Adolf Belka [Sat, 31 Jan 2026 20:40:13 +0000 (21:40 +0100)]
expat: Update to version 2.7.4
- Update from version 2.7.3 to 2.7.4
- Update of rootfile
- 2 CVE fixes are in this release.
- Changelog
2.7.4
Security fixes:
#1131 CVE-2026-24515 -- Function XML_ExternalEntityParserCreate
failed to copy the encoding handler data passed to
XML_SetUnknownEncodingHandler from the parent to the new
subparser. This can cause a NULL dereference (CWE-476) from
external entities that declare use of an unknown encoding.
The expected impact is denial of service. It takes use of
both functions XML_ExternalEntityParserCreate and
XML_SetUnknownEncodingHandler for an application to be
vulnerable.
#1075 CVE-2026-25210 -- Add missing check for integer overflow
related to buffer size determination in function doContent
Bug fixes:
#1073 lib: Fix missing undoing of group size expansion in doProlog
failure cases
#1107 xmlwf: Fix a memory leak
#1104 WASI: Fix format specifiers for 32bit WASI SDK
Other changes:
#1105 lib: Fix strict aliasing
#1106 lib: Leverage feature "flexible array member" of C99
#1051 lib: Swap (size_t)(-1) for C99 equivalent SIZE_MAX
#1109 lib|xmlwf: Return NULL instead of 0 for pointers
#1068 lib|Windows: Clean up use of macro _MSC_EXTENSIONS with MSVC
#1112 lib: Remove unused import
#1110 xmlwf: Warn about XXE in --help output (and man page)
#1102 #1103 WASI: Stop using getpid
#1113 #1130 Autotools: Drop file expat.m4 that provided obsolete Autoconf
macro AM_WITH_EXPAT
#1123 Autotools: Limit -Wno-pedantic-ms-format to MinGW
#1129 #1134 ..
#1087 Autotools|macOS: Sync CMake templates with CMake 4.0
#1139 #1140 Autotools|CMake: Introduce off-by-default symbol versioning
The related build system flags are:
- For Autotools, configure with --enable-symbol-versioning
- For CMake, configure with -DEXPAT_SYMBOL_VERSIONING=ON
Please double-check for consequences before activating
this inside distro packaging. Bug reports welcome!
#1117 Autotools|CMake: Remove libbsd support
#1105 Autotools|CMake: Stop using -fno-strict-aliasing, and use
-Wstrict-aliasing=3 instead
#1124 Autotools|CMake: Prefer command gsed (GNU sed) over sed
(e.g. for Solaris) inside fix-xmltest-log.sh
#1067 CMake: Detect and warn about unusable check_c_compiler_flag
#1137 CMake: Drop support for CMake <3.17
#1138 CMake|Windows: Fix libexpat.def.cmake version comments
#1086 #1110 docs: Add warning about external reference handlers and XXE
#1066 docs: Be explicit that parent parsers need to outlive
subparsers
#1089 ..
#1090 #1091 ..
#1092 #1093 ..
#1094 #1098 ..
#1115 #1116 docs: Misc non-content improvements to doc/reference.html
#1132 #1133 Version info bumped from 12:1:11 (libexpat*.so.1.11.1)
to 12:2:11 (libexpat*.so.1.11.2); see https://verbump.de/
for what these numbers do
Infrastructure:
#1119 #1121 Document guidelines for contributing to Expat
#1120 Introduce a pull request template
#1074 CI: Stop using about-to-be-removed image "macos-13"
#1083 #1088 CI: Mitigate random Wine crashes
#1104 CI: Cover compilation with WASI SDK
#1116 CI: Enforce clean doc XML formatting
#1124 ..
#1135 #1136 CI: Cover Solaris 11.4
#1125 CI: Extend CI coverage of FreeBSD
#1139 #1140 CI: Cover symbol versioning
#1114 xmlwf: Reformat helpgen code (using Black 25.12.0)
#1071 .gitignore: Add files CPackConfig.cmake and
CPackSourceConfig.cmake
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 30 Jan 2026 14:13:33 +0000 (15:13 +0100)]
ruby: Update rootfile to remove architecture refs
- Don't know how I missed the messgaes at the end of my build but I didn,t replace
all the x86_64 by xxxMACHINExxx. I just tested re-running the build I had done
previously, without a clean, and it came back with a fail, the same as in the
nightlies. I somehow missed that.
- This patch corrects the rootfile to have xxxMACHINExxx in it.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Jan 2026 21:44:03 +0000 (22:44 +0100)]
openssl: Update to version 3.6.1
- Update from version 3.6.0 to 3.6.1
- Update of rootfile
- 12 CVE fixes
- Changelog
3.6.1
OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this
release is High.
This release incorporates the following bug fixes and mitigations:
* Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
([CVE-2025-11187])
* Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing.
([CVE-2025-15467])
* Fixed NULL dereference in `SSL_CIPHER_find()` function on unknown cipher ID.
([CVE-2025-15468])
Adolf Belka [Wed, 28 Jan 2026 18:50:06 +0000 (19:50 +0100)]
installer: Increase size of mount for iso due to size increase
- download.sh defines a mount of 512M for downloading the iso for use with PXE.
Unfortunately since CU192 the iso sizes have been greater than 512M
- This was identified by a user on the forum as their PXE install failed to work.
- They had suggested increasing it to around 800M. As CU200 is already at 658M I
thought it made more sense to give a bit more room and so specified 1024M. If this
is considered too excessive then it can always be modified.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:32 +0000 (12:05 +0100)]
xfsprogs: Update to version 6.18.0
- Update from version 6.17.0 to 6.18.0
- Update of rootfile
- Changelog
6.18.0
mkfs: adjust_nr_zones for zoned file system on conventional devices (Christoph Hellwig)
xfs_logprint: fix pointer bug (Darrick J. Wong)
mdrestore: fix restore_v2() superblock length check (Pavel Reichl)
mkfs: add 2025 LTS config file (Darrick J. Wong)
mkfs: enable new features by default (Darrick J. Wong)
libfrog: fix incorrect FS_IOC_FSSETXATTR argument to ioctl() (Arkadiusz Miskiewicz)
xfs: prevent gc from picking the same zone twice (Christoph Hellwig)
xfs: improve default maximum number of open zones (Damien Le Moal)
xfs: fix log CRC mismatches between i386 and other architectures (Christoph Hellwig)
xfs: remove deprecated sysctl knobs (Darrick J. Wong)
xfs: remove deprecated mount options (Darrick J. Wong)
man2: fix getparents ioctl manpage (Darrick J. Wong)
xfs_db: document the rtsb command (Darrick J. Wong)
libxfs: fix build warnings (Darrick J. Wong)
xfs_scrub: fix null pointer crash in scrub_render_ino_descr (Darrick J. Wong)
metadump: catch used extent array overflow (Carlos Maiolino)
mkfs: fix zone capacity check for sequential zones (Carlos Maiolino)
libxfs: support reproducible filesystems using deterministic time/seed (Luca Di Maio)
Fix alloc/free of cache item (Torsten Rupp)
xfs_io: use the XFS_ERRTAG macro to generate injection targets (Christoph Hellwig)
repair/prefetch.c: Create one workqueue with multiple workers (Chandan Babu R)
libfrog: Prevent unnecessary waking of worker thread when using bounded workqueues (Chandan Babu R)
proto: fix file descriptor leak (Luca Di Maio)
mkfs: split zone reset from discard (Christoph Hellwig)
mkfs: move clearing LIBXFS_DIRECT into check_device_type (Christoph Hellwig)
mkfs: improve the error message in adjust_nr_zones (Christoph Hellwig)
mkfs: improve the error message from check_device_type (Christoph Hellwig)
xfs_copy: improve the error message when mkfs is in progress (Christoph Hellwig)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:31 +0000 (12:05 +0100)]
samba: Update to version 4.23.5
- Update from version 4.23.4 to 4.23.5
- No change to the rootfiles
- Changelog
4.23.5
* BUG 15959: New Spotlight default search field incorrectly initialized
* BUG 15972: Winbind group resolution failure
* BUG 15937: winbindd crashes with Bad talloc magic value - unknown value
* BUG 15790: Bind dlz 9.20
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:30 +0000 (12:05 +0100)]
ruby: Update to version 4.0.1
- Update from version 3.4.5 to 4.0.1
- Update of rootfile
- Changelog is too large to include here (> 1000 lines)
Details can be found at the following link
https://github.com/ruby/ruby/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:29 +0000 (12:05 +0100)]
pam: Update to version 1.7.2
- Update from version 1.7.1 to 1.7.2
- Update of rootfile
- Changelog
1.7.2
* build: enabled vendordir by default.
