commit cc67c087c843438b5402c9443fb471d3faa60d98 Author: Adolf Belka Date: Wed Sep 17 13:09:40 2025 +0200 nfs: Update to version 2.8.4 - Update from version 2.8.3 to 2.8.4 - Update of rootfile not required - Changelog is just a list of the commits. The details can be found in the changelog at https://sourceforge.net/projects/nfs/files/nfs-utils/2.8.4/ Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 86aeb7aa208dd2cd303c3b6f496ad9df00413786 Author: Adolf Belka Date: Wed Sep 17 13:09:34 2025 +0200 core198: Ship lzip Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 725ef361d21b56c2943b61dc3fdb522f9286f968 Author: Adolf Belka Date: Wed Sep 17 13:09:39 2025 +0200 lzip: Update to version 1.25 - Update from version 1.24.1 to 1.25 - Update of rootfile not required - Changelog 1.25 lzip now exits with error status 2 if any empty member is found in a multimember file. lzip now exits with error status 2 if the first byte of the LZMA stream is not 0. Options '--empty-error' and '--marking-error' have been removed. The chapter 'Syntax of command-line arguments' has been added to the manual. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 020d01e9adb87fcbd19b71b90c278f9727f31178 Author: Adolf Belka Date: Wed Sep 17 13:09:38 2025 +0200 libvirt: Update to version 11.7.0 - Update from version 11.4.0 to 11.7.0 - Update of rootfile - Changelog 11.7.0 New features * Allow setting the log level of Cloud Hypervisor Users can now configure the verbosity of Cloud Hypervisor by setting the "log_level" option in ch.conf * bhyve: experimental NAT networking support The bhyve driver now has experimental NAT networking support using the Packet Filter (pf) firewall. * bhyve: domain statistics reporting The bhyve driver now supports querying domain block, interface, and memory statistics. Not all statistics fields are supported though. Improvements * bhyve: improve 'efi' configuration autofill When a domain is configured with ````, NVRAM configuration is now autofilled. 11.6.0 New features * Introduce VIR_CONNECT_BASELINE_CPU_IGNORE_HOST flag This new flag for virConnectBaselineHypervisorCPU can be used for computing a baseline CPU on any host. Without the VIR_CONNECT_BASELINE_CPU_IGNORE_HOST flag the baseline API would return reasonable output only when run on one of the hosts that the input CPU definitions were collected from. * Allow control over QEMU TLS priority strings The qemu.conf file now has multiple settings allowing control over the QEMU TLS priority strings, for the different subsystems in QEMU that can support TLS. This can be used to workaround a current bug in GNUTLS that is liable to cause crashes of the source QEMU when performing long running live migration operations with TLS enabled. * Add support for disabling deprecated CPU model features by default for s390 domains. Starting an s390 domain with host-model will now default to setting the ``deprecated_features`` attribute to ``off``, ensuring the domain starts with a migration-compatible CPU model to newer systems. This behavior can be modified by setting the ``default_cpu_deprecated_features`` option in the qemu.conf file. * bhyve: Add TCP console support TCP serial devices can now be configured with ````:: Additionally, number of supported consoles increased to 4. * qemu: Add support for RBD namespaces Allow specifying the 'namespace' within a RBD image pool. Improvements * qemu: Change default SCSI controller model to ``virtio-scsi`` for ARM and RISC-V The previous default of ``lsilogic`` is unsupported by modern operating systems. ``virtio-scsi`` is a more suitable default for ARM and RISC-V ``virt`` machine types. * Clarify documentation of virConnectBaselineHypervisorCPU The documentation makes it clear virConnectBaselineHypervisorCPU is supposed to be called on one of the hosts represented in the input CPU definitions. Otherwise the API will give unexpected results. * Allow specifying zero discard granularity for block devices This can be used to tell some guest operating systems (notably Windows) to not trim the disk. * bhyve: Add timeout handling for bhyveload It is now possible to run ``bhyveload`` with the ``timeout`` tool, which can send ``SIGTERM`` and ``SIGKILL`` signals when timeout is reached. Timeout values are set using the ``bhyveload_timeout`` and ``bhyveload_timeout_kill`` configuration options in ``bhyve.conf``. * nss: Improve debugging Debugging messages from NSS modules can be now enabled by setting the ``LIBVIRT_NSS_DEBUG`` environment variable. So far, there is no special meaning to its value. * rpc: Removed requirement for TLS certificates to support 'key encipherment' With TLS 1.3, key encipherment is not required even for RSA keys. Other key types didn't even support it so they were wrongly refused even in cases when they would work with libvirt. The TLS certificate validation now no longer requires 'key encipherment' to be enabled. Bug fixes * bhyve: Fix resetting of the autostart flag of the domain on destroy. * The nwfilter driver no longer recreates the base iptable/ip6tables chains The nwfilter driver had a impl mistake causing it to recreate the base chains for iptables/ip6tables every time a VM was started. This allowed a small window where traffic might not be fully filtered. It now handles iptables/ip6tables the same way as ebtables, creating the base chains only if they did not already exist. * Fix systemd unit ordering for auto-shutdown of domains via the daemon The ordering of systemd units created by libvirt for individual machines needed to be adapted when the shutdown of VMs on host shutdown is done via the virt daemon itself (rather than ``libvirt-guests.service``) to ensure that the VMs are not terminated before the virt daemon can deal with them. 11.5.0 Removed features * qemu: Don't accept VIR_DUMP_LIVE flag in virDomainCoreDumpWithFormat() Unfortunately, QEMU always pauses vCPUs when doing a core dump. Therefore, there is no way for Libvirt to honor VIR_DUMP_LIVE flag semantics. Instead of silently pretending the flag works, an appropriate error is now reported. New features * vmx: Add support for reporting NVMe disks in the domain XML * qemu: Add support for NVMe disks NVMe disks can now be emulated by using an ``nvme`` bus, but require a serial due to the hypervisor:: qwertyuiop Multiple disks can be represented as different namespaces on the same controller, but they cannot have a different serial number due to the fact that it is the controller which ultimately has the serial number attached to it, but for ease of use it is automatically copied from the disk serial. * esx: Add support for specifying alternative CA bundle for remote peer verification. Users can now use ``cacert`` parameter in the URI to specify a file path with CA certificate(s) that will be used for remote peer certificate validation. * qemu: add support for AMD IOMMU device The ``amd`` model for the ```` device is now supported. New attributes ``passtrhough`` and ``xtsup`` are also supported for this model. Improvements * Include supported console types in domain capabilities Domain capabilities now include information about supported console types, such as:: pty tcp * virsh: Add waiting for domain state via ``virsh await`` The new helper command ``virsh await`` simplifies waiting on domain state which is normally announced via events. Currently two waiting conditions are implemented: ``domain-inactive``, and ``guest-agent-available``. Bug fixes * qemu: Be more forgiving when acquiring QUERY job when formatting domain XML Since ``libvirt-11.0.0`` the ``virDomainGetXMLDesc()`` API used to format domain XML acquires QUERY job. But this caused a regression when the API might timeout for incoming migration. This is now fixed. * qemu: Fix shared filesystem detection on nonexistent paths Since ``libvirt-11.1.0`` nonexistent paths within directories marked as shared filesystem (via the ``shared_filesystems`` option in ``qemu.conf`` would not be properly detected as being on a shared filesystem. * qemu: Properly emulate USB cdrom device CD-ROM devices on USB bus are now properly emulated as such which was not the case since libvirt switched to the modern qemu commandline syntax for storage backends. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 94ae888ff8756f32de33b446c4d597d21ff13156 Author: Adolf Belka Date: Wed Sep 17 13:09:33 2025 +0200 core198: Ship less Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 6f6fd5bec198071d3a89118a5315361a54058ab1 Author: Adolf Belka Date: Wed Sep 17 13:09:37 2025 +0200 less: Update to version 679 - Update from version 678 to 679 - Update of rootfile not required - Changelog 679 Fix bad parsing of lesskey file an env var is a prefix of another env var (github #626). Fix unexpected exit using -K if a key press is received while reading the input file (github #628). Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 7adb7c43b8b4ab7b79879f1fd181b897526fe653 Author: Adolf Belka Date: Wed Sep 17 13:09:32 2025 +0200 core198: Ship expat Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 59b4901d426b0f8f3747712d3f52002149822e86 Author: Adolf Belka Date: Wed Sep 17 13:09:36 2025 +0200 expat: Update to version 2.7.2 - Update from version 2.7.1 to 2.7.2 - Update of rootfile - CVE fix - Changelog 2.7.2 Security fixes: CVE-2025-59375 -- Disallow use of disproportional amounts of dynamic memory from within an Expat parser (e.g. previously a ~250 KiB sized document was able to cause allocation of ~800 MiB from the heap, i.e. an "amplification" of factor ~3,300); once a threshold (that defaults to 64 MiB) is reached, a maximum amplification factor (that defaults to 100.0) is enforced, and violating documents are rejected with an out-of-memory error. There are two new API functions to fine-tune this new behavior: - XML_SetAllocTrackerActivationThreshold - XML_SetAllocTrackerMaximumAmplification . If you ever need to increase these defaults for non-attack XML payload, please file a bug report with libexpat. There is also a new environment variable EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity of allocations debugging at runtime, disabled by default. Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. Distributors intending to backport (or cherry-pick) the fix need to copy 99% of the related pull request, not just the "lib: Implement tracking of dynamic memory allocations" commit, to not end up with a state that literally does both too much and too little at the same time. Appending ".diff" to the pull request URL could be of help. Other changes: Autotools: Sync CMake templates with CMake 3.31 for macOS CMake: Drop support for CMake <3.15 CMake: Fix off_t detection for -Werror CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON Windows: Drop support for Visual Studio <=16.0/2019 xmlwf: Mention supported environment variables in --help output xmlwf: Fix (internal) help generator docs: Promote the contract to call function XML_FreeContentModel when registering a custom element declaration handler (via a call to function XML_SetElementDeclHandler) docs: Add missing

..

wrap docs: Drop AppVeyor badge tests: Fix portable_strndup Drop casts around malloc/free/realloc that C99 does not need Replace empty for-loops with while loops Add const with internal XmlInitUnknownEncodingNS Drop an OpenVMS support leftover Address more clang-tidy warnings Version info bumped from 11:2:10 (libexpat*.so.1.10.2) to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/ for what these numbers do Infrastructure: CI: Cover compilation on FreeBSD CI: Upgrade Clang from 19 to 21 CI: Make calling Cppcheck without --suppress=objectIndex and --suppress=unknownMacro possible CI|Windows: Get off of deprecated image "windows-2019" CI: Adapt to breaking changes in GitHub Actions Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 451c78516344734b7307caab5e0a0ba8101e5978 Author: Adolf Belka Date: Wed Sep 17 13:09:31 2025 +0200 core198: Ship ed Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit af52039b00d8e472a3775118fd8d2940e5778a65 Author: Adolf Belka Date: Wed Sep 17 13:09:35 2025 +0200 ed: Update to version 1.22.2 - Update from version 1.20.2 to 1.22.2 - Update of rootfile not required - Changelog 1.22.2 * Newline characters are no longer allowed in file names even when '--unsafe-names' is specified. * The file name is now printed escaped also when replaced into a shell command. 1.22.1 * Ed now departs from POSIX and ignores SIGPIPE to prevent commands like 'w !:' or ',!:' from terminating ed. A broken pipe is now detected as any other write error. (Reported by Sergei Trofimovich). 1.22 * An ex(1) style filter has been implemented; the shell escape command (!) now accepts line addresses to filter the addressed lines through a shell command. (Suggested by Shawn Wagner, Andrew L. Moore, and John Cowan). 1.21.1 * Fixed a compilation failure caused by the inclusion of the unused and obsolete header . (Reported by Michael Mikonos). * Ed now reads the initial window size for the z command from the environment variable LINES. (Suggested by Artyom Bologov). 1.21 * 'r !command' and 'w !command' ignore again the exit status of 'command'. Bug introduced in version 1.6. (Reported by Andrew L. Moore). * Include 'stdbool.h' instead of defining 'bool' to fix compilation in C23. (Reported by Alexander Jones). * The messages "Newline inserted" and "Newline appended" are now suppressed in scripted mode (-s). (Reported by Artyom Bologov). * The chapter 'Syntax of command-line arguments' has been added to the manual. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit ece2ba69eeead4743e9b41b5011f8aa8a8658e90 Author: Matthias Fischer Date: Tue Sep 16 23:47:05 2025 +0200 suricata: Update to 8.0.1 Excerpt from changelog: "8.0.1 -- 2025-09-15 Security #7881: detect/tls: keyword tls.subjectaltname leads to NULL Deref if tls.subjectaltname contains zero(HIGH - CVE 2025-59150) Security #7861: detect: Dynamic-stack-buffer-overflow in ShortenString(HIGH - CVE 2025-59149) Security #7838: detect/entropy: segfault when not anchored to a sticky buffer(HIGH - CVE 2025-59148) Security #7657: tcp: syn resend with different seq leads to detection bypasss(HIGH - CVE 2025-59147) Bug #7891: unix-socket: memory leak when client disconnects during rule reload Bug #7877: rust: build with RUSTC and CARGO variables fails Bug #7865: detect/integers: u8 prefilter does not support all modes Bug #7859: doc/userguide: build failure with read the docs theme Bug #7843: http: dissection anomaly on `Content-Encoding: identity` Bug #7836: util-byte: bad usage of StringParse function return codes Bug #7828: util/hash: unexpected remove behavior Bug #7827: app-layer: ippair.memcap counter shows memuse Bug #7824: hyperscan: caching results in segfault with link time optimization (-flto=auto, etc) Bug #7822: engine-analysis: SEGV on rule failure without rules-fast-pattern enabled Bug #7821: engine-analysis: no report for failed rules without fast pattern Bug #7820: app-layer/snmp: internal error if app-layer is disabled Bug #7815: unix-socket: segfault in "pcap-file-list" command Bug #7813: cppcheck: warnings in counters.c Bug #7804: util-lua-sandbox.c undeclared identifier error for Suricata 8.0.0 Bug #7803: http: use transactions right get function Bug #7802: detect/dsize: uninitialized value from SigParseRequiredContentSize Bug #7741: http2: events can contain an empty response object Bug #7740: doh2: events are always dns even if there is no DNS info (pure HTTP2 settings) Bug #7651: decoder/pppoe: valid packets are getting dropped as decoder.ppp.unsup_proto Bug #7636: tcp: assertion triggered in StreamTcpReassembleAppLayer Bug #7611: eve: segv in stats.totals output Bug #5689: eve: community id computed wrong for tcp and ipv4 when src_ip == dest_ip Bug #4702: tcp: SYN/ACK dropped when client does not support timestamps Bug #4178: alert-debug: DNS Query triggers alert but no output in alert-debug.log Bug #3844: tcp: possible bypass with TCP ssn reuse Optimization #7769: detect/file: remove redundant de_ctx->rule_file != NULL check Feature #7869: detect/integers: support units like kib Task #7857: schema/arp: fix invalid pkt event output Task #7834: detect: remove unused non-pf stats counters Documentation #7890: detect: tls.cert_subject incorrectly claims to support multi-buffer Documentation #7867: detect/multi-buffers: complete list in userguide page on multi-buffer-matching Documentation #7854: doc/lualib: fix flow timestamps() return value order Documentation #7795: eve/schema: document stats.detect counters Documentation #7794: eve/schema: document stats.flow counters Documentation #7728: lua: fix all Lua documentation examples for new library format Documentation #7648: rtd: set "latest" to last stable release starting with 8.0.0 Documentation #7639: dpdk: update Connect-X4 recommended fallback tx-descriptor count Documentation #7631: userguide: document lua lib suricata.dnp3 Documentation #7190: detect/integers: document usage of units Documentation #7081: userguide: add unix socket option to retrieve flow info Documentation #6840: devguide/app-layer: section with conceptualized steps for adding parser Documentation #6284: userguide: document what's the impact of `stream.inline` Documentation #6270: userguide: document usage of Suricata as a firewall Documentation #5690: userguide: document the differences between IPS and IDS mode Documentation #5513: userguide: add a chapter for IPS mode Documentation #5139: userguide: add a section for netflow event type Documentation #5078: doc/userguide: improve rule reload documentation Documentation #4351: doc: explain the engine logic to trigger inspection of TCP data" Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit c5f7ae87f65cb31fdfa3a88cb160acd9878a7829 Author: Michael Tremer Date: Wed Sep 17 08:49:35 2025 +0000 libhtp: Drop package This is no longer required in the distribution as Suricata has switched to htp-rs now. I am not aware of any other users. Signed-off-by: Michael Tremer commit 0bd55dcef4b1666c48a58a0eb462573f263347d0 Author: Michael Tremer Date: Wed Sep 17 08:48:07 2025 +0000 libhtp: Update to 0.5.52 Signed-off-by: Michael Tremer commit 8e9dd5d165b1cbb6b9ebd6d1e4bd0a7a2af0a3dd Author: Michael Tremer Date: Tue Sep 16 10:01:32 2025 +0000 python3: Don't try to remove setuptools outside the toolchain stage Signed-off-by: Michael Tremer commit d3725fecec79b5d2c807e9830d983a1804b14616 Author: Adolf Belka Date: Mon Sep 15 19:40:55 2025 +0200 core198: Ship collectd due to sobump in nut update Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 7ab09188f9f292f42f10b2f51923625ec72a8a0e Author: Adolf Belka Date: Mon Sep 15 19:40:54 2025 +0200 nut: Update to version 2.8.4 - Update from version 2.8.3 to 2.8.4 - Update of rootfile - sobump requires shipping of collectd - Changelog 2.8.4 - Bug fixes for fallout possible due to "fightwarn" effort in 2.8.0+: * In `usbhid-ups` sources, introduced optional `HU_FLAG_PARAM_REQUIRED` for `setvar()` or `instcmd()` handling (and a `HU_TYPE_CMD_PARAM_REQUIRED` shortcut) for setting in the mapping table flags, to specify variables or instant commands that require an argument (either from caller or a non-`NULL` default in the run-time table after device data discovery); if the flag is not set, a zero value is assumed. Incomplete code was a regression of NUT v2.8.3 causing some instant commands to fail. [#2860, #2955] - Fix fallout of development in NUT v2.8.0 and/or v2.8.1 and/or v2.8.2 and/or v2.8.3: * Fixed a regression in recipes of NUT v2.8.3 release (as compared to v2.8.2), where `configure --with-docs=all` no longer failed a run of the `configure` script when some of the required rendering tools were not in fact available. [#2842, fixed by #2921] * Some recipe improvements in earlier releases led to `make check` always running a spelling check (if tools are available), even if the explicit `configure --disable-spellcheck` option was used. Now it would not run if disabled (e.g. to speed up CI builds in scenarios that focus on other aspects of the code base), although developers can still use the explicit `make spellcheck*` goals, when tools are in fact available. [#2973] * A change in `Makefile.am` recipes to evaluate some driver names in the `DRIVERLIST` variables inspected by `configure` script, rather than having all their names hard-coded like before, led to inability to `configure --with-drivers=dummy-ups`. [#2825, #2927, fixed by PR #2929] * A problem noted with `upsdrvquery` (since NUT v2.8.1) message logging at high debug verbosity levels (5+) with very large blocks of content has exposed a deficiency in variable-argument handling, and specifically adaptive resizing of the output buffer or truncation of logged inputs (which is something NUT code tried to do since the beginning of time), and could lead to "segmentation fault" crashes on some platforms. [issue #2948, PR #2963] * Documentation build recipes overly zealously pre-processed source files, which was not applicable for each and every document type we have (e.g. binary images for illustrations); this caused grief with some toolkits. [issue #2989] - common code: * Revised common `writepid()` to use `altpidpath()` as location for the PID file creation, if the default `rootpidpath()` is not accessible (e.g. daemon was not initially started as `root`). Likewise updated short PID file based signal sending to consult both locations. [#1717] * Linux may report a `/proc/X/exe` symlink with an embedded "(deleted)" suffix, if the binary was removed (or replaced) since the running process started. This confused our code which verifies that when it is sending a signal to a PID, that PID does reflect the expected NUT program. [#3021] * Refactored NUT "common" sources to reference `nut_version.h` macros from a smaller C source file, to minimize the compilation unit size impacted by development iterations. [issue #2097] * Common code hardening: added sanity-checking for dynamically constructed or selected formatting strings with variable-argument list methods (typically used with log printing, `dstate` setting, etc.) [#2450, #3016] - Warn if `%n` formatting string is used -- it is deprecated in some newer distros due to security concerns. * Refactored repetitive implementations of `inet_ntopSS()` (nee `inet_ntopW()` in `upsd.c`) and `inet_ntopAI()` methods into `common.c`, so now they can be re-used or expanded more easily. [#2916] - `upsd` updates: * Fixed two bugs about printing the "further (ignored) addresses resolved for this name": the way to extract IP address string was not portable and misfired on some platforms, and the way to print had a theoretical potential for buffer overflow. [#2915] * Print arguments of a processed command into the debug log, to help track down what unsupported queries are about, etc. (but only endeavor to spend time, RAM and CPU on this if debug verbosity is high enough). Hide the sensitive commands' parameters unless verbosity is unusually high. [#3023] - `upsdrvquery` API updates [#2969]: * Added `upsdrvquery_oneshot_conn()` for issuing one-shot queries using an existing `udq_pipe_conn_t *` connection. The caller manages the connection's lifecycle, and the function includes a best-effort call to restore broadcast mode after the query to return the connection as it was. * Added `upsdrvquery_oneshot_sockfn()` for initiating one-shot queries using a socket filename. Shares internal logic with the existing `upsdrvquery_oneshot()`, which uses a UPS and driver name, respectively. * Introduced `upsdrvquery_restore_broadcast()` to explicitly restore broadcast mode (`BROADCAST 1`) on a connection, helping return it to a consistent and talkative state. * Revised connection ownership handling: internal functions like `upsdrvquery_prepare()` and `upsdrvquery_request()` no longer close connections they do not own. Responsibility for cleanup is now delegated to the caller to avoid unintended side effects and better align with expected usage patterns. - common driver code: * Update reports of failed socket file creation, to help troubleshooting some error cases in the field. [#2959] * Removed workarounds trying to migrate legacy driver raised `ALARM` status tokens into modern `alarm_*` function logic. Rather, we keep supporting them as separate from the modern logic, seeing as `upsmon` does not care where the token itself was raised for its notifications. Driver-code related test-cases were updated to reflect these changes. [issue #2928, PRs #2931 and #2934] * Introduced some macros in `drivers/upshandler.h` for common syslog level definitions and message wording for beginning and failing `instcmd()` or `setvar()` operations consistently in different drivers. As a related change, operations that intend to turn off or restart the load, or can do that by side effect (e.g. calibration if batteries are old or dead), would explicitly `upslogx(LOG_CRIT,...)` by default before commencing. [#2957] * Fixed a couple of ancient memory leaks: one "shared" during driver program initialization, and one specific to `dummy-ups` wind-down. [#2972] * Added a `suggest_NDE_conflict()` method so drivers which lack access to the expected device can consistently suggest that this may be because of running both an NDE-wrapped service unit and a manually launched driver program at the same time. Currently added to `libusb{0,1}.c` code, but may later be expanded to e.g. serial drivers and other media, when their behavior in such situations gets identified. [follow-up to issue #477, PR #3041] - `apc_modbus` driver updates: * The time stamp and inter-frame delay accounting was fixed, alleviating one of the problems reported in issue #2609. [PR #2982] * Fix missing variables due to mismatching format string. [PR #3013] - `bcmxcp` driver updates: * The latching on to a previous replace battery status was fixed, with its alarm state variable now correctly being reset; previously a factually replaced battery did not clear the alarm and the whole driver needed to be restarted. [issue #2999, PR #3002] - `clone`, `clone-outlet`, `nhs_ser` driver and `nutdrv_qx_ablerex` subdriver updates: * Refactored to follow modern handling of status and alarm conditions, aligning with current driver design practices. This includes fixing copy-paste related issues in alarm reporting and removing some alarm messages that should instead be reflected as status flags. [#2936] - `dummy-ups` driver updates: * A new instruction `ALARM` was added for the `Dummy Mode` operation of the driver, enabling simulation of UPS alarm states more closely in line with modern, real-world UPS driver implementations. This follows the updated principle of keeping alarm states decoupled from the `ups.status` variable, with alarms now raised via common alarm functions rather than direct manipulation. [issue #2928, PR #2936] - `nutdrv_qx` driver updates: * Added support for "preprocess"/"process" methods called from mapping tables to report back to the driver that an argument value was not supported, so `setvar()` or `instcmd()` can not proceed safely and should return `STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017] * Introduced `innovart33` protocol support for Ippon Innova RT 3/3 topology UPSes. [#2938] * Updated `megatec` protocol for more detailed responses to `I` query which may return `ups.serial` (after a shorter `device.mfr`) and the `battery.runtime` (after a shorter `device.model`). Note that the expected response is shorter than in other dialects (38 vs. 39 bytes), so if this change breaks anything for your UPS that reported the values above correctly (e.g. the `ups.firmware` version becomes shorter or none of these are reported), please let NUT developers know. [#2980] * Revised `voltronic` protocol to suppress alarm "UPS is in ECO Mode", using "buzzword mode" settings more correctly than in the previous iteration, shipped in NUT v2.8.3 release (as PR #2750 for issue #2708). [issue #2494] * Introduced a `voltronic-axpert` subdriver for Voltronic Axpert inverters which speak the P30 protocol, currently in a highly experimental state: with initial support for query commands, but most values are "hidden" from default NUT builds by being defined in `experimental.*` namespace, and should also be enabled by `configure --with-unmapped-data-points`. Development was based on work done in the Voltronic Sunny subdriver in https://github.com/nickma82/nut/tree/nutdrv_qx_voltronic-sunny_rebased%2Bcommand [#1407] - `phoenixcontact_modbus` driver updates: * Added more settings that can be tuned -- support for shutdown variables, UPS mode selector, PC reset delay after main power recovers, and automatic switch to battery mode (and back) if main power is below or above a defined threshold (see the new "Configurable Values" section in the man page). They can be configured via `default.*` values in `ups.conf`. [#2986] - `pijuice` driver updates: * Converted to NUT standard use of `status_set()` with single-token values. [issue #2708] - `snmp-ups` driver updates: * Added support for "fun"/"nuf" methods called from mapping tables to report back to the driver that an argument value was not supported, so `setvar()` or `instcmd()` can not proceed safely and should return `STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017] * Fixed `ups.test.date` to be semi-static in `apc-mib` mapping, so it would be queried more than once per driver up-time. [issue #3011] * Fixed debug-logging around `SU_FLAG_STATIC` entries to clarify when they get skipped. [issue #3011] - `usbhid-ups` driver updates: * Added support for "fun"/"nuf" methods called from mapping tables to report back to the driver that an argument value was not supported, so `setvar()` or `instcmd()` can not proceed safely and should return `STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017] * `hid_ups_walk(HU_WALKMODE_INIT)`: report if exactly one of "fun" or "nuf" dynamic value mapping methods is defined in a one-line table, and this may preclude reads/writes of that variable. [#2956] * The `cps-hid` subdriver's existing mechanism for fixing broken report descriptors was extended to cover a newly reported case of nominal UPS power being incorrectly reported due to an unrealistically low maximum threshold, as seen with a EC850LCD device. [issue #2917, PR #2919] * Further revision of "ECO mode" related code in `mge-hid` subdriver, following up from work started for NUT v2.8.3 release. [PR #2956] * Added APC BVKxxxM2 and BKxxxM2-CH to list of devices where `lbrb_log_delay_sec=N` may be necessary to address spurious LOWBATT and REPLACEBATT events. [PR #2942, PR #3007, issue #2347, issue #3006] - New NUT drivers: * Introduced a `ve-direct` driver for Victron Energy UPS/solar panels monitoring. Most specific reported values are in an `experimental.*` namespace, as a community we need to come up with standard naming for those via `docs/nut-names.txt`. [#440] * Introduced a `nutdrv_hashx` driver for numerous devices from Ablerex, Atlantis Land, Epyc, Infosec, ION, PowerWalker, Right Power Technology, Salicru, UPS Solutions and other vendors (originally shipped with a "PowerMaster+", "PowerMaster" or "PowerGuide" software companion suite). This seems to be a protocol developed by Cyber Energy for serial-port devices, subsequently used by different vendors in their own products or re-branded Cyber Energy creations. [#2940] * Introduced a `failover` driver for monitoring multiple UPS driver sockets and seamless switching out of UPS data in a failover situation, includes support for end-to-end tracked instant commands and also variable updating. [#2962] * Introduced USB (`powervar_cx_usb`) and Serial (`powervar_cx_ser`) drivers for Powervar CUSPP protocol, tested with GTS (USB) and UPM (USB, Serial) models. [#2988] - The `nut-driver-enumerator.sh` script (NDE) updates: * Now NDE internally tracks dependency of one driver on another one that should be locally running to serve the "original" data points (`clone`, `clone-outlet`, `dummy-ups`, `failover`). It should create "soft" dependencies between respective service instances to order their start-up sequence. [#2962] * Fixed NDE to not consider "masked" systemd units as non-existent or as syntactically failed instantiated unit names. [#3033] - NUT Monitor GUI: * Ported Python 3 version to Qt6, now shipped alongside Qt5 for systems with either or both, maximizing compatibility with old and new setups. [#2946] - `upsmon` client: * Clearer debug logging of `SHUTDOWNCMD` and `NOTIFYCMD` that would be used (or warnings that none was set); flush output buffers after these messages and after each main loop cycle, so any emitted text is seen in a timely manner. [issue #3003, PR #3008] - The `nutshutdown` script (end-game integration for UPS power-off in case of FSD initiated by `upsmon`) was updated to consider `MODE=none` set in `nut.conf` and bail out quietly. [issue #2935, PR #3008] - Manual page recipes and contents: * Introduced handling (possibly rewriting) for man page section "Overviews, conventions, and miscellaneous" (commonly number 7), to deliver support for `man nut` queries (NUT overview manual page also created). [#2945] * A new `configure --with-docs-man-dir-as-base` option was introduced so that directories for man page sections can now be automatically named as either "base" number of the section (e.g. `man1`) or by full section name (`man1m`), as different OS distributions have different preferences in this regard. [#2950] * Option to `configure --enable-docs-man-for-progs-built-only` was added, to differentiate NUT builds that deliver man pages for only built programs (legacy default) or for all of them (as needed for docs sites). [#2976] * Option to `configure --enable-docs-changelog` was added, specifically to allow developer iterations to not waste CPU time rebuilding the huge `ChangeLog*` files whenever their Git index changes. [#3019] * Options to `configure --with-docs-changelog-start` and/or `configure --with-docs-changelog-end` were added to allow developers to customize the size of `ChangeLog*` files when they are generated. Default starting value is `auto` which applies the legacy default `v2.6.0` to release/pre-release builds, or when local Git version info could not be retrieved, and the most-recent release tag (or `master` as fallback) for usual build iterations. Default ending value is `HEAD` for the current git commit at the moment the ChangeLog is (re-)generated. Balancing against the option to not build `ChangeLog*` files at all, this couple allows quicker builds that exercise all relevant recipe code paths. [#3019] - Extended the `gitlog2changelog.py` helper script to report start/end commits actually used, and to allow callers to tweak them better (not only `HEAD` for the end of range); this may be of interest to other projects which use this script. Allow `configure` to disable generation of either certain `ChangeLog*` rendering formats or completely, to speed up developer iterations (much time is wasted when dev-testing new code, due to git index changes if NUT was configured to build with documentation). [#3019] - The `BUILD_TYPE=default-all-errors ci_build.sh` script handling was revised to simplify code, and to default in CI builds to a quicker mode which randomly mixes the selected SSL, USB and UNMAPPED variants (and relies on the dozens of NUT CI farm runs per iteration to likely cover all possible combinations), which should roughly halve the CI build times. Default activity for developer builds should remain as it was -- to try each such "axis" sequentially. [#2973] - Revised generation of links to external manual pages in HTML rendering of NUT manual pages (previous recipe iterations left DocBook XML `ulink` tag "as is", which was not understood by web browsers). [follow-up to PR #2797] - Made the distro-dependent URL template for man pages configurable. [follow-up to PR #2797] - Revised `make install-as-root` to fall back to legacy ways of enabling services, if `systemctl preset-all` fails (assumed due to a systemd 252 bug). [#3022] - Added a `make check-parallel-builds` recipe to help troubleshoot recipes in sub-directories, and improved build-ability of existing NUT sources starting from scratch there. This is a workflow useful for NUT development (e.g. to focus only on drivers, or tests, or nut-scanner) but not so much for end-user packaging where everything builds from the root directory. [PR #3030, follows up from PR #2825, highlights why issue #2584 better be solved] - Revised `appveyor.yml` to run CI builds faster (forfeit MSYS2 ecosystem updates and some other steps) and more likely fit in one-hour allocation. Also have it install `mingw-w64-x86_64-python-pyqt6` so the `NUT-Monitor` application can get packaged (would need a capable Python run-time though). [#3046] Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 6d332fdc0c3c24eaff4492f020cc617cb726d4de Author: Adolf Belka Date: Mon Sep 15 19:46:22 2025 +0200 core198: Ship p11-kit Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 31c5b4b03598793dec01ff6cf91465ca9f432786 Author: Adolf Belka Date: Mon Sep 15 19:46:30 2025 +0200 p11-kit: Update to version 0.25.8 - Update from version 0.25.5 to 0.25.8 - Update of rootfile - Changelog 0.25.8 * rpc: Unbreak protocol compatibility by reverting "rpc: Correctly map Mozilla certificate distrust attributes" [PR#716] 0.25.7 * Build fixes from tarball with Meson [PR#714] 0.25.6 * rpc: Add module configuration option to specify server address [PR#707] * rpc: Correctly map Mozilla certificate distrust attributes [PR#705] * rpc: Fix empty array attribute handling [PR#704] * server: Remove libsystemd dependency for socket activation [PR#685] * Avoid segfault if p11_library_init_impl/p11_library_uninit are called multiple times [PR#682] * Add zsh completions [PR#674] * pkcs11: Update pkcs11.h to version 3.1 [PR#671] * pkcs11: Add IBM specific mechanisms [PR#669] * server: check SHELL if (and only if) neither --sh nor --csh is specified [PR#661] * trust: don't create file names longer then 255 [PR#659] * trust: sort paths for reproducible extract [PR#656] * Build and test fixes [PR#647, PR#653, PR#654, PR#657, PR#660, PR#667, PR#673, PR#681, PR#683, PR#688, PR#694] * Update translations [PR#663, PR#701] Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 932c1a82183897e27b54bf2ea5987f1d03eca7eb Author: Adolf Belka Date: Mon Sep 15 19:46:21 2025 +0200 core198: Ship lvm2 Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit c785cc3c45f5a33e87c09a487306e8c56b13d613 Author: Adolf Belka Date: Mon Sep 15 19:46:29 2025 +0200 lvm2: Update to version 2.03.35 - Update from version 2.03.33 to 2.03.35 - Update of rootfile - Changelog 2.03.35 Fix unlocking devices file only after all PVs are processed. Avoid creating system.devices when deleting entries. Fix existing issues with persistent reservations. Fix possible report output format inconsistencies while processing PVs. Allow report options for pv/vg/lvdisplay only if used with -C|--columns. Fix vgsplit failing to split a VG with RAID+integrity or cache with cachevol. Fix --lockopt handling in lvmlockd when --nolocking is used. Optimize dmeventd when remonitoring active devices. 2.03.34 Support dmeventd restart when there are no monitored devices. Dmeventd no longer calls 'action commands' on removed devices. Fix reader of VDO metadata on 32bit architecture. Fix lvmdevices --deldev/--delpvid to error out if devices file not writeable. Fix lvresize corruption in LV->crypt->FS stack if near crypt min size limit. Enhanced lvresize -r support for btrfs. Use glibc standard functions htoX, Xtoh functions for endian conversion. Fix structure copying within sanlock's release_rename(). Fix autoactivation on top of loop dev PVs to trigger once for change uevents. Add lvmlockd --lockopt repair to reinitialize corrupted sanlock leases. Fix support for lvcreate -T --setautoactivation. Add lvm.conf global/lvresize_fs_helper_executable. Enable lvm to use persistent reservations on a VG. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 9acb4b08cb2fa38c591c270d75f3d823243232d8 Author: Adolf Belka Date: Mon Sep 15 19:46:20 2025 +0200 core198: Ship libxml2 Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 798fa55f0d58f3bfcad9a26f3b579daba2a92bfe Author: Adolf Belka Date: Mon Sep 15 19:46:28 2025 +0200 libxml2: Update to version 2.14.6 - Update from version 2.14.4 to 2.14.6 - Update of rootfile - 5 CVE fixes in version 2.14.5 - Changelog 2.14.6 Regressions valid: Don't add ids when validating entity content Fix initGenericErrorDefaultFunc(NULL) (Samuel Thibault) valid: Undeprecate xmlAdd*Decl globals: Include HTMLparser.h, fixing Windows build io: Fix reading from pipes like stdin on Windows Security regexp: Avoid integer overflow and OOB array access tree: Guard against atype corruption Improvements parser: Fix xmlSaturatedAddSizeT argument type 2.14.5 Regressions valid: Don't add ids when validating entity content io: Fix reading from pipes like stdin on Windows parser: Fix handling of invalid char refs in recovery mode Security regexp: Avoid integer overflow and OOB array access tree: Guard against atype corruption [CVE-2025-49794] [CVE-2025-49796] schematron: Fix xmlSchematronReportOutput [CVE-2025-49795] schematron: Fix null pointer dereference leading to DoS (Michael Mann) [CVE-2025-6170] Fix potential buffer overflows of interactive shell (Michael Mann) [CVE-2025-6021] tree: Fix integer overflow in xmlBuildQName Bug fixes save: Fix serialization of attribute defaults containing < Improvements parser: Fix xmlSaturatedAddSizeT argument type Build systems and portability meson: Add libxml2 part of include dir to pc file (Heiko Becker) cmake: Fix installation directories in libxml2-config.cmake io: Fix linkage of __xml*BufferCreateFilename functions Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 199dc49ad07635013f639107f269d5059219c147 Author: Adolf Belka Date: Mon Sep 15 19:46:19 2025 +0200 core198: Ship libssh Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 2b4ca744b03f828297bde50e43f40abbf146b64f Author: Adolf Belka Date: Mon Sep 15 19:46:27 2025 +0200 libssh: Update to version 0.11.3 - Update from version 0.11.2 to 0.11.3 - Update of rootfile - Changelog 0.11.3 * Security: * CVE-2025-8114: Fix NULL pointer dereference after allocation failure * CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX * Potential UAF when send() fails during key exchange * Fix possible timeout during KEX if client sends authentication too early (#311) * Cleanup OpenSSL PKCS#11 provider when loaded * Zeroize buffers containing private key blobs during export Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 3063559e4fa15e3058f2e62d8df617fae4a92e69 Author: Adolf Belka Date: Mon Sep 15 19:46:18 2025 +0200 core198: Ship libffi Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit c9ff62f3d28bf9c95de5889b02f9b13a3be8726d Author: Adolf Belka Date: Mon Sep 15 19:46:26 2025 +0200 libffi: Update to version 3.5.2 - Update from version 3.5.1 to 3.5.2 - Update of rootfile not required - Changelog 3.5.2 fix: enable FFI_MMAP_EXEC_WRIT for DragonFly BSD by @liweitianux in #930 Emscripten: Add wasm64 target by @ktock in #927 fix: Ensure trampoline file descriptors are closed on exec. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 1345abf18b964289bbc37033eb8d7500cd97a15f Author: Adolf Belka Date: Mon Sep 15 19:46:25 2025 +0200 haproxy: Update to version 3.2.4 - Update from version 3.2.2 to 3.2.4 - Update of rootfile not required - Changelog 3.2.4 - DOC: deviceatlas build clarifications - BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers - BUG/MEDIUM: acme: use POST-as-GET instead of GET for resources - MINOR: acme: remove acme_req_auth() and use acme_post_as_get() instead - BUG/MINOR: acme: allow "processing" in challenge requests - CLEANUP: acme: fix wrong spelling of "resources" - MINOR: acme: add ACME to the haproxy -vv feature list - MINOR: acme: implement traces - BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet - BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket - BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket - BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally established - BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options - BUG/MINOR: hlua: take default-path into account with lua-load-per-thread - BUG/MEDIUM: mux-quic: ensure Early-data header is set - CLEANUP: ssl: Rename ssl_trace-t.h to ssl_trace.h - BUILD: acme: avoid declaring TRACE_SOURCE in acme-t.h - BUG/MEDIUM: hlua_fcn: ensure systematic watcher cleanup for server list iterator - MINOR: acme: emit a log for DNS-01 challenge response - MINOR: acme: emit the DNS-01 challenge details on the dpapi sink - MEDIUM: acme: allow to wait and restart the task for DNS-01 - MINOR: acme: update the log for DNS-01 - BUG/MINOR: acme: possible integer underflow in acme_txt_record() - MEDIUM: acme: use lowercase for challenge names in configuration - DOC: management: clarify usage of -V with -c - MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory - BUG/MINOR: listener: really assign distinct IDs to shards - MINOR: quic: Prevent QUIC build with OpenSSL 3.5 new QUIC API version < 3.5.1 - BUG/MEDIUM: quic: Crash after QUIC server callbacks restoration (OpenSSL 3.5) - BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was xferred - BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred - BUG/MEDIUM: http-client: Ask for more room when request data cannot be xferred - BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode - BUG/MINOR: http-client: Reject any 101-switching-protocols response - BUG/MEDIUM: http-client: Drain the request if an early response is received - BUG/MEDIUM: http-client: Notify applet has more data to deliver until the EOM - MINOR: h1-htx: Add function to format an HTX message in its H1 representation - BUG/MINOR: mux-h1: Use configured error files if possible for early H1 errors - BUG/MINOR: h1-htx: Don't forget to init flags in h1_format_htx_msg function - BUG/MEDIUM: h3: do not overwrite interim with final response - BUG/MINOR: h3: properly realloc buffer after interim response encoding - BUG/MINOR: h3: ensure that invalid status code are not encoded (FE side) - MINOR: qmux: change API for snd_buf FIN transmission - BUG/MEDIUM: h3: handle interim response properly on FE side - BUG/MINOR: quic: Wrong source address use on FreeBSD - MINOR: h3: remove unused outbuf in h3_resp_headers_send() - BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init - BUG/MINOR: halog: exit with error when some output filters are set simultaneosly - BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS - BUG/MINOR: logs: fix log-steps extra log origins selection - BUG/MINOR: hq-interop: fix FIN transmission - BUG/MINOR mux-quic: apply correctly timeout on output pending data - BUG/MINOR: mux-quic: ensure close-spread-time is properly applied - CLEANUP: http-client: Remove useless indentation when sending request body - DOC: list missing global QUIC settings - BUILD: compat: provide relaxed versions of the MIN/MAX macros - BUILD: compat: always set _POSIX_VERSION to ease comparisons - BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr instead of MAX_SESS_STKCTR - MINOR: sock: update broken accept4 detection for older hardwares. - BUG/MEDIUM: ssl: Fix 0rtt to the server - BUG/MEDIUM: ssl: fix build with AWS-LC - BUG/MINOR: init: Initialize random seed earlier in the init process - DOC: management: fix typo in commit f4f93c56 - DOC: config: recommend single quoting passwords - BUG/MEDIUM: mux-quic: adjust wakeup behavior - BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before commiting the HTX buffer 3.2.3 - CI: enable USE_QUIC=1 for OpenSSL versions >= 3.5.0 - CI: github: add an OpenSSL 3.5.0 job - CI: github: update the stable CI to ubuntu-24.04 - BUILD: quic: QUIC build against OpenSSL 3.5 broken - BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5 - CI: github: update to OpenSSL 3.5.1 - BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits (OpenSSL 3.5 QUIC API) - BUG/MINOR: ssl/ocsp: fix definition discrepancies with ocsp_update_init() - BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections - BUG/MINOR: http-act: Fix parsing of the expression argument for pause action - BUILD/MEDIUM: deviceatlas: fix when installed in custom locations. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 36110b3f109fa60308a790aee1875e4816521f9f Author: Adolf Belka Date: Mon Sep 15 19:46:17 2025 +0200 core198: Ship freetype Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit b07d7b7c66f75ac05491b3fee9cab812b20d88fe Author: Adolf Belka Date: Mon Sep 15 19:46:24 2025 +0200 freetype: Update to version 2.14.1 - Update from version 2.13.3 to 2.14.1 - Update of rootfile - Changelog 2.14.1 This is an emergency release that fixes a couple of severe bugs introduced in version 2.14.0 and discovered right after the release; see issues #1349, #1353, #1354, #1355, and #1356. 2.14.0 IMPORTANT CHANGES - A new configuration macro `FT_CONFIG_OPTION_USE_HARFBUZZ_DYNAMIC` is available to load the HarfBuzz library dynamically (in addition to the standard static and dynamic linking modes); cmake, meson, and autotools support have been updated accordingly. Using this new feature makes it possible to avoid the circular dependency between HarfBuzz and FreeType. A side effect of this change is that FreeType no longer uses HarfBuzz header files (if HarfBuzz support is activated). This code was contributed by Behdad Esfahbod. - The auto-hinter got new abilities. . It can now better separate diacritic glyphs from base glyphs at small sizes by artificially moving diacritics up (or down) if necessary. . Tilde accent glyphs get vertically stretched at small sizes so that they don't degenerate to horizontal lines. . Diacritics directly attached to a base glyph (like the ogonek in character 'ę') no longer distort the shape of the base glyph. These features use a database (which currently has entries for Unicode characters up to U+FFFF, based on Unicode 17.0), handling scripts like Latin, Cyrillic, or Greek, but not Arabic or Indic scripts. FreeType needs to access a proper Unicode character map (or must be able to construct such a cmap) of a given font to make this work. The central algorithm and the foundation of this feature was Craig White's GSoC 2023 project. - Bitmap-only TrueType fonts now ignore the `FT_LOAD_NO_BITMAP` flag and proceed loading bitmaps instead of giving an error. This behavior is documented and implemented for other bitmap-only fonts. The flag was always meant to suppress the bitmap strikes in favor of outlines, not to ban them completely. IMPORTANT BUG FIXES - Users of the `TT_CONFIG_OPTION_GPOS_KERNING` configuration option should update; the 'GPOS' table wasn't correctly validated before access, which could lead to crashes with malformed font files. MISCELLANEOUS - `FT_Set_Var_Design_Coordinates` and `FT_Set_MM_Blend_Coordinates` now set the `FT_FACE_FLAG_VARIATION` bit in the `face_flag` field of `FT_Face` (i.e., the macro `FT_IS_VARIATION` returns true) also if any of the provided coordinates is different from the face's default value for the corresponding axis, that is, the set up face is not at its default position. - `FT_Load_Sfnt_Table` can now also load a font's table directory. - The TrueType instruction interpreter was optimized to produce a 15% gain in the glyph loading speed. - Handling of Variation Fonts is now considerably faster, thanks to contributions by Behdad Esfahbod. - TrueType and CFF glyph loading speed has been improved by 5-10% on modern 64-bit platforms as a result of better handling of fixed- point multiplication. - The BDF driver now loads fonts 75% faster. - 'GPOS' kern table handling (if the `TT_CONFIG_OPTION_GPOS_KERNING` configuration option is active) is now about 3.5 times faster than before. - Support for the (currently undocumented) 'flip' graphic type in the 'sbix' SFNT table as used in the `Apple Color Emoji.ttc` font (code provided by Andrew Murray). - `ftmulti` can now scroll through named instances and gracefully show static fonts. - The build file on OpenVMS now also creates a 32-bit version of the library. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 5c3108043280aabd6821b988dbde720be4bd92ef Author: Adolf Belka Date: Mon Sep 15 19:46:16 2025 +0200 core198: Ship ethtool Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 4740d7ccb17db0e8c697630b72934ba8f1809bfc Author: Adolf Belka Date: Mon Sep 15 19:46:23 2025 +0200 ethtool: Update to version 6.15 - Update from version 6.9 to 6.15 - Update of rootfile - Changelog 6.15 * Feature: support OR-XOR symmetric RSS hash type (-x/-X) * Feature: dump registers for hibmcge driver (-d) * Feature: configure header-data split threshold (-g/-G) * Feature: dump registers for fbnic driver (-d) * Feature: JSON output for channels info (-l) * Fix: incorrect data in appstream metainfo XML * Fix: prevent potential null pointer dereferences * Fix: more consistent and better parseable per lane signal info (-d) 6.14 * Feature: list PHYs (--show-phys) * Feature: target a specific PHY with some commands (--phy) * Feature: more attributes for C33 PSE (--show-pse, --set-pse) * Feature: source information for cable tests (--cable-test[-tdr]) * Feature: JSON output for module info (-m) * Feature: misc RSS hash info improvements (-x) * Feature: tsinfo hwtstamp provider (--{get,set}-hwtimestamp-cfg) * Fix: fix wrong auto-negotiation state (no option) * Fix: more explicit RSS context action (-n) * Fix: print PHY address as decimal (no option) * Fix: fix return value on flow hashing error (-N) * Fix: fix JSON output for IRQ coalescing * Fix: fix MDI-X info output (no option) * Misc: code cleanup in module parsers * Misc: provide module_info JSON schema * Misc: add '-j' alias for --json * Misc: provide AppStream metainfo XML * Misc: update message descriptions for debugging output 6.11 * Feature: cmis: print active and inactive firmware versions * Feature: flash transceiver module firmware (--flash-module-firmware) * Feature: add T1BRR 10Mb/s mode to link mode tables * Feature: support for disabling netlink from command line * Fix: fix lanes parameter format specifier * Fix: add missing clause 33 PSE manual description * Fix: qsf: Better handling of Page A2h netlink read failure * Fix: rss: retrieve ring count using ETHTOOL_GRXRINGS ioctl (-x) * Misc: man page formatting fix 6.10 * Feature: suport for PoE in PSE (--show-pse and --set-pse) * Feature: add statistics support to tsinfo (-T) * Feature: add JSON output to base command (no option) * Feature: add JSON output to EEE info (--show-eee) * Fix: qsfp: better handling on page 03h read failure (-m) * Fix: handle zero arguments for module eeprom dump (-m) * Fix: check for missing arguments in do_srxfh() (-X) * Misc: compiler warnings in "make check" * Misc: more descriptive error when JSON output is not available Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 0fb06f864f987396be173350362b35f1ebe1fd17 Author: Adolf Belka Date: Mon Sep 15 17:47:27 2025 +0200 cmake: Add patch to avoid using undocumented type for CURLOPT_PROXYTYPE values - Update of rootfile - With the new update of curl changes were made to CURLOPT which resulted in cmake using an undocumented type. - This patch has been merged in the cmake git repo and will become available in version cmake-4.1.2 so the patch will be able to be removed when that version is released and updated in IPFire. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 3bbca7da627e8ea29fff9fe377f6fc1b970892ab Author: Adolf Belka Date: Mon Sep 15 17:47:26 2025 +0200 core198: Ship curl Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 1ff80986d5200d9cdb19458f53b6a611bd8219a5 Author: Adolf Belka Date: Mon Sep 15 17:47:25 2025 +0200 curl: Update to version 8.16.0 - Update from version 8.15.0 to 8.16.0 - Update of rootfile - Changelog 8.16.0 changes: o build: bump minimum required mingw-w64 to v3.0 (from v1.0) [33] o curl: add --follow [129] o curl: add --out-null [101] o curl: add --parallel-max-host to limit concurrent connections per host [81] o curl: make --retry-delay and --retry-max-time accept decimal seconds [112] o hostip: cache negative name resolves [175] o ip happy eyeballing: keep attempts running [80] o mbedtls: bump minimum version required to 3.2.0 [180] o multi: add curl_multi_get_offt [56] o multi: add CURLMOPT_NETWORK_CHANGED to signal network changed [84] o netrc: use the NETRC environment variable (first) if set [70] o smtp: allow suffix behind a mail address for RFC 3461 [127] o tls: make default TLS version be minimum 1.2 [71] o tool_getparam: add support for `--longopt=value` [69] o vquic: drop msh3 [8] o websocket: support CURLOPT_READFUNCTION [193] o writeout: add %time{} [74] bugfixes: o _PROTOCOLS.md: mention file:// is only for absolute paths [102] o acinclude: --with-ca-fallback only works with OpenSSL [217] o alpn: query filter [104] o ares: destroy channel on shutdown [178] o ares: use `ares_strerror()` to retrieve error messages [236] o asyn-thrdd: fix --disable-socketpair builds [235] o asyn-thrdd: fix Curl_async_pollset without socketpair [205] o asyn-thrdd: fix no `HAVE_GETADDRINFO` builds [214] o asyn-thrdd: manage DEFERRED and locks better [228] o autotools: make curl-config executable [253] o aws-lc: do not use large buffer [250] o BINDINGS.md: add LibQurl [156] o bufq: add integer overflow checks before chunk allocations [108] o bufq: removed "Useless Assignment" [188] o bufq: simplify condition [207] o build: allow libtests/clients to use libcurl dependencies directly [87] o build: disable `TCP_NODELAY` for emscripten [176] o build: enable _GNU_SOURCE on GNU/Hurd [27] o build: extend GNU C guards to clang where applicable, fix fallouts [61] o build: fix build errors/warnings in rare configurations [7] o build: fix disable-verbose [48] o build: fix mingw-w64 version guard for mingw32ce [124] o build: if no perl, fix to use the pre-built hugehelp, if present [144] o build: link to Apple frameworks required by static wolfSSL [40] o build: support LibreSSL native crypto lib with ngtcp2 1.15.0+ [209] o build: tidy up compiler definition for tests [37] o cf-https-connect: delete unused declaration [15] o clang-tidy: disable `clang-analyzer-security.ArrayBound` [265] o cmake: `CURL_CA_FALLBACK` only works with OpenSSL [215] o cmake: capitalize 'Rustls' in the config summary o cmake: defer building `unitprotos.h` till a test target needs it [75] o cmake: define `WIN32_LEAN_AND_MEAN` for examples [159] o cmake: drop redundant unity mode for `curlinfo` [155] o cmake: enable `-Wall` for MSVC 1944 [128] o cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix o cmake: fix setting LTO properties on the wrong targets [258] o cmake: fix to disable Schannel and SSPI for non-Windows targets o cmake: fix to restrict `SystemConfiguration` to macOS [139] o cmake: honor `CMAKE_C_FLAGS` in test 1119 and 1167 [206] o cmake: improve error message for invalid HTTP/3 MultiSSL configs [187] o cmake: keep websockets disabled if HTTP is disabled o cmake: make `runtests` targets build the curl tool [32] o cmake: make the ExternalProject test work [183] o cmake: omit linking duplicate/unnecessary libs to tests & examples [45] o cmake: re-add simple test target, and name it `tests` [142] o cmake: set `CURL_DIRSUFFIX` automatically in multi-config builds [154] o CODE_STYLE: sync with recent `checksrc.pl` updates [49] o config-win32.h: do not use winsock2 `inet_ntop()`/`inet_pton()` [58] o configure: if no perl, disable unity and shell completion, related tidy ups [137] o configure: tidy up internal names in ngtcp2 ossl detection logic [212] o connectdata: remove primary+secondary ip_quadruple [126] o connection: terminate after goaway [62] o contrithanks: fix for BSD `sed` tool [98] o cookie: don't treat the leading slash as trailing [185] o cookie: remove expired cookies before listing [158] o curl-config: remove X prefix use [138] o curl/system.h: fix for GCC 3.3.x and older [38] o curl: make the URL indexes 64 bit [117] o curl: tool_read_cb fix of segfault [18] o curl_addrinfo: drop workaround for old-mingw [14] o curl_easy_ssls_export: make the example more clear [78] o curl_fnmatch, servers: drop local macros in favour of `sizeof()` [21] o curl_mime_data_cb.md: mention what datasize is for [107] o curl_ossl: extend callback table for nghttp3 1.11.0 [46] o curl_setup.h: include `stdint.h` earlier [260] o curl_setup.h: move UWP detection after `config-win32.h` (revert) [51] o curl_setup.h: move UWP detection after `config-win32.h` [23] o CURLINFO_FILETIME*.md: correct the examples [242] o CURLOPT: bump `CURL_REDIR_*` macros to `long` [110] o CURLOPT: bump `CURL_SSLVERSION_*` macros to `long` [149] o CURLOPT: bump `CURLALTSVC_*` macros to `long` [96] o CURLOPT: bump `CURLFTP*` enums to `long`, drop casts [54] o CURLOPT: bump `CURLHEADER_*` macros to `long`, drop casts [94] o CURLOPT: bump `CURLPROTO_*` macros to `long` [148] o CURLOPT: bump `CURLPROXY_*` enums to `long`, drop casts [95] o CURLOPT: bump `CURLWS_NOAUTOPONG`, `CURLWS_RAW_MODE` macros to `long` [150] o CURLOPT: bump remaining macros to `long` [147] o CURLOPT: drop redundant `long` casts [55] o CURLOPT: replace `(long)` cast with `L` suffix for `CURLHSTS_*` macros o CURLOPT_HTTP_VERSION: mention new default value [179] o CURLOPT_SSL_CTX_*: replace the base64 with XXXX [171] o delta: fix warnings, fix for non-GNU `date` tool [99] o DEPRECATE.md: drop old OpenSSL versions [266] o DEPRECATE.md: drop support for c-ares versions before 1.16.0 [191] o DEPRECATE.md: drop support for Windows XP/2003 [31] o DEPRECATE.md: remove leftover "nothing" [57] o DISTROS.md: add Haiku [39] o docs/cmdline-opts: the auth types are not mutually exclusive [103] o docs: add CURLOPT type change history, drop casts where present [143] o docs: add major incident section to vuln disclosure policy [271] o docs: fix link CONTRIBUTE.md link [192] o docs: fix name in curl_easy_ssls_export man page [12] o docs: fix typo (staring -> starting) [211] o docs: point two broken links to archive.org [134] o docs: put `<>` within backticks in titles [261] o doh: rename symbols to avoid collision with mingw-w64 headers [66] o easy handle: check validity on external calls [28] o examples: drop long cast for `CURLALTSVC_*` o examples: make `CURLPIPE_MULTIPLEX` fallback `long` [233] o examples: remove base64 encoded chunks from examples [189] o examples: remove href_extractor.c [186] o ftp: store dir components as start+len instead of memdup'ing [198] o ftp: use 'conn' instead of 'data->conn' [208] o gnutls: fix building with older supported GnuTLS versions [241] o gnutls: some small cleanups [41] o hmac: return error if init fails [2] o hostip: do DNS cache pruning in milliseconds [132] o HTTP3.md: avoid `configure` issue for ngtcp2 1.14.0+ compatibility [182] o http: const up readonly H2_NON_FIELD [10] o http: do the cookie list access under lock [270] o http: silence `-Warray-bounds` with gcc 13+ [44] o idn: reject conversions that end up as a zero length hostname [273] o inet_pton, inet_ntop: drop declarations when unused [59] o lib1560: fix memory leak when run without UTF-8 support [17] o lib1560: replace an `int` with `bool` [97] o lib2700: use `testnum` [151] o lib517: use `LL` 64-bit literals & re-enable a test case (`time_t`) [100] o lib: drop `UNUSED_PARAM` macro [259] o libcurl: reset rewind flag in curl_easy_reset() [184] o libssh: Use sftp_aio instead of sftp_async for sftp_recv [92] o libtests: update format strings to avoid casts, drop some macros [109] o libtests: use `FMT_SOCKET_T`, drop more casts [136] o managen: reset text mode at end of table marker [145] o mbedtls: check for feature macros instead of version [166] o mdlinkcheck: handle links with a leading slash properly [195] o memanalyze: fix warnings [22] o memory: make function overrides work reliably in unity builds [93] o multi event: remove only announced [25] o multi: don't insert a node into the splay tree twice [68] o multi: fix assert in multi_getsock() [53] o multi: fix bad splay management [133] o multi: process pending, one by one [90] o multi: replace remaining EXPIRE_RUN_NOW [67] o multissl: initialize when requesting a random number [30] o ngtcp2: extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0 [47] o ngtcp2: handshake timeout should be equal to --connect-timeout [262] o ngtcp2: use custom mem funcs [204] o openldap: fix `-Wtentative-definition-compat` [268] o openssl: add and use `HAVE_BORINGSSL_LIKE` internal macro [222] o openssl: add and use `HAVE_OPENSSL3` internal macro [223] o openssl: assume `OPENSSL_VERSION_NUMBER` [181] o openssl: auto-pause on verify callback retry [167] o openssl: check SSL_write() length on retries [152] o openssl: clear errors after a failed `d2i_X509()` [161] o openssl: drop more legacy cruft [224] o openssl: drop redundant `HAVE_OPENSSL_VERSION` macro [221] o openssl: drop redundant version check [246] o openssl: drop single-use interim macro `USE_OPENSSL_SRP` [201] o openssl: enable `HAVE_KEYLOG_CALLBACK` for AWS-LC [220] o openssl: merge two `#if` blocks [218] o openssl: output unescaped utf8 x509 issuer/subject DNs [169] o openssl: remove legacy cruft, document macro guards [231] o openssl: save and restore OpenSSL error queue in two functions [172] o openssl: some small cleanups [42] o openssl: split cert_stuff into smaller sub functions [72] o openssl: sync an AWS-LC guard with BoringSSL [199] o openssl: use `RSA_flags()` again with BoringSSL [219] o parallel-max: bump the max value to 65535 [86] o parsedate: make Curl_getdate_capped able to return epoch [229] o processhelp.pm: fix to use the correct null device on Windows [164] o processhelp.pm: use `Win32::Process*` perl modules if available [200] o projects: drop unused logic from `generate.bat` [157] o projects: fix Windows project 'clean' function [203] o pytest: add SOCKS tests and scoring [9] o pytest: fix test_17_09_ssl_min_max for BoringSSL [197] o pytest: increase server KeepAliveTimeout [26] o pytest: relax error check on test_07_22 [16] o resolving: dns error tracing [196] o runtests: assume `Time::HiRes`, drop Perl Win32 dependency [163] o runtests: remove warning message [230] o runtests: replace `--ci` with `--buidinfo`, show OS/Perl version again [247] o runtests: show still running tests when nothing has happened for a while [227] o schannel: add an error message for client cert not found [165] o schannel: assume `CERT_CHAIN_REVOCATION_CHECK_CHAIN` [114] o schannel: drop fallbacks for 4 macros [121] o schannel: drop fallbacks for unused `BCRYPT_*` macros [122] o schannel: drop old-mingw special case [77] o schannel: fix recent update for mingw32ce [123] o schannel: fix renegotiation [202] o schannel: improve handshake procedure [239] o schannel: not supported with UWP, drop redundant code [105] o schannel: use if(result) like the code style says [125] o scripts: enable strict warnings in Perl where missing, fix fallouts [63] o scripts: fix two Perl uninitialized value warnings [60] o sendf: getting less data than "max allowed" is okay [170] o servers: convert two macros to scoped static const strings [89] o setopt: refactor out the booleans from setopt_long to setopt_bool [83] o setopt: split out cookielist() and cookiefile() [130] o socks: do_SOCKS5: Fix invalid buffer content on short send [43] o socks_sspi: simplify, clean up Curl_SOCKS5_gssapi_negotiate [237] o spacecheck.pl: when detecting unicode, mention line number [85] o spacecheck: warn for 3+ empty lines in a row, fix fallouts [240] o spelling: file system [232] o test1148: drop redundant `LC_NUMBER=` env setting [13] o test1557: pass `long` type to `multi_setopt()` [234] o test1560: set locale/codeset with `LC_ALL` (was: `LANG`), test in CI [19] o test1560: skip some URLs if UTF-8 is not supported [34] o test1: raise alloc limits [11] o test428: re-enable for Windows [5] o test436: fix running on Windows with `_curlrc` present [153] o test: add `cygwin` feature and use it (test 1056, 1517) [249] o tests/ech_tests.sh: indent, if/for style, inline ifs [131] o tests: constify command-line arguments [82] o tests: delete unused commands [177] o tests: drop unused `BLANK` envs, unset `CURL_NOT_SET` [248] o tests: drop unused `CURL_FORCEHOST` envs [36] o tests: fix perl warnings in http2-server, http3-server [119] o tests: fix prechecks to call the bundle libtest tool [120] o tests: fix UTF-8 detection, per-test `LC_*` settings, CI coverage [6] o tests: merge clients into libtests, drop duplicate code [76] o tests: remove the QUIT filters [210] o tests: set `CURL_ENTROPY` per test, not globally [35] o tests: unset some envs instead of blanking them [4] o threaded-resolver: fix shutdown [252] o tidy-up: `Curl_thread_create()` callback return type [20] o tidy-up: move literal to the right side of comparisons [65] o tidy-up: prefer `ifdef`/`ifndef` for single checks [64] o tls: CURLINFO_TLS_SSL_PTR testing [79] o TODO: remove session export item [194] o TODO: remove the expand ~ idea [216] o tool_cb_wrt: stop alloc/free for every chunk windows console output [140] o tool_filetime: accept setting negative filetime [256] o tool_getparam: let --trace-config override -v [238] o tool_getparam: warn on more unicode prefixes [275] o tool_operate: avoid superfluous strdup'ing output [1] o tool_operate: use stricter curl_multi_setopt() arguments [225] o tool_operate: use the correct config pointer [115] o tool_paramhlp: fix secs2ms() [116] o tool_parsecfg: use dynbuf for quoted arguments [162] o tool_urlglob: add integer overflow protection [244] o tool_urlglob: polish, cleanups, improvements [141] o typecheck-gcc: add type checks for curl_multi_setopt() [226] o unit-tests: build the unitprotos.h from here [73] o unit2604: avoid `UNCONST()` [135] o URL-SYNTAX.md: drop link to codepoints.net to pass linkcheck [190] o urlapi: allow more path characters "raw" when asked to URL encode [146] o urldata: reduce two long struct fields to unsigned short [174] o urlglob: only accept 255 globs o vquic-tls: fix SSL backend type for QUIC connections using gnutls [29] o vquic: replace assert [254] o vquic: use curl_getenv [168] o vtls: set seen http version on successful ALPN [160] o websocket example: cast print values to unsigned int [251] o websocket: handling of PONG frames [213] o websocket: improve handling of 0-len frames [269] o websocket: reset upload_done when sending data [245] o windows: assume `ADDRESS_FAMILY`, drop feature checks [88] o windows: document toolchain support for `CERT_NAME_SEARCH_ALL_NAMES_FLAG` o windows: document toolchain support for some macros (cont.) [111] o windows: document toolchain support for some macros [113] o windows: drop `CRYPT_E_*` macro fallbacks, limit one to mingw32ce [118] o windows: drop two interim, single-use macros [106] o windows: drop unused `curlx/version_win32.h` includes [52] o windows: fix `if_nametoindex()` detection with autotools, improve with cmake [24] o windows: include `wincrypt.h` before `iphlpapi.h` for mingw-w64 <6 [50] o windows: target version macro tidy-ups [3] o wolfssl: rename ML-KEM hybrids to match IETF draft [173] o write-out.md: header_json is not included the json object [243] o ws: avoid NULL pointer deref in curl_ws_recv [91] o ws: get a new mask for each new outgoing frame [255] Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 87d7fa42e36d11e0f3c9920abb41db7740b849db Merge: bed0f29da d6ec7e0bf Author: Michael Tremer Date: Mon Sep 15 10:20:35 2025 +0000 Merge branch 'master' into next commit d6ec7e0bf08a00c734c9e7b5f7c517ef82029afe Author: Michael Tremer Date: Mon Sep 15 12:17:01 2025 +0200 ovpnmain.cgi: Never write ncp-disable This was some compatibility code which was supposed to help us with the transition towards NCP. Since we are now on OpenVPN 2.6, this version no longer supports the "ncp-disable" switch and we cannot write it to the configuration any more. There should always be a default value for data ciphers. Signed-off-by: Michael Tremer commit bed0f29daf89b5813137d6e4b0656f690ae392c5 Author: Adolf Belka Date: Mon Sep 15 10:56:40 2025 +0200 python3-pyparsing: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 3825dec163eabb70af464c01f22bb6cd05d76dbb Author: Adolf Belka Date: Mon Sep 15 10:56:39 2025 +0200 python3-packaging: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit ee729f2470de5c2fdf8aa6ad9c45ca91afd7b191 Author: Adolf Belka Date: Mon Sep 15 10:56:38 2025 +0200 python3-setuptools-rust: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit f5f2c430575e22c53788884b82f5d77c3c9144f8 Author: Adolf Belka Date: Mon Sep 15 10:56:37 2025 +0200 python3-setuptools: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 5982c84b3f26a5bd42adbb7a6c66a5525ec3dda6 Author: Adolf Belka Date: Mon Sep 15 10:56:36 2025 +0200 python3-MarkupSafe: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 123c1fa3247a876ce26d41b7a01061af24dfc6e0 Author: Adolf Belka Date: Mon Sep 15 10:56:35 2025 +0200 python3-Jinja2: Update of rootfile due to bundled setuptools removal Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit e153297eccc92042633f5af85c641726fc053d34 Author: Adolf Belka Date: Mon Sep 15 10:56:34 2025 +0200 make.sh: Move setuptools module earlier in install order - The installed version of setuptools had to be moved earlier for a couple of other python modules that needed setuptools in place to build. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 35dbd453bf6844ba177849bd6bbf3b00f846aab5 Author: Adolf Belka Date: Mon Sep 15 10:56:33 2025 +0200 python3: Remove bundled setuptools - python3-pillow was finding the bundled setuptools version 63.2.0 and not the installed version of 80.9.0 and the bundled version failed the pillow requirement of >=77 - The bundled version install can not be disabled so this patch removes all the setuptools directories at the end of the python3 install so that only the IPFire installed version of setuptools will be available. - This resolved the problem of python3-pillow failing to build - The bundled setuptools has been removed in python-3.12 so when that version is released in IPFire the removal lines added in this patch will be able to be removed. - The removal of the bundled version of setuptools also caused changes in the rootfiles of 6 other python modules, so it looks like those were also building with the older bundled version but had no version requirement failure. This patch set also includes the changed rootfiles for each of those packages. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 78194fc50a82f8284122bf4c83cae51ffb25b9e1 Author: Michael Tremer Date: Sun Sep 14 13:39:32 2025 +0000 suricata-reporter: Update to 0.3 Signed-off-by: Michael Tremer commit d0d9a5d17f6f050958bf4f69b173fc24c476c5ba Merge: f0a4f19ca 0088442c5 Author: Michael Tremer Date: Sun Sep 14 10:39:50 2025 +0000 Merge branch 'master' into next commit 0088442c56e8a623c25d1a93940eabd29e4d430b Author: Adolf Belka Date: Mon Sep 8 14:59:38 2025 +0200 backup.pl: Update the RW entry in collectd.vpn if restoring old backup Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 211d81f8e20ab9c41b99933239f402e0afafcc0d Author: Adolf Belka Date: Mon Sep 8 14:59:37 2025 +0200 update.sh: Update collectd.vpn to the new RW log file name Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit f0a4f19ca13c6faaa4f446eb085e801473eb5d88 Merge: fbe50152d 54944268e Author: Michael Tremer Date: Sun Sep 14 10:21:17 2025 +0000 Merge branch 'master' into next commit 54944268e729c8939a49a3e9536f5ad85ce9c2b8 Author: Michael Tremer Date: Sun Sep 14 12:19:00 2025 +0200 ovpnmain.cgi: Fix reading the legacy routes file Signed-off-by: Michael Tremer