[PATCH] arpwatch: Update to version 3.9

[PATCH] arpwatch: Update to version 3.9

[Adolf Belka]

- Update from version 3.8 to 3.9
- No change to rootfile
- Changelog
3.9
 - Use mktemp(1) to obtain a temporary file for update-ethercodes
   and avoid potiential security issues. Reported by Johannes Segitz
   (jsegitz@suse.de)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 lfs/arpwatch | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/lfs/arpwatch b/lfs/arpwatch
index 46eac6502..774b4f109 100644
--- a/lfs/arpwatch
+++ b/lfs/arpwatch
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = Monitoring tool for ARP traffic on a network
 
-VER        = 3.8
+VER        = 3.9
 ETHERCODES_DATE = 20200628
 
 # From: https://ee.lbl.gov/downloads/arpwatch/
@@ -37,7 +37,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = arpwatch
-PAK_VER    = 3
+PAK_VER    = 4
 
 DEPS       =
 
@@ -55,7 +55,7 @@ objects = $(DL_FILE) ethercodes.dat-$(ETHERCODES_DATE).xz
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 ethercodes.dat-$(ETHERCODES_DATE).xz = $(DL_FROM)/ethercodes.dat-$(ETHERCODES_DATE).xz
 
-$(DL_FILE)_BLAKE2 = 2ec0360ed12722e09cfccd06a1ab48ed77ea017d9ebf182cf2792dac53b61b1f0d6b5895fe30ec4d6b9e05d78aa75762775e548573f7bd5b2918ce8ca775eed3
+$(DL_FILE)_BLAKE2 = 12f24db33e4f068ffa4424b7b62a8a99666c33b14192e4251a71d16a8f0e539c7ec7ca0028d843aead74fedc57c636027895c1db447cadc65d58d0a3df7f4fb3
 ethercodes.dat-$(ETHERCODES_DATE).xz_BLAKE2 = e702b9109ef3ccce73e2637f96126bf19e7dfa533774c0bd623042b3609f147981263b84397ec155a65ae12fa57247c32644e1e7e57c2c749ef768156d853027
 
 install : $(TARGET)
@@ -102,8 +102,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
 	# Build!
 	cd $(DIR_APP) && ./configure \
-		--prefix=/usr \
-		--enable-zeropad
+				--prefix=/usr \
+				--enable-zeropad
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
 
-- 
2.54.0

[PATCH] core202: Ship inotify-tools

[Adolf Belka]

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/core/202/filelists/inotify-tools | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 config/rootfiles/core/202/filelists/inotify-tools

diff --git a/config/rootfiles/core/202/filelists/inotify-tools b/config/rootfiles/core/202/filelists/inotify-tools
new file mode 120000
index 000000000..b316c2e73
--- /dev/null
+++ b/config/rootfiles/core/202/filelists/inotify-tools
@@ -0,0 +1 @@
+../../../common/inotify-tools
\ No newline at end of file
-- 
2.54.0

[PATCH] core202: Ship knot

[Adolf Belka]

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/core/202/filelists/knot | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 config/rootfiles/core/202/filelists/knot

diff --git a/config/rootfiles/core/202/filelists/knot b/config/rootfiles/core/202/filelists/knot
new file mode 120000
index 000000000..28e96f878
--- /dev/null
+++ b/config/rootfiles/core/202/filelists/knot
@@ -0,0 +1 @@
+../../../common/knot
\ No newline at end of file
-- 
2.54.0

[PATCH] core202: Ship lldpd

[Adolf Belka]

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/core/202/filelists/lldpd | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 config/rootfiles/core/202/filelists/lldpd

diff --git a/config/rootfiles/core/202/filelists/lldpd b/config/rootfiles/core/202/filelists/lldpd
new file mode 120000
index 000000000..35e3b1d01
--- /dev/null
+++ b/config/rootfiles/core/202/filelists/lldpd
@@ -0,0 +1 @@
+../../../common/lldpd
\ No newline at end of file
-- 
2.54.0

[PATCH] core202: Ship oath-toolkit

[Adolf Belka]

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/core/202/filelists/oath-toolkit | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 config/rootfiles/core/202/filelists/oath-toolkit

diff --git a/config/rootfiles/core/202/filelists/oath-toolkit b/config/rootfiles/core/202/filelists/oath-toolkit
new file mode 120000
index 000000000..589cc0d9f
--- /dev/null
+++ b/config/rootfiles/core/202/filelists/oath-toolkit
@@ -0,0 +1 @@
+../../../common/oath-toolkit
\ No newline at end of file
-- 
2.54.0

[PATCH] inotify-tools: Update to version 4.25.9.0

[Adolf Belka]

- Update from version 4.23.9.0 to 4.25.9.0
- No change to rootfile
- Changelog
4.25.9.0
	Reject fanotify-only options if fanotify is disabled by @defanor in #196
	Fix formatting of man page references by @jwilk in #213
	Disable SonarCloud by @ericcurtin in #214
	Remove dead builds from README.md by @ericcurtin in #215
	Add Fedora 39 build to github actions by @ericcurtin in #216
	Add flag for forcing static compilation by @nirhaike in #220
	Allow recursive watch with --include by @arnib in #229
	Fix a crash on >=1024 watched files by @jankratochvil in #230

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 lfs/inotify-tools | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lfs/inotify-tools b/lfs/inotify-tools
index bb70fbfc6..7df35e7c5 100644
--- a/lfs/inotify-tools
+++ b/lfs/inotify-tools
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2023  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 4.23.9.0
+VER        = 4.25.9.0
 
 THISAPP    = inotify-tools-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = eddb0e44721cd8674f2309046998de16a030ed9ad84c49bc5950b9362055db9242dc0de1c615c3bd6c1f2835c83fc55446c9f8e6da52a98870c53f4e6cfa31f9
+$(DL_FILE)_BLAKE2 = f32a7cfaf76e8896a6f581bbffe443109c017c59b44d5f9d15ca019029da4895b04880d404765921b201a9eaf1864d0085aa47366112bec0c3afd5c0fcfe5c47
 
 install : $(TARGET)
 
@@ -76,7 +76,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	$(UPDATE_AUTOMAKE)
 	cd $(DIR_APP) && ./autogen.sh
 	cd $(DIR_APP) && ./configure \
-		--prefix=/usr
+				--prefix=/usr
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
 	@rm -rf $(DIR_APP)
-- 
2.54.0

[PATCH] knot: Update to version 3.5.4

[Adolf Belka]

- Update from 3.4.2 to 3.5.4
- Update of rootfile
- find-dependencies run due to sobump. No issues identified.
- Changelog
3.5.4
Features:
 - knotd: configurable ZERO-COPY XDP mode (see 'xdp.zero-copy')
 - mod-dnserr: module for DNS error reporting
Improvements:
 - knotd: 'zone-update-error' statistic counter covers more situations
 - knotd: 'zone.catalog-zone' configuration option is ignored if not needed
 - knotd: dynamic reconfiguration logs item value in debug mode
 - knotd: memory optimizations when reloading a zone file
 - knotd: improved interoperability with Bind9 Offline KSK operations
 - knotd: improved performance of updated zone check
 - knotd: increased maximum configuration database reader limit by 3
 - knotd: new warning logs if primaries are outdated during zone refresh
 - kxdpgun: JSON output is stream of newline-delimited objects instead of a list
 - kxdpgun: extended throughput statistics
 - libs: support for loading private ALIAS record type
 - libs: upgraded embedded libngtcp2 to 1.22.0
 - debian: switched to sysusers.d and tmpfiles.d configurations (Thanks to Luca Boccassi)
 - doc: various improvements
Bugfixes:
 - mod-onlinesign: incorrect next NSEC owner name leading to a DoS (Thanks to Shang Kunjie)
 - knotd: server crash upon receiving a malformed resource record over XFR (Thanks to Haruto Kimura)
 - knotd: generated catalog not updated if reconfigured without server restart
 - knotd: some cross-zone reconfigurations not handled correctly
 - knotd: configuration control transaction not recoverable after a semantic error
 - knotd: zone loaded from Redis backend incrementally for non-continuous changes
 - knotd: server crash when accessing an HSM in parallel by multiple background workers
 - knotd: insufficient module unloading if error
 - modules: some module hook registrations not checked for errors
 - mod-geoip: server crash if record owner missing in configuration file
 - libs: insufficient checks for malformed resource records (Thanks to Haruto Kimura)
 - redis: incorrect arity check and use-after-free in AOF (Thanks to Haruto Kimura)
 - redis: various issues when processing empty data
3.5.3
Features:
 - knotd: added statistics counter for failed zone update (see 'zone-update-error')
 - knotd: new D-Bus signal for zones not updated (see 'server.dbus-event')
 - knotc: optional parameter for delayed old KSK removal upon submission (see 'zone-ksk-submitted')
 - libs: added support for the RESINFO record type
Improvements:
 - knotd: zone inclusion deletes the whole subtree of glues and junk from the parent
 - knotd: supported unsigned input ZONEMD validation if enabled DNSSEC signing and ZONEMD generate
 - knotd: DNSSEC signing not required for key restore
 - knotd: increased defaults for 'database.timer-db-max-size' and 'database.kasp-db-max-size'
 - knotd: database connection pool is purged if reconfigured
 - knotd: removed shutdown delay if connected to a database
 - knotd: optimized memory trimming frequency for many zones
 - knotd: primary server sends NOTIFY after answering started, not sooner
 - redis: GnuTLS is not required to build the module alone !1809
 - libs: improved detection of PKCS #11 support !1830
 - libs: upgraded embedded libngtcp2 to 1.19.0
 - samples: added JSON support to probe_dump (Thanks to Benedikt Heine)
 - doc: extended and updated table of compatible PKCS #11 devices
Bugfixes:
 - knotd: DS push not replanned if reconfigured during DS submission
 - knotd: missing check for empty zone when flushing
 - knotd: missing catalog update clear if error
 - knotd: failed to parse database address without port specification
 - knotd: incorrect thread synchronization when dumping timers
 - knotd: server crashes when outbound QUIC connection is closed unexpectedly
 - knotd: zone not reloaded from database if not updated incrementally
 - knotd: UNIX socket path containing a single colon considered an IPv6 address
 - keymgr: program crashes when importing a malformed key
 - kdig: missing address context deinitialization when iterating over addresses
 - kdig: missing AA flag on NOTIFY query
3.5.2
Features:
 - knotd: configurable zone timer storage mode (see 'database.timer-db-sync')
 - libknot: added support for the DSYNC record type
 - redis: new module command for printing zone information (see 'KNOT.ZONE.INFO')
Improvements:
 - knotd: queries to a catalog zone are now allowed also for ACL rules with action 'query'
 - knotd: denied query to a catalog zone is responded to with NOTAUTH instead of REFUSED
 - knotd: existing PID file is reused if it matches current PID !1819
 - knotd: zone purge has its own zone event
 - knotd: optimized zone timer storage
 - knotd: optimized ACL evaluation
 - keymgr: added more algorithms to keystore-test and keystore-bench
 - mod-dnstap: added detection for protoc
 - libs: upgraded embedded libngtcp2 to 1.18.0
 - redis: added support for zone data replication
 - redis: extended logging
 - doc: various improvements
Bugfixes:
 - knotd: failed to receive zone with ZONEMD if enabled DNSSEC signing and ZONEMD generate
 - knotd: refresh with pinned master not rescheduled when tolerance period expired
 - knotd: failed to build with older libhiredis without TLS support
 - knotd: misleading error message when attempting to sign empty zone
 - mod-rrl: failed to compile if target architecture was specified
 - libknot: failed to dump RRSet if the initial output buffer was too small
 - libdnssec: missing digest.h in dnssec.h
 - redis: defective communication with sentinel
 - redis: failed zone load was not rescheduled
 - redis: several memory leaks
3.5.1
Features:
 - knotc: new command for setting zone SOA serial (see 'zone-serial-set')
Improvements:
 - knotd: zone database listen configuration now accepts a hostname value
 - knotd: support for specifying multiple zone databases (see 'zone-db-listen')
 - knotd: added serial parameter to D-Bus event 'external_verify'
 - libs: upgraded embedded libngtcp2 to 1.16.0
 - configure: new option for specifying Redis module destination (see '--with-redisdir')
 - configure: Redis support is fully optional (see '--enable-redis') (Thanks to Nicolas Parlant)
 - deb,rpm: renamed inappropriate package 'redis-knot' to 'redis-module-knot'
Bugfixes:
 - knotd: failed to build on PowerPC and MIPS
 - knotd: missing some checks for file operations
 - knotd: zones added via knotc conf-set include not loaded until restart
 - knotd: zone-diff after zone-begin prints misleading SOA removal
 - knotd: failed to load from other PEM keystores if PKCS #11 keystore is configured
 - knotd: failed to restore PKCS #11 keystore #960
 - knotc: failed to compile on GNU Hurd
 - keymgr: missing deprecation warning for 'local-serial' command
 - configure: linked with libhiredis even when configured with --disable-redis
 - deb,rpm: incorrect destination for Redis module (see 'Database zone backend')
3.5.0
Features:
 - knotd: database zone backend using Redis/Valkey (see 'Database zone backend')
 - knotd: support for multiple control sockets (see 'control.listen')
 - knotd: external zone validation (see 'External validation')
 - knotd: authorization based on certificate hostname validation (see 'DNS over QUIC')
 - knotd: multiple keystores can be specified per policy (see 'DNSSEC multiple keystores')
 - knotd: specified resource record types can be omitted when loading (see 'zone.zonefile-skip')
 - knotd: configurable delay before zone change processing (see 'zone.update-delay')
 - knotd: subzone flattening (see 'zone.include-from')
Improvements:
 - knotd: optimized dynamic zone addition/removal for many zones
 - knotd: optimized catalog updates for many zones
 - knotd: replaced a poor atomic fallback with a spin-lock-protected version
 - knotd: support for independent SOA serial series on the secondary side
 - knotd: self-signed certificate contains SAN instead of CN
 - knotd: removed RCU synchronization lock between unrelated zones' updates
 - knotd: zone-reload/reload fails if there is a module configuration error
 - knotd: control interfaces are started before zones loading
 - knotd: session ticket pool is purged on server reload if changed credentials
 - knotc: status returns 'Loading' if the server is not yet answering
 - knotc: extended tab completion for details, filters, and paths
 - kzonecheck: zone origin auto-detection uses SOA owner from the checked zone file
 - libknot: XDP drops packets with too many or inappropriate extended IPv6 headers
 - libknot: extended XDP checks for correct packets
 - libknot: semantically malformed resource records are dumped in generic format
 - libs: upgraded embedded libngtcp2 to 1.15.0
 - knot-exporter: less confusing option parsing and documentation
 - doc: various improvements
Bugfixes:
 - knotd: if multiple primaries send NOTIFY concurrently, only the last remote is queried
 - knotd: failed to build on macOS with POSIX semaphores
 - knotd: early zone free due to RCU-delayed update cleanup
 - knotd: server crashes if "" value overrides template master value
 - knot-exporter: label collisions caused by duplicate metrics (Thanks to Guillaume Cornet)
Packaging:
 - deb,rpm: keymgr extracted to a separate package knot-keymgr
 - deb,rpm: new package redis-knot with a Knot module for Redis/Valkey
 - docker: upgraded to Debian trixie-slim
Compatibility:
 - license: project relicensed to GPL-2.0-or-later
 - knotd: new default value of 'policy.nsec3-salt-length' is 0
 - knot-exporter: renamed some metrics, labes, or units (see 'Migration')
3.4.8
Features:
 - keymgr: implemented key pregeneration for later use (see 'for-later')
Improvements:
 - knotd: decreased remote session ticket lifetime to 1200 seconds
 - knotd: TCP connection is not shared between SOA and XFR if 'remote.no-edns' is set
 - knotd: 'zone.notify-delay' now applies to every outgoing NOTIFY
 - knotd: reduced timers database size by omitting zero timer values
 - knotd: zone-reload can be called on an expired zone
 - knotd: improved configuration commit performance when many zones are present
 - keymgr: allowed boolen key flags without an explicit 'on' value
 - keymgr: support for colon separators in keyid specification
 - utils: added INTERNET and CHAOS aliases for IN and CH class names
 - libs: upgraded embedded libngtcp2 to 1.14.0
 - doc: various improvements
Bugfixes:
 - knotd: possible use after free if member zone is reused when full reload
 - knotd: incorrect zone update revert adjustments
3.4.7
Features:
 - knotd: implemented optional NOTIFY delay upon zone loading (see 'zone.notify-delay')
 - knotd: failed ZONEMD validation emits 'dnssec-invalid' D-Bus event
 - kdig: added option for delayed reading of next transfer message (see '+msgdelay')
 - kzonecheck: new parameter for job count (see '-j')
Improvements:
 - knotd: semantic checks support DS algorithms 5 and 6
 - knotd: pending generation of reverse records is logged as warning
 - knotd: DNSKEY synchronization considers keytag modulo for better reliability
 - knotd: zone-(un)set parser errors no longer logged by the server
 - knotd: more verbose zone-(un)set parser errors are returned to the client
 - knotc: configuration warnings are printed only with the conf-check command
 - kdig: enabled TLS 1.2 support (with warning)
 - kdig: more verbose TLS/QUIC certificate information - SAN (see '-dd')
 - mod-rrl: disabled optimized KRU version on macOS to fix CPU issues
 - libknot: added two specific variants of KNOT_EAGAIN error (KNOT_NET_EAGAIN, KNOT_ETRYAGAIN)
 - libs: upgraded embedded libngtcp2 to 1.13.0
 - knot-exporter: added maximum libknot version dependency #956
 - knot-exporter: removed return statement from a finally block #957
 - packaging: new knot-exporter and python3-libknot RPM subpackages
 - doc: simplified highlighting of options enabled by default
 - doc: various improvements
Bugfixes:
 - knotd: false warning for missing glue if NS is at other delegation
 - knotd: missing rdata canonicalization in zone-(un)set operations
 - knotd: missing check for member zone configured with a non-generated catalog
 - knotd: benevolent IXFR skips whole rrset when ignoring a record
 - knotd: missing next remove key action log during KSK/algorithm rollover
 - knotd: missing catalog template configuration checks
 - knotd: missing check for empty QUIC connection in XDP mode
 - libknot: incorrect trailing rdata check in packet parser
 - kdig: ignored DoQ response from dnsdist #954
 - packaging: uninstalling lib*t64 packages removes files from upstream packages
3.4.6
Improvements:
 - knotd: default TSIG algorithm is now 'hmac-sha256'
 - knotd: added zone expiration info to the failed zone refresh log
 - knotd: reverse record generation now accepts multiple forward zones to be reversed
 - keymgr: underscores are now tolerated instead of dashes in command names
 - keymgr: correct mnemonic 'rsasha1-nsec3-sha1' is used instead of 'rsasha1nsec3sha1'
 - kdig: new '+[no]doflag' alias for '+[no]dnssec' #952
 - kdig: documented default option values #951
 - kxdpgun: extended JSON output with some packet statistics
 - doc: various updates and improvements
Bugfixes:
 - knotd: failed to stop the server if 'dbus-event: running` is set
 - knotd: TLS 0-RTT not working if compiled with the QUIC support
 - knotd: TLS handshake fails on FreeBSD
 - knotd: outbound QUIC communication fails on FreeBSD
 - knotd: KSK submission not ignored in the manual key management mode
 - knotd: failed to bind to a UNIX socket on recent Linux kernels
 - kzonecheck: failed to check non-trivial zones through standard input
3.4.5
Features:
 - knotd: support for SOA serial shift (see 'serial-modulo')
 - knotd: new server statistics (see 'tcp-io-timeout"' and 'tcp-idle-timeout')
Improvements:
 - knotd: better signing performance of many zones in parallel by
          moving 'last_signed_serial' from KASP database to timer database
 - knotd: the 'terminated inactive client' TCP log moved to debug level
 - knotd: allowed initial DDNS to an empty zone
 - knotd: extended backup and flush argument checks
 - knotd: new debug logs for zone events suspension
 - libs: upgraded embedded libngtcp2 to 1.11.0
 - doc: new section Multi-primary, updates
Bugfixes:
 - libdnssec: inappropriate DNSKEY flags evaluation
 - libknot: incorrect VLAN map size calculation for XDP
3.4.4
Features:
 - knotd: added support for EDNS ZONEVERSION
 - kdig: added support for EDNS ZONEVERSION (see '+zoneversion')
Improvements:
 - knotd: improved control error detection and reporting
 - kdig: proper section names for exported DDNS messages
 - libs: upgraded embedded libngtcp2 to 1.10.0
 - python: expanded documentation for the libknot control API
 - doc: updated XDP prerequisites
Bugfixes:
 - knotd: a DNAME record at the zone apex with active NSEC3 not accepted via XFR
 - knotd: configuration abort times out if no active transaction
 - knotd: defective serial modulo result if it overflows
 - knotd: TLS connections not properly terminated
 - knotd: maximum zone TTL not correctly recomputed after RRSIG TTL change
 - knotd: zone hangs if zone reload fails (Thanks to solidcc2)
 - knotd: statistics dump generates invalid YAML output if XDP is enabled #947
 - knotd: insufficient check for incomplete control message
 - mod-dnstap: used incorrect type for DDNS messages
 - knot-exporter: failed to run with Python 3.11 or older
 - tests: test_atomic and test_spinlock require building with the daemon enabled #946
3.4.3
Improvements:
 - knotd: improved processing of QNAMEs containing zero bytes
 - knotd: zone expiration now aborts possible zone control transaction #929
 - knotd: generated catalog memeber metadata is stored when the zone is loaded
 - knotd: new configuration check for using default NSEC3 salt length, which will change
 - mod-rrl: added QNAME (if possible) and transport protocol to log messages
 - mod-rrl: increased defaults for 'log-period' to 30 secs, 'rate-limit' to 50,
            'instant-rate-limit' to 125, and 'time-rate-limit' to 5 ms
 - kxdpgun: added space separators to some printed values for better readability
 - libs: upgraded embedded libngtcp2 to 1.9.1
 - knot-exporter: zone timers metric is now disabled by default (see '--zone-timers')
 - packaging: added build dependency softhsm for PKCS #11 testing on RPM distributions
 - doc: updated description of DNSSEC key management and module RRL
Bugfixes:
 - knotd: more active ZSKs cause cumulative ZSK rollovers
 - knotd: zone purge clears active generated catalog member metadata
 - mod-rrl: authorized requests are rate limited #943
 - kdig: misleading warning about timeout during QUIC connection
 - keymgr: public-only keys are marked as missing in the list output

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/knot |  8 ++++----
 lfs/knot                     | 20 ++++++++++----------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/config/rootfiles/common/knot b/config/rootfiles/common/knot
index 5d0ab19d3..fdca132f8 100644
--- a/config/rootfiles/common/knot
+++ b/config/rootfiles/common/knot
@@ -4,12 +4,12 @@ usr/bin/kdig
 #usr/lib/libdnssec.la
 #usr/lib/libdnssec.lai
 #usr/lib/libdnssec.so
-usr/lib/libdnssec.so.9
-usr/lib/libdnssec.so.9.0.0
+usr/lib/libdnssec.so.10
+usr/lib/libdnssec.so.10.0.0
 #usr/lib/libknot.la
 #usr/lib/libknot.lai
 #usr/lib/libknot.so
-usr/lib/libknot.so.15
-usr/lib/libknot.so.15.0.0
+usr/lib/libknot.so.16
+usr/lib/libknot.so.16.0.0
 #usr/lib/libknotus.a
 #usr/lib/libknotus.la
diff --git a/lfs/knot b/lfs/knot
index 6645c7be5..63bb5d264 100644
--- a/lfs/knot
+++ b/lfs/knot
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 3.4.2
+VER        = 3.5.4
 
 THISAPP    = knot-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 0b633b27b22665db243bc4222f05028a17ee7ec6ba5960ff1cfe503d27bf3d26218f771cb15b70bbf8782898bcc7748bd5c27d55747607a1d93f784cdadddad7
+$(DL_FILE)_BLAKE2 = ddd7b2fdcc2fbd23c3ff3173026883bae4b068eac7b076a641353a0c2f13b525914c6d8df3ea41b339667c28f4f5e70486b51fc7b6eee2de7bdf648b3ec2d3c8
 
 install : $(TARGET)
 
@@ -74,13 +74,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && ./configure \
-		--prefix=/usr \
-		--enable-static=no \
-		--disable-fastparser \
-		--disable-daemon \
-		--disable-modules \
-		--enable-maxminddb=no \
-		--disable-documentation
+				--prefix=/usr \
+				--enable-static=no \
+				--disable-fastparser \
+				--disable-daemon \
+				--disable-modules \
+				--enable-maxminddb=no \
+				--disable-documentation
 	cd $(DIR_APP)/src && make $(MAKETUNING) kdig
 	cd $(DIR_APP)/src/.libs && cp -av kdig /usr/bin
 	cd $(DIR_APP)/src/.libs && cp -av lib* /usr/lib
-- 
2.54.0

[PATCH] lldpd: Update to version 1.0.21

[Adolf Belka]

- Update from version 1.0.20 to 1.0.21
- No change to rootfile
- Changelog
1.0.21
 * Changes:
   + Add "configure lldp portdescription-source" to choose how to populate port
	description (#763)
 * Fix:
   + Fix path traversal vulnerabilities in the privileged process (#773, #774)
   + Fix arbitrary file deletion in the privileged process (#772)
   + Fix accuracy of Dot3 MAU types advertised and add support for 200G and 400G (#771)
   + Fix detection of wireless interfaces (#738)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 lfs/lldpd | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/lfs/lldpd b/lfs/lldpd
index 72954fb0d..012ebc640 100644
--- a/lfs/lldpd
+++ b/lfs/lldpd
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.0.20
+VER        = 1.0.21
 
 THISAPP    = lldpd-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 95743f28d9b3c8ad6f354f7def5f835d9b0668c151ad429dccfc7a249e29234a9ca1fda6b3bcc2890c424053b5adf2d4d9d7c0cb2887e97cc32b42577b91c63a
+$(DL_FILE)_BLAKE2 = 4420fa88b934a368741e3d2cf26fe8dc9b84eb45a604f31b6b9588e992eda3e5be0767187bebc9137d90b632fe17af647f3134dc05e3251b73b113338cb2a44c
 
 install : $(TARGET)
 
@@ -81,13 +81,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && ./configure \
-		--prefix=/usr \
-		--sysconfdir=/etc \
-		--localstatedir=/var \
-		--disable-static \
-		--with-privsep-user=nobody \
-		--with-privsep-group=nobody \
-		--without-embedded-libevent \
+				--prefix=/usr \
+				--sysconfdir=/etc \
+				--localstatedir=/var \
+				--disable-static \
+				--with-privsep-user=nobody \
+				--with-privsep-group=nobody \
+				--without-embedded-libevent \
 		$(EXTRA_ARGS)
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
-- 
2.54.0

[PATCH] mympd: Update to version 25.0.1

[Adolf Belka]

- Update from version 22.1.1 to 25.0.1
- No chanjge to rootfile
- Changelog
25.0.1
	- Upd: Translation #1527 #1529
	- Fix: Compile error with libmpdclient 2.24 #1528
25.0.0
	This is the first release that supports only MPD 0.23.5 and higher and
	 Lua 5.4.x and higher.
	- Feat: Use myGPIOd REST-API #1510
	- Feat: Implement merge sort for linked lists
	- Feat: Use a faster algorithm for shuffling linked lists
	- Feat: Regularly save the myMPD state if myMPD is active
	- Feat: Scripting - Add custom Lua function `mympd.firstTableValue`
	- Upd: Bump requirement for MPD and Lua versions
	- Upd: Search and utf8 handling improvements
	- Upd: Add connection header to responses
	- Upd: Improve HTTP session handling
	- Fix: Check for minimum string length in json payload
	- Fix: libutf8proc is an unused shared library in mympd-script #1520
24.0.3
	- Upd: Split sds_extras compile unit
	- Fix: test_utf8wrap still fails #1519
	- Fix: Reset scrolling position on search
24.0.2
	- Fix: Define NDEBUG for all release types but Debug #1515
	- Fix: utf8 test failures #1514
24.0.1
	- Fix: Handle invalid unicode strings #1511
24.0.0
	This release improves the integrated search by using string normalization and
	 adding a fuzzy search option. Furthermore the mpd connection handling was
	 improved.
	The documentation site was migrated from Mkdocs to Sphinx, because of the
	 deprecation of Material for Mkdocs.
	- Feat: Fuzzy substring matching using the levenshtein distance
	- Feat: String normalization for album, webradio, playlists and filesystem search
	- Feat: Replace utf8 implementation with utf8proc library
	- Feat: Add setting for default search operator
	- Upd: Migrate documentation to Sphinx with Sphinx Book Theme #1495
	- Upd: Move lyrics handling from mympd_api to webserver thread
	- Upd: Performance improvements for mympd_api polling
	- Upd: Stability improvements in MPD connection handling
	- Upd: Limit length of smart playlists #1505
	- Fix: Handling of HTTP connections #1503
	- Fix: Endless scrolling in mobile view #1504
23.0.1
	- Upd: Translations
	- Upd: Mongoose 7.20
	- Upd: Optimize build for openSUSE Build Service
	- Fix: Segvault in album view if song title tag not exists
	- Fix: Segvault in playlist view if song title tag not exists
23.0.0
	This versions enhances the jukebox implementation and the album handling.
	- Feat: Keep jukebox queue between myMPD restarts #1485
	- Feat: Add option for Jukebox Autostart #1482
	- Feat: Manually trigger refill of the jukebox queue #1483
	- Feat: Configurable jukebox queue lengths #1484
	- Feat: Add option for default behavior on click on tag in browse view #1472
	- Feat: Optionally group songs with empty album tag in a special
	   `Unknown Album` album #1472
	- Feat: Support large images
	- Feat: Add implicit secondary sort tag to album view
	- Feat: Add option to increase the size of action icons in lists #1489
	- Upd: Remove obsolete config variable save_caches
	- Fix: Do not reset scrolling position on update of lists #1478
	- Fix: Try to keep select if list is refreshed because of an event #1479
	- Fix: Song count and limit calculation for last played list #1487
	- Fix: Display Disc 1 for multidisc albums #1490
22.1.2
	- Upd: Translations
	- Fix: Initialize mg_user_data in debug build
	- Fix: Listing songs from Artists List view fails #1474
	- Fix: Random select if only one entry must be added #1480

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 lfs/mympd | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lfs/mympd b/lfs/mympd
index 17ab9be3a..cd591fca4 100644
--- a/lfs/mympd
+++ b/lfs/mympd
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = Webfrontend for Music Player Daemon
 
-VER        = 22.1.1
+VER        = 25.0.1
 
 THISAPP    = myMPD-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = mympd
-PAK_VER    = 16
+PAK_VER    = 17
 
 DEPS       = mpd libmpdclient
 
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = a64c9691e552c63fcdaf7cbca71a33d812293477f5676ffeb63fb1b7d230d69f3c4f6efdd188afa2a596543644bb3920d12e00f59fd3f5ebce1f04a6a4d01dda
+$(DL_FILE)_BLAKE2 = 9a4c726f5d38769198a0f1b363270002664880cffe61c007b58b9dbabeadd2f929bd70e9780039eb1230ebe19edc675b9b5a99f375f7c9fd52220cd6a4a4c20b
 
 install : $(TARGET)
 
-- 
2.54.0

[PATCH] oath-toolkit: Update to version 2.6.14

[Adolf Belka]

- Update from version 2.6.13 to 2.6.14
- No change to rootfile
- Changelog
2.6.14
** pam_oath: Support null_usersfile_okay parameter.
	The argument no_usersfile_okay forces the module to act as if the user
	is not present in the config, if the config file does not exist. This
	has security implications only use if you know what you are
	doing. E.g.  if the file is in a mount like home and that fails to be
	mounted, then this will succeed even if the OTP if configured for that
	user.  Patch by Luna, Jan Zerebecki, and Miika Alikirri; see
	<https://codeberg.org/oath-toolkit/oath-toolkit/pulls/94>.
** pam_oath README: Suggest `KbdInteractiveAuthentication`.
	Instead of deprecated `ChallengeResponseAuthentication`.  Patch by
	lvgenggeng, see
	<https://codeberg.org/oath-toolkit/oath-toolkit/pulls/112>.
** Various build fixes including updated gnulib files.
	Fixes building with glibc 2.43, see
	<https://codeberg.org/oath-toolkit/oath-toolkit/issues/113>.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 lfs/oath-toolkit | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lfs/oath-toolkit b/lfs/oath-toolkit
index 70aa20256..3834d010d 100644
--- a/lfs/oath-toolkit
+++ b/lfs/oath-toolkit
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2022-2025  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2022-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 2.6.13
+VER        = 2.6.14
 
 THISAPP    = oath-toolkit-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 055014039c611c382ba1cf902482c22df765636e7393e0a3f5acb0811a6be55b6b9dc7fc269d31705081bf02c240589d4fecdeb79fd151082a902e09597e7303
+$(DL_FILE)_BLAKE2 = 0d20e9d60350268080abd245b47bd84ae426a0007cba8af049994a1f6a5f9153220a570f3ff93432a8c369e8becc342011cea46cf3c75cad2e3f8a70107af2e3
 
 install : $(TARGET)
 
@@ -72,7 +72,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && find . -name wchar.in.h | xargs sed -i 's/^\(_GL_EXTERN_C wchar_t \*\)wmemchr (/\1(wmemchr) (/'
 	cd $(DIR_APP) && find . -name stdlib.in.h | xargs sed -i 's/^\(_GL_EXTERN_C void \*\)bsearch (/\1(bsearch) (/'
-	cd $(DIR_APP) && ./configure --prefix=/usr
+	cd $(DIR_APP) && ./configure \
+				--prefix=/usr
 	cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
 	cd $(DIR_APP) && make install
 	@rm -rf $(DIR_APP)
-- 
2.54.0

[PATCH] samba: Update to version 4.24.1

[Adolf Belka]

- Update from version 4.23.6 to 4.24.1
- Update of rootfiles for all three architectures
- Changelog
4.24.1
   * BUG 16057: autobuild fails if /proc/version contains trailing space
   * BUG 16035: use after free in streams_xattr_connect()
   * BUG 16042: rpc workers with long living clients grow server  memory keytab
   * BUG 16058: vfs_snapper failing to access or enumerate files in subfolders
   * BUG 16040: Samba is not build with FORTIFY_SOURCE
   * BUG 16055: Fix tests with MIT Kerberos 1.22.x
4.24.0
NEW FEATURES/CHANGES
Authentication information audit support
	There are some Active Directory attributes that are not secret, but
	 are relied on in some forms of authentication. Changes to these
	 attributes could indicate surreptitious activity. The
	 "dsdb_password_audit" and "dsdb_password_json_audit" debug classes now
	 log changes to the following attributes:
	   * altSecurityIdentities
	   * dNSHostName
	   * msDS-AdditionalDnsHostName
	   * msDS-KeyCredentialLink
	   * servicePrincipalName
	For the JSON logs, changes to these will be logged with the "action"
	 field set to "Auth info change".
vfs_streams_xattr can hold larger streams
	On Linux the size of a single extended attribute is limited to 65536
	 bytes of size. For some file systems, this is also the overall limit
	 of space for xattrs, but for example xfs can hold more than that 64k
	 of extended xattrs, although the individual xattr is still limited to
	 64k. Setting
	    streams_xattr:max xattrs per stream = 1
	 to a higher value than 1 will allow Samba to shard the stream to more
	 than one xattr. It has an artificial limit of 16 for a maximum stream
	 length of 1MB.
Support for remote password management (Entra ID SSPR, Keycloak)
	When a system such as Entra ID or Keycloak wants to change a user's
	 password in its own database as well as in AD, it will use a password
	 reset, meaning it does not transmit the old password to the domain
	 controller. Normally a password reset avoids password history and age
	 checks, which would allow a cloud password change to bypass
	 on-premises password policies. To address this, a password reset using
	 the "policy hints" control should respect password policies, as if it
	 were an ordinary password change. Both Entra ID and Keycloak use this,
	 but until now Samba did not understand this control, and would reject
	 these reset requests.
	Now Samba AD will recognise the policy hints control and enforce local
	 policy. This allows Microsoft Entra self-service password reset (SSPR)
	 to work, and for Keycloak to work with the "password policy hints
	 enabled" option.
Kerberos PKINIT KeyTrust logon support
	Samba servers configured with the embedded heimdal KDC and running as an ADDC,
	 now support "Windows Hello for Business Key-Trust logons". This allows the
	 PKINIT authentication mechanism to be used with self-signed keys.
	The samba-tool computer and user commands have a new "keytrust"
	 sub-command which allows for the setting and viewing of the public key
	 details for computer and user accounts. This stores the public key
	 details in msDS-KeyCredentialLink attribute of the account.
msDS-KeyCredentialLink validation
	Updates to the msDS-KeyCredentialLink attribute are validated against the
	 rules specified by MS-ADTS 3.1.1.5.3.1.1.6.
Kerberos PKINIT strong/flexible key mappings
	Samba servers configured with the embedded heimdal KDC and running as an ADDC
	 now support "Windows Strong and Flexible key mappings" as outlined in
	 Microsoft KB5014754: Certificate-based authentication changes on Windows domain
	 controllers.
	The default enforcement mode ("full") allows only strong certificate
	 mappings. The smb.conf option
	    strong certificate binding enforcement = compatibility
	will allow weak mappings where the certificate is newer than the user
	 account. The option "none" will allow any mappings.
	The mappings for an account should be placed in the altSecurityIdentities
	 attribute and follow the syntax documented in KB5014754.
Kerberos PKINIT SID extension
	PKINIT authentication now supports certificates containing an Object SID
	 extension (extension 1.3.6.1.4.1.311.25.2), this is considered to be a STRONG
	 mapping for KB5014754.
	The computer and user samba-tool commands have a new sub-command
	 "generate-csr" to generate certificate signing requests.
KDC includes PAC by default
	Samba will ignore the value provided by the client in "PA-PAC-REQUEST"
	 and always include a PAC in responses, unless "kdc always generate
	 pac" is set to "no".
KDC can insist clients request canonicalization
	Canonicalization of principal client names is not mandatory in
	 Kerberos (per RFC4120), but must be requested by the client. In some
	 circumstances allows a client to deceive Active Directory member
	 servers (known as the "dollar ticket" attack).
	The new configuration option "kdc require canonicalization" can be
	 used to require that clients request canonicalization; if they do not,
	 their AS_REQ requests will be rejected as if the account was unknown.
	The default value is "no", for backward compatibility. Windows clients
	 will ask for canonicalization by default, so in Windows-heavy
	 environments it is safe and recommended to set this to "yes".
KDC can avoid potentially confusing canonicalization
	Currently when the client does not request canonicalization, when the
	 KDC looks up a name and there is no match it will append a "$" to the
	 name and try again. An attacker who can create arbitrary machine
	 accounts can sometimes get tickets for Unix users by mimicking their
	 names (the "dollar ticket" attack).
	The configuration option
	    kdc name match implicit dollar without canonicalization = no
	 can be used to disable this behaviour for clients that do not request
	 canonicalization. Probably this only affects traditional Unix clients,
	 as Windows clients use canonicalization. If affected clients want a
	 ticket for a machine account, they will have to use the full name
	 including the dollar (e.g. "server$", not "server").
	If the "kdc require canonicalization" option cannot be set to "yes"
	 (because some clients do not request canonicalization) setting this
	 option to "no" is a good alternative.
KDC provides Kerberos acceptors with canonical client names
	By default the KDC will now send Kerberos services the canonicalized
	 name (the sAMAccountName from the PAC) rather than trusting the cname.
	To return to the old behaviour, use
	    krb5 acceptor report canonical client name = no
	 in the smb.conf.
	This currently affects Heimdal KDC only, not MIT.
KDC recommended configuration:
	strong certificate binding enforcement                            full
	kdc always include pac                                            yes
	kdc require canonicalization                                      yes
	If unable to use "kdc require canonicalization" = "yes", then
	"kdc name match implicit dollar without implicit canonicalization" should be
	set to "no" if possible.
samba tool
	Two new sub-commands have been added to the user and computer commands:
	user|computer generate-csr
	    Generate a Certificate signing request for an account containing the
	    Object SID extension  (extension 1.3.6.1.4.1.311.25.2)
	user|computer keytrust
	   Add the public key details of a self signed certificate to an account.
	   The command supports PEM and DER encoded public keys.
New AIO rate-limiting VFS module
	A new VFS stackable module has been introduced to implement rate-limiting for
	asynchronous I/O operations. Administrators can now enforce throughput ceilings
	by defining limits in either operations per second or bytes per second. The
	module utilizes a token-based algorithm to calculate real-time I/O load; when
	limits are exceeded, it dynamically injects millisecond delays into async
	operations to maintain the defined threshold.
CephFS FSCrypt support for the VFS ceph_new module
	The ceph_new VFS module can now make use of the FSCrypt feature recently added
	to CephFS. This enhancement enables data and file name encryption on a per
	share basis. A single CephFS file system may host a mix of encrypted and
	unencrypted directories.
	To obtain the encryption keys needed for FSCrypt the ceph_new module includes
	support for the Keybridge protocol. Keybridge is an RPC protocol based on
	Varlink that can retrieve keys from a local service via a UNIX socket. Users
	can choose to develop a custom Keybridge implementation or use the existing
	KMIP-compatible Keybridge server available as part of the sambacc project
	(https://github.com/samba-in-kubernetes/sambacc).
Domain encryption types changed to AES by default
	The default value of the smb.conf option ‘kdc default domain supported enctypes’
	now corresponds to ‘aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96’ (both AES
	encryption types) if the domain functional level is 2008 or higher. This
	addresses CVE-2026-20833.
smb.conf changes
  Parameter Name                          Description     Default
  strong certificate binding enforcement  New             full
  certificate backdating compensation     New             0
  kdc always include pac                  New             yes
  kdc require canonicalization            New             no
  kdc name match implicit dollar without canonicalization
                                          New             yes
  kdc default domain supported enctypes   New default     AES encryption types (if supported by domain)
bugfixes
   * BUG 16019: incorrect behavior on rpcclient enumport with rpcd_spoolss
   * BUG 16001: altSecurityIdentities X509 issuer DN order is reversed
   * BUG 16000: vfs_aio_ratelimit: introduce burst-aware and persistent state
     model
4.24.0rc3
   * BUG 15990: No function _python_sysroot defined
   * BUG 15978: leases torture test flappy
   * BUG 15984: smbd: in contend_dirleases() don't bother checking when not
     enabled
   * BUG 15993: 'net ads kerberos kinit' should use also default ccache name
     from krb5.conf
   * BUG 15789: "use-kerberos=desired" broken
   * BUG 15975: source3/libads/kerberos.c sets wrong failure for negative
     connection cache
   * BUG 15938: CTDB's statd_callout fails on sm-notify
   * BUG 15939: CTDB statd_callout_notify notifies unnecessary clients and loses
     their state
   * BUG 15939: CTDB statd_callout_notify notifies unnecessary clients and loses
     their state
   * BUG 15998: Backport domain default AES encryption types to 4.24
4.24.0rc2
   * BUG 15979: possible memory leak  on rpc_spoolss
   * BUG 15972: Winbind group resolution failure
   * BUG 15979: possible memory leak  on rpc_spoolss
   * BUG 15977: ctdbd socket documentation is wrong
   * BUG 15976: time_t related build failure on 32bit arch in 4.24.0rc1

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/packages/aarch64/samba | 17 +++++++++++++++++
 config/rootfiles/packages/riscv64/samba | 17 +++++++++++++++++
 config/rootfiles/packages/x86_64/samba  | 17 +++++++++++++++++
 lfs/samba                               |  6 +++---
 4 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/packages/aarch64/samba b/config/rootfiles/packages/aarch64/samba
index d1e56440a..f1b997a87 100644
--- a/config/rootfiles/packages/aarch64/samba
+++ b/config/rootfiles/packages/aarch64/samba
@@ -124,6 +124,7 @@ usr/bin/wspsearch
 #usr/include/samba-4.0/util/idtree_random.h
 #usr/include/samba-4.0/util/signal.h
 #usr/include/samba-4.0/util/substitute.h
+#usr/include/samba-4.0/util/talloc_keep_secret.h
 #usr/include/samba-4.0/util/tfork.h
 #usr/include/samba-4.0/util/time.h
 #usr/include/samba-4.0/util_ldb.h
@@ -188,6 +189,7 @@ usr/lib/python3.10/site-packages/ldb.cpython-310-aarch64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/__init__.py
 usr/lib/python3.10/site-packages/samba/_glue.cpython-310-aarch64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/_ldb.cpython-310-aarch64-linux-gnu.so
+usr/lib/python3.10/site-packages/samba/asn1.py
 usr/lib/python3.10/site-packages/samba/auth.cpython-310-aarch64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/auth_util.py
 usr/lib/python3.10/site-packages/samba/colour.py
@@ -287,6 +289,7 @@ usr/lib/python3.10/site-packages/samba/emulate/traffic.py
 usr/lib/python3.10/site-packages/samba/emulate/traffic_packets.py
 usr/lib/python3.10/site-packages/samba/forest_update.py
 usr/lib/python3.10/site-packages/samba/functional_level.py
+usr/lib/python3.10/site-packages/samba/generate_csr.py
 usr/lib/python3.10/site-packages/samba/gensec.cpython-310-aarch64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/getopt.py
 usr/lib/python3.10/site-packages/samba/gkdi.py
@@ -337,6 +340,7 @@ usr/lib/python3.10/site-packages/samba/kcc/graph.py
 usr/lib/python3.10/site-packages/samba/kcc/graph_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/kcc_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/ldif_import_export.py
+usr/lib/python3.10/site-packages/samba/key_credential_link.py
 usr/lib/python3.10/site-packages/samba/logger.py
 usr/lib/python3.10/site-packages/samba/lsa_utils.py
 usr/lib/python3.10/site-packages/samba/mdb_util.py
@@ -353,6 +357,8 @@ usr/lib/python3.10/site-packages/samba/netbios.cpython-310-aarch64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/netcmd/__init__.py
 usr/lib/python3.10/site-packages/samba/netcmd/common.py
 usr/lib/python3.10/site-packages/samba/netcmd/computer.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_generate_csr.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/contact.py
 usr/lib/python3.10/site-packages/samba/netcmd/dbcheck.py
 usr/lib/python3.10/site-packages/samba/netcmd/delegation.py
@@ -434,7 +440,9 @@ usr/lib/python3.10/site-packages/samba/netcmd/user/delete.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/disable.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/edit.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/enable.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/generate_csr.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/getgroups.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/list.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/move.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/password.py
@@ -580,6 +588,7 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/domain_backup_offline.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_api.py
+#usr/lib/python3.10/site-packages/samba/tests/dsdb_dn.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_dns.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_lock.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_quiet_env_tests.py
@@ -609,6 +618,7 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/kcc_utils.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/ldif_import_export.py
 #usr/lib/python3.10/site-packages/samba/tests/key_credential_link.py
+#usr/lib/python3.10/site-packages/samba/tests/key_credential_link_samdb.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5
 #usr/lib/python3.10/site-packages/samba/tests/krb5/alias_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/as_canonicalization_tests.py
@@ -629,12 +639,14 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgs_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgt_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/key_trust_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kpasswd_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/lockout_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/netlogon.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/nt_hash_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pac_align_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_certificate_mapping_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/protected_users_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/raw_testcase.py
@@ -756,8 +768,10 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_policy.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_silo.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_check_password_script.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_generate_csr.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_get_kerberos_ticket.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_getpassword_gmsa.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_keytrust.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_base.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
@@ -975,6 +989,7 @@ usr/lib/samba/vfs/acl_tdb.so
 usr/lib/samba/vfs/acl_xattr.so
 usr/lib/samba/vfs/aio_fork.so
 usr/lib/samba/vfs/aio_pthread.so
+usr/lib/samba/vfs/aio_ratelimit.so
 usr/lib/samba/vfs/audit.so
 usr/lib/samba/vfs/btrfs.so
 usr/lib/samba/vfs/cap.so
@@ -1039,6 +1054,8 @@ usr/sbin/winbindd
 #usr/share/locale/hu/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/it/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ja/LC_MESSAGES/pam_winbind.mo
+#usr/share/locale/ka/LC_MESSAGES/net.mo
+#usr/share/locale/ka/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ko/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nb/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nl/LC_MESSAGES/pam_winbind.mo
diff --git a/config/rootfiles/packages/riscv64/samba b/config/rootfiles/packages/riscv64/samba
index 2cff83ea1..17d234343 100644
--- a/config/rootfiles/packages/riscv64/samba
+++ b/config/rootfiles/packages/riscv64/samba
@@ -124,6 +124,7 @@ usr/bin/wspsearch
 #usr/include/samba-4.0/util/idtree_random.h
 #usr/include/samba-4.0/util/signal.h
 #usr/include/samba-4.0/util/substitute.h
+#usr/include/samba-4.0/util/talloc_keep_secret.h
 #usr/include/samba-4.0/util/tfork.h
 #usr/include/samba-4.0/util/time.h
 #usr/include/samba-4.0/util_ldb.h
@@ -188,6 +189,7 @@ usr/lib/python3.10/site-packages/ldb.cpython-310-riscv64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/__init__.py
 usr/lib/python3.10/site-packages/samba/_glue.cpython-310-riscv64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/_ldb.cpython-310-riscv64-linux-gnu.so
+usr/lib/python3.10/site-packages/samba/asn1.py
 usr/lib/python3.10/site-packages/samba/auth.cpython-310-riscv64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/auth_util.py
 usr/lib/python3.10/site-packages/samba/colour.py
@@ -287,6 +289,7 @@ usr/lib/python3.10/site-packages/samba/emulate/traffic.py
 usr/lib/python3.10/site-packages/samba/emulate/traffic_packets.py
 usr/lib/python3.10/site-packages/samba/forest_update.py
 usr/lib/python3.10/site-packages/samba/functional_level.py
+usr/lib/python3.10/site-packages/samba/generate_csr.py
 usr/lib/python3.10/site-packages/samba/gensec.cpython-310-riscv64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/getopt.py
 usr/lib/python3.10/site-packages/samba/gkdi.py
@@ -337,6 +340,7 @@ usr/lib/python3.10/site-packages/samba/kcc/graph.py
 usr/lib/python3.10/site-packages/samba/kcc/graph_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/kcc_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/ldif_import_export.py
+usr/lib/python3.10/site-packages/samba/key_credential_link.py
 usr/lib/python3.10/site-packages/samba/logger.py
 usr/lib/python3.10/site-packages/samba/lsa_utils.py
 usr/lib/python3.10/site-packages/samba/mdb_util.py
@@ -353,6 +357,8 @@ usr/lib/python3.10/site-packages/samba/netbios.cpython-310-riscv64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/netcmd/__init__.py
 usr/lib/python3.10/site-packages/samba/netcmd/common.py
 usr/lib/python3.10/site-packages/samba/netcmd/computer.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_generate_csr.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/contact.py
 usr/lib/python3.10/site-packages/samba/netcmd/dbcheck.py
 usr/lib/python3.10/site-packages/samba/netcmd/delegation.py
@@ -434,7 +440,9 @@ usr/lib/python3.10/site-packages/samba/netcmd/user/delete.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/disable.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/edit.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/enable.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/generate_csr.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/getgroups.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/list.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/move.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/password.py
@@ -580,6 +588,7 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/domain_backup_offline.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_api.py
+#usr/lib/python3.10/site-packages/samba/tests/dsdb_dn.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_dns.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_lock.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_quiet_env_tests.py
@@ -609,6 +618,7 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/kcc_utils.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/ldif_import_export.py
 #usr/lib/python3.10/site-packages/samba/tests/key_credential_link.py
+#usr/lib/python3.10/site-packages/samba/tests/key_credential_link_samdb.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5
 #usr/lib/python3.10/site-packages/samba/tests/krb5/alias_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/as_canonicalization_tests.py
@@ -629,12 +639,14 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgs_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgt_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/key_trust_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kpasswd_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/lockout_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/netlogon.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/nt_hash_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pac_align_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_certificate_mapping_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/protected_users_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/raw_testcase.py
@@ -756,8 +768,10 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_policy.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_silo.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_check_password_script.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_generate_csr.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_get_kerberos_ticket.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_getpassword_gmsa.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_keytrust.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_base.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
@@ -975,6 +989,7 @@ usr/lib/samba/vfs/acl_tdb.so
 usr/lib/samba/vfs/acl_xattr.so
 usr/lib/samba/vfs/aio_fork.so
 usr/lib/samba/vfs/aio_pthread.so
+usr/lib/samba/vfs/aio_ratelimit.so
 usr/lib/samba/vfs/audit.so
 usr/lib/samba/vfs/btrfs.so
 usr/lib/samba/vfs/cap.so
@@ -1039,6 +1054,8 @@ usr/sbin/winbindd
 #usr/share/locale/hu/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/it/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ja/LC_MESSAGES/pam_winbind.mo
+#usr/share/locale/ka/LC_MESSAGES/net.mo
+#usr/share/locale/ka/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ko/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nb/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nl/LC_MESSAGES/pam_winbind.mo
diff --git a/config/rootfiles/packages/x86_64/samba b/config/rootfiles/packages/x86_64/samba
index d800fca99..582ed8ebe 100644
--- a/config/rootfiles/packages/x86_64/samba
+++ b/config/rootfiles/packages/x86_64/samba
@@ -124,6 +124,7 @@ usr/bin/wspsearch
 #usr/include/samba-4.0/util/idtree_random.h
 #usr/include/samba-4.0/util/signal.h
 #usr/include/samba-4.0/util/substitute.h
+#usr/include/samba-4.0/util/talloc_keep_secret.h
 #usr/include/samba-4.0/util/tfork.h
 #usr/include/samba-4.0/util/time.h
 #usr/include/samba-4.0/util_ldb.h
@@ -188,6 +189,7 @@ usr/lib/python3.10/site-packages/ldb.cpython-310-x86_64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/__init__.py
 usr/lib/python3.10/site-packages/samba/_glue.cpython-310-x86_64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/_ldb.cpython-310-x86_64-linux-gnu.so
+usr/lib/python3.10/site-packages/samba/asn1.py
 usr/lib/python3.10/site-packages/samba/auth.cpython-310-x86_64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/auth_util.py
 usr/lib/python3.10/site-packages/samba/colour.py
@@ -287,6 +289,7 @@ usr/lib/python3.10/site-packages/samba/emulate/traffic.py
 usr/lib/python3.10/site-packages/samba/emulate/traffic_packets.py
 usr/lib/python3.10/site-packages/samba/forest_update.py
 usr/lib/python3.10/site-packages/samba/functional_level.py
+usr/lib/python3.10/site-packages/samba/generate_csr.py
 usr/lib/python3.10/site-packages/samba/gensec.cpython-310-x86_64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/getopt.py
 usr/lib/python3.10/site-packages/samba/gkdi.py
@@ -337,6 +340,7 @@ usr/lib/python3.10/site-packages/samba/kcc/graph.py
 usr/lib/python3.10/site-packages/samba/kcc/graph_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/kcc_utils.py
 usr/lib/python3.10/site-packages/samba/kcc/ldif_import_export.py
+usr/lib/python3.10/site-packages/samba/key_credential_link.py
 usr/lib/python3.10/site-packages/samba/logger.py
 usr/lib/python3.10/site-packages/samba/lsa_utils.py
 usr/lib/python3.10/site-packages/samba/mdb_util.py
@@ -353,6 +357,8 @@ usr/lib/python3.10/site-packages/samba/netbios.cpython-310-x86_64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/netcmd/__init__.py
 usr/lib/python3.10/site-packages/samba/netcmd/common.py
 usr/lib/python3.10/site-packages/samba/netcmd/computer.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_generate_csr.py
+usr/lib/python3.10/site-packages/samba/netcmd/computer_keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/contact.py
 usr/lib/python3.10/site-packages/samba/netcmd/dbcheck.py
 usr/lib/python3.10/site-packages/samba/netcmd/delegation.py
@@ -434,7 +440,9 @@ usr/lib/python3.10/site-packages/samba/netcmd/user/delete.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/disable.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/edit.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/enable.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/generate_csr.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/getgroups.py
+usr/lib/python3.10/site-packages/samba/netcmd/user/keytrust.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/list.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/move.py
 usr/lib/python3.10/site-packages/samba/netcmd/user/password.py
@@ -580,6 +588,7 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/domain_backup_offline.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_api.py
+#usr/lib/python3.10/site-packages/samba/tests/dsdb_dn.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_dns.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_lock.py
 #usr/lib/python3.10/site-packages/samba/tests/dsdb_quiet_env_tests.py
@@ -609,6 +618,7 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/kcc_utils.py
 #usr/lib/python3.10/site-packages/samba/tests/kcc/ldif_import_export.py
 #usr/lib/python3.10/site-packages/samba/tests/key_credential_link.py
+#usr/lib/python3.10/site-packages/samba/tests/key_credential_link_samdb.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5
 #usr/lib/python3.10/site-packages/samba/tests/krb5/alias_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/as_canonicalization_tests.py
@@ -629,12 +639,14 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgs_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgt_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/key_trust_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kpasswd_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/lockout_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/netlogon.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/nt_hash_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pac_align_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_certificate_mapping_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/pkinit_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/protected_users_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/raw_testcase.py
@@ -756,8 +768,10 @@ usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_policy.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_auth_silo.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_check_password_script.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_generate_csr.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_get_kerberos_ticket.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_getpassword_gmsa.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_keytrust.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_base.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
@@ -975,6 +989,7 @@ usr/lib/samba/vfs/acl_tdb.so
 usr/lib/samba/vfs/acl_xattr.so
 usr/lib/samba/vfs/aio_fork.so
 usr/lib/samba/vfs/aio_pthread.so
+usr/lib/samba/vfs/aio_ratelimit.so
 usr/lib/samba/vfs/audit.so
 usr/lib/samba/vfs/btrfs.so
 usr/lib/samba/vfs/cap.so
@@ -1039,6 +1054,8 @@ usr/sbin/winbindd
 #usr/share/locale/hu/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/it/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ja/LC_MESSAGES/pam_winbind.mo
+#usr/share/locale/ka/LC_MESSAGES/net.mo
+#usr/share/locale/ka/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/ko/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nb/LC_MESSAGES/pam_winbind.mo
 #usr/share/locale/nl/LC_MESSAGES/pam_winbind.mo
diff --git a/lfs/samba b/lfs/samba
index 7b38018cc..a4a24a3f3 100644
--- a/lfs/samba
+++ b/lfs/samba
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 4.23.6
+VER        = 4.24.1
 SUMMARY    = A SMB/CIFS File, Print, and Authentication Server
 
 THISAPP    = samba-$(VER)
@@ -33,7 +33,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = samba
-PAK_VER    = 120
+PAK_VER    = 121
 
 DEPS       = avahi libtalloc perl-Parse-Yapp wsdd
 
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = c5c567bfc4734429790ec7362150eda231ce7e3e7dbdfaa2ca2dc81bd178c9c15cc9360b21f4c5dd1f1423d46337bc5a7b581efcff8ed647adb69a9b47922320
+$(DL_FILE)_BLAKE2 = 51459d4db739e47bc05692046ce0a8b3044de923b3d1e7a51589bb838a7ef9865b6d6034656ade87e099374157a92dac0cba70a5f293a4d1e2b623341b3e75ca
 
 install : $(TARGET)
 
-- 
2.54.0