Commit Graph

38055 Commits

Author SHA1 Message Date
Wang Mingyu 49bf96259e python3-pikepdf: upgrade 10.2.0 -> 10.3.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:24 -08:00
Wang Mingyu 6a74749569 python3-nanobind: upgrade 2.10.2 -> 2.11.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:23 -08:00
Wang Mingyu 1b1bae9811 python3-icontract: upgrade 2.7.2 -> 2.7.3
Changelog:
 Treat __setstate__ as constructor

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:23 -08:00
Wang Mingyu 4f1090a998 python3-cachetools: upgrade 6.2.5 -> 7.0.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:23 -08:00
Wang Mingyu 267d59ca60 python3-alembic: upgrade 1.18.1 -> 1.18.3
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:23 -08:00
Wang Mingyu e27ed6de73 python3-aiohue: upgrade 4.8.0 -> 4.8.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:23 -08:00
Wang Mingyu 6c54894209 openldap: upgrade 2.6.10 -> 2.6.12
License-Update: Copyright year updated to 2026

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:23 -08:00
Wang Mingyu 755d7c5449 nbdkit: upgrade 1.47.1 -> 1.47.3
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:22 -08:00
Wang Mingyu 9c989a5ea2 libvpx: upgrade 1.15.2 -> 1.16.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:22 -08:00
Wang Mingyu ee20888c3f libspelling: upgrade 0.4.9 -> 0.4.10
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:22 -08:00
Wang Mingyu 66afdc82af libp11: upgrade 0.4.16 -> 0.4.17
Changelog:
============
* Ed25519 and Ed448 support (PKCS#11 v3.2)
* Fixed OPENSSL_NO_EC builds
* Reverted RSA public exponent change from PR #474
* Fixed crash on module initialization failures
* Ignoring trailing newlines in pin-source files
* Initial build fixes for the upcoming OpenSSL 4.x

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:22 -08:00
Wang Mingyu c2bf93c8d0 libio-compress-perl: upgrade 2.214 -> 2.217
License-Update: Copyright year updated to 2026

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:22 -08:00
Wang Mingyu 3faa41265d libio-compress-lzma-perl: upgrade 2.214 -> 2.217
License-Update: Copyright year updated to 2026

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:22 -08:00
Wang Mingyu d40d4ddc9c libcompress-raw-zlib-perl: upgrade 2.214 -> 2.217
License-Update: Copyright year updated to 2026

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:21 -08:00
Wang Mingyu c37e050575 libcompress-raw-lzma-perl: upgrade 2.214 -> 2.217
License-Update: Copyright year updated to 2026

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:21 -08:00
Wang Mingyu 1424870f1f libcompress-raw-bzip2-perl: upgrade 2.214 -> 2.217
License-Update: Copyright year updated to 2026

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:21 -08:00
Wang Mingyu bf0ea3fc28 libcacard: upgrade 2.8.1 -> 2.8.2
Changelog:
==========
- Sort certificates by underlying objects CKA_ID to provide deterministic
  object order
- Avoid using uninitialized memory
- Improve test coverage and build scripts
- Improve compatibility with modern compilers (avoid strict warnings)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:21 -08:00
Wang Mingyu a216ab3f76 gvfs: upgrade 1.58.0 -> 1.58.1
Major changes in 1.58.1
=======================
* cdda: Fix duration of last track for some media
* build: Fix build when google option is disabled
* Fix various memory leaks
* Some other fixes
* Translation updates

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:21 -08:00
Wang Mingyu b2a9e3fefc gparted: upgrade 1.7.0 -> 1.8.0
Key changes
=============
  * Fix crash due to not checking for failure to load icon
  * Fix hangs setting FAT label when matches a root folder entry
  * Erase file system signatures before all FileSystem copies

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:21 -08:00
Ankur Tyagi 625a2be8a8 libde265: upgrade 1.0.15 -> 1.0.16
Also included tag in the SRC_URI.

This release fixes some rare decoding errors and some build issues.

Changelog:
https://github.com/strukturag/libde265/compare/v1.0.15...v1.0.16

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:20 -08:00
Gyorgy Sarvari dc3791d2c4 gimp: patch libunwind detection
Gimp 3.0.8's meson file detects the presence of libunwind incorrectly,
making it fail on some platforms (e.g. x86 + musl + clang), even when
libunwind is explicitly disabled:

| <snip>i686-oe-linux-musl-ld: app/core/libappcore.a.p/gimpbacktrace-linux.c.o: in function `gimp_backtrace_get_address_info':
| /usr/src/debug/gimp/3.0.8/../sources/gimp-3.0.8/app/core/gimpbacktrace-linux.c:708:(.text+0xbd7): undefined reference to `_ULx86_init_local'

This backported patch fixes this.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:20 -08:00
Mingli Yu d3cdd51235 agent-proxy: Restore DEBUG_PREFIX_MAP in TARGET_LDFLAGS
oe-core has removed DEBUG_PREFIX_MAP from TARGET_LDFLAGS [1], restore
it to fix the below error.

ERROR: agent-proxy-1.97-r0.wr2600 do_package_qa: QA Issue: File /usr/bin/.debug/agent-proxy in package agent-proxy-dbg contains reference to TMPDIR [buildpaths]
ERROR: agent-proxy-1.97-r0.wr2600 do_package_qa: Fatal QA errors were found, failing task.

[1] https://git.openembedded.org/openembedded-core/commit/?id=1797741aad02b8bf429fac4b81e30cdda64b5448

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:20 -08:00
Mingli Yu a4d79609a4 tunctl: Restore DEBUG_PREFIX_MAP in TARGET_LDFLAGS
oe-core has removed DEBUG_PREFIX_MAP from TARGET_LDFLAGS [1], restore
it to fix the below error.

ERROR: tunctl-1.5-r0.wr2401 do_package_qa: QA Issue: File /usr/sbin/.debug/tunctl in package tunctl-dbg contains reference to TMPDIR [buildpaths]
ERROR: tunctl-1.5-r0.wr2401 do_package_qa: Fatal QA errors were found, failing task.

[1] https://git.openembedded.org/openembedded-core/commit/?id=1797741aad02b8bf429fac4b81e30cdda64b5448

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:20 -08:00
Mingli Yu 57eca6e20b memstat: Restore DEBUG_PREFIX_MAP in TARGET_LDFLAGS
oe-core has removed DEBUG_PREFIX_MAP from TARGET_LDFLAGS [1], restore
it to fix the below error.

ERROR: memstat-1.0-r0.wr2401 do_package_qa: QA Issue: File /usr/bin/.debug/memstat in package memstat-dbg contains reference to TMPDIR [buildpaths]
ERROR: memstat-1.0-r0.wr2401 do_package_qa: Fatal QA errors were found, failing task.

[1] https://git.openembedded.org/openembedded-core/commit/?id=1797741aad02b8bf429fac4b81e30cdda64b5448

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:20 -08:00
Mingli Yu e8981bf431 valkey: Restore DEBUG_PREFIX_MAP in TARGET_LDFLAGS
oe-core has removed DEBUG_PREFIX_MAP from TARGET_LDFLAGS [1], restore
it to fix the below error.

  ERROR: valkey-9.0.1-r0.wr2600 do_package_qa: QA Issue: File /usr/bin/.debug/valkey-cli in package valkey-dbg contains reference to TMPDIR [buildpaths]
  ERROR: valkey-9.0.1-r0.wr2600 do_package_qa: QA Issue: File /usr/bin/.debug/valkey-server in package valkey-dbg contains reference to TMPDIR [buildpaths]
  ERROR: valkey-9.0.1-r0.wr2600 do_package_qa: QA Issue: File /usr/bin/.debug/valkey-benchmark in package valkey-dbg contains reference to TMPDIR [buildpaths]
  ERROR: valkey-9.0.1-r0.wr2600 do_package_qa: Fatal QA errors were found, failing task.

[1] https://git.openembedded.org/openembedded-core/commit/?id=1797741aad02b8bf429fac4b81e30cdda64b5448

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:20 -08:00
Gyorgy Sarvari 6c462c4d55 freerdp3: upgrade 3.20.2 -> 3.22.0
Ptests passed successfully.

Dropped manpages PACKAGECONFIG: when it is enabled, it requires an executable that
is compiled from the project's source, but since it is cross-compiled, it is not
usable. The cmakefile also started to explicitly disable generating this tool
when cross-compiling is enabled.
Since this recipe has no native counterpart, and the manpages can't be generated
in this state, this option was removed.

Changes:
3.22.0:
- Complete overhaul of SDL client
- Introduction of new WINPR_ATTR_NODISCARD macro wrapping compiler or C language
  version specific [[nodiscard]] attributes
- Addition of WINPR_ATTR_NODISCARD to (some) public API functions so usage errors
  are producing warnings now
- Add some more stringify functions for logging
- CVE fixes: CVE-2026-23948, CVE-2026-24682, CVE-2026-24683, CVE-2026-24676,
  CVE-2026-24677, CVE-2026-24678, CVE-2026-24684, CVE-2026-24679,
  CVE-2026-24681, CVE-2026-24675, CVE-2026-24491, CVE-2026-24680
- [core,info] fix missing NULL check
- [gateway,tsg] fix TSG_PACKET_RESPONSE parsing
- Allow querying auth identity with kerberos when running as a server
- Sspi krb heimdal
- Tsg fix idleTimeout parsing
- [channels,smartcard] revert 649f7de
- [crypto] deprecate er and der modules
- [channels,rdpei] lock full update, not only parts
- [winpr,platform] add WINPR_ATTR_NODISCARD macro
- Wlog cleanup
- new stringify functions & touch API defines
- Add support for querying SECPKG_ATTR_PACKAGE_INFO to NTLM and Kerberos
- [channels,video] measure times in ns
- [utils] Nodiscard
- Error handling fixes
- [channels,drdynvc] check pointer before reset
- Winpr api def
- [winpr,platform] drop C23 [[nodiscard]]
- [gdi] add additional checks for a valid rdpGdi
- Sdl3 high dpiv2
- peer: Disconnect if Logon() returned FALSE
- [channels,rdpecam] fix PROPERTY_DESCRIPTION parsing
- [channel,rdpsnd] only clean up thread before free
- [channels,rdpei] add RDPINPUT_CONTACT_FLAG_UP

3.21.0:
- CVE fixes: CVE-2026-23530, CVE-2026-23531, CVE-2026-23532, CVE-2026-23533,
  CVE-2026-23534, CVE-2026-23732, CVE-2026-23883, CVE-2026-23884
- [client,sdl] fix monitor resolution
- [codec,progressive] fix progressive_rfx_upgrade_block
- Krb cache fix
- Rdpdr improved checks
- Codec advanced length checks
- Glyph fix length checks
- Wlog printf format string checks
- [warnings,format] fix format string warnings
- Double free fixes
- [clang-tidy] clean up code warnings

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:19 -08:00
Tim Orling ac9cddac40 python3-orjson: use git fetcher; enable ptest
The majority of the ptests require the data/ directory, so
switch to using the git fetcher.

Testsuite summary
TOTAL: 1632
PASS: 1627
SKIP: 5
XFAIL: 0
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 268

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:19 -08:00
Tim Orling c6a7350f7c python3-pendulum: add at v3.2.0
Python datetimes made easy.

* Add patch to not strip .so
* Enable ptests
* Use git fetcher so we have tests/

Testsuite summary
TOTAL: 1835
PASS: 1832
SKIP: 3
XFAIL: 0
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 102

Dependency for python3-orjson ptest.

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:19 -08:00
Tim Orling 8dd259ff4d python3-time-machine: add at v3.2.0
Travel through time in your tests.

https://time-machine.readthedocs.io/en/latest/

Dependency for python3-pendulum ptests.
Based on the recipe in meta-homeassistant.
Enable ptests.
Use git fetcher so that we have tests/ for ptest.

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:19 -08:00
Tim Orling 73dbdc65fc python3-tokenize-rt: add at v6.2.0
A wrapper around the stdlib `tokenize` which roundtrips.

Dependency for python3-time-machine ptests.
Use git fetcher so we have tests/ and testing/resources/ for ptest.

Testsuite summary
TOTAL: 45
PASS: 45
SKIP: 0
XFAIL: 0
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 8

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:19 -08:00
Tim Orling 64139e703b python3-faker: add v40.1.2
Faker is a Python package that generates fake data for you. Whether you
need to bootstrap your database, create good-looking XML documents,
fill-in your persistence to stress test it, or anonymize data
taken from a production service, Faker is for you.

* Skip tests/pytest as this causes the 'pytests --automake' parser to fail
  for some reason [1] and the handful of tests are of questionable extra value.

Testsuite summary
TOTAL: 2151
PASS: 2146
SKIP: 5
XFAIL: 0
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 39

Dependency for python3-orjson ptest.

[1] https://gitlab.com/rossburton/python-unittest-automake-output/-/issues/9

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:18 -08:00
Tim Orling 5ccbf5d552 python3-orjson: upgrade 3.10.17 -> 3.11.6
Update python3-orjson-crates.inc

Add patches to fix compilation for arm64/riscv64 by gating x86/x86_64 only
AVX512 feature(s). The approach has thus far been rejected by upstream:
https://github.com/ijl/orjson/pull/609.

Release Notes:
https://github.com/ijl/orjson/blob/master/CHANGELOG.md#3116---2026-01-29

* orjson now includes code licensed under the Mozilla Public License 2.0
  (MPL-2.0).
* Drop support for Python 3.9.
* ABI compatibility with CPython 3.15 alpha 5.
* Build now depends on Rust 1.89 or later instead of 1.85.
* Fix sporadic crash serializing deeply nested list of dict.
* Show simple error message instead of traceback when attempting to build
  on unsupported Python versions.
* ABI compatibility with CPython 3.15 alpha 1.
* Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux
  ppc64le, manylinux s390x.
* Build now requires a C compiler.
* Fix PyPI project metadata when using maturin 1.9.2 or later.
* Fix build using Rust 1.89 on amd64.
* Build now depends on Rust 1.85 or later instead of 1.82.
* Publish PyPI wheels for CPython 3.14.
* Fix str on big-endian architectures. This was introduced in 3.11.0.
* Use a deserialization buffer allocated per request instead of a shared
  buffer allocated on import.
* ABI compatibility with CPython 3.14 beta 4.
* Fix incorrect escaping of the vertical tabulation character. This was
  introduced in 3.10.17.

Comparing changes:
https://github.com/ijl/orjson/compare/3.10.17...3.11.6

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:18 -08:00
Gyorgy Sarvari bfbd962813 nodejs: extend libatomic patch to x86
This patch isn't intended to introduce new behavior, rather it
changes the order of some existing LDFLAGS to fix a workaround that
stopped working at some point in the past.

LDFLAGS:x86 contains libatomic, because linking with this library
is required for this platform.

However when gyp links, it invokes the following (pseudo-)command:
$LD $LDFLAGS $RESOURCES_TO_LINK $EXTRA_LIBS $EXTRA_LDFLAGS

The EXTRA* arguments are coming from the gyp config. Since
LDFLAGS appears very early in the command, libatomic also
appears early amongst the resources, and the linker couldn't
find the relevant symbols when compiled for x86 platform (as
it was processed the very last):

| [...] undefined reference to `__atomic_compare_exchange'

Using this patch the library appears at the end, along with
the other EXTRA_LIBS, after the list of linked resources,
allowing linking to succeed.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-06 10:06:18 -08:00
Etienne Cordonnier 5ff9251b94 uutils-coreutils: upgrade 0.5.0 -> 0.6.0
See https://github.com/uutils/coreutils/releases/tag/0.6.0

Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:30 -08:00
Gianfranco Costamagna 04ce4bf518 vboxguestdrivers: Upgrade to 7.2.6
Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org>
Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:30 -08:00
Yogesh Tyagi 0feab39283 abseil-cpp: Set CMAKE_CXX_STANDARD to 17
The compiler defaults to C++ < 17 which causes build failures.
Abseil requires C++17 or higher, so explicitly set CMAKE_CXX_STANDARD=17
to ensure the build uses the correct C++ standard.

Error:
CMake Error at CMake/AbseilDll.cmake:745 (message):
  The compiler defaults to or is configured for C++ < 17.  C++ >= 17 is
  required and Abseil and all libraries that use Abseil must use the same C++
  language standard

Signed-off-by: Yogesh Tyagi <yogesh.tyagi@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:30 -08:00
Gyorgy Sarvari 7c54c935cb xrdp: upgrade 0.10.4.1 -> 0.10.5
Contains fix for CVE-2025-68670.
Drop patch that is included in this release.

Changelog:
Security fixes:
- CVE-2025-68670

New features:
- It is now possible to start the xrdp daemon entirely unprivileged from the service manager.
  If you do this certain restrictions will apply. See
  https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root for details.
- TLS pre-master secrets can now be recorded for packet captures
- Add a FuseRootReportMaxFree to work around 'no free space' issues with some file managers
- Alternate shell names can now be passed to startwm.sh in an environment variable for more
  system management control
- Updated Xorg paths in sesman.ini to include more recent distros
- Add Slovenian keyboard
- xrdpapi: Add a way to monitor connect/disconnect events

Bug fixes:
- Allow an empty X11 UTF8_STRING to be pasted to the clipboard
- Fix a regression introduced in v0.10.x, where it became impossible to connect to a VNC server
  which did not support the ExtendedDesktopSize encoding
- Fix a regression introduced in v0.10.x related to PAM groups handling
- Inconsistencies with [MS-RDPBCGR] have been addressed
- A reference to uninitialised data within the verify_user_pam_userpass.c module has been fixed
- Prevent some possible crashes when the RFX encoder is resized
- Fixes a regression introduced by GFX development which prevented the JPEG encoder from working
  correctly
- Fixes a regression introduced by #2974 which resulted in the xrdp PID file being deleted
  unexpectedly
- Do not overwrite a VNC port set by the user when not using sesman
- Fix regression from 0.9.x when freerdp client uses /workarea
- Fixes a crash where a resize is attempted with drdynvc disabled
- getgrouplist() now compiles on MacOS
- Various Coverity warnings have been addressed
- Documentation improvements

Internal changes:
- An unnecessary include of sys/signal.h causing a compile warning on MUSL-C has been removed

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:30 -08:00
Gyorgy Sarvari 9205d2c95e python3-pyjwt: upgrade 2.10.1 -> 2.11.0
Changelog: https://github.com/jpadilla/pyjwt/releases/tag/2.11.0
- Fixed type error in comment
- Make note of use of leeway with nbf
- Validate key against allowed types for Algorithm family
- Add iterator for PyJWKSet
- Add iss, issuer type checks
- Improve typing/logic for options in decode, decode_complete; Improve docs
- Map algorithm=None to "none"
- Correct PyJWKClient.get_signing_key_from_jwt annotation
- Fixed doc string typo in _validate_jti() function
- Update SECURITY.md
- Typing fix: use float instead of int for lifespan and timeout
- Fix TYP header documentation
- doc: Document claims sub and jti
- Resolve package build warnings
- Support Python 3.14, and test against PyPy 3.10+
- Fix a SyntaxWarning caused by invalid escape sequences
- Standardize CHANGELOG links to PRs
- Migrate from pep517, which is deprecated, to build
- Fix incorrectly-named test suite function
- Fix Read the Docs builds
- Escalate test suite warnings to errors
- Add pyupgrade as a pre-commit hook
- Simplify the test suite decorators
- Improve coverage config and eliminate unused test suite code
- Build a shared wheel once in the test suite
- Thoroughly test type annotations, and resolve errors
- Fix leeway value in usage documentation

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:30 -08:00
Gyorgy Sarvari 3988e13c0a python3-pyjwt: ignore CVE-2025-45768
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-45768

The CVE is disputed: though the vulnerability is there, it comes
from incorrect configuration of the library by the main application.

Due to this, ignore this CVE.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:30 -08:00
Gyorgy Sarvari 2865b67e29 proftpd: ignore CVE-2021-47865
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865

This CVE was opened based on a 5-year-old GitHub issue[1], and has been made
public recently. The CVE wasn't officially disputed (yet?), but based on
the description and the given PoC the application is working as expected.

The vulnerability description and the PoC basically configures proftpd to
accept maximum x connections, and then when the user tries to open x + 1
concurrent connections, it refuses new connections over the configured limit.

See also the discussion in the GitHub issue.

It seems that it won't be fixed, because there is nothing to fix.

[1]: https://github.com/proftpd/proftpd/issues/1298

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:29 -08:00
Gyorgy Sarvari c08c81ae29 ndpi: ignore CVE-2025-25066
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-25066

The vulnerable code was introduced in version 4.12[1], and
the recipe version is not vulnerable yet. Due to this,
ignore this CVE for now, until the recipe is upgraded.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:29 -08:00
Gyorgy Sarvari 5a74edf28b libcupsfilters: patch CVE-2025-64503
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64503

Pick the patch that explicitly references the CVE ID in its message.
(The NVD advisory mentions only the cups-filters patch, but
the developer indicated the CVE ID in the libcupsfilters patch also)

Between this recipe version and the patch the project has decided to
eliminate c++ from the project, and use c only. The patch however
is straightforward enough that it could be backported with very small
modifications.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:29 -08:00
Gyorgy Sarvari 1a31d20cea libcdio: upgrade 2.2.0 -> 2.3.0
Includes fix for CVE-2024-36600

Changelog: https://github.com/libcdio/libcdio/releases/tag/2.3.0

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:29 -08:00
Gyorgy Sarvari d92fa873e5 hiawatha: upgrade 11.7 -> 11.8
Drop patches that are included in this release.

Changes:
  * mbed TLS updated to 3.6.4.
  * Small bugfixes.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:29 -08:00
Gyorgy Sarvari 14f88522a1 gimp: mark CVE-2025-15059 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15059

The patch that is referenced by the NVD report has been backported[1]
to the recipe version, and is included already.

[1]: https://gitlab.gnome.org/GNOME/gimp/-/commit/c9eb407485f6c085adf70c8a334f75ea31565c60

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:28 -08:00
Gyorgy Sarvari 713739da29 fontforge: patch CVE-2025-15270
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15270

Pick the patch that mentions this vulnerability explicitly
in its description.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-02 19:54:39 -08:00
Gyorgy Sarvari dd81ffdb68 ez-ipupdate: patch CVE-2003-0887
Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887

The vulnerability is about the default (example) configurations,
which place cache files into the /tmp folder, that is world-writeable.
The recommendation would be to place them in a more secure folder.

The recipe however does not install these example configurations,
and as such it is not vulnerable either.

Just to make sure, patch these folders to a non-tmp folder
(and also install that folder, empty).

Some more discussion about the vulnerability:
https://bugzilla.suse.com/show_bug.cgi?id=48161

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-02 19:54:39 -08:00
Wang Mingyu e39458314e exiftool: upgrade 13.46 -> 13.48
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-02 19:54:39 -08:00
Wang Mingyu 9111684d67 cryptsetup: upgrade 2.8.3 -> 2.8.4
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-02 19:54:39 -08:00
Wang Mingyu 94e431dfa1 babl: upgrade 0.1.120 -> 0.1.122
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-02 19:54:38 -08:00