Adolf Belka [Thu, 7 Aug 2025 15:22:45 +0000 (17:22 +0200)]
bash: Update to patch level 3
- Update from patch level 0 to 3
- Update of rootfile not required
- Changelog
Patch 3
Bash leaves internal quoting in place when expanding array subscripts
that appear inside array subscripts in an arithmetic context, causing
expansion failures.
Patch 2
There are too many differences in the various implementations of shm_open(2)
to rely on it for bash's use.
Patch 1
In posix mode, `wait -n' with pid arguments does not restrict the set of
processes it considers to those arguments.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 29 Jul 2025 14:42:16 +0000 (14:42 +0000)]
network: Add support for bonds
This is a bare-minimum implementation to realise this. It changes the
bridge script because the two of them have quite a bit in common, so we
should avoid further code duplication.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 23 Jul 2025 19:02:31 +0000 (21:02 +0200)]
readline: Update to version 8.3 with patch version 1
- Update from version 8.2 with patch version 13 to 8.3 with patch version 1
- Update of rootfile
- Changelog
8.3
New Features in Readline
a. Output a newline if there is no prompt and readline reads an empty line.
b. The history library falls back to stdio when writing the history list if
mmap fails.
c. New bindable variable `search-ignore-case', causes readline to perform
case-insensitive incremental and non-incremental history searches.
d. rl_full_quoting_desired: new application-settable variable, causes all
completions to be quoted as if they were filenames.
e. rl_macro_display_hook: new application-settable function pointer, used if
the application wants to print macro values itself instead of letting
readline do it
f. rl_reparse_colors: new application-callable function, reparses $LS_COLORS
(presumably after the user changes it)
g. rl_completion_rewrite_hook: new application-settable function pointer,
called to modify the word being completed before comparing it against
pathnames from the file system.
h. execute-named-command: a new bindable command that reads the name of a
readline command from the standard input and executes it. Bound to M-x
in emacs mode by default.
i. Incremental and non-incremental searches now allow ^V/^Q (or, in the former
case, anything bound to quoted-insert) to quote characters in the search
string.
j. Documentation has been significantly updated.
k. New `force-meta-prefix' bindable variable, which forces the use of ESC as
the meta prefix when using "\M-" in key bindings instead of overloading
convert-meta.
l. The default value for `readline-colored-completion-prefix' no longer has a
leading `.'; the original report was based on a misunderstanding.
m. There is a new bindable command, `export-completions', which writes the
possible completions for a word to the standard output in a defined format.
n. Readline can reset its idea of the screen dimensions when executing after
a SIGCONT.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 23 Jul 2025 19:02:30 +0000 (21:02 +0200)]
bash: Update to version 5.3 with patch level 0
- Update from version 5.2 with patch level 37 to 5.3 with patch level 0
- Update rootfile
- remove bash-4.0-paths-1 patch file as this is not included in the current tarball.
- remove all the 5.2 version patches.
- Modify lfs so that the patch version can be added and then use this in the main part
of the lfs to automatically select the correct patches to merge.
- Successful build of bash-5.3 requires readline-8.3 to be installed
- Changelog
5.3
New Features in Bash
a. When checking whether a script file argument is a binary file, check the
first two lines of a script if the first line begins with `#!'.
b. Bash does a better job of preserving user-supplied quotes around a word
completion, instead of requoting it.
c. Bash reports the starting line number in an error message about an
unterminated compound command like `if' without a `fi'.
d. Implement the POSIX requirement that running the `jobs' builtin removes
jobs from the jobs list.
f. Call bash signal handlers while executing programmable completion commands,
instead of readline's.
g. Print an error message if a regular expression used with [[ fails to compile.
h. The `umask' builtin now has additional features for full POSIX conformance.
i. `type -a -P' reports both hashed pathnames and the result of a $PATH search.
j. `trap' has a new -P option that prints the trap action associated with each
signal argument.
k. The `command' builtin preceding a declaration builtin (e.g., `declare')
preserves the special assignment statement parsing for the declaration
builtin. This is a new POSIX requirement.
l. `printf' uses the `alternate form' for %q and %Q to force single quoting.
m. `printf' now interprets %ls (%S) and %lc (%C) as referring to wide strings
and characters, respectively, when in a multibyte locale.
n. The shell can be compiled with a different default value for the
patsub_replacement option.
o. Check for window size changes during trap commands, `bind -x' commands,
and programmable completion.
p. Treat a NULL value for $PATH as equivalent to ".".
p. New loadable builtins: kv, strptime
q. GLOBSORT: new variable to specify how to sort the results of pathname
expansion (name, size, blocks, mtime, atime, ctime, numeric, none) in
ascending or descending order.
r. `compgen' has a new option: -V varname. If supplied, it stores the generated
completions into VARNAME instead of printing them on stdout.
s. New form of command substitution: ${ command; } or ${|command;} to capture
the output of COMMAND without forking a child process and using pipes.
t. array_expand_once: new shopt option, replaces assoc_expand_once
u. complete/compopt new option: fullquote; sets rl_full_quoting_desired so all
possible completions are quoted as if they were filenames.
v. Command timing now allows precisions up to 6 digits instead of 3 in
$TIMEFORMAT.
w. BASH_MONOSECONDS: new dynamic variable that returns the value of the
system's monotonic clock, if one is available.
x. BASH_TRAPSIG: new variable, set to the numeric signal number of the trap
being executed while it's running.
y. The checkwinsize option can be used in subshell commands started from
interactive shells.
z. In posix mode, the test command < and > binary primaries compare strings
using the current locale.
aa. bind -x allows new key binding syntax: separate the key sequence and the
command string with whitespace, but require the command string to be
double-quoted if this is used. This allows different quoting options for
the command string.
bb. Print commands bound to key sequences using `bind -x' with the new key
binding syntax it allows.
cc. `read' has a new `-E' option to use readline but with the default bash
completion (including programmable completion).
dd. New bindable readline command name: `bash-vi-complete'.
ee. New test builtin behavior when parsing a parenthesized subexpression and
test was given more than 4 arguments: scan forward for a closing paren and
call posixtest() if there are 4 or fewer arguments between the parentheses.
Added for compatibility with coreutils test, dependent on the shell
compatibility level. Such expressions remain ambiguous.
ff. MULTIPLE_COPROCS is now enabled by default.
gg. The `bind' builtin interprets additional non-option arguments after -p or
-P as bindable command names and restricts output to the bindings for
those names.
hh. Bash now uses the login shell for $BASH if the shell is named `su' or `-su'.
ii. Bash now prints job notifications if an interactive shell is running a trap,
even though the shell is not interactive at that moment.
jj. Programmable completion allows a new compspec loaded after a completion
function returns 124 to be used in more cases.
kk. ./source has a new -p PATH option, which makes it use the PATH argument
instead of $PATH to look for the file.
ll. Documentation has been significantly updated.
mm. `wait -n' can now return terminated process substitutions, jobs about
which the user has already been notified (like `wait' without options),
nn. `wait -n' removes jobs from the jobs table or list of terminated children
when in posix mode.
oo. Changed the `wait' builtin behavior regarding process substitutions to
match the documentation.
pp. There is a new `bash_source_fullpath' shopt option, which makes bash put
full pathnames into BASH_SOURCE, and a way to set a default value for it
at configure time.
qq. Posix mode now forces job notifications to occur when the new edition of
POSIX specifies (since it now specifies them).
rr. Interactive shells don't print job notifications while sourcing scripts.
ss. The parser prints more information about the command it's trying to parse
when it encounters EOF before completing the command.
tt. Posix mode no longer requires function names to be valid shell identifiers.
uu. If `exit' is run in a trap and not supplied an exit status argument, it
uses the value of $? from before the trap only if it's run at the trap's
`top level' and would cause the trap to end (that is, not in a subshell).
This is from Posix interp 1602.
vv. There is a new `fltexpr' loadable builtin to perform floating-point
arithmetic similarly to `let'.
ww. The `install-strip' and `strip' Makefile targets now deal with cross-
compiling.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.65
"Changes with Apache 2.4.65
*) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr'
always evaluates to true in 2.4.64 (cve.mitre.org)
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond
expr ..." tests evaluating as "true".
Users are recommended to upgrade to version 2.4.65, which fixes
the issue."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 23 Jul 2025 10:08:03 +0000 (12:08 +0200)]
samba: Update to version 4.22.3
- Update from version 4.22.2 to 4.22.3
- Update of rootfiles for all architectures
- Changelog
4.22.3
Important Change in Upcoming Microsoft Update
On 8th of July, Microsoft will release an important security update for
Active Directory Domain Controllers for Windows Server versions prior to
2025.
This update includes a change to the Microsoft RPC Netlogon protocol,
which improves security by tightening access checks for a set of RPC
requests. Samba running as domain members in these environments will be
impacted by this change if a specific configuration is used, see below
for which configuration is affected.
Windows Server version 2025 is already equipped with these specific
security hardenings, and Microsoft is now planning to deploy them to all
supported Windows Server versions down to Windows Server 2008.
Who is affected?
Samba installations acting as member servers in Windows AD domains will
be affected if they are configured to use the 'ad' idmapping backend.
Samba servers not using this configuration will not be affected by the
change – at least to our current knowledge and understanding of the
change – and no further action is required.
Current versions of Samba with the affected configuration will no longer
function correctly once the Microsoft update has been applied. Users
will not be able to connect to the SMB service provided by Samba for any
domain configured to use the 'ad' idmapping backend.
See https://bugzilla.samba.org/show_bug.cgi?id=15876.
* BUG 15854: samba-tool cannot add user to group whose name is exactly 16
characters long.
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
* BUG 15869: Startup messages of rpc daemons fill /var/log/messages.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:59 +0000 (23:25 +0200)]
gnutls: Update to version 3.8.10
- Update from version 3.8.9 to 3.8.10
- Update of rootfile
- 4 CVE fixes in this version
- Changelog
3.8.10
** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
[CVE-2025-6395]
** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
Spotted by oss-fuzz and reported by OpenAI Security Research Team,
and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
CVSS: medium] [CVE-2025-32989]
** libgnutls: Fix double-free upon error when exporting otherName in SAN
Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
CVSS: low] [CVE-2025-32988]
** certtool: Fix 1-byte write buffer overrun when parsing template
Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
CVSS: low] [CVE-2025-32990]
** libgnutls: PKCS#11 modules can now be used to override the default
cryptographic backend. Use the [provider] section in the system-wide config
to specify path and pin to the module (see system-wide config Documentation).
** libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update
support. The library running on the aforementioned version now utilizes the
kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted
TLS session. The --enable-ktls configure option as well as the system-wide
kTLS configuration (see GnuTLS Documentation) are still required to enable
this feature.
** libgnutls: liboqs support for PQC has been removed
For maintenance purposes, support for post-quantum cryptography
(PQC) is now only provided through leancrypto. The experimental key
exchange algorithm, X25519Kyber768Draft00, which is based on the
round 3 candidate of Kyber and only supported through liboqs has
also been removed altogether.
** libgnutls: TLS certificate compression methods can now be set with
cert-compression-alg configuration option in the gnutls priority file.
** libgnutls: All variants of ML-DSA private key formats are supported
While the previous implementation of ML-DSA was based on
draft-ietf-lamps-dilithium-certificates-04, this updates it to
draft-ietf-lamps-dilithium-certificates-12 with support for all 3
variants of private key formats: "seed", "expandedKey", and "both".
** libgnutls: ML-DSA signatures can now be used in TLS
The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and
ML-DSA-87, can now be used to digitally sign TLS handshake
messages.
** API and ABI modifications:
GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:58 +0000 (23:25 +0200)]
git: Update to version 2.50.1
- Update from version 2.50.0 to 2.50.1
- Update of rootfile not required
- Changelog
2.50.1
This release merges up the fixes that appear in v2.43.7, v2.44.4,
v2.45.4, v2.46.4, v2.47.3, v2.48.2, and v2.49.1 to address the
following CVEs: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
CVE-2025-48386. See the release notes for v2.43.7 for details.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:26:01 +0000 (23:26 +0200)]
tshark: Update to version 4.4.8
- Update from version 4.4.7 to 4.4.8
- Update of rootfile
- Changelog
4.4.8
Bug Fixes
Renegotiated DTLS session is not being decrypted. Issue 20362.
Wireshark is completely stuck in initialization because androiddump recv()
is blocked. Issue 20526.
Fuzz job UTF-8 encoding issue: fuzz-2025-06-20-7318.pcap. Issue 20585.
Crash when showing packet in new window after reloading Lua plugins with a
certain gui.column.format preference. Issue 20588.
Bug in UDS dissector with Service ReadDataByPeriodicIdentifier Response.
Issue 20589.
Packet diagram doesn’t show non-standard field value representations.
Issue 20590.
Packet diagram shows representation twice when field type is FT_NONE.
Issue 20601.
application/x-www-form-urlencoded key parsed incorrectly following a
name-value byte sequence with no '='. Issue 20615.
DNP3 time stamp was unable to work after epoch time (year 2038). Issue 20618.
Updated Protocol Support
ASTERIX, DLT, DNP 3.0, DOF, DTLS, ETSI CAT, Gryphon, IPsec, ISObus VT,
KRB5, MBIM, RTCP, SLL, STCSIG, TETRA, UDS, and URL Encoded Form Data
New and Updated Capture File Support
pcapng
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:26:00 +0000 (23:26 +0200)]
strongswan: Update to version 6.0.2
- Update from version 6.0.1 to 6.0.2
- Update of rootfile
- Changelog
6.0.2
- Support for per-CPU SAs (RFC 9611) has been added (Linux 6.13+).
- Basic support for AGGFRAG mode (RFC 9347) has been added (Linux 6.14+).
- POSIX regular expressions can be used to match remote identities.
- Switching configs based on EAP-Identities is supported. Setting
`remote.eap_id` now always initiates an EAP-Identity exchange.
- On Linux, sequence numbers from acquires are used when installing SAs. This
allows handling narrowing properly.
- During rekeying, the narrowed traffic selectors are now proposed instead of
the configured ones.
- The default AH/ESP proposals contain all supported key exchange methods plus
`none` to make PFS optional and accept proposals of older peers.
- GRO for ESP is enabled for NAT-T UDP sockets, which can improve performance
if the esp4|6_offload modules are loaded.
- charon-nm sets the VPN connection as persistent, preventing NetworkManager
from tearing down the connection if the network connectivity changes.
- ML-KEM is supported via OpenSSL 3.5+.
- The wolfssl plugin is now compatible to wolfSSL's FIPS module.
- The libsoup plugin has been migrated to libsoup 3, libsoup 2 is not supported
anymore.
- The long defunct uci plugin has been removed.
- Log messages by watcher_t are now logged in a separate log group (`wch`).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:57 +0000 (23:25 +0200)]
gettext: Update to version 0.26
- Update from version 0.25 to 0.26
- Update of rootfile
- Changelog
0.26
Programming languages support:
* JavaScript:
- xgettext now parses regular expressions with character classes
correctly.
* C, C++, Python, JavaScript, EmacsLisp, librep, Go, Ruby, awk, D, Tcl,
Perl, PHP:
- xgettext's heuristic recognition of format strings has been improved:
strings like "100% complete" (with a space flag in a format directive)
are no longer flagged as format strings by default, unless they occur
in a context that requires a format string. You can override this
heuristic by using a comment of the form /* xgettext: c-format */.
* Shell:
- The documentation now mentions two other approaches for
internationalizing messages with parameters in shell scripts.
- xgettext now recognizes format strings in the 'printf' command syntax.
They are marked as 'sh-printf-format' in POT and PO files.
- Two new programs 'printf_gettext' and 'printf_ngettext' are provided,
that do formatted output with a localized format string in a more
efficient way (without spawning a subshell).
- xgettext now recognizes the \c, \u, and \U escape sequences in dollar-
single-quoted strings $'...'.
Improvements for maintainers:
* xgettext:
- When extracting a message with plural that is some format string,
xgettext now verifies that the msgid and msgid_plural are compatible
as format strings. For most format string types, this still allows
omitting from msgid a placeholder that is used in msgid_plural. But
when a placeholder is used in both msgid and msgid_plural, its type
must be the same in both.
- xgettext now suggests a refactoring when a translatable string
contains an URL or email address.
Improvements for translators:
* msggrep:
- msggrep accepts two new options -W/--workflow-flags and -S/--sticky-flags
that allow to select only messages that have a specified flag.
Bug fixes:
- The AM_GNU_GETTEXT macro now rejects the dysfunctional gettext() function
in libc of Solaris 11.[0-3], Solaris OpenIndiana, and Solaris OmniOS.
- The AM_GNU_GETTEXT macro now recognizes, on MSVC, the GNU libintl built
as a shared library.
0.25.1
Bug fixes:
- autopoint no longer fails if configure.ac contains no
AM_GNU_GETTEXT_VERSION or AM_GNU_GETTEXT_REQUIRE_VERSION invocation.
- nls.m4 is installed again under $PREFIX/share/aclocal/.
Portability:
- Building on native Windows with MSVC and --enable-shared is now supported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:56 +0000 (23:25 +0200)]
e2fsprogs: Update to version 1.47.3
- Update from version 1.47.2 to 1.47.3
- Update of rootfile not required
- Changelog
1.47.3
UI and Features
Mke2fs -d can now copy the fs-verity metadata and chattr flags into
newly created file system.
Add fuse2fs's support for the XATTR_CREATE and XATTR_REPLACE flags in
setxattr.
Add support for FALLOC_FL_ZERO_RANGE in fuse2fs.
Add support to fuse2fs for the setting file attributes via fsxattr,
including support for nanosecond timestamps.
Add support to fuse2fs to set newer chattr flags.
Add a lockfile command-line option to fuse2fs which is useful for
scripts that need to know when fuse2fs is done modifying the file system
after it is unmounted.
Add mke2fs.conf knobs to control whether the RAID stripe or stride sizes
from the storage device information depending on whether the storage
device is a rotational or non-rotational device. By default don't set
the RAID stripe size for non-rotational devices.
E2scrub no longer runs fstrim by default, since util-linux ships with a
fstrim.timer systemd file which will run fstrim on all mounted file
systems. This can be re-enabled in /etc/e2scrub.conf if for some reason
it is desirable to run the fstrim out of e2scrub.
Fixes
Fix "e2fsck -E unshare_blocks" to clear the shared_blocks flag when
there are no shared blocks to clear
Fix "e2fsck -n" to not abort when it trips across an EA inode which
is not referenced by any inodes in the file system.
Fix debugfs's dump and rdump commands to avoid looping forever when
it runs across an I/O error or corrupt filesystem metadata.
Fix debugfs's dirsearch command on big-endian systems.
Fix many fuse2fs bugs found by running fstests, including fixing
support for O_APPEND, O_TRUNC, POSIX ACLs, and the immutable flag. Also
fix fuse2fs to correctly remove ea_inodes if the last reference to an
ea_inode is removed when an inode is removed, and to update timestamps
correctly after the mkdir(2) and symlink(2) operations.
Fix fuse2fs's error code handling for fallocate(), truncate() and
removexattr().
Fix an integer overflow bug which resulted in fuse2fs failing to delete
very large files. (Addresses Debian Bug: #1106241)
Fix a (hard to reproduce) extent tree corruption bug which could be
triggered by resize2fs or fuse2fs if the extent tree was especially
complex
Improve fuse2fs's handling of corrupted file systems.
Fuse2fs doesn't support renameat2()'s RENAME_EXCHANGE or RENAME_WHITEOUT
flags, so return ENOSYS instead of incorrectly handling the renameat2()
request.
Fuse2fs will avoid clearing the setgid bit in op_chmod if the file's
group ownership is one of the calling process's group list (instead of
just the primary group id).
Change fuse2fs to align with kernel's behaviors by (a) clearing
post-EOF on truncation, (b) validating FITRIM's parameters consistently
with how the kernel does things, (c) how the "ro" mount option will
replay the journal, (d) only supporting the xattr namespaces supported
by the kernel, (e) clamping timestamps to the minimum and maximum value
supported by the on-disk format, and (f) optionally delegating access
control decisions to the kernel.
Prevent fuse2fs from mounting file systems which have features that
fuse2fs can't deal with.
Fix error path handling in fuse2fs when servicing an op_create request.
Fix spurious warnings from fuse2fs while servicing an op_fallocate request.
Fix fuse2fs to correctly translate system errors from libext2fs to the
negative error codes expected by the FUSE kernel driver. There aren't
many; but in some cases, when the file system is corrupted, libext2fs
will return EOVERFLOW and we sent a nonsense error to the kernel.
Optimize ext2fs_extent_set_bmap() to avoid fragmenting the extent tree.
This fixes a problem where resize2fs is trying to relocate all of the
blocks in a file leading to the extent tree doubling in size, and
potentially leading to a corrupted extent tree.
Fix a bounding error in ext2fs_fallocate() which could cause it to
allocate far more blocks than was requested. This caused a failure in
fuse2fs while formatting a loopback file system stored in a large sparse
file.
Fix potential livelock bug in the unix_io manager.
Fix invalidation support in the unix_io manager.
Various man page cleanups.
Performance, Internal Implementation, Development Support etc.
Improve performance in e2fsck when replaying a journal with a large
number of revoke blocks (which can be the case on Lustre servers).
Improve tune2fs's performance by avoiding scanning the file system to
update quota inodes in cases when it's not necessary.
Improve fuse2fs's performance by returning inode and type information in
readdir() and to use the actual inode numbers instead of asking fuse
to make up inode numbers.
Fix various Coverity and compiler warnings.
Add two new flags for ext2fs_link(). The EXT2FS_LINK_APPEND flag
causes ext2fs_link() to only search the last block in the directory,
which improves the scalability of creating a large number of files in a
directory. The EXT2FS_LINK_EXPAND() causes ext2fs_link() to
automatically expand the directory if there is no free space found to
create the requested directory entry.
Add a new function, ext2fs_mkdir2() which allows the flags parameter
to be passed to ext2fs_link(), allows the chattr flags to be set in the
newly created directory, and return the inode number for the newly
created directory.
Add new functions ext2fs_log2_u{32,64}() and ext2fs_log10_u{32,64}() so
we don't have multiple copies of these functions in various e2fsprogs
programs.
Improve debugging and logging in fuse2fs.
General code cleanups in fuse2fs.
Improve fuse2fs's performance by allowing a larger cache in unix_io and
using O_DIRECT to read and write the block device.
Fixed Windows portability problems introduced in 1.47.2.
Fix various FreeBSD compile warnings and test issues.
Fix MacOS build issues when compiling with libarchive and FUSE support.
To avoid warning messages on newer versions of GNU grep, use "grep -E"
instead of "egrep" when possible.
Fix test failure for m_rootdir_acl when the build tree is hosted on
btrfs. (This was caused by btrfs returning extended attributes relating
to Posix ACL's in a different order than ext4 or xfs.)
Fixed potential races in the Makefiles which could show up when using
"make -j install".
Fixed build failures when libarchive is not available.
Fixed various Debian packaging issues. (Addresses Debian Bugs:
#1106799, #1107595)
Update Czech, Chinese, Dutch, French, Malay, Portuguese, Polish,
Romanian, Serbian, Spanish, Swedish, and Ukrainian translations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:55 +0000 (23:25 +0200)]
curl: Update to version 8.15.0
- Update from version 8.14.1 to 8.15.0
- Update of rootfile not required
- Changelog
8.15.0
changes:
o TLS: remove support for Secure Transport and BearSSL [19]
bugfixes:
o altsvc: accept 'clear' without semicolon as well [190]
o asyn-ares: remove redundant NULL check [152]
o asyn-thrdd: free the previous name before strdup'ing the new [84]
o autotools: detect and link `brotlicommon` library for brotli [130]
o autotools: drop `$top_builddir/src` from src header path [23]
o autotools: drop headers from src mk-unity rules (fixup) [136]
o autotools: drop no longer necessary `--srcdir` unity options [66]
o autotools: drop redundant `Makefile.inc` from `EXTRA_DIST` in src [127]
o autotools: simplify configuration in tests, examples [47]
o bufq: change read/write signatures [120]
o bufq: remove the unused Curl_bufq_unwrite function [143]
o build: assume `sys/socket.h`, `sys/time.h` on non-Windows (as in
`curl/curl.h`) [21]
o build: drop `HAVE_SYS_SOCKET_H` and `HAVE_SYS_TIME_H` macros [69]
o build: drop explicit curlx from hdr paths, refer headers with `curlx/`
prefix [150]
o build: drop unused variables in tests
o build: fix libcurltool with cmake and tunits, related tidy-ups [138]
o build: split `.c` and `.h` file lists in tests [128]
o build: stop checking for `sys/stat.h` [146]
o build: stubgss tidy-ups (in tests) [137]
o build: sync build scripts between client/libtest [49]
o build: tidy up `Makefile.inc` use in lib and src [116]
o build: tidy up header paths, use srcdir where possible [42]
o cf-socket: make socket data_pending a nop [175]
o checksrc-all: rewrite in Perl, remove `checksrc.bat` [217]
o checksrc: reduce exceptions, apply again to curlx [114]
o cmake/FindGSS: fix processing C header path options [160]
o cmake/FindGSS: initialize result variables [159]
o cmake: `curl_add_clang_tidy_test_target` tidy-ups [185]
o cmake: build `stubgss` library for libtests to match autotools [34]
o cmake: check USE_WINDOWS_SSPI when adding secur32 to CURL_LIBS [144]
o cmake: configure c-ares header directory in project root (was: lib) [106]
o cmake: document OpenSSL and ngtcp2 crypto lib custom variables [29]
o cmake: drop never propagated C macros [22]
o cmake: drop passing redundant `CURL_STATICLIB` in examples and clients [52]
o cmake: drop redundant macro from test clients [51]
o cmake: drop reference to future variable
o cmake: enable soversion by default for OpenHarmony OS [131]
o cmake: fix `curl_add_clang_tidy_test_target` when no `-D` option [155]
o cmake: fix generator expression in docs/examples [109]
o cmake: gather options recursively in `curl_add_clang_tidy_test_target` [156]
o cmake: make docs depend on support files [80]
o cmake: move `OUTPUT` argument in the `add_custom_command()` line [50]
o cmake: omit clang-tidy on internal libs curlu and curltool [64]
o cmake: replace `cmakelint` with `cmake-lint` from `cmakelang`, fix issues [20]
o cmake: replace the way clang-tidy verifies tests, fix issues found [101]
o cmake: simplify handling generated `lib1521.c` in libtests [24]
o cmake: sync `target_link_libraries()` order in tests more [44]
o cmake: sync tests scripts by using the variable `BUNDLE` [46]
o cmake: sync tests scripts with each other and autotools (more) [100]
o cmake: use `target_link_options()` when available [43]
o config-win32: fix default targets, shorten macro logic [227]
o configure: order LDAP after the SSL libraries
o connect: drop unused struct member [209]
o connection: clarify `transport` [197]
o connection: eliminate member `remote_addr` [10]
o curl-config: fix whitespace in usage text [122]
o curl.h: make CURL_IPRESOLVE_* symbols defined as longs [206]
o curl.h: make CURLSSLOPT_* symbols defined as longs [3]
o curl.h: remove the "RESERVED" error codes [2]
o curl: implement non-blocking STDIN read on Windows [28]
o curl: improve non-blocking STDIN performance [129]
o curl: remove the global argument from many functions [218]
o curl: unify pointer names to global config [219]
o curl_get_line: make sure lines end with newline [110]
o curl_memory.h: fix to undefine `accept4` [180]
o curl_path: make SFTP handle a path like /~ properly. [11]
o curlinfo: provide the 'digest' feature [168]
o CURLSHOPT_SHARE.md: mention multi-threading requires callbacks [161]
o DEPRECATE.md: add VS2005 removal to the list [214]
o digest: fix build with disabled digest auth [72]
o DISTROS: update NixOS link
o docs,tests: fix english grammar "allow to" -> "allow <something> to" [158]
o docs/CONTRIBUTE: fix broken link [173]
o docs/examples: add ftp-delete.c [5]
o docs: beef up examples/websocket.c [189]
o docs: fix broken link in CODE_REVIEW.md [67]
o docs: fix broken link in INSTALL.md [68]
o docs: fix docs for CURLOPT_PREQUOTE after #17616 [70]
o docs: fix documentation of connect_only 2 [78]
o docs: fix two typos [163]
o docs: mention that the netrc file works without port numbers [112]
o docs: mention the as-is concept generically [225]
o docs: note SSLS-EXPORT feature in -ssl-sessions doc [199]
o docs: reflect that delimiter-separated capath is only OpenSSL [135]
o docs: sync -tls-earlydata support w/ CURLOPT_SSL_OPTIONS [198]
o docs: warn about lifetime in CURLOPT_CLOSESOCKET* [54]
o easy: fix comment-documentation [36]
o easygetopt: fix curl logo in header comment [167]
o firefox-db2pem: avoid use of eval in script [103]
o ftp: fix prequotes for a directory in URL [83]
o ftplistparser: split parse_unix into sub functions [77]
o h2_serverpush: fix file handle leaks reported by clang-tidy [105]
o h3: fix query of concurrent streams [220]
o http/3: report handshake with version and cipher as for TCP connections [212]
o http2: do not delay RST send on aborted transfer [57]
o http2: fix var types in is_alive() implementations [222]
o http: explicitly ignore parsing errors for Retry-After [98]
o http: fix build with cookies and HSTS disabled [124]
o http_ntlm: protect against null deref [95]
o http_ntlm: remove unreachable code [88]
o INSTALL.md: cygwin details and add source code link [4]
o ldap: avoid automake caching issues with LDAP library names
o ldap: if ldap-lib is sufficient, add it to LIBS.
o ldap: initial support for --with-ldap option
o lib2082: drop `typedef struct` [118]
o lib: address singleuse issues [132]
o lib: avoid reusing unclean connection [73]
o lib: drop two interim macros in favor of native libcurl API calls [172]
o lib: fix unused parameter/function compiler warnings [186]
o lib: make `CURLX_SET_BINMODE()` and use it [39]
o lib: make `curlx_wait_ms()` and use it [40]
o lib: replace scache no-op macros with `#ifdef` [117]
o lib: stop `time()` debug overrides at the end of source in altsvc, hsts [211]
o lib: unify recv/send function signatures [92]
o libcurl-env.md: drop LOGNAME, USER and NTLMUSER [99]
o libcurl.m4: fix indentation [194]
o libssh2: remove use of 'initialised' for cleanup [208]
o libssh: de-complex myssh_statemach_act() [18]
o libssh: fix readdir issues [191]
o libtests: make test 1503,1504,1505 use the 1502 binary [90]
o libtests: more header tidy-ups [224]
o libtests: stop building the sames source multiple times [89]
o memdebug.h: #undef `fclose` before defining it
o memdebug.h: eliminate global macro `CURL_MT_LOGFNAME_BUFSIZE` [178]
o memdebug: include in unity batch [63]
o memory: stop overriding unused `wcsdup()`/`_wcsdup()` system functions [204]
o memory: tidy up `_tcsdup()` override [202]
o misc: fix typos [207]
o mk-lib1521: replace `printf` with `curl_mprintf` [141]
o multi: add dirty bitset [115]
o multi: do no expire a blocked transfer [56]
o multi: fix polling with pending input [60]
o multi: remove careful bounds check as coverity says it is not needed [174]
o multi: xfer table/bitset, handle limits [142]
o ngtcp2: fix coverity warning about result handling [166]
o openssl: enable readahead [91]
o openssl: error on SSL_ERROR_SYSCALL [94]
o openssl: fix handling of buffered data [82]
o openssl: fix openssl engine use [74]
o openssl: fix pkcs11 provider available check [154]
o os400: upgrade ILE/RPG bindings with latest definitions. [184]
o pingpong: on disconnect, check for unflushed pingpong state [12]
o projects/build-openssl.bat: remove [223]
o pytest test_07_70, weaken early data check [96]
o pytest: adapt for runs with openssl-1.1.1
o pytest: disable test_07_37 and test_07_36 with openssl's quic [1]
o quic: implement CURLINFO_TLS_SSL_PTR [176]
o RELEASE-PROCEDURE.md: update docs/VERSIONS [7]
o runtests.pl: fix sprintf() using one too many %s [134]
o runtests: fix `LD_PRELOAD` detection for cmake-built curl binaries [123]
o runtests: support memory-limits per test [193]
o rustls: apply memory function overrides, fixing an ECH buffer free [181]
o rustls: don't try printing the not provided file [104]
o schannel: allow partial chains for manual peer verification [79]
o schannel: drop Windows 2000 compatibility logic [26]
o scorecard: flame graphs and documentation [165]
o SCP/SFTP: avoid busy loop after EAGAIN [8]
o scripts: fix to quote the copyright email address [210]
o socks: fix query when filter context is null [221]
o system.h: remove some macros [6]
o test1117: reduce write delays [9]
o test1175: fix to run, and fix documentation issues detected [216]
o test1222: fix for out-of-tree and no-libcurl-manual builds [215]
o test1499, 1599: use `%LOGDIR` [226]
o test1499: verify two chunked responses on reused connection [145]
o test1596: let test pass after year 2036 [35]
o test1706: pass include directory to `managen` for out-of-tree builds [187]
o tests/client: drop autotools logic no longer necessary [45]
o tests/client: use `curl_mfprintf()` [48]
o tests/dnsd: read config from file [85]
o tests/http/clients: drop hack and use `curl_setup.h` again [58]
o tests/http/clients: move to tests/client [53]
o tests/http/requirements: remove multipart [183]
o tests/libtest: call `curlx_now_init()` for unit 1399, 2600 (Windows) [76]
o tests/libtest: drop `TEST_HANG_TIMEOUT` redefinition hack [108]
o tests/libtest: drop a checksrc exception [119]
o tests/libtest: use `curltime` from curlx [71]
o tests/server/util.c: include netinet/in6.h [113]
o tests/server: de-dupe/merge three `sockdaemon()` clones into one [149]
o tests/server: drop `memdebug.h` [111]
o tests/server: make all global vars/funcs static [41]
o tests/server: move memory init to `memptr.c` [140]
o tests/servers.pm: add more ways to figure out current user [17]
o tests: always make bundles, adapt build and tests [81]
o tests: bundle http clients, de-dupe, enable for MSVC [61]
o tests: constify, make consts static [139]
o tests: drop `BUNDLE_SRC` variable [59]
o tests: drop mk-bundle exceptions [25]
o tests: drop unused or redundant includes [153]
o tests: drop useless "nodist_SOURCES" assignments [93]
o tests: fail torture if !valgrind&threaded resolver [31]
o tests: fix 1301, 1308 to fail on error [177]
o tests: fix `BUNDLE` variable references in `Makefile.am` [125]
o tests: make all names < 75 characters long [182]
o tests: make individual test sources compile cleanly [107]
o tests: make sshserver less verbose [55]
o tests: move `curlcheck.h` to libtest as `unitcheck.h` [171]
o tests: move GSS-API dynamic stub into debug-mode libcurl [169]
o tests: torture: don't duplicate valgrind command [32]
o tests: use %b64[] to base64 data [151]
o tests: use %b64[] to base64 data in 2056, 2057 [126]
o tftpd: use `CURLMIN()` macro [38]
o tidy-up: replace `<memdebug.h>` with `"memdebug.h"` (src, units) [147]
o tls: remove Curl_ssl false_start [86]
o tool1621: drop unused internal libcurl headers [157]
o tool_getparam: fix --ftp-pasv [15]
o tool_operate: fix return code when --retry is used but not triggered [13]
o tool_paramhelp: fix language in comments [196]
o top-complexity: lower max allowed complexity threshold to 90 [33]
o unit tests: extract "private" prototypes at build time [170]
o unit1302: expand the base64 encode/decode tests [148]
o url: fix connection lifetime checks [14]
o url: fix NULL deref with bad password when no user is provided [87]
o urlapi: simplify and split into sub functions [16]
o urlapi: use uppercase hex encoding [133]
o vauth: move auth structs to conn meta data [30]
o vtls: change send/recv signatures of tls backends [65]
o vtls: fix a copy-pasted early data comment typo [200]
o vtls: log rustls negotiated KEX group name [201]
o vtls: prefer ciphersuite to cipher in msgs [203]
o vtls: prefer rustls-ffi ciphersuite name API [205]
o VULN-DISCLOSURE-POLICY.md: fix typos [164]
o VULN-DISCLOSURE-POLICY: all reports should be disclosed [102]
o VULN-DISCLOSURE-POLICY: exclude not installed software [121]
o VULN-DISCLOSURE-POLICY: minor language polish [162]
o warnless: drop parts of the `read`/`write` preprocessor hack (Windows) [37]
o warnless: replace `read()`/`write()` wrapper functions with macros (Windows) [75]
o windows: drop redundant `curl_wcsdup_callback` callback [188]
o windows: fixup `fopen()` in `CURLDEBUG` builds [62]
o windows: reduce/stop loading DLLs at runtime [27]
o wolfssl: add support for ML_KEM hybrids [195]
o ws: drop redundant `CURL_EXTERN` from function definitions [179]
o xfer: manage pause bits [97]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 21:25:49 +0000 (23:25 +0200)]
automake: Update to version 1.18.1
- Update from version 1.18 to 1.18.1
- Update of rootfile not required
- Changelog
1.18.1
* Bugs fixed
- Undo change to mdate-sh; once again, it does not look at
SOURCE_DATE_EPOCH. This change was a misunderstanding that causes
problems, not fixes, for reproducible builds.
(https://lists.gnu.org/archive/html/automake/2025-06/msg00021.html)
- Improve debuggability of installcheck failures. (bug#78850)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Jul 2025 14:34:52 +0000 (16:34 +0200)]
ruleset-sources: Remove the abuse.ch SSL list from the suricata sources
- The abuse.ch ssl suricata list has stopped being updated since 2025-06-25
- Looking at all of the abuse.ch lists, none of them are being updated anymore, so abuse.ch
becoming part of Spamhaus looks to have stopped all work on free versions of the lists
- This change modifies the abuse.ch entry so that it can no longer be installed, and if it is
already installed, it will be removed.
- The patch has also made a few minor typo corrections in comments.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.20.11/doc/arm/html/notes.html#notes-for-bind-9-20-11
"Notes for BIND 9.20.11
Security Fixes
Fix a possible assertion failure when stale-answer-client-timeout is
set to 0.
In specific circumstances the named resolver process could exit with an
assertion failure when stale answers were enabled and the
stale-answer-client-timeout configuration option was set to 0. This has
been fixed. (CVE-2025-40777) [GL #5372]
New Features
Add support for the CO flag to dig.
Add support for Compact Denial of Existence to dig. This includes
showing the CO (Compact Answers OK) flag when displaying messages and
adding an option to set the CO flag when making queries (dig +coflag).
[GL #5319]
Bug Fixes
Correct the default interface-interval from 60s to 60m.
When the interface-interval parser was changed from a uint32 parser to
a duration parser, the default value stayed at plain number 60 which
now means 60 seconds instead of 60 minutes. The documentation also
incorrectly states that the value is in minutes. That has been fixed.
[GL #5246]
Fix a purge-keys bug when using multiple views of a zone.
Previously, when a DNSSEC key was purged by one zone view, other zone
views would return an error about missing key files. This has been
fixed. [GL #5315]
Use IPv6 queries in delv +ns.
delv +ns invokes the same code to perform name resolution as named, but
it neglected to set up an IPv6 dispatch object first. Consequently, it
was behaving more like named -4. It now sets up dispatch objects for
both address families, and performs resolver queries to both IPv4 and
IPv6 addresses, except when one of the address families has been
suppressed by using delv -4 or delv -6. [GL #5352]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 17 Jul 2025 17:52:03 +0000 (19:52 +0200)]
zabbix_agentd: Add LocationDB functionality
Adds new IPFire specific monitoring capabilities to Zabbix Agent:
- ipfire.locationdb.lookup[<ip>,<ip>,...]: Perform IPFire LocationDB lookups
from within Zabbix. Returns a JSON dict.
- ipfire.locationdb.version: Get LocationDB version timestamp in unixtime.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 17 Jul 2025 17:52:02 +0000 (19:52 +0200)]
zabbix_agentd: Add WireGuard specific monitoring items
Adds new IPFire specific monitoring capabilities to Zabbix Agent:
- ipfire.wireguard.peers.discovery: Discovery of configured WireGuard
clients. Returns a JSON array.
- ipfire.wireguard.statusreport.get: Parses and returns output of
`wireguardctrl dump` as a JSON array.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 17 Jul 2025 17:52:01 +0000 (19:52 +0200)]
zabbix_agentd: Add ARPing method for checking Internet Gateway
Since some ISPs block ICMP ping to their gateway, ARPing can be an alternative.
This change adds arping alternatives for the regular (icmp) ping checks:
- ipfire.net.gateway.arping: Check if the Internet Gateway is reachable via ARPing
- ipfire.net.gateway.arpingtime: Measure the time it takes to ARPing the Internet Gateway
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 17 Jul 2025 17:52:00 +0000 (19:52 +0200)]
zabbix_agentd: Update to 7.0.16 (LTS)
- Update from version 7.0.11 to 7.0.16
- Update of rootfile not required
Bugs fixed:
ZBX-26080 Fixed old file descriptors being held when external log rotation is used
ZBX-26121 Added default flags to net.dns.get arguments when none are specified
ZBX-26055 Fixed failure to refresh active checks when next refresh was faster than 60 seconds
Full changelogs since 7.0.11:
- https://www.zabbix.com/rn/rn7.0.12
- https://www.zabbix.com/rn/rn7.0.13
- https://www.zabbix.com/rn/rn7.0.14
- https://www.zabbix.com/rn/rn7.0.15
- https://www.zabbix.com/rn/rn7.0.16
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 8 Jul 2025 08:49:47 +0000 (10:49 +0200)]
openvpn: Ignore existing PID files when starting processes
This is all not very organised and tidy. The init process seems to be
too cautious if there is a PID file left but there should not be any
harm in trying to start the same process twice when in doubt because
after all only one can bind to the same port at a time.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 3 Jun 2025 15:04:50 +0000 (17:04 +0200)]
ovpnmain.cgi: Only load status when the server is running
Otherwise we would show the status if the service is no longer running
and show clients as connected which have only been connected when the
server was stopped.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 16 Apr 2024 12:01:31 +0000 (14:01 +0200)]
ovpnmain.cgi: Restart instead of reload
The option to reload the server does not seem to work well. The running
process is performing a number of checks that make very little sense
and PID files get written by the user that launches the process (i.e.
root) instead of the user that the process is running as later on (i.e.
nobody). Since there is no chance to keep any existing connections alive
this way, we may just as well restart the service for now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>