commit a565452c975fb9567c6bc85c8a32eec872d47d78
Author: Matthias Fischer
Date: Tue Mar 25 19:08:51 2025 +0100

    suricata: Update to 7.0.10

    For details see:
    https://suricata.io/2025/03/25/suricata-7-0-10-released/

    "This is an extra release to address a critical issue in 7.0.9 affecting
    AF_PACKET users: setting a BPF would cause Suricata to fail to start up.
    As this affected many users, we’ve decided to push this release earlier
    than originally planned. Our QA processes have been updated to avoid
    similar issues going forward."

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit ee8b09e77d006492f89f7a8d39c4ef3787f279c4
Author: Michael Tremer
Date: Tue Mar 25 15:46:54 2025 +0000

    core194: Remove libidn

    Signed-off-by: Michael Tremer

commit 28867b07c217d0cb2a855c1e1e6ac42ac2f5f32e
Author: Adolf Belka
Date: Mon Mar 24 18:44:26 2025 +0100

    libidn: Removal of package as no longer needed.

    - A while back elinks changed from using libidn to libidn2. At that time
      that left ghostscript as the only package still using libidn. With the
      removal of cups and associated packages, including ghostscript, libidn
      is no longer used. libidn2 is used where required now.
    - This removes the lfs and rootfiles and removes the entry from the
      make.sh file.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 52d025342d0b804d71e1238a5c6c88d59fd973a0
Author: Adolf Belka
Date: Mon Mar 24 18:44:25 2025 +0100

    cifs-utils: Update to version 7.3

    - Update from version 7.1 to 7.3
    - Update of rootfile not required.
    - Changelog
        7.3
            Fix regression in mount.cifs with guest mount option
            cldap_ping: Fix socket fd leak
            resolve_host.c: Initialize site_name
        7.2
            cifs-utils: Skip TGT check if valid service ticket is already available
            docs: update actimeo description
            docs: add max_cached_dirs description
            docs: add esize description
            cifs-utils: support and document password2 mount option
            use enums to check password or password2 in set_password,
              get_password_from_file and minor documentation additions
            Fix compiler warnings in mount.cifs
            Do not pass passwords with sec=none and sec=krb5
            smbinfo: add bash completion support for filestreaminfo, keys, gettconinfo
            cifs-utils: bump version to 7.2
            CIFS.upcall to accomodate new namespace mount opt
            cifs-utils: add documentation for upcall_target
            cifs-utils: avoid using mktemp when updating mtab
            getcifsacl: fix return code check for getting full ACL
            cifscreds: use continue instead of break when matching commands
            cifscreds: allow user to set the key's timeout
            configure.ac: libtalloc is now mandatory
            cldap_ping.c: add missing include

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit a9cebe70db0156b72278f33dc2dcb66bc731b1e8
Author: Michael Tremer
Date: Tue Mar 25 15:39:08 2025 +0000

    core194: Ship abseil-cpp

    Signed-off-by: Michael Tremer

commit 1526aea812a7f354daf50c9edab114f95c762058
Author: Adolf Belka
Date: Mon Mar 24 18:44:24 2025 +0100

    abseil-cpp: Update to version 20250127.0

    - Update from version 20240722.0 to 20250127.0
    - Update of rootfile
    - Changelog
        20250127.0
            What's New:
              Added support for Bazel 8.0
              Added support for Bazel Platforms for better portability
              Added ABSL_ATTRIBUTE_VIEW and ABSL_ATTRIBUTE_OWNER for diagnosing
                certain lifetime issues
              Many performance improvements
              A security issue in hash container create/resize has been fixed.
                Note that the latest patch releases for previous LTS versions
                also address this issue.
            Breaking Changes:
              Bazel BUILD files now reference repositories by their canonical
                names from the Bazel Central Registry. For example, Abseil is
                now @abseil-cpp instead of @com_google_absl, and GoogleTest is
                now @googletest instead of @com_google_googletest. Users still
                using the old WORKSPACE system may need to use repo_mapping on
                repositories that still use the old names. See 90a7ba6 for an
                example.
            Other:
              This will be the last release to support C++14. Future releases
                will require at least C++17.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit f6bc9fef66adde4bdc6e3076b6db081f45764569
Author: Michael Tremer
Date: Tue Mar 25 15:38:10 2025 +0000

    Revert "vpnmain.cgi: Fixes bug13737 - increments the serial number to allow cert regen"

    This reverts commit 7d1d7e0bec4c7f991dbbb622ce414e0b91d14d74.

    Reverted as requested by Adolf due to some work being required on this.

    Signed-off-by: Michael Tremer

commit b992bcc7c7af09f02eb56b40ff0635242b25cc34
Author: Michael Tremer
Date: Mon Mar 24 14:45:12 2025 +0000

    core194: Ship util-linux

    Signed-off-by: Michael Tremer

commit 571144dc501c14d25e1aee8bf898232dd8a13410
Author: Adolf Belka
Date: Mon Mar 24 11:35:51 2025 +0100

    util-linux: Update to version 2.41

    - Update from version 2.40.2 to 2.41
    - Update of rootfile for all three architectures. This time confirmed
      that all three have been edited to remove the + additions to lines.
    - There are two new commands available, bits and coresched. I have
      commented both of these out as they are new and have therefore never
      been used in the past. If they are something that should be used in
      IPFire then the lines can always be uncommented.
    - Changelog
        2.41
            Release highlights - full list of all changes is too large to put
            here (~1400 lines). The details can be found in the source tarball
            /Documentation/releases/v2.41-ReleaseNotes file.
            agetty:
              - Fixed an issue where issue files were not being printed from
                additional locations, such as /run or /usr/lib.
                This change now allows for the use of local information from
                /etc, in addition to generated files from /run and
                distribution-specific files from /usr/lib.
            cfdisk and sfdisk:
              - Added support for the --sector-size command line option.
            sfdisk:
              - Added a new option, --discard-free.
            fdisk:
              - Added a new command, 'T', to discard sectors.
            chrt:
              - The --sched-runtime now supports SCHED_{OTHER,BATCH} policies.
            column:
              - Can now handle ANSI SGR colors inside OSC 8 hyperlink escape
                codes and sequences.
            enosys:
              - Can now dump defined filters.
            libmount:
              - Added experimental support for statmount() and listmount()
                syscalls.
              - This new functionality can be accessed using
                "findmnt --kernel=listmount".
              - Added a new mount option, X-mount.nocanonicalize[=source|target].
              - Added new mount extensions to the "ro" flag (ro[=vfs,fs]).
              - Added a new option, X-mount.noloop, to disable automatic loop
                device creation.
              - Now supports bind symlinks over symlinks.
              - Reads all kernel info/warning/error messages from new API
                syscalls (and mount(8) prints them).
            libuuid:
              - Now supports RFC9562 UUIDs.
            findmnt, lsblk, and lsfd:
              - Added a new --hyperlink command line option to print paths as
                terminal hyperlinks.
            findmnt:
              - Can now address filesystems using --id and --uniq-id (requires
                listmount() kernel support).
            flock:
              - Added support for the --fcntl command line option.
            hardlink:
              - Can now prioritize specified trees on the command line using
                --prioritize-trees.
              - Can exclude sub-trees using --exclude-subtree or keep them in
                the current mount using --mount.
              - Duplicates can now be printed using --list-duplicates.
            hwclock:
              - Added a new --param-index option to address position for
                RTC_PARAM_{GET,SET} ioctls.
            kill:
              - Can now decode signal masks (e.g. as used in /proc) to signal
                names.
            libblkid:
              - Made many changes to improve detection, including exfat, GPT,
                LUKS2, bitlocker, etc.
            login:
              - Added support for LOGIN_ENV_SAFELIST in /etc/login.def.
            lsfd:
              - Now supports pidfs and AF_VSOCK sockets.
            lsipc, ipcmk, ipcrm:
              - Now supports POSIX ipc.
            lslogins:
              - Now supports lastlog2.
            lsns:
              - Added support for the --filter option.
            build by meson:
              - Now supports translated man pages and has fixed many bugs.
            mkswap:
              - The option --file should now be usable on btrfs.
            nsenter:
              - Improved support for pidfd and can now join target process's
                socket net namespace.
            scriptlive:
              - Added a new option, --echo .
            zramctl:
              - Now supports COMP-RATIO and --algorithm-params.
        2.40.4
            libmount:
              - Revert "libmount: exec mount helpers with posixly correct
                argument order"
            po:
              - merge changes
            po-man:
              - merge changes
              - Fix table formatting
        2.40.3
            agetty:
              - Prevent cursor escape
              - add "systemd" to --version output
              - fix ambiguous ‘else’ [-Werror=dangling-else]
            audit-arch.h:
              - add defines for m68k, sh
            autotools:
              - Check for BPF_OBJ_NAME_LEN (required by lsfd)
              - add --disable-enosys, check for linux/audit.h
              - add Libs.private to uuid.pc
              - allow enabling dmesg with --disable-all-programs
              - allow enabling lsblk with --disable-all-programs
              - check for sys/vfs.h and linux/bpf.h
              - fix securedir and pam_lastlog2 install
            bash-completion:
              - add `--pty` and `--no-pty` options for `su` and `runuser`
              - complete `--user` only for `runuser`, not for `su`
            chcpu(8):
              - Document CPU deconfiguring behavior
              - Fix typo
            ci:
              - bump coveralls compiler version to gcc 13
            doc:
              - fsck.8.adoc - fix email typo
            docs:
              - update AUTHORS file
            fdisk:
              - (man) improve --sector-size description
              - fix SGI boot file prompt
              - fix fdisk_sgi_set_bootfile return value
              - fix sgi_check_bootfile name size minimum
              - fix sgi_menu_cb return value
            fincore:
              - Use correct syscall number for cachestat on alpha
            fstab.5 mount:
              - fstab.5 mount.8 add note about field separator
            hardlink:
              - fix memory corruption (size calculation)
              - hardlink.1 directory|file is mandatory
            hwclock:
              - Remove ioperm declare as it causes nested extern declare warning
            lib/env:
              - fix env_list_setenv() for strings without '='
            libblkid:
              - (exfat) validate fields used by prober
              - (gpt) use blkid_probe_verify_csum() for partition array checksum
              - add FSLASTBLOCK for swaparea
              - bitlocker add image for Windows 7+ BitLocker
              - bitlocker fix version on big-endian systems
              - improve portability
            libfdisk:
              - make sure libblkid uses the same sector size
            libmount:
              - exec mount helpers with posixly correct argument order
              - extract common error handling function
              - propagate first error of multiple filesystem types
            libmount/context_mount:
              - fix argument number comments
            logger:
              - correctly format tv_usec
            lscpu:
              - Skip aarch64 decode path for rest of the architectures
              - make code more readable
            lslocks:
              - remove deadcode [coverity scan]
            lsns:
              - ignore ESRCH errors reported when accessing files under /proc
            man pages:
              - document `--user` option for `runuser`
              - use `user` rather than `username`
            meson:
              - check for BPF_OBJ_NAME_LEN and linux/bpf.h
            mkswap:
              - set selinux label also when creating file
            more:
              - make sure we have data on stderr
            nsenter:
              - support empty environ[]
            partx:
              - Fix example in man page
            po:
              - merge changes
              - update de.po (from translationproject.org)
              - update ja.po (from translationproject.org)
              - update pt_BR.po (from translationproject.org)
              - update sr.po (from translationproject.org)
              - update zh_CN.po (from translationproject.org)
            po-man:
              - add missing langs to po4a.cfg
              - fix typo, update .gitignore
              - merge changes
              - update fr.po (from translationproject.org)
              - update pt_BR.po (from translationproject.org)
            tests:
              - fdisk/bsd Update expected output for alpha
            umount, losetup:
              - Document loop destroy behavior
            uuidd:
              - fix /var/lib/libuuid mode uuidd-tmpfiles.conf
              - fix typo in tmpfiles.conf
              - fix /var/lib/libuuid mode uuidd-tmpfiles.conf
              - fix typo in tmpfiles.conf

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3a93c9ddcf9d40bb5c07233f3cc8d417a3e4dfb7
Author: Michael Tremer
Date: Mon Mar 24 09:57:43 2025 +0000

    core194: Ship tzdata

    Signed-off-by: Michael Tremer

commit 1c9edb860f2c4af7e09af788cfd6fe283270b5ec
Author: Adolf Belka
Date: Sun Mar 23 18:34:28 2025 +0100

    tzdata: Update to version 2025b

    - Update from version 2025a to 2025b
    - Update of rootfile
    - Changelog
        2025b
            Briefly:
              New zone for Aysén Region in Chile which moves from -04/-03 to -03.
            Changes to future timestamps
              Chile's Aysén Region moves from -04/-03 to -03 year-round, joining
              Magallanes Region. The region will not change its clocks on
              2025-04-05 at 24:00, diverging from America/Santiago and creating
              a new zone America/Coyhaique. (Thanks to Yonathan Dossow.) Model
              this as a change to standard offset effective 2025-03-20.
            Changes to past timestamps
              Iran switched from +04 to +0330 on 1978-11-10 at 24:00, not at
              year end. (Thanks to Roozbeh Pournader.)
            Changes to code
              'zic -l TIMEZONE -d . -l /some/other/file/system' no longer
              attempts to create an incorrect symlink, and no longer has a read
              buffer underflow. (Problem reported by Evgeniy Gorbanev.)

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit a191b8aeb8c2b5bcdbcd06573b329e85334212e4
Author: Adolf Belka
Date: Sun Mar 23 18:31:14 2025 +0100

    shadow: Update to version 4.17.4

    - Update from version 4.17.3 to 4.17.4
    - Update of rootfile not required
    - Changelog
        4.17.4
            Revert "lib/, src/: Use local time for human-readable dates"
            lib/getdate.y: Ignore time-zone information and use UTC
            src/chfn.c: Partially revert "lib/, src/: Use strsep(3) instead of its pattern"
            src/chfn.c: Use stpsep() instead of its pattern
            src/chfn.c: Add local variable to refer to the separated field
            src/chfn.c: copy_field(): Rename local variable
            lib/commonio.c: Rely on the POSIX.1-2008 behavior of realpath(3)
            lib/fs/readlink/: readlinknul(): Use ssize_t to simplify
            autogen.sh: Promote -Wsign-compare to an error
            lib/sizeof.h: ssizeof(): Add signed variant of sizeof
            src/lastlog.c: Use ssizeof() to avoid a -Wsign-compare diagnostic
            tests/unit/test_xasprintf.c: Fix sign-mismatch diagnostic
            configure.ac: stop checking for utmp location
            configure.ac: be deterministic about passwd location
            lib/, src/: update audit messages
            lib/: audit function for groups
            src/: update group audit messages
            doc/: Remove list of distributions

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3e01ed6ce803e83ba78c07999c420a28312a4947
Author: Michael Tremer
Date: Mon Mar 24 09:57:14 2025 +0000

    core194: Ship libusb

    Signed-off-by: Michael Tremer

commit 08d3b9809d45aaea1714004062d9acb09a080c1b
Author: Adolf Belka
Date: Sun Mar 23 18:26:04 2025 +0100

    libusb: Update to version 1.0.28

    - Update from version 1.0.27 to 1.0.28
    - Update of rootfile
    - Changelog
        1.0.28
            * New libusb_get_ssplus_usb_device_capability_descriptor API for
              query of SuperSpeed+ Capability Descriptors
            * API support for reporting USB 3.2 Gen2x2 speeds
            * macOS: Fix Zero-Length Packet for multiple packets per frame
            * Windows: Base HID device descriptor on OS-cached values
            * Build fixes for Haiku and SunOS
            * Many code correctness fixes

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 380c113b0755aa30eaf8479cb23772eaab6cf759
Merge: ba4bc8da4 d028a679a
Author: Michael Tremer
Date: Fri Mar 21 15:11:05 2025 +0000

    Merge branch 'master' into next

commit d028a679ab0a9a7fd29e2cf31a2fd3761f261fe1
Author: Adolf Belka
Date: Wed Mar 12 12:03:22 2025 +0100

    sources: Update ipblocklist with Threatview.io IP list

    - Blocklist addition was discussed and agreed at IPFire dev conf call in
      March 2025.
    - Tested on vm system.
    - Adjusted the entry alignment for the three 3coresec entries as they had
      used tabs and all the rest used spaces for alignment. Now all entries
      are lined up the same.

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 4c3fa8ead093c2299d45bbc5538271aa41f31be5
Author: Michael Tremer
Date: Fri Mar 21 15:10:08 2025 +0000

    core193: Ship ipblocklist-functions.pl

    Signed-off-by: Michael Tremer

commit 80dc5de20c2fb6e67e7b9a66cab540336f1469bd
Author: Adolf Belka
Date: Wed Mar 12 15:46:10 2025 +0100

    ipblocklist-functions.pl: Specify an IPFire user agent for the downloads

    - As discussed at the IPFire conf call in March 2025, this patch provides
      an IPFire specific User Agent string for the IP Block Lists downloads
      using LWP::UserAgent.
    - It turned out that there was already a function in general-functions.pl
      that creates an IPFire User Agent string. This was used for this IP
      Blocklist download.
    - Currently it gave me the string IPFire/2.29/192.
    - This was tested out with the Threatview.io IP blocklist download and it
      worked fine.
    - If this patch is approved and merged then I will contact Threatview.io
      to let them know what our User Agent string is.

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit ba4bc8da4eec7fdb43d8c0b444aec8b2343deb86
Author: Michael Tremer
Date: Fri Mar 21 15:08:43 2025 +0000

    gcc: Update mpfr to version 4.2.2

    Signed-off-by: Michael Tremer

commit 953337104a45b1d3296d9a474ae57cb789c830f0
Author: Michael Tremer
Date: Fri Mar 21 15:08:02 2025 +0000

    core194: Ship mpfr

    Signed-off-by: Michael Tremer

commit 47bc2d0c30c0fecd135880dd223ff6fb6c375ac0
Author: Adolf Belka
Date: Fri Mar 21 14:30:45 2025 +0100

    mpfr: Update to version 4.2.2

    - Update from version 4.2.1 to 4.2.2
    - Update of rootfile
    - Changelog
        4.2.2
            - In order to resolve a portability issue with the _Float128
              fallback to __float128 for binary128 support (e.g. with Clang
              and glibc 2.41), the prototypes of the corresponding conversion
              functions had to be changed, with _Float128 replaced by
              mpfr_float128, where mpfr_float128 is a macro defined as
              _Float128 by default.
              This changes neither the ABI nor the API (except that the end
              user of MPFR would need to define mpfr_float128 as the actual
              type for the binary128 format if this is not the standard
              _Float128 type).
            - Other bug fixes (see and/or the ChangeLog file). In particular,
              the formatted output functions behaved incorrectly with %c on
              the value 0; such a use is uncommon, but this bug may have
              security implications.
            - Improved MPFR manual.
            - Detect the use of GMP's buggy vsnprintf replacement at configure
              time. With it, the tests of "%a" will be disabled to avoid an
              assertion failure in the MPFR testsuite. A warning will be
              displayed in the configure output in such a case.
              Also, note that due to new tests related to the fix of the
              formatted output functions with %c on the value 0, failures in
              the tfprintf and tsprintf tests may be observed if GMP has been
              built with its vsnprintf replacement (i.e. if GMP detected at
              configure time that the vsnprintf function from the C library is
              buggy/non-conforming). This is due to a bug in the vsnprintf
              replacement from GMP 6.3.0 (official tarball) and below. This
              could be observed on MS Windows and OpenBSD. To get rid of these
              failures, either use a fixed version (recommended!) or build the
              MPFR tests with the MPFR_TESTS_SKIP_CHECK_NULL macro defined.
              See the INSTALL file for other details.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 78646ef87613853692f8ee7498353dff9d90db7a
Author: Michael Tremer
Date: Fri Mar 21 15:07:19 2025 +0000

    samba: Fix riscv64 rootfile (again)

    Signed-off-by: Michael Tremer

commit 11cd611e5c84d124c7a5fabc1792580c0c662df4
Author: Michael Tremer
Date: Fri Mar 21 12:02:38 2025 +0000

    core193: Ship backup.pl and IP blocklist sources

    Signed-off-by: Michael Tremer

commit 2c6dbe05755d81aa0a56969df825915c9df8c739
Author: Michael Tremer
Date: Fri Mar 21 11:10:12 2025 +0000

    samba: Fix riscv64 rootfile

    Signed-off-by: Michael Tremer

commit 75a5b33f2b929b1bc75501b3e4a40b3a84d856a6
Author: Adolf Belka
Date: Fri Mar 21 11:24:56 2025 +0100

    samba: Update to version 4.22.0

    - Update from version 4.21.4
    - Update of rootfile for all three architectures
    - Changelog
        4.22.0
            NEW FEATURES/CHANGES

            SMB3 Directory Leases
              Starting with Samba 4.22 SMB3 Directory Leases are supported.
              The new global option "smb3 directory leases" controls whether
              the feature is enabled or not. By default, SMB3 Directory Leases
              are enabled on non-clustered Samba and disabled on clustered
              Samba, based on the "clustering" option. See man smb.conf for
              more details.
              SMB3 Directory Leases allow clients to cache directory listings
              and, depending on the workload, result in a decent reduction in
              SMB requests from clients.

            Netlogon Ping over LDAP and LDAPS
              Samba must query domain controller information via simple
              queries on the AD rootdse's netlogon attribute. Typically this
              is done via connectionless LDAP, using UDP on port 389. The same
              information is also available via classic LDAP rootdse queries
              over TCP. Samba can now be configured to use TCP via the new
              "client netlogon ping protocol" parameter to enable running in
              environments where firewalls completely block port 389 or UDP
              traffic to domain controllers.

            Experimental Himmelblaud Authentication in Samba
              Samba now includes experimental support for Azure Entra ID
              authentication via `himmelblaud`, located in the `rust/`
              directory. This implementation provides basic authentication and
              is configured through `smb.conf`, utilizing options such as
              `realm`, `winbindd_socket_directory`, and `template_homedir`.
              New global parameters include `himmelblaud_sfa_fallback`,
              `himmelblaud_hello_enabled`, and `himmelblaud_hsm_pin_path`.
              To enable, configure Samba with `--enable-rust --with-himmelblau`.

            AD DC schema upgrade and provision performance improvements
              By increasing the LDB index cache size for certain offline
              operations that are likely to require large transactions, these
              are now several times faster.

            REMOVED FEATURES

              The "nmbd proxy logon" feature was removed. This was used before
              Samba4 acquired a NBT server.

              The parameter "cldap port" has been removed. CLDAP runs over UDP
              port 389, we don't see a reason why this should ever be changed
              to a different port. Moreover, we had several places in the code
              where Samba did not respect this parameter, so the behaviour was
              at least inconsistent.

            fruit:posix_rename
              This option of the vfs_fruit VFS module that could be used to
              enable POSIX directory rename behaviour for OS X clients has
              been removed as it could result in severe problems for Windows
              clients.
              As a possible workaround it is possible to prevent creation of
              .DS_Store files (a Finder thingy to store directory view
              settings) on network mounts by running

                $ defaults write com.apple.desktopservices DSDontWriteNetworkStores true

              on the Mac.

            smb.conf changes

              Parameter Name                  Description     Default
              --------------                  -----------     -------
              smb3 directory leases           New             Auto
              vfs mkdir use tmp name          New             Auto
              client netlogon ping protocol   New             cldap
              himmelblaud hello enabled       New             no
              himmelblaud hsm pin path        New             default hsm pin path
              himmelblaud sfa fallback        New             no
              client use krb5 netlogon        Experimental    no
              reject aes netlogon servers     Experimental    no
              server reject aes schannel      Experimental    no
              server support krb5 netlogon    Experimental    no
              fruit:posix_rename              Removed
              cldap port                      Removed

            CHANGES SINCE 4.22.0rc4
              * BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory`
                on OpenBSD.
              * BUG 15797: Unable to connect to CephFS subvolume shares with
                vfs_shadow_copy2.
              * BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory`
                on OpenBSD.
              * BUG 15820: Incorrect FSF address in ctdb pcp scripts.
              * BUG 15804: "samba-tool domain backup offline" hangs.

            CHANGES SINCE 4.22.0rc3
              * BUG 15815: client use krb5 netlogon is experimental and should
                not be used in production.

            CHANGES SINCE 4.22.0rc2
              * BUG 15738: Creation of GPOs applicable to more than one group
                is impossible with Samba 4.20.0 and later.
              * BUG 15806: samba-tool acl commands broken for relative path names
              * BUG 15807: pysmbd seg faults when file is not found.
              * BUG 15796: Spotlight search results don't show file size and
                creation date.
              * BUG 15759: net ads create/join/winbind producing unix
                dysfunctional keytabs.
              * BUG 15806: samba-tool acl commands broken for relative path names.
              * BUG 15807: pysmbd seg faults when file is not found.
              * BUG 15680: Trust domains are not created.
              * BUG 15680: Trust domains are not created.
              * BUG 15703: General improvements for vfs_ceph_new module.

            CHANGES SINCE 4.22.0rc1
              * BUG 15798: libnet4: seg fault after dc lookup failure

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 19c13b8e997058db1a0ffac90093bfdc2a6eee8a
Author: Michael Tremer
Date: Fri Mar 21 11:08:14 2025 +0000

    core194: Ship bind

    Signed-off-by: Michael Tremer

commit 868b52c2a7b72aca170b5e6228d9108b71716eaf
Author: Matthias Fischer
Date: Thu Mar 20 23:58:22 2025 +0100

    bind: Update to 9.20.7

    For details see:
    https://downloads.isc.org/isc/bind9/9.20.5/doc/arm/html/notes.html#notes-for-bind-9-20-7

    Excerpt:

    "Notes for BIND 9.20.7

    New Features

        Implement the min-transfer-rate-in configuration option. ...
        Add HTTPS record query to host command line tool. ...
        Implement sig0key-checks-limit and sig0message-checks-limit. ...

    Bug Fixes

        Fix dual-stack-servers configuration option. ...
        Fix a data race causing a permanent active client increase. ...
        Fix deferred validation of unsigned DS and DNSKEY records. ...
        Fix RPZ race condition during a reconfiguration. ...
        “CNAME and other data check” not applied to all types. ...
        Relax private DNSKEY and RRSIG constraints. ...
        Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse(). ...
        Fix TTL issue with ANY queries processed through RPZ “passthru”. ...
        dnssec-signzone needs to check for a NULL key when setting offline. ...
        Fix a bug in the statistics channel when querying zone transfer information. ...
        Fix assertion failure when dumping recursing clients. ...
        Dump the active resolver fetches from dns_resolver_dumpfetches()"

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit bae5b30b5217d48851bd41a2f784a68f67573b35
Author: Michael Tremer
Date: Wed Mar 19 16:17:53 2025 +0000

    core194: Ship suricata and libhtp

    Signed-off-by: Michael Tremer

commit 7b333a241306273599367c946c00ea6f5b3920b2
Author: Matthias Fischer
Date: Wed Mar 19 17:16:22 2025 +0100

    suricata: Update to 7.0.9

    Excerpt from changelog:

    "7.0.9 -- 2025-03-18

    Security #7616: datasets: hashsize setting via rules can cause high memory usage (7.0.x backport)(MODERATE - CVE 2025-29916)
    Security #7614: decode_base64: signature can do large memory allocation (7.0.x backport)(HIGH - CVE 2025-29917)
    Security #7527: detect: infinite loop with negated pcre and indefinite recursion limit setting (7.0.x backport)(HIGH - CVE 2025-29918)
    Security #7459: af-packet: defrag option can lead to truncated packets (7.0.x backport)(HIGH - CVE 2025-29915)
    Bug #7581: detect: missing file.data matches without filestore (7.0.x backport)
    Bug #7561: detect: integer underflow with krb5.ticket_encryption (7.0.x backport)
    Bug #7557: quic: valid traffic blocked in IPS mode (7.0.x backport)
    Bug #7555: tls: parser error on unACK'd data in FIN shutdown (7.0.x backport)
    Bug #7553: applayer: misdetection if response is seen first without request (7.0.x backport)
    Bug #7496: detect: protocol probing doesn't finish earlier if opposite dir already had a protocol (7.0.x backport)
    Bug #7493: flow/var: memory leak in lua extension (7.0.x backport)
    Bug #7468: detect: checksum detection broken by stream.checksum-validation (7.0.x backport)
    Bug #7460: eve: empty src_ip and dest_ip values may be logged
    Bug #7448: log/file: nullptr dereference if file was opened more than once (7.0.x backport)
    Bug #7431: flow: multiple Flow Managers scan wrong hash slices (7.0.x backport)
    Bug #7428: tcp: GAP event set on unack'd data following a RST (7.0.x backport)
    Optimization #7088: applayer: track modified
      transactions to avoid walking all live transactions (7.0.x backport)"

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit ecee4cd3d7db6705049997fa4801ff57718fe352
Author: Matthias Fischer
Date: Wed Mar 19 17:16:21 2025 +0100

    libhtp: Update to 0.5.50

    For details see:
    https://github.com/OISF/libhtp/releases/tag/0.5.50

    "
    response: do not error on gap finishing content-length
    chunks: probe validity if data was not buffered
    chunks: abort asap on invalid chunk length
    response: end decompressors in chunked content
    decompressors: do not take data after end
    readme: update status
    readme: update goals
    response: end decompressors in chunked content
    scan-build: work around optin.performance.Padding"

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 61277e8868fa85ac267e9dcfb9b7cc803aef8295
Author: Michael Tremer
Date: Wed Mar 19 15:41:45 2025 +0000

    core194: Ship shadow

    Signed-off-by: Michael Tremer

commit a9ff2c2a7e8729ca90df8ac3e1a153689699d026
Author: Adolf Belka
Date: Wed Mar 19 13:54:32 2025 +0100

    shadow: Update to version 4.17.3

    - Update from version 4.16.0 to 4.17.3
    - Update of rootfile
    - At version 4.17.0 groups and ids were removed from shadow, so the parts
      of the patch related to stopping installation of groups is no longer
      needed. The parts related to not installing the man pages already
      installed by man are still done but using the commands shown in Linux
      From Scratch with shadow-4.17.3 rather than via a patch file which was
      getting very difficult to find and edit every man page that should be
      excluded from the source tarball to create the diff patch.
    - Corrected a typo, --without-brcypt should have been --without-bcrypt.
      However no impact as the default for bcrypt is to not be installed.
    - This version brings in /bin/getsubids. I have commented this out as that
      command was never present before, although the subids libraries were.
      If this command should be available in IPFire then it can be uncommented
      in the rootfile.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit bb5d9cfab506dd325ea647c97297de97840c02e0
Author: Adolf Belka
Date: Tue Mar 11 21:36:35 2025 +0100

    bacula: Update to version 15.0.2

    - Update from version 13.0.4 to 15.0.2
    - Update of rootfile
    - Version 15.0.2 has now been released for a year so it is time to update
      the IPFire file daemon as the director and storage daemon should by now
      be at this latest version.
    - Changelog is too large to fully include here. Details can be found in
      the ChangeLog file in the source tarball.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 172638fb716f5c0344fa972054b10f6fd678fb55
Author: Michael Tremer
Date: Wed Mar 19 10:55:50 2025 +0000

    core194: Ship pango

    Signed-off-by: Michael Tremer

commit 7e089aed602e21fe50b567b46ad3d7fd35c2b869
Author: Adolf Belka
Date: Tue Mar 18 22:20:18 2025 +0100

    pango: Update to version 1.56.3

    - Update from version 1.56.1 to 1.56.3
    - Update of rootfile
    - Changelog
        1.56.3
            - Improve font description serialization
            - fontconfig: Avoid FcFontSetSort when possible
            - coverage: Extend coverage by Unicode decomposition
            - win32: Speed up coverage creation
            - Deprecate pango_font_descriptions_free
        1.56.2
            - Annotation fixes
            - fontconfig: Set optical size for fonts with an opsz axis
            - fontconfig: Make panog_font_map_reload_font scale linearly

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 9e782624954873350d8a7334b23186355ccec553
Author: Michael Tremer
Date: Wed Mar 19 10:55:31 2025 +0000

    core194: Ship lvm2

    Signed-off-by: Michael Tremer

commit 4cb0499fb1868f59b1a5bde5be7b2917f147f2f9
Author: Adolf Belka
Date: Tue Mar 18 22:20:17 2025 +0100

    lvm2: Update to version 2.03.31

    - Update from version 2.03.30 to 2.03.31
    - Update of rootfile not required
    - Changelog
        2.03.31
            Reduce 'mandoc -T lint' reported issues for man pages.
            Restore support for LVM_SUPPRESS_FD_WARNINGS (2.03.24).
            Fix uncache and split cache restoring original state of volume.
            Extend use of lockopt skip to more scenarios.
            Enhance error path resolving in polling code.
            Disallow shared activation of LV with CoW snapshot.
            Fix lvmlockd use in lvremove of CoW snapshot, VDO pool, and uncache.
            Improve mirror split with opened temporary volumes.
            Improve pvmove finish with opened temporary volumes.
            Fix backup limit for devices file, handle over 10,000 files.
            Ignore reported optimal_io_size not divisible by 4096.
            Fix busy-loop in config reading when read returned 0.
            Fix DM cache preserving logic (2.03.28).
            Improve use of lvmlockd for usecases involving thin volumes and pools.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3aa2a9397166019785ee758f09168427e6029622
Author: Michael Tremer
Date: Wed Mar 19 10:55:09 2025 +0000

    core194: Ship liburcu

    Signed-off-by: Michael Tremer

commit ef72424f84630e31711f4368eb86b647f64f3f40
Author: Adolf Belka
Date: Tue Mar 18 22:20:16 2025 +0100

    liburcu: Update to version 0.15.1

    - Update from version 0.15.0 to 0.15.1
    - Update of rootfile not required
    - Changelog
        0.15.1
            * uatomic/generic: Add missing #include
            * docs: Clarify that make is required to build the project
            * fix: add missing SPDX headers to urcu/uatomic/api.h
            * compiler.h: Remove caa_unqual_scalar_typeof

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 369b7309ebe08be95230ab7c4a734fca0639ddb2
Author: Adolf Belka
Date: Tue Mar 18 22:20:15 2025 +0100

    libseccomp: Update to version 2.6.0

    - Update from version 2.5.5 to 2.6.0
    - Update of rootfile
    - Changelog
        2.6.0
            - Update the syscall table for Linux v6.13
            - Add support for new arches: SuperH little and big endian,
              LoongArch, and 32-bit Motorola 68000
            - Add multiplexed syscall support for more arches: MIPS, SuperH,
              and PPC
            - Consolidate and simplify handling of multiplexed syscalls
            - Add support for the SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag
            - Add support for transactions with the seccomp_transaction_start(),
              seccomp_transaction_commit(), and seccomp_transaction_reject() APIs
            - Add a seccomp_precompute() API to generate the seccomp BPF filter
              prior to seccomp_load() or seccomp_export_bpf_mem()
            - Add support for binary tree filters without syscalls
            - Add support for the kernel’s implementation change of
              SECCOMP_IOCTL_NOTIF_ID_VALID
            - Add Python binding support for retrieving the notification file
              descriptor
            - Improved tooling to help track syscall table updates in the
              Linux kernel
            - Handle EINVAL error from the kernel when the WAIT_KILLABLE_RECV
              flag is erroneously provided to the kernel
            - Fix a seccomp userspace notification issue where the file
              descriptor was being requested more than once
            - Fix a bug where the internal filter state could be corrupted
              when a filter rule addition fails
            - Fix potential memory leak in the internal management of filter
              snapshots
            - Utilize Cython rather than distutils in the Python bindings, due
              to distutils’ deprecation
            - Many test and CI improvements and fixes
            - Many documentation improvements and updates

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3c1ee1a7bd580cf60d678dd501bbb473cac411c9
Author: Michael Tremer
Date: Wed Mar 19 10:54:09 2025 +0000

    core194: Ship libcap

    Signed-off-by: Michael Tremer

commit b8b7f6d09e5a9b98dbab672edf6ff3943d2d0e75
Author: Adolf Belka
Date: Tue Mar 18 22:20:13 2025 +0100

    libcap: Update to version 2.75

    - Update from version 2.73 to 2.75
    - Update of rootfile
    - Changelog
        2.75
            This release is devoted to a fix for Bug 219838 reported by Frank.
        2.74
            ERRATA Bug 219838 the psx go package fails to build standalone.
            You can work around this by go mod vendor in your code tree or
            upgrade your package reference to psx/v1.2.75.
            This release addresses Bug 219687 reported by David Runge.
            Code at HEAD (tagged {cap,psx}/v1.2.74-rc5) fixes it for
            {x86,arm,mips}x{32-bit,64-bit}, ppc64, s390x and riscv.
            The mips32 support requires a more modern Go compiler than the
            default provided by Debian. For successfully testing I used
            go1.24.0.
May be fixed for loongarch, but no system to test this with (derived from mips, so perhaps it is fixed). Group syntax parsing bugfix for pam_cap from Tianjia Zhang. Doc typo fix for cap_get_proc.3 from Tianjia Zhang. Fix transitive include in capsh.c from Leo. Go package documentation updates, including more cap examples. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 171aaffd68a7a776897798a3c2f90fdac8444ad5 Author: Michael Tremer Date: Wed Mar 19 10:53:43 2025 +0000 core194: Ship libedit Signed-off-by: Michael Tremer commit a8ba702326c1e0c9697d68bef1b6f7b001fca5ad Author: Adolf Belka Date: Tue Mar 18 22:20:14 2025 +0100 libedit: Update to version 20250104-3.1 - Update from version 20240808-3.1 to 20250104-3.1 - Update of rootfile - Changelog 20250104-3.1 * all: sync with upstream source Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 2290f4c3d033906538ab18a0dd79399485f01924 Author: Michael Tremer Date: Wed Mar 19 10:53:25 2025 +0000 core194: Ship kmod Signed-off-by: Michael Tremer commit 14057125888ba4092e38e6d0d5f06a443842eed6 Author: Adolf Belka Date: Tue Mar 18 22:20:12 2025 +0100 kmod: Update to version 34.1 - Update from version 0.34 to 0.34.1 - Update of rootfile not required - Changelog 0.34.1 It's mostly a build system fix release, the first .1 we are releasing. My goal is to mimic what is done in the kernel and propagate the critical fixes to a stable release, which should help distros to get the fixes ahead of a new release, without having to patch it themselves. 
Shortlog is below: meson: Use short options for ln everywhere meson: Fix setting an absolute customdir NEWS: ditch mention of libxz.so meson: Fix build with glibc 2.31 kmod 34.1 build: support missing gtkdocize in releases Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 3dbc8a9764581de0d52845b9bd5adcf694738cad Author: Michael Tremer Date: Wed Mar 19 10:53:03 2025 +0000 core194: Ship iana-etc Signed-off-by: Michael Tremer commit eb8eb515257c04c61cbd942bd1c15e3e6f93aa45 Author: Adolf Belka Date: Tue Mar 18 22:20:11 2025 +0100 iana-etc: Update to version 20250311 - Update from version 20241024 to 20250311 - Update of rootfile not required - No changelog provided Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit d8fb0fa4b4896a9d58ef229082c8f99d90b98d45 Author: Michael Tremer Date: Wed Mar 19 10:52:44 2025 +0000 core193: Ship hwdata Signed-off-by: Michael Tremer commit 24958e7380889968d76054aee3c9c104a8f96f43 Author: Adolf Belka Date: Tue Mar 18 22:20:10 2025 +0100 hwdata: Update to version 0.393 - Update from version 0.391 to 0.393 - Update of rootfile not required - Changelog 0.393 Update of usb & pci ID's 0.392 Update of usb & pci ID's Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer