commit bfbf3566b6a206cac68c1b36764451f73f89049f
Author: Michael Tremer
Date:   Thu May 22 15:37:46 2025 +0000

    Revert "screen: Update to version 5.0.1"

    This reverts commit de98f72736d8ee27c31226df46403b4e122733e2.

    The source tarball contains binaries. Read more here:

    https://lists.ipfire.org/development/98828B86-5323-4EFA-9278-6BB578AB77E2@ipfire.org/T/#t

    Signed-off-by: Michael Tremer

commit 89bd70bc4054d3c53148374f86e9812e90a26a5a
Merge: c405b9701 1e50e6e79
Author: Michael Tremer
Date:   Thu May 22 15:18:45 2025 +0000

    Merge branch 'master' into next

commit 1e50e6e79163d3e0ef551044f1cd11807f6e2ba5
Author: Adolf Belka
Date:   Tue May 20 12:57:39 2025 +0200

    http-client-functions.pl: Fixes bug13852

    Suggested-by: Adam G
    Fixes: bug13852
    Tested-by: Adolf Belka
    Tested-by: Adam G
    Signed-off-by: Adolf Belka
    Acked-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 186cfa34b580f70f9ccf00aa4503e479df2cd31b
Author: Adolf Belka
Date:   Wed May 21 20:57:38 2025 +0200

    core195: Ship ntp - fixes bug13855

    Fixes: bug13855
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit c405b9701fb86ef1e1b21c08db7c8110a162e70b
Author: Michael Tremer
Date:   Thu May 22 15:16:45 2025 +0000

    core196: Ship libarchive

    Signed-off-by: Michael Tremer

commit 6f76ad5ffd6d93c5996a33cc42129cabf0d03a36
Author: Adolf Belka
Date:   Thu May 22 15:08:31 2025 +0200

    libarchive: Update to version 3.8.0

    - Update from version 3.7.9 to 3.8.0
    - Update of rootfile
    - Changelog
        3.8.0
          New features:
            bsdtar: support --mtime and --clamp-mtime (#2601)
            lib: mbedtls 3.x compatibility (#2602)
            7-zip reader: improve self-extracting archive detection (#2088)
            xar: xmllite support for the XAR reader and writer (#2388)
            zip writer: added XZ, LZMA, ZSTD and BZIP2 support (#2137, #2284, #2391)
            zip writer: added LZMA + RISCV BCJ filter (#2403)
          Notable security fixes:
            rar: do not skip past EOF while reading (#2584)
            rar: fix double free with over 4 billion nodes (#2598)
            rar: fix heap-buffer-overflow (#2599)
            warc: prevent signed integer
              overflow (#2568)
            tar: fix overflow in build_ustar_entry (#2588)
          Notable bugfixes:
            bsdtar: don't hardlink negative inode files together (#2587)
            gz: allow setting the original filename for gzip compressed files (#2544)
            lib: improve lseek handling (#2564)
            lib: support @-prefixed Unix epoch timestamps as date strings (#2606)
            rar: support large headers on 32 bit systems (#2596)
            tar reader: Improve LFS support on 32 bit systems (#2582)

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 2bb2919a72318e5279ebf07617d36f7a2fb6c8f5
Author: Michael Tremer
Date:   Thu May 22 15:16:12 2025 +0000

    core196: Ship BIND

    Signed-off-by: Michael Tremer

commit 14c452287d009e080976e67526cf6e088fd3e3dd
Author: Adolf Belka
Date:   Thu May 22 15:08:30 2025 +0200

    bind: Update to version 9.20.9

    - Update from version 9.20.8 to 9.20.9
    - Update of rootfile
    - Changelog
        9.20.9
          Security Fixes
            - [CVE-2025-40775] Prevent assertion when processing TSIG algorithm.
              ``b8c198ac5ca``
              DNS messages that included a Transaction Signature (TSIG)
              containing an invalid value in the algorithm field caused
              :iscman:`named` to crash with an assertion failure. This has
              been fixed. :cve:`2025-40775` :gl:`#5300`
          Feature Changes
            - Use jinja2 templates in system tests. ``8f545784ff0``
              `python-jinja2` is now required to run system tests.
              :gl:`#4938` :gl:`!10396`
          Bug Fixes
            - Fix EDNS yaml output. ``8c3b226d89b``
              `dig` was producing invalid YAML when displaying some EDNS
              options. This has been corrected. Several other improvements
              have been made to the display of EDNS option data:
              - We now use the correct name for the UPDATE-LEASE option,
                which was previously displayed as "UL", and split it into
                separate LEASE and LEASE-KEY components in YAML mode.
              - Human-readable durations are now displayed as comments in
                YAML mode so as not to interfere with machine parsing.
              - KEY-TAG options are now displayed as an array of integers
                in YAML mode.
              - EDNS COOKIE options are displayed as separate CLIENT and
                SERVER components, and cookie STATUS is a retrievable
                variable in YAML mode.
              :gl:`#5014` :gl:`!10414`
            - Return DNS COOKIE and NSID with BADVERS. ``34b7323bad6``
              This change allows the client to identify the server that
              returns the BADVERS and to provide a DNS SERVER COOKIE to be
              included in the resend of the request. :gl:`#5235`
              :gl:`!10392`
            - Disable own memory context for libxml2 on macOS.
              ``51e51d5ea8f``
              Apple broke custom memory allocation functions in the
              system-wide libxml2 starting with macOS Sequoia 15.4. Usage of
              the custom memory allocation functions has been disabled on
              macOS. :gl:`#5268` :gl:`!10411`
            - `check_private` failed to account for the length byte before
              the OID. ``2b827380e75``
              In PRIVATEOID keys, the key data begins with a length byte
              followed by an ASN.1 object identifier that indicates the
              cryptographic algorithm to use. Previously, the length byte
              was not accounted for when checking the contents of keys and
              signatures, which could have led to interoperability problems
              with any zones signed using PRIVATEOID. This has been fixed.
              :gl:`#5270` :gl:`!10376`
            - Fix a serve-stale issue with a delegated zone.
              ``d839d11bf62``
              When ``stale-answer-client-timeout 0`` option was enabled, it
              could be ignored when resolving a zone which is a delegation
              of an authoritative zone belonging to the resolver. This has
              been fixed. :gl:`#5275` :gl:`!10420`
            - Fix the ksr two-tone test. ``3e2b255b5b7``
              The two-tone ksr subtest (test_ksr_twotone) depended on the
              dnssec-policy keys algorithm values in named.conf being
              entered in numerical order. As the algorithms used in the
              test can be selected randomly this does not always happen.
              Sort the dnssec-policy keys by algorithm when adding them to
              the key list from named.conf. :gl:`#5286` :gl:`!10435`
            - Revert NSEC3 closest encloser lookup improvements.
              ``ac41f158fad``
              The performance improvements for NSEC3 closest encloser
              lookups that were restored in BIND 9.20.8 turned out to cause
              incorrect NSEC3 records to be returned in nonexistence proofs
              and were therefore reverted again. :gl:`#5292` :gl:`!10443`

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit add0b84fd6a0b529a71206fac79e7a79cc7572e9
Author: Michael Tremer
Date:   Thu May 22 15:15:05 2025 +0000

    core196: Ship apr

    Signed-off-by: Michael Tremer

commit 8509b471f3085aebbc596e6addaee5f3b731cb7f
Author: Adolf Belka
Date:   Thu May 22 15:08:29 2025 +0200

    apr: Update to version 1.7.6

    - Update from version 1.7.5 to 1.7.6
    - Update of rootfile
    - Changelog
        1.7.6
          *) test/testsock.c (test_get_addr): Fix test to portably switch
             the socket to non-blocking mode using apr_socket_timeout_set().
             Also make the test SKIP for the case where the connect()
             completes synchronously. [Ivan Zhakov]
          *) network_io/win32/sockets.c: (apr_socket_connect): Copy the
             remote address by value rather than by reference. This ensures
             that the sockaddr object returned by apr_socket_addr_get is
             allocated from the same pool as the socket object itself, as
             apr_socket_accept does; avoiding any potential lifetime
             mismatches. [Ivan Zhakov]
          *) CMake: Install include/apr_encode.h. [Ivan Zhakov]
          *) CMake: Fix installation PDB files with multi-config generators.
             [Ivan Zhakov]

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 1fbd20b8fadef562c5f5897ef8c4f7d0d9d4306b
Author: Michael Tremer
Date:   Thu May 22 15:14:19 2025 +0000

    core196: Ship man-pages

    Signed-off-by: Michael Tremer

commit 30b83e7161724a4101a9aba83befa2177c6c675f
Author: Adolf Belka
Date:   Tue May 20 11:09:27 2025 +0200

    man-pages: Update to version 6.14

    - Update from version 6.9.1 to 6.14
    - Update of rootfile
    - -R had to be added in to make command. See changelog Global changes
      for version 6.11 The -R will be able to be removed after make version
      4.5 has been released.
    - Changelog
        6.14
          New and rewritten pages
            man2const/
              UFFDIO_MOVE.2const
            man7/
              mctp.7
          Newly documented interfaces in existing pages
            man2/
              fanotify_init.2
                FAN_REPORT_FD_ERROR
                FAN_REPORT_MNT
              fanotify_mark.2
                FAN_PRE_ACCESS
                FAN_MARK_MNTNS
                FAN_MNT_ATTACH, FAN_MNT_DETACH
              open_by_handle_at.2
                AT_HANDLE_CONNECTABLE
                AT_HANDLE_MNT_ID_UNIQUE
            man2const/
              TIOCLINUX.2const
                TIOCL_SELCHAR
                TIOCL_SELWORD
                TIOCL_SELLINE
                TIOCL_SELPOINTER
                TIOCL_SELCLEAR
                TIOCL_SELMOUSEREPORT
            man3/
              abs.3
                uabs(3)
                ulabs(3)
                ullabs(3)
                uimaxabs(3)
            man7/
              fanotify.7
                FAN_DENY_ERRNO()
                FAN_REPORT_FD_ERROR
                FAN_PRE_ACCESS
                FAN_RESPONSE_INFO_AUDIT_RULE
                FAN_REPORT_MNT
                FAN_MNT_ATTACH, FAN_MNT_DETACH
                FAN_EVENT_INFO_TYPE_MNT
          New and changed links
            man3/
              uabs.3 (abs(3))
              ulabs.3 (abs(3))
              ullabs.3 (abs(3))
              uimaxabs.3 (abs(3))
          Global changes
            - CREDITS, *
              - Move in-source contribution records to a new CREDITS file,
                and update copyright notices to be uniform across the
                project.
            - man/
              - Use GNU forward declarations of parameters for sizes of
                array parameters.
              - \fX => \f[X]
              - Use 'path' instead of 'pathname' for parameters.
        6.13
          Newly documented interfaces in existing pages
            man7/
              landlock.7
                Landlock ABI v6
                LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
                LANDLOCK_SCOPE_SIGNAL
          Global changes
            - Build system:
              - PDF book:
                - Add support for UNIX V10 sources.
              - Makefiles:
                - Don't pass an escaped # to grep(1). Use a trick to work
                  with both new and old systems. This fixes a regression in
                  the build system from man-pages-6.11, which was itself
                  introduced while fixing a regression introduced in
                  man-pages-6.10.
        6.12
          Newly documented interfaces in existing pages
            man2/
              mbind.2
                MPOL_PREFERRED_MANY
              set_mempolicy.2
                MPOL_PREFERRED_MANY
          Global changes
            - Build system:
              - Use ifndef and := instead of ?= (fixes regression introduced
                in 6.11, which affected at least the version string).
        6.11
          New and rewritten pages
            man7/
              pathname.7
          Global changes
            - Build system:
              - [Breaking change!] Require the user to pass '-R' to make(1).
                This is necessary to be able to do the following change.
                When GNU make(1) releases a new version, it will not be
                necessary to pass -R, but in current versions of make(1) it
                is necessary.
              - [Breaking change!] Use '?=' assignments instead of ':=', to
                support setting make(1) variables in the environment. Now
                one can do this:

                    $ export prefix=/usr
                    $ make -R
                    $ sudo make install -R

                (The -R is only necessary in GNU make(1) versions prior to
                the yet-unreleased 4.5.)
              - Escape '#' in regexes, to support old versions of GNU
                make(1). This fixes a regression in man-pages-6.10, which
                caused issues in users with an old-enough version of GNU
                make(1), such as the one present in Debian old-old-stable.
              - Fix duplicate overview-panel entries in the PDF book.
            - CONTRIBUTING.d/:
              - Add C coding style guide.
            - RELEASE:
              - Document the production of the book.
            - man/:
              - Refresh bpf-helpers(7) from Linux v6.13.
        6.10
          New and rewritten pages
            man1/
              diffman-git.1
              mansect.1
              pdfman.1
              sortman.1
            man2/
              keyctl.2 (split into many pages)
              listmount.2
              statmount.2
              uretprobe.2
            man2const/
              KEYCTL_ASSUME_AUTHORITY.2const (previously, keyctl.2)
              KEYCTL_CHOWN.2const (previously, keyctl.2)
              KEYCTL_CLEAR.2const (previously, keyctl.2)
              KEYCTL_DESCRIBE.2const (previously, keyctl.2)
              KEYCTL_DH_COMPUTE.2const (previously, keyctl.2)
              KEYCTL_GET_KEYRING_ID.2const (previously, keyctl.2)
              KEYCTL_GET_PERSISTENT.2const (previously, keyctl.2)
              KEYCTL_GET_SECURITY.2const (previously, keyctl.2)
              KEYCTL_INSTANTIATE.2const (previously, keyctl.2)
              KEYCTL_INVALIDATE.2const (previously, keyctl.2)
              KEYCTL_JOIN_SESSION_KEYRING.2const (previously, keyctl.2)
              KEYCTL_LINK.2const (previously, keyctl.2)
              KEYCTL_READ.2const (previously, keyctl.2)
              KEYCTL_RESTRICT_KEYRING.2const (previously, keyctl.2)
              KEYCTL_REVOKE.2const (previously, keyctl.2)
              KEYCTL_SEARCH.2const (previously, keyctl.2)
              KEYCTL_SESSION_TO_PARENT.2const (previously, keyctl.2)
              KEYCTL_SETPERM.2const (previously, keyctl.2)
              KEYCTL_SET_REQKEY_KEYRING.2const (previously, keyctl.2)
              KEYCTL_SET_TIMEOUT.2const (previously, keyctl.2)
              KEYCTL_UNLINK.2const (previously, keyctl.2)
              KEYCTL_UPDATE.2const (previously, keyctl.2)
              PR_RISCV_SET_ICACHE_FLUSH_CTX.2const
            man3/
              __riscv_flush_icache.3
              timespec_get.3
              wcscasecmp.3 (merged wcsncasecmp.3 with it)
              wcsncasecmp.3 (merged into wcsncasecmp.3)
          Newly documented interfaces in existing pages
            man2/
              io_submit.2
                RWF_ATOMIC
                RWF_NOAPPEND
              landlock_add_rule.2
                Landlock ABI v4
              landlock_create_ruleset.2
                Landlock ABI v4
              madvise.2
                MADV_GUARD_INSTALL
                MADV_GUARD_REMOVE
              perf_event_open.2
                struct perf_event_attr::inherit && cpus=-1
              posix_fadvise.2
                POSIX_FADV_NOREUSE
              prctl.2
                PR_RISCV_SET_ICACHE_FLUSH_CTX
              process_madvise.2
                All flags permitted for calling process
              readv.2
                RWF_ATOMIC
                RWF_NOAPPEND
              stat.2
                AT_EMPTY_PATH && NULL
              statx.2
                AT_EMPTY_PATH && NULL
                STATX_DIO_READ_ALIGN
                STATX_MNT_ID_UNIQUE
                STATX_SUBVOL
                STATX_WRITE_ATOMIC
            man3/
              dlinfo.3
                RTLD_DI_PHDR
              fnmatch.3
                FNM_IGNORECASE
            man7/
              landlock.7
                Landlock ABI v4
                Landlock ABI v5
              rtnetlink.7
                struct ifa_cacheinfo
          New and changed links
            man2/
              riscv_flush_icache.2 (__riscv_flush_icache(3))
            man2const/
              KEYCTL_INSTANTIATE_IOV.2const (KEYCTL_INSTANTIATE(2const))
              KEYCTL_NEGATE.2const (KEYCTL_INSTANTIATE(2const))
              KEYCTL_REJECT.2const (KEYCTL_INSTANTIATE(2const))
            man3/
              timespec_getres.3 (timespec_get(3))
              wcsncasecmp.3 (wcscasecmp(3))
          Global changes
            - src/bin/
              - Add a few programs that are useful for maintaining manual
                pages: diffman-git(1), mansect(1), pdfman(1), sortman(1)
            - SPONSORS
              - Add file listing the sponsors of this project.
            - CONTRIBUTING*
              - Expand documentation for contributing to the project.
                Especially, regarding help using git(1).
            - man/
              - Split keyctl.2
              - man2/, man3/: SYNOPSIS: Rename function parameters for
                consistency and correctness.
              - man2/, man3/: SYNOPSIS: Use typeof() to improve readability
                of function pointers.
              - man1/: SYNOPSIS: Use .SY/.YS for formatting commands.
            - share/mk/
              - Refactor *FLAGS and LDLIBS variables, as requested by some
                distros.
            - LICENSES/
              - Add GPL-3.0-or-later.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit b9b9e7da02fb5cb22c27ef61970ea6df472c1815
Author: Michael Tremer
Date:   Thu May 22 15:13:42 2025 +0000

    core196: Ship libgcrypt

    Signed-off-by: Michael Tremer

commit 9b163cfe595d0215957e6ef06ea34780c207d1a6
Author: Adolf Belka
Date:   Tue May 20 11:09:26 2025 +0200

    libgcrypt: Update to version 1.11.1

    - Update from version 1.11.0 to 1.11.1
    - Update of rootfile
    - Changelog
        1.11.1
          * Bug fixes:
            - Fix build regression on 32 bit Windows using Clang. [T7175]
            - Fix build regression on macOS due to symbol naming. [T7170]
            - Fix Kyber secret-dependent branch introduced by recent
              versions of Clang. [rCf765778e82]
            - Fix build regression due to the use of AVX512 in Blake.
              [T7184]
            - Do not build i386 asm on amd64 and vice versa. [T7220]
            - Fix build regression on armhf with gcc-14. [T7226]
            - Return the proper error code on malloc failure in hex2buffer.
              [rCc51151f5b0]
            - Fix long standing bug for PRIME % 2 == 0. [rC639b0fca15]
          * Performance:
            - Add AES Vector Permute intrinsics implementation for AArch64.
              [rC94a63aedbb]
            - Add GHASH AArch64/SIMD intrinsics implementation.
              [rCfec871fd18]
            - Add RISC-V vector permute AES. [rCb24ebd6163]
            - Add GHASH RISC-V Zbb+Zbc implementation. [rC0f1fec12b0]
            - Add ChaCha20 RISC-V vector intrinsics implementation.
              [rC8dbee93ac2]
            - Add SHA3 acceleration for RISC-V Zbb extension.
              [rC1a660068ba]
          * Other:
            - Add CET support for i386 and amd64 assembly. [T7220]
            - Add PAC/BTI support for AArch64 asm. [T7220]
            - Apply changes to Kyber from upstream for final FIPS 203.
              [rCcc95c36e7f]
            - Introduce an internal API for a revamped FIPS service
              indicator. [T7340]
            - Several improvements for constant time operation by the
              introduction of Least Leak Intended (LLI) variants of internal
              functions. [T7519,T7490]
            - Remove WindowsCE support.
              [T7486]

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 1560233869b50d528d9d7052174d8126941d0cc6
Author: Adolf Belka
Date:   Tue May 20 11:09:25 2025 +0200

    iperf3: Update to version 3.19

    - Update from version 3.16 to 3.19
    - Update of rootfile not required
    - CVE fix in version 3.18 and another in 3.17. The CVE fix in 3.17
      results in a breaking change. The vulnerable option can be enabled in
      the build but that doesn't seem to be a good approach for IPFire. I am
      not sure that the non backwards compatible changed padding on
      encrypted strings would create a problem for us. I suspect this is
      more if iperf3 is being used in a continuous measuring mode and in
      IPFire it is an addon that is used to measure throughput rates when
      required.
    - Changelog
        3.19
          Notable user-visible changes
            iperf3 now supports the use of Multi-Path TCP (MPTCPv1) on Linux
              with the use of the -m or --mptcp flag. (PR #1661)
            iperf3 now supports a --cntl-ka option to enable TCP keepalives
              on the control connection. (#812, #835, PR #1423)
            iperf3 now supports the MSG_TRUNC receive option, specified by
              the --skip-rx-copy. This theoretically improves the rated
              throughput of tests at high bitrates by not delivering network
              payload data to userspace. (#1678, PR #1717)
            A bug that caused the bitrate setting to be ignored when bursts
              are set, has been fixed. (#1773, #1820, PR #1821, PR #1848)
            The congestion control protocol setting, if used, is now
              properly reset between tests. (PR #1812)
            iperf3 now exits with a non-error 0 exit code if exiting via a
              SIGTERM, SIGHUP, or SIGINT. (#1009, PR# 1829)
            The current behavior of iperf3 with respect to the -n and -k
              options is now documented as correct. (#1768, #1775, #596,
              PR #1800)
          Notable developer-visible changes
            iperf3 now supports a callback function to get the JSON output
              strings.
              (#1711, PR #1798)
            iperf3 now builds correctly with gcc-15 (#1838, PR #1805)
            Various memory leaks were fixed (#1881, PR#1823, #1814, PR#1822)
            A potential segfault crash was fixed (#1807)
            Improved warning messages when reading malformed JSON messages
              (PR #1817)
            The Github CI configuration was changed to use a more up-to-date
              set of runners (PR #1864)
        3.18
          Notable user-visible changes
            SECURITY NOTE: Thanks to Leonid Krolle Bi.Zone for discovering a
              JSON type security vulnerability that caused a segmentation
              fault in the server. (CVE-2024-53580) This has now been fixed.
              (PR#1810)
            UDP packets per second now reports the correct number of
              packets, by reporting NET_SOFTERROR if there's a EAGAIN/EINTR
              errno if no data was sent (#1367/PR#1379).
            Several segmentation faults related to threading were fixed. One
              where pthread_cancel was called on an improperly initialized
              thread (#1801), another where threads were being recycled
              (#1760/PR#1761), and another where threads were improperly
              handling signals (#1750/PR#1752).
            A segmentation fault from calling freeaddrinfo with NULL was
              fixed (PR#1755).
            Some JSON options were fixed, including checking the size for
              json_read (PR#1709), but the size limit was removed for
              received server output (PR#1779).
            A rcv-timeout error has been fixed. The Nread timeout was
              hardcoded and timed out before the --rcv-timeout option
              (PR#1744).
            There is no longer a limit on the omit time period
              (#1770/PR#1774).
            Fixed an output crash under 32-bit big-endian systems (PR#1713).
            An issue was fixed where CPU utilization was unexpectedly high
              during limited baud rate tests. The --pacing-timer option was
              removed, but it is still available in the library
              (#1741/PR#1743).
            Add SCTP information to --json output and fixed compile error
              when SCTP is not supported (#1731).
            --fq-rate was changed from a uint to a uint64 to allow pacing
              above 32G. Not yet tested on big-endian systems (PR#1728).
          Notable developer-visible changes
            Clang compilation failure on Android were fixed (PR#1687).
            iperf_time_add() was optimized to improve performance (PR#1742).
            Debug messages were added when the state changes (PR#1734).
            To increase performance, the old UDP prot_listener is cleared
              and removed after each test (PR#1708).
            A file descriptor leak was closed (PR#1619).
        3.17.1
          Notable user-visible changes
            Version number has been corrected. (#1699)
          Notable developer-visible changes
            No longer signing tags
        3.17
          Notable user-visible changes
            BREAKING CHANGE: iperf3's authentication features, when used
              with OpenSSL prior to 3.2.0, contain a vulnerability to a
              side-channel timing attack. To address this flaw, a change has
              been made to the padding applied to encrypted strings. This
              change is not backwards compatible with older versions of
              iperf3 (before 3.17). To restore the older (vulnerable)
              behavior, and hence backwards-compatibility, use the
              --use-pkcs1-padding flag. The iperf3 team thanks Hubert Kario
              from RedHat for reporting this issue and providing feedback on
              the fix. (CVE-2024-26306)(PR#1695)
            iperf3 no longer changes its current working directory in
              --daemon mode. This results in more predictable behavior with
              relative paths, in particular finding key and credential files
              for authentication. (PR#1672)
            A new --json-stream option has been added to enable a streaming
              output format, consisting of a series of JSON objects (for the
              start of the test, each measurement interval, and the end of
              the test) separated by newlines (#444, #923, #1098).
            UDP tests now work correctly between different endian hosts
              (#1415).
            The --fq-rate parameter now works for --reverse tests (#1632,
              PR#1667).
            The statistics reporting interval is now available in the --json
              start test object (#1663).
            A negative time test duration is now properly flagged as an
              error (IS#1662 / PR#1666).
          Notable developer-visible changes
            Fixes have been made to better (unofficially) support builds on
              Android (#1641 / #1651) and VxWorks (#1595).
            iperf3 now builds correctly on architectures without native
              support for 64-bit atomic types, by linking with the libatomic
              library (#1611).

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 9f8ef171fbcc28b6afa3c01202c342df996cb32e
Author: Michael Tremer
Date:   Thu May 22 15:13:04 2025 +0000

    core196: Ship iana-etc

    Signed-off-by: Michael Tremer

commit bfc55a86577c518f803ac924f5c9c8cb1914b3e8
Author: Adolf Belka
Date:   Tue May 20 11:09:24 2025 +0200

    iana-etc: Update to version 20250505

    - Update from version 20250311 to 20250505
    - Update of rootfile not required
    - No changelog provided

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 93feaf664d666a454c70872f4ab5b3172745b926
Author: Michael Tremer
Date:   Thu May 22 15:12:44 2025 +0000

    core196: Ship dhcpcd

    Signed-off-by: Michael Tremer

commit 873255ad80c8383c2c02b00aabc092293f83fc6b
Author: Adolf Belka
Date:   Mon May 19 17:46:11 2025 +0200

    dhcpcd: Update to version 10.2.3

    - Update from version 10.2.2 to 10.2.3
    - Update of rootfile not required
    - Changelog
        10.2.3
          Restore logic on when to open an address specific socket by
            @dougnazar in #502
          [Fix] DHCP Failure on WAN Interface Rename (Fixes #504) by
            @ngxquanganh in #505
          BSD: routes via P2P interfaces now find their out-going interface
          -b --background fixed
          resolv: Fix processing more DNSSL options than RDNSS]
          dhcpcd: Remove option rapid_commit from dhcpcd.conf
          privsep: Fix valgrind and hardened-malloc on Linux with SECCOMP
          route: Don't spam route changes for lifetime

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit dc244cf8aec2f0127ccf0fb135a783d5af7ac061
Author: Adolf Belka
Date:   Mon May 19 12:37:32 2025 +0200

    fr.pl: Fixes bug 12060 - remove extraneous spaces at end of lines

    - All lines where there was a space at the end of the french
      translation, and the other language files did not have a
      space for that line, had the space removed.
    - ./make.sh lang was run but nothing else was created by that.

    Fixes: bug12060
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 89b4ea56bb123e2833526c2ae44ef23ce959d28e
Merge: 7f3848504 0563f17ea
Author: Michael Tremer
Date:   Thu May 22 15:11:18 2025 +0000

    Merge branch 'master' into next

commit 0563f17ea5d018cff939f95a3b6545442ee32f5d
Author: Michael Tremer
Date:   Thu May 22 15:09:28 2025 +0000

    initscripts: Ship runlevel symlinks for WireGuard

    Fixes: #13850
    Signed-off-by: Michael Tremer

commit 84f2a8a7b3247db125397c8ebd14cbbeafd956d4
Author: Adolf Belka
Date:   Fri May 16 14:30:38 2025 +0200

    core195: Ship backup include file

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 91b60bbe8b4dcdd8fccd7ac2ed2b69acff4f2db1
Author: Adolf Belka
Date:   Fri May 16 13:20:46 2025 +0200

    include: Add wireguard directory to the backup include file

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 7f38485048922932b13d3c10edf5ecd2d15ed37d
Author: Adolf Belka
Date:   Sat May 17 13:43:11 2025 +0200

    core196: Ship zlib-ng

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 75d71006db82b731f5208dac3b7b2807ce1beee7
Author: Adolf Belka
Date:   Sat May 17 13:43:10 2025 +0200

    zlib-ng: Update to version 2.2.4

    - Update from version 2.2.3 to 2.2.4
    - Update of rootfile
    - Changelog
        2.2.4
          Important fixes
            Fix potential shift overflow problems reported by static
              checkers #1859
            VS2015: Fix an unfortunate bug #1862
            RVV: Workaround error G6E97C40B #1853
            s390x: Disable CRC32-VX Extensions for some broken Clang
              versions #1852
          Buildsystem
            Improve include directory usage #1855
            CMake: disable LTO for some configure checks #1850
          Tests/Benchmarks
            Add uncompress benchmark #1860
          CI
            Fix automatic Windows 32-bit ARM release builds #1839
            CI changes for Ubuntu 24 #1843 #1857
            Increase CMake workflow timeout #1854
            s390x: Update CI clang version #1858
            s390x docker rebuild script improvements #1846

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 2b050ede16d8ca16ede1c29b745fa5bfa5e0119e
Author: Adolf Belka
Date:   Sat May 17 13:42:51 2025 +0200

    core196: Ship m4

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 78d239c0621f9af550ebade05fb55e224dd140fe
Author: Adolf Belka
Date:   Sat May 17 13:42:50 2025 +0200

    m4: Update to version 1.4.20

    - Update from version 1.4.19 to 1.4.20
    - Update of rootfile
    - Changelog
        1.4.20
          ** Fix a bug in the `eval' builtin where it does not suppress
             warnings about division by zero that occurs within a more
             complex expression on the right hand side of || or && (present
             since short-circuiting was introduced in 1.4.8b).
          ** The `syscmd' and `esyscmd' builtins no longer mishandle a
             command line starting with `-' or `+' (present since "the
             beginning").
          ** Fix regression introduced in 1.4.19 where trace output (such as
             with `debugmode(t)') could read invalid memory when tracing a
             series of pushed macros that are popped during argument
             collection.
          ** Fix regression introduced in 1.4.19 where the `format' builtin
             inadvertently took on locale-dependent parsing and output of
             floating point numbers as a side-effect of introducing message
             translations. While it would be nice for m4 to be fully
             locale-aware, such a behavior change belongs in a major version
             release such as 1.6, and not a minor release.
          ** Fix regression introduced in 1.4.11 where the experimental
             `changeword' builtin could cause a crash if given a regex that
             does not match all one-byte prefixes of valid longer matches.
             As a reminder, `changeword' is not recommended for production
             use, and will likely not be present in the next major version
             release.
          ** On non-Unix platforms where binary files differ from text,
             loading a frozen file (which should be cross-platform
             compatible) now correctly uses binary mode.
          ** Several documentation improvements to the manual.
          ** Update to comply with newer C standards, and inherit
             portability improvements from gnulib.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 48adbf5d5fc1b12d95be68679e9637fa5d884c3d
Author: Adolf Belka
Date:   Sat May 17 13:42:27 2025 +0200

    libxml2: Update to version 2.14.3

    - Update from version 2.14.2 to 2.14.3
    - Update of rootfile
    - Changelog
        2.14.3
          ### Regressions
            - reader: Fix reading compressed data
            - parser: Make undeclared entities in XML content fatal
            - save: Fix XML escape table
            - save: Fix xmlSave with NULL encoding
            - Revert "valid: Remove duplicate error messages when streaming"
          ### Bug fixes
            - save: Fix serialization of attribute defaults containing <
            - io: Fix linkage of __xml*BufferCreateFilename functions
          ### Build systems
            - cmake: Fix installation directories in libxml2-config.cmake
            - meson: Install libxml2.py
          ### Improvements
            - parser: Make xmlCtxtGetValidCtxt depend on VALID_ENABLED
            - html: Avoid HTML_PARSE_HTML5 clashing with XML_PARSE_NOENT

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 7b58a102a6191e94b19890f4b1e10b3aea45272e
Author: Adolf Belka
Date:   Sat May 17 13:42:07 2025 +0200

    core196: Ship harfbuzz

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3f5ce8391fb3b698db1e8790dfbb8931823c6022
Author: Adolf Belka
Date:   Sat May 17 13:42:06 2025 +0200

    harfbuzz: Update to version 11.2.1

    - Update from version 11.2.0 to 11.2.1
    - Update of rootfile
    - Changelog
        11.2.1
          - Various build improvements.
          - Fix build with HB_NO_DRAW and HB_NO_PAINT
          - Add an optional “harfruzz” shaper that uses HarfRuzz; an ongoing
            Rust port of HarfBuzz shaping. This shaper is mainly used for
            testing the output of the Rust implementation.
          - Fix regression that caused applying unsafe_to_break() to the
            whole buffer to be ignored.
          - Update USE data files.
          - Fix getting advances of out-of-range glyph indices in
            DirectWrite font functions.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit ca35133b416be3306ea7e1a7be93f294b7ccd339
Author: Adolf Belka
Date:   Sat May 17 13:41:41 2025 +0200

    fmt: Update to version 11.2.0

    - Update from version 11.1.3 to 11.2.0
    - Update of rootfile
    - Changelog
        11.2.0
          Added the s specifier for std::error_code. It allows formatting an
            error message as a string. For example:

              #include <fmt/std.h>

              int main() {
                auto ec = std::make_error_code(std::errc::no_such_file_or_directory);
                fmt::print("{:s}\n", ec);
              }

            prints

              No such file or directory

            (The actual message is platform-specific.)
          Fixed formatting of std::chrono::local_time and tm (#3815, #4350).
            For example (godbolt):

              #include <fmt/chrono.h>

              int main() {
                std::chrono::zoned_time zt(
                  std::chrono::current_zone(),
                  std::chrono::system_clock::now());
                fmt::print("{}", zt.get_local_time());
              }

            is now formatted consistently across platforms.
          Added diagnostics for cases when timezone information is not
            available. For example:

              fmt::print("{:Z}", std::chrono::local_seconds());

            now gives a compile-time error.
          Deprecated fmt::localtime in favor of std::localtime.
          Fixed compilation with GCC 15 and C++20 modules enabled (#4347).
            Thanks @tkhyn.
          Fixed handling of named arguments in format specs (#4360, #4361).
            Thanks @dinomight.
          Added error reporting for duplicate named arguments (#4367).
            Thanks @dinomight.
          Fixed formatting of long with FMT_BUILTIN_TYPES=0 (#4375, #4394).
          Optimized text_style using bit packing (#4363). Thanks
            @LocalSpook.
          Added support for incomplete types (#3180, #4383). Thanks
            @LocalSpook.
          Fixed a flush issue in fmt::print when using libstdc++ (#4398).
          Fixed fmt::println usage with FMT_ENFORCE_COMPILE_STRING and
            legacy compile-time checks (#4407). Thanks @madmaxoft.
          Removed legacy header fmt/core.h from docs (#4421, #4422). Thanks
            @krzysztofkortas.
          Worked around limitations of __builtin_strlen during constant
            evaluation (#4423, #4429). Thanks @brevzin.
          Worked around a bug in MSVC v141 (#4412, #4413). Thanks
            @hirohira9119.
          Removed the fmt_detail namespace (#4324).
          Removed specializations of std::is_floating_point in tests
            (#4417).
          Fixed a CMake error when setting CMAKE_MODULE_PATH in the pedantic
            mode (#4426). Thanks @rlalik.
          Updated the Bazel config (#4400). Thanks @Vertexwahn.
        11.1.4
          Fixed ABI compatibility with earlier 11.x versions on Windows
            (#4359).
          Improved the logic of switching between fixed and exponential
            format for float (#3649).
          Moved is_compiled_string to the public API (#4342). Thanks
            @SwooshyCueb.
          Simplified implementation of operator""_cf (#4349). Thanks
            @LocalSpook.
          Fixed __builtin_strlen detection (#4329). Thanks @LocalSpook.
          Fixed handling of BMI paths with the Ninja generator (#4344).
            Thanks @tkhyn.
          Fixed gcc 8.3 compile errors (#4331, #4336). Thanks @sergiud.
          Fixed a bogus MSVC warning (#4356). Thanks @dinomight.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 593ce447494d67f09a005544449eabe222ff958f
Author: Adolf Belka
Date:   Sat May 17 13:41:18 2025 +0200

    core196: Ship exfatprogs

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3e0847ca5e4e8209f589b8eb709e0cebb0dd64ab
Author: Adolf Belka
Date:   Sat May 17 13:41:19 2025 +0200

    exfatprogs: Update to version 1.2.9

    - Update from version 1.2.5 to 1.2.9
    - Update of rootfile not required
    - Changelog
        1.2.9
          NEW FEATURES :
            * dump.exfat: support dumping directory entry sets, which prints
              all fields of directory entries and cluster chains. See a man
              page.
          CHANGES :
            * exfatprogs: update the Github action for build test with
              Debian + clang + lld.
        1.2.8
          BUG FIXES :
            * dump.exfat: fix an incorrect output of an entry position in
              32-bit system.
            * mkfs.exfat: fill an oem sector with zero instead of one.
            * exfatprogs: fix compilation on musl based systems due to
              loff_t type. And update the Github action to validate builds
              on the system.
        1.2.7
          NEW FEATURES :
            * fsck.exfat: support repairing the upcase table.
          CHANGES :
            * exfatprogs: make sure to load the tbl preprocessor for man
              pages.
BUG FIXES : * exfatprogs: fix a double free memory error. * dump.exfat: fix a constraint that volume label, bitmap, upcase table must be located at the beginning of a root directory. 1.2.6 CHANGES : * exfatprogs: replace obsolete autoconf and libtool macros. * mkfs.exfat: prefer the physical block size over the logical block size for the exFAT sector size. * mkfs.exfat: add notes about the format of the volume GUID to the man page. * mkfs.exfat: fix an incorrect calculation of the number of used clusters. BUG FIXES : * exfatlabel: fix a user input error when setting a volume serial or label. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit f560fe5aa2be436686b97e179b8cd4b905b9bc51 Author: Adolf Belka Date: Fri May 16 09:30:22 2025 +0200 core196: Ship hwdata Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 07bd2fc0a341055da35cf22b78149dced66076f5 Author: Adolf Belka Date: Thu May 15 22:51:38 2025 +0200 hwdata: Update to version 0.395 - Update from version 0.394 to 0.395 - Update of rootfile not required - Removal of the old hwdata directory as no longer required with the source tarball approach implemented from CU191 onwards. 
- Changelog 0.395 Update usb and vendor ids Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit f097650f1005f3281867cb3de6bfb7630bbbaf46 Author: Adolf Belka Date: Fri May 16 09:28:59 2025 +0200 core196: Ship screen Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit de98f72736d8ee27c31226df46403b4e122733e2 Author: Adolf Belka Date: Thu May 15 18:25:25 2025 +0200 screen: Update to version 5.0.1 - Update from version 5.0.0 to 5.0.1 - Update of rootfile - 5 CVE fixes included in this version - Changelog 5.0.1 Security fix CVE-2025-46805: do NOT send signals with root privileges CVE-2025-46804: avoid file existence test information leaks CVE-2025-46803: apply safe PTY default mode of 0620 CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher CVE-2025-23395: reintroduce lf_secreopen() for logfile buffer overflow due to bad strncpy() uninitialized variables warnings typos combining char handling that could lead to a segfault Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 753b4d041acb860d2d5ac743e7041732ba1bcdae Author: Peter Müller Date: Thu May 15 16:03:00 2025 +0000 Tor: Update to 0.4.8.16 Full changelog since version 0.4.8.13: Changes in version 0.4.8.16 - 2025-03-24 This is a quick second release since 0.4.8.15 due to a typo in a directory authority rule file. This only affects directory authorities. Regardless, upgrading to latest stable is always desired. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/03/24. o Minor bugfix (dirauth): - Fix typo in flag assignment approved-routers file. Fixes bug 41035; bugfix on 0.4.8.15 Changes in version 0.4.8.15 - 2025-03-20 This is a minor release fixing a sandbox issue for bandwidth authority and a conflux issue on the control port. It also has a client fix about relay flag usage. We strongly recommend to update as soon as possible as usual. 
o Minor feature (testing, CI): - Use a fixed version of chutney (be881a1e) instead of its current HEAD. This version should also be preferred when testing locally. o Minor features (continuous integration): - Upgrade CI runners to use Debian Bookworm instead of Bullseye. Closes ticket 41029. o Minor features (fallbackdir): - Regenerate fallback directories generated on March 20, 2025. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/03/20. o Minor bugfixes (control port): - Correctly report conflux pair information to controller fields Fixes bug 40872; bugfix on 0.4.8.1-alpha o Minor bugfixes (relay flag usage): - Fix client usage of the MiddleOnly flag so that MiddleOnly relays are not used as HS IP or RP by clients or services. Additionally, give dirauths the ability to remove specific flags, as an alternative to MiddleOnly. Fixes bug 41023; bugfix on 0.4.7.2-alpha o Minor bugfixes (sandbox, bwauth): - Fix sandbox to work for bandwidth authority. Fixes bug 40933; bugfix on 0.2.2.1-alpha Changes in version 0.4.8.14 - 2025-02-05 Minor release fixing a major bug affecting onion service directory cache, also known as HSDir. Furthermore, the fallbackdir list had more than 25% of its entries unreachable or gone from the consensus. As usual, we strongly recommend to update to this version as soon as possible. o Major bugfixes (onion service directory cache): - When the OOM killer kicks in, cleanup the descriptor cache of an HSDir by looking at the lowest downloaded count instead of time in cache. Fixes bug 40996; bugfix on 0.3.5.1-alpha. o Minor feature (testing): - test-network now unconditionally includes IPv6 instead of trying to detect IPv6 support. o Minor features (fallbackdir): - Regenerate fallback directories generated on February 05, 2025. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/02/05. 
o Minor bugfixes (memory): - Fix a pointer free that wasn't set to NULL afterwards which could be reused by calling back in the free all function. Fixes bug 40989; bugfix on 0.4.8.13. Signed-off-by: Peter Müller Signed-off-by: Michael Tremer commit e6b3bf6939d0a3a92b8594496e0ae4cd267873d1 Author: Adolf Belka Date: Thu May 15 14:00:29 2025 +0200 core196: Ship all packages modified from bug13834 patch set Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 8d047473a57cb188930a9c6ea3ff23e15ec329b3 Author: Adolf Belka Date: Thu May 15 13:49:20 2025 +0200 graphs.pl: Update of rrd file names from the collectd-5 update - Some additional rrd file name changes missed from collectd-5 update. - This was identified as part of fixing bug13834 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 430aeef947300c1b2d127c130c88ba9c3e3a2a9e Author: Adolf Belka Date: Thu May 15 13:49:19 2025 +0200 red: Fixes rrd file name updates from collectd-5 update - Some additional rrd file name changes missed from collectd-5 update. - This was identified as part of fixing bug13834 - Couldn't test this as I don't have a ppp0 connection available but the change is in line with the other rrd changes which have been tested as working. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 21e65de3931157bb7ebdf8ebe580376a83aa8ce8 Author: Adolf Belka Date: Thu May 15 13:49:18 2025 +0200 netovpnsrv.cgi: Fixes rrd file names for n2n openvpn graphs - An additional rrd file name change missed from collectd-5 update. - This was identified as part of fixing bug13834 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit b5321ccf52d0c7baa85d3319cd4f356d1b76ae2b Author: Adolf Belka Date: Thu May 15 13:49:17 2025 +0200 netexternal.cgi: Fixed bug13834 - tun0 graph missing in external net traffic - Some additional rrd directory and file name changes missed from collectd-5 update. 
Fixes: bug13834 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 9faaaf7ba61e0d149391ed2af948211c73e69545 Author: Stephen Cuka Date: Thu May 15 03:34:59 2025 -0600 langs: Update translations for Italian - 'Cancel' -> 'Cancellare' - 'Remove' -> 'Rimuovere' Signed-off-by: Stephen Cuka Signed-off-by: Michael Tremer commit 7cc5c8a2b79c58bca5a06887ffeda0159c50a3a6 Author: Michael Tremer Date: Wed May 14 16:44:54 2025 +0000 udev: Don't fail if the linker emits any warnings This only appears on aarch64. [436/452] Linking target src/udev/v4l_id FAILED: src/udev/v4l_id cc -o src/udev/v4l_id src/udev/v4l_id.p/v4l_id_v4l_id.c.o -Wl,--as-needed -Wl,--no-undefined -Wl,-O1 -fstack-protector -O2 -g0 -pipe -Wall -fexceptions -fPIC -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -mbranch-protection=standard -Wl,--start-group src/shared/libsystemd-shared-254.a src/libsystemd/libsystemd_static.a src/basic/libbasic.a src/basic/libbasic-compress.a -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections -pthread /usr/lib/libacl.so /usr/lib/libblkid.so /usr/lib/libcap.so /usr/lib/libcrypt.so -ldl /lib/libip4tc.so /lib/libip6tc.so /usr/lib/libkmod.so /usr/lib/libmount.so /usr/lib/libssl.so /usr/lib/libcrypto.so /usr/lib/libpam.so -lrt /usr/lib/liblzma.so /usr/lib/libzstd.so -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections -lm -Wl,--end-group -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections /usr/lib/libcrypto.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. 
The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking. /usr/lib/libzstd.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking. collect2: error: ld returned 1 exit status ninja: build stopped: subcommand failed. Reported-by: Adolf Belka Signed-off-by: Michael Tremer commit 5904802e7bc16b201e7887761b3f8a1fc133bb28 Author: Adolf Belka Date: Wed May 14 15:15:13 2025 +0200 libloc: Addition of patch to deal with gettext update to 0.25 Suggested-by: Michael Tremer Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 0c548547e402abf21acdfd7690e402257e464a1a Author: Adolf Belka Date: Wed May 14 15:15:12 2025 +0200 ddns: Addition of patch to deal with gettext update to 0.25 Suggested-by: Michael Tremer Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 1f08b0357bdfe150fa7e2139ba7b9094de567562 Author: Adolf Belka Date: Wed May 14 15:15:11 2025 +0200 fireperf: Addition of patch to deal with gettext update to 0.25 Suggested-by: Michael Tremer Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 9c11f9efdaa64e268d19561e7b802549740f32b9 Author: Adolf Belka Date: Wed May 14 15:15:10 2025 +0200 gettext: Update to version 0.25 - Update from version 0.24 to 0.25 - Update of rootfile - This is part of a patch set as the gettext update required some patches to other packages to get them to build - Changelog 0.25 # Programming languages support: * Go: - xgettext now supports Go. - 'msgfmt -c' now verifies the syntax of translations of Go format strings. - New examples 'hello-go' and 'hello-go-http' have been added. * TypeScript: - xgettext now supports TypeScript and TSX (= TypeScript with JSX extensions). 
* D: - A new library libintl_d.a contains the runtime for using GNU gettext message catalogs in the D programming language. - xgettext now supports D. - 'msgfmt -c' now verifies the syntax of translations of D format strings. - A new example 'hello-d' has been added. * Modula-2: - A new library libintl_m2.so contains the runtime for using GNU gettext message catalogs in the Modula-2 programming language. - xgettext now supports Modula-2. - 'msgfmt -c' now verifies the syntax of translations of Modula-2 format strings. - A new example 'hello-modula2' has been added. # Improvements for maintainers: * xgettext has a new option '--generated' that customizes the way the 'POT-Creation-Date' in the POT file is computed. 0.24.1 * Bug fixes: - Fix bad interactions between autoreconf and autopoint. - xgettext: Creating the POT file of a package under Git version control is now faster. Also, the use of Git can be turned off by specifying the option '--no-git'. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer