George Sapkin [Sun, 10 May 2026 12:07:26 +0000 (15:07 +0300)]
python-semantic-version: add target package
Remove host-only build.
Signed-off-by: George Sapkin <redacted>
George Sapkin [Mon, 11 May 2026 22:51:00 +0000 (01:51 +0300)]
python-marshmallow: add new package
A lightweight library for converting complex datatypes to and from native
Python datatypes.
Signed-off-by: George Sapkin <redacted>
George Sapkin [Tue, 12 May 2026 00:07:44 +0000 (03:07 +0300)]
python-h11: add host package
Add host package necessary for python-uvicorn/host.
Signed-off-by: George Sapkin <redacted>
George Sapkin [Tue, 12 May 2026 00:08:51 +0000 (03:08 +0300)]
python3-bottle: add host package
Add host package necessary for python-platformio/host.
Signed-off-by: George Sapkin <redacted>
George Sapkin [Mon, 11 May 2026 22:49:38 +0000 (01:49 +0300)]
python-anyio: add new package
High-level concurrency and networking framework on top of asyncio or Trio.
Signed-off-by: George Sapkin <redacted>
George Sapkin [Fri, 8 May 2026 18:38:22 +0000 (21:38 +0300)]
python-ajsonrpc: add new package
Lightweight JSON-RPC 2.0 protocol implementation and asynchronous server
powered by asyncio. This library is a successor of json-rpc and written
by the same team.
Signed-off-by: George Sapkin <redacted>
Chester A. Unal [Mon, 11 May 2026 20:17:29 +0000 (21:17 +0100)]
bsbf-resources: update to GIT HEAD of 2026-05-11
Update bsbf-resources to the GIT HEAD of 2026-05-11.
- Do not add more than 8 WANs with files/etc/uci-defaults/99-bsbf-bonding.
- resources-client/bsbf_bonding.nft now destroys the bsbf_bonding table
before adding it. Therefore, no need to delete the table anymore. And use
the destroy command to successfully exit even when the table doesn't exist.
Signed-off-by: Chester A. Unal <redacted>
Chester A. Unal [Mon, 11 May 2026 19:10:48 +0000 (20:10 +0100)]
bsbf-openwrt-resources: add network to firewall wan zone
Add the network entries that bsbf-autoconf-cellular and bsbf-autoconf-dhcp
create, to the firewall wan zone.
Signed-off-by: Chester A. Unal <redacted>
Wei-Ting Yang [Fri, 8 May 2026 00:57:52 +0000 (08:57 +0800)]
coreutils: update to 9.11
Release notes:
https://lists.gnu.org/archive/html/coreutils-announce/2026-02/msg00000.html
https://lists.gnu.org/archive/html/coreutils-announce/2026-04/msg00000.html
- Add --enable-install-program=kill,uptime
since 9.10 these programs are no longer built by default.
- Drop upstream backported patch and refresh remaining patches.
Signed-off-by: Wei-Ting Yang <redacted>
Dirk Brenken [Mon, 11 May 2026 19:21:18 +0000 (21:21 +0200)]
adblock: update 4.5.5-3
- added 4 missing hagezi categories
- added 2 missing ipfire dbl categories
- fixed 2 stevenblack categories
- minor code improvements and fixes
Signed-off-by: Dirk Brenken <redacted>
Alexandru Ardelean [Sun, 10 May 2026 09:05:38 +0000 (12:05 +0300)]
jsoncpp: build with C++17 to enable string_view API
jsoncpp 1.9.7 added std::string_view overloads for Value::get() and
Value::operator[], but these are only compiled when C++17 is active.
Building with the default C++11 standard leaves those symbols out of
the library, causing link failures for consumers that include the
headers with C++17 enabled (e.g. upmpdcli 1.9.17, domoticz 2025.2).
Add -Dcpp_std=c++17 to the meson args so the string_view API is
available in the installed library.
Signed-off-by: Alexandru Ardelean <redacted>
Russell Senior [Sun, 10 May 2026 15:36:55 +0000 (08:36 -0700)]
scons: recent update failed to update a patch
The recent commit 048a5088c515f737fecfd797807c9dfa6302fc0f updated
scons to 4.10.1, but neglected to correct a version related path in
a patch. This fixes that oversight, so that scons hostpkg builds
again. Also, fix up fuzz in the patches.
Signed-off-by: Russell Senior <redacted>
Carlos Miguel Ferreira [Sat, 9 May 2026 02:19:31 +0000 (03:19 +0100)]
boost: updates package to version 1.91.0
This commit updates boost to version 1.91.0
New libraries in this release:
* Decimal [2]: An implementation of IEEE754 Decimal Floating Point Numbers,
from Matt Borland and Christopher Kormanyos.
More info about Boost 1.91.0 can be found at the usual place [1].
[1]: https://www.boost.org/users/history/version_1_91_0.html
[2]: https://www.boost.org/libs/decimal
Signed-off-by: Carlos Miguel Ferreira <redacted>
Alexandru Ardelean [Sun, 10 May 2026 10:23:36 +0000 (13:23 +0300)]
micropython-lib: update to 1.28.0, add test.sh
micropython-lib is a companion repository to micropython, versioned in
lockstep. Both are now at 1.28.0 (released 2026-04-06).
The 001-build-unix-ffi.patch remains needed as the upstream has not yet
incorporated the --unix-ffi argument into the tools/build.py script.
test.sh:
- micropython-lib: verify stdlib-replacement modules (collections,
functools, base64) can be imported via the /usr/lib/micropython path
- micropython-lib-unix: verify the micropython-unix wrapper script exists
and that sqlite3/select are importable via the unix-ffi path
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Sun, 10 May 2026 10:23:10 +0000 (13:23 +0300)]
micropython: update to 1.28.0
Changes since 1.27.0:
- New machine.CAN class with bindings for the stm32 port; support across
all ports to follow
- machine.PWM support added to stm32 and alif ports, completing coverage
of all Tier 1/2 MCU-based ports
- Template strings (t-strings, PEP 750) added at the "full feature" level
- weakref module added with weakref.ref and weakref.finalize classes
- f-strings now support nested f-strings within expressions
- Optimisations to native emitter; new RISC-V Zcmp arch flag for RV32
- extmod.mk: add extmod/machine_can.c (shifts the mbedtls hunk by 1 line;
update 040-extmod-use-external-mbedtls.patch accordingly)
micropython-lib is updated in lockstep in a separate commit.
Ref: https://github.com/micropython/micropython/releases/tag/v1.28.0
Signed-off-by: Alexandru Ardelean <redacted>
Jianhui Zhao [Sun, 10 May 2026 10:01:39 +0000 (18:01 +0800)]
lua-eco: update to 4.0.0
changelog: https://github.com/zhaojh329/lua-eco/releases/tag/v4.0.0
Signed-off-by: Jianhui Zhao <redacted>
Eneas U de Queiroz [Sat, 9 May 2026 22:09:07 +0000 (19:09 -0300)]
onigumura: fix library installation
Commit 537c2a631 ("treewide: avoid deref symlinks when installing .so")
intended to avoid duplicating .so* files, but this package actually
relies on install dereferencing the file that matches the SONAME
version, to avoid installing unnecessary symlinks.
