commit 3eefc5fc6d98b6a117284c30c8ef0b3f67440c52
Author: Michael Tremer
Date:   Wed Jul 23 09:02:25 2025 +0000

    core197: Restart the firewall

    This is required so that all new OpenVPN chains are available.

    Signed-off-by: Michael Tremer

commit 39172586ac8778d34392ef881dda3eca797239a4
Author: Michael Tremer
Date:   Wed Jul 23 09:00:09 2025 +0000

    openvpn: Silence when loading the tun module goes wrong

    Signed-off-by: Michael Tremer

commit 81e867c96620ac5f000f68afa6b4cc36066f1a78
Author: Michael Tremer
Date:   Wed Jul 23 08:58:43 2025 +0000

    core197: Escape slashes in path in sed command

    I think I have been too fast...

    Signed-off-by: Michael Tremer

commit a9febdb8dd3547950f7581eb0ae0e619e0d2d21e
Author: Adolf Belka
Date:   Mon Jul 21 23:25:59 2025 +0200

    gnutls: Update to version 3.8.10

    - Update from version 3.8.9 to 3.8.10
    - Update of rootfile
    - 4 CVE fixes in this version
    - Changelog
        3.8.10
          ** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
             Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
             [CVE-2025-6395]
          ** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
             Spotted by oss-fuzz and reported by OpenAI Security Research Team,
             and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
             CVSS: medium] [CVE-2025-32989]
          ** libgnutls: Fix double-free upon error when exporting otherName in SAN
             Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
             CVSS: low] [CVE-2025-32988]
          ** certtool: Fix 1-byte write buffer overrun when parsing template
             Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
             CVSS: low] [CVE-2025-32990]
          ** libgnutls: PKCS#11 modules can now be used to override the default
             cryptographic backend. Use the [provider] section in the system-wide
             config to specify path and pin to the module (see system-wide config
             Documentation).
          ** libgnutls: Linux kernel version 6.14 brings a Kernel TLS (kTLS) key update support.
             The library running on the aforementioned version now utilizes the kernel’s key
             update mechanism when kTLS is enabled, allowing uninterrupted TLS session. The
             --enable-ktls configure option as well as the system-wide kTLS configuration (see
             GnuTLS Documentation) are still required to enable this feature.
          ** libgnutls: liboqs support for PQC has been removed
             For maintenance purposes, support for post-quantum cryptography
             (PQC) is now only provided through leancrypto. The experimental key
             exchange algorithm, X25519Kyber768Draft00, which is based on the
             round 3 candidate of Kyber and only supported through liboqs has
             also been removed altogether.
          ** libgnutls: TLS certificate compression methods can now be set with
             cert-compression-alg configuration option in the gnutls priority file.
          ** libgnutls: All variants of ML-DSA private key formats are supported
             While the previous implementation of ML-DSA was based on
             draft-ietf-lamps-dilithium-certificates-04, this updates it to
             draft-ietf-lamps-dilithium-certificates-12 with support for all 3
             variants of private key formats: "seed", "expandedKey", and "both".
          ** libgnutls: ML-DSA signatures can now be used in TLS
             The ML-DSA signature algorithms, ML-DSA-44, ML-DSA-65, and
             ML-DSA-87, can now be used to digitally sign TLS handshake
             messages.
          ** API and ABI modifications:
             GNUTLS_PKCS_MLDSA_SEED: New enum member of gnutls_pkcs_encrypt_flags_t
             GNUTLS_PKCS_MLDSA_EXPANDED: New enum member of gnutls_pkcs_encrypt_flags_t

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 16e602e3512b65497ed16ed7d1606a6ff6ea3e52
Author: Adolf Belka
Date:   Mon Jul 21 23:25:58 2025 +0200

    git: Update to version 2.50.1

    - Update from version 2.50.0 to 2.50.1
    - Update of rootfile not required
    - Changelog
        2.50.1
          This release merges up the fixes that appear in v2.43.7, v2.44.4,
          v2.45.4, v2.46.4, v2.47.3, v2.48.2, and v2.49.1 to address the
          following CVEs: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
          CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
          See the release notes for v2.43.7 for details.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 44a287f38fd2249143982fb6fe942ab8c00d8a17
Author: Adolf Belka
Date:   Mon Jul 21 23:26:01 2025 +0200

    tshark: Update to version 4.4.8

    - Update from version 4.4.7 to 4.4.8
    - Update of rootfile
    - Changelog
        4.4.8
          Bug Fixes
            Renegotiated DTLS session is not being decrypted. Issue 20362.
            Wireshark is completely stuck in initialization because androiddump recv() is blocked. Issue 20526.
            Fuzz job UTF-8 encoding issue: fuzz-2025-06-20-7318.pcap. Issue 20585.
            Crash when showing packet in new window after reloading Lua plugins with a certain gui.column.format preference. Issue 20588.
            Bug in UDS dissector with Service ReadDataByPeriodicIdentifier Response. Issue 20589.
            Packet diagram doesn’t show non-standard field value representations. Issue 20590.
            Packet diagram shows representation twice when field type is FT_NONE. Issue 20601.
            application/x-www-form-urlencoded key parsed incorrectly following a name-value byte sequence with no '=' Issue 20615.
            DNP3 time stamp was unable to work after epoch time(year 2038) Issue 20618.
          Updated Protocol Support
            ASTERIX, DLT, DNP 3.0, DOF, DTLS, ETSI CAT, Gryphon, IPsec, ISObus VT, KRB5, MBIM, RTCP, SLL, STCSIG, TETRA, UDS, and URL Encoded Form Data
          New and Updated Capture File Support
            pcapng

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit ad02d9406ea35431a4bb6c7a07a06105a9ba9fb6
Author: Michael Tremer
Date:   Tue Jul 22 09:14:55 2025 +0000

    core197: Restart strongSwan

    Signed-off-by: Michael Tremer

commit 143e7771cc09e11c9ec8a6c3f66fd77462c235d8
Author: Adolf Belka
Date:   Mon Jul 21 23:25:54 2025 +0200

    core 197: Ship strongswan

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 6502d48b6bc8c442331112669afe892a38b02691
Author: Adolf Belka
Date:   Mon Jul 21 23:26:00 2025 +0200

    strongswan: Update to version 6.0.2

    - Update from version 6.0.1 to 6.0.2
    - Update of rootfile
    - Changelog
        6.0.2
          - Support for per-CPU SAs (RFC 9611) has been added (Linux 6.13+).
          - Basic support for AGGFRAG mode (RFC 9347) has been added (Linux 6.14+).
          - POSIX regular expressions can be used to match remote identities.
          - Switching configs based on EAP-Identities is supported. Setting
            `remote.eap_id` now always initiates an EAP-Identity exchange.
          - On Linux, sequence numbers from acquires are used when installing SAs. This
            allows handling narrowing properly.
          - During rekeying, the narrowed traffic selectors are now proposed instead of the
            configured ones.
          - The default AH/ESP proposals contain all supported key exchange methods plus
            `none` to make PFS optional and accept proposals of older peers.
          - GRO for ESP is enabled for NAT-T UDP sockets, which can improve performance if the
            esp4|6_offload modules are loaded.
          - charon-nm sets the VPN connection as persistent, preventing NetworkManager from
            tearing down the connection if the network connectivity changes.
          - ML-KEM is supported via OpenSSL 3.5+.
          - The wolfssl plugin is now compatible to wolfSSL's FIPS module.
          - The libsoup plugin has been migrated to libsoup 3, libsoup 2 is not supported
            anymore.
          - The long defunct uci plugin has been removed.
          - Log messages by watcher_t are now logged in a separate log group (`wch`).

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit ffd7e8234d181b21149488c04f2de2cbb060a82e
Author: Adolf Belka
Date:   Mon Jul 21 23:25:53 2025 +0200

    core 197: Ship gettext

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 93c9eb0b668c0576747d1307b431c77af1cb644d
Author: Adolf Belka
Date:   Mon Jul 21 23:25:57 2025 +0200

    gettext: Update to version 0.26

    - Update from version 0.25 to 0.26
    - Update of rootfile
    - Changelog
        0.26
          Programming languages support:
            * JavaScript:
              - xgettext now parses regular expressions with character classes
                correctly.
            * C, C++, Python, JavaScript, EmacsLisp, librep, Go, Ruby, awk, D, Tcl,
              Perl, PHP:
              - xgettext's heuristic recognition of format strings has been improved:
                strings like "100% complete" (with a space flag in a format directive)
                are no longer flagged as format strings by default, unless they occur
                in a context that requires a format string. You can override this
                heuristic by using a comment of the form /* xgettext: c-format */.
            * Shell:
              - The documentation now mentions two other approaches for
                internationalizing messages with parameters in shell scripts.
              - xgettext now recognizes format strings in the 'printf' command syntax.
                They are marked as 'sh-printf-format' in POT and PO files.
              - Two new programs 'printf_gettext' and 'printf_ngettext' are provided,
                that do formatted output with a localized format string in a more
                efficient way (without spawning a subshell).
              - xgettext now recognizes the \c, \u, and \U escape sequences in
                dollar-single-quoted strings $'...'.
          Improvements for maintainers:
            * xgettext:
              - When extracting a message with plural that is some format string,
                xgettext now verifies that the msgid and msgid_plural are compatible
                as format strings. For most format string types, this still allows
                omitting from msgid a placeholder that is used in msgid_plural.
                But when a placeholder is used in both msgid and msgid_plural,
                its type must be the same in both.
              - xgettext now suggests a refactoring when a translatable string
                contains an URL or email address.
          Improvements for translators:
            * msggrep:
              - msggrep accepts two new options -W/--workflow-flags and
                -S/--sticky-flags that allow to select only messages that have a
                specified flag.
          Bug fixes:
            - The AM_GNU_GETTEXT macro now rejects the dysfunctional gettext()
              function in libc of Solaris 11.[0-3], Solaris OpenIndiana, and
              Solaris OmniOS.
            - The AM_GNU_GETTEXT macro now recognizes, on MSVC, the GNU libintl
              built as a shared library.
        0.25.1
          Bug fixes:
            - autopoint no longer fails if configure.ac contains no
              AM_GNU_GETTEXT_VERSION or AM_GNU_GETTEXT_REQUIRE_VERSION invocation.
            - nls.m4 is installed again under $PREFIX/share/aclocal/.
          Portability:
            - Building on native Windows with MSVC and --enable-shared is now
              supported.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 18c8ea7717b380b6c37b5a7ca5fed8e37944d4c0
Author: Adolf Belka
Date:   Mon Jul 21 23:25:52 2025 +0200

    core 197: Ship e2fsprogs

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit d1ddf8ca8d50309d091602cee7091404cb72e85e
Author: Adolf Belka
Date:   Mon Jul 21 23:25:56 2025 +0200

    e2fsprogs: Update to version 1.47.3

    - Update from version 1.47.2 to 1.47.3
    - Update of rootfile not required
    - Changelog
        1.47.3
          UI and Features
            Mke2fs -d can now copy the fs-verity metadata and chattr flags into newly created file system.
            Add fuse2fs's support for the XATTR_CREATE and XATTR_REPLACE flags in setxattr.
            Add support for FALLOC_FL_ZERO_RANGE in fuse2fs.
            Add support to fuse2fs for the setting file attributes via fsxattr, including support for nanosecond timestamps.
            Add support to fuse2fs to set newer chattr flags.
            Add a lockfile command-line option to fuse2fs which is useful for scripts that need to know when fuse2fs is done modifying the file system after it is unmounted.
            Add mke2fs.conf knobs to control whether the RAID stripe or stride sizes from the storage device information depending on whether the storage device is a rotational or non-rotational device. By default don't set the RAID stripe size for non-rotational devices.
            E2scrub no longer runs fstrim by default, since util-linux ships with a fstrim.timer systemd file which will run fstrim on all mounted file systems. This can be re-enabled in /etc/e2scrub.conf if for some reason it is desirable to run the fstrim out of e2scrub.
          Fixes
            Fix "e2fsck -E unshare_blocks" to clear the shared_blocks flag when there are no shared blocks to clear
            Fix "e2fsck -n" to not abort when it trips across an EA inode which is not referenced by any inodes in the file system.
            Fix debugfs's dump and rdump commands to avoid looping forever when it runs across an I/O error or corrupt filesystem metadata.
            Fix debugfs's dirsearch command on big-endian systems.
            Fix many fuse2fs bugs found by running fstests, including fixing support for O_APPEND, O_TRUNC, POSIX ACLs, and the immutable flag. Also fix fuse2fs to correctly remove ea_inodes if the last reference to an ea_inode is removed when an inode is removed, and to update timestamps correctly after the mkdir(2) and symlink(2) operations.
            Fix fuse2fs's error code handling for fallocate(), truncate() and removexattr().
            Fix an integer overflow bug which resulted in fuse2fs failing to delete very large files. (Addresses Debian Bug: #1106241)
            Fix a (hard to reproduce) extent tree corruption bug which could be triggered by resize2fs or fuse2fs if the extent tree was especially complex
            Improve fuse2fs's handling of corrupted file systems.
            Fuse2fs doesn't support renameat2()'s RENAME_EXCHANGE or RENAME_WHITEOUT flags, so return ENOSYS instead of incorrectly handling the renameat2() request.
            Fuse2fs will avoid clearing the setgid bit in op_chmod if the file's group ownership is one of the calling process's group list (instead of just the primary group id).
            Change fuse2fs to align with kernel's behaviors by (a) clearing post-EOF on truncation, (b) validating FITRIM's parameters consistently with how the kernel does things, (c) how the "ro" mount option will replay the journal, (d) only supporting the xattr namespaces supported by the kernel, (e) clamping timestamps to the minimum and maximum value supported by the on-disk format, and (e) optionally delegating access control decisions to the kernel.
            Prevent fuse2fs from mounting file systems which have features that fuse2fs can't deal with.
            Fix error path handling in fuse2fs when servicing an op_create request.
            Fix spurious warnings from fuse2fs while servicing an op_fallocate request.
            Fix fuse2fs to correctly translate system errors from libext2fs to the negative error codes expected by the FUSE kernel driver. There aren't many; but in some cases, when the file system is corrupted, libext2fs will return EOVERFLOW and we sent a nonsense error to the kernel.
            Optimize ext2fs_extent_set_bmap() to avoid fragmenting the extent tree. This fixes a problem where resize2fs is trying to relocate all of the blocks in a file leading to the extent tree doubling in size, and potentially leading to a corrupted extent tree.
            Fix a bounding error in ext2fs_fallocate() which could cause it to allocate far more blocks than was requested. This caused a failure in fuse2fs while formatting a loopback file system stored in a large sparse file.
            Fix potential livelock bug in the unix_io manager.
            Fix invalidation support in the unix_io manager.
            Various man page cleanups.
          Performance, Internal Implementation, Development Support etc.
            Improve performance in e2fsck when replaying a journal with a large number of revoke blocks (which can be the case on Lustre servers).
            Improve tune2fs's performance by avoiding scanning the file system to update quota inodes in cases when it's not necessary.
            Improve fuse2fs's performance by returning inode and type information in readdir() and to use the actual inode numbers instead of asking fuse to make up inode numbers.
            Fix various Coverity and compiler warnings.
            Add two new flags for ext2fs_link(). The EXT2FS_LINK_APPEND flag causes ext2fs_link() to only search the last block in the directory, which improves the scalability of creating a large number of files in a directory. The EXT2FS_LINK_EXPAND() causes ext2fs_link() to automatically expand the directory if there is no free space found to create the requested directory entry.
            Add a new function, ext2fs_mkdir2() which allows the flags parameter to be passed to ext2fs_link(), allows the chattr flags to be set in the newly created directory, and return the inode number for the newly created directory.
            Add new functions ext2fs_log2_u{32,64}() and ext2fs_log10_u{32,64}() so we don't have multiple copies of these functions in various e2fsprogs programs.
            Improve debugging and logging in fuse2fs.
            General code cleanups in fuse2fs.
            Improve fuse2fs's performance by allowing a larger cache in unix_io and using O_DIRECT to read and write the block device.
            Fixed Windows portability problems introduced in 1.47.2.
            Fix various FreeBSD compile warnings and test issues.
            Fix MacOS build issues when compiling with libarchive and FUSE support.
            To avoid warning messages on newer versions of GNU grep, use "grep -E" instead of "egrep" when possible.
            Fix test failure for m_rootdir_acl when the build tree is hosted on btrfs. (This was caused by btrfs returning extended attributes relating to Posix ACL's in a different order than ext4 or xfs.)
            Fixed potential races in the Makefiles which could show up when using "make -j install".
            Fixed build failures when libarchive is not available.
            Fixed various Debian packaging issues.
            (Addresses Debian Bugs: #1106799, #1107595)
            Update Czech, Chinese, Dutch, French, Malay, Portuguese, Polish, Romanian, Serbian, Spanish, Swedish, and Ukrainian translations.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit cbc7373da9ab64fb4736b7efff5ea0db5c77dd36
Author: Adolf Belka
Date:   Mon Jul 21 23:25:51 2025 +0200

    core 197: Ship curl

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 1caf0133a625f7e02ce85c459c015fea21170003
Author: Adolf Belka
Date:   Mon Jul 21 23:25:55 2025 +0200

    curl: Update to version 8.15.0

    - Update from version 8.14.1 to 8.15.0
    - Update of rootfile not required
    - Changelog
        8.15.0
          changes:
            o TLS: remove support for Secure Transport and BearSSL [19]
          bugfixes:
            o altsvc: accept 'clear' without semicolon as well [190]
            o asyn-ares: remove redundant NULL check [152]
            o asyn-thrdd: free the previous name before strdup'ing the new [84]
            o autotools: detect and link `brotlicommon` library for brotli [130]
            o autotools: drop `$top_builddir/src` from src header path [23]
            o autotools: drop headers from src mk-unity rules (fixup) [136]
            o autotools: drop no longer necessary `--srcdir` unity options [66]
            o autotools: drop redundant `Makefile.inc` from `EXTRA_DIST` in src [127]
            o autotools: simplify configuration in tests, examples [47]
            o bufq: change read/write signatures [120]
            o bufq: remove the unused Curl_bufq_unwrite function [143]
            o build: assume `sys/socket.h`, `sys/time.h` on non-Windows (as in `curl/curl.h`) [21]
            o build: drop `HAVE_SYS_SOCKET_H` and `HAVE_SYS_TIME_H` macros [69]
            o build: drop explicit curlx from hdr paths, refer headers with `curlx/` prefix [150]
            o build: drop unused variables in tests
            o build: fix libcurltool with cmake and tunits, related tidy-ups [138]
            o build: split `.c` and `.h` file lists in tests [128]
            o build: stop checking for `sys/stat.h` [146]
            o build: stubgss tidy-ups (in tests) [137]
            o build: sync build scripts between client/libtest [49]
            o build: tidy up `Makefile.inc` use in lib and src [116]
            o build: tidy up header paths, use srcdir where possible [42]
            o cf-socket: make socket data_pending a nop [175]
            o checksrc-all: rewrite in Perl, remove `checksrc.bat` [217]
            o checksrc: reduce exceptions, apply again to curlx [114]
            o cmake/FindGSS: fix processing C header path options [160]
            o cmake/FindGSS: initialize result variables [159]
            o cmake: `curl_add_clang_tidy_test_target` tidy-ups [185]
            o cmake: build `stubgss` library for libtests to match autotools [34]
            o cmake: check USE_WINDOWS_SSPI when adding secur32 to CURL_LIBS [144]
            o cmake: configure c-ares header directory in project root (was: lib) [106]
            o cmake: document OpenSSL and ngtcp2 crypto lib custom variables [29]
            o cmake: drop never propagated C macros [22]
            o cmake: drop passing redundant `CURL_STATICLIB` in examples and clients [52]
            o cmake: drop redundant macro from test clients [51]
            o cmake: drop reference to future variable
            o cmake: enable soversion by default for OpenHarmony OS [131]
            o cmake: fix `curl_add_clang_tidy_test_target` when no `-D` option [155]
            o cmake: fix generator expression in docs/examples [109]
            o cmake: gather options recursively in `curl_add_clang_tidy_test_target` [156]
            o cmake: make docs depend on support files [80]
            o cmake: move `OUTPUT` argument in the `add_custom_command()` line [50]
            o cmake: omit clang-tidy on internal libs curlu and curltool [64]
            o cmake: replace `cmakelint` with `cmake-lint` from `cmakelang`, fix issues [20]
            o cmake: replace the way clang-tidy verifies tests, fix issues found [101]
            o cmake: simplify handling generated `lib1521.c` in libtests [24]
            o cmake: sync `target_link_libraries()` order in tests more [44]
            o cmake: sync tests scripts by using the variable `BUNDLE` [46]
            o cmake: sync tests scripts with each other and autotools (more) [100]
            o cmake: use `target_link_options()` when available [43]
            o config-win32: fix default targets, shorten macro logic [227]
            o configure: order LDAP after the SSL libraries
            o connect: drop unused struct member [209]
            o connection: clarify `transport` [197]
            o connection: eliminate member `remote_addr` [10]
            o curl-config: fix whitespace in usage text [122]
            o curl.h: make CURL_IPRESOLVE_* symbols defined as longs [206]
            o curl.h: make CURLSSLOPT_* symbols defined as longs [3]
            o curl.h: remove the "RESERVED" error codes [2]
            o curl: implement non-blocking STDIN read on Windows [28]
            o curl: improve non-blocking STDIN performance [129]
            o curl: remove the global argument from many functions [218]
            o curl: unify pointer names to global config [219]
            o curl_get_line: make sure lines end with newline [110]
            o curl_memory.h: fix to undefine `accept4` [180]
            o curl_path: make SFTP handle a path like /~ properly. [11]
            o curlinfo: provide the 'digest' feature [168]
            o CURLSHOPT_SHARE.md: mention multi-threading requires callbacks [161]
            o DEPRECATE.md: add VS2005 removal to the list [214]
            o digest: fix build with disabled digest auth [72]
            o DISTROS: update NixOS link
            o docs,tests: fix english grammar "allow to" -> "allow to" [158]
            o docs/CONTRIBUTE: fix broken link [173]
            o docs/examples: add ftp-delete.c [5]
            o docs: beef up examples/websocket.c [189]
            o docs: fix broken link in CODE_REVIEW.md [67]
            o docs: fix broken link in INSTALL.md [68]
            o docs: fix docs for CURLOPT_PREQUOTE after #17616 [70]
            o docs: fix documentation of connect_only 2 [78]
            o docs: fix two typos [163]
            o docs: mention that the netrc file works without port numbers [112]
            o docs: mention the as-is concept generically [225]
            o docs: note SSLS-EXPORT feature in -ssl-sessions doc [199]
            o docs: reflect that delimiter-separated capath is only OpenSSL [135]
            o docs: sync -tls-earlydata support w/ CURLOPT_SSL_OPTIONS [198]
            o docs: warn about lifetime in CURLOPT_CLOSESOCKET* [54]
            o easy: fix comment-documentation [36]
            o easygetopt: fix curl logo in header comment [167]
            o firefox-db2pem: avoid use of eval in script [103]
            o ftp: fix prequotes for a directory in URL [83]
            o ftplistparser: split parse_unix into sub functions [77]
            o h2_serverpush: fix file handle leaks reported by clang-tidy [105]
            o h3: fix query of concurrent streams [220]
            o http/3: report handshake with version and cipher as for TCP connections [212]
            o http2: do not delay RST send on aborted transfer [57]
            o http2: fix var types in is_alive() implementations [222]
            o http: explicitly ignore parsing errors for Retry-After [98]
            o http: fix build with cookies and HSTS disabled [124]
            o http_ntlm: protect against null deref [95]
            o http_ntlm: remove unreachable code [88]
            o INSTALL.md: cygwin details and add source code link [4]
            o ldap: avoid automake caching issues with LDAP library names
            o ldap: if ldap-lib is sufficient, add it to LIBS.
            o ldap: initial support for --with-ldap option
            o lib2082: drop `typedef struct` [118]
            o lib: address singleuse issues [132]
            o lib: avoid reusing unclean connection [73]
            o lib: drop two interim macros in favor of native libcurl API calls [172]
            o lib: fix unused parameter/function compiler warnings [186]
            o lib: make `CURLX_SET_BINMODE()` and use it [39]
            o lib: make `curlx_wait_ms()` and use it [40]
            o lib: replace scache no-op macros with `#ifdef` [117]
            o lib: stop `time()` debug overrides at the end of source in altsvc, hsts [211]
            o lib: unify recv/send function signatures [92]
            o libcurl-env.md: drop LOGNAME, USER and NTLMUSER [99]
            o libcurl.m4: fix indentation [194]
            o libssh2: remove use of 'initialised' for cleanup [208]
            o libssh: de-complex myssh_statemach_act() [18]
            o libssh: fix readdir issues [191]
            o libtests: make test 1503,1504,1505 use the 1502 binary [90]
            o libtests: more header tidy-ups [224]
            o libtests: stop building the sames source multiple times [89]
            o memdebug.h: #undef `fclose` before defining it
            o memdebug.h: eliminate global macro `CURL_MT_LOGFNAME_BUFSIZE` [178]
            o memdebug: include in unity batch [63]
            o memory: stop overriding unused `wcsdup()`/`_wcsdup()` system functions [204]
            o memory: tidy up `_tcsdup()` override [202]
            o misc: fix typos [207]
            o mk-lib1521: replace `printf` with `curl_mprintf` [141]
            o multi: add dirty bitset [115]
            o multi: do no expire a blocked transfer [56]
            o multi: fix polling with pending input [60]
            o multi: remove careful bounds check as coverity says it is not needed [174]
            o multi: xfer table/bitset, handle limits [142]
            o ngtcp2: fix coverity warning about result handling [166]
            o openssl: enable readahead [91]
            o openssl: error on SSL_ERROR_SYSCALL [94]
            o openssl: fix handling of buffered data [82]
            o openssl: fix openssl engine use [74]
            o openssl: fix pkcs11 provider available check [154]
            o os400: upgrade ILE/RPG bindings with latest definitions. [184]
            o pingpong: on disconnect, check for unflushed pingpong state [12]
            o projects/build-openssl.bat: remove [223]
            o pytest test_07_70, weaken early data check [96]
            o pytest: adapt for runs with openssl-1.1.1
            o pytest: disable test_07_37 and test_07_36 with openssl's quic [1]
            o quic: implement CURLINFO_TLS_SSL_PTR [176]
            o RELEASE-PROCEDURE.md: update docs/VERSIONS [7]
            o runtests.pl: fix sprintf() using one too many %s [134]
            o runtests: fix `LD_PRELOAD` detection for cmake-built curl binaries [123]
            o runtests: support memory-limits per test [193]
            o rustls: apply memory function overrides, fixing an ECH buffer free [181]
            o rustls: don't try printing the not provided file [104]
            o schannel: allow partial chains for manual peer verification [79]
            o schannel: drop Windows 2000 compatibility logic [26]
            o scorecard: flame graphs and documentation [165]
            o SCP/SFTP: avoid busy loop after EAGAIN [8]
            o scripts: fix to quote the copyright email address [210]
            o socks: fix query when filter context is null [221]
            o system.h: remove some macros [6]
            o test1117: reduce write delays [9]
            o test1175: fix to run, and fix documentation issues detected [216]
            o test1222: fix for out-of-tree and no-libcurl-manual builds [215]
            o test1499, 1599: use `%LOGDIR` [226]
            o test1499: verify two chunked responses on reused connection [145]
            o test1596: let test pass after year 2036 [35]
            o test1706: pass include directory to `managen` for out-of-tree builds [187]
            o tests/client: drop autotools logic no longer necessary [45]
            o tests/client: use `curl_mfprintf()` [48]
            o tests/dnsd: read config from file [85]
            o tests/http/clients: drop hack and use `curl_setup.h` again [58]
            o tests/http/clients: move to tests/client [53]
            o tests/http/requirements: remove multipart [183]
            o tests/libtest: call `curlx_now_init()` for unit 1399, 2600 (Windows) [76]
            o tests/libtest: drop `TEST_HANG_TIMEOUT` redefinition hack [108]
            o tests/libtest: drop a checksrc exception [119]
            o tests/libtest: use `curltime` from curlx [71]
            o tests/server/util.c: include netinet/in6.h [113]
            o tests/server: de-dupe/merge three `sockdaemon()` clones into one [149]
            o tests/server: drop `memdebug.h` [111]
            o tests/server: make all global vars/funcs static [41]
            o tests/server: move memory init to `memptr.c` [140]
            o tests/servers.pm: add more ways to figure out current user [17]
            o tests: always make bundles, adapt build and tests [81]
            o tests: bundle http clients, de-dupe, enable for MSVC [61]
            o tests: constify, make consts static [139]
            o tests: drop `BUNDLE_SRC` variable [59]
            o tests: drop mk-bundle exceptions [25]
            o tests: drop unused or redundant includes [153]
            o tests: drop useless "nodist_SOURCES" assignments [93]
            o tests: fail torture if !valgrind&threaded resolver [31]
            o tests: fix 1301, 1308 to fail on error [177]
            o tests: fix `BUNDLE` variable references in `Makefile.am` [125]
            o tests: make all names < 75 characters long [182]
            o tests: make individual test sources compile cleanly [107]
            o tests: make sshserver less verbose [55]
            o tests: move `curlcheck.h` to libtest as `unitcheck.h` [171]
            o tests: move GSS-API dynamic stub into debug-mode libcurl [169]
            o tests: torture: don't duplicate valgrind command [32]
            o tests: use %b64[] to base64 data [151]
            o tests: use %b64[] to base64 data in 2056, 2057 [126]
            o tftpd: use `CURLMIN()` macro [38]
            o tidy-up: replace `` with `"memdebug.h"` (src, units) [147]
            o tls: remove Curl_ssl false_start [86]
            o tool1621: drop unused internal libcurl headers [157]
            o tool_getparam: fix --ftp-pasv [15]
            o tool_operate: fix return code when --retry is used but not triggered [13]
            o tool_paramhelp: fix language in comments [196]
            o top-complexity: lower max allowed complexity threshold to 90 [33]
            o unit tests: extract "private" prototypes at build time [170]
            o unit1302: expand the base64 encode/decode tests [148]
            o url: fix connection lifetime checks [14]
            o url: fix NULL deref with bad password when no user is provided [87]
            o urlapi: simplify and split into sub functions [16]
            o urlapi: use uppercase hex encoding [133]
            o vauth: move auth structs to conn meta data [30]
            o vtls: change send/recv signatures of tls backends [65]
            o vtls: fix a copy-pasted early data comment typo [200]
            o vtls: log rustls negotiated KEX group name [201]
            o vtls: prefer ciphersuite to cipher in msgs [203]
            o vtls: prefer rustls-ffi ciphersuite name API [205]
            o VULN-DISCLOSURE-POLICY.md: fix typos [164]
            o VULN-DISCLOSURE-POLICY: all reports should be disclosed [102]
            o VULN-DISCLOSURE-POLICY: exclude not installed software [121]
            o VULN-DISCLOSURE-POLICY: minor language polish [162]
            o warnless: drop parts of the `read`/`write` preprocessor hack (Windows) [37]
            o warnless: replace `read()`/`write()` wrapper functions with macros (Windows) [75]
            o windows: drop redundant `curl_wcsdup_callback` callback [188]
            o windows: fixup `fopen()` in `CURLDEBUG` builds [62]
            o windows: reduce/stop loading DLLs at runtime [27]
            o wolfssl: add support for ML_KEM hybrids [195]
            o ws: drop redundant `CURL_EXTERN` from function definitions [179]
            o xfer: manage pause bits [97]

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit f7e6787df24843973e7315d55267db1284c5950d
Author: Adolf Belka
Date:   Mon Jul 21 23:25:50 2025 +0200

    core 197: Ship automake

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 7648af1dd517af128c3abc2496020ea2f3b3f92d
Author: Adolf Belka
Date:   Mon Jul 21 23:25:49 2025 +0200

    automake: Update to version 1.18.1

    - Update from version 1.18 to 1.18.1
    - Update of rootfile not required
    - Changelog
        1.18.1
          * Bugs fixed
            - Undo change to mdate-sh; once again, it does not look at
              SOURCE_DATE_EPOCH. This change was a misunderstanding that causes
              problems, not fixes, for reproducible builds.
              (https://lists.gnu.org/archive/html/automake/2025-06/msg00021.html)
            - Improve debuggability of installcheck failures. (bug#78850)

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit dadbaef0ae1e669e617cb0abfb08f81c91be2aa3
Author: Arne Fitzenreiter
Date:   Tue Jul 22 08:16:54 2025 +0200

    core197: add kernel to updater

    Signed-off-by: Arne Fitzenreiter

commit e5bbca89e6a79c428fd81ae916960d5402a286e2
Author: Arne Fitzenreiter
Date:   Tue Jul 22 08:04:09 2025 +0200

    vulnerabilities: add transient scheduler attacks

    Signed-off-by: Arne Fitzenreiter

commit 1f95c7ea8c7f615e0d808fac72fbb4622ec23a7f
Author: Arne Fitzenreiter
Date:   Tue Jul 22 08:03:22 2025 +0200

    kernel: update to 6.12.39

    Signed-off-by: Arne Fitzenreiter

commit 3e945cb3f0644f9dae356b0cbe0ddf9e532497b1
Author: Michael Tremer
Date:   Mon Jul 21 15:43:38 2025 +0000

    core197: Ship Suricata's ruleset sources

    Signed-off-by: Michael Tremer

commit 38617a4acd4485be7b019a72e549d222ecba1ad6
Author: Adolf Belka
Date:   Mon Jul 21 16:34:52 2025 +0200

    ruleset-sources: Remove the abuse.ch SSL list from the suricata sources

    - The abuse.ch ssl suricata list has stopped being updated since 2025-06-25
    - Looking at all of the abuse.ch lists, none of them are being updated anymore so
       abuse.ch becoming part of spamhaus looks to have stopped all work on free versions
       of the lists
    - This change modifies the abuse.ch entry so that it no longer can be installed but
       also if already installed it will remove it.
    - The patch has also made a few minor typo corrections in comments.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit dab0e52df496e83e797a80ffb19ee863e086b1d1
Author: Michael Tremer
Date: Mon Jul 21 13:27:50 2025 +0000

    dnsdist: Update to 2.0.0

    Signed-off-by: Michael Tremer

commit f7565a885b55384a64edd8bd73079143a04da519
Author: Michael Tremer
Date: Fri Jul 18 09:57:34 2025 +0000

    wireguard-functions.pl: Remove any carriage returns on import

    Some files might include carriage returns which won't be removed by chomp() on Linux. To be extra safe, we remove them manually.

    Signed-off-by: Michael Tremer

commit 0a4a3c362f4123b21e4a3c67abb4f82df1e039a8
Author: Michael Tremer
Date: Mon Jul 21 09:25:51 2025 +0000

    core197: Ship wireguard-functions.pl

    Signed-off-by: Michael Tremer

commit 68a3334413efb1a963b7cc6c6dca1ec0126e1cc1
Author: Michael Tremer
Date: Fri Jul 18 08:42:12 2025 +0000

    wireguard-functions.pl: Automatically skip IPv6 subnets

    Since we do not support this and some VPN providers generate configuration files that send any data over to them, we simply ignore any IPv6 subnets.

    Signed-off-by: Michael Tremer

commit 43e0f64444f47b149f6a69ec5a727a1345698a40
Author: Michael Tremer
Date: Thu Jul 17 18:26:33 2025 +0100

    cpufrequtils: Drop unused patches

    Signed-off-by: Michael Tremer

commit a9cc769404a20c0217a04720bc8cd17d678a6013
Author: Michael Tremer
Date: Mon Jul 21 09:19:01 2025 +0000

    core197: Update the status file in the roadwarrior configuration

    Signed-off-by: Michael Tremer

commit e61c723c8f74e02d4e9f073d2dbcb05781f50cb4
Author: Michael Tremer
Date: Mon Jul 21 09:17:27 2025 +0000

    core197: Ship updated collectd configuration

    Signed-off-by: Michael Tremer

commit 341a6a24655377ffc64d7adba096485bdc90341c
Author: Robin Roevens
Date: Sat Jul 19 23:10:10 2025 +0200

    collectd: Openvpn-2.6: fix statusfile name

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit 18f768f016d5d74c33f60b488f6b27f0b7fc3a07
Author: Michael Tremer
Date: Mon Jul 21 09:15:12 2025 +0000

    core197: Ship the new cpupower script

    Signed-off-by: Michael Tremer

commit 080323d43237b4ed9ffe184cb9e147baacebdf95
Author: Michael Tremer
Date: Mon Jul 21 09:14:19 2025 +0000

    core197: Drop cpufrequtils

    Signed-off-by: Michael Tremer

commit 3f67590278a59fbc85b095d7bc30dd69ac7e0f4e
Author: Michael Tremer
Date: Thu Jul 17 17:30:31 2025 +0000

    cpufrequtils: Drop package

    This is now implemented in the core distribution.

    Signed-off-by: Michael Tremer

commit 331d249140e4224834b2b9ea8a340cdfce4f81c7
Author: Michael Tremer
Date: Thu Jul 17 17:30:30 2025 +0000

    initscripts: Automatically enable CPU power saving features

    This is a cleaned up implementation of the script that was previously packaged in the cpufrequtils package.

    Signed-off-by: Michael Tremer

commit 13b7e3803cfd803d42d4ef082fba37859aa1e2f7
Author: Michael Tremer
Date: Fri Jul 18 10:30:29 2025 +0000

    core197: Migrate OpenVPN configuration changes

    Signed-off-by: Michael Tremer

commit 6349caf6fa009ea02f93c1b6d1a589859ce3031e
Author: Michael Tremer
Date: Fri Jul 18 10:11:34 2025 +0000

    core197: Ship BIND

    Signed-off-by: Michael Tremer

commit ff90bed77c5fec5d9f29c6f1422cf36440b09e94
Author: Matthias Fischer
Date: Fri Jul 18 00:35:56 2025 +0200

    bind: Update to 9.20.11

    For details see:
    https://downloads.isc.org/isc/bind9/9.20.11/doc/arm/html/notes.html#notes-for-bind-9-20-11

    "Notes for BIND 9.20.11

    Security Fixes

        Fix a possible assertion failure when stale-answer-client-timeout is set to 0.

        In specific circumstances the named resolver process could exit with an assertion failure when stale answers were enabled and the stale-answer-client-timeout configuration option was set to 0. This has been fixed. (CVE-2025-40777) [GL #5372]

    New Features

        Add support for the CO flag to dig.

        Add support for Compact Denial of Existence to dig. This includes showing the CO (Compact Answers OK) flag when displaying messages and adding an option to set the CO flag when making queries (dig +coflag). [GL #5319]

    Bug Fixes

        Correct the default interface-interval from 60s to 60m.

        When the interface-interval parser was changed from a uint32 parser to a duration parser, the default value stayed at plain number 60 which now means 60 seconds instead of 60 minutes. The documentation also incorrectly states that the value is in minutes. That has been fixed. [GL #5246]

        Fix a purge-keys bug when using multiple views of a zone.

        Previously, when a DNSSEC key was purged by one zone view, other zone views would return an error about missing key files. This has been fixed. [GL #5315]

        Use IPv6 queries in delv +ns.

        delv +ns invokes the same code to perform name resolution as named, but it neglected to set up an IPv6 dispatch object first.
        Consequently, it was behaving more like named -4. It now sets up dispatch objects for both address families, and performs resolver queries to both IPv4 and IPv6 addresses, except when one of the address families has been suppressed by using delv -4 or delv -6. [GL #5352]"

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit a2cc5c320c3bd894c0cff2f9185f13f0d527e456
Author: Robin Roevens
Date: Thu Jul 17 19:52:05 2025 +0200

    zabbix_agentd: Openvpn-2.6: use the helper binary to read the status log

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit 928f98326d7c82584754a9c4631b94e64ca15ae1
Author: Robin Roevens
Date: Thu Jul 17 19:52:04 2025 +0200

    zabbix_agentd: Openvpn-2.6: fix pid name for services stats

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit c297c347d96460bcab651b4f58038d5e857fd2ff
Author: Robin Roevens
Date: Thu Jul 17 19:52:03 2025 +0200

    zabbix_agentd: Add LocationDB functionality

    Adds new IPFire specific monitoring capabilities to Zabbix Agent:
    - ipfire.locationdb.lookup[,,...]: Perform IPFire LocationDB lookups from within Zabbix. Returns a JSON dict.
    - ipfire.locationdb.version: Get LocationDB version timestamp in unixtime.

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit 3f3c688181304b4676a7fbb3291270b967f09395
Author: Robin Roevens
Date: Thu Jul 17 19:52:02 2025 +0200

    zabbix_agentd: Add WireGuard specific monitoring items

    Adds new IPFire specific monitoring capabilities to Zabbix Agent:
    - ipfire.wireguard.peers.discovery: Discovery of configured WireGuard clients. Returns a JSON array.
    - ipfire.wireguard.statusreport.get: Parses and returns output of `wireguardctrl dump` as a JSON array.

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit 2772a5990067679bde106883f39a30aa2fe196e6
Author: Robin Roevens
Date: Thu Jul 17 19:52:01 2025 +0200

    zabbix_agentd: Add ARPing method for checking Internet Gateway

    Since some ISPs block ICMP ping to their gateway, ARPing can be an alternative.
    This change adds arping alternatives for the regular (icmp) ping checks:
    - ipfire.net.gateway.arping: Check if the Internet Gateway is reachable via ARPing
    - ipfire.net.gateway.arpingtime: Measure the time it takes to ARPing the Internet Gateway

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit 23fb1dfd86d1efc85a0f80228bd644287bfff682
Author: Robin Roevens
Date: Thu Jul 17 19:52:00 2025 +0200

    zabbix_agentd: Update to 7.0.16 (LTS)

    - Update from version 7.0.11 to 7.0.16
    - Update of rootfile not required

    Bugs fixed:
    ZBX-26080 Fixed old file descriptors being held when external log rotation is used
    ZBX-26121 Added default flags to net.dns.get arguments when none are specified
    ZBX-26055 Fixed failure to refresh active checks when next refresh was faster than 60 seconds

    Full changelogs since 7.0.11:
    - https://www.zabbix.com/rn/rn7.0.12
    - https://www.zabbix.com/rn/rn7.0.13
    - https://www.zabbix.com/rn/rn7.0.14
    - https://www.zabbix.com/rn/rn7.0.15
    - https://www.zabbix.com/rn/rn7.0.16

    Signed-off-by: Robin Roevens
    Signed-off-by: Michael Tremer

commit d32ce68c3e2cc0bde4407d97e1f09d8a1efba0e7
Author: Michael Tremer
Date: Thu Jul 17 09:33:00 2025 +0000

    core197: Ship unbound

    Signed-off-by: Michael Tremer

commit fa17eeb492011789e7fd0c88ffb1b345cf60fc7e
Author: Matthias Fischer
Date: Wed Jul 16 18:50:32 2025 +0200

    unbound 1.23.1: Fix for rootfile

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 78857720874c00fd9827da6b61454b0f932592d9
Author: Matthias Fischer
Date: Wed Jul 16 13:32:07 2025 +0200

    unbound: Update to 1.23.1

    For details see:
    https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-1

    "Fix RebirthDay Attack CVE-2025-5994,
    reported by Xiang Li from AOSP Lab Nankai University."

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit c5ecfbe3f1cb1adc4d8ad04c97a5d749dd5a3f1a
Author: Michael Tremer
Date: Tue Jul 15 09:57:16 2025 +0000

    core197: Ship OpenVPN changes

    Signed-off-by: Michael Tremer

commit 231f939586d8ec1d72f654175b549859e59f105b
Author: Michael Tremer
Date: Tue Jul 8 10:49:47 2025 +0200

    openvpn: Ignore existing PID files when starting processes

    This is all not very organised and tidy. The init process seems to be too cautious if there is a PID file left but there should not be any harm in trying to start the same process twice when in doubt because after all only one can bind to the same port at a time.

    Signed-off-by: Michael Tremer

commit fa429bcca8f156125181667fba75b2dfd13c7281
Author: Michael Tremer
Date: Tue Jul 8 10:44:30 2025 +0200

    ovpnmain.cgi: Accept an empty value for ENABLED

    Signed-off-by: Michael Tremer

commit 3bbf7b6e2919bf054af1d6c924522f889142ba91
Author: Michael Tremer
Date: Tue Jul 8 10:42:36 2025 +0200

    ovpnmain.cgi: Fix broken headline in N2N crypto section

    Signed-off-by: Michael Tremer