* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 3b9bedc91abae7e446bb9007dcad972bb4ebe880
@ 2025-12-08 11:23 Michael Tremer
From: Michael Tremer @ 2025-12-08 11:23 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 3b9bedc91abae7e446bb9007dcad972bb4ebe880 (commit)
via ba4ccaa68bc3717fdc0f21b20730d306061ebb0c (commit)
via e341f8854aec127ed6e7e576d964057fa56f2c47 (commit)
via 7be38f68c960c0331528a13ef0c55e3baddf13ca (commit)
via ad00778ed0c1358c8be5cb2e9216ac58c1717963 (commit)
via 92d6e918c986c89297a6dcb5a446c3d85922209c (commit)
via 1ad48baf9db7e96386b54b78dc660747004f9eba (commit)
from 15f3f5570302c9387930553a61247c9056525050 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3b9bedc91abae7e446bb9007dcad972bb4ebe880
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Sat Dec 6 13:04:15 2025 +0100
tshark: Update to version 4.6.2
- Update from version 4.6.1 to 4.6.2
- Update of rootfile
- Changelog
4.6.2
Bug Fixes
This release fixes an API/ABI change that was introduced in
Wireshark 4.6.1, which caused a compatibility issue with plugins
built for Wireshark 4.6.0. Issue 20881.
The following vulnerabilities have been fixed:
wnpa-sec-2025-07 HTTP3 dissector crash. Issue 20860.
wnpa-sec-2025-08 MEGACO dissector infinite loop. Issue 20884.
The following bugs have been fixed:
ws_base32_decode should be named *_encode ? Issue 20754.
Omnipeek files not working in 4.6.1. Issue 20876.
Stack buffer overflow in wiretap/ber.c (ber_open) Issue 20878.
Plugins incompatibility between 4.6.0 & 4.6.1. Issue 20881.
Fuzz job crash: fuzz-2025-11-30-12266121180.pcap. Issue 20883.
New and Updated Features
The Windows installers now ship with the Visual C++ Redistributable
version 14.44.35112. They previously shipped with 14.40.33807.
Updated Protocol Support
ATM PW, COSEM, COTP, DECT NR+, DMP, Fc00, GTP, HTTP3, IEEE 802.15.4,
ISIS HELLO, ISOBUS, MAC-LTE, MAUSB, MEGACO, MPEG DSM-CC, OsmoTRXD,
PTP, RLC, SAPDIAG, and SMTP
New and Updated Capture File Support
Peektagged
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ba4ccaa68bc3717fdc0f21b20730d306061ebb0c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Dec 8 11:22:12 2025 +0000
core200: Ship and restart Apache2
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit e341f8854aec127ed6e7e576d964057fa56f2c47
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date: Fri Dec 5 22:21:04 2025 +0100
apache: Update to 2.4.66
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.66
"Changes with Apache 2.4.66
*) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
bypass via AllowOverride FileInfo (cve.mitre.org)
mod_userdir+suexec bypass via AllowOverride FileInfo
vulnerability in Apache HTTP Server. Users with access to use
the RequestHeader directive in htaccess can cause some CGI
scripts to run under an unexpected userid.
This issue affects Apache HTTP Server: from 2.4.7 through
2.4.65.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Mattias Åsander (Umeå University)
*) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
variable override (cve.mitre.org)
Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability in Apache HTTP Server through environment
variables set via the Apache configuration unexpectedly
superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes
the issue.
Credits: Mattias Åsander (Umeå University)
*) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
Windows through UNC SSRF (cve.mitre.org)
Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP
Server on Windows with AllowEncodedSlashes On and MergeSlashes Off
allows to potentially leak NTLM hashes to a malicious server via
SSRF and malicious requests or content
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
Includes adds query string to #exec cmd=... (cve.mitre.org)
Apache HTTP Server 2.4.65 and earlier with Server Side Includes
(SSI) enabled and mod_cgid (but not mod_cgi) passes the
shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Anthony Parfenov (United Rentals, Inc.)
*) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
unintended retry intervals (cve.mitre.org)
An integer overflow in the case of failed ACME certificate
renewal leads, after a number of failures (~30 days in default
configurations), to the backoff timer becoming 0. Attempts to
renew the certificate then are repeated without delays until it
succeeds.
This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Aisle Research
*) mod_http2: Fix handling of 304 responses from mod_cache. PR 69580.
[Stefan Eissing]
*) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
integers, used in push diaries and proxy window size calculations.
PR69741 [Benjamin P. Kallus]
*) mod_md: update to version 2.6.5
- New directive `MDInitialDelay`, controlling how long to wait after
a server restart before checking certificates for renewal.
[Michael Kaufmann]
- Hardening: when built with OpenSSL older than 1.0.2 or old libressl
versions, the parsing of ASN.1 time strings did not do a length check.
- Hardening: when reading back OCSP responses stored in the local JSON
store, missing 'valid' key led to uninitialized values, resulting in
wrong refresh behaviour.
*) mod_md: update to version 2.6.6
- Fix a small memory leak when using OpenSSL's BIGNUMs. [Theo Buehler]
- Fix reuse of curl easy handles by resetting them. [Michael Kaufmann]
*) mod_http2: update to version 2.0.35
New directive `H2MaxStreamErrors` to control how much bad behaviour
by clients is tolerated before the connection is closed.
[Stefan Eissing]
* mod_proxy_http2: add support for ProxyErrorOverride directive. PR69771
*) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify
the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
[Ruediger Pluem]
*) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual
host compatibility policy. PR 69743. [Joe Orton]
*) mod_md: update to version 2.6.2
- Fix error retry delay calculation to not already double the wait
on the first error.
*) mod_md: update to version 2.6.1
- Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
traffic on errored renewals for the ACME CA. This leads to error retries
of 30s, 1 minute, 2, 4, etc. up to daily attempts.
- Checking that configuring `MDRetryDelay` will result in a positive
duration. A delay of 0 is not accepted.
- Fix a bug in checking Content-Type of responses from the ACME server.
- Added ACME ARI support (rfc9773) to the module. Enabled by default. New
directive "MDRenewViaARI on|off" for controlling this.
- Removing tailscale support. It has not been working for a long time
as the company decided to change their APIs. Away with the dead code,
documentation and tests.
- Fixed a compilation issue with pre-industrial versions of libcurl"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 7be38f68c960c0331528a13ef0c55e3baddf13ca
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Fri Dec 5 20:24:43 2025 +0100
openvpn: Update to version 2.6.17
- Update from 2.6.16 to 2.6.17
- No change to rootfile
- Changelog
2.6.17
Security fixes:
CVE-2025-13751: Windows/interactive service: fix erroneous exit on error
that could be used by a local Windows user to achieve a local
denial-of-service
Bug fixes:
Windows/interactive service: improve service pipe robustness against file
access races (uuid) and access by unauthorized processes (ACL).
upgrade bundled build instruction (vcpkg and patch) for pkcs11-helper to
1.31, fixing a parser bug
Windows MSI changes since 2.6.16-I001:
Built against OpenSSL 3.6.0
Included openvpn-gui updated to 11.59.0.0
Authorize config before opening the service pipe
Remove dependence on pathcch.dll not in Windows 7
Included win-dco driver updated to 2.8.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ad00778ed0c1358c8be5cb2e9216ac58c1717963
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Fri Dec 5 20:24:41 2025 +0100
core200: Ship bash
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 92d6e918c986c89297a6dcb5a446c3d85922209c
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Fri Dec 5 20:24:40 2025 +0100
bash: Update to version 5.3 patch 8
- Update from version 5.3 patch 3 to 5.3 patch 8
- No change to rootfile
- Changelog
patch 8
Bash tries to consume entire multibyte characters when looking for backslash
escapes in $'...' strings, and treats too many characters as potentially
beginning a multibyte character in UTF-8 locales. Being more selective about
when to call mbrtowc() can lead to optimized string processing and script
speedups. This patch also handles the unlikely situation of a locale
encoding null wide characters with non-null bytes.
patch 7
No-fork command substitutions can perform redirections that act on the
enclosing command as well.
patch 6
When `globasciiranges' is enabled, glob patterns with ranges in bracket
expressions can produce incorrect matches for character ranges whose
start and end are non-ascii characters.
patch 5
Restoring the default disposition in a subshell for a signal bash treats
specially can cause a crash.
patch 4
The Linux kernel reports incorrect sizes for files in /sys/block/*/uevent,
leading bash to report a read error when the byte count does not agree
with the file size from fstat(2).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 1ad48baf9db7e96386b54b78dc660747004f9eba
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Dec 8 11:19:48 2025 +0000
ppp: Send LCP keepalive packets only when there is no traffic
lcp-echo-adaptive
If this option is used with the lcp-echo-failure option
then pppd will send LCP echo-request frames only if no
traffic was received from the peer since the last
echo-request was sent.
Suggested-by: Heath Harry <hharry06@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/common/apache2 | 3 +-
.../{oldcore/114 => core/200}/filelists/apache2 | 0
.../{oldcore/139 => core/200}/filelists/bash | 0
config/rootfiles/core/200/filelists/files | 1 +
config/rootfiles/core/200/update.sh | 1 +
config/rootfiles/packages/tshark | 4 +-
lfs/apache2 | 4 +-
lfs/bash | 2 +-
lfs/openvpn | 4 +-
lfs/tshark | 6 +-
src/initscripts/networking/red | 3 +-
src/patches/bash/bash53-004 | 47 +++++
src/patches/bash/bash53-005 | 42 ++++
src/patches/bash/bash53-006 | 48 +++++
src/patches/bash/bash53-007 | 56 +++++
src/patches/bash/bash53-008 | 231 +++++++++++++++++++++
16 files changed, 439 insertions(+), 13 deletions(-)
copy config/rootfiles/{oldcore/114 => core/200}/filelists/apache2 (100%)
copy config/rootfiles/{oldcore/139 => core/200}/filelists/bash (100%)
create mode 100644 src/patches/bash/bash53-004
create mode 100644 src/patches/bash/bash53-005
create mode 100644 src/patches/bash/bash53-006
create mode 100644 src/patches/bash/bash53-007
create mode 100644 src/patches/bash/bash53-008
Difference in files:
diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2
index 7f02347a2..8bca87c3b 100644
--- a/config/rootfiles/common/apache2
+++ b/config/rootfiles/common/apache2
@@ -505,6 +505,7 @@ srv/web/ipfire/html/captive
#srv/web/ipfire/manual/images/custom_errordocs.png
#srv/web/ipfire/manual/images/down.gif
#srv/web/ipfire/manual/images/favicon.ico
+#srv/web/ipfire/manual/images/favicon.png
#srv/web/ipfire/manual/images/feather.gif
#srv/web/ipfire/manual/images/feather.png
#srv/web/ipfire/manual/images/filter_arch.png
@@ -1080,8 +1081,6 @@ srv/web/ipfire/html/captive
#srv/web/ipfire/manual/mod/mod_systemd.html
#srv/web/ipfire/manual/mod/mod_systemd.html.en
#srv/web/ipfire/manual/mod/mod_systemd.html.fr.utf8
-#srv/web/ipfire/manual/mod/mod_tls.html
-#srv/web/ipfire/manual/mod/mod_tls.html.en
#srv/web/ipfire/manual/mod/mod_unique_id.html
#srv/web/ipfire/manual/mod/mod_unique_id.html.en
#srv/web/ipfire/manual/mod/mod_unique_id.html.fr.utf8
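Review bot: the two removed entries, mod_tls.html and mod_tls.html.en, are not explained in the commit message, which only quotes the upstream changelog. Both lines are commented out with '#', so nothing shipped changes, but a line in the message saying whether 2.4.66 stopped installing these manual pages or the build configuration changed would make this rootfile diff reviewable on its own.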
diff --git a/config/rootfiles/core/200/filelists/apache2 b/config/rootfiles/core/200/filelists/apache2
new file mode 120000
index 000000000..eef95efa7
--- /dev/null
+++ b/config/rootfiles/core/200/filelists/apache2
@@ -0,0 +1 @@
+../../../common/apache2
\ No newline at end of file
diff --git a/config/rootfiles/core/200/filelists/bash b/config/rootfiles/core/200/filelists/bash
new file mode 120000
index 000000000..de970cb1d
--- /dev/null
+++ b/config/rootfiles/core/200/filelists/bash
@@ -0,0 +1 @@
+../../../common/bash
\ No newline at end of file
diff --git a/config/rootfiles/core/200/filelists/files b/config/rootfiles/core/200/filelists/files
index e8109af74..5ab36a55e 100644
--- a/config/rootfiles/core/200/filelists/files
+++ b/config/rootfiles/core/200/filelists/files
@@ -1,2 +1,3 @@
+etc/rc.d/init.d/networking/red
etc/rc.d/init.d/unbound
srv/web/ipfire/cgi-bin/ovpnmain.cgi
diff --git a/config/rootfiles/core/200/update.sh b/config/rootfiles/core/200/update.sh
index 7d00047b1..2037bf15f 100644
--- a/config/rootfiles/core/200/update.sh
+++ b/config/rootfiles/core/200/update.sh
@@ -73,6 +73,7 @@ ldconfig
sudo -u nobody /srv/web/ipfire/cgi-bin/ovpnmain.cgi
# Start services
+/etc/init.d/apache restart
/etc/init.d/unbound restart
/etc/init.d/openvpn-rw restart
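Review bot: the added /etc/init.d/apache restart is not checked for failure. If httpd does not come back up on the new version, the script carries on to the unbound and openvpn-rw restarts and the web interface stays down with nothing recorded. Consider testing the exit status and logging a failure. The "# Start services" comment above it could also read "Restart services", since all three lines are restarts.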
diff --git a/config/rootfiles/packages/tshark b/config/rootfiles/packages/tshark
index ec74f5030..2686a23e4 100644
--- a/config/rootfiles/packages/tshark
+++ b/config/rootfiles/packages/tshark
@@ -11,10 +11,10 @@ usr/bin/dumpcap
usr/bin/tshark
#usr/lib/libwireshark.so
usr/lib/libwireshark.so.19
-usr/lib/libwireshark.so.19.0.1
+usr/lib/libwireshark.so.19.0.2
#usr/lib/libwiretap.so
usr/lib/libwiretap.so.16
-usr/lib/libwiretap.so.16.0.1
+usr/lib/libwiretap.so.16.0.2
#usr/lib/libwsutil.so
usr/lib/libwsutil.so.17
usr/lib/libwsutil.so.17.0.0
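Review bot: usr/lib/libwsutil.so.17.0.0 in the trailing context stays as it is while libwireshark and libwiretap both move from .1 to .2. Please confirm against the generated rootfile that 4.6.2 still installs libwsutil.so.17.0.0, since a stale name here would leave the library out of the package.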
diff --git a/lfs/apache2 b/lfs/apache2
index 7287c997b..059d011c8 100644
--- a/lfs/apache2
+++ b/lfs/apache2
@@ -25,7 +25,7 @@
include Config
-VER = 2.4.65
+VER = 2.4.66
THISAPP = httpd-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -45,7 +45,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 67da132d066e03690d3a3ead8a528ab020564699c82584adf5bc637e1bc6c1def6f08e7b8b7962115fcb5bab31be7c977442549096d171321f95f54796ece63a
+$(DL_FILE)_BLAKE2 = 3e702c9eda81440733516b6fe26f44cd358c385203de5a674f65e3806b0204bae4eb845e3a9ab340b2d731f98c9a0e72f616dd3ad070421b31e7814bbfcd6469
install : $(TARGET)
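Review bot: the new $(DL_FILE)_BLAKE2 value only pins the tarball as it was downloaded at update time. Nothing in this hunk or in the commit message records that httpd-2.4.66.tar.bz2 was checked against upstream's published checksum or signature before the digest was computed. A short "verified against upstream signature" line in the commit message would close that gap.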
diff --git a/lfs/bash b/lfs/bash
index 1bc7b52f6..adfbd35d1 100644
--- a/lfs/bash
+++ b/lfs/bash
@@ -25,7 +25,7 @@
include Config
VER = 5.3
-PATCHVER = 3
+PATCHVER = 8
THISAPP = bash-$(VER)
DL_FILE = $(THISAPP).tar.gz
diff --git a/lfs/openvpn b/lfs/openvpn
index 9252c44f8..25e186f12 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -24,7 +24,7 @@
include Config
-VER = 2.6.16
+VER = 2.6.17
THISAPP = openvpn-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = d4219d5974ecb0d73b865f436ed5a57874dee7295446a10d47354024564a25098ea2210f3356f3938fd24fb99c2310797bb70936ad5423eafad7cbacc94c71c5
+$(DL_FILE)_BLAKE2 = a5cff9bf4de85b647bd0cef808586b2cd29694ad0134ae6e4b3f74251c2ce0908cf86cbc041768f7fbc495e3ad5c5dbb9c491fe351b99da330dd2390142b353e
install : $(TARGET)
diff --git a/lfs/tshark b/lfs/tshark
index 6d566504e..07cb1af8e 100644
--- a/lfs/tshark
+++ b/lfs/tshark
@@ -26,7 +26,7 @@ include Config
SUMMARY = A Network Traffic Analyser
-VER = 4.6.1
+VER = 4.6.2
THISAPP = wireshark-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -35,7 +35,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = tshark
DEPS = c-ares
-PAK_VER = 30
+PAK_VER = 31
SERVICES =
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 4ca4b482ec58003c78413e29b11d3b628c835ffc0a635150415a91d570952b958f80a3baf0da7fc952fd338697c06631d20dbb7a29a42a46a22bb1be32ab2265
+$(DL_FILE)_BLAKE2 = 1f7a7c73d610e00c9c5718e67dbc48b1a3872f9a72769017b266f7fbbf8b1d834878319514bae069ee3ba17de0fb35eb88f24e9809ac6c821e0f4e4bbaf195d1
install : $(TARGET)
diff --git a/src/initscripts/networking/red b/src/initscripts/networking/red
index 536fc972c..fe8012f9a 100644
--- a/src/initscripts/networking/red
+++ b/src/initscripts/networking/red
@@ -436,7 +436,8 @@ case "${1}" in
PPP_STD_OPTIONS="$PLUGOPTS usepeerdns defaultroute noipdefault noauth"
PPP_STD_OPTIONS+=" default-asyncmap hide-password nodetach noipv6"
PPP_STD_OPTIONS+=" noaccomp nodeflate nopcomp novj novjccomp"
- PPP_STD_OPTIONS+=" nobsdcomp user ${USERNAME} lcp-echo-interval 20"
+ PPP_STD_OPTIONS+=" nobsdcomp user ${USERNAME}"
+ PPP_STD_OPTIONS+=" lcp-echo-adaptive lcp-echo-interval 20"
PPP_STD_OPTIONS+=" lcp-echo-failure 5 ${AUTH}"
if [ -n "${MTU}" ]; then
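Review bot: lcp-echo-adaptive on the new PPP_STD_OPTIONS line is switched on for every PPP connection, with no setting to turn it off and no comment in the script. Together with lcp-echo-interval 20 and lcp-echo-failure 5 it changes when a dead link is noticed, because echo-requests are skipped while traffic keeps arriving from the peer. A one-line comment above the option giving that reason, as the commit message does, would help whoever next touches these timers.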
diff --git a/src/patches/bash/bash53-004 b/src/patches/bash/bash53-004
new file mode 100644
index 000000000..5d7705c0d
--- /dev/null
+++ b/src/patches/bash/bash53-004
@@ -0,0 +1,47 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-004
+
+Bug-Reported-by: Emanuele Torre <torreemanuele6@gmail.com>
+Bug-Reference-ID: <aHKS0uA8Sf_vMT25@ntoo>
+Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2025-07/msg00031.html
+
+Bug-Description:
+
+The Linux kernel reports incorrect sizes for files in /sys/block/*/uevent,
+leading bash to report a read error when the byte count does not agree
+with the file size from fstat(2).
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/builtins/evalfile.c Fri Sep 6 15:42:40 2024
+--- builtins/evalfile.c Fri Sep 12 11:38:57 2025
+***************
+*** 161,166 ****
+--- 161,168 ----
+ if (nr >= 0)
+ string[nr] = '\0';
++ #if 0
+ if (nr != file_size)
+ nr = -1; /* XXX - didn't get the whole file */
++ #endif
+ }
+ else
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 3
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 4
+
+ #endif /* _PATCHLEVEL_H_ */
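Review bot: the #if 0 / #endif pair in builtins/evalfile.c compiles out the nr != file_size check for every file, not just /sys/block/*/uevent, so a short read is no longer turned into an error (nr = -1) and the string is simply left terminated at nr bytes. This is the upstream patch as published, so no change is needed here, but the commit message summary could say that the size check is removed outright rather than relaxed.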
diff --git a/src/patches/bash/bash53-005 b/src/patches/bash/bash53-005
new file mode 100644
index 000000000..2bebca8be
--- /dev/null
+++ b/src/patches/bash/bash53-005
@@ -0,0 +1,42 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-005
+
+Bug-Reported-by: chet.ramey@case.edu
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+Restoring the default disposition in a subshell for a signal bash treats
+specially can cause a crash.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/trap.c Thu Dec 19 11:35:49 2024
+--- trap.c Fri Nov 7 11:23:31 2025
+***************
+*** 965,968 ****
+--- 965,969 ----
+ set_signal_handler (sig, SIG_DFL);
+ change_signal (sig, (char *)DEFAULT_SIG);
++ sigmodes[sig] &= ~SIG_TRAPPED; /* no longer trapped */
+ return;
+ }
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 4
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 5
+
+ #endif /* _PATCHLEVEL_H_ */
diff --git a/src/patches/bash/bash53-006 b/src/patches/bash/bash53-006
new file mode 100644
index 000000000..95891a474
--- /dev/null
+++ b/src/patches/bash/bash53-006
@@ -0,0 +1,48 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-006
+
+Bug-Reported-by: Duncan Roe <duncan_roe@optusnet.com.au>
+Bug-Reference-ID: <aL0p/3BQeCLc6krz@dimstar.local.net>
+Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2025-09/msg00053.html
+
+Bug-Description:
+
+When `globasciiranges' is enabled, glob patterns with ranges in bracket
+expressions can produce incorrect matches for character ranges whose
+start and end are non-ascii characters.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/lib/glob/smatch.c Mon May 29 14:15:17 2023
+--- lib/glob/smatch.c Mon Sep 8 12:54:59 2025
+***************
+*** 391,395 ****
+ return 0;
+
+! if (forcecoll == 0 && glob_asciirange && c1 <= UCHAR_MAX && c2 <= UCHAR_MAX)
+ return ((int)(c1 - c2));
+
+--- 391,395 ----
+ return 0;
+
+! if (forcecoll == 0 && glob_asciirange)
+ return ((int)(c1 - c2));
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 5
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 6
+
+ #endif /* _PATCHLEVEL_H_ */
diff --git a/src/patches/bash/bash53-007 b/src/patches/bash/bash53-007
new file mode 100644
index 000000000..58bc0d710
--- /dev/null
+++ b/src/patches/bash/bash53-007
@@ -0,0 +1,56 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-007
+
+Bug-Reported-by: jdhedden@gmail.com
+Bug-Reference-ID: <689ac876.050a0220.334a3f.30fb@mx.google.com>
+Bug-Reference-URL:
+
+Bug-Description:
+
+No-fork command substitutions can perform redirections that act on the
+enclosing command as well.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/subst.c Fri Jul 25 08:53:25 2025
+--- subst.c Tue Aug 12 15:41:01 2025
+***************
+*** 207,210 ****
+--- 207,212 ----
+ extern int extended_quote;
+
++ extern REDIRECT *exec_redirection_undo_list, *redirection_undo_list;
++
+ #if !defined (HAVE_WCSDUP) && defined (HANDLE_MULTIBYTE)
+ extern wchar_t *wcsdup (const wchar_t *);
+***************
+*** 7001,7004 ****
+--- 7003,7011 ----
+ }
+ #endif
++
++ unwind_protect_pointer (redirection_undo_list);
++ redirection_undo_list = NULL;
++ unwind_protect_pointer (exec_redirection_undo_list);
++ exec_redirection_undo_list = NULL;
+
+ subst_assign_varlist = 0;
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 6
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 7
+
+ #endif /* _PATCHLEVEL_H_ */
diff --git a/src/patches/bash/bash53-008 b/src/patches/bash/bash53-008
new file mode 100644
index 000000000..4ab993518
--- /dev/null
+++ b/src/patches/bash/bash53-008
@@ -0,0 +1,231 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 5.3
+Patch-ID: bash53-008
+
+Bug-Reported-by: Grisha Levit <grishalevit@gmail.com>
+Bug-Reference-ID: <20251022174207.10518-1-grishalevit@gmail.com>
+Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2025-10/msg00145.html
+
+Bug-Description:
+
+Bash tries to consume entire multibyte characters when looking for backslash
+escapes in $'...' strings, and treats too many characters as potentially
+beginning a multibyte character in UTF-8 locales. Being more selective about
+when to call mbrtowc() can lead to optimized string processing and script
+speedups. This patch also handles the unlikely situation of a locale
+encoding null wide characters with non-null bytes.
+
+Patch (apply with `patch -p0'):
+
+*** ../bash-5.3-patched/lib/sh/strtrans.c Fri Oct 13 11:57:46 2023
+--- lib/sh/strtrans.c Mon Oct 27 14:30:35 2025
+***************
+*** 56,60 ****
+ unsigned long v;
+ size_t clen;
+! int mb_cur_max;
+ #if defined (HANDLE_MULTIBYTE)
+ wchar_t wc;
+--- 56,60 ----
+ unsigned long v;
+ size_t clen;
+! size_t mb_cur_max;
+ #if defined (HANDLE_MULTIBYTE)
+ wchar_t wc;
+***************
+*** 64,68 ****
+ return ((char *)0);
+
+! mb_cur_max = MB_CUR_MAX;
+ #if defined (HANDLE_MULTIBYTE)
+ temp = 4*len + 4;
+--- 64,68 ----
+ return ((char *)0);
+
+! mb_cur_max = locale_mb_cur_max;
+ #if defined (HANDLE_MULTIBYTE)
+ temp = 4*len + 4;
+***************
+*** 80,87 ****
+ clen = 1;
+ #if defined (HANDLE_MULTIBYTE)
+! if ((locale_utf8locale && (c & 0x80)) ||
+! (locale_utf8locale == 0 && mb_cur_max > 0 && is_basic (c) == 0))
+ {
+ clen = mbrtowc (&wc, s - 1, mb_cur_max, 0);
+ if (MB_INVALIDCH (clen))
+ clen = 1;
+--- 80,91 ----
+ clen = 1;
+ #if defined (HANDLE_MULTIBYTE)
+! /* We read an entire multibyte character at a time if we are in a
+! locale where a backslash can possibly appear as part of a
+! multibyte character. UTF-8 encodings prohibit this. */
+! if (locale_utf8locale == 0 && mb_cur_max > 1 && is_basic (c) == 0)
+ {
+ clen = mbrtowc (&wc, s - 1, mb_cur_max, 0);
++ if (MB_NULLWCH (clen))
++ break; /* it apparently can happen */
+ if (MB_INVALIDCH (clen))
+ clen = 1;
+***************
+*** 228,237 ****
+ char *r, *ret;
+ const char *s;
+- size_t l, rsize;
+ unsigned char c;
+ size_t clen;
+ int b;
+- #if defined (HANDLE_MULTIBYTE)
+ wchar_t wc;
+ #endif
+
+--- 232,241 ----
+ char *r, *ret;
+ const char *s;
+ unsigned char c;
++ #if defined (HANDLE_MULTIBYTE)
+ size_t clen;
+ int b;
+ wchar_t wc;
++ DECLARE_MBSTATE;
+ #endif
+
+***************
+*** 239,245 ****
+ return ((char *)0);
+
+! l = strlen (str);
+! rsize = 4 * l + 4;
+! r = ret = (char *)xmalloc (rsize);
+
+ *r++ = '$';
+--- 243,247 ----
+ return ((char *)0);
+
+! r = ret = (char *)xmalloc (4 * strlen (str) + 4);
+
+ *r++ = '$';
+***************
+*** 248,255 ****
+ for (s = str; c = *s; s++)
+ {
+- b = 1; /* 1 == add backslash; 0 == no backslash */
+- l = 1;
+- clen = 1;
+-
+ switch (c)
+ {
+--- 250,253 ----
+***************
+*** 267,303 ****
+ default:
+ #if defined (HANDLE_MULTIBYTE)
+! b = is_basic (c);
+! /* XXX - clen comparison to 0 is dicey */
+! if ((b == 0 && ((clen = mbrtowc (&wc, s, MB_CUR_MAX, 0)) < 0 || MB_INVALIDCH (clen) || iswprint (wc) == 0)) ||
+! (b == 1 && ISPRINT (c) == 0))
+! #else
+! if (ISPRINT (c) == 0)
+! #endif
+ {
+! *r++ = '\\';
+! *r++ = TOCHAR ((c >> 6) & 07);
+! *r++ = TOCHAR ((c >> 3) & 07);
+! *r++ = TOCHAR (c & 07);
+! continue;
+ }
+! l = 0;
+! break;
+! }
+! if (b == 0 && clen == 0)
+! break;
+
+! if (l)
+! *r++ = '\\';
+!
+! if (clen == 1)
+! *r++ = c;
+! else
+! {
+! for (b = 0; b < (int)clen; b++)
+! *r++ = (unsigned char)s[b];
+! s += clen - 1; /* -1 because of the increment above */
+ }
+ }
+
+ *r++ = '\'';
+ *r = '\0';
+--- 265,304 ----
+ default:
+ #if defined (HANDLE_MULTIBYTE)
+! if ((locale_utf8locale && (c & 0x80)) ||
+! (locale_utf8locale == 0 && locale_mb_cur_max > 1 && is_basic (c) == 0))
+ {
+! clen = mbrtowc (&wc, s, locale_mb_cur_max, &state);
+! if (MB_NULLWCH (clen))
+! goto quote_end;
+! if (MB_INVALIDCH (clen))
+! INITIALIZE_MBSTATE;
+! else if (iswprint (wc))
+! {
+! for (b = 0; b < (int)clen; b++)
+! *r++ = (unsigned char)s[b];
+! s += clen - 1; /* -1 because of the increment above */
+! continue;
+! }
+ }
+! else
+! #endif
+! if (ISPRINT (c))
+! {
+! *r++ = c;
+! continue;
+! }
+
+! *r++ = '\\';
+! *r++ = TOCHAR ((c >> 6) & 07);
+! *r++ = TOCHAR ((c >> 3) & 07);
+! *r++ = TOCHAR (c & 07);
+! continue;
+ }
++
++ *r++ = '\\';
++ *r++ = c;
+ }
+
++ quote_end:
+ *r++ = '\'';
+ *r = '\0';
+***************
+*** 349,353 ****
+ {
+ #if defined (HANDLE_MULTIBYTE)
+! if (is_basic (c) == 0)
+ return (ansic_wshouldquote (s));
+ #endif
+--- 350,355 ----
+ {
+ #if defined (HANDLE_MULTIBYTE)
+! if ((locale_utf8locale && (c & 0x80)) ||
+! (locale_utf8locale == 0 && locale_mb_cur_max > 1 && is_basic (c) == 0))
+ return (ansic_wshouldquote (s));
+ #endif
+
+*** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
+--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 7
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 8
+
+ #endif /* _PATCHLEVEL_H_ */
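Review bot: the new quote_end: label in lib/sh/strtrans.c is added outside any #if, while the only goto quote_end sits inside #if defined (HANDLE_MULTIBYTE). A build without HANDLE_MULTIBYTE is left with an unused label and a warning under -Wunused-label. That is harmless for a multibyte build, and if it matters it is a point to raise upstream rather than patch locally.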
hooks/post-receive
--
IPFire 2.x development tree