commit 2112342dd3ccaf6008c742dddd4ca26b17c5651d
Author: Michael Tremer
Date:   Wed Feb 19 15:13:42 2025 +0000

    core192: Ship OpenSSH

    Signed-off-by: Michael Tremer

commit 28e698dd30ec0dc53a92a8e8fbbeffee1ca1479d
Author: Adolf Belka
Date:   Wed Feb 19 14:30:43 2025 +0100

    openssh: Update to version 9.9p2

    - Update from version 9.9p1 to 9.9p2
    - Update of rootfile not required
    - Changelog
        9.9p2
          Security
            * Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1 (inclusive) contained a logic error that allowed an on-path attacker (a.k.a MITM) to impersonate any server when the VerifyHostKeyDNS option is enabled. This option is off by default.
            * Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1 (inclusive) is vulnerable to a memory/CPU denial-of-service related to the handling of SSH2_MSG_PING packets. This condition may be mitigated using the existing PerSourcePenalties feature.
            Both vulnerabilities were discovered and demonstrated to be exploitable by the Qualys Security Advisory team. We thank them for their detailed review of OpenSSH.
          Bugfixes
            * ssh(1), sshd(8): fix regression in Match directive that caused failures when predicates and their arguments were separated by '=' characters instead of whitespace (bz3739).
            * sshd(8): fix the "Match invalid-user" predicate, which was matching incorrectly in the initial pass of config evaluation.
            * ssh(1), sshd(8), ssh-keyscan(1): fix mlkem768x25519-sha256 key exchange on big-endian systems.
            * Fix a number of build problems on particular operating systems / configurations.
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 09dd8d7085448ea01637c9cd14d7a8b63e9036d0
Author: Arne Fitzenreiter
Date:   Wed Feb 12 16:25:45 2025 +0100

    openssl: update to 3.4.1

    Signed-off-by: Arne Fitzenreiter

commit 77a942d735713f3117f967f9995c0e7ca6d68d14
Author: Arne Fitzenreiter
Date:   Tue Feb 11 10:15:44 2025 +0100

    core192: ship libyang

    Signed-off-by: Arne Fitzenreiter

commit 9ad59410624beaccef5c75bcca4e1d4ddb0be98b
Author: Arne Fitzenreiter
Date:   Tue Feb 11 08:49:51 2025 +0100

    backup.cgi: allow iso backup only on x86_64

    Signed-off-by: Arne Fitzenreiter

commit a19e6bce428394ff596599b943a6bdf13f4e81f4
Author: Arne Fitzenreiter
Date:   Mon Feb 10 08:24:17 2025 +0100

    samba: bump package

    Signed-off-by: Arne Fitzenreiter

commit ffdf4462fc2d9984a5ce9df7f84f504448bdf189
Author: Arne Fitzenreiter
Date:   Sat Feb 8 21:07:39 2025 +0100

    initscripts: remove symlinks for removed addons

    imspector and motion were removed years ago.
    Removed the leftover initscript symlinks.

    Signed-off-by: Arne Fitzenreiter

commit 4a991cd92943bb673b003aa475400a62f5a4804a
Author: Arne Fitzenreiter
Date:   Sat Feb 8 20:25:33 2025 +0100

    core192: remove cups symlinks

    Signed-off-by: Arne Fitzenreiter

commit 89c366f3557f2b6e9ab99a93d2f33980cdd566c6
Author: Arne Fitzenreiter
Date:   Sat Feb 8 20:25:15 2025 +0100

    kernel: update to 6.12.13

    Signed-off-by: Arne Fitzenreiter

commit 6fb6199bb71f3fd8ecff4ff688bba3612acd35e7
Author: Arne Fitzenreiter
Date:   Wed Feb 5 17:29:54 2025 +0100

    samba: remove perl-JSON from deps

    Signed-off-by: Arne Fitzenreiter

commit 1000035ea4f1c4ca1518878ce730e2e9f045bc5f
Author: Arne Fitzenreiter
Date:   Wed Feb 5 15:32:34 2025 +0100

    core192: remove dropped packages

    Signed-off-by: Arne Fitzenreiter

commit 041adb61486a06517ece8323668b6ebb199f2825
Author: Arne Fitzenreiter
Date:   Wed Feb 5 06:53:38 2025 +0100

    ovmf: add open virtual machine firmware

    This is needed for booting kvm machines in UEFI mode.
    Currently we unpack the firmware from the Debian binary package.
    Maybe later we will compile it ourselves, but currently the needed compilers are missing in the IPFire build environment.

    Signed-off-by: Arne Fitzenreiter

commit 43df1bce368a1bd3f176cce06ef227e4444eb44d
Author: Arne Fitzenreiter
Date:   Sun Feb 2 15:19:32 2025 +0100

    kernel: update to 6.12.12

    Signed-off-by: Arne Fitzenreiter

commit debac0e634bac4f6a0db970067ec85b9071c6f9a
Author: Arne Fitzenreiter
Date:   Thu Jan 30 17:50:57 2025 +0100

    collectd: cleanup iptables-filter-HOSTILE and HOSTILE_DROP

    These chains are split into separate IN and OUT chains, so these files are also useless.

    Signed-off-by: Arne Fitzenreiter

commit 8c60e0425a9b2474b8f403888cfaaaa06b2e6c1a
Author: Arne Fitzenreiter
Date:   Thu Jan 30 13:49:16 2025 +0100

    collectd: add processes* to cleanup list

    The processes graph was removed some months ago but it was not correctly cleaned up.
    I assume because the updater has cleaned the ramdisk but not the persistent copy.

    Signed-off-by: Arne Fitzenreiter

commit 7909dc2194718f7f929261cd33fba06f145fd856
Author: Arne Fitzenreiter
Date:   Thu Jan 30 12:52:51 2025 +0100

    collectd: another fix at converting rrd databases

    Signed-off-by: Arne Fitzenreiter

commit 23772010b193df17abfd5d250a8a7da165256475
Author: Arne Fitzenreiter
Date:   Thu Jan 30 10:25:43 2025 +0100

    kernel: update riscv64 rootfile

    Signed-off-by: Arne Fitzenreiter

commit ebceac121adffbf8b8690101e4a50e3f4c1566e5
Author: Arne Fitzenreiter
Date:   Thu Jan 30 10:23:10 2025 +0100

    collectd: add more changes to the converter

    Signed-off-by: Arne Fitzenreiter

commit 7ba01388d488ea2cefe704b31d14acf43648bfb8
Author: Arne Fitzenreiter
Date:   Thu Jan 30 10:18:01 2025 +0100

    collectd: add some devices to the ignore list

    disks: cdroms, tape, loop and ram
    cooling-devices: 0-7 were already disabled but there are more possible

    Signed-off-by: Arne Fitzenreiter

commit 2b892c6863960fd35034fb2bee6c1fd69372b587
Author: Arne Fitzenreiter
Date:   Mon Jan 27 19:08:04 2025 +0100

    core192: ship system.cgi

    Signed-off-by: Arne Fitzenreiter

commit 26997d4f9309d9f4409cfa9624ba7d49c27266f8
Author: Arne Fitzenreiter
Date:   Mon Jan 27 14:11:42 2025 +0100

    core192: fix another typo

    Signed-off-by: Arne Fitzenreiter

commit bad1dc36abed9d2a623e34d4e3add7080f53eb40
Author: Arne Fitzenreiter
Date:   Sun Jan 26 17:33:33 2025 +0100

    core192: fix typo and add verbose output to rm for collectd data

    Signed-off-by: Arne Fitzenreiter

commit 8d0df657b53e9f9930827278bf22a3892e47e456
Author: Arne Fitzenreiter
Date:   Sun Jan 26 11:41:54 2025 +0100

    core192: fix some collectd conversion issues

    Signed-off-by: Arne Fitzenreiter

commit cd2e22704336c533c188b8418f2f48c99513a466
Author: Arne Fitzenreiter
Date:   Sun Jan 26 11:22:44 2025 +0100

    system.cgi: update cpufreq graph

    Signed-off-by: Arne Fitzenreiter

commit 4d7c9a860f5e3e98b0289097d15c25a40e52de86
Author: Arne Fitzenreiter
Date:   Sun Jan 26 11:21:47 2025 +0100

    graphs.pl: update cpufreq and thermalzone graph

    Signed-off-by: Arne Fitzenreiter

commit 6ca4e2f29feb17401815aac2fb046e4354c1def2
Author: Arne Fitzenreiter
Date:   Sun Jan 26 09:39:05 2025 +0100

    toolchain: bump version

    Signed-off-by: Arne Fitzenreiter

commit e556984600411ec7953efefddff5b60666103be9
Author: Arne Fitzenreiter
Date:   Fri Jan 24 14:27:31 2025 +0100

    core192: ship protobuf

    Signed-off-by: Arne Fitzenreiter

commit 6311a62c229ca08ee72687da341658ba4006a4b7
Author: Adolf Belka
Date:   Mon Jan 13 22:41:08 2025 +0100

    protobuf: Update to version 29.3

    - Update from version 28.3 to 29.3
    - Update of rootfile
    - Changelog
        29.3
          Announcements
            Protobuf News may include additional announcements or pre-announcements for upcoming changes.
          C++
            Fix cmake installation location of java and go features (#19773) (1dc5842)
          Other
            Add .bazeliskrc for protobuf repo to tell bazelisk to use 7.1.2 by default. (#19884) (9a5d2c3)
            Update artifact actions to v4 (#19703) (8e7e6b0)
        29.2
          Announcements
            Protobuf News may include additional announcements or pre-announcements for upcoming changes.
          C++
            Automated rollback of commit 23aada2. (#19692) (1772657)
            Remove unused / invalid C++ lazy repeated field code from OSS. (#19682) (3649f87)
          Java
            Automated rollback of commit 23aada2. (#19692) (1772657)
          Other
            Export environment variables so bazelisk picks them up (#19690) (8b9d76c)
            Pin staleness check to Bazel 7 (#19689) (a1c9b6a)
            Remove CMake downgrade workaround from Windows CI tests (#19630) (3a7bb4a)
        29.1
          Announcements
            Protobuf News may include additional announcements or pre-announcements for upcoming changes.
          Java
            Rename maven to protobuf_maven in MODULE.bazel (#18641) (#19477) (ba6da44)
          Kotlin
            Rename maven to protobuf_maven in MODULE.bazel (#18641) (#19477) (ba6da44)
          Python
            Revert "Remove deprecated service.py usages from test". For 29.x only (#19434) (5864b50)
        29.0
          Announcements
            Protobuf News may include additional announcements or pre-announcements for upcoming changes.
          Bazel
            Add missing line to docstring after Args (#19213) (6f310d5)
            Fix proto_info_bzl (#18918) (083de5f)
            Use rules_cc everywhere in protobuf (ddadd0b)
            Upgrade rules_cc to 0.0.13 (3dd4835)
            Convert proto toolchain string to Label (aa181e2)
            Prepare supporting targets for testing (a748b10)
            Support --incompatible_enable_proto_toolchain_resolution (372ddb3)
            Move ProtoInfo and ProtoLangToolchainInfo from Bazel (426ca8a)
            Move java_{lite_}proto_library from Bazel repository (d77bdac)
            Move proto_toolchain from rules_proto to protobuf (9f9cb7a)
            Move proto_library from Bazel repository (3ff2cf0)
            Move proto_common implementation from Bazel binary (b19fbe6)
          Compiler
            Begin adding extension numbers to SourceCodeInfo and FileDescriptorSet for tooling purposes. (07e489d)
            Update protoc release to include editions language features proto for Go (#19013) (63d966b)
            Introduce lifetimes for individual feature values. (0b6e768)
            Windows - Fix handling of utf8 command line arguments (#17854) (b9d1800)
            Limit feature deprecation warnings to reduce noise. (5cd9a46)
          C++
            Fix C++ ifndef_guard printer to also convert "-" to "_". (7331b77)
            Fix C++ codegen namespace printer to print closing namespaces in reverse order. (3bf9c40)
            Fix raw_ptr.cc on exotic architectures (#18193) (63f6262)
            Fix cord handling in DynamicMessage and oneofs. (9e8b30c)
            Fix packed reflection handling bug in edition 2023. (4c92328)
            Add JsonStreamToMessage method (0259cc3)
            Introduce lifetimes for individual feature values. (0b6e768)
            Insert software prefetches into merge functions. This improves performance when hardware prefetchers are disabled on AMD machines. (d993365)
            Insert software prefetches into proto parsing functions. This improves performance when hardware prefetchers are disabled on AMD platforms. (8aa0add)
            Add prefetching of subsequent extensions in ExtensionSet::ForEach. (9b019ee)
            Remove the AnyMetadata class and use free functions instead. (920d5c3)
            Add [[deprecated]] attribute when generating enums and classes. (23aada2)
            Use linear search instead of binary search in flat mode of ExtensionSet. (0ed61f0)
            Prepare MessageLite::GetTypeName to be upgraded to return (30a8ef5)
            Limit feature deprecation warnings to reduce noise. (5cd9a46)
            Add Compiler Condition to use inline assembly optimizations with ARM64 for Compatibility with MSVC (#17671) (c5f6231)
            Enable small object optimization (SOO) for RepeatedField in order to reduce data indirections. (e2525e6)
            Return backing array memory to arena in ExtensionSet. (5ac8ee1)
            In edition 2024, Enum_Name(value) functions return absl::string_view by default. (e3fa6aa)
            Add Prefetchers to Proto Copy Construct to help address load misses (cdb7238)
            Reduced nesting in GenerateByteSize: slight readability improvements in generated code. (162a740)
            Introduce FieldDescriptor::cpp_string_type() API to replace direct ctype inspection which will be removed in the next breaking change (d0e49df)
            Update the comment of TextFormat::Printer::RegisterMessagePrinter that the method takes ownership of the printer pointer. (d911161)
            Prepare the code for migrating return types from const std::string& to (e13b8e9)
          Java
            Remove deprecation warnings for Timestamp and Duration add/subtract/between that we do not yet have alternatives to. (f606c13)
            [29.x] Add missing java load (#19016) (bb287be)
            Give Kotlin jars an OSGi Manifest (#18812) (0c51eba)
            Re-export includingDefaultValueFields in deprecated state for important Cloud customer. (7321b2f)
            Restore compatibility with 3.22 gencode by re-adding mutableCopy helpers (1b1e90b)
            Speed up CodedOutputStream by extracting rarely-executed string formatting code (f8f5136)
            Return constant Value objects for true, false, and "" (4fbb0c5)
            Optimise CodedOutputStream.ArrayEncoder.writeFixed32NoTag/writeFixed64NoTag (a51f98c)
            CodedOutputStream: avoid updating position to go beyond end of array. (76ab5f2)
            Convert IndexOutOfBoundsException to OutOfSpaceException in UnsafeDirectNioEncoder (0e75d92)
            Suppress ReturnValueIgnored errorprone issues (bbbc7b9)
            Fix packed reflection handling bug in edition 2023. (4c92328)
            Move cc_proto_library from Bazel repository (5254448)
            Protobuf Lite ArrayLists: Defer allocating backing array until we have some idea how much to allocate. (05a8a40)
            Allocate correct-sized array when parsing packed fixed-width primitives (4e8469c)
            Bugfix: Make extensions beyond n=16 immutable. (ee419f2)
            Reserve capacity in ProtobufArrayList when calling Builder.addAllRepeatedMessage(Collection) (e3cc31a)
            Avoid allocating iterators when calling Message.Builder.addAllFoo(RandomAccess List) (bd1887e)
            Remove the AnyMetadata class and use free functions instead. (https://github.com/protocolbuffers/protobuf/com...
    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 31457b85124fd445f585268ef3add1a6a2e8602d
Author: Adolf Belka
Date:   Mon Jan 13 22:41:07 2025 +0100

    postfix: Update to version 3.9.1

    - Update from version 3.9.0 to 3.9.1
    - Update of rootfile not required
    - Changelog
        3.9.1
          The mail_version configuration parameter did not have a three-number value (3.9 instead of 3.9.0; it still had the two-number version from the development releases postfix-3.9-yyyymmdd). This broke pathnames derived from the mail_version value, such as shlib_directory. Problem reported by Michael Orlitzky.
          Bugfix (defect introduced: Postfix 2.9, date 20111218): with "smtpd_sasl_auth_enable = no", the permit_sasl_authenticated feature ignored information that was received with the XCLIENT LOGIN command, so that the client was treated as unauthenticated. This was fixed by removing an unnecessary test. Problem reported by Antonin Verrier.
          Bugfix (defect introduced: postfix 3.0): the default master.cf syslog_name setting for the relay service did not preserve multi-instance information, which complicated logfile analysis. Found during a support discussion.
          Bugfix (defect introduced: Postfix 2.3, date 20051222): file descriptor leak after failure to connect to a Dovecot auth server. The impact is limited because Dovecot auth failures are rare, there are limits on the number of retries (one), on the number of errors per SMTP session (smtpd_hard_error_limit), on the number of sessions per SMTP server process (max_use), and on the number of file handles per process (managed with sysctl). Found during code maintenance.
          Bugfix (defect introduced: Postfix 3.4, date 20190121): the postsuper command failed with "open logfile '/path/to/file': Permission denied" when the maillog_file parameter specified a filename and Postfix was not running. This was fixed by opening the maillog_file before dropping root privileges. Found during code maintenance.
          Bugfix (defect introduced Postfix 3.0). No autodetection of UTF8 text when missing message headers were automatically added by Postfix (for example, a From: header with UTF8 full name information from the password file). This caused Postfix to send UTF8 in message headers without using the SMTPUTF8 protocol. Problem reported by Michael Tokarev.

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 7488c240679fed1872ea3ed0514901bce3aa164e
Author: Adolf Belka
Date:   Mon Jan 13 22:41:06 2025 +0100

    frr: Update to version 10.2.1

    - Update from version 10.1 to 10.2.1
    - Update of rootfile not required
    - Changelog
        10.2.1
          Fixed CVE-2024-55553
            More details: https://frrouting.org/security/cve-2024-55553
          Bug Fixes
            bfdd
              retain remote dplane client socket
            bgpd
              Fix to pop items off zebra_announce FIFO for few EVPN triggers
              Check if as_type is not specified when peer is a peer-group member
              Do not reset peers on suppress-fib toggling
              Fix bgp core with a possible Intf delete
              Fix enforce-first-as per peer-group removal
              Fix evpn bestpath calculation when path is not established
              Fix graceful-restart for peer-groups
              Fix memory leak when creating BMP connection with a source interface
              Fix memory leak when reconfiguring a route distinguisher
              Fix unconfigure asdot neighbor
              Fix use single whitespace when displaying flowspec entries
              Fix version attribute is an int, not a string
              Import allowed routes with self AS if desired
              Initialize as_type for peer-group as AS_UNSPECIFIED
              Use gracefulRestart JSON field
              Validate both nexthop information (NEXTHOP and NLRI)
              Validate only affected RPKI prefixes instead of a full RIB
              When calling bgp_process, prevent infinite loop
            lib
              Allow setsockopt functions to return size set
              Fix session re-establishment
              Take ge/le into consideration when checking the prefix with the prefix-list
              Use backoff setsockopt option for freebsd
            ospfd
              OSPF multi-instance default origination fixes
            pimd
              Fix access-list memory leak in pimd
              Free igmp proxy joins on interface deletion
              igmp proxy joins should not be written as part of config
              Prevent crash of pim when auto-rp's socket is not initialized

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 77ccf4949b96f1326932d77496f64c76134428a8
Author: Adolf Belka
Date:   Mon Jan 13 22:41:04 2025 +0100

    fetchmail: Update to version 6.5.2

    - Update from version 6.4.39 to 6.5.2
    - Update of rootfile not required
    - Changelog
        6.5.2
          ADVANCE WARNING OF FEATURES TO BE REMOVED OR CHANGED IN FUTURE VERSIONS
          (There are no plans to remove features from a 6.5.X release, but they may be removed from a 6.6.0 or newer release.)
            * Support for operating systems that are not sufficiently POSIX compliant may be removed or operation on such systems may be suboptimal for future releases.
            * Future fetchmail releases may require compilers and operating systems that adhere to standards issued 2011 or later. (See README for requirements.)
            * Future fetchmail releases may tighten up security and lean towards it a bit more by, for instance, implementing recommendations from RFC-7817 or RFC-8314. This may, for instance, require that TLS v1.1 or newer be used.
            * The MX and host alias DNS lookups that fetchmail performs in multidrop mode are based on assumptions that are rarely met in practice, somewhat defective, deprecated and may be removed from a future fetchmail version. They have never supported IPv6 (including IPv6-mapped IPv4). Non-DNS based alias keywords such as "aka" will remain in fetchmail.
            * The monitor and interface options may be removed from a future fetchmail version as they are not reasonably portable across operating systems.
            * POP2 is obsolete, support will be removed from a future fetchmail version.
            * IMAP2 and IMAP4 (not IMAP4r1) are obsolete, support may be removed from a future fetchmail version.
            * RPOP is obsolete, support will be removed from a future fetchmail release.
            * The multidrop To/Cc guessing code along with the fragile duplicate suppressor is deprecated and may be removed from a future release.
            * The "envelope Received" option may be removed from a future release, because the Received header was never meant to be machine-readable, the format varies widely, and various other differences in behavior make parsing Received an unreliable undertaking. The envelope option as such will remain though, in order to support Delivered-To, X-Envelope-To, X-Original-To and similar. See also .
            * The "protocol auto" default inside fetchmail may be removed from a future fetchmail release. Explicit configuration of the protocol is recommended.
            * Kerberos IV support may be removed from a future fetchmail release.
            * Kerberos 5 support may be removed from a future fetchmail release. (Although GSS-API support should remain as long as it's viable.)
            * The --principal option may be removed from a future fetchmail release.
            * SIGHUP wakeup support may be removed from a future fetchmail release and cause fetchmail to terminate - it was broken for many years.
            * The maintainer may migrate fetchmail to C++, and impose further requirements (dependencies), such as Boost or other class libraries.
            * The softbounce option default will change to "false" in the next release.
            * The --bsmtp - mode of operation may be removed in a future release.
            * Fetchmailconf is deprecated and will be removed from a future release.
            * Fetchmail does not guarantee compatibility with EOL OpenSSL versions. Support for end-of-life OpenSSL versions may be removed even from patchlevel releases.
            * Nonstandard or by today's standards insufficiently secure authentication schemes (such as OPIE, RPA) may be removed from future fetchmail versions.
            * Nonstandard protocol extensions (such as SDPS/*ENV) may be removed from future fetchmail versions.
            * --auth ssh may be removed from future fetchmail versions. Use --auth implicit.
            * Future fetchmail releases (even minor ones) may change undocumented parts of the .netrc parser in incompatible ways to enhance compatibility with typical ftp(1) .netrc parsers.
          KNOWN BUGS AND WORKAROUNDS
            * Fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933)
            * Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used. Please report issues with this.
            * BSMTP is mostly untested and errors can cause corrupt output.
            * Fetchmail does not track pending deletes across crashes.
            * The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running.
            * Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
            * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI.
            * For IMAP connections, fetchmail will print "will idle after poll" in verbose mode even though --idle is not given, as an artifact of the 6.4.22 security fixes. Fetchmail means "could idle after poll", but this would have required another loop through the translators.
            * aka ... hostnames are not considered for upstream server X.509 certificate verification, aka was meant for alias detection with multidrop mailboxes.
            * When compiled against wolfSSL, note that it is not a feature-complete emulation of OpenSSL. Main functionality is given, but some minor details may not work the same as in OpenSSL builds.
            * When compiled against LibreSSL (due to licensing, this only works on OpenBSD where LibreSSL is part of the OS), note that LibreSSL is somewhat behind recent OpenSSL versions, so prefer OpenSSL to LibreSSL if you can.
            * FreeBSD's OPIE implementation cannot be found when using a C++ compiler. This should not affect the normal build, which uses a C compiler.
            * Using ccache may trigger "implicit fallthrough" warnings because the comments that, for instance, GCC understands, are removed by ccache's separate preprocessing. Fixing this portably requires C++17.
            * Fetchmail's RFC-2047 encoder (used for localized Subject: lines of locally-originated e-mail messages) is simplistic and violates the RFC-2047 requirement that multibyte characters must not be split across encoded-words.
          TRANSLATIONS: fetchmail's translations were updated, courtesy of:
            * cs: Petr Pisar [Czech]
            * sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
          CHANGES:
            * Minor documentation consistency fixes (versions, dates).
        6.5.1
          BUG AND PORTABILITY FIXES:
            * Drop two wolfSSL compile-time checks that were for older 6.4 or for future 7.0 releases and broke compilation with wolfSSL 5.7.4. Fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282413#c4
            * Use %p instead of non-portable %#p for one wolfSSL-related diagnostic message (FreeBSD defines %#p to be %p, on many other platforms it's undefined behavior).
            * Add regex_helper.c to list of files that contain translatable strings, which contains two strings we missed to translate.
          CHANGES:
            * Simplify EVP_MD_fetch API detection ("like OpenSSL 3" vs. "like OpenSSL 1") for version switch and base it on the claimed OpenSSL version of the crypto SSL, which works for LibreSSL (claims OpenSSL 2) and wolfSSL alike.
          TRANSLATIONS: fetchmail's messages were translated by these fine people:
            * sq: Besnik Bleta [Albanian]
            * es: Cristian Othón Martínez Vera [Spanish]
            * ro: Remus-Gabriel Chelu [Romanian]
            * fr: Frédéric Marchal [French]
            * pl: Jakub Bogusz [Polish]
            * sv: Göran Uddeborg [Swedish]
            * ja: Takeshi Hamasaki [Japanese]
            * eo: Keith Bowes [Esperanto]
        6.5.0
          SECURITY FIX:
            * .netrc now may not have more than 0700 permission if it contains passwords, else fetchmail will warn and ignore the file.
          REMOVED FEATURES
            * fetchmail no longer supports using an MDA as SMTP fallback. This is required to make deliveries consistent. The --enable-fallback configure option is gone.
            * fetchmail no longer supports SSLv3. --sslproto ssl3 and ssl3+ options have been removed and behave as though "--sslproto auto" had been given.
          INCOMPATIBLE CHANGES
            * fetchmail by default only negotiates TLS v1.2 or higher. (RFC-7525)
            * fetchmail can auto-negotiate TLS v1.1 through the --sslproto tls1.1+ option.
            * fetchmail can auto-negotiate TLS v1.0 through the --sslproto tls1+ option.
            * fetchmailconf now requires Python 3.7.0 or newer.
            * fetchmail, with --logfile, now logs time stamps into the file, in localtime and in the format "Jun 20 23:45:01 fetchmail: ". It will be localized through the environment variables LC_TIME (or LC_ALL) and TZ. Contributed by Holger Hoffstätte.
            * fetchmail sets the OPENSSL security level to 2 by default. Override is possible from an environment variable, see EXPERIMENTAL CHANGES below.
            * The ca, da, en_GB, id, it, nl, ru, zh_CN translations have been disabled, they are too far behind.
          CHANGED REQUIREMENTS
            * fetchmail 6.5.0 is written in C99 and requires a SUSv3 (Single Unix Specification v3, a superset of POSIX.1-2001 aka. IEEE Std 1003.1-2001 with XSI extension) compliant system. In particular, older fetchmail versions had workarounds or replacement code for several functions standardized in the Single Unix Specification v3, these have been removed. Hence:
              - The trio/ library has been removed from the distribution.
              - The libesmtp/getaddrinfo.? library has been removed from the distribution.
              - The KAME/getnameinfo.c file has been removed from the distribution.
            * fetchmail 6.5.0 requires a TLSv1.3-capable version of OpenSSL or wolfSSL, at a minimum OpenSSL v3.0.9 or wolfSSL v5.7.2.
          TRANSLATIONS: fetchmail's messages were translated by these fine people:
            * cs: Petr Pisar [Czech]
            * eo: Keith Bowes [Esperanto]
            * es: Cristian Othón Martínez Vera [Spanish]
            * fr: Frédéric Marchal [French]
            * ja: Takeshi Hamasaki [Japanese]
            * ro: Remus-Gabriel Chelu [Romanian]
            * sv: Göran Uddeborg [Swedish]
            * sq: Besnik Bleta [Albanian]
            * pl: Jakub Bogusz [Polish]
          BUG FIXES
            * fetchmail can now report mailbox sizes of 2^31 octets and beyond (2 GibiB). This required C99 support (for the long long type). Fixes Debian Bug#873668, reported by Andreas Schmidt.
            * fetchmail now defines its OpenSSL API level to 3.0.0 so as to expose the 3.0.0 APIs from OpenSSL.
            * The .netrc parser no longer permits "machine" after "default".
            * Add manpage info on the .netrc syntax, as ftp(1) is not standardized and may not be installed. Fixes Launchpad Bug #1976361 reported by Bill Yikes.
            * Received: lines now return GMT time if the tzoffset cannot be represented as whole minutes. Reported by @rriddicc via Gitlab #49.
            * If fetchmail was running localized, generated an error e-mail message locally, and if the selected translation would require the Subject: line to wrap inside an RFC-2047 encoded word (=?UTF-8?Q?...?=), the wrapped encoded-word was not indented, thus not marked as a continuation line.
            * SSL error handling was improved, fetchmail now consistently clears the thread/SSL error queue before SSL I/O operations and checks SSL_get_error afterwards. The SSL_connect() error handling has been revised to log more consistently.
          CHANGES
            * When fetchmail attempts to log out from an IMAP4 server and the server messes up its responses (it is supposed to send an untagged * BYE and a tagged A4711 OK) and sends a tagged A4711 BYE response, tolerate that, rather than reporting a protocol error. We don't intend to chat any more so the protocol violation is harmless, and we know the server cannot send more untagged status responses. Analysis and fix courtesy of Maciej S. Szmigiero, GitLab merge request !20.
            * The configure script now spends more effort for getting --with-ssl right, by running pkg-config in the right environment, and using the AC_LIB_LINKFLAGS macro to obtain run-time library path setting flags.
            * For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31.
            * There is now a --idletimeout feature contributed by Eric Durand, to permit setting a shorter timeout for the --idle option, because many servers violate the protocol (requiring 30 minutes) and hang up sooner than the 28 minutes fetchmail waits before refreshing IDLE. GitLab merge request !35.
            * There is now a --forceidle feature to force idle mode even if not advertised in the server capabilities. This is a dangerous option, use it carefully. Courtesy of Eric Durand, GitLab merge request !39.
            * There is now a --moveto feature (only feasible in IMAP) that, instead of flushing mail, moves it to a user-specified folder. This is to assist with archiving, or when providers (G...) break the IMAP model. Courteously provided by Damjan Jovanovic.
            * rcfile parsing errors are now reported in more detail, and with -vv mode, also lead to a non-importable Python dump of what was obtained, for debugging.
            * fetchmail's --auth option ssh was renamed to implicit, to make clear that it does *NOT* imply any particular type or features of the --plugin. --auth ssh will be understood for a while for compatibility but fetchmail will report it as implicit.
            * fetchmail no longer warns about port/service mismatches with/without ssl option when a "plugin" is in use because fetchmail cannot know whether the plugin talks SSL or STARTTLS/STLS. Fixes Debian Bug#1076604.
            * fetchmail re-executes itself if the .netrc file's modification change is found to be newer at the beginning of a new run.
            * fetchmail can now use other digest algorithms than MD5 for the --sslfingerprint option. To use, specify the algorithm's name in curly braces as prefix in the finger print, say, --sslfingerprint '{SHA256}00:01:[...]:1F'. This will also switch the algorithm for printing. All algorithms supported by the TLS/SSL library can be specified. Fixes Gitlab issue #19, Debian Bug#700266.
          EXPERIMENTAL CHANGES - these are not documented anywhere else, only here:
            * fetchmail supports a FETCHMAIL_SSL_SECLEVEL environment variable that can be used to override the OpenSSL security level. Fetchmail by default raises the security level to 2 if lower. This variable can be used to lower it. Use with extreme caution. Note that levels 3 or higher will frequently cause incompatibilities with servers because server-side data sizes are often too low. Valid range: 0 to 5 for OpenSSL 1.1.1 and 3.0.
            * fetchmail supports a FETCHMAIL_SSL_CIPHERS environment variable that sets the cipher string (through two different OpenSSL functions) for SSL and TLS versions up to TLSv1.2. If setting the ciphers fails, fetchmail will not connect. If not given, defaults to Postfix's "medium" list, "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH".
            * fetchmail supports a FETCHMAIL_TLS13_CIPHERSUITES environment variable that sets the ciphersuites (a colon-separated list, without + ! -) for TLSv1.3. If not given, defaults to OpenSSL's built-in list. If setting the ciphersuites fails, fetchmail refuses to connect.
            * NOTE the features above are simplistic. For instance, even though you configure --sslproto tls1.3, a failure to set tls1.2 ciphers could cause a connection abort.
            * fetchmail can be built with meson 1.30 or newer . fetchmail is not currently written in a way that supports unity (amalgamated) builds.

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 46da743318cb03d76992541b6571e1a0af7fdfac
Author: Adolf Belka
Date: Mon Jan 13 22:41:03 2025 +0100

    dnsdist: Update to version 1.9.8

    - Update from version 1.9.7 to 1.9.8
    - Update of rootfile not required
    - Changelog
        1.9.8
          Improvements
            Add the ability to load a given TLS tickets key
              References: pull request 14877
            Custom metrics: better error messages, small doc improvements
              References: pull request 14978
            Add elapsed time to dq object (@phonedph1)
              References: pull request 14887
          Bug Fixes
            setTicketsKeyAddedHook: pass a std::string to the hook to avoid luawrapper to truncate content at potential null chars
              References: pull request 14878
            Fix ECS zero-scope caching with incoming DoH queries
              References: #14959, pull request 14977
            Allow resetting setWeightedBalancingFactor() to zero
              References: pull request 14929

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 3caaf256c7c2652fa579ae5338a60429b1b58558
Author: Arne Fitzenreiter
Date: Fri Jan 24 14:25:01 2025 +0100

    core192: ship dma

    Signed-off-by: Arne Fitzenreiter

commit d53adf3d1d434b139fde81a26be2d308e2c40a60
Author: Adolf Belka
Date: Mon Jan 13 22:41:02 2025 +0100

    dma: Update to version 0.14

    - Update from version 0.13 to 0.14
    - Update of rootfile not required
    - Changelog
        0.14
          https://github.com/corecode/dma/commits/v0.14/

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 44b8e06f7814129c4c4cbc2800e5282042593333
Author: Adolf Belka
Date: Mon Jan 13 22:40:32 2025 +0100

    make.sh: Move python3-tomli to before qemu as it is now needed for the build

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 672af0ab2c6d3af01b879cfad0577c69f752d724
Author: Adolf Belka
Date: Mon Jan 13 22:40:31 2025 +0100

    qemu-ga: Update to version 9.2.0

    - Update from version 9.0.2 to 9.2.0
    - Update of rootfile not required
    - Changelog same as in the commit for qemu to 9.2.0

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit ade79737a329213e7872a035a30a705f7a9e31f2
Author: Adolf Belka
Date: Mon Jan 13 22:40:30 2025 +0100

    qemu: Update to version 9.2.0

    - Update from version 9.0.2 to 9.2.0
    - Update of rootfile
    - Changelog
        9.2.0
          https://wiki.qemu.org/ChangeLog/9.2
        9.1.0
          https://wiki.qemu.org/ChangeLog/9.1

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 38c13c04fcd4b7a5e2d08ffeb1b85a77b5461bec
Author: Adolf Belka
Date: Mon Jan 13 22:40:07 2025 +0100

    asciidoctor: Update of rootfile to take account of ruby update to 3.4.0 branch

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 4234436fc76d48706b7c7f336e7ddb1503d56737
Author: Adolf Belka
Date: Mon Jan 13 22:40:06 2025 +0100

    ruby: Update to version 3.4.1

    - Update from version 3.3.6 to 3.4.1
    - Update of rootfile
    - Changelog
        3.4.0 changes compared to 3.3.0
          See file NEWS.md in source tarball

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit d226ab59914488fe9660542b6797711c9625779d
Author: Arne Fitzenreiter
Date: Fri Jan 24 14:14:27 2025 +0100

    core192: ship backup exclude

    Signed-off-by: Arne Fitzenreiter

commit 83df9ec1753af193da7d72f795af2894d528c031
Author: Adolf Belka
Date: Mon Jan 13 13:24:42 2025 +0100

    backup-exclude: Add suricata ruleset-sources to backup exclude file

    - This will ensure that an old version will no longer be restored back onto a user's system.
    - The suricata ruleset-sources file should also be shipped in the CU that this will be applied to make sure that all users have the correct version installed, in case they have done a restore from an old backup after doing a fresh install.
    - Tested on my vm testbed system and after making the change, the ruleset-sources file is no longer added to the backup set but also it is excluded from the restore if it is included in an old backup.

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Reviewed-by: Michael Tremer
    Signed-off-by: Arne Fitzenreiter

commit 7d42fc3576cbb130193361b4e68015398998b2c8
Author: Adolf Belka
Date: Sat Jan 11 15:43:33 2025 +0100

    tshark: Update to version 4.4.3

    - Update from version 4.4.2 to 4.4.3
    - Update of rootfile
    - Changelog
        4.4.3
          Bug Fixes
            Potential mis-match in GSM MAP dissector for uncertainty radius and its filter key. Issue 20247.
            Macro eNodeB ID and Extended Macro eNodeB ID not decoded by User Location Information. Issue 20276.
            The NFSv2 Dissector appears to be swapping Character Special File and Directory in mode decoding. Issue 20290.
            CMake discovers Strawberry Perl’s zlib DLL when it shouldn’t. Issue 20304.
            VOIP Calls call flow displaying hours. Issue 20311.
            Fuzz job issue: fuzz-2024-12-26-7898.pcap. Issue 20313.
            sFlow: Incorrect length passed to header sample dissector. Issue 20320.
            wsutil: Should link against -lm due to missing fabs() when built with -fno-builtin. Issue 20326.
          Updated Protocol Support
            ARTNET, ASN.1 PER, BACapp, BBLog, BT BR/EDR RF, CQL, Diameter, DOF, ECMP, FiveCo RAP, FTDI FT, GSM COMMON, GTPv2, HCI_MON, HSRP, HTTP2, ICMPv6, IEEE 802.11, Kafka, LTE RRC, MBIM, MMS, Modbus/TCP, MPEG PES, NAS-EPS, NFS, NGAP, NR RRC, PLDM, PN-DCP, POP, ProtoBuf, PTP, RLC, RPC, RTCP, sFlow, SIP, SRT, TCP, UCP, USBCCID, Wi-SUN, and ZigBee ZCL
          New and Updated Capture File Support
            CLLog EMS ERF

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 4657aed760f81c0c0faf7be5873238f98ef6ccff
Author: Adolf Belka
Date: Sat Jan 11 15:43:32 2025 +0100

    samba: Update to version 4.21.3

    - Update from version 4.21.2 to 4.21.3
    - Update of rootfile not required
    - Changelog
        4.21.3
          * BUG 15701: More possible replication loops against Azure AD.
          * BUG 15697: Compound rename from Mac clients can fail with NT_STATUS_INTERNAL_ERROR if the file has a lease.
          * BUG 15724: vfs crossrename seems not work correctly.
          * BUG 6750: After 'machine password timeout' /etc/krb5.keytab is not updated.
          * BUG 15771: Memory leak wbcCtxLookupSid.
          * BUG 15765: Fix heap-use-after-free with association groups.
          * BUG 15758: Segfault in vfs_btrfs.
          * BUG 15755: Avoid event failure race when disabling an event script.
          * BUG 15724: vfs crossrename seems not work correctly.

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 86f25118f96caf6e58433276acaa89fd27798aff
Author: Arne Fitzenreiter
Date: Fri Jan 24 14:11:56 2025 +0100

    core192: ship nettle

    Signed-off-by: Arne Fitzenreiter

commit c1dd437f246f23d683478ef582c93d8a3f8159a0
Author: Adolf Belka
Date: Sat Jan 11 15:43:31 2025 +0100

    nettle: Update to version 3.10.1

    - Update from version 3.10 to 3.10.1
    - Update of rootfile
    - Changelog
        3.10.1
          This is a maintenance release, with only a few bugfixes and portability improvements.
          The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.10 and libhogweed.so.6.10, with sonames libnettle.so.8 and libhogweed.so.6.
          Bug fixes:
            * Fix buffer overread in the new sha256 assembly for powerpc64, as well as a stack alignment issue.
            * Added missing nettle_mac structs for hmac-gosthash.
            * Fix configure test for valgrind, to not attempt to run valgrind on executables built using memory sanitizers.
          Optimizations:
            * Improved runtime detection of cpu features for OpenBSD and FreeBSD, using elf_aux_info when available. This also adds runtime detection for FreeBSD on arm64. Contributed by Brad Smith.

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit b9671e1644b45a9353b81a3c7ca47d8b5ff04f5a
Author: Arne Fitzenreiter
Date: Fri Jan 24 14:11:05 2025 +0100

    core192: ship nano

    Signed-off-by: Arne Fitzenreiter

commit d6b378f3f0a86d78c5ef18d7a2243c8a57dd2a7b
Author: Adolf Belka
Date: Sat Jan 11 15:43:30 2025 +0100

    nano: Update to version 8.3

    - Update from version 8.2 to 8.3
    - Update of rootfile not required
    - Changelog
        8.3
          • A build failure with gcc-15 is fixed.
          • Several translations were updated.

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 1e3176c9074a480fd6bfe25aff5f9f4e1ab017f2
Author: Arne Fitzenreiter
Date: Fri Jan 24 14:10:03 2025 +0100

    core192: ship mdadm

    Signed-off-by: Arne Fitzenreiter

commit 47fa1360ac84a1f4563d9ffc258017b2fb66c07d
Author: Adolf Belka
Date: Sat Jan 11 15:43:29 2025 +0100

    mdadm: Update to version 4.4

    - Update from version 4.3 to 4.4
    - Update of rootfile not required
    - mdadm has been formally moved to github.
    - Changelog
        4.4
          Features:
            - Remove custom bitmap file support from Yu Kuai.
            - Custom device policies implementation from Mariusz Tkaczyk.
            - Self encrypted drives (**SED**) support for IMSM metadata from Blazej Kucman.
            - Support more than 4 disks for **IMSM** RAID10 from Mateusz Kusiak.
            - Read **IMSM** license information from ACPI tables from Blazej Kucman.
            - Support devnode in **--Incremental --remove** from Mariusz Tkaczyk.
            - Printing **IMSM** license type in **--detail-platform** from Blazej Kucman.
            - README.md from Mariusz Tkaczyk and Anna Sztukowska.
          Fixes:
            - Tests improvements from Xiao Ni and Kinga Stefaniuk.
            - Mdmon's Checkpointing improvements from Mateusz Kusiak.
            - Pass mdadm environment flags to systemd-env to enable tests from Mateusz Kusiak.
            - Superblock 1.0 uuid printing fixes from Mariusz Tkaczyk.
            - Find VMD bus manually if link is not available from Mariusz Tkaczyk.
            - Unconditional devices count printing in --detail from Anna Sztukowska.
            - Improve SIGTERM handling during reshape, from Mateusz Kusiak.
            - **Monitor.c** renamed to **Mdmonitor.c** from Kinga Stefaniuk.
            - Mdmonitor service documentation update from Mariusz Tkaczyk.
            - Rework around writing to sysfs files from Mariusz Tkaczyk.
            - Drop of HOT_REMOVE_DISK ioctl in Manage in favour of sysfs from Mariusz Tkaczyk.
            - Delegate disk removal to managemon from Mariusz Tkaczyk.
            - Some clean-ups of legacy code and functionalities like **--auto=md** from Mariusz Tkaczyk.
            - Manual clean-up, references to old kernels removed from Mariusz Tkaczyk.
            - Various static code analysis fixes.
          In this release we created github repository and allowed participation through Github. It allowed us to use Github actions and create CI. Currently, we have:
            - Compilation tests with various gcc.
            - **mdadm** tests.
            - Checkpatch test.

    Signed-off-by: Adolf Belka
    Signed-off-by: Arne Fitzenreiter

commit 3bdf61a453f8c6980309b70d890d8da59b6c0da1
Author: Arne Fitzenreiter
Date: Fri Jan 24 14:08:59 2025 +0100

    core192: ship libpng

    Signed-off-by: Arne Fitzenreiter