Stefan Schantl [Sun, 8 Mar 2026 17:31:14 +0000 (18:31 +0100)]
perl-Net-LibIDN2: New package
This perl package provides C bindings to the libidn2,
and can be used to convert international domain names into
the "idn ascii" format and vice versa.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 21 Jan 2026 12:25:09 +0000 (12:25 +0000)]
unbound: Refactor Safe Search
Formerly this required the system to be online and we resolved IP
addresses once when Unbound was startet. Since Unbound is already not
very fast when reloading, we needed to get rid of this long step and
create some static configuration that is simply being loaded into
Unbound.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Mar 2026 17:11:24 +0000 (18:11 +0100)]
vim: Update to version 9.2.0089
- Update from version 9.1.2147 to 9.2.0089
- Update of rootfile
- Changelog is not available. Generally each patch version number update is related to
a commit entry in the git repository. The details for all the commit changes can be
found at https://github.com/vim/vim/commits/master/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Mar 2026 17:11:23 +0000 (18:11 +0100)]
samba: Update to version 4.23.6
- Update from version 4.23.5 to 4.23.6
- No change to rootfile
- Changelog
4.23.6
* BUG 15990: No function _python_sysroot defined
* BUG 15978: leases torture test flappy
* BUG 15984: smbd: in contend_dirleases() don't bother checking when not
enabled
* BUG 15979: possible memory leak on rpc_spoolss
* BUG 15964: "net offlinejoin requestodj" manpage entry incorrectly mentiones
provided credentials
* BUG 15789: "use-kerberos=desired" broken
* BUG 15958: pthreadpool_tevent has race conditions accessing both
pthreadpool_tevent.jobs list and pthreadpool_tevent.glue_list
* BUG 15979: possible memory leak on rpc_spoolss
* BUG 15938: CTDB's statd_callout fails on sm-notify
* BUG 15939: CTDB statd_callout_notify notifies unnecessary clients and loses
their state
* BUG 15939: CTDB statd_callout_notify notifies unnecessary clients and loses
their state
* BUG 15977: ctdbd socket documentation is wrong
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Mar 2026 17:11:22 +0000 (18:11 +0100)]
libksba: Update to version 1.6.8
- Update from version 1.6.7 to 1.6.8
- Update of rootfile
- Changelog
1.6.8
* Fix double increment in DN parser while counting hexdigits. [T8104]
* Fix a memory leak in the BER decoder's error handling. [T8105]
* Fix an assertion failure in the OCSP code. [T8111]
* Support SHA256 based CertIDs in OCSP. [rK2dd35bef66]
* Use nonstring attribute for gcc-15. [T7624]
* Remove remaining WindowsCE support.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Mar 2026 17:11:21 +0000 (18:11 +0100)]
iptables: Update to version 1.8.13
- Update from version 1.8.12 to 1.8.13
- No change to rootfile
- Changelog
1.8.13
We have identified that iptables version 1.8.12 contains a regression that
breaks Docker networking functionality. To resolve this issue, we recommend
upgrading to the latest iptables release.
* Revert "libxtables: refuse to run under file capabilities"
* configure: Bump version for 1.8.13 release
* src: fix discards 'const' qualifier
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Mar 2026 17:11:19 +0000 (18:11 +0100)]
file: Update to version 5.47
- Update from version 5.45 to 5.47
- No change to rootfile
- Changelog
5.47
* Better multi-compound document identification by following the
order of the directories entries. (Thomas Ledoux)
* if stat fails, don't attempt to restore times (Steven Grubb)
* PR/622: Odd_Bloke: Handle negative offsets in file_buffer(),
when fd is not available.
* PR/655: jsummers: Obey str_flags in strings like we do for search
and regex
* PR/659: Pitzl: Apply MAGIC_CONTINUE to annotations; i.e. print
only the first, unless -k is specified.
* PR/592: allow + in format strings
* PR/592: signed operations should be done in signed context
* PR/578: jsummers: Don't crash on cygwin when tm_mon == -1
* PR/579: net147: Fix stack overrun.
5.46
* Add OFFPOSITIVE
* avoid leaking symbols in libmagic
* PR/562: jsummers: Search/regex offsets are absolute to the
beginning of the file, so adjust them by subtracting the
offset that the "use" starts so that we don't double-count it.
* PR/543: matshch: bump nbuf so we can get the flags into the buffer.
* Add Android elf notes (enh)
* Add limit for number of magic warnings allowed
* check regex bounds (found by clusterfuzz)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Mar 2026 17:11:15 +0000 (18:11 +0100)]
clamav: Update to version 1.5.2
- Update from version 1.5.1 to 1.5.2
- Update of rootfile
- CVE fix in update
- Changelog
1.5.2
- [CVE-2026-20031](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20031):
Fixed an error handling bug in the HTML file parser that may crash the program
and cause a denial-of-service (DoS) condition.
This issue was introduced in version 1.1.0.
The fix is included in 1.5.2 and 1.4.4.
- Fixed a possible infinite loop when scanning some JPEG files by upgrading
affected ClamAV dependency, a Rust image library.
Unfortunately, this change requires a newer Rust compiler for ClamAV.
The minimum Rust version for ClamAV 1.4.3 was 1.85.1.
The minimum Rust version for ClamAV 1.4.4 is now 1.87.0.
- Fixed a possible crash on Windows when scanning some files while using the
`LeaveTemporaryFiles` and `TemporaryDirectory` features.
- The CVD verification process will now ignore certificate files in the CVD
certs directory when the user lacks read permissions.
- Freshclam: Fixed CLD verification bug with `PrivateMirror` option.
- Upgraded the Rust `bytes` dependency to a newer version to resolve the
RUSTSEC-2026-0007 advisory.
- Fixed a possible crash caused by invalid pointer alignment on some platforms.
This fix is courtesy of Hsuan-Ming Chen at Synology PSIRT.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fix a use-after-free error in dns_client_resolve() triggered by a DNAME
response.
This issue only affected the delv tool and it has now been fixed.
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. [GL #5728]
Feature Changes
Record query time for all dnstap responses.
Not all DNS responses had the query time set in their corresponding
dnstap messages. This has been fixed. [GL #3695]
Optimize TCP source port selection on Linux.
Enable the IP_LOCAL_PORT_RANGE socket option on the outgoing TCP
sockets to allow faster selection of the source <address,port> tuple
for different destination <address,port> tuples, when nearing over
70-80% of the source port utilization. [GL !11569]
Bug Fixes
Fix an assertion failure triggered by non-minimal IXFRs.
Processing an IXFR that included an RRset whose contents were not
changed by the transfer triggered an assertion failure. This has been
fixed. [GL #5759]
Fix a crash when retrying a NOTIFY over TCP.
Furthermore, do not attempt to retry over TCP at all if the source
address is not available. [GL #5457]
Fetch loop detection improvements.
Fix a case where an in-domain nameserver with expired glue would fail
to resolve. [GL #5588]
Randomize nameserver selection.
Since BIND 9.20.17, when selecting nameserver addresses to be looked
up, named selected them in DNSSEC order from the start of the NS RRset.
This could lead to a resolution failure despite there being an address
that could be resolved using the other nameserver names. named now
randomizes the order in which nameserver addresses are looked up. [GL
#5695] [GL #5745]
Fix dnstap logging of forwarded queries. [GL #5724]
A stale answer could have been served in case of multiple upstream
failures when following CNAME chains. This has been fixed. [GL #5751]
Fail DNSKEY validation when supported but invalid DS is found.
A regression was introduced in BIND 9.20.6 when adding the EDE code for
unsupported DNSKEY and DS algorithms. When the parent had both
supported and unsupported algorithms in the DS record, the validator
would treat the supported DS algorithm as insecure instead of bogus
when validating DNSKEY records. This has no security impact, as the
rest of the child zone correctly ends with bogus status, but it is
incorrect and thus the regression has been fixed. [GL #5757]
Importing an invalid SKR file might corrupt stack memory.
If an administrator imported an invalid SKR file, the local stack in
the import function might overflow. This could lead to a memory
corruption on the stack and ultimately a server crash. This has been
fixed. [GL #5758]
Return FORMERR for queries with the EDNS Client Subnet FAMILY field set
to 0.
RFC 7871 only defines families 1 (IPv4) and 2 (IPv6), and requires
FORMERR to be returned for all unknown families. Queries with the EDNS
Client Subnet FAMILY field set to 0 now elicit responses with
RCODE=FORMERR. [GL !11565]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 27 Feb 2026 18:18:36 +0000 (19:18 +0100)]
minicom: Update to version 2.11
- Update from version 2.9 to 2.11
- No change to rootfile
- Changelog
2.11
- fix baudrate setting on Linux when compiled against glibc >= 2.42
- Support multi-column character for window drawing
- Add 1843200 to the baud rate list
- Allow any baud rate to be set
- Updates translations: ka, fr, ro, pl, ko, de, ja, sv
2.10
- Add third locking method if file-based lock does not work.
https://salsa.debian.org/minicom-team/minicom/-/issues/9
- Make colors enabled the default.
- ESC-] (OSC) sequences are recognized and discarded.
- Code cleanups.
- Updates translations: nb
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 27 Feb 2026 18:18:34 +0000 (19:18 +0100)]
iptables: Update to version 1.8.12
- Update from version 1.8.11 to 1.8.12
- No change to rootfile
- Changelog
1.8.12
configure: Avoid addition assignment operators
libxtables: refuse to run under file capabilities
man: iptables-restore.8: document flush behaviour for user-defined chains
nft: revert compat expressions in userdata
ip[6]tables-translate: fix test failures when WESP is defined
nft: fix interface comparisons in `-C` commands
extensions: libebt_redirect: prevent translation
configure: Bump version for 1.8.12 release
nft: Drop interface mask leftovers from post_parse callbacks
nft: Make add_log() static
nft: ruleparse: Introduce nft_parse_rule_expr()
nft: __add_{match,target}() can't fail
nft: Introduce UDATA_TYPE_COMPAT_EXT
nft-ruleparse: Fallback to compat expressions in userdata
nft: Pass nft_handle into add_{action,match}()
nft: Embed compat extensions in rule userdata
tests: iptables-test: Add nft-compat variant
extensions: icmp: Support info-request/-reply type names
xshared: Accept an option if any given command allows it
extensions: sctp: Translate bare '-m sctp' match
libxtables: Promote xtopt_esize_by_type() as xtopt_psize getter
Revert "libxtables: Promote xtopt_esize_by_type() as xtopt_psize getter"
xtables-monitor: Print -X command for base chains, too
nft: Support replacing a rule added in the same batch
libxtables: Store all requested target types
ruleparse: arp: Fix for all-zero mask on Big Endian
tests: shell: Review nft-only/0009-needless-bitwise_0
configure: Auto-detect libz unless explicitly requested
iptables: fix null dereference parsing bitwise operations
extensions: man: Add a note about route_localnet sysctl
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 27 Feb 2026 18:18:38 +0000 (19:18 +0100)]
wireless-regdb: Update to version 2026.02.04
- Update from version 2025.10.07 to 2026.02.04
- No change to rootfile
- Changelog
2026.02.04
wireless-regdb: Update broken link in regulatory.bin(5) manpage
wireless-regdb: Update regulatory info for Malaysia (MY) for 2024
wireless-regdb: Update regulatory info for Malaysia (MY) for 2025
wireless-regdb: Update regulatory info for Canada (CA) for 2025
wireless-regdb: update regulatory database based on preceding changes
wireless-regdb: Update regulatory info for Tunisia (TN) on 6GHz for 2025
wireless-regdb: Update regulatory info for Australia (AU) for 2025
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 27 Feb 2026 18:18:37 +0000 (19:18 +0100)]
tshark: Update to version 4.6.4
- Update from version 4.6.3 to 4.6.4
- Update of rootfile
- 3 CVE fixes
- Changelog
4.6.4
Bug Fixes
wnpa-sec-2026-05 USB HID dissector memory exhaustion. Issue 20972. CVE-2026-3201.
wnpa-sec-2026-06 NTS-KE dissector crash. Issue 21000. CVE-2026-3202.
wnpa-sec-2026-07 RF4CE Profile dissector crash. Issue 21009. CVE-2026-3203.
Wireshark doesn’t start if Npcap is configured with "Restrict Npcap driver’s
Access to Administrators only" Issue 20828.
PQC signature algorithm not reported in signature_algorithms. Issue 20953.
Unexpected JA4 ALPN values when space characters sent. Issue 20966.
Expert Info seems to have quadratic performance (gets slower and slower) Issue 20970.
IKEv2 EMERGENCY_CALL_NUMBERS Notify payload cannot be decoded. Issue 20974.
TShark and editcap fails with segmentation fault when output format (-F) set to
blf. Issue 20976.
Fuzz job crash: fuzz-2026-02-01-12944805400.pcap [Zigbee Direct Tunneling Zigbee
NWK PDUs NULL hash table] Issue 20977.
Wiretap writes pcapng custom options with string values invalidly. Issue 20978.
RDM status in Output Status (GoodOutputB) field incorrectly decoded in Art-Net
PollReply dissector. Issue 20980.
Wiretap writes invalid pcapng Darwin option blocks. Issue 20991.
TDS dissector desynchronizes on RPC DATENTYPE (0x28) due to incorrect expectation
of TYPE_VARLEN (MaxLen) Issue 21001.
Only first HTTP POST is parsed inside SOCKS with "Decode As". Issue 21006.
TShark: Bogus "Dissector bug" messages generated in pipelines where something
after tshark exits before reading all its input. Issue 21011.
New Diameter RAT-Types in TS 29.212 not decoded. Issue 21012.
Malformed packet error on Trigger HE Basic frames. Issue 21032.
Updated Protocol Support
Art-Net, AT, BGP, GSM DTAP, GSM SIM, IEEE 802.11, IPv6, ISAKMP, MBIM, MySQL,
NAS-5GS, NTS-KE, SGP.22, Silabs DCH, Socks, TDS, TECMP, USB HID, ZB TLV, and ZBD
New and Updated Capture File Support
BLF, pcapng, and TTL
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 27 Feb 2026 18:18:33 +0000 (19:18 +0100)]
fping: Update to version 5.5
- Update from version 5.4 to 5.5
- No change to rootfile
- Changelog
5.5
New features
- New option -J / --json for JSON output. See doc/fping-json.md for
the JSON schema. This feature is still in alpha and the schema
might change in future releases (#386, thanks @bonkf,
@JoshIPT, @sebast-gsnw, and @auerswal).
- The -g, --generate option now also supports IPv6 addresses (#376,
thanks @auerswal)
- New option --seqmap-timeout to control the time after which sequence
numbers can be used again (#388, thanks @auerswal)
Bugfixes and other changes
- Fix OpenBSD sprintf() warning (#394, thanks @gsnw-sebast)
- Fix fallback to SO\_TIMESTAMP if SO\_TIMESTAMPNS is not available (#375,
thanks @auerswal)
- When reading target names from file or standard input, lines longer
than the static buffer are no longer interpreted as more than one line
(#378, thanks @auerswal)
- Typo fix in error message when SO\_BINDTODEVICE fails
- Options --print-tos and --print-ttl now also work for IPv6, and no
longer require privileges (#384, thanks @auerswal)
- Report received ICMPv6 error messages (#391, thanks @auerswal)
- Suppress duplicate reports in count mode with -q, --quiet or -Q, --squiet
(#392, thanks @gsnw-sebast and @auerswal)
- Switch to alpine-based multi-stage Docker build to reduce image size
and improve build performance; add OpenContainers-compatible labels
(#399, thanks @hoodadt)
- Print receive ping moved to new functions (#400, thanks @gsnw-sebast)
- Avoid unsigned overflow when determining the memory size to save
response times on systems where size\_t is the same as unsigned int
(#412 by @auerswal)
- Document the new minimum value for the -p option (#414, thanks @auerswal)
- Fix build without IPv6 support (#416, thanks @auerswal)
- Fix debug build use of dbg_printf in fping.c (#415, thanks @auerswal)
- Remove MacOS-specific test for -I option (#407)
- GitHub Actions fixes (thanks @gsnw-sebast)
- Fix measurement of time for timed reports (-Q) to start after DNS name
resolution.
- Updated autoconf from 2.71 to 2.72
- Updated automake from 1.16.5 to 1.18.1
- Updated libtool from 2.4.6 to 2.5.4
- Implemented verification of autotools tarballs in Github actions.
- Implemented stricter flag value checking (e.g. -c 10xyz is not accepted
anymore).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 27 Feb 2026 18:18:32 +0000 (19:18 +0100)]
ddrescue: Update to version 1.30
- Update from version 1.29 to 1.30
- No change to rootfile
- Changelog
1.30
* Replace pass 5 of copying with a sweeping phase after trimming.
* New option '-N, --no-sweep' to disable reading of skipped areas.
Reassign short name '-N' from option '--no-trim' to '--no-sweep'.
* main.cc. Make '--size=output' use the size of outfile.
(Suggested by Stefan Monnier).
(do_rescue): Make '-x 0' extend outfile to size of infile.
* main_common.cc (strtoll_): New function accepting underscores.
* rescuebook.cc (fcopy_non_tried, rcopy_non_tried): Limit pass 2 to
blocks adjacent to a finished block. (Delimit bad area as a whole).
(trim_errors): Trim only edges adjacent to a finished block.
Initial skip size now defaults to (infile_size / 32_768).
Only retrim blocks adjacent to a non-tried or finished block.
(update_rates): Don't force update of a_rate, c_rate, ts.
(Rescuebook): Estimate remaining time from last 60 seconds.
(Suggested by Stefan Monnier).
* genbook.cc (format_time), loggers.cc (format_time_dhms): Add years.
* loggers.cc (Event_logger): Add finished_size, a_rate, read errors.
* ddrescuelog.cc: New option '-H, --make-test'.
* ddrescue.texi: Document rescue with lziprecover's recovery record.
1.29.1
* New option '--bad-sector-data'. (Suggested by Eliyahu Saks).
* main_common.cc (format_num3): New function.
* mapbook.cc (input_pos_error): Print pos and size aligned.
* ddrescue.texi: Document use of -p and -x with --domain-mapfile.
(Reported by Bret Quigley II).
* block.h: Rename to mapfile.h.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 22 Feb 2026 19:07:52 +0000 (20:07 +0100)]
urlfiler: Cleanup list directory during update
Cleanup the directory which contains the downloaded blocklists during
the update process. As the same code is used for sheduled and manual
updates/list installs this also cleans up old lists when switching the
lists provider.
Fixes #13820.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Python 3.10 or newer is now required for running the system test suite.
The required Python packages and their version requirements are now
tracked in the file bin/tests/system/requirements.txt. [GL #5690] [GL
#5614]
Bug Fixes
Fix inbound IXFR performance regression.
Very large inbound IXFR transfers were much slower compared to BIND
9.18. The performance was improved by adding specialized logic to
handle IXFR transfers. [GL #5442]
Make catalog zone names and member zones' entry names case-insensitive.
[GL #5693]
Fix implementation of BRID and HHIT record types. [GL #5710]
Fix implementation of DSYNC record type. [GL #5711]
Fix response policy and catalog zones to work with $INCLUDE directive.
Reloading a RPZ or a catalog zone could have failed when $INCLUDE was
in use. [GL #5714]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 18 Feb 2026 18:13:01 +0000 (19:13 +0100)]
general-functions.pl: Refactor GetCoreUpdateVersion function
There is no need for a loop when only grab the first line of a file
which only has one line. Also remove the newline from the grabbed line,
which may cause malfunctions on further processing.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 18 Feb 2026 11:46:48 +0000 (11:46 +0000)]
toolchain: Create a toolchain configuration file
This is needed because we are currently cross-compiling the toolchain
for riscv64 on x86_64. However, cmake does not take the time to figure
out what it should actually be doing and needs to be explicitely told.
So that we don't have to reinvent the wheel more than one we create the
configuration file at the beginning and automatically extend the cmake
command line with the settings that we need.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