Fixes: https://github.com/openwrt/packages/issues/29387
Fixes: 537c2a631 ("treewide: avoid deref symlinks when installing .so")
Signed-off-by: Eneas U de Queiroz <redacted>
Hauke Mehrtens [Sun, 10 May 2026 18:20:27 +0000 (20:20 +0200)]
ci: cancel in-progress Test and Build runs on PR update
When a contributor pushes a new commit to an open PR, the previous
Test and Build run is no longer informative and only consumes a
runner slot that the new run could use. Add a concurrency group
keyed on the workflow name and ref so a fresh push cancels the
prior in-progress run for the same PR.
Since this workflow only triggers on pull_request, the ref is
always refs/pull/<num>/merge (unique per PR), so cancel-in-progress
can be set unconditionally.
Co-Authored-By: Claude Opus 4.7 (1M context) <redacted>
Signed-off-by: Hauke Mehrtens <redacted>
Hannu Nyman [Sun, 10 May 2026 12:57:34 +0000 (15:57 +0300)]
haveged: update to 1.9.20
Update to version 1.9.20.
Signed-off-by: Hannu Nyman <redacted>
Daniel Golle [Fri, 8 May 2026 17:50:24 +0000 (18:50 +0100)]
transmission: update to 4.1.1
Bug-fix release. Fixes 20+ bugs and includes some performance
improvements. All users are encouraged to upgrade.
Highlights (all platforms):
* Fixed a 4.1.0 bug that failed to report some filesystem errors
to RPC clients querying free space.
* Fixed a 4.1.0 bug that kept a torrent's updated queue position
from being shown.
* Fixed a 4.1.0 bug that caused torrents' queuing order to
sometimes be lost between sessions.
* Hardened .torrent parsing by exiting sooner if 'pieces' has
an invalid size.
* Reverted a 4.1.0 RPC change that broke some 3rd party code by
returning floats rather than integers for speed limit fields.
* Fixed crash when pausing a torrent and editing its tracker
list at the same time.
* Fixed 4.1.0 crash on arm32 by switching crc32 libraries to
Mark Adler's crcany.
* Require UTF-8 filenames in .torrent files (per BitTorrent spec).
* Fixed crash when parsing a .torrent file with a bad 'pieces' key.
* Fixed potential fd leak when launching scripts on POSIX systems.
* Changed network traffic algorithm to spread bandwidth more
evenly amongst peers.
Link: https://github.com/transmission/transmission/releases/tag/4.1.1
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:20:23 +0000 (18:20 +0100)]
libb64: update to 2.0.0.1
Patch release fixing build system issues with the 2.0.0 release.
2.0.0 introduced API changes including:
* Version macros for detection of incompatible API / version
* size_t as argument to allow longer base64 encoded strings
* Configurable line break functionality
* Flags field for encoder
* Helpers to calculate required output buffer maximum lengths
* Switched in-/out-pointers to void*
Link: https://github.com/libb64/libb64/blob/v2.0.0.1/CHANGELOG.md
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 20:11:56 +0000 (21:11 +0100)]
glib2: update to 2.88.1
Bump from 2.82.0 to the current upstream stable. Required by GTK
4.22 and other recent GNOME-stack consumers (gtk 4.22 requires
glib >= 2.84).
Refresh 006-c99.patch for upstream context shift; the patch
forces HAVE_C99_SNPRINTF/VSNPRINTF and HAVE_UNIX98_PRINTF to
true when cross-compiling, since upstream now only does that
implicitly for the darwin/iOS/tvOS triplet.
Link: https://gitlab.gnome.org/GNOME/glib/-/tags/2.88.1
Signed-off-by: Daniel Golle <redacted>
Josef Schlehofer [Sun, 10 May 2026 07:15:34 +0000 (09:15 +0200)]
flup: remove the package
Flup was heavily used in downstream distribution (Turris OS)
for their Web UI - reForis. Since there are no other
dependent packages in this repository, Flup is no longer needed.
The package appears to be abandoned and is no longer maintained.
The latest version dates back to 2009.
It was previously required for Seafile.
Signed-off-by: Josef Schlehofer <redacted>
George Sapkin [Fri, 8 May 2026 13:52:59 +0000 (16:52 +0300)]
coreutils: add generic version check override
Override generic version checks to skip them for some of the tools that
don't report their versions.
Signed-off-by: George Sapkin <redacted>
George Sapkin [Fri, 8 May 2026 13:21:03 +0000 (16:21 +0300)]
lksctp-tools: add generic version check override
Override generic version checks to skip them altogether because none of the
tools report their versions.
Signed-off-by: George Sapkin <redacted>
Alexandru Ardelean [Fri, 8 May 2026 07:16:45 +0000 (10:16 +0300)]
checksec: update to 3.1.0
The upstream repository was renamed from checksec.sh to checksec and the
main script was renamed from checksec to checksec.bash (still installed as
/usr/bin/checksec). The checksec_automator subpackage was removed upstream,
so drop it. Update PKG_NAME accordingly and adjust the install rule.
Changelog: https://github.com/slimm609/checksec/releases/tag/3.1.0
Co-authored-by: George Sapkin <redacted>
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:17:01 +0000 (12:17 +0300)]
sispmctl: update to 4.12
Command-line tool for controlling GEMBIRD SiS-PM USB-controlled power strips.
Changelog: https://sourceforge.net/p/sispmctl/news/
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:17:00 +0000 (12:17 +0300)]
stress-ng: update to 0.21.00
Spans two minor release cycles (0.19.04 to 0.21.00), adding new stressors,
improved architecture support, and various bug fixes.
Changelog: https://github.com/ColinIanKing/stress-ng/blob/V0.21.00/CHANGES
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:16:57 +0000 (12:16 +0300)]
less: update to 692
Update test.sh to use $2 (positional version argument) instead of the
$PKG_VERSION environment variable, and add a check that the alternative
binary /usr/libexec/less-gnu is present.
Changelog: https://www.greenwoodsoftware.com/less/news.692.html
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:16:55 +0000 (12:16 +0300)]
hwdata: update to 0.406
Updates PCI, USB, OUI, and other hardware ID databases.
Changelog: https://github.com/vcrhonek/hwdata/commits/v0.406
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:16:52 +0000 (12:16 +0300)]
fuse3: update to 3.18.2
Drop two patches that have been applied upstream:
- 100-fuse_signals.c-fix-build-warning-when-HAVE_BACKTRACE.patch
- 101-mount_util.c-check-if-utab-exists-before-update.patch
Changelog: https://github.com/libfuse/libfuse/releases/tag/fuse-3.18.2
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:16:49 +0000 (12:16 +0300)]
fontconfig: update to 2.16.0
Bugfix and maintenance release of the font configuration and discovery library.
Changelog: https://gitlab.freedesktop.org/fontconfig/fontconfig/-/blob/2.16.0/NEWS
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:16:43 +0000 (12:16 +0300)]
fio: update to 3.42
Remove <linux/prctl.h> from backend.c via Build/Prepare sed: both
<linux/prctl.h> and <sys/prctl.h> define struct prctl_mm_map in newer
musl toolchains, causing a redefinition build error. sys/prctl.h alone
provides everything fio needs.
Changelog: https://github.com/axboe/fio/blob/fio-3.42/HOWTO.rst
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Thu, 7 May 2026 11:26:50 +0000 (14:26 +0300)]
lttng-modules: update to 2.15.1
Bug-fix release (2026-04-24).
Changes:
- Fix: kallsyms on powerpc64 with ABI V1
- fix: ASoC: soc-dapm: move struct snd_soc_dapm_context (v7.0)
- fix: adjust range in btrfs probe for v6.18.14
Reference: https://lttng.org/files/lttng-modules/
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:27:32 +0000 (12:27 +0300)]
lttng-tools: update to 2.15.0
Remove obsolete patches:
- 010-compat-off64_t-is-not-defined-by-musl.patch: the patched files
(src/common/compat/compat-fcntl.c and src/common/compat/fcntl.h)
no longer exist in 2.15.0
- 020-fix-lttng-tools-fails-to-compile-with-libxml2-2-14-0.patch: the
encode_string() function was refactored in 2.15.0 to use
xmlCharEncInFunc() instead of handler->input(), so the fix is no
longer needed
Add musl compatibility fixes in Build/Prepare via sed:
- Remove :: global-namespace qualifier from TFD_CLOEXEC in timerfd.hpp;
musl defines it as an octal literal so ::TFD_CLOEXEC is invalid C++
- Same fix for EPOLL_CLOEXEC in poller.cpp
- Relax static_assert in consumer.hpp from __cplusplus == 201103L to
>= 201103L; SDK builds with C++17
Add missing +libstdcpp to DEPENDS (lttng-tools links libstdc++.so.6).
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:27:27 +0000 (12:27 +0300)]
lttng-ust: update to 2.15.0
Update from 2.13.9 to 2.15.0 (skips 2.14.x stable series).
Highlights of the 2.14/2.15 series:
- C++ header compatibility improvements (tracepoint API usable from C++)
- liblttng-ust-tracepoint split into its own shared library
- Add liblttng-ust-fd, liblttng-ust-fork helper libraries
- Ring buffer API cleanup and modernisation
- Drop internal libcompat layer
Patch update:
- 100-no-tests.patch: adjust hunk offset from line 7 to line 9; the
tests/ entry in SUBDIRS moved down two lines in Makefile.am
Reference: https://lttng.org/files/lttng-ust/
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:27:25 +0000 (12:27 +0300)]
delve: update to 1.26.3
Bug-fix release (2026-04-27).
Changes:
- dwarf/godwarf: fix regression debugging DWARFv5 on macOS
- cmd/dlv: use goversion.ParseProducer for DW_AT_producer parsing
- pkg/proc: fix flakiness in TestWaitFor
- eBPF backend: extend feature to print procedure parameters in trace
- minor comment and code cleanup
Reference: https://github.com/go-delve/delve/blob/master/CHANGELOG.md#1263-2026-04-27
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:27:22 +0000 (12:27 +0300)]
erlang: update to 28.5
Upstream release 28.5 (2026-04-23), patch release for OTP 28.
Applications updated:
- erl_interface-5.7: new --{enable,disable}-use-embedded-3pp-alternatives
configure option; allows using system zstd, zlib, ryu, openssl, tcl
instead of bundled copies (default: zlib uses OS version if available)
- erts-16.4: fixed bug in enif_make_map_from_arrays for arrays with >= 33
keys (duplicates could produce broken maps); fixed Unicode handling in
erl.exe args_file on Windows
- mnesia-4.25.3: bug fixes
- ssl-11.6: bug fixes
Highlight: new "Secure Coding Guidelines" document added to Design
Principles describing how to write secure Erlang code.
Reference: https://github.com/erlang/otp/releases/tag/OTP-28.5
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:27:20 +0000 (12:27 +0300)]
rsyslog: update to 8.2604.0
Version 8.2604.0 follows the YYYYMM.x versioning scheme (April 2026).
The 8.2604.0 release enables --enable-impstats-push by default, which
requires protobuf-c-compiler (protoc-c). Since we don't ship
protobuf-c in the SDK environment and the impstats push feature is
not essential for typical OpenWrt use, disable it explicitly with
--disable-impstats-push.
Signed-off-by: Alexandru Ardelean <redacted>
Dirk Brenken [Sat, 9 May 2026 19:38:20 +0000 (21:38 +0200)]
travelmate: release 2.4.5-1
- added opt-in protection against access points with locally-administered (LAA) BSSIDs
- added a special trm_maxretry value '0', enabling unlimited connection retries
- removed obsolete connection-tracking functions (too many uci updates/flash wear)
- all runtime files now live under a single /var/run/travelmate/ directory
- various code cleanups & fixes
- LuCI: made the new UCI option 'trm_eviltwin' available
- LuCI: more cleanups
- readme update
Signed-off-by: Dirk Brenken <redacted>
Daniel Golle [Fri, 8 May 2026 18:21:09 +0000 (19:21 +0100)]
mptcpd: bump PKG_RELEASE for ell 0.83 ABI rebuild
mptcpd is the only consumer of libell; bump PKG_RELEASE so the
package is rebuilt against ell 0.83 once that update lands.
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:12:04 +0000 (18:12 +0100)]
ell: update to 0.83
Embedded Linux Library update.
Changes since 0.82:
* Fix issue with PKCS#8 unit tests.
* Add additional test vectors for AES-CCM.
Link: https://git.kernel.org/pub/scm/libs/ell/ell.git/log/?h=0.83
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:40:01 +0000 (18:40 +0100)]
lvm2: update to 2.03.40 (libdm 1.02.209)
Update LVM2 from 2.03.33 to 2.03.40, bundled libdm from 1.02.207 to
1.02.209.
LVM2 highlights since 2.03.33:
2.03.40 (28th April 2026):
* Many bug fixes and memory/lock leak fixes throughout the
tree (vgcreate, vgmerge, vgimportclone, pvscan, raid, dmeventd,
pvmove, lvmpolld).
* Validate area_count and metadata sizes to prevent overflows.
* Fix percent_check threshold stuck above 100% in dmeventd
thin/vdo plugins.
* Pre-create udev cookie before critical section to avoid
resume failures.
2.03.39 (13th March 2026):
* Support --interval +N to delay first poll in pvmove and lvpoll.
* Add atomic leases using Compare and Write (CAW) to lvmlockd.
* Add lvm-index(7), lvm-categories(7), lvm-args(7) man pages.
* Show active cache mode in kernel table line (lvs -o kernel_cache_mode).
* Switch from internal device_mapper library to libdm.
2.03.34 - 2.03.38:
* Persistent reservation support on a VG; VG attr character + pr
field on vgs reflecting persistent reservation status.
* dmeventd: restart with no monitored devices, no actions on
removed devices.
* Various filter, integrity, cache, raid and pvmove fixes.
libdm changes since 1.02.207 (1.02.208 / 1.02.209) consist purely
of internal cleanups and version bumps; no user-visible changes
documented in WHATS_NEW_DM.
Link: https://gitlab.com/lvmteam/lvm2/-/blob/v2_03_40/WHATS_NEW
Link: https://gitlab.com/lvmteam/lvm2/-/blob/v2_03_40/WHATS_NEW_DM
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:08:15 +0000 (18:08 +0100)]
cryptsetup: update to 2.8.6
Stable bug-fix release. All users of cryptsetup 2.8.x must upgrade.
Changes since 2.8.4:
* Fix FileVault (fvault2) metadata parsing crash with crafted images.
Reported by David Pokora (Trail of Bits/Anthropic).
* Fix reading FileVault image metadata from incorrect image offset.
* OpenSSL backend: increase the number of allowed threads to 64
(workaround for parallel Argon2 PBKDF deadlock).
* Fix LUKS2 reencryption lock name when the device is being reencrypted.
* Check UUID of the resumed device to match UUID stored in metadata.
* Add a specific error for failed detached header allocation.
* Fix tests not to use aes-generic kernel cipher name (Linux 7.0+).
* Fix OpenSSL crypto backend if built with LibreSSL.
* Several compatibility fixes to the alternative Meson configuration.
* Various code fixes based on AI-assisted reviews (memory wiping,
error paths, integrity sector overflow, device-mapper flags, ...).
Link: https://gitlab.com/cryptsetup/cryptsetup/-/blob/v2.8.6/docs/v2.8.6-ReleaseNotes
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:28:19 +0000 (18:28 +0100)]
libxmp: update to 4.7.0
A substantial release with many new features and module format
fixes since 4.6.3.
Highlights:
* Increase maximum sampling rate (XMP_MAX_SRATE) to 768000.
* xmp_seek_time now always seeks; new xmp_seek_time_frame for
frame-accurate seeking.
* New tempo factor APIs: xmp_set_tempo_factor_relative,
xmp_get_tempo_factor, xmp_get_tempo_factor_relative.
* New API define XMP_FORMAT_32BIT to enable 32-bit integer output.
* New API defines XMP_INST_NO_DEFAULT_PAN, XMP_MARK_SKIP,
XMP_MARK_END.
* Add support for Pack-Ice depacking and Software Visions DMF
(Apocalypse Abyss MOD variant).
* Internal module time/duration calculations now use doubles.
* Numerous bug fixes across MOD, XM, S3M, IT, RTM, MED, Funktracker,
Imago Orpheus IMF, Liquid Tracker LIQ, DigiBooster Pro, IMS and
other formats: sample default panning/volume corrections, effect
memory and translation fixes, note edge cases.
Link: https://github.com/libxmp/libxmp/blob/libxmp-4.7.0/docs/Changelog
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:34:18 +0000 (18:34 +0100)]
openal-soft: update to 1.25.1
1.25.1:
* Fixed the OpenSL and JACK backends.
* Fixed WASAPI and CoreAudio capture.
* Fixed building the OSS backend with OSS v4.
* Fixed a debug assertion with HRTF enabled.
* Fixed an STL hardening assertion in the polyphase resampler.
* Added a new stereo-encoding option for Tetraphonic Surround Matrix
Encoding.
1.25.0:
* Updated library codebase to C++20.
* Fixed alcIsExtensionPresent to do a case-insensitive compare.
* Fixed potential noise when switching reverbs.
* Fixed reverb panning with certain output modes.
* Fixed retrieving the alGetProcAddressDirect extension function.
* Fixed negative source offsets with a callback buffer.
* Added build options for STL hardening (default ON for performant checks).
* Added support for fourth-order ambisonics.
* Added support for CAF files to the Wave Writer backend.
* Added optional support for C++20 modules.
* Updated alsoft-config to Qt6.
* Changed default period size to 512 sample frames.
Link: https://github.com/kcat/openal-soft/blob/1.25.1/ChangeLog
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:51:57 +0000 (18:51 +0100)]
xdg-dbus-proxy: update to 0.1.7
Changes in 0.1.7 (2025-04-07):
* Drop the autotools build system
* Unbreak the CI
* Prevent a crash on disconnect
* Fix building with glibc >= 2.43
* Fix the eavesdrop filtering to prevent message interception
Link: https://github.com/flatpak/xdg-dbus-proxy/blob/0.1.7/NEWS
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:24:59 +0000 (18:24 +0100)]
libp11: update to 0.4.18
Changes since 0.4.16:
0.4.18 (2026-02-16):
* Support for RSA-PSS and RSA-OAEP using keys retrieved using the
PKCS11_get_private_key() libp11 API and the PKCS#11 provider.
* Improved test coverage.
0.4.17 (2026-02-01):
* Ed25519 and Ed448 support (PKCS#11 v3.2).
* Fixed OPENSSL_NO_EC builds.
* Reverted RSA public exponent change from PR #474.
* Fixed crash on module initialization failures.
* Ignoring trailing newlines in pin-source files.
* Initial build fixes for the upcoming OpenSSL 4.x.
Drop the now obsolete 001-fix-install.patch which has been merged
upstream.
Link: https://github.com/OpenSC/libp11/blob/libp11-0.4.18/NEWS
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:51:38 +0000 (18:51 +0100)]
wavpack: update to 5.9.0
Release 5.9.0 (January 16, 2026):
* added: new feature to wvtag to copy tags from one WavPack file
to another
* improved: minor tweaks to the new DNS (dynamic noise shaping)
algorithm
* improved: better handling of specific non-standard WAV and AIFF
files
* improved: added CI (GitHub Actions) and fixed a few minor build
issues
* fixed: --pause option failed in many situations (Windows-only)
* fixed: issues related to encoding from an unknown length
(e.g., pipes)
* fixed: several fuzzer-revealed issues related to multithreading
* fixed: potential buffer overruns in WavpackOpenRawDecoder()
Link: https://github.com/dbry/WavPack/blob/5.9.0/NEWS
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:21:58 +0000 (18:21 +0100)]
libjwt: update to 3.3.2
Major version jump from 1.17.1 to 3.3.2.
libjwt 3.x is a substantial rewrite:
* New backend abstraction supporting OpenSSL, GnuTLS and MbedTLS
crypto libraries (selected at build time).
* New JWK and JWKS APIs for key handling with full RFC 7517 support.
* Improved error handling and reporting.
* EdDSA signature support (Ed25519, Ed448).
* Optional libcurl integration for fetching JWKS from a URL.
* Many API additions while keeping backwards-compatible semantics
for the most common HMAC/RSA/ECDSA operations.
Force OpenSSL backend (-DWITH_GNUTLS=OFF -DWITH_MBEDTLS=OFF) since
libopenssl is already a dependency, avoiding pulling in libgnutls.
Disable -DWITH_TESTS=OFF since the testsuite is not relevant for
embedded targets.
Link: https://github.com/benmcollins/libjwt/releases/tag/v3.3.2
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:21:15 +0000 (18:21 +0100)]
libevdev: update to 1.13.6
Minor update from 1.13.4 with new EV_KEY/EV_ABS code definitions
synced with the latest kernel input headers, plus various bug fixes
and tooling improvements.
Link: https://gitlab.freedesktop.org/libevdev/libevdev/-/tags/libevdev-1.13.6
Signed-off-by: Daniel Golle <redacted>
Stan Grishin [Sat, 9 May 2026 05:38:49 +0000 (05:38 +0000)]
https-dns-proxy: update to 2026.03.18-3
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
update to 2026.03.18, release 3
- update PKG_RELEASE to 3
files/etc/init.d/https-dns-proxy:
- refactor nftable rules to explicitly add and flush the table and
chains instead of block replacement
- make nftable `delete table` call silent in `notrack_nft remove`
- update `notrack_nft remove` to check for absence of nftable table
instead of just checking the file
- ensure `notrack_nft remove` sets _error=1 on failure
- ignore dnsmasq instances with port 0 in
`dnsmasq_instance_append_force_dns_port`
tests/run_tests.sh:
- add test case to ensure dnsmasq port 0 is ignored
- update `notrack_nft remove` test to confirm success when both file
and table are absent
Signed-off-by: Stan Grishin <redacted>
Daniel Golle [Fri, 8 May 2026 17:16:10 +0000 (18:16 +0100)]
gawk: update to 5.4.0
Changes from 5.3.x to 5.4.0:
* Use Mike Haertel's MinRX regular expression matcher by default.
The old regex and dfa engines are still available.
* New @nsinclude directive: like @include but doesn't reset
the namespace to "awk".
* lshift()/rshift() return 0 when shifting more bits than in uintmax_t.
* Persistent memory: store meta-info in backing file; warn on
version mismatch; allow dynamic extensions with persistent memory.
* ordchr extension now supports multibyte / wide characters.
* length(array) is no longer an extension (POSIX 2024); --posix
no longer rejects it and --lint no longer warns.
* --traditional rationalised to match BWK awk behaviour.
* Assertions are now enabled in the C code.
* Hexadecimal floating-point values may now be used in source,
strtonum() and -n/--non-decimal-data option.
* UDP networking support is now deprecated, will be removed in 6.0.
* Reading regular disk input files is somewhat faster (no timeout check).
* Various bug fixes.
Link: https://git.savannah.gnu.org/cgit/gawk.git/plain/NEWS?h=gawk-5.4.0
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 17:49:53 +0000 (18:49 +0100)]
postgresql: update to 18.3
Major version update from 17.5 to 18.3.
PostgreSQL 18 (released September 2025) brings:
* Asynchronous I/O (AIO) for shared buffers, sequential scans,
bitmap heap scans and pg_prewarm.
* Skip scans for B-tree indexes.
* Performance improvements for partition pruning.
* Logical replication: improved replication of generated columns,
protocol version 5.
* Native UUIDv7 support.
* Larger I/O for sequential and parallel scans.
* Concurrent reindex of partitioned tables.
* pg_dump: --filter for selective dumps.
* Numerous SQL/JSON improvements.
* New built-in role pg_signal_autovacuum_worker.
18.3 is the third maintenance release with bug fixes since 18.0.
Drop the now obsolete pg_config_ext.h copy in Build/InstallDev: this
header has been removed upstream in PostgreSQL 18.
Link: https://www.postgresql.org/docs/release/18.0/
Link: https://www.postgresql.org/docs/release/18.3/
Signed-off-by: Daniel Golle <redacted>
Daniel Golle [Fri, 8 May 2026 20:11:56 +0000 (21:11 +0100)]
libdrm: update to 2.4.133
Bump from 2.4.123 to current upstream stable. Required by recent
Mesa, weston, wlroots and other graphics-stack consumers
(wlroots 0.20+ explicitly requires libdrm >= 2.4.129).
Link: https://dri.freedesktop.org/libdrm/
Signed-off-by: Daniel Golle <redacted>
Tianling Shen [Sat, 9 May 2026 03:53:05 +0000 (11:53 +0800)]
openlist: Update to 4.2.1
Release note:
- https://github.com/OpenListTeam/OpenList/releases/tag/v4.2.0
- https://github.com/OpenListTeam/OpenList/releases/tag/v4.2.1
Signed-off-by: Tianling Shen <redacted>
Tianling Shen [Sat, 9 May 2026 03:47:19 +0000 (11:47 +0800)]
btop: Update to 1.4.7
Refreshed patches.
Release note: https://github.com/aristocratos/btop/releases/tag/v1.4.7
Signed-off-by: Tianling Shen <redacted>
Tianling Shen [Sat, 9 May 2026 03:34:18 +0000 (11:34 +0800)]
dnsproxy: Update to 0.81.3
Release note: https://github.com/AdguardTeam/dnsproxy/releases/tag/v0.81.3
Signed-off-by: Tianling Shen <redacted>
Tianling Shen [Sat, 9 May 2026 03:32:47 +0000 (11:32 +0800)]
v2ray-core: Update to 5.48.0
Release note: https://github.com/v2fly/v2ray-core/releases/tag/v5.48.0
Signed-off-by: Tianling Shen <redacted>
Tianling Shen [Sat, 9 May 2026 03:32:23 +0000 (11:32 +0800)]
yq: Update to 4.53.2
Release note: https://github.com/mikefarah/yq/releases/tag/v4.53.2
Signed-off-by: Tianling Shen <redacted>
Tianling Shen [Sat, 9 May 2026 02:57:17 +0000 (10:57 +0800)]
dufs: Update to 0.46.0
Release note: https://github.com/sigoden/dufs/releases/tag/v0.46.0
Signed-off-by: Tianling Shen <redacted>
Tianling Shen [Sat, 9 May 2026 02:56:48 +0000 (10:56 +0800)]
rclone: Update to 1.74.1
Release note: https://rclone.org/changelog/#v1-74-1-2026-05-08
Signed-off-by: Tianling Shen <redacted>
Tianling Shen [Sat, 9 May 2026 02:56:09 +0000 (10:56 +0800)]
v2ray-geodata: update to latest version
Update all geodata.
Signed-off-by: Tianling Shen <redacted>
Tianling Shen [Sat, 9 May 2026 02:55:47 +0000 (10:55 +0800)]
dos2unix: Update to 7.5.5
2026-04-06: Version 7.5.5
* New option --error-binary: Return an error if a
binary file is skipped.
* Fix: dos2unix error on empty input. The problem was introduced
in version 7.5.4.
Signed-off-by: Tianling Shen <redacted>
Lucian CRISTIAN [Fri, 8 May 2026 08:24:18 +0000 (11:24 +0300)]
frr: update to 10.6.1
update frr to latest stable 10.6.1
Signed-off-by: Lucian CRISTIAN <redacted>
Daniel Golle [Fri, 8 May 2026 16:59:39 +0000 (17:59 +0100)]
bubblewrap: update to 0.11.2
0.11.2 (CVE-2026-41163):
* In setuid mode, don't run the low-privileged parts of the setup
as dumpable, as that allows it to be ptraced which can lead to problems.
* New build option -Dsupport_setuid, which if set to false (the default)
disables the support for setuid.
0.11.1:
* Reset disposition of SIGCHLD, restoring normal subprocess management
if bwrap was run from a process that was ignoring that signal.
* Don't ignore --userns 0, --userns2 0 or --pidns 0 if used.
* Fix grammar in an error message and a broken link in the documentation.
Link: https://github.com/containers/bubblewrap/blob/v0.11.2/NEWS.md
Signed-off-by: Daniel Golle <redacted>
Yanase Yuki [Fri, 2 Jan 2026 09:06:57 +0000 (18:06 +0900)]
treewide: cleanup URLs
This commit converts plain HTTP URLs to HTTPS, and updates
old or outdated URLs.
Signed-off-by: Yanase Yuki <redacted>
Federico Capoano [Mon, 4 May 2026 21:35:29 +0000 (18:35 -0300)]
openwisp-monitoring: upgrade to 0.3.1
Change log:
https://github.com/openwisp/openwrt-openwisp-monitoring/releases/tag/0.3.1
Signed-off-by: Federico Capoano <redacted>
George Sapkin [Thu, 7 May 2026 17:40:06 +0000 (20:40 +0300)]
sqlite3: bump to 3.53.1
Changes: https://sqlite.org/releaselog/3_53_1.html
Signed-off-by: George Sapkin <redacted>
Rob White [Sun, 8 Mar 2026 14:53:40 +0000 (14:53 +0000)]
wifi-chipset-detect: new package
Maintainer: Rob White rob@blue-wave.net
Compile tested: All
Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, mips_24kc,
aarch64_cortex-a53; On 24.10, 25.12 and master/snapshot.
Description: wifi-chipset-detect (1.0.0)
This is a new package that reports in json format the chipset
and driver capabilities of installed wireless hardware.
Developed originally for use where Captive Portal
and Mesh Backhaul networks are being built.
It provides a stand alone script to detect details of the physical
wireless hardware without requiring the radios to be enabled.
There are no dependencies over and above the basic OpenWrt flash image.
It is based on functionality built into the OpenNDS and Mesh11sd packages.
The json formatted output is displayed on the terminal screen.
It is also written to the file /tmp/wifidetect.
This version does not require the Captive Portal
or Mesh network to be running.
Full details can be seen here:
https://github.com/openNDS/wifi-chipset-detect
Signed-off-by: Rob White <redacted>
Daniel F. Dickinson [Thu, 7 May 2026 07:04:18 +0000 (03:04 -0400)]
radicale3: bump version and adjust dependencies
Bump to latest release (3.7.2) and adjust dependencies accordingly.
Signed-off-by: Daniel F. Dickinson <redacted>
Daniel F. Dickinson [Thu, 7 May 2026 07:01:46 +0000 (03:01 -0400)]
radicale3: fix formatting of initscript
Use shfmt to standardize formatting of initscript.
Signed-off-by: Daniel F. Dickinson <redacted>
Daniel F. Dickinson [Thu, 7 May 2026 07:00:02 +0000 (03:00 -0400)]
radicale3: clean out cspell hints
Remove unwanted cspell hints from Makefile and initscript.
Signed-off-by: Daniel F. Dickinson <redacted>
Jianhui Zhao [Thu, 7 May 2026 14:02:29 +0000 (22:02 +0800)]
lua-ffi: update to 1.2.0
changelog: https://github.com/zhaojh329/lua-ffi/releases/tag/v1.2.0
Signed-off-by: Jianhui Zhao <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:07:58 +0000 (12:07 +0300)]
zlog: update to 1.2.18
Changelog:
- Fix CVE-2024-22857 security vulnerability
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:07:47 +0000 (12:07 +0300)]
taglib: update to 2.2.1
Changelog:
- Add Matroska (MKA, MKV) and WebM format support (v2.2)
- Add NI STEM support in MP4 files (v2.2)
- Add isDsd() method to WavPack audio properties (v2.2)
- Fix duplicate prevention in Matroska complex property keys (v2.2.1)
- Add Matroska edition, chapter, and attachment UID metadata (v2.2.1)
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:07:37 +0000 (12:07 +0300)]
sbc: update to 2.2
Changelog:
- Fix compilation with C23 requirements (v2.2)
- Fix build without SBC_BUILD_WITH_SSE_SUPPORT (v2.1)
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:07:27 +0000 (12:07 +0300)]
openblas: update to 0.3.33
Changelog:
- Fix GCC15 miscompilation of DDOT kernel on arm64 non-SVE targets
- Fix accuracy issue in GEMV kernel for Neoverse V1/SVE targets
- Fix broken STRMM/SSYMM in DYNAMIC_ARCH builds on non-SME hardware
- Add Cortex-A75/A76 autodetection in DYNAMIC_ARCH builds
- Fix LoongArch64 build failure with half-precision float support
- Import LAPACK updates aligned with upcoming 3.13.0 release
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:07:17 +0000 (12:07 +0300)]
leptonica: update to 1.87.0
Changelog:
- Released as a configure-ready version
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:07:08 +0000 (12:07 +0300)]
libmaxminddb: update to 1.13.3
Changelog:
- Fix MMDB_open incorrectly rejecting databases with 0-element
map/array fields at the end of metadata (v1.13.3)
- Fix compilation conflict with bswap32/bswap64 macros on macOS 26
Tahoe (v1.13.2)
- Fix validation and edge-case handling in database open path (v1.12.x)
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:06:58 +0000 (12:06 +0300)]
jsoncpp: update to 1.9.7
Changelog:
- Security: reject unescaped control characters in JSON strings
- Security: fix use-after-free in Reader::parse()
- Add std::string_view support in the Value API
- Fix string_view ABI mismatch between library and consumers
Signed-off-by: Alexandru Ardelean <redacted>
Chester A. Unal [Sat, 2 May 2026 17:56:47 +0000 (18:56 +0100)]
bsbf-resources: update to GIT HEAD of 2026-05-06
Update bsbf-resources to the GIT HEAD of 2026-05-06.
- Remove bsbf-route as bsbf-mptcp now includes the functionality it
provides.
- Remove bsbf-plpmtu as that functionality is now provided with the
plp-mtu-discovery package.
- Remove bsbf-tcp-in-udp as it's not a production-ready solution as it is.
- Add bsbf-client-web.
- Update the dependencies of bsbf-mptcp to curl, fping, ip-full, and
mptcpize.
- Remove files/etc/config/bsbf-mptcp as that functionality is now provided
using the /etc/bsbf/bsbf-mptcp-subflow-backup file.
- Remove files/etc/hotplug.d/iface/99-bsbf-mptcp as that functionality is
now provided by the bsbf-mptcp service.
- Update the dependencies of bsbf-bonding to bsbf-client-web, bsbf-mptcp,
bsbf-rate-limiting, and xray-core.
- Get rid of fw4 dependency and 99-bsbf-bonding.nft in favour of
resources-client/bsbf_bonding.nft. Add a oneshot service to apply it at
boot.
- Move from bsbf-openwrt-resources to bsbf-resources directory as we now
install resources-client/xray.json and resources-client/bsbf_bonding.nft.
- Add the bsbf-bonding command.
- Run `bsbf-bonding --enable` at the end on the uci-defaults script.
- Add the tc package as a dependency for bsbf-rate-limiting.
Fixes: https://github.com/openwrt/packages/issues/29306
Signed-off-by: Chester A. Unal <redacted>
Chester A. Unal [Tue, 5 May 2026 07:58:20 +0000 (08:58 +0100)]
bsbf-bonding: fix checking if interface is a bridge
The current check would match a uci device section that doesn't say if the
interface is a bridge. Check that the type option is bridge to address
this.
Signed-off-by: Chester A. Unal <redacted>
Stan Grishin [Mon, 4 May 2026 03:01:56 +0000 (03:01 +0000)]
https-dns-proxy: update to 2026.03.18-2
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
Fix nftables rule directory creation
- Bump PKG_RELEASE to 2.
files/etc/init.d/https-dns-proxy:
- Add 'mkdir -p' before writing nftables rules to ensure the parent
directory exists. This fixes an issue where the directory might not
exist on initial installation, causing errors.
tests/run_tests.sh:
- Add comprehensive regression tests for notrack_nft.
- Mock 'nft' to track invocations and control return codes for testing.
- Patch 'NOTRACK_NFT_FILE' to a test-specific path for isolated testing.
- Verify 'notrack_nft' correctly creates the parent directory if missing.
- Test content of generated nftables snippet, idempotence, and removal.
Signed-off-by: Stan Grishin <redacted>
Alexandru Ardelean [Wed, 6 May 2026 06:23:11 +0000 (09:23 +0300)]
unbound: add test.sh
unbound-control-setup is a shell script that generates TLS certificates
for unbound-control; it does not print a version string. The generic CI
test framework cannot verify the version via the binary, causing the
"No executables in the package provided version" failure.
Add a package-specific test.sh that:
- tests unbound-daemon version via 'unbound -V' and config file presence
- tests libunbound shared library presence
- tests unbound-anchor/-checkconf/-control/-host binaries run and
respond to -h without starting the daemon
- tests unbound-control-setup as an installed, executable shell script
containing expected keywords (no version check)
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Fri, 1 May 2026 16:33:03 +0000 (19:33 +0300)]
alsa-lib: add test.sh for aserver without --version
aserver does not implement --version so the generic CI version check
fails for it. Add a test.sh case that verifies it is present and
executable instead.
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:20:01 +0000 (12:20 +0300)]
upmpdcli: update to 1.9.17
Changes since 1.8.11:
- 1.8.16: Enhanced Tidal/Subsonic modules; improved Recoll 1.40 compatibility
- 1.8.17: Resolved Qobuz plugin incompatibilities on modern distributions
- 1.8.18: Fix many issues with the thoroughly broken Qobuz plugin
- 1.9.0: Restructured Qobuz plugin; improved search; fixed custom icon support
- 1.9.1: Subsonic and Tidal module enhancements
- 1.9.2: Resolved Qobuz login issues with OpenHome credentials service
- 1.9.5: Repaired broken Qobuz plugin; fixed gcc 15 compilation crash
- 1.9.6: Fixed media server crash with malformed proxy URLs
- 1.9.7: Fixed streaming URL handling with colon characters
- 1.9.11: Vastly improved Qobuz search; uprcl property operators and indexing
- 1.9.12: Accelerated uprcl initialization via stored Recoll data
- 1.9.13: Improved OpenHome source switching; major Subsonic plugin overhaul
- 1.9.14: Custom HTTP headers support for plugins; fixed rare proxy deadlock
- 1.9.15: Enhanced Linn Kinsky compatibility; improved radio metadata handling
- 1.9.17: Restored Qobuz connectivity via new OAuth method
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:19:58 +0000 (12:19 +0300)]
mpd: update to 0.23.17
Drop 020-string-view.patch: mpd 0.23.17 uses std::string_view directly
in src/tag/GenParseName.cxx, making the patch redundant.
Changes since 0.23.16:
- Optimize the "albumart" command to send larger chunks when available
- Explicitly disallow 'idle' and 'noidle' commands in command lists
- Require libnfs 4.0 or later for NFS storage support
- Trigger inotify database update after symlink creation
- Prefer FFmpeg over sndfile and audiofile for DTS-WAV support
- Add support for libfmt 11.1
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:19:55 +0000 (12:19 +0300)]
libnpupnp: update to 6.3.0
Changes since 6.2.1:
- Build without expat by default (switch to picoxml)
- Fix build errors with -Dipv6=false option (issue #142)
- Check size of POST upload data and response data against
g_maxContentLength; change default from 16k to 2MB
- Use IPv6 socket when looking for an available port with IPv6 enabled
- Fix MHD start error handling to not delete minisocket array prematurely
- Remove code assuming different v4/v6 listening ports
- Add per-subsystem debug logging control via environment variable
- SSDP code cleanups and header removal
- Fix win32 compile issue (setsockopt args)
- Avoid leaking private headers to consumers via meson build
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:19:52 +0000 (12:19 +0300)]
imagemagick: update to 7.1.2-21
Security fixes (18 GHSAs addressed between 7.1.2-1 and 7.1.2-21):
- Fix stack buffer overflow in MagnifyImage (GHSA-rqq8-jh93-f4vg, high)
- Fix heap buffer overflow in WaveletDenoiseImage (GHSA-5ggv-92r5-cp4p)
- Fix uninitialized pointer dereference in JBIG decoder (GHSA-wj8w-pjxf-9g4f, high)
- Fix heap buffer over-write in PNG encoder with large profiles (GHSA-qmw5-2p58-xvrc)
- Fix heap buffer overflow in UHDR encoder (GHSA-h95r-c8c7-mrwx)
- Fix stack buffer overflow in sixel encoder (GHSA-49hx-7656-jpg3)
- Fix heap-buffer-overflow in NewXMLTree XML parsing (GHSA-gc62-2v5p-qpmp)
- Fix heap buffer over-write on 32-bit systems in SFW decoder (GHSA-56jp-jfqg-f8f4)
- Add overflow checks to BMP/DIB, SGI, PS3, JXL, and sixel write paths
Bug fixes:
- Fix double-free in SVG gradientTransform/transform parsing
- Fix NULL pointer dereference in HEIC NCLX color profile allocation
- Fix heap over-read in BilateralBlurImage with even-dimension kernels
- Fix infinite loop when decoding JXL with -limit height/width
- Fix race condition using properties instead of global splaytree
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:19:49 +0000 (12:19 +0300)]
graphicsmagick: update to 1.3.46
Security fixes:
- Fix MSL/SVG parsers to use libxml2 SAX handlers, removing archaic
cruft with potential security issues
- Fix JP2 Jasper max_samples calculation to avoid DoS via huge images
- Apply image dimension resource limits and fix heap write overflow in JXL
- Fix WPG palette buffer allocation (SF bug #750)
- Fix ColorFloodfillImage() to error when clip-mask is present
Bug fixes:
- Fix JPEG CMYK inversion regression introduced in 1.3.43
- Re-implement PNG8 writer with correct indexed-color and binary transparency
- Re-write HEIF reader (AVIF, HEIC) based on heif_image_get_plane_readonly2(),
adding deep image support and YCbCr/monochrome output
- Fix Hull transform arithmetic overflow regression from Oct 2023
- Fix -crop percentage tiling regression
- Re-enable EXPERIMENTAL_EXIF_TAGS by default with known issues fixed
- Fix Magick++ thread safety regression since 2003 (pthreads support)
New features:
- Add support for newer Artifex urw-base35-fonts (OpenType and Type 1)
- Add ImagesResource limit to control simultaneous loaded images
- Add EXIF Version 3.0 decoding and validation
- Add preliminary MP4 coder with HEIF sequence support
- Require C99 compiler compatibility in build infrastructure
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Mon, 4 May 2026 16:07:14 +0000 (19:07 +0300)]
psqlodbc: remove test.sh covered by generic tests
The test only checked for .so file existence, which is already
verified by the generic tests (symlink validity + linked libraries).
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:31:17 +0000 (12:31 +0300)]
scons: update to 4.10.1
Update from 4.0.1 to 4.10.1. Notable changes across releases:
- 4.10.1: switch to cProfile (profile module deprecated in Python 3.15);
fix Literal membership tests and sequence type handling
- 4.10.0: fix MSVC initialization delays in GitHub Actions; fix variant
directory components in CompilationDatabase; improve Ninja quoting
- 4.9.0: drop Python 3.6 support; add comprehensive type hints for Node
classes; add clang/clang++ to default tool search order; support binary
and octal integer constants in C preprocessor
- 4.8.0: replace black/flake8 with ruff; add MSVC_TOOLSET_VERSION,
MSVC_SDK_VERSION, MSVC_SPECTRE_LIBS construction variables
- 4.7.0: make NewParallel scheduler the default; CacheDir writes execute
in parallel outside taskmaster critical section; add Python 3.13 support
- 4.6.0: add Visual Studio 2026 and ARM64 host configuration support;
enhanced type hints throughout Environment and Node classes
- 4.5.0: add ValidateOptions(); refactor Taskmaster into a package;
migrate to Python's logging module; extend ninja tool with daemon support
- 4.4.0: add MSVC_USE_SETTINGS and multiple MSVC configuration variables;
implement global policy settings for MSVC version handling
- 4.3.0: add SConsEnvironmentError exception; improved MSVC detection;
Python 3.12 compatibility fixes
- 4.2.0: Performance improvements in Node processing; improved MSVC
support for VS 2022; better parallel build handling
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:30:51 +0000 (12:30 +0300)]
psqlodbc: update to 18.00.0001
Update from 17.00.0004 (2024-12-09) to 18.00.0001 (2026-03-23).
This is a major version bump to the 18.x series, aligning with
PostgreSQL 18 support. Switch from a fixed git commit to the
18.00.0001 tagged release.
Add test.sh to verify the psqlodbca and psqlodbcw shared libraries
are present after installation.
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:30:36 +0000 (12:30 +0300)]
mpremote: update to 1.28.0
Update from 1.27.0 to 1.28.0, tracking the MicroPython 1.28.0 release.
Add version check to test.sh using importlib.metadata to verify the
installed package version matches the expected version string.
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:30:24 +0000 (12:30 +0300)]
xfsprogs: update to 6.19.0
Update from 6.10.1 to 6.19.0. Notable changes:
- 6.19.0: fix log sunit automatic configuration in mkfs; fix data
corruption bug in libxfs_file_write; fix various memory leaks; improve
realtime subvolume info in xfs_io statfs
- 6.18.0: adjust nr_zones for zoned filesystems on conventional devices
in mkfs; fix xfs_logprint pointer bugs; fix mdrestore superblock length
check; add 2025 LTS config
- 6.16.0: atomic write enhancements for maximum atomic write limits at
mount time; refactor log recovery infrastructure; remove experimental
warnings from xfs_scrub
- 6.13.0: comprehensive metadata directory support in xfs_repair, xfs_db,
and mkfs; realtime group support with new RT group structures; quota
inodes use metadata directory infrastructure; realtime space quotas
- 6.12.0: realtime device support in xfs_db; file range commit ioctls
with atomic write statx fields; modernize perag lookup to xarray;
require -std=gnu11 for compilation
Add test.sh to verify xfs-mkfs and xfs-fsck report the correct version
and xfs-admin/xfs-growfs produce expected help output.
Signed-off-by: Alexandru Ardelean <redacted>
Alexandru Ardelean [Wed, 22 Apr 2026 09:30:00 +0000 (12:30 +0300)]
cifs-utils: update to 7.5
Update from 6.11 to 7.5. Notable changes across releases:
- 7.5: fix cifscreds command-line option parsing and ambiguous command
matching; documentation updates for echo_interval parameter
- 7.4: retry logic for -EINPROGRESS errors during mount operations;
improved handling for multiple IP address resolution scenarios
- 7.3: fix guest mount option handling; prevent empty password
parameters from being passed to the SMB client
- 7.2: improve return code checking in getcifsacl; better handling of
permission-related errors across different kernel versions
- 7.1: add upcall_target mount option for namespace resolution; enable
credential lookups in host or application namespace (e.g., Kubernetes)
- 7.0: migrate files to /usr per DEP17 M2 standard
- 6.15: fix CVE-2022-27239 (stack buffer overflow in ip= argument
parsing) and CVE-2022-29869 (info leak in verbose logging)
Add libtalloc dependency to cifsmount.
Add test.sh to verify mount.cifs and smbinfo report the correct version.
Signed-off-by: Alexandru Ardelean <redacted>
Paul Donald [Tue, 21 Apr 2026 14:10:02 +0000 (16:10 +0200)]
ocserv: bump to v1.4.1
* Version 1.4.1 (released 2026-02-28)
- [SECURITY] Fixed authentication bypass (medium severity) when using
certificate authentication with cert-user-oid set to SAN(rfc822name):
a client presenting a valid CA-signed certificate without the expected
RFC822 SAN field could authenticate using password credentials alone,
bypassing the intended certificate-to-username binding. Requires the
attacker to possess both a valid CA-signed certificate and valid user
credentials (694)
- The bundled inih was updated to r62.
- The bundled protobuf-c was updated to 1.5.2.
- Fixed a bug where session timeout could be bypassed by reconnecting
(e.g., closing/opening laptop lid) (599)
- occtl: 'show user' command now includes a 'Session started at:' field,
indicating when the VPN session was established
- occtl: Fix column misalignment in ban command outputs
- occtl: Fix 'show ip bans' may produce invalid JSON (683)
- Handle dotted client hostnames (e.g., .local) by stripping the domain suffix
- Renamed `min-reauth-time` configuration option to `ban-time` to better reflect
its purpose (676). This option defines the duration (in seconds) for which
an IP address is banned after exceeding the maximum allowed `max-ban-score`.
Default is 300 seconds (5 minutes).
- Fixed ocserv-worker process title
- Fixed ignored udp-port in vhost (612)
* Version 1.4.0 (released 2026-01-04)
- The bundled llhttp was updated to 9.3.0.
- The bundled protobuf-c was updated to 1.5.1.
- Fixed issues with PAM authentication when combined with pam_sssd (618)
- Enhanced the seccomp filters to address issue in testing (627)
- Fixed "unexpected URL" errors for Cisco AnyConnect clients
- Fixed the 'ping-leases' option, which was broken since version 1.1.1
- Fixed maximum MTU tracking in server statistics
- Fixed 'iroute' option processing to handle multiple routes (625)
- Fixed session accounting for roaming users (674)
- occtl: fix invalid JSON output in `occtl -j show iroutes` (661)
- occtl: fix regression with trailing commas in `occtl -j show sessions` (669)
- occtl: fix missing column headers in 'show ip bans' output (677)
- occtl: 'show ip bans' no longer shows expired bans (675)
- Fixed DTLS not working with systemd socket activation (647)
- Fixed a bug in the ban timer logic that could prevent IP addresses
from being banned or cause premature unbans (678)
- Session statistics are now reported at consistent intervals
for RADIUS compatibility (630)
- Single form to enter username and password (551)
Signed-off-by: Paul Donald <redacted>
Rosen Penev [Wed, 6 May 2026 03:37:46 +0000 (20:37 -0700)]
afalg_engine: remove
Because AI bots are shredding through the AF_ALG code in the kernel,
upstream has decided to deprecate AF_ALG:
https://lore.kernel.org/all/20260430011544.31823-1-ebiggers@kernel.org/
Follow their lead and do the same here.
afalg_engine AFAIK is a faster version of what OpenSSL provides last
time I used it. Although I don't think it was useful for long. OpenSSH's
sandbox conflicts with AF_ALG.
Signed-off-by: Rosen Penev <redacted>
Alexandru Ardelean [Fri, 1 May 2026 19:17:24 +0000 (22:17 +0300)]
prosody: fix build, bump to 0.12.6 and add test.sh
mod_s2s was refactored into a single mod_s2s.lua in the flat modules
directory in 0.12.x; remove the obsolete subdirectory install rule that
caused the package build to fail.
Also add util/human/ and util/prosodyctl/ which are new subdirectories
in 0.12.x not covered by the previous install rules.
Force libidn instead of ICU for stringprep
prosody's configure script auto-detects stringprep backends and prefers
ICU when available, generating -DUSE_STRINGPREP_