both the
interactive and non-interactive DSCP values may be overridden via
the IPQoS keyword, described in ssh_config(5) and sshd_config(5).
The appropriate DSCP marking is now automatically selected and
updated as needed over the course of a connection's lifetime.
ssh(1) and sshd(8) will switch between the interactive and
non-interactive IPQoS values depending on the type of SSH
channels open at the time. For example, if an sftp session is
using the connection alongside a shell session, then the non-
interactive value will be used for the duration of the sftp. A
connection which contains only interactive sessions is marked EF.
* ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
keywords in the IPQoS configuration directive.
Type of Service (ToS) was deprecated in the late nineties and
replaced with the Differentiated Services architecture, which
has significant advantages for operators because it offers more
granularity.
OpenSSH switched its default IPQoS from ToS to DSCP values in
2018 (openssh-7.7).
IPQoS configurations with 'lowdelay', 'reliability', or
'throughput' will be ignored and will instead use the system
default QoS settings. Additionally, a debug message will be logged
about the deprecation with a suggestion to use DSCP QoS instead.
* ssh-add(1): when adding certificates to an agent, set the expiry
to the certificate expiry time plus a short (5 min) grace period.
This will cause the agent to automatically remove certificates
shortly after they expire. A new ssh-add -N option disables this
behaviour.
* All: remove experimental support for XMSS keys. This was never
enabled by default. We expect to implement a new post-quantum
signature scheme in the near future.
* ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
in sshd(8).
This ensures processes that have restricted filesystem access
that includes /tmp do not ambiently have the ability to use keys
in an agent.
Moving the default directory has the consequence that the OS will
no longer clean up stale agent sockets, so ssh-agent now gains
this ability.
To support $HOME on NFS, the socket path includes a truncated
hash of the hostname. ssh-agent will, by default, only clean up
sockets from the same hostname.
ssh-agent(1) gains some new flags: -U suppresses the automatic
cleanup of stale sockets when it starts. -u forces a cleanup
without keeping a running agent, -uu forces a cleanup that ignores
the hostname. -T makes ssh-agent put the socket back in /tmp.
Security
* ssh(1): disallow control characters in usernames passed via the
commandline or expanded using %-sequences from the configuration
file, and disallow \0 characters in ssh:// URIs.
If an ssh(1) commandline was constructed using usernames or URIs
obtained from an untrusted source, and if a ProxyCommand that uses
the %r expansion was configured, then it may be possible for an
attacker to inject shell expressions that may be executed when the
proxy command is started.
We strongly recommend against using untrusted inputs to construct
ssh(1) commandlines.
This change also relaxes the validity checks in one small way:
usernames supplied via the configuration file as literals (i.e.
that have no % expansion characters) are not subject to these
validity checks. This allows usernames that contain arbitrary
characters to be used, but only via configuration files. This is
done on the basis that ssh's configuration is trusted.
New features
* ssh(1), sshd(8): add SIGINFO handlers to log active channel and
session information.
* sshd(8): when refusing a certificate for user authentication, log
enough information to identify the certificate in addition to the
reason why it was being denied. Makes debugging certificate
authorisation problems a bit easier.
* ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
tokens.
* ssh(1): add an ssh_config(5) RefuseConnection option that, when
encountered while processing an active section in a
configuration, terminates ssh(1) with an error message that
contains the argument to the option.
This may be useful for expressing reminders or warnings in config
files, for example:
Match host foo
RefuseConnection "foo is deprecated, use splork instead"
* sshd(8): make the X11 display number check relative to
X11DisplayOffset. This will allow people to use X11DisplayOffset
to configure much higher port ranges if they really want, while
not changing the default behaviour.
* unit tests: the unit test framework now includes some basic
benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes"
on OpenBSD or "make unit-bench" on Portable OpenSSH.
Bugfixes
* sshd(8): fix mistracking of MaxStartups process exits in some
situations. At worst, this could cause all MaxStartups slots to
fill and sshd to refuse new connections.
* ssh(1): fix delay on X client startup when ObscureKeystrokeTiming
is enabled. bz#3820
* sshd(8): increase the maximum size of the supported configuration
from 256KB to 4MB, which ought to be enough for anybody. Fail
early and visibly when this limit is breached. bz3808
* sftp(1): during sftp uploads, avoid a condition where a failed
write could be ignored if a subsequent write succeeded. This is
unlikely but technically possible because sftp servers are
allowed to reorder requests.
* sshd(8): avoid a race condition when the sshd-auth process exits
that could cause a spurious error message to be logged.
* sshd(8): log at level INFO when PerSourcePenalties actually
blocks access to a source address range. Previously this was
logged at level VERBOSE, which hid enforcement actions under
default config settings.
* sshd(8): GssStrictAcceptor was missing from sshd -T output; fix
* sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
first-match-wins as advertised. bz3859
* ssh(1): fix an incorrect return value check in the local forward
cancellation path that would cause failed cancellations not to be
logged.
* sshd(8): make "Match !final" not trigger a second parsing pass
of ssh_config (unless hostname canonicalisation or a separate
"Match final" does). bz3843
* ssh(1): better debug diagnostics when loading keys. Will now list
key fingerprint and algorithm (not just algorithm number) as well
as making it explicit which keys didn't load.
* All: fix a number of memory leaks found by LeakSanitizer,
Coverity and manual inspection.
* sshd(8): Output the current name for PermitRootLogin's
"prohibit-password" in sshd -T instead of its deprecated alias
"without-password". bz#3788
* ssh(1): make writing known_hosts lines more atomic by writing
the entire line in one operation and using unbuffered stdio.
Usually writes to this file are serialised on the "Are you sure
you want to continue connecting?" prompt, but if host key
checking is disabled and connections were being made with high
concurrency then interleaved writes might have been possible.
Portability
* sshd(8): check the username didn't change during the PAM
transactions.
PAM modules can change the user during their execution, but
this is not supported by sshd(8). If such a case was incorrectly
configured by the system administrator, then sshd(8) could end up
using a different username to the one authorised by PAM.
* sshd(8): don't log audit messages with UNKNOWN hostname to avoid
slow DNS lookups in the audit subsystem.
* All: when making a copy of struct passwd, ensure struct fields are
non-NULL. Android libc can return NULL pw_gecos, for example.
* All: Remove status bits from OpenSSL >=3 version check.
* sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun
forwarding from other OSes fails as soon as the first IPv6 message
is sent by the other side (which is usually a Router Solicitation
ICMPv6 message which is sent as soon as the interface is up).
* ssh(1), ssh-agent(8): check for nlist function presence before
attempting to use it instead of relying on the presence of the
nlist.h header. Mac OS X, for example, has the header but not
the function in the 64bit libraries.
* All: fill in missing system header files.
Create replacement header files inside openbsd-compat for common
headers that are missing on a given platform. Usually these are
just empty, but in some cases they'll include the equivalent file.
This avoids having to wrap those includes in '#ifdef HAVE_FOO_H'
and reduces the diff between Portable OpenSSH and OpenBSD.
* sshd(8): handle futex_time64 properly in seccomp sandbox
Previously we only allowed __NR_futex, but some 32-bit systems
apparently support __NR_futex_time64. We had support for this
in the sandbox, but because of a macro error only __NR_futex was
allowlisted.
* Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
* sshd(8): let ga_init() fail gracefully if getgrouplist does.
Apparently getgrouplist() can fail on OSX when passed a
non-existent group name. Other platforms seem to return a group
list consisting of the numeric gid passed to the function. bz3848
* ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
preventing a graceful shutdown of an agent via systemd from
incorrectly marking the service as "failed".
* build: wrap some autoconf macros in AC_CACHE_CHECK.
This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
or linker flags. E.g.
$ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
[...]
checking if cc supports compile flag -fzero-call-used-regs=used
and linking succeeds... (cached) no
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:07:57 +0000 (15:07 +0200)]
libgpg-error: Update to version 1.56
- Update from version 1.54 to 1.56
- Update of rootfile
- Changelog
1.56
* Support the %b conversion specifier in the estream printf
functions. [rE6ac5332e4f]
* New spawn GPGRT_PROCESS_STDIO_NUL to be used on Windows to share
the "nul" device. [T7723]
* Support pipe I/O for GPGRT_PROCESS_DETACHED on Windows. [T7716]
* New mode keyword "share=xxx" for gpgrt_fopen. [rE461cb5a8ea]
* Change the default method to get the number of fds to close. This
fixes a spawning problem on certain POSIX machine. [T7696]
* Fix some cases of inheriting HANDLEs on Windows. [T7716]
* New system configurations for 64-bit Android, i686 Android, x86_64
Android and an armv7a alias to arm for Android.
* Set build specific build variable for zOS [rE7ee191f54c]
* Interface changes relative to the 1.55 release:
GPG_ERR_UNEXPECTED_PACKET NEW.
GPGRT_PROCESS_STDIO_NUL NEW.
1.55
* Rewrite the extended length path handling under Windows.
[T5754,rEfba44d619d]
* Add new test commands to the gpg-error tool. Allow command w/o
dashes and reformat the help. [rEc002490a8f]
* Silence warning from gcc 15. [T7621]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:07:56 +0000 (15:07 +0200)]
kbd: Update to version 2.9.0
- Update from version 2.8.0 to 2.9.0
- Update of rootfile
- Changelog
2.9.0
keymaps:
Add console keymap for Mac swiss german keyboards.
libkbdfile:
Detect archive type based on content.
Add support for decompressing files without using utilities. Use
ELF_DLOPEN_METADATA if possible.
utils:
loadkeys: Add --tkeymap to dump the keymap as text.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:07:54 +0000 (15:07 +0200)]
fetchmail: Update to version 6.5.6
- Update from version 6.5.5 to 6.5.6
- No change to rootfile
- Changelog
6.5.6
SECURITY BUGFIX:
* fetchmail-SA-2025-01.txt: CVE pending assignment by MITRE
An SMTP server advertising EHLO and AUTH, and if fetchmail is configured to
authenticate (esmtpname and esmtppassword given and non-empty), the server
might crash fetchmail by sending a "334" response without further blank to
fetchmail's AUTH request. This is in violation of applicable RFC-4952 though.
Fetchmail now detects this situation and reports it separately as
malformed server reply.
Fetchmail 6.5.6 has been released without waiting for translation updates
or CVE identifier, these will be provided in followup releases.
BUGFIXES:
* RFC-5321: When the --smtpaddress, --smtphost, --smtpname, -D or -S argument
is an numeric address literal such as 192.0.2.2 or 2001:0DB8::4321, properly
format that as such in the SMTP RCPT command as user@[192.0.2.2] or
user@[IPv6:2001:0DB8::4321].
* When printing output on the console while fetching mail, do not intersperse
another copy of our program name and date in the middle of a log line.
Workaround for older versions: --logfile /dev/tty (might also use
--logfile /dev/stderr) - but note this changes buffering behavior and may
output to appear later and without ticker marks.
* A few low-priority memory leaks in the command-line options parser were
fixed. Since this parser runs only once, leaks are harmless.
* Some minor code cleanups and robustness fixes were made, and we should
see fewer compiler warnings as a result.
CHANGES:
* Given the slow update schedules of some distributions, already add code
that checks if time_t() is good beyond the year 2038,
meaning time_t is either unsigned (which would last until 2106) or
64 bits wide. If the system isn't safe, warn on every launch of fetchmail
beginning 2028-01-01 at 00:00 GMT so users have 10 years to plan.
Fetchmail will also print a warning if time(time_t *t) overflows.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:07:53 +0000 (15:07 +0200)]
btrfs-progs: Update to version 6.17
- Update from veresion 6.16 to 6.17
- No change to rootfile
- Changelog
6.17
* inspect list-chunks: more sorting keys, descending order
* fi resize: add support for offline (unmounted) growing of single device
* device stats: add support for offline (unmounted) reads
* quota status: new command, overview what mode is enabled, tunables
* fi commit-stats: new command, print various commit stats from sysfs (since
kernel 6.1)
* balance start: print warning and delay start if there's a missing device
in the filesystem
* mkfs:
* print zoned mode (native, emulated)
* check:
* verify device bytes in super block item and in chunk tree
* other
* updated CI, new and updated tests
* cleanups, refactoring
* documentation updates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 25 Sep 2025 17:56:33 +0000 (17:56 +0000)]
kernel: Disable preemption debugging
From the kernel configuration:
If you say Y here then the kernel will use a debug variant of the
commonly used smp_processor_id() function and will print warnings
if kernel code uses it in a preemption-unsafe way. Also, the kernel
will detect preemption count underflows.
This option has potential to introduce high runtime overhead,
depending on workload as it triggers debugging routines for each
this_cpu operation. It should only be used for debugging purposes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 13 Oct 2025 10:39:52 +0000 (12:39 +0200)]
rust: Update to version 1.85.0
- Update from version 1.83.0 to 1.85.0
- The latest version of rust is at 1.90.0 but that version requires some existing rust
modules to also be updated. I will do that as a separate step once this patch is
in place.
- Update of rootfiles for all three architectures.
- Changelog
1.85.0
Language
The 2024 Edition is now stable. See the edition guide for more details.
Stabilize async closures See RFC 3668 for more details.
Stabilize #[diagnostic::do_not_recommend]
Add unpredictable_function_pointer_comparisons lint to warn against
function pointer comparisons
Lint on combining #[no_mangle] and #[export_name] attributes.
Compiler
The unstable flag -Zpolymorphize has been removed, see
https://github.com/rust-lang/compiler-team/issues/810 for some
background.
Platform Support
Promote powerpc64le-unknown-linux-musl to tier 2 with host tools
Refer to Rust’s platform support page for more information on Rust’s
tiered platform support.
Libraries
Panics in the standard library now have a leading library/ in their path
std::env::home_dir() on Windows now ignores the non-standard $HOME
environment variable
It will be un-deprecated in a subsequent release.
Add AsyncFn* to the prelude in all editions.
Stabilized APIs
BuildHasherDefault::new
ptr::fn_addr_eq
io::ErrorKind::QuotaExceeded
io::ErrorKind::CrossesDevices
{float}::midpoint
Unsigned {integer}::midpoint
NonZeroU*::midpoint
impl std::iter::Extend for tuples with arity 1 through 12
FromIterator<(A, ...)> for tuples with arity 1 through 12
std::task::Waker::noop
These APIs are now stable in const contexts:
mem::size_of_val
mem::align_of_val
Layout::for_value
Layout::align_to
Layout::pad_to_align
Layout::extend
Layout::array
std::mem::swap
std::ptr::swap
NonNull::new
HashMap::with_hasher
HashSet::with_hasher
BuildHasherDefault::new
<float>::recip
<float>::to_degrees
<float>::to_radians
<float>::max
<float>::min
<float>::clamp
<float>::abs
<float>::signum
<float>::copysign
MaybeUninit::write
Cargo
Add future-incompatibility warning against keywords in cfgs and add
raw-idents
Stabilize higher precedence trailing flags
Pass CARGO_CFG_FEATURE to build scripts
Rustdoc
Doc comment on impl blocks shows the first line, even when the impl block
is collapsed
Compatibility Notes
rustc no longer treats the test cfg as a well known check-cfg, instead it
is up to the build systems and users of --check-cfg1 to set it as a
well known cfg using --check-cfg=cfg(test).
This is done to enable build systems like Cargo to set it conditionally,
as not all source files are suitable for unit tests. Cargo (for now)
unconditionally sets the test cfg as a well known cfg.
Disable potentially incorrect type inference if there are trivial and
non-trivial where-clauses
std::env::home_dir() has been deprecated for years, because it can give
surprising results in some Windows configurations if the HOME
environment variable is set (which is not the normal configuration on
Windows). We had previously avoided changing its behavior, out of
concern for compatibility with code depending on this non-standard
configuration. Given how long this function has been deprecated, we’re
now fixing its behavior as a bugfix. A subsequent release will remove
the deprecation for this function.
Make core::ffi::c_char signedness more closely match that of the
platform-default char
This changed c_char from an i8 to u8 or vice versa on many Tier 2 and 3
targets (mostly Arm and RISC-V embedded targets). The new definition
may result in compilation failures but fixes compatibility issues with C.
The libc crate matches this change as of its 0.2.169 release.
When compiling a nested macro_rules macro from an external crate, the
content of the inner macro_rules is now built with the edition of the
external crate, not the local crate.
Increase sparcv9-sun-solaris and x86_64-pc-solaris Solaris baseline to 11.4.
Show abi_unsupported_vector_types lint in future breakage reports
Error if multiple super-trait instantiations of dyn Trait need associated
types to be specified but only one is provided
Change powerpc64-ibm-aix default codemodel to large
Internal Changes
These changes do not affect any public interfaces of Rust, but they
represent significant improvements to the performance or internals of
rustc and related tools.
Build x86_64-unknown-linux-gnu with LTO for C/C++ code (e.g., jemalloc)
1.84.1
Fix ICE 132920 in duplicate-crate diagnostics.
Fix errors for overlapping impls in incremental rebuilds.
Fix slow compilation related to the next-generation trait solver.
Fix debuginfo when LLVM’s location discriminator value limit is exceeded.
Fixes for building Rust from source:
Only try to distribute llvm-objcopy if llvm tools are enabled.
Add Profile Override for Non-Git Sources.
Resolve symlinks of LLVM tool binaries before copying them.
Make it possible to use ci-rustc on tarball sources.
1.84.0
Language
Allow #[deny] inside #[forbid] as a no-op
Show a warning when -Ctarget-feature is used to toggle features that can
lead to unsoundness due to ABI mismatches
Use the next-generation trait solver in coherence
Allow coercions to drop the principal of trait objects
Support / as the path separator for include!() in all cases on Windows
Taking a raw ref (raw (const|mut)) of a deref of a pointer (*ptr) is now safe
Stabilize s390x inline assembly
Stabilize Arm64EC inline assembly
Lint against creating pointers to immediately dropped temporaries
Execute drop glue when unwinding in an extern "C" function
Compiler
Add --print host-tuple flag to print the host target tuple and affirm the
“target tuple” terminology over “target triple”
Declaring functions with a calling convention not supported on the current
target now triggers a hard error
Set up indirect access to external data for
loongarch64-unknown-linux-{musl,ohos}
Enable XRay instrumentation for LoongArch Linux targets
Extend the unexpected_cfgs lint to also warn in external macros
Stabilize WebAssembly multivalue, reference-types, and tail-call target
features
Added Tier 2 support for the wasm32v1-none target
Libraries
Implement From<&mut {slice}> for Box/Rc/Arc<{slice}>
Move <float>::copysign, <float>::abs, <float>::signum to core
Add LowerExp and UpperExp implementations to NonZero
Implement FromStr for CString and TryFrom<CString> for String
std::os::darwin has been made public
Stabilized APIs
Ipv6Addr::is_unique_local
Ipv6Addr::is_unicast_link_local
core::ptr::with_exposed_provenance
core::ptr::with_exposed_provenance_mut
<ptr>::addr
<ptr>::expose_provenance
<ptr>::with_addr
<ptr>::map_addr
<int>::isqrt
<int>::checked_isqrt
<uint>::isqrt
NonZero::isqrt
core::ptr::without_provenance
core::ptr::without_provenance_mut
core::ptr::dangling
core::ptr::dangling_mut
Pin::as_deref_mut
These APIs are now stable in const contexts
AtomicBool::from_ptr
AtomicPtr::from_ptr
AtomicU8::from_ptr
AtomicU16::from_ptr
AtomicU32::from_ptr
AtomicU64::from_ptr
AtomicUsize::from_ptr
AtomicI8::from_ptr
AtomicI16::from_ptr
AtomicI32::from_ptr
AtomicI64::from_ptr
AtomicIsize::from_ptr
<ptr>::is_null
<ptr>::as_ref
<ptr>::as_mut
Pin::new
Pin::new_unchecked
Pin::get_ref
Pin::into_ref
Pin::get_mut
Pin::get_unchecked_mut
Pin::static_ref
Pin::static_mut
Cargo
Stabilize MSRV-aware resolver config
Stabilize resolver v3
Rustdoc
rustdoc-search: improve type-driven search
Compatibility Notes
Enable by default the LSX target feature for LoongArch Linux targets
The unstable -Zprofile flag (“gcov-style” coverage instrumentation) has
been removed. This does not affect the stable flags for coverage
instrumentation (-Cinstrument-coverage) and profile-guided
optimization (-Cprofile-generate, -Cprofile-use), which are unrelated
and remain available.
Support for the target named wasm32-wasi has been removed as the target is
now named wasm32-wasip1. This completes the transition plan for this
target following the introduction of wasm32-wasip1 in Rust 1.78.
Compiler warnings on use of wasm32-wasi introduced in Rust 1.81 are
now gone as well as the target is removed.
The syntax &pin (mut|const) T is now parsed as a type which in theory
could affect macro expansion results in some edge cases
Legacy syntax for calling std::arch functions is no longer permitted to
declare items or bodies (such as closures, inline consts, or async
blocks).
Declaring functions with a calling convention not supported on the current
target now triggers a hard error
The next-generation trait solver is now enabled for coherence, fixing
multiple soundness issues
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
