git.99rst.org Git - openwrt-packages.git/log

btop: Update to 1.4.7

Refreshed patches.

Release note: https://github.com/aristocratos/btop/releases/tag/v1.4.7

Signed-off-by: Tianling Shen <redacted>

dnsproxy: Update to 0.81.3

Release note: https://github.com/AdguardTeam/dnsproxy/releases/tag/v0.81.3

Signed-off-by: Tianling Shen <redacted>

v2ray-core: Update to 5.48.0

Release note: https://github.com/v2fly/v2ray-core/releases/tag/v5.48.0

Signed-off-by: Tianling Shen <redacted>

yq: Update to 4.53.2

Release note: https://github.com/mikefarah/yq/releases/tag/v4.53.2

Signed-off-by: Tianling Shen <redacted>

dufs: Update to 0.46.0

Release note: https://github.com/sigoden/dufs/releases/tag/v0.46.0

Signed-off-by: Tianling Shen <redacted>

rclone: Update to 1.74.1

Release note: https://rclone.org/changelog/#v1-74-1-2026-05-08

Signed-off-by: Tianling Shen <redacted>

v2ray-geodata: update to latest version

Update all geodata.

Signed-off-by: Tianling Shen <redacted>

dos2unix: Update to 7.5.5

2026-04-06: Version 7.5.5

* New option --error-binary: Return an error if a
binary file is skipped.
* Fix: dos2unix error on empty input. The problem was introduced
in version 7.5.4.

Signed-off-by: Tianling Shen <redacted>

frr: update to 10.6.1

update frr to latest stable 10.6.1

Signed-off-by: Lucian CRISTIAN <redacted>

bubblewrap: update to 0.11.2

0.11.2 (CVE-2026-41163):
* In setuid mode, don't run the low-privileged parts of the setup
   as dumpable, as that allows it to be ptraced which can lead to problems.
* New build option -Dsupport_setuid, which if set to false (the default)
   disables the support for setuid.

0.11.1:
* Reset disposition of SIGCHLD, restoring normal subprocess management
   if bwrap was run from a process that was ignoring that signal.
* Don't ignore --userns 0, --userns2 0 or --pidns 0 if used.
* Fix grammar in an error message and a broken link in the documentation.

Link: https://github.com/containers/bubblewrap/blob/v0.11.2/NEWS.md
Signed-off-by: Daniel Golle <redacted>

treewide: cleanup URLs

This commit converts plain HTTP URLs to HTTPS, and updates
old or outdated URLs.

Signed-off-by: Yanase Yuki <redacted>

openwisp-monitoring: upgrade to 0.3.1

Change log:
https://github.com/openwisp/openwrt-openwisp-monitoring/releases/tag/0.3.1

Signed-off-by: Federico Capoano <redacted>

sqlite3: bump to 3.53.1

Changes: https://sqlite.org/releaselog/3_53_1.html
Signed-off-by: George Sapkin <redacted>

wifi-chipset-detect: new package

Maintainer: Rob White rob@blue-wave.net

Compile tested: All

Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, mips_24kc,
aarch64_cortex-a53; On 24.10, 25.12 and master/snapshot.

Description: wifi-chipset-detect (1.0.0)

This is a new package that reports in json format the chipset
and driver capabilities of installed wireless hardware.

Developed originally for use where Captive Portal
and Mesh Backhaul networks are being built.

It provides a stand alone script to detect details of the physical
wireless hardware without requiring the radios to be enabled.
There are no dependencies over and above the basic OpenWrt flash image.
It is based on functionality built into the OpenNDS and Mesh11sd packages.

The json formatted output is displayed on the terminal screen.
It is also written to the file /tmp/wifidetect.

This version does not require the Captive Portal
or Mesh network to be running.

Full details can be seen here:
https://github.com/openNDS/wifi-chipset-detect

Signed-off-by: Rob White <redacted>

radicale3: bump version and adjust dependencies

Bump to latest release (3.7.2) and adjust dependencies accordingly.

Signed-off-by: Daniel F. Dickinson <redacted>

radicale3: fix formatting of initscript

Use shfmt to standardize formatting of initscript.

Signed-off-by: Daniel F. Dickinson <redacted>

radicale3: clean out cspell hints

Remove unwanted cspell hints from Makefile and initscript.

Signed-off-by: Daniel F. Dickinson <redacted>

lua-ffi: update to 1.2.0

changelog: https://github.com/zhaojh329/lua-ffi/releases/tag/v1.2.0

Signed-off-by: Jianhui Zhao <redacted>

zlog: update to 1.2.18

Changelog:
- Fix CVE-2024-22857 security vulnerability

Signed-off-by: Alexandru Ardelean <redacted>

taglib: update to 2.2.1

Changelog:
- Add Matroska (MKA, MKV) and WebM format support (v2.2)
- Add NI STEM support in MP4 files (v2.2)
- Add isDsd() method to WavPack audio properties (v2.2)
- Fix duplicate prevention in Matroska complex property keys (v2.2.1)
- Add Matroska edition, chapter, and attachment UID metadata (v2.2.1)

Signed-off-by: Alexandru Ardelean <redacted>

sbc: update to 2.2

Changelog:
- Fix compilation with C23 requirements (v2.2)
- Fix build without SBC_BUILD_WITH_SSE_SUPPORT (v2.1)

Signed-off-by: Alexandru Ardelean <redacted>

openblas: update to 0.3.33

Changelog:
- Fix GCC15 miscompilation of DDOT kernel on arm64 non-SVE targets
- Fix accuracy issue in GEMV kernel for Neoverse V1/SVE targets
- Fix broken STRMM/SSYMM in DYNAMIC_ARCH builds on non-SME hardware
- Add Cortex-A75/A76 autodetection in DYNAMIC_ARCH builds
- Fix LoongArch64 build failure with half-precision float support
- Import LAPACK updates aligned with upcoming 3.13.0 release

Signed-off-by: Alexandru Ardelean <redacted>

leptonica: update to 1.87.0

Changelog:
- Released as a configure-ready version

Signed-off-by: Alexandru Ardelean <redacted>

libmaxminddb: update to 1.13.3

Changelog:
- Fix MMDB_open incorrectly rejecting databases with 0-element
map/array fields at the end of metadata (v1.13.3)
- Fix compilation conflict with bswap32/bswap64 macros on macOS 26
Tahoe (v1.13.2)
- Fix validation and edge-case handling in database open path (v1.12.x)

Signed-off-by: Alexandru Ardelean <redacted>

jsoncpp: update to 1.9.7

Changelog:
- Security: reject unescaped control characters in JSON strings
- Security: fix use-after-free in Reader::parse()
- Add std::string_view support in the Value API
- Fix string_view ABI mismatch between library and consumers

Signed-off-by: Alexandru Ardelean <redacted>

bsbf-resources: update to GIT HEAD of 2026-05-06

Update bsbf-resources to the GIT HEAD of 2026-05-06.

- Remove bsbf-route as bsbf-mptcp now includes the functionality it
  provides.
- Remove bsbf-plpmtu as that functionality is now provided with the
  plp-mtu-discovery package.
- Remove bsbf-tcp-in-udp as it's not a production-ready solution as it is.
- Add bsbf-client-web.
- Update the dependencies of bsbf-mptcp to curl, fping, ip-full, and
  mptcpize.
- Remove files/etc/config/bsbf-mptcp as that functionality is now provided
  using the /etc/bsbf/bsbf-mptcp-subflow-backup file.
- Remove files/etc/hotplug.d/iface/99-bsbf-mptcp as that functionality is
  now provided by the bsbf-mptcp service.
- Update the dependencies of bsbf-bonding to bsbf-client-web, bsbf-mptcp,
  bsbf-rate-limiting, and xray-core.
- Get rid of fw4 dependency and 99-bsbf-bonding.nft in favour of
  resources-client/bsbf_bonding.nft. Add a oneshot service to apply it at
  boot.
- Move from bsbf-openwrt-resources to bsbf-resources directory as we now
  install resources-client/xray.json and resources-client/bsbf_bonding.nft.
- Add the bsbf-bonding command.
- Run `bsbf-bonding --enable` at the end on the uci-defaults script.
- Add the tc package as a dependency for bsbf-rate-limiting.

Fixes: https://github.com/openwrt/packages/issues/29306
Signed-off-by: Chester A. Unal <redacted>

bsbf-bonding: fix checking if interface is a bridge

The current check would match a uci device section that doesn't say if the
interface is a bridge. Check that the type option is bridge to address
this.

Signed-off-by: Chester A. Unal <redacted>

https-dns-proxy: update to 2026.03.18-2

Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1

Description:
Fix nftables rule directory creation

  - Bump PKG_RELEASE to 2.

files/etc/init.d/https-dns-proxy:
  - Add 'mkdir -p' before writing nftables rules to ensure the parent
    directory exists. This fixes an issue where the directory might not
    exist on initial installation, causing errors.

tests/run_tests.sh:
  - Add comprehensive regression tests for notrack_nft.
  - Mock 'nft' to track invocations and control return codes for testing.
  - Patch 'NOTRACK_NFT_FILE' to a test-specific path for isolated testing.
  - Verify 'notrack_nft' correctly creates the parent directory if missing.
  - Test content of generated nftables snippet, idempotence, and removal.

Signed-off-by: Stan Grishin <redacted>

unbound: add test.sh

unbound-control-setup is a shell script that generates TLS certificates
for unbound-control; it does not print a version string. The generic CI
test framework cannot verify the version via the binary, causing the
"No executables in the package provided version" failure.

Add a package-specific test.sh that:
- tests unbound-daemon version via 'unbound -V' and config file presence
- tests libunbound shared library presence
- tests unbound-anchor/-checkconf/-control/-host binaries run and
respond to -h without starting the daemon
- tests unbound-control-setup as an installed, executable shell script
containing expected keywords (no version check)

Signed-off-by: Alexandru Ardelean <redacted>

alsa-lib: add test.sh for aserver without --version

aserver does not implement --version so the generic CI version check
fails for it. Add a test.sh case that verifies it is present and
executable instead.

Signed-off-by: Alexandru Ardelean <redacted>

upmpdcli: update to 1.9.17

Changes since 1.8.11:
- 1.8.16: Enhanced Tidal/Subsonic modules; improved Recoll 1.40 compatibility
- 1.8.17: Resolved Qobuz plugin incompatibilities on modern distributions
- 1.8.18: Fix many issues with the thoroughly broken Qobuz plugin
- 1.9.0: Restructured Qobuz plugin; improved search; fixed custom icon support
- 1.9.1: Subsonic and Tidal module enhancements
- 1.9.2: Resolved Qobuz login issues with OpenHome credentials service
- 1.9.5: Repaired broken Qobuz plugin; fixed gcc 15 compilation crash
- 1.9.6: Fixed media server crash with malformed proxy URLs
- 1.9.7: Fixed streaming URL handling with colon characters
- 1.9.11: Vastly improved Qobuz search; uprcl property operators and indexing
- 1.9.12: Accelerated uprcl initialization via stored Recoll data
- 1.9.13: Improved OpenHome source switching; major Subsonic plugin overhaul
- 1.9.14: Custom HTTP headers support for plugins; fixed rare proxy deadlock
- 1.9.15: Enhanced Linn Kinsky compatibility; improved radio metadata handling
- 1.9.17: Restored Qobuz connectivity via new OAuth method

Signed-off-by: Alexandru Ardelean <redacted>

mpd: update to 0.23.17

Drop 020-string-view.patch: mpd 0.23.17 uses std::string_view directly
in src/tag/GenParseName.cxx, making the patch redundant.

Changes since 0.23.16:
- Optimize the "albumart" command to send larger chunks when available
- Explicitly disallow 'idle' and 'noidle' commands in command lists
- Require libnfs 4.0 or later for NFS storage support
- Trigger inotify database update after symlink creation
- Prefer FFmpeg over sndfile and audiofile for DTS-WAV support
- Add support for libfmt 11.1

Signed-off-by: Alexandru Ardelean <redacted>

libnpupnp: update to 6.3.0

Changes since 6.2.1:
- Build without expat by default (switch to picoxml)
- Fix build errors with -Dipv6=false option (issue #142)
- Check size of POST upload data and response data against
g_maxContentLength; change default from 16k to 2MB
- Use IPv6 socket when looking for an available port with IPv6 enabled
- Fix MHD start error handling to not delete minisocket array prematurely
- Remove code assuming different v4/v6 listening ports
- Add per-subsystem debug logging control via environment variable
- SSDP code cleanups and header removal
- Fix win32 compile issue (setsockopt args)
- Avoid leaking private headers to consumers via meson build

Signed-off-by: Alexandru Ardelean <redacted>

imagemagick: update to 7.1.2-21

Security fixes (18 GHSAs addressed between 7.1.2-1 and 7.1.2-21):
- Fix stack buffer overflow in MagnifyImage (GHSA-rqq8-jh93-f4vg, high)
- Fix heap buffer overflow in WaveletDenoiseImage (GHSA-5ggv-92r5-cp4p)
- Fix uninitialized pointer dereference in JBIG decoder (GHSA-wj8w-pjxf-9g4f, high)
- Fix heap buffer over-write in PNG encoder with large profiles (GHSA-qmw5-2p58-xvrc)
- Fix heap buffer overflow in UHDR encoder (GHSA-h95r-c8c7-mrwx)
- Fix stack buffer overflow in sixel encoder (GHSA-49hx-7656-jpg3)
- Fix heap-buffer-overflow in NewXMLTree XML parsing (GHSA-gc62-2v5p-qpmp)
- Fix heap buffer over-write on 32-bit systems in SFW decoder (GHSA-56jp-jfqg-f8f4)
- Add overflow checks to BMP/DIB, SGI, PS3, JXL, and sixel write paths

Bug fixes:
- Fix double-free in SVG gradientTransform/transform parsing
- Fix NULL pointer dereference in HEIC NCLX color profile allocation
- Fix heap over-read in BilateralBlurImage with even-dimension kernels
- Fix infinite loop when decoding JXL with -limit height/width
- Fix race condition using properties instead of global splaytree

Signed-off-by: Alexandru Ardelean <redacted>

graphicsmagick: update to 1.3.46

Security fixes:
- Fix MSL/SVG parsers to use libxml2 SAX handlers, removing archaic
cruft with potential security issues
- Fix JP2 Jasper max_samples calculation to avoid DoS via huge images
- Apply image dimension resource limits and fix heap write overflow in JXL
- Fix WPG palette buffer allocation (SF bug #750)
- Fix ColorFloodfillImage() to error when clip-mask is present

Bug fixes:
- Fix JPEG CMYK inversion regression introduced in 1.3.43
- Re-implement PNG8 writer with correct indexed-color and binary transparency
- Re-write HEIF reader (AVIF, HEIC) based on heif_image_get_plane_readonly2(),
adding deep image support and YCbCr/monochrome output
- Fix Hull transform arithmetic overflow regression from Oct 2023
- Fix -crop percentage tiling regression
- Re-enable EXPERIMENTAL_EXIF_TAGS by default with known issues fixed
- Fix Magick++ thread safety regression since 2003 (pthreads support)

New features:
- Add support for newer Artifex urw-base35-fonts (OpenType and Type 1)
- Add ImagesResource limit to control simultaneous loaded images
- Add EXIF Version 3.0 decoding and validation
- Add preliminary MP4 coder with HEIF sequence support
- Require C99 compiler compatibility in build infrastructure

Signed-off-by: Alexandru Ardelean <redacted>

psqlodbc: remove test.sh covered by generic tests

The test only checked for .so file existence, which is already
verified by the generic tests (symlink validity + linked libraries).

Signed-off-by: Alexandru Ardelean <redacted>

scons: update to 4.10.1

Update from 4.0.1 to 4.10.1. Notable changes across releases:

- 4.10.1: switch to cProfile (profile module deprecated in Python 3.15);
  fix Literal membership tests and sequence type handling
- 4.10.0: fix MSVC initialization delays in GitHub Actions; fix variant
  directory components in CompilationDatabase; improve Ninja quoting
- 4.9.0: drop Python 3.6 support; add comprehensive type hints for Node
  classes; add clang/clang++ to default tool search order; support binary
  and octal integer constants in C preprocessor
- 4.8.0: replace black/flake8 with ruff; add MSVC_TOOLSET_VERSION,
  MSVC_SDK_VERSION, MSVC_SPECTRE_LIBS construction variables
- 4.7.0: make NewParallel scheduler the default; CacheDir writes execute
  in parallel outside taskmaster critical section; add Python 3.13 support
- 4.6.0: add Visual Studio 2026 and ARM64 host configuration support;
  enhanced type hints throughout Environment and Node classes
- 4.5.0: add ValidateOptions(); refactor Taskmaster into a package;
  migrate to Python's logging module; extend ninja tool with daemon support
- 4.4.0: add MSVC_USE_SETTINGS and multiple MSVC configuration variables;
  implement global policy settings for MSVC version handling
- 4.3.0: add SConsEnvironmentError exception; improved MSVC detection;
  Python 3.12 compatibility fixes
- 4.2.0: Performance improvements in Node processing; improved MSVC
  support for VS 2022; better parallel build handling

Signed-off-by: Alexandru Ardelean <redacted>

psqlodbc: update to 18.00.0001

Update from 17.00.0004 (2024-12-09) to 18.00.0001 (2026-03-23).
This is a major version bump to the 18.x series, aligning with
PostgreSQL 18 support. Switch from a fixed git commit to the
18.00.0001 tagged release.

Add test.sh to verify the psqlodbca and psqlodbcw shared libraries
are present after installation.

Signed-off-by: Alexandru Ardelean <redacted>

mpremote: update to 1.28.0

Update from 1.27.0 to 1.28.0, tracking the MicroPython 1.28.0 release.

Add version check to test.sh using importlib.metadata to verify the
installed package version matches the expected version string.

Signed-off-by: Alexandru Ardelean <redacted>

xfsprogs: update to 6.19.0

Update from 6.10.1 to 6.19.0. Notable changes:

- 6.19.0: fix log sunit automatic configuration in mkfs; fix data
  corruption bug in libxfs_file_write; fix various memory leaks; improve
  realtime subvolume info in xfs_io statfs
- 6.18.0: adjust nr_zones for zoned filesystems on conventional devices
  in mkfs; fix xfs_logprint pointer bugs; fix mdrestore superblock length
  check; add 2025 LTS config
- 6.16.0: atomic write enhancements for maximum atomic write limits at
  mount time; refactor log recovery infrastructure; remove experimental
  warnings from xfs_scrub
- 6.13.0: comprehensive metadata directory support in xfs_repair, xfs_db,
  and mkfs; realtime group support with new RT group structures; quota
  inodes use metadata directory infrastructure; realtime space quotas
- 6.12.0: realtime device support in xfs_db; file range commit ioctls
  with atomic write statx fields; modernize perag lookup to xarray;
  require -std=gnu11 for compilation

Add test.sh to verify xfs-mkfs and xfs-fsck report the correct version
and xfs-admin/xfs-growfs produce expected help output.

Signed-off-by: Alexandru Ardelean <redacted>

cifs-utils: update to 7.5

Update from 6.11 to 7.5. Notable changes across releases:

- 7.5: fix cifscreds command-line option parsing and ambiguous command
  matching; documentation updates for echo_interval parameter
- 7.4: retry logic for -EINPROGRESS errors during mount operations;
  improved handling for multiple IP address resolution scenarios
- 7.3: fix guest mount option handling; prevent empty password
  parameters from being passed to the SMB client
- 7.2: improve return code checking in getcifsacl; better handling of
  permission-related errors across different kernel versions
- 7.1: add upcall_target mount option for namespace resolution; enable
  credential lookups in host or application namespace (e.g., Kubernetes)
- 7.0: migrate files to /usr per DEP17 M2 standard
- 6.15: fix CVE-2022-27239 (stack buffer overflow in ip= argument
  parsing) and CVE-2022-29869 (info leak in verbose logging)

Add libtalloc dependency to cifsmount

Add test.sh to verify mount.cifs and smbinfo report the correct version.

Signed-off-by: Alexandru Ardelean <redacted>

ocserv: bump to v1.4.1

* Version 1.4.1 (released 2026-02-28)
- [SECURITY] Fixed authentication bypass (medium severity) when using
  certificate authentication with cert-user-oid set to SAN(rfc822name):
  a client presenting a valid CA-signed certificate without the expected
  RFC822 SAN field could authenticate using password credentials alone,
  bypassing the intended certificate-to-username binding. Requires the
  attacker to possess both a valid CA-signed certificate and valid user
  credentials (694)
- The bundled inih was updated to r62.
- The bundled protobuf-c was updated to 1.5.2.
- Fixed a bug where session timeout could be bypassed by reconnecting
  (e.g., closing/opening laptop lid) (599)
- occtl: 'show user' command now includes a 'Session started at:' field,
  indicating when the VPN session was established
- occtl: Fix column misalignment in ban command outputs
- occtl: Fix 'show ip bans' may produce invalid JSON (683)
- Handle dotted client hostnames (e.g., .local) by stripping the domain suffix
- Renamed `min-reauth-time` configuration option to `ban-time` to better reflect
  its purpose (676). This option defines the duration (in seconds) for which
  an IP address is banned after exceeding the maximum allowed `max-ban-score`.
  Default is 300 seconds (5 minutes).
- Fixed ocserv-worker process title
- Fixed ignored udp-port in vhost (612)

* Version 1.4.0 (released 2026-01-04)
- The bundled llhtp was updated to 9.3.0.
- The bundled protobuf-c was updated to 1.5.1.
- Fixed issues with PAM authentication when combined with pam_sssd (618)
- Enhanced the seccomp filters to address issue in testing (627)
- Fixed "unexpected URL" errors for Cisco AnyConnect clients
- Fixed the 'ping-leases' option, which was broken since version 1.1.1
- Fixed maximum MTU tracking in server statistics
- Fixed 'iroute' option processing to handle multiple routes (625)
- Fixed session accounting for roaming users (674)
- occtl: fix invalid JSON output in `occtl -j show iroutes` (661)
- occtl: fix regression with trailing commas in `occtl -j show sessions` (669)
- occtl: fix missing column headers in 'show ip bans' output (677)
- occtl: 'show ip bans' no longer shows expired bans (675)
- Fixed DTLS not working with systemd socket activation (647)
- Fixed a bug in the ban timer logic that could prevent IP addresses
  from being banned or cause premature unbans (678)
- Session statistics are now reported at consistent intervals
  for RADIUS compatibility (630)
- Single form to enter username and password (551)

Signed-off-by: Paul Donald <redacted>

afalg_engine: remove

Because AI bots are shredding through the AF_ALG code in the kernel,
upstream has decided to deprecate AF_ALG:

https://lore.kernel.org/all/20260430011544.31823-1-ebiggers@kernel.org/

Follow their lead and do the same here.

afalg_engine AFAIK is a faster version of what OpenSSL provides last
time I used it. Although I don't think it was useful for long. OpenSSH's
sandbox conflicts with AF_ALG.

Signed-off-by: Rosen Penev <redacted>

prosody: fix build, bump to to 0.12.6 and add test.sh

mod_s2s was refactored into a single mod_s2s.lua in the flat modules
directory in 0.12.x; remove the obsolete subdirectory install rule that
caused the package build to fail.

Also add util/human/ and util/prosodyctl/ which are new subdirectories
in 0.12.x not covered by the previous install rules.

Force libidn instead of ICU for stringprep

prosody's configure script auto-detects stringprep backends and prefers
ICU when available, generating -DUSE_STRINGPREP_ICU and including
<unicode/usprep.h>. The OpenWrt SDK staging directory does not provide
ICU development headers, so the build fails with:

encodings.c:271:10: fatal error: unicode/usprep.h: No such file or directory

The Makefile DEPENDS already declares +libidn. Pass --with-idn=idn to
explicitly select the libidn backend, which is available in the staging
directory.

Also, pass TARGET="../util/" to MAKE_FLAGS. OpenWrt has it's own TARGET
env var which clobbers the 'TARGET' var from prosody's build (specified
as 'TARGET?=../util/')

Adding a test.sh to check for the correct version (since prosody mostly
has lua scripts).

Security release addressing multiple vulnerabilities. 0.12.6 is
likely the last release of the 0.12.x series (EOL June 2026).

Upstream advisory: https://prosody.im/security/

Signed-off-by: Alexandru Ardelean <redacted>

avahi: update to 0.9-rc4

Fixes https://github.com/openwrt/packages/issues/27952

Update avahi from 0.8 to 0.9-rc4. The 0.9 development line accumulates
four years of bug and security fixes since the 0.8 release (2020-02-18).

Notable improvements in 0.9-rc4 over 0.8:

Security (all CVEs previously backported as patches, now removed):
  - CVE-2023-38469: reject TXT records whose total rdata exceeds
    AVAHI_DNS_RDATA_MAX, preventing heap-buffer reads under crafted mDNS
  - CVE-2023-38470: ensure each DNS label is at least one byte, preventing
    an infinite loop on malformed packets
  - CVE-2023-38471: extract host name via avahi_unescape_label() before
    generating an alternative to avoid operating on a raw escaped string
  - CVE-2023-38472: check that rdata pointer is non-NULL before passing to
    avahi_rdata_parse() from dbus-entry-group
  - CVE-2023-38473: derive alternative host name from its unescaped form,
    fixing incorrect hostname collision resolution with escaped labels

Bug fixes (previously backported):
  - Fix NULL-pointer crashes in avahi_s_*_browser_new() (#175)
  - Avoid infinite loop in avahi-daemon simple-protocol by handling
    AVAHI_WATCH_HUP event in client_work
  - Fix potential undefined behaviour in avahi_dns_packet_consume_uint32:
    cast uint8_t operands to uint32_t before shifting
  - Fix memory/CPU leak in the simple event loop: cleanup_watches() was
    zeroing timeout_req_cleanup instead of watch_req_cleanup, so completed
    watches were never removed from the linked list
  - Emit D-Bus error reply when avahi-daemon cannot resolve a hostname or
    service, rather than crashing with a NULL dereference
  - Increase ini-file-parser line buffer from 256 to 1024 bytes to handle
    longer configuration values without silent truncation

Other changes:
  - P2P tunnel support: IFF_MULTICAST is no longer required for
    point-to-point interfaces when allow-point-to-point=yes
  - Runtime directory: configure.ac now derives the socket path from
    ${runstatedir} (defaults to ${localstatedir}/run), so the
    explicit patch reverting the /run hardcoding is no longer needed
  - Patch 010-pkgconfig.patch (pkgconfig prefix alignment) is retained
    as it has not been merged upstream

Dropped patches (all merged upstream):
  020-revert-runtime-dir-systemd-change.patch
  100-p2p-no-iff_multicast-required.patch
  200-Fix-NULL-pointer-crashes-from-175.patch
  201-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
  202-avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch
  203-Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
  204-Emit-error-if-requested-service-is-not-found.patch
  205-conf-file-line-lengths.patch
  300-CVE-2023-38469.patch through 304-CVE-2023-38473.patch

Library SONAMES unchanged: libavahi-common.so.3, libavahi-core.so.7,
libavahi-client.so.3 — no reverse dependency rebuilds required.

Disable libsystemd (not available on OpenWrt)
avahi 0.9-rc4 added --enable-libsystemd which defaults to enabled and
fails configure when libsystemd is not found via pkg-config.  OpenWrt
does not provide libsystemd; disable it explicitly.
Also pass --with-systemdsystemunitdir=no to suppress the pkg-config
lookup for the systemd unit directory.

Drop po/ subdir from build
The 0.9-rc4 tarball is a raw git archive; po/Makefile.in.in is not
pre-generated as it was in the 0.8 release tarball.  autopoint (from
gettext) is needed to install it, but is not available in the OpenWrt
SDK.  Since OpenWrt does not use NLS translations, remove po/ from
SUBDIRS in Makefile.am to avoid the missing po/Makefile.in.in error
during configure.

In 0.9-rc4 the D-Bus system.d directory changed from
$(sysconfdir)/dbus-1/system.d to $(datadir)/dbus-1/system.d,
so avahi-dbus.conf is now installed under usr/share/dbus-1/system.d.
Update the install rule source path accordingly; keep the on-device
destination at /etc/dbus-1/system.d for compatibility.

Signed-off-by: Alexandru Ardelean <redacted>

rsync: update to 3.4.2

Changelog: https://download.samba.org/pub/rsync/NEWS#3.4.2

Signed-off-by: John Audia <redacted>

Revert "libfastjson: add missing runtime dependency on libm"

This reverts commit d114f46db11ad1639d9b8c59489182ab9583c092.

Apparently the libm does not exist as a package, so the commit is wrong.

Signed-off-by: Hannu Nyman <redacted>

nebula: bump version to 1.10.3

changelog: https://github.com/slackhq/nebula/compare/v1.9.7...v1.10.3

Signed-off-by: Alan Feng <redacted>

ddns-scripts: fix option name in updater messages

On master, updater help and missing-option text still refer to '-N'.
Use '-S' instead so the messages match accepted script options.
Also clarify that SECTION is the UCI section name/id to start.
This is a text-only change; runtime behavior is unchanged.

Bump PKG_RELEASE to 4.

Fixes: #27737
Signed-off-by: Dharmik Parmar <redacted>

gots_engine: fix PKG_MIRROR_HASH

It was discovered by CI/CD that it is no longer valid.

Fixes:
```
2026-04-29T13:04:58.0170130Z SHELL= flock /builder/tmp/.gost_engine-3.0.3.tar.zst.flock -c '   /builder/scripts/download.pl "/builder/dl" "gost_engine-3.0.3.tar.zst" "ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88" "" || (  /builder/scripts/dl_github_archive.py --dl-dir="/builder/dl" --url="https://github.com/gost-engine/engine" --version="v3.0.3" --subdir="gost_engine-3.0.3" --source="gost_engine-3.0.3.tar.zst" --hash="ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88" --submodules  || ( echo "Checking out files from the git repository..."; mkdir -p /builder/tmp/dl && cd /builder/tmp/dl && rm -rf gost_engine-3.0.3 && [ \! -d gost_engine-3.0.3 ] && git clone  https://github.com/gost-engine/engine gost_engine-3.0.3 && (cd gost_engine-3.0.3 && git checkout v3.0.3) && export TAR_TIMESTAMP=`cd gost_engine-3.0.3 && git log -1 --no-show-signature --format='\''@%ct'\''` && echo "Generating formal git archive (apply .gitattributes rules)" && (cd gost_engine-3.0.3 && git config core.abbrev 8 && git archive --format=tar HEAD --output=../gost_engine-3.0.3.tar.git) &&  tar --numeric-owner --owner=0 --group=0 --ignore-failed-read -C gost_engine-3.0.3 -f gost_engine-3.0.3.tar.git -r .git .gitmodules 2>/dev/null  && rm -rf gost_engine-3.0.3 && mkdir gost_engine-3.0.3 && tar -C gost_engine-3.0.3 -xf gost_engine-3.0.3.tar.git && (cd gost_engine-3.0.3 && git submodule update --init --recursive --  && rm -rf .git .gitmodules) && echo "Packing checkout..." && tar --numeric-owner --owner=0 --group=0 --mode=a-s --sort=name ${TAR_TIMESTAMP:+--mtime="$TAR_TIMESTAMP"} -c gost_engine-3.0.3 | zstd -T0 --ultra -20 -c > /builder/tmp/dl/gost_engine-3.0.3.tar.zst && mv /builder/tmp/dl/gost_engine-3.0.3.tar.zst /builder/dl/ && rm -rf gost_engine-3.0.3; );  )  && ( file_hash="$(/builder/staging_dir/host/bin/mkhash sha256 "/builder/dl/gost_engine-3.0.3.tar.zst")"; [ "$file_hash" = "ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88" ] || [ "ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88" = "skip" ] || { echo "Hash mismatch for file gost_engine-3.0.3.tar.zst: expected ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88, got $file_hash"; false; }; )    '
2026-04-29T13:04:58.0559677Z + curl -f --connect-timeout 5 --retry 3 --location https://sources.cdn.openwrt.org/gost_engine-3.0.3.tar.zst
2026-04-29T13:04:58.0616240Z   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
2026-04-29T13:04:58.0616964Z                                  Dload  Upload   Total   Spent    Left  Speed
2026-04-29T13:04:58.0617618Z
2026-04-29T13:04:58.1364520Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2026-04-29T13:04:58.1365467Z 100  977k  100  977k    0     0  12.8M      0 --:--:-- --:--:-- --:--:-- 12.8M
2026-04-29T13:04:58.1453386Z Hash of the downloaded file does not match (file: b3a6701cd97e4db4f3e0f4b356c991075c6157dd3941d34851c8f36baa1d2721, requested: ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88) - deleting download.
```

Signed-off-by: Josef Schlehofer <redacted>

mpd: enabled dsd for mpd-full variant

Fixes: #29281
Signed-off-by: Yehor Popovych <redacted>

openvpn: disable wolfssl support

WolfSSL support for OpenVPN is currently broken:
https://github.com/wolfSSL/wolfssl/pull/10309

Until a fix is available, disable WolfSSL as variant.
Support can be re-enabled when WolfSSL is updated.

Signed-off-by: Sander van Deijck <redacted>

openvpn: update to 2.7.4

Update the OpenVPN package to 2.7.4

For changes, see:
https://github.com/OpenVPN/openvpn/blob/v2.7.4/Changes.rst

Signed-off-by: Sander van Deijck <redacted>

alsa-ucm-conf: update to 1.2.15.3

Changelog:
- Add UCM profiles for DualSense PS5 controller and multiple Qualcomm
platforms
- Improve USB audio device handling and HDA initialization patterns
- Enhance phantom jack detection and optional headphone output handling
- Add support for Steinberg audio devices and new MediaTek SoC configs

Signed-off-by: Alexandru Ardelean <redacted>

libssh: update to 0.12.0

Changelog:
- Add quantum-resistant hybrid key exchange (sntrup761x25519, mlkem
variants)
- Add FIDO/U2F key support with libfido2 integration
- Add host-bound public key authentication and GSSAPI key exchange
- Add sshsig signing support (e.g. for git commit signing)
- Fix SFTP reliability when status messages lack error data
- Security fixes: path traversal in SCP and buffer management issues

Signed-off-by: Alexandru Ardelean <redacted>

json-glib: update to 1.10.8

Changelog:
- Add strict JSON parsing mode (JsonParser:strict property)
- Add JsonGenerator.take_root() for improved generator handling
- Support parsing of files larger than 4 GB
- Add single-quoted strings support in non-strict mode (v1.10.6)
- Fix malformed Unicode error handling and parser conformance

Signed-off-by: Alexandru Ardelean <redacted>

libidn2: update to 2.3.8

Changelog:
- Update to Unicode 15.1.0 standard with U+19DA marked DISALLOWED
- Switch from gnulib submodule to GNULIB_REVISION for build management
- Fix uninitialized memory and compiler warnings
- Improve reproducibility and cross-platform build compatibility

Signed-off-by: Alexandru Ardelean <redacted>

libidn: update to 1.43

Changelog:
- Fix uninitialized value bug in idna_to_unicode_4z4z on malloc failure
- Restore Unicode table generation scripts for modern Perl compatibility
- Fix Windows/musl compatibility for version checking
- Achieve reproducible builds across tested platforms

Signed-off-by: Alexandru Ardelean <redacted>

ngtcp2: update to 1.22.1

Changelog:
- Add Generic Segmentation Offload (GSO) packet aggregation via
ngtcp2_conn_write_aggregate_pkt
- Fix CVE-2026-40170 (v1.22.1)
- Refine BBR congestion control and header protection cipher
- Improve error handling across the codebase

Signed-off-by: Alexandru Ardelean <redacted>

nghttp3: update to 1.15.0

Changelog:
- Client-side stream scheduling is now incremental by default
- Add nghttp3_recv_settings2 API
- Add glitch protection and time-based features (v1.12.0)
- Optimize QPACK Huffman decoding performance
- Fix ENABLE_CONNECT_PROTOCOL handling

Signed-off-by: Alexandru Ardelean <redacted>

banip: update 1.8.8-2

- optimized pidfile handling in the init file
- small cornercase fixes & improvements
- drop deprecated 'drop' feed (replaced by 'spamhaus' json feed with the same content)
- LuCI: expose the new JSON Lines Format in the feed editor
- readme update

Signed-off-by: Dirk Brenken <redacted>

lua-openssl: fix Lua detection with CMake 4.3

FindLuaJIT.cmake uses NO_DEFAULT_PATH and only searches hardcoded
luajit-specific paths, so it never finds regular Lua. However if
LUAJIT_INCLUDE_DIRS and LUAJIT_LIBRARY are pre-set in the CMake
cache, find_path/find_library skip their searches, the module sets
LUAJIT_FOUND=ON and also sets LUA_INCLUDE_DIR/LUA_LIBRARIES from
those values, and the if(NOT LUAJIT_FOUND) guard skips the broken
find_package(Lua REQUIRED) call that fails under CMake 4.3.

Signed-off-by: Alexandru Ardelean <redacted>

ci: mark and close PRs with formality issues

Add a recurring workflow that runs every day at 5:30 and marks all PRs
that have formality check failures (i.e. marked as 'not following
guidelines') that have not been active in the past 14 days as stale.
Close stale PRs after 14 more days.

Signed-off-by: George Sapkin <redacted>

adblock: update 4.5.5-2

- optimized pidfile handling in the init file
- multiple allowlist tweaks
- various small cornercase fixes & improvements
- LuCI: expose new UCI options 'adb_fetchcmd' and 'adb_fetchretry'
- readme update

Signed-off-by: Dirk Brenken <redacted>

boost: build libquadmath only on some archs

libquadmath is only packaged for x86 and powerpc targets in OpenWrt.
Declaring it as an unconditional runtime dependency of boost-charconv
causes apk installation failure on all other architectures (e.g.
i386, arm, mips) with "libquadmath (no such package)".

Guard the dependency with an ARCH filter so it is only pulled in on
platforms where the package actually exists.

Signed-off-by: Alexandru Ardelean <redacted>
boost: add x86 to libquadmath arch conditional in boost-charconv

libquadmath is available on x86 (i386) in addition to x86_64 and
powerpc variants. Include it in the filter so boost-charconv gets
the correct dependency on 32-bit x86 targets.

Signed-off-by: Alexandru Ardelean <redacted>

openzwave: add test.sh

MinOZW does not implement any --version flag, so skip the generic
version check. Just verify the binary is present and executable.

Signed-off-by: Alexandru Ardelean <redacted>

domoticz: fix build and add test.sh

boost::asio::post() without an explicit executor fails to compile with
Boost >= 1.82 due to changes in the executor model: bare lambdas no
longer have an implicit system executor that satisfies the
blocking.never requirement.

Pass io_context_ explicitly as the first argument so the handler is
dispatched on the correct io_context thread, which is the original
intent of the call (making stop() safe to call from any thread).

Add test.sh
domoticz is a daemon requiring a database and network port; it does not
implement a --version flag. Verify the binary is present and executable.

Disable LTO to fix link failure on i386 with musl fortify
Suggested via https://github.com/openwrt/packages/pull/29239
Also tested.

Signed-off-by: Alexandru Ardelean <redacted>

libre2: update to 2025-11-05

Bump to latest upstream snapshot (2025-11-05). re2 uses date-based
versioning from git. This brings roughly two years of upstream
improvements including performance optimisations, bug fixes, and
C++17/20 compatibility improvements.

Reference:
https://github.com/google/re2/releases/tag/2025-11-05

Signed-off-by: Alexandru Ardelean <redacted>

Revert "adguardhome: added ujail dependency"

This commit was merged into the master branch by accident
and should be undone. Adding ujail as a hardcoded dependency
is incorrect, as ujail is meant to be an optional dependency.

A better approach is to implement ujail support within
the init script, which was discussed in the pull request
(https://github.com/openwrt/packages/pull/29277),
consistent with how other packages in the repository handle this.

Therefore, reverting for now.

This reverts commit e6b5141c7ea68f85b47abfd4904e0262782d43e3.

Signed-off-by: Josef Schlehofer <redacted>

libgpiod: add python-setuptools host build dep

If python3-gpiod is enabled and the python-setuptools host package is
missing, the setuptools.build_meta import will cause a build failure.
Fix this by adding a conditional build dependency.

Signed-off-by: Ernestas Kulik <redacted>

libgpiod: make Python bindings optional

The python3-light dependency gets lugged even with the package disabled,
so this commit makes python3-light a conditional dependency, similar to
gensio in 0c245fda70d580737ee30cc39d42bcca6ddd7f3e.

Signed-off-by: Ernestas Kulik <redacted>

mosquitto: fix installing libraries

Use cp instead of install when installing libraries to not follow
symlinks and create duplicate files.

Fixes: aa89f847 ("mosquitto: update to 2.0.18")
Signed-off-by: George Sapkin <redacted>

sed: update to v4.10

update to version v4.10, disable building gnulib-tests to avoid
compilation errors.

Add --disable-xattr to CONFIGURE_ARGS to avoid linking an unneeded
dependency.

Changes in sed since v4.9, from NEWS:

** Bug fixes

  sed 's/a/b/g' (and other global substitutions) now works on input
  lines longer than 2GB. Previously, matches beyond the 2^31 byte offset
  would evoke a "panic" (exit 4).
  [bug present since the beginning]

  'sed --follow-symlinks -i' no longer has a TOCTOU race that could let
  an attacker swap a symlink between resolution and open, causing sed to
  read attacker-chosen content and write it to the original target.
  [bug introduced in sed 4.1e]

  sed no longer falsely matches when back-references are combined with
  optional groups (.?) and the $ anchor.  For example, this no longer
  falsely matches the empty string at beginning of line:
    $ echo ab | sed -E 's/^(.?)(.?).?\2\1$/X/'
    Xab
  [bug present since "the beginning"]

  In --posix mode, sed no longer mishandles backslash escapes (\n,
  \t, \a, etc.) after a named character class like [[:alpha:]].
  For example, 's/^A\n[[:alpha:]]\n*/XXX/' would fail to match the
  trailing newline, treating \n as a literal backslash and an 'n'
  rather than a newline.  This happened when an earlier backslash
  escape in the same regex had already been converted, shifting the
  in-place normalization buffer.
  [bug introduced in sed 4.9]

  sed --debug no longer crashes when a label (":") command is compiled
  before the --debug option is processed, e.g., sed -f<(...) --debug.
  [bug introduced in sed 4.7 with --debug]

  sed no longer rejects the documented GNU extension 'a**' (equivalent
  to 'a*') in Basic Regular Expression (BRE) mode.  Previously, this
  worked only with -E (ERE mode), even though grep has always accepted
  it in BRE mode.
  [bug present since "the beginning"]

  sed no longer rejects "\c[" in regular expressions
  [bug present since the beginning]

  'sed --follow-symlinks -i' no longer mishandles an operand that is a
  short symbolic link to a long symbolic link to a file.
  [bug introduced in sed 4.9]

  Fix some some longstanding but unlikely integer overflows.
  Internally, 'sed' now more often prefers signed integer arithmetic,
  which can be checked automatically via 'gcc -fsanitize=undefined'.

** Changes in behavior

  In the default C locale, diagnostics now quote 'like this' (with
  apostrophes) instead of `like this' (with a grave accent and an
  apostrophe).  This tracks the GNU coding standards.

  'sed --posix' now warns about uses of backslashes in the 's' command
  that are handled by GNU sed but are not portable to other
  implementations.

** Build-related

  builds no longer fail on platforms without the <getopt.h> header or
  getopt_long function.
  [bug introduced in sed 4.9]

Signed-off-by: Russell Senior <redacted>

libfastjson: add missing runtime dependency on libm

libfastjson uses modf() from libm but does not declare the dependency.
With BIND_NOW (CONFIG_PKG_RELRO_FULL), this can cause the dynamic linker
to process libfastjson's relocations before libm's GOT is set up,
triggering a crash in libm's IFUNC resolver on PowerPC.

Fixes: https://github.com/openwrt/packages/issues/29160
Signed-off-by: micpf <redacted>

https-dns-proxy: update to 2026.03.18-1

Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1

Description:
update to 2026.03.18, improve nftables rules

  - Update PKG_VERSION to 2026.03.18.
  - Set PKG_RELEASE to 1.
  - Update PKG_SOURCE_VERSION to 801881210ba8215dc9cd577222d8c10372423360.
  - Update PKG_MIRROR_HASH to 4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce.

files/etc/init.d/https-dns-proxy:
  - Wrap the notrack chain in its own `inet https_dns_proxy_notrack`
    table. A top-level `chain` outside any table is invalid nftables
    syntax and is rejected on kernel 6.18+, breaking firewall load.
    Fixes mossdef-org/https-dns-proxy#7.
  - Syntax-check the generated snippet with `nft -c -f` after write
    and report OK/FAIL on the start path.
  - On remove, explicitly `nft delete table` in addition to removing
    the snippet file, so the live ruleset is cleaned up immediately
    rather than waiting for the next fw4 reload.

Signed-off-by: Stan Grishin <redacted>

adguardhome: added ujail dependency

In order to create a proper jail, we net the procd-ujail package.
Otherwise, AdGuardHome will run as unprivileged process,
and will not be able to listen on ports below 1024.

Signed-off-by: Alexander Krause <redacted>

zstd: add test.sh for script wrappers without --version

zstdgrep and zstdless are shell script wrappers that do not output a
version string, so the generic CI version check fails for them. Add a
test.sh case that verifies they are present and executable instead.

Signed-off-by: Alexandru Ardelean <redacted>

dbus: add test.sh for binaries without --version

dbus-utils utilities do not implement --version so the generic CI
version check fails for them. Add a test.sh case that verifies the
binaries are present and executable instead.

dbus-utils: dbus-monitor, dbus-send, dbus-test-tool
Signed-off-by: Alexandru Ardelean <redacted>

bluez: add test.sh for binaries without --version

Several bluez utilities do not implement --version so the generic CI
version check fails for them. Add test.sh cases that verify the
binaries are present and executable instead.

bluez-daemon: obexd
bluez-utils: bdaddr, ciptool, hciattach, hciconfig, l2ping, l2test, rctest
bluez-utils-extra: gatttool
Signed-off-by: Alexandru Ardelean <redacted>

semodule-utils: update to 3.10

Changes in 3.10:
- general bug fixes from libsepol (bounds statements in optional
blocks, type attribute handling in role-types rule, NULL dereference
and use-after-free fixes)
- treewide: add .clang-format configuration file

Signed-off-by: Alexandru Ardelean <redacted>

selinux-python: update to 3.10

Changes in 3.10:
- python/sepolicy: add support for DNF5
- sandbox/seunshare: replace system() with execv() to prevent shell
injection vulnerability
- seunshare: always use translations when printing
- setfiles: add -A option to disable SELINUX_RESTORECON_ADD_ASSOC

Signed-off-by: Alexandru Ardelean <redacted>

python-semanage: update to 3.10

Changes in 3.10:
- improve semanage man pages: add examples for -r RANGE flag usage
- semanage: reset active value when deleting boolean customizations
- various libsemanage/libsepol bug fixes and security hardening

Signed-off-by: Alexandru Ardelean <redacted>

python-selinux: update to 3.10

Changes in 3.10:
- fix parsing of the enforcing kernel cmdline parameter
- build python module without isolation (Makefile fix)
- treewide: add .clang-format configuration file
- various libsepol bug fixes (NULL deref, use-after-free, MLS range
validation, functionfs_seclabel policycap, bpf_token_perms polcap)

Signed-off-by: Alexandru Ardelean <redacted>

ci: relax subject and line length checks

Relax subject length checks to 60/80 and line length to 100 to match the
actions repo.

Link: https://github.com/openwrt/actions-shared-workflows/pull/95
Signed-off-by: George Sapkin <redacted>

glib2: split package into separate libraries

Existing package contains five libraries, some of which are > 1MB. Allow
packages which depend on only some of them to only pull in the ones they
need by splitting this package into finer-grained packages. Transition
can be done piecemeal as depending on glib2 will still pull in all the
libraries.

The original split commit (6bb0d6bd2) had a typo: the glib2 meta-package
used 'DEPENDS:+glib2-gthread +glib2-gio' (missing '='), which caused
the meta-package to have no effective dependencies. This meant packages
declaring '+glib2' did not get the sub-packages installed, causing APK
dependency checks to fail for all glib2 libraries across ~60 packages.

This re-applies the split with 'DEPENDS:=+glib2-gthread +glib2-gio'
(correct assignment syntax), so the meta-package properly pulls in all
sub-packages for consumers that still declare '+glib2'.

Signed-off-by: Alexandru Ardelean <redacted>
Signed-off-by: Alexandru Ardelean <redacted>

attr: add test.sh to handle version check

The generic CI test fails for /usr/bin/attr because that binary does
not implement --version. getfattr and setfattr do, so test those for
the version string and only verify attr is present and executable.

Signed-off-by: Alexandru Ardelean <redacted>

lua-openssl: fix CMake Lua detection in build

The CMakeLists.txt first tries FindLuaJIT.cmake which uses
NO_DEFAULT_PATH with hardcoded host paths, so it always fails in
cross-compilation. The fallback find_package(Lua REQUIRED) may also
fail to find a flat sysroot layout where lua.h lives at
/usr/include/lua.h rather than a versioned subdirectory.

Explicitly pass LUA_INCLUDE_DIR and LUA_LIBRARY to CMake to bypass
both finders, and depend on +liblua (the library package) instead of
+lua to ensure Build/InstallDev runs and Lua headers are present in
the staging directory before this package builds.

Signed-off-by: Alexandru Ardelean <redacted>

banip: release 1.8.8-1

- introduced a shared named nft limit (loglimit) referenced by
  all log rules instead of per-rule limits, aligning with kernel printk rate limits
- added new 'ban_logratelimit' and 'ban_logburstlimit' UCI options for tuning
   the shared log limit; setting ban_logratelimit=0 disables nft-side rate limiting
   entirely (useful for ulogd or other userspace log handlers that bypass printk)
- LuCI: made the new UCI option available (Log Settings)
- readme update

Signed-off-by: Dirk Brenken <redacted>

unzip: refresh patches

Fixes:
```
2026-04-28T14:55:09.6675796Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0001-fix-heap-based-buffer-overflow-in-the-CRC32-verifica.patch' -> '/feed/utils/unzip/patches/0001-fix-heap-based-buffer-overflow-in-the-CRC32-verifica.patch'
2026-04-28T14:55:09.6707616Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0002-fix-heap-based-buffer-overflow-in-the-test_compr_eb-.patch' -> '/feed/utils/unzip/patches/0002-fix-heap-based-buffer-overflow-in-the-test_compr_eb-.patch'
2026-04-28T14:55:09.6739766Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0003-fix-heap-based-buffer-overflow-in-the-getZip64Data-f.patch' -> '/feed/utils/unzip/patches/0003-fix-heap-based-buffer-overflow-in-the-getZip64Data-f.patch'
2026-04-28T14:55:09.6770773Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0004-fix-out-of-bounds-read-or-write-and-crash.patch' -> '/feed/utils/unzip/patches/0004-fix-out-of-bounds-read-or-write-and-crash.patch'
2026-04-28T14:55:09.6802381Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0005-fix-heap-based-buffer-over-read-and-application-cras.patch' -> '/feed/utils/unzip/patches/0005-fix-heap-based-buffer-over-read-and-application-cras.patch'
2026-04-28T14:55:09.6832719Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0006-fix-infinite-loop-because-of-an-empty-bzip2-data.patch' -> '/feed/utils/unzip/patches/0006-fix-infinite-loop-because-of-an-empty-bzip2-data.patch'
2026-04-28T14:55:09.6863943Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0007-fix-error-to-prevent-unsigned-overflow.patch' -> '/feed/utils/unzip/patches/0007-fix-error-to-prevent-unsigned-overflow.patch'
2026-04-28T14:55:09.6895530Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0008-fix-buffer-overflow-in-the-list_files-function.patch' -> '/feed/utils/unzip/patches/0008-fix-buffer-overflow-in-the-list_files-function.patch'
2026-04-28T14:55:09.6926806Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0009-fix-buffer-overflow-in-the-zi_short-function.patch' -> '/feed/utils/unzip/patches/0009-fix-buffer-overflow-in-the-zi_short-function.patch'
2026-04-28T14:55:09.6958683Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0010-unix.c-Remove-build-date.patch' -> '/feed/utils/unzip/patches/0010-unix.c-Remove-build-date.patch'
2026-04-28T14:55:09.6990350Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0011-fix-heap-based-buffer-overflow-in-the-password-prote.patch' -> '/feed/utils/unzip/patches/0011-fix-heap-based-buffer-overflow-in-the-password-prote.patch'
2026-04-28T14:55:09.7023549Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/012-fix-gcc15-build.patch' -> '/feed/utils/unzip/patches/012-fix-gcc15-build.patch'
2026-04-28T14:55:09.7047649Z make[2]: Leaving directory '/feed/utils/unzip'
2026-04-28T14:55:09.7051724Z time: package/feeds/packages_ci/unzip/refresh#1.41#1.81#2.76
2026-04-28T14:55:09.7059428Z make[1]: Leaving directory '/builder'
2026-04-28T14:55:09.7071281Z ##[endgroup]
2026-04-28T14:55:09.7104892Z Dirty patches detected, please refresh and review the diff
```

Fixes: f9e7e2db94a768d24201df27c4b619e724f95536 ("unzip: add valid patche headers and missing CVE informations")
Signed-off-by: Josef Schlehofer <redacted>

coredns: fix netlink compat for wgsd plugin

wgsd (WireGuard Service Discovery plugin) pulls in
golang.zx2c4.com/wireguard/wgctrl -> mdlayher/genetlink v1.2.0 ->
mdlayher/netlink v1.6.2. This version of netlink calls
mdlayher/socket's Sendmsg/Recvmsg with the old API signatures
(pre-context.Context, single-return-value Sendmsg), but coredns
itself requires mdlayher/socket v0.5.1 which changed these
signatures to include context.Context and return (int, error).

Add a go get step that upgrades netlink to v1.7.2 after the wgsd
plugin dependencies are pulled in, ensuring the build uses a
netlink version compatible with socket v0.5.x.

Should fix:
https://downloads.openwrt.org/snapshots/faillogs/i386_pentium-mmx/packages/coredns/compile.txt

```
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:9: too many return values
have (int, error)
want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:35: not enough arguments in call to c.s.Sendmsg
have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:9: too many return values
have (int, error)
want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:33: not enough arguments in call to c.s.Sendmsg
have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:127:42: not enough arguments in call to c.s.Recvmsg
have ([]byte, nil, number)
want (context.Context, []byte, []byte, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:142:41: not enough arguments in call to c.s.Recvmsg
have ([]byte, nil, number)
want (context.Context, []byte, []byte, int)
github.com/aws/aws-sdk-go-v2/aws/protocol/query
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
github.com/aws/smithy-go/private/requestcompression
```

Signed-off-by: Alexandru Ardelean <redacted>

syslog-ng: update to version 4.11.0

Release notes:
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.11.0

Signed-off-by: Josef Schlehofer <redacted>

python3-ubus: update to 0.1.3

Bump to version 0.1.3 and drop patch, which is in upstream.

Signed-off-by: Erik Larsson <redacted>

prosody: fix PKG_HASH for 0.12.4

The prosody.im upstream updated the 0.12.4 tarball in-place, changing
its content without bumping the version. Update PKG_HASH to match the
currently published tarball.

Fixes: f4d305b73 ("prosody: update to 0.12.4")
Signed-off-by: Alexandru Ardelean <redacted>

banip: release 1.8.7-1

- fix log rate limit and drop throttling (#29255, #27990)
- serialize dedup writes via flock in f_down
- tighten RDAP CIDR validation and lock handling in f_monitor
- fix IPv6 prefix regex in f_search, simplify sed pattern in f_report
- readme update

Signed-off-by: Dirk Brenken <redacted>
Co-authored-by: Copilot <redacted>
Signed-off-by: Dirk Brenken <redacted>

mdio-netlink: update to Git HEAD (2026-04-14)

Signed-off-by: Robert Marko <redacted>

snort3: update to 3.12.2.0

Changelog: https://github.com/snort3/snort3/releases/tag/3.12.2.0

Signed-off-by: John Audia <redacted>

zoneinfo: updated to 2026b release

Updated package version and file hashes.

Signed-off-by: Vladimir Ulrich <redacted>

keepalived: bump PKG_RELEASE to 3

Bump PKG_RELEASE from 2 to 3.

Signed-off-by: Rishabh <redacted>

keepalived: update config for option track_script

Update config for option track_script in vrrp_instance to use vrrp_script
instead of track_script

Signed-off-by: Rishabh <redacted>

keepalived: remove config section track_script

Remove config section for track_script from keepalived.config
as it is not supported.

Signed-off-by: Rishabh <redacted>