* pam_access: fixed stack overflow with huge configuration files.
* pam_env: enhanced error diagnostics when ignoring backslash at end of string.
* pam_faillock: skip clearing user's failed attempt when auth stack is not run.
* pam_mkhomedir: added support for vendordir skeleton directory.
* pam_unix: added support for pwaccessd.
* pam_unix: added support for PAM_CHANGE_EXPIRED_AUTHTOK.
* pam_unix: fixed password expiration warnings for large day values.
* pam_unix: hardened temporary file handling.
* Multiple minor bug fixes, build fixes, portability fixes,
documentation improvements, and translation updates.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:28 +0000 (12:05 +0100)]
p11-kit: Update to version 0.26.1
- Update from version 0.25.10 to 0.26.1
- Update of rootfile
- Changelog
0.26.1
* trust: Ensure compatibility of CKA_NSS_TRUST and CKA_TRUST
0.26.0
* pkcs11: Update PKCS11 headers to version 3.2 [PR#731]
* trust: Lookup DNs in reverse order (RFC4514 section 2.1) [PR#732]
* Update translations [PR#734]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:27 +0000 (12:05 +0100)]
less: Update to version 691
- Update from version 685 to 691
- No change to rootfile
- Changelog
691
Add --autosave option (github #678).
Add ESC-f command (github #680).
Add column number to long prompt and = message.
Add prompt prototype sequences %C, %W, %Q and ?Q (github #685).
Map keypad keys, and use terminfo rather than termcap since keypad definitions don't exist in termcap (github #650).
Change HOME key to scroll fully left and END key to scroll fully right. Add shift-HOME and ctrl-HOME to scroll left and jump to top, and add shift-END and ctrl-END to scroll right and jump to end (github #658).
Add LESSNOCONFIG environment variable.
Add --without-termlib to configure (github #701).
When setting line number colors (-DN), don't force bold attribute. To set bold, you must append "d" or "*" to the color string (github #684).
While waiting for file data, only ^C or ^X will interrupt, not any command. This reverts to behavior that existed before less-670 (github #700).
When --save-marks is not used, retain any marks saved in the history file (github #662).
Defer sending the terminal init string until the first char is read from the input file (github #682).
Make SIGHUP do an orderly exit like SIGTERM.
Implement modeline handling in Windows build.
Fix bugs and improve behavior of screen resize on Windows.
Fix bug when entering search modifier key at start of non-empty search string (github #668).
Fix bug repainting screen with --form-feed (github #672).
Fix bugs passing invalid negative values to some command line options (github #675).
Fix incorrect display of Lit indicator (github #670).
Fix incorrect display when returning to a mark after resizeing window (github #681).
Fix bug using --pattern with --incsearch (github #696).
Disallow mouse click to open OSC8 link in SECURE mode (github #676).
Add SECURE_COMPILE environment variable for Windows builds.
Update Unicode tables.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:26 +0000 (12:05 +0100)]
jansson: Update to version 2.15.0
- Update from version 2.14.1 to 2.15.0
- Update of rootfile
- Changelog
12.15.0
* New features:
- Add support for realloc by adding `json_set_alloc_funcs2`, `json_get_alloc_funcs2`
(@WilhelmWiens in #717)
* Fixes:
- Optimize serialization (@WilhelmWiens in #658 and #719)
- Fix docstrings in hashtable.h (@WilhelmWiens in #718)
* Build
- Use target-based cmake settings (@Andrew-Au in #692)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:25 +0000 (12:05 +0100)]
harfbuzz: Update to version 12.3.2
- Update from version 12.3.0 to 12.3.2
- Update of rootfile
- Changelog
12.3.2
- Fix padding `gvar` table during subsetting when the original font uses long
format and subset font using short format.
- Various fuzzing fixes.
- Fix NULL pointer deference when malloc fails.
12.3.1
- Various speed optimizations.
- Build fixes for GCC 4.9.
- Fix NULL pointer deference when malloc fails.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 29 Jan 2026 11:05:16 +0000 (12:05 +0100)]
asciidoctor: Update to version 2.0.26
- Update from version 2.0.23 to 2.0.26
- Update of rootfile
- Changelog
2.0.26
Improvement::
* Use MathJax config recommended by MathJax itself; see https://docs.mathjax.org/en/latest/output/html.html#html-support (#4424)
* Use thin space between dots of an ellipsis (U+2026) in manpage output (#4568)
Bug Fixes::
* Don't use text of span as value of xreflabel when node has ID in DocBook output (#4539)
* Resolve attribute references (attributes substitution) in attrlist of toc macro (#4806)
* Cite stem macro specifically in warning message when macro has invalid substitutions (#4808)
2.0.25
Improvements::
* Don't freeze processor instance of extension to allow use of instance variables (#4782)
Bug Fixes::
* Fix false positive when looking for custom block macro, leading to superfluous debug message (#4785)
* Start sectlink after any supplemental anchors on section title when sectlinks is set (#2934)
* Remove trailing space after reftext in inline anchor shorthand (to accomodate trailing `]` in reftext) (#4789)
2.0.24
Compliance::
* Support link attribute on inline image macro when converting to DocBook (#4385)
* Add magic comment `backticks_javascript: true` to achieve compatibility with Opal 2.0 (#4775) (*@janbiedermann*)
* Extract the require logic of the OpenURI library for Asciidoctor.js compatibility (#4244) (*@ggrossetie*)
Improvements::
* Suppress warning about loading logger from stdlib when using Ruby 3.4 (#4769)
* Log error if unterminated preprocessor conditional directive is detected (#3545)
* Coerce names passed to the `positional_attrs` directive on an extension to strings (#4674)
* Ignore `SOURCE_DATE_EPOCH` environment variable if value is empty instead of exiting with non-zero exit code (#4631)
* Change Brazilian Portuguese translation for toc-title (#4653) (*@giflw*)
Bug Fixes::
* Consider `convert_` prefix when looking for missing convert method in converter (#4669) (*@eugoka*)
* Pass kwargs to Logger superclass and only assign defaults when kwarg is not specified (#4773)
* Set logdev to $stderr if no arguments are passed to Logger constructor (#4250)
* Don't push conditional onto stack if conditional preprocessor directive is invalid when skipping lines (#4603)
* Only style code tag as block element when inside pre in listing block; not inside verse block (#4610)
* Don't add role=include to link macro that replaces include directive when running in compat mode (#4608)
Documentation::
* Rewrite documentation for how to create a custom converter from scratch and make examples more thorough (#4699)
Build / Infrastructure::
* Fix classification of several substitution tests (#4691) (*@scouten*)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Jan 2026 21:44:03 +0000 (22:44 +0100)]
openssl: Update to version 3.6.1
- Update from version 3.6.0 to 3.6.1
- Update of rootfile
- 12 CVE fixes
- Changelog
3.6.1
OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this
release is High.
This release incorporates the following bug fixes and mitigations:
* Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
([CVE-2025-11187])
* Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing.
([CVE-2025-15467])
* Fixed NULL dereference in `SSL_CIPHER_find()` function on unknown cipher ID.
([CVE-2025-15468])
Stefan Schantl [Wed, 28 Jan 2026 18:34:13 +0000 (19:34 +0100)]
rust: Cleanup/Drop unneeded modules
suricata and clamav are shipping the required modules for building with
their source tarballs, therefore we do not need to package those modules
anymore and they safely can be dropped.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
* Fix a buffer overread and an infinite loop in format processing (reported by
Giorgi Kobakhia, issue 4735).
* Allow drag in alternate screen again (issue 4743 reported by Brad King).
* Fix y offset of mouse if status at top (issue 4738 from Michael Grant).
* Add a missing skin tone (from Jake Stewart, issue 4736).
* Allow characters to be combined in either order (issue 4726, reported by Jake
Stewart).
* Fix horizontal mouse resizing when pane status lines are on (from Michael
Grant, issue 4720).
* Fix noattr so it does not delete attributes set in the style itself (issue
4713).
* Newer libevents do not allow event_del on a zero'd event (issue 4706).
* Place cursor on correct line if message-line is not 0 (issue 4707).
* Fix compile error on FreeBSD (from Yasuhiro Kimura, issue 4701).
CHANGES FROM 3.5a TO 3.6
* Add seconds options for clock mode (issue 4697).
* Add a resize callback for menus so that they are correctly moved on resize
(issue 4696).
* Make -v to source-file pass through to subsequent source-file commands (issue
4216).
* If display-popup is used inside a popup, modify that popup (issue 4678).
* Add selection-mode command to expilcitly set the selection mode in copy mode
(issue 3842).
* Save and restore images in alternate screen (issue 3732).
* Ignore Hangul filler character (issue 3998).
* Improve handling of regional indicators and emoji modifiers (issue 3998).
* Preserve marked pane with swap-window and move-window (issue 3443).
* Set and check COLORTERM as a hint for RGB colour.
* If tmux receives a palette request (OSC 4) in a pane and the palette entry
has not been set, send a request to the most recently used client and
forward any response instead (based on change from Tim Culverhouse, issue
4665).
* Add -l flag to command-prompt to disable splitting into multiple prompts
(issue 4483).
* Don't enter copy mode on mouse wheel in alternate screen (issue 3705).
* Add commands to centre the cursor in copy mode (issue 4662).
* Support case insensitive search in modes in the same way as copy mode
(like emacs, so all-lowercase means case insensitive) (issue 4396).
* Fix the logic of the no-detached case for the detach-on-destroy option (from
Martin Louazel, issue 4649).
* Add buffer_full format variable (from Mohammad AlSaleh, issue 4630).
* Introduce a new window option, tiled-layout-max-columns, which configures the
maximum number of columns in the tiled layout.
* Add support for DECRQSS SP q (report cursor style), DECRQM ?12 (report cursor
blink state) and DECRQM ?2004, ?1004, ?1006 (report mouse state) ( rom
Andrea Alberti, issue 4618).
* Fix missing argument from OSC 4 reply (issue 4596).
* Add -k flag to display-popup which allows any key to dismiss the popup once
the command has exited (from Meriel Luna Mittelbach, issue 4612).
* Add nicer default second and third status lines (from Michael Grant, issue
4490).
* Add a pane-border-lines "spaces" value to use spaces for pane borders (issue
4587).
* Replace invalid UTF-8 characters with the placeholder instead of ignoring
them (issue 4514).
* Fix incorrect handling of Korean Hangul Jamo characters (from Roy Jung, issue
4546).
* Allow uppercase letters in gray/grey color names (from Pavel Roskin, issue
4560).
* Add sorting to W, P, L loop operators (from Michael Grant, issue 4516).
* Detect support for OSC 52 using the device attributes report (from James
Holderness, issue 4539).
* Add noattr for styles and use in mode-style to allow whether attributes are
ignored or used to be configured (issue 4498).
* Add a set-default style attribute which replaces the current default colours
and attributes completely.
* Add -E to run-shell to forward stderr as well as stdout (issue 4246).
* Add an option variation-selector-always-wide to instruct tmux not to
always interpret VS16 as a wide character and assume the terminal does
likewise.
* Switch to getopt_long from OpenSSH (from Koichi Murase, issue 4492).
* Add more features for boolean expressions in formats: 1) extend && and || to
support arbitrarily many arguments and 2) add ! and !! for not and not-not
(from David Mandelberg).
* Do not mistake other DCS sequences for SIXEL sequences (from James
Holderness, issue 4488).
* Improve #? conditional expression in formats: add support for else if and
default empty string if no else value (from David Mandelberg, issue 4451).
* Add default-client-command to set the command used if tmux is run without a
command; the default stays new-session (from David Mandelberg, issue
4422).
* Add S-Up and S-Down to move windows in tree mode (from David Mandelberg,
issue 4415).
* Add mode 2031 support to automatically report dark or light theme. tmux will
guess the theme from the background colour on terminals which do not
themselves support the escape sequence (from Jonathan Slenders, issue 4353).
* Add -M flag to capture-pane to use the copy mode screen (issue 4358).
* Align index numbers in trees (from David Mandelberg, issue 4360).
* Add display-message -C flag to update pane while message is displayed (from
Vitaly Ostrosablin, issue 4363).
* Make list-commands command show only one command if an argument is given
(from Ilya Grigoriev, issue 4352).
* Count line numbers correctly inside strings in configuration files (reported
by Pedro Navarro, issue 4325).
* Map bright black (colour 8) to white (7) if the background is black on
terminals with only eight colours so the text is not invisible (from Dmytro
Bagrii, issue 4322).
* New codepoint-widths option allowing users to override the width of
individual Unicode codepoints.
* Add a nesting limit to source-file (from Fadi Afani, issue 4223).
* Add copy-mode-position-style and copy-mode-selection-style options for copy
mode.
* Add no-detach-on-destroy client option (issue 4242).
* Add input-buffer-size option (from Ken Lau).
* Add support for a scrollbar at the side of each pane. New options
pane-scrollbars turn them on or off, pane-scrollbars-position sets the
position (left or right), and pane-scrollbars-style to set the colours (from
Michael Grant, issue 4221).
* Allow control characters to be entered at the command prompt by prefixing
with C-v (from Alexander Arch, issue 4206).
* Do not attempt to search for zero length strings (from Alexander Arch, issue
4209).
* Preserve tabs for copying and capture-pane (from Alexander Arch, issue
4201).
* Increase the maximum for repeat-time.
* Adjust how Ctrl and Meta keys are sent to use standard representation if
available in mode 1 (from Stanislav Kljuhhin, issue 4188).
* Allow attributes in menu style (from Japin Li, issue 4194).
* Add a sixel_support format variable which is 1 if SIXEL is supported, always
0 on OpenBSD (requested by Misaki Masa, issue 4177).
* Add prompt-cursor-colour and prompt-cursor-style to set the style of the
cursor in the command prompt and remove the emulated cursor (from Alexander
Arch, issue 4170).
* Add initial-repeat-time option to allow the first repeat time to be increased
and later reduced (from David le Blanc, issue 4164).
* Send focus events to pane when entering or leaving popup (issue 3991).
* Add copy-mode-position-format to configure the position indicator.
* Add -y flag to disable confirmation prompts in modes (issue 4152).
* Add -C and -P flags to the copy commands in copy mode: -C prevents the
commands from sending the text to the clipboard and -P prevents them from
adding the text as a paste buffer (issue 4153).
* Preserve transparency and raster attribute dimensions when sending a SIXEL
image, and avoid collapsing empty lines (issue 4149).
* Bypass permission check for Cygwin (based on a change by Yuya Adachi via
Rafael Kitover, issue 4148).
* Add MSYSTEM to default update-environment (for Cgywin).
* Set client stdout file descriptor also for Cgywin (from Michael Wild via Rafael
Kitover, issue 4148).
* Use global cursor style and colour options for modes instead of default
(issue 4117).
* Fix pasting so it does not interpret keys but instead copies the input
without interpretation (reported by Mark Kelly).
* Try to query window pixel size from the outside terminal if the values
returned by TIOCGWINSZ are zero (Dmitry Galchinsky, issue 4099)."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 23 Jan 2026 13:59:08 +0000 (14:59 +0100)]
clamav: Update to version 1.5.1
- Update from version 1.4.3 to 1.5.1
- Update of rootfile
- From version 1.5.0 clamav added signing/verification of the signature file downloads
with external .sign files. -D CVD_CERTS_DIRECTORY=/etc/clamav/certs has been added
as a build option to create the certs directory and to install the clamav.crt file
- Tested out the execution of this version on a vm testbed. The .sign files were
correctly downloaded and the databases approved. This was also the case with a
reboot. This was where users had a problem with the version relaesed in CU199 after
they had manually created a directory.
- Changelog
1.5.1
ClamAV 1.5.1 is a patch release with the following fixes:
*
Fixed a significant performance issue when scanning some PE files
*
Fixed an issue recording file entries from a ZIP archive central directory which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the ClamScan --alert-exceeds-max command line option or ClamD AlertExceedsMax config file option
*
Improved performance when scanning TNEF email attachments
*
Fixed an issue with recording metadata for OOXML office documents
*
Fixed an issue with signature matches for VBA in OLE2 office documents
*
Loosened overly restrictive rules for embedded file identification and increased the limit for finding PE files embedded in other PE files
*
Fixed an issue with extracting some RAR archives embedded in other files
*
Fixed an issue with calculating fuzzy hashes affecting some images by updating the version for several Rust library dependencies
* This release does not require a newer version of the Rust compiler toolchain than what was required for ClamAV 1.5.0
*
Added checks to determine if an OLE2-based Microsoft Office document is encrypted.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1295>
*
Added the ability to record URIs found in HTML if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record HTML URIs. The ClamScan command-line option is --json-store-html-uris=no. The clamd.conf config option is JsonStoreHTMLURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_HTML_URIS
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1281>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1482>
GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1514>
*
Added the ability to record URIs found in PDFs if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record PDF URIs. The ClamScan command-line option is --json-store-pdf-uris=no. The clamd.conf config option is JsonStorePDFURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_PDF_URIS
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1482>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1514>
GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1559>
GitHub pull request #4<https://github.com/Cisco-Talos/clamav/pull/1572>
*
Added regex support for the clamd.conf OnAccessExcludePath config option. This change courtesy of GitHub user b1tg.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1314>
*
Added CVD signing/verification with external .sign files.
Freshclam will now attempt to download external signature files to accompany existing .cvd databases and .cdiff patch files. Sigtool now has commands to sign and verify using the external signatures.
ClamAV now installs a 'certs' directory in the app config directory (e.g., <prefix>/etc/certs). The install path is configurable. The CMake option to configure the CVD certs directory is -D CVD_CERTS_DIRECTORY=PATH
New options to set an alternative CVD certs directory:
Added two new APIs to the public clamav.h header:
The original cl_cvdverify and cl_cvdunpack are deprecated.
Added a cl_engine_field enum option CL_ENGINE_CVDCERTSDIR. You may set this option with cl_engine_set_str and get it with cl_engine_get_str, to override the compiled in default CVD certs directory.
Thank you to Mark Carey at SAP for inspiring work on this feature with an initial proof of concept for external-signature FIPS compliant CVD signing.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1417>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1478>
GitHub pull request #3<https://github.com/Cisco-Talos/clamav/pull/1489>
GitHub pull request #4<https://github.com/Cisco-Talos/clamav/pull/1491>
* The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is --cvdcertsdir PATH
* The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is CVD_CERTS_DIR
* The config option for Freshclam and ClamD is CVDCertsDirectory PATH
*
Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like limits disabling MD5 and SHA1 from being used for verifying digital signatures or for being used to trust a file when checking for false positives (FPs).
For freshclam.conf and clamd.conf set this config option:
FIPSCryptoHashLimits yes
For clamscan and sigtool use this command-line option:
--fips-limits
For libclamav: Enable FIPS-limits for a ClamAV engine like this:
ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will automatically enable the FIPS-limits feature.
This change mitigates safety concerns over the use of MD5 and SHA1 algorithms to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection purposes or for informational purposes in FIPS-enabled environments and when the FIPS-limits option is enabled.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
*
Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5). The clean-file cache algorithm is not configurable.
This change resolves safety concerns over the use of MD5 to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1532>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1560>
*
ClamD: Added an option to disable select administrative commands including SHUTDOWN, RELOAD, STATS and VERSION.
The new clamd.conf options are:
This change courtesy of GitHub user ChaoticByte.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1502>
*
libclamav: Added extended hashing functions with a "flags" parameter that allows the caller to choose if they want to bypass FIPS hash algorithm limits:
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
*
ClamScan: Improved the precision of the bytes-scanned and bytes-read counters. The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB", or "B" as appropriate. Previously, it always reported "MB".
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
*
ClamScan: Add hash & file-type in/out CLI options:
We will not be adding this for ClamDScan, as we do not have a mechanism in the ClamD socket API to receive scan options or a way for ClamD to include scan metadata in the response.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
* --hash-hint: The file hash so that libclamav does not need to calculate it. The type of hash must match the --hash-alg.
* --log-hash: Print the file hash after each file scanned. The type of hash printed will match the --hash-alg.
* --hash-alg: The hashing algorithm used for either --hash-hint or --log-hash. Supported algorithms are "md5", "sha1", "sha2-256". If not specified, the default is "sha2-256".
* --file-type-hint: The file type hint so that libclamav can optimize scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with the specified type. See also: https://docs.clamav.net/appendix/FileTypes.html#file-types
* --log-file-type: Print the file type after each file scanned.
*
libclamav: Added new scan functions that provide additional functionality:
The older cl_scan*() functions are now deprecated and may be removed in a future release. See clamav.h for more details.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
*
libclamav: Added a new engine option to toggle temp directory recursion.
Temp directory recursion is the idea that each object scanned in ClamAV's recursive extract/scan process will get a new temp subdirectory, mimicking the nesting structure of the file.
Temp directory recursion was introduced in ClamAV 0.103 and is enabled whenever --leave-temps / LeaveTemporaryFiles is enabled.
In ClamAV 1.5, an application linking to libclamav can separately enable temp directory recursion if they wish. For ClamScan and ClamD, it will remain tied to --leave-temps / LeaveTemporaryFiles options.
The new temp directory recursion option can be enabled with:
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
*
libclamav: Added a class of scan callback functions that can be added with the following API function:
The scan callback location may be configured using the following five values:
Each callback may alter scan behavior using the following return codes:
Each callback is given a pointer to the current scan layer from which they can get previous layers, can get the layer's fmap, and then various attributes of the layer and of the fmap. To make this possible, there are new APIs to query scan-layer details and fmap details:
There is an interactive test program to demonstrate the new callbacks. See: examples/ex_scan_callbacks.c
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
* CL_SCAN_CALLBACK_PRE_HASH: Occurs just after basic file-type detection and before any hashes have been calculated either for the cache or the gen-json metadata.
* CL_SCAN_CALLBACK_PRE_SCAN: Occurs before parser modules run and before pattern matching.
* CL_SCAN_CALLBACK_POST_SCAN: Occurs after pattern matching and after running parser modules. A.k.a. the scan is complete for this layer.
* CL_SCAN_CALLBACK_ALERT: Occurs each time an alert (detection) would be triggered during a scan.
* CL_SCAN_CALLBACK_FILE_TYPE: Occurs each time the file type determination is refined. This may happen more than once per layer.
*
CL_BREAK: Scan aborted by callback. The rest of the scan is skipped. This does not mark the file as clean or infected, it just skips the rest of the scan.
*
CL_SUCCESS / CL_CLEAN: File scan will continue.
For CL_SCAN_CALLBACK_ALERT: This means you want to ignore this specific alert and keep scanning.
This is different than CL_VERIFIED because it does not affect prior or future alerts. Return CL_VERIFIED instead if you want to remove prior alerts for this layer and skip the rest of the scan for this layer.
*
CL_VIRUS: This means you do not trust the file. A new alert will be added.
For CL_SCAN_CALLBACK_ALERT: This means you agree with the alert and no extra alert is needed.
*
CL_VERIFIED: Layer explicitly trusted by the callback and previous alerts removed for THIS layer. You might want to do this if you trust the hash or verified a digital signature. The rest of the scan will be skipped for THIS layer. For contained files, this does NOT mean that the parent or adjacent layers are trusted.
*
Signature names that start with "Weak." will no longer alert. Instead, they will be tracked internally and can be found in scan metadata JSON. This is a step towards enabling alerting signatures to depend on prior Weak indicator matches in the current layer or in child layers.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
*
For the "Generate Metadata JSON" feature:
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
*
The "Viruses" array of alert names has been replaced by two new arrays that include additional details beyond just signature name:
* "Indicators" records three types of indicators:
* Strong indicators are for traditional alerting signature matches and will halt the scan, except in all-match mode.
* Potentially Unwanted indicators will only cause an alert at the end of the scan unless a Strong indicator is found. They are treated the same as Strong indicators in all-match mode.
* Weak indicators do not alert and will be leveraged in a future version as a condition for logical signature matches.
* "Alerts" records only alerting indicators. Events that trust a file, such as false positive signatures, will remove affected indicators, and mark them as "Ignored" in the "Indicators" array.
*
Add new option to calculate and record additional hash types when the "generate metadata JSON" feature is enabled:
* libclamav option: CL_SCAN_GENERAL_STORE_EXTRA_HASHES
* ClamScan option: --json-store-extra-hashes (default off)
* clamd.conf option: JsonStoreExtraHashes (default 'no')
*
The file hash is now stored as "sha2-256" instead of "FileMD5". If you enable the "extra hashes" option, then it will also record "md5" and "sha1".
*
Each object scanned now has a unique "Object ID".
*
Sigtool: Renamed the sigtool option --sha256 to --sha2-256. The original option is still functional but is deprecated.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
Other improvements
*
Set a limit on the max-recursion config option. Users will no longer be able to set max-recursion higher than 100. This change prevents errors on start up or crashes if encountering a file with that many layers of recursion.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1264>
*
Build system: CMake improvements to support compiling for the AIX platform. This change is courtesy of GitHub user KamathForAIX.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1387>
*
Improve support for extracting malformed zip archives. This change is courtesy of Frederick Sell.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1460>
*
Windows: Code quality improvement for the ClamScan and ClamDScan --move and --remove options. This change is courtesy of Maxim Suhanov.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1470>
*
Added file type recognition for an initial set of AI model file types.
The file type is accessible to applications using libclamav via the scan callback functions and as an optional output parameter to the scan functions: cl_scanfile_ex(), cl_scanmap_ex(), and cl_scandesc_ex().
When scanning these files, type will now show "CL_TYPE_AI_MODEL" instead of "CL_TYPE_BINARY_DATA".
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1476>
*
Added support for inline comments in ClamAV configuration files. This change is courtesy of GitHub user userwiths.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1308>
*
Disabled the MyDoom hardcoded/heuristic detection because of false positives.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1495>
*
Sigtool: Added support for creating .cdiff and .script patch files for CVDs that have underscores in the CVD name. Also improved support for relative paths with the --diff command.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1541>
*
Windows: Improved support for file names with UTF-8 characters not found in the ANSI or OEM code pages when printing scan results or showing activity in the ClamDTOP monitoring utility. Fixed a bug with opening files with such names with the Sigtool utility.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1461>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1537>
*
Improved the code quality of the ZIP module. Added inline documentation.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1548>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1552>
*
Always run scan callbacks for embedded files. Embedded files are found within other files through signature matches instead of by parsing. They will now be processed the same way and then they can trigger application callbacks (e.g., "pre-scan", "post-scan", etc.).
A consequence of this change is that each embedded file will be pattern- matched just like any other extracted file. To minimize excessive pattern matching, file header validation checks were added for ZIP, ARJ, and CAB. Also fixed a bug with embedded PE file scanning to reduce unnecessary matching.
This change will impact scans with both the "leave-temps" feature and the "force-to-disk" feature enabled, resulting in additional temporary files.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1532>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1571>
*
Added DevContainer templates to the ClamAV Git repository in order to make it easier to set up AlmaLinux or Debian development environments.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1462>
*
Removed the "Heuristics.XZ.DicSizeLimit" alert because of potential unintended alerts based on system state.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1573>
*
Improved support for compiling on Solaris.
This fix courtesy of Andrew Watkins.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1569>
*
Improved support for compiling on GNU/Hurd.
This fix courtesy of Pino Toscano.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1569>
*
Improved support for linking with the NCurses library dependency when libtinfo is built as a separate library.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1356>
Bug fixes
*
Reduced email multipart message parser complexity.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1347>
*
Fixed possible undefined behavior in inflate64 module. The inflate64 module is a modified version of the zlib library, taken from version 1.2.3 with some customization and with some cherry-picked fixes. This adds one additional fix from zlib 1.2.9. Thank you to TITAN Team for reporting this issue.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1469>
*
Fixed a bug in ClamD that broke reporting of memory usage on Linux. The STATS command can be used to monitor ClamD directly or through ClamDTOP. The memory stats feature does not work on all platforms (e.g., Windows).
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1465>
*
Windows: Fixed a build issue when the same library dependency is found in two different locations.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1453>
*
Fixed an infinite loop when scanning some email files in debug-mode. This fix is courtesy of Yoann Lecuyer.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1445>
*
Fixed a stack buffer overflow bug in the phishing signature load process. This fix is courtesy of GitHub user Shivam7-1.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1486>
*
Fixed a race condition in the Freshclam feature tests. This fix is courtesy of GitHub user rma-x.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1513>
*
Windows: Fixed a 5-byte heap buffer overread in the Windows unit tests. This fix is courtesy of GitHub user Sophie0x2E.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1542>
*
Fix double-extraction of OOXML-based office documents.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
*
ClamBC: Fixed crashes on startup.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1532>
*
Fixed an assortment of issues found with Coverity static analysis.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1574>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1582>
*
Fixed libclamav unit test, ClamD, and ClamDScan Valgrind test failures affecting some platforms.
GitHub pull request #1<https://github.com/Cisco-Talos/clamav/pull/1554>
GitHub pull request #2<https://github.com/Cisco-Talos/clamav/pull/1570>
*
Fixed crash in the Sigtool program when using the --html-normalize option.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1556>
*
Fixed some potential NULL-pointer dereference issues if memory allocations fail.
Fix courtesy of GitHub user JiangJias.
GitHub pull request<https://github.com/Cisco-Talos/clamav/pull/1581>
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 23 Jan 2026 14:51:48 +0000 (14:51 +0000)]
oci-cli: Add missing dependencies
Since the last update, the OCI CLI package requires some extra Python
dependenices. I find it very annoying that Python won't check this
during build time, so I added an extra step where we will run "oci
--help" and see if the command is coming up at all. Hopefully that will
be sufficient any no further Python modules will be loaded whenever they
are needed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 23 Jan 2026 05:26:55 +0000 (06:26 +0100)]
cbindgen: New package
cbindgen creates C/C++11 headers for Rust libraries which expose a public C API.
This tool is required to build the patched version of suricata and any
upcomming major versions of suricata.
* Add a lot of new rust modules in order to provide all dependencies and
their dependencies in order to build the tool.
* Adjusted build order in make.sh
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 23 Jan 2026 05:26:53 +0000 (06:26 +0100)]
suricata: Add upstream patch to purge sgh-mpm-caches
This patch is collection of the recently merged upstream patches to
allow purging the sgh-mpm-cache (hyperscan) after a specified amount of
time. (https://github.com/OISF/suricata/pull/14630)
I've set this to the upstreams example default of 7 days for now.
Fixes #13926.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 19 Jan 2026 16:21:38 +0000 (16:21 +0000)]
readhash: Fix the quote check
The single quotes changed bash's behaviour to interpret the * character
literally, but this is not what we wanted here. We need to escape the
single quotes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 19 Jan 2026 16:21:37 +0000 (16:21 +0000)]
hostapd: Use the new readhash implementation to read configuration files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 19 Jan 2026 16:21:36 +0000 (16:21 +0000)]
hostapd: Bring back support for 802.11g/a
I just have a little bit of easily accessible testing hardware in form
of USB devices which are very suitable for testing, but the one that I
found in my drawer doesn't support 802.11n.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878)
Malformed BRID and HHIT records could trigger an assertion failure.
This has been fixed.
ISC would like to thank Vlatko Kosturjak from Marlink Cyber for
bringing this vulnerability to our attention. [GL #5616]
Feature Changes
Add more information to the rndc recursing output about fetches.
This adds more information about active fetches, for debugging and
diagnostic purposes. [GL !11305]
Bug Fixes
Make DNSSEC key rollovers more robust.
A manual rollover when the zone was in an invalid DNSSEC state caused
predecessor keys to be removed too quickly. Additional safeguards to
prevent this have been added: DNSSEC records are not removed from the
zone until the underlying state machine has moved back into a valid
DNSSEC state. [GL #5458]
Fix a catalog zone issue, where member zones could fail to load.
A catalog zone member zone could fail to load in some rare cases, when
the internally generated zone configuration string exceeded 512 bytes.
That condition by itself was not enough for the issue to arise, but it
was necessary. This could happen if, for example, the catalog zone's
default primary servers list contained a large number of items. This
has been fixed. [GL #5658]
Allow glue in delegations with QTYPE=ANY.
When a query for type ANY triggered a delegation response, all
additional data was omitted from the response, including mandatory
glue. This has been fixed. [GL #5659]
Fix slow speed when signing a large delegation zone with NSEC3 opt-out.
BIND 9.20+ took much longer signing a large delegation zone with NSEC3
opt-out compared to version 9.18. This has been fixed. [GL #5672]
Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid.
A zone that was signed with NSEC3, had opt-out enabled, and was then
reconfigured to use NSEC, was published with missing NSEC records. This
has been fixed. [GL #5679]
Fix a possible catalog zone issue during reconfiguration.
The named process could terminate unexpectedly during reconfiguration
when a catalog zone update was taking place at the same time. This has
been fixed. [GL !11366]
Fix the charts in the statistics channel.
The charts in the statistics channel could sometimes fail to render in
the browser and were completely disabled for Mozilla-based browsers,
for historical reasons. This has been fixed. [GL !11018]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
v0.19.0:
print progress of curl http uploads
do not load js scripts if ecmascript is disabled by disallow.txt or allow.txt
v0.19.0rc1:
option document.browse.margin_auto #360 (hard margins)
TERM=dumb for js tests. #361
option document.html.compress_empty_lines #362
css visiblity: hidden support
experimental iframe support
spartan protocol
window.scroll in js
inline images support in html documents (meson option kitty)
and options document.html.kitty and document.html.sixel. Note that need
also enable kitty or sixel in terminal options
include-fragment support (now is easier to download something from github)
experimental libuv support
allow to set color0 to color255 as color
toggle-ecmascript-keys action to toggle between Application or Browser mode
requestAnimationFrame in js
option ui.sessions.auto_save_position #392
option document.html.display_unfinished
meson options avif and webp
option protocol.mailcap.allow_empty_referrer
option ui.leds.redraw_interval
fixes in DOS version related to temporary files creation
length can be bigger than int in http protocol #396
ignore result of verification for gemini protocol #397
meson option win32-vt100-native for Windows 10 and newer
support for chawan's extensions for mailcap (x-ansioutput and x-htmloutput)
Polish translation update
Serbian translation update
elinks.get_option(name) and elinks.set_option(name, value) in Python scripting #406
other small fixes
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:39:07 +0000 (14:39 +0100)]
vim: Update to version 9.1.2098
- Update from version 9.1.1854 to 9.1.2098
- Update of rootfile
- Changelog is not available. Generally each patch version number update is related to
a commit entry in the git repository. The details for all the commit changes can be
found at https://github.com/vim/vim/commits/master/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:39:06 +0000 (14:39 +0100)]
samba: Update to version 4.23.4
- Update from 4.23.2 to 4.23.4
- No change to the roofiles
- Changelog
4.23.4
* BUG 15926: Samba 4.22 breaks Time Machine
* BUG 15947: mdssvc doesn't support $time.iso dates before 1970
* BUG 15963: Fix winbind cache consistency
* BUG 15897: Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/')
in vfswrap_openat
* BUG 15950: ctdb can crash with inconsistent cluster lock configuration
* BUG 15897: Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/')
in vfswrap_openat
* BUG 15809: samba-bgqd: rework man page
* BUG 15936: samba-bgqd can't find [printers] share
* BUG 15955: Winbind can hang forever in gssapi if there are network issues.
* BUG 15961: libldb requires linking libreplace on Linux
4.23.3
* BUG 15926: Samba 4.22 breaks Time Machine.
* BUG 15927: Spotlight search restriction for shares incomplete and default
search searches in too many attributes.
* BUG 15930: Searching for numbers doesn't work with Spotlight.
* BUG 15931: rpcd_mdssvc may crash because name mangling is not initialized.
* BUG 15933: Only increment lease epoch if a lease was granted.
* BUG 15940: vfs_recycle does not update mtime.
* BUG 15943: samba-log-parser fails with UnicodeDecodeError: 'utf-8' codec
can't decode byte.
* BUG 15935: Crash in ctdbd on failed updateip.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:39:05 +0000 (14:39 +0100)]
opus: Update to version 1.6.1
- Update from version 1.5.2 to 1.6.1
- Update of rootfile
- Changelog
1.6.1
fixes several minor issues that were discovered since the 1.6 release.
1.6.0
Opus 1.6 builds on the new ML-based features introduced in Opus 1.5.
Major changes since 1.5 include:
- A new wideband-to-fullband bandwidth extension (BWE) module
- Support for 96 kHz audio with Opus HD
- Significant improvement to Deep Redundancy (DRED)
- A new 24-bit encoder/decoder API
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:39:01 +0000 (14:39 +0100)]
libtpms: Update to version 0.10.2
- Update from version 0.10.1 to 0.10.2
- Update of rootfile
- CVE fix
- Changelog
0.10.2
- tpm2: Fix memory leak by freeing KDF context
- tpm2: Fix retrieval of updated IV when using OpenSSL >= 3.0 (CVE-2026-21444)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:39:00 +0000 (14:39 +0100)]
libtasn1: Update to version 4.21.0
- Update from version 4.20.0 to 4.21.0
- Update of rootfile
- CVE fix
- Changelog
4.21.0
- Undocumented asn1Decoding --debug flag removed, thanks to Andrew Hamilton.
- Code coverage for src/ went from 35% to 82%, thanks to Andrew Hamilton.
- Fix of ASN.1 typo in manual, thanks to Masatake YAMATO.
- NEWS renamed to NEWS.md and uses markdown syntax.
- Update gnulib files and various build/maintenance fixes.
- Fix for vulnerability CVE-2025-13151 Stack-based buffer overflow
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:38:59 +0000 (14:38 +0100)]
libplist: Update to version 2.7.0
- Update from version 2.4.0 to 2.7.0
- Update of rootfile
- Changelog
2.7.0
- Changes:
* Add plist_new_unix_date, plist_get_unix_date_val, plist_set_unix_date_val
functions that work with int64_t values representing a UNIX timestamp
instead of using the 'MAC epoch'.
These new functions should be used instead of plist_new_date,
plist_get_date_val, and plist_set_date_val, which are now marked deprecated
and might be removed in a future version of libplist.
* Allow building the library without tool(s)
* Switch to more generic global initializer method
* json: Allow e+/E+ in exponent as per RFC 8259
* C++: Add more convenience functions to the interface
* C++: Add more type variants to different constructors and operators
- Bugfixes:
* Fix segmentation fault when calling plist_sort() on an empty dictionary
* Fix compilation on MSVC
* C++: Fix bug in internal helper function of Array class
* C++: Fix String::GetValue memory leaking and support assignment of const
char*
2.6.0
- Changes:
* Revert back API change around PLIST_DATA to use char* again
2.5.0
- Changes:
* Change API around PLIST_DATA to use uint8_t* instead of char*
* Add PLIST_DICT helper functions for different operations
* Require Cython 3.0 for python bindings
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:38:58 +0000 (14:38 +0100)]
libpcap: Update to version 1.10.6
- Update from version 1.10.5 to 1.10.6
- Update of rootfile
- Two CVE fixes
- Changelog
1.10.6
General:
Fix "tcpdump -i <n>" for something-only libpcap builds.
gencode: Fix an undefined behavior in gen_mcode().
gencode: Add a missing free() in gen_scode().
Remove "DLT_" from the descriptions of two dlt_choices[] entries.
Report the size of time_t in the version string.
Validate remote capture source strings better.
CVE-2025-11961: Fix OOBR and OOBW in pcap_ether_aton().
Source code:
Remove some unneeded includes.
pcapint_find_function() changed to return "void *" to avoid
warnings.
Clean up code that computes the length of a netmask.
Mind netmap support in pcap_lib_version().
Link-layer types:
Add LINKTYPE_ETW/DLT_ETW.
Add LINKTYPE_NETANALYZER_NG/DLT_NETANALYZER_NG (pull request #1008).
Add LINKTYPE_ZBOSS_NCP/DLT_ZBOSS_NCP.
Add LINKTYPE_USB_2_0_LOW_SPEED/DLT_USB_2_0_LOW_SPEED,
LINKTYPE_USB_2_0_FULL_SPEED/DLT_USB_2_0_FULL_SPEED,
LINKTYPE_USB_2_0_HIGH_SPEED/DLT_USB_2_0_HIGH_SPEED
Add LINKTYPE_AUERSWALD_LOG/DLT_AUERSWALD_LOG.
Add LINKTYPE_ZWAVE_TAP/DLT_ZWAVE_TAP.
Add LINKTYPE_SILABS_DEBUG_CHANNEL/DLT_SILABS_DEBUG_CHANNEL.
Add LINKTYPE_FIRA_UCI/DLT_FIRA_UCI.
Rename LINKTYPE_IPMB_LINUX/DLT_IPMB_LINUX to
LINKTYPE_I2C_LINUX/DLT_I2C_LINUX, as it's really just an
encapsulation of I2C, and is also being used for HDMI DDC.
Keep DLT_IPMB_LINUX around as a #define for backwards
compatibility.
Add LINKTYPE_MDB/DLT_MDB.
Add LINKTYPE_DECT_NR/DLT_DECT_NR.
Add LINKTYPE_EDK2_MM/DLT_EDK2_MM.
Add LINKTYPE_DEBUG_ONLY/DLT_DEBUG_ONLY.
Packet filtering:
Make the chunk allocator's alignment more general and
platform-independent.
IEEE 802.11: Fix three undefined behaviors in grammar.y.
Fix IPv4 multicast filtering to only include 224.0.0.0/4.
Fix "(arp|rarp) host NAME" to ignore IPv6 quietly.
Fix ARCnet address parsing.
Linux:
Fix check for mac80211 phydev.
Don't create monitor-mode interface if we're capturing on one.
Expand the table of DSA tag types to include all current types.
Fix an error message when deleting a monN interface.
Fix returning PCAP_ERROR_RFMON_NOTSUP with libnl.
Fix the error message when capure permission is denied.
Fix the error message if PF_PACKET sockets aren't supported.
Fix a file descriptor leak in an error case (pull request #1537).
Handle errors better when checking for a DSA-tagged interface.
Use DLT_DEBUG_ONLY for DSA tags that do not [yet] have a better support.
FreeBSD:
Fix detection and enabling of zero-copy support.
Fix errors in the zero-copy code.
Solaris:
Fix not to ignore logical interfaces in fad-gifc.c and
fad-glifc.c.
Fix attempts to open all-numeric device names with DLPI to
return "no such device".
Fix error returns and messages when an interface has no DLPI
device.
Return all interfaces in pcap_findalldevs() even if they can't be
opened.
HP-UX:
Fix attempts to open all-numeric device names to return
"no such device".
Fix error message if there's no /dev/dlpi device.
Return all interfaces in pcap_findalldevs() even if they can't be
opened.
Windows:
Fix filtering for VLAN-tagged frames.
Add support for Npcap's nanosecond-resolution time stamps in
captures.
CVE-2025-11964: Fix a bug in error message character encoding mapping
from UTF-16 to UTF-8.
Check at create time whether the NPF driver supports nanosecond
precision.
D-Bus:
Fix message leak.
Capture file writing:
Don't close the output stream if it's stdout, just flush it.
Documentation:
Explicitly document that closing a pcap_t for a savefile opened
with pcap_fopen_offline() will close the standard I/O stream.
Building and testing:
Makefile.in: Include instrument-functions.c in the release tarball.
CMake: Fix libnl usage with pkg-config.
CMake: Fix build with CMake 3.31.
CI: Report CMake version in builds.
CI: Visual Studio 2022 builds added, including ARM64 builds;
Visual Studio 2015 builds dropped.
Don't build with sslutils.c if we don't have a TLS library.
Build on Windows with a newer version of OpenSSL.
CMake: generalize handling of non-x86 Windows architectures.
CI: use the -A flag for all Visual Studio generators.
Remove the fuzzing props from the release tarball.
Autoconf: Use AC_SYS_YEAR2038_RECOMMENDED when possible if the
environment variable BUILD_YEAR2038 = yes (via autogen.sh)
DPDK: don't enable it by default.
Update Npcap SDK to 1.15.
autogen.sh: Allow to configure Autoconf warnings.
autogen.sh: Delete all trailing blank lines at end of configure.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 21 Jan 2026 13:38:57 +0000 (14:38 +0100)]
freeradius: Update to version 3.2.8
- Update from version 3.2.7 to 3.2.8
- Update of rootfile
- The 3.2.8 version shgould also fix the incompatibility with openssl > 3.5.1
- Changelog
3.2.8
Feature Improvements
Add support for automated fuzzing. This doesn't affect normal operations,
but it does allow for testing of the RADIUS decoder.
Allow tagged attributes to use ":V" as a tag in some cases The tag is then
read from the value which is being assigned to the attribute. This
functionality is allowed in 'update' sections, including 'update' in
module configurations See mods-available/ldap for an example.
Add kafka module. See mods-available/kafka.
Allow &control:Packet-SRC-IP-Address to be used when proxying needs a
given source address.
Change lower limit for reject_delay to 0.5s. Apparently some NASes will
panic and go crazy with a 1s reject_delay.
Rate limit complaints when limiting new connections.
Update raddb/certs/Makefile to support DER output.
Elapsed statistics for packets do not include proxy timers, which helps
clarify where any issues are. The total time is still available by
adding "our" time to the "proxy" time.
Added kafka module. See mods-available/kafka.
json module can now print dates as integers See mods-available/json.
The debug output now points to the online documentation in many cases,
when there are syntax errors in the configuration.
Add support for 389ds password hashes. Patch from Gerald Vogt.
reject_delay does not _add_ a delay, but instead ensures that the reject
is delayed for _at least_ that time. This change means that
reject_delay can be set in more situations, including for proxies.
Add delay_proxy_rejects. By default, proxied rejects are not delayed.
Setting this flag means that reject_delay is applied to proxied
rejects, too.
The proxy_rate_limit module can now be listed in the "authorize" section.
Update dpsk module to be faster, and be easier to configure with
databases. See mods-available/dpsk.
Bug Fixes
Move assertion in thread / queue code, which only affects debug builds.
Fixes #5512.
Update CRL checks to avoid crash in some cases. Fixes #5515.
More tweaks to the TEAP code.
Allow building when OpenSSL is missing PSK. Fixes #5520.
Move assertion so that it isn't triggered when the incoming queue is full,
and the server is blocked. Fixes #5512.
Fix crash when multiple certs are used along with CRL distribution points.
Fixes #5515.
Fix typo in rlm_cache which could cause crashes. Fixes #5522.
Be more forgiving about '%' in strings. Fixes #5525.
Move assertion in threading code.
Fixes to interaction with python interpreter.
Don't crash when setting client hostname in RADIUS/TLS Fixes #5552.
Ignore ".dpkg*" and ".rpm*" files when loading configuration directories.
Package managers can leave these around.
Complain more loudly if all of the "authorize" etc. sections have been
removed, but the server is still configured to process Access-Request
packets.
Use OCIStmtPrepare2 to prepare Oracle queries. Fixes #5540.
Allow dynamic clients with TCP listeners.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
