commit d5e9e2ba609353dfc868c60d6556df031571fa47
Author: Michael Tremer
Date:   Mon Dec 15 16:11:51 2025 +0000

    core199: Ship backup exclude

    Signed-off-by: Michael Tremer

commit 92fa47e749e1eaf9955b5e48971e047e889c0fda
Author: Adolf Belka
Date:   Fri Dec 12 17:38:11 2025 +0100

    exclude: Add the suricata sgh cache directory to the list

    - Depending on the number of suricata rulesets that users have got
      enabled the suricata cache in /var/cache/suricata/sgh/ gets currently
      backed up in the ipfire .ipf file and some users are ending up with
      backup files that used to be 190MB and are now greater than 700MB,
      some even over 800MB.
    - This change excludes the cache from the backup as it seems that a
      restore with a cache from an earlier time does not make sense.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 4022fbf53ea5e627b19d5affd50cfeb302ff33af
Author: Adolf Belka
Date:   Fri Dec 12 15:07:07 2025 +0100

    dracut-ng: Update the rootfile to include initqueue

    - In dracut-180 initqueue was removed from the base system and made its
      own set. This was missed when the original release was done and the
      initqueue entries were commented out.
    - Tested out with the new 6.18.0 kernel evaluation and initqueue was
      successfully installed and therefore also subsequently btrfs, lvm &
      mdraid that depended on initqueue

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit d656b7af6411d0306513b853a552f56d6713c174
Author: Michael Tremer
Date:   Tue Dec 2 11:27:11 2025 +0000

    libvirt: Fix the update script

    I don't know why this all has to be copied like this, but the recent
    changes from the install script should be applied here, too.

    Signed-off-by: Michael Tremer

commit c26c281d6447d40c26c421dbab42aff94cd9907b
Author: Michael Tremer
Date:   Tue Dec 2 11:25:24 2025 +0000

    qemu: Create the KVM group as system group

    Otherwise udev will ignore any rules that involve this group.
    This might require some manual intervention for users who are running
    this add-on on a system that has the kvm group created as a non-system
    group.

    Signed-off-by: Michael Tremer

commit 5195e0085ef2b320fe9a6312e5135a72f6c030bc
Author: Michael Tremer
Date:   Tue Dec 2 11:24:32 2025 +0000

    libvirt: Create non-privileged users as system users

    Signed-off-by: Michael Tremer

commit 75ecc4831af721e93f8eef3a6879a15c486137ed
Author: Michael Tremer
Date:   Thu Nov 27 11:14:24 2025 +0000

    manualpages: Add LLDP page

    Fixes: #13913 - Add LLDP helper button to lldp.cgi

    Signed-off-by: Michael Tremer

commit 9f55a31459d6ca64f2827bc8eadb6e981245df75
Author: Michael Tremer
Date:   Thu Nov 27 11:11:49 2025 +0000

    dracut-ng: Configure to create universally bootable initramdisks

    We don't want to build an initramdisk only for the current host so that
    IPFire devices will boot on various hardware.

    Signed-off-by: Michael Tremer

commit 9457019809d8aa7dc1731a73e5edb131ce383026
Author: Michael Tremer
Date:   Thu Nov 27 11:09:58 2025 +0000

    dracut-ng: Remove default configuration

    We don't need to install any example/default configuration as we are
    controlling our own configuration in 01-ipfire.conf.

    Signed-off-by: Michael Tremer

commit 6026963e0f4a0b04ba2b3bc372007e4a2bfefd22
Author: Michael Tremer
Date:   Thu Nov 27 11:07:58 2025 +0000

    dracut-ng: Move ipfire.conf to 01-ipfire.conf

    Signed-off-by: Michael Tremer

commit ef61e8a0596ca5f0b56c139339a5a20d4745e786
Author: Michael Tremer
Date:   Thu Nov 27 11:02:52 2025 +0000

    Run "./make.sh lang"

    Signed-off-by: Michael Tremer

commit 3db5ec53f6da36cc9f0f886b641f30316f50aa48
Author: Michael Tremer
Date:   Thu Nov 27 11:02:29 2025 +0000

    langs: Fix "D-Bus Daemon" string

    Signed-off-by: Michael Tremer

commit a2097f8b43b23082c976ece3fadeb7da4b84cd89
Author: Stefan Schantl
Date:   Wed Nov 26 19:12:48 2025 +0100

    services.cgi: Add status details for messagebus

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit c6ffbd2fcd2d155322d2fa989e6b9ee2e6bfced4
Author: Stefan Schantl
Date:   Wed Nov 26 19:12:47 2025 +0100

    services.cgi: Add status details for LLDPD

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit dbc58c88907c9e38d803ac0c6a2200a364fc3e3f
Author: Michael Tremer
Date:   Tue Nov 25 12:33:31 2025 +0100

    core199: Regenerate QoS rules and restart during update

    Signed-off-by: Michael Tremer

commit 77d9e3e4c2f3c0f573ac40318950e106755a236d
Author: Michael Tremer
Date:   Tue Nov 25 12:31:56 2025 +0100

    hostapd: Read the correct capabilities for the right band

    Some modules don't support the same capabilities in the 2.4/5 GHz bands.
    Therefore we need to abort parsing once we have found the correct
    capabilities.

    Signed-off-by: Michael Tremer

commit fce1c71108c9e3ed2f574fb30ce58d8bcbd342a6
Author: Michael Tremer
Date:   Tue Nov 25 12:24:55 2025 +0100

    hostapd: No longer fetch the device driver

    We used to need this for the filtering mechanism which has been removed.

    Signed-off-by: Michael Tremer

commit 9745aa67b3ebdf2b6d4b574a25066fb25d0d0009
Merge: 05877ded9 2d7bc118d
Author: Michael Tremer
Date:   Sun Nov 23 15:27:16 2025 +0000

    Merge branch 'next'

commit 2d7bc118d0222caebd06ce25c68b930f4e668e4d
Author: Michael Tremer
Date:   Sun Nov 23 15:25:11 2025 +0000

    Run ./make.sh update-contributors

    Signed-off-by: Michael Tremer

commit 2fc10855417831b7a51faf01c83f9436e32ff069
Author: Michael Tremer
Date:   Sun Nov 23 15:24:44 2025 +0000

    doc: Run ./make.sh lang

    Signed-off-by: Michael Tremer

commit a05fdcf7d654e5b99dea4cbd8fde1407d6a01299
Author: Stefan Schantl
Date:   Sat Nov 15 11:09:22 2025 +0100

    lldp: Add translations for invalid description input

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 2c4a1ed604044664a70f235d9aaa9cb68363278c
Author: Stefan Schantl
Date:   Sat Nov 15 11:07:58 2025 +0100

    lldp.cgi: Show discovered peers in alphabetical order

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 9953d4c1254615f6d80ac7497dabb2df8500ea5a
Author: Stefan Schantl
Date:   Sat Nov 15 11:07:57 2025 +0100

    lldp.cgi: Call binary for peers and do json stuff only if the service is enabled

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit e9fb498941ca734f1309a4cd25ec17d05b18b206
Author: Stefan Schantl
Date:   Sat Nov 15 11:07:56 2025 +0100

    lldp.cgi: Add mission validation for description field

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit c1a85fac5a5661e0c2eaab868efa7820ef0b7672
Author: Stefan Schantl
Date:   Tue Nov 11 21:01:23 2025 +0100

    lldpd: Set green address as management address

    At default the first available IP address (which heavily depends on your
    and your ISP assigned addresses) will be used as management address.
    This patch changes this behaviour to set the address of the green zone
    as management address and broadcast it.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit f42a8d3e2952f5c2ad104cbd64890f24b74acdec
Author: Stefan Schantl
Date:   Tue Nov 11 21:01:22 2025 +0100

    lldpd: Enable support for cisco discovery protocol

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit df81ace361109f953e2ce1e46ada7f6d743ec1cc
Author: Michael Tremer
Date:   Sun Nov 23 15:21:43 2025 +0000

    core199: Ship cURL

    Signed-off-by: Michael Tremer

commit 0b49b2fa0468f8d65680e150afc7e7a964d3faf4
Author: Adolf Belka
Date:   Tue Nov 11 13:02:59 2025 +0100

    curl: Update to version 8.17.0

    - Update from version 8.16.0 to 8.17.0
    - Update of rootfile
    - Changelog
        8.17.0
          Changes:
            build: drop Heimdal support
            build: drop the winbuild build system
            krb5: drop support for Kerberos FTP
            libssh2: up the minimum requirement to 1.9.0
            multi: add notifications API
            progress: expand to use 6 characters per size
            ssl: support Apple SecTrust configurations
            tool_getparam: add --knownhosts
            vssh: drop support for wolfSSH
            wcurl: import v2025.11.04
            write-out: make %header{} able to output *all* occurrences of a header
          Bugfixes:
            ares: fix leak in tracing
            asyn-ares: remove wrong comment about the callback argument
            asyn-ares: use the duped hostname pointer for all calls
            asyn-thrdd resolver: clear timeout when done
            asyn-thrdd: drop pthread_cancel
            autotools: add support for libgsasl auto-detection via pkg-config
            autotools: capitalize Rustls in the log output
            autotools: drop detection of ancient OpenSSL libs RSAglue and rsaref
            autotools: fix duplicate UNIX and BSD flags in buildinfo.txt
            autotools: fix silly mistake in clang detection for buildinfo.txt
            autotools: make --enable-code-coverage support llvm/clang
            autotools: merge `if`s in GnuTLS/OpenSSL feature detection
            aws-lc: re-enable large read-ahead with v1.61.0 again
            base64: accept zero length argument to base64_encode
            build: address some -Weverything warnings, update picky warnings
            build: avoid overriding system open and stat symbols
            build: avoid overriding system symbols for fopen functions
            build: avoid overriding system symbols for socket functions
            build: show llvm/clang in platform flags and buildinfo.txt
            c-ares: when resolving failed, persist error
            cf-h2-proxy: break loop on edge case
            cf-ip-happy: mention unix domain path, not port number
            cf-socket: always check Curl_cf_socket_peek() return code
            cf-socket: check params and remove accept precondition
            cf-socket: make set_local_ip void, and remove failf()
            cf-socket: set FD_CLOEXEC on all sockets opened
            cf-socket: tweak a memcpy() to read better
            cf-socket: use the right byte order for ports in bindlocal
            cfilter: unlink and discard
            cfilters: check return code from Curl_pollset_set_out_only()
            checksrc: allow disabling warnings on FIXME/TODO comments
            checksrc: catch banned functions when preceded by (
            checksrc: fix possible endless loop when detecting BANNEDFUNC
            checksrc: fix possible endless loops in the banned function logic
            checksrc: fix to handle ) preceding a banned function
            checksrc: reduce directory-specific exceptions
            CI.md: refresh
            cmake/FindGSS: dedupe pkg-config module strings
            cmake/FindGSS: drop wrong header check for GNU GSS
            cmake/FindGSS: fix pkg-config fallback logic for CMake <3.16
            cmake/FindGSS: simplify/de-dupe lib setup
            cmake/FindGSS: whitespace/formatting
            cmake: add and use local FindGnuTLS module
            cmake: add CURL_CODE_COVERAGE option
            cmake: build the "all" examples source list dynamically
            cmake: clang detection tidy-ups
            cmake: drop exclamation in comment looking like a name
            cmake: fix `HAVE_GNUTLS_SRP` detection after adding local FindGnuTLS module
            cmake: fix building docs when the base directory contains .3
            cmake: fix Linux pre-fill `HAVE_POSIX_STRERROR_R` (when `_CURL_PREFILL=ON`)
            cmake: fix Linux pre-fills for non-glibc (when `_CURL_PREFILL=ON`)
            cmake: minor Heimdal flavour detection fix
            cmake: pre-fill three more type sizes on Windows
            cmake: say 'absolute path' in option descriptions and docs
            cmake: support building some complicated examples, build them in CI
            cmake: use modern alternatives for get_filename_component()
            cmake: use more COMPILER_OPTIONS, LINK_OPTIONS / LINK_FLAGS
            cmdline-docs: extended, clarified, refreshed
            cmdline-opts/_PROGRESS.md: explain the suffixes
            configure: add "-mt" for pthread support on HP-UX
            conn: fix hostname move on connection reuse
            conncache: prevent integer overflow in maxconnects calculation
            connect: for CONNECT_ONLY, CURLOPT_TIMEOUT does not apply
            connect: remove redundant condition in shutdown start
            cookie: avoid saving a cookie file if no transfer was done
            cookie: only count accepted cookies in Curl_cookie_add
            cookie: remove the temporary file on (all) errors
            cpool: make bundle->dest an array; fix UB
            curl.h: remove incorrect comment about CURLOPT_PINNEDPUBLICKEY
            curl_easy_getinfo: error code on NULL arg
            curl_easy_setopt.md: add missing CURLOPT_POSTFIELDS
            curl_mem_undef.h: limit to CURLDEBUG for non-memalloc overrides
            curl_ngtcp2: fix `-Wunreachable-code` with H3 !verbose !unity clang
            curl_osslq: error out properly if BIO_ADDR_rawmake() fails
            curl_path: make sure just whitespace is illegal
            Curl_resolv: fix comment. 'entry' argument is not optional
            curl_slist_append.md: clarify that a NULL pointer is not acceptable
            curl_threads: delete WinCE fallback branch
            CURLINFO_FTP_ENTRY_PATH.md: this is for SFTP as well
            CURLOPT_COOKIEFILE.md: clarify when the cookies are loaded
            CURLOPT_COPYPOSTFIELDS.md: used with MQTT and RTSP as well
            CURLOPT_HEADER/WRITEFUNCTION.md: drop '* size' since size is always 1
            CURLOPT_MAXLIFETIME_CONN: make default 24 hours
            CURLOPT_POSTFIELDSIZE*: these also work for MQTT and RTSP
            CURLOPT_SERVER_RESPONSE_TIMEOUT*: add default and see-also
            CURLOPT_SSL_VERIFYHOST.md: add see-also to two other VERIFYHOST options
            CURLOPT_TIMECONDITION.md: works for FILE and FTP as well
            cw-out: fix EAGAIN handling on pause
            cw-out: unify the error handling pattern in cw_out_do_write
            digest_sspi: fix two memory leaks in error branches
            dist: do not distribute CI.md
            docs/cmdline-opts: drop double quotes from GLOBBING and URL examples
            docs/libcurl: clarify some timeout option behavior
            docs/libcurl: remove ancient version references
            docs/libcurl: use lowercase must
            docs: expand on quoting rules for file names in SFTP quote
            docs: fix/tidy code fences
            doh: cleanup resources on error paths
            doswin: CloseHandle the thread on shutdown
            easy_getinfo: check magic, Curl_close safety
            ECH.md: make OpenSSL branch clone instructions work
            examples/chkspeed: portable printing when outputting curl_off_t values
            examples/http2-serverpush: fix file handle leaks
            examples/sessioninfo: cast printf string mask length to int
            examples/sessioninfo: do not disable security
            examples/synctime: fix null termination assumptions
            examples/synctime: make the sscanf not overflow the local buffer
            examples/usercertinmem: avoid stripping const
            examples/websocket: fix use of uninitialized rlen
            examples: call curl_global_cleanup() where missing
            examples: check more errors, fix cleanups, scope variables
            examples: drop unused curl/mprintf.h includes
            examples: fix build issues in 'complicated' examples
            examples: fix more potential resource leaks, and more
            examples: fix two build issues surfaced with WinCE
            examples: fix two issues found by CodeQL
            examples: fix two more cases of stat() TOCTOU
            examples: improve global init, error checks and returning errors
            examples: replace casts with `curl_off_t` printf masks
            examples: return curl_easy_perform() results
            firefox-db2pem.sh: add macOS support, tidy-ups
            form.md: drop reference to MANUAL
            ftp: add extra buffer length check
            ftp: check errors on remote ip for data connection
            ftp: fix ftp_do_more returning with *completep unset
            ftp: fix port number range loop for PORT commands
            ftp: fix the 213 scanner memchr buffer limit argument
            ftp: improve fragile check for first digit > 3
            ftp: reduce size of some struct fields
            ftp: remove 'newhost' and 'newport' from the ftp_conn struct
            ftp: remove misleading comments
            ftp: remove the retr_size_saved struct field
            ftp: remove the state_saved struct field
            ftp: replace strstr() in ;type= handling
            ftp: simplify the 150/126 size scanner
            gnutls: check conversion of peer cert chain
            gnutls: fix re-handshake comments
            gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
            gtls: avoid potential use of uninitialized variable in trace output
            gtls: check the return value of gnutls_pubkey_init()
            header.md: see-also --proxy-header and vice versa
            hmac: free memory properly on errors
            hostip: don't store negative resolves due unrelated errors
            hostip: fix infof() output for non-ipv6 builds using IPv6 address
            hostip: remove leftover INT_MAX check in Curl_dnscache_prune
            http2: check push header names by length first
            http2: cleanup pushed newhandle on fail
            http2: ingress handling edge cases
            HTTP3: clarify the status for "old" OpenSSL, not current
            http: check the return value of strdup
            http: fix `-Wunreachable-code` in !websockets !unity builds
            http: fix `-Wunused-variable` in !alt-svc !proxy !ws builds
            http: handle user-defined connection headers
            http: look for trailing 'type=' in ftp:// without strstr
            http: make Content-Length parser more WHATWG
            http: only accept ';' as a separator for custom headers
            http: return error for a second Location: header
            http_aws_sigv4: check the return value of curl_maprintf()
            http_proxy: fix adding custom proxy headers
            httpsrr: free old pointers when storing new
            httpsrr: send HTTPS query to the right target
            imap: fix custom FETCH commands to handle literal responses
            imap: parse and use UIDVALIDITY as a number
            imap: treat capabilities case insensitively
            INSTALL-CMAKE.md: add manual configuration examples
            INSTALL-CMAKE.md: document useful build targets
            INSTALL-CMAKE.md: fix descriptions for LDAP dependency options
            INSTALL: update the list of known operating systems
            INTERNALS: drop Winsock 2.2 from the dependency list
            ip-happy: do not set unnecessary timeout
            ip-happy: prevent event-based stall on retry
            kerberos: bump minimum to 1.3 (2003-07-08), drop legacy logic
            kerberos: drop logic for MIT Kerberos <1.2.3 (pre-2002) versions
            kerberos: stop including gssapi/gssapi_generic.h
            krb5: fix output_token allocators in the GSS debug stub (Windows)
            krb5: return appropriate error on send failures
            krb5_gssapi: fix memory leak on error path
            krb5_sspi: the chlg argument is NOT optional
            ldap: avoid null ptr deref on failure
            ldap: do not base64 encode zero length string
            ldap: do not pass a \n to failf()
            ldap: tidy-up types, fix error code confusion
            lib1514: fix return code mixup
            lib: delete unused crypto header includes
            lib: drop unused include and duplicate guards
            lib: fix build error with verbose strings disabled
            lib: remove newlines from failf() calls
            lib: remove personal names from comments
            lib: SSL connection reuse
            lib: stop NULL-checking conn->passwd and ->user
            lib: upgrade/multiplex handling
            libcurl-multi.md: added curl_multi_get_offt mention
            libcurl-security.md: mention long-running connections
            libssh/libssh2: reject quote command lines with too much data
            libssh/sftp: fix resume corruption by avoiding O_APPEND with rresume
            libssh2/sftp: fix resume corruption by avoiding O_APPEND with rresume
            libssh2/sftp_realpath: change state consistently
            libssh2: avoid risking using an uninitialized local struct field
            libssh2: bail out on chgrp and chown number parsing errors
            libssh2: clarify that sshp->path is always at least one byte
            libssh2: drop two redundant null-terminations
            libssh2: error check and null-terminate in ssh_state_sftp_readdir_link()
            libssh2: fix EAGAIN return in ssh_state_auth_agent
            libssh2: fix return code for EAGAIN
            libssh2: use sockindex consistently
            libssh: acknowledge SSH_AGAIN in the SFTP state machine
            libssh: catch a resume point larger than the size
            libssh: clarify myssh_block2waitfor
            libssh: drop two unused assignments
            libssh: error on bad chgrp number
            libssh: error on bad chown number and store the value
            libssh: fix range parsing error handling mistake
            libssh: make atime and mtime cap the timestamp instead of wrap
            libssh: react on errors from ssh_scp_read
            libssh: return out of memory correctly if aprintf fails
            libssh: return the proper error for readdir problems
            Makefile.example: bump default example from FTP to HTTPS
            Makefile.example: fix option order
            Makefile.example: make default options more likely to work
            Makefile.example: simplify and make it configurable
            managen: ignore version mentions < 7.66.0
            managen: render better manpage references/links
            managen: strict protocol check
            managen: verify the options used in example lines
            mbedtls: add support for 4.0.0
            mbedtls: check result of setting ALPN
            mbedtls: fix building with <3.6.1
            mbedtls: fix building with sha-256 missing from PSA
            mbedtls: handle WANT_WRITE from mbedtls_ssl_read()
            md4: drop mbedtls implementation (not available in mbedtls v3+)
            mdlinkcheck: reject URLs containing quotes
            memdup0: handle edge case
            mime: fix unpausing of readers
            mime: fix use of fseek()
            multi.h: add CURLMINFO_LASTENTRY
            multi: check the return value of strdup()
            multi_ev: remove unnecessary data check that confuses analysers
            netrc: when the cached file is discarded, unmark it as loaded
            nghttp3: return NGHTTP3_ERR_CALLBACK_FAILURE from recv_header
            ngtcp2: add a comment explaining write result handling
            ngtcp2: adopt ngtcp2_conn_get_stream_user_data if available
            ngtcp2: check error code on connect failure
            ngtcp2: close just-opened QUIC stream when submit_request fails
            ngtcp2: compare idle timeout in ms to avoid overflow
            ngtcp2: fix early return
            ngtcp2: fix handling of blocked stream data
            ngtcp2: fix returns when TLS verify failed
            ngtcp2: overwrite rate-limits defaults
            noproxy: fix the IPV6 network mask pattern match
            NTLM: disable if DES support missing from OpenSSL or mbedTLS
            ntlm: improved error path on bad incoming NTLM TYPE3 message
            openldap/ldap; check for binary attribute case insensitively
            openldap: avoid indexing the result at -1 for blank responses
            openldap: check ber_sockbuf_add_io() return code
            openldap: check ldap_get_option() return codes
            openldap: do not pass newline to infof()
            openldap: fix memory-leak in error path
            openldap: fix memory-leak on oldap_do's exit path
            openldap: limit max incoming size
            openssl-quic: check results better
            openssl-quic: handle error in SSL_get_stream_read_error_code
            openssl-quic: ignore unexpected streams opened by server
            openssl: better return code checks when logging cert data
            openssl: call SSL_get_error() with proper error
            openssl: check CURL_SSLVERSION_MAX_DEFAULT properly
            openssl: clear retry flag on x509 error
            openssl: combine all the x509-store flags
            openssl: fail if more than MAX_ALLOWED_CERT_AMOUNT certs
            openssl: fail the transfer if ossl_certchain() fails
            openssl: fix build for v1.0.2
            openssl: fix peer certificate leak in channel binding
            openssl: fix resource leak in provider error path
            openssl: fix unable do typo in failf() calls
            openssl: free UI_METHOD on exit path
            openssl: make the asn1_object_dump name null terminated
            openssl: only try engine/provider if a cert file/name is provided
            openssl: set io_need always
            openssl: skip session resumption when verifystatus is set
            os400: document threads handling in code.
            OS400: fix a use-after-free/double-free case
            osslq: set idle timeout to 0
            pingpong: remove two old leftover debug infof() calls
            pop3: check for CAPA responses case insensitively
            pop3: fix CAPA response termination detection
            pop3: function could get the ->transfer field wrong
            pytest: skip specific tests for no-verbose builds
            quic: fix min TLS version handling
            quic: ignore EMSGSIZE on receive
            quic: improve UDP GRO receives
            quic: remove data_idle handling
            quiche: fix possible leaks on teardown
            quiche: fix verbose message when ip quadruple cannot be obtained.
            quiche: handle tls fail correctly
            quiche: when ingress processing fails, return that error code
            rtsp: use explicit postfieldsize if specified
            runtests: tag tests that require curl verbose strings
            rustls: exit on error
            rustls: fix clang-tidy warning
            rustls: fix comment describing cr_recv()
            rustls: limit snprintf proper in cr_keylog_log_cb()
            rustls: make read_file_into not reject good files
            rustls: pass the correct result to rustls_failf
            rustls: typecast variable for safer trace output
            rustls: use %zu for size_t in failf() format string
            sasl: clear canceled mechanism instead of toggling it
            schannel: assign result before using it
            schannel: fix memory leak
            schannel: handle Curl_conn_cf_send() errors better
            schannel: lower the maximum allowed time to block to 7 seconds
            schannel: properly close the certfile on error
            schannel_verify: do not call infof with an appended \n
            schannel_verify: fix mem-leak in Curl_verify_host
            schannel_verify: use more human friendly error messages
            scp/sftp: fix disconnect
            scripts: pass -- before passing xargs
            setopt: accept *_SSL_VERIFYHOST set to 2L
            setopt: allow CURLOPT_DNS_CACHE_TIMEOUT set to -1
            setopt: fix unused variable warning in minimal build
            setopt: make CURLOPT_MAXREDIRS accept -1 (again)
            singleuse.pl: fix string warning
            smb: adjust buffer size checks
            smb: transfer debugassert to real check
            smtp: check EHLO responses case insensitively
            smtp: fix EOB handling
            smtp: return value ignored
            socks: advance iobuf instead of reset
            socks: avoid UAF risk in error path
            socks: deny server basic-auth if not configured
            socks: handle error in verbose trace gracefully
            socks: handle premature close
            socks: make Curl_blockread_all return CURLcode
            socks: properly maintain the status of 'done'
            socks: rework, cleaning up socks state handling
            socks_gssapi: also reset buffer length after free
            socks_gssapi: make the gss_context a local variable
            socks_gssapi: reject too long tokens
            socks_gssapi: remove superfluous releases of the gss_recv_token
            socks_gssapi: remove the forced "no protection"
            socks_gssapi: replace `gss_release_buffer()` with curl free
            socks_sspi: bail out on too long fields
            socks_sspi: fix memory cleanup calls
            socks_sspi: remove the enforced mode clearing
            socks_sspi: restore non-blocking socket on error paths
            socks_sspi: use the correct free function
            socksd: remove --bindonly mention, there is no such option
            spelling: fix new finds by typos-cli 1.39.0
            src/var: remove dead code
            ssl-session-cache: check use on config and availability
            ssl-sessions.md: mark option experimental
            strerror: drop workaround for SalfordC win32 header bug
            sws: fix checking sscanf() return value
            sws: pass in socket reference to allow function to close it
            tcp-nodelay.md: expand the documentation
            telnet: ignore empty suboptions
            telnet: make bad_option() consider NULL a bad option too
            telnet: make printsub require another byte input
            telnet: print DISPlay LOCation in printsub without mutating buffer
            telnet: refuse IAC codes in content
            telnet: return error if WSAEventSelect fails
            telnet: return error on crazy TTYPE or XDISPLOC lengths
            telnet: send failure logged but not returned
            telnet: use pointer[0] for "unknown" option instead of pointer[i]
            test1100: fix missing `` section
            tests/libtest/cli*: fix init/deinit, leaks, and more
            tests/server: drop pointless memory allocation overrides
            tests/server: drop unsafe open() override in signal handler (Windows)
            tftp: check and act on tftp_set_timeouts() returning error
            tftp: check for trailing ";mode=" in URL without strstr
            tftp: default timeout per block is now 15 seconds
            tftp: error requests for blank filenames
            tftp: handle tftp_multi_statemach() return code
            tftp: pin the first used address
            tftp: propagate expired timer from tftp_state_timeout()
            tftp: return error if it hits an illegal state
            tftp: return error when sendto() fails
            thread: errno on thread creation
            tidy-up: assortment of small fixes
            tidy-up: avoid using the reserved macro namespace
            tidy-up: fcntl.h includes
            tidy-up: update MS links, allow long URLs via checksrc
            tidy-up: URLs
            time-cond.md: refer to the singular curl_getdate man page
            TLS: IP address verification, extend test
            TODO: fix a typo
            TODO: remove already implemented or bad items
            tool: fix exponential retry delay
            tool_cb_hdr: fix fwrite check in header callback
            tool_cb_hdr: size is always 1
            tool_cb_rea: use poll instead of select if available
            tool_cfgable: remove superfluous free calls
            tool_doswin: fix to use curl socket functions
            tool_filetime: cap crazy file times instead of erroring
            tool_filetime: replace cast with the fitting printf mask (Windows)
            tool_formparse: rewrite the headers file parser
            tool_getparam/set_rate: skip the multiplication on overflow
            tool_getparam: always disable "lib-ids" for tracing
            tool_getparam: make --fail and --fail-with-body override each other
            tool_getparam: warn if provided header looks malformed
            tool_ipfs: check the return value of curl_url_get for gwpath
            tool_ipfs: simplify the ipfs gateway logic
            tool_msgs: make errorf() show if --show-error
            tool_operate: improve wording in retry message
            tool_operate: keep failed partial download for retry auto-resume
            tool_operate: keep the progress meter for --out-null
            tool_operate: move the checks that skip ca cert detection
            tool_operate: retry on HTTP response codes 522 and 524
            tool_operate: return error on strdup() failure
            tool_paramhlp: remove outdated comment in str2tls_max()
            tool_parsecfg: detect and error on recursive --config use
            tool_progress: handle possible integer overflows
            tool_progress: make max5data() use an algorithm
            transfer: avoid busy loop with tiny speed limit
            transfer: fix retry for empty downloads on reuse
            transfer: reset retry count on each request
            unit1323: sync time types and printf masks, drop casts
            unit1664: drop casts, expand masks to full values
            url: make Curl_init_userdefined return void
            urldata: FILE is not a list-only protocol
            urldata: make 'retrycount' a single byte
            urldata: make redirect counter 16 bit
            vauth/digest: improve the digest parser
            version: add GSS backend name and version
            vquic: fix idle-timeout checks (ms<-->ns), 64-bit log & honor 0=no-timeout
            vquic: fix recvmsg loop for max_pkts
            vquic: handling of io improvements
            vquic: sending non-gso packets fix for EAGAIN
            vtls: alpn setting, check proto parameter
            vtls: check final cfilter node in find_ssl_filter
            vtls: drop duplicate `CURL_SHA256_DIGEST_LENGTH` definition
            vtls: properly handle SSL shutdown timeout
            vtls: remove call to PKCS12_PBE_add()
            vtls: unify the error handling in ssl_cf_connect().
vtls_int.h: clarify data_pending vtls_scache: fix race condition wcurl: sync to +dev snapshot windows: replace _beginthreadex() with CreateThread() windows: stop passing unused, optional argument for Win9x compatibility windows: use consistent format when showing error codes windows: use native error code types more wolfssl: check BIO read parameters wolfssl: clear variable to avoid uninitialized use wolfssl: fix error check in shutdown wolfssl: fix resource leak in verify_pinned error paths wolfssl: no double get_error() detail ws: clarify an error message ws: fix some edge cases ws: fix type conversion check ws: reject curl_ws_recv called with NULL buffer with a buflen Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 4a2999cc9969b0e087f5e1e8dc90663ea70e7757 Author: Matthias Fischer Date: Fri Nov 21 17:39:59 2025 +0100 bind: Update ot 9.20.16 For details see: https://downloads.isc.org/isc/bind9/9.20.16/doc/arm/html/notes.html#notes-for-bind-9-20-16 "Notes for BIND 9.20.16 Bug Fixes Skip unsupported algorithms when looking for a signing key. A mix of supported and unsupported DNSSEC algorithms in the same zone could cause validation failures. Unsupported algorithms are now ignored when looking for signing keys. [GL #5622] Fix dnssec-keygen key collision checking for KEY RRtype keys. The dnssec-keygen utility program failed to detect possible KEY ID collisions with existing keys generated using the non-default -T KEY option (e.g., for SIG(0)). This has been fixed. [GL #5506] dnssec-verify now uses exit code 1 when failing due to illegal options. Previously, dnssec-verify exited with code 0 if the options could not be parsed. This has been fixed. [GL #5574] Prevent assertion failures of dig when a server is specified before the -b option. Previously, dig could exit with an assertion failure when a server was specified before the dig -b option. This has been fixed. [GL #5609] Skip buffer allocations if not logging. 
Previously, we allocated a 2KB buffer for IXFR change logging, regardless of the log level. This results in a 28% speedup in some scenarios." Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 79da30641d5e3ab9ec33f78e842da851b469def6 Author: Adolf Belka Date: Mon Nov 17 18:30:47 2025 +0100 fwhosts.cgi: Don't check Country Code when locationgrp initially created - When a location group is initially created the Country Code variable is blank. This causes an error message that the Country Code is invalid before any country code has been selected. This was flagged up by a new forum member. - This change only checks the Country Code variable for being valid if it is not blank - If this is not the best way to fix this problem, feel free to modify or replace it. - Tested as working on my vm testbed. Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit c8b8237a34f35e89203df549fd68af20b48de78d Author: Adolf Belka Date: Thu Nov 20 15:22:29 2025 +0100 tshark: Update to version 4.6.1 - Update from version 4.6.0 to 4.6.1 - Update of rootfile - Changelog 4.6.1 Bug Fixes wnpa-sec-2025-05 BPv7 dissector crash. Issue 20770. wnpa-sec-2025-06 Kafka dissector crash. Issue 20823. The following bugs have been fixed: L2CAP dissector doesn’t understand retransmission mode. Issue 2241. DNS HIP dissector labels PK algorithm as HIT length. Issue 20768. clang-cl error in "packet-zbee-direct.c" Issue 20776. Writing to an LZ4-compressed output file might fail. Issue 20779. endian.h conflics with libc for building plugins. Issue 20786. TShark crash caused by Lua plugin. Issue 20794. Wireshark stalls for a few seconds when selecting specific messages. Issue 20797. TLS Abbreviated Handshake Using New Session Ticket. Issue 20802. Custom websocket dissector does not run. Issue 20803. WINREG QueryValue triggers dissector bug in packet-dcerpc.c. Issue 20813. Lua: FileHandler causing crash when reading packets. Issue 20817. 
Apply As Filter for field with FT_NONE and BASE_NONE for a single byte does not use the hex value. Issue 20818.
Layout preference Pane 3 problem with selecting Packet Diagram or None. Issue 20819.
TCP dissector creates invalid packet diagram. Issue 20820.
Too many nested VLAN tags when opening as File Format. Issue 20831.
Omnipeek files not working in 4.6.0. Issue 20842.
Support UTF-16 strings in the IsoBus dissector for the string operations. Issue 20845.
SNMP getBulkRequest request-id does not get filtered for correctly. Issue 20849.
Fuzz job issue: fuzz-2025-11-12-12064814316.pcap. Issue 20852.
UDP Port 853 (DoQ) should be decoded as QUIC. Issue 20856.
Updated Protocol Support
802.11 Radiotap, AC DR, ASN.1 BER, ASN.1 PER, BPv7, BT L2CAP, CFM, Darwin, DNS, DTLS, EAPOL-MKA, HTTP, HTTP3, ISObus VT, KRB5, LTP, NAS-EPS, NETDFS, NMEA 0183, P1, RPC_NETLOGON, RTSE, SGP.22, SGP.32, SMB, SNMP, TCP, TECMP, TFTP, VLAN, WINREG, X509AF, X509SAT, and ZBD
New and Updated Capture File Support
Peektagged

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit f181db761a25366905df5e402057b280e61450f3
Author: Adolf Belka
Date: Thu Nov 20 15:22:28 2025 +0100

c-ares: Update to version 1.34.5

- Update from version 1.34.3 to 1.34.5
- Update of rootfile
- Changelog
1.34.5
Security:
CVE-2025-31498. A use-after-free bug has been uncovered in read_answers() that was introduced in v1.32.3. Please see CVE-2025-31498
Changes:
Restore Windows XP support. PR #958
Bugfixes:
A missing mutex initialization would make busy polling for configuration changes (platforms other than Windows, Linux, MacOS) eat too much CPU PR #974
Pkgconfig may be generated wrong for static builds in relation to -pthread PR #965
Localhost resolution can fail if only one address family is in /etc/hosts PR #947
1.34.4
Changes:
QNX Port: Port to QNX 8, add primary config reading support, add CI build. PR #934, PR #937, PR #938
Bugfixes:
Empty TXT records were not being preserved. PR #922
docs: update deprecation notices for ares_create_query() and ares_mkquery(). PR #910
license: some files weren’t properly updated. PR #920
Fix bind local device regression from 1.34.0. PR #929, PR #931, PR #935
CMake: set policy version to prevent deprecation warnings. PR #932
CMake: shared and static library names should be the same on unix platforms like autotools uses. PR #933
Update to latest autoconf archive macros for enhanced system compatibility. PR #936

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit 073a159822b404f8ccd331115ce753646198b803
Author: Michael Tremer
Date: Sun Nov 23 15:09:24 2025 +0000

installer: Load our own custom font again

This is required to show cyrillic and other non-latin character sets correctly.

Signed-off-by: Michael Tremer

commit 08c93c3dd9328574694f3e985783330b3ef7b0b0
Author: Adolf Belka
Date: Sat Nov 22 20:52:27 2025 +0100

btrfs-progs: Update to version 6.17.1

- Update from version 6.17 to 6.17.1
- No change in rootfile
- Changelog
6.17.1
* inspect list-chunks: more sorting keys, descending order
* fi resize: add support for offline (unmounted) growing of single device
* device stats: add support for offline (unmounted) reads
* quota status: new command, overview what mode is enabled, tunables
* fi commit-stats: new command, print various commit stats from sysfs (since kernel 6.1)
* balance start: print warning and delay start if there's a missing device in the filesystem
* mkfs:
  * print zoned mode (native, emulated)
* check:
  * verify device bytes in super block item and in chunk tree
* other
  * updated CI, new and updated tests
  * cleanups, refactoring
  * documentation updates

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit 03390e241bd0aa7b2cd6f9f0945688d5f1d5a1db
Author: Adolf Belka
Date: Sat Nov 22 20:45:04 2025 +0100

openvpn: Update to version 2.6.16

- Update from version 2.6.15 to 2.6.16
- No change to rootfile
- Changelog
2.6.16
Security fixes:
CVE-2025-13086: Fix memcmp check for the hmac verification in the 3way handshake. This bug renders the HMAC based protection against state exhaustion on receiving spoofed TLS handshake packets in the OpenVPN server inefficient.
Bug fixes:
fix invalid pointer creation in tls_pre_decrypt() - technically this is a memory over-read issue, in practice, the compilers optimize it away so no negative effects could be observed.
Windows: in the interactive service, fix the "undo DNS config" handling.
Windows: in the interactive service, disallow using of "stdin" for the config file, unless the caller is authorized OpenVPN Administrator
Windows: in the interactive service, change all netsh calls to use interface index and not interface name - sidesteps all possible attack avenues with special characters in interface names.
Windows: in the interactive service, improve error handling in some "unlikely to happen" paths.
auth plugin/script handling: properly check for errors in creation on $auth_failed_reason_file (arf).
for incoming TCP connections, close-on-exec option was applied to the wrong socket fd, leaking socket FDs to child processes.
sitnl: set close-on-exec flag on netlink socket
ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)
Windows MSI changes since 2.6.15-I001:
Built against OpenSSL 3.6.0
Included openvpn-gui updated to 11.58.0.0
Check the return value of GetProp()
Make config path check similar to that in interactive service
Escape the type id of password message received from openvpn
Add a message source for event logging
Check correct management daemon path when OpenVPN3 is enabled
Fix OpenVPN3 radio button label size when OVPN3 is enabled
Use GetTempPath() for debug file in plap as well
Migrate all saved plain usernames to encrypted format
Included win-dco driver updated to 2.8.0

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit 65b5aa5d46a6c95933c321273fd2239f3e9e872c
Author: Michael Tremer
Date: Thu Nov 20 16:25:45 2025 +0000

lldpd: Create /etc/lldp.d in the target system

Fixes: #13905 - LLDP daemon fails to start due to missing config directory and dependency
Signed-off-by: Michael Tremer

commit f3d937bb568e4ffadc3d1e999340f228393726a5
Author: Michael Tremer
Date: Thu Nov 20 16:23:52 2025 +0000

libseccomp: Move the package into the core system

This is required by lldpd.

Fixes: #13905 - LLDP daemon fails to start due to missing config directory and dependency
Signed-off-by: Michael Tremer

commit 7cbadad4034ba90d8c4b70f0b7162b27bba547ec
Author: Adolf Belka
Date: Mon Nov 17 18:30:46 2025 +0100

core199: Ship general-functions.pl

- This file was changed in CU198 but was not shipped so the changes were not included in CU198 updates.

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit b62aad216efe558954a2bb297e8fdcc2303df9b8
Author: Stefan Schantl
Date: Mon Nov 17 12:49:55 2025 +0100

ffmpeg: Re-enable lame and SSL support

The ffmpeg developers decided at some point in the past to change some defaults during configure and therefore we need to explicitly enable support for lame and openssl.
Signed-off-by: Stefan Schantl
Signed-off-by: Michael Tremer

commit 64348ec49b49d18315e4a82b97c6b65d8fae6e86
Author: Matthias Fischer
Date: Sun Nov 16 14:32:36 2025 +0100

nano: Update to 8.7

For details see:
https://www.nano-editor.org/news.php

"2025 November 12 - GNU nano 8.7 "Blue Highways"

At the Execute prompt, preceding the command with two pipe symbols allows implementing a copy-to-clipboard feature in your nanorc (on terminals that support OSC 52). See the doc/sample.nanorc file."

Signed-off-by: Matthias Fischer
Signed-off-by: Michael Tremer

commit 1b63c86e15af17336d4ac3e384a778fe56c555a6
Author: Arne Fitzenreiter
Date: Mon Nov 17 10:49:26 2025 +0100

fmt: bump package version

Signed-off-by: Arne Fitzenreiter

commit 7a939196a74e2105799e2f4de383b84bcec4d7df
Author: Arne Fitzenreiter
Date: Mon Nov 17 10:41:16 2025 +0100

kernel: update to 6.12.58

Signed-off-by: Arne Fitzenreiter

commit b56067deec4341a64a449ecb3666036b9ade20b5
Author: Robin Roevens
Date: Tue Nov 11 22:11:59 2025 +0100

zabbix_agentd: Update to 7.0.21 (LTS)

- Update of rootfile not required

Improvements:
- ZBXNEXT-9902 Changed timeout range for Zabbix JS and Zabbix get utilities

Bugs fixed:
- ZBX-25148 Added adjustments for sequential data entries with the same timestamp
- ZBX-25263 Fixed Zabbix agent to attempt next refresh of active checks in 60 seconds in case of connection errors

Full changelogs:
- https://www.zabbix.com/rn/rn7.0.19
- https://www.zabbix.com/rn/rn7.0.20
- https://www.zabbix.com/rn/rn7.0.21

Signed-off-by: Robin Roevens
Signed-off-by: Michael Tremer

commit af36f639de7c342b35808bede6b9512bf905b8c3
Author: Michael Tremer
Date: Tue Nov 11 21:31:39 2025 +0000

installer: Ensure the console is configured to use UTF-8

Signed-off-by: Michael Tremer

commit 94f7b3e59692b148fcc9d8bb1039514fb2b75a4d
Author: Michael Tremer
Date: Tue Nov 11 11:09:49 2025 +0000

installer: Use locales by their full handles

Signed-off-by: Michael Tremer

commit bf3603433743c33bd0c2f1b91feb92ebfbbee375
Author: Michael Tremer
Date: Tue Nov 11 11:09:14 2025 +0000

installer: Install all supported locales

Signed-off-by: Michael Tremer

commit c33f9452373377df3a18b58848e6fcdaeaaa7b4f
Author: Michael Tremer
Date: Mon Nov 10 21:15:48 2025 +0000

qemu: Drop custom udev rules

These rules are now included in the default udev rules.

Signed-off-by: Michael Tremer

commit 2244601d117e57c4b5cc7082a4843fcead167cff
Author: Michael Tremer
Date: Mon Nov 10 16:03:04 2025 +0000

lldpd: Build with the seccomp filter only on x86_64

Signed-off-by: Michael Tremer

commit 0df5d1462e48d87ec966aab57e5d46b124461827
Author: Michael Tremer
Date: Fri Nov 7 14:44:37 2025 +0000

suricata-reporter: Send reports at 1 am

Signed-off-by: Michael Tremer

commit 253bd31530838583238fc7ebb13d7db0e7540e52
Author: Michael Tremer
Date: Fri Nov 7 14:39:27 2025 +0000

initscripts: dhcp: Tolerate running other dhcp servers

Some users have been trying to run multiple instances of the DHCP server and restarting the main server won't work because the initscript refuses to launch the process if there is another one with the same command.

Signed-off-by: Michael Tremer