ipmitool: disable download of PEN list in Makefile

This commit allows building the package without downloading enterprise
numbers from the IANA PEN registry. This enables offline builds and
reduces storage usage, especially on devices with limited space.

Signed-off-by: Oliver Sedlbauer <[email protected]>

ipmitool: add option to disable registry download

Upstream backport

Signed-off-by: Oliver Sedlbauer <[email protected]>

ipmitool: do not require IANA PEN registry

Upstream backport

Signed-off-by: Oliver Sedlbauer <[email protected]>

lua-eco: update to 3.8.0

Signed-off-by: Jianhui Zhao <[email protected]>

netbird: update to 0.40.0

changelog: https://github.com/netbirdio/netbird/releases/tag/v0.40.0

Signed-off-by: Wesley Gimenes <[email protected]>

v2raya: Update to 2.2.6.7

Signed-off-by: Tianling Shen <[email protected]>

alist: Update to 3.44.0

Signed-off-by: Tianling Shen <[email protected]>

inih: Update to r59

Signed-off-by: Tianling Shen <[email protected]>

strongswan: DHCP on lo fixes backport

Fixes #25801. Adds the following commits to fix DHCP behaviour on
Strongswan 5.9.14:

 - https://github.com/strongswan/strongswan/commit/abbf9d28b0032cf80b79bcacea3146a60800a6dd
 - https://github.com/strongswan/strongswan/commit/00d8c36d6fdf9e8ee99b9f92a64e7e81dbfa4432
 - https://github.com/strongswan/strongswan/commit/a50ed3006e8152eb2cf20e9f92f088ecc18081b0

Signed-off-by: Joel Low <[email protected]>

expat: bump to 2.7.1 to fix several CVEs

Addresses CVE-2024-8176 and CVE-2024-50602.

Full changelog linked below.

Changelog: https://github.com/libexpat/libexpat/blob/R_2_7_1/expat/Changes
Fixes: https://github.com/openwrt/packages/issues/26255
Fixes: https://github.com/advisories/GHSA-9hcv-xw76-m4h6
Fixes: https://github.com/advisories/GHSA-79wf-qgrg-2p6c
Signed-off-by: George Sapkin <[email protected]>

nano: Update to 8.4

Update nano edit to version 8.4.

Add configure flags to overcome upstream bug 66978, where the newly added
gnulib module for strcasecmp always fails in the configure step when
cross-compiling.
https://savannah.gnu.org/bugs/?66978
https://github.com/coreutils/gnulib/commit/b2927d1b1fa3fb09a2210a3df5691f7d48d6151b

The added flags disable the strcasecmp function from gnulib.
If upstream (gnulib?) fixes things later, the flags should be removed.

Signed-off-by: Hannu Nyman <[email protected]>

zerotier: add patch to support miniupnpc 2.2.8

Signed-off-by: Moritz Warning <[email protected]>

znc: update to use SOURCE_VERSION for submodule download

Commit 9fc79e2e2622 ("download: don't overwrite VERSION variable")
changed the variable for direct download call from VERSION to
SOURCE_VERSION.

This cause the dl_github_archive script to pass empty value for
--version arg making it always clone HEAD.

Correctly update the variable to SOURCE_VERSION to actually clone the
expected commit HASH.

Signed-off-by: Christian Marangi <[email protected]>

crun: update to use SOURCE_VERSION for submodule download

Commit 9fc79e2e2622 ("download: don't overwrite VERSION variable")
changed the variable for direct download call from VERSION to
SOURCE_VERSION.

This cause the dl_github_archive script to pass empty value for
--version arg making it always clone HEAD.

Correctly update the variable to SOURCE_VERSION to actually clone the
expected commit HASH.

Signed-off-by: Christian Marangi <[email protected]>

nvme-cli: update to 1.12

Bump to latest upstream release.

Removed upstreamed: 021-pligins-netapp-add-include-of-libgen.h-for-basename.patch
Manually rebased: 010-gcc14.patch

Build system: x86/64
Build-tested: x86/64
Run-tested: x86/64

Signed-off-by: John Audia <[email protected]>

libnvme: update to 1.12

New version requires liburing as a new dependency. To avoid a build error
where mock.c is using glibc's function sig, disabled build tests since
builds are done with musl libc.

Signed-off-by: John Audia <[email protected]>

gping: drop package

Reasons to drop:
- an unresolved issue which prevents updating gping to latest version.
  gping now relies on support for fractional timespan of 'sleep', which
  isn't enabled in main OpenWrt repository
- there are probably only few users of this package, if any, and I'm not
  a user anymore either
- there are other equal or better tools for the same purpose

Signed-off-by: Jonas Jelonek <[email protected]>

adguardhome: increase UDP send/receive buffers

Link: https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
Signed-off-by: George Sapkin <[email protected]>

golang: bump to 1.24.2

go1.24.2 (released 2025-04-01) includes security fixes to the net/http
package, as well as bug fixes to the compiler, the runtime, the go
command, and the crypto/tls, go/types, net/http, and testing packages.

Link: https://github.com/golang/go/issues?q=milestone%3AGo1.24.2+label%3ACherryPickApproved
Signed-off-by: George Sapkin <[email protected]>

openvpn: update to 2.6.14

Security fixes:

​CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
 Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made
 to abort with an ASSERT() message by sending a particular combination of authenticated and
 malformed packets. No crypto integrity is violated, no data is leaked, and no remote code
 execution is possible. This bug does not affect OpenVPN clients.

For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.14/Changes.rst

Signed-off-by: Ivan Pavlov <[email protected]>

lighttpd: update to lighttpd 1.4.79 release hash

Signed-off-by: Glenn Strauss <[email protected]>

lpac: Refresh 0001-driver-add-uqmi-backend.patch

Signed-off-by: Ryan Press <[email protected]>

lpac: Add support for MBIM backend

Signed-off-by: Ryan Press <[email protected]>

patch: update to v2.8

Delete patches already upstream.

Signed-off-by: Russell Senior <[email protected]>

netbird: update to 0.39.2

changelog: https://github.com/netbirdio/netbird/releases/tag/v0.39.2

Signed-off-by: Wesley Gimenes <[email protected]>

croc: update to 10.2.2

release notes:
https://github.com/schollz/croc/releases/tag/v10.2.2

Signed-off-by: Jonas Jelonek <[email protected]>

eza: update to 0.21.0

[release notes]
0.20.21: https://github.com/eza-community/eza/releases/tag/v0.20.21
0.20.22: https://github.com/eza-community/eza/releases/tag/v0.20.22
0.20.23: https://github.com/eza-community/eza/releases/tag/v0.20.23
0.20.24: https://github.com/eza-community/eza/releases/tag/v0.20.24
0.21.0:  https://github.com/eza-community/eza/releases/tag/v0.21.0

Signed-off-by: Jonas Jelonek <[email protected]>

acme-common: update PKG_RELEASE

Signed-off-by: Florian Eckert <[email protected]>

acme: remove crontab entry if service is stopped

Until now it was not possible to stop the acme service, because the handling
was done via cron. With this change, the acme handler can now be stopped by
calling '/etc/init.d/acme' stop. This call removes the entry from the crontab.

Signed-off-by: Florian Eckert <[email protected]>

acme: remove lock handling

Since procd is now used, the call of '/etc/init.d/acme' does not have to be
locked separately. This code block can therefore be removed.

Signed-off-by: Florian Eckert <[email protected]>

acme: fix service_triggers on config change

In the current implementation, the config change trigger is no longer set
at boot time. This is because during boot, only the '$CHALLENGE_DIR' is
created with the boot function. The 'start_service' is first called by first
cron call at midnight. This call is installing the service_triggers reload
handling.

To fix this, add a new extra_command 'renew' that is responsible to renew
the acme. This function is called from cron and the start_service
function does the rest.

* Create directories
* Install service reload trigger form acme config change

Fixes: 76f17ab15b (acme-common: Create challenge directory on boot)
Signed-off-by: Florian Eckert <[email protected]>

ddns-scripts: always use the 'ps' output from busybox

The 'ps' command from 'procps-ng' is used in favour of 'ps' from 'busybox'
when 'procps-ng' is installed. The problem is that the outputs are not
compatible and the ‘grep’ is different for further processing. To fix this,
always use the 'ps' command from 'busybox'.

Signed-off-by: Florian Eckert <[email protected]>

ddns-scripts: fix ddns-scripts-scaleway description

ddns-scripts-scaleway description section was not defined as such and was
overriding the package definition leading to:
Makefile:839: *** missing separator.  Stop.

Fixes: a7867016c84c ("ddns-scripts: add support for Scaleway DNS")
Signed-off-by: Robert Marko <[email protected]>

modemmanager: fix pending mmcli calls for ModemManager-monitor script

If the ModemManager is stopped via '/etc/init.d/modemmanager', mmcli calls
always remain in the process list. This is because the ModemManager-monitor
call is not terminated properly, as the kill signals are not handled
correctly in the startup script for mmcli.

To fix this, the signal handling is refactored.

Signed-off-by: Florian Eckert <[email protected]>

modemmanager: add missing mmcli timeout option during ubus call

The default 'timeout' value is 30 seconds when calling an mmcli action. That
is too long. For this reason, the mmcli 'timeout' option is specified for
calls and the value is set to 10 seconds.

Signed-off-by: Florian Eckert <[email protected]>

ddns-scripts: fix typo in package name

Signed-off-by: Lars Kaiser <[email protected]>

ddns-scripts: add support for Scaleway DNS

Signed-off-by: Lars Kaiser <[email protected]>

wfb-ng: Update to release 25.01

1) FEC optimizations
2) Add tunnel daemon
3) Add wfb_tx_cmd utility

Signed-off-by: Vasily Evseenko <[email protected]>

tailscale: update to 1.82.0

Signed-off-by: Sandro Jäckel <[email protected]>

exim: update to 4.98.2

Fixes CVE-2025-26794 (SQL injection when using SQLite for ETRN hints)

Signed-off-by: Daniel Golle <[email protected]>

banIP: update 1.5.5-2

* fixed a JSON reporting issue (when the map and NFT counters are disabled)
* optimized the getfetch function call within the reporting function
* removed the stale IPv6 links in the becyber feed
* cosmetics

Signed-off-by: Dirk Brenken <[email protected]>

antiblock: Update to 2.1.2

1) Fixed a bug, specifying the sniffer port did not work

Signed-off-by: Khachatryan Karen <[email protected]>

banIP: release 1.5.5-1

* added a geoIP Map to show home IPs and potential attacker IPs on a leafletjs based map
* significantly improved the reporting performance on multicore hardware
* removed aria2 support (it doesn't support post data requests)
* removed the following outbound feeds due to too many false positives:
   adaway, adguard, adguardtrackers, antipopads, oisdbig, oisdnsfw, oisdsmall, stevenblack and yoyo
* renamed the banIP command "survey" to "content"
* various other small tweaks
* update the readme

Signed-off-by: Dirk Brenken <[email protected]>

icu: bump to 77.1

ICU 77 is mostly focused on bug fixes, segmentation conformance, and other refinements.

The Java technology preview implementation of the CLDR MessageFormat 2.0 specification has been updated to incorporate the CLDR 46.1 spec plus most but not all of the CLDR 47 changes.
The C++ technology preview implementation of MessageFormat 2.0 is not yet quite up to date with CLDR 46.1.

Signed-off-by: Hirokazu MORIKAWA <[email protected]>

netbird: update to 0.39.1

changelog: https://github.com/netbirdio/netbird/releases/tag/v0.39.1

Signed-off-by: Wesley Gimenes <[email protected]>

tailscale: assign PKG_CPE_ID

Link: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.2&orderBy=2.2&keyword=cpe%3A2.3%3Aa%3Atailscale%3Atailscale&status=FINAL
Link: https://github.com/openwrt/packages/issues/8534
Signed-off-by: George Sapkin <[email protected]>

tor: update to 0.4.8.16 stable

Minor release, see the changelog [1] for what's new.

[1] https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.8.16/ChangeLog

Signed-off-by: Rui Salvaterra <[email protected]>

zoneinfo: Updated to 2025b release.

Signed-off-by: Vladimir Ulrich <[email protected]>

nvme-cli: update to 2.11

Bump to latest upstream release.

Removed upstreamed: 020-replace_uint16_t
Manually rebased: 010-gcc14.patch

To fix the following build error, added two commits from upstream:
020-nvme-print-add-fallback-for-.patch
021-pligins-netapp-add-include-of-libgen.h-for-basename.patch

Tested the resulting binary and it seems fine:
% nvme smart-log /dev/nvme0 | grep "temperature"
temperature : 42 °C (315 K)

Link to upstream issue: https://github.com/linux-nvme/nvme-cli/issues/2743

Build error:
../nvme-print.c: In function 'is_temperature_fahrenheit':
../nvme-print.c:805:19: error: 'LC_MEASUREMENT' undeclared (first use in this function)
  805 |         setlocale(LC_MEASUREMENT, "");
      |                   ^~~~~~~~~~~~~~
../nvme-print.c:805:19: note: each undeclared identifier is reported only once for each function it appears in

Build system: x86/64
Build-tested: x86/64
Run-tested: x86/64

Signed-off-by: John Audia <[email protected]>

libnvme: update to 1.11.1

New upstream release

Signed-off-by: John Audia <[email protected]>

keepalived: bump to 2.3.2

This requires backporting two upstream commits to avoid a segfault
due to the /etc/iproute2/rt_addrprotos.d and
/usr/share/iproute2/rt_addrprotos.d directories not existing on OpenWrt,
and the following compile error:

In file included from /home/stijn/Development/OpenWrt/openwrt/staging_dir/toolchain-powerpc64_e5500_gcc-13.3.0_musl/include/net/ethernet.h:10,
                 from vrrp.c:44:
/home/stijn/Development/OpenWrt/openwrt/staging_dir/toolchain-powerpc64_e5500_gcc-13.3.0_musl/include/netinet/if_ether.h:115:8: error: redefinition of 'struct ethhdr'
  115 | struct ethhdr {
      |        ^~~~~~
In file included from vrrp.c:43:
/home/stijn/Development/OpenWrt/openwrt/staging_dir/toolchain-powerpc64_e5500_gcc-13.3.0_musl/include/linux/if_ether.h:173:8: note: originally defined here
  173 | struct ethhdr {
      |        ^~~~~~

Signed-off-by: Stijn Tintel <[email protected]>

antiblock: Update to 2.1.1

1) Fixed a bug that not all routers were deleted.
2) Log updated.
3) The "output" option has been removed from the service, it is now /tmp/antiblock

Signed-off-by: Khachatryan Karen <[email protected]>

alist: Update to 3.43.0

Signed-off-by: Tianling Shen <[email protected]>

dnsproxy: Update to 0.75.2

Signed-off-by: Tianling Shen <[email protected]>

netbird: update to 0.38.2

changelog: https://github.com/netbirdio/netbird/releases/tag/v0.38.2

Signed-off-by: Wesley Gimenes <[email protected]>

snowflake: update to 2.11.0

ChangeLog:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/commit/6472bd86cdd5d13fe61dc851edcf83b03df7bda1

Signed-off-by: Nick Hainke <[email protected]>

adguardhome: bump to 0.107.59

Use prebuilt frontend and drop node/host depenendency as a result.

Changelog: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.59
Signed-off-by: George Sapkin <[email protected]>

adguardhome: bump to 0.107.58

Changelog: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.58
Signed-off-by: George Sapkin <[email protected]>

adguardhome: assign PKG_CPE_ID

Link: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=2.3&keyword=cpe%3A2.3%3Aa%3Aadguard%3Aadguardhome
Link: https://github.com/openwrt/packages/issues/8534
Signed-off-by: George Sapkin <[email protected]>

adguardhome: add CI version check

Signed-off-by: George Sapkin <[email protected]>

lighttpd: update to lighttpd 1.4.78 release hash

Signed-off-by: Glenn Strauss <[email protected]>

gnutls: Update to version 3.8.9

All patches refreshed.

Verbatim copy from upstream's NEWS file:

* Version 3.8.9 (released 2025-02-07)

** libgnutls: leancrypto was added as an interim option for PQC
   The library can now be built with leancrypto instead of liboqs for
   post-quantum cryptography (PQC), when configured with
   --with-leancrypto option instead of --with-liboqs.

** libgnutls: Experimental support for ML-DSA signature algorithm
   The library and certtool now support ML-DSA signature algorithm as
   defined in FIPS 204 and based on
   draft-ietf-lamps-dilithium-certificates-04. This feature is
   currently marked as experimental and can only be enabled when
   compiled with --with-leancrypto or --with-liboqs.
   Contributed by David Dudas.

** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
   The support for ML-KEM post-quantum key encapsulation mechanisms
   has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
   MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
   draft-kwiatkowski-tls-ecdhe-mlkem-03.

** libgnutls: Fix potential DoS in handling certificates with numerous name
   constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
   bundled copy of libtasn1 has also been updated to the latest 4.20.0
   release to complete the fix.  Reported by Bing Shi (#1553).
   [GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]

** API and ABI modifications:
GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t
GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t

* Version 3.8.8 (released 2024-11-05)

** libgnutls: Experimental support for X25519MLKEM768 and SecP256r1MLKEM768 key exchange in TLS 1.3
   The support for post-quantum key exchanges has been extended to
   cover the final standard of ML-KEM, following
   draft-kwiatkowski-tls-ecdhe-mlkem. The minimum supported version of
   liboqs is bumped to 0.11.0.

** libgnutls: All records included in an OCSP response are now checked in TLS
   Previously, when multiple records are provided in a single OCSP
   response, only the first record was considered; now all those
   records are examined until the server certificate matches.

** libgnutls: Handling of malformed compress_certificate extension is now more standard compliant
   The server behavior of receiving a malformed compress_certificate
   extension now more strictly follows RFC 8879; return
   illegal_parameter alert instead of bad_certificate, as well as
   overlong extension data is properly rejected.

** build: More flexible library linking options for compression libraries, TPM, and liboqs support
   The configure options, --with-zstd, --with-brotli, --with-zlib,
   --with-tpm2, and --with-liboqs now take 4 states:
   yes/link/dlopen/no, to specify how the libraries are linked or
   loaded.

** API and ABI modifications:
No changes since last version.

* Version 3.8.7 (released 2024-08-15)

** libgnutls: New configure option to compile out DSA support
   The --disable-dsa configure option has been added to completely disable DSA
   algorithm support.

** libgnutls: Experimental support for X25519Kyber768Draft00 key exchange in TLS
   For testing purposes, the hybrid post-quantum key exchange defined
   in draft-tls-westerbaan-xyber768d00 has been implemented using
   liboqs. Since the algorithm is still not finalized, the support of
   this key exchange is disabled by default and can be enabled with
   the --with-liboqs configure option.

** API and ABI modifications:
GNUTLS_PK_MLKEM768: New enum member of gnutls_pk_algorithm_t

* Version 3.8.6 (released 2024-07-03)

** libgnutls: PBMAC1 is now supported as a MAC mechanism for PKCS#12
   To be compliant with FIPS 140-3, PKCS#12 files with MAC based on
   PBKDF2 (PBMAC1) is now supported, according to the specification
   proposed in draft-ietf-lamps-pkcs12-pbmac1.

** libgnutls: SHA3 extendable output functions (XOF) are now supported
   SHA3 XOF, SHAKE128 and SHAKE256, are now usable through a new
   public API gnutls_hash_squeeze.

** API and ABI modifications:
gnutls_pkcs12_generate_mac3: New function
gnutls_pkcs12_flags_t: New enum
gnutls_hash_squeeze: New function

Compile tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09
Compile tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09
Compile tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09
Run tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09, booted and used for 7h without issues

Signed-off-by: Pascal Ernster <[email protected]>

bind: bump to 9.20.7

Verbatim copy from upstream's release notes:

Notes for BIND 9.20.7

- New Features
  - Implement the min-transfer-rate-in configuration option.
  - A new option min-transfer-rate-in has been added to the view and zone configurations. It can abort incoming zone transfers that run very slowly due to network-related issues, for example. The default value is 10240 bytes in five minutes. [GL #3914]
  - Add HTTPS record query to host command line tool.
  - The host command was extended to also query for the HTTPS RR type by default.
  - Implement sig0key-checks-limit and sig0message-checks-limit.
  - Previously, a hard-coded limitation of a maximum of two key or message verification checks was introduced when checking a message’s SIG(0) signature, to protect against possible DoS attacks. Two as a maximum was chosen so that more than a single key should only be required during key rotations, and in that case two keys are enough. It later became apparent that there are other use cases where even more keys are required; see the related GitLab issue for examples.
  - This change introduces two new configuration options for the views: sig0key-checks-limit and sig0message-checks-limit. They define how many keys can be checked to find a matching key, and how many message verifications are allowed to take place once a matching key has been found. The former provides slightly less “expensive” key parsing operations and defaults to 16. The latter protects against expensive cryptographic operations when there are keys with colliding tags and algorithm numbers; the default is 2. [GL #5050]
- Bug Fixes
  - Fix dual-stack-servers configuration option.
  - The dual-stack-servers configuration option was not working as expected; the specified servers were not being used when they should have been, leading to resolution failures. This has been fixed. [GL #5019]
  - Fix a data race causing a permanent active client increase.
  - Previously, a data race could cause a newly created fetch context for a new client to be used before it had been fully initialized, which would cause the query to become stuck; queries for the same data would be either paused indefinitely or dropped because of the clients-per-query limit. This has been fixed. [GL #5053]
  - Fix deferred validation of unsigned DS and DNSKEY records.
  - When processing a query with the “checking disabled” bit set (CD=1), named stores the invalidated result in the cache, marked “pending”. When the same query is sent with CD=0, the cached data is validated and either accepted as an answer, or ejected from the cache as invalid. This deferred validation was not attempted for DS and DNSKEY records if they had no cached signatures, causing spurious validation failures. The deferred validation is now completed in this scenario.
  - Also, if deferred validation fails, the data is now re-queried to find out whether the zone has been corrected since the invalid data was cached. [GL #5066]
  - Fix RPZ race condition during a reconfiguration.
  - With RPZ in use, named could terminate unexpectedly because of a race condition when a reconfiguration command was received using rndc. This has been fixed. [GL #5146]
  - “CNAME and other data check” not applied to all types.
  - An incorrect optimization caused “CNAME and other data” errors not to be detected if certain types were at the same node as a CNAME. This has been fixed. [GL #5150]
  - Relax private DNSKEY and RRSIG constraints.
  - DNSKEY, KEY, RRSIG, and SIG constraints have been relaxed to allow empty key and signature material after the algorithm identifier for PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within the expected use of these types, as no key material is shared and the signatures are ineffective, but these are private algorithms and they can be totally insecure. [GL #5167]
  - Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
  - Previously, when parsing responses, named incorrectly rejected responses without matching RRSIG records for NSEC/DS/NSEC3 records in the authority section. This rejection, if appropriate, should have been left for the validator to determine and has been fixed. [GL #5185]
  - Fix TTL issue with ANY queries processed through RPZ “passthru”.
  - Answers to an “ANY” query which were processed by the RPZ “passthru” policy had the response-policy’s max-policy-ttl value unexpectedly applied. This has been fixed. [GL #5187]
  - dnssec-signzone needs to check for a NULL key when setting offline.
  - dnssec-signzone could dereference a NULL key pointer when resigning a zone. This has been fixed. [GL #5192]
  - Fix a bug in the statistics channel when querying zone transfer information.
  - When querying zone transfer information from the statistics channel, there was a rare possibility that named could terminate unexpectedly if a zone transfer was in a state when transferring from all the available primary servers had failed earlier. This has been fixed. [GL #5198]
  - Fix assertion failure when dumping recursing clients.
  - Previously, if a new counter was added to the hash table while dumping recursing clients via the rndc recursing command, and fetches-per-zone was enabled, an assertion failure could occur. This has been fixed. [GL #5200]
  - Dump the active resolver fetches from dns_resolver_dumpfetches()
  - Previously, active resolver fetches were only dumped when the fetches-per-zone configuration option was enabled. Now, active resolver fetches are dumped along with the number of clients-per-query counters per resolver fetch.

Notes for BIND 9.20.6

- New Features
  - Adds support for EDE code 1 and 2.
  - Support was added for EDE codes 1 and 2, which might occur during DNSSEC validation in the case of an unsupported RRSIG algorithm or DNSKEY digest. [GL #2715]
  - Add an rndc command to toggle jemalloc profiling.
  - The new command is rndc memprof; the memory profiling status is also reported inside rndc status. The status shows whether named can toggle memory profiling, and whether the server is built with jemalloc. [GL #4759]
  - Add support for multiple extended DNS errors.
  - The Extended DNS Error (EDE) mechanism may raise errors during a DNS resolution. named is now able to add up to three EDE codes in a DNS response. If there are duplicate error codes, only the first one is part of the DNS response. [GL #5085]
  - Print the expiration time of stale records.
  - BIND now prints the expiration time of any stale RRsets in the cache dump.
- Bug Fixes
  - Recently expired records could be returned with a timestamp in future.
  - Under rare circumstances, an RRSet that expired at the time of the query could be returned with a TTL in the future. This has been fixed.
  - As a side effect, the expiration time of expired RRSets is no longer returned in a cache dump. [GL #5094]
  - YAML string not terminated in negative response in delv.
  - [GL #5098]
  - Fix a bug in dnssec-signzone related to keys being offline.
  - When dnssec-signzone was called on an already-signed zone and the private key file was unavailable, a signature that needed to be refreshed was dropped without being able to generate a replacement. This has been fixed. [GL #5126]
  - Apply the memory limit only to ADB database items.
  - Under heavy load, a resolver could exhaust the memory available for storing the information in the Address Database (ADB), effectively discarding previously stored information in the ADB. The memory used to retrieve and provide information from the ADB is no longer subject to the same memory limits that are applied to the Address Database. [GL #5127]
  - Avoid unnecessary locking in the zone/cache database.
  - Lock contention among many worker threads referring to the same database node at the same time is now prevented. This improves zone and cache database performance for any heavily contended database nodes. [GL #5130]
  - Fix reporting of Extended DNS Error 22 (No Reachable Authority).
  - This error code was previously not reported in some applicable situations. This has been fixed. [GL #5137]

Compile tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09
Compile tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09
Compile tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09
Run tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09, booted and used for 7h without issues

Signed-off-by: Pascal Ernster <[email protected]>

coreutils: apply PKG_FIXUP conditionally

PKG_FIXUP:=autoreconf introduced in this commit[1] to fix builds with GCC 14
does not play well with GCC 13. Apply it conditionally.

I build some coreutils packages under GCC 13 and again under GCC 14 and both
completed successfully.

Build system: x86/64
Build-tested: x86/64

Fixes https://github.com/openwrt/packages/issues/26175

1. https://github.com/openwrt/packages/commit/b1a648e1ff60932e2b8f65479da3059d1c1b8b58

Signed-off-by: John Audia <[email protected]>

adblock: update 4.2.7-3

* fixed a reversed domain output when TLD compression is disabled (reported in the forum)
* removed abandoned antipopads source
* added three energized source variants (blu, spark, ultimate)

Signed-off-by: Dirk Brenken <[email protected]>

coreutils: Add PKG_FIXUP:=autoreconf and bump PKG_RELEASE

This fixes the build on GCC 14 and solves issue https://github.com/openwrt/packages/issues/26175

Maintainer: @hnyman
Compile tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09
Compile tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09
Compile tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09
Run tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09, booted and used for 7h without issues

Signed-off-by: Pascal Ernster <[email protected]>

antiblock: Update to 2.1.0

1) Added the ability to route different domains through different gateways, up to 32 routes.
2) The program has been switched from proxying mode to sniffer mode.
3) Blacklist has been added so that the specified subnets are not added to the routing table.

Signed-off-by: Khachatryan Karen <[email protected]>

snort3: update to 3.7.1.0

Changelog: https://github.com/snort3/snort3/releases/tag/3.7.1.0

Signed-off-by: John Audia <[email protected]>

libdaq3: update to 3.0.19

Update to latest version.

Changelog: https://github.com/snort3/libdaq/releases/tag/v3.0.19

Signed-off-by: John Audia <[email protected]>

haproxy: update to v3.0.9

- Update haproxy PKG_VERSION and PKG_HASH
- See changes: http://git.haproxy.org/?p=haproxy-3.0.git;a=shortlog

Signed-off-by: Christian Lachner <[email protected]>

knot: update to version 3.4.5

Signed-off-by: Jan Hák <[email protected]>

fsh: update to 4.9.0

Signed-off-by: Ray Wang <[email protected]>

treewide: drop node module packages

https://github.com/openwrt/packages/pull/26116
We will no longer be building packages for various target architectures for node.js.

I will be dropping node-related packages that are no longer needed for this reason.

You can still use hostpkg's node.js as a build tool, so you can still use yarn and javascript-obfuscator as before.

Signed-off-by: Hirokazu MORIKAWA <[email protected]>

curl: add new option HTTP AUTH

The '--enable-http-auth' compile option in cURL is used to enable support
for HTTP authentication methods. This option allows cURL to handle various
authentication schemes, such as Basic, Digest, NTLM, and others, which
are commonly used in HTTP requests to secure access to resources.

This cURL compile option is default disabled. This should at least be enabled
as a compile option in OpenWrt so that it can be switched on if needed.

Signed-off-by: Florian Eckert <[email protected]>

dockerd: fix build issue with custom core.abbrev value in .gitconfig

As documented by "man git-rev-parse", the "--short" option shortens
commit sha1sums to at least "length" characters, equal to core.abbrev if
that is specified in ~/.gitconfig.

The development processes of some other open source projects require
having a

[core]
abbrev = 12

in the .gitconfig, which is incompatible with the way in which docker
wants PKG_GIT_SHORT_COMMIT.

On my system, I get these errors:

  make[3]: Entering directory 'feeds/packages/utils/dockerd'
  (...)
  # Verify CLI is the same version
  ( CLI_MAKEFILE="../docker/Makefile"; CLI_VERSION=$( grep --only-matching --perl-regexp '(?<=PKG_VERSION:=)(.*)' "${CLI_MAKEFILE}" ); if [ "${CLI_VERSION}" != "27.3.1" ]; then echo "ERROR: Expected 'PKG_VERSION:=27.3.1' in '${CLI_MAKEFILE}', found 'PKG_VERSION:=${CLI_VERSION}'"; exit 1; fi )
  # Verify PKG_GIT_SHORT_COMMIT
  ( EXPECTED_PKG_GIT_SHORT_COMMIT=$( feeds/packages/utils/dockerd/git-short-commit.sh 'github.com/moby/moby' 'v27.3.1' 'tmp/git-short-commit/dockerd-27.3.1' ); if [ "${EXPECTED_PKG_GIT_SHORT_COMMIT}" != "41ca978" ]; then echo "ERROR: Expected 'PKG_GIT_SHORT_COMMIT:=${EXPECTED_PKG_GIT_SHORT_COMMIT}', found 'PKG_GIT_SHORT_COMMIT:=41ca978'"; exit 1; fi )
  Trying remote 'github.com/moby/moby'
  fatal: 'github.com/moby/moby' does not appear to be a git repository
  fatal: Could not read from remote repository.

  Please make sure you have the correct access rights
  and the repository exists.
  Trying remote 'https://github.com/moby/moby'
  remote: Enumerating objects: 11117, done.
  From https://github.com/moby/moby
   * tag                         v27.3.1    -> FETCH_HEAD
  HEAD is now at 41ca978a0a54 Merge pull request #48525 from thaJeztah/27.x_backport_govulncheck_permissions
  ERROR: Expected 'PKG_GIT_SHORT_COMMIT:=41ca978a0a54', found 'PKG_GIT_SHORT_COMMIT:=41ca978'
  make[3]: *** [Makefile:198: build_dir/target-aarch64_generic_glibc/dockerd-27.3.1/.prepared_d76b59f2eb81424899b1fbb9e44f77e2_6664517399ebbbc92a37c5bb081b5c53] Error 1
  make[3]: Leaving directory 'feeds/packages/utils/dockerd'
  time: package/feeds/packages/dockerd/compile#1.71#1.18#5.38
      ERROR: package/feeds/packages/dockerd failed to build.

Since --short supports a length argument, use that to break the
dependency on the system .gitconfig.

Signed-off-by: Vladimir Oltean <[email protected]>

docker-compose: Update to version 2.34.0

Release notes:
https://github.com/docker/compose/releases/tag/v2.34.0

Signed-off-by: Javier Marcet <[email protected]>

hev-socks5-tunnel: update to 2.10.0

Signed-off-by: Ray Wang <[email protected]>

stress-ng: bump to version 0.18.11

Also fixes MIPS builds.
Seems there is some inline assembly that won't work with MIPS16
instructions.

Signed-off-by: Alexandru Ardelean <[email protected]>

net/arp-scan: Disable promiscuous mode

If you run the arp-scan tool cyclically, the kernel messages for
promiscuous mode are very annoying.

This backports an upstream patch to disable the unnecessary promiscuous
mode in arp-scan.

Signed-off-by: Martin Schiller <[email protected]>

Unbound: Fixed: local-data except IPv6 GA addresses with odhcpd

issue #25954

Signed-off-by: hingbong lo <[email protected]>

hev-socks5-tproxy: update to 2.8.0

Signed-off-by: Ray Wang <[email protected]>

natmap: update to 20250318

Signed-off-by: Ray Wang <[email protected]>

pptpd: Fix secrets update

Clear pptp-server existing logins from CHAP_SECRETS file before adding new login data.

Signed-off-by: Thiago Pereira Ricciardi <[email protected]>

htop: tell which variant of ncurses to look for

Signed-off-by: Maxim Storchak <[email protected]>

coreutils: Adjust coreutils dependency in each app to be selective

Adjust the dependency to the virtual coreutils main package in
each app to be selective. Otherwise you need to first select the
main coreutils before the actuall apps can be selected. That has
prevented other applications from depending on just one individual
coreutils app, as they have needed to depend also on the empty main
coreutils package.

Reference to discussion in:
https://github.com/openwrt/luci/issues/7605

Signed-off-by: Hannu Nyman <[email protected]>

coreutils: Upgrade to 9.6

Upgrade GNU coreutils to version 9.6
* refresh patch

Signed-off-by: Hannu Nyman <[email protected]>

adguardhome: bump to 0.107.57

Changelog: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.57
Signed-off-by: George Sapkin <[email protected]>

adguardhome: remove unnecessary build options

Remove `node-yarn/host` because the upstream switched to npm
Remove `NODE_OPTIONS=--openssl-legacy-provider` because it's not necessary since Node.js 18.x

Link: https://github.com/AdguardTeam/AdGuardHome/commit/1afe226ce8f8af179e1eacccf4cdd63823f0c358#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R210-L211
Link: https://github.com/AdguardTeam/AdGuardHome/commit/1afe226ce8f8af179e1eacccf4cdd63823f0c358#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5L223-L230
Signed-off-by: George Sapkin <[email protected]>

snort3: update to 3.7.0.0

Changelog: https://github.com/snort3/snort3/releases/tag/3.7.0.0

Signed-off-by: John Audia <[email protected]>

netbird: update to 0.38.0

changelog: https://github.com/netbirdio/netbird/releases/tag/v0.38.0

Signed-off-by: Wesley Gimenes <[email protected]>

mc: update project URLs

Upstream is preparing the migration to a new website. As part of this, they
will be dropping the `www` prefix. Also, the package source is updated to use
mc's official OSU OSL mirror over HTTPS.

Signed-off-by: Yury V. Zaytsev <[email protected]>

bcm27xx-eeprom: update to v2025-02-12-2712

bcm2711:
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2711/release-notes.md#2024-12-07-enable-banklow-and-so-numa-by-default-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2711/release-notes.md#2024-12-07-enable-banklow-and-so-numa-by-default-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2711/release-notes.md#2025-02-11-recovery-walk-partitions-to-delete-recoverybin-latest

bcm2712:
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2024-11-27-rp1fw-add-fifo_state--drain_tx-fix-can_add_program-default
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2024-12-07-enable-banklow-and-so-numa-by-default-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2024-12-15-add-net-install-to-boot-menu-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2024-12-19-disable-fan-pwm-before-shutdown-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2025-01-06-stop-the-fan-after-after-fan-probe-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2025-01-07-fixup-m2-hat-detection-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2025-01-08-update-sdram-refresh-timings-for-bcm2712d0-products-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2025-01-13-improved-sdram-refresh-timings-for-pi5-16gb-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2025-01-14-add-set_reboot_order-api-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2025-01-22-add-dt-chosen-property-signed-boot-bootimg-hash-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2025-01-27-walk-the-partition-table-if-the-requested-partition-is-not-bootable-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2025-02-11-cm5-no-wifi-stability-improvements-latest
https://github.com/raspberrypi/rpi-eeprom/blob/v2025.02.12-2712/firmware-2712/release-notes.md#2025-02-12-fixup-change-to-disable-37v-pmic-output-on-cm5-no-wifi-latest

Full changelog: https://github.com/raspberrypi/rpi-eeprom/compare/v2024.11.12-2712...v2025.02.12-2712

Signed-off-by: Álvaro Fernández Rojas <[email protected]>

lxc: add two files to default backup list

Users running unprivileged containers will need to create
/etc/subgid and /etc/subuid and want to have them preserved
across updates. This commit adds them to the default backup set.

Signed-off-by: John Audia <[email protected]>
Co-authored-by: Tianling Shen <[email protected]>

lxc: lxc-checkconfig fix typo

Fix a typo introduced in https://github.com/openwrt/packages/pull/25719/commits/fd686a32209f74cd12ca434bc3245ef0f7589c46
which partially broke lxc-checkconfig

Build system: x86/64
Build-tested: bcm27xx/bcm2712
Run-tested: bcm27xx/bcm2712

Signed-off-by: John Audia <[email protected]>

owut: update to 2025.03.14

Bug fixes:
    efahl/owut@15d734237725 owut: fix incorrect log levels on list and blob commands
    efahl/owut@3867b98d0ea1 owut: fix parsing of certain APK versions

Enhancements:
    efahl/owut@52e7d44c99a3 owut: allow user to override 'package_changes'

Signed-off-by: Eric Fahlgren <[email protected]>

node: make hostpkg only

https://github.com/openwrt/packages/issues/26078
As a result of the discussion in this thread, the node.js package was changed to hostpkg only.
In addition, this fix uses the pre-built version distributed on nodejs.
The use of pre-build is based on the suggestion of @artynet.

The packages in the node module are successfully built, but the target node.js itself cannot be provided, so it cannot be used.

Yarn, which is used in packages for web front ends, etc., can be used without any problems.

Support for host builds other than linux x86_64.

Signed-off-by: Hirokazu MORIKAWA <[email protected]>

numpy: bump to version 2.2.3

Signed-off-by: Alexandru Ardelean <[email protected]>

pytz: bump to version 2025.1

Signed-off-by: Alexandru Ardelean <[email protected]>

python-evdev: bump to version 1.9.1

Signed-off-by: Alexandru Ardelean <[email protected]>

django: bump to version 5.1.7

Signed-off-by: Alexandru Ardelean <[email protected]>