commit f0acc9e4a3a446307684dfe9ee9031313407546a
Author: Adolf Belka
Date:   Tue Apr 29 16:42:19 2025 +0200

    backup.pl: Fix restores for ipsec backups before regen was fixed

    - Prior to the ipsec host cert regen fix, the backup did not include the serial or the index.txt files.
    - After the ipsec regen patch set, if a backup from before the change is restored then the serial and index.attr could end up not matching. This would break the ipsec regen again.
    - All backups before the change will have hostcerts with serial numbers of 1.
    - This patch extracts the serial number from the restored hostcert.pem. If the serial number is 1 and if the existing serial number file does not contain 02, then the serial file contents are replaced by 02 and the index.txt contents are deleted.
    - If the restored hostcert.pem serial number is greater than 1 then the backup will contain the serial and index.txt files.
    - If the restored hostcert.pem serial number is 1 and the serial file contains 02 then the ipsec regen will work correctly.

    Fixes: bug13737
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 5f0a9eb10ee55181179dbb54985c9559e5390ba9
Author: Michael Tremer
Date:   Tue Apr 29 15:22:37 2025 +0000

    core194: Fix missing whitespace and quote filenames

    Signed-off-by: Michael Tremer

commit cc6e5188fa3f8ffaeb52f644e411195a7cfa12b8
Author: Adolf Belka
Date:   Tue Apr 29 12:10:49 2025 +0200

    update.sh: Core 194 - increment ipsec serial file if x509 set exists

    - This is related to the fix patch set for bug13737. That patch set works with no problems if the root/host x509 set is created for the first time with that patch set merged. However if the x509 is already created previously then the contents of serial will still be 01 instead of 02.
    - This patch checks if the hostcert.pem file exists and that the index.txt file is empty, and then increments the serial content from 01 to 02.
    This means that when the x509 is regenerated the system will not complain that 01 cannot be used as it has already been revoked but will use 02 for the new host and everything works fine after that.

    Fixes: bug13737
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 73a2afbcf5b923c4b56637227d5621f7800d4d62
Author: Michael Tremer
Date:   Tue Apr 29 14:56:48 2025 +0000

    dnsdist: Update to 1.9.9

    We released PowerDNS DNSdist 1.9.9 today, an emergency release fixing a security issue tracked as CVE-2025-30194 where a remote, unauthenticated attacker can cause a denial of service via a crafted DNS over HTTPS connection. The issue was reported to us via our public GitHub tracker, so once it was clear that the issue had a security impact we prepared to release a new version as soon as possible.

    Signed-off-by: Michael Tremer

commit f9f02b4c244fea3025245348678bb08bbfbd48a8
Author: Michael Tremer
Date:   Mon Apr 28 09:45:51 2025 +0000

    vpnmain.cgi: Fix editing connections that are using a PSK

    This patch takes care of properly decoding the PSK if it was already stored base64-encoded. If the connection is edited, it always will be stored base64-encoded upon save.

    It would have been nice to not send the PSK back to the browser again (although the security benefits would have been marginal), but that would make the code even messier than it is.

    Signed-off-by: Michael Tremer
    Tested-by: Adolf Belka
    Tested-by: Christian Hernmarck

commit 610ed2f195d1447f8f56b9796d916edf2800661f
Author: Adolf Belka
Date:   Mon Apr 7 20:43:45 2025 +0200

    core194: Ship graphs.pl and netovpnrw.cgi for bug13838 fixes.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 264b564c9cf78116b21236472fed08aacfd2b8d1
Author: Adolf Belka
Date:   Mon Apr 7 20:43:44 2025 +0200

    netovpnrw.cgi: Fixes bug13838 - additional file name correction for collectd-5.x

    - One location in netovpnrw.cgi was missed with a filename change coming from the collectd update.
    - This resulted in missing graph content for the openvpn road warrior graphs.
    - Tested out on my production IPFire system. Making the change resulted in the graphs being visible again.

    Fixes: Bug13838
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit a5c82e0839b5e5f354b972c6c002f81a4f3ebad0
Author: Adolf Belka
Date:   Mon Apr 7 20:43:43 2025 +0200

    graphs.pl: Fixes bug13838 - additional file name corrections for collectd-5.x

    - Two locations in graphs.pl were missed with filename changes coming from the collectd update.
    - These result in missing graph content for the openvpn road warrior graphs.
    - Tested out on my production IPFire system. Making the changes resulted in the graphs being visible again.

    Fixes: bug13838
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 678fa86af6129b960b6efe419a21a24507c6d993
Author: Matthias Fischer
Date:   Fri Apr 18 00:46:24 2025 +0200

    bind: Update to 9.20.8

    For details see:
    https://downloads.isc.org/isc/bind9/9.20.8/doc/arm/html/notes.html#notes-for-bind-9-20-8

    Signed-off-by: Matthias Fischer
    Reviewed-by: Michael Tremer
    Signed-off-by: Michael Tremer

commit 8460bc1ed8f6c22bea62c827383b4aa30d4a5da3
Author: Michael Tremer
Date:   Tue Apr 22 10:30:25 2025 +0000

    core194: Ship libarchive

    Signed-off-by: Michael Tremer

commit 057f84be8f06cc2b578b2f8a32751cf09d4dcdcf
Author: Adolf Belka
Date:   Wed Apr 2 22:25:40 2025 +0200

    libarchive: Update to version 3.7.9

    - Update from version 3.7.7 to 3.7.9
    - Update of rootfile
    - 3 CVE fixes in 3.7.8
    - Changelog
        3.7.9
        Important bugfixes:
          a regression in libarchive 3.7.8 regarding GNU sparse entries was fixed (#2558)
        3.7.8
        Security fixes:
          tar reader: Handle truncation in the middle of a GNU long linkname (#2422, CVE-2024-57970)
          unzip: fix null pointer dereference (#2532, CVE-2025-1632)
          tar reader: fix unchecked return value in list_item_verbose() (#2532, CVE-2025-25724)
        Important bugfixes:
          7zip reader: add SPARC (#2399) and POWERPC (#2459) filter support for non-LZMA compressors
          tar reader: Ignore ustar size when pax size is present (#2405)
          tar writer: Fix bug when -s/a/b/ used more than once with b flag (#2435)
          cpio: Fix a Y2038 bug on Windows (#2471)
          libarchive: Handle ARCHIVE_FILTER_LZOP in archive_read_append_filter (#2519)
          libarchive: Adding missing seeker function to archive_read_open_FILE() (#2539)

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 5426ee1d309a5d0f9c2ca9d36b9b1d4fae8ed009
Author: Adolf Belka
Date:   Tue Apr 8 23:37:27 2025 +0200

    xz: Update to version 5.8.1

    - Update from version 5.8.0 to 5.8.1
    - Update of rootfile
    - Changelog
        5.8.1
        IMPORTANT: This includes a security fix for CVE-2025-31115 which affects XZ Utils from 5.3.3alpha to 5.8.0. No new 5.4.x or 5.6.x releases will be made, but the fix is in the v5.4 and v5.6 branches in the xz Git repository. A standalone patch for all affected versions is available as well.
        * Multithreaded .xz decoder (lzma_stream_decoder_mt()):
          - Fix a bug that could at least result in a crash with invalid input. (CVE-2025-31115)
          - Fix a performance bug: Only one thread was used if the whole input file was provided at once to lzma_code(), the output buffer was big enough, timeout was disabled, and LZMA_FINISH was used. There are no bug reports about this, thus it's possible that no real-world application was affected.
        * Avoid <stdalign.h> even with C11/C17 compilers. This fixes the build with Oracle Developer Studio 12.6 on Solaris 10 when the compiler is in C11 mode (the header doesn't exist).
        * Autotools: Restore compatibility with GNU make versions older than 4.0 by creating the package using GNU gettext 0.23.1 infrastructure instead of 0.24.
        * Update Croatian translation.
    Signed-off-by: Adolf Belka
    Reviewed-by: Michael Tremer
    Signed-off-by: Michael Tremer

commit 7affb9a237f09a9c292a7d03f5410a2d610bc0af
Merge: e3f17ee6b 39c5140fc
Author: Arne Fitzenreiter
Date:   Fri Apr 18 12:08:35 2025 +0200

    Merge remote-tracking branch 'origin/next'

commit 39c5140fc2ed177b3133344ff9b4e174dd672d70
Author: Arne Fitzenreiter
Date:   Fri Apr 18 12:04:40 2025 +0200

    mympd: update to 20.1.2

    Signed-off-by: Arne Fitzenreiter

commit 9abd7031778bfae07973af3c4a0952184678c2bb
Author: Arne Fitzenreiter
Date:   Fri Apr 18 12:04:08 2025 +0200

    mpd: update to 0.24.3

    Signed-off-by: Arne Fitzenreiter

commit 953db9f94ada76c517aec76622938a66cc3c468f
Author: Arne Fitzenreiter
Date:   Fri Apr 18 12:01:26 2025 +0200

    kernel: update to 6.12.23

    Signed-off-by: Arne Fitzenreiter

commit 12b518caca412a70a7bbb9aab72b2c3fb948c1b9
Author: Adolf Belka
Date:   Wed Apr 2 22:25:39 2025 +0200

    kmod: Update to version 34.2

    - Update from version 34.1 to 34.2
    - Update of rootfile not required
    - Changelog
        34.2
        NEWS: squash a couple of typos
        libkmod: fix buffer-overflow in weakdep_to_char
        testsuite: Add modprobe -c test for weakdep
        autotools: Fix generated files in tarball
        kmod 34.2
        libkmod: release memory on builtin error path
        libkmod: fix buffer-overflow in weakdep_to_char

