Adolf Belka [Mon, 6 Oct 2025 15:32:37 +0000 (17:32 +0200)]
nasm: Add patch fix for typo in le32toh function name
- nasm failed to build with aarch64 due to a typo in the 3.00 source tarball where
l32toh had been written in bytesex.h instead of le32toh
- This patch includes the fix for that. The applied patch will be able to be removed
when the next release after 3.00 is issued.
- Tested the build on the aarch64 builder and nasm successfully built with the patch
applied.
- Update of rootfile not required
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 18:18:08 +0000 (20:18 +0200)]
glib: Update to version 2.86.0
- Update from version 2.83.0 to 2.86.0
- Update of rootfile
- Changelog
2.86.0
* Rework how platform-specific introspected GIO APIs have to be imported to fix
problems with backwards-compatibility provision for it, by removing duplicate
platform-specific symbols from `Gio-2.0`. Users of platform-specific GIO APIs
should be unaffected, as `GIRepository` will now automatically import
`GioWin32-2.0` or `GioUnix-2.0` when asked to import `Gio-2.0`. However,
projects generating introspection data which depends on types from either of
those platform-specific GIRs must make sure they depend on those GIRs
explicitly, rather than just transitively depending on them through `Gio-2.0`
(#3744, work by Emmanuele Bassi, Marco Trevisan, Florian Müllner, and others)
* Fix file existence queries on Solaris, broken due to unexpected flags handling
within `faccessat()` (#3770, work by Niveditha Rau)
* Bugs fixed:
- #3744 GDesktopAppInfo API disappeared after girepository-2.0 port (Emmanuele
Bassi)
- #3768 g_test_trap_subprocess does not check G_TEST_SUBPROCESS_INHERIT_STDIN
(Philip Withnall)
- !4751 gtestutils: Fix a slightly broken example in a doc comment
- !4754 Update Polish translation 250825
- !4758 Update Swedish translation
- !4762 gio: gmemorymonitorpsi: Replace GRegex with g_str_has_prefix()
- !4765 girepository: Add an assertion to help scan-build
- !4767 glocalfile: Disable faccessat()-based query_exists on Solaris
- !4768 gmessages: Fix win32_keep_fatal_message regression
- !4769 docs: Fix typos
- !4770 Update Chinese translation
- !4771 Update Georgian translation
- !4772 po: Update Persian translation.
* Translation updates:
- Chinese (China) (lumingzh)
- Georgian (NorwayFun)
- Persian (Danial Behzadi)
- Polish (Piotr Drąg)
- Swedish (Anders Jonsson)
2.85.4
* Follow symlink (instead of overwriting it) when updating `mimeapps.list`
(#3579, work by Rafael Girão)
* Bugs fixed:
- #3579 mimeapps.list is overwritten if it is a symlink (Rafael Girão)
- #3724 Crash in g_hash_table_add after 252645135 elements (Tobias Stoeckmann)
- #3743 g_utf8_validate out parameter has wrong type (two)
- #3751 meta: clang-format refers to a broken link (Rafael Girão)
- #3758 Out-of-bounds read in GMemoryMonitorPoll (Philip Withnall)
- #3760 Stack overflow when recursing within g_log_structured() with
`G_LOG_FLAG_RECURSION` (Tobias Stoeckmann)
- #3761 Regression in g_printf() - can no longer output formatted values
containing NUL bytes (Luca Bacci)
- #3766 Update sl.po (Slovenian) (Martin)
- !4714 gmain: Reformat docs to fully use gi-docgen and match style guide
- !4720 Disable GMemoryMonitorPsi on Solaris
- !4727 garray: Improve and migrate documentation to gi-docgen
- !4735 build: Fix stp files for development versions
- !4736 systemtap: Use correct formatters/types
- !4738 docs: Add Thomas Haller as a co-maintainer of GObject
- !4739 Annotate ref/unref functions as transfer full
- !4740 gstrfuncs: Check parameter validity
- !4742 garray: Fix g_array_binary_search description
- !4743 Update Russian translation
- !4744 tests/gio: skip Unix socket-mock tests on Windows
- !4747 tests/printf: Use proper compare helper for unsigned types
- !4748 gconstructor: Add attribute used for TLS callback pointer
* Translation updates:
- Russian (jtux270)
- Slovenian (Martin)
2.85.3
* Fix encoding of output from `g_print()` and `g_printerr()` when locale is set
to `.utf8` on Windows (#3341, work by Luca Bacci)
* Bugs fixed:
- #3341 `g_print` and `g_printerr` will cause encoding errors on Windows when
locale is set to `.utf8` (Luca Bacci)
- #3739 Crash in accept_ready() of GThreadedSocketService Under High Load
(Philip Withnall)
- #3740 Documentation of g_win32_error_message does not contain information
about the behaviour when FormatMessageW failed (Philip Withnall)
- #3755 AIX: Unwanted symbol needs to be removed for AIX platform: getpwnam_r,
getpwuid_r (Parth Patel)
- !4706 gthreadpool: Clean up when g_thread_pool_new fails
- !4707 tests: Skip slow mainloop test on valgrind
- !4708 gfilenamecompleter: Fix g_object_unref() of undefined value
- !4709 tests: Connect to GMemoryMonitor signals earlier
- !4712 tests/thread-pool: Add a thread-pool fail test
- !4713 Fix test error for GMemoryMonitor
- !4715 gdbuserror: Reformat docs to fully use gi-docgen and match style guide
- !4722 tests: Add missing unistd.h header to thread-pool test
- !4723 tests: Add a missing poll condition to socket-listener test
- !4724 garray: Pass errors through GByteArray functions
- !4725 garray: Add checks to g_ptr_array_extend_and_steal
- !4726 Add a basic GFilenameCompleter test
- !4728 gbitlock: Fix documentation issues
- !4729 [RFC] Tests: do not set a timeout in Python tests
- !4730 gstrfuncs: Always treat G_MININT64 in g_ascii_strtoll
- !4731 glocalfile: Disable faccessat()-based query_exists on OpenBSD
- !4733 gvalue: Reformat docs to fully use gi-docgen and match style guide
- !4734 gspawn: Improve docstring for g_spawn_async()
2.85.2
* New Linux PSI based backend for `GMemoryMonitor` as an option to use instead
of the existing Low Memory Monitor daemon backend (!4481, work by Kate Hsuan)
* Bugs fixed:
- #1443 Deadlock between g_module_open() and dlopen() when called from a
constructor
- #2848 Doc: clarification request regarding g_match_info_fetch_pos return
value (Mark Lautman)
- #3712 Crash in g_thread_pool_new_full
- #3713 call g_file_enumerator_close in g_file_enumerator_finalize is not safe
(fbrouille)
- #3716 (CVE-2025-7039) (#YWH-PGM9867-104) Buffer Under-read on GLib through
glib/gfileutils.c via get_tmp_file() (Michael Catanzaro)
- #3721 GFile leak in g_local_file_set_display_name during error handling
(Philip Withnall, Michael Catanzaro)
- #3725 Deadlock on source_destroy_lock inside g_main_context_unref() and
g_source_destroy() (with child sources) (Matthew Waters)
- #3726 GApplication sometimes fails to call before_emit (Matthias Clasen)
- !4481 gio: gmemorymonitorpsi: Replace GMemoryMonitor backend with kernel PSI
event
- !4665 gio: enums: Fix GBusNameOwnerFlags's annotation
- !4667 Incorrect output parameter handling in closure helper of
g_settings_bind_with_mapping_closures
- !4669 Add missing `(array zero-terminated=1)` annotations
- !4676 Fix IPv6 scope-id from DNS responses being lost
- !4680 gbacktrace: Correctly wait for children on Unix
- !4681 (CVE-2025-6052) gstring: Improve
g_string_expand/g_string_append_len_inline checks
- !4682 gio-tool-launch: fix %k field code expansion
- !4683 gio-tool-launch: Fix mismatched curly quotes in translatable strings
- !4684 garray: Support unallocated zero terminated arrays
- !4685 garray: Use g_array_elt_len/pos where appropriate
- !4687 gstring: Fix g_string_append_vprintf overflow
- !4690 garray: Fix out of boundary write in g_ptr_array_copy
- !4692 tests: Fix a minor leak in array-test
- !4693 tests: Loosen string comparison assertion in gio-tool.py
- !4694 tests: Do not always skip array overflow checks
- !4695 garray: Add more element_size > 0 checks
- !4698 garray: Avoid exponential growth in g_array_copy
- !4699 garray: Set capacity in terminated take functions
- !4700 gfileutils: Fix OOB read in g_build_path(name)_va
- !4701 gbacktrace: Fix OOB write in stack_trace
- !4702 gio/filenamecompleter: Fix leaks
- !4703 application: NULL check for options
- !4704 tests: Add a regression test for GApplication command line handling
2.85.1
* Re-add the option of a singleton to `GIRepository` (#3664, work by
Christian Hergert)
* Add support for the `e` flag (O_CLOEXEC) to `g_fopen()` (!4564, work by
Luca Bacci and Philip Withnall)
* Make the `sysprof` Meson option yield when using GLib as a subproject (!4659,
work by Matthias Clasen)
* Use the Meson built-in `localedir` option (!4661, work by
Kleis Auke Wolthuizen)
* Bugs fixed:
- #1665 g_file_trash() should return PERMISSION_DENIED if files can't be
deleted (Ignacy Kuchciński)
- #3664 Lack of g_irepository_get_default() equivalent makes cross-library
integration extremely difficult (Christian Hergert)
- #3698 Misleading autogenerated hints in the documentation of
g_async_queue_pop() (Alicia Boya García)
- !4560 glib/gnulib/printf.c: Sync with gnulib
- !4564 gstdio: Add support for the `e` flag (O_CLOEXEC) to g_fopen()
- !4637 Rework Windows implementation of g_getenv()
- !4641 [th/gobj-drop-bit-lock] gobject: drop object_bit_lock() functions
- !4642 [th/gobj-empty-notify-queue] gobject: optimize notify-queue handling
for a single freeze
- !4643 GRegex: apply monospace typeface in description
- !4644 gio: add annotations on parameters of 'g_file_monitor_emit_event' and
of 'g_vfs_get_file_for_path'
- !4645 gregex: Clarify docs for end_pos
- !4646 GRegex: update class description
- !4649 GAsyncQueue: assert non-null data in push_sorted()
- !4650 tests: Add atomics to asyncqueue test global variables
- !4651 Meson: Add libglib_static dependency for use in tests
- !4652 gobject: clarify in documentation that g_value_set_boxed copies
- !4654 Fix buffer overflow in string-test
- !4655 gstring: Fix overflow check when expanding the string
- !4657 docs: Stop hiding the Unix-like APIs which are in Gio-2.0.gir
- !4658 gmarkup: make documentation more discoverable
- !4659 Make the sysprof feature yield
- !4661 meson: Use the appropriate localedir option
2.85.0
* Preserve mode for existing file when creating a temporary file for atomic
updates with g_file_set_contents() (dconf#76, work by Wesley Hershberger)
* Fix race conditions between g_main_context_unref() and g_source_*() methods
(#803, work by Matthew Waters)
* Allow file handles inside nested containers when using the `gdbus call`
command (#3624, work by Julian Sparber)
* Fix DNS resolution of local addresses in offline mode (#3641, work by
Patrick Griffis)
* Various performance improvements to GObject locking (various MRs by
Thomas Haller)
* Prefer matches occurring earlier in the string when searching
`GDesktopAppInfo`s, improving search for apps in gnome-shell (!4369, work by
Fina Wilke)
* Fix thread safety of `GClosure` flags (!4575, !4577, work by Sam James and
Philip Withnall)
* Bugs fixed:
- GNOME/dconf#76 dconf update can set incorrect permissions to dconf system db
(Wesley Hershberger)
- #490 Not clearly documented behavior of g_key_file_set_comment function.
(marklkram)
- #803 g_main_context_unref() versus g_source_*() race (Matthew Waters)
- #1002 GObject doesn't support removing a weak reference in a GWeakNotify for
the same object
- #1250 gsocketlistener: Fix IPv4 listen() error-handling resulting in use-
after-free
- #2377 Document that `g_socket_address_get_native_size()` can return `-1` on
errors
- #2544 Consider `g_log_always_fatal` for aborting in
`g_log_structured_array()` (sid)
- #3405 Enable -Wconversion warnings by default (progress towards this, but it
is not complete)
- #3616 docs: Broken link in GioActionEntry (Philip Withnall)
- #3617 Add generalised version of g_date_get_monday_week_of_year() (Philip
Withnall)
- #3624 `gdbus call` should look for file handles inside nested containers
(Julian Sparber)
- #3630 2.84.0 build failure on Linux: ../gio/gnetworkmonitornetlink.c:47:10:
fatal error: netlink/netlink_route.h: No such file or directory (Philip
Withnall)
- #3634 test failure with gobject-introspection 1.83.4: warning: element
doc:format from state 3 is unknown, ignoring (Philip Withnall)
- #3636 gio/trash does not handle special characters well
- #3641 GResolver: Local DNS resolution failure in offline mode (Patrick
Griffis)
- #3642 `g_cancellable_connect()` documentation incorrect (Marco Trevisan
(Treviño))
- #3643 g_cancellable_connect(): is it safe to unref cancellable from
callback? (Marco Trevisan (Treviño))
- #3649 Crash with some registry key values in GWin32AppInfo (Philip Withnall)
- #3656 Set SYSLOG_IDENTIFIER when logging to journald (Axel Karjalainen)
- #3657 girepository: Wrong typelib path on Windows
- #3663 Cannot use GZlibCompressor in GTK testsuite (Benjamin Otte)
- #3684 UAF in GSignalGroup weak notify callbacks (Thomas Haller)
- #3686 docs.gtk.org doesn't mention that GSourceFuncs.finalize may be NULL
(BZZZZ)
- #3693 Random failures in debian-i386-stable
- !4185 [th/gobject-no-object-locks-pt1-notify] use
`g_datalist_id_update_atomic()` instead of OPTIONAL_BIT_LOCK_NOTIFY
- !4247 mappedfile: Avoid some allocations
- !4369 gdesktopappinfo: Prefer matches that occur earlier in the match string
- !4387 Fix various -Wshorten-64-to-32 warnings
- !4484 Memory sanitizer fixes
- !4489 gobject: Be consistent in using atomic logic to handle the
GParamSpecPool
- !4520 [th/gdataset-cleanup] minor cleanups of gdataset
- !4536 [th/gobj-closure-array-atomic] use g_datalist_id_update_atomic() for
array of closure watches
- !4541 gsettings: Port docs to gi-docgen format, add missing annotations and
make various improvements
- !4544 tests: Don't install runner scripts without installed_tests
- !4545 Update French translation
- !4547 Update Catalan translation
- !4548 Update Turkish translation
- !4551 Updated Danish translation
- !4552 Update Persian translation
- !4553 docs: Document GSignalFlags members added after 2.0
- !4554 Update Indonesian translation
- !4555 tests: Add a test for g_object_freeze_notify() being called too often
- !4557 gfileinfo: Slightly expand docs for
g_file_info_get_attribute_as_string()
- !4558 gi: Dynamically set doc-format
- !4561 tests: Various fixes to create temporary files in /tmp rather than the
build directory
- !4562 gdbusnameowning: Convert docs to gi-docgen linking syntax
- !4563 giounix-private: Fix macro for checking for epoll_create1()
- !4565 Fix LGPL in header
- !4567 gutils: make documentation of g_set_prgname() clearer
- !4568 docs: Add some detail
- !4569 Update Romanian translation
- !4570 gspawn-win32: Fix potential integer overflows in argv handling
- !4571 gvarianttype: Improve docs on type validation
- !4575 gclosure: fix ATOMIC_CHANGE_FIELD to read vint atomically
- !4577 gclosure: Allow full set of closure flags to be queried atomically
- !4578 [th/bit-lock-and-set] bitlock: add g_bit_lock_and_get() and
g_bit_unlock_and_set() API
- !4579 tests: Add missing unistd.h include to scannerapi.c
- !4581 [th/gobj-no-weak-ref-lock] drop OPTIONAL_BIT_LOCK_WEAK_REFS object
lock for `g_object_weak_{ref,unref}()`
- !4583 thread: fix Linux detection
- !4585 gfile: Expand documentation around file info for inaccessible files
- !4586 [th/gobj-doc-weakref] clear #GWeakRef earlier in
g_object_run_dispose() and reword docs about #GWeakRef
- !4588 gstring: carefully handle gssize parameters
- !4590 Various -Wsign-conversion warning fixes
- !4591 gthreadedresolver: fix crash in loopback interface check
- !4592 gstring: Make len_unsigned unsigned
- !4594 Enable -Wsign-conversion for girepository, gthread, gmodule
- !4596 docs: Mention how to run the test suite in CONTRIBUTING.md
- !4598 gtlsconnection: Fix annotation
- !4599 Mark pointer as (type gpointer)
- !4601 garray: Fix annotations
- !4602 docs: fix typo glong: ULONG_MAX -> LONG_MAX
- !4603 Fix GNetworkMonitorNetlink operation under a FreeBSD jail with shared
network stack
- !4604 cocoa: add support for GBytesIcon in notification backend
- !4605 gparamspecs: Use standard min/max constants rather than literals
- !4606 gobject, girepository: Fix several -Wsign-conversion warnings on macOS
- !4609 Update Portuguese translation
- !4610 Update Ukrainian translation
- !4613 Update macOS job for new CI runner
- !4615 shell: Handle empty comment gracefully
- !4619 gslist: Improve documentation for append / prepend / insert methods
- !4620 glocalfile: Disable faccessat()-based query_exists on Android
- !4621 gallocator: mark as deprecated
- !4627 [th/gsignalgroup-dispose] gsignalgroup: make GSignalGroup.dispose() a
bit more reentrant
- !4628 [th/gdataset-fix-zero-key] fix and cleanup related to using a zero
GQuark for keys in GData
- !4631 Update German translation
- !4632 win32: Only print one OS version
- !4633 gzlibcompressor: Convert docs to gi-docgen linking syntax
- !4638 docs: Fix formatting of definition lists
* Translation updates:
- Catalan (Jordi Mas)
- Danish (Ask Hjorth Larsen)
- French (Vincent Chatelain)
- German (Philipp Kiemle)
- Indonesian (Andika Triwidada)
- Persian (Danial Behzadi)
- Portuguese (Hugo Carvalho)
- Romanian (Antonio Marin)
- Turkish (Sabri Ünal)
- Ukrainian (Yuri Chornoivan)
2.84.1
* Fix test failure when building against gobject-introspection ≥1.83.4 (#3634,
work by Philip Withnall)
* Bugs fixed:
- #3630 2.84.0 build failure on Linux: ../gio/gnetworkmonitornetlink.c:47:10:
fatal error: netlink/netlink_route.h: No such file or directory (Philip
Withnall)
- #3634 test failure with gobject-introspection 1.83.4: warning: element
doc:format from state 3 is unknown, ignoring (Philip Withnall)
- #3636 gio/trash does not handle special characters well
- #3642 `g_cancellable_connect()` documentation incorrect (Marco Trevisan
(Treviño))
- #3643 g_cancellable_connect(): is it safe to unref cancellable from
callback? (Marco Trevisan (Treviño))
- #3649 Crash with some registry key values in GWin32AppInfo (Philip Withnall)
- !4484 Memory sanitizer fixes
- !4489 gobject: Be consistent in using atomic logic to handle the
GParamSpecPool
- !4541 gsettings: Port docs to gi-docgen format, add missing annotations and
make various improvements
- !4544 tests: Don't install runner scripts without installed_tests
- !4545 Update French translation
- !4547 Update Catalan translation
- !4548 Update Turkish translation
- !4551 Updated Danish translation
- !4552 Update Persian translation
- !4553 docs: Document GSignalFlags members added after 2.0
- !4554 Update Indonesian translation
- !4555 tests: Add a test for g_object_freeze_notify() being called too often
- !4557 gfileinfo: Slightly expand docs for
g_file_info_get_attribute_as_string()
- !4558 gi: Dynamically set doc-format
- !4561 tests: Various fixes to create temporary files in /tmp rather than the
build directory
- !4562 gdbusnameowning: Convert docs to gi-docgen linking syntax
- !4563 giounix-private: Fix macro for checking for epoll_create1()
- !4565 Fix LGPL in header
- !4567 gutils: make documentation of g_set_prgname() clearer
- !4568 docs: Add some detail
- !4569 Update Romanian translation
- !4570 gspawn-win32: Fix potential integer overflows in argv handling
- !4571 gvarianttype: Improve docs on type validation
* Translation updates:
- Catalan (Jordi Mas)
- Danish (Ask Hjorth Larsen)
- French (Vincent Chatelain)
- Indonesian (Andika Triwidada)
- Persian (Danial Behzadi)
- Romanian (Antonio Marin)
- Turkish (Sabri Ünal)
2.84.0
* Bugs fixed:
- #3590 Update Slovenian (sl) translation in glib
- !4539 Update Korean translation
- !4540 tests: Minor fixes to reference and stream-rw_all tests
- !4542 gdebugcontrollerdbus: Fix a minor typo in a code example in the docs
- !4543 Update Hungarian translation
* Translation updates:
- Hungarian (Balázs Úr)
- Korean (Changwoo Ryu)
- Slovenian (Martin)
2.83.5
* A few improvements for when GLib is used as a subproject (#3625, #3626, work
by Simon McVittie)
* Fix out-of-order parameters in a marshaller generated by `gdbus-codegen`
(!4524, work by Ryan Gonzalez)
* Bugs fixed:
- #3272 gutils-user-database test crashes in CI with G_DISABLE_ASSERT and -m
thorough (Philip Withnall)
- #3424 Update the release instructions (Philip Withnall)
- #3615 Use of timeout in GApplication example code (Reuben Thomas)
- #3625 when GLib is a subproject, check-missing-install-tag.py asserts that
the parent project has install tags (Simon McVittie)
- #3626 when GLib is a subproject and pcre2 is a subproject, pcre2's tests are
run (Simon McVittie)
- !4507 [th/gdataset-misc] minor improvements in gdataset.c (around
g_datalist_id_remove_multiple())
- !4508 [th/datalist-update-atomic-no-keyid] gdataset: drop "key_id" argument
from GDataListUpdateAtomicFunc
- !4509 tests: Search the appropriate directories for our GIR XML inputs
- !4510 doc: Simplify instructions for testing with Automake
- !4511 Update Georgian translation
- !4512 Update Czech translation
- !4513 [th/gobject-inline-private-call] gobject: avoid GLIB_PRIVATE_CALL()
for g_datalist_id_update_atomic
- !4514 Update Ukrainian translation
- !4515 doc: point to iconv(3) and iconv(3posix) for more details about iconv
- !4516 Update Bulgarian translation
- !4517 Update file fa.po
- !4518 Update Chinese translation
- !4521 docs: Fix man page link for xattrs
- !4522 Meson: Disable lint+no-valgrind tests when tests option is set to
false
- !4523 [th/gobj-performance-fixes] improvements and fixes for gobject's
`performance.c` benchmark
- !4524 gdbus-codegen: Fix callback GUnixFDList parameter order
- !4526 [th/gobj-performance-2] more improvements to GObject's `performance.c`
and add test "property-set-signaled"
- !4527 Updated Lithuanian translation
- !4529 Update Portuguese translation
- !4531 Update Swedish translation
- !4535 Update Galician translations
* Translation updates:
- Bulgarian (Alexander Shopov)
- Chinese (China) (lumingzh)
- Czech (AsciiWolf)
- Galician (Fran Diéguez)
- Georgian (NorwayFun)
- Lithuanian (Aurimas Černius)
- Persian (Danial Behzadi)
- Portuguese (Hugo Carvalho)
- Swedish (Anders Jonsson)
- Ukrainian (Yuri Chornoivan)
2.83.4
* Fix Python shebang paths so they work on Windows again (#3331, work by
Dan Yeaw and others)
* Fix refcounting semantics of `g_dbus_connection_register_object_with_closures()`
by adding a replacement API (#3560, work by Philip Withnall)
* Support static vfuncs in GIRepository (!4457, work by Philip Chimento)
* Add support for QNX8.0 (!4466, work by Felix Xing)
* Add a soft dependency on C11 — if your toolchain doesn’t support C11, you have
six months to tell us before this becomes a hard dependency (!4473)
* Port from `net.hadess.PowerProfiles` to `org.freedesktop.UPower.PowerProfiles`
for `GPowerProfileMonitorDBus` (!4478, work by Marco Trevisan)
* Bugs fixed:
- #3331 Windows build broken because of Python paths (Dan Yeaw)
- #3448 Use after free in GCancellableSource test (Marco Trevisan (Treviño))
- #3560 Fix refcounting semantics of
g_dbus_connection_register_object_with_closures() (Philip Withnall)
- #3578 gkeyfile: Honor C in $LANGUAGE as gettext does (Gaël Bonithon)
- #3587 g_app_info_launch crashes on macos (Andre Miranda)
- #3592 GDBusConnection does not handle serial number overflow (Philip
Withnall)
- #3595 Toolchain documentation should mention that GLib assumes functions can
be called through wrongly-typed function pointers (Demi Obenour)
- #3612 cancellable unit test crashes in /cancellable-source/threaded-dispose
(Marco Trevisan (Treviño))
- #3613 Potentially revert g_win32_com_clear() due to pulling in windows.h
- !3255 Drop TypeNode reference counting
- !4046 Add G_OPTION_FLAG_DEPRECATED
- !4457 Support static vfuncs in GIRepository
- !4461 docs: Update the release documentation for the new release workflow
- !4464 gosxappinfo: Fix leak
- !4466 Add support for QNX8.0
- !4468 Registry backend fixes
- !4471 glib.supp: Ignore once-per-thread leak from SysprofCollector
- !4472 gkeyfile: Convert docs to gi-docgen linking syntax
- !4473 build: Add a soft dependency on C11
- !4475 docs: Fix invalid references and broken links
- !4476 tests: Cleanup python tests and add tests for gi-compile-repository
and gi-inspect-typelib
- !4477 gcancellable: remove sketchy source ref/unref
- !4478 gio/powerprofilemonitordbus: Use newer D-Bus API
- !4479 docs: Make docs more markdown-ish
- !4483 tests: Fix a memory leak if a callable-info test is skipped
- !4486 meson: Fix typo in comment about python shebang
- !4487 gio/gfilemonitor: Use atomic API to get / store cancelled state
- !4488 gmain: Use atomic logic to handle internal GSource flags
- !4490 gio/subprocess: Lock while writing on shared pid and status values
- !4491 Update Brazilian Portuguese translation
- !4492 gfilemonitor: Various cleanups and minor fixes to property handling
- !4493 gdbus: Add g_clear_dbus_signal_subscription() inline convenience
function
- !4494 gio/subprocess: Initialize pid variable to 0
- !4495 gio/gvolumemonitor: Suggest disconnecting signals
- !4496 Update Polish translation for GNOME 48
- !4497 tests: Fix a minor leak in a new GSubprocess test
- !4498 gdatetime: Fix integer overflow when parsing very long ISO8601 inputs
* Translation updates:
- Polish (Piotr Drąg)
- Portuguese (Brazil) (Rafael Fontenelle)
2.83.3
* Fix build-time paths appearing in generated `Gio-2.0.gir` and
`GioUnix-2.0.gir` files (#3564, work by Simon McVittie)
* Fix crash on macOS when opening links (#3568, work by John Ralls)
* Bugs fixed:
- #3558 Recent `(inout)` changes caused unintended side-effects with
`GWeakRef` (Michael Catanzaro)
- #3561 Missing nullable annotation on parameter user_data and on the return
value of GVfsFileLookupFunc callback (fbrouille)
- #3562 GBytes semantics of handling empty strings are inconsistent and
confusing (Philip Withnall)
- #3563 Bad anchor link in g_signal_connect() documentation
- #3564 build-time paths to gio/gunixmounts.h, etc. end up in Gio-2.0.gir,
GioUnix-2.0.gir (Simon McVittie)
- #3568 Links crash application on MacOS due to lack of machine-id file (John
Ralls)
- #3569 Requirement of GUnixMountMonitor for a Valid Timestamp from
unix_mount_at is not Suffeciently Documented (Philip Withnall)
- #3582 gmacros: _G_BOOLEAN_EXPR_IMPL is incompatible with c++ functions
marked constexpr
- !3885 [th/gdataset-index] add a lookup index (GHashTable) to `GData`
- !4392 GWin32: Add g_win32_com_clear()
- !4436 docs: Add --generate-md to the gdbus-codegen documentation
- !4437 docs: Fix some backslash escaping issues in doc comments
- !4440 gio, gobject: Improve reproducibility of enumtypes headers
- !4441 gstrfuncs: Drop a redundant paragraph
- !4442 Don't define test setups unless we're testing
- !4443 build: Make the introspection feature yield
- !4444 Fix pointer-to-paramref syntax in docs
- !4446 gio: Fix a link to a specifications document
- !4449 Add several assertions to help static analysis and fix some GIR
annotations
- !4450 Fix GCC version detection for GUINT*_SWAP_LE_BE
- !4454 gioenums: Add deprecation for FLAGS_NONE
- !4455 docs: Use gi-docgen syntax in main-loop.md
- !4458 docs: Document more extension points
- !4460 docs: Clarify that g_array_unref() works like g_ptr_array_unref().
2.83.2
* This release has the same code as 2.83.1, but contains a fix for release
archive generation which means that 2.83.1 does not have a release archive
* Bugs fixed:
- !4433 ci: Enable -Dintrospection for dist builds
2.83.1
* Bugs fixed:
- #1251 gio/tests/contenttype fails on OS X: "public.directory" !=
"public.folder"
- #3441 Bump minimum supported version of macOS (John Ralls)
- #3493 Heap buffer overflow read in utf8_verify_ascii() (Philip Withnall)
- #3511 Build failure “'ifunc' is not supported on this target” with muslc
(Philip Withnall)
- #3517 Silent linked-list corruption in g_static_resource_init() on redundant
calls
- #3524 Wrong parameter type for g_enum_register_static in GObject-2.0.gir
(Jan-Willem Harmannij)
- #3526 Segfault in statically linked binary during initialization of ifuncs
since 2.83.0 (Philip Withnall)
- #3532 g_converter_output_stream_write() can return 0 (Benjamin Otte)
- #3540 g_signal_connect on "notify::non-existant-property" doesn't warn for
invalid property (Sid)
- #3545 Modernize the default value for g_thread_pool_set_max_unused_threads
(Matthias Clasen)
- #3546 Make the thread name available (Matthias Clasen)
- #3548 Fix g_settings_schema_has_key() to work with extended schemas
- #3552 Missing nullable annotation for `log_domain` in `GLogFunc` callback
(Roberto Leinardi)
- #3559 2.82.3 regression: lollypop crashes on startup (Philip Withnall)
- !4232 refstring: Fix race between releasing and re-acquiring an interned
GRefString
- !4382 girepository: gi_object_info_find_signal(): Avoid repeated allocations
- !4384 test utils: Make nonfatal assertions an option
- !4385 gutf8: Skip ASan instrumentation for load_word
- !4389 macos: Add extra content type tests
- !4393 Replace procfs linuxism with kinfo freebsdism
- !4395 appmonitor: Fix warning building test
- !4396 tests: Factor out a function to convert FD to path
- !4398 grefstring: Mark a variable as potentially unused
- !4399 meson: Add variables to -uninstalled.pc files
- !4401 testutils: Documentation improvements
- !4403 Revert "CI: Rebuild a slightly newer version of ninja for debian-
stable-i386"
- !4406 glib/gbytes: Be more careful when saving a GBytes of NULL
- !4407 guri: Fix paths starting with ‘//’ when parsing
- !4410 threadpool: Simplify pool thread naming
- !4411 gdbusconnection: Allow creating connection with cross-namespace
- !4412 gmessages: Treat DEBUG_INVOCATION=1 same as G_MESSAGES_DEBUG=all
- !4413 gunicode: Update some comments in gunicode.h for Unicode 16.0.0
- !4414 gdbus: Add a few missing `(nullable)` annotations to GDBus method
invocation related functions
- !4415 gdbus: Fix leak of method invocation when registering an object with
closures
- !4421 gparam: Add link to constructed vfunc to CONSTRUCT
- !4422 docs: Fix dead link in CONTRIBUTING
- !4423 gio-tool: Clarify that `gio mount -l` only lists user-interesting
things
- !4424 ci: Ensure all variables are quoted in .gitlab-ci.yml
- !4425 tests: Skip unsupported dbus-appinfo test on GNU/Hurd for the moment
- !4428 girepository: Expose gi-compile-repository and gi-* tools in pkg-
config
- !4429 gdbus: Add nullable annotations for fd list outs
- !4432 ci: Add release component to automate tarball publishing
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 13:22:16 +0000 (15:22 +0200)]
protobuf: Update to version 32.1
- Update from version 30.2 to 32.1
- Update of rootfile
- Changelog
32.1
Compiler
Ship all option dependencies to plugins along with regular ones. (34d6c85)
Unify plugin and built-in generators to use request/response interface
(b98f6ee)
Disable symbol visibility enforcement by default in C++ runtime (aad0daa)
C++
Disable symbol visibility enforcement by default in C++ runtime (aad0daa)
Java
Fix handling of optional dependencies in java generator. (892e0d5)
Restore Protobuf Java extension modifiers in gencode that were previously
removed in 7bff169 (4a18be6)
Restore ABI compatibility for extension methods which was previously
(knowingly) broken with 4.x: 94a2a44 (501f4a5)
Cherrypick test improvements (d365736)
Fix handling of optional dependencies in java generator. (9325480)
Ship all option dependencies to plugins along with regular ones. (34d6c85)
Unify plugin and built-in generators to use request/response interface
(b98f6ee)
Csharp
Regenerate stale files (299774c)
PHP
Fix: remove provide from composer.json (bc5f303)
32.0
Bazel
Migrates some Java test protos using java_features.proto to edition 2024
(6f4a990)
Add generated message reflection unittest for import option and
option_deps test proto in edition 2024. (c51df73)
Replace the usage of cc_info.debug_context with _debug_context (776c5f2)
Generate .pyi files in py_proto_library (#10366) (#21567) (e3e56c7)
Introduce denylisted_protos as a preferred replacement for
blacklisted_protos attribute. (795ab9d)
Use native.proto_library for Bazel 7 and explicitly error for Bazel 6
which is incompatible and out of support. (da0077e)
Require ProtoInfo provider instead of proto_library rule for bazel
cc_proto_library deps. (639f1c9)
Compiler
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Deprecate google.protobuf.Method.syntax and google.protobuf.Method.edition
(9ec241e)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Ban import weak and weak field option in edition 2024 in protoc (parser
and c++ runtime). (a2a0511)
C++
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Add generated message reflection unittest for import option and
option_deps test proto in edition 2024. (c51df73)
Remove the flag requirement for Bazel+MSVC users. (c6ba697)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Cast GetCachedTID() to unsigned to prevent left-shifting a negative
number. (3e935cf)
Update comment at the top of message.h and message_lite.h to document that
it should only be extended by gencode and not user code. (6a6ba52)
Treat warnings encountered in chromium builds as errors. (21c3c53)
Ban import weak and weak field option in edition 2024 in protoc (parser
and c++ runtime). (a2a0511)
Java
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Remove CollectExtensions check banning unknown custom options since
unknown custom options are now expected when using import option and
option_deps which exclude the options from the "builder" pool
(aka "import" pool). (694eedd)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Migrates some Java test protos using java_features.proto to edition 2024
(6f4a990)
Restore compatibility of runtime with pre-3.22.x gencode impacted by
CVE-2022-3171 (adf556f)
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Restore the long-deprecated static functions on TextFormat. (5777d3b)
Add Kotlin class name helpers to names.h (527b2ab)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Update Java gencode base class documentation to clarify that it is not
supported to extend them. (c3177fb)
Add a FieldMaskUtil#trim overload that accepts TrimOptions and allows
retaining unset primitive field state. (84c5b63)
Csharp
Update staleness (0014173)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Include also ARM build of protoc in nuget package (#21568) (c2b4040)
Improve C# handling of Any JSON serialization/deserialization (dc4e429)
Objective-C
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Rust
Rust: remove DEP_UPB_VERSION check in codegen crate (#22764) (6f6012a)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Update Rust generator to output minidescriptors instead of C minitables
(1b4b5fc)
Add [clear_and_]parse_dont_enforce_required() to Rust protobuf. (e2fd7a0)
Add #[non_exhaustive] on the oneof-case enum (aba2075)
Impl Clone for RepeatedIter (aca1ed5)
See also UPB changes below, which may affect Rust.
Python
Strip extensions from option imports that are known in CollectExtensions
due to polluted pool from protoc parse when used with protoc full +
java built in generator. (ef3f9ca)
Manually migrate top-level protobuf unittest protos from edition 2023 to
edition 2024. (7359f75)
Raise warnings for float_precision from python json_format. (#23042)
(1a7e012)
Raise warnings when assign bool to int/enum (#23030) (0b25f7b)
Update python edition default maximum edition to 2024 (#22889) (72abf95)
Make protobuf codebase compatible with
--incompatible_config_setting_private_default_visibility (#22745)
(5e2838e)
Add Python deprecation warnings for Descriptor Label. (64a76e6)
Updating setuptools to patch CVE-2025-47273 (#22094) (508aba1)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Extend gencode compatibility support back to 3.20.0 (1af7fd4)
Change proto_api work with custom pool for upb and pure python. (49d9e2d)
Python pyi print "import datetime" for Duration/Timestamp field (f59b84a)
Add reference leak check to Python well_known_types_test. Fix two refleak
bugs. (e5f9ab4)
Add reference leak check to Python timestamp_test and duration_test. Fix a
refleak bug when assign datetime/duration to Timestamp/Duration (e004c8b)
Add recursion depth limits to pure python (17838be)
Remove calls to Label within Protobuf Python. (f69180a)
Change Python .pyi stubs to generated _Optional[] for bool fields same
with (6972464)
Remove internal/api_implementation.Version() (cbad456)
Fix python proto_api to work with messages that required fields are not
set. (f63ed55)
Fix python upb crashes on map/repeated reference stub destructor (4274909)
Mark Py JSON float_precision deprecated. (727a8ed)
PHP
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Fix(php): use count instead of ->count() to avoid bug in c-extension
(9fbce62)
[php][compiler][ext] - Add missing has* methods and other well known types
(#20636) (01a7429)
Fix PHP 8.4 deprecation in GPBDecodeException (#21232) (676666e)
PHP C-Extension
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Change 'getLabel is deprecated' to E_USER_DEPRECATED (158d8ac)
[php][compiler][ext] - Add missing has* methods and other well known types
(#20636) (01a7429)
See also UPB changes below, which may affect PHP C-Extension.
Ruby
Make protobuf codebase compatible with
--incompatible_config_setting_private_default_visibility (#22745)
(5e2838e)
Enable edition 2024 support in protoc and language generators for cpp,
hpb, java, kotlin, objectivec, php, python, pyi, rust. (26843b3)
Fix silent failure of rb_test rules to run test (#21733) (4f74764)
Ruby C-Extension
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Removed wrap_memcpy.c compatibility shim for pre-2.14 glibc (4ba9733)
See also UPB changes below, which may affect Ruby C-Extension.
UPB (Python/PHP/Ruby C-Extension)
Update our compiled_edition_default's maximum_edition to 2024 (#22870)
(6216ae4)
Make protobuf codebase compatible with
--incompatible_config_setting_private_default_visibility (#22745)
(5e2838e)
Add upb_Message_SetExtensionMessage as a helper for setting a extension
field that is a message. This is the extension equivalent of
upb_Message_SetBaseFieldMessage. (f15d28a)
Other
Update github major version tags to be formatted v..- for clarity (e001d57)
Upgrade Abseil dependency to 20250512.1 (ee68ed1)
Patch rules_ruby to apply neverlink = True to the jars rule (#21416)
(88e11bd)
31.1
Compiler
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
C++
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
Java
Add missing copts attribute (#21982) (bec5b5a)
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
Python
Support allowing late injection of language feature set defaults from
FeatureSet extensions while getting feature set extension values.
(3419598)
Python pyi print "import datetime" for Duration/Timestamp field (#21885)
(0fe099a)
Add recursion depth limits to pure python (a3921fb)
Other
Fix cmake staleness test (96a9ef6)
31.0
Bazel
Loosen py_proto_library check to be on the import path instead of full
directory (i.e. excluding external/module-name prefix). (a4be867)
Compiler
Add support for import option for protoc.(9901db6)
Add notices.h with information about our dependencies' licenses and add
--notices flag to protoc to print the contents of that file. (7a26486)
Move upb minitable code generator into protoc (dce6b0f)
Upgrade abseil-cpp to 20250127 and use @com_google_absl -> @abseil-cpp and
com_google_googletest -> @googletest canonical BCR names. (ba6b54d)
C++
Remove fast-path check for non-clang compilers in MessageCreator. (aa5410d)
Add missing include. (d390631)
Add weak attribute to GetClassData to speed up clang builds. (d896480)
Add nontemporal software prefetcher to repeated ptr field dtor to improve
performance. (73f3469)
Warn on unused RepeatedPtrField. (683e9d2)
Add notices.h with information about our dependencies' licenses and add
--notices flag to protoc to print the contents of that file. (7a26486)
Fix a bug in handling of implicit-presence string_view fields. (bd70a7c)
Control bounds checks via BUILD flags. (d21e8ef)
Upgrade abseil-cpp to 20250127 and use @com_google_absl -> @abseil-cpp and
com_google_googletest -> @googletest canonical BCR names. (ba6b54d)
Create hardened versions of Get and Mutable for repeated_field. (ffade4a)
Java
Add weak attribute to GetClassData to speed up clang builds. (d896480)
Use ProtobufToStringOutput to control the output format of
AbstractMessage.Builder.toString. (f5cb162)
Implement Protobuf Java Immutable API nest_in_file_class feature for
Edition 2024. (0416c3e)
Introduce a Generated annotation to eventually replace
javax.annotation.Generated (31e57fc)
Add volatile to featuresResolved (9e03ca5)
Fix Java concurrency issue in feature resolution for old <=3.25.x gencode
using lazy feature resolution. (fafb0fd)
Remove Java runtime classes from kotlin release. (079be27)
Split maven dependencies into dev vs local (#20549) (e045fc6)
Improve error messaging when detecting and erroring out on integer
overflow of byte count limit variables. (097fdb8)
Kotlin
Remove Java runtime classes from kotlin release. (079be27)
Csharp
Remove "experimental API" warnings from members in the .NET protobuf
runtime. (afea52f)
Improve performace of repeated packed fixedSize fields (#19667) (85507b9)
Objective-C
[ObjC] Deprecate GPBFieldDescriptor.isOptional. (86ab252)
[ObjC] Raise the library version and enable new generated code. (a639cf8)
Rust
Cherry-pick Rust fix to 31.x (#21617) (01b42bb)
Add upb_Map_GetMutable API to upb (dd5bf5e)
See also UPB changes below, which may affect Rust.
Python
Update GetCurrentTime to use datetime.datetime.now (01b154c)
Make Py JSON float_precision apply to both float and double fields. (5b54ee3)
-Add '+' and '-' annotations for Timestamp and Duration in Python (fff783e)
Bug fix for FieldMask.MergeFrom() with unset fields. (1c87ac3)
Make python text_format able to skip unknown fields for repeated messages
(dcafca2)
Fix segment fault for UPB Pyhon 'in' method of empty repeated extensions
(da04261)
Fix upb to escape DefinitelyNeedsEscape (like " and ') for bytes field
(b234305)
Check with fallback descriptorDB for
FindExtensionByNumber()/FindAllExtensions in UPB python pool. (9fd28d9)
Add clear() method to repeated fields in Python. (0324f39)
Register Scalar/MessageMapContainerTypes as virtual subclasses of (9a0b591)
Fix python codegen crash when C++ features are used. (308aaf4)
Add more detail to the comment for GetMessageClassesForFiles (9befb58)
Add constructing unpack routine to Python Protobuf Any API. (fb78c09)
Implement typing for proto Timestamp/Duration assignments. (0e3326b)
PHP
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Feat(php): improve return typehint when repeatedfield (#11734) (e04fe69)
PHP C-Extension
Automated rollback of commit f9863df. (#21355) (a59988c)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Feat(php): improve return typehint when repeatedfield (#11734) (e04fe69)
See also UPB changes below, which may affect PHP C-Extension.
Ruby
Fix silent failure of rb_test rules to run test (#21733) (0cf5489)
Ruby | Add support for a protobuf debug build (#21060) (59e1f0f)
Ruby | Support installing the gem via git and some other small build
tweaks (#21061) (d3560e7)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
[Ruby]Implement #to_hash for message classes (#20866) (5596f6d)
Drop Ruby 3.0 (5de7c80)
Fixes #18726 by backslash escaping descriptor data containing # if the
hashmark appears immediately before any of $, {, or @. (fffa3da)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Ruby: fix bug in Map.hash (b968d0d)
Ruby C-Extension
Ruby | Add support for a protobuf debug build (#21060) (59e1f0f)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Ruby: fix bug in Map.hash (b968d0d)
See also UPB changes below, which may affect Ruby C-Extension.
UPB (Python/PHP/Ruby C-Extension)
Fixed LTO-only linker error in upb linker arrays. (3434a21)
Deprecate Descriptor Label. As an alternative, add helper methods for
checking whether a field is required or repeated. (d82de8f)
Add upb_Map_GetMutable API to upb (dd5bf5e)
Fix upb to escape DefinitelyNeedsEscape (like " and ') for bytes field
(b234305)
Upb: delete functions in map_gencode_util. They're unused after the Map
iterator API change. (f398807)
Upb: Update _upb_map_next signature to return a boolean and remove the
_nextmutable Map iterator API. (e4cdf44)
Change upb C generated map iteration function to not hand out MapEntry
pointers. (3a3d697)
Ruby: Allow to get a file descriptor by a file name (#20287) (c398592)
Expose the upb_ByteSize function to upb clients. Note that the current
naive implementation is no more efficient than serializing the message
yourself and noting the resulting size. (121fdaa)
Move upb minitable code generator into protoc (dce6b0f)
Tolerate message set extensions encoded as normal deliminited submessages
(c63fd56)
Automated rollback of commit 6bde8c4. (8ef81fb)
Fix UPB fast table build. (46f9e29)
Other
Patch rules_ruby to apply neverlink = True to the jars rule (#21416)
(#21505) (664d94a)
Restore JDK8 compatibility in Bazel for libraries with dependencies from
Maven (e.g. //java/util) (e8edc5d)
Protobuf: add //:go_features_proto Bazel alias (f79be3e)
Fixes -lpthread problem when building with android_arm64 config (#20337)
(4f5968a)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:56:31 +0000 (14:56 +0200)]
pango: Update to version 1.57.0
- Update from version 1.56.4 to 1.57.0
- Update of rootfile
- Changelog
1.57.0
Bugs fixed:
- #841 Synthetic small caps does not work with Core Text on Mac (Xavid
Pretzer)
- #864 Possible performance issue under windows (Luca Bacci)
- #866 U+FE0E (text-style selector) ignored when COLRv1 emoji fonts are
present (Matthias Clasen)
Changes:
- !874 Remove conditional code for pre-GLib 2.80 support
- !875 Fix OpenType features set for all petite caps
- !876 Add Cocoa window support for pango-view on macOS
- !877 fc: Update against fontconfig 2.17
- !878 coretext: remove fallback for macOS 10.7 (EOL 2012) and earlier
- !879 meson: Rework introspection handling
- !881 Fix -Wenum-conversion warning with PangoFontColor
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:53:19 +0000 (14:53 +0200)]
nasm: Update to version 3.00
- Update from version 2.16.03 to 3.00
- Update of rootfile not required
- Changelog
3.00
Improve the documentation for building from source (appendix D).
Add support for the APX and AVX10 instruction sets, and various
miscellaneous new instructions.
Add new preprocessor functions: %b2hs(), %chr(), %depend(), %find(),
%findi(), %hs2b(), %null(), %ord(), %pathsearch(), and %realpath().
See section 5.4.
New preprocessor directive %note to insert a note in the list file,
without issuing an external diagnosic. Unlike a comment, it is
optionally macro-expanded, see section 5.11.
New preprocessor directive %iffile (and corresponding function %isfile())
to test for the existence of a file. See section 5.6.12.
New preprocessor directive %ifdirective to test for the existence of a
preprocessor directive, assembly directive, or pseudo-instruction; see
section 5.6.10.
Fix a number of invalid memory references (usually causing crashes) on
various invalid inputs.
Fix multiple bugs in the handling of $–escaped symbols.
The use of $ as a prefix for hexadecimal numbers has been deprecated, and
will now issue a warning. A new directive [DOLLARHEX] can be used to
disable this syntax entirely, see section 8.12.
Fix the generation of segment selector references (mainly used in the obj
output format.)
Fix crash in the obj backend when code was emitted into the default
segment, without any labels having been defined.
Clean up the command-line help text (-h) and break it down into individual
topics, as the previous output was just too verbose to be practical
as a quick reference.
The implicit DEFAULT ABS in 64-bit mode is deprecated and may be changed
to REL in the future. See section 8.2. A warning is now emitted for
this condition.
It is now possible to set the REL/ABS default for memory accesses using
FS: or GS:, see section 8.2.
The __?DEFAULT?__ standard macro now reflects the settings of the DEFAULT
directive. See section 6.4.
The NASM preprocessor now assumes that an unknown directive starting
with %if or %elif is a misspelled or not yet implemented conditional
directive, and tries to match it with a corresponding %endif. See
section 5.6.14.
The masm macro package now defines a macro for x87 register syntax. See
section 7.5.
A new macro package, vtern, to simplify generation of the control
immediates for the VPTERNLOGD and VPTERNLOGQ instructions. See
section 7.6.
A new command line option -LF allows overriding [LIST -] directives.
In the obj output format, allow a segment in the FLAT pseudo-group to also
belong to another (real) group. Used on OS/2.
Add a new build_version directive to the Mach-O backend. See section 9.8.6.
Fix a spec violation in the generation of DWARF debugging information on ELF.
Response files can now be nested.
Many documentation improvements.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:45:08 +0000 (14:45 +0200)]
libxml2: Update to version 2.15.0
- Update from version 2.14.6 to 2.15.0
- Update of rootfile
- Changelog
2.15.0
Major changes
The API documentation is now generated with Doxygen. Building the
documentation requires the new --with-docs configuration option as well
as Doxygen, xsltproc and the DocBook 4 XSLT stylesheets.
The Python bindings are disabled by default now. Building the bindings
also requires Doxygen.
Support for Schematron is now disabled by default.
The parser option XML_PARSE_UNZIP is now required to read compressed data.
HTML serialization and handling of character encodings is more in line
with the HTML5 spec now.
More accessors for xmlParserCtxt were added.
Deprecations
More internal functions and struct members were deprecated.
Removals
The built-in HTTP client and support for LZMA compression were removed.
The custom Windows build system in `win32` was removed in favor of CMake.
Planned removals
The Python bindings and support for Schematron validation are planned to
be removed in the 2.16 release.
The following features are considered for removal:
- Modules API (xmlmodule.h)
- Support for zlib compressed file I/O
RELAX NG support is still in a bad state and a long-term removal
candidate.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:39:32 +0000 (14:39 +0200)]
iproute2: Update to version 6.17.0
- Update from version 6.16.0 to 6.17.0
- Update of rootfile
- Changelog is not provided. Details of changes can be found from the git commit changes
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:35:56 +0000 (14:35 +0200)]
harfbuzz: Update to version 12.1.0
- Update from version 11.4.5 to 12.1.0
- Update of rootfile
- Changelog
12.1.0
- Build fixes with GCC 15 on some 32 bit platforms.
- Fix misaligned pointer use.
- New API, `hb_ot_layout_lookup_collect_glyph_alternates()`, to collect glyph
substitutions from single and alternate substitution lookups in one call,
instead of getting substitutions one by one using
`hb_ot_layout_lookup_get_glyph_alternates()`.
- New API
+hb_ot_layout_lookup_collect_glyph_alternates()
12.0.0
- The major feature of this release is that the Variable Composites /
Components (`VARC` table) addition to the ISO OpenFontFormat has graduated
from experimental, and is now enabled by default. It can be disabled at
compile time by defining the `HB_NO_VAR_COMPOSITES`z macro.
`VARC` table is a new way to store glyph outlines, that allows for better
shape reuse, and can reduce font file size for Chinese, Japanese, Korean, and
some other scripts drastically. Some font design tools provide a similar
feature to designers, known as "smart components". This technology brings the
same idea to the compiled font file. For the format specification, see:
https://github.com/harfbuzz/boring-expansion-spec/blob/main/VARC.md
Test fonts can be found at:
https://github.com/notofonts/noto-cjk-varco/releases/tag/v0.003
The Fontra font editor already supports this technology.
Note that this new format involves just the HarfBuzz draw API and does not
affect shaping.
- Correctly handle `markFilteringSet` lookup field during subsetting.
- Deduplicate features during subsetting.
- Disable “more” buffer messages that give more verbose output when using
buffer messages callbacks, as it has a performance overhead. Users/tools that
need the more verbose messages should define `HB_BUFFER_MESSAGE_MORE` to 1
when building HarfBuzz.
- Shaping and instancing optimizations.
- Fix subsetting issues when building with GCC 12.
11.5.1
- Optimized partial-instancing of fonts with a large number of axes. Now over
two times faster.
- Fix C++ STL atomics implementation.
11.5.0
- Update to Unicode 17.0.0.
- Subsetter optimizations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 4 Oct 2025 17:31:06 +0000 (19:31 +0200)]
fetchmail: Update to version 6.5.5
- Update from version 6.5.4 to 6.5.5
- Update of rootfile not required
- Changelog
6.5.5
LICENSING CHANGE OF WOLFSSL:
* Note that wolfSSL 5.8.2 switched license from GPLv2 to GPLv3, so if
a distribution links fetchmail against wolfSSL, this implies the use
of the "or-any-later-version" clause of the GPLv2-or-later licensed material
in fetchmail, and the combined work can also only ship as GPLv3.
This may or may not apply to later versions of wolfSSL - be sure to check!
BUGFIXES:
==-- note that these comprise C23 compatibility fixes (GCC 15) --==
* Support t.operation when the running user is different from the one
mentioned in the $USER variable. Fix courtesy of Corey Halpin.
* The kerberos*_auth() functions for v4 and v5 have prototypes now,
so they can be compiled by the most modern C compilers.
* AC_TYPE_* type-checking macros seem unnecessary, strip them, also from
config.h.meson which would not fill them from build.meson. We expect
the operating system to provide us pid_t, size_t, uint32_t.
* Our res_search() autoconf check was broken on compilers adhering to newer
standards (C23), for instance GCC 15, disabling several DNS-based features
in autotools-based builds, but not meson-based builds.
Strip the bogus "extern int res_search();" declaration without prototype,
we would need to have the prototype from the system either way.
IMPORTANT CHANGE:
* Fetchmail is now more careful to actually clear password and like buffers
in memory, so that is less likely that other processes could access them
should they happen to access similar memory regions after fetchmail's exit.
Fetchmail now uses memset_explicit(), explicit_bzero(), or its own
explicit_bzero() implementation to clear memory buffers that contain
passwords or like secrets, or their base64 equivalents, and also buffers
that it uses to visualize such strings, instead of just using memset().
The motivating reason is that a plain memset() that does not have
/observable/ effects, i. e. when we do not read from the buffer or
transfer it, can be removed by the compiler's optimizer in the so-called
dead store elimination, voiding our attempt to clear the buffer contents
before releasing it to the heap.
The named alternative functions are not being optimized away.
WORKAROUND:
* IMAP: Recognize SASL_IR advertisement of Cyrus IMAP 3.10.0...3.12.? as
synonymous to SASL-IR per RFC4959. Upstream bug reported at
https://github.com/cyrusimap/cyrus-imapd/issues/5481 - and it was
quickly fixed in all their supported branches by patch releases.
CHANGES:
* Several documentation tweaks.
* As long as SOURCE_DATE_EPOCH is set, the source tarball build may
be reproducible now. Tested on Fedora 42.
* The Japanese translation [ja] has been updated by Takeshi Hamasaki.
* The Makefile should be compatible across a wider set of make implementations,
beyond GNU make.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 4 Oct 2025 14:12:04 +0000 (16:12 +0200)]
openvpn: Update to version 2.6.15
- Update from version 2.6.14 to 2.6.15
- Update of rootfile not required
- Changelog
2.6.15
dco: add standard mi prefix handling to multi_process_incoming_dco()
Check message id/acked ids too when doing sessionid cookie checks
GHA: Pin version of CMake for MinGW build
GHA: Dependency and Actions update April 2025 (2.6)
GHA: Update dependencies July 2025 (2.6)
Fix compiler warning in reliable.c with --disable-debug
dco linux: avoid redefining ovpn enums (2.6)
Update text of GPL to latest version from FSF
unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42
Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
replace assert() calls with ASSERT()
remove newline characters at the end of msg() calls
fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds
Fix t_net.sh / networking_testdriver after 'broadcast' change
preparing release 2.6.15
Fix tmp-dir documentation
dco: support float notifications on FreeBSD
dco-win: Ensure correct OVERLAPPED scope
win: replace wmic invocation with powershell
openvpnserv: Fix writing messages to the event log
Validate DNS domain name before powershell invocation
Makefile: fix 'make dist'
GHA: collect more artifacts for mingw builds
dco: backport OS-independent part of peer float support
Bugfix: Set broadcast address on interface.
Fix MBEDTLS_DEPRECATED_REMOVED build errors
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 4 Oct 2025 14:08:13 +0000 (16:08 +0200)]
openvmtools: Update to version 13.0.5
- Update from version 12.5.0 to 13.0.5
- Update of rootfile not required
- 2 CVE fixes.
- Changelog
13.0.5
Resolved Issues
This release resolves CVE-2025-41244.
For more information on this vulnerability and its impact on Broadcom
products, see VMSA-2025-0015.
A patch to address CVE-2025-41244 on earlier open-vm-tools releases is
provided to the Linux community at CVE-2025-41244.patch.
Guest OS Customization updated to use "systemctl reboot".
Currently the "telinit 6" command is used to reboot a Linux VM following
Guest OS Customization. As the classic Linux init system, SysVinit, is
deprecated in favor of a newer init system, systemd, the telinit
command may not be available on the base Linux OS.
This change adds support to Guest OS Customization for the systemd init
system. If the modern init system, systemd, is available, then a
"systemctl reboot" command will be used to trigger reboot. Otherwise,
the "telinit 6" command will be used assuming the traditional init
system, SysVinit, is still available.
13.0.0
Resolved Issues
The following github.com/vmware/open-vm-tools pull requests and issues has
been addressed.
FTBFS: --std=c23 conflicting types between function definition and
declaration MXUserTryAcquireForceFail()
Fixes Issue #750
Pull request #751
Provide tools.conf settings to deactivate one-time and periodic time
synchronization
The new tools.conf settings disable-all and disable-periodic allow the
guest OS administrator to deactivate one-time and periodic time
synchronization without rebooting the VM or restarting the guest OS.
Fixes Issue #302
Fix xmlsec detection when cross-compiling with pkg-config
Pull request #732
After October 25, 2024, with open-vm-tools earlier than 13.0.0, the
salt-minion component is not installed or fails to install in a guest
operating system through the VMware Component Manager
When you configure the salt-minion component in the present state, its
last status is set to 102 (not installed) or 103 (installation failed),
never reaching the installed state 100.
The VM advanced setting with the key
"guestinfo./vmware.components.salt_minion.desiredstate" has a value
present.
The VM advanced setting with the key
"guestinfo.vmware.components.salt_minion.laststatus" has a value 102
or 103.
The salt-minion component installs a log file with traces indicating
failure to access the online salt repository on
https://repo.saltproject.io. The "vmware-svtminion.sh-install-*.log"
file for the failed install shows a trace similar to:
<date+time> INFO: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download attempting download of file 'repo.json'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '0' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '1' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '2' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '3' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '4' attempt, retcode '6'
<date+time> ERROR: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' after '5' attempts
This issue is resolved in this release.
The new versions of the salt-minion integration scripts supporting the
new Salt Project repository locations are available at:
https://packages.broadcom.com/artifactory/saltproject-generic/onedir/
12.5.4
Product Support Notice
Beginning with the next major release, we will be reducing the number
of supported localization languages. The three supported languages
will be:
Japanese
Spanish
French
The following languages will no longer be supported:
Italian
German
Brazilian Portuguese
Traditional Chinese
Korean
Simplified Chinese
Impact:
Users who have been using the deprecated languages will no longer
receive updates or support in these languages.
All user interfaces, message catalogs, help documentation, and
customer support will be available only in English or in the
three supported languages mentioned above.
Resolved Issues
This release resolves CVE-2025-41244.
For more information on this vulnerability and its impact on Broadcom
products, see VMSA-2025-0015.
A patch to address CVE-2025-41244 on earlier open-vm-tools releases is
provided to the Linux community at CVE-2025-41244.patch.
12.5.2
Resolved Issues
This release resolves CVE-2025-22247.
For more information on this vulnerability and its impact on Broadcom
products, see VMSA-2025-0007
A patch to address CVE-2025-22247 on earlier open-vm-tools releases is
provided to the Linux community at CVE-2025-22247.patch.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 3 Oct 2025 14:04:35 +0000 (16:04 +0200)]
openssl: Update to version 3.5.4
- Update from version 3.5.1 to 3.5.4
- Update of rootfile
- Changelog
3.5.4
* Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap
Issue summary: An application trying to decrypt CMS messages encrypted using
password based encryption can trigger an out-of-bounds read and write.
Impact summary: This out-of-bounds read may trigger a crash which leads to
Denial of Service for an application. The out-of-bounds write can cause
a memory corruption which can have various consequences including
a Denial of Service or Execution of attacker-supplied code.
The issue was reported by Stanislav Fort (Aisle Research).
([CVE-2025-9230])
* Fix Timing side-channel in SM2 algorithm on 64 bit ARM
Issue summary: A timing side-channel which could potentially allow remote
recovery of the private key exists in the SM2 algorithm implementation on
64 bit ARM platforms.
Impact summary: A timing side-channel in SM2 signature computations on
64 bit ARM platforms could allow recovering the private key by an attacker.
The issue was reported by Stanislav Fort (Aisle Research).
([CVE-2025-9231])
* Fix Out-of-bounds read in HTTP client no_proxy handling
Issue summary: An application using the OpenSSL HTTP client API functions
may trigger an out-of-bounds read if the "no_proxy" environment variable is
set and the host portion of the authority component of the HTTP URL is an
IPv6 address.
Impact summary: An out-of-bounds read can trigger a crash which leads to
Denial of Service for an application.
The issue was reported by Stanislav Fort (Aisle Research).
([CVE-2025-9232])
* The FIPS provider no longer performs a PCT on key import for ECX keys
(that was introduced in 3.5.2), following the latest update
on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
* Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted
signatures.
* Reverted the synthesised `OPENSSL_VERSION_NUMBER` change for the release
builds, as it broke some exiting applications that relied on the previous
3.x semantics, as documented in `OpenSSL_version(3)`.
3.5.3
* Avoided a potential race condition introduced in 3.5.1, where
`OSSL_STORE_CTX` kept open during lookup while potentially being used
by multiple threads simultaneously, that could lead to potential crashes
when multiple concurrent TLS connections are served.
* The FIPS provider no longer performs a PCT on key import for RSA, DH,
and EC keys (that was introduced in 3.5.2), following the latest update
on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
* Secure memory allocation calls are no longer used for HMAC keys.
* `openssl req` no longer generates certificates with an empty extension list
when SKID/AKID are set to `none` during generation.
* The man page date is now derived from the release date provided
in `VERSION.dat` and not the current date for the released builds.
* Hardened the provider implementation of the RSA public key "encrypt"
operation to add a missing check that the caller-indicated output buffer
size is at least as large as the byte count of the RSA modulus. The issue
was reported by Arash Ale Ebrahim from SYSPWN.
This operation is typically invoked via `EVP_PKEY_encrypt(3)`. Callers that
in fact provide a sufficiently large buffer, but fail to correctly indicate
its size may now encounter unexpected errors. In applications that attempt
RSA public encryption into a buffer that is too small, an out-of-bounds
write is now avoided and an error is reported instead.
* Added FIPS 140-3 PCT on DH key generation.
* Fixed the synthesised `OPENSSL_VERSION_NUMBER`.
3.5.2
* The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 2 Oct 2025 11:10:15 +0000 (13:10 +0200)]
firewall.cgi: Fixes XSS potential
- Related to CVE-2025-50975
- Fixes PROT
- ruleremark was already escaped when firewall.cgi was initially merged back in Core
Update 77.
- SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as
ports or port ranges.
- std_net_tgt is a string defined in the code and not a variable
- The variable key ignores any input that is not a digit and subsequently uses the next
free rulenumber digit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 11:12:52 +0000 (13:12 +0200)]
proxy.cgi: Further fix for bug 13893
- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 2 Oct 2025 11:10:15 +0000 (13:10 +0200)]
firewall.cgi: Fixes XSS potential
- Related to CVE-2025-50975
- Fixes PROT
- ruleremark was already escaped when firewall.cgi was initially merged back in Core
Update 77.
- SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as
ports or port ranges.
- std_net_tgt is a string defined in the code and not a variable
- The variable key ignores any input that is not a digit and subsequently uses the next
free rulenumber digit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
'dmz' => 'AÇIK BÖLGE',
'dmz pinhole configuration' => 'Açık bölge yapılandırma',
'dmz pinhole rule added' => 'Açık bölge kuralı eklendi; Açık bölge
yeniden başlatılıyor',
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
since the last update made changes for the webinterface of OpenVPN, it's
time to remove unused translations and update the remaining ones for
downloading the client configuration.
Starting here with the German translation.
Best regards
Peer Dietzmann
'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches',
'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt;
Starte DMZ-Schlupfloch neu',
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 28 Sep 2025 21:06:00 +0000 (21:06 +0000)]
OpenSSH: Amend upstream default cipher changes
This patch implements the following change made to OpenSSH server
upstream in version 10.0:
* sshd(8): this release disables finite field (a.k.a modp)
Diffie-Hellman key exchange in sshd by default. Specifically,
this removes the "diffie-hellman-group*" and
"diffie-hellman-group-exchange-*" methods from the default
KEXAlgorithms list. The client is unchanged and continues to
support these methods by default. Finite field Diffie Hellman
is slow and computationally expensive for the same security
level as Elliptic Curve DH or PQ key agreement while offering
no redeeming advantages. ECDH has been specified for the SSH
protocol for 15 years and some form of ECDH has been the default
key exchange in OpenSSH for the last 14 years.
In addition, for both OpenSSH server and client, the following upstream
change made in version 9.9 is implemented:
* ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
is now used by default for key agreement. This algorithm is
considered to be safe against attack by quantum computers,
is guaranteed to be no less strong than the popular
curve25519-sha256 algorithm, has been standardised by NIST
and is considerably faster than the previous default.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 28 Sep 2025 21:05:00 +0000 (21:05 +0000)]
OpenSSH: Prefer AES-GCM ciphers over AES-CTR
This reflects the following change made upstream in OpenSSH 9.9:
* ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
for the connection. The default cipher preference list is now
Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
(128/192/256).
However, we keep preferring AES-GCM over Chacha/Poly, as hardware
acceleration often grants the former a better performance, while there
is no security advance of Chacha/Poly usage over 256 bit AES-GCM.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 28 Sep 2025 19:51:00 +0000 (19:51 +0000)]
initscripts: Always wait for xtables lock when running iptables commands
If not explicitly instructed to do so, iptables by default aborts with
an error message such as
> Can't lock /run/xtables.lock: Resource temporarily unavailable
> Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
if the Xtables lock is still set, i.e., another iptables operation is
currently in progress. This causes iptables commands not to be executed
at all if there are delays during the boot procedure, e.g. due to slow
PPPoE dial-up procedure or similar.
To ensure deterministic behavior, this match modifies initscripts to
always execute iptables to wait for the Xtables lock to be removed, to
make sure iptables rules are installed properly (the "firewall"
initscript is doing so already).
Fixes: #13896 - OpenVPN RW port not opened in firewall after reboot Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Tested-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 28 Sep 2025 22:29:00 +0000 (22:29 +0000)]
Tor: Update to 0.4.8.18
Changes in version 0.4.8.18 - 2025-09-16
This is a minor release with a major onion service directory cache (HSDir)
bug fix. A series of minor bugfixes as well. As always, we strongly recommend
to upgrade as soon as possible.
o Major bugfixes (onion service directory cache):
- Preserve the download counter of an onion service descriptor
across descriptor uploads, so that recently updated descriptors
don't get pruned if there is memory pressure soon after update.
Additionally, create a separate torrc option MaxHSDirCacheBytes
that defaults to the former 20% of MaxMemInQueues threshold, but
can be controlled by relay operators under DoS. Also enforce this
theshold during HSDir uploads. Fixes bug 41006; bugfix
on 0.4.8.14.
o Minor feature (padding, logging):
- Reduce the amount of messages being logged related to channel
padding timeout when log level is "notice".
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 16, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/09/16.
o Minor bugfix (conflux):
- Remove the pending nonce if we realize that the nonce of the
unlinked circuit is not tracked anymore. Should avoid the non
fatal assert triggered with a control port circuit event. Fixes
bug 41037; bugfix on 0.4.8.15.
o Minor bugfixes (circuit handling):
- Prevent circuit_mark_for_close() from being called twice on the
same circuit. Second fix attempt Fixes bug 41106; bugfix
on 0.4.8.17
o Minor bugfixes (threads):
- Make thread control POSIX compliant. Fixes bug 41109; bugfix
on 0.4.8.17-dev.
Changes in version 0.4.8.17 - 2025-06-30
This is a minor providing a series of minor features especially in the realm
of TLS. It also brings a new set of recommended and required sub protocols.
And finally, few minor bugfixes, nothing major. As always, we strongly
recommend you upgrade as soon as possible.
o Minor features (security, TLS):
- When we are running with OpenSSL 3.5.0 or later, support using the
ML-KEM768 for post-quantum key agreement. Closes ticket 41041.
o Minor feature (client, TLS):
- Set the TLS 1.3 cipher list instead of falling back on the
default value.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 30, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/06/30.
o Minor features (hsdesc POW):
- Tolerate multiple PoW schemes in onion service descriptors, for
future extensibility. Implements torspec ticket 272.
o Minor features (performance TLS):
- When running with with OpenSSL 3.0.0 or later, support using
X25519 for TLS key agreement. (This should slightly improve
performance for TLS session establishment.)
o Minor features (portability):
- Fix warnings when compiling with GCC 15. Closes ticket 41079.
o Minor features (recommended protocols):
- Directory authorities now vote to recommend that clients support
certain protocols beyond those that are required. These include
improved support for connecting to relays on IPv6, NtorV3, and
congestion control. Part of ticket 40836.
o Minor features (required protocols):
- Directory authorities now vote to require clients to support the
authenticated SENDME feature, which was introduced in
0.4.1.1-alpha. Part of ticket 40836.
- Directory authorities now vote to require relays to support
certain protocols, all of which have been implemented since
0.4.7.4-alpha or earlier. These include improved support for
connecting to relays on IPv6, NtorV3, running as a rate-limited
introduction point, authenticated SENDMEs, and congestion control.
Part of ticket 40836.
o Minor bugfix (conflux):
- Avoid a non fatal assert when describing a conflux circuit on the
control port after being prepped to be freed. Fixes bug 41037;
bugfix on 0.4.8.15.
o Minor bugfixes (circuit handling):
- Prevent circuit_mark_for_close() from being called twice on the
same circuit. Fixes bug 40951; bugfix on 0.4.8.16-dev.
o Minor bugfixes (compiler warnings):
- Make sure the two bitfields in the half-closed edge struct are
unsigned, as we're using them for boolean values and assign 1 to
them. Fixes bug 40911; bugfix on 0.4.7.2-alpha.
o Minor bugfixes (threads, memory):
- Improvements in cleanup of resources used by threads. Fixes bug
40991; bugfix on 0.4.8.13-dev.
- Rework start and exit of worker threads.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 17:22:53 +0000 (19:22 +0200)]
expat: Update to version 2.7.3
- Update from version 2.7.2 to 2.7.3
- Update of rootfile
- Changelog
2.7.3
Security fixes:
Fix alignment of internal allocations for some non-amd64
architectures (e.g. sparc32); fixes up on the fix to
CVE-2025-59375 from #1034 (of Expat 2.7.2 and related
backports)
Fix a class of false positives where input should have been
rejected with error XML_ERROR_ASYNC_ENTITY; regression from
CVE-2024-8176 fix pull request #973 (of Expat 2.7.0 and
related backports). Please check the added unit tests for
example documents.
Other changes:
Prove and regression-proof absence of integer overflow
from function expat_realloc
Remove "harmless" cast that truncated a size_t to unsigned
Autotools: Remove "ln -s" discovery
docs: Be consistent with use of floating point around
XML_SetAllocTrackerMaximumAmplification
docs: Make it explicit that XML_GetCurrentColumnNumber starts at 0
docs: Better integrate the effect of the activation thresholds
docs: Fix an in-comment typo in expat.h
docs: Fix a typo in README.md
docs: Improve change log of release 2.7.2
xmlwf: Resolve use of functions XML_GetErrorLineNumber
and XML_GetErrorColumnNumber
Windows: Normalize .bat files to CRLF line endings
Version info bumped from 12:0:11 (libexpat*.so.1.11.0)
to 12:1:11 (libexpat*.so.1.11.1); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Cleanup UndefinedBehaviorSanitizer fatality
CI|Linux: Stop aborting at first job failure
CI|FreeBSD: Upgrade to FreeBSD 15.0
CI|FreeBSD: Do not install CMake meta-package
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 17:22:53 +0000 (19:22 +0200)]
expat: Update to version 2.7.3
- Update from version 2.7.2 to 2.7.3
- Update of rootfile
- Changelog
2.7.3
Security fixes:
Fix alignment of internal allocations for some non-amd64
architectures (e.g. sparc32); fixes up on the fix to
CVE-2025-59375 from #1034 (of Expat 2.7.2 and related
backports)
Fix a class of false positives where input should have been
rejected with error XML_ERROR_ASYNC_ENTITY; regression from
CVE-2024-8176 fix pull request #973 (of Expat 2.7.0 and
related backports). Please check the added unit tests for
example documents.
Other changes:
Prove and regression-proof absence of integer overflow
from function expat_realloc
Remove "harmless" cast that truncated a size_t to unsigned
Autotools: Remove "ln -s" discovery
docs: Be consistent with use of floating point around
XML_SetAllocTrackerMaximumAmplification
docs: Make it explicit that XML_GetCurrentColumnNumber starts at 0
docs: Better integrate the effect of the activation thresholds
docs: Fix an in-comment typo in expat.h
docs: Fix a typo in README.md
docs: Improve change log of release 2.7.2
xmlwf: Resolve use of functions XML_GetErrorLineNumber
and XML_GetErrorColumnNumber
Windows: Normalize .bat files to CRLF line endings
Version info bumped from 12:0:11 (libexpat*.so.1.11.0)
to 12:1:11 (libexpat*.so.1.11.1); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Cleanup UndefinedBehaviorSanitizer fatality
CI|Linux: Stop aborting at first job failure
CI|FreeBSD: Upgrade to FreeBSD 15.0
CI|FreeBSD: Do not install CMake meta-package
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 11:12:52 +0000 (13:12 +0200)]
proxy.cgi: Further fix for bug 13893
- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
