commit d3725fecec79b5d2c807e9830d983a1804b14616 Author: Adolf Belka Date: Mon Sep 15 19:40:55 2025 +0200 core198: Ship collectd due to sobump in nut update Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 7ab09188f9f292f42f10b2f51923625ec72a8a0e Author: Adolf Belka Date: Mon Sep 15 19:40:54 2025 +0200 nut: Update to version 2.8.4 - Update from version 2.8.3 to 2.8.4 - Update of rootfile - sobump requires shipping of collectd - Changelog 2.8.4 - Bug fixes for fallout possible due to "fightwarn" effort in 2.8.0+: * In `usbhid-ups` sources, introduced optional `HU_FLAG_PARAM_REQUIRED` for `setvar()` or `instcmd()` handling (and a `HU_TYPE_CMD_PARAM_REQUIRED` shortcut) for setting in the mapping table flags, to specify variables or instant commands that require an argument (either from caller or a non-`NULL` default in the run-time table after device data discovery); if the flag is not set, a zero value is assumed. Incomplete code was a regression of NUT v2.8.3 causing some instant commands to fail. [#2860, #2955] - Fix fallout of development in NUT v2.8.0 and/or v2.8.1 and/or v2.8.2 and/or v2.8.3: * Fixed a regression in recipes of NUT v2.8.3 release (as compared to v2.8.2), where `configure --with-docs=all` no longer failed a run of the `configure` script when some of the required rendering tools were not in fact available. [#2842, fixed by #2921] * Some recipe improvements in earlier releases led to `make check` always running a spelling check (if tools are available), even if the explicit `configure --disable-spellcheck` option was used. Now it would not run if disabled (e.g. to speed up CI builds in scenarios that focus on other aspects of the code base), although developers can still use the explicit `make spellcheck*` goals, when tools are in fact available. [#2973] * A change in `Makefile.am` recipes to evaluate some driver names in the `DRIVERLIST` variables inspected by `configure` script, rather than having all their names hard-coded like before, led to inability to `configure --with-drivers=dummy-ups`. [#2825, #2927, fixed by PR #2929] * A problem noted with `upsdrvquery` (since NUT v2.8.1) message logging at high debug verbosity levels (5+) with very large blocks of content has exposed a deficiency in variable-argument handling, and specifically adaptive resizing of the output buffer or truncation of logged inputs (which is something NUT code tried to do since the beginning of time), and could lead to "segmentation fault" crashes on some platforms. [issue #2948, PR #2963] * Documentation build recipes overly zealously pre-processed source files, which was not applicable for each and every document type we have (e.g. binary images for illustrations); this caused grief with some toolkits. [issue #2989] - common code: * Revised common `writepid()` to use `altpidpath()` as location for the PID file creation, if the default `rootpidpath()` is not accessible (e.g. daemon was not initially started as `root`). Likewise updated short PID file based signal sending to consult both locations. [#1717] * Linux may report a `/proc/X/exe` symlink with an embedded "(deleted)" suffix, if the binary was removed (or replaced) since the running process started. This confused our code which verifies that when it is sending a signal to a PID, that PID does reflect the expected NUT program. [#3021] * Refactored NUT "common" sources to reference `nut_version.h` macros from a smaller C source file, to minimize the compilation unit size impacted by development iterations. [issue #2097] * Common code hardening: added sanity-checking for dynamically constructed or selected formatting strings with variable-argument list methods (typically used with log printing, `dstate` setting, etc.) [#2450, #3016] - Warn if `%n` formatting string is used -- it is deprecated in some newer distros due to security concerns. * Refactored repetitive implementations of `inet_ntopSS()` (nee `inet_ntopW()` in `upsd.c`) and `inet_ntopAI()` methods into `common.c`, so now they can be re-used or expanded more easily. [#2916] - `upsd` updates: * Fixed two bugs about printing the "further (ignored) addresses resolved for this name": the way to extract IP address string was not portable and misfired on some platforms, and the way to print had a theoretical potential for buffer overflow. [#2915] * Print arguments of a processed command into the debug log, to help track down what unsupported queries are about, etc. (but only endeavor to spend time, RAM and CPU on this if debug verbosity is high enough). Hide the sensitive commands' parameters unless verbosity is unusually high. [#3023] - `upsdrvquery` API updates [#2969]: * Added `upsdrvquery_oneshot_conn()` for issuing one-shot queries using an existing `udq_pipe_conn_t *` connection. The caller manages the connection's lifecycle, and the function includes a best-effort call to restore broadcast mode after the query to return the connection as it was. * Added `upsdrvquery_oneshot_sockfn()` for initiating one-shot queries using a socket filename. Shares internal logic with the existing `upsdrvquery_oneshot()`, which uses a UPS and driver name, respectively. * Introduced `upsdrvquery_restore_broadcast()` to explicitly restore broadcast mode (`BROADCAST 1`) on a connection, helping return it to a consistent and talkative state. * Revised connection ownership handling: internal functions like `upsdrvquery_prepare()` and `upsdrvquery_request()` no longer close connections they do not own. Responsibility for cleanup is now delegated to the caller to avoid unintended side effects and better align with expected usage patterns. - common driver code: * Update reports of failed socket file creation, to help troubleshooting some error cases in the field. [#2959] * Removed workarounds trying to migrate legacy driver raised `ALARM` status tokens into modern `alarm_*` function logic. Rather, we keep supporting them as separate from the modern logic, seeing as `upsmon` does not care where the token itself was raised for its notifications. Driver-code related test-cases were updated to reflect these changes. [issue #2928, PRs #2931 and #2934] * Introduced some macros in `drivers/upshandler.h` for common syslog level definitions and message wording for beginning and failing `instcmd()` or `setvar()` operations consistently in different drivers. As a related change, operations that intend to turn off or restart the load, or can do that by side effect (e.g. calibration if batteries are old or dead), would explicitly `upslogx(LOG_CRIT,...)` by default before commencing. [#2957] * Fixed a couple of ancient memory leaks: one "shared" during driver program initialization, and one specific to `dummy-ups` wind-down. [#2972] * Added a `suggest_NDE_conflict()` method so drivers which lack access to the expected device can consistently suggest that this may be because of running both an NDE-wrapped service unit and a manually launched driver program at the same time. Currently added to `libusb{0,1}.c` code, but may later be expanded to e.g. serial drivers and other media, when their behavior in such situations gets identified. [follow-up to issue #477, PR #3041] - `apc_modbus` driver updates: * The time stamp and inter-frame delay accounting was fixed, alleviating one of the problems reported in issue #2609. [PR #2982] * Fix missing variables due to mismatching format string. [PR #3013] - `bcmxcp` driver updates: * The latching on to a previous replace battery status was fixed, with its alarm state variable now correctly being reset; previously a factually replaced battery did not clear the alarm and the whole driver needed to be restarted. [issue #2999, PR #3002] - `clone`, `clone-outlet`, `nhs_ser` driver and `nutdrv_qx_ablerex` subdriver updates: * Refactored to follow modern handling of status and alarm conditions, aligning with current driver design practices. This includes fixing copy-paste related issues in alarm reporting and removing some alarm messages that should instead be reflected as status flags. [#2936] - `dummy-ups` driver updates: * A new instruction `ALARM` was added for the `Dummy Mode` operation of the driver, enabling simulation of UPS alarm states more closely in line with modern, real-world UPS driver implementations. This follows the updated principle of keeping alarm states decoupled from the `ups.status` variable, with alarms now raised via common alarm functions rather than direct manipulation. [issue #2928, PR #2936] - `nutdrv_qx` driver updates: * Added support for "preprocess"/"process" methods called from mapping tables to report back to the driver that an argument value was not supported, so `setvar()` or `instcmd()` can not proceed safely and should return `STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017] * Introduced `innovart33` protocol support for Ippon Innova RT 3/3 topology UPSes. [#2938] * Updated `megatec` protocol for more detailed responses to `I` query which may return `ups.serial` (after a shorter `device.mfr`) and the `battery.runtime` (after a shorter `device.model`). Note that the expected response is shorter than in other dialects (38 vs. 39 bytes), so if this change breaks anything for your UPS that reported the values above correctly (e.g. the `ups.firmware` version becomes shorter or none of these are reported), please let NUT developers know. [#2980] * Revised `voltronic` protocol to suppress alarm "UPS is in ECO Mode", using "buzzword mode" settings more correctly than in the previous iteration, shipped in NUT v2.8.3 release (as PR #2750 for issue #2708). [issue #2494] * Introduced a `voltronic-axpert` subdriver for Voltronic Axpert inverters which speak the P30 protocol, currently in a highly experimental state: with initial support for query commands, but most values are "hidden" from default NUT builds by being defined in `experimental.*` namespace, and should also be enabled by `configure --with-unmapped-data-points`. Development was based on work done in the Voltronic Sunny subdriver in https://github.com/nickma82/nut/tree/nutdrv_qx_voltronic-sunny_rebased%2Bcommand [#1407] - `phoenixcontact_modbus` driver updates: * Added more settings that can be tuned -- support for shutdown variables, UPS mode selector, PC reset delay after main power recovers, and automatic switch to battery mode (and back) if main power is below or above a defined threshold (see the new "Configurable Values" section in the man page). They can be configured via `default.*` values in `ups.conf`. [#2986] - `pijuice` driver updates: * Converted to NUT standard use of `status_set()` with single-token values. [issue #2708] - `snmp-ups` driver updates: * Added support for "fun"/"nuf" methods called from mapping tables to report back to the driver that an argument value was not supported, so `setvar()` or `instcmd()` can not proceed safely and should return `STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017] * Fixed `ups.test.date` to be semi-static in `apc-mib` mapping, so it would be queried more than once per driver up-time. [issue #3011] * Fixed debug-logging around `SU_FLAG_STATIC` entries to clarify when they get skipped. [issue #3011] - `usbhid-ups` driver updates: * Added support for "fun"/"nuf" methods called from mapping tables to report back to the driver that an argument value was not supported, so `setvar()` or `instcmd()` can not proceed safely and should return `STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017] * `hid_ups_walk(HU_WALKMODE_INIT)`: report if exactly one of "fun" or "nuf" dynamic value mapping methods is defined in a one-line table, and this may preclude reads/writes of that variable. [#2956] * The `cps-hid` subdriver's existing mechanism for fixing broken report descriptors was extended to cover a newly reported case of nominal UPS power being incorrectly reported due to an unrealistically low maximum threshold, as seen with a EC850LCD device. [issue #2917, PR #2919] * Further revision of "ECO mode" related code in `mge-hid` subdriver, following up from work started for NUT v2.8.3 release. [PR #2956] * Added APC BVKxxxM2 and BKxxxM2-CH to list of devices where `lbrb_log_delay_sec=N` may be necessary to address spurious LOWBATT and REPLACEBATT events. [PR #2942, PR #3007, issue #2347, issue #3006] - New NUT drivers: * Introduced a `ve-direct` driver for Victron Energy UPS/solar panels monitoring. Most specific reported values are in an `experimental.*` namespace, as a community we need to come up with standard naming for those via `docs/nut-names.txt`. [#440] * Introduced a `nutdrv_hashx` driver for numerous devices from Ablerex, Atlantis Land, Epyc, Infosec, ION, PowerWalker, Right Power Technology, Salicru, UPS Solutions and other vendors (originally shipped with a "PowerMaster+", "PowerMaster" or "PowerGuide" software companion suite). This seems to be a protocol developed by Cyber Energy for serial-port devices, subsequently used by different vendors in their own products or re-branded Cyber Energy creations. [#2940] * Introduced a `failover` driver for monitoring multiple UPS driver sockets and seamless switching out of UPS data in a failover situation, includes support for end-to-end tracked instant commands and also variable updating. [#2962] * Introduced USB (`powervar_cx_usb`) and Serial (`powervar_cx_ser`) drivers for Powervar CUSPP protocol, tested with GTS (USB) and UPM (USB, Serial) models. [#2988] - The `nut-driver-enumerator.sh` script (NDE) updates: * Now NDE internally tracks dependency of one driver on another one that should be locally running to serve the "original" data points (`clone`, `clone-outlet`, `dummy-ups`, `failover`). It should create "soft" dependencies between respective service instances to order their start-up sequence. [#2962] * Fixed NDE to not consider "masked" systemd units as non-existent or as syntactically failed instantiated unit names. [#3033] - NUT Monitor GUI: * Ported Python 3 version to Qt6, now shipped alongside Qt5 for systems with either or both, maximizing compatibility with old and new setups. [#2946] - `upsmon` client: * Clearer debug logging of `SHUTDOWNCMD` and `NOTIFYCMD` that would be used (or warnings that none was set); flush output buffers after these messages and after each main loop cycle, so any emitted text is seen in a timely manner. [issue #3003, PR #3008] - The `nutshutdown` script (end-game integration for UPS power-off in case of FSD initiated by `upsmon`) was updated to consider `MODE=none` set in `nut.conf` and bail out quietly. [issue #2935, PR #3008] - Manual page recipes and contents: * Introduced handling (possibly rewriting) for man page section "Overviews, conventions, and miscellaneous" (commonly number 7), to deliver support for `man nut` queries (NUT overview manual page also created). [#2945] * A new `configure --with-docs-man-dir-as-base` option was introduced so that directories for man page sections can now be automatically named as either "base" number of the section (e.g. `man1`) or by full section name (`man1m`), as different OS distributions have different preferences in this regard. [#2950] * Option to `configure --enable-docs-man-for-progs-built-only` was added, to differentiate NUT builds that deliver man pages for only built programs (legacy default) or for all of them (as needed for docs sites). [#2976] * Option to `configure --enable-docs-changelog` was added, specifically to allow developer iterations to not waste CPU time rebuilding the huge `ChangeLog*` files whenever their Git index changes. [#3019] * Options to `configure --with-docs-changelog-start` and/or `configure --with-docs-changelog-end` were added to allow developers to customize the size of `ChangeLog*` files when they are generated. Default starting value is `auto` which applies the legacy default `v2.6.0` to release/pre-release builds, or when local Git version info could not be retrieved, and the most-recent release tag (or `master` as fallback) for usual build iterations. Default ending value is `HEAD` for the current git commit at the moment the ChangeLog is (re-)generated. Balancing against the option to not build `ChangeLog*` files at all, this couple allows quicker builds that exercise all relevant recipe code paths. [#3019] - Extended the `gitlog2changelog.py` helper script to report start/end commits actually used, and to allow callers to tweak them better (not only `HEAD` for the end of range); this may be of interest to other projects which use this script. Allow `configure` to disable generation of either certain `ChangeLog*` rendering formats or completely, to speed up developer iterations (much time is wasted when dev-testing new code, due to git index changes if NUT was configured to build with documentation). [#3019] - The `BUILD_TYPE=default-all-errors ci_build.sh` script handling was revised to simplify code, and to default in CI builds to a quicker mode which randomly mixes the selected SSL, USB and UNMAPPED variants (and relies on the dozens of NUT CI farm runs per iteration to likely cover all possible combinations), which should roughly halve the CI build times. Default activity for developer builds should remain as it was -- to try each such "axis" sequentially. [#2973] - Revised generation of links to external manual pages in HTML rendering of NUT manual pages (previous recipe iterations left DocBook XML `ulink` tag "as is", which was not understood by web browsers). [follow-up to PR #2797] - Made the distro-dependent URL template for man pages configurable. [follow-up to PR #2797] - Revised `make install-as-root` to fall back to legacy ways of enabling services, if `systemctl preset-all` fails (assumed due to a systemd 252 bug). [#3022] - Added a `make check-parallel-builds` recipe to help troubleshoot recipes in sub-directories, and improved build-ability of existing NUT sources starting from scratch there. This is a workflow useful for NUT development (e.g. to focus only on drivers, or tests, or nut-scanner) but not so much for end-user packaging where everything builds from the root directory. [PR #3030, follows up from PR #2825, highlights why issue #2584 better be solved] - Revised `appveyor.yml` to run CI builds faster (forfeit MSYS2 ecosystem updates and some other steps) and more likely fit in one-hour allocation. Also have it install `mingw-w64-x86_64-python-pyqt6` so the `NUT-Monitor` application can get packaged (would need a capable Python run-time though). [#3046] Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 6d332fdc0c3c24eaff4492f020cc617cb726d4de Author: Adolf Belka Date: Mon Sep 15 19:46:22 2025 +0200 core198: Ship p11-kit Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 31c5b4b03598793dec01ff6cf91465ca9f432786 Author: Adolf Belka Date: Mon Sep 15 19:46:30 2025 +0200 p11-kit: Update to version 0.25.8 - Update from version 0.25.5 to 0.25.8 - Update of rootfile - Changelog 0.25.8 * rpc: Unbreak protocol compatibility by reverting "rpc: Correctly map Mozilla certificate distrust attributes" [PR#716] 0.25.7 * Build fixes from tarball with Meson [PR#714] 0.25.6 * rpc: Add module configuration option to specify server address [PR#707] * rpc: Correctly map Mozilla certificate distrust attributes [PR#705] * rpc: Fix empty array attribute handling [PR#704] * server: Remove libsystemd dependency for socket activation [PR#685] * Avoid segfault if p11_library_init_impl/p11_library_uninit are called multiple times [PR#682] * Add zsh completions [PR#674] * pkcs11: Update pkcs11.h to version 3.1 [PR#671] * pkcs11: Add IBM specific mechanisms [PR#669] * server: check SHELL if (and only if) neither --sh nor --csh is specified [PR#661] * trust: don't create file names longer then 255 [PR#659] * trust: sort paths for reproducible extract [PR#656] * Build and test fixes [PR#647, PR#653, PR#654, PR#657, PR#660, PR#667, PR#673, PR#681, PR#683, PR#688, PR#694] * Update translations [PR#663, PR#701] Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 932c1a82183897e27b54bf2ea5987f1d03eca7eb Author: Adolf Belka Date: Mon Sep 15 19:46:21 2025 +0200 core198: Ship lvm2 Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit c785cc3c45f5a33e87c09a487306e8c56b13d613 Author: Adolf Belka Date: Mon Sep 15 19:46:29 2025 +0200 lvm2: Update to version 2.03.35 - Update from version 2.03.33 to 2.03.35 - Update of rootfile - Changelog 2.03.35 Fix unlocking devices file only after all PVs are processed. Avoid creating system.devices when deleting entries. Fix existing issues with persistent reservations. Fix possible report output format inconsistencies while processing PVs. Allow report options for pv/vg/lvdisplay only if used with -C|--columns. Fix vgsplit failing to split a VG with RAID+integrity or cache with cachevol. Fix --lockopt handling in lvmlockd when --nolocking is used. Optimize dmeventd when remonitoring active devices. 2.03.34 Support dmeventd restart when there are no monitored devices. Dmeventd no longer calls 'action commands' on removed devices. Fix reader of VDO metadata on 32bit architecture. Fix lvmdevices --deldev/--delpvid to error out if devices file not writeable. Fix lvresize corruption in LV->crypt->FS stack if near crypt min size limit. Enhanced lvresize -r support for btrfs. Use glibc standard functions htoX, Xtoh functions for endian conversion. Fix structure copying within sanlock's release_rename(). Fix autoactivation on top of loop dev PVs to trigger once for change uevents. Add lvmlockd --lockopt repair to reinitialize corrupted sanlock leases. Fix support for lvcreate -T --setautoactivation. Add lvm.conf global/lvresize_fs_helper_executable. Enable lvm to use persistent reservations on a VG. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 9acb4b08cb2fa38c591c270d75f3d823243232d8 Author: Adolf Belka Date: Mon Sep 15 19:46:20 2025 +0200 core198: Ship libxml2 Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 798fa55f0d58f3bfcad9a26f3b579daba2a92bfe Author: Adolf Belka Date: Mon Sep 15 19:46:28 2025 +0200 libxml2: Update to version 2.14.6 - Update from version 2.14.4 to 2.14.6 - Update of rootfile - 5 CVE fixes in version 2.14.5 - Changelog 2.14.6 Regressions valid: Don't add ids when validating entity content Fix initGenericErrorDefaultFunc(NULL) (Samuel Thibault) valid: Undeprecate xmlAdd*Decl globals: Include HTMLparser.h, fixing Windows build io: Fix reading from pipes like stdin on Windows Security regexp: Avoid integer overflow and OOB array access tree: Guard against atype corruption Improvements parser: Fix xmlSaturatedAddSizeT argument type 2.14.5 Regressions valid: Don't add ids when validating entity content io: Fix reading from pipes like stdin on Windows parser: Fix handling of invalid char refs in recovery mode Security regexp: Avoid integer overflow and OOB array access tree: Guard against atype corruption [CVE-2025-49794] [CVE-2025-49796] schematron: Fix xmlSchematronReportOutput [CVE-2025-49795] schematron: Fix null pointer dereference leading to DoS (Michael Mann) [CVE-2025-6170] Fix potential buffer overflows of interactive shell (Michael Mann) [CVE-2025-6021] tree: Fix integer overflow in xmlBuildQName Bug fixes save: Fix serialization of attribute defaults containing < Improvements parser: Fix xmlSaturatedAddSizeT argument type Build systems and portability meson: Add libxml2 part of include dir to pc file (Heiko Becker) cmake: Fix installation directories in libxml2-config.cmake io: Fix linkage of __xml*BufferCreateFilename functions Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 199dc49ad07635013f639107f269d5059219c147 Author: Adolf Belka Date: Mon Sep 15 19:46:19 2025 +0200 core198: Ship libssh Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 2b4ca744b03f828297bde50e43f40abbf146b64f Author: Adolf Belka Date: Mon Sep 15 19:46:27 2025 +0200 libssh: Update to version 0.11.3 - Update from version 0.11.2 to 0.11.3 - Update of rootfile - Changelog 0.11.3 * Security: * CVE-2025-8114: Fix NULL pointer dereference after allocation failure * CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX * Potential UAF when send() fails during key exchange * Fix possible timeout during KEX if client sends authentication too early (#311) * Cleanup OpenSSL PKCS#11 provider when loaded * Zeroize buffers containing private key blobs during export Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 3063559e4fa15e3058f2e62d8df617fae4a92e69 Author: Adolf Belka Date: Mon Sep 15 19:46:18 2025 +0200 core198: Ship libffi Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit c9ff62f3d28bf9c95de5889b02f9b13a3be8726d Author: Adolf Belka Date: Mon Sep 15 19:46:26 2025 +0200 libffi: Update to version 3.5.2 - Update from version 3.5.1 to 3.5.2 - Update of rootfile not required - Changelog 3.5.2 fix: enable FFI_MMAP_EXEC_WRIT for DragonFly BSD by @liweitianux in #930 Emscripten: Add wasm64 target by @ktock in #927 fix: Ensure trampoline file descriptors are closed on exec. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 1345abf18b964289bbc37033eb8d7500cd97a15f Author: Adolf Belka Date: Mon Sep 15 19:46:25 2025 +0200 haproxy: Update to version 3.2.4 - Update from version 3.2.2 to 3.2.4 - Update of rootfile not required - Changelog 3.2.4 - DOC: deviceatlas build clarifications - BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers - BUG/MEDIUM: acme: use POST-as-GET instead of GET for resources - MINOR: acme: remove acme_req_auth() and use acme_post_as_get() instead - BUG/MINOR: acme: allow "processing" in challenge requests - CLEANUP: acme: fix wrong spelling of "resources" - MINOR: acme: add ACME to the haproxy -vv feature list - MINOR: acme: implement traces - BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet - BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket - BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket - BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally established - BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options - BUG/MINOR: hlua: take default-path into account with lua-load-per-thread - BUG/MEDIUM: mux-quic: ensure Early-data header is set - CLEANUP: ssl: Rename ssl_trace-t.h to ssl_trace.h - BUILD: acme: avoid declaring TRACE_SOURCE in acme-t.h - BUG/MEDIUM: hlua_fcn: ensure systematic watcher cleanup for server list iterator - MINOR: acme: emit a log for DNS-01 challenge response - MINOR: acme: emit the DNS-01 challenge details on the dpapi sink - MEDIUM: acme: allow to wait and restart the task for DNS-01 - MINOR: acme: update the log for DNS-01 - BUG/MINOR: acme: possible integer underflow in acme_txt_record() - MEDIUM: acme: use lowercase for challenge names in configuration - DOC: management: clarify usage of -V with -c - MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory - BUG/MINOR: listener: really assign distinct IDs to shards - MINOR: quic: Prevent QUIC build with OpenSSL 3.5 new QUIC API version < 3.5.1 - BUG/MEDIUM: quic: Crash after QUIC server callbacks restoration (OpenSSL 3.5) - BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was xferred - BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred - BUG/MEDIUM: http-client: Ask for more room when request data cannot be xferred - BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode - BUG/MINOR: http-client: Reject any 101-switching-protocols response - BUG/MEDIUM: http-client: Drain the request if an early response is received - BUG/MEDIUM: http-client: Notify applet has more data to deliver until the EOM - MINOR: h1-htx: Add function to format an HTX message in its H1 representation - BUG/MINOR: mux-h1: Use configured error files if possible for early H1 errors - BUG/MINOR: h1-htx: Don't forget to init flags in h1_format_htx_msg function - BUG/MEDIUM: h3: do not overwrite interim with final response - BUG/MINOR: h3: properly realloc buffer after interim response encoding - BUG/MINOR: h3: ensure that invalid status code are not encoded (FE side) - MINOR: qmux: change API for snd_buf FIN transmission - BUG/MEDIUM: h3: handle interim response properly on FE side - BUG/MINOR: quic: Wrong source address use on FreeBSD - MINOR: h3: remove unused outbuf in h3_resp_headers_send() - BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init - BUG/MINOR: halog: exit with error when some output filters are set simultaneosly - BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS - BUG/MINOR: logs: fix log-steps extra log origins selection - BUG/MINOR: hq-interop: fix FIN transmission - BUG/MINOR mux-quic: apply correctly timeout on output pending data - BUG/MINOR: mux-quic: ensure close-spread-time is properly applied - CLEANUP: http-client: Remove useless indentation when sending request body - DOC: list missing global QUIC settings - BUILD: compat: provide relaxed versions of the MIN/MAX macros - BUILD: compat: always set _POSIX_VERSION to ease comparisons - BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr instead of MAX_SESS_STKCTR - MINOR: sock: update broken accept4 detection for older hardwares. - BUG/MEDIUM: ssl: Fix 0rtt to the server - BUG/MEDIUM: ssl: fix build with AWS-LC - BUG/MINOR: init: Initialize random seed earlier in the init process - DOC: management: fix typo in commit f4f93c56 - DOC: config: recommend single quoting passwords - BUG/MEDIUM: mux-quic: adjust wakeup behavior - BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX buffer 3.2.3 - CI: enable USE_QUIC=1 for OpenSSL versions >= 3.5.0 - CI: github: add an OpenSSL 3.5.0 job - CI: github: update the stable CI to ubuntu-24.04 - BUILD: quic: QUIC build against OpenSSL 3.5 broken - BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5 - CI: github: update to OpenSSL 3.5.1 - BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits (OpenSSL 3.5 QUIC API) - BUG/MINOR: ssl/ocsp: fix definition discrepancies with ocsp_update_init() - BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections - BUG/MINOR: http-act: Fix parsing of the expression argument for pause action - BUILD/MEDIUM: deviceatlas: fix when installed in custom locations. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 36110b3f109fa60308a790aee1875e4816521f9f Author: Adolf Belka Date: Mon Sep 15 19:46:17 2025 +0200 core198: Ship freetype Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit b07d7b7c66f75ac05491b3fee9cab812b20d88fe Author: Adolf Belka Date: Mon Sep 15 19:46:24 2025 +0200 freetype: Update to version 2.14.1 - Update from version 2.13.3 to 2.14.1 - Update of rootfile - Changelog 2.14.1 This is an emergency release that fixes a couple of severe bugs introduced in version 2.14.0 and discovered right after the release; see issues #1349, #1353, #1354, #1355, and #1356. 2.14.0 IMPORTANT CHANGES - A new configuration macro `FT_CONFIG_OPTION_USE_HARFBUZZ_DYNAMIC` is available to load the HarfBuzz library dynamically (in addition to the standard static and dynamic linking modes); cmake, meson, and autotools support have been updated accordingly. Using this new feature makes it possible to avoid the circular dependency between HarfBuzz and FreeType. A side effect of this change is that FreeType no longer uses HarfBuzz header files (if HarfBuzz support is activated). This code was contributed by Behdad Esfahbod. - The auto-hinter got new abilities. . It can now better separate diacritic glyphs from base glyphs at small sizes by artificially moving diacritics up (or down) if necessary. . Tilde accent glyphs get vertically stretched at small sizes so that they don't degenerate to horizontal lines. . Diacritics directly attached to a base glyph (like the ogonek in character 'ę') no longer distort the shape of the base glyph. These features use a database (which currently has entries for Unicode characters up to U+FFFF, based on Unicode 17.0), handling scripts like Latin, Cyrillic, or Greek, but not Arabic or Indic scripts. FreeType needs to access a proper Unicode character map (or must be able to construct such a cmap) of a given font to make this work. The central algorithm and the foundation of this feature was Craig White's GSoC 2023 project. - Bitmap-only TrueType fonts now ignore the `FT_LOAD_NO_BITMAP` flag and proceed loading bitmaps instead of giving an error. This behavior is documented and implemented for other bitmap-only fonts. The flag was always meant to suppress the bitmap strikes in favor of outlines, not to ban them completely. IMPORTANT BUG FIXES - Users of the `TT_CONFIG_OPTION_GPOS_KERNING` configuration option should update; the 'GPOS' table wasn't correctly validated before access, which could lead to crashes with malformed font files. MISCELLANEOUS - `FT_Set_Var_Design_Coordinates` and `FT_Set_MM_Blend_Coordinates` now set the `FT_FACE_FLAG_VARIATION` bit in the `face_flag` field of `FT_Face` (i.e., the macro `FT_IS_VARIATION` returns true) also if any of the provided coordinates is different from the face's default value for the corresponding axis, that is, the set up face is not at its default position. - `FT_Load_Sfnt_Table` can now also load a font's table directory. - The TrueType instruction interpreter was optimized to produce a 15% gain in the glyph loading speed. - Handling of Variation Fonts is now considerably faster, thanks to contributions by Behdad Esfahbod. - TrueType and CFF glyph loading speed has been improved by 5-10% on modern 64-bit platforms as a result of better handling of fixed- point multiplication. - The BDF driver now loads fonts 75% faster. - 'GPOS' kern table handling (if the `TT_CONFIG_OPTION_GPOS_KERNING` configuration option is active) is now about 3.5 times faster than before. - Support for the (currently undocumented) 'flip' graphic type in the 'sbix' SFNT table as used in the `Apple Color Emoji.ttc` font (code provided by Andrew Murray). - `ftmulti` can now scroll through named instances and gracefully show static fonts. - The build file on OpenVMS now also creates a 32-bit version of the library. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 5c3108043280aabd6821b988dbde720be4bd92ef Author: Adolf Belka Date: Mon Sep 15 19:46:16 2025 +0200 core198: Ship ethtool Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 4740d7ccb17db0e8c697630b72934ba8f1809bfc Author: Adolf Belka Date: Mon Sep 15 19:46:23 2025 +0200 ethtool: Update to version 6.15 - Update from version 6.9 to 6.15 - Update of rootfile - Changelog 6.15 * Feature: support OR-XOR symmetric RSS hash type (-x/-X) * Feature: dump registers for hibmcge driver (-d) * Feature: configure header-data split threshold (-g/-G) * Feature: dump registers for fbnic driver (-d) * Feature: JSON output for channels info (-l) * Fix: incorrect data in appstream metainfo XML * Fix: prevent potential null pointer dereferences * Fix: more consistent and better parseable per lane signal info (-d) 6.14 * Feature: list PHYs (--show-phys) * Feature: target a specific PHY with some commands (--phy) * Feature: more attributes for C33 PSE (--show-pse, --set-pse) * Feature: source information for cable tests (--cable-test[-tdr]) * Feature: JSON output for module info (-m) * Feature: misc RSS hash info improvements (-x) * Feature: tsinfo hwtstamp provider (--{get,set}-hwtimestamp-cfg) * Fix: fix wrong auto-negotiation state (no option) * Fix: more explicit RSS context action (-n) * Fix: print PHY address as decimal (no option) * Fix: fix return value on flow hashing error (-N) * Fix: fix JSON output for IRQ coalescing * Fix: fix MDI-X info output (no option) * Misc: code cleanup in module parsers * Misc: provide module_info JSON schema * Misc: add '-j' alias for --json * Misc: provide AppStream metainfo XML * Misc: update message descriptions for debugging output 6.11 * Feature: cmis: print active and inactive firmware versions * Feature: flash transceiver module firmware (--flash-module-firmware) * Feature: add T1BRR 10Mb/s mode to link mode tables * Feature: support for disabling netlink from command line * Fix: fix lanes parameter format specifier * Fix: add missing clause 33 PSE manual description * Fix: qsf: Better handling of Page A2h netlink read failure * Fix: rss: retrieve ring count using ETHTOOL_GRXRINGS ioctl (-x) * Misc: man page formatting fix 6.10 * Feature: suport for PoE in PSE (--show-pse and --set-pse) * Feature: add statistics support to tsinfo (-T) * Feature: add JSON output to base command (no option) * Feature: add JSON output to EEE info (--show-eee) * Fix: qsfp: better handling on page 03h read failure (-m) * Fix: handle zero arguments for module eeprom dump (-m) * Fix: check for missing arguments in do_srxfh() (-X) * Misc: compiler warnings in "make check" * Misc: more descriptive error when JSON output is not available Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 0fb06f864f987396be173350362b35f1ebe1fd17 Author: Adolf Belka Date: Mon Sep 15 17:47:27 2025 +0200 cmake: Add patch to avoid using undocumented type for CURLOPT_PROXYTYPE values - Update of rootfile - With the new update of curl changes were made to CURLOPT which resulted in cmake using an undocumented type. - This patch has been merged in the cmake git repo and will become available in version cmake-4.1.2 so the patch will be able to be removed when that version is released and updated in IPFire. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 3bbca7da627e8ea29fff9fe377f6fc1b970892ab Author: Adolf Belka Date: Mon Sep 15 17:47:26 2025 +0200 core198: Ship curl Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 1ff80986d5200d9cdb19458f53b6a611bd8219a5 Author: Adolf Belka Date: Mon Sep 15 17:47:25 2025 +0200 curl: Update to version 8.16.0 - Update from version 8.15.0 to 8.16.0 - Update of rootfile - Changelog 8.16.0 changes: o build: bump minimum required mingw-w64 to v3.0 (from v1.0) [33] o curl: add --follow [129] o curl: add --out-null [101] o curl: add --parallel-max-host to limit concurrent connections per host [81] o curl: make --retry-delay and --retry-max-time accept decimal seconds [112] o hostip: cache negative name resolves [175] o ip happy eyeballing: keep attempts running [80] o mbedtls: bump minimum version required to 3.2.0 [180] o multi: add curl_multi_get_offt [56] o multi: add CURLMOPT_NETWORK_CHANGED to signal network changed [84] o netrc: use the NETRC environment variable (first) if set [70] o smtp: allow suffix behind a mail address for RFC 3461 [127] o tls: make default TLS version be minimum 1.2 [71] o tool_getparam: add support for `--longopt=value` [69] o vquic: drop msh3 [8] o websocket: support CURLOPT_READFUNCTION [193] o writeout: add %time{} [74] bugfixes: o _PROTOCOLS.md: mention file:// is only for absolute paths [102] o acinclude: --with-ca-fallback only works with OpenSSL [217] o alpn: query filter [104] o ares: destroy channel on shutdown [178] o ares: use `ares_strerror()` to retrieve error messages [236] o asyn-thrdd: fix --disable-socketpair builds [235] o asyn-thrdd: fix Curl_async_pollset without socketpair [205] o asyn-thrdd: fix no `HAVE_GETADDRINFO` builds [214] o asyn-thrdd: manage DEFERRED and locks better [228] o autotools: make curl-config executable [253] o aws-lc: do not use large buffer [250] o BINDINGS.md: add LibQurl [156] o bufq: add integer overflow checks before chunk allocations [108] o bufq: removed "Useless Assignment" [188] o bufq: simplify condition [207] o build: allow libtests/clients to use libcurl dependencies directly [87] o build: disable `TCP_NODELAY` for emscripten [176] o build: enable _GNU_SOURCE on GNU/Hurd [27] o build: extend GNU C guards to clang where applicable, fix fallouts [61] o build: fix build errors/warnings in rare configurations [7] o build: fix disable-verbose [48] o build: fix mingw-w64 version guard for mingw32ce [124] o build: if no perl, fix to use the pre-built hugehelp, if present [144] o build: link to Apple frameworks required by static wolfSSL [40] o build: support LibreSSL native crypto lib with ngtcp2 1.15.0+ [209] o build: tidy up compiler definition for tests [37] o cf-https-connect: delete unused declaration [15] o clang-tidy: disable `clang-analyzer-security.ArrayBound` [265] o cmake: `CURL_CA_FALLBACK` only works with OpenSSL [215] o cmake: capitalize 'Rustls' in the config summary o cmake: defer building `unitprotos.h` till a test target needs it [75] o cmake: define `WIN32_LEAN_AND_MEAN` for examples [159] o cmake: drop redundant unity mode for `curlinfo` [155] o cmake: enable `-Wall` for MSVC 1944 [128] o cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix o cmake: fix setting LTO properties on the wrong targets [258] o cmake: fix to disable Schannel and SSPI for non-Windows targets o cmake: fix to restrict `SystemConfiguration` to macOS [139] o cmake: honor `CMAKE_C_FLAGS` in test 1119 and 1167 [206] o cmake: improve error message for invalid HTTP/3 MultiSSL configs [187] o cmake: keep websockets disabled if HTTP is disabled o cmake: make `runtests` targets build the curl tool [32] o cmake: make the ExternalProject test work [183] o cmake: omit linking duplicate/unnecessary libs to tests & examples [45] o cmake: re-add simple test target, and name it `tests` [142] o cmake: set `CURL_DIRSUFFIX` automatically in multi-config builds [154] o CODE_STYLE: sync with recent `checksrc.pl` updates [49] o config-win32.h: do not use winsock2 `inet_ntop()`/`inet_pton()` [58] o configure: if no perl, disable unity and shell completion, related tidy ups [137] o configure: tidy up internal names in ngtcp2 ossl detection logic [212] o connectdata: remove primary+secondary ip_quadruple [126] o connection: terminate after goaway [62] o contrithanks: fix for BSD `sed` tool [98] o cookie: don't treat the leading slash as trailing [185] o cookie: remove expired cookies before listing [158] o curl-config: remove X prefix use [138] o curl/system.h: fix for GCC 3.3.x and older [38] o curl: make the URL indexes 64 bit [117] o curl: tool_read_cb fix of segfault [18] o curl_addrinfo: drop workaround for old-mingw [14] o curl_easy_ssls_export: make the example more clear [78] o curl_fnmatch, servers: drop local macros in favour of `sizeof()` [21] o curl_mime_data_cb.md: mention what datasize is for [107] o curl_ossl: extend callback table for nghttp3 1.11.0 [46] o curl_setup.h: include `stdint.h` earlier [260] o curl_setup.h: move UWP detection after `config-win32.h` (revert) [51] o curl_setup.h: move UWP detection after `config-win32.h` [23] o CURLINFO_FILETIME*.md: correct the examples [242] o CURLOPT: bump `CURL_REDIR_*` macros to `long` [110] o CURLOPT: bump `CURL_SSLVERSION_*` macros to `long` [149] o CURLOPT: bump `CURLALTSVC_*` macros to `long` [96] o CURLOPT: bump `CURLFTP*` enums to `long`, drop casts [54] o CURLOPT: bump `CURLHEADER_*` macros to `long`, drop casts [94] o CURLOPT: bump `CURLPROTO_*` macros to `long` [148] o CURLOPT: bump `CURLPROXY_*` enums to `long`, drop casts [95] o CURLOPT: bump `CURLWS_NOAUTOPONG`, `CURLWS_RAW_MODE` macros to `long` [150] o CURLOPT: bump remaining macros to `long` [147] o CURLOPT: drop redundant `long` casts [55] o CURLOPT: replace `(long)` cast with `L` suffix for `CURLHSTS_*` macros o CURLOPT_HTTP_VERSION: mention new default value [179] o CURLOPT_SSL_CTX_*: replace the base64 with XXXX [171] o delta: fix warnings, fix for non-GNU `date` tool [99] o DEPRECATE.md: drop old OpenSSL versions [266] o DEPRECATE.md: drop support for c-ares versions before 1.16.0 [191] o DEPRECATE.md: drop support for Windows XP/2003 [31] o DEPRECATE.md: remove leftover "nothing" [57] o DISTROS.md: add Haiku [39] o docs/cmdline-opts: the auth types are not mutually exclusive [103] o docs: add CURLOPT type change history, drop casts where present [143] o docs: add major incident section to vuln disclosure policy [271] o docs: fix link CONTRIBUTE.md link [192] o docs: fix name in curl_easy_ssls_export man page [12] o docs: fix typo (staring -> starting) [211] o docs: point two broken links to archive.org [134] o docs: put `<>` within backticks in titles [261] o doh: rename symbols to avoid collision with mingw-w64 headers [66] o easy handle: check validity on external calls [28] o examples: drop long cast for `CURLALTSVC_*` o examples: make `CURLPIPE_MULTIPLEX` fallback `long` [233] o examples: remove base64 encoded chunks from examples [189] o examples: remove href_extractor.c [186] o ftp: store dir components as start+len instead of memdup'ing [198] o ftp: use 'conn' instead of 'data->conn' [208] o gnutls: fix building with older supported GnuTLS versions [241] o gnutls: some small cleanups [41] o hmac: return error if init fails [2] o hostip: do DNS cache pruning in milliseconds [132] o HTTP3.md: avoid `configure` issue for ngtcp2 1.14.0+ compatibility [182] o http: const up readonly H2_NON_FIELD [10] o http: do the cookie list access under lock [270] o http: silence `-Warray-bounds` with gcc 13+ [44] o idn: reject conversions that end up as a zero length hostname [273] o inet_pton, inet_ntop: drop declarations when unused [59] o lib1560: fix memory leak when run without UTF-8 support [17] o lib1560: replace an `int` with `bool` [97] o lib2700: use `testnum` [151] o lib517: use `LL` 64-bit literals & re-enable a test case (`time_t`) [100] o lib: drop `UNUSED_PARAM` macro [259] o libcurl: reset rewind flag in curl_easy_reset() [184] o libssh: Use sftp_aio instead of sftp_async for sftp_recv [92] o libtests: update format strings to avoid casts, drop some macros [109] o libtests: use `FMT_SOCKET_T`, drop more casts [136] o managen: reset text mode at end of table marker [145] o mbedtls: check for feature macros instead of version [166] o mdlinkcheck: handle links with a leading slash properly [195] o memanalyze: fix warnings [22] o memory: make function overrides work reliably in unity builds [93] o multi event: remove only announced [25] o multi: don't insert a node into the splay tree twice [68] o multi: fix assert in multi_getsock() [53] o multi: fix bad splay management [133] o multi: process pending, one by one [90] o multi: replace remaining EXPIRE_RUN_NOW [67] o multissl: initialize when requesting a random number [30] o ngtcp2: extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0 [47] o ngtcp2: handshake timeout should be equal to --connect-timeout [262] o ngtcp2: use custom mem funcs [204] o openldap: fix `-Wtentative-definition-compat` [268] o openssl: add and use `HAVE_BORINGSSL_LIKE` internal macro [222] o openssl: add and use `HAVE_OPENSSL3` internal macro [223] o openssl: assume `OPENSSL_VERSION_NUMBER` [181] o openssl: auto-pause on verify callback retry [167] o openssl: check SSL_write() length on retries [152] o openssl: clear errors after a failed `d2i_X509()` [161] o openssl: drop more legacy cruft [224] o openssl: drop redundant `HAVE_OPENSSL_VERSION` macro [221] o openssl: drop redundant version check [246] o openssl: drop single-use interim macro `USE_OPENSSL_SRP` [201] o openssl: enable `HAVE_KEYLOG_CALLBACK` for AWS-LC [220] o openssl: merge two `#if` blocks [218] o openssl: output unescaped utf8 x509 issuer/subject DNs [169] o openssl: remove legacy cruft, document macro guards [231] o openssl: save and restore OpenSSL error queue in two functions [172] o openssl: some small cleanups [42] o openssl: split cert_stuff into smaller sub functions [72] o openssl: sync an AWS-LC guard with BoringSSL [199] o openssl: use `RSA_flags()` again with BoringSSL [219] o parallel-max: bump the max value to 65535 [86] o parsedate: make Curl_getdate_capped able to return epoch [229] o processhelp.pm: fix to use the correct null device on Windows [164] o processhelp.pm: use `Win32::Process*` perl modules if available [200] o projects: drop unused logic from `generate.bat` [157] o projects: fix Windows project 'clean' function [203] o pytest: add SOCKS tests and scoring [9] o pytest: fix test_17_09_ssl_min_max for BoringSSL [197] o pytest: increase server KeepAliveTimeout [26] o pytest: relax error check on test_07_22 [16] o resolving: dns error tracing [196] o runtests: assume `Time::HiRes`, drop Perl Win32 dependency [163] o runtests: remove warning message [230] o runtests: replace `--ci` with `--buidinfo`, show OS/Perl version again [247] o runtests: show still running tests when nothing has happened for a while [227] o schannel: add an error message for client cert not found [165] o schannel: assume `CERT_CHAIN_REVOCATION_CHECK_CHAIN` [114] o schannel: drop fallbacks for 4 macros [121] o schannel: drop fallbacks for unused `BCRYPT_*` macros [122] o schannel: drop old-mingw special case [77] o schannel: fix recent update for mingw32ce [123] o schannel: fix renegotiation [202] o schannel: improve handshake procedure [239] o schannel: not supported with UWP, drop redundant code [105] o schannel: use if(result) like the code style says [125] o scripts: enable strict warnings in Perl where missing, fix fallouts [63] o scripts: fix two Perl uninitialized value warnings [60] o sendf: getting less data than "max allowed" is okay [170] o servers: convert two macros to scoped static const strings [89] o setopt: refactor out the booleans from setopt_long to setopt_bool [83] o setopt: split out cookielist() and cookiefile() [130] o socks: do_SOCKS5: Fix invalid buffer content on short send [43] o socks_sspi: simplify, clean up Curl_SOCKS5_gssapi_negotiate [237] o spacecheck.pl: when detecting unicode, mention line number [85] o spacecheck: warn for 3+ empty lines in a row, fix fallouts [240] o spelling: file system [232] o test1148: drop redundant `LC_NUMBER=` env setting [13] o test1557: pass `long` type to `multi_setopt()` [234] o test1560: set locale/codeset with `LC_ALL` (was: `LANG`), test in CI [19] o test1560: skip some URLs if UTF-8 is not supported [34] o test1: raise alloc limits [11] o test428: re-enable for Windows [5] o test436: fix running on Windows with `_curlrc` present [153] o test: add `cygwin` feature and use it (test 1056, 1517) [249] o tests/ech_tests.sh: indent, if/for style, inline ifs [131] o tests: constify command-line arguments [82] o tests: delete unused commands [177] o tests: drop unused `BLANK` envs, unset `CURL_NOT_SET` [248] o tests: drop unused `CURL_FORCEHOST` envs [36] o tests: fix perl warnings in http2-server, http3-server [119] o tests: fix prechecks to call the bundle libtest tool [120] o tests: fix UTF-8 detection, per-test `LC_*` settings, CI coverage [6] o tests: merge clients into libtests, drop duplicate code [76] o tests: remove the QUIT filters [210] o tests: set `CURL_ENTROPY` per test, not globally [35] o tests: unset some envs instead of blanking them [4] o threaded-resolver: fix shutdown [252] o tidy-up: `Curl_thread_create()` callback return type [20] o tidy-up: move literal to the right side of comparisons [65] o tidy-up: prefer `ifdef`/`ifndef` for single checks [64] o tls: CURLINFO_TLS_SSL_PTR testing [79] o TODO: remove session export item [194] o TODO: remove the expand ~ idea [216] o tool_cb_wrt: stop alloc/free for every chunk windows console output [140] o tool_filetime: accept setting negative filetime [256] o tool_getparam: let --trace-config override -v [238] o tool_getparam: warn on more unicode prefixes [275] o tool_operate: avoid superfluous strdup'ing output [1] o tool_operate: use stricter curl_multi_setopt() arguments [225] o tool_operate: use the correct config pointer [115] o tool_paramhlp: fix secs2ms() [116] o tool_parsecfg: use dynbuf for quoted arguments [162] o tool_urlglob: add integer overflow protection [244] o tool_urlglob: polish, cleanups, improvements [141] o typecheck-gcc: add type checks for curl_multi_setopt() [226] o unit-tests: build the unitprotos.h from here [73] o unit2604: avoid `UNCONST()` [135] o URL-SYNTAX.md: drop link to codepoints.net to pass linkcheck [190] o urlapi: allow more path characters "raw" when asked to URL encode [146] o urldata: reduce two long struct fields to unsigned short [174] o urlglob: only accept 255 globs o vquic-tls: fix SSL backend type for QUIC connections using gnutls [29] o vquic: replace assert [254] o vquic: use curl_getenv [168] o vtls: set seen http version on successful ALPN [160] o websocket example: cast print values to unsigned int [251] o websocket: handling of PONG frames [213] o websocket: improve handling of 0-len frames [269] o websocket: reset upload_done when sending data [245] o windows: assume `ADDRESS_FAMILY`, drop feature checks [88] o windows: document toolchain support for `CERT_NAME_SEARCH_ALL_NAMES_FLAG` o windows: document toolchain support for some macros (cont.) [111] o windows: document toolchain support for some macros [113] o windows: drop `CRYPT_E_*` macro fallbacks, limit one to mingw32ce [118] o windows: drop two interim, single-use macros [106] o windows: drop unused `curlx/version_win32.h` includes [52] o windows: fix `if_nametoindex()` detection with autotools, improve with cmake [24] o windows: include `wincrypt.h` before `iphlpapi.h` for mingw-w64 <6 [50] o windows: target version macro tidy-ups [3] o wolfssl: rename ML-KEM hybrids to match IETF draft [173] o write-out.md: header_json is not included the json object [243] o ws: avoid NULL pointer deref in curl_ws_recv [91] o ws: get a new mask for each new outgoing frame [255] Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 87d7fa42e36d11e0f3c9920abb41db7740b849db Merge: bed0f29da d6ec7e0bf Author: Michael Tremer Date: Mon Sep 15 10:20:35 2025 +0000 Merge branch 'master' into next commit d6ec7e0bf08a00c734c9e7b5f7c517ef82029afe Author: Michael Tremer Date: Mon Sep 15 12:17:01 2025 +0200 ovpnmain.cgi: Never write ncp-disable This was some compatibility code which was supposed to help us with the transition towards NCP. Since we are now on OpenVPN 2.6, this version no longer supports the "ncp-disable" switch and we cannot write it to the configuration any more. There should always be a default value for data ciphers. Signed-off-by: Michael Tremer commit bed0f29daf89b5813137d6e4b0656f690ae392c5 Author: Adolf Belka Date: Mon Sep 15 10:56:40 2025 +0200 python3-pyparsing: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 3825dec163eabb70af464c01f22bb6cd05d76dbb Author: Adolf Belka Date: Mon Sep 15 10:56:39 2025 +0200 python3-packaging: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit ee729f2470de5c2fdf8aa6ad9c45ca91afd7b191 Author: Adolf Belka Date: Mon Sep 15 10:56:38 2025 +0200 python3-setuptools-rust: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit f5f2c430575e22c53788884b82f5d77c3c9144f8 Author: Adolf Belka Date: Mon Sep 15 10:56:37 2025 +0200 python3-setuptools: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 5982c84b3f26a5bd42adbb7a6c66a5525ec3dda6 Author: Adolf Belka Date: Mon Sep 15 10:56:36 2025 +0200 python3-MarkupSafe: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 123c1fa3247a876ce26d41b7a01061af24dfc6e0 Author: Adolf Belka Date: Mon Sep 15 10:56:35 2025 +0200 python3-Jinja2: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit e153297eccc92042633f5af85c641726fc053d34 Author: Adolf Belka Date: Mon Sep 15 10:56:34 2025 +0200 make.sh: Move setuptools module earlier in install order - The installed version of setuptools had to be moved earlier for a couple of other python modules that needed setuptools in place to build. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 35dbd453bf6844ba177849bd6bbf3b00f846aab5 Author: Adolf Belka Date: Mon Sep 15 10:56:33 2025 +0200 python3: Remove bundled setuptools - python3-pillow was finding the bundled setuptools version 63.2.0 and not the installed version of 80.9.0 and the bundled version failed the pillow requirement of >=77 - The bundled version install can not be disabled so this patch removes all the setuptools directories at the end of the python3 install so that only the IPFire installed version of setuptools will be available. - This resolved the problem of python3-pillow failing to build - The bundled setuptools has been removed in python-3.12 so when that version is released in IPFire the removal lines added in this patch will be able to be removed. - The removal of the bundled version of setuptools also caused changes in the rootfiles of 6 other python modules, so it looks like those were also building with the older bundled version but had no version requirement failure. This patch set also includes the changed rootfiles for each of those packages. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 78194fc50a82f8284122bf4c83cae51ffb25b9e1 Author: Michael Tremer Date: Sun Sep 14 13:39:32 2025 +0000 suricata-reporter: Update to 0.3 Signed-off-by: Michael Tremer commit d0d9a5d17f6f050958bf4f69b173fc24c476c5ba Merge: f0a4f19ca 0088442c5 Author: Michael Tremer Date: Sun Sep 14 10:39:50 2025 +0000 Merge branch 'master' into next commit 0088442c56e8a623c25d1a93940eabd29e4d430b Author: Adolf Belka Date: Mon Sep 8 14:59:38 2025 +0200 backup.pl: Update the RW entry in collectd.vpn if restoring old backup Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 211d81f8e20ab9c41b99933239f402e0afafcc0d Author: Adolf Belka Date: Mon Sep 8 14:59:37 2025 +0200 update.sh: Update collectd.vpn to the new RW log file name Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit f0a4f19ca13c6faaa4f446eb085e801473eb5d88 Merge: fbe50152d 54944268e Author: Michael Tremer Date: Sun Sep 14 10:21:17 2025 +0000 Merge branch 'master' into next commit 54944268e729c8939a49a3e9536f5ad85ce9c2b8 Author: Michael Tremer Date: Sun Sep 14 12:19:00 2025 +0200 ovpnmain.cgi: Fix reading the legacy routes file Signed-off-by: Michael Tremer commit 771afe5726c4faef8efeea7e569b7537ed78c9aa Author: Michael Tremer Date: Sun Sep 14 12:08:58 2025 +0200 ovpnmain.cgi: Add the option for the firewall to reach OpenVPN clients Signed-off-by: Michael Tremer commit 6b486bac32699ba9d7f8abc5a4201e5a8a4fec41 Author: Michael Tremer Date: Sun Sep 14 12:01:34 2025 +0200 ovpnmain.cgi: Manually push a different gateway for static pools This is because in "topology subnet", ifconfig-push is massively broken. The client is not able to configure any routes correctly by pointing them to the interface. Instead it is trying to use the gateway address from the dynamic pool as gateway which cannot be reached if the client only has an IP address from another subnet. Pushing host routes is not supported, so we have to create a hack here and pretend that there is a gateway in the static pool somewhere. Signed-off-by: Michael Tremer commit fbe50152d997049cdcdb71b38baf989c5a119a1a Author: Matthias Fischer Date: Sat Sep 13 14:53:48 2025 +0200 bind: Update ot 9.20.13 For details see: https://downloads.isc.org/isc/bind9/9.20.13/doc/arm/html/notes.html#notes-for-bind-9-20-13 "Notes for BIND 9.20.13 New Features Add a new option manual-mode to dnssec-policy. When enabled, named will not modify DNSSEC keys or key states automatically. The proposed change will be logged and only after manual confirmation with rndc dnssec -step will the modification be made. [GL #4606] Add a new option servfail-until-ready to response-policy zones. By default, when named is started, it starts answering queries before all response policy zones are completely loaded and processed. This new option instructs named to respond with SERVFAIL until all the response policy zones are processed and ready. Note that if one or more response policy zones fail to load, named starts responding to queries according to those zones that did load. Note, that enabling this option has no effect when a DNS Response Policy Service (DNSRPS) interface is used. [GL #5222] Support for parsing HHIT and BRID records has been added. [GL #5444] Removed Features Deprecate the tkey-gssapi-credential statement. The tkey-gssapi-keytab statement allows GSS-TSIG to be set up in a simpler and more reliable way than using the tkey-gssapi-credential statement and setting environment variables (e.g. KRB5_KTNAME). Therefore, the tkey-gssapi-credential statement has been deprecated; tkey-gssapi-keytab should be used instead. For configurations currently using a combination of both tkey-gssapi-keytab and tkey-gssapi-credential, the latter should be dropped and the keytab pointed to by tkey-gssapi-keytab should now only contain the credential previously specified by tkey-gssapi-credential. [GL #4204] Obsolete the “tkey-domain” statement. Mark the tkey-domain statement as obsolete because it has not had any effect on server behavior since support for TKEY Mode 2 (Diffie-Hellman) was removed (in BIND 9.20.0). [GL #4204] Bug Fixes Prevent spurious SERVFAILs for certain 0-TTL resource records. Under certain circumstances, BIND 9 can return SERVFAIL when updating existing entries in the cache with new NS, A, AAAA, or DS records that have a TTL of zero. [GL #5294] Fix unexpected termination if catalog-zones had undefined default-primaries. The issue manifested only if the server was reloaded or reconfigured twice. [GL #5494]" Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit cb010e23da05a5acd966265fd2daca9736db734b Merge: 630920eb3 9887048ac Author: Michael Tremer Date: Sat Sep 13 11:02:02 2025 +0000 Merge branch 'master' into next commit 630920eb33860ee1172b40527b152053460f6932 Author: Adolf Belka Date: Sat Sep 13 12:38:03 2025 +0200 tcl: Add note in lfs about tcl9 incompatibilities Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 9887048ac4cd5c52a27420ba936952a183129ddf Author: Adolf Belka Date: Fri Sep 12 22:29:34 2025 +0200 core197: Ship wio.cgi & wiovpn.pl files Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 762a6e27010f9e60ddbc7e0c64b2c1c50044abf4 Author: Adolf Belka Date: Fri Sep 12 22:29:33 2025 +0200 wiovpn.pl: Update openvpn rw log filename Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 134c5656e2650ebd49606e3cf637ebe8448e74ab Author: Adolf Belka Date: Fri Sep 12 22:29:32 2025 +0200 wio.cgi: Update openvpn rw log filename Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit ec7e2a750b815a85bec7f01ae192c0cd18a4f123 Author: Adolf Belka Date: Fri Sep 12 22:10:18 2025 +0200 lynis: Update to version 3.1.5 - Update from version 3.1.3 to 3.1.5 - Update of rootfile - Changelog 3.1.5 Added - Support for OpenWrt - Bitdefender detection on Linux - Detection of openSUSE Tumbleweed-Slowroll Changed - Corrected detection of service manager SMF - Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt - Check modules also under /usr/lib/modules.d 3.1.4 Changed - Update of translations: Portuguese - Add macOS Sequoia - Update of EOL database - Bugfix for using slashes in parameters (SafeInput function) - Simplified copyright line and meta data in files - Support for powerpc64le in authentication section - Don't show error "kadmin.local: unable to get default realm" Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit e4a850a05a96a67f8cfc8a729baea7ff8686b8cc Author: Adolf Belka Date: Fri Sep 12 22:08:14 2025 +0200 strace: Update to version 6.16 - Update from 6.12 to 6.16 - Update of rootfile not required - Changelog 6.16 * Improvements * Added -N/--arg-names option for printing syscall argument names. * Implemented setting of system call information using PTRACE_SET_SYSCALL_INFO ptrace API introduced in Linux 6.16. * Implemented decoding of SO_RCVPRIORITY and SO_PASSRIGHTS socket options. * Implemented decoding of RTA_NH_ID and RTA_FLOWLABEL netlink attributes. * Updated decoding of statx syscall. * Updated lists of BR_*, CRYPTOCFGA_*, FUTEX2_*, IORING_*, IPSET_*, KVM_*, MDB_*, NETDEV_*, PR_*, RXRPC_*, SW_*, THERMAL_*, and V4L2_* constants. * Updated lists of ioctl commands from Linux 6.16. 6.15 * Improvements * Implemented decoding of open_tree_attr syscall. * Implemented decoding of AF_TIPC socket addresses and socket options. * Updated decoding of statmount syscall. * Updated lists of AUDIT_*, BPF_*, BTRFS_*, COUNTER_*, FAN_*, FRA_*, IFLA_*, IORING_*, KVM_*, LANDLOCK_*, PKEY_*, RTPROT_*, TCP_*, and V4L2_* constants. * Updated lists of ioctl commands from Linux 6.15. 6.14 * Improvements * Added -e namespace=new option for printing the namespaces entered by the tracee. * Implemented decoding of FRA_FLOWLABEL and FRA_FLOWLABEL_MASK netlink attributes of RTM_{NEW,DEL,GET}RULE NETLINK_ROUTE messages. * Implemented decoding of RTM_{NEW,DEL}MULTICAST and RTM_{NEW,DEL}ANYCAST NETLINK_ROUTE messages. * Updated decoding of statx syscall. * Updated lists of AT_*, AUDIT_*, ETHTOOL_*, FAN_*, IORING_*, IPPROTO_*, KEY_*, NL80211_*, RWF_*, and SECBIT_* constants. * Updated lists of ioctl commands from Linux 6.14. 6.13 * Improvements * Implemented decoding of getxattrat, setxattrat, listxattrat, and removexattrat syscalls. * Updated decoding of struct io_uring_clone_buffers, struct io_uring_napi, and struct perf_event_attr. * Updated decoding of crypto_user_alg netlink attributes of NETLINK_CRYPTO. * Implemented decoding of IFLA_MCTP_PHYS_BINDING netlink attribute. * Updated lists of AT_*, BPF_*, FAN_*, IORING_*, MADV_*, NT_*, and SCM_* constants. * Updated lists of ioctl commands from Linux 6.13. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 459c83435673c8b3e730e1037b9a2366fdfc1832 Author: Adolf Belka Date: Fri Sep 12 22:08:13 2025 +0200 nginx: Update to version 1.29.1 - Update from version 1.26.2 to 1.29.1 - Update of rootfile not required - One CVE fix in 1.27.4, one CVE fix in 1.27.1, four CVE fixes in 1.27.0 - Changelog 1.29.1 *) Change: now TLSv1.3 certificate compression is disabled by default. *) Feature: the "ssl_certificate_compression" directive. *) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer. *) Bugfix: the 103 response might be buffered when using HTTP/2 and the "early_hints" directive. *) Bugfix: in handling "Host" and ":authority" header lines with equal values when using HTTP/2; the bug had appeared in 1.17.9. *) Bugfix: in handling "Host" header lines with a port when using HTTP/3. *) Bugfix: nginx could not be built on NetBSD 10.0. *) Bugfix: in the "none" parameter of the "smtp_auth" directive. 1.29.0 *) Feature: support for response code 103 from proxy and gRPC backends; the "early_hints" directive. *) Feature: loading of secret keys from hardware tokens with OpenSSL provider. *) Feature: support for the "so_keepalive" parameter of the "listen" directive on macOS. *) Change: the logging level of SSL errors in a QUIC handshake has been changed from "error" to "crit" for critical errors, and to "info" for the rest; the logging level of unsupported QUIC transport parameters has been lowered from "info" to "debug". *) Change: the native nginx/Windows binary release is now built using Windows SDK 10. *) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or ngx_http_v3_module modules were used. *) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto optimization if ngx_http_v3_module was used. *) Bugfixes and improvements in HTTP/3. 1.27.5 *) Feature: CUBIC congestion control in QUIC connections. *) Change: the maximum size limit for SSL sessions cached in shared memory has been raised to 8192. *) Bugfix: in the "grpc_ssl_password_file", "proxy_ssl_password_file", and "uwsgi_ssl_password_file" directives when loading SSL certificates and encrypted keys from variables; the bug had appeared in 1.23.1. *) Bugfix: in the $ssl_curve and $ssl_curves variables when using pluggable curves in OpenSSL. *) Bugfix: nginx could not be built with musl libc. Thanks to Piotr Sikora. *) Performance improvements and bugfixes in HTTP/3. 1.27.4 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache", "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and "uwsgi_ssl_certificate_cache" directives. *) Feature: the "keepalive_min_timeout" directive. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used. *) Bugfix: QUIC connection might not be established when using 0-RTT; the bug had appeared in 1.27.1. *) Bugfix: nginx now ignores QUIC version negotiation packets from clients. *) Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module. *) Bugfixes in HTTP/3. 1.27.3 *) Feature: the "server" directive in the "upstream" block supports the "resolve" parameter. *) Feature: the "resolver" and "resolver_timeout" directives in the "upstream" block. *) Feature: SmarterMail specific mode support for IMAP LOGIN with untagged CAPABILITY response in the mail proxy module. *) Change: now TLSv1 and TLSv1.1 protocols are disabled by default. *) Change: an IPv6 address in square brackets and no port can be specified in the "proxy_bind", "fastcgi_bind", "grpc_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as client address in ngx_http_realip_module. *) Bugfix: in the ngx_http_mp4_module. Thanks to Nils Bars. *) Bugfix: the "so_keepalive" parameter of the "listen" directive might be handled incorrectly on DragonFly BSD. *) Bugfix: in the "proxy_store" directive. 1.27.2 *) Feature: SSL certificates, secret keys, and CRLs are now cached on start or during reconfiguration. *) Feature: client certificate validation with OCSP in the stream module. *) Feature: OCSP stapling support in the stream module. *) Feature: the "proxy_pass_trailers" directive in the ngx_http_proxy_module. *) Feature: the "ssl_client_certificate" directive now supports certificates with auxiliary information. *) Change: now the "ssl_client_certificate" directive is not required for client SSL certificates verification. 1.27.1 *) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module might cause a worker process crash (CVE-2024-7347). Thanks to Nils Bars. *) Change: now the stream module handler is not mandatory. *) Bugfix: new HTTP/2 connections might ignore graceful shutdown of old worker processes. Thanks to Kasei Wang. *) Bugfixes in HTTP/3. 1.27.0 *) Security: when using HTTP/3, processing of a specially crafted QUIC session might cause a worker process crash, worker process memory disclosure on systems with MTU larger than 4096 bytes, or might have potential other impact (CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161). Thanks to Nils Bars of CISPA. *) Feature: variables support in the "proxy_limit_rate", "fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate" directives. *) Bugfix: reduced memory consumption for long-lived requests if "gzip", "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used. *) Bugfix: nginx could not be built by gcc 14 if the --with-libatomic option was used. Thanks to Edgar Bonet. *) Bugfixes in HTTP/3. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 5f46ad85918fd552529270504ad0941cc6a7a153 Author: Adolf Belka Date: Fri Sep 12 22:08:12 2025 +0200 mympd: Update to version 22.0.4 - Update from version 21.0.1 to 22.0.4 - Update of rootfile not required - Changelog 22.0.4 - Upd: Restrict sticker names (forbid equal sign) - Fix: Really shuffle the playlist #1455 - Fix: Relax search expression validation #1455 - Fix: Alpine packaging - Fix: Detection of local playback features #1452 22.0.3 - Upd: Create cache und workdir in init script - Upd: Feature detection for local playback output selection #1452 22.0.2 - Fix: MYMPD_API_JUKEBOX_RESTART requires MPD connection #1448 22.0.1 - Fix: Respect backgroundImage setting #1446 - Fix: Alpine packaging 22.0.0 Notes - This release enables certificate checking for outgoing https connections. The system CA cert store should be autodetected, open an issue if it fails. - The startup process of myMPD was reworked. myMPD no longer drops privileges, the included startup scripts are using now the init system to do this. - The default listening ports are now 8080 for HTTP and 8443 for HTTPS. API changes - MYMPD_API_SCRIPT_VERIFY_SIG: new - MYMPD_API_HOME_WIDGET_IFRAME_SAVE: new - MYMPD_API_HOME_WIDGET_SCRIPT_SAVE: new - MYMPD_API_HOME_WIDGET_SAVE: removed Scripting changes - Feat: `mympd.tblvalue_in_list()` - Checks a Lua table of tags against a comma separated list. - Upd: Executing external scripts is now disabled by default. Changelog - Feat: iFrames for home screen #1429 - Feat: Feat: Add custom css and js #1428 - Feat: Use system provided ca store for ssl certificate checking #1427 - Feat: Sign and verify scripts from mympd-scripts repository #1426 - Feat: Add trigger `mympd_playlistart`, `mympd_folderart` - Feat: Sort list of timers and triggers #1425 - Feat: Allow changing output device with local playback #1434 - Upd: Improve "Edit Script"-Layout - Upd: Bootstrap v5.3.7 - Upd: Mongoose 7.18 - Upd: libmympdclient 1.0.34 (libmpdclient 2.24.0) - Upd: Incbin - Upd: Replaced mjson with mongoose implementation - Fix: Improve MPD search expression validation #1435 Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 78c7800d13de161e9ddd852a4759696d0d960d1d Author: Adolf Belka Date: Fri Sep 12 22:08:11 2025 +0200 mtr: Update to version 0.96 - Update from version 0.95 to 0.96 - Update of rootfile not required - Changelog 0.96 Merge branch 'traviscross:master' into master Change UDP and ICMP sockets binding to accept a source IP from the -a CLI option Adjust MIN_PORT to match other implementations Handle EHOSTDOWN and refine error handling better granularity add braille graph support with --displaymode 3 fix legend for braille display fix documentation/comment for ENABLE_BRAILLE use addrs for static host ordering in curses add --max-display-paths option Add a compact mode in curses mtr.8.in: spell --mark argument type properly Fix tiny typo in target Implement ASN lookups in well-known nat64 prefix net: implement addrcmp for AF_UNSPEC Initialize lines to empty string in split mode Add error code ETIMEOUT(110) handle logic fixed the sizes passed into snprintf Allow signed integers in the utils function Split the strtonum function into two parts to create a better structure Remove redundant code Fix https://github.com/traviscross/mtr/issues/475 xml report: remove leading spaces Set UTF-8 encoding for XML reports Update Cygwin ICMP service thread for asynchronous pipes Prevent icmp_socket leak on error Markus pointed out useless statement. merged Merge branch 'master' of github.com:traviscross/mtr Fixed typo noted by @szczot3k Changed how conflicitng first/max TTL works. Increased max probes Added protection against use of MTR_PACKET under special circumstances Merge branch 'master' of github.com:traviscross/mtr Added Arad Cohen to NEWS Set SO_BINDTODEVICE for -I Check if SO_BINDTODEVICE is defined ui: make interactive and non-interactive exit code the same Add WSL method to Windows Install Add Ubuntu as specific distribution Update section title Github actions added to perform lint and compile configure.ac: fix broken cap check Add option to use custom ipinfo provider Fix Capability Management, Retain CAP_NET_ADMIN Fix interface binding by retaining CAP_NET_RAW Linux-Only Interface, Marking, and IP Unit Tests Annotate `set_privileged_socket_opt` with UNUSED Drop capabilities when `setsockopt` errors Fix flake8 linting Change B101->S101 to reflect flake8 Use a uint32 for the type of a Linux mark Use Packet Marking for IP Address Selection Support Hexadecimal Arguments for Packet Marking ipv6 udp checksums like ipv4 but with ipv6 pseudoheader fix typo Merge branch 'master' into compact-layout Add help info for option -E Brought an unlikely privilege escalation scenario to my attention. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 8729e18bcd673bc167cac12a48ac55787389cfc3 Author: Adolf Belka Date: Fri Sep 12 22:08:10 2025 +0200 libogg: Update to version 1.3.6 - Update from version 1.3.5 to 1.3.6 - Update of rootfile - Changelog 1.3.6 * Update minimum cmake version to 3.6 This fixes incompatibility with cmake >= 4.0 * Fix UBsan issues * Improve allocation failure handling * Fix various compiler warnings * Fix various autotool warnings * Improve continuous integration testing scripts Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer