commit dd2b2a07d2e7fe67016fae5e3cedc50764bb53ee Author: Michael Tremer Date: Mon Feb 23 11:29:08 2026 +0000 core200: Ship ids.cgi Signed-off-by: Michael Tremer commit 302a3565a26a141a9a80a89a3ec9705e13aa8a4c Author: Michael Tremer Date: Mon Feb 23 11:28:12 2026 +0000 suricata: Support separating email addresses by semicolon Signed-off-by: Michael Tremer commit 0ba18609bde216ef9ad8c485a8852e5080e32e34 Author: Michael Tremer Date: Mon Feb 23 11:22:15 2026 +0000 autoupdate.pl: Don't remove any custom lists Signed-off-by: Michael Tremer commit 5579862bfd16ed128fbcd85f111632dc4f0b56a0 Author: Michael Tremer Date: Mon Feb 23 10:51:22 2026 +0000 core200: Ship autoupdate.pl Signed-off-by: Michael Tremer commit 823149495e8ee9f3ac28699d57b0a4d41f2a4670 Author: Stefan Schantl Date: Sun Feb 22 20:07:53 2026 +0100 urlfilter: Fix syntax when calling chown Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit 9a9f4dabb7abfa47c2de86664e1f6c67a5cdbb28 Author: Stefan Schantl Date: Sun Feb 22 20:07:52 2026 +0100 urlfiler: Cleanup list directory during update Cleanup the directory which contains the downloaded blocklists during the update process. As the same code is used for sheduled and manual updates/list installs this also cleans up old lists when switching the lists provider. Fixes #13820. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit 336b389fb89eb5d182e85be5c10b26c825e8ae5f Author: Michael Tremer Date: Sun Feb 22 11:08:37 2026 +0000 hostapd: Bump package version due to changes in wlanap.cgi Signed-off-by: Michael Tremer commit d23791c9e6fe66f9245279f43a01225943e6b234 Author: Stefan Schantl Date: Fri Feb 20 19:29:21 2026 +0100 wlanap.cgi: Proper escape special characters in PSK Otherwise a used quote leads to not proper display the used PSK in the WUI. Fixes #13920 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit ce0189c9ec4ffd78386fdc5af0e487217110ac98 Author: Michael Tremer Date: Thu Feb 19 15:58:02 2026 +0000 Run "./make.sh lang" Signed-off-by: Michael Tremer commit 5b97316a4eae8a96c43c7737639d862571c8243f Author: Michael Tremer Date: Thu Feb 19 15:57:37 2026 +0000 core200: Ship general-functions.pl Signed-off-by: Michael Tremer commit b08e5775a2da42c73379cbe258519c4267ed72ce Author: Stefan Schantl Date: Wed Feb 18 19:25:17 2026 +0100 en.pl: Add missing language string for IPFire DBL Without this language string, the DBL cannot be proper used with suricata. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit f7c80e81f64653148b834a137cb08043ef021a8a Author: Stefan Schantl Date: Wed Feb 18 19:13:01 2026 +0100 general-functions.pl: Refactor GetCoreUpdateVersion function There is no need for a loop when only grab the first line of a file which only has one line. Also remove the newline from the grabbed line, which may cause malfunctions on further processing. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit ff0daa1660e064a51a26dbf0098bce0d25c11a5c Author: Michael Tremer Date: Wed Feb 4 11:04:20 2026 +0000 Revert "dhcpcd: Update to version 10.3.0" This reverts commit 7b5cba3151ff317084fa03e8ebfd22213cfbe85b. Fixes: #13933 - Reboot/Shutdown: stopping dhcpd on the red0 interface failes/stucks (with WiFi) Signed-off-by: Michael Tremer commit bee138720596ce50f82075e411f857cdd9f04344 Author: Michael Tremer Date: Tue Feb 3 10:15:51 2026 +0000 initscripts: Don't perform value filtering in readhash Since we now have a safe way to parse values from the configuration file, we should no longer require filtering any more. We will have to be very careful with working with these values. Signed-off-by: Michael Tremer commit fe9d3554182d541996af8df59acaf8a66cca0d81 Author: Michael Tremer Date: Tue Feb 3 10:14:43 2026 +0000 hostapd: Remove any previous HTCAPS/VHTCAPS settings These are no longer used and generate warnings from the configuration file parser. Signed-off-by: Michael Tremer commit e2d8be3b950f3119964ade54a62b72555c9b32e7 Author: Matthias Fischer Date: Sat Jan 31 15:38:35 2026 +0100 linux 6.18.7: Fix for rootfile (x86_64) Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit e3cf89f18806fa7dfaef5b84094787a325a5fabf Author: Michael Tremer Date: Thu Jan 29 17:06:40 2026 +0000 core200: Ship openssl Signed-off-by: Michael Tremer commit eaa2a1862a7601065ed18d843620dc57c2990861 Author: Adolf Belka Date: Wed Jan 28 22:44:03 2026 +0100 openssl: Update to version 3.6.1 - Update from version 3.6.0 to 3.6.1 - Update of rootfile - 12 CVE fixes - Changelog 3.6.1 OpenSSL 3.6.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations: * Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification. ([CVE-2025-11187]) * Fixed Stack buffer overflow in CMS `AuthEnvelopedData` parsing. ([CVE-2025-15467]) * Fixed NULL dereference in `SSL_CIPHER_find()` function on unknown cipher ID. ([CVE-2025-15468]) * Fixed `openssl dgst` one-shot codepath silently truncates inputs >16 MiB. ([CVE-2025-15469]) * Fixed TLS 1.3 `CompressedCertificate` excessive memory allocation. ([CVE-2025-66199]) * Fixed Heap out-of-bounds write in `BIO_f_linebuffer` on short writes. ([CVE-2025-68160]) * Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB function calls. ([CVE-2025-69418]) * Fixed Out of bounds write in `PKCS12_get_friendlyname()` UTF-8 conversion. ([CVE-2025-69419]) * Fixed Missing `ASN1_TYPE` validation in `TS_RESP_verify_response()` function. ([CVE-2025-69420]) * Fixed NULL Pointer Dereference in `PKCS12_item_decrypt_d2i_ex()` function. ([CVE-2025-69421]) * Fixed Missing `ASN1_TYPE` validation in PKCS#12 parsing. ([CVE-2026-22795]) * Fixed `ASN1_TYPE` Type Confusion in the `PKCS7_digest_from_attributes()` function. ([CVE-2026-22796]) * Fixed a regression in `X509_V_FLAG_CRL_CHECK_ALL` flag handling by restoring its pre-3.6.0 behaviour. * Fixed a regression in handling stapled OCSP responses causing handshake failures for OpenSSL 3.6.0 servers with various client implementations. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit ed3faee67cff796eec3e4d9cc0aff16d05d826bb Author: Michael Tremer Date: Wed Jan 28 11:27:52 2026 +0000 suricata-reporter: Update rootfile Signed-off-by: Michael Tremer commit 643427acc6bf4f87003a5639e242abe80684d953 Author: Michael Tremer Date: Tue Jan 27 17:32:47 2026 +0000 core200: Ship suricata-reporter Signed-off-by: Michael Tremer commit 636ba18de2f0e9d961f45f38470c23b15dcc9c01 Author: Michael Tremer Date: Tue Jan 27 17:31:59 2026 +0000 suricata-reporter: Update to 0.6 Signed-off-by: Michael Tremer commit 057ec0913f4bce2dd1dcf3e1e9f779fcec127ef3 Author: Matthias Fischer Date: Sun Jan 25 11:12:37 2026 +0100 tmux: Update to 3.6a For details see: https://raw.githubusercontent.com/tmux/tmux/3.6a/CHANGES "CHANGES FROM 3.6 TO 3.6a * Fix a buffer overread and an infinite loop in format processing (reported by Giorgi Kobakhia, issue 4735). * Allow drag in alternate screen again (issue 4743 reported by Brad King). * Fix y offset of mouse if status at top (issue 4738 from Michael Grant). * Add a missing skin tone (from Jake Stewart, issue 4736). * Allow characters to be combined in either order (issue 4726, reported by Jake Stewart). * Fix horizontal mouse resizing when pane status lines are on (from Michael Grant, issue 4720). * Fix noattr so it does not delete attributes set in the style itself (issue 4713). * Newer libevents do not allow event_del on a zero'd event (issue 4706). * Place cursor on correct line if message-line is not 0 (issue 4707). * Fix compile error on FreeBSD (from Yasuhiro Kimura, issue 4701). CHANGES FROM 3.5a TO 3.6 * Add seconds options for clock mode (issue 4697). * Add a resize callback for menus so that they are correctly moved on resize (issue 4696). * Make -v to source-file pass through to subsequent source-file commands (issue 4216). * If display-popup is used inside a popup, modify that popup (issue 4678). * Add selection-mode command to expilcitly set the selection mode in copy mode (issue 3842). * Save and restore images in alternate screen (issue 3732). * Ignore Hangul filler character (issue 3998). * Improve handling of regional indicators and emoji modifiers (issue 3998). * Preserve marked pane with swap-window and move-window (issue 3443). * Set and check COLORTERM as a hint for RGB colour. * If tmux receives a palette request (OSC 4) in a pane and the palette entry has not been set, send a request to the most recently used client and forward any response instead (based on change from Tim Culverhouse, issue 4665). * Add -l flag to command-prompt to disable splitting into multiple prompts (issue 4483). * Don't enter copy mode on mouse wheel in alternate screen (issue 3705). * Add commands to centre the cursor in copy mode (issue 4662). * Support case insensitive search in modes in the same way as copy mode (like emacs, so all-lowercase means case insensitive) (issue 4396). * Fix the logic of the no-detached case for the detach-on-destroy option (from Martin Louazel, issue 4649). * Add buffer_full format variable (from Mohammad AlSaleh, issue 4630). * Introduce a new window option, tiled-layout-max-columns, which configures the maximum number of columns in the tiled layout. * Add support for DECRQSS SP q (report cursor style), DECRQM ?12 (report cursor blink state) and DECRQM ?2004, ?1004, ?1006 (report mouse state) ( rom Andrea Alberti, issue 4618). * Fix missing argument from OSC 4 reply (issue 4596). * Add -k flag to display-popup which allows any key to dismiss the popup once the command has exited (from Meriel Luna Mittelbach, issue 4612). * Add nicer default second and third status lines (from Michael Grant, issue 4490). * Add a pane-border-lines "spaces" value to use spaces for pane borders (issue 4587). * Replace invalid UTF-8 characters with the placeholder instead of ignoring them (issue 4514). * Fix incorrect handling of Korean Hangul Jamo characters (from Roy Jung, issue 4546). * Allow uppercase letters in gray/grey color names (from Pavel Roskin, issue 4560). * Add sorting to W, P, L loop operators (from Michael Grant, issue 4516). * Detect support for OSC 52 using the device attributes report (from James Holderness, issue 4539). * Add noattr for styles and use in mode-style to allow whether attributes are ignored or used to be configured (issue 4498). * Add a set-default style attribute which replaces the current default colours and attributes completely. * Add -E to run-shell to forward stderr as well as stdout (issue 4246). * Add an option variation-selector-always-wide to instruct tmux not to always interpret VS16 as a wide character and assume the terminal does likewise. * Switch to getopt_long from OpenSSH (from Koichi Murase, issue 4492). * Add more features for boolean expressions in formats: 1) extend && and || to support arbitrarily many arguments and 2) add ! and !! for not and not-not (from David Mandelberg). * Do not mistake other DCS sequences for SIXEL sequences (from James Holderness, issue 4488). * Improve #? conditional expression in formats: add support for else if and default empty string if no else value (from David Mandelberg, issue 4451). * Add default-client-command to set the command used if tmux is run without a command; the default stays new-session (from David Mandelberg, issue 4422). * Add S-Up and S-Down to move windows in tree mode (from David Mandelberg, issue 4415). * Add mode 2031 support to automatically report dark or light theme. tmux will guess the theme from the background colour on terminals which do not themselves support the escape sequence (from Jonathan Slenders, issue 4353). * Add -M flag to capture-pane to use the copy mode screen (issue 4358). * Align index numbers in trees (from David Mandelberg, issue 4360). * Add display-message -C flag to update pane while message is displayed (from Vitaly Ostrosablin, issue 4363). * Make list-commands command show only one command if an argument is given (from Ilya Grigoriev, issue 4352). * Count line numbers correctly inside strings in configuration files (reported by Pedro Navarro, issue 4325). * Map bright black (colour 8) to white (7) if the background is black on terminals with only eight colours so the text is not invisible (from Dmytro Bagrii, issue 4322). * New codepoint-widths option allowing users to override the width of individual Unicode codepoints. * Add a nesting limit to source-file (from Fadi Afani, issue 4223). * Add copy-mode-position-style and copy-mode-selection-style options for copy mode. * Add no-detach-on-destroy client option (issue 4242). * Add input-buffer-size option (from Ken Lau). * Add support for a scrollbar at the side of each pane. New options pane-scrollbars turn them on or off, pane-scrollbars-position sets the position (left or right), and pane-scrollbars-style to set the colours (from Michael Grant, issue 4221). * Allow control characters to be entered at the command prompt by prefixing with C-v (from Alexander Arch, issue 4206). * Do not attempt to search for zero length strings (from Alexander Arch, issue 4209). * Preserve tabs for copying and capture-pane (from Alexander Arch, issue 4201). * Increase the maximum for repeat-time. * Adjust how Ctrl and Meta keys are sent to use standard representation if available in mode 1 (from Stanislav Kljuhhin, issue 4188). * Allow attributes in menu style (from Japin Li, issue 4194). * Add a sixel_support format variable which is 1 if SIXEL is supported, always 0 on OpenBSD (requested by Misaki Masa, issue 4177). * Add prompt-cursor-colour and prompt-cursor-style to set the style of the cursor in the command prompt and remove the emulated cursor (from Alexander Arch, issue 4170). * Add initial-repeat-time option to allow the first repeat time to be increased and later reduced (from David le Blanc, issue 4164). * Send focus events to pane when entering or leaving popup (issue 3991). * Add copy-mode-position-format to configure the position indicator. * Add -y flag to disable confirmation prompts in modes (issue 4152). * Add -C and -P flags to the copy commands in copy mode: -C prevents the commands from sending the text to the clipboard and -P prevents them from adding the text as a paste buffer (issue 4153). * Preserve transparency and raster attribute dimensions when sending a SIXEL image, and avoid collapsing empty lines (issue 4149). * Bypass permission check for Cygwin (based on a change by Yuya Adachi via Rafael Kitover, issue 4148). * Add MSYSTEM to default update-environment (for Cgywin). * Set client stdout file descriptor also for Cgywin (from Michael Wild via Rafael Kitover, issue 4148). * Use global cursor style and colour options for modes instead of default (issue 4117). * Fix pasting so it does not interpret keys but instead copies the input without interpretation (reported by Mark Kelly). * Try to query window pixel size from the outside terminal if the values returned by TIOCGWINSZ are zero (Dmitry Galchinsky, issue 4099)." Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 4f2509061feb556fe9516dbe072c450e7d3d0ccb Author: Stefan Schantl Date: Sun Jan 25 17:04:49 2026 +0100 rust-spdx: Fix rootfile Fix accidently replaced "+" on some license files. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit 5bed6fd3c3d656b42ba72687129cdbde2f75e7a5 Author: Stefan Schantl Date: Sun Jan 25 17:04:48 2026 +0100 rust-wasip2: Fix rootfile Fix the accidently replaced "+" in the middle of the directory name. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit f7cb51d6efc62d552900a2f4c5ec28920f302426 Author: Arne Fitzenreiter Date: Tue Jan 27 09:02:19 2026 +0100 kernel: update to 6.18.7 Signed-off-by: Arne Fitzenreiter commit 139af25a8c8baf059964e95eba25c39c537b46f5 Author: Michael Tremer Date: Sat Jan 24 12:11:28 2026 +0000 make.sh: Exempt more rust packages from rootfile check Signed-off-by: Michael Tremer commit 123354a26fc5f6852049586c177483dbeb4762c2 Author: Michael Tremer Date: Sat Jan 24 12:06:53 2026 +0000 rust: Fix trailing whitespace after source checksums These caused that the source tarball could not be downloaded. Signed-off-by: Michael Tremer commit 59ee11c3fea569653c548198140b55df1bc13f5b Author: Michael Tremer Date: Fri Jan 23 14:54:39 2026 +0000 clamav: Bump package release Signed-off-by: Michael Tremer commit cf60194f7f571cf138aef0a6d03e76406103db4e Author: Adolf Belka Date: Fri Jan 23 14:59:08 2026 +0100 clamav: Update to version 1.5.1 - Update from version 1.4.3 to 1.5.1 - Update of rootfile - From version 1.5.0 clamav added signing/verification of the signature file downloads with external .sign files. -D CVD_CERTS_DIRECTORY=/etc/clamav/certs has been added as a build option to create the certs directory and to install the clamav.crt file - Tested out the execution of this version on a vm testbed. The .sign files were correctly downloaded and the databases approved. This was also the case with a reboot. This was where users had a problem with the version relaesed in CU199 after they had manually created a directory. - Changelog 1.5.1 ClamAV 1.5.1 is a patch release with the following fixes: * Fixed a significant performance issue when scanning some PE files * Fixed an issue recording file entries from a ZIP archive central directory which resulted in "Heuristics.Limits.Exceeded.MaxFiles" alerts when using the ClamScan --alert-exceeds-max command line option or ClamD AlertExceedsMax config file option * Improved performance when scanning TNEF email attachments * Fixed an issue with recording metadata for OOXML office documents * Fixed an issue with signature matches for VBA in OLE2 office documents * Loosened overly restrictive rules for embedded file identification and increased the limit for finding PE files embedded in other PE files * Fixed an issue with extracting some RAR archives embedded in other files * Fixed an issue with calculating fuzzy hashes affecting some images by updating the version for several Rust library dependencies * This release does not require a newer version of the Rust compiler toolchain than what was required for ClamAV 1.5.0 GitHub pull request 1.5.0 Major changes * Added checks to determine if an OLE2-based Microsoft Office document is encrypted. GitHub pull request * Added the ability to record URIs found in HTML if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record HTML URIs. The ClamScan command-line option is --json-store-html-uris=no. The clamd.conf config option is JsonStoreHTMLURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_HTML_URIS GitHub pull request #1 GitHub pull request #2 GitHub pull request #3 * Added the ability to record URIs found in PDFs if the generate-JSON-metadata feature is enabled. Also adds an option to disable this in case you want the JSON metadata feature but do not want to record PDF URIs. The ClamScan command-line option is --json-store-pdf-uris=no. The clamd.conf config option is JsonStorePDFURIs no. The libclamav general scan option is CL_SCAN_GENERAL_STORE_PDF_URIS GitHub pull request #1 GitHub pull request #2 GitHub pull request #3 GitHub pull request #4 * Added regex support for the clamd.conf OnAccessExcludePath config option. This change courtesy of GitHub user b1tg. GitHub pull request * Added CVD signing/verification with external .sign files. Freshclam will now attempt to download external signature files to accompany existing .cvd databases and .cdiff patch files. Sigtool now has commands to sign and verify using the external signatures. ClamAV now installs a 'certs' directory in the app config directory (e.g., /etc/certs). The install path is configurable. The CMake option to configure the CVD certs directory is -D CVD_CERTS_DIRECTORY=PATH New options to set an alternative CVD certs directory: Added two new APIs to the public clamav.h header: cl_error_t cl_cvdverify_ex( const char *file, const char *certs_directory, uint32_t dboptions); cl_error_t cl_cvdunpack_ex( const char *file, const char *dir, const char *certs_directory, uint32_t dboptions); The original cl_cvdverify and cl_cvdunpack are deprecated. Added a cl_engine_field enum option CL_ENGINE_CVDCERTSDIR. You may set this option with cl_engine_set_str and get it with cl_engine_get_str, to override the compiled in default CVD certs directory. Thank you to Mark Carey at SAP for inspiring work on this feature with an initial proof of concept for external-signature FIPS compliant CVD signing. GitHub pull request #1 GitHub pull request #2 GitHub pull request #3 GitHub pull request #4 * The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is --cvdcertsdir PATH * The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is CVD_CERTS_DIR * The config option for Freshclam and ClamD is CVDCertsDirectory PATH * Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like limits disabling MD5 and SHA1 from being used for verifying digital signatures or for being used to trust a file when checking for false positives (FPs). For freshclam.conf and clamd.conf set this config option: FIPSCryptoHashLimits yes For clamscan and sigtool use this command-line option: --fips-limits For libclamav: Enable FIPS-limits for a ClamAV engine like this: cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1); ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will automatically enable the FIPS-limits feature. This change mitigates safety concerns over the use of MD5 and SHA1 algorithms to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments. Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection purposes or for informational purposes in FIPS-enabled environments and when the FIPS-limits option is enabled. GitHub pull request * Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5). The clean-file cache algorithm is not configurable. This change resolves safety concerns over the use of MD5 to trust files and is required to enable ClamAV to operate legitimately in FIPS-mode enabled environments. GitHub pull request #1 GitHub pull request #2 * ClamD: Added an option to disable select administrative commands including SHUTDOWN, RELOAD, STATS and VERSION. The new clamd.conf options are: EnableShutdownCommand yes EnableReloadCommand yes EnableStatsCommand yes EnableVersionCommand yes This change courtesy of GitHub user ChaoticByte. GitHub pull request * libclamav: Added extended hashing functions with a "flags" parameter that allows the caller to choose if they want to bypass FIPS hash algorithm limits: cl_error_t cl_hash_data_ex( const char *alg, const uint8_t *data, size_t data_len, uint8_t **hash, size_t *hash_len, uint32_t flags); cl_error_t cl_hash_init_ex( const char *alg, uint32_t flags, cl_hash_ctx_t **ctx_out); cl_error_t cl_update_hash_ex( cl_hash_ctx_t *ctx, const uint8_t *data, size_t length); cl_error_t cl_finish_hash_ex( cl_hash_ctx_t *ctx, uint8_t **hash, size_t *hash_len, uint32_t flags); void cl_hash_destroy(void *ctx); cl_error_t cl_hash_file_fd_ex( const char *alg, int fd, size_t offset, size_t length, uint8_t **hash, size_t *hash_len, uint32_t flags); GitHub pull request * ClamScan: Improved the precision of the bytes-scanned and bytes-read counters. The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB", or "B" as appropriate. Previously, it always reported "MB". GitHub pull request * ClamScan: Add hash & file-type in/out CLI options: We will not be adding this for ClamDScan, as we do not have a mechanism in the ClamD socket API to receive scan options or a way for ClamD to include scan metadata in the response. GitHub pull request * --hash-hint: The file hash so that libclamav does not need to calculate it. The type of hash must match the --hash-alg. * --log-hash: Print the file hash after each file scanned. The type of hash printed will match the --hash-alg. * --hash-alg: The hashing algorithm used for either --hash-hint or --log-hash. Supported algorithms are "md5", "sha1", "sha2-256". If not specified, the default is "sha2-256". * --file-type-hint: The file type hint so that libclamav can optimize scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with the specified type. See also: https://docs.clamav.net/appendix/FileTypes.html#file-types * --log-file-type: Print the file type after each file scanned. * libclamav: Added new scan functions that provide additional functionality: cl_error_t cl_scanfile_ex( const char *filename, cl_verdict_t *verdict_out, const char **last_alert_out, uint64_t *scanned_out, const struct cl_engine *engine, struct cl_scan_options *scanoptions, void *context, const char *hash_hint, char **hash_out, const char *hash_alg, const char *file_type_hint, char **file_type_out); cl_error_t cl_scandesc_ex( int desc, const char *filename, cl_verdict_t *verdict_out, const char **last_alert_out, uint64_t *scanned_out, const struct cl_engine *engine, struct cl_scan_options *scanoptions, void *context, const char *hash_hint, char **hash_out, const char *hash_alg, const char *file_type_hint, char **file_type_out); cl_error_t cl_scanmap_ex( cl_fmap_t *map, const char *filename, cl_verdict_t *verdict_out, const char **last_alert_out, uint64_t *scanned_out, const struct cl_engine *engine, struct cl_scan_options *scanoptions, void *context, const char *hash_hint, char **hash_out, const char *hash_alg, const char *file_type_hint, char **file_type_out); The older cl_scan*() functions are now deprecated and may be removed in a future release. See clamav.h for more details. GitHub pull request * libclamav: Added a new engine option to toggle temp directory recursion. Temp directory recursion is the idea that each object scanned in ClamAV's recursive extract/scan process will get a new temp subdirectory, mimicking the nesting structure of the file. Temp directory recursion was introduced in ClamAV 0.103 and is enabled whenever --leave-temps / LeaveTemporaryFiles is enabled. In ClamAV 1.5, an application linking to libclamav can separately enable temp directory recursion if they wish. For ClamScan and ClamD, it will remain tied to --leave-temps / LeaveTemporaryFiles options. The new temp directory recursion option can be enabled with: cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1); GitHub pull request * libclamav: Added a class of scan callback functions that can be added with the following API function: void cl_engine_set_scan_callback(struct cl_engine *engine, clcb_scan callback, cl_scan_callback_t location); The scan callback location may be configured using the following five values: Each callback may alter scan behavior using the following return codes: Each callback is given a pointer to the current scan layer from which they can get previous layers, can get the layer's fmap, and then various attributes of the layer and of the fmap. To make this possible, there are new APIs to query scan-layer details and fmap details: cl_error_t cl_fmap_set_name(cl_fmap_t *map, const char *name); cl_error_t cl_fmap_get_name(cl_fmap_t *map, const char **name_out); cl_error_t cl_fmap_set_path(cl_fmap_t *map, const char *path); cl_error_t cl_fmap_get_path(cl_fmap_t *map, const char **path_out, size_t *offset_out, size_t *len_out); cl_error_t cl_fmap_get_fd(const cl_fmap_t *map, int *fd_out, size_t *offset_out, size_t *len_out); cl_error_t cl_fmap_get_size(const cl_fmap_t *map, size_t *size_out); cl_error_t cl_fmap_set_hash(const cl_fmap_t *map, const char *hash_alg, char hash); cl_error_t cl_fmap_have_hash(const cl_fmap_t *map, const char *hash_alg, bool *have_hash_out); cl_error_t cl_fmap_will_need_hash_later(const cl_fmap_t *map, const char *hash_alg); cl_error_t cl_fmap_get_hash(const cl_fmap_t *map, const char *hash_alg, char **hash_out); cl_error_t cl_fmap_get_data(const cl_fmap_t *map, size_t offset, size_t len, const uint8_t **data_out, size_t *data_len_out); cl_error_t cl_scan_layer_get_fmap(cl_scan_layer_t *layer, cl_fmap_t **fmap_out); cl_error_t cl_scan_layer_get_parent_layer(cl_scan_layer_t *layer, cl_scan_layer_t **parent_layer_out); cl_error_t cl_scan_layer_get_type(cl_scan_layer_t *layer, const char **type_out); cl_error_t cl_scan_layer_get_recursion_level(cl_scan_layer_t *layer, uint32_t *recursion_level_out); cl_error_t cl_scan_layer_get_object_id(cl_scan_layer_t *layer, uint64_t *object_id_out); cl_error_t cl_scan_layer_get_last_alert(cl_scan_layer_t *layer, const char **alert_name_out); cl_error_t cl_scan_layer_get_attributes(cl_scan_layer_t *layer, uint32_t *attributes_out); This deprecates, but does not immediately remove, the existing scan callbacks: void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback); void cl_engine_set_clcb_file_inspection(struct cl_engine *engine, clcb_file_inspection callback); void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback); void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback); void cl_engine_set_clcb_virus_found(struct cl_engine *engine, clcb_virus_found callback); void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback); There is an interactive test program to demonstrate the new callbacks. See: examples/ex_scan_callbacks.c GitHub pull request * CL_SCAN_CALLBACK_PRE_HASH: Occurs just after basic file-type detection and before any hashes have been calculated either for the cache or the gen-json metadata. * CL_SCAN_CALLBACK_PRE_SCAN: Occurs before parser modules run and before pattern matching. * CL_SCAN_CALLBACK_POST_SCAN: Occurs after pattern matching and after running parser modules. A.k.a. the scan is complete for this layer. * CL_SCAN_CALLBACK_ALERT: Occurs each time an alert (detection) would be triggered during a scan. * CL_SCAN_CALLBACK_FILE_TYPE: Occurs each time the file type determination is refined. This may happen more than once per layer. * CL_BREAK: Scan aborted by callback. The rest of the scan is skipped. This does not mark the file as clean or infected, it just skips the rest of the scan. * CL_SUCCESS / CL_CLEAN: File scan will continue. For CL_SCAN_CALLBACK_ALERT: This means you want to ignore this specific alert and keep scanning. This is different than CL_VERIFIED because it does not affect prior or future alerts. Return CL_VERIFIED instead if you want to remove prior alerts for this layer and skip the rest of the scan for this layer. * CL_VIRUS: This means you do not trust the file. A new alert will be added. For CL_SCAN_CALLBACK_ALERT: This means you agree with the alert and no extra alert is needed. * CL_VERIFIED: Layer explicitly trusted by the callback and previous alerts removed for THIS layer. You might want to do this if you trust the hash or verified a digital signature. The rest of the scan will be skipped for THIS layer. For contained files, this does NOT mean that the parent or adjacent layers are trusted. * Signature names that start with "Weak." will no longer alert. Instead, they will be tracked internally and can be found in scan metadata JSON. This is a step towards enabling alerting signatures to depend on prior Weak indicator matches in the current layer or in child layers. GitHub pull request * For the "Generate Metadata JSON" feature: GitHub pull request * The "Viruses" array of alert names has been replaced by two new arrays that include additional details beyond just signature name: * "Indicators" records three types of indicators: * Strong indicators are for traditional alerting signature matches and will halt the scan, except in all-match mode. * Potentially Unwanted indicators will only cause an alert at the end of the scan unless a Strong indicator is found. They are treated the same as Strong indicators in all-match mode. * Weak indicators do not alert and will be leveraged in a future version as a condition for logical signature matches. * "Alerts" records only alerting indicators. Events that trust a file, such as false positive signatures, will remove affected indicators, and mark them as "Ignored" in the "Indicators" array. * Add new option to calculate and record additional hash types when the "generate metadata JSON" feature is enabled: * libclamav option: CL_SCAN_GENERAL_STORE_EXTRA_HASHES * ClamScan option: --json-store-extra-hashes (default off) * clamd.conf option: JsonStoreExtraHashes (default 'no') * The file hash is now stored as "sha2-256" instead of "FileMD5". If you enable the "extra hashes" option, then it will also record "md5" and "sha1". * Each object scanned now has a unique "Object ID". * Sigtool: Renamed the sigtool option --sha256 to --sha2-256. The original option is still functional but is deprecated. GitHub pull request Other improvements * Set a limit on the max-recursion config option. Users will no longer be able to set max-recursion higher than 100. This change prevents errors on start up or crashes if encountering a file with that many layers of recursion. GitHub pull request * Build system: CMake improvements to support compiling for the AIX platform. This change is courtesy of GitHub user KamathForAIX. GitHub pull request * Improve support for extracting malformed zip archives. This change is courtesy of Frederick Sell. GitHub pull request * Windows: Code quality improvement for the ClamScan and ClamDScan --move and --remove options. This change is courtesy of Maxim Suhanov. GitHub pull request * Added file type recognition for an initial set of AI model file types. The file type is accessible to applications using libclamav via the scan callback functions and as an optional output parameter to the scan functions: cl_scanfile_ex(), cl_scanmap_ex(), and cl_scandesc_ex(). When scanning these files, type will now show "CL_TYPE_AI_MODEL" instead of "CL_TYPE_BINARY_DATA". GitHub pull request * Added support for inline comments in ClamAV configuration files. This change is courtesy of GitHub user userwiths. GitHub pull request * Disabled the MyDoom hardcoded/heuristic detection because of false positives. GitHub pull request * Sigtool: Added support for creating .cdiff and .script patch files for CVDs that have underscores in the CVD name. Also improved support for relative paths with the --diff command. GitHub pull request * Windows: Improved support for file names with UTF-8 characters not found in the ANSI or OEM code pages when printing scan results or showing activity in the ClamDTOP monitoring utility. Fixed a bug with opening files with such names with the Sigtool utility. GitHub pull request #1 GitHub pull request #2 * Improved the code quality of the ZIP module. Added inline documentation. GitHub pull request #1 GitHub pull request #2 * Always run scan callbacks for embedded files. Embedded files are found within other files through signature matches instead of by parsing. They will now be processed the same way and then they can trigger application callbacks (e.g., "pre-scan", "post-scan", etc.). A consequence of this change is that each embedded file will be pattern- matched just like any other extracted file. To minimize excessive pattern matching, file header validation checks were added for ZIP, ARJ, and CAB. Also fixed a bug with embedded PE file scanning to reduce unnecessary matching. This change will impact scans with both the "leave-temps" feature and the "force-to-disk" feature enabled, resulting in additional temporary files. GitHub pull request #1 GitHub pull request #2 * Added DevContainer templates to the ClamAV Git repository in order to make it easier to set up AlmaLinux or Debian development environments. GitHub pull request * Removed the "Heuristics.XZ.DicSizeLimit" alert because of potential unintended alerts based on system state. GitHub pull request * Improved support for compiling on Solaris. This fix courtesy of Andrew Watkins. GitHub pull request * Improved support for compiling on GNU/Hurd. This fix courtesy of Pino Toscano. GitHub pull request * Improved support for linking with the NCurses library dependency when libtinfo is built as a separate library. GitHub pull request Bug fixes * Reduced email multipart message parser complexity. GitHub pull request * Fixed possible undefined behavior in inflate64 module. The inflate64 module is a modified version of the zlib library, taken from version 1.2.3 with some customization and with some cherry-picked fixes. This adds one additional fix from zlib 1.2.9. Thank you to TITAN Team for reporting this issue. GitHub pull request * Fixed a bug in ClamD that broke reporting of memory usage on Linux. The STATS command can be used to monitor ClamD directly or through ClamDTOP. The memory stats feature does not work on all platforms (e.g., Windows). GitHub pull request * Windows: Fixed a build issue when the same library dependency is found in two different locations. GitHub pull request * Fixed an infinite loop when scanning some email files in debug-mode. This fix is courtesy of Yoann Lecuyer. GitHub pull request * Fixed a stack buffer overflow bug in the phishing signature load process. This fix is courtesy of GitHub user Shivam7-1. GitHub pull request * Fixed a race condition in the Freshclam feature tests. This fix is courtesy of GitHub user rma-x. GitHub pull request * Windows: Fixed a 5-byte heap buffer overread in the Windows unit tests. This fix is courtesy of GitHub user Sophie0x2E. GitHub pull request * Fix double-extraction of OOXML-based office documents. GitHub pull request * ClamBC: Fixed crashes on startup. GitHub pull request * Fixed an assortment of issues found with Coverity static analysis. GitHub pull request #1 GitHub pull request #2 * Fixed libclamav unit test, ClamD, and ClamDScan Valgrind test failures affecting some platforms. GitHub pull request #1 GitHub pull request #2 * Fixed crash in the Sigtool program when using the --html-normalize option. GitHub pull request * Fixed some potential NULL-pointer dereference issues if memory allocations fail. Fix courtesy of GitHub user JiangJias. GitHub pull request Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit da2bd7ada59884d736c7ea8a843b3f22a865c3a0 Author: Michael Tremer Date: Fri Jan 23 14:51:48 2026 +0000 oci-cli: Add missing dependencies Since the last update, the OCI CLI package requires some extra Python dependenices. I find it very annoying that Python won't check this during build time, so I added an extra step where we will run "oci --help" and see if the command is coming up at all. Hopefully that will be sufficient any no further Python modules will be loaded whenever they are needed. Signed-off-by: Michael Tremer commit dafb967f5bcaafb1f412326e2f755dc382f47dbf Author: Michael Tremer Date: Fri Jan 23 10:34:48 2026 +0000 python3-cryptography: Bump package version due to the Rust update Signed-off-by: Michael Tremer commit 934a30f84f8b3e2b659f5c6d76ca6177186da6e3 Author: Michael Tremer Date: Fri Jan 23 10:34:23 2026 +0000 clamav: Bump package version due to the Rust update Signed-off-by: Michael Tremer commit 00a30415384d82d205780556be7e19f5df1f791a Author: Stefan Schantl Date: Fri Jan 23 06:26:55 2026 +0100 cbindgen: New package cbindgen creates C/C++11 headers for Rust libraries which expose a public C API. This tool is required to build the patched version of suricata and any upcomming major versions of suricata. * Add a lot of new rust modules in order to provide all dependencies and their dependencies in order to build the tool. * Adjusted build order in make.sh Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit 48b14104f63556df61d156b5b4faebc789c29fde Author: Stefan Schantl Date: Fri Jan 23 06:26:54 2026 +0100 rust: Update to 1.92.0 This is an update to the latest stable release of rust Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit cbcffd36c0b50e542037eaa8ae411ac746833c4b Author: Stefan Schantl Date: Fri Jan 23 06:26:53 2026 +0100 suricata: Add upstream patch to purge sgh-mpm-caches This patch is collection of the recently merged upstream patches to allow purging the sgh-mpm-cache (hyperscan) after a specified amount of time. (https://github.com/OISF/suricata/pull/14630) I've set this to the upstreams example default of 7 days for now. Fixes #13926. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit ca92f93c45dbc63d2ac71d3b3ed15e1df7e2a0d3 Author: Michael Tremer Date: Fri Jan 23 09:48:15 2026 +0000 core200: Ship /etc/rc.d/init.d/functions Signed-off-by: Michael Tremer commit 2a241fd28afb46527a6827630fc4f4576d71b343 Author: Michael Tremer Date: Mon Jan 19 16:21:40 2026 +0000 hostapd: Bump package version Signed-off-by: Michael Tremer commit e539a5967ea724c7228fb7fffa47e85d85b6fae3 Author: Michael Tremer Date: Mon Jan 19 16:21:39 2026 +0000 initscripts: functions: Permit ! in the value of key/value files Signed-off-by: Michael Tremer commit 378d863d0b458883ea3bd9ee56d425c70bd965f0 Author: Michael Tremer Date: Mon Jan 19 16:21:38 2026 +0000 readhash: Fix the quote check The single quotes changed bash's behaviour to interpret the * character literally, but this is not what we wanted here. We need to escape the single quotes. Signed-off-by: Michael Tremer Reviewed-by: Bernhard Bitsch Signed-off-by: Michael Tremer commit c7cdc586abdccdfa635e7100b7a0d2293a58fc9e Author: Michael Tremer Date: Mon Jan 19 16:21:37 2026 +0000 hostapd: Use the new readhash implementation to read configuration files Signed-off-by: Michael Tremer Reviewed-by: Bernhard Bitsch Signed-off-by: Michael Tremer commit 64ea5031476bb7acc0a65c1b7140193d7093187e Author: Michael Tremer Date: Mon Jan 19 16:21:36 2026 +0000 hostapd: Bring back support for 802.11g/a I just have a little bit of easily accessible testing hardware in form of USB devices which are very suitable for testing, but the one that I found in my drawer doesn't support 802.11n. Signed-off-by: Michael Tremer Reviewed-by: Bernhard Bitsch Signed-off-by: Michael Tremer commit 6818b2b07e7de4fc7ff6609603e11e574c2cb14e Author: Matthias Fischer Date: Thu Jan 22 22:05:48 2026 +0100 bind: Update to 9.20.18 For details see: https://downloads.isc.org/isc/bind9/9.20.18/doc/arm/html/notes.html#notes-for-bind-9-20-18 "Notes for BIND 9.20.18 Security Fixes Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878) Malformed BRID and HHIT records could trigger an assertion failure. This has been fixed. ISC would like to thank Vlatko Kosturjak from Marlink Cyber for bringing this vulnerability to our attention. [GL #5616] Feature Changes Add more information to the rndc recursing output about fetches. This adds more information about active fetches, for debugging and diagnostic purposes. [GL !11305] Bug Fixes Make DNSSEC key rollovers more robust. A manual rollover when the zone was in an invalid DNSSEC state caused predecessor keys to be removed too quickly. Additional safeguards to prevent this have been added: DNSSEC records are not removed from the zone until the underlying state machine has moved back into a valid DNSSEC state. [GL #5458] Fix a catalog zone issue, where member zones could fail to load. A catalog zone member zone could fail to load in some rare cases, when the internally generated zone configuration string exceeded 512 bytes. That condition by itself was not enough for the issue to arise, but it was necessary. This could happen if, for example, the catalog zone's default primary servers list contained a large number of items. This has been fixed. [GL #5658] Allow glue in delegations with QTYPE=ANY. When a query for type ANY triggered a delegation response, all additional data was omitted from the response, including mandatory glue. This has been fixed. [GL #5659] Fix slow speed when signing a large delegation zone with NSEC3 opt-out. BIND 9.20+ took much longer signing a large delegation zone with NSEC3 opt-out compared to version 9.18. This has been fixed. [GL #5672] Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid. A zone that was signed with NSEC3, had opt-out enabled, and was then reconfigured to use NSEC, was published with missing NSEC records. This has been fixed. [GL #5679] Fix a possible catalog zone issue during reconfiguration. The named process could terminate unexpectedly during reconfiguration when a catalog zone update was taking place at the same time. This has been fixed. [GL !11366] Fix the charts in the statistics channel. The charts in the statistics channel could sometimes fail to render in the browser and were completely disabled for Mozilla-based browsers, for historical reasons. This has been fixed. [GL !11018]" Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit edb12c10d24c809642e1287d7c67a027e4dc5bc7 Author: Adolf Belka Date: Wed Jan 21 14:38:56 2026 +0100 core200: Ship vim Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit cef2d5c21fd394460802459b2a753098e3af9af8 Author: Arne Fitzenreiter Date: Fri Jan 23 10:01:41 2026 +0100 make.sh: bump toolchain version Signed-off-by: Arne Fitzenreiter commit 9db65d9b6120a2b6cbb4e9d9d3596869a1214209 Author: Arne Fitzenreiter Date: Wed Jan 21 16:06:20 2026 +0100 core200: ship elinks Signed-off-by: Arne Fitzenreiter commit facb64b87e5ad1ed42dab340d215e22cd435c1fa Author: Arne Fitzenreiter Date: Wed Jan 21 16:02:37 2026 +0100 elinks: update to 0.19.0 v0.19.0: print progress of curl http uploads do not load js scripts if ecmascript is disabled by disallow.txt or allow.txt v0.19.0rc1: option document.browse.margin_auto #360 (hard margins) TERM=dumb for js tests. #361 option document.html.compress_empty_lines #362 css visiblity: hidden support experimental iframe support spartan protocol window.scroll in js inline images support in html documents (meson option kitty) and options document.html.kitty and document.html.sixel. Note that need also enable kitty or sixel in terminal options include-fragment support (now is easier to download something from github) experimental libuv support allow to set color0 to color255 as color toggle-ecmascript-keys action to toggle between Application or Browser mode requestAnimationFrame in js option ui.sessions.auto_save_position #392 option document.html.display_unfinished meson options avif and webp option protocol.mailcap.allow_empty_referrer option ui.leds.redraw_interval fixes in DOS version related to temporary files creation length can be bigger than int in http protocol #396 ignore result of verification for gemini protocol #397 meson option win32-vt100-native for Windows 10 and newer support for chawan's extensions for mailcap (x-ansioutput and x-htmloutput) Polish translation update Serbian translation update elinks.get_option(name) and elinks.set_option(name, value) in Python scripting #406 other small fixes Signed-off-by: Arne Fitzenreiter commit 86321a550f587d18c60c3d070447d071135d6f5b Author: Adolf Belka Date: Wed Jan 21 14:39:07 2026 +0100 vim: Update to version 9.1.2098 - Update from version 9.1.1854 to 9.1.2098 - Update of rootfile - Changelog is not available. Generally each patch version number update is related to a commit entry in the git repository. The details for all the commit changes can be found at https://github.com/vim/vim/commits/master/ Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit bace4712356de951f62328e4b5036a7ab91417f4 Author: Adolf Belka Date: Wed Jan 21 14:39:06 2026 +0100 samba: Update to version 4.23.4 - Update from 4.23.2 to 4.23.4 - No change to the roofiles - Changelog 4.23.4 * BUG 15926: Samba 4.22 breaks Time Machine * BUG 15947: mdssvc doesn't support $time.iso dates before 1970 * BUG 15963: Fix winbind cache consistency * BUG 15897: Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/') in vfswrap_openat * BUG 15950: ctdb can crash with inconsistent cluster lock configuration * BUG 15897: Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/') in vfswrap_openat * BUG 15809: samba-bgqd: rework man page * BUG 15936: samba-bgqd can't find [printers] share * BUG 15955: Winbind can hang forever in gssapi if there are network issues. * BUG 15961: libldb requires linking libreplace on Linux 4.23.3 * BUG 15926: Samba 4.22 breaks Time Machine. * BUG 15927: Spotlight search restriction for shares incomplete and default search searches in too many attributes. * BUG 15930: Searching for numbers doesn't work with Spotlight. * BUG 15931: rpcd_mdssvc may crash because name mangling is not initialized. * BUG 15933: Only increment lease epoch if a lease was granted. * BUG 15940: vfs_recycle does not update mtime. * BUG 15943: samba-log-parser fails with UnicodeDecodeError: 'utf-8' codec can't decode byte. * BUG 15935: Crash in ctdbd on failed updateip. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 73a000ea6d6e71ed3f0ba8e50737aa4ab69104c2 Author: Adolf Belka Date: Wed Jan 21 14:39:05 2026 +0100 opus: Update to version 1.6.1 - Update from version 1.5.2 to 1.6.1 - Update of rootfile - Changelog 1.6.1 fixes several minor issues that were discovered since the 1.6 release. 1.6.0 Opus 1.6 builds on the new ML-based features introduced in Opus 1.5. Major changes since 1.5 include: - A new wideband-to-fullband bandwidth extension (BWE) module - Support for 96 kHz audio with Opus HD - Significant improvement to Deep Redundancy (DRED) - A new 24-bit encoder/decoder API Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 1ec964d26118daee00dfa56ebfa4779aeb3c64cf Author: Adolf Belka Date: Wed Jan 21 14:38:55 2026 +0100 core200: Ship ninja Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer