commit 351113e21eecd730b33a2d73c1bb74eff9fcb845
Author: Michael Tremer
Date:   Fri Aug 29 11:40:06 2025 +0100

    ovpnmain.cgi: Initialize some checkboxes when storing settings

    This should hopefully resolve this problem:

    https://lists.ipfire.org/development/118761f0-24cd-4a62-b064-8d87dffc6b89@ipfire.org/

    Signed-off-by: Michael Tremer

commit 7c86a0354a4e5d0dc970c0500864a95ff60f04a3
Author: Michael Tremer
Date:   Fri Aug 29 11:35:50 2025 +0100

    Revert "ovpnmain.cgi: Apply default settings when necessary"

    This reverts commit e04f5376ba18767a6a9eccf104c472295a75340b.

    Signed-off-by: Michael Tremer

commit 676ce3b4cfdc72c758380da512ee3a00c370623e
Author: Michael Tremer
Date:   Fri Aug 29 11:33:48 2025 +0100

    Revert "update.sh: Ensure ncp-disable is removed from config and DATACIPHERS added"

    This reverts commit 198025111e37a80944dbab9ddd57967945e27949.

    Signed-off-by: Michael Tremer

commit 5339b5bc1ada6b4148384bc7db5e5b91b519c895
Author: Michael Tremer
Date:   Fri Aug 29 11:33:32 2025 +0100

    Revert "backup.pl: Ensure ncp-disable is removed from old backups and DATACIPHERS added"

    This reverts commit 7245ddf773b78be5fd0675d2e260b3da7855ac2c.

    Signed-off-by: Michael Tremer

commit 6c35b21c6760c6f9f6cfa57dbca0a5a917baa470
Author: Michael Tremer
Date:   Fri Aug 29 11:28:17 2025 +0100

    ovpnmain.cgi: Remove dead code

    Signed-off-by: Michael Tremer

commit 198025111e37a80944dbab9ddd57967945e27949
Author: Adolf Belka
Date:   Mon Aug 25 11:19:14 2025 +0200

    update.sh: Ensure ncp-disable is removed from config and DATACIPHERS added

    - This is doing the same thing as the other patch of this series dealing with backup.pl

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 7245ddf773b78be5fd0675d2e260b3da7855ac2c
Author: Adolf Belka
Date:   Mon Aug 25 11:19:13 2025 +0200

    backup.pl: Ensure ncp-disable is removed from old backups and DATACIPHERS added

    - With commit https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=e04f5376ba18767a6a9eccf104c472295a75340b then the settings file which is hashed into %vpnsettings already exists and so none of the defaults are set. Running the ovpnmain.cgi code resolves this for most of the settings but not for ncp-disable being present in server.conf and no DATACIPHERS entry in the settings file. ncp-disable then causes the openvpn server to fail to start as it is no longer recognised in OpenVPN-2.6
    - This patch checks if ncp-disable is in the server.conf file from the restored backup and if it is it is then removed and the default values for DATACIPHERS is added into the settings file.
    - Tested out in my vm testbed and successfully worked. The previously found issue after the above patch was added in has been resolved.
    - Associated patch in this set is to do a similar thing for the update.sh file for CU197

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 97469fbdd20c7c47b9d1f2df6b57f60ccda16560
Author: Adolf Belka
Date:   Sat Aug 23 15:46:09 2025 +0200

    backup.pl: Restart openvpn daemons after restore.

    - As the daemons are running when the restore is done then if the daemons are not restarted the running daemon stays with the previous config and not with the restored version.

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit c293ac4b282da94f2d4b7449738c4be2a590c86e
Author: Adolf Belka
Date:   Wed Aug 20 18:51:47 2025 +0200

    ovpnmain.cgi: Fixes bug13869 - shows values from vpnsettings in advanced server page

    - In the previous version the cgiparams hash was filled from the ovpn/settings file. However with the new version of this file that is no longer done. For the values of protocol, redirect_gw, mssfix, dataciphers, route_push the hash file was changed from %cgiparams to %vpnsettings. This was not done for the values of dciphers, dauth or tlsauth. These values still got their entries from the %cgiparams hash but this hash is empty as it has not been filled.
    - This patch replaces the use of $cgiparams with $vpnsettings.
    - Tested this out on my vm testbed and confirmed that the saved values are now shown on the advanced settings wui page.

    Fixes: bug13869
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit e04f5376ba18767a6a9eccf104c472295a75340b
Author: Stefan Schantl
Date:   Tue Aug 19 20:39:16 2025 +0200

    ovpnmain.cgi: Apply default settings when necessary

    Only apply the default settings in case nothing has been configured yet, otherwise existing settings may get overwritten.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 8d611ffd0424ba20aac45f63f5bdaa398b4cb557
Author: Michael Tremer
Date:   Thu Aug 14 11:03:04 2025 +0100

    core197: Rewrite the entire OpenVPN server configuration

    This also updates all CCD configuration files.

    Signed-off-by: Michael Tremer

commit 3e82d9990cbdd4b0f022e16aecec164008926717
Author: Michael Tremer
Date:   Thu Aug 14 11:01:23 2025 +0100

    ovpnmain.cgi: Add option to rewrite all configuration files

    Signed-off-by: Michael Tremer

commit 4c0b4194ff24e4ddeb8a1311facfec71d2101a39
Author: Michael Tremer
Date:   Thu Aug 14 11:01:10 2025 +0100

    ovpnmain.cgi: Disable logging warnings

    Signed-off-by: Michael Tremer

commit 87e1047a08ca522f28807b3fde7a2f2faa75b733
Merge: 1f200cb1c ceb35099f
Author: Michael Tremer
Date:   Fri Aug 8 14:55:49 2025 +0000

    Merge branch 'next'

commit ceb35099fa8af7c2ac85fa2487e1e5ec4e36d2ce
Author: Michael Tremer
Date:   Fri Aug 8 14:55:27 2025 +0000

    make.sh: Update langs

    Signed-off-by: Michael Tremer

commit baee54153bd2a2f0fd126e98d9499f54169af6f3
Author: Adolf Belka
Date:   Thu Aug 7 17:22:46 2025 +0200

    borgbackup: Fix bug13868 - add libxxhash to dependencies - forgotten in CU189

    - Add libxxhash to dependency list and increment PAK_VER.
    - Update of rootfile not required

    Fixes: bug13868
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 0fb4546ddf85187a423ca56a7b012f5074d9c089
Author: Adolf Belka
Date:   Thu Aug 7 17:22:45 2025 +0200

    bash: Update to patch level 3

    - Update from patch level 0 to 3
    - Update of rootfile not required
    - Changelog
        Patch 3
            Bash leaves internal quoting in place when expanding array subscripts that appear inside array subscripts in an arithmetic context, causing expansion failures.
        Patch 2
            There are too many differences in the various implementations of shm_open(2) to rely on it for bash's use.
        Patch 1
            In posix mode, `wait -n' with pid arguments does not restrict the set of processes it considers to those arguments.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 9983bc12ca0e1508aa4e3b69a9ce34f5caa685cd
Author: Michael Tremer
Date:   Thu Aug 7 16:42:18 2025 +0000

    arpwatch: Fix rootfile

    Signed-off-by: Michael Tremer

commit ebfcb022fb29b17abfb6c8352e72274a72ca6dd6
Author: Michael Tremer
Date:   Mon Aug 4 21:06:26 2025 +0000

    arpwatch: Fix download of ethercodes.dat

    Signed-off-by: Michael Tremer

commit 306516d99a8333ca7d91adba835c206ebbaf9b9b
Author: Michael Tremer
Date:   Mon Aug 4 16:24:29 2025 +0200

    ovpnmain.cgi: Fix layout issues when editing N2N

    No functional changes.

    Signed-off-by: Michael Tremer

commit 52d53e52737f05ff8cba02c3245bcb74d1b8cfbe
Author: Michael Tremer
Date:   Tue Jul 29 14:50:17 2025 +0000

    core197: Ship bonding changes

    Signed-off-by: Michael Tremer

commit 993d5838f31ceeef8bc103b177e6a95f371f36c3
Author: Michael Tremer
Date:   Tue Jul 29 14:42:20 2025 +0000

    network: Ensure that we only run once at a time

    Signed-off-by: Michael Tremer

commit a5a1b2c2c16473990b9eee81cf9502af369bcdf6
Author: Michael Tremer
Date:   Tue Jul 29 14:42:19 2025 +0000

    network: Add support for some more auxiliary zones

    Signed-off-by: Michael Tremer

commit dd67715a493e372936d815cd9d46904fa4681073
Author: Michael Tremer
Date:   Tue Jul 29 14:42:18 2025 +0000

    network: Fail if no master device has been configured for slave zones

    Signed-off-by: Michael Tremer

commit 5152d450ff943eeea0be1c0aa1bcc87e1c89755a
Author: Michael Tremer
Date:   Tue Jul 29 14:42:17 2025 +0000

    network: Rename the bridge hotplug script

    Since it is now creating more than just bridges, this had to have a new name.

    Signed-off-by: Michael Tremer

commit 991e99a4fbfca7f1992c4d57b2686a58bde05ef7
Author: Michael Tremer
Date:   Tue Jul 29 14:42:16 2025 +0000

    network: Add support for bonds

    This is a bare-minimum implementation to realise this. It changes the bridge script because the two of them have quite a bit in common, so we should avoid further code duplication.

    Signed-off-by: Michael Tremer

commit 5c903c529978dff6c100819dff785ffc9b507a0b
Author: Michael Tremer
Date:   Tue Jul 29 14:42:15 2025 +0000

    linux: Don't create bond0 when bonding is being loaded

    Signed-off-by: Michael Tremer

commit f5f70cb85c1537de6f760869f20cb29abc0a95f4
Author: Michael Tremer
Date:   Tue Jul 29 14:38:20 2025 +0000

    firewall: Completely throw away any output when restarting Tor

    Signed-off-by: Michael Tremer

commit 8aa06d9fc3f7024611b00f00ca02ce14392d1e33
Author: Michael Tremer
Date:   Tue Jul 29 14:36:54 2025 +0000

    initscripts: Fix process check for processes with PID file

    This check tests whether a process is still alive, but it fails for those processes when we are using a PID file.

    Signed-off-by: Michael Tremer

commit c8540f81307e1027e05dc5e8953f0b722ad44233
Author: Michael Tremer
Date:   Tue Jul 29 14:34:28 2025 +0000

    arpwatch: New package

    This allows to receive an email notification if a new host is detected on a network.

    Signed-off-by: Michael Tremer

commit 0105e8685da8dac43690d7e47ed8531550ce5863
Author: Arne Fitzenreiter
Date:   Sat Aug 2 09:18:26 2025 +0200

    kernel: update to 6.12.41

    Signed-off-by: Arne Fitzenreiter

commit 6add597f163df40e008bccc115b33eeaf353548d
Author: Adolf Belka
Date:   Sun Jul 27 10:26:34 2025 +0200

    core197: Ship vpnmain.cgi as it was missed in CU196

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit d089188f86f2ea1ed9c09d1e2bee833bd6dd6dfc
Author: Michael Tremer
Date:   Fri Jul 25 13:10:21 2025 +0000

    core197: Ship readline & bash

    Signed-off-by: Michael Tremer

commit b50fa04efc2bbe1e2c94995eb37c7bd45d7c458a
Author: Adolf Belka
Date:   Wed Jul 23 21:02:31 2025 +0200

    readline: Update to version 8.3 with patch version 1

    - Update from version 8.2 with patch version 13 to 8.3 with patch version 1
    - Update of rootfile
    - Changelog
        8.3
            New Features in Readline
            a. Output a newline if there is no prompt and readline reads an empty line.
            b. The history library falls back to stdio when writing the history list if mmap fails.
            c. New bindable variable `search-ignore-case', causes readline to perform case-insensitive incremental and non-incremental history searches.
            d. rl_full_quoting_desired: new application-settable variable, causes all completions to be quoted as if they were filenames.
            e. rl_macro_display_hook: new application-settable function pointer, used if the application wants to print macro values itself instead of letting readline do it
            f. rl_reparse_colors: new application-callable function, reparses $LS_COLORS (presumably after the user changes it)
            g. rl_completion_rewrite_hook: new application-settable function pointer, called to modify the word being completed before comparing it against pathnames from the file system.
            h. execute-named-command: a new bindable command that reads the name of a readline command from the standard input and executes it. Bound to M-x in emacs mode by default.
            i. Incremental and non-incremental searches now allow ^V/^Q (or, in the former case, anything bound to quoted-insert) to quote characters in the search string.
            j. Documentation has been significantly updated.
            k. New `force-meta-prefix' bindable variable, which forces the use of ESC as the meta prefix when using "\M-" in key bindings instead of overloading convert-meta.
            l. The default value for `readline-colored-completion-prefix' no longer has a leading `.'; the original report was based on a misunderstanding.
            m. There is a new bindable command, `export-completions', which writes the possible completions for a word to the standard output in a defined format.
            n. Readline can reset its idea of the screen dimensions when executing after a SIGCONT.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit daaa94e999f81cbef3caf29708359bc0c97db4b8
Author: Adolf Belka
Date:   Wed Jul 23 21:02:30 2025 +0200

    bash: Update to version 5.3 with patch level 0

    - Update from version 5.2 with patch level 37 to 5.3 with patch level 0
    - Update rootfile
    - remove bash-4.0-paths-1 patch file as this is not included in the current tarball.
    - remove all the 5.2 version patches.
    - Modify lfs so that the patch version can be added and then use this in the main part of the lfs to automatically select the correct patches to merge.
    - Successful build of bash-5.3 requires readline-8.3 to be installed
    - Changelog
        5.3
            New Features in Bash
            a. When checking whether a script file argument is a binary file, check the first two lines of a script if the first line begins with `#!'.
            b. Bash does a better job of preserving user-supplied quotes around a word completion, instead of requoting it.
            c. Bash reports the starting line number in an error message about an unterminated compound command like `if' without a `fi'.
            d. Implement the POSIX requirement that running the `jobs' builtin removes jobs from the jobs list.
            f. Call bash signal handlers while executing programmable completion commands, instead of readline's.
            g. Print an error message if a regular expression used with [[ fails to compile.
            h. The `umask' builtin now has additional features for full POSIX conformance.
            i. `type -a -P' reports both hashed pathnames and the result of a $PATH search.
            j. `trap' has a new -P option that prints the trap action associated with each signal argument.
            k. The `command' builtin preceding a declaration builtin (e.g., `declare') preserves the special assignment statement parsing for the declaration builtin. This is a new POSIX requirement.
            l. `printf' uses the `alternate form' for %q and %Q to force single quoting.
            m. `printf' now interprets %ls (%S) and %lc (%C) as referring to wide strings and characters, respectively, when in a multibyte locale.
            n. The shell can be compiled with a different default value for the patsub_replacement option.
            o. Check for window size changes during trap commands, `bind -x' commands, and programmable completion.
            p. Treat a NULL value for $PATH as equivalent to ".".
            p. New loadable builtins: kv, strptime
            q. GLOBSORT: new variable to specify how to sort the results of pathname expansion (name, size, blocks, mtime, atime, ctime, numeric, none) in ascending or descending order.
            r. `compgen' has a new option: -V varname. If supplied, it stores the generated completions into VARNAME instead of printing them on stdout.
            s. New form of command substitution: ${ command; } or ${|command;} to capture the output of COMMAND without forking a child process and using pipes.
            t. array_expand_once: new shopt option, replaces assoc_expand_once
            u. complete/compopt new option: fullquote; sets rl_full_quoting_desired so all possible completions are quoted as if they were filenames.
            v. Command timing now allows precisions up to 6 digits instead of 3 in $TIMEFORMAT.
            w. BASH_MONOSECONDS: new dynamic variable that returns the value of the system's monotonic clock, if one is available.
            x. BASH_TRAPSIG: new variable, set to the numeric signal number of the trap being executed while it's running.
            y. The checkwinsize option can be used in subshell commands started from interactive shells.
            z. In posix mode, the test command < and > binary primaries compare strings using the current locale.
            aa. bind -x allows new key binding syntax: separate the key sequence and the command string with whitespace, but require the command string to be double-quoted if this is used. This allows different quoting options for the command string.
            bb. Print commands bound to key sequences using `bind -x' with the new key binding syntax it allows.
            cc. `read' has a new `-E' option to use readline but with the default bash completion (including programmable completion).
            dd. New bindable readline command name: `bash-vi-complete'.
            ee. New test builtin behavior when parsing a parenthesized subexpression and test was given more than 4 arguments: scan forward for a closing paren and call posixtest() if there are 4 or fewer arguments between the parentheses. Added for compatibility with coreutils test, dependent on the shell compatibility level. Such expressions remain ambiguous.
            ff. MULTIPLE_COPROCS is now enabled by default.
            gg. The `bind' builtin interprets additional non-option arguments after -p or -P as bindable command names and restricts output to the bindings for those names.
            hh. Bash now uses the login shell for $BASH if the shell is named `su' or `-su'.
            ii. Bash now prints job notifications if an interactive shell is running a trap, even though the shell is not interactive at that moment.
            jj. Programmable completion allows a new compspec loaded after a completion function returns 124 to be used in more cases.
            kk. ./source has a new -p PATH option, which makes it use the PATH argument instead of $PATH to look for the file.
            ll. Documentation has been significantly updated.
            mm. `wait -n' can now return terminated process substitutions, jobs about which the user has already been notified (like `wait' without options),
            nn. `wait -n' removes jobs from the jobs table or list of terminated children when in posix mode.
            oo. Changed the `wait' builtin behavior regarding process substitutions to match the documentation.
            pp. There is a new `bash_source_fullpath' shopt option, which makes bash put full pathnames into BASH_SOURCE, and a way to set a default value for it at configure time.
            qq. Posix mode now forces job notifications to occur when the new edition of POSIX specifies (since it now specifies them).
            rr. Interactive shells don't print job notifications while sourcing scripts.
            ss. The parser prints more information about the command it's trying to parse when it encounters EOF before completing the command.
            tt. Posix mode no longer requires function names to be valid shell identifiers.
            uu. If `exit' is run in a trap and not supplied an exit status argument, it uses the value of $? from before the trap only if it's run at the trap's `top level' and would cause the trap to end (that is, not in a subshell). This is from Posix interp 1602.
            vv. There is a new `fltexpr' loadable builtin to perform floating-point arithmetic similarly to `let'.
            ww. The `install-strip' and `strip' Makefile targets now deal with cross-compiling.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit c13d784f9d4f3d3609e3924425e2cbb0577aeab6
Author: Michael Tremer
Date:   Fri Jul 25 12:51:42 2025 +0000

    core197: Ship apache

    Signed-off-by: Michael Tremer

commit 00eed335bf6af187b58155dbd64c30e340931975
Author: Matthias Fischer
Date:   Thu Jul 24 23:33:51 2025 +0200

    apache: Update to 2.4.65

    For details see:
    https://dlcdn.apache.org/httpd/CHANGES_2.4.65

    "Changes with Apache 2.4.65

      *) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64 (cve.mitre.org)
         A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true".
         Users are recommended to upgrade to version 2.4.65, which fixes the issue."

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit d0f48c93fa06f5eb4c6835ad3aa333815f6bca77
Author: Adolf Belka
Date:   Wed Jul 23 12:08:03 2025 +0200

    samba: Update to version 4.22.3

    - Update from version 4.22.2 to 4.22.3
    - Update of rootfiles for all architectures
    - Changelog
        4.22.3
            Important Change in Upcoming Microsoft Update
            On 8th of July, Microsoft will release an important security update for Active Directory Domain Controllers for Windows Server versions prior to 2025. This update includes a change to the Microsoft RPC Netlogon protocol, which improves security by tightening access checks for a set of RPC requests. Samba running as domain members in these environments will be impacted by this change if a specific configuration is used, see below for which configuration is affected.
            Windows Server version 2025 is already equipped with these specific security hardenings, and Microsoft is now planning to deploy them to all supported Windows Server versions down to Windows Server 2008.

            Who is affected?
            Samba installations acting as member servers in Windows AD domains will be affected if they are configured to use the 'ad' idmapping backend. Samba servers not using this configuration will not be affected by the change – at least to our current knowledge and understanding of the change – and no further action is required.
            Current versions of Samba with the affected configuration will no longer function correctly once the Microsoft update has been applied. Users will not be able to connect to the SMB service provided by Samba for any domain configured to use the 'ad' idmapping backend. See https://bugzilla.samba.org/show_bug.cgi?id=15876.

            * BUG 15854: samba-tool cannot add user to group whose name is exactly 16 characters long.
            * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName.
            * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc calls like netr_DsRGetDCName.
            * BUG 15869: Startup messages of rpc daemons fills /var/log/messages.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3eefc5fc6d98b6a117284c30c8ef0b3f67440c52
Author: Michael Tremer
Date:   Wed Jul 23 09:02:25 2025 +0000

    core197: Restart the firewall

    This is required so that all new OpenVPN chains are available.

    Signed-off-by: Michael Tremer

commit 39172586ac8778d34392ef881dda3eca797239a4
Author: Michael Tremer
Date:   Wed Jul 23 09:00:09 2025 +0000

    openvpn: Silence when loading the tun module goes wrong

    Signed-off-by: Michael Tremer

commit 81e867c96620ac5f000f68afa6b4cc36066f1a78
Author: Michael Tremer
Date:   Wed Jul 23 08:58:43 2025 +0000

    core197: Escape slashes in path in sed command

    I think I have been too fast...

    Signed-off-by: Michael Tremer

commit a9febdb8dd3547950f7581eb0ae0e619e0d2d21e
Author: Adolf Belka
Date:   Mon Jul 21 23:25:59 2025 +0200

    gnutls: Update to version 3.8.10

    - Update from version 3.8.9 to 3.8.10
    - Update of rootfile
    - 4 CVE fixes in this version
    - Changelog
        3.8.10
            ** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
               Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium] [CVE-2025-6395]
            ** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
               Spotted by oss-fuzz and reported by OpenAI Security Research Team, and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, CVSS: medium] [CVE-2025-32989]
            ** libgnutls: Fix double-free upon error when exporting otherName in SAN
               Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, CVSS: low] [CVE-2025-32988]
            ** certtool: Fix 1-byte write buffer overrun when parsing template
               Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low] [CVE-2025-32990]
            ** libgnutls: PKCS#11 modules can now be used to override the default cryptographic backend.
               Use the [provider] section in the system-wide config to specify path and pin to the module (see system-wide config Documentation).
            ** libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update support.
               The library running on the aforementioned version now utilizes the kernel’s key update mechanism when kTLS is enabled, allowing uninterrupted TLS session. The --enable-ktls configure option as well as the system-wide kTLS configuration(see GnuTLS Documentation) are still required to enable this feature.
            ** libgnutls: liboqs support for PQC has been removed
               For maintenance purposes, support for post-quantum cryptography (PQC) is now only provided through leancrypto. The experimental key exchange algorithm, X25519Kyber768Draft00, which is based on the round 3 candidate of Kyber and only supported through liboqs has also been removed altogether.
            ** libgnutls: TLS certificate compression methods can now be set with cert-compression-alg configuration option in the gnutls priority file.
            ** libgnutls: All variants of ML-DSA private key formats are supported
               While the previous implementation of ML-DSA was based on draft-ietf-lamps-dilithium-certificates-04, this updates it to draft-ietf-lamps-dilithium-certificates-12 with support for all 3 variants of private key formats: "seed", "expandedKey", and "both".
            ** libgnutls: ML-DSA signatures can now be used in TLS
               The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and ML-DSA-87, can now be used to digitally sign TLS handshake messages.
            ** API and ABI modifications:
               GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
               GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 16e602e3512b65497ed16ed7d1606a6ff6ea3e52
Author: Adolf Belka
Date:   Mon Jul 21 23:25:58 2025 +0200

    git: Update to version 2.50.1

    - Update from version 2.50.0 to 2.50.1
    - Update of rootfile not required
    - Changelog
        2.50.1
            This release merges up the fixes that appear in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, and v2.49.1 to address the following CVEs: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386. See the release notes for v2.43.7 for details.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 44a287f38fd2249143982fb6fe942ab8c00d8a17
Author: Adolf Belka
Date:   Mon Jul 21 23:26:01 2025 +0200

    tshark: Update to version 4.4.8

    - Update from version 4.4.7 to 4.4.8
    - Update of rootfile
    - Changelog
        4.4.8
            Bug Fixes
              Renegotiated DTLS session is not being decrypted. Issue 20362.
              Wireshark is completely stuck in initialization because androiddump recv() is blocked. Issue 20526.
              Fuzz job UTF-8 encoding issue: fuzz-2025-06-20-7318.pcap. Issue 20585.
              Crash when showing packet in new window after reloading Lua plugins with a certain gui.column.format preference. Issue 20588.
              Bug in UDS dissector with Service ReadDataByPeriodicIdentifier Response. Issue 20589.
              Packet diagram doesn’t show non-standard field value representations. Issue 20590.
              Packet diagram shows representation twice when field type is FT_NONE. Issue 20601.
              application/x-www-form-urlencoded key parsed incorrectly following a name-value byte sequence with no '=' Issue 20615.
              DNP3 time stamp was unable to work after epoch time(year 2038) Issue 20618.
            Updated Protocol Support
              ASTERIX, DLT, DNP 3.0, DOF, DTLS, ETSI CAT, Gryphon, IPsec, ISObus VT, KRB5, MBIM, RTCP, SLL, STCSIG, TETRA, UDS, and URL Encoded Form Data
            New and Updated Capture File Support
              pcapng

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit ad02d9406ea35431a4bb6c7a07a06105a9ba9fb6
Author: Michael Tremer
Date:   Tue Jul 22 09:14:55 2025 +0000

    core197: Restart strongSwan

    Signed-off-by: Michael Tremer

commit 143e7771cc09e11c9ec8a6c3f66fd77462c235d8
Author: Adolf Belka
Date:   Mon Jul 21 23:25:54 2025 +0200

    core 197: Ship strongswan

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 6502d48b6bc8c442331112669afe892a38b02691
Author: Adolf Belka
Date:   Mon Jul 21 23:26:00 2025 +0200

    strongswan: Update to version 6.0.2

    - Update from version 6.0.1 to 6.0.2
    - Update of rootfile
    - Changelog
        6.0.2
            - Support for per-CPU SAs (RFC 9611) has been added (Linux 6.13+).
            - Basic support for AGGFRAG mode (RFC 9347) has been added (Linux 6.14+).
            - POSIX regular expressions can be used to match remote identities.
            - Switching configs based on EAP-Identities is supported. Setting `remote.eap_id` now always initiates an EAP-Identity exchange.
            - On Linux, sequence numbers from acquires are used when installing SAs. This allows handling narrowing properly.
            - During rekeying, the narrowed traffic selectors are now proposed instead of the configured ones.
            - The default AH/ESP proposals contain all supported key exchange methods plus `none` to make PFS optional and accept proposals of older peers.
            - GRO for ESP is enabled for NAT-T UDP sockets, which can improve performance if the esp4|6_offload modules are loaded.
            - charon-nm sets the VPN connection as persistent, preventing NetworkManager from tearing down the connection if the network connectivity changes.
            - ML-KEM is supported via OpenSSL 3.5+.
            - The wolfssl plugin is now compatible to wolfSSL's FIPS module.
            - The libsoup plugin has been migrated to libsoup 3, libsoup 2 is not supported anymore.
            - The long defunct uci plugin has been removed.
            - Log messages by watcher_t are now logged in a separate log group (`wch`).

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit ffd7e8234d181b21149488c04f2de2cbb060a82e
Author: Adolf Belka
Date:   Mon Jul 21 23:25:53 2025 +0200

    core 197: Ship gettext

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 93c9eb0b668c0576747d1307b431c77af1cb644d
Author: Adolf Belka
Date:   Mon Jul 21 23:25:57 2025 +0200

    gettext: Update to version 0.26

    - Update from version 0.25 to 0.26
    - Update of rootfile
    - Changelog
        0.26
            Programming languages support:
              * JavaScript:
                - xgettext now parses regular expressions with character classes correctly.
              * C, C++, Python, JavaScript, EmacsLisp, librep, Go, Ruby, awk, D, Tcl, Perl, PHP:
                - xgettext's heuristic recognition of format strings has been improved: strings like "100% complete" (with a space flag in a format directive) are no longer flagged as format strings by default, unless they occur in a context that requires a format string. You can override this heuristic by using a comment of the form /* xgettext: c-format */.
              * Shell:
                - The documentation now mentions two other approaches for internationalizing messages with parameters in shell scripts.
                - xgettext now recognizes format strings in the 'printf' command syntax. They are marked as 'sh-printf-format' in POT and PO files.
                - Two new programs 'printf_gettext' and 'printf_ngettext' are provided, that do formatted output with a localized format string in a more efficient way (without spawning a subshell).
                - xgettext now recognizes the \c, \u, and \U escape sequences in dollar-single-quoted strings $'...'.
            Improvements for maintainers:
              * xgettext:
                - When extracting a message with plural that is some format string, xgettext now verifies that the msgid and msgid_plural are compatible as format strings. For most format string types, this still allows omitting from msgid a placeholder that is used in msgid_plural. But when a placeholder is used in both msgid and msgid_plural, its type must be the same in both.
                - xgettext now suggests a refactoring when a translatable string contains an URL or email address.
            Improvements for translators:
              * msggrep:
                - msggrep accepts two new options -W/--workflow-flags and -S/--sticky-flags that allow to select only messages that have a specified flag.
            Bug fixes:
              - The AM_GNU_GETTEXT macro now rejects the dysfunctional gettext() function in libc of Solaris 11.[0-3], Solaris OpenIndiana, and Solaris OmniOS.
              - The AM_GNU_GETTEXT macro now recognizes, on MSVC, the GNU libintl built as a shared library.
        0.25.1
            Bug fixes:
              - autopoint no longer fails if configure.ac contains no AM_GNU_GETTEXT_VERSION or AM_GNU_GETTEXT_REQUIRE_VERSION invocation.
              - nls.m4 is installed again under $PREFIX/share/aclocal/.
            Portability:
              - Building on native Windows with MSVC and --enable-shared is now supported.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 18c8ea7717b380b6c37b5a7ca5fed8e37944d4c0
Author: Adolf Belka
Date:   Mon Jul 21 23:25:52 2025 +0200

    core 197: Ship e2fsprogs

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer