Stefan Schantl [Wed, 18 Feb 2026 18:13:01 +0000 (19:13 +0100)]
general-functions.pl: Refactor GetCoreUpdateVersion function
There is no need for a loop when only grab the first line of a file
which only has one line. Also remove the newline from the grabbed line,
which may cause malfunctions on further processing.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 18 Feb 2026 11:46:48 +0000 (11:46 +0000)]
toolchain: Create a toolchain configuration file
This is needed because we are currently cross-compiling the toolchain
for riscv64 on x86_64. However, cmake does not take the time to figure
out what it should actually be doing and needs to be explicitely told.
So that we don't have to reinvent the wheel more than one we create the
configuration file at the beginning and automatically extend the cmake
command line with the settings that we need.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ummeegge [Tue, 17 Feb 2026 09:07:07 +0000 (09:07 +0000)]
RPZ: ignore ZONEMD records to prevent root priming failure
RPZ zones with apex ZONEMD RR (type 63) create phantom QNAME trigger for root
zone (.) after strip_dname_origin(), breaking DNSSEC priming:
"rpz: applied [dbl-ads] . rpz-local-data . DNSKEY IN"
Fixes: https://github.com/NLnetLabs/unbound/issues/1404 Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Feb 2026 15:20:40 +0000 (16:20 +0100)]
vim: Update to version 9.1.2147
- Update from version 9.1.2098 to 9.1.2147
- Update of rootfile
- Changelog is not available. Generally each patch version number update is related to
a commit entry in the git repository. The details for all the commit changes can be
found at https://github.com/vim/vim/commits/master/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Feb 2026 15:20:38 +0000 (16:20 +0100)]
p11-kit: Update to version 0.26.2
- Update from version 0.26.1 to 0.26.2
- Update of rootfile
- One CVE fix
- Changelog
0.26.2
rpc: fix NULL dereference via C_DeriveKey with specific NULL parameters (CVE-2026-2100)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Feb 2026 15:20:37 +0000 (16:20 +0100)]
openvpn: Update to version 2.6.19
- Update from version 2.6.17 to 2.6.19
- No change to rootfile
- Changelog
2.6.19
Bugfixes
make dist would fail to pack unit_tests/openvpn/test_common.h, breaking make check
on the tarball if cmocka is installed. Fix.
2.6.18
New features / User visible changes
disable DCO if --bind-dev option is given (no support for this in the old
out-of-kernel Linux DCO implementation)
on Windows, if using --ip-win32 netsh and not using the interactive service, IPv4
addresses would be installed as "permanent", possibly causing problems later on
with using that IPv4 address on a different interface. Change to "store=active".
(GH: #915)
Code maintenance / Compat changes
backport fixes needed to build unit tests with cmocka 2.0.0 and -Werror (some parts
of the old API have been deprecated and would raise warnings)
backport "ensure that all unit tests use unbuffered stdout+stderr" change,
otherwise we get no output at all if a unit test crashes
add explicit error message for failing read in multi_process_file_closed()
(reported by SRL)
test framework: permit overriding the openvpn binary called
configure.ac: remove use of PKCS11_HELPER_LIBS in mbedTLS checks (old code, purpose
unclear, effects non-useful)
configure.ac: try to use pkg-config to detect mbedTLS
Documentation updates
improve pull-filter documentation, emphasizing possible problems if used as a naive
security measure (reported by SRLabs).
Bugfixes
p2mp server: fix incorrect file descriptor handling on "inotify" FD during a
SIGUSR1 restart (GH: #966)
management interface: fix bug where --management-forget-disconnect and
--management-signal could be executed even if password authentication to
managment interface was still pending (Zeropath finding)
repair client-side interaction on reconnect between DCO event handling and
--persist-tun - after a ping timeout and reconnect, the DCO event handler would
not be armed, and the next ping timeout would not be received by userland,
causing non-working connections with nothing in the openvpn log (Linux and
FreeBSD only, GH: #947)
prevent crash on invalid server-ipv6 argument, calling freeaddrinfo() with a NULL
pointer. This only affects OpenBSD. (Klemens Nanni).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Feb 2026 15:20:34 +0000 (16:20 +0100)]
libtalloc: Update to version 2.4.4
- Update from version 2.4.3 to 2.4.4
- Update of rootfile
- The last changelog recorded in the sourcde tarball is from 2007. The only place I
have found anything is by filtering the samba gitlab mirror to show the commits
related to talloc.
https://gitlab.com/samba-team/samba/-/commits/talloc-2.4.4?ref_type=tags
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Feb 2026 15:20:33 +0000 (16:20 +0100)]
libpng: Update to version 1.6.55
- Update from version 1.6.53 to 1.6.55
- Update of rootfile
- Three CVE fixes
- Changelog
1.6.55
Fixed CVE-2026-25646 (high severity):
Heap buffer overflow in `png_set_quantize`.
(Reported and fixed by Joshua Inscoe.)
Resolved an oss-fuzz build issue involving nalloc.
(Contributed by Philippe Antoine.)
1.6.54
Fixed CVE-2026-22695 (medium severity):
Heap buffer over-read in `png_image_read_direct_scaled`.
(Reported and fixed by Petr Simecek.)
Fixed CVE-2026-22801 (medium severity):
Integer truncation causing heap buffer over-read in `png_image_write_*`.
Implemented various improvements in oss-fuzz.
(Contributed by Philippe Antoine.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Feb 2026 15:20:32 +0000 (16:20 +0100)]
libgcrypt: Update to version 1.12.0
- Update from version 1.11.2 to 1.12.0
- Update of rootfile
- Changelog
1.12.0
* New and extended interfaces:
- Allow access to the FIPS service indicator via the new
GCRYCTL_FIPS_SERVICE_INDICATOR control code.
[T7338,rCd0db6a5abf,rCf51f4e9893]
- Add GCRYCTL_FIPS_REJECT_NON_FIPS control code. [T7338,rCe52adf0948]
- Add GCRY_FIPS_FLAG_REJECT_PK_FLAGS constant. [T7338,rC0414e126b9]
- Make SHA-1 non-FIPS internally for the 1.12 API. This introduces
the GCRY_FIPS_FLAG_REJECT_MD_SHA1 constant. [rC4ee91a94bc]
- Add GCRY_FIPS_FLAG_REJECT_PK_FLAGS. [rC0414e126b9]
- Provide macros for each KEM enum constant. [rCe9b1c3ec91]
- Add Dilithium (ML-DSA) support. [T7640]
- Support optional random-override and support byte string data.
[rCcbefff5fca,rC3bb4a54f43]
* Performance:
- Add VAES/AVX512 accelerated implementation for AES which boosts
OCB performance by about 2 times on AMD Zen5. [rC9e3af928ee]
- Avoid AVX512/AVX2/SSSE3 for single block processing with Zen5 for
ChaCha20. [rCc1d9fff3b2]
- Avoid AVX/AVX2/AVX512 when CPU has high vector inst latency like
Zen5 for Blake2. [rCe5bc3b2826]
- Various optimizations for Camellia.
[rCf5848080d4,rCb9bafd6c6c,rC8b538a8c76]
- Add POLYVAL acceleration for RISC-V and GCM-SIV. [rC00815c4207]
- Add RISC-V Zbb+Zbc implementation of CRC. [rCab4fa2a19c]
- Add RISC-V vector cryptography implementation of GHASH.
[rCcc2a4b6388]
- Add RISC-V vector cryptography implementation of AES.
[rCb000ab6025]
- Add RISC-V vector cryptography implementations of SHA256 and
SHA512. [rCcc1d5b0b5e]
- Add AVX2 and AVX512 code paths to improve CRC. [rCc30788969d]
* Bug fixes:
- Use secure MPI in _gcry_mpi_assign_limb_space. [rC6e77b09cff]
- Use CSIDL_COMMON_APPDATA instead of /etc on Windows. [rCd5e3cbfd88]
- Apply a Kyber patch from upstream. [rCbdc3724d72]
- Fix an edge case in Jent initialization. [rC0ceca9993f]
- mceliece6688128f: Fix stack overflow crash on win64/wine
[rC5bd9320171]
* Other:
- Add support for IBM z/OS, fixing -lpthread check with glibc.
[rC5af59d8454]
- Introduce mpi_tfr and use it for point_tfr to decrease EM signal
and increase EM noise. [rC4e65996bb8]
- Handle HAVE_BROKEN_MLOCK for the case of building with ASAN.
[T7889]
- Harden mask generation against branch optimization for several
algorithms. [e.g. rC4012e9a037,rCbf7546c502,rC052b03fb0c]
- Improve constant-time operation for ECDSA. [T7519,rC0bd4c77be6]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Feb 2026 15:20:31 +0000 (16:20 +0100)]
less: Update to version 692
- Update from version 691 to 692
- No change to rootfile
- Changelog
692
Revert HOME key to scroll to beginning of file and END key to scroll to end of file (github #658).
Configure tty to leave CR and NL unmodified (github #703).
Add commands to lesskey parser (forw-bell-hilite, goto-pos and osc8-jump).
Add key sequences to lesskey parser (\kE, \kF, \kH, \kI, \kM, and \kS).
Fix bug using negative value with -z option (github #709).
Fix bug handling empty terminfo capabilties (github #710).
Fix memory leak in setupterm (github #707).
Make lesstest ignore system locale (nl_langinfo) (github #708).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 10 Feb 2026 21:09:01 +0000 (22:09 +0100)]
7zip: Remove addon as not being updated.
- This package is p7zip, based on ther original 7zip that originally did not support
Linux. The original p7zip was no longer being updated after around 2018. A forked
version was found and used but then that stopped being updated after 2023.
- The original 7zip has had fixes done to it to address CVE's that were found to be
in very old code, that was likely present when the p7zip fork was carried out.
- As discussed in the Feb IPFire dev conf call this patch is to remove 7zip as an addon
from IPFire.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Feb 2026 15:20:39 +0000 (16:20 +0100)]
postfix: Update to version 3.10.7
- Update from version 3.10.6 to 3.10.7
- No change to rootfile
- Changelog
3.10.7
This patch addresses build errors on recent Linux distributions. With the patch,
Postfix builds will run the compiler with a backwards compatibility option that
is supported by Gcc and Clang. For other compilers, an error message provides
hints.
Background: the build errors are caused by C compilers that by default define a
'bool' type (size=1) that conflicts with Postfix's 'bool' type (an alias for
'int', typically size=4). Postfix 3.11 will support the new bool type, but that
change is too large for stable Postfix releases (too many lines in too many
files).
This patch will also apply to Postfix 3.6 all the way back to Postfix 3.0 with a
simple change: remove the Prereq: line, and remove the part that updates the
HISTORY file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Feb 2026 15:20:36 +0000 (16:20 +0100)]
nfs: Update to version 2.8.5
- Update from version 2.8.4 to 2.8.5
- No change to rootfile
- Changelog
2.8.5
- Changelog is just a list of the commits. The details can be found in the changelog at
https://sourceforge.net/projects/nfs/files/nfs-utils/2.8.5/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Feb 2026 15:20:28 +0000 (16:20 +0100)]
git: Update to version 2.53.0
- Update from version 2.52.0 to 2.53 0
- No change to rootfile
- Changelog
2.53.0
UI, Workflows & Features
"git maintenance" command learned "is-needed" subcommand to tell if
it is necessary to perform various maintenance tasks.
"git replay" (experimental) learned to perform ref updates itself
in a transaction by default, instead of emitting where each refs
should point at and leaving the actual update to another command.
"git blame" learns "--diff-algorithm=<algo>" option.
"git repo info" learned "--all" option.
Both "git apply" and "git diff" learn a new whitespace error class,
"incomplete-line".
Add a new manual that describes the data model.
"git fast-import" learns "--signed-commits=strip-if-invalid" option
to drop invalid cryptographic signature from objects.
The use of "revision" (a connected set of commits) has been
clarified in the "git replay" documentation.
A help message from "git branch" now mentions "git help" instead of
"man" when suggesting to read some documentation.
"git repo struct" learned to take "-z" as a synonym to "--format=nul".
More object database related information are shown in "git repo
structure" output.
Improve the error message when a bad argument is given to the
--onto option of "git replay". Test coverage of "git replay" has
been improved.
The iconv library on macOS fails to correctly handle stateful
ISO/IEC 2022:1994 encoded strings. Work it around instead of
replacing it wholesale from homebrew.
Upstream symbolic link support on Windows from Git-for-Windows.
Performance, Internal Implementation, Development Support etc.
The list of packfiles used in a running Git process is moved from
the packed_git structure into the packfile store.
Some ref backend storage can hold not just the object name of an
annotated tag, but the object name of the object the tag points at.
The code to handle this information has been streamlined.
As "git diff --quiet" only cares about the existence of any
changes, disable rename/copy detection to skip more expensive
processing whose result will be discarded anyway.
A part of code paths that deals with loose objects has been cleaned
up.
"make strip" has been taught to strip "scalar" as well as "git".
Dockerized jobs at the GitHub Actions CI have been taught to show
more details of failed tests.
Code refactoring around object database sources.
Halve the memory consumed by artificial filepairs created during
"git diff --find-copies-harder", also making the operation run
faster.
The "git_istream" abstraction has been revamped to make it easier
to interface with pluggable object database design.
Rewrite the only use of "mktemp()" that is subject to TOCTOU race
and Stop using the insecure "mktemp()" function.
(merge 10bba537c4 rs/ban-mktemp later to maint).
In-code comment update to clarify that single-letter options are
outside of the scope of command line completion script.
(merge dc8a00fafe jc/completion-no-single-letter-options later to maint).
MEMZERO_ARRAY() helper is introduced to avoid clearing only the
first N bytes of an N-element array whose elements are larger than
a byte.
"git diff-files -R --find-copies-harder" has been taught to use
the potential copy sources from the index correctly.
Require C99 style flexible array member support from all platforms.
The code path that enumerates promisor objects have been optimized
to skip pointlessly parsing blob objects.
Prepare test suite for Git for Windows that supports symbolic
links.
Import newer version of "clar", unit testing framework.
(merge 84071a6dea ps/clar-integers later to maint).
The packfile_store data structure is moved from object store to odb
source.
The object-info API has been cleaned up.
Further preparation to upstream symbolic link support on Windows.
Remove implicit reliance on the_repository global in the APIs
around tree objects and make it explicit which repository to work
in.
"git bugreport" and "git version --build-options" learned to
include use of gettext feature, to make it easier to diagnose
problems around l10n.
Dscho observed that SVN tests are taking too much time in CI leak
checking tasks, but most time is spent not in our code but in libsvn
code (which happen to be written in Perl), whose leaks have little
value to discover for us. Skip SVN, P4, and CVS tests in the leak
checking tasks.
(merge 047bd7dfe3 js/ci-leak-skip-svn later to maint).
Bug Fixes
Ever since we added whitespace rules for this project, we misspelt
an entry, which has been corrected.
(merge 358e94dc70 jc/gitattributes-whitespace-no-indent-fix later to maint).
The code to expand attribute macros has been rewritten to avoid
recursion to avoid running out of stack space in an uncontrolled
way.
(merge 42ed046866 jk/attr-macroexpand-wo-recursion later to maint).
Adding a repository that uses a different hash function is a no-no,
but "git submodule add" did not prevent it, which has been corrected.
(merge 6fe288bfbc bc/submodule-force-same-hash later to maint).
An earlier check added to osx keychain credential helper to avoid
storing the credential itself supplied was overeager and rejected
credential material supplied by other helper backends that it would
have wanted to store, which has been corrected.
(merge 4580bcd235 kn/osxkeychain-idempotent-store-fix later to maint).
The "git repo structure" subcommand tried to align its output but
mixed up byte count and display column width, which has been
corrected.
(merge 7a03a10a3a jx/repo-struct-utf8width-fix later to maint).
Yet another corner case fix around renames in the "ort" merge
strategy.
(merge a562d90a35 en/ort-rename-another-fix later to maint).
Test leakfix.
(merge 14b561e768 jk/test-mktemp-leakfix later to maint).
Update a version of action used at the GitHub Actions CI.
(merge cd99203f86 js/ci-github-setup-go-update later to maint).
The "return errno = EFOO, -1" construct, which is heavily used in
compat/mingw.c and triggers warnings under "-Wcomma", has been
rewritten to avoid the warnings.
(merge af3919816f js/mingw-assign-comma-fix later to maint).
Makefile based build have recently been updated to build a
libgit.a that also has reftable and xdiff objects; CMake based
build procedure has been updated to match.
(merge b0d5c88cca js/cmake-libgit-fix later to maint).
Under-allocation fix.
(merge d22a488482 js/wincred-get-credential-alloc-fix later to maint).
"git worktree list" attempts to show paths to worktrees while
aligning them, but miscounted display columns for the paths when
non-ASCII characters were involved, which has been corrected.
(merge 08dfa59835 pw/worktree-list-display-width-fix later to maint).
"Windows+meson" job at the GitHub Actions CI was hard to debug, as
it did not show and save failed test artifacts, which has been
corrected.
(merge 17bd1108ea jk/ci-windows-meson-test-fix later to maint).
Emulation code clean-up.
(merge 2367c6bcd6 gf/win32-pthread-cond-wait-err later to maint).
Various issues detected by Asan have been corrected.
(merge a031b6181a jk/asan-bonanza later to maint).
"git config get --path" segfaulted on an ":(optional)path" that
does not exist, which has been corrected.
(merge 0bd16856ff jc/optional-path later to maint).
The "--committer-date-is-author-date" option of "git am/rebase" is
a misguided one. The documentation is updated to discourage its
use.
(merge fbf3d0669f kh/doc-committer-date-is-author-date later to maint).
The option help text given by "git config unset -h" described
the "--all" option to "replace", not "unset", multiple variables,
which has been corrected.
(merge 18bf67b753 rs/config-unset-opthelp-fix later to maint).
The error message given by "git config set", when the variable
being updated has more than one values defined, used old style "git
config" syntax with an incorrect option in its hint, both of which
have been corrected.
(merge df963f0df4 rs/config-set-multi-error-message-fix later to maint).
"git replay" forgot to omit the "gpgsig-sha256" extended header
from the resulting commit the same way it omits "gpgsig", which has
been corrected.
(merge 9f3a115087 pw/replay-exclude-gpgsig-fix later to maint).
A few tests have been updated to work under the shell compatible
mode of zsh.
(merge a92f243a94 bc/zsh-testsuite later to maint).
The way patience diff finds LCS has been optimized.
(merge c7e3b8085b yc/xdiff-patience-optim later to maint).
Recent optimization to "last-modified" command introduced use of
uninitialized block of memory, which has been corrected.
(merge fe4e60759b tc/last-modified-active-paths-optimization later to maint).
"git last-modified" used to mishandle "--" to mark the beginning of
pathspec, which has been corrected.
(merge 05491b90ce js/last-modified-with-sparse-checkouts later to maint).
Emulation code clean-up.
(merge 42aa7603aa gf/win32-pthread-cond-init later to maint).
"git submodule add" to add a submodule under <name> segfaulted,
when a submodule.<name>.something is already in .gitmodules file
without defining where its submodule.<name>.path is, which has been
corrected.
(merge dd8e8c786e jc/submodule-add later to maint).
"git fetch" that involves fetching tags, when a tag being fetched
needs to overwrite existing one, failed to fetch other tags, which
has been corrected.
(merge b7b17ec8a6 kn/fix-fetch-backfill-tag-with-batched-ref-updates later to maint).
Document "rev-list --filter-provided-objects" better.
(merge 6d8dc99478 jt/doc-rev-list-filter-provided-objects later to maint).
Even when there is no changes in the packfile and no need to
recompute bitmaps, "git repack" recomputed and updated the MIDX
file, which has been corrected.
(merge 6ce9d558ce ps/repack-avoid-noop-midx-rewrite later to maint).
Update HTTP tests to adjust for changes in curl 8.18.0
(merge 17f4b01da7 jk/test-curl-updates later to maint).
Workaround the "iconv" shipped as part of macOS, which is broken
handling stateful ISO/IEC 2022 encoded strings.
(merge cee341e9dd rs/macos-iconv-workaround later to maint).
Running "git diff" with "--name-only" and other options that allows
us not to look at the blob contents, while objects that are lazily
fetched from a promisor remote, caused use-after-free, which has
been corrected.
The ort merge machinery hit an assertion failure in a history with
criss-cross merges renamed a directory and a non-directory, which
has been corrected.
(merge 979ee83e8a en/ort-recursive-d-f-conflict-fix later to maint).
Diagnose invalid bundle-URI that lack the URI entry, instead of
crashing.
(merge 7796c14a1a sb/bundle-uri-without-uri later to maint).
Mailmap update for Karsten
(merge e97678c4ef js/mailmap-karsten-blees later to maint).
Perf-test fixes.
(merge 79d301c767 jk/t-perf-fixes later to maint).
Fix for a performance regression in "git cat-file".
(merge 9e8b448dd8 jk/cat-file-avoid-bitmap-when-unneeded later to maint).
Update a FAQ entry on synching two separate repositories using the
"git stash export/import" recently introduced.
(merge 02fc44a989 bc/doc-stash-import-export later to maint).
"git fsck" used inconsistent set of refs to show a confused
warning, which has been corrected.
Some error messages from the http transport layer lacked the
terminating newline, which has been corrected.
(merge a8227ae8d5 kt/http-backend-errors later to maint).
"git repack --geometric" did not work with promisor packs, which
has been corrected.
The logic that avoids reusing MIDX files with a wrong checksum was
broken, which has been corrected.
Other code cleanup, docfix, build fix, etc.
(merge 46207a54cc qj/doc-http-bad-want-response later to maint).
(merge df90eccd93 kh/doc-commit-extra-references later to maint).
(merge f18aa68861 rs/xmkstemp-simplify later to maint).
(merge fddba8f737 ja/doc-synopsis-style later to maint).
(merge 22ce0cb639 en/xdiff-cleanup-2 later to maint).
(merge 8ef7355a8f je/doc-pull later to maint).
(merge 48176f953f jc/capability-leak later to maint).
(merge 8cbbdc92f7 kh/doc-pre-commit-fix later to maint).
(merge d4bc39a4d9 mh/doc-config-gui-gcwarning later to maint).
(merge 41d425008a kh/doc-send-email-paragraph-fix later to maint).
(merge d4b732899e jc/macports-darwinports later to maint).
(merge bab391761d kj/pull-options-decl-cleanup later to maint).
(merge 007b8994d4 rs/t4014-git-version-string-fix later to maint).
(merge 4ce170c522 ds/doc-scalar-config later to maint).
(merge a0c813951a jc/doc-commit-signoff-config later to maint).
(merge 8ee262985a ja/doc-misc-fixes later to maint).
(merge 1722c2244b mh/doc-core-attributesfile later to maint).
(merge c469ca26c5 dk/ci-rust-fix later to maint).
(merge 12f0be0857 gf/clear-path-cache-cleanup later to maint).
(merge 949df6ed6b js/test-func-comment-fix later to maint).
(merge 93f894c001 bc/checkout-error-message-fix later to maint).
(merge abf05d856f rs/show-branch-prio-queue later to maint).
(merge 06188ea5f3 rs/parse-config-expiry-simplify later to maint).
(merge 861dbb1586 dd/t5403-modernise later to maint).
(merge acffc5e9e5 ja/doc-synopsis-style-more later to maint).
(merge 6c5c7e7071 ac/t1420-use-more-direct-check later to maint).
(merge 2ac93bfcbc ds/builtin-doc-update later to maint).
(merge 3f051fc9c9 kh/doc-patch-id later to maint).
(merge 555c8464e5 je/doc-reset later to maint).
(merge 220f888d7e ps/t1410-cleanup later to maint).
(merge 5814b04c02 ps/config-doc-get-urlmatch-fix later to maint).
(merge 5ae594f30b sb/doc-update-ref-markup-fix later to maint).
(merge bc8556d066 ty/t1005-test-path-is-helpers later to maint).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 6 Feb 2026 15:00:19 +0000 (16:00 +0100)]
langs: Fix bug13935 - Neighbourhood scan meaning is inverted
- In the wlanap.cgi code the NOSCAN variable is on when the checkbox has been checked
but the wording is Neighborhood Scan so users check this to ensure that Neighborhood
Scanning is enabled but in fact NOSCAN=on is taken as being disabled.
- To stay matched with the NOSCAN meanings in hostapd initscript this patch changes the
wording from Neighborhood Scan to Disable Neighborhood Scan.
- For the English, German, Spanish and French language files, I took the Disable word in
the warning text and added it to the displayed wording for Neighborhood Scan.
- For the two Chinese language files I was unable to do that as I could not determine
which characters were the required ones. So for those two language files I removed
the two entries for the Neighborhood Scan and the warning. This makes them the same
as the Italian, Netherlands, Polish, Russian and Turkish language files as they have
no entries for this and therefore the English language version is automatically used.
Fixes: Bug13935 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Feb 2026 22:00:59 +0000 (23:00 +0100)]
procps: Update to version 4.0.6
- Update from version 4.0.5 to 4.0.6
- Update of rootfile
- Changelog
4.0.6
* library
version: inc revision to 1 now 1:1:0
internal: Use openat for files under /proc/<PID>
internal: Don't check for sd_booted Debian #1108549
internal: Address potential race leading to segfault issues #380, #390
* local: guard SIGPOLL for MacOS merge !246
* pgrep: Fix unhex breakage for signal numbers issue #369
* pgrep: Match on process ID Debian #612146
* pgrep: Add process_mrelease merge !250
* pgrep: Add shell quoting merge !248
* pgrep: Use pidfd_send_signal() issue #207
* pgrep.1: Note that we can only go to 100th of second issue #376
* pgrep: Add --quiet option issue #404
* pmap: add -k option to print raw names from kernel merge !251
* ps: parse --help correctly issue #381
* ps: Add --delimiter option issue #118
* ps: ps f forest works under pid 1 issue #102
* ps: no longer fails with many pids & the 'p' option issue #387
* ps.1: cols and collums alias width option Debian #926361
* ps.1: Add format equivalents Debian #925437
* ps: avoid potential segfault due to library race issue #380
* ps: Fix -ad option conflict issue #395
* ps: ppid of 0 is ok, fix parser issue #405
* slabtop: Increase column width Debian #959375
* sysctl: Return error if EPERM or EISDIR merge !228
* sysctl: Use options after --system Debian #978989
* top: provides for ignoring configuration file(s) issue #365
* top: fix legacy configuration file vulnerability issue #384
* top: added a new help screen for specialized keys
* top: avoid potential segfault due to library race issue #390
* top: new feature to show physical core percentages
* w: Add terminal mode to show all terminal sessions issue #375
* w: Use process TTY as backup for user TTY Debian #1080335
* w: Use correct return value for sd_get_sessions Debian #1068904
* w: Don't check for sd_booted Debian #1108549
* w: Don't crash with pids in terminal mode issue #407
* watch: Add --follow option Debian #469156
* watch: 256 color support issue #44
* watch.1: Warn about -d permanent option Debian #883638
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Feb 2026 22:00:58 +0000 (23:00 +0100)]
libnetfilter_conntrack: Update to version 1.1.1
- Update from version 1.1.0 to 1.1.1
- No change to rootfile
- Changelog
1.1.1
- Support for the new CTA_TIMESTAMP_EVENT attribute, available since
Linux kernel >= 6.14
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Feb 2026 22:00:57 +0000 (23:00 +0100)]
gettext: Update to version 1.0
- Update from version 0.26 to 1.0
- Update of rootfile
- Changelog
1.0
Improvements for maintainers and distributors:
* In a po/ directory, the PO files are now exactly those that the
translators submitted or committed in version control, or a
translation project's daemon committed on behalf of the translators.
They are no longer regularly updated with respect to the POT file
in the same directory.
The advantage for maintainers is that the maintainer may commit the
PO files in version control, without getting
- lots of modified files shown by "git status",
- frequent merge conflicts when merging between branches,
- a voluminous version control history.
The advantage for distributors is that the role of files in a
release tarball are clearer: The PO files are source code, whereas
the POT file and the *.gmo files are generated files.
ATTENTION translators!
Translators who work directly on a package's source code (without
going through a translation project) now need to run "msginit"
before starting work on a PO file.
* A new program 'po-fetch' is provided, that fetches the translated
PO files from a translation project's site on the internet, and
updates the LINGUAS file accordingly.
* In a po/ directory, a new script 'fetch-po' is now added by 'gettextize'.
It provides the standard interface for fetching the translated PO files.
It typically either invokes the 'po-fetch' program or does nothing.
Improvements for translators:
* msginit:
- When the PO file already exists, 'msginit' now updates it w.r.t. the
POT file, like 'msgmerge' would do. Previously, 'msginit' failed with
an error message in this situation.
* Pretranslation:
- Two new programs, 'msgpre' and 'spit', are provided, that implement
machine translation through a locally installed Large Language Model
(LLM). 'msgpre' applies to an entire PO file, 'spit' to a single
message.
- The documentation has a new chapter "Pretranslation".
Improvements for maintainers:
* xgettext:
- The refactoring suggestion when a translatable string contains an URL
or email address can now be inhibited through a command-line option
'--no-check=url' or '--no-check=email', or through a comment in the
source code of the form
/* xgettext: no-url-check */
or
/* xgettext: no-email-check */
Programming languages support:
* OCaml:
- xgettext now supports OCaml.
- 'msgfmt -c' now verifies the syntax of translations of OCaml format
strings.
- A new example 'hello-ocaml' has been added.
* Rust:
- xgettext now recognizes 'gettextrs::gettext' invocations, like 'gettext'
invocations.
libgettextpo library:
* The function 'po_message_get_format' now supports distinguishing whether
a negative format string mark, such as 'no-c-format', is set or not.
* The new functions
po_message_has_workflow_flag
po_message_set_workflow_flag
po_message_workflow_flags_iterator, po_flag_next, po_flag_iterator_free
can be used to manipulate or inspect the workflow flags of a message.
* The new functions
po_message_has_sticky_flag
po_message_set_sticky_flag
po_message_sticky_flags_iterator, po_flag_next, po_flag_iterator_free
can be used to manipulate or inspect the sticky flags of a messsage.
Emacs PO mode:
Restore syntax highlighting in Emacs version 30 or newer.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Feb 2026 22:00:56 +0000 (23:00 +0100)]
fuse: Update to version 3.18.1
- Update from version 3.17.4 to 3.18.1
- Update of rootfile
- Changelog
3.18.1
* Fix a critical ABI issue compared to libfuse-3.17.3+
* Note: This breaks ABI compatibility to libfuse-3.18.0
(given that 3.18.0 is out for 2 days only, probably the lesser evil)
3.18.0
New Features
* fuse-over-io-uring communication
* statx support
* Request timeouts: Prevent hung operations
* FUSE_NOTIFY_INC_EPOCH: New notification mechanism for epoch counters
Important Fixes
* Fixed double unmount on FUSE_DESTROY
* Fixed junk readdirplus results when filesystem doesn't fill stat info
* Fixed memory deallocation in fuse_session_loop_remember
* Fixed COPY_FILE_RANGE interface
Platform Support
* Improved FreeBSD support (mount error reporting, test runner, build fixes)
* Fixed 32-bit architecture builds
* Fixed build with musl libc and older kernels (< 5.9)
Other Improvements
* Added PanFS to fusermount whitelist
* Thread naming support for easier debugging
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Feb 2026 22:00:50 +0000 (23:00 +0100)]
conntrack-tools: Update to version 1.4.9
- Update from version 1.4.8 to 1.4.9
- No change to rootfile
- Changelog
1.4.9
This release contains bugfixes, for the conntrack cli:
- skip ENOSPC on updates when ct label is not available
- don't print [USERSPACE] information in case of XML output
- fix parsing of tuple-port-src and tuple-port-dst
- improve --secmark,--id,--zone parser
- improve --mark parser
- fix for ENOENT in delete to align behaviour with updates
- fix compiler warnings with -Wcalloc-transposed-args
- prefer kernel-provided event timestamp via CTA_TIMESTAMP_EVENT
if it is available
- introduce --labelmap option to specify connlabel.conf path
- Extend error message for EBUSY when registering userspace helper
and the conntrackd daemon:
- don't add expectation table entry for RPC portmap port
- fix signal handler race-condition
- restrict multicast reception, otherwise multicast sync messages
can be received from any interface if your firewall policy does
not restrict the interface used for sending and receiving them.
- remove double close() in multicast resulting in EBADFD
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 3 Feb 2026 10:15:51 +0000 (10:15 +0000)]
initscripts: Don't perform value filtering in readhash
Since we now have a safe way to parse values from the configuration
file, we should no longer require filtering any more. We will have to be
very careful with working with these values.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 31 Jan 2026 20:40:13 +0000 (21:40 +0100)]
expat: Update to version 2.7.4
- Update from version 2.7.3 to 2.7.4
- Update of rootfile
- 2 CVE fixes are in this release.
- Changelog
2.7.4
Security fixes:
#1131 CVE-2026-24515 -- Function XML_ExternalEntityParserCreate
failed to copy the encoding handler data passed to
XML_SetUnknownEncodingHandler from the parent to the new
subparser. This can cause a NULL dereference (CWE-476) from
external entities that declare use of an unknown encoding.
The expected impact is denial of service. It takes use of
both functions XML_ExternalEntityParserCreate and
XML_SetUnknownEncodingHandler for an application to be
vulnerable.
#1075 CVE-2026-25210 -- Add missing check for integer overflow
related to buffer size determination in function doContent
Bug fixes:
#1073 lib: Fix missing undoing of group size expansion in doProlog
failure cases
#1107 xmlwf: Fix a memory leak
#1104 WASI: Fix format specifiers for 32bit WASI SDK
Other changes:
#1105 lib: Fix strict aliasing
#1106 lib: Leverage feature "flexible array member" of C99
#1051 lib: Swap (size_t)(-1) for C99 equivalent SIZE_MAX
#1109 lib|xmlwf: Return NULL instead of 0 for pointers
#1068 lib|Windows: Clean up use of macro _MSC_EXTENSIONS with MSVC
#1112 lib: Remove unused import
#1110 xmlwf: Warn about XXE in --help output (and man page)
#1102 #1103 WASI: Stop using getpid
#1113 #1130 Autotools: Drop file expat.m4 that provided obsolete Autoconf
macro AM_WITH_EXPAT
#1123 Autotools: Limit -Wno-pedantic-ms-format to MinGW
#1129 #1134 ..
#1087 Autotools|macOS: Sync CMake templates with CMake 4.0
#1139 #1140 Autotools|CMake: Introduce off-by-default symbol versioning
The related build system flags are:
- For Autotools, configure with --enable-symbol-versioning
- For CMake, configure with -DEXPAT_SYMBOL_VERSIONING=ON
Please double-check for consequences before activating
this inside distro packaging. Bug reports welcome!
#1117 Autotools|CMake: Remove libbsd support
#1105 Autotools|CMake: Stop using -fno-strict-aliasing, and use
-Wstrict-aliasing=3 instead
#1124 Autotools|CMake: Prefer command gsed (GNU sed) over sed
(e.g. for Solaris) inside fix-xmltest-log.sh
#1067 CMake: Detect and warn about unusable check_c_compiler_flag
#1137 CMake: Drop support for CMake <3.17
#1138 CMake|Windows: Fix libexpat.def.cmake version comments
#1086 #1110 docs: Add warning about external reference handlers and XXE
#1066 docs: Be explicit that parent parsers need to outlive
subparsers
#1089 ..
#1090 #1091 ..
#1092 #1093 ..
#1094 #1098 ..
#1115 #1116 docs: Misc non-content improvements to doc/reference.html
#1132 #1133 Version info bumped from 12:1:11 (libexpat*.so.1.11.1)
to 12:2:11 (libexpat*.so.1.11.2); see https://verbump.de/
for what these numbers do
Infrastructure:
#1119 #1121 Document guidelines for contributing to Expat
#1120 Introduce a pull request template
#1074 CI: Stop using about-to-be-removed image "macos-13"
#1083 #1088 CI: Mitigate random Wine crashes
#1104 CI: Cover compilation with WASI SDK
#1116 CI: Enforce clean doc XML formatting
#1124 ..
#1135 #1136 CI: Cover Solaris 11.4
#1125 CI: Extend CI coverage of FreeBSD
#1139 #1140 CI: Cover symbol versioning
#1114 xmlwf: Reformat helpgen code (using Black 25.12.0)
#1071 .gitignore: Add files CPackConfig.cmake and
CPackSourceConfig.cmake
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 30 Jan 2026 14:13:33 +0000 (15:13 +0100)]
ruby: Update rootfile to remove architecture refs
- Don't know how I missed the messgaes at the end of my build but I didn,t replace
all the x86_64 by xxxMACHINExxx. I just tested re-running the build I had done
previously, without a clean, and it came back with a fail, the same as in the
nightlies. I somehow missed that.
- This patch corrects the rootfile to have xxxMACHINExxx in it.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Jan 2026 21:44:03 +0000 (22:44 +0100)]
openssl: Update to version 3.6.1
- Update from version 3.6.0 to 3.6.1
- Update of rootfile
- 12 CVE fixes
- Changelog
3.6.1
OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this
release is High.
This release incorporates the following bug fixes and mitigations:
* Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
([CVE-2025-11187])
* Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing.
([CVE-2025-15467])
* Fixed NULL dereference in `SSL_CIPHER_find()` function on unknown cipher ID.
([CVE-2025-15468])
Adolf Belka [Wed, 28 Jan 2026 18:50:06 +0000 (19:50 +0100)]
installer: Increase size of mount for iso due to size increase
- download.sh defines a mount of 512M for downloading the iso for use with PXE.
Unfortunately since CU192 the iso sizes have been greater than 512M
- This was identified by a user on the forum as their PXE install failed to work.
- They had suggested increasing it to around 800M. As CU200 is already at 658M I
thought it made more sense to give a bit more room and so specified 1024M. If this
is considered too excessive then it can always be modified.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:32 +0000 (12:05 +0100)]
xfsprogs: Update to version 6.18.0
- Update from version 6.17.0 to 6.18.0
- Update of rootfile
- Changelog
6.18.0
mkfs: adjust_nr_zones for zoned file system on conventional devices (Christoph Hellwig)
xfs_logprint: fix pointer bug (Darrick J. Wong)
mdrestore: fix restore_v2() superblock length check (Pavel Reichl)
mkfs: add 2025 LTS config file (Darrick J. Wong)
mkfs: enable new features by default (Darrick J. Wong)
libfrog: fix incorrect FS_IOC_FSSETXATTR argument to ioctl() (Arkadiusz Miskiewicz)
xfs: prevent gc from picking the same zone twice (Christoph Hellwig)
xfs: improve default maximum number of open zones (Damien Le Moal)
xfs: fix log CRC mismatches between i386 and other architectures (Christoph Hellwig)
xfs: remove deprecated sysctl knobs (Darrick J. Wong)
xfs: remove deprecated mount options (Darrick J. Wong)
man2: fix getparents ioctl manpage (Darrick J. Wong)
xfs_db: document the rtsb command (Darrick J. Wong)
libxfs: fix build warnings (Darrick J. Wong)
xfs_scrub: fix null pointer crash in scrub_render_ino_descr (Darrick J. Wong)
metadump: catch used extent array overflow (Carlos Maiolino)
mkfs: fix zone capacity check for sequential zones (Carlos Maiolino)
libxfs: support reproducible filesystems using deterministic time/seed (Luca Di Maio)
Fix alloc/free of cache item (Torsten Rupp)
xfs_io: use the XFS_ERRTAG macro to generate injection targets (Christoph Hellwig)
repair/prefetch.c: Create one workqueue with multiple workers (Chandan Babu R)
libfrog: Prevent unnecessary waking of worker thread when using bounded workqueues (Chandan Babu R)
proto: fix file descriptor leak (Luca Di Maio)
mkfs: split zone reset from discard (Christoph Hellwig)
mkfs: move clearing LIBXFS_DIRECT into check_device_type (Christoph Hellwig)
mkfs: improve the error message in adjust_nr_zones (Christoph Hellwig)
mkfs: improve the error message from check_device_type (Christoph Hellwig)
xfs_copy: improve the error message when mkfs is in progress (Christoph Hellwig)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:31 +0000 (12:05 +0100)]
samba: Update to version 4.23.5
- Update from version 4.23.4 to 4.23.5
- No change to the rootfiles
- Changelog
4.23.5
* BUG 15959: New Spotlight default search field incorrectly initialized
* BUG 15972: Winbind group resolution failure
* BUG 15937: winbindd crashes with Bad talloc magic value - unknown value
* BUG 15790: Bind dlz 9.20
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:30 +0000 (12:05 +0100)]
ruby: Update to version 4.0.1
- Update from version 3.4.5 to 4.0.1
- Update of rootfile
- Changelog is too large to include here (> 1000 lines)
Details can be found at the following link
https://github.com/ruby/ruby/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:29 +0000 (12:05 +0100)]
pam: Update to version 1.7.2
- Update from version 1.7.1 to 1.7.2
- Update of rootfile
- Changelog
1.7.2
* build: enabled vendordir by default.
* pam_access: fixed stack overflow with huge configuration files.
* pam_env: enhanced error diagnostics when ignoring backslash at end of string.
* pam_faillock: skip clearing user's failed attempt when auth stack is not run.
* pam_mkhomedir: added support for vendordir skeleton directory.
* pam_unix: added support for pwaccessd.
* pam_unix: added support for PAM_CHANGE_EXPIRED_AUTHTOK.
* pam_unix: fixed password expiration warnings for large day values.
* pam_unix: hardened temporary file handling.
* Multiple minor bug fixes, build fixes, portability fixes,
documentation improvements, and translation updates.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:28 +0000 (12:05 +0100)]
p11-kit: Update to version 0.26.1
- Update from version 0.25.10 to 0.26.1
- Update of rootfile
- Changelog
0.26.1
* trust: Ensure compatibility of CKA_NSS_TRUST and CKA_TRUST
0.26.0
* pkcs11: Update PKCS11 headers to version 3.2 [PR#731]
* trust: Lookup DNs in reverse order (RFC4514 section 2.1) [PR#732]
* Update translations [PR#734]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
