commit ab7e955f1210e1f23fbcae4b64e499c8dde588e1
Author: Michael Tremer
Date:   Fri Mar 28 12:11:22 2025 +0000

    credits.cgi. Update contributors

    Signed-off-by: Michael Tremer

commit 80208fe4e628d7148e4439053e25f9de0bcd6ecb
Author: Michael Tremer
Date:   Fri Mar 28 12:11:08 2025 +0000

    core194: Ship pakfire.cgi

    Signed-off-by: Michael Tremer

commit 22e7fefc22d23a033c32ffed035995892a895ad7
Author: Stephen Cuka
Date:   Wed Mar 26 23:34:40 2025 -0600

    pakfire.cgi: Convert icons to buttons.

    - Convert icons to buttons on main and confirmation pages.
    - Disable Upgrade button if no core or add-on updates available.
    - Disable Install and Remove buttons until an add-on is selected to install or remove.
    - Change 'abort' to 'cancel'.
    - Change 'uninstall' to 'remove'.
    - Set fixed height on select boxes to keep the size the same if there are no options for the select.
    - Change translation for install/remove description text, the previous text referred to the icons.

      'pakfire install description' -> 'Please select one or more add-ons to install.'
      'pakfire uninstall description' -> 'Please select one or more add-ons to remove.'

    Signed-off-by: Stephen Cuka
    Signed-off-by: Michael Tremer

commit e0dc059b360d0609961d588694dfc7e386e63306
Author: Stephen Cuka
Date:   Tue Mar 25 13:25:42 2025 -0600

    pakfire.cgi: Change to new translations.

    upgrade -> pakfire upgrade
    install -> pakfire install
    available updates -> pakfire updates
    calamaris refresh list -> pakfire refresh list

    Signed-off-by: Stephen Cuka
    Signed-off-by: Michael Tremer

commit b79accc2a46d289667c05e43893ffa200fb5ddf9
Author: Stephen Cuka
Date:   Mon Mar 24 16:12:55 2025 -0600

    langs: Add trs for upgrade confirmation page.

    'pakfire confirm updates' => 'Do you want to install all updates?'
    'pakfire updating' => 'Updating pakfire database, please wait...'

    Signed-off-by: Stephen Cuka
    Signed-off-by: Michael Tremer

commit 3e79d2a2544377a83c6ccde5feed7eb2e48883d8
Author: Stephen Cuka
Date:   Mon Mar 24 13:13:47 2025 -0600

    langs: Add trs for install/remove confirmation pages.

    'pakfire dependencies found' => 'Dependencies found:'
    'pakfire no dependencies found' => 'No dependencies found.'
    'pakfire resolvedeps wait' => 'Checking for dependencies, please wait...'

    Signed-off-by: Stephen Cuka
    Signed-off-by: Michael Tremer

commit 0378ba767ae0698b3f909671177ea2f1369b291f
Author: Stephen Cuka
Date:   Sun Mar 23 19:10:10 2025 -0600

    langs: Add 'pakfire refresh list' translation.

    Signed-off-by: Stephen Cuka
    Signed-off-by: Michael Tremer

commit 88838a2a2580a55bbbb3f5b4e8a9492aa5a15cb6
Author: Stephen Cuka
Date:   Sun Mar 23 18:35:43 2025 -0600

    langs: Add 'pakfire updates' translation.

    Add missing 'pakfire updates' tr to en.pl and it.pl.

    For other languages, in cases where the existing 'pakfire updates' tr does not match the 'available updates' tr currently used by pakfire.cgi, give precedence to the 'available updates' tr and update 'pakfire updates' accordingly.

    Signed-off-by: Stephen Cuka
    Signed-off-by: Michael Tremer

commit 9f82bd84751feaf9c4596a8cab0695110f0675c1
Author: Stephen Cuka
Date:   Sun Mar 23 15:25:13 2025 -0600

    langs: Add 'pakfire install' translation.

    Signed-off-by: Stephen Cuka
    Signed-off-by: Michael Tremer

commit 5a16ed0b0224de172f03516f15fb2108e87f1b8c
Author: Stephen Cuka
Date:   Sun Mar 23 14:42:13 2025 -0600

    langs: Add 'pakfire upgrade' translation.

    Signed-off-by: Stephen Cuka
    Signed-off-by: Michael Tremer

commit 6c75a5eee22ddd0e3fbff58677f7a6a3c19d2c64
Author: Robin Roevens
Date:   Thu Mar 27 23:45:52 2025 +0100

    zabbix_agentd: Disable passive checks by default on new installations.

    Zabbix Agent by default normally forks 10 instances to listen for incoming (passive) checks.
    I, however, recommend only using active checks on an IPFire instance, so that the agent on the instance will only actively contact the Zabbix server to request a list of checks to perform instead of waiting for the server to contact the agent for every check.
    This frees up some resources valuable to smaller systems and makes the agent not listen on any TCP port, which is one less possible attack surface.

    Users with an existing installation will have to manually add the parameter to their config. This will be documented in the wiki.

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit 91ed071a0b98087afe37b8e93149afa298518d50
Author: Robin Roevens
Date:   Thu Mar 27 23:45:51 2025 +0100

    zabbix_agentd: Update to 7.0.11 (LTS)

    - Update from version 6.0.33 to 7.0.11
    - Update of rootfile not required

    This is a major release update to the next LTS version and breaks compatibility with Zabbix Server 6.x.
    A survey on the forum resulted in nobody claiming to still use Zabbix Server v6.x.

    Full changelogs:
    - https://www.zabbix.com/rn/rn7.0.0
    - https://www.zabbix.com/rn/rn7.0.1
    - https://www.zabbix.com/rn/rn7.0.2
    - https://www.zabbix.com/rn/rn7.0.3
    - https://www.zabbix.com/rn/rn7.0.4
    - https://www.zabbix.com/rn/rn7.0.5
    - https://www.zabbix.com/rn/rn7.0.6
    - https://www.zabbix.com/rn/rn7.0.7
    - https://www.zabbix.com/rn/rn7.0.8
    - https://www.zabbix.com/rn/rn7.0.9
    - https://www.zabbix.com/rn/rn7.0.10
    - https://www.zabbix.com/rn/rn7.0.11

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit 6a3fe52cc0303b128899995e10c9d1804468fda9
Author: Michael Tremer
Date:   Fri Mar 28 11:45:38 2025 +0000

    core194: Ship strongswan

    Signed-off-by: Michael Tremer

commit c77440a3b1279d215a551d146140754d6f064253
Author: Michael Tremer
Date:   Fri Mar 28 11:44:01 2025 +0000

    strongswan: Update to 6.0.1

    Signed-off-by: Michael Tremer

commit a565452c975fb9567c6bc85c8a32eec872d47d78
Author: Matthias Fischer
Date:   Tue Mar 25 19:08:51 2025 +0100

    suricata: Update to 7.0.10

    For details see:
    https://suricata.io/2025/03/25/suricata-7-0-10-released/

    "This is an extra release to address a critical issue in 7.0.9 affecting AF_PACKET users: setting a BPF would cause Suricata to fail to start up.

    As this affected many users, we’ve decided to push this release earlier than originally planned. Our QA processes have been updated to avoid similar issues going forward."

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit ee8b09e77d006492f89f7a8d39c4ef3787f279c4
Author: Michael Tremer
Date:   Tue Mar 25 15:46:54 2025 +0000

    core194: Remove libidn

    Signed-off-by: Michael Tremer

commit 28867b07c217d0cb2a855c1e1e6ac42ac2f5f32e
Author: Adolf Belka
Date:   Mon Mar 24 18:44:26 2025 +0100

    libidn: Removal of package as no longer needed.

    - A while back elinks changed from using libidn to libidn2. At that time that left ghostscript as the only package still using libidn. With the removal of cups and associated packages, including ghostscript, libidn is no longer used.
      libidn2 is used where required now.
    - This removes the lfs and rootfiles and removes the entry from the make.sh file.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 52d025342d0b804d71e1238a5c6c88d59fd973a0
Author: Adolf Belka
Date:   Mon Mar 24 18:44:25 2025 +0100

    cifs-utils: Update to version 7.3

    - Update from version 7.1 to 7.3
    - Update of rootfile not required.
    - Changelog
        7.3
          Fix regression in mount.cifs with guest mount option
          cldap_ping: Fix socket fd leak
          resolve_host.c: Initialize site_name
        7.2
          cifs-utils: Skip TGT check if valid service ticket is already available
          docs: update actimeo description
          docs: add max_cached_dirs description
          docs: add esize description
          cifs-utils: support and document password2 mount option
          use enums to check password or password2 in set_password, get_password_from_file and minor documentation additions
          Fix compiler warnings in mount.cifs
          Do not pass passwords with sec=none and sec=krb5
          smbinfo: add bash completion support for filestreaminfo, keys, gettconinfo
          cifs-utils: bump version to 7.2
          CIFS.upcall to accommodate new namespace mount opt
          cifs-utils: add documentation for upcall_target
          cifs-utils: avoid using mktemp when updating mtab
          getcifsacl: fix return code check for getting full ACL
          cifscreds: use continue instead of break when matching commands
          cifscreds: allow user to set the key's timeout
          configure.ac: libtalloc is now mandatory
          cldap_ping.c: add missing include

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit a9cebe70db0156b72278f33dc2dcb66bc731b1e8
Author: Michael Tremer
Date:   Tue Mar 25 15:39:08 2025 +0000

    core194: Ship abseil-cpp

    Signed-off-by: Michael Tremer

commit 1526aea812a7f354daf50c9edab114f95c762058
Author: Adolf Belka
Date:   Mon Mar 24 18:44:24 2025 +0100

    abseil-cpp: Update to version 20250127.0

    - Update from version 20240722.0 to 20250127.0
    - Update of rootfile
    - Changelog
        20250127.0
          What's New:
            Added support for Bazel 8.0
            Added support for Bazel Platforms for better portability
            Added ABSL_ATTRIBUTE_VIEW and ABSL_ATTRIBUTE_OWNER for diagnosing certain lifetime issues
            Many performance improvements
            A security issue in hash container create/resize has been fixed. Note that the latest patch releases for previous LTS versions also address this issue.
          Breaking Changes:
            Bazel BUILD files now reference repositories by their canonical names from the Bazel Central Registry. For example, Abseil is now @abseil-cpp instead of @com_google_absl, and GoogleTest is now @googletest instead of @com_google_googletest. Users still using the old WORKSPACE system may need to use repo_mapping on repositories that still use the old names. See 90a7ba6 for an example.
          Other:
            This will be the last release to support C++14. Future releases will require at least C++17.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit f6bc9fef66adde4bdc6e3076b6db081f45764569
Author: Michael Tremer
Date:   Tue Mar 25 15:38:10 2025 +0000

    Revert "vpnmain.cgi: Fixes bug13737 - increments the serial number to allow cert regen"

    This reverts commit 7d1d7e0bec4c7f991dbbb622ce414e0b91d14d74.

    Reverted as requested by Adolf due to some work being required on this.

    Signed-off-by: Michael Tremer

commit b992bcc7c7af09f02eb56b40ff0635242b25cc34
Author: Michael Tremer
Date:   Mon Mar 24 14:45:12 2025 +0000

    core194: Ship util-linux

    Signed-off-by: Michael Tremer

commit 571144dc501c14d25e1aee8bf898232dd8a13410
Author: Adolf Belka
Date:   Mon Mar 24 11:35:51 2025 +0100

    util-linux: Update to version 2.41

    - Update from version 2.40.2 to 2.41
    - Update of rootfile for all three architectures. This time confirmed that all three have been edited to remove the + additions to lines.
    - There are two new commands available, bits and coresched. I have commented both of these out as they are new and have therefore never been used in the past. If they are something that should be used in IPFire then the lines can always be uncommented.
    - Changelog
        2.41
          Release highlights - full list of all changes is too large to put here (~1400 lines). The details can be found in the source tarball /Documentation/releases/v2.41-ReleaseNotes file.
          agetty:
            - Fixed an issue where issue files were not being printed from additional locations, such as /run or /usr/lib. This change now allows for the use of local information from /etc, in addition to generated files from /run and distribution-specific files from /usr/lib.
          cfdisk and sfdisk:
            - Added support for the --sector-size command line option.
          sfdisk:
            - Added a new option, --discard-free.
          fdisk:
            - Added a new command, 'T', to discard sectors.
          chrt:
            - The --sched-runtime now supports SCHED_{OTHER,BATCH} policies.
          column:
            - Can now handle ANSI SGR colors inside OSC 8 hyperlink escape codes and sequences.
          enosys:
            - Can now dump defined filters.
          libmount:
            - Added experimental support for statmount() and listmount() syscalls.
            - This new functionality can be accessed using "findmnt --kernel=listmount".
            - Added a new mount option, X-mount.nocanonicalize[=source|target].
            - Added new mount extensions to the "ro" flag (ro[=vfs,fs]).
            - Added a new option, X-mount.noloop, to disable automatic loop device creation.
            - Now supports bind symlinks over symlinks.
            - Reads all kernel info/warning/error messages from new API syscalls (and mount(8) prints them).
          libuuid:
            - Now supports RFC9562 UUIDs.
          findmnt, lsblk, and lsfd:
            - Added a new --hyperlink command line option to print paths as terminal hyperlinks.
          findmnt:
            - Can now address filesystems using --id and --uniq-id (requires listmount() kernel support).
          flock:
            - Added support for the --fcntl command line option.
          hardlink:
            - Can now prioritize specified trees on the command line using --prioritize-trees.
            - Can exclude sub-trees using --exclude-subtree or keep them in the current mount using --mount.
            - Duplicates can now be printed using --list-duplicates.
          hwclock:
            - Added a new --param-index option to address position for RTC_PARAM_{GET,SET} ioctls.
          kill:
            - Can now decode signal masks (e.g. as used in /proc) to signal names.
          libblkid:
            - Made many changes to improve detection, including exfat, GPT, LUKS2, bitlocker, etc.
          login:
            - Added support for LOGIN_ENV_SAFELIST in /etc/login.def.
          lsfd:
            - Now supports pidfs and AF_VSOCK sockets.
          lsipc, ipcmk, ipcrm:
            - Now supports POSIX ipc.
          lslogins:
            - Now supports lastlog2.
          lsns:
            - Added support for the --filter option.
          build by meson:
            - Now supports translated man pages and has fixed many bugs.
          mkswap:
            - The option --file should now be usable on btrfs.
          nsenter:
            - Improved support for pidfd and can now join target process's socket net namespace.
          scriptlive:
            - Added a new option, --echo .
          zramctl:
            - Now supports COMP-RATIO and --algorithm-params.
        2.40.4
          libmount:
            - Revert "libmount: exec mount helpers with posixly correct argument order"
          po:
            - merge changes
          po-man:
            - merge changes
            - Fix table formatting
        2.40.3
          agetty:
            - Prevent cursor escape
            - add "systemd" to --version output
            - fix ambiguous ‘else’ [-Werror=dangling-else]
          audit-arch.h:
            - add defines for m68k, sh
          autotools:
            - Check for BPF_OBJ_NAME_LEN (required by lsfd)
            - add --disable-enosys, check for linux/audit.h
            - add Libs.private to uuid.pc
            - allow enabling dmesg with --disable-all-programs
            - allow enabling lsblk with --disable-all-programs
            - check for sys/vfs.h and linux/bpf.h
            - fix securedir and pam_lastlog2 install
          bash-completion:
            - add `--pty` and `--no-pty` options for `su` and `runuser`
            - complete `--user` only for `runuser`, not for `su`
          chcpu(8):
            - Document CPU deconfiguring behavior
            - Fix typo
          ci:
            - bump coveralls compiler version to gcc 13
          doc:
            - fsck.8.adoc - fix email typo
          docs:
            - update AUTHORS file
          fdisk:
            - (man) improve --sector-size description
            - fix SGI boot file prompt
            - fix fdisk_sgi_set_bootfile return value
            - fix sgi_check_bootfile name size minimum
            - fix sgi_menu_cb return value
          fincore:
            - Use
              correct syscall number for cachestat on alpha
          fstab.5 mount:
            - fstab.5 mount.8 add note about field separator
          hardlink:
            - fix memory corruption (size calculation)
            - hardlink.1 directory|file is mandatory
          hwclock:
            - Remove ioperm declare as it causes nested extern declare warning
          lib/env:
            - fix env_list_setenv() for strings without '='
          libblkid:
            - (exfat) validate fields used by prober
            - (gpt) use blkid_probe_verify_csum() for partition array checksum
            - add FSLASTBLOCK for swaparea
            - bitlocker add image for Windows 7+ BitLocker
            - bitlocker fix version on big-endian systems
            - improve portability
          libfdisk:
            - make sure libblkid uses the same sector size
          libmount:
            - exec mount helpers with posixly correct argument order
            - extract common error handling function
            - propagate first error of multiple filesystem types
          libmount/context_mount:
            - fix argument number comments
          logger:
            - correctly format tv_usec
          lscpu:
            - Skip aarch64 decode path for rest of the architectures
            - make code more readable
          lslocks:
            - remove deadcode [coverity scan]
          lsns:
            - ignore ESRCH errors reported when accessing files under /proc
          man pages:
            - document `--user` option for `runuser`
            - use `user` rather than `username`
          meson:
            - check for BPF_OBJ_NAME_LEN and linux/bpf.h
          mkswap:
            - set selinux label also when creating file
          more:
            - make sure we have data on stderr
          nsenter:
            - support empty environ[]
          partx:
            - Fix example in man page
          po:
            - merge changes
            - update de.po (from translationproject.org)
            - update ja.po (from translationproject.org)
            - update pt_BR.po (from translationproject.org)
            - update sr.po (from translationproject.org)
            - update zh_CN.po (from translationproject.org)
          po-man:
            - add missing langs to po4a.cfg
            - fix typo, update .gitignore
            - merge changes
            - update fr.po (from translationproject.org)
            - update pt_BR.po (from translationproject.org)
          tests:
            - fdisk/bsd Update expected output for alpha
          umount, losetup:
            - Document loop destroy behavior
          uuidd:
            - fix /var/lib/libuuid mode uuidd-tmpfiles.conf
            - fix typo in tmpfiles.conf
            - fix /var/lib/libuuid mode uuidd-tmpfiles.conf
            - fix typo in tmpfiles.conf

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3a93c9ddcf9d40bb5c07233f3cc8d417a3e4dfb7
Author: Michael Tremer
Date:   Mon Mar 24 09:57:43 2025 +0000

    core194: Ship tzdata

    Signed-off-by: Michael Tremer

commit 1c9edb860f2c4af7e09af788cfd6fe283270b5ec
Author: Adolf Belka
Date:   Sun Mar 23 18:34:28 2025 +0100

    tzdata: Update to version 2025b

    - Update from version 2025a to 2025b
    - Update of rootfile
    - Changelog
        2025b
          Briefly:
            New zone for Aysén Region in Chile which moves from -04/-03 to -03.
          Changes to future timestamps
            Chile's Aysén Region moves from -04/-03 to -03 year-round, joining Magallanes Region. The region will not change its clocks on 2025-04-05 at 24:00, diverging from America/Santiago and creating a new zone America/Coyhaique. (Thanks to Yonathan Dossow.) Model this as a change to standard offset effective 2025-03-20.
          Changes to past timestamps
            Iran switched from +04 to +0330 on 1978-11-10 at 24:00, not at year end. (Thanks to Roozbeh Pournader.)
          Changes to code
            'zic -l TIMEZONE -d . -l /some/other/file/system' no longer attempts to create an incorrect symlink, and no longer has a read buffer underflow. (Problem reported by Evgeniy Gorbanev.)

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit a191b8aeb8c2b5bcdbcd06573b329e85334212e4
Author: Adolf Belka
Date:   Sun Mar 23 18:31:14 2025 +0100

    shadow: Update to version 4.17.4

    - Update from version 4.17.3 to 4.17.4
    - Update of rootfile not required
    - Changelog
        4.17.4
          Revert "lib/, src/: Use local time for human-readable dates"
          lib/getdate.y: Ignore time-zone information and use UTC
          src/chfn.c: Partially revert "lib/, src/: Use strsep(3) instead of its pattern"
          src/chfn.c: Use stpsep() instead of its pattern
          src/chfn.c: Add local variable to refer to the separated field
          src/chfn.c: copy_field(): Rename local variable
          lib/commonio.c: Rely on the POSIX.1-2008 behavior of realpath(3)
          lib/fs/readlink/: readlinknul(): Use ssize_t to simplify
          autogen.sh: Promote -Wsign-compare to an error
          lib/sizeof.h: ssizeof(): Add signed variant of sizeof
          src/lastlog.c: Use ssizeof() to avoid a -Wsign-compare diagnostic
          tests/unit/test_xasprintf.c: Fix sign-mismatch diagnostic
          configure.ac: stop checking for utmp location
          configure.ac: be deterministic about passwd location
          lib/, src/: update audit messages
          lib/: audit function for groups
          src/: update group audit messages
          doc/: Remove list of distributions

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3e01ed6ce803e83ba78c07999c420a28312a4947
Author: Michael Tremer
Date:   Mon Mar 24 09:57:14 2025 +0000

    core194: Ship libusb

    Signed-off-by: Michael Tremer

commit 08d3b9809d45aaea1714004062d9acb09a080c1b
Author: Adolf Belka
Date:   Sun Mar 23 18:26:04 2025 +0100

    libusb: Update to version 1.0.28

    - Update from version 1.0.27 to 1.0.28
    - Update of rootfile
    - Changelog
        1.0.28
          * New libusb_get_ssplus_usb_device_capability_descriptor API for query of SuperSpeed+ Capability Descriptors
          * API support for reporting USB 3.2 Gen2x2 speeds
          * macOS: Fix Zero-Length Packet for multiple packets per frame
          * Windows: Base HID device descriptor on OS-cached values
          * Build fixes for Haiku and SunOS
          * Many code correctness
            fixes

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 380c113b0755aa30eaf8479cb23772eaab6cf759
Merge: ba4bc8da4 d028a679a
Author: Michael Tremer
Date:   Fri Mar 21 15:11:05 2025 +0000

    Merge branch 'master' into next

commit d028a679ab0a9a7fd29e2cf31a2fd3761f261fe1
Author: Adolf Belka
Date:   Wed Mar 12 12:03:22 2025 +0100

    sources: Update ipblocklist with Threatview.io IP list

    - Blocklist addition was discussed and agreed at IPFire dev conf call in March 2025.
    - Tested on vm system.
    - Adjusted the entry alignment for the three 3coresec entries as they had used tabs and all the rest used spaces for alignment. Now all entries are lined up the same.

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 4c3fa8ead093c2299d45bbc5538271aa41f31be5
Author: Michael Tremer
Date:   Fri Mar 21 15:10:08 2025 +0000

    core193: Ship ipblocklist-functions.pl

    Signed-off-by: Michael Tremer

commit 80dc5de20c2fb6e67e7b9a66cab540336f1469bd
Author: Adolf Belka
Date:   Wed Mar 12 15:46:10 2025 +0100

    ipblocklist-functions.pl: Specify an IPFire user agent for the downloads

    - As discussed at the IPFire conf call in March 2025, this patch provides an IPFire specific User Agent string for the IP Block Lists downloads using LWP::UserAgent.
    - It turned out that there was already a function in general-functions.pl that creates an IPFire User Agent string. This was used for this IP Blocklist download.
    - Currently it gave me the string IPFire/2.29/192.
    - This was tested out with the Threatview.io IP blocklist download and it worked fine.
    - If this patch is approved and merged then I will contact Threatview.io to let them know what our User Agent string is.

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit ba4bc8da4eec7fdb43d8c0b444aec8b2343deb86
Author: Michael Tremer
Date:   Fri Mar 21 15:08:43 2025 +0000

    gcc: Update mpfr to version 4.2.2

    Signed-off-by: Michael Tremer

commit 953337104a45b1d3296d9a474ae57cb789c830f0
Author: Michael Tremer
Date:   Fri Mar 21 15:08:02 2025 +0000

    core194: Ship mpfr

    Signed-off-by: Michael Tremer

commit 47bc2d0c30c0fecd135880dd223ff6fb6c375ac0
Author: Adolf Belka
Date:   Fri Mar 21 14:30:45 2025 +0100

    mpfr: Update to version 4.2.2

    - Update from version 4.2.1 to 4.2.2
    - Update of rootfile
    - Changelog
        4.2.2
          - In order to resolve a portability issue with the _Float128 fallback to __float128 for binary128 support (e.g. with Clang and glibc 2.41), the prototypes of the corresponding conversion functions had to be changed, with _Float128 replaced by mpfr_float128, where mpfr_float128 is a macro defined as _Float128 by default. This changes neither the ABI nor the API (except that the end user of MPFR would need to define mpfr_float128 as the actual type for the binary128 format if this is not the standard _Float128 type).
          - Other bug fixes (see and/or the ChangeLog file). In particular, the formatted output functions behaved incorrectly with %c on the value 0; such a use is uncommon, but this bug may have security implications.
          - Improved MPFR manual.
          - Detect the use of GMP's buggy vsnprintf replacement at configure time. With it, the tests of "%a" will be disabled to avoid an assertion failure in the MPFR testsuite. A warning will be displayed in the configure output in such a case. Also, note that due to new tests related to the fix of the formatted output functions with %c on the value 0, failures in the tfprintf and tsprintf tests may be observed if GMP has been built with its vsnprintf replacement (i.e. if GMP detected at configure time that the vsnprintf function from the C library is buggy/non-conforming).
            This is due to a bug in the vsnprintf replacement from GMP 6.3.0 (official tarball) and below. This could be observed on MS Windows and OpenBSD. To get rid of these failures, either use a fixed version (recommended!) or build the MPFR tests with the MPFR_TESTS_SKIP_CHECK_NULL macro defined. See the INSTALL file for other details.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 78646ef87613853692f8ee7498353dff9d90db7a
Author: Michael Tremer
Date:   Fri Mar 21 15:07:19 2025 +0000

    samba: Fix riscv64 rootfile (again)

    Signed-off-by: Michael Tremer

commit 11cd611e5c84d124c7a5fabc1792580c0c662df4
Author: Michael Tremer
Date:   Fri Mar 21 12:02:38 2025 +0000

    core193: Ship backup.pl and IP blocklist sources

    Signed-off-by: Michael Tremer

commit 2c6dbe05755d81aa0a56969df825915c9df8c739
Author: Michael Tremer
Date:   Fri Mar 21 11:10:12 2025 +0000

    samba: Fix riscv64 rootfile

    Signed-off-by: Michael Tremer

commit 75a5b33f2b929b1bc75501b3e4a40b3a84d856a6
Author: Adolf Belka
Date:   Fri Mar 21 11:24:56 2025 +0100

    samba: Update to version 4.22.0

    - Update from version 4.21.4
    - Update of rootfile for all three architectures
    - Changelog
        4.22.0
          NEW FEATURES/CHANGES
            SMB3 Directory Leases
              Starting with Samba 4.22 SMB3 Directory Leases are supported. The new global option "smb3 directory leases" controls whether the feature is enabled or not. By default, SMB3 Directory Leases are enabled on non-clustered Samba and disabled on clustered Samba, based on the "clustering" option. See man smb.conf for more details.
              SMB3 Directory Leases allow clients to cache directory listings and, depending on the workload, result in a decent reduction in SMB requests from clients.
            Netlogon Ping over LDAP and LDAPS
              Samba must query domain controller information via simple queries on the AD rootdse's netlogon attribute. Typically this is done via connectionless LDAP, using UDP on port 389. The same information is also available via classic LDAP rootdse queries over TCP.
              Samba can now be configured to use TCP via the new "client netlogon ping protocol" parameter to enable running in environments where firewalls completely block port 389 or UDP traffic to domain controllers.
            Experimental Himmelblaud Authentication in Samba
              Samba now includes experimental support for Azure Entra ID authentication via `himmelblaud`, located in the `rust/` directory. This implementation provides basic authentication and is configured through `smb.conf`, utilizing options such as `realm`, `winbindd_socket_directory`, and `template_homedir`. New global parameters include `himmelblaud_sfa_fallback`, `himmelblaud_hello_enabled`, and `himmelblaud_hsm_pin_path`. To enable, configure Samba with `--enable-rust --with-himmelblau`.
            AD DC schema upgrade and provision performance improvements
              By increasing the LDB index cache size for certain offline operations that are likely to require large transactions, these are now several times faster.
          REMOVED FEATURES
            The "nmbd proxy logon" feature was removed. This was used before Samba4 acquired a NBT server.
            The parameter "cldap port" has been removed. CLDAP runs over UDP port 389, we don't see a reason why this should ever be changed to a different port. Moreover, we had several places in the code where Samba did not respect this parameter, so the behaviour was at least inconsistent.
            fruit:posix_rename
              This option of the vfs_fruit VFS module that could be used to enable POSIX directory rename behaviour for OS X clients has been removed as it could result in severe problems for Windows clients.
              As a possible workaround it is possible to prevent creation of .DS_Store files (a Finder thingy to store directory view settings) on network mounts by running
                $ defaults write com.apple.desktopservices DSDontWriteNetworkStores true
              on the Mac.
          smb.conf changes
            Parameter Name                  Description     Default
            --------------                  -----------     -------
            smb3 directory leases           New             Auto
            vfs mkdir use tmp name          New             Auto
            client netlogon ping protocol   New             cldap
            himmelblaud hello enabled       New             no
            himmelblaud hsm pin path        New             default hsm pin path
            himmelblaud sfa fallback        New             no
            client use krb5 netlogon        Experimental    no
            reject aes netlogon servers     Experimental    no
            server reject aes schannel      Experimental    no
            server support krb5 netlogon    Experimental    no
            fruit:posix_rename              Removed
            cldap port                      Removed
          CHANGES SINCE 4.22.0rc4
            * BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
            * BUG 15797: Unable to connect to CephFS subvolume shares with vfs_shadow_copy2.
            * BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
            * BUG 15820: Incorrect FSF address in ctdb pcp scripts.
            * BUG 15804: "samba-tool domain backup offline" hangs.
          CHANGES SINCE 4.22.0rc3
            * BUG 15815: client use krb5 netlogon is experimental and should not be used in production.
          CHANGES SINCE 4.22.0rc2
            * BUG 15738: Creation of GPOs applicable to more than one group is impossible with Samba 4.20.0 and later.
            * BUG 15806: samba-tool acl commands broken for relative path names
            * BUG 15807: pysmbd seg faults when file is not found.
            * BUG 15796: Spotlight search results don't show file size and creation date.
            * BUG 15759: net ads create/join/winbind producing unix dysfunctional keytabs.
            * BUG 15806: samba-tool acl commands broken for relative path names.
            * BUG 15807: pysmbd seg faults when file is not found.
            * BUG 15680: Trust domains are not created.
            * BUG 15680: Trust domains are not created.
            * BUG 15703: General improvements for vfs_ceph_new module.
          CHANGES SINCE 4.22.0rc1
            * BUG 15798: libnet4: seg fault after dc lookup failure

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 19c13b8e997058db1a0ffac90093bfdc2a6eee8a
Author: Michael Tremer
Date:   Fri Mar 21 11:08:14 2025 +0000

    core194: Ship bind

    Signed-off-by: Michael Tremer

commit 868b52c2a7b72aca170b5e6228d9108b71716eaf
Author: Matthias Fischer
Date:   Thu Mar 20 23:58:22 2025 +0100

    bind: Update to 9.20.7

    For details see:
    https://downloads.isc.org/isc/bind9/9.20.5/doc/arm/html/notes.html#notes-for-bind-9-20-7

    Excerpt:

    "Notes for BIND 9.20.7

    New Features

        Implement the min-transfer-rate-in configuration option. ...
        Add HTTPS record query to host command line tool. ...
        Implement sig0key-checks-limit and sig0message-checks-limit. ...

    Bug Fixes

        Fix dual-stack-servers configuration option. ...
        Fix a data race causing a permanent active client increase. ...
        Fix deferred validation of unsigned DS and DNSKEY records. ...
        Fix RPZ race condition during a reconfiguration. ...
        “CNAME and other data check” not applied to all types. ...
        Relax private DNSKEY and RRSIG constraints. ...
        Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse(). ...
        Fix TTL issue with ANY queries processed through RPZ “passthru”. ...
        dnssec-signzone needs to check for a NULL key when setting offline. ...
        Fix a bug in the statistics channel when querying zone transfer information. ...
        Fix assertion failure when dumping recursing clients. ...
        Dump the active resolver fetches from dns_resolver_dumpfetches()"

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit bae5b30b5217d48851bd41a2f784a68f67573b35
Author: Michael Tremer
Date:   Wed Mar 19 16:17:53 2025 +0000

    core194: Ship suricata and libhtp

    Signed-off-by: Michael Tremer

commit 7b333a241306273599367c946c00ea6f5b3920b2
Author: Matthias Fischer
Date:   Wed Mar 19 17:16:22 2025 +0100

    suricata: Update to 7.0.9

    Excerpt from changelog:

    "7.0.9 -- 2025-03-18

    Security #7616: datasets: hashsize setting via rules can cause high memory usage (7.0.x backport)(MODERATE - CVE 2025-29916)
    Security #7614: decode_base64: signature can do large memory allocation (7.0.x backport)(HIGH - CVE 2025-29917)
    Security #7527: detect: infinite loop with negated pcre and indefinite recursion limit setting (7.0.x backport)(HIGH - CVE 2025-29918)
    Security #7459: af-packet: defrag option can lead to truncated packets (7.0.x backport)(HIGH - CVE 2025-29915)
    Bug #7581: detect: missing file.data matches without filestore (7.0.x backport)
    Bug #7561: detect: integer underflow with krb5.ticket_encryption (7.0.x backport)
    Bug #7557: quic: valid traffic blocked in IPS mode (7.0.x backport)
    Bug #7555: tls: parser error on unACK'd data in FIN shutdown (7.0.x backport)
    Bug #7553: applayer: misdetection if response is seen first without request (7.0.x backport)
    Bug #7496: detect: protocol probing doesn't finish earlier if opposite dir already had a protocol (7.0.x backport)
    Bug #7493: flow/var: memory leak in lua extension (7.0.x backport)
    Bug #7468: detect: checksum detection broken by stream.checksum-validation (7.0.x backport)
    Bug #7460: eve: empty src_ip and dest_ip values may be logged
    Bug #7448: log/file: nullptr dereference if file was opened more than once (7.0.x backport)
    Bug #7431: flow: multiple Flow Managers scan wrong hash slices (7.0.x backport)
    Bug #7428: tcp: GAP event set on unack'd data following a RST (7.0.x backport)
    Optimization #7088: applayer: track modified
    transactions to avoid walking all live transactions (7.0.x backport)"

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit ecee4cd3d7db6705049997fa4801ff57718fe352
Author: Matthias Fischer
Date:   Wed Mar 19 17:16:21 2025 +0100

    libhtp: Update to 0.5.50

    For details see:
    https://github.com/OISF/libhtp/releases/tag/0.5.50

    "
    response: do not error on gap finishing content-length
    chunks: probe validity if data was not buffered
    chunks: abort asap on invalid chunk length
    response: end decompressors in chunked content
    decompressors: do not take data after end
    readme: update status
    readme: update goals
    response: end decompressors in chunked content
    scan-build: work around optin.performance.Padding"

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 61277e8868fa85ac267e9dcfb9b7cc803aef8295
Author: Michael Tremer
Date:   Wed Mar 19 15:41:45 2025 +0000

    core194: Ship shadow

    Signed-off-by: Michael Tremer

commit a9ff2c2a7e8729ca90df8ac3e1a153689699d026
Author: Adolf Belka
Date:   Wed Mar 19 13:54:32 2025 +0100

    shadow: Update to version 4.17.3

    - Update from version 4.16.0 to 4.17.3
    - Update of rootfile
    - At version 4.17.0 groups and ids were removed from shadow, so the parts of the patch related to stopping installation of groups are no longer needed. The parts related to not installing the man pages already installed by man are still done but using the commands shown in Linux From Scratch with shadow-4.17.3 rather than via a patch file which was getting very difficult to find and edit every man page that should be excluded from the source tarball to create the diff patch.
    - Corrected a typo, --without-brcypt should have been --without-bcrypt. However no impact as the default for bcrypt is to not be installed.
    - This version brings in /bin/getsubids. I have commented this out as that command was never present before, although the subids libraries were. If this command should be available in IPFire then it can be uncommented in the rootfile.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit bb5d9cfab506dd325ea647c97297de97840c02e0
Author: Adolf Belka
Date:   Tue Mar 11 21:36:35 2025 +0100

    bacula: Update to version 15.0.2

    - Update from version 13.0.4 to 15.0.2
    - Update of rootfile
    - Version 15.0.2 has now been released for a year so it is time to update the IPFire file daemon as the director and storage daemon should by now be at this latest version.
    - Changelog is too large to fully include here. Details can be found in the ChangeLog file in the source tarball.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 172638fb716f5c0344fa972054b10f6fd678fb55
Author: Michael Tremer
Date:   Wed Mar 19 10:55:50 2025 +0000

    core194: Ship pango

    Signed-off-by: Michael Tremer

commit 7e089aed602e21fe50b567b46ad3d7fd35c2b869
Author: Adolf Belka
Date:   Tue Mar 18 22:20:18 2025 +0100

    pango: Update to version 1.56.3

    - Update from version 1.56.1 to 1.56.3
    - Update of rootfile
    - Changelog
        1.56.3
          - Improve font description serialization
          - fontconfig: Avoid FcFontSetSort when possible
          - coverage: Extend coverage by Unicode decomposition
          - win32: Speed up coverage creation
          - Deprecate pango_font_descriptions_free
        1.56.2
          - Annotation fixes
          - fontconfig: Set optical size for fonts with an opsz axis
          - fontconfig: Make panog_font_map_reload_font scale linearly

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 9e782624954873350d8a7334b23186355ccec553
Author: Michael Tremer
Date:   Wed Mar 19 10:55:31 2025 +0000

    core194: Ship lvm2

    Signed-off-by: Michael Tremer