Adolf Belka [Tue, 28 Oct 2025 09:41:56 +0000 (10:41 +0100)]
boost: Update to version 1.89.0
- Update from version 1.88.0 to 1.89.0
- Update of rootfiles for all three architectures.
- Changelog
1.89.0
New Libraries
Bloom:
filters, from Joaquín M López Muñoz.
Updated Libraries
Any:
Initial support for C++20 Modules. See the docs for more info.
Asio:
Added allocator constructors to execution_context, io_context and
thread_pool, with the supplied allocator being used for allocating
objects associated with the execution context.
Added a new configuration parameter "timer" / "heap_reserve" that may
be used to reserve space in the vector used for a timer queue's heap.
Added a new configuration parameter "resolver" / "threads" that
specifies the number of internal threads used by async_resolve to
emulate asynchronous address resolution.
Removed deadline_timer, basic_deadline_timer and time_traits from the
convenience header boost/asio.hpp.
Ensured that the Windows named pipes created by connect_pipe use
unique names that do not conflict if Asio is used in multiple,
independent plug-in DLLs.
Changed BOOST_ASIO_CONCURRENCY_HINT_SAFE to be consistent with the
io_context default constructor.
Fixed the documentation for BOOST_ASIO_CONCURRENCY_HINT_UNSAFE_IO to
reflect that registration locking is still enabled.
Added separate b2 and cmake build targets for optional dependencies.
Added the [[noreturn]] attribute to
boost::asio::detail::throw_exception.
Fixed co_spawn to adhere to the asynchronous operation requirement
for non-reentrant invocation of the completion handler.
Added a documentation note on basic_signal_set async signal safety.
Fixed various minor compilation errors on different platforms.
Consult the Revision History for further details.
Atomic:
Added TSAN instrumentation in asm-based x86, AArch32, AArch64 and PPC
backends. This silences TSAN false errors for code using Boost.Atomic
for thread synchronization.
Following the announcement in Boost 1.84, removed support for Windows
versions older than Windows 10.
A note to MinGW-w64 users. Since Windows SDK headers on MinGW-w64
define _WIN32_WINNT to an older Windows version by default,
you may need to define _WIN32_WINNT=0x0A00 or
BOOST_USE_WINAPI_VERSION=0x0A00 when compiling Boost.Atomic
and the code that uses Boost.Atomic.
Support for Windows CE is deprecated and will be removed in a future
release.
Added support for timed waiting operations.
Exposed thread_pause operation, which can be used as a backoff
measure in spin loops. Added support for PowerPC and improved support for AArch64 in thread_pause.
Removed BOOST_ATOMIC_NO_ATOMIC_FLAG_INIT macro definition. Since the
library now requires C++11, BOOST_ATOMIC_FLAG_INIT is always supported.
Enabled bitwise operations for atomic enumerations. This can be
useful when enumerations are used to implement bit masks.
Beast:
Fixes
Conditionally defined immediate_executor_type in async_base.
Added missing cstdint header to detail/cpu_info.hpp.
Fixed std::is_trivial deprecation warnings.
handshake_timeout now applies to closing handshakes during reads.
Improvements
Replaced detail/work_guard.hpp with net::executor_work_guard.
Fixed portability issues for building tests in MinGW.
Documentation
Removed moved sections from documentation.
Removed superfluous log messages from tests.
Acknowledgements
yliu1021
Charconv:
Fixed a performance degradation with from_chars for integer types
Fixed rounding and trailing decimal place bugs with to_chars for
specified precisions with floating point types
Cobalt:
Move assign fixed for generator & promise.
Fixed internal exceptions
Added IO library. Cobalt.io provides a large subset of asio as a
compiled library.
Compat:
Added move_only_function.hpp.
ContainerHash:
Added the hash_is_avalanching trait class.
Conversion:
Added an ability to use polymorphic_downcast and polymorphic_cast in
constexpr (requires C++20).
Core:
Fixed bit_ceil to return 1 for input 0 as per specification. (PR#199)
Added support for std::format to boost::core::string_view. (#190)
Detail:
Operators generated by BOOST_BITMASK now use underlying type of the
enum to implement bitwise operators. The operators are marked
noexcept and constexpr, when possible.
The function bitmask_set generated by BOOST_BITMASK is marked
deprecated. In a future release, BOOST_BITMASK will stop producing
this function. Users are recommended to use double negation (!!mask)
to test if the value is zero. This affects e.g. enums defined in
Boost.Filesystem.
DLL:
Fixed compiling and exporting on Cygwin. Many thanks to Luohao Wang
for the PR!
Fixed building on FreeBSD. Thanks to ash for the bug report!
Added BOOST_DLL_USE_STD_FS CMake option to match the preprocessor
option. Thanks to Yury Bura for the PR!
Filesystem:
Corrected ASAN warnings about comparing pointers to potentially
unrelated objects in path::append. (#335)
Geometry:
Major improvements
PR#1369 Rewrite of traversal
PR#1402 Add geometry polyhedral surface
Improvements
PR#1404 Performance improvements in buffer
PR#1405 Avoid static variables and functions in header files
Breaking changes
PR#1401 Remove deprecated headers
Solved issues
(#1221) Difference with rectilinear multipolygon with integer
coordinates produces invalid polygon with disconnected interior
(#1295) Wrong result in intersection (result polygon is equal to
the biggest of the input polygons)
(#1349) Difference of polygons giving wrong result
(#1382) Buffer operation creates self-intersection
Various fixes of errors and warnings
Hash2:
Added Blake2 algorithm (blake2s_256, blake2b_512).
Added XXH3 algorithm (xxh3_128).
Iterator:
Fixed filter_iterator copy/converting constructor, which could
previously produce an invalid iterator. (#92)
Removed usage of is_trivial in iterator_facade as it is deprecated in
C++26. (#93)
iterator_facade::operator[] now always returns a proxy rather than
conditionally returning a value or a proxy. This allows users to
bind a reference to the result of the operator, regardless of
whether the value type is trivially-copyable. (#61)
The proxy returned by iterator_facade::operator[] now supports
forwarding dereferencing operators to the referenced value. This
allows it[n]->foo() and (*it[n]).foo() expressions to compile.
The proxy returned by iterator_facade::operator[] now implements
perfect forwarding in its assignment operator.
JSON:
Revamped documentation.
Optionals that are ranges are categorised as optionals.
Described class support is enabled for types with bases.
Log:
Added support for BOOST_LOG_WITHOUT_ASIO configuration macro, which
can be used to remove the dependency on Boost.Asio and disable the
related functionality.
Use locale-independent formatting of the file counter in
text_file_backend when composing log file names. This fixes failures
in the subsequent parsing of the file names in
file_collector::scan_for_files. (PR#246)
Added a new wrap_filter utility that simplifies injecting
user-defined function objects in filtering expressions. (#195)
Math:
Add explicit C++14 <type_traits> and constexpr requirement to builds
Collected fixes for GPU support on a variety of platforms
Fix lower incomplete gamma function with x = 0
Fix the external archive error in the jSO algorithm
Fix numeric underflow in ibeta
Fix inverse ibeta for large values of a and b
Fix variadic functions to make them safe with C++26
MQTT5:
Fixed incorrect parsing of URI paths in the list of brokers (#31).
Default Maximum Packet Size now explicitly set in the CONNECT packet.
(#33).
Fixed high CPU usage with large Maximum Packet Size values (#33).
Multiprecision:
Major update.
Adds a new backend type: cpp_double_fp_backend
Fixes a namespace collision with Boost.Serialization
MySQL:
The caching_sha2_password authentication plugin can now be used
without TLS. This is the default in MySQL 8 and above. Plaintext
connections that attempt to use this plugin no longer fail with
client_errc::auth_plugin_requires_ssl (#313).
Fixed a problem causing client_errc::incomplete_message to be
returned during connection establishment when the target database
does not exist and the caching_sha2_password is used. The
appropriate server-generated diagnostic is now returned. See
issues #468 and #488.
The handshake algorithm is now more resilient to protocol violations
(#469).
Fixed a build failure with gcc-15 due to a missing include (PR#475).
Thanks hhoffstaette for the PR.
Added benchmarks against the official drivers.
Optimized metadata representation to be faster to construct and take
less memory (#461).
PFR:
Rewrite C++20 module following the new recommended Boost practice.
See the docs for more info.
Fixed C++26 compilation on modern clang compilers. Thanks to Valery
Mironov for the report!
Support types that use 'Arrays of Length Zero' compiler extension.
Fixed typos. Thanks to Egor for highlighting the issues!
Return std::array<std::string_view, 0> type for
boost::pfr::names_as_array(empty_struct{}) to allow compilation of for
(std::string_view name : boost::pfr::names_as_array(empty_struct{})).
Many thanks to sabudilovskiy for the bug report!
process:
Added v1.hpp to emulate v1 process.hpp include.
Fix to windows path escaping
Fixed exit-code issue where terminate & async_wait lead to a loss of
the exit-code value.
Random:
Fix NAN being generated by beta_distribution
Improve the performance of beta_distribution::operator()
TypeIndex:
Initial support for C++20 Modules. See the docs for more info.
Unordered:
Deprecated boost::unordered::hash_is_avalanching is now a
using-declaration of boost::hash_is_avalanching in
<boost/container_hash/hash_is_avalanching.hpp>. Use that header
directly instead. <boost/unordered/hash_traits.hpp> will be removed
in the future.
Added pull(const_iterator) to open-addressing containers. This
operation allows for efficient removal and retrieval of an element
via move construction.
Histogram:
Update CMake minimum version and Python detection in CMake
Improve documentation
Add example on how to make an axis which accepts multiple value
types that are not implicitly convertible
Show how to use histogram::fill with a multidimensional histogram
efficiently when data per dimension is already available as
contiguous data
Don't use deprecated form of user-defined literal operator
Add support for modular build structure with b2
Fixed warnings in MSVC about narrowed types
Added collector accumulator, which stores all values in a bin
Internal changes to tests and classes in detail namespace
Updated Tools
Build:
Includes release of B2 version 5.3.2.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 Oct 2025 16:05:36 +0000 (17:05 +0100)]
ovpnmain.cgi: Add newline after comment
This caused that the first line of the client's custom DHCP/DNS
configuration was ignored.
Fixes: #13895 - OpenVPN GUI does not apply DNS resolver settings for individual roadwarrior connections
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 Oct 2025 15:52:43 +0000 (16:52 +0100)]
ovpnmain.cgi: Fix pushing all routes
If there were multiple client routes configured, the OpenVPN server was
only told about the first one. This patch fixes this and also cleans up
the code for pushing the server routes, too.
Fixes: #13901 - iroute line is only written for the first of the OpenVPN client routes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 11:11:11 +0000 (12:11 +0100)]
xfsprogs: Update to version 6.17.0
- Update from version 6.16.0 to 6.17.0
- No change in rootfile
- Changelog
6.17.0
xfs_scrub_fail: reduce security lockdowns to avoid postfix problems (Darrick J. Wong)
mkfs: fix copy-paste error in calculate_rtgroup_geometry (Darrick J. Wong)
xfs_scrub: fix strerror_r usage yet again (Darrick J. Wong)
mkfs: fix libxfs_iget return value sign inversion (Darrick J. Wong)
xfs_scrub: Use POSIX-conformant strerror_r (A. Wilcox)
xfs_db: use file_setattr to copy attributes on special files with rdump (Andrey Albershteyn)
xfs_io: make ls/chattr work with special files (Andrey Albershteyn)
xfs_quota: utilize file_setattr to set prjid on special files (Andrey Albershteyn)
configure: Base NEED_INTERNAL_STATX on libc headers first (Johannes Nixdorf)
xfs_io: add FALLOC_FL_WRITE_ZEROES support (Zhang Yi)
xfsprogs: fix utcnow deprecation warning in xfs_scrub_all.py (Christian Kujau)
Improve information about logbsize valid values (Carlos Maiolino)
proto: add ability to populate a filesystem from a directory (Luca Di Maio)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 11:05:14 +0000 (12:05 +0100)]
usbutils: Update to version 019
- Update from version 018 to 019
- No change to rootfile
- Changelog
019
usbreset.1: fix typo in the busnum/devicenum example
lsusb.py: add usb.ids path for Debian
usbreset: fix swapped vendor and product ID in help/manpage
usbreset.1: fix groff warnings and small fixes
ci: stop manually creating build/
ci/codeql: use filter-sarif to filter meson-private
Remove commented out code in usbreset.c and list.h and container_of.h
lsusb: turn a FIXME comment for dump_comm_descriptor() into something real
lsusb: remove FIXME about wireless usb device
lsusb: change FIXME for bmEthernetStatistics into a TODO
lsusb.c: change TODO into a fixme in do_dualspeed()
usbreset: move the serial number forward in the output
usb-devices: fix up bash warning for $altset
usb-devices: fix up some minor shellcheck warning messages
usb-spec: remove vendor specific entry
usbreset: apply clang-format
usbreset: support resetting device by serial number
ci: Fix debian/ubuntu installation
lsusb: Show wBytesPerInterval field of the SS EP companion descriptor
usb-devices: Make devcount 'local' to handle recursion
usb-devices: Make devnum 'local' to handle recursion
lsusb-t: add verblevel 3 to print_usbdevice()
lsusb: improve usb2 device capability descriptor
Fix display of HID descriptors
ci: bump the all-actions group with 4 updates
ci: bump github/codeql-action in the all-actions group
ci: bump github/codeql-action in the all-actions group
ci: bump the all-actions group with 2 updates
ci: bump github/codeql-action in the all-actions group
ci: bump the all-actions group with 2 updates
ci: bump the all-actions group with 2 updates
ci: bump github/codeql-action in the all-actions group
ci: bump the all-actions group across 1 directory with 3 updates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 11:01:15 +0000 (12:01 +0100)]
sysvinit: Update to version 3.14
- Update from version 3.11 to 3.14
- Update of rootfile
- Changelog
3.14
* Re-introduced DESTDIR flag in src/Makefile to assist building on Arch.
* Fixed typo in init.8 manual page.
* Expand process length in inittab to allow a command line 253 characters
(up from 127). Expand child process structure to accommodate 253
and some buffer room for newline/NULL.
* Clear buffer when reading long lines from inittab, avoids garbage left
over from old lines with long commands or comments.
* Drop lines which are too long from inittab conf and log warning rather
than truncate.
3.13
* Adjusted manual page install location. Patch provided
by Mark Hindley.
3.12
* There were instances of the ctime() function being called in multiple
files without checking the return value (can be NULL) and without
checking the length of the returned information. While there _should_
never be a case where ctime() fails, assuming success and length of
returned string isn't ideal (or future-proof). We now check the return
value of ctime() in bootlogd, dowall, last, logsave, and shutdown.
Where no valid value is returned we supply a dummy value (usually a
space in place of the expected time stamp). We also no longer assume
returned string is at least 11-16 characters.
* Re-commit flexible Makefile for GoboLinux.
* Make sure pty.h and sys/sysmacros.h are included when building bootlogd on
systems with glibc.
* Fixed typos and syntax in manual page for init.8.
Edits provided by : Bjarni Ingi Gislason.
* Allow setting of location of the /usr directory in src/Makefile.
This is handled by the usrdir variable.
* Make sure src/Makefile uses sysconfdir (/etc by default) when installing
configuration files.
* Fix typos and syntax in pidof manual page.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 10:54:50 +0000 (11:54 +0100)]
ninja: Update to version 1.13.1
- Update from version 1.12.1 to 1.13.1
- No change in rootfile
- Changelog
1.13.1
Fix LINK : fatal error LNK1104: cannot open file on Windows in some cases #2616
Compatibility with older distros for Linux ARM version #2619
Restore "multiple rules generate" error with dyndep #2621
1.13.0
Ninja now automatically joins a GNU Make jobserver as a client (version 4.4 on
non-Windows systems required for "fifo" style) #1139
Print exit code of failed subcommands #1507
New tool ninja -t compdb-targets like compdb, but takes a list of targets
instead of rules #1544
Support for ANSI (color) escape codes in NINJA_STATUS #713
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 10:49:25 +0000 (11:49 +0100)]
fuse: Update to version 3.17.4
- Update from version 3.15.0 to 3.17.4
- Update of rootfile
- Changelog
3.17.4
- Try to detect mount-utils by checking for /run/mount/utab
and don't try to update mtab if it does not exist
- Fix a build warning when HAVE_BACKTRACE is undefined
- fuse_loop_mt.c: fix close-on-exec flag on clone fd
- Remove struct size assertions from fuse_common.h
3.17.3
* more conn->want / conn->want_ext conversion fixes
* Fix feature detection for close_range
* Avoid double unmount on FUSE_DESTROY
3.17.2
* Fixed uninitialized bufsize value (compilation warning and real
issue when HAVE_SPLICE was not defined)
* Fixed initialization races related to buffer reallocation when
large buf sizes are used (/proc/sys/fs/fuse/max_pages_limit)
* Fix build with kernel < 5.9
* Fix static_assert build failure with C++ version < 11
* Compilation fix (remove second fuse_main_real_versioned declaration)
* Another conn.want flag conversion fix for high-level applications
* Check if pthread_setname_np() exists before using it
* fix example/memfs_ll rename deadlock error
* signal handlers: Store fuse_session unconditionally and restore
previous behavior that with multiple sessions the last session
was used for the signal exit handler
3.17.1
* fuse: Fix want conn.want flag conversion
* Prevent re-usage of stdio FDs for fusermount
* PanFS added to fusermount whitelist
3.17.1-rc1
* several BSD fixes
* x86 (32bit) build fixes
* nested declarations moved out of the inlined functions to avoid
build warnings
* signify public key added for future 3.18
3.17.1-rc0
* Fix libfuse build with FUSE_USE_VERSION 30
* Fix build of memfs_ll without manual meson reconfigure
* Fix junk readdirplus results when filesystem not filling stat info
* Fix conn.want_ext truncation to 32bit
* Fix some build warnings with -Og
* Fix fuse_main_real symbols
* Several changes related to functions/symbols that were added in
the libfuse version in 3.17
* Add thread names to libfuse threads
* With auto-umounts the FUSE_COMMFD2 (parent process fd) is
exported to be able to silence leak checkers
3.17
* 3.11 and 3.14.2 introduced ABI incompatibilities, the ABI is restored
to 3.10, .so version was increased since there were releases with
the incompatible ABI
* The libfuse version a program was compiled against is now encoded into
that program, using inlined functions in fuse_lowlevel.h and fuse.h
* Allows handling fatal signals and printing a backtrace.
New API function: fuse_set_fail_signal_handlers()
* Allows fuse_log() messages to be sent to syslog instead of stderr
New API functions: fuse_log_enable_syslog() and fuse_log_close_syslog()
* Handle buffer misalignment for FUSE_WRITE
* Added support for filesystem passthrough read/write of files when
FUSE_PASSTHROUGH capability is enabled
New API functions: fuse_passthrough_open() and fuse_passthrough_close(),
also see example/passthrough_hp.cc
* Added fmask and dmask options to high-level API
- dmask: umask applied to directories
- fmask: umask applied to non-directories
* Added FUSE_FILL_DIR_DEFAULTS enum to support C++ programs using
fuse_fill_dir_t function
* Added support for FUSE_CAP_HANDLE_KILLPRIV_V2
Fixes:
* Fixed compilation failure on FreeBSD (mount_bsd.c now points to correct
header)
3.16.2
* Various small fixes and improvements.
3.16.1
* Readdir kernel cache can be enabled from high-level API.
3.15.1
Future libfuse releases will be signed with signify rather than PGP
This release is the last to be signed with PGP and contains the signify public
key for current (3.15.X) and upcoming (3.16.X) minor release cycle.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 27 Oct 2025 10:35:41 +0000 (11:35 +0100)]
samba: Update to version 4.23.2
- Update from version 4.23.1 to 4.23.2
- No change to any of the rootfiles
- Changelog
4.23.2
This is a security release in order to address the following defects:
o CVE-2025-9640: Uninitialized memory disclosure via vfs_streams_xattr.
https://www.samba.org/samba/security/CVE-2025-9640.html
o CVE-2025-10230: Command injection via WINS server hook script.
https://www.samba.org/samba/security/CVE-2025-10230.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 15:37:54 +0000 (17:37 +0200)]
fetchmail: Update to version 6.5.7
- Update from version 6.5.6 to 6.5.7
- No change to rootfile
- Changelog
6.5.7
BUGFIXES:
* When authenticating to an SMTP server, the AUTH LOGIN method (which didn't
become a proposed standard, and is only the third method fetchmail would try,
if CRAM-MD5 and PLAIN weren't offered) required that the server returned
a 334 code followed by a blank and by a decodable base64 challenge we ignored
anyways. This is in line with RFC 4952.
However, to improve compatibility, fetchmail now accepts anything that
starts with "334 " and disregards the remainder of the line.
At the same time, AUTH LOGIN was deprecated. AUTH PLAIN should be available
everywhere AUTH LOGIN is, and is specified in IETF RFC 4616.
* When authenticating to an SMTP server, i. e. esmtpname/esmtppassword are
defined, check for errors, and skip servers that do not understand EHLO,
because we cannot negotiate supported authentication schemes with them.
This should avoid attempting to send a lot of messages and see them rejected.
* When authenticating to an SMTP server, do not send client abort "*" when
we receive any other server reply but 334.
* Extend 6.5.6's RFC-5321 address-literal fix to MAIL FROM. This might
apply when we only have a server's IP address and need to qualify
addresses without domain. Fixes Debian Bug#1080025.
* SMTP AUTH can now look up passwords from the .netrc file - for that,
fetchmail's esmtpname setting must match the login for the given host in
.netrc. Fixes Debian Bug#1056651 by Ticker Berkin.
* Improve the GSSAPI (Kerberos V) build, which was pretty hard to get working.
This was improved. Recommendation:
- For autoconf builds (./configure), be sure to have the desired krb5-config
executable early on $PATH before running ./configure.
- For meson builds, be sure to list the path to your krb5-gssapi.pc file on
PKG_CONFIG_PATH. (meson will fall back to krb5-config, so if that's on PATH,
that should also work.)
TRANSLATION UPDATES were contributed by these fine people - thank you!
* The Italian translation is back - it had been missing from earlier 6.5.X
since it had fallen too far behind with the last update in 2010.
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* es: Cristian Othón Martínez Vera [Spanish]
* fr: Frédéric Marchal [French]
* it: Luca Vercelli [Italian]
* ja: Takeshi Hamasaki [Japanese]
* pl: Jakub Bogusz [Polish]
* ro: Remus-Gabriel Chelu [Romanian]
* sq: Besnik Bleta [Albanian]
* sv: Göran Uddeborg [Swedish]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:28:57 +0000 (18:28 +0200)]
whois: Update to version 5.6.5
- Update from version 5.6.4 to 5.6.5
- No change to rootfile
- Changelog
5.6.5
* Updated the .co TLD server.
* Added some large KRNIC networks.
* Updated the second level .uk TLD servers.
* Removed the .pro TLD server.
* Removed 1 new gTLD which is no longer active.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:15:39 +0000 (18:15 +0200)]
pcre2: Update to version 10.47
- Update from version 10.46 to 10.47
- Update of rootfile
- Changelog
10.47
1. (#660, #655, #663) Expanded platforms tested by CI: FreeBSD, OpenBSD,
Solaris, MSYS (Cygwin), S390x, PPC64le, ARMv7, AARCH64, RiscV.
2. (#655) Made build clean of `/W3` warnings on MSVC. Further suppression of
minor build warnings on other platforms (various commits).
3. (#651) Added `--enable-Werror` flag to `./configure` to treat warnings as
errors (or `--enable-errwarn` for Solaris cc). Previously, you had to hackily
override the CPPFLAGS when calling make since you can't pass `-Werror` as a
CFLAG into `./configure` (it breaks compiler feature detection).
4. (#682) Added AM_MAINTAINER_MODE for Git tag releases. Users building with
the `./configure` script can check out the release tag using Git, which assigns
the current time as the modification time to each checked-out file. This caused
Autoconf to attempt to regenerate the configure script.
5. (#692) Add LICENSE file for sljit to the tarball release, to clarify that the
sljit code is governed separately by the 2-clause BSD license.
6. (#656, #695) Add full support for z/OS and native EBCDIC support. The z/OS
support is tested nightly using the XLC and IBM-Clang compilers, with Autoconf
and CMake. In addition, for test purposes, the EBCDIC support can now be enabled
on any platform using the new Autoconf `--enable-ebcdic-ignoring-compiler` and
CMake `-DPCRE2_EBCDIC_IGNORING_COMPILER` options.
7. (#700) Faster lookup of named capture groups during pattern compilation using
a hash table.
8. (#697, #756, #778) Improvements to pcre2test to increase code coverage:
-malloc argument; more detailed test assertions.
9. (#705, #710, #737, #738) Powerful new feature: pattern recursion of
the form "(?1(GROUP_NAME_OR_NUM,...))" acts as a subroutine call which
additionally returns the listed capturing groups to the calling context.
10. (#721) Add linker scripts to enable symbol versioning for the PCRE2 dynamic
libraries. Downstream Linux distributions may make use of this, or disable it
with the new Autoconf `--disable-symvers` and CMake `-DPCRE2_SYMVERS` options.
Currently, Linux, Solaris, and FreeBSD (GNU ld, LLVM lld, and Solaris ld) are
tested and supported.
11. (#733) New API function: pcre2_next_match(). This function makes it both
simpler and safer for clients to iterate over all matches in a subject. The
documentation in `pcre2api` also provides improved guidance in the section
"Iterating over all matches".
12. (#739, #744, #753) Modernize the CMake build files, to use standard
commands to export the PCRE2 targets. This makes use of the
"$<BUILD_INTERFACE:...>" and "$<INSTALL_INTERFACE:...>" expressions alongside
the built-in "install(EXPORT...)" command. This brings the CMake files in line
with the patches used by vcpkg to distribute PCRE2. The minimum CMake version
remains 3.15.
13. (#756) Improved error offsets and diagnostics for syntax errors during
pattern compilation.
14. (#708, #729, #724, #731, #777) Various updates to Bazel and Zig
build support.
15. (#775) Added PCRE2_CONFIG_EFFECTIVE_LINKSIZE option to pcre2_config(), to
report the actual number of code units used in compiled patterns for recording
string lengths and offsets.
16. (#801) Significant bugfix: Fix a crash in pcre2_callout_enumerate() which is
easily reachable on any pattern that contains a Unicode character class. If your
application uses this function, please read the details for this change and
evaluate its severity for your application.
17. (#806, #807) Improved input validation for pcre2_substitute() used with
PCRE2_SUBSTITUTE_MATCHED.
18. (#817) Add support for $+ replacement to pcre2_substitute().
19. (#818) New SIMD code generation in the JIT for AArch64.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:11:21 +0000 (18:11 +0200)]
libxml2: Update to version 2.15.1
- Update from version 2.15.0 to 2.15.1
- Update of rootfile
- Changelog
2.15.1
Regressions
- parser: Fix attribute normalization and standalone check
Build
- io: Handle clashing error codes on AIX
- Fixed compilation error on GCC versions prior to 4.5 (Lars Erik Wik)
- meson: Fix install dir of man pages
Deprecations
- tree: Undeprecate several struct members
- io: Undeprecate xmlOutputBuffer members
- valid: Undeprecate xmlValidGetPotentialChildren
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:07:55 +0000 (18:07 +0200)]
libarchive: Update to version 3.8.2
- Update from version 3.8.1 to 3.8.2
- Update of rootfile
- Changelog
3.8.2
Security fixes:
7zip: Fix out of boundary access (#2668)
tar reader: fix checking the result of the strftime (#2719, CVE-2025-25724)
Notable bugfixes:
bsdtar: Allow filename to have CRLF endings (#2717)
lib: archive_read_data: handle sparse holes at end of file correctly (#2665)
lib: improve filter process handling (#2659)
lib: fix error checking in writing files (#2672)
lib: handle possible errors from system calls (#2679)
lib: avoid leaking file descriptors into subprocesses (#2707)
lib: parse_date: handle dates in 2038 and beyond if time_t is big enough
(#2742)
RAR5 reader: fix multiple issues in extra field parsing function (#2713)
RAR5 reader: early fail when file declares data for a dir entry (#2716)
tar writer: fix replacing a regular file with a dir for
ARCHIVE_EXTRACT_SAFE_WRITES (#2477)
tar reader (Windows): check WCS pathname in header_gnutar before
overwriting (#2740)
tar reader: fix an infinite loop when parsing V headers (#2737)
zip writer: fix a memory leak if write callback error early (#2664)
zip writer: fix writing with ZSTD compression (#2670)
zstd write filter: enable Zstandard's checksum feature (#2678)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 16:02:40 +0000 (18:02 +0200)]
less: Update to version 685
- Update from version 679 to 685
- No change to rootfile
- Changelog
685
* Add --cmd option (github #624).
* Add LESS_TERMCAP_SUSPEND and LESS_TERMCAP_RESUME (github #654).
* Change --incsearch so that after typing each character of the pattern,
the search begins at the position where the search command was invoked,
not the current position (github #640).
* Allow mixing of option arguments and filename arguments on the
command line unless POSIXLY_CORRECT is set (github #653).
* Don't output U+00AD and U+200D, and fix some bugs handling emoji
modifier characters (github #637).
* Fix hang if a search using ^S modifier matches empty string (github #634).
* Fix bug using -g and -J (github #636).
* Fix bug when pasting a search pattern while --incsearch is active
(github #635).
* Fix bug in Windows build when autorepeating a search pattern (github #639).
* Fix lesskey bug using #stop directive.
* Fix lesskey bug using "invalid" action (github #643).
* Fix bug causing file to appear to end prematurely if an input command
was received during a file read (github #649).
* Fix performance issue in & filtering (github #638). Problem was introduced
in da2a9ecdf16beb642d0c030e35f0351c5f2e5a12 and released in less-673.
* Fix some problems reported by valgrind (github #659, github #660, github #661).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 15:55:49 +0000 (17:55 +0200)]
shairport-sync: Update to version 4.3.7 to work with ffmpeg-8.0
- Update from version 4.3.4 to 4.3.7
- No change to rootfile
- Changelog
4.3.7
This update comprises updates to GitHub Actions used for testing and for
building Docker. It also includes a small update to the Docker images: the
curl tool is included to facilitate automations.
No other changes have been made relative to the previous release, Version 4.3.6.
4.3.6
Bug Fix
Fix a potential bug (no issues reported) by checking that a buffer is not
zero before attempting to deallocate it.
Documentation Updates
Show how to use MQTTThing with Homebridge to represent Shairport Sync’s
active status.
Correct and clarify the statistics documentation.
The descriptions of Net Sync PPM and All Sync PPM were partly swapped
-- this has been corrected.
Generally clarify the language and harmonize the wording with the
introduction.
Fix a typo in the configuration file.
Docker Build Optimisation
Improve the Dockerfile build sequences as follows:
Build each dependency in a separate stage, facilitating parallel builds.
Define default value for ARGS, permitting easier local docker builds.
Clone the specified branch only, and to a depth of 1, thus getting
relevant data faster.
Copy files in a one-off command, reducing the amount of Docker layers
created.
4.3.5
Enhancements
Add Home Assistant MQTT Auto-Discovery and active/playing State Messages.
Send pvol metadata on mute.
Ensure the PipeWire backend is initially inactive and that it goes active
at the start of a play session and inactive at the end. This is to
facilitate external activity-monitoring software. Note that in
AirPlay 2, play often stops momentarily between tracks, and so there
will be momentary changes from active to inactive and back to active
again in the PipeWire backend. This may change as the backend improves.
Update comments in the sndio section of the sample configuration file.
Docker Enhancements
The AirPlay 2 Docker image now incorporates the PipeWire backend.
Bug Fixes
Update the sndio backend (native to OpenBSD, also used in FreeBSD) to deal
with an intermittent bug. Specifically, use an explicit is_running
flag to keep track of the playing status of the backend.
Fix a bug in the Jack Audio backend. If the system's Jack Audio server was
running at anything other than 44,100 frames per second, the delay
information being returned by the backend was incorrect.
Fix an incompatibility with the recently-introduced FFmpeg version 7.
Stop advertising the SFTP and SSH services on Bonjour.
Deprecations
The soundio backend is deprecated and will be removed in a future update.
It seems that nobody is using it, and as it stands it is very inflexible.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 25 Oct 2025 15:55:48 +0000 (17:55 +0200)]
ffmpeg: Update to version 8.0
- Update from version 7.1.1 to 8.0
- Update of rootfile
- Due to sobump from ffmpeg, mpd and minidlna must be shipped.
- Due to changes in ffmpeg, shairport-sync has to be updated to work with this version
- Changelog
8.0
- Whisper filter
- Drop support for OpenSSL < 1.1.0
- Enable TLS peer certificate verification by default (on next major version bump)
- yasm support dropped, users need to use nasm
- VVC VAAPI decoder
- RealVideo 6.0 decoder
- OpenMAX encoders deprecated
- libx265 alpha layer encoding
- ADPCM IMA Xbox decoder
- Enhanced FLV v2: Multitrack audio/video, modern codec support
- Animated JPEG XL encoding (via libjxl)
- VVC in Matroska
- CENC AV1 support in MP4 muxer
- pngenc: set default prediction method to PAETH
- APV decoder and APV raw bitstream muxing and demuxing
- APV parser
- APV encoding support through a libopenapv wrapper
- VVC decoder supports all content of SCC (Screen Content Coding):
IBC (Inter Block Copy), Palette Mode and ACT (Adaptive Color Transform)
- G.728 decoder
- pad_cuda filter
- Sanyo LD-ADPCM decoder
- APV in MP4/ISOBMFF muxing and demuxing
- OpenHarmony hardware decoder/encoder
- Colordetect filter
- Add vf_scale_d3d11 filter
- No longer disabling GCC autovectorization, on X86, ARM and AArch64
- VP9 Vulkan hwaccel
- AV1 Vulkan encoder
- ProRes RAW decoder
- ProRes RAW Vulkan hwaccel
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Should anyone wonder where 9.20.14 has gone:
"The BIND 9.20.14 release was withdrawn after the discovery of a regression
in a security fix in it during pre-release testing."
"Notes for BIND 9.20.15
Security Fixes
DNSSEC validation fails if matching but invalid DNSKEY is found.
(CVE-2025-8677)
Previously, if a matching but cryptographically invalid key was
encountered during DNSSEC validation, the key was skipped and not
counted towards validation failures. named now treats such DNSSEC keys
as hard failures and the DNSSEC validation fails immediately, instead
of continuing with the next DNSKEYs in the RRset.
ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
Security and Privacy Laboratory at Nankai University for bringing this
vulnerability to our attention. [GL #5343]
Address various spoofing attacks. (CVE-2025-40778)
Previously, several issues could be exploited to poison a DNS cache
with spoofed records for zones which were not DNSSEC-signed or if the
resolver was configured to not do DNSSEC validation. These issues were
assigned CVE-2025-40778 and have now been fixed.
As an additional layer of protection, named no longer accepts DNAME
records or extraneous NS records in the AUTHORITY section unless these
are received via spoofing-resistant transport (TCP, UDP with DNS
cookies, TSIG, or SIG(0)).
ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
Duan from Tsinghua University for bringing this vulnerability to our
attention. [GL #5414]
Cache-poisoning due to weak pseudo-random number generator.
(CVE-2025-40780)
It was discovered during research for an upcoming academic paper that a
xoshiro128** internal state can be recovered by an external 3rd party,
allowing the prediction of UDP ports and DNS IDs in outgoing queries.
This could lead to an attacker spoofing the DNS answers with great
efficiency and poisoning the DNS cache.
The internal random generator has been changed to a cryptographically
secure pseudo-random generator.
ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from
Hebrew University of Jerusalem for bringing this vulnerability to our
attention. [GL #5484]
New Features
Add dnssec-policy keys configuration check to named-checkconf.
A new option -k was added to named-checkconf that allows checking the
dnssec-policy keys configuration against the configured key stores. If
the found key files are not in sync with the given dnssec-policy, the
check will fail.
This is useful to run before migrating to dnssec-policy. [GL #5486]
Bug Fixes
Missing DNSSEC information when CD bit is set in query.
The RRSIGs for glue records were not being cached correctly for CD=1
queries. This has been fixed. [GL #5502]
rndc sign during ZSK rollover will now replace signatures.
When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
rndc sign command now signs the zone completely with the successor key,
replacing all zone signatures from the predecessor key with new ones.
[GL #5483]
Use signer name when disabling DNSSEC algorithms.
disable-algorithms could cause DNSSEC validation failures when the
parent zone was signed with the algorithms that were being disabled for
the child zone. This has been fixed; disable-algorithms now works on a
whole-of-zone basis.
If the zone's name is at or below the disable-algorithms name the
algorithm is disabled for that zone, using deepest match when there are
multiple disable-algorithms clauses. [GL #5165]
Preserve cache when reload fails and reload the server again.
This fixes an issue where failing to reconfigure/reload the server
would fail to preserve the views' caches for subsequent server
reconfigurations/reloads. [GL #5523]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 24 Oct 2025 16:42:55 +0000 (18:42 +0200)]
nasm: Use only with x86_64
- nasm is linked in to syslinux and libjpeg.
- libjpeg will only require nasm if CET has been enabled in glibc and the architecture is
x86_64. CET is not enabled in IPFire, therefore libjpeg does not require nasm for
building in x86_64 and is not required at all for libjpeg under aarch64 or riscv64
- syslinux requires nasm to build but only in x86_64.
- This patch sets the supported architecture to x86_64 only. The build of nasm will be
skipped in aarch64 and riscv64.
- The x86_64 build ran as normal. The build was also tested for aarch64 and the build of
nasm was skipped. syslinux is skipped and libjpeg built successfully confirming that
nasm does not need to be built for aarch64 or riscv64.
- The patch is removed as it is only required for building nasm for an arm architecture
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Wed, 22 Oct 2025 15:34:23 +0000 (17:34 +0200)]
wlanap.cgi: Save IEEE80211W 'optional' value correctly
The v1 patch used defined-or (//), which allowed arbitrary values to be written.
This v2 patch validates that IEEE80211W is one of 'off',
'optional', or 'on', defaulting to 'off' if invalid.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 20 Oct 2025 10:48:29 +0000 (12:48 +0200)]
proxy.cgi: Mitigation for CVE-2025-62168 on squid
- The full fix for CVE-2025-62168 is in version squid-7.2
- However there are a lot of changes in squid from version 6 to 7 with all the error
language files no longer provided directly, they have to be obtained from separate
language packs now. Also several tools like cachemgr.cgi have been removed as the
options can be obtained via different approaches.
- I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some
time to be sure it is working properly.
- In the interim, this patch adds the mitigation "email_err_data off" into squid.conf
that is referenced in the CVE report.
- If someone else has already worked on squid-7.2 and has it ready to go now or soon,
then this patch can be dropped.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Oct 2025 11:09:24 +0000 (13:09 +0200)]
suricata: Support Zabbix requirements
- The Zabbix addon will use the unix socket and also the suricatasc tool.
- Update configure to enable unix-socket
- Update rootfile to uncomment suricatasc
- This v2 version also sets the unix socket to yes in suricata.yaml
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Oct 2025 11:03:49 +0000 (13:03 +0200)]
clamav: Update to version 1.5.1
- Update from version 1.5.0 to 1.5.1
- No change in rootfile
- Changelog
1.5.1
- Fixed a significant performance issue when scanning some PE files.
- Fixed an issue recording file entries from a ZIP archive central directory
which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the
ClamScan `--alert-exceeds-max` command line option or ClamD `AlertExceedsMax`
config file option.
- Improved performance when scanning TNEF email attachments.
- Fixed an issue with recording metadata for OOXML office documents.
- Fixed an issue with signature matches for VBA in OLE2 office documents.
- Loosened overly restrictive rules for embedded file identification and
increased the limit for finding PE files embedded in other PE files.
- Fixed an issue with extracting some RAR archives embedded in other files.
- Fixed an issue with calculating fuzzy hashes affecting some images by updating
the version for several Rust library dependencies.
- This release does not require a newer version of the Rust compiler toolchain
than what was required for ClamAV 1.5.0.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 16:32:06 +0000 (18:32 +0200)]
openssl: Update to version 3.6.0
- Update from version 3.5.4 to 3.6.0
- Update of rootfile
- The changelog mentions that some changes might be significant or incompatible in
certain situations. I had a look through it and didn't believe that these would
apply to IPFire but it would be good for someone else to confirm.
- What I did do was to install this version of openssl into my vm testbed and then
tested out running openvpn rw & n2n. Everything worked fine.
- I then cleared the x509 root/host certificate set and then created a new one followed
by new client certificates. All these were successfully created without any issues.
- Changelog
3.6.0
Feature release adding significant new functionality to OpenSSL.
This release incorporates the following potentially significant or incompatible
changes:
Added NIST security categories for PKEY objects.
Added support for EVP_SKEY opaque symmetric key objects to the key
derivation and key exchange provider methods. Added EVP_KDF_CTX_set_SKEY(),
EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY() functions.
Added LMS signature verification support as per [SP 800-208].
This support is present in both the FIPS and default providers.
An ANSI-C toolchain is no longer sufficient for building OpenSSL.
The code should be built using compilers supporting C-99 features.
Support for the VxWorks platforms has been removed.
Added an openssl configutl utility for processing the OpenSSL
configuration file and dumping the equal configuration file.
Added support for FIPS 186-5 deterministic ECDSA signature
generation to the FIPS provider.
Deprecated EVP_PKEY_ASN1_METHOD-related functions.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:08:00 +0000 (15:08 +0200)]
vim: Update to version 9.1.1854
- Update from version 9.1.1406 to 9.1.1854
- Update of rootfile
- Changelog is not available. Generally each patch version number update is related to
a commit entry in the git repository. The details for all the commit changes can be
found at https://github.com/vim/vim/commits/master/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:07:58 +0000 (15:07 +0200)]
openssh: Update to version 10.2p1
- Update from version 10.0p1 to 10.2p1
- No change to rootfile
- Changelog
10.2p1
Future deprecation warning
* A future release of OpenSSH will deprecate support for SHA1 SSHFP
records due to weaknesses in the SHA1 hash function. SHA1 SSHFP
DNS records will be ignored and ssh-keygen -r will generate only
SHA256 SSHFP records.
The SHA256 hash algorithm, which has no known weaknesses, has
been supported for SSHFP records since OpenSSH 6.1, released in
2012.
Bugfixes
* ssh(1): fix mishandling of terminal connections when
ControlPersist was active that rendered the session unusable.
bz3872
* ssh-keygen(1): fix download of keys from PKCS#11 tokens.
* ssh-keygen(1): fix CA signing operations when the CA key is held
in a ssh-agent(1). bz3877
10.1p1
Future deprecation warning
* A future release of OpenSSH will deprecate support for SHA1 SSHFP
records due to weaknesses in the SHA1 hash function. SHA1 SSHFP
DNS records will be ignored and ssh-keygen -r will generate only
SHA256 SSHFP records.
The SHA256 hash algorithm, which has no known weaknesses, has
been supported for SSHFP records since OpenSSH 6.1, released in
2012.
Potentially-incompatible changes
* ssh(1): add a warning when the connection negotiates a non-post
quantum key agreement algorithm.
This warning has been added due to the risk of "store now, decrypt
later" attacks. More details at https://openssh.com/pq.html
This warning may be controlled via a new WarnWeakCrypto ssh_config
option, defaulting to on. This option is likely to control
additional weak crypto warnings in the future.
* ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS
In both client and server the default DSCP (a.k.a IPQoS) values
were revised and the way these values are used during runtime has
changed.
Interactive traffic is now assigned to the EF (Expedited
Forwarding) class by default. This provides more appropriate
packet prioritisation information for the intermediate network,
such as wireless media (cf. RFC 8325). Non-interactive traffic
will now use the operating system default DSCP marking. Both the
interactive and non-interactive DSCP values may be overridden via
the IPQoS keyword, described in ssh_config(5) and sshd_config(5).
The appropriate DSCP marking is now automatically selected and
updated as needed over the course of a connection's lifetime.
ssh(1) and sshd(8) will switch between the interactive and
non-interactive IPQoS values depending on the type of SSH
channels open at the time. For example, if an sftp session is
using the connection alongside a shell session, then the non-
interactive value will be used for the duration of the sftp. A
connection which contains only interactive sessions is marked EF.
* ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
keywords in the IPQoS configuration directive.
Type of Service (ToS) was deprecated in the late nineties and
replaced with the Differentiated Services architecture, which
has significant advantages for operators because it offers more
granularity.
OpenSSH switched its default IPQoS from ToS to DSCP values in
2018 (openssh-7.7).
IPQoS configurations with 'lowdelay', 'reliability', or
'throughput' will be ignored and will instead use the system
default QoS settings. Additionally, a debug message will be logged
about the deprecation with a suggestion to use DSCP QoS instead.
* ssh-add(1): when adding certificates to an agent, set the expiry
to the certificate expiry time plus a short (5 min) grace period.
This will cause the agent to automatically remove certificates
shortly after they expire. A new ssh-add -N option disables this
behaviour.
* All: remove experimental support for XMSS keys. This was never
enabled by default. We expect to implement a new post-quantum
signature scheme in the near future.
* ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
in sshd(8).
This ensures processes that have restricted filesystem access
that includes /tmp do not ambiently have the ability to use keys
in an agent.
Moving the default directory has the consequence that the OS will
no longer clean up stale agent sockets, so ssh-agent now gains
this ability.
To support $HOME on NFS, the socket path includes a truncated
hash of the hostname. ssh-agent will, by default, only clean up
sockets from the same hostname.
ssh-agent(1) gains some new flags: -U suppresses the automatic
cleanup of stale sockets when it starts. -u forces a cleanup
without keeping a running agent, -uu forces a cleanup that ignores
the hostname. -T makes ssh-agent put the socket back in /tmp.
Security
* ssh(1): disallow control characters in usernames passed via the
commandline or expanded using %-sequences from the configuration
file, and disallow \0 characters in ssh:// URIs.
If an ssh(1) commandline was constructed using usernames or URIs
obtained from an untrusted source, and if a ProxyCommand that uses
the %r expansion was configured, then it may be possible for an
attacker to inject shell expressions that may be executed when the
proxy command is started.
We strongly recommend against using untrusted inputs to construct
ssh(1) commandlines.
This change also relaxes the validity checks in one small way:
usernames supplied via the configuration file as literals (i.e.
that have no % expansion characters) are not subject to these
validity checks. This allows usernames that contain arbitrary
characters to be used, but only via configuration files. This is
done on the basis that ssh's configuration is trusted.
New features
* ssh(1), sshd(8): add SIGINFO handlers to log active channel and
session information.
* sshd(8): when refusing a certificate for user authentication, log
enough information to identify the certificate in addition to the
reason why it was being denied. Makes debugging certificate
authorisation problems a bit easier.
* ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
tokens.
* ssh(1): add an ssh_config(5) RefuseConnection option that, when
encountered while processing an active section in a
configuration, terminates ssh(1) with an error message that
contains the argument to the option.
This may be useful for expressing reminders or warnings in config
files, for example:
Match host foo
RefuseConnection "foo is deprecated, use splork instead"
* sshd(8): make the X11 display number check relative to
X11DisplayOffset. This will allow people to use X11DisplayOffset
to configure much higher port ranges if they really want, while
not changing the default behaviour.
* unit tests: the unit test framework now includes some basic
benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes"
on OpenBSD or "make unit-bench" on Portable OpenSSH.
Bugfixes
* sshd(8): fix mistracking of MaxStartups process exits in some
situations. At worst, this could cause all MaxStartups slots to
fill and sshd to refuse new connections.
* ssh(1): fix delay on X client startup when ObscureKeystrokeTiming
is enabled. bz#3820
* sshd(8): increase the maximum size of the supported configuration
from 256KB to 4MB, which ought to be enough for anybody. Fail
early and visibly when this limit is breached. bz3808
* sftp(1): during sftp uploads, avoid a condition where a failed
write could be ignored if a subsequent write succeeded. This is
unlikely but technically possible because sftp servers are
allowed to reorder requests.
* sshd(8): avoid a race condition when the sshd-auth process exits
that could cause a spurious error message to be logged.
* sshd(8): log at level INFO when PerSourcePenalties actually
blocks access to a source address range. Previously this was
logged at level VERBOSE, which hid enforcement actions under
default config settings.
* sshd(8): GssStrictAcceptor was missing from sshd -T output; fix
* sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
first-match-wins as advertised. bz3859
* ssh(1): fix an incorrect return value check in the local forward
cancellation path that would cause failed cancellations not to be
logged.
* sshd(8): make "Match !final" not trigger a second parsing pass
of ssh_config (unless hostname canonicalisation or a separate
"Match final" does). bz3843
* ssh(1): better debug diagnostics when loading keys. Will now list
key fingerprint and algorithm (not just algorithm number) as well
as making it explicit which keys didn't load.
* All: fix a number of memory leaks found by LeakSanitizer,
Coverity and manual inspection.
* sshd(8): Output the current name for PermitRootLogin's
"prohibit-password" in sshd -T instead of its deprecated alias
"without-password". bz#3788
* ssh(1): make writing known_hosts lines more atomic by writing
the entire line in one operation and using unbuffered stdio.
Usually writes to this file are serialised on the "Are you sure
you want to continue connecting?" prompt, but if host key
checking is disabled and connections were being made with high
concurrency then interleaved writes might have been possible.
Portability
* sshd(8): check the username didn't change during the PAM
transactions.
PAM modules can change the user during their execution, but
this is not supported by sshd(8). If such a case was incorrectly
configured by the system administrator, then sshd(8) could end up
using a different username to the one authorised by PAM.
* sshd(8): don't log audit messages with UNKNOWN hostname to avoid
slow DNS lookups in the audit subsystem.
* All: when making a copy of struct passwd, ensure struct fields are
non-NULL. Android libc can return NULL pw_gecos, for example.
* All: Remove status bits from OpenSSL >=3 version check.
* sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun
forwarding from other OSes fails as soon as the first IPv6 message
is sent by the other side (which is usually a Router Solicitation
ICMPv6 message which is sent as soon as the interface is up).
* ssh(1), ssh-agent(8): check for nlist function presence before
attempting to use it instead of relying on the presence of the
nlist.h header. Mac OS X, for example, has the header but not
the function in the 64bit libraries.
* All: fill in missing system header files.
Create replacement header files inside openbsd-compat for common
headers that are missing on a given platform. Usually these are
just empty, but in some cases they'll include the equivalent file.
This avoids having to wrap those includes in '#ifdef HAVE_FOO_H'
and reduces the diff between Portable OpenSSH and OpenBSD.
* sshd(8): handle futex_time64 properly in seccomp sandbox
Previously we only allowed __NR_futex, but some 32-bit systems
apparently support __NR_futex_time64. We had support for this
in the sandbox, but because of a macro error only __NR_futex was
allowlisted.
* Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
* sshd(8): let ga_init() fail gracefully if getgrouplist does.
Apparently getgrouplist() can fail on OSX when passed a
non-existent group name. Other platforms seem to return a group
list consisting of the numeric gid passed to the function. bz3848
* ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
preventing a graceful shutdown of an agent via systemd from
incorrectly marking the service as "failed".
* build: wrap some autoconf macros in AC_CACHE_CHECK.
This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
or linker flags. E.g.
$ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
[...]
checking if cc supports compile flag -fzero-call-used-regs=used
and linking succeeds... (cached) no
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
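The Security item in the 10.1p1 notes above (control characters in usernames from the command line or %-expansion, NUL bytes in ssh:// URIs, and the relaxation for literal usernames from a trusted config) rests on one validation rule applied before a ProxyCommand is expanded. The following is an added Python illustration of that rule written for this page; it is not OpenSSH's own C code. The function names, the user_from_config flag standing in for "username is a literal in the configuration file", the %r/%h/%p/%% token subset and the sample command lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# ASCII control characters (NUL through US, plus DEL) that must never reach a
# shell-expanded ProxyCommand through the %r token.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def username_is_valid(user):
    """True for a non-empty username containing no ASCII control characters."""
    return bool(user) and CONTROL_CHARS.search(user) is None


def parse_ssh_uri(uri):
    """Parse ssh://[user@]host[:port] into a dict, applying the same checks.

    A NUL byte anywhere in the URI is rejected outright.  A percent-encoded
    control character in the user part is decoded first and then rejected
    by username_is_valid(), so encoding does not bypass the check.
    """
    if "\x00" in uri:
        raise ValueError("NUL byte in ssh:// URI")
    parts = urlsplit(uri)
    if parts.scheme != "ssh" or not parts.hostname:
        raise ValueError("expected ssh://[user@]host[:port]")
    user = unquote(parts.username) if parts.username is not None else None
    if user is not None and not username_is_valid(user):
        raise ValueError("control character in URI username")
    return {"user": user, "host": parts.hostname, "port": parts.port or 22}


def expand_proxy_command(template, user, host, port, user_from_config=False):
    """Expand the %r, %h, %p and %% tokens of a ProxyCommand template.

    Usernames that came from the command line or a URI are validated before
    expansion.  user_from_config=True (an assumption standing in for "literal
    username in ssh_config with no % tokens") skips the check, mirroring the
    relaxation in the release note: the configuration file is trusted.
    """
    if not user_from_config and not username_is_valid(user):
        raise ValueError("refusing to expand %r with a control character")
    tokens = {"r": user, "h": host, "p": str(port), "%": "%"}

    def substitute(match):
        key = match.group(1)
        if key not in tokens:
            raise ValueError("unsupported token %" + key)
        return tokens[key]

    return re.sub(r"%(.)", substitute, template)
```

The check runs before expansion rather than after, because once %r has been substituted into a string that sh -c will execute there is no reliable way to tell the username's bytes from the command's own.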
Adolf Belka [Tue, 14 Oct 2025 13:07:57 +0000 (15:07 +0200)]
libgpg-error: Update to version 1.56
- Update from version 1.54 to 1.56
- Update of rootfile
- Changelog
1.56
* Support the %b conversion specifier in the estream printf
functions. [rE6ac5332e4f]
* New spawn GPGRT_PROCESS_STDIO_NUL to be used on Windows to share
the "nul" device. [T7723]
* Support pipe I/O for GPGRT_PROCESS_DETACHED on Windows. [T7716]
* New mode keyword "share=xxx" for gpgrt_fopen. [rE461cb5a8ea]
* Change the default method to get the number of fds to close. This
fixes a spawning problem on certain POSIX machines. [T7696]
* Fix some cases of inheriting HANDLEs on Windows. [T7716]
* New system configurations for 64-bit Android, i686 Android, x86_64
Android and an armv7a alias to arm for Android.
* Set build specific build variable for zOS [rE7ee191f54c]
* Interface changes relative to the 1.55 release:
GPG_ERR_UNEXPECTED_PACKET NEW.
GPGRT_PROCESS_STDIO_NUL NEW.
1.55
* Rewrite the extended length path handling under Windows.
[T5754,rEfba44d619d]
* Add new test commands to the gpg-error tool. Allow command w/o
dashes and reformat the help. [rEc002490a8f]
* Silence warning from gcc 15. [T7621]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:07:56 +0000 (15:07 +0200)]
kbd: Update to version 2.9.0
- Update from version 2.8.0 to 2.9.0
- Update of rootfile
- Changelog
2.9.0
keymaps:
Add console keymap for Mac swiss german keyboards.
libkbdfile:
Detect archive type based on content.
Add support for decompressing files without using utilities. Use
ELF_DLOPEN_METADATA if possible.
utils:
loadkeys: Add --tkeymap to dump the keymap as text.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 14 Oct 2025 13:07:54 +0000 (15:07 +0200)]
fetchmail: Update to version 6.5.6
- Update from version 6.5.5 to 6.5.6
- No change to rootfile
- Changelog
6.5.6
SECURITY BUGFIX:
* fetchmail-SA-2025-01.txt: CVE pending assignment by MITRE
If an SMTP server advertises EHLO and AUTH, and fetchmail is configured to
authenticate (esmtpname and esmtppassword given and non-empty), the server
might crash fetchmail by sending a "334" response without further blank to
fetchmail's AUTH request. This is in violation of applicable RFC-4952 though.
Fetchmail now detects this situation and reports it separately as
malformed server reply.
Fetchmail 6.5.6 has been released without waiting for translation updates
or CVE identifier, these will be provided in followup releases.
BUGFIXES:
* RFC-5321: When the --smtpaddress, --smtphost, --smtpname, -D or -S argument
is a numeric address literal such as 192.0.2.2 or 2001:0DB8::4321, properly
format that as such in the SMTP RCPT command as user@[192.0.2.2] or
user@[IPv6:2001:0DB8::4321].
* When printing output on the console while fetching mail, do not intersperse
another copy of our program name and date in the middle of a log line.
Workaround for older versions: --logfile /dev/tty (might also use
--logfile /dev/stderr) - but note this changes buffering behavior and may
cause output to appear later and without ticker marks.
* A few low-priority memory leaks in the command-line options parser were
fixed. Since this parser runs only once, leaks are harmless.
* Some minor code cleanups and robustness fixes were made, and we should
see fewer compiler warnings as a result.
CHANGES:
* Given the slow update schedules of some distributions, already add code
that checks if time_t() is good beyond the year 2038,
meaning time_t is either unsigned (which would last until 2106) or
64 bits wide. If the system isn't safe, warn on every launch of fetchmail
beginning 2028-01-01 at 00:00 GMT so users have 10 years to plan.
Fetchmail will also print a warning if time(time_t *t) overflows.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
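Two items in the 6.5.6 notes above describe concrete wire-format handling: the bare "334" AUTH reply that must be reported as malformed rather than crash the client, and the RFC 5321 address-literal form of the RCPT TO domain part. The following is an added Python illustration of both, written for this page; it is not fetchmail's own C code. The MalformedReply class, the function names, the reply-line grammar (my reading of RFC 5321: a 3-digit code, optionally followed by a space or hyphen and text) and the sample reply lines are assumptions constructed for the example.

```python
import base64
import binascii
import ipaddress
import re


class MalformedReply(ValueError):
    """A server reply the client should report, not act on."""


# Constructed reading of the RFC 5321 reply line: 3-digit code, optionally
# followed by a space (final line) or hyphen (continuation) and text.
_REPLY_RE = re.compile(rb"^(\d{3})(?:([ -])(.*))?$")


def parse_reply(line):
    """Split one SMTP reply line into (code, separator, text).

    The separator is b"" when the server sent a bare code, which is the
    shape that crashed fetchmail when it followed an AUTH command.
    """
    match = _REPLY_RE.match(line.rstrip(b"\r\n"))
    if match is None:
        raise MalformedReply("not an SMTP reply line: %r" % line)
    code, sep, text = match.groups()
    return int(code), sep or b"", text or b""


def auth_challenge(line):
    """Return the decoded SASL challenge from the reply to an AUTH command.

    A well-formed challenge is "334 " followed by a (possibly empty) base64
    string.  A bare "334" with no blank, or text that is not base64, raises
    MalformedReply instead of being indexed past its end.
    """
    code, sep, text = parse_reply(line)
    if code != 334:
        raise MalformedReply("expected 334 challenge, got %d" % code)
    if sep != b" ":
        raise MalformedReply('"334" reply without the separating blank')
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error as err:
        raise MalformedReply("challenge is not valid base64: %s" % err)


def smtp_domain(host):
    """Format the domain part of an SMTP path as RFC 5321 requires.

    Numeric addresses become address literals, [192.0.2.2] for IPv4 and
    [IPv6:2001:0DB8::4321] for IPv6; domain names and literals that are
    already bracketed are returned unchanged.
    """
    if host.startswith("[") and host.endswith("]"):
        return host
    try:
        address = ipaddress.ip_address(host)
    except ValueError:
        return host  # a domain name, used as-is
    return "[%s]" % host if address.version == 4 else "[IPv6:%s]" % host


def rcpt_to(local_part, host):
    """Build the RCPT TO command for local_part delivered at host."""
    return "RCPT TO:<%s@%s>" % (local_part, smtp_domain(host))
```

Keeping the separator as a distinct field in parse_reply() is what makes the AUTH case cheap to detect: the generic parser accepts a bare code, and only the caller that knows a challenge must follow insists on the blank.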
Adolf Belka [Tue, 14 Oct 2025 13:07:53 +0000 (15:07 +0200)]
btrfs-progs: Update to version 6.17
- Update from version 6.16 to 6.17
- No change to rootfile
- Changelog
6.17
* inspect list-chunks: more sorting keys, descending order
* fi resize: add support for offline (unmounted) growing of single device
* device stats: add support for offline (unmounted) reads
* quota status: new command, overview what mode is enabled, tunables
* fi commit-stats: new command, print various commit stats from sysfs (since
kernel 6.1)
* balance start: print warning and delay start if there's a missing device
in the filesystem
* mkfs:
  * print zoned mode (native, emulated)
* check:
  * verify device bytes in super block item and in chunk tree
* other
  * updated CI, new and updated tests
  * cleanups, refactoring
  * documentation updates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 25 Sep 2025 17:56:33 +0000 (17:56 +0000)]
kernel: Disable preemption debugging
From the kernel configuration:
If you say Y here then the kernel will use a debug variant of the
commonly used smp_processor_id() function and will print warnings
if kernel code uses it in a preemption-unsafe way. Also, the kernel
will detect preemption count underflows.
This option has potential to introduce high runtime overhead,
depending on workload as it triggers debugging routines for each
this_cpu operation. It should only be used for debugging purposes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 13 Oct 2025 10:39:52 +0000 (12:39 +0200)]
rust: Update to version 1.85.0
- Update from version 1.83.0 to 1.85.0
- The latest version of rust is at 1.90.0 but that version requires some existing rust
modules to also be updated. I will do that as a separate step once this patch is
in place.
- Update of rootfiles for all three architectures.
- Changelog
1.85.0
Language
The 2024 Edition is now stable. See the edition guide for more details.
Stabilize async closures. See RFC 3668 for more details.
Stabilize #[diagnostic::do_not_recommend]
Add unpredictable_function_pointer_comparisons lint to warn against
function pointer comparisons
Lint on combining #[no_mangle] and #[export_name] attributes.
Compiler
The unstable flag -Zpolymorphize has been removed, see
https://github.com/rust-lang/compiler-team/issues/810 for some
background.
Platform Support
Promote powerpc64le-unknown-linux-musl to tier 2 with host tools
Refer to Rust’s platform support page for more information on Rust’s
tiered platform support.
Libraries
Panics in the standard library now have a leading library/ in their path
std::env::home_dir() on Windows now ignores the non-standard $HOME
environment variable
It will be un-deprecated in a subsequent release.
Add AsyncFn* to the prelude in all editions.
Stabilized APIs
BuildHasherDefault::new
ptr::fn_addr_eq
io::ErrorKind::QuotaExceeded
io::ErrorKind::CrossesDevices
{float}::midpoint
Unsigned {integer}::midpoint
NonZeroU*::midpoint
impl std::iter::Extend for tuples with arity 1 through 12
FromIterator<(A, ...)> for tuples with arity 1 through 12
std::task::Waker::noop
These APIs are now stable in const contexts:
mem::size_of_val
mem::align_of_val
Layout::for_value
Layout::align_to
Layout::pad_to_align
Layout::extend
Layout::array
std::mem::swap
std::ptr::swap
NonNull::new
HashMap::with_hasher
HashSet::with_hasher
BuildHasherDefault::new
<float>::recip
<float>::to_degrees
<float>::to_radians
<float>::max
<float>::min
<float>::clamp
<float>::abs
<float>::signum
<float>::copysign
MaybeUninit::write
Cargo
Add future-incompatibility warning against keywords in cfgs and add
raw-idents
Stabilize higher precedence trailing flags
Pass CARGO_CFG_FEATURE to build scripts
Rustdoc
Doc comment on impl blocks shows the first line, even when the impl block
is collapsed
Compatibility Notes
rustc no longer treats the test cfg as a well known check-cfg, instead it
is up to the build systems and users of --check-cfg to set it as a
well known cfg using --check-cfg=cfg(test).
This is done to enable build systems like Cargo to set it conditionally,
as not all source files are suitable for unit tests. Cargo (for now)
unconditionally sets the test cfg as a well known cfg.
Disable potentially incorrect type inference if there are trivial and
non-trivial where-clauses
std::env::home_dir() has been deprecated for years, because it can give
surprising results in some Windows configurations if the HOME
environment variable is set (which is not the normal configuration on
Windows). We had previously avoided changing its behavior, out of
concern for compatibility with code depending on this non-standard
configuration. Given how long this function has been deprecated, we’re
now fixing its behavior as a bugfix. A subsequent release will remove
the deprecation for this function.
Make core::ffi::c_char signedness more closely match that of the
platform-default char
This changed c_char from an i8 to u8 or vice versa on many Tier 2 and 3
targets (mostly Arm and RISC-V embedded targets). The new definition
may result in compilation failures but fixes compatibility issues with C.
The libc crate matches this change as of its 0.2.169 release.
When compiling a nested macro_rules macro from an external crate, the
content of the inner macro_rules is now built with the edition of the
external crate, not the local crate.
Increase sparcv9-sun-solaris and x86_64-pc-solaris Solaris baseline to 11.4.
Show abi_unsupported_vector_types lint in future breakage reports
Error if multiple super-trait instantiations of dyn Trait need associated
types to be specified but only one is provided
Change powerpc64-ibm-aix default codemodel to large
Internal Changes
These changes do not affect any public interfaces of Rust, but they
represent significant improvements to the performance or internals of
rustc and related tools.
Build x86_64-unknown-linux-gnu with LTO for C/C++ code (e.g., jemalloc)
1.84.1
Fix ICE 132920 in duplicate-crate diagnostics.
Fix errors for overlapping impls in incremental rebuilds.
Fix slow compilation related to the next-generation trait solver.
Fix debuginfo when LLVM’s location discriminator value limit is exceeded.
Fixes for building Rust from source:
Only try to distribute llvm-objcopy if llvm tools are enabled.
Add Profile Override for Non-Git Sources.
Resolve symlinks of LLVM tool binaries before copying them.
Make it possible to use ci-rustc on tarball sources.
1.84.0
Language
Allow #[deny] inside #[forbid] as a no-op
Show a warning when -Ctarget-feature is used to toggle features that can
lead to unsoundness due to ABI mismatches
Use the next-generation trait solver in coherence
Allow coercions to drop the principal of trait objects
Support / as the path separator for include!() in all cases on Windows
Taking a raw ref (raw (const|mut)) of a deref of a pointer (*ptr) is now safe
Stabilize s390x inline assembly
Stabilize Arm64EC inline assembly
Lint against creating pointers to immediately dropped temporaries
Execute drop glue when unwinding in an extern "C" function
Compiler
Add --print host-tuple flag to print the host target tuple and affirm the
“target tuple” terminology over “target triple”
Declaring functions with a calling convention not supported on the current
target now triggers a hard error
Set up indirect access to external data for
loongarch64-unknown-linux-{musl,ohos}
Enable XRay instrumentation for LoongArch Linux targets
Extend the unexpected_cfgs lint to also warn in external macros
Stabilize WebAssembly multivalue, reference-types, and tail-call target
features
Added Tier 2 support for the wasm32v1-none target
Libraries
Implement From<&mut {slice}> for Box/Rc/Arc<{slice}>
Move <float>::copysign, <float>::abs, <float>::signum to core
Add LowerExp and UpperExp implementations to NonZero
Implement FromStr for CString and TryFrom<CString> for String
std::os::darwin has been made public
Stabilized APIs
Ipv6Addr::is_unique_local
Ipv6Addr::is_unicast_link_local
core::ptr::with_exposed_provenance
core::ptr::with_exposed_provenance_mut
<ptr>::addr
<ptr>::expose_provenance
<ptr>::with_addr
<ptr>::map_addr
<int>::isqrt
<int>::checked_isqrt
<uint>::isqrt
NonZero::isqrt
core::ptr::without_provenance
core::ptr::without_provenance_mut
core::ptr::dangling
core::ptr::dangling_mut
Pin::as_deref_mut
These APIs are now stable in const contexts
AtomicBool::from_ptr
AtomicPtr::from_ptr
AtomicU8::from_ptr
AtomicU16::from_ptr
AtomicU32::from_ptr
AtomicU64::from_ptr
AtomicUsize::from_ptr
AtomicI8::from_ptr
AtomicI16::from_ptr
AtomicI32::from_ptr
AtomicI64::from_ptr
AtomicIsize::from_ptr
<ptr>::is_null
<ptr>::as_ref
<ptr>::as_mut
Pin::new
Pin::new_unchecked
Pin::get_ref
Pin::into_ref
Pin::get_mut
Pin::get_unchecked_mut
Pin::static_ref
Pin::static_mut
Cargo
Stabilize MSRV-aware resolver config
Stabilize resolver v3
Rustdoc
rustdoc-search: improve type-driven search
Compatibility Notes
Enable by default the LSX target feature for LoongArch Linux targets
The unstable -Zprofile flag (“gcov-style” coverage instrumentation) has
been removed. This does not affect the stable flags for coverage
instrumentation (-Cinstrument-coverage) and profile-guided
optimization (-Cprofile-generate, -Cprofile-use), which are unrelated
and remain available.
Support for the target named wasm32-wasi has been removed as the target is
now named wasm32-wasip1. This completes the transition plan for this
target following the introduction of wasm32-wasip1 in Rust 1.78.
Compiler warnings on use of wasm32-wasi introduced in Rust 1.81 are
now gone as well as the target is removed.
The syntax &pin (mut|const) T is now parsed as a type which in theory
could affect macro expansion results in some edge cases
Legacy syntax for calling std::arch functions is no longer permitted to
declare items or bodies (such as closures, inline consts, or async
blocks).
Declaring functions with a calling convention not supported on the current
target now triggers a hard error
The next-generation trait solver is now enabled for coherence, fixing
multiple soundness issues
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 13 Oct 2025 10:39:51 +0000 (12:39 +0200)]
clamav: Update to version 1.5.0
- Update from version 1.4.3 to 1.5.0
- Update of rootfile
- Required an update to rust as clamav required a rust version with edition2024. Patch
for that combined in this set.
- Changelog
1.5.0
Major changes
- Added checks to determine if an OLE2-based Microsoft Office document is
encrypted.
- Added the ability to record URIs found in HTML if the generate-JSON-metadata
feature is enabled.
Also adds an option to disable this in case you want the JSON metadata
feature but do not want to record HTML URIs.
The ClamScan command-line option is `--json-store-html-uris=no`.
The `clamd.conf` config option is `JsonStoreHTMLURIs no`.
The libclamav general scan option is `CL_SCAN_GENERAL_STORE_HTML_URIS`
- Added the ability to record URIs found in PDFs if the generate-JSON-metadata
feature is enabled.
Also adds an option to disable this in case you want the JSON metadata
feature but do not want to record PDF URIs.
The ClamScan command-line option is `--json-store-pdf-uris=no`.
The `clamd.conf` config option is `JsonStorePDFURIs no`.
The libclamav general scan option is `CL_SCAN_GENERAL_STORE_PDF_URIS`
- Added regex support for the `clamd.conf` `OnAccessExcludePath` config option.
This change courtesy of GitHub user b1tg.
- Added CVD signing/verification with external `.sign` files.
Freshclam will now attempt to download external signature files to accompany
existing `.cvd` databases and `.cdiff` patch files. Sigtool now has commands
to sign and verify using the external signatures.
ClamAV now installs a 'certs' directory in the app config directory
(e.g., `<prefix>/etc/certs`). The install path is configurable.
The CMake option to configure the CVD certs directory is
`-D CVD_CERTS_DIRECTORY=PATH`
New options to set an alternative CVD certs directory:
- The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is
`--cvdcertsdir PATH`
- The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is
`CVD_CERTS_DIR`
- The config option for Freshclam and ClamD is
`CVDCertsDirectory PATH`
Added two new APIs to the public clamav.h header:
```c
cl_error_t cl_cvdverify_ex(
const char *file,
const char *certs_directory,
uint32_t dboptions);
cl_error_t cl_cvdunpack_ex(
const char *file,
const char *dir,
const char *certs_directory,
uint32_t dboptions);
```
The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
Added a `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
You may set this option with `cl_engine_set_str` and get it with
`cl_engine_get_str`, to override the compiled in default CVD certs directory.
Thank you to Mark Carey at SAP for inspiring work on this feature with an
initial proof of concept for external-signature FIPS compliant CVD signing.
- Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like
limits disabling MD5 and SHA1 from being used for verifying digital signatures
or for being used to trust a file when checking for false positives (FPs).
For `freshclam.conf` and `clamd.conf` set this config option:
```
FIPSCryptoHashLimits yes
```
For `clamscan` and `sigtool` use this command-line option:
```
--fips-limits
```
For libclamav: Enable FIPS-limits for a ClamAV engine like this:
```C
cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);
```
ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will
automatically enable the FIPS-limits feature.
This change mitigates safety concerns over the use of MD5 and SHA1 algorithms
to trust files and is required to enable ClamAV to operate legitimately in
FIPS-mode enabled environments.
Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection
purposes or for informational purposes in FIPS-enabled environments and when
the FIPS-limits option is enabled.
- Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5).
The clean-file cache algorithm is not configurable.
This change resolves safety concerns over the use of MD5 to trust files and
is required to enable ClamAV to operate legitimately in FIPS-mode enabled
environments.
- ClamD: Added an option to disable select administrative commands including
`SHUTDOWN`, `RELOAD`, `STATS` and `VERSION`.
The new `clamd.conf` options are:
```
EnableShutdownCommand yes
EnableReloadCommand yes
EnableStatsCommand yes
EnableVersionCommand yes
```
- libclamav: Added extended hashing functions with a "flags" parameter that
allows the caller to choose if they want to bypass FIPS hash algorithm limits:
```c
cl_error_t cl_hash_data_ex(
const char *alg,
const uint8_t *data,
size_t data_len,
uint8_t **hash,
size_t *hash_len,
uint32_t flags);
cl_error_t cl_hash_init_ex(
const char *alg,
uint32_t flags,
cl_hash_ctx_t **ctx_out);
cl_error_t cl_update_hash_ex(
cl_hash_ctx_t *ctx,
const uint8_t *data,
size_t length);
cl_error_t cl_finish_hash_ex(
cl_hash_ctx_t *ctx,
uint8_t **hash,
size_t *hash_len,
uint32_t flags);
void cl_hash_destroy(void *ctx);
cl_error_t cl_hash_file_fd_ex(
const char *alg,
int fd,
size_t offset,
size_t length,
uint8_t **hash,
size_t *hash_len,
uint32_t flags);
```
- ClamScan: Improved the precision of the bytes-scanned and bytes-read counters.
The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB",
or "B" as appropriate. Previously, it always reported "MB".
- ClamScan: Add hash & file-type in/out CLI options:
- `--hash-hint`: The file hash so that libclamav does not need to calculate
it. The type of hash must match the `--hash-alg`.
- `--log-hash`: Print the file hash after each file scanned. The type of hash
printed will match the `--hash-alg`.
- `--hash-alg`: The hashing algorithm used for either `--hash-hint` or
`--log-hash`. Supported algorithms are "md5", "sha1", "sha2-256".
If not specified, the default is "sha2-256".
- `--file-type-hint`: The file type hint so that libclamav can optimize
scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names
such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with
the specified type.
See also: https://docs.clamav.net/appendix/FileTypes.html#file-types
- `--log-file-type`: Print the file type after each file scanned.
We will not be adding this for ClamDScan, as we do not have a mechanism in the
ClamD socket API to receive scan options or a way for ClamD to include scan
metadata in the response.
- libclamav: Added new scan functions that provide additional functionality:
```c
cl_error_t cl_scanfile_ex(
const char *filename,
cl_verdict_t *verdict_out,
const char **last_alert_out,
uint64_t *scanned_out,
const struct cl_engine *engine,
struct cl_scan_options *scanoptions,
void *context,
const char *hash_hint,
char **hash_out,
const char *hash_alg,
const char *file_type_hint,
char **file_type_out);
cl_error_t cl_scandesc_ex(
int desc,
const char *filename,
cl_verdict_t *verdict_out,
const char **last_alert_out,
uint64_t *scanned_out,
const struct cl_engine *engine,
struct cl_scan_options *scanoptions,
void *context,
const char *hash_hint,
char **hash_out,
const char *hash_alg,
const char *file_type_hint,
char **file_type_out);
cl_error_t cl_scanmap_ex(
cl_fmap_t *map,
const char *filename,
cl_verdict_t *verdict_out,
const char **last_alert_out,
uint64_t *scanned_out,
const struct cl_engine *engine,
struct cl_scan_options *scanoptions,
void *context,
const char *hash_hint,
char **hash_out,
const char *hash_alg,
const char *file_type_hint,
char **file_type_out);
```
The older `cl_scan*()` functions are now deprecated and may be removed in a
future release. See `clamav.h` for more details.
- libclamav: Added a new engine option to toggle temp directory recursion.
Temp directory recursion is the idea that each object scanned in ClamAV's
recursive extract/scan process will get a new temp subdirectory, mimicking
the nesting structure of the file.
Temp directory recursion was introduced in ClamAV 0.103 and is enabled
whenever `--leave-temps` / `LeaveTemporaryFiles` is enabled.
In ClamAV 1.5, an application linking to libclamav can separately enable temp
directory recursion if they wish.
For ClamScan and ClamD, it will remain tied to `--leave-temps` /
`LeaveTemporaryFiles` options.
The new temp directory recursion option can be enabled with:
```c
cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);
```
- libclamav: Added a class of scan callback functions that can be added with the
following API function:
```c
void cl_engine_set_scan_callback(struct cl_engine *engine, clcb_scan callback, cl_scan_callback_t location);
```
The scan callback location may be configured using the following five values:
- `CL_SCAN_CALLBACK_PRE_HASH`: Occurs just after basic file-type detection and
before any hashes have been calculated either for the cache or the gen-json
metadata.
- `CL_SCAN_CALLBACK_PRE_SCAN`: Occurs before parser modules run and before
pattern matching.
- `CL_SCAN_CALLBACK_POST_SCAN`: Occurs after pattern matching and after
running parser modules. A.k.a. the scan is complete for this layer.
- `CL_SCAN_CALLBACK_ALERT`: Occurs each time an alert (detection) would be
triggered during a scan.
- `CL_SCAN_CALLBACK_FILE_TYPE`: Occurs each time the file type determination
is refined. This may happen more than once per layer.
Each callback may alter scan behavior using the following return codes:
- `CL_BREAK`: Scan aborted by callback. The rest of the scan is skipped.
This does not mark the file as clean or infected, it just skips the rest of
the scan.
- `CL_SUCCESS` / `CL_CLEAN`: File scan will continue.
For `CL_SCAN_CALLBACK_ALERT`: This means you want to ignore this specific
alert and keep scanning.
This is different than `CL_VERIFIED` because it does not affect prior or
future alerts. Return `CL_VERIFIED` instead if you want to remove prior
alerts for this layer and skip the rest of the scan for this layer.
- `CL_VIRUS`: This means you do not trust the file. A new alert will be added.
For `CL_SCAN_CALLBACK_ALERT`: This means you agree with the alert and no
extra alert is needed.
- `CL_VERIFIED`: Layer explicitly trusted by the callback and previous alerts
removed for THIS layer. You might want to do this if you trust the hash or
verified a digital signature. The rest of the scan will be skipped for THIS
layer. For contained files, this does NOT mean that the parent or adjacent
layers are trusted.
Each callback is given a pointer to the current scan layer from which they can
get previous layers, can get the layer's fmap, and then various attributes of
the layer and of the fmap. To make this possible, there are new APIs to
query scan-layer details and fmap details:
```c
cl_error_t cl_fmap_set_name(cl_fmap_t *map, const char *name);
cl_error_t cl_fmap_get_name(cl_fmap_t *map, const char **name_out);
cl_error_t cl_fmap_set_path(cl_fmap_t *map, const char *path);
cl_error_t cl_fmap_get_path(cl_fmap_t *map, const char **path_out, size_t *offset_out, size_t *len_out);
cl_error_t cl_fmap_get_fd(const cl_fmap_t *map, int *fd_out, size_t *offset_out, size_t *len_out);
cl_error_t cl_fmap_get_size(const cl_fmap_t *map, size_t *size_out);
cl_error_t cl_fmap_set_hash(const cl_fmap_t *map, const char *hash_alg, char hash);
cl_error_t cl_fmap_have_hash(const cl_fmap_t *map, const char *hash_alg, bool *have_hash_out);
cl_error_t cl_fmap_will_need_hash_later(const cl_fmap_t *map, const char *hash_alg);
cl_error_t cl_fmap_get_hash(const cl_fmap_t *map, const char *hash_alg, char **hash_out);
cl_error_t cl_fmap_get_data(const cl_fmap_t *map, size_t offset, size_t len, const uint8_t **data_out, size_t *data_len_out);
cl_error_t cl_scan_layer_get_fmap(cl_scan_layer_t *layer, cl_fmap_t **fmap_out);
cl_error_t cl_scan_layer_get_parent_layer(cl_scan_layer_t *layer, cl_scan_layer_t **parent_layer_out);
cl_error_t cl_scan_layer_get_type(cl_scan_layer_t *layer, const char **type_out);
cl_error_t cl_scan_layer_get_recursion_level(cl_scan_layer_t *layer, uint32_t *recursion_level_out);
cl_error_t cl_scan_layer_get_object_id(cl_scan_layer_t *layer, uint64_t *object_id_out);
cl_error_t cl_scan_layer_get_last_alert(cl_scan_layer_t *layer, const char **alert_name_out);
cl_error_t cl_scan_layer_get_attributes(cl_scan_layer_t *layer, uint32_t *attributes_out);
```
This deprecates, but does not immediately remove, the existing scan callbacks:
```c
void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback);
void cl_engine_set_clcb_file_inspection(struct cl_engine *engine, clcb_file_inspection callback);
void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback);
void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback);
void cl_engine_set_clcb_virus_found(struct cl_engine *engine, clcb_virus_found callback);
void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback);
```
There is an interactive test program to demonstrate the new callbacks.
See: `examples/ex_scan_callbacks.c`
- Signature names that start with "Weak." will no longer alert.
Instead, they will be tracked internally and can be found in scan metadata
JSON. This is a step towards enabling alerting signatures to depend on prior
Weak indicator matches in the current layer or in child layers.
- For the "Generate Metadata JSON" feature:
- The "Viruses" array of alert names has been replaced by two new arrays that
include additional details beyond just signature name:
- "Indicators" records three types of indicators:
- **Strong** indicators are for traditional alerting signature matches and
will halt the scan, except in all-match mode.
- **Potentially Unwanted** indicators will only cause an alert at the end of
the scan unless a Strong indicator is found. They are treated the same
as Strong indicators in all-match mode.
- **Weak** indicators do not alert and will be leveraged in a future version
as a condition for logical signature matches.
- "Alerts" records only alerting indicators. Events that trust a file, such
as false positive signatures, will remove affected indicators, and mark
them as "Ignored" in the "Indicators" array.
- Add new option to calculate and record additional hash types when the
"generate metadata JSON" feature is enabled:
- libclamav option: `CL_SCAN_GENERAL_STORE_EXTRA_HASHES`
- ClamScan option: `--json-store-extra-hashes` (default off)
- `clamd.conf` option: `JsonStoreExtraHashes` (default 'no')
- The file hash is now stored as "sha2-256" instead of "FileMD5". If you
enable the "extra hashes" option, then it will also record "md5" and "sha1".
- Each object scanned now has a unique "Object ID".
- Sigtool: Renamed the sigtool option `--sha256` to `--sha2-256`.
The original option is still functional but is deprecated.
Other improvements
- Set a limit on the max-recursion config option. Users will no longer be
able to set max-recursion higher than 100.
This change prevents errors on start up or crashes if encountering
a file with that many layers of recursion.
- Build system: CMake improvements to support compiling for the AIX platform.
This change is courtesy of GitHub user KamathForAIX.
- Improve support for extracting malformed zip archives.
This change is courtesy of Frederick Sell.
- Windows: Code quality improvement for the ClamScan and ClamDScan `--move`
and `--remove` options.
This change is courtesy of Maxim Suhanov.
- Added file type recognition for an initial set of AI model file types.
The file type is accessible to applications using libclamav via the scan
callback functions and as an optional output parameter to the scan functions:
`cl_scanfile_ex()`, `cl_scanmap_ex()`, and `cl_scandesc_ex()`.
When scanning these files, type will now show "CL_TYPE_AI_MODEL" instead of
"CL_TYPE_BINARY_DATA".
- Added support for inline comments in ClamAV configuration files.
This change is courtesy of GitHub user userwiths.
- Disabled the MyDoom hardcoded/heuristic detection because of false positives.
- Sigtool: Added support for creating `.cdiff` and `.script` patch files for
CVDs that have underscores in the CVD name.
Also improved support for relative paths with the `--diff` command.
- Windows: Improved support for file names with UTF-8 characters not found in
the ANSI or OEM code pages when printing scan results or showing activity in
the ClamDTOP monitoring utility.
Fixed a bug with opening files with such names with the Sigtool utility.
- Improved the code quality of the ZIP module. Added inline documentation.
- Always run scan callbacks for embedded files. Embedded files are found within
other files through signature matches instead of by parsing. They will now
be processed the same way and then they can trigger application callbacks
(e.g., "pre-scan", "post-scan", etc.).
A consequence of this change is that each embedded file will be pattern-
matched just like any other extracted file. To minimize excessive pattern
matching, file header validation checks were added for ZIP, ARJ, and CAB.
Also fixed a bug with embedded PE file scanning to reduce unnecessary matching.
This change will impact scans with both the "leave-temps" feature and the
"force-to-disk" feature enabled, resulting in additional temporary files.
- Added DevContainer templates to the ClamAV Git repository in order to make it
easier to set up AlmaLinux or Debian development environments.
- Removed the "Heuristics.XZ.DicSizeLimit" alert because of potential unintended
alerts based on system state.
- Improved support for compiling on Solaris.
- Improved support for compiling on GNU/Hurd.
- Improved support for linking with the NCurses library dependency when
libtinfo is built as a separate library.
Bug fixes
- Reduced email multipart message parser complexity.
- Fixed possible undefined behavior in inflate64 module.
The inflate64 module is a modified version of the zlib library, taken from
version 1.2.3 with some customization and with some cherry-picked fixes.
This adds one additional fix from zlib 1.2.9.
Thank you to TITAN Team for reporting this issue.
- Fixed a bug in ClamD that broke reporting of memory usage on Linux.
The STATS command can be used to monitor ClamD directly or through ClamDTOP.
The memory stats feature does not work on all platforms (e.g., Windows).
- Windows: Fixed a build issue when the same library dependency is found in
two different locations.
- Fixed an infinite loop when scanning some email files in debug-mode.
This fix is courtesy of Yoann Lecuyer.
- Fixed a stack buffer overflow bug in the phishing signature load process.
This fix is courtesy of GitHub user Shivam7-1.
- Fixed a race condition in the Freshclam feature tests.
This fix is courtesy of GitHub user rma-x.
- Windows: Fixed a 5-byte heap buffer overread in the Windows unit tests.
This fix is courtesy of GitHub user Sophie0x2E.
- Fix double-extraction of OOXML-based office documents.
- ClamBC: Fixed crashes on startup.
- Fixed an assortment of issues found with Coverity static analysis.
- Fixed libclamav unit test, ClamD, and ClamDScan Valgrind test failures
affecting some platforms.
- Fixed crash in the Sigtool program when using the `--html-normalize` option.
- Fixed some potential NULL-pointer dereference issues if memory allocations
fail.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 12 Oct 2025 11:51:42 +0000 (13:51 +0200)]
mympd: Update to version 22.1.1
- Update from version 22.0.4 to 22.1.1
- Addition of cmake option to not create the systemd startup files
- Removal of patch to make mympd work with coreutils-9.8 as this latest update already
includes the change in it.
- Changelog
22.1.1
- Upd: Logging improvements
- Fix: Now playing indicator in Queue View
- Fix: Detection of ca cert store #1469
- Fix: Ending newline detection in build script #1470
22.1.0
This is the first release that supports a system-wide installed libmpdclient
library. If the library was not found or is too old, the build process falls
back to the embedded libmpdclient.
- Feat: Support string normalization option (MPD 0.25)
- Feat: Support shared libmpdclient (v2.24.0) #874
- Upd: Rework album implementation to work with upstream libmpdclient
- Upd: Mongoose 7.19
- Upd: Bootstrap 5.3.8
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 13 Oct 2025 09:18:28 +0000 (11:18 +0200)]
dns.cgi: Correction to typo
- Spotted by a new user on the forum as part of their CU198 Testing.
- Causes an Internal Server Error when trying to access the Domain Name System page.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 10 Oct 2025 15:51:54 +0000 (17:51 +0200)]
tshark: Update to version 4.6.0
- Update from version 4.4.9 to 4.6.0
- Update of rootfile
- Changelog
4.6.0
New and Updated Features
The following features are new (or have been significantly updated) since
version 4.6.0rc1:
Wireshark can dissect process information, packet metadata, flow IDs,
drop information, and other information provided by tcpdump on macOS.
The following features are either new or have been significantly updated
since version 4.4.0:
The Windows installers now ship with Npcap 1.83. They previously
shipped with Npcap 1.79.
The Windows and macOS installers now ship with Qt 6.9.3. They
previously shipped with Qt 6.5.3.
We now ship universal macOS installers instead of separate packages
for Arm64 and Intel. Issue 17294
WinPcap is no longer supported. On Windows, use Npcap instead,
uninstalling WinPcap if necessary. The final release of WinPcap was
version 4.1.3 in 2013. It only supports up to Windows 8, which is no
longer supported by Microsoft or Wireshark.
A new “Plots” dialog has been added, which provides scatter plots in
contrast to the “I/O Graphs” dialog, which provides histograms. The
Plots dialog window supports multiple plots, markers, and automatic
scrolling.
Live captures can be compressed while writing. (Previously there was
support for compressing when performing multiple file capture, at
file rotation time.) The --compress option in TShark works on live
captures as well. Issue 9311
Absolute time fields, regardless of field display in the Packet
Details, are always written in ISO 8601 format in UTC with -T json.
This was already the case for -T ek since version 4.2.0. JSON is
primarily a data interchange format read by software, so a standard
format is desirable.
When absolute time fields are output with -T fields, the "show" field
of -T pdml, or in custom columns (including CSV output of columns),
the formatting similar to asctime (e.g., Dec 18, 2017
05:28:39.071704055 EST) has been deprecated in favor of ISO 8601. For
backwards compatibility, a preference has been added,
protocols.display_abs_time_ascii, which can be set to continue to
format times as before. This preference can also be set to never use
ASCII time and to use ISO 8601 time formatting in the protocol tree
(Packet Details) as well. It is possible that a future release will
remove the asctime style formatting entirely.
UTC frame time column formats (including "Time (format as specified)"
when a UTC time display format is selected) have a "Z" suffix per
ISO 8601. Local time formats remain unqualified (including if the
local time zone is UTC.) Custom columns displaying FT_ABSOLUTE_TIME
already had time zone indication.
The TShark -G option for generating glossary reports does not need to
be the first option given on the command line anymore. In addition,
the reports now are affected by other command line options such as
-o, -d, and --disable-protocol, in addition to the -C option, which
was already supported. (The defaultprefs report remains unaffected by
any other options.) As a part of this change, -G with no argument,
which was previously deprecated, is no longer supported. Use
tshark -G fields to produce the same report. Also, the syntax for
only listing fields with a certain prefix has changed to tshark -G
fields,prefix.
The underlying type of EUI-64 fields has been switched to bytes when
packet matching, similar to most other address formats. This means
that EUI-64 addresses can be sliced and compared to other bytes
types, e.g. the filter wpan.src64[:3] == eth.src[:3]. Fields can
still be specified using 64-bit unsigned integer literals, though
arithmetic with other integers is no longer supported.
Wireshark can now decrypt NTP packets using NTS (Network Time Security).
To decrypt packets, the NTS-KE (Network Time Security Key
Establishment Protocol) packets need to be present, alongside the TLS
client and exporter secrets. Additionally, the parts of a NTP packet
which can be cryptographically authenticated (from NTP packet header
until the end of the last extension field that precedes the NTS
Authenticator and Encrypted Extension Fields extension field) are
checked for validity.
Wireshark’s ability to decrypt MACsec packets has been expanded to
either use the SAK unwrapped by the MKA dissector, or the PSK
configured in the MACsec dissector. To enable the MKA dissector to
unwrap the SAK, the CAK for the applicable CKN can be entered in the
extended CKN/CAK Info UAT in the MKA dissector preferences. The
ability of the MACsec dissector to decrypt packets using a PSK has
been extended to a list of PSKs, which can be entered through a new UAT.
The TCP Stream Graph axes now use units with SI prefixes. Issue 20197
Custom columns have an option to show the values using the same format
as in Packet Details.
Custom column complex expressions (e.g., with arithmetic, filter
functions, etc.) that return numeric results are sorted numerically
instead of lexicographically.
Display filter functions float and double are added to allow
explicitly converting field types like integers and times to single
and double precision floats. They can be used to perform further
arithmetic operations on fields of different types, including in
custom column definitions.
The minimum width of the I/O Graph dialog window has been reduced, so
it should work better on small resolution desktops, especially in
certain languages. To enable this, some checkbox controls were moved
to the graph right-click context menu. Issue 20147
X.509 certificates, used in TLS and elsewhere, can be exported via the
File › Export Objects menu in Wireshark (under the name "X509AF")
and --export-objects in TShark (with the protocol name x509af.)
Zstandard Content-Encoding is supported in the HTTP and HTTP/2
dissectors.
Follow Stream is supported for MPEG 2 Transport Stream PIDs, and for
Packetized Elementary Streams contained within MPEG 2 TS. The latter
can be used to extract audio or video for playback with other tools.
DNP 3 (Distributed Network Protocol 3) is now supported in the
Conversations and Endpoints table dialogs.
The Lua supplied preloaded libraries bit and rex_pcre2 are loaded in a
way that adds them to the package.loaded table, as though through
require, so that require("bit") and require("rex_pcre2") statements
in Lua dissectors, while usually superfluous, behave as expected.
Issue 20213
The packet list (Wireshark) and event list (Stratoshark) no longer
support rows with multiple lines. Issue 14424
The ethers file can also contain EUI-64 to name mappings. Issue 15487
Wireshark’s "Import from Hex Dump" feature and text2pcap now support
byte groups with 2 to 4 bytes (with an option for little-endian byte
order), and support hexadecimal offsets with a 0x or 0X prefix (as
produced by tcpdump -x, among others). Issue 16193
Frame timestamps can be added as preamble to hex dumps in Wireshark
from the "Print" and "Export Packet Dissection" dialogs, and in
TShark with the --hexdump time option. Issue 17132
Lua now has a Conversation object, which exposes conversations and
conversation data to Lua. Issue 15396
An Edit › Copy › as HTML menu item has been added, along with
associated context menu items and a keyboard shortcut. It provides an
option (via knobs in preferences) to copy plain text with aligned
columns along with an ability to select a copy format to be used when
copied via keyboard shortcut.
The "no duplicate keys" version of JSON output that tshark has
supported since 2.6.0 is available through the GUI Export Dissections
Dialog. Note that this format does not necessarily preserve the
ordering of all children in a tree, if siblings with identical keys
are not consecutive.
The GUI Export Dissections Dialog can output raw hex bytes of the
frame data for each field with or without exporting the field values,
the same formats as the "-T json -x" and "-T jsonraw" output modes,
respectively, of TShark.
The Conversations and Endpoints dialogs have an option to display byte
counts and bit rates in exact counts instead of human-readable
numbers with SI units. The default setting when opening a dialog is
controlled by a Statistics preference, "conv.machine_readable". The
same preference controls whether precise byte counts are used in the
TShark "-z conv" and "-z endpoints" taps.
The output format for some TShark statistics taps (those selected with
"-z <tap>,tree", which use the stats_tree system) can be controlled
via a preference "-o statistics.output_format".
The color scheme can be set to Light or Dark mode independently of the
current OS default on Windows and macOS, if Wireshark is built with
Qt 6.8 or later as the official installers are. Issue 19328
libxml2 is now a required dependency. Note that Wireshark will not
build with libxml2 2.15.0, but other versions should work.
The View menu has an option to Redissect Packets manually, which can
be useful when address resolution or decryption secrets have changed.
HTTP2 tracking of 3GPP sessions over 5G Service Based Interfaces is now
optionally available. When enabled, "Associate IMSI" will be added to
HTTP2 streams which have been found to belong to a session.
Building the documentation on Windows no longer requires Java.
On Linux, capture filters that use BPF extensions like "inbound",
"outbound", and "ifindex" can be used for capturing (and compiled by
the Compiled Filter dialog). Instead of always being rejected by the
syntax checker, they will be marked as unknown.
Removed Features and Support
Wireshark no longer supports AirPcap and WinPcap.
Wireshark no longer supports libnl versions 1 or 2.
The ENABLE_STATIC CMake option has been deprecated in favor of
BUILD_SHARED_LIBS
New File Format Decoding Support
Resource Interchange File Format (RIFF) and TTL File Format
New Protocol Support
Asymmetric Key Packages (AKP), Binary HTTP, BIST TotalView-ITCH
protocol (BIST-ITCH), BIST TotalView-OUCH protocol (BIST-OUCH),
Bluetooth Android HCI (HCI ANDROID), Bluetooth Intel HCI (HCI INTEL),
BPSec COSE Context, BPSec Default SC, Commsignia Capture Protocol
(C2P), DECT NR+ (DECT-2020 New Radio), DLMS/COSEM, Ephemeral
Diffie-Hellman Over COSE, Identifier-Locator Network Protocol (ILNP),
LDA Neo Device trailer (LDA_NEO_TRAILER), Lenbrook Service Discovery
Protocol (LSDP), LLC V1, Navitrol messaging, Network Time Security
Key Establishment Protocol (NTS-KE), Ouster VLP-16, Private Line
Emulation (PLE), RC V3, RCG, Roughtime, SBAS L5 Navigation Message,
SGP.22 GSMA Remote SIM Provisioning (SGP.22), SGP.32 GSMA Remote SIM
Provisioning (SGP.32), SICK CoLA Ascii and CoLA Binary protocols,
Silabs Debug Channel, Universal Measurement and Calibration Protocol
(XCP), USB Picture Transfer Protocol (USB-PTP), VLP-16 Data and
Position messaging, and vSomeIP Internal Protocol (vSomeIP)
Updated Protocol Support
Too many protocol updates have been made to list them all here.
New and Updated Capture File Support
BLF is now improved (including writing to BLF)
New and Updated Capture Interfaces support
On Windows, etwdump’s user-friendliness has been greatly improved
thanks to various extcap changes. It should also now display the raw
bytes of unknown events.
Major API Changes
The Lua API now supports Libgcrypt symmetric cipher functions.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
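As an added example (my own code, not part of the tshark release notes or of IPFire), the following Python normalises absolute-time strings in both shapes the notes above describe: the ISO 8601 form that -T json always emits in UTC with a Z suffix and that -T fields and custom columns now default to, and the deprecated asctime-like form (e.g. Dec 18, 2017 05:28:39.071704055 EST) that protocols.display_abs_time_ascii can still select. The sample strings are constructed, the TsharkTime type and parse_tshark_time function are my own names, and nanoseconds are carried separately because Python's datetime stores only microseconds.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed samples of the two shapes tshark prints for absolute time fields.
SAMPLE_ISO = "2017-12-18T10:28:39.071704055Z"
SAMPLE_ASCII = "Dec 18, 2017 05:28:39.071704055 EST"

_ISO_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[T ](?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,9}))?(?P<tz>Z|[+-]\d{2}:?\d{2})?$"
)
_ASCII_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}), (?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.(?P<frac>\d{1,9}))?(?: (?P<zone>[A-Za-z]+))?$"
)
_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


@dataclass(frozen=True)
class TsharkTime:
    when: datetime                      # aware for ISO input with a zone, naive otherwise
    nanoseconds: int                    # full fractional second; datetime keeps only microseconds
    zone_abbrev: Optional[str] = None   # unresolved abbreviation from the asctime-like form

    @property
    def unambiguous(self) -> bool:
        # Only an explicit UTC/offset qualifier pins the instant down.
        return self.when.tzinfo is not None


def _nanos(frac: Optional[str]) -> int:
    # Right-pad to nine digits so ".5" and ".500000000" mean the same thing.
    return int((frac or "0").ljust(9, "0"))


def parse_tshark_time(text: str) -> TsharkTime:
    """Parse an ISO 8601 or deprecated asctime-like tshark timestamp."""
    text = text.strip()
    m = _ISO_RE.match(text)
    if m:
        nanos = _nanos(m["frac"])
        tz = m["tz"]
        if tz is None:
            tzinfo = None                       # unqualified local time
        elif tz == "Z":
            tzinfo = timezone.utc
        else:
            sign = 1 if tz[0] == "+" else -1    # "+01:00" or "+0100"
            hh, mm = int(tz[1:3]), int(tz[-2:])
            tzinfo = timezone(sign * timedelta(hours=hh, minutes=mm))
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        when = when.replace(microsecond=nanos // 1000, tzinfo=tzinfo)
        return TsharkTime(when, nanos)
    m = _ASCII_RE.match(text)
    if m:
        nanos = _nanos(m["frac"])
        hour, minute, second = (int(x) for x in m["time"].split(":"))
        when = datetime(int(m["year"]), _MONTHS[m["mon"]], int(m["day"]),
                        hour, minute, second, nanos // 1000)
        # Zone abbreviations such as "EST" are ambiguous; hand them back
        # unresolved instead of guessing an offset.
        return TsharkTime(when, nanos, m["zone"])
    raise ValueError(f"unrecognised tshark time: {text!r}")


if __name__ == "__main__":
    for sample in (SAMPLE_ISO, SAMPLE_ASCII):
        print(sample, "->", parse_tshark_time(sample))
```

The deprecated form carries only a zone abbreviation, which is not enough to recover the instant, so the parser keeps it as data and flags the result as ambiguous; that is the practical reason to prefer the ISO 8601/UTC output when tshark results feed a log pipeline.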
Adolf Belka [Sat, 11 Oct 2025 10:18:00 +0000 (12:18 +0200)]
mpd: Update to version 0.24.5
- Update from version 0.24.4 to 0.24.5
- Update of rootfile not required
- Changelog
0.24.5
* database
- fix disappearing playlist files
* decoder
- ffmpeg: handle "*.aif" files
- mpg123: add option "full_scan"
- mpg123: support seeking on remote files
- mpg123: work around libmpg123 ID3 corruption bug
- sidplay: add support for PSID files
* output
- pipewire: fix resuming playback after it was paused by "single" mode
* Windows
- fix libfmt error "what(): invalid utf8"
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Oct 2025 10:17:59 +0000 (12:17 +0200)]
libmpdclient: Update to version 2.23
- Update from version 2.22 to 2.23
- Update of rootfile
- Changelog
2.23
* support MPD protocol 0.24.0
- allow window for listplaylist and listplaylistinfo
- command "playlistlength", "protocol", "stickertypes", "stickernamestypes",
"searchplaylist"
- tag "ShowMovement"
- new sticker find api
- new subcommands for "tagtypes": "available", "reset"
* Support open end for mpd_search_add_window
* format floating-point numbers with the POSIX locale
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Oct 2025 10:17:58 +0000 (12:17 +0200)]
mympd: Update to version 22.0.4 and work with coreutils-9.8
- Update from version 21.0.1 to 22.0.4
- Add config options to stop doc and man page creation.
- Add patch to fix working with coreutils-9.8
- Update of rootfile
- Changelog
22.0.4
- Upd: Restrict sticker names (forbid equal sign)
- Fix: Really shuffle the playlist #1455
- Fix: Relax search expression validation #1455
- Fix: Alpine packaging
- Fix: Detection of local playback features #1452
22.0.3
- Upd: Create cache and workdir in init script
- Upd: Feature detection for local playback output selection #1452
22.0.2
- Fix: MYMPD_API_JUKEBOX_RESTART requires MPD connection #1448
22.0.1
- Fix: Respect backgroundImage setting #1446
- Fix: Alpine packaging
22.0.0
Notes
- This release enables certificate checking for outgoing https connections.
The system CA cert store should be autodetected, open an issue if it fails.
- The startup process of myMPD was reworked. myMPD no longer drops privileges,
the included startup scripts are using now the init system to do this.
- The default listening ports are now 8080 for HTTP and 8443 for HTTPS.
API changes
- MYMPD_API_SCRIPT_VERIFY_SIG: new
- MYMPD_API_HOME_WIDGET_IFRAME_SAVE: new
- MYMPD_API_HOME_WIDGET_SCRIPT_SAVE: new
- MYMPD_API_HOME_WIDGET_SAVE: removed
Scripting changes
- Feat: `mympd.tblvalue_in_list()` - Checks a Lua table of tags against a comma separated list.
- Upd: Executing external scripts is now disabled by default.
Changelog
- Feat: iFrames for home screen #1429
- Feat: Add custom css and js #1428
- Feat: Use system provided ca store for ssl certificate checking #1427
- Feat: Sign and verify scripts from mympd-scripts repository #1426
- Feat: Add trigger `mympd_playlistart`, `mympd_folderart`
- Feat: Sort list of timers and triggers #1425
- Feat: Allow changing output device with local playback #1434
- Upd: Improve "Edit Script"-Layout
- Upd: Bootstrap v5.3.7
- Upd: Mongoose 7.18
- Upd: libmympdclient 1.0.34 (libmpdclient 2.24.0)
- Upd: Incbin
- Upd: Replaced mjson with mongoose implementation
- Fix: Improve MPD search expression validation #1435
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Oct 2025 10:17:56 +0000 (12:17 +0200)]
coreutils: Update to version 9.8
- Update from version 9.7 to 9.8
- Update of rootfile not required
- Changelog
9.8
Bug fixes
'b2sum' will diagnose --length values that are too big.
Previously it would have silently assumed 512 for any larger values.
[bug introduced in coreutils-9.6]
'base32' and 'base64' when decoding will again diagnose partially
padded data that ends with a newline.
[bug introduced in coreutils-9.5]
'basenc -d -i' will now strip '=' characters from the input
in encodings where padding characters are not valid.
[bug introduced with the basenc program in coreutils-8.31]
'cp -p' had spurious "Operation not supported" failures when
copying to non-NFS files from NFSv4 files with trivial ACLs.
[bug introduced in coreutils-9.6]
'cp --sparse=always' missed some opportunities to create holes.
That is, although the copies had the correct data, sometimes
data zeros used extents rather than holes.
[This bug was present in "the beginning".]
cp missed opportunities to create holes when copying from file
systems like squashfs that support SEEK_HOLE only trivially.
[bug introduced in coreutils-9.0]
cp, install, and mv now avoid possible data corruption on
glibc 2.41 and 2.42 systems when copy_file_range is used with ranges > 2GiB,
avoiding https://sourceware.org/PR33245
[bug triggered since coreutils-9.0]
'date' supports specifying multiple named formats with the last taking
precedence. Previously multiple specifications would induce an error.
[bug introduced in coreutils-5.90]
'dd oflag=seek_bytes' no longer mistakenly reports errors when the
output file exists on GNU/Hurd.
[bug introduced in coreutils-8.16]
'fold' no longer exhausts memory when processing large inputs
with a very large --width argument.
[This bug was present in "the beginning".]
'install -d' now produces the correct diagnostic upon failure
to create a directory. Previously it would have produced
a confusing error about changing permissions.
[This bug was present in "the beginning".]
"ls --size --block-size=\'k" could misalign output in locales
with multi-byte thousands grouping characters.
[This bug was present in "the beginning".]
'nohup' avoids implementation defined behavior setting umask,
avoiding a FORTIFY runtime failure on Bionic libc.
[This bug was present in "the beginning".]
'od --strings' with '-N' now works correctly. Previously od might
write a NUL byte after a heap buffer, or output invalid addresses.
[These bugs were present in "the beginning".]
'od -w0' will now issue a diagnostic and exit gracefully.
Previously it would have aborted.
[bug introduced in coreutils-9.3]
'od -w' no longer silently mishandles enormous widths like 3037000500.
Instead, it either outputs correctly or diagnoses a too-large width.
[This bug was present in "the beginning".]
'od +N.' (where N is a decimal number) works again as per POSIX.
[bug introduced in textutils-2.0]
'od /dev/null ++0' no longer mistakenly treats the ++0 as an offset.
[This bug was present in "the beginning".]
'sort' with key character offsets of SIZE_MAX, could induce
a read of 1 byte before an allocated heap buffer. For example:
'sort +0.18446744073709551615R input' on 64 bit systems.
[bug introduced in coreutils-7.2]
stdbuf now works on AIX. Previously it would have been ineffective.
[bug introduced with the stdbuf program in coreutils-7.5]
'tail -n NUM' no longer can output more than NUM lines if stdin
is a largish regular file with a nonzero initial offset, and grows
while 'tail' is reading it.
[This bug was present in "the beginning".]
'tail -f -n +NUM' no longer mishandles NUM values >= UINTMAX_MAX
when the input is seekable.
[bug introduced in coreutils-9.6]
'tail --pid' avoids some unlikely races if the kernel reuses PIDs.
[bug introduced in coreutils-9.5]
'tty' now exits with status 4 with a special diagnostic if ttyname
fails even though standard input is a tty. Formerly it quietly
pretended that standard input was not a tty.
[This bug was present in "the beginning".]
New Features
basenc supports the --base58 option to encode and decode
the visually unambiguous Base58 encoding.
'cksum -a' now supports the 'sha3' argument, to use the SHA3-224,
SHA3-256, SHA3-384, SHA3-512 message digest algorithms depending on
the argument passed to the required --length (-l) option.
'cksum -a' now supports the 'sha2' argument, as a more consistent
interface than the existing 'sha224', 'sha256', 'sha384', 'sha512'
arguments, which are now selected with the --length (-l) option.
'date' now outputs dates in the country's native calendar for the
Iranian locale (fa_IR) and for the Ethiopian locale (am_ET), and also
does so more consistently for the Thailand locale (th_TH.UTF-8).
fold now supports multi-byte characters, honoring their column width.
Also the --characters (-c) option was added to wrap at a certain
number of characters, similarly to --bytes in uni-byte locales.
nproc now honors any cgroup v2 configured CPU quotas,
which may reduce the effective number of processors available.
stty supports setting arbitrary baud rates on supported systems,
like Hurd, Linux with glibc >= 2.42, and some BSDs.
Also on other systems the full set of supported baud rates
is determined at build time if possible.
Commands that support hardware acceleration like cksum and wc
can now disable this acceleration at runtime through the
commonly used GLIBC_TUNABLES environment variable. For example
to disable the use of AVX512 instructions in cksum, you can:
export GLIBC_TUNABLES='glibc.cpu.hwcaps=-AVX512F'
Changes to conform better to POSIX.1-2024
readlink now defaults to being verbose if the POSIXLY_CORRECT
environment variable is set.
realpath now supports -E, which specifies the default behavior.
The corresponding long option is --canonicalize.
tsort now accepts and ignores -w.
Improvements
'factor' is now much faster at identifying large prime numbers,
and significantly faster on composite numbers greater than 2^128.
fold now exits immediately upon receiving a write error,
which is significant when reading large / unbounded inputs.
'seq' is more accurate with large integer start values.
Previously 'seq 18446744073709551617 inf | head -n1' would
output the number before the user specified start value.
Build-related
cksum was not compilable by Apple LLVM 10.0.0 x86-64, which
lacks support for checking for the VPCLMULQDQ instruction.
[bug introduced in coreutils-9.6]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
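As an added example (my own code, not coreutils' implementation), here is the Base58 encoding that the new basenc --base58 option above refers to. Base58 is the alphabet of 58 characters that drops 0, O, I and l so that encoded strings cannot be misread; each leading zero byte is carried as a leading "1" because the big-integer conversion would otherwise lose it. The function names and the sample inputs are mine.

```python
# Base58 alphabet: digits and letters minus the four visually confusable ones (0, O, I, l).
ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {ch: i for i, ch in enumerate(ALPHABET)}  # byte value -> digit value


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; leading zero bytes become leading '1' digits."""
    leading = len(data) - len(data.lstrip(b"\x00"))
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(ALPHABET[rem])
    out.extend(b"1" * leading)
    return out[::-1].decode("ascii")


def b58decode(text: str) -> bytes:
    """Strict decoder: any character outside the alphabet is an error, never 'corrected'."""
    raw = text.encode("ascii")          # non-ASCII input cannot be valid Base58
    leading = len(raw) - len(raw.lstrip(b"1"))
    n = 0
    for ch in raw:
        try:
            n = n * 58 + _INDEX[ch]
        except KeyError:
            # 0/O/I/l are absent on purpose; silently mapping them would
            # defeat the point of an unambiguous alphabet.
            raise ValueError(f"invalid Base58 character {chr(ch)!r}") from None
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading + body


if __name__ == "__main__":
    for sample in (b"hello", b"\x00\x00hello"):   # constructed inputs
        encoded = b58encode(sample)
        assert b58decode(encoded) == sample
        print(sample, "->", encoded)
```

Because decoding rejects rather than repairs near-miss characters, a transcription error surfaces as a failure instead of a silently different value, which is the behaviour you want for anything that carries a key or an identifier.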
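As a second added example for the coreutils notes above (again my own code, not coreutils'), this shows the cgroup v2 CPU-quota logic that the nproc item describes: cpu.max holds "$QUOTA $PERIOD" in microseconds, or "max" for no limit, and the effective processor count is the online count capped by quota/period. The sample cpu.max contents are constructed, and rounding a fractional quota up to a whole CPU is my assumption; the release notes do not say how coreutils rounds.

```python
import math
import os
from typing import Optional

# Constructed cgroup v2 cpu.max contents: "$QUOTA $PERIOD" in microseconds.
CPU_MAX_LIMITED = "150000 100000\n"   # 1.5 CPUs
CPU_MAX_UNLIMITED = "max 100000\n"    # no quota


def quota_cpus(cpu_max: str) -> Optional[float]:
    """Return the CPU budget implied by a cpu.max line, or None if unlimited."""
    fields = cpu_max.split()
    if len(fields) != 2:
        raise ValueError(f"malformed cpu.max: {cpu_max!r}")
    quota, period = fields
    if quota == "max":
        return None
    quota_us, period_us = int(quota), int(period)
    if quota_us <= 0 or period_us <= 0:
        raise ValueError(f"non-positive quota or period: {cpu_max!r}")
    return quota_us / period_us


def effective_cpus(cpu_max: str, online: int) -> int:
    """Online CPUs capped by the cgroup quota (rounded up; assumption, see lead-in)."""
    budget = quota_cpus(cpu_max)
    if budget is None:
        return online
    return max(1, min(online, math.ceil(budget)))


def nproc() -> int:
    """Mimic nproc honouring a cgroup v2 quota on the running system."""
    online = os.cpu_count() or 1
    try:
        with open("/sys/fs/cgroup/cpu.max") as fh:
            return effective_cpus(fh.read(), online)
    except (FileNotFoundError, PermissionError):
        return online   # not cgroup v2, or not visible from this mount namespace


if __name__ == "__main__":
    print("cgroup-aware nproc:", nproc())
```

Where this matters operationally: a service that sizes thread pools from the raw online CPU count inside a quota-limited container oversubscribes its budget and gets throttled, which is exactly what the new nproc behaviour avoids.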
Michael Tremer [Thu, 9 Oct 2025 17:24:29 +0000 (18:24 +0100)]
ovpnmain.cgi: Enable multihome when using UDP
If the client is connecting from an internal network instead of the
internet, the OpenVPN server replies with the public IP address as the
source address. This won't allow to establish a connection.
Enabling multihome changes the behaviour to reply with whatever IP
address the client has connected to.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 8 Oct 2025 20:49:00 +0000 (20:49 +0000)]
Tor: Update to 0.4.8.19
Changes in version 0.4.8.19 - 2025-10-06
This release fixes two major bugfixes for a LibreSSL issue and a flow control
C-tor specific problem (not protocol). We strongly recommend you upgrade as
soon as possible.
o Major bugfixes (client, TLS):
- Fix some clients not being able to connect to LibreSSL relays.
Fixes bug 41134; bugfix on 0.4.8.17
o Major bugfixes (stream flow control performance):
- Use a 5 ms grace period to allow an edge connection to flush its
stream data to the socket before sending an XOFF. This
significantly reduces the number of XON/XOFF messages sent when
(1) the application is reading stream data at a fast rate, and (2)
when conflux is enabled. Fixes part of bug 41130; bugfix
on 0.4.7.2-alpha
o Minor features (fallbackdir):
- Regenerate fallback directories generated on October 06, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/10/06.
o Minor bugfix (process):
- Avoid closing all possible FDs when spawning a process (PT). On
some systems, this could lead to 3+ minutes hang. Fixes bug 40990;
bugfix on 0.3.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 8 Oct 2025 20:28:46 +0000 (22:28 +0200)]
samba: Update to version 4.23.1
- Update from version 4.22.4 to 4.23.1
- Update of rootfile for all architectures
- Changelog
4.23.1
* BUG 15920: Incomplete bind configuration causes DLZ plugin to crash.
* BUG 15914: winbind can crash at startup.
* BUG 15919: vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev for
fsync_send.
* BUG 15904: CTDB does not support PCP 7.0.0.
* BUG 15921: CTDB_SOCKET can be used even when CTDB_TEST_MODE is not set.
4.23.0
NEW FEATURES/CHANGES
Enable SMB3 Unix Extensions by default
Starting with Samba 4.23, the SMB3 UNIX Extensions are enabled by
default. These extensions provide first-class support for POSIX semantics
over SMB3, allowing UNIX and Linux clients to access file services with
features such as proper POSIX permissions, symlink handling, hardlinks,
and special file types.
Enabling this feature by default improves interoperability for UNIX/Linux
clients without requiring additional configuration. Windows clients that
do not support the extensions will continue to function normally, by
using standard SMB3 behavior.
Add support for SMB3 over QUIC
The new "client smb transports" and "server smb transport"
allow a more flexible configuration for the used tcp
sockets.
It also got the ability to specify "quic" as possible transport.
If quic should be used in addition to the defaults something
like "server smb transports = +quic" can be used.
For the client, quic only works with name-based UNCs;
IP-address-based UNCs are not supported.
Note for the server 'quic' requires the quic.ko kernel module
for Linux from https://github.com/lxin/quic (tested with Linux 6.14).
Future Linux versions may support it natively; here's the
branch that will hopefully be accepted upstream soon:
https://github.com/lxin/net-next/commits/quic/
For the client side there's a fallback to the userspace ngtcp2
library if the quic kernel module is not available.
Check the smb.conf manpage for additional hints
about the "client smb transports" and "server smb transport"
options and interactions with tls related options.
Modern write time update logic
Samba 4.23 changes file timestamp handling to match modern Windows
servers.
Earlier releases used delayed write time updates, where last_write_time was
only refreshed after a short idle period. Now Samba applies immediate
timestamp updates consistent with modern Windows 10/Server 2016 or newer.
Initial version of smb_prometheus_endpoint
Samba 4.23 introduces the smb_prometheus_endpoint utility, which exports
Samba server metrics in Prometheus-compatible format. This enables seamless
integration of Samba performance and status monitoring into existing
Prometheus and Grafana environments. For usage and configuration details,
refer to the new smb_prometheus_endpoint man page.
samba-tool domain backup --no-secrets avoids confidential attributes
The --no-secrets option creates a back-up without secret attributes
(e.g. passwords), suitable for use in a lab domain. Until now it could
still contain confidential attributes, including BitLocker recovery
data and KDS root keys. Objects in the classes msKds-ProvRootKey,
msFVE-RecoveryInformation, and msTPM-InformationObject will now be
entirely removed from the backup, as these objects are required by
schema to have confidential attributes and are no use without them.
CTDB changes
CTDB now supports loading tunables from
/etc/ctdb/tunables.d/*.tunables, in addition to the standard
/etc/ctdb/tunables.conf. See the ctdb-tunables(7) manual page for
more details. Note that the above locations are examples - the
actual location of these files will depend on compile time
configuration.
It isn't expected that many users will require a directory of tunables
files, since most users do not need to change tunables from their
default values. However, this allows vendors to ship their required
tunables settings (for example, in one or more files marked "do not
edit") while still allowing local administrators to add their own
tunables settings (in one or more separate files).
Per-share profiling stats
Starting with Samba 4.23, users can collect profile counters at a
per-share level. This feature requires building Samba with profiling
data enabled and adding an appropriate `smb.conf` parameter for
specific shares. It's particularly useful for deployments with a large
number of active shares, allowing administrators to monitor individual
share activity and identify potential bottlenecks or hot-spots. When
enabled, users can inspect current per-share profile information
("Extended Profile") using the standard `smbstatus` utility.
Currently, this functionality is supported only by the default and
`ceph_new` VFS modules.
smb.conf changes
Parameter Name           Description  Default
-----------------------  -----------  --------
smbd profiling share     New          no
client smb transports    New          tcp, nbt
server smb transports    New          tcp, nbt
winbind varlink service  New          no
Bugs
* BUG 15911: samba.tests.safe_tarfile fails on Python 3.13 with additional
security fixes for tarfile support.
* BUG 15904: CTDB does not support PCP 7.0.0.
* BUG 15905: samba-4.21 fails to join AD when multiple DCs are returned.
* BUG 15908: Uninitialized read leads to hanging rpcd_spoolss.
* BUG 15907: Stack buffer overflow in samba3.smb2.dirlease.fileserver.
* BUG 15902: Regression in gssproxy support in 4.23.rc1+.
* BUG 15900: 'net ads group' failed to list domain groups.
* BUG 15843: macOS Finder client DFS broken on 4.22.0.
* BUG 15899: Self-signed certificates don't have X509v3 Subject Alternative
Name for DNS.
* BUG 15893: Improve handling of principals and realms in client tools.
* BUG 15896: libquic build fixes.
* BUG 15844: getpwuid does not shift to new DC when current DC is down.
* BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>