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 6c222efb537362f5a8283623166914361aabcba9
Author: Michael Tremer
Date:   Thu Apr 3 09:56:51 2025 +0000

    core194: Ship jansson

    Signed-off-by: Michael Tremer

commit 7d1d55e92590e33dddeae3f45914bea0d1c6e241
Author: Adolf Belka
Date:   Wed Apr 2 22:25:38 2025 +0200

    jansson: Update to version 2.14.1

    - Update from version 2.14 to 2.14.1
    - Update of rootfile
    - Changelog
        2.14.1
        Fixes:
        - Fix thread safety of encoding and decoding when `uselocale` or `newlocale` is used to switch locales inside the threads (#674, #675, #677. Thanks to Bruno Haible for the report and help with fixing.)
        - Use David M. Gay's `dtoa()` algorithm to avoid misprinting issues of real numbers that are not exactly representable as a `double` (#680). If this is not desirable, use `./configure --disable-dtoa` or `cmake -DUSE_DTOA=OFF .`
        Build:
        - Make test output nicer in CMake based builds (#683)
        - Simplify tests (#685)

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 819979edd9d2c14b805619832ba25679497332ad
Author: Michael Tremer
Date:   Thu Apr 3 09:56:06 2025 +0000

    core194: Ship gdbm

    Signed-off-by: Michael Tremer

commit 43343a4ed6009f80bc51a72a27048af6a8913256
Author: Adolf Belka
Date:   Wed Apr 2 22:25:37 2025 +0200

    gdbm: Update to version 1.25

    - Update from version 1.24 to 1.25
    - Update of rootfile not required
    - Changelog
        1.25
        New function: gdbm_open_ext
        This function provides a general-purpose interface for opening and creating GDBM files. It combines the possibilities of gdbm_open and gdbm_fd_open and provides detailed control over database file locking.
        New gdbmtool command: collisions
        The command prints the collision chains for the current bucket, or for the buckets identified by its arguments:
          collisions        Display collisions for the current bucket.
          collisions N      Display collisions for bucket N.
          collisions N0 N1  Display collisions for the range of buckets [N0, N1].
        Pipelines in gdbmtool
        The output of a gdbmtool command can be connected to the input of a shell command using the traditional pipeline syntax.
        Fix a bug in block coalescing code
        Other bugfixes

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit a62e8e043972593e15d8cc25d4b1cef23dfd115d
Author: Adolf Belka
Date:   Wed Apr 2 22:25:36 2025 +0200

    ffmpeg: Update to version 7.1.1

    - Update from version 7.1 to 7.1.1
    - Update of rootfile
    - Changelog
        7.1.1
        avformat/hls: Partially revert "reduce default max reload to 3"
        avformat/mov: (v4) fix get_eia608_packet
        avformat/iff: Check that we have a stream in read_dst_frame()
        avcodec/aac/aacdec_lpd: Limit get_unary()
        avcodec/aac/aacdec_usac: Simplify decode_usac_scale_factors()
        avcodec/aac/aacdec: Clear SFO on error
        avformat/mlvdec: fix size checks
        avformat/wavdec: Fix overflow of intermediate in block_align check
        avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit()
        avformat/hls: Fix twitter
        avcodec/vvc/refs: fix negative pps_scaling_win offsets
        libavformat/hls: Be more restrictive on mpegts extensions
        avformat/hls: .ts is always ok even if its a mov/mp4
        avcodec/h263dec: Check against previous dimensions instead of coded
        avformat/hls: Print input format in error message
        avformat/hls: Be more picky on extensions
        avformat/iamf_parse: ensure there's at most one of each parameter types in audio elements
        avformat/iamf_parse: add missing constrains for num_parameters in audio_element_oub()
        avformat/iamf_parse: add missing av_free() call on failure path
        lavc/hevcdec: unbreak WPP/progress2 code
        fate: Add a dependency on ffprobe for fate-flcl1905
        checkasm: aacencdsp: Actually test nonzero values in quant_bands
        x86: aacencdsp: Fix negating signed values in aac_quantize_bands
        rtmpproto: Avoid rare crashes in the fail: codepath in rtmp_open
        configure: Improve the check for the rsync --contimeout option
        avutil/downmix_info: add missing semicolon
        doc/t2h: Support texinfo 7.1 and 7.2 pretest
        avfilter/drawtext: fix memory leak when using "reinit" runtime command
        avutil/downmix_info: zero the allocated buffer
        avformat/mov: fix overflow in drift timestamp calculation
        Changelog: update
        avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet()
        avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream()
        avformat/iamf_reader: Initialize padding and check read in ff_iamf_read_packet()
        avformat/ipmovie: Check signature_buffer read
        avformat/wtvdec: Initialize buf
        avcodec/cbs_vp9: Initialize VP9RawSuperframeIndex
        avformat/vqf: Propagate errors from add_metadata()
        avformat/vqf: Check avio_read() in add_metadata()
        avcodec/ffv1enc: Fix RCT for GBR colorspace
        avformat/dashdec: Check whitelist
        avutil/avstring: dont mess with NULL pointers in av_match_list()
        avfilter/vf_v360: Fix NULL pointer use
        avcodec/mpegvideo_enc: Check FLV1 resolution limits
        avcodec/ffv1enc: Fix handling of 32bit unsigned symbols
        avformat/mov: perform sanity checks for heif before index building
        avformat/mov: Factorize sanity check out
        avcodec/vc1dec: Clear block_index in vc1_decode_reset()
        avcodec/aacsbr_template: Clear n_q on error
        avformat/iamf_parse: Check output_channel_count
        avcodec/osq: Fixes several undefined overflows in do_decode()
        swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template()
        avfilter/af_pan: Fix sscanf() use
        avfilter/vf_grayworld: Use the correct pointer for av_log()
        avfilter/vf_addroi: Add missing NULL termination to addroi_var_names[]()
        avcodec/get_buffer: Use av_buffer_mallocz() for audio same as its done for video
        avformat/jpegxl_anim_dec: clear buffer padding
        avformat/rmdec: check that buf if completely filled
        avcodec/cfhdenc: Clear dwt_tmp
        avcodec/hapdec: Clear tex buffer
        avformat/mxfdec: Check that key was read sucessfull
        avformat/hevc: fix writing hvcC when no arrays are provided in hvcC-formatted input
        avformat/rtpdec: int overflow in start_time_realtime
        avcodec/decode: Fix incorrect enum type used in side_data_map()
        avformat/mov: fix crash when trying to get a fragment time for a non-existing fragment
        avformat/libssh: fix credential variables typo
        avformat/hlsenc: check return value of avcodec_parameters_copy()
        avformat/dashdec: format open_demux_for_component()
        avformat/dashdec: check return code of avcodec_parameters_copy()
        avformat/dashdec: return ret directly in open_demux_for_component()
        avformat/smoothstreamingenc: check return value of avcodec_parameters_copy()
        avcodec/cbs_av1: fix variable shadowing in cbs_av1_split_fragment()
        doc/demuxers/dvdvideo: seeking is supported, remove outdated statement
        avformat/dvdvideodec: check return code of ff_dvdclut_yuv_to_rgb()
        avformat/dvdvideodec: fix missing last chapter marker due to off-by-one
        avformat/dvdvideodec: don't allow seeking beyond dvdnav reported duration
        avformat/dvdvideodec: discard duplicate or partial AC3 samples
        avformat/dvdvideodec: drop packets with unset PTS or DTS
        avformat/dvdvideodec: remove unnecessary need_parsing argument
        avformat/dvdvideodec: open subdemuxer after initializing IFO headers
        avformat/dvdvideodec: remove auto value for menu_lu option
        avformat/dvdvideodec: default menu_vts option to 1 and clarify description
        avformat/dvdvideodec: check the length of a NAV packet when reading titles
        avformat/dvdvideodec: reset the subdemuxer on discontinuity instead of flushing
        avformat/dvdvideodec: simplify dvdvideo_read_packet()
        avformat/dvdvideodec: enable chapter calculation for menus
        avformat/dvdvideodec: standardize the NAV packet event signal
        avformat/dvdvideodec: move memcpy below missed NAV packet warning
        avformat/dvdvideodec: remove "auto" value for -pg option, default to 1
        avformat/dvdvideodec: measure duration of the current menu VOBU in state
        avformat/dvdvideodec: fix menu PGC number off-by-one in state
        avformat/dvdvideodec: remove unused headers
        lavc/aarch64: Fix ff_pred16x16_plane_neon_10
        lavc/aarch64: Fix ff_pred8x8_plane_neon_10
        aarch64/vvc: Fix clip in alf
        vp9: recon: Use emulated edge to prevent buffer overflows
        arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter
        aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter
        avformat/rpl: Fix check for negative values
        avformat/mlvdec: Check avio_read()
        avcodec/aac/aacdec: Free channel layout
        avformat/mov: dereference pointer after null check
        avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV
        avformat/matroskadec: Check pre_ns for overflow
        tools/target_dec_fuzzer: Adjust threshold for EACMV
        tools/target_dec_fuzzer: Adjust threshold for MVC1
        tools/target_dec_fuzzer: Adjust Threshold for indeo5
        avutil/timecode: Avoid fps overflow in av_timecode_get_smpte_from_framenum()
        avcodec/aac/aacdec_usac: Dont leave type at a invalid value
        avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails
        avcodec/webp: Check ref_x/y
        avcodec/ilbcdec: Initialize tempbuff2
        swscale/swscale_unscaled: Fix odd height with nv24_to_yuv420p_chroma()
        avcodec/hevc/hevcdec: initialize qp_y_tab
        avformat/qcp: Check for read failure in header
        avcodec/eatgq: Check bytestream2_get_buffer() for failure
        avformat/dxa: check bpc
        swscale/slice: clear allocated memory in alloc_lines()
        avcodec/h2645_parse: Ignore NAL with nuh_layer_id == 63
        avcodec/mjpegdec: Disallow progressive bayer images
        avformat/icodec: fix integer overflow with nb_pal
        doc/developer: Document relationship between git accounts and MAINTAINERS
        doc/infra: Document trac backup system
        doc/infra: Document gitolite
        avformat/vividas: Check avio_read() for failure
        avformat/ilbc: Check avio_read() for failure
        avformat/nistspheredec: Clear buffer
        avformat/mccdec: Initialize and check rate.den
        avformat/rpl: check channels
        INSTALL: explain the circular dependency issue and solution
        avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen
        avformat/mxfdec: Fix overflow in midpoint computation
        swscale/output: used unsigned for bit accumulation
        swscale/rgb2rgb_template: Fix ff_rgb24toyv12_c() with odd height
        avcodec/rangecoder: only perform renorm check/loop for callers that need it
        avcodec/ffv1: add a named constant for the quant table size
        avcodec/ffv1: RCT is only possible with RGB
        avcodec/ffv1enc: Fix RCT with RGB64
        avcodec/ffv1dec: Fix end computation with ec=2
        avcodec/ffv1enc: Move slice termination into threads
        avcodec/ffv1enc: Prevent generation of files with broken slices
        avformat/matroskadec: Check desc_bytes so bits fit in 64bit
        avformat/mov: Avoid overflow in dts
        avcodec/ffv1enc: Correct error message about unsupported version
        avcodec/ffv1: Store and reuse sx/sy
        avcodec/ffv1enc: Slice combination is unsupported
        avcodec/ffv1enc: 2Pass mode is not possible with golomb coding
        avfilter/buffersrc: check for valid sample rate
        avcodec/libdav1d: clear the buffered Dav1dData on decoding failure
        avformat/iamf_writer: ensure the stream groups are not empty
        avformat/iamf_writer: fix setting num_samples_per_frame for OPUS
        avformat/iamf_parse: fix setting duration for the last subblock in a parameter definition
        avformat/iamf_parse: add checks to parameter definition durations
        avformat/iamf_parse: reject ambisonics mode > 1
        checkasm: Print benchmarks of C-only functions
        avcodec/ac3dec: fix downmix logic for eac3
        avcodec/codec_desc: remove Intra Only prop for AAC
        avcodec/mediacodecdec: set set keyframe flag in output frames
        avcodec/libfdk-aacenc: set keyframe in output packets
        avcodec/libfdk-aacdec: set keyframe flag and profile in output frames
        avcodec/audiotoolboxnec: set set keyframe flag in output packets
        avcodec/audiotoolboxdec: set set keyframe flag in output frames
        avcodec/aacenc: set keyframe flag in output packets
        avcodec/aac/aacdec: set keyframe flag in output frames
        avcodec/aac_parser: set key_frame and profile
        avformat/mov: don't unconditionally set all audio packets in fragments as key frames
        avformat/matroskadec: set all frames in a keyframe simple box as keyframes
        avformat/test/movenc: set audio packets as key frames
        avformat/movenc: write stss boxes for xHE-AAC
        avformat/spdifdec: parse headers for audio codecs
        avformat/movenc: don't disable edit lists when writing CMAF output
        avcodec/libfdk-aacenc: export CPB properties
        avformat/movenc: don't write a calculated avgBitrate when the provided one is unset
        libavutil/riscv: Make use of elf_aux_info() on FreeBSD / OpenBSD riscv
        libavutil/ppc: defines involving bit shifts should be unsigned
        libavutil/ppc: Include the hardware feature flags like the other archs
        lavu/riscv: fix compilation without Vector support
        avfilter/f_loop: fix aloop activate logic
        avfilter/f_loop: fix length of aloop leftover buffer
        avfilter/vf_zscale: align the frame buffers
        lavfi/vf_zscale: fix call to av_pix_fmt_count_planes
        lavfi/vf_zscale: fix tmp buffer ptr alignment for zimg_filter_graph_process
        avfilter/framepool: align the frame buffers
        avcodec/h2645_sei: use the RefStruct API for film_grain_characteristics
        avcodec/aom_film_grain: allocate film grain metadata dynamically
        avformat/mov: use an array of pointers for heif_item
        avformat/mov: split off heif item initialization to its own function
        avformat/mov: factorize getting the current item
        lavc/h264idct: fix RISC-V group multiplier
        lavc/h264dsp: move RISC-V fn pointers to .data.rel.ro
        avcodec/jpegxl_parser: fix reading lz77-pair as initial entropy symbol
        avcodec/jpegxl_parser: check entropy_decoder_read_symbol return value
        avcodec/cbs_h266: Fix regression in DVB clip introduced by 93281630a71c06642adfebebb0d4b105a4e02e91
        avcodec/x86/vvc: add prototypes for OF functions
        Document stream specifier syntax change from 46cbe4ab5c
        fftools/ffplay: fix crash when vk renderer is null
        avutil/wchar_filename: re-introduce explicit cast of void* to char*
        fate/ffmpeg: add samples dependency to fate-ffmpeg-spec-disposition
        fftools/ffmpeg_filter: treat apad filter as a source
        lavc/avcodec: fix global/private option precendence
        avfilter/framesync: fix forward EOF pts
        avcodec/vaapi_encode: fix compilation without CONFIG_VAAPI_1
        libavcodec: x86: Remove an explicit include of config.asm
        checkasm: lls: Use relative tolerances rather than absolute ones
        arm: Consistently use proper interworking function returns
        avcodec/libx265: unbreak build for X265_BUILD >= 213
        fftools: log unconnected filter output label
        fftools: do not access out of bounds filtergraph
        avcodec/mediacodecenc: Fix access of uninitialized value
        avformat/img2enc: Fix integer truncation when frame_pts is enabled
        avformat/internal: Add ff_get_frame_filename
        avformat/mov: don't return the latest stream when an item stream is expected

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit d38aabc45e2ef60da07178340e30e563c40a6052
Author: Adolf Belka
Date:   Tue Apr 1 22:50:02 2025 +0200

    backup.pl: Fixes bug13737 - restarts ipsec to use the restored certs etc

    - This adds a check if the ipsec server is enabled. If it is then ipsecctrl is run to restart ipsec and ensure that the restored certs are all being used.
    - Tested this out on my vm testbed and confirmed that with this I could restore a backup and make the client connection as previously set up.
    - Without this I had to press the Save button on the ipsec WUI page to get the certs etc being used.

    Fixes: bug13737
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3014979c75a6e63cdb2698d1cf5c3ed9316fdccf
Author: Michael Tremer
Date:   Wed Apr 2 09:59:12 2025 +0000

    Revert "backup.pl: Fixes bug13737 - restarts ipsec to use the restored certs etc"

    This reverts commit 1fda10e584da6b99237c94aa4e652d97589c7df6.

    Signed-off-by: Michael Tremer

commit 973f41b88d6ea9864a0a63b634b111e9fbc04a75
Author: Adolf Belka
Date:   Tue Apr 1 20:08:02 2025 +0200

    core194: Ship the backup file changes

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 2639101b2dcf28dee6100d199c70591490f931de
Author: Adolf Belka
Date:   Tue Apr 1 20:08:01 2025 +0200

    core194: Ship the vpnmain.cgi changes

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 1fda10e584da6b99237c94aa4e652d97589c7df6
Author: Adolf Belka
Date:   Tue Apr 1 20:08:00 2025 +0200

    backup.pl: Fixes bug13737 - restarts ipsec to use the restored certs etc

    - This adds a check if the ipsec server is enabled.
    If it is then ipsecctrl is run to restart ipsec and ensure that the restored certs are all being used.
    - Tested this out on my vm testbed and confirmed that with this I could restore a backup and make the client connection as previously set up.
    - Without this I had to press the Save button on the ipsec WUI page to get the certs etc being used.

    Fixes: bug13737
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 85c0d3c1c73dfd8f625c99256f0e1706979b895e
Author: Adolf Belka
Date:   Tue Apr 1 20:07:59 2025 +0200

    include: Add the contents of the ipsec certs directory to the backup

    - Previously only the .pem files were backed up from the /var/ipfire/certs/ directory. That was okay in the past as the serial and index files never changed after the root/host cert set was created.
    - With the renew process then the serial and index files get updated and these are needed to match with the cert status that was backed up. Otherwise you could end up with one set of values in the serial and index files that did not match with the restored certs.
    - This patch adds all the contents of the certs directory to the backup.
    - Tested out on my vm testbed and successfully restored a backup and was able to connect with the same client settings.

    Fixes: bug13737
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 41c7cc325e1e2f922de803842d0625e564f6771e
Author: Adolf Belka
Date:   Tue Apr 1 20:07:58 2025 +0200

    vpnmain.cgi: Fixes bug13737 - revoke any deleted client certificate

    - As the serial number is incremented now for each new cert that is created, then when a client cert is deleted from the ipsec list in the wui then that cert must be revoked otherwise it will still be listed in the .index file as a valid certificate and then the certificate name and DN could never be used again.
    - Running the revoke command when deleting a client cert leaves the details in the .index file but the same name can then be re-used and will get a new serial number etc.

    Fixes: bug13737
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 65434dcc7bc297e7d2feabd68f93de1eace598f3
Author: Adolf Belka
Date:   Tue Apr 1 20:07:57 2025 +0200

    vpnmain.cgi: Fixes bug13737 - remove unneeded &cleanssldatabase calls

    - This first part removes all usages of &cleanssldatabase with the client certificates. This is not needed here. If used then the serial number would be moved back to 01 when an existing client certificate is removed or a new one created, even if no errors occurred.
    - The usage of &cleanssldatabase has also been removed from the root/host cert creation if it was successful, otherwise the index file is moved back to being empty and the serial file to containing 01.
    - The only usage now of the &cleanssldatabase is for when the root/host cert set is being created or if an uploaded cert has been checked as good to install.
    - This now means that each time a new client certificate is created the serial number is incremented.
    - The removal of the x509 root/host cert also unlinks all .pem files in the certs directory and therefore also all the 01.pem, 02.pem etc files so the &cleanssldatabase routine no longer needs to unlink the 01.pem file
    - The &newcleanssldatabase script is no longer needed, as the &cleanssldatabase commands used covers the required cleaning, so it has been removed.
    - This patch together with the others from this set have been tested out on my vm system and I was able to create a new root/host cert set and then new client certs and make an ipsec certificate connection successfully. I could then renew the host cert and the client connection still worked.
    Fixes: bug13737
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 7ee3ce2371504df0e14b6cb19437d5290f38a6f1
Author: Arne Fitzenreiter
Date:   Wed Apr 2 09:58:27 2025 +0200

    core194: add kernel to update

    Signed-off-by: Arne Fitzenreiter

commit a4726d9aff6374f1efe95d67a283988d41e6f79d
Author: Arne Fitzenreiter
Date:   Wed Apr 2 09:44:24 2025 +0200

    kernel: update to 6.12.21

    MD_LINEAR (JBOD) is now back in the mainline kernel

    Signed-off-by: Arne Fitzenreiter

commit b9a677a20b3b9e65e2d8976649574af00f318ecc
Author: Arne Fitzenreiter
Date:   Wed Apr 2 09:43:49 2025 +0200

    mympd: update to 20.1.0

    Signed-off-by: Arne Fitzenreiter

commit b3818cfc11a611d465e04b63bad852d219ee9ca0
Author: Arne Fitzenreiter
Date:   Wed Apr 2 09:42:41 2025 +0200

    ovmf: update to 2025.02-1

    Signed-off-by: Arne Fitzenreiter

commit 899c06d767943eea338ba9bbb47dde6576ae9279
Author: Adolf Belka
Date:   Tue Apr 1 14:26:50 2025 +0200

    core194: Ship changed openssl.cnf file from CU184

    - openssl.cnf had copy_extensions = copyall added to the [ IPFire ] section as part of the ipsec host cert renewal process but the file was missed to be shipped with the Core Update 184 update. So only users doing fresh installs of CU184 or later will have the updated openssl.cnf file.
    - This patch rectifies that situation.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 799aa347abb25ab304b4c162b6fef7af0daaee4e
Author: Michael Tremer
Date:   Mon Mar 31 15:23:32 2025 +0000

    core194: Ship changed firewall rules and aliases.cgi

    Signed-off-by: Michael Tremer

commit 52c0e4819d07fc46339f9ea0b2fd66a74b69cfef
Author: Michael Tremer
Date:   Mon Mar 31 17:16:24 2025 +0200

    aliases.cgi: Reload firewall after updating aliases

    This is required to update any REDNAT rules.
    Signed-off-by: Michael Tremer

commit 1c1ff05cdc37fe9ccabda9413c270935c3a45478
Author: Michael Tremer
Date:   Mon Mar 31 16:35:26 2025 +0200

    firewall: Explicitly don't NAT any aliases

    It seems that there is a problem with local connections that have preselected an outgoing interface. That will work just fine, but ultimately the packet will be NATed back to the primary RED IP address.

    To prevent this, we are adding some extra rules that skip the MASQUERADE target.

    Signed-off-by: Michael Tremer

commit 8fa1831bff7e1d76eb83b145976211aa703062e1
Author: Michael Tremer
Date:   Mon Mar 31 16:31:43 2025 +0200

    firewall: Collect all networks that should not be NATed in an array

    No functional changes.

    Signed-off-by: Michael Tremer

commit e26b7aaa37c91fde4d7bc0fe338118bc93348dd3
Author: Michael Tremer
Date:   Mon Mar 31 15:22:14 2025 +0000

    core194: Ship libxml2

    Signed-off-by: Michael Tremer

commit 4bbb98385f80537c50dd66d69afef97732149926
Author: Adolf Belka
Date:   Mon Mar 31 15:45:09 2025 +0200

    tshark: Ship due to libxml sobump

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 0ffe4b075e8dc5f12aaa60235b771a2f0e2a0453
Author: Adolf Belka
Date:   Mon Mar 31 15:45:08 2025 +0200

    rng-tools: Ship due to libxml sobump

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 2e052e656a542d4784fba8ef4c035ebb56690a0f
Author: Adolf Belka
Date:   Mon Mar 31 15:45:07 2025 +0200

    nfs: Ship due to libxml sobump

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit fe75b1511278dead34aef04fcb051b5bcc7f1817
Author: Adolf Belka
Date:   Mon Mar 31 15:45:06 2025 +0200

    libvirt: Ship due to libxml sobump

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 4109b42e34cd85a5ae7b9a0d2cf3db0000e04068
Author: Adolf Belka
Date:   Mon Mar 31 15:45:05 2025 +0200

    clamav: Ship due to libxml sobump

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit e725c6691d8d2ca8470afcc1379e0794d43c6b6e
Author: Adolf Belka
Date:   Mon Mar 31 15:45:04 2025 +0200

    core194: Ship rrdtool
Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 57cab5e367a89f1ddb4ba4b04f0f2094bf328335 Author: Adolf Belka Date: Mon Mar 31 15:45:03 2025 +0200 core194: Ship libxslt Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit e8988295f2c9d2fc01a151296b1d5132a452a544 Author: Adolf Belka Date: Mon Mar 31 15:45:02 2025 +0200 core194: Ship collectd Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit a5bea20c6a11c881294db4149c1a853781df20e5 Author: Adolf Belka Date: Mon Mar 31 15:45:01 2025 +0200 core194: Ship apache2 Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit ee5bd0ef6fc6ba437430cd0e025ce8aa4fb2591c Author: Adolf Belka Date: Mon Mar 31 15:45:00 2025 +0200 libxml2: Update to version 2.14.0 - Update from version 2.13.5 to 2.14.0 - Update of rootfile - sobump so ran find-dependencies. apache2, clamav, collectd, libvirt, libxslt, nfs, rng-tools, rrdtool and tshark are all linked against the lib bump. So additional patches are in this set to bump the PAK_VER and ship the addons and to ship the linkied core packages. Hope it is done correctly. Let me know if not. - 2 CVE fixes added into version 2.13.6 - Changelog 2.14.0 Major changes The HTML tokenizer now conforms fully to HTML5. Several non-standard syntax warnings were removed. Note that HTML5 tree construction isn't implemented yet. Binary compatibility is restricted to versions 2.14 or newer. On ELF systems, the soname was bumped from libxml2.so.2 to libxml2.so.16. The serialization API will now take user-provided or default encodings into account when serializing attribute values, matching the serialization of text and avoiding unnecessary escaping. The XML parser won't try to merge consecutive CDATA sections as before to align with web standards. Each CDATA section will create exactly one node or SAX callback. Support for RELAX NG can now be disabled with a new configuration option independently of XML Schemas support. It is still enabled by default. 
The "legacy" configuration option won't enable support for HTTP and LZMA anymore. These features will be removed in the next release. Parts of the xmllint executable were refactored, allowing the combination of more options. OOM errors should be reported reliably now. Several improvements were made to the build systems. Meson is fully supported now. Parts of the buffering code were reworked and simplified. Overflow checks before reallocations were hardenend. Some unprefixed symbols were renamed to avoid namespace pollution. New features Input callbacks can now be set on a parser context and an improved API to create parser input is available. The following new functions, taking a parser input object, were added: - xmlCtxtParseDocument - xmlCtxtParseContent as replacement for xmlParseBalancedChunkMemory and xmlParseInNodeContext - xmlCtxtParseDtd The xmlSave API now has additional options to replace global settings. Parser options XML_PARSE_UNZIP, XML_PARSE_NO_SYS_CATALOG and XML_PARSE_CATALOG_PI were added. An API function to install a custom character encoding converter is now available. This makes it possible to use ICU for encoding conversion even if libxml2 was compiled without ICU support, see example/icu.c. Deprecations Access to many public struct members is now deprecated. Several accessor functions were added to use instead. More internal functions were deprecated. Removals Metadata about the HTML4 content model was removed from the htmlElemDesc struct and related functions were deprecated. The FTP module and related functions were removed. Support for the range and point extensions of the xpointer() scheme was removed. The rest of the XPointer implementation isn't affected. The xpointer() scheme now behaves like the xpath1() scheme. Several legacy symbols and the functions in xmlunicode.h were removed. ELF version information was removed. The shell was moved from libxml2 to xmllint. Several related functions are no longer available. 
The libxml.m4 file containing autoconf macros was removed. The --with-tree configuration option was removed. The hack to detect single-threaded programs under glibc was removed. Planned removals Support for HTTP and LZMA compression is planned to be removed in the 2.15 release. The following features are considered for removal: - Modules API (xmlmodule.h) - Schematron support - Support for zlib compressed file I/O - Legacy Windows build system in win32 RELAX NG support is still in a bad state and a long-term removal candidate. 2.13.7 Regressions - tree: Fix xmlTextMerge with NULL args - io: Fix `compressed` flag for uncompressed stdin - parser: Fix parsing of DTD content 2.13.6 Security - [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements - [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd - pattern: Fix compilation of explicit child axis Regressions - xmllint: Support compressed input from stdin - uri: Fix handling of Windows drive letters - reader: Fix return value of xmlTextReaderReadString again - SAX2: Fix xmlSAX2ResolveEntity if systemId is NULL Portability - dict: Handle ENOSYS from getentropy gracefully - Fix compilation with uclibc (Dario Binacchi) - python: Declare init func with PyMODINIT_FUNC - tests: Fix sanitizer version check on old Apple clang - cmake: Work around broken sys/random.h in old macOS SDKs Build - autotools: Set AC_CONFIG_AUX_DIR - cmake: Always build Python module as shared library - cmake: add missing `Bcrypt` link on Windows (Saleem Abdulrasool) - cmake: Fix compatibility in package version file Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer