Changelog:
==========
- Sort certificates by underlying objects CKA_ID to provide deterministic
object order
- Avoid using uninitialized memory
- Improve test coverage and build scripts
- Improve compatibility with modern compilers (avoid strict warnings)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Major changes in 1.58.1
=======================
* cdda: Fix duration of last track for some media
* build: Fix build when google option is disabled
* Fix various memory leaks
* Some other fixes
* Translation updates
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Key changes
=============
* Fix crash due to not checking for failure to load icon
* Fix hangs setting FAT label when matches a root folder entry
* Erase file system signatures before all FileSystem copies
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Gimp 3.0.8's meson file detects the presence of libunwind incorrectly,
making it fail on some platforms (e.g. x86 + musl + clang), even when
libunwind is explicitly disabled:
| <snip>i686-oe-linux-musl-ld: app/core/libappcore.a.p/gimpbacktrace-linux.c.o: in function `gimp_backtrace_get_address_info':
| /usr/src/debug/gimp/3.0.8/../sources/gimp-3.0.8/app/core/gimpbacktrace-linux.c:708:(.text+0xbd7): undefined reference to `_ULx86_init_local'
This backported patch fixes this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Ptests passed successfully.
Dropped manpages PACKAGECONFIG: when it is enabled, it requires an executable that
is compiled from the project's source, but since it is cross-compiled, it is not
usable. The cmakefile also started to explicitly disable generating this tool
when cross-compiling is enabled.
Since this recipe has no native counterpart, and the manpages can't be generated
in this state, this option was removed.
Changes:
3.22.0:
- Complete overhaul of SDL client
- Introduction of new WINPR_ATTR_NODISCARD macro wrapping compiler or C language
version specific [[nodiscard]] attributes
- Addition of WINPR_ATTR_NODISCARD to (some) public API functions so usage errors
are producing warnings now
- Add some more stringify functions for logging
- CVE fixes: CVE-2026-23948, CVE-2026-24682, CVE-2026-24683, CVE-2026-24676,
CVE-2026-24677, CVE-2026-24678, CVE-2026-24684, CVE-2026-24679,
CVE-2026-24681, CVE-2026-24675, CVE-2026-24491, CVE-2026-24680
- [core,info] fix missing NULL check
- [gateway,tsg] fix TSG_PACKET_RESPONSE parsing
- Allow querying auth identity with kerberos when running as a server
- Sspi krb heimdal
- Tsg fix idleTimeout parsing
- [channels,smartcard] revert 649f7de
- [crypto] deprecate er and der modules
- [channels,rdpei] lock full update, not only parts
- [winpr,platform] add WINPR_ATTR_NODISCARD macro
- Wlog cleanup
- new stringify functions & touch API defines
- Add support for querying SECPKG_ATTR_PACKAGE_INFO to NTLM and Kerberos
- [channels,video] measure times in ns
- [utils] Nodiscard
- Error handling fixes
- [channels,drdynvc] check pointer before reset
- Winpr api def
- [winpr,platform] drop C23 [[nodiscard]]
- [gdi] add additional checks for a valid rdpGdi
- Sdl3 high dpiv2
- peer: Disconnect if Logon() returned FALSE
- [channels,rdpecam] fix PROPERTY_DESCRIPTION parsing
- [channel,rdpsnd] only clean up thread before free
- [channels,rdpei] add RDPINPUT_CONTACT_FLAG_UP
3.21.0:
- CVE fixes: CVE-2026-23530, CVE-2026-23531, CVE-2026-23532, CVE-2026-23533,
CVE-2026-23534, CVE-2026-23732, CVE-2026-23883, CVE-2026-23884
- [client,sdl] fix monitor resolution
- [codec,progressive] fix progressive_rfx_upgrade_block
- Krb cache fix
- Rdpdr improved checks
- Codec advanced length checks
- Glyph fix length checks
- Wlog printf format string checks
- [warnings,format] fix format string warnings
- Double free fixes
- [clang-tidy] clean up code warnings
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The majority of the ptests require the data/ directory, so
switch to using the git fetcher.
Testsuite summary
TOTAL: 1632
PASS: 1627
SKIP: 5
XFAIL: 0
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 268
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
A wrapper around the stdlib `tokenize` which roundtrips.
Dependency for python3-time-machine ptests.
Use git fetcher so we have tests/ and testing/resources/ for ptest.
Testsuite summary
TOTAL: 45
PASS: 45
SKIP: 0
XFAIL: 0
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 8
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Faker is a Python package that generates fake data for you. Whether you
need to bootstrap your database, create good-looking XML documents,
fill-in your persistence to stress test it, or anonymize data
taken from a production service, Faker is for you.
* Skip tests/pytest as this causes the 'pytests --automake' parser to fail
for some reason [1] and the handful of tests are of questionable extra value.
Testsuite summary
TOTAL: 2151
PASS: 2146
SKIP: 5
XFAIL: 0
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 39
Dependency for python3-orjson ptest.
[1] https://gitlab.com/rossburton/python-unittest-automake-output/-/issues/9
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update python3-orjson-crates.inc
Add patches to fix compilation for arm64/riscv64 by gating x86/x86_64 only
AVX512 feature(s). The approach has thus far been rejected by upstream:
https://github.com/ijl/orjson/pull/609.
Release Notes:
https://github.com/ijl/orjson/blob/master/CHANGELOG.md#3116---2026-01-29
* orjson now includes code licensed under the Mozilla Public License 2.0
(MPL-2.0).
* Drop support for Python 3.9.
* ABI compatibility with CPython 3.15 alpha 5.
* Build now depends on Rust 1.89 or later instead of 1.85.
* Fix sporadic crash serializing deeply nested list of dict.
* Show simple error message instead of traceback when attempting to build
on unsupported Python versions.
* ABI compatibility with CPython 3.15 alpha 1.
* Publish PyPI wheels for 3.14 and manylinux i686, manylinux arm7, manylinux
ppc64le, manylinux s390x.
* Build now requires a C compiler.
* Fix PyPI project metadata when using maturin 1.9.2 or later.
* Fix build using Rust 1.89 on amd64.
* Build now depends on Rust 1.85 or later instead of 1.82.
* Publish PyPI wheels for CPython 3.14.
* Fix str on big-endian architectures. This was introduced in 3.11.0.
* Use a deserialization buffer allocated per request instead of a shared
buffer allocated on import.
* ABI compatibility with CPython 3.14 beta 4.
* Fix incorrect escaping of the vertical tabulation character. This was
introduced in 3.10.17.
Comparing changes:
https://github.com/ijl/orjson/compare/3.10.17...3.11.6
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This patch isn't intended to introduce new behavior, rather it
changes the order of some existing LDFLAGS to fix a workaround that
stopped working at some point in the past.
LDFLAGS:x86 contains libatomic, because linking with this library
is required for this platform.
However when gyp links, it invokes the following (pseudo-)command:
$LD $LDFLAGS $RESOURCES_TO_LINK $EXTRA_LIBS $EXTRA_LDFLAGS
The EXTRA* arguments are coming from the gyp config. Since
LDFLAGS appears very early in the command, libatomic also
appears early amongst the resources, and the linker couldn't
find the relevant symbols when compiled for x86 platform (as
it was processed the very last):
| [...] undefined reference to `__atomic_compare_exchange'
Using this patch the library appears at the end, along with
the other EXTRA_LIBS, after the list of linked resources,
allowing linking to succeed.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The compiler defaults to C++ < 17 which causes build failures.
Abseil requires C++17 or higher, so explicitly set CMAKE_CXX_STANDARD=17
to ensure the build uses the correct C++ standard.
Error:
CMake Error at CMake/AbseilDll.cmake:745 (message):
The compiler defaults to or is configured for C++ < 17. C++ >= 17 is
required and Abseil and all libraries that use Abseil must use the same C++
language standard
Signed-off-by: Yogesh Tyagi <yogesh.tyagi@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Contains fix for CVE-2025-68670.
Drop patch that is included in this release.
Changelog:
Security fixes:
- CVE-2025-68670
New features:
- It is now possible to start the xrdp daemon entirely unprivileged from the service manager.
If you do this certain restrictions will apply. See
https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root for details.
- TLS pre-master secrets can now be recorded for packet captures
- Add a FuseRootReportMaxFree to work around 'no free space' issues with some file managers
- Alternate shell names can now be passed to startwm.sh in an environment variable for more
system management control
- Updated Xorg paths in sesman.ini to include more recent distros
- Add Slovenian keyboard
- xrdpapi: Add a way to monitor connect/disconnect events
Bug fixes:
- Allow an empty X11 UTF8_STRING to be pasted to the clipboard
- Fix a regression introduced in v0.10.x, where it became impossible to connect to a VNC server
which did not support the ExtendedDesktopSize encoding
- Fix a regression introduced in v0.10.x related to PAM groups handling
- Inconsistencies with [MS-RDPBCGR] have been addressed
- A reference to uninitialised data within the verify_user_pam_userpass.c module has been fixed
- Prevent some possible crashes when the RFX encoder is resized
- Fixes a regression introduced by GFX development which prevented the JPEG encoder from working
correctly
- Fixes a regression introduced by #2974 which resulted in the xrdp PID file being deleted
unexpectedly
- Do not overwrite a VNC port set by the user when not using sesman
- Fix regression from 0.9.x when freerdp client uses /workarea
- Fixes a crash where a resize is attempted with drdynvc disabled
- getgrouplist() now compiles on MacOS
- Various Coverity warnings have been addressed
- Documentation improvements
Internal changes:
- An unnecessary include of sys/signal.h causing a compile warning on MUSL-C has been removed
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog: https://github.com/jpadilla/pyjwt/releases/tag/2.11.0
- Fixed type error in comment
- Make note of use of leeway with nbf
- Validate key against allowed types for Algorithm family
- Add iterator for PyJWKSet
- Add iss, issuer type checks
- Improve typing/logic for options in decode, decode_complete; Improve docs
- Map algorithm=None to "none"
- Correct PyJWKClient.get_signing_key_from_jwt annotation
- Fixed doc string typo in _validate_jti() function
- Update SECURITY.md
- Typing fix: use float instead of int for lifespan and timeout
- Fix TYP header documentation
- doc: Document claims sub and jti
- Resolve package build warnings
- Support Python 3.14, and test against PyPy 3.10+
- Fix a SyntaxWarning caused by invalid escape sequences
- Standardize CHANGELOG links to PRs
- Migrate from pep517, which is deprecated, to build
- Fix incorrectly-named test suite function
- Fix Read the Docs builds
- Escalate test suite warnings to errors
- Add pyupgrade as a pre-commit hook
- Simplify the test suite decorators
- Improve coverage config and eliminate unused test suite code
- Build a shared wheel once in the test suite
- Thoroughly test type annotations, and resolve errors
- Fix leeway value in usage documentation
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865
This CVE was opened based on a 5 years old Github issue[1], and has been made
public recently. The CVE wasn't officially disputed (yet?), but based on
the description and the given PoC the application is working as expected.
The vulnerability description and the PoC basically configures proftpd to
accept maximum x connections, and then when the user tries to open x + 1
concurrent connections, it refuses new connections over the configured limit.
See also discussion in the Github issue.
It seems that it won't be fixed, because there is nothing to fix.
[1]: https://github.com/proftpd/proftpd/issues/1298
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64503
Pick the patch that explicitly refernces the CVE ID in its message.
(The NVD advisory mentions only the cups-filters patch, but
the developer indicated the CVE ID in the libcupsfilters patch also)
Between this recipe version and the patch the project has decided to
eliminate c++ from the project, and use c only. The patch however
is straightforward enough that it could be backported with very small
modifications.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop patches that are included in this release.
Changes:
* mbed TLS updated to 3.6.4.
* Small bugfixes.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887
The vulnerability is about the default (example) configurations,
which place cache files into the /tmp folder, that is world-writeable.
The recommendation would be to place them to a more secure folder.
The recipe however does not install these example configurations,
and as such it is not vulnerable either.
Just to make sure, patch these folders to a non-tmp folder
(and also install that folder, empty).
Some more discussion about the vulnerability:
https://bugzilla.suse.com/show_bug.cgi?id=48161
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
After the previous hash update the license file was not renamed,
which causes it to clash in the DL_DIR if it was already downloaded
with the previous hash.
This change renames the file to avoid this clash.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Starting with [https://github.com/libsdl-org/sdl2-compat/pull/536], it
is possible to compile without x11. Remove x11 from
REQUIRED_DISTRO_FEATURES
Changelog:
2.32.62:
This is a stable bugfix release, with the following changes:
Improved support for GNU/Hurd
Fixed crash if hidapi strings are not available
2.32.60:
This is a stable bugfix release, with the following changes:
Fixed crash at startup in Dwarf Fortress
Fixed crash at startup in Stellaris
Fixed mouse stuttering in Amiberry
Fixed the viewport not being reset when the window is resized
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This recipe is one of the successors of mime-support, which
provided mailcap and mime.types files. This recipe contains
only the mime.types portion.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This recipe is one of the successors of the mime-support, which
provided mailcap and mime.types files. This recipe contains
only the mailcap portion.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Debian has split this package into two sepatare packages:
media-types and mailcap. This package hasn't been updated
since 2020 (but the other two packages are regularly updated).
Beside this the SRC_URI has been inaccessible since a while also.
Drop this recipe (and substitute it with the up to date packages
in followup patches).
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop the patches that are included in this release.
License-Update: copyright year bump
Changelog:
1.22.2:
Fix a SPNEGO packet parsing bug which could cause GSS mechanism negotiation failure.
1.22.1:
Fix a vulnerability in GSS MIC verification [CVE-2025-57736]
1.22.0:
User experience
- The libdefaults configuration variable "request_timeout" can be set to limit the
total timeout for KDC requests. When making a KDC request, the client will now
wait indefinitely (or until the request timeout has elapsed) on a KDC which
accepts a TCP connection, without contacting any additional KDCs. Clients will
make fewer DNS queries in some configurations.
- The realm configuration variable "sitename" can be set to cause the client to
query site-specific DNS records when making KDC requests.
Administrator experience
- Principal aliases are supported in the DB2 and LMDB KDB modules and in the
kadmin protocol. (The LDAP KDB module has supported aliases since release 1.7.)
- UNIX domain sockets are supported for the Kerberos and kpasswd protocols.
- systemd socket activation is supported for krb5kdc and kadmind.
Developer experience
- KDB modules can be be implemented in terms of other modules using the new
krb5_db_load_module() function.
- The profile library supports the modification of empty profiles and the copying
of modified profiles, making it possible to construct an in-memory profile and
pass it to krb5_init_context_profile().
- GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to gss_init_sec_context()
to request strict enforcement of channel bindings by the acceptor.
Protocol evolution
- The PKINIT preauth module supports elliptic curve client certificates, ECDH key
exchange, and the Microsoft paChecksum2 field.
- The IAKERB implementation has been changed to comply with the most recent draft
standard and to support realm discovery.
- Message-Authenticator is supported in the RADIUS implementation used by the OTP
kdcpreauth module.
Code quality
- Removed old-style function declarations, to accomodate compilers which have
removed support for them.
- Added OSS-Fuzz to the project's continuous integration infrastructure.
- Rewrote the GSS per-message token parsing code for improved safety.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Delete patch that's included in this release.
Changelog:
- Add support for MbedTLS
- Add Reverse Proxy implementation
- Add support for wireless pairing (AppleTV)
- Embed 3rd party libraries for ed25519 and SRP6a
- Fixes in idevicedebug
- idevicecrashreport: Allow filtering crash reports by filename
- Add idevicedevmodectl tool
- Fixes for idevicebackup2
- Add property_list_client_get_service_client() and service_get_connection() functions
- Add idevicebtlogger
- Add new idevice_events_subscribe/unsubscribe API
- Move LIBIMOBILEDEVICE_API to public headers
- Add afc_strerror function
- Add libimobiledevice_version() function
- Use libimobiledevice-glue's SHA1 implementation
- Add support for iOS 17+ Personalized Developer Disk image mounting
- Fix compilation on MSVC
- Add idevice_strerror() to interface
- Add new idevice_get_device_version() to interface
- Add os_trace_relay service implementation
- Fixes for idevicesyslog
- afc: Add afc_get_file_info_plist and afc_get_device_info_plist functions
... and several other internal changes
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop patch to fix gcc15 compatibility - the problem has been solved by upstream.
Changelog:
- Update getaddrinfo options to support IPv6 hostname resolution
- Removed unnecessary _WIN64 conditional checks
- Fixed condition variable timed wait
- Support tls:// prefix
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Wang Mingyu
Ankur Tyagi
Gyorgy Sarvari
Mingli Yu
Tim Orling
Etienne Cordonnier
Gianfranco Costamagna
Yogesh Tyagi
Markus Volk
Peter Marko