[PATCH] dma: Update to version 0.14

[PATCH] dma: Update to version 0.14

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 1973 bytes --]

- Update from version 0.13 to 0.14
- Update of rootfile not required
- Changelog
    0.14
	https://github.com/corecode/dma/commits/v0.14/

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 lfs/dma | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lfs/dma b/lfs/dma
index 76b45423e..39507ff6a 100644
--- a/lfs/dma
+++ b/lfs/dma
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 0.13
+VER        = 0.14
 
 THISAPP    = dma-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,6 +32,8 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 
+# https://github.com/corecode/dma
+
 ###############################################################################
 # Top-level Rules
 ###############################################################################
@@ -40,7 +42,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 731d250a5e75faa25fe06dc636a72fca1c26382ea3d447665f47afbb6eb40426f2e587520a3e9431d454dea7bc14c323d40a48e2e9165a9477b2e2b1d2035087
+$(DL_FILE)_BLAKE2 = 229088c95abd26999686df65f5aa17a994593793abba5c0afeddbf9c1b0fc53b2cb835c7025286c92fc95e6be7e3c01738ab747f18885210715427c297461413
 
 install : $(TARGET)
 
-- 
2.47.1

[PATCH] dnsdist: Update to version 1.9.8

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 2548 bytes --]

- Update from version 1.9.7 to 1.9.8
- Update of rootfile not required
- Changelog
    1.9.8
	Improvements
	    Add the ability to load a given TLS tickets key
	    References: pull request 14877
	    Custom metrics: better error messages, small doc improvements
	    References: pull request 14978
	    Add elapsed time to dq object (@phonedph1)
	    References: pull request 14887
	Bug Fixes
	    setTicketsKeyAddedHook: pass a std::string to the hook to avoid luawrapper
	     to truncate content at potential null chars
	    References: pull request 14878
	    Fix ECS zero-scope caching with incoming DoH queries
	    References: #14959, pull request 14977
	    Allow resetting setWeightedBalancingFactor() to zero
	    References: pull request 14929

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 lfs/dnsdist | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lfs/dnsdist b/lfs/dnsdist
index 2605cbfc8..656f62135 100644
--- a/lfs/dnsdist
+++ b/lfs/dnsdist
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = A highly DNS-, DoS- and abuse-aware loadbalancer
 
-VER        = 1.9.7
+VER        = 1.9.8
 
 THISAPP    = dnsdist-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = dnsdist
-PAK_VER    = 25
+PAK_VER    = 26
 
 DEPS       =
 
@@ -50,7 +50,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 895a581caf00e8274787d7280e790372868354cceebe5c34fc9bd960778758c6e39b1e47e11038b3f85277a9ea0231ee9951cd01febbf1c8edb0c5ae1059c644
+$(DL_FILE)_BLAKE2 = 854344eb6b82f98001171830715fe5cf564628405b4c79c07b43fccdbca0a4c9da7e527a748bc2972261a32ed9c51582eac2e6fdbef5c25bd71b161318a62155
 
 install : $(TARGET)
 
-- 
2.47.1

[PATCH] fetchmail: Update to version 6.5.2

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 17629 bytes --]

- Update from version 6.4.39 to 6.5.2
- Update of rootfile not required
- Changelog
    6.5.2
     ADVANCE WARNING OF FEATURES TO BE REMOVED OR CHANGED IN FUTURE VERSIONS
	(There are no plans to remove features from a 6.5.X release, but they may be
	removed from a 6.6.0 or newer release.)
	* Support for operating systems that are not sufficiently POSIX compliant may be
	  removed or operation on such systems may be suboptimal for future releases.
	* Future fetchmail releases may require compilers and operating systems
	  that adhere to standards issued 2011 or later. (See README for requirements.)
	* Future fetchmail releases may tighten up security and lean towards
	  it a bit more by, for instance, implementing recommendations from
	  RFC-7817 or RFC-8314. This may, for instance, require that TLS v1.1
	  or newer be used.
	* The MX and host alias DNS lookups that fetchmail performs in multidrop mode
	  are based on assumptions that are rarely met in practice, somewhat defective,
	  deprecated and may be removed from a future fetchmail version.
	  They have never supported IPv6 (including IPv6-mapped IPv4).
	  Non-DNS based alias keywords such as "aka" will remain in fetchmail.
	* The monitor and interface options may be removed from a future fetchmail
	  version as they are not reasonably portable across operating systems.
	* POP2 is obsolete, support will be removed from a future fetchmail version.
	* IMAP2 and IMAP4 (not IMAP4r1) are obsolete, support may be removed from a
	  future fetchmail version.
	* RPOP is obsolete, support will be removed from a future fetchmail release.
	* The multidrop To/Cc guessing code along with the fragile duplicate suppressor
	  is deprecated and may be removed from a future release.
	* The "envelope Received" option may be removed from a future release, because
	  the Received header was never meant to be machine-readable, the format varies
	  widely, and various other differences in behavior make parsing Received an
	  unreliable undertaking. The envelope option as such will remain though, in
	  order to support Delivered-To, X-Envelope-To, X-Original-To and similar.
	  See also <http://home.pages.de/~mandree/mail/multidrop>.
	* The "protocol auto" default inside fetchmail may be removed from a future
	  fetchmail release. Explicit configuration of the protocol is recommended.
	* Kerberos IV support may be removed from a future fetchmail release.
	* Kerberos 5 support may be removed from a future fetchmail release.
	  (Although GSS-API support should remain as long as it's viable.)
	* The --principal option may be removed from a future fetchmail release.
	* SIGHUP wakeup support may be removed from a future fetchmail release and
	  cause fetchmail to terminate - it was broken for many years.
	* The maintainer may migrate fetchmail to C++, and impose further requirements
	  (dependencies), such as Boost or other class libraries.
	* The softbounce option default will change to "false" in the next release.
	* The --bsmtp - mode of operation may be removed in a future release.
	* Fetchmailconf is deprecated and will be removed from a future release.
	* Fetchmail does not guarantee compatibility with EOL OpenSSL versions. Support
	  for end-of-life OpenSSL versions may be removed even from patchlevel releases.
	* Nonstandard or by today's standards insufficiently secure authentication
	  schemes (such as OPIE, RPA) may be removed from future fetchmail versions.
	* Nonstandard protocol extensions (such as SDPS/*ENV) may be removed from future
	  fetchmail versions.
	* --auth ssh may be removed from future fetchmail versions. Use --auth implicit.
	* Future fetchmail releases (even minor ones) may change undocumented parts of
	  the .netrc parser in incompatible ways to enhance compatibility with typical
	  ftp(1) .netrc parsers.
     KNOWN BUGS AND WORKAROUNDS
	* Fetchmail does not handle messages without Message-ID header well
	  (See sourceforge.net bug #780933)
	* Fetchmail currently uses 31-bit signed integers in several places
	  where unsigned and/or wider types should have been used. Please report
	  issues with this.
	* BSMTP is mostly untested and errors can cause corrupt output.
	* Fetchmail does not track pending deletes across crashes.
	* The command line interface is sometimes a bit stubborn, for instance,
	  fetchmail -s doesn't work with a daemon running.
	* Linux systems may return duplicates of an IP address in some circumstances if
	  no or no global IPv6 addresses are configured.
	  (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
	* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
	  messages. This will not be fixed, because the maintainer has no Kerberos 5
	  server to test against. Use GSSAPI.
	* For IMAP connections, fetchmail will print "will idle after poll" in
	  verbose mode even though --idle is not given, as an artifact of the 6.4.22
	  security fixes. Fetchmail means "could idle after poll", but this would
	  have required another loop through the translators.
	* aka ... hostnames are not considered for upstream server X.509 certificate
	  verification, aka was meant for alias detection with multidrop mailboxes.
	* When compiled against wolfSSL, note that it is not a feature-complete
	  emulation of OpenSSL. Main functionality is given, but some minor details
	  may not work the same as in OpenSSL builds.
	* When compiled against LibreSSL (due to licensing, this only works on OpenBSD
	  where LibreSSL is part of the OS), note that LibreSSL is somewhat behind
	  recent OpenSSL versions, so prefer OpenSSL to LibreSSL if you can.
	* FreeBSD's OPIE implementation cannot be found when using a C++ compiler.
	  This should not affect the normal build, which uses a C compiler.
	* Using ccache may trigger "implicit fallthrough" warnings because
	  the comments that, for instance, GCC understands, are removed by ccache's
	  separate preprocessing.  Fixing this portably requires C++17.
	* Fetchmail's RFC-2047 encoder (used for localized Subject: lines of locally-
	  originated e-mail messages) is simplistic and violates the RFC-2047
	  requirement that multibyte characters must not be split across
	  encoded-words.
     TRANSLATIONS: fetchmail's translations were updated, courtesy of:
	* cs:    Petr Pisar [Czech]
	* sr:    Мирослав Николић (Miroslav Nikolić) [Serbian]
     CHANGES:
	* Minor documentation consistency fixes (versions, dates).
    6.5.1
     BUG AND PORTABILITY FIXES:
	* Drop two wolfSSL compile-time checks that were for older 6.4 or for future
	  7.0 releases and broke compilation with wolfSSL 5.7.4.
	  Fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282413#c4
	* Use %p instead of non-portable %#p for one wolfSSL-related diagnostic message
	  (FreeBSD defines %#p to be %p, on many other platforms it's undefined
	  behavior).
	* Add regex_helper.c to list of files that contain translatable strings,
	  which contains two strings we missed to translate.
     CHANGES:
	* Simplify EVP_MD_fetch API detection ("like OpenSSL 3" vs. "like OpenSSL 1")
	  for version switch and base it on the claimed OpenSSL version of the crypto
	  SSL, which works for LibreSSL (claims OpenSSL 2) and wolfSSL alike.
     TRANSLATIONS: fetchmail's messages were translated by these fine people:
	* sq:    Besnik Bleta [Albanian]
	* es:    Cristian Othón Martínez Vera [Spanish]
	* ro:    Remus-Gabriel Chelu [Romanian]
	* fr:    Frédéric Marchal [French]
	* pl:    Jakub Bogusz [Polish]
	* sv:    Göran Uddeborg [Swedish]
	* ja:    Takeshi Hamasaki [Japanese]
	* eo:    Keith Bowes [Esperanto]
    6.5.0
     SECURITY FIX:
	* .netrc now may not have more than 0700 permission if it contains passwords,
	  else fetchmail will warn and ignore the file.
     REMOVED FEATURES
	* fetchmail no longer supports using an MDA as SMTP fallback. This is required
	  to make deliveries consistent.
	  The --enable-fallback configure option is gone.
	* fetchmail no longer supports SSLv3. --sslproto ssl3 and ssl3+ options have
	  been removed and behave as though "--sslproto auto" had been given.
     INCOMPATIBLE CHANGES
	* fetchmail by default only negotiates TLS v1.2 or higher. (RFC-7525)
	* fetchmail can auto-negotiate TLS v1.1 through the --sslproto tls1.1+ option.
	* fetchmail can auto-negotiate TLS v1.0 through the --sslproto tls1+ option.
	* fetchmailconf now requires Python 3.7.0 or newer.
	* fetchmail, with --logfile, now logs time stamps into the file, in localtime
	  and in the format "Jun 20 23:45:01 fetchmail: ". It will be localized through
	  the environment variables LC_TIME (or LC_ALL) and TZ.
	  Contributed by Holger Hoffstätte.
	* fetchmail sets the OPENSSL security level to 2 by default.
	  Override is possible from an environment variable,
	  see EXPERIMENTAL CHANGES below.
	* The ca, da, en_GB, id, it, nl, ru, zh_CN translations have been disabled,
	  they are too far behind.
     CHANGED REQUIREMENTS
	* fetchmail 6.5.0 is written in C99 and requires a SUSv3 (Single Unix
	  Specification v3, a superset of POSIX.1-2001 aka. IEEE Std 1003.1-2001 with
	  XSI extension) compliant system.
	  In particular, older fetchmail versions had workarounds or replacement code
	  for several functions standardized in the Single Unix Specification v3, these
	  have been removed. Hence:
	  - The trio/ library has been removed from the distribution.
	  - The libesmtp/getaddrinfo.? library has been removed from the distribution.
	  - The KAME/getnameinfo.c file has been removed from the distribution.
	* fetchmail 6.5.0 requires a TLSv1.3-capable version of OpenSSL or wolfSSL,
	  at a minimum OpenSSL v3.0.9 or wolfSSL v5.7.2.
     TRANSLATIONS: fetchmail's messages were translated by these fine people:
	* cs:    Petr Pisar [Czech]
	* eo:    Keith Bowes [Esperanto]
	* es:    Cristian Othón Martínez Vera [Spanish]
	* fr:    Frédéric Marchal [French]
	* ja:    Takeshi Hamasaki [Japanese]
	* ro:    Remus-Gabriel Chelu [Romanian]
	* sv:    Göran Uddeborg [Swedish]
	* sq:    Besnik Bleta [Albanian]
	* pl:    Jakub Bogusz [Polish]
     BUG FIXES
	* fetchmail can now report mailbox sizes of 2^31 octets and beyond (2 GibiB).
	  This required C99 support (for the long long type).
	  Fixes Debian Bug#873668, reported by Andreas Schmidt.
	* fetchmail now defines its OpenSSL API level to 3.0.0 so as to expose the
	  3.0.0 APIs from OpenSSL.
	* The .netrc parser no longer permits "machine" after "default".
	* Add manpage info on the .netrc syntax, as ftp(1) is not standardized and
	  may not be installed. Fixes Launchpad Bug #1976361 reported by Bill Yikes.
	* Received: lines now return GMT time if the tzoffset cannot be represented
	  as whole minutes. Reported by @rriddicc via Gitlab #49.
	* If fetchmail was running localized, generated an error e-mail message locally,
	  and if the selected translation would require the Subject: line to wrap
	  inside an RFC-2047 encoded word (=?UTF-8?Q?...?=), the wrapped encoded-word
	  was not indented, thus not marked as a continuation line.
	* SSL error handling was improved, fetchmail now consistently clears the
	  thread/SSL error queue before SSL I/O operations and checks SSL_get_error
	  afterwards.  The SSL_connect() error handling has been revised to log more
	  consistently.
     CHANGES
	* When fetchmail attempts to log out from an IMAP4 server and the server messes
	  up its responses (it is supposed to send an untagged * BYE and a tagged
	  A4711 OK) and sends a tagged A4711 BYE response, tolerate that, rather than
	  reporting a protocol error. We don't intend to chat any more so the protocol
	  violation is harmless, and we know the server cannot send more untagged
	  status responses.
	  Analysis and fix courtesy of Maciej S. Szmigiero, GitLab merge request !20.
	* The configure script now spends more effort for getting --with-ssl right, by
	  running pkg-config in the right environment, and using the AC_LIB_LINKFLAGS
	  macro to obtain run-time library path setting flags.
	* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option
	  do not match, emit a warning and continue. Closes Gitlab #31.
	* There is now a --idletimeout feature contributed by Eric Durand, to
	  permit setting a shorter timeout for the --idle option, because many
	  servers violate the protocol (requiring 30 minutes) and hang up sooner than
	  the 28 minutes fetchmail waits before refreshing IDLE.
	  GitLab merge request !35.
	* There is now a --forceidle feature to force idle mode even if not advertised
	  in the server capabilities. This is a dangerous option, use it carefully.
	  Courtesy of Eric Durand, GitLab merge request !39.
	* There is now a --moveto feature (only feasible in IMAP) that, instead of
	  flushing mail, moves it to a user-specified folder. This is to assist with
	  archiving, or when providers (G...) break the IMAP model.
	  Courteously provided by Damjan Jovanovic.
	* rcfile parsing errors are now reported in more detail, and with -vv mode,
	  also lead to a non-importable Python dump of what was obtained, for debugging.
	* fetchmail's --auth option ssh was renamed to implicit, to make clear that it
	  does *NOT* imply any particular type or features of the --plugin.  --auth ssh
	  will be understood for a while for compatibility but fetchmail will report it
	  as implicit.
	* fetchmail no longer warns about port/service mismatches with/without ssl
	  option when a "plugin" is in use because fetchmail cannot know whether the
	  plugin talks SSL or STARTTLS/STLS. Fixes Debian Bug#1076604.
	* fetchmail re-executes itself if the .netrc file's modification change
	  is found to be newer at the beginning of a new run.
	* fetchmail can now use other digest algorithms than MD5 for the
	  --sslfingerprint option. To use, specify the algorithm's name in
	  curly braces as prefix in the finger print, say,
	  --sslfingerprint '{SHA256}00:01:[...]:1F'. This will also switch the
	  algorithm for printing. All algorithms supported by the TLS/SSL library
	  can be specified. Fixes Gitlab issue #19, Debian Bug#700266.
     EXPERIMENTAL CHANGES - these are not documented anywhere else, only here:
	* fetchmail supports a FETCHMAIL_SSL_SECLEVEL environment variable that
	  can be used to override the OpenSSL security level. Fetchmail by default
	  raises the security level to 2 if lower. This variable can be used to lower it.
	  Use with extreme caution. Note that levels 3 or higher will frequently cause
	  incompabilities with servers because server-side data sizes are often too low.
	  Valid range: 0 to 5 for OpenSSL 1.1.1 and 3.0.
	* fetchmail supports a FETCHMAIL_SSL_CIPHERS environment variable that
	  sets the cipher string (through two different OpenSSL functions) for SSL and
	  TLS versions up to TLSv1.2.
	  If setting the ciphers fails, fetchmail will not connect.
	  If not given, defaults to Postfix's "medium" list,
	  "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH".
	* fetchmail supports a FETCHMAIL_TLS13_CIPHERSUITES environment variable
	  that sets the ciphersuites (a colon-separated list, without + ! -) for
	  TLSv1.3. If not given, defaults to OpenSSL's built-in list. If setting the
	  ciphersuites fails, fetchmail refuses to connect.
	* NOTE the features above are simplistic. For instance, even though you
	  configure --sslproto tls1.3, a failure to set tls1.2 ciphers could cause
	  a connection abort.
	* fetchmail can be built with meson 1.30 or newer <https://mesonbuild.com/>.
	  fetchmail is not currently written in a way that supports unity
	  (amalgamated) builds.

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 lfs/fetchmail | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lfs/fetchmail b/lfs/fetchmail
index 6beb0db74..942babf4b 100644
--- a/lfs/fetchmail
+++ b/lfs/fetchmail
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = Full-Featured POP and IMAP Mail Retrieval Daemon
 
-VER        = 6.4.39
+VER        = 6.5.2
 
 THISAPP    = fetchmail-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = fetchmail
-PAK_VER    = 17
+PAK_VER    = 18
 
 DEPS       =
 
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 2d03f6668d2882e7dd1d4e83e8643a2a4c81576a143c75ff1b24327873fa6112fa313f9723373a268e04697b76b3b638cbbd7a04c21cba946cd1532b6aaf201d
+$(DL_FILE)_BLAKE2 = f0877550b05a68bd32a34f48eea10aaa210a0ed4d22261aaf4b886cbdc3578180d3be6e9d5f69eaec6421712153b5a8d21a9416ad272d7ce942836773cde1dec
 
 install : $(TARGET)
 
-- 
2.47.1

[PATCH] freeradius: Update to version 3.2.6

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 4173 bytes --]

- Update from version 3.2.5 to 3.2.6
- Update of rootfile
- Changelog
    3.2.6
     Configuration changes
	* require_message_authenticator=auto and limit_proxy_state=auto
	  are not applied for wildcard clients.  This likely will
	  leave your network in an insecure state.  Upgrade all clients!
     Feature improvements
	* Allow for "auth+acct" dynamic home servers.
	* Allow for setting "Home-Server-Pool", etc. for proxying
	  accounting packets, just like authentication packets.
	* Fix spelling in starent SN[1]-Subscriber-Acct-Mode attribute
	  value. Patch from John Thacker.
	* Update dictionary.iea. Patch from John Thacker.
	* Add warning for secrets that are too short.
	* More debugging for SSL ciphers. Patch from Nick Porter.
	* Update 3GPP dictionary. Patch from Nick Porter.
	* Fix ZTE dictionary.
	* Make radsecret more portable and avoid extra dependencies.
	* Add timestamp for Client-Lost so we don't think it's 1970. Patch
	  from Alexander Clouter. #5353
     Bug fixes
	* Dynamic clients now inherit require_message_authenticator
	  and limit_proxy_state from dynamic client {...} definition.
	* Fix radsecret build rules to better support parallel builds.
	* Checkpoint systems should be reconfigured for the BlastRADIUS
	  attack: https://support.checkpoint.com/results/sk/sk182516
	  The Checkpoint systems drop packets containing Message-Authenticator,
	  which violates the RFCs and is completely ridiculous.
	* Fix duplicate CoA packet issue. #5397
	* Several fixes in the event code
	* Don't leak memory in rlm_sql_sqlite. #5392
	* Don't stop processing RadSec data too early.

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 config/rootfiles/packages/freeradius | 1 +
 lfs/freeradius                       | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/config/rootfiles/packages/freeradius b/config/rootfiles/packages/freeradius
index 7e02a46df..3a82e7d9c 100644
--- a/config/rootfiles/packages/freeradius
+++ b/config/rootfiles/packages/freeradius
@@ -627,6 +627,7 @@ usr/sbin/radmin
 #usr/share/doc/freeradius/antora/modules/ROOT/pages
 #usr/share/doc/freeradius/antora/modules/ROOT/pages/directories.adoc
 #usr/share/doc/freeradius/antora/modules/ROOT/pages/index.adoc
+#usr/share/doc/freeradius/antora/modules/ROOT/pages/radiusd_x.adoc
 #usr/share/doc/freeradius/antora/modules/concepts
 #usr/share/doc/freeradius/antora/modules/concepts/nav.adoc
 #usr/share/doc/freeradius/antora/modules/concepts/pages
diff --git a/lfs/freeradius b/lfs/freeradius
index 228515400..e45e41aa4 100644
--- a/lfs/freeradius
+++ b/lfs/freeradius
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = RADIUS Server
 
-VER        = 3.2.5
+VER        = 3.2.6
 
 THISAPP    = freeradius-server-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = freeradius
-PAK_VER    = 22
+PAK_VER    = 23
 
 DEPS       = libtalloc samba
 
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 169dccd6f04b4503869912dec9423279cc18fc22fa3babf324747bdf0d80d3b4fa5460ac07f89f8d845bf664283a9772b483b8fcec990364fcaf71b673b6917c
+$(DL_FILE)_BLAKE2 = 0af7cdf7fb784f2d5019f3bcb06d1d44dca046c9a4513d780ab032367001b6a67e9ea17a3a5b4609b9d7b936647e60c96e35188ba9644c4360071ac8d021bd58
 
 install : $(TARGET)
 
-- 
2.47.1

[PATCH] frr: Update to version 10.2.1

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 3509 bytes --]

- Update from version 10.1 to 10.2.1
- Update of rootfile not required
- Changelog
    10.2.1
     Fixed CVE-2024-55553
	More details: https://frrouting.org/security/cve-2024-55553
     Bug Fixes
	bfdd
	    retain remote dplane client socket
	bgpd
	    Fix to pop items off zebra_announce FIFO for few EVPN triggers
	    Check if as_type is not specified when peer is a peer-group member
	    Do not reset peers on suppress-fib toggling
	    Fix bgp core with a possible Intf delete
	    Fix enforce-first-as per peer-group removal
	    Fix evpn bestpath calculation when path is not established
	    Fix graceful-restart for peer-groups
	    Fix memory leak when creating BMP connection with a source interface
	    Fix memory leak when reconfiguring a route distinguisher
	    Fix unconfigure asdot neighbor
	    Fix use single whitespace when displaying flowspec entries
	    Fix version attribute is an int, not a string
	    Import allowed routes with self AS if desired
	    Initialize as_type for peer-group as AS_UNSPECIFIED
	    Use gracefulRestart JSON field
	    Validate both nexthop information (NEXTHOP and NLRI)
	    Validate only affected RPKI prefixes instead of a full RIB
	    When calling bgp_process, prevent infinite loop
	lib
	    Allow setsockopt functions to return size set
	    Fix session re-establishment
	    Take ge/le into consideration when checking the prefix with the prefix-list
	    Use backoff setsockopt option for freebsd
	ospfd
	    OSPF multi-instance default origination fixes
	pimd
	    Fix access-list memory leak in pimd
	    Free igmp proxy joins on interface deletion
	    igmp proxy joins should not be written as part of config
	    Prevent crash of pim when auto-rp's socket is not initialized

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 lfs/frr | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lfs/frr b/lfs/frr
index 95fbdf0f1..b257a2d09 100644
--- a/lfs/frr
+++ b/lfs/frr
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = FRRouting Routing daemon
 
-VER        = 10.1
+VER        = 10.2.1
 
 THISAPP    = frr-frr-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = frr
-PAK_VER    = 11
+PAK_VER    = 12
 
 DEPS       =
 
@@ -50,7 +50,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 72dccecd6ad4f64a635d17ca99f2b1583ea83697901a0078270c033effa53ece2a4fe169d1b46d9393000a437bb48e562f49b2a94b48f4d2d013d2204322fde8
+$(DL_FILE)_BLAKE2 = 8bcc8ccf8febee1012d94a9f3de40cc177bec1af464cd935303df8859a72607d03e5f9030f05bed5d56a7a413a0029479f538b3c0b35acc4a66295b4229f6be1
 
 install : $(TARGET)
 
-- 
2.47.1

[PATCH] postfix: Update to version 3.9.1

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 4068 bytes --]

- Update from version 3.9.0 to 3.9.1
- Update of rootfile not required
- Changelog
    3.9.1
	    The mail_version configuration parameter did not have a three-number value
	     (3.9 instead of 3.9.0; it still had the two-number version from the
	     development releases postfix-3.9-yyyymmdd). This broke pathnames derived
	     from the mail_version value, such as shlib_directory. Problem reported by
	     Michael Orlitzky.
	    Bugfix (defect introduced: Postfix 2.9, date 20111218): with
	     "smtpd_sasl_auth_enable = no", the permit_sasl_authenticated feature
	     ignored information that was received with the XCLIENT LOGIN command, so
	     that the client was treated as unauthenticated. This was fixed by removing
	     an unnecessary test. Problem reported by Antonin Verrier.
	    Bugfix (defect introduced: postfix 3.0): the default master.cf syslog_name
	     setting for the relay service did not preserve multi-instance information,
	     which complicated logfile analysis. Found during a support discussion.
	    Bugfix (defect introduced: Postfix 2.3, date 20051222): file descriptor
	     leak after failure to connect to a Dovecot auth server. The impact is
	     limited because Dovecot auth failures are rare, there are limits on the
	     number of retries (one), on the number of errors per SMTP session
	     (smtpd_hard_error_limit), on the number of sessions per SMTP server
	     process (max_use), and on the number of file handles per process (managed
	     with sysctl). Found during code maintenance.
	    Bugfix (defect introduced: Postfix 3.4, date 20190121): the postsuper
	     command failed with "open logfile '/path/to/file': Permission denied" when
	     the maillog_file parameter specified a filename and Postfix was not
	     running. This was fixed by opening the maillog_file before dropping root
	     privileges. Found during code maintenance.
	    Bugfix (defect introduced Postfix 3.0). No autodetection of UTF8 text when
	     missing message headers were automatically added by Postfix (for example,
	     a From: header with UTF8 full name information from the password file).
	     This caused Postfix to send UTF8 in message headers without using the
	     SMTPUTF8 protocol. Problem reported by Michael Tokarev.

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 lfs/postfix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lfs/postfix b/lfs/postfix
index 497168267..2435f3c39 100644
--- a/lfs/postfix
+++ b/lfs/postfix
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = A fast, secure, and flexible mailer
 
-VER        = 3.9.0
+VER        = 3.9.1
 
 THISAPP    = postfix-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = postfix
-PAK_VER    = 45
+PAK_VER    = 46
 
 DEPS       =
 
@@ -70,7 +70,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = e07a525d9cbea43d3ed11f3d672452cf94f88ca7bbaf3c3254bf5be4ef675a1797a5fff2444c0db60c6eb53e43734a388a91faed72bb2fb4e3e5a353535602b0
+$(DL_FILE)_BLAKE2 = 78be7bf0f0d9e46429b40f98ddc98cac442cfdb404d77073346c973f3d0d4c52f299fc7f5d64bddaaf2db60dd234c52790f1efe4995faee8e2cd10c6f8e2096f
 
 install : $(TARGET)
 
-- 
2.47.1

[PATCH] protobuf: Update to version 29.3

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 14530 bytes --]

- Update from version 28.3 to 29.3
- Update of rootfile
- Changelog
    29.3
	Announcements
	    Protobuf News may include additional announcements or pre-announcements
	     for upcoming changes.
	C++
	    Fix cmake installation location of java and go features (#19773) (1dc5842)
	Other
	    Add .bazeliskrc for protobuf repo to tell bazelisk to use 7.1.2 by
	     default. (#19884) (9a5d2c3)
	    Update artifact actions to v4 (#19703) (8e7e6b0)
    29.2
	Announcements
	    Protobuf News may include additional announcements or pre-announcements
	     for upcoming changes.
	C++
	    Automated rollback of commit 23aada2. (#19692) (1772657)
	    Remove unused / invalid C++ lazy repeated field code from OSS. (#19682)
	     (3649f87)
	Java
	    Automated rollback of commit 23aada2. (#19692) (1772657)
	Other
	    Export environment variables so bazelisk picks them up (#19690) (8b9d76c)
	    Pin staleness check to Bazel 7 (#19689) (a1c9b6a)
	    Remove CMake downgrade workaround from Windows CI tests (#19630) (3a7bb4a)
    29.1
	Announcements
	    Protobuf News may include additional announcements or pre-announcements
	     for upcoming changes.
	Java
	    Rename maven to protobuf_maven in MODULE.bazel (#18641) (#19477) (ba6da44)
	Kotlin
	    Rename maven to protobuf_maven in MODULE.bazel (#18641) (#19477) (ba6da44)
	Python
	    Revert "Remove deprecated service.py usages from test". For 29.x only
	     (#19434) (5864b50)
    29.0
	Announcements
	    Protobuf News may include additional announcements or pre-announcements
	     for upcoming changes.
	Bazel
	    Add missing line to docstring after Args (#19213) (6f310d5)
	    Fix proto_info_bzl (#18918) (083de5f)
	    Use rules_cc everywhere in protobuf (ddadd0b)
	    Upgrade rules_cc to 0.0.13 (3dd4835)
	    Convert proto toolchain string to Label (aa181e2)
	    Prepare supporting targets for testing (a748b10)
	    Support --incompatible_enable_proto_toolchain_resolution (372ddb3)
	    Move ProtoInfo and ProtoLangToolchainInfo from Bazel (426ca8a)
	    Move java_{lite_}proto_library from Bazel repository (d77bdac)
	    Move proto_toolchain from rules_proto to protobuf (9f9cb7a)
	    Move proto_library from Bazel repository (3ff2cf0)
	    Move proto_common implementation from Bazel binary (b19fbe6)
	Compiler
	    Begin adding extension numbers to SourceCodeInfo and FileDescriptorSet for
	     tooling purposes. (07e489d)
	    Update protoc release to include editions language features proto for Go
	     (#19013) (63d966b)
	    Introduce lifetimes for individual feature values. (0b6e768)
	    Windows - Fix handling of utf8 command line arguments (#17854) (b9d1800)
	    Limit feature deprecation warnings to reduce noise. (5cd9a46)
	C++
	    Fix C++ ifndef_guard printer to also convert "-" to "_". (7331b77)
	    Fix C++ codegen namespace printer to print closing namespaces in reverse
	     order. (3bf9c40)
	    Fix raw_ptr.cc on exotic architectures (#18193) (63f6262)
	    Fix cord handling in DynamicMessage and oneofs. (9e8b30c)
	    Fix packed reflection handling bug in edition 2023. (4c92328)
	    Add JsonStreamToMessage method (0259cc3)
	    Introduce lifetimes for individual feature values. (0b6e768)
	    Insert software prefetches into merge functions. This improves performance
	     when hardware prefetchers are disabled on AMD machines. (d993365)
	    Insert software prefetches into proto parsing functions. This improves
	     performance when hardware prefetchers are disabled on AMD platforms.
	     (8aa0add)
	    Add prefetching of subsequent extensions in ExtensionSet::ForEach. (9b019ee)
	    Remove the AnyMetadata class and use free functions instead. (920d5c3)
	    Add [[deprecated]] attribute when generating enums and classes. (23aada2)
	    Use linear search instead of binary search in flat mode of ExtensionSet.
	     (0ed61f0)
	    Prepare MessageLite::GetTypeName to be upgraded to return (30a8ef5)
	    Limit feature deprecation warnings to reduce noise. (5cd9a46)
	    Add Compiler Condition to use inline assembly optimizations with ARM64 for
	     Compatibility with MSVC (#17671) (c5f6231)
	    Enable small object optimization (SOO) for RepeatedField in order to
	     reduce data indirections. (e2525e6)
	    Return backing array memory to arena in ExtensionSet. (5ac8ee1)
	    In edition 2024, Enum_Name(value) functions return absl::string_view by
	     default. (e3fa6aa)
	    Add Prefetchers to Proto Copy Construct to help address load misses (cdb7238)
	    Reduced nesting in GenerateByteSize: slight readability improvements in
	     generated code. (162a740)
	    Introduce FieldDescriptor::cpp_string_type() API to replace direct ctype
	     inspection which will be removed in the next breaking change (d0e49df)
	    Update the comment of TextFormat::Printer::RegisterMessagePrinter that the
	     method takes ownerhip of the printer pointer. (d911161)
	    Prepare the code for migrating return types from const std::string& to
	     (e13b8e9)
	Java
	    Remove deprecation warnings for Timestamp and Duration add/subtract/between
	     that we do not yet have alternatives to. (f606c13)
	    [29.x] Add missing java load (#19016) (bb287be)
	    Give Kotlin jars an OSGi Manifest (#18812) (0c51eba)
	    Re-export includingDefaultValueFields in deprecated state for important
	     Cloud customer. (7321b2f)
	    Restore compatibility with 3.22 gencode by re-adding mutableCopy helpers
	     (1b1e90b)
	    Speed up CodedOutputStream by extracting rarely-executed string formatting
	     code (f8f5136)
	    Return constant Value objects for true, false, and "" (4fbb0c5)
	    Optimise CodedOutputStream.ArrayEncoder.writeFixed32NoTag/writeFixed64NoTag
	     (a51f98c)
	    CodedOutputStream: avoid updating position to go beyond end of array.
	     (76ab5f2)
	    Convert IndexOutOfBoundsException to OutOfSpaceException in
	     UnsafeDirectNioEncoder (0e75d92)
	    Suppress ReturnValueIgnored errorprone issues (bbbc7b9)
	    Fix packed reflection handling bug in edition 2023. (4c92328)
	    Move cc_proto_library from Bazel repository (5254448)
	    Protobuf Lite ArrayLists: Defer allocating backing array until we have
	     some idea how much to allocate. (05a8a40)
	    Allocate correct-sized array when parsing packed fixed-width primitives
	     (4e8469c)
	    Bugfix: Make extensions beyond n=16 immutable. (ee419f2)
	    Reserve capacity in ProtobufArrayList when calling
	     Builder.addAllRepeatedMessage(Collection) (e3cc31a)
	    Avoid allocating iterators when calling
	     Message.Builder.addAllFoo(RandomAccess List) (bd1887e)
	    Remove the AnyMetadata class and use free functions instead.
	     (https://github.com/protocolbuffers/protobuf/com...

Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 config/rootfiles/common/protobuf | 41 +++++++++++++++++++-------------
 lfs/protobuf                     |  6 ++---
 2 files changed, 27 insertions(+), 20 deletions(-)

diff --git a/config/rootfiles/common/protobuf b/config/rootfiles/common/protobuf
index c26f8dfb8..db247dfeb 100644
--- a/config/rootfiles/common/protobuf
+++ b/config/rootfiles/common/protobuf
@@ -1,11 +1,11 @@
 #usr/bin/protoc
-#usr/bin/protoc-28.3.0
+#usr/bin/protoc-29.3.0
 #usr/bin/protoc-gen-upb
-#usr/bin/protoc-gen-upb-28.3.0
+#usr/bin/protoc-gen-upb-29.3.0
 #usr/bin/protoc-gen-upb_minitable
-#usr/bin/protoc-gen-upb_minitable-28.3.0
+#usr/bin/protoc-gen-upb_minitable-29.3.0
 #usr/bin/protoc-gen-upbdefs
-#usr/bin/protoc-gen-upbdefs-28.3.0
+#usr/bin/protoc-gen-upbdefs-29.3.0
 #usr/include/google
 #usr/include/google/protobuf
 #usr/include/google/protobuf/any.h
@@ -21,6 +21,7 @@
 #usr/include/google/protobuf/arenaz_sampler.h
 #usr/include/google/protobuf/compiler
 #usr/include/google/protobuf/compiler/code_generator.h
+#usr/include/google/protobuf/compiler/code_generator_lite.h
 #usr/include/google/protobuf/compiler/command_line_interface.h
 #usr/include/google/protobuf/compiler/cpp
 #usr/include/google/protobuf/compiler/cpp/enum.h
@@ -86,7 +87,6 @@
 #usr/include/google/protobuf/compiler/java/helpers.h
 #usr/include/google/protobuf/compiler/java/internal_helpers.h
 #usr/include/google/protobuf/compiler/java/java_features.pb.h
-#usr/include/google/protobuf/compiler/java/kotlin_generator.h
 #usr/include/google/protobuf/compiler/java/lite
 #usr/include/google/protobuf/compiler/java/lite/enum.h
 #usr/include/google/protobuf/compiler/java/lite/enum_field.h
@@ -105,6 +105,10 @@
 #usr/include/google/protobuf/compiler/java/names.h
 #usr/include/google/protobuf/compiler/java/options.h
 #usr/include/google/protobuf/compiler/java/shared_code_generator.h
+#usr/include/google/protobuf/compiler/kotlin
+#usr/include/google/protobuf/compiler/kotlin/file.h
+#usr/include/google/protobuf/compiler/kotlin/generator.h
+#usr/include/google/protobuf/compiler/kotlin/message.h
 #usr/include/google/protobuf/compiler/objectivec
 #usr/include/google/protobuf/compiler/objectivec/enum.h
 #usr/include/google/protobuf/compiler/objectivec/enum_field.h
@@ -144,6 +148,7 @@
 #usr/include/google/protobuf/compiler/rust/accessors/accessors.h
 #usr/include/google/protobuf/compiler/rust/accessors/default_value.h
 #usr/include/google/protobuf/compiler/rust/accessors/generator.h
+#usr/include/google/protobuf/compiler/rust/accessors/with_presence.h
 #usr/include/google/protobuf/compiler/rust/context.h
 #usr/include/google/protobuf/compiler/rust/crate_mapping.h
 #usr/include/google/protobuf/compiler/rust/enum.h
@@ -154,6 +159,7 @@
 #usr/include/google/protobuf/compiler/rust/relative_path.h
 #usr/include/google/protobuf/compiler/rust/rust_field_type.h
 #usr/include/google/protobuf/compiler/rust/rust_keywords.h
+#usr/include/google/protobuf/compiler/rust/upb_helpers.h
 #usr/include/google/protobuf/compiler/scc.h
 #usr/include/google/protobuf/compiler/subprocess.h
 #usr/include/google/protobuf/compiler/versions.h
@@ -191,6 +197,7 @@
 #usr/include/google/protobuf/generated_message_tctable_gen.h
 #usr/include/google/protobuf/generated_message_tctable_impl.h
 #usr/include/google/protobuf/generated_message_util.h
+#usr/include/google/protobuf/go_features.proto
 #usr/include/google/protobuf/has_bits.h
 #usr/include/google/protobuf/implicit_weak_message.h
 #usr/include/google/protobuf/inlined_string_field.h
@@ -206,6 +213,7 @@
 #usr/include/google/protobuf/io/zero_copy_stream.h
 #usr/include/google/protobuf/io/zero_copy_stream_impl.h
 #usr/include/google/protobuf/io/zero_copy_stream_impl_lite.h
+#usr/include/google/protobuf/java_features.proto
 #usr/include/google/protobuf/json
 #usr/include/google/protobuf/json/internal
 #usr/include/google/protobuf/json/internal/descriptor_traits.h
@@ -279,14 +287,6 @@
 #usr/include/google/protobuf/wire_format_lite.h
 #usr/include/google/protobuf/wrappers.pb.h
 #usr/include/google/protobuf/wrappers.proto
-#usr/include/java
-#usr/include/java/core
-#usr/include/java/core/src
-#usr/include/java/core/src/main
-#usr/include/java/core/src/main/resources
-#usr/include/java/core/src/main/resources/google
-#usr/include/java/core/src/main/resources/google/protobuf
-#usr/include/java/core/src/main/resources/google/protobuf/java_features.proto
 #usr/include/upb
 #usr/include/upb/base
 #usr/include/upb/base/descriptor_constants.h
@@ -378,6 +378,7 @@
 #usr/include/upb/reflection/def.hpp
 #usr/include/upb/reflection/def_pool.h
 #usr/include/upb/reflection/def_type.h
+#usr/include/upb/reflection/descriptor_bootstrap.h
 #usr/include/upb/reflection/enum_def.h
 #usr/include/upb/reflection/enum_reserved_range.h
 #usr/include/upb/reflection/enum_value_def.h
@@ -415,6 +416,7 @@
 #usr/include/upb/util/def_to_proto.h
 #usr/include/upb/util/required_fields.h
 #usr/include/upb/wire
+#usr/include/upb/wire/byte_size.h
 #usr/include/upb/wire/decode.h
 #usr/include/upb/wire/encode.h
 #usr/include/upb/wire/eps_copy_input_stream.h
@@ -423,7 +425,11 @@
 #usr/include/upb/wire/reader.h
 #usr/include/upb/wire/types.h
 #usr/include/upb_generator
-#usr/include/upb_generator/mangle.h
+#usr/include/upb_generator/common
+#usr/include/upb_generator/common/names.h
+#usr/include/upb_generator/minitable
+#usr/include/upb_generator/minitable/names.h
+#usr/include/upb_generator/minitable/names_internal.h
 #usr/include/utf8_range.h
 #usr/include/utf8_validity.h
 #usr/lib/cmake/protobuf
@@ -439,14 +445,15 @@
 #usr/lib/cmake/utf8_range/utf8_range-targets-noconfig.cmake
 #usr/lib/cmake/utf8_range/utf8_range-targets.cmake
 #usr/lib/libprotobuf-lite.so
-usr/lib/libprotobuf-lite.so.28.3.0
+usr/lib/libprotobuf-lite.so.29.3.0
 #usr/lib/libprotobuf.so
-usr/lib/libprotobuf.so.28.3.0
+usr/lib/libprotobuf.so.29.3.0
 #usr/lib/libprotoc.so
-usr/lib/libprotoc.so.28.3.0
+usr/lib/libprotoc.so.29.3.0
 #usr/lib/libupb.a
 usr/lib/libutf8_range.so
 usr/lib/libutf8_validity.so
 #usr/lib/pkgconfig/protobuf-lite.pc
 #usr/lib/pkgconfig/protobuf.pc
+#usr/lib/pkgconfig/upb.pc
 #usr/lib/pkgconfig/utf8_range.pc
diff --git a/lfs/protobuf b/lfs/protobuf
index a58933f33..92d19de38 100644
--- a/lfs/protobuf
+++ b/lfs/protobuf
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 28.3
+VER        = 29.3
 
 THISAPP    = protobuf-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 05162124676abe18300481e9f985fd2cfb09b052d06670a993e79ef02f3daf0d5380b521977ebc2362d4094486151ea285fe1c98a1d2f3799b18a1fa422fdc13
+$(DL_FILE)_BLAKE2 = 8d37daac6f0d832e5bff5c56b9be73fce1fe016ca4e905f4c66d8fea20fabbee54a6be2c824f503d40f8492a4ec6280a539c454de9a118b69ebc57f2afe3d965
 
 install : $(TARGET)
 
-- 
2.47.1