commit 057b3e49c5e8aadb2c35ee2c65641ad7b073dacb
Author: Michael Tremer
Date:   Tue Apr 29 08:54:07 2025 +0000

    core195: Ship vpnmain.cgi

    This is because of changes that were applied late to c194.

    Signed-off-by: Michael Tremer

commit c85560b8c558e95490687a1e798ae16d9652e74e
Merge: 43867c1e0 f9f02b4c2
Author: Michael Tremer
Date:   Tue Apr 29 08:53:48 2025 +0000

    Merge remote-tracking branch 'origin/master' into next

commit f9f02b4c244fea3025245348678bb08bbfbd48a8
Author: Michael Tremer
Date:   Mon Apr 28 09:45:51 2025 +0000

    vpnmain.cgi: Fix editing connections that are using a PSK

    This patch takes care of properly decoding the PSK if it was already stored base64-encoded. If the connection is edited, it always will be stored base64-encoded upon save.

    It would have been nice to not send the PSK back to the browser again (although the security benefits would have been marginal), but that would make the code even messier than it is.

    Signed-off-by: Michael Tremer
    Tested-by: Adolf Belka
    Tested-by: Christian Hernmarck

commit 43867c1e070fc96420a666b0bb21182eff16787b
Author: Michael Tremer
Date:   Sun Apr 27 18:30:59 2025 +0200

    wireguard: Add a custom routing table for peers

    This is a dirty hack to make connections to VPN providers actually work.

    We mark all WG packets after encryption and use a secondary routing table to look up any routes to the peers. That way, we can replace the default route in the main routing table without having to care about the special routes there.

    Signed-off-by: Michael Tremer

commit 8b7f769451feade69f7a269387f67d3f95dcaa90
Author: Michael Tremer
Date:   Sun Apr 27 18:01:44 2025 +0200

    wireguard-functions.pl: Tolerate any IP addresses with subnet masks on import

    Signed-off-by: Michael Tremer

commit 5c71c87e88446bd42bdc3ec7143b8f032499aa06
Author: Michael Tremer
Date:   Sun Apr 27 17:50:09 2025 +0200

    wireguard-functions.pl: Don't strictly require a port in imported configurations

    If importing a client configuration, there might not be a port.
    This is quite likely to happen with VPN providers that don't create a connection but are awaiting incoming connections only.

    Signed-off-by: Michael Tremer

commit d365234701bb68bbf8826c7b7b74248021393cfe
Author: Michael Tremer
Date:   Sun Apr 27 17:48:19 2025 +0200

    wireguard.cgi: Show public key when hovering over a peer name

    This is quite useful when debugging a client.

    Signed-off-by: Michael Tremer

commit ff566655f74bdbbba135520d7b29633b4d18fa6a
Author: Michael Tremer
Date:   Sun Apr 27 17:47:39 2025 +0200

    wireguard-functions.pl: Append /32 subnet mask to client address

    Some clients seem to want this or otherwise refuse the import.

    Signed-off-by: Michael Tremer

commit 569a0a9d33e37c6967c47033bed75cdca8984fd1
Author: Michael Tremer
Date:   Sat Apr 26 15:03:53 2025 +0200

    langs: Add German translation for WireGuard

    Signed-off-by: Michael Tremer

commit 9fba112e94900d0a64a140a7d945d7ec651ce7ae
Author: Michael Tremer
Date:   Sat Apr 26 14:37:29 2025 +0200

    wireguard.cgi: Check the first available option on add

    Signed-off-by: Michael Tremer

commit 459bb750298c09990c0c8d4677f0f442887304d0
Author: Michael Tremer
Date:   Sat Apr 26 14:30:44 2025 +0200

    wireguard: Automatically apply MASQUERADE for peers with local address

    In this case we are the client and we cannot leak any local subnets.

    Signed-off-by: Michael Tremer

commit 361437f82984effc7408d4428cd6c89855163de4
Author: Michael Tremer
Date:   Sat Apr 26 14:25:27 2025 +0200

    wireguard: Support having a local IP address

    This is what we need to support VPN providers.

    Signed-off-by: Michael Tremer

commit 5abfabb8bd81ded8c01f34e71b0d01717a4952b4
Author: Michael Tremer
Date:   Sat Apr 26 14:04:54 2025 +0200

    wireguard-functions.pl: Complain if required fields are missing

    Signed-off-by: Michael Tremer

commit 0dc47e5dbd6df2ba54f20617bd54b2ae3f0bbec5
Author: Michael Tremer
Date:   Sat Apr 26 13:54:30 2025 +0200

    wireguard.cgi: Rebuild the importer

    This is now a two-step process that is asking for all sorts of required information.
    Signed-off-by: Michael Tremer

commit fa53185b7b50b3ffb40186a3c7d1c7a0204ca8cc
Author: Michael Tremer
Date:   Sat Apr 26 13:13:32 2025 +0200

    wireguard.cgi: Add some extra spacing when choosing a connection type

    Signed-off-by: Michael Tremer

commit cae7916decc645cd7ea9cefec739db0f9da93354
Author: Michael Tremer
Date:   Sat Apr 26 13:06:47 2025 +0200

    wireguard.cgi: Allow full access to everywhere by default for RW

    I think this is more what people would expect.

    Signed-off-by: Michael Tremer

commit 0bdbbd0e323062eab81504f61affc985e2c44cae
Author: Michael Tremer
Date:   Sat Apr 26 13:05:18 2025 +0200

    wireguard.cgi: Fail if we are trying to edit a peer that does not exist

    Signed-off-by: Michael Tremer

commit d0943219087f39fe69a47e20dff748297e4a5fb7
Author: Michael Tremer
Date:   Fri Apr 25 14:53:47 2025 +0200

    core195: Ship network-functions.pl

    Signed-off-by: Michael Tremer

commit 08f60babc98dad3b37c626867f2530998f5ca81c
Author: Michael Tremer
Date:   Fri Apr 25 14:53:07 2025 +0200

    wireguard.cgi: Normalize the pool address

    Signed-off-by: Michael Tremer

commit f4fa8b317d41fa5650ddcad5d42cdee1affc51e5
Author: Michael Tremer
Date:   Fri Apr 25 14:11:49 2025 +0200

    wireguard: Don't block RW peer traffic

    Signed-off-by: Michael Tremer

commit 3948ba05ec12cddf75a70174baa75097107c407b
Author: Michael Tremer
Date:   Fri Apr 25 14:06:36 2025 +0200

    wireguard-functions.pl: Fix collecting used IP addresses

    Signed-off-by: Michael Tremer

commit 25ac8dbdcf88184daa9e41bcc4cc489a5d3a5f11
Author: Michael Tremer
Date:   Fri Apr 25 12:30:37 2025 +0200

    wireguard-functions.pl: Dereference another array for local subnets

    Signed-off-by: Michael Tremer

commit 9638ab6ea9223e41dc21bc52ee189ab760c02327
Author: Michael Tremer
Date:   Fri Apr 25 10:00:10 2025 +0000

    core195: Ship gzip

    Signed-off-by: Michael Tremer

commit c55ed9a6022109ccc2a69d3d9066125ac862ff82
Author: Adolf Belka
Date:   Thu Apr 24 15:43:47 2025 +0200

    gzip: Update to version 1.14

    - Update from version 1.13 to 1.14
    - Update of rootfile not required
    - Changelog
      1.14
        ** Bug fixes
          'gzip -d' no longer omits the last partial output buffer when the input ends unexpectedly on an IBM Z platform. [bug introduced in gzip-1.11]
          'gzip -l' no longer misreports lengths of multimember inputs. [bug introduced in gzip-1.12]
          'gzip -S' now rejects suffixes containing '/'. [bug present since the beginning]
        ** Changes in behavior
          The GZIP environment variable is now silently ignored except for the options -1 (--fast) through -9 (--best), --rsyncable, and --synchronous. This brings gzip into line with more-cautious compressors like zstd that limit environment variables' effect to relatively innocuous performance issues. You can continue to use scripts to specify whatever gzip options you like.
          'zmore' is no longer installed on platforms lacking 'more'.
        ** Performance improvements
          gzip now decompresses significantly faster by computing CRCs via a slice by 8 algorithm, and faster yet on x86-64 platforms that support pclmul instructions.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 8afbef0fce2fde7d12ddbab26390c6a71c173bdc
Author: Michael Tremer
Date:   Fri Apr 25 11:56:20 2025 +0200

    wireguard-functions.pl: Fix array dereference when generating the client configuration

    Signed-off-by: Michael Tremer

commit dfb7062fba3bcac4a422f8d473d3fbe001cd1c65
Author: Michael Tremer
Date:   Fri Apr 25 11:52:01 2025 +0200

    wireguard-functions.pl: Don't crash when configuration files don't exist

    This should never really happen, but since we include this file in pretty much everything Perl, we should not fail.
    Signed-off-by: Michael Tremer

commit 7a735a765e91efd2b25dfade31056522796867b0
Author: Michael Tremer
Date:   Fri Apr 25 11:51:42 2025 +0200

    core195: Create an empty set of wireguard configuration files

    Signed-off-by: Michael Tremer

commit 0ef81845d8be2c869c227f76477337d8e27226fb
Author: Michael Tremer
Date:   Fri Apr 25 09:59:19 2025 +0000

    core195: Ship ids.cgi

    Signed-off-by: Michael Tremer

commit 5e93cd834b2f203d6adafc80a9eac603a116efd7
Author: Michael Tremer
Date:   Wed Apr 23 12:45:44 2025 +0200

    ids.cgi: Show graph only when all RRDs exist

    Signed-off-by: Michael Tremer

commit 3757b8ef10377e422f2c7b98d34f728ab0977809
Author: Michael Tremer
Date:   Thu Apr 24 15:00:39 2025 +0000

    core195: Ship OpenSSL

    Signed-off-by: Michael Tremer

commit c1f13252d063b374039bc80c12d60b389a75befd
Author: Adolf Belka
Date:   Thu Apr 24 15:43:54 2025 +0200

    openssl: Update to version 3.5.0

    - Update from version 3.4.1 to 3.5.0
    - Update of rootfile
    - The changelog mentions some potentially significant or incompatible changes. From the description they don't seem to be ones that would not work with IPFire but I will look at evaluating the new version in my vm testbed and reporting back.
    - Changelog
      3.5.0
        This release incorporates the following potentially significant or incompatible changes:
          Default encryption cipher for the req, cms, and smime applications changed from des-ede3-cbc to aes-256-cbc.
          The default TLS supported groups list has been changed to include and prefer hybrid PQC KEM groups. Some practically unused groups were removed from the default list.
          The default TLS keyshares have been changed to offer X25519MLKEM768 and X25519.
          All BIO_meth_get_*() functions were deprecated.
        This release adds the following new features:
          Support for server side QUIC (RFC 9000)
          Support for 3rd party QUIC stacks including 0-RTT support
          Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
          A new configuration option no-tls-deprecated-ec to disable support for TLS groups deprecated in RFC8422
          A new configuration option enable-fips-jitter to make the FIPS provider use the JITTER seed source
          Support for central key generation in CMP
          Support added for opaque symmetric key objects (EVP_SKEY)
          Support for multiple TLS keyshares and improved TLS key establishment group configurability
          API support for pipelining in provided cipher algorithms

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 66eac1139047efaf5619dcf562807b12c4a2a126
Author: Michael Tremer
Date:   Thu Apr 24 15:00:02 2025 +0000

    core195: Ship OpenSSH

    Signed-off-by: Michael Tremer

commit 1f1755aae03cd18dc2c54d550151a9406c2acb2b
Author: Adolf Belka
Date:   Thu Apr 24 15:43:53 2025 +0200

    openssh: Update to version 10.0p1

    - Update from version 9.9p2 to 10.0p1
    - Update of rootfile
    - There is a security fix in this version that openssh have described as minor.
    - From this version onwards the default key agreement used is the hybrid post-quantum algorithm - mlkem768x25519-sha256
    - Changelog
      10.0p1
        Potentially-incompatible changes
          * This release removes support for the weak DSA signature algorithm, completing the deprecation process that began in 2015 (when DSA was disabled by default) and repeatedly warned over the last 12 months.
          * scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by scp & sftp. This disables implicit session creation by these tools when ControlMaster was set to yes/auto by configuration, which some users found surprising. This change will not prevent scp/sftp from using an existing multiplexing session if one had already been created. GHPR557
          * This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0".
            Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this.
          * sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes. This change should be largely invisible to users, though some log messages may now come from "sshd-auth" instead of "sshd-session". Downstream distributors of OpenSSH will need to package the sshd-auth binary.
          * sshd(8): this release disables finite field (a.k.a modp) Diffie-Hellman key exchange in sshd by default. Specifically, this removes the "diffie-hellman-group*" and "diffie-hellman-group-exchange-*" methods from the default KEXAlgorithms list. The client is unchanged and continues to support these methods by default. Finite field Diffie Hellman is slow and computationally expensive for the same security level as Elliptic Curve DH or PQ key agreement while offering no redeeming advantages. ECDH has been specified for the SSH protocol for 15 years and some form of ECDH has been the default key exchange in OpenSSH for the last 14 years.
          * sshd(8): this release removes the implicit fallback to compiled-in groups for Diffie-Hellman Group Exchange KEX when the moduli file exists but does not contain moduli within the client-requested range. The fallback behaviour remains for the case where the moduli file does not exist at all. This allows administrators more explicit control over which DH groups will be selected, but can lead to connection failures if the moduli file is edited incorrectly.
            bz#2793
        Security
          * sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. X11 forwarding is disabled by default in the server and agent forwarding is off by default in the client.
        New features
          * ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement. This algorithm is considered to be safe against attack by quantum computers, is guaranteed to be no less strong than the popular curve25519-sha256 algorithm, has been standardised by NIST and is considerably faster than the previous default.
          * ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher for the connection. The default cipher preference list is now Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR (128/192/256).
          * ssh(1): add %-token and environment variable expansion to the ssh_config SetEnv directive.
          * ssh(1): allow %-token and environment variable expansion in the ssh_config User directive, with the exception of %r and %C which would be self-referential. bz#3477
          * ssh(1), sshd(8): add "Match version" support to ssh_config and sshd_config. Allows matching on the local version of OpenSSH, e.g. "Match version OpenSSH_10.*".
          * ssh(1): add support for "Match sessiontype" to ssh_config. Allows matching on the type of session initially requested, either "shell" for interactive sessions, "exec" for command execution sessions, "subsystem" for subsystem requests, such as sftp, or "none" for transport/forwarding-only sessions.
          * ssh(1): add support for "Match command ..." support to ssh_config, allowing matching on the remote command as specified on the command-line.
          * ssh(1): allow 'Match tagged ""' and 'Match command ""' to match empty tag and command values respectively.
          * sshd(8): allow glob(3) patterns to be used in sshd_config AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
            bz2755
          * sshd(1): support the VersionAddendum in the client, mirroring the option of the same name in the server; bz2745
          * ssh-agent(1): the agent will now delete all loaded keys when signaled with SIGUSR1. This allows deletion of keys without having access to $SSH_AUTH_SOCK.
          * Portable OpenSSH, ssh-agent(1): support systemd-style socket activation in ssh-agent using the LISTEN_PID/LISTEN_FDS mechanism. Activated when these environment variables are set, the agent is started with the -d or -D option and no socket path is set. GHPR502
          * ssh-keygen(1): support FIDO tokens that return no attestation data, e.g. recent WinHello. GHPR542
          * ssh-agent(1): add a "-Owebsafe-allow=..." option to allow the default FIDO application ID allow-list to be overridden.
          * Add a work-in-progress tool to verify FIDO attestation blobs that ssh-keygen can optionally write when enrolling FIDO keys. This tool is available under regress/misc/ssh-verify-attestation for experimentation but is not installed by "make install".
          * ssh-keygen(1): allow "-" as output file for moduli screening. GHPR393
        Bugfixes
          * sshd(8): remove assumption that the sshd_config and any configs it includes can fit in a (possibly enlarged) socket buffer. Previously it was possible to create a sufficiently large configuration that could cause sshd to fail to accept any connection. sshd(8) will now actively manage sending its config to the sshd-session sub-process.
          * ssh(1): don't start the ObscureKeystrokeTiming mitigations if there has been traffic on a X11 forwarding channel recently. Should fix X11 forwarding performance problems when this setting is enabled. bz3655
          * ssh(1): prohibit the comma character in hostnames accepted, but allow an underscore as the first character in a hostname.
          * sftp(1): set high-water when resuming a "put". Prevents bogus "server reordered acks" debug message.
          * ssh(1), sshd(8): fix regression in openssh-9.8, which would fail to accept "Match criteria=argument" as well as the documented "Match criteria argument" syntax in ssh_config and sshd_config. bz3739
          * sftp(1), ssh(1): fix a number of possible NULL dereference bugs, including Coverity CIDs 405019 and 477813.
          * sshd(8): fix PerSourcePenalty incorrectly using "crash" penalty when LoginGraceTime was exceeded. bz3797
          * sshd(8): fix "Match invalid-user" from incorrectly being activated in initial configuration pass when no other predicates were present on the match line
          * sshd(8): fix debug logging of user specific delay. GHPR#552
          * sshd(8): improve debug logging across sub-process boundaries. Previously some log messages were lost early in the sshd-auth and sshd-session processes' life.
          * ssh(1): require control-escape character sequences passed via the '-e ^x' command-line to be exactly two characters long. Avoids one byte out-of-bounds read if ssh is invoked as "ssh -e^ ..." GHPR368
          * ssh(1), sshd(8): prevent integer overflow in x11 port handling. These are theoretically possible if the admin misconfigured X11DisplayOffset or the user misconfigures their own $DISPLAY, but don't happen in normal operation. bz#3730
          * ssh-keygen(1): don't mess up ssh-keygen -l output when the file contains CR characters; GHPR236 bz3385.
          * sshd(8): add rate limits to logging of connections dropped by PerSourcePenalties. Previously these could be noisy in logs.
          * ssh(1): fix argument of "Compression" directive in ssh -G config dump, which regressed in openssh-9.8.
          * sshd(8): fix a corner-case triggered by UpdateHostKeys when sshd refuses to accept the signature returned by an agent holding host keys during the hostkey rotation sub-protocol. This situation could occur in situations where a PKCS#11 smartcard that lacked support for particular signature algorithms was used to store host keys.
          * ssh-keygen(1): when using RSA keys to sign messages with "ssh-keygen -Y", select the signature algorithm based on the requested hash algorithm ("-Ohashalg=xxx"). This allows using something other than the default of rsa-sha2-512, which may not be supported on all signing backends, e.g. some smartcards only support SHA256.
          * ssh(1), sshd(8), ssh-keyscan(1): fix ML-KEM768x25519 KEX on big-endian systems.
          * Many regression and interop test improvements.
        Portability
          * All: add support for AWS-LC (AWS libcrypto). bz3784
          * sshd(8): add wtmpdb support as a Y2038 safe wtmp replacement.
          * sshd(8): add support for locking sshd into memory, enabled with the --with-linux-memlock-onfault configure flag.
          * Add support for building a standalone sk-libfido2 library, enabled by --with-security-key-standalone
          * ssh(1), sshd(8), ssh-keyscan(1): include __builtin_popcount replacement function for compilers that lack it.
          * All: Check for and replace le32toh, le64toh, htole64 separately. It appears that at least some versions of endian.h in glibc do not have the latter two. bz#3794
          * Remove ancient RHL 6.x config in RPM spec.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 7d6b92e10d604050b22cb4f9823df13f8df15215
Author: Adolf Belka
Date:   Thu Apr 24 15:43:51 2025 +0200

    nano: Update to version 8.4

    - Update from version 8.3 to 8.4
    - Update of rootfile not required
    - Changelog
      8.4
          • Bracketed pastes over a slow connection are more reliable.
          • Tabs in an external paste at a prompt are not dropped.
          • Feedback occurs when the cursor sits on a Byte Order Mark.
          • The Execute prompt is more forgiving of a typo.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 9e3eebb4ef732acb81b9039a9d6983b5f59fcf9a
Author: Adolf Belka
Date:   Thu Apr 24 15:43:52 2025 +0200

    nfs: Update to version 2.8.3

    - Update from version 2.8.2 to 2.8.3
    - Update of rootfile not required
    - Changelog is just a list of the commits and is over 500 lines long.
      The details can be found in the changelog at https://sourceforge.net/projects/nfs/files/nfs-utils/2.8.3/

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit ab7944fceb9138fb3ec66c02d1573f99a853d0b8
Author: Michael Tremer
Date:   Thu Apr 24 14:58:34 2025 +0000

    core195: Ship libgpg-error

    Signed-off-by: Michael Tremer

commit 1a0cbc236b0e51399de495b582813acf5b39a9f4
Author: Adolf Belka
Date:   Thu Apr 24 15:43:50 2025 +0200

    libgpg-error: Update to version 1.54

    - Update from version 1.51 to 1.54
    - Update of rootfile
    - Changelog
      1.54
          * Fix a regression in 1.52 which did not allow to open UNC specified files on Windows. [rE28ae4ee194]
          * Ignore log file specification from the Registry in the gpg-error tool.
      1.53
          * Fix regression in 1.52.
      1.52
          * The KEY_WOW64_xxKEY flags can now be passed to the Registry read functions. [rE652328c786]
          * In the spawn functions care about closefrom/close call is interrupted. [T7478]
          * New command --getreg for gpg-error on Windows. [rE652328c786]
          * New simple string list API. [rE47097806f1]
          * New API for name value files. [rE7ec1f27b60]
          * Add a Windows Registry emulation for Unix. [rE9864dd4d66]
          * Interface changes relative to the 1.51 release:
              gpgrt_w32_reg_query_string NEW (Windows only).
              gpgrt_strlist_t NEW type.
              gpgrt_strlist_free NEW.
              gpgrt_strlist_add NEW.
              gpgrt_strlist_tokenize NEW.
              gpgrt_strlist_copy NEW.
              gpgrt_strlist_rev NEW.
              gpgrt_strlist_prev NEW.
              gpgrt_strlist_last NEW.
              gpgrt_strlist_pop NEW.
              gpgrt_strlist_find NEW.
              GPGRT_STRLIST_APPEND NEW const.
              GPGRT_STRLIST_WIPE NEW const.
              gpgrt_nvc_t NEW type.
              gpgrt_nve_t NEW type.
              gpgrt_nvc_new NEW.
              gpgrt_nvc_release NEW.
              gpgrt_nvc_get_flag NEW.
              gpgrt_nvc_add NEW.
              gpgrt_nvc_set NEW.
              gpgrt_nve_set NEW.
              gpgrt_nvc_delete NEW.
              gpgrt_nvc_lookup NEW.
              gpgrt_nvc_parse NEW.
              gpgrt_nvc_write NEW.
              gpgrt_nve_next NEW.
              gpgrt_nve_name NEW.
              gpgrt_nve_value NEW.
              gpgrt_nvc_get_string NEW.
              gpgrt_nvc_get_bool NEW.
              GPGRT_NVC_WIPE NEW const.
              GPGRT_NVC_PRIVKEY NEW const.
              GPGRT_NVC_SECTION NEW const.
              GPGRT_NVC_MODIFIED NEW const.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit f82f3234ab37ab0bef908d2550d3b17da105d5c1
Author: Michael Tremer
Date:   Thu Apr 24 14:58:17 2025 +0000

    core195: Ship libffi

    Signed-off-by: Michael Tremer

commit d4bf67e28f75d82e6873700d2f89b5a61ece0b00
Author: Adolf Belka
Date:   Thu Apr 24 15:43:49 2025 +0200

    libffi: Update to version 3.4.8

    - Update from version 3.4.7 to 3.4.8
    - Update of rootfile not required
    - Changelog
      3.4.8
          aarch64: add PAC to GNU Notes by @billatarm in #882
          MIPS: Don't import asm/sgidefs.h on linux by @fossdd in #885
          Update the Simple Example from the Docs to fix a compile error by @Nikitf777 in #886
          Fix bugs in the x86-64 and x32 target (#887) by @mikulas-patocka in #889
          Add the "ABI_ATTR" attribute to called functions (#891) by @mikulas-patocka in #892
          powerpc: Add static trampoline support (#894) by @peter-bergner in #895
          testsuite: add two tests to Makefile.am by @thesamesam in #893

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 38e463f7b6692c3ea88c0d384d4d390136c91a2f
Author: Michael Tremer
Date:   Thu Apr 24 14:57:55 2025 +0000

    core195: Ship libcap

    Signed-off-by: Michael Tremer

commit e5ee56f677e12873754589ac19669bffbfa8fe42
Author: Adolf Belka
Date:   Thu Apr 24 15:43:48 2025 +0200

    libcap: Update to version 2.76

    - Update from version 2.75 to 2.76
    - Update of rootfile
    - Changelog
      2.76
          More libpsx and psx Go package mechanism fixes (many thanks to Christian Kastner for helping dive into the off-piste architectures. See Bug 219915.)
          Address an arm64 (aarch64) libpsx issue seen with Tracee. (Tagged psx/v1.2.76-rc1)
            Note, 2.75 should have fixed the tracee issue 4678 but the above issue emerged from their extensive testing. Thanks to Gregório G. for reporting the observed failure details.
          More architectures supported: of the many architectures Debian builds for, we think only alpha and sparc64 have problems. Unable to construct qemu-*-system images with which to debug these.
            If anyone has a recipe for that that works for Fedora as a base platform, please provide details...
          To make the various .so files continue to be runnable as standalone programs added another workaround for glibc. (Bug 219880 reported by Christian Kastner.)
            _IO_stdin_used needs to be weakly defined to make puts() and friends work. Also updated the Stackoverflow answer to include that detail.
          Made a new man page cap_text_formats(7). This makes it possible to separate the tool man pages from the developer man pages. I believe this was the second time this was requested, by Carlos Rodriguez-Fernandez this time (can't find the former request in my email). Some man page cross linking fixes as well.
          Dropped Make.Rules definition of SYSTEM_HEADERS Thanks to Ross Burton for reporting.
          Removed a spurious debugging printf() from setcap tool.
          Removed cap_ workarounds for go.dev cap package examples. The website bugs have been resolved: go/issues/70611; go/issues/70630.
          Added a Makefile to the contrib/seccomp example.
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 981a5756fdbf9d099e16e358bc5ac206db1229dc
Author: Michael Tremer
Date:   Thu Apr 24 14:57:33 2025 +0000

    core195: Ship btrfs-progs

    Signed-off-by: Michael Tremer

commit cf56de7a94e5007bce8eaa37cc5a4929a13ff45e
Author: Adolf Belka
Date:   Thu Apr 24 15:43:44 2025 +0200

    btrfs-progs: Update to version 6.14

    - Update from version 6.13 to 6.14
    - Update of rootfile not required
    - Changelog
      6.14
          * mkfs:
            * allow --sectorsize to be 2K for testing purposes of subpage mode (needs the same block size supported by kernel)
            * fix false error when no compression is requested and lzo is not compiled in
          * convert: support 2K block size in the source filesystem
          * defrag: new parameter -L/--level to specify compression levels (kernel 6.15), also supports the realtime levels
          * subvol delete: show names of recursively deleted child subvolumes
          * qgroup show: use sysfs to detect up to date consistency status
          * zoned mode: support zone capacity tracking
          * other:
            * CI new and updated workflows
            * documentation updates

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit cca29326abd3e2fba6e6fc40c33e82a1ad001e9b
Author: Michael Tremer
Date:   Thu Apr 24 14:56:53 2025 +0000

    core195: Ship fontconfig

    Signed-off-by: Michael Tremer

commit 406ab3f286dd6ed8427f29534f686ddaeefe6e80
Author: Adolf Belka
Date:   Thu Apr 24 15:43:46 2025 +0200

    fontconfig: Update to version 2.16.2

    - Update from version 2.16.0 to 2.16.2
    - Update of rootfile
    - Default build system has been moved from autotools to meson. Autotools will likely be removed in next version.
    - Changelog
      2.16.2
          meson: do not require libintl if nls feature is disabled
          ci: Add back Android build in a common way
          ci: drop Language to make sure they are applied as default style
          ci: Change the default build system to meson
          ci: Stop on fail anyway
          ci: default to clean-build
          ci: detect OS from os-release if no FC_DISTRO_NAME is set
          ci: add missing dependency of pytest
          ci: Set more timeout for pytest
          ci: fix too many open files on test
          ci: add missing dependency of requests
          meson: Use Requires.private instead of Requires
          Upgrade bindgen in Fontations enabled Rust builds
          [Fontations] Add internal PatternBuilder abstraction
          meson: don't force build of a shared library
          meson.build: define a 'c' standard for the project (C99 and C11)
      2.16.1
          meson: create fc_cachedir at the installation time
          meson: set WORDS_BIGENDIAN
          ci: get back MinGW build to rawhide
          meson: make sure config.h contains config-fixups.h for OSX
          Reformatting with clang-format
          ci: Add a workflow to check the coding style
          ci: workaround conflict between systemd and systemd-standalone-sysusers
          conf.d: Add Adwaita Sans as system-ui
          ci: disable job tentatively
          ci: Add a release workflow
          [Fontations] Allow linkage to internals in tests
          meson.build: explicitly check for pthread support

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 553867681e73a487b59cc85327979b7f4d3049f0
Author: Michael Tremer
Date:   Thu Apr 24 14:56:28 2025 +0000

    core195: Ship coreutils

    Signed-off-by: Michael Tremer

commit 62bf01529bda71007f08827ae4c25684ebc31ef3
Author: Adolf Belka
Date:   Thu Apr 24 15:43:45 2025 +0200

    coreutils: Update to version 9.7

    - Update from version 9.5 to 9.7
    - Update of rootfile not required
    - Changelog
      9.7
        ** Bug fixes
          'cat' would fail with "input file is output file" if input and output are the same terminal device and the output is append-only. [bug introduced in coreutils-9.6]
          'cksum -a crc' misbehaved on aarch64 with 32-bit uint_fast32_t.
            [bug introduced in coreutils-9.6]
          dd with the 'nocache' flag will now detect all failures to drop the cache for the whole file. Previously it may have erroneously succeeded. [bug introduced with the "nocache" feature in coreutils-8.11]
          'ls -Z dir' would crash on all systems, and 'ls -l' could crash on systems like Android with SELinux but without xattr support. [bug introduced in coreutils-9.6]
          `ls -l` could output spurious "Not supported" errors in certain cases, like with dangling symlinks on cygwin. [bug introduced in coreutils-9.6]
          timeout would fail to timeout commands with infinitesimal timeouts. For example `timeout 1e-5000 sleep inf` would never timeout. [bug introduced with timeout in coreutils-7.0]
          sleep, tail, and timeout would sometimes sleep for slightly less time than requested. [bug introduced in coreutils-5.0]
          'who -m' now outputs entries for remote logins. Previously login entries prefixed with the service (like "sshd") were not matched. [bug introduced in coreutils-9.4]
        ** Improvements
          'logname' correctly returns the user who logged in the session, on more systems. Previously on musl or uclibc it would have merely output the LOGNAME environment variable.
      9.6
        ** Bug fixes
          cp fixes support for --update=none-fail, which would have been rejected as an invalid option. [bug introduced in coreutils-9.5]
          cp,mv --update no longer overrides --interactive or --force. [bug introduced in coreutils-9.3]
          csplit no longer creates empty files given empty input. [This bug was present in "the beginning".]
          ls and printf fix shell quoted output in the edge case of escaped first and last characters, and single quotes in the string. [bug introduced in coreutils-8.26]
          ls -l no longer outputs "Permission denied" errors on NFS which may happen with files without read permission, and which resulted in inaccurate indication of ACLs (missing '+' flag after mode). [bug introduced in coreutils-9.4]
          ls -l no longer outputs "Not supported" errors on virtiofs.
            [bug introduced in coreutils-9.4]
          mv works again with macFUSE file systems. Previously it would have exited with a "Function not implemented" error. [bug introduced in coreutils-8.28]
          nproc gives more consistent results on systems with more than 1024 CPUs. Previously it would have ignored the affinity mask on such systems. [bug introduced with nproc in coreutils-8.1]
          numfmt --from=iec-i now works with numbers without a suffix. Previously such numbers were rejected with an error. [bug introduced with numfmt in coreutils-8.21]
          printf now diagnoses attempts to treat empty strings as numbers, as per POSIX. For example, "printf '%d' ''" now issues a diagnostic and fails instead of silently succeeding. [This bug was present in "the beginning".]
          pwd no longer outputs an erroneous double slash on systems where the system getcwd() was completely replaced. [bug introduced in coreutils-9.2]
          'shuf' generates more-random output when the output is small. [bug introduced in coreutils-8.6]
          `tail --follow=name` no longer waits indefinitely for watched file names that are moved elsewhere within the same file system. [bug introduced in coreutils-8.24]
          `tail --follow` without --retry, will consistently exit with failure status where inotify is not used, when all followed files become inaccessible. [This bug was present in "the beginning".]
          `tail --follow --pid=PID` will now exit when the PID dies, even in the presence of blocking inputs like unopened fifos. [This bug was present in "the beginning".]
          'tail -c 4096 /dev/zero' no longer loops forever. [This bug was present in "the beginning".]
        ** Changes in behavior
          'factor' now buffers output more efficiently in some cases.
          install -C now dereferences symlink sources when comparing, rather than always treating as different and performing the copy.
          kill -l and -t now list signal 0, as it's a valid signal to send.
          ls's -f option now simply acts like -aU, instead of also ignoring some earlier options.
For example 'ls -fl' and 'ls -lf' are now equivalent because -f no longer ignores an earlier -l. The new behavior is more orthogonal and is compatible with FreeBSD. stat -f -c%T now reports the "fuseblk" file system type as "fuse", given that there is no longer a distinct "ctl" fuse variant file system. ** New Features cksum -a now supports the "crc32b" option, which calculates the CRC of the input as defined by ITU V.42, as used by gzip for example. For performance pclmul instructions are used where supported. ls now supports the --sort=name option, to explicitly select the default operation of sorting by file name. printf now supports indexed arguments, using the POSIX:2024 specified %$ format, where '' is an integer referencing a particular argument, thus allowing repetition or reordering of printf arguments. test supports the POSIX:2024 specified '<' and '>' operators with strings, to compare the string locale collating order. timeout now supports the POSIX:2024 specified -f, and -p short options, corresponding to --foreground, and --preserve-status respectively. ** Improvements cksum -a crc, makes use of AVX2, AVX512, and ARMv8 SIMD extensions for time reductions of up to 40%, 60%, and 80% respectively. 'head -c NUM', 'head -n NUM', 'nl -l NUM', 'nproc --ignore NUM', 'tail -c NUM', 'tail -n NUM', and 'tail --max-unchanged-stats NUM’ no longer fail merely because NUM stands for 2**64 or more. sort operates more efficiently when used on pseudo files with an apparent size of 0, like those in /proc. stat and tail now know about the "bcachefs", and "pidfs" file system types. stat -f -c%T now reports the file system type, and tail -f uses inotify for these file systems. wc now reads a minimum of 256KiB at a time. This was previously 16KiB and increasing to 256KiB was seen to increase wc -l performance by about 10% when reading cached files on modern systems. 
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit 1ae53a882e5e935c45e63dec707f8b7bc342f022
Author: Adolf Belka
Date: Thu Apr 24 15:43:43 2025 +0200

alsa: Update to version 1.2.14

- Update from version 1.2.13 to 1.2.14
- alsa-lib, alsa-utils and alsa-ucm-conf all updated to that new version.
- Update of rootfile
- Changelog
  1.2.14
    alsa-lib
      Core
        Delete alsalisp code
        include: prefer alsa/asoundlib.h for apps, dependency cleanups
        seq: Define new events for UMP EP/FB change notifications
        configure: Make sequencer dependent on rawmidi
        src/Versions.in.in: Update *_tempo_base name
      Config API
        include: prefer alsa/asoundlib.h for apps, dependency cleanups
      Control API
        control: remap - improve sync feature
        control: remap - add sync feature
        control: remap - separate event handling from map (preparation for sync)
        control: remap - add possibility to remap multiple source channels
        include: prefer alsa/asoundlib.h for apps, dependency cleanups
      PCM API
        pcm: hw: do not reset tstamp_type in SND_PCM_APPEND mode (#2)
        pcm: hw: fix default timestamp type for O_APPPEND
        pcm: hw: do not reset tstamp_type in SND_PCM_APPEND mode
        pcm: fix minor typos in doc
      RawMidi API
        rawmidi: ump - fix snd_ump_block_info_set_block_id double version #2
        rawmidi: Extensions for tied device and substream inactive flag
        rawmidi: ump - fix snd_ump_block_info_set_block_id double version
        rawmidi: ump - fix snd_ump_block_info_get_block_id double version
      Rawmidi API
        rawmidi: Make rawmidi flag bits doxygen-style comments
        rawmidi: Extensions for tied device and substream inactive flag
      Sequencer API
        seq: update_group_ports - rewrite blknames update
        ALSA: seq: Use SND_* instead of SNDRV_*
        ALSA: seq: Add missing UMP EP cap bit at snd_seq_create_ump_endpoint()
        seq: shuffle calloc arguments in snd_seq_hw_open (gcc warning)
        seq: add more checks to snd_seq_hw_set_client_info for older kernels
        seq: Fix typo of the group number in snd_seq_create_ump_endpoint()
        seq: Fix bogus return of snd_seq_client_info_get_ump_conversion()
        seq: seq.c - fix calloc arguments
        seq: seqmid - fix info->name is always true error
        seq: Define new events for UMP EP/FB change notifications
        seq: include UMP headers
      Use Case Manager API
        ucm: do not bump syntax version to 8
        ucm: add '${LibCaps}' substitution
        ucm: remove @@LibraryVersion and @@SyntaxVersion variables
        ucm: format @@SyntaxVersion to 4 digits
        ucm: enhance documentation (sys-card + ranges + more)
        ucm: add @@LibraryVersion and @@SyntaxVersion variables
        ucm: add sys-card substitution
      /Makefile.am
        Delete alsalisp code
      /include/Makefile.am
        Delete alsalisp code
        include: prefer alsa/asoundlib.h for apps, dependency cleanups
      ALSA Lisp
        Delete alsalisp code
      Documentation
        doc: fix permissions
      External PCM Filter Plugin SDK
        include: pcm extplug/ioplug: fix internal include
      External PCM I/O Plugin SDK
        include: pcm extplug/ioplug: fix internal include
      Kernel Headers
        Sync UAPI asequencer.h with 6.14 kernel
        Sync UAPI asound.h with 6.14 kernel
      MIDI 2.0 (UMP)
        include/ump_msg.h: Fix endianness detection
        seq: include UMP headers
      Test/Example code
        test/playmidi1: fix compilation caused by conflict between midifile.h and ump_msg.h
      Utils
        utils: add missing alsa-topology.pc.in to EXTRA_DIST
    alsa-utils
      Core
        axfer, topology: use only include instead specific alsa-lib headers
      ALSA Control (alsactl)
        alsactl: info - handle situations when devices are not available in kernel
        alsactl: info - print errors for next_device calls
        Remove trailing spaces in man pages
        alsactl: 90-alsa-restore.rules - fix AMD acp-pdm-mach link
        alsactl: 90-alsa-restore.rules - fix alsa_restore_go/std
      Audio Transfer utility
        axfer, topology: use only include instead specific alsa-lib headers
      alsa-info.sh
        alsa-info: move man page to section 8 (administration commands)
        alsa-info.sh: Add alsa-ucm package to package filter
      alsatplg (topology)
        Topology: NHLT: Intel: Improve error message for DMIC enable conflict
        Topology: NHLT: Intel: Fix mono DMIC configure for MTL platform
        axfer, topology: use only include instead specific alsa-lib headers
        Topology: NHLT: Intel: Fix DMA slots config in SSP blob
      amixer
        amixer: fix unknown TVL sequence print
      aplay/arecord
        Remove trailing spaces in man pages
      aplaymidi/arecordmidi
        Remove trailing spaces in man pages
      aplaymidi2/arecordmidi2 (MIDI v2.0)
        arecordmidi2: fix uninitialization variable error in read_ump_raw()
      aseqdump
        aseqdump: Fix typos in messages
    alsa-ucm-conf
      Core
        github: use ucm-validator2, use actions/checkout@v4
      Configuration
        USB-Audio: Add support of HyperX SoloCast (USB ID 03f0:0b8b)
        ucm2: Qualcomm: add Asus Zenbook A14
        ucm2: Qualcomm: add Lenovo ThinkBook 16 support
        ucm2: Qualcomm: add HP Omnibook X14 support
        USB-Audio: Add focusrite scarlett 18i20 lineup
        USB-Audio: Add Roland BridgeCast One
        sof-soundwire: cs42l43: Switch mixer based on output volume
        ucm2: sof-soundwire: Correct include file path for dsp.conf
        USB-Audio: ALC4080 - add rear microphone support for 0414:a014 (Gigabyte Aorus Pro)
        sof-soundwire: Add LED support for cs35l56 amplifiers
        sof-soundwire: cs42l43: Drop headset mic from mic mute LED
        HDA: mics - don't create conflict link for Headphone Mic
        HDA: mics - improve the Jack selection
        HDA: mics - prefer 'Mic Jack' instead 'Headphone Jack'
        USB-Audio: ALC4080 - add support for ASUS B850-I (USB ID 0b05:1be1)
        sof-hda-dsp: Use common HDA initialization from /HDA/init.conf
        HDA: move led.conf include to more appropriate place
        ucm2: Qualcomm: fix typo in Lenovo T14s matching
        sof-soundwire: rt1318: add playback control switch
        ucm2: Qualcomm: add Lenovo Yoga Slim7x support
        ucm2: Qualcomm: add Lenovo T14s support
        ucm2: MediaTek: mt8390-evk: Add support for SOF
        Torradex: replace spaces with tabs when appropriate
        Torradex: fix wrong device names Headphone/Microphone
        USB-Audio: Add support for RME Fireface UCX II
        Qualcomm: Add QCS6490 RB3Gen2 HiFi config
        Qualcomm: Add QCM6490 IDP HiFi config
        ucm2: IO-Boards: Toradex: verdin: Add support for Toradex
        ucm2: IO-Boards: Toradex: verdin: Add support for Toradex
        ucm2: NXP: iMX6: Toradex: colibri-imx6: Add support for
        ucm2: NXP: iMX7: Toradex: colibri-imx7: Add support for
        ucm2: NXP: iMX8X: Toradex: colibri-imx8x: Add support for
        ucm2: NXP: iMX6: Toradex: apalis-imx6: Add support for
        ucm2: NXP: iMX8: Toradex: apalis-imx8: Add support for
        ucm2: IO-Boards: Toradex: apalis: Add support for Toradex
        USB-Audio: add Roland Quad-Capture support
        ucm2: HDA - remove HDA-Capture-value.conf and put contents directly to HDACaptureDevice macro
        ucm2: HDA: HiFi-analog/mic: Refactor the analog mic discovery
        GoXLR: Add 'Broadcast Stream Mix 2' to Capture if channels
        use SetLED in rt1318 init configuration
        Turn speaker LED according to rt1318 speaker status
        ucm2: use new SetLED macro to hide the implementation details
        common: add led.conf with SetLED macro to hide implementation details
        USB-Audio: Add support for TASCAM Model 12
        UCM2: Blobs: SOF: Cleanup blob names from .blob to .bin
        USB-Audio: alc4080: Add MSI PRO B650-A WIFI USB ID 0db0:9e6d
        USB-Audio: Improve support for Focusrite 4th Gen devices
        USB-Audio: GoXLR - fix the channel detection for mini, cleanups
        USB-Audio: set capture channels to 4 in UR22C-HiFi.conf
        sof-soundwire: Fix cs42l43 dmic initialisation
        sof-soundwire: Split cs42l43 dmic initialisation
        ucm2: add mt8183_mt6358_ts3a227_max98357
        ucm2: add mt8183_da7219_rt1015p
        ucm2: add acp3x-alc5682-alc1015
        DEBUG.md: add "Logs from PipeWire (wireplumber)" section
        USB-Audio: Revelator-IO-44-HiFi - fix device names (validator)
        Rename ucm2/AMD/acp3xalc5682m98 to ucm2/AMD/acp3x-alc5682-max98357
        Rename ucm2/AMD/acpd7219m98357 to ucm2/AMD/acp-da7219-rt5682-max98357
        Qualcomm: Add SM8750 MTP HiFi config
        rt722: change output volume of headphone to 0dB
        ucm2: USB-Audio: add Presonus Revelator IO 44 (USB194f:0424)
        USB-Audio: ALC4080 - add ASUS ROG Crosshair X870E Hero (USB ID 0b05:1b7c)
        sun4i-codec: add routing for headphones and internal speaker
        UCM2: sof-soundwire: Add setup of IIR, DRC, beamformer
        UCM2: sof-soundwire: Add setup of IIR, DRC, beamformer
        UCM2: sof-soundwire: Enable DRC and equalizers for
        UCM2: Intel: sof-hda-dsp: Enable Dmic0 DRC and TDFB
        UCM2: Blobs/SOF/IPC4: Add Beamformer blobs, update
        UCM2: Intel: sof-hda-dsp: Cleanup definitions
        UCM2: Intel: sof-hda-dsp: Move variables definitions from
        ucm: fix SectionDevice identifiers
        ucm2: whitespace fixes
        USB-Audio: ALC4080: add support for MSI MEG X670E GODLIKE (USB 0db0:e1f8)
        USB-Audio: ALC4080 - add ASUS ROG STRIX X870E-E GAMING WIFI (USB 0b05:1b9b)
        Configuration files for Roland Bridge Cast X V2
        ucm2: sof-soundwire: Correct FixedBootSequence for dmic info
        amd-soundwire: add support for AMD generic legacy machine driver
        sof-hda-dsp: Add back missing .conf suffix for product/user specific configs
        sof-soundwire: whitespace cleanup
        sof-soundwire: cs42l43: Correct CapturePCM and routing
        avs_nau8825: Fix JackControl name
        sof-soundwire: cs42l43-spk: Correct PlaybackPCM and routing
        sof-hda-dsp: Fix the case where sysfs dmi product_name attribute is not set
        UCM2: Intel: sof-hda-dsp: Fix handling of empty sys_vendor

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit 634af916739e6758c853939c08b7b409dc2379cb
Author: Stephen Cuka
Date: Thu Apr 24 06:40:55 2025 -0600

pakfire.cgi: Changes to 'Install' confirmation page

- Comma separate package names if multiple packages selected to install.
- Display dependencies for package(s) to install in 'parent -> child' format.
- Formatting and verbiage changes.
- No functional changes to the install process.

Signed-off-by: Stephen Cuka
Signed-off-by: Michael Tremer

commit a8a107af2ed730c71d12d2cc276242403c814cfe
Author: Adolf Belka
Date: Thu Apr 24 16:20:41 2025 +0200

core195: Ship backup.pl and sources files

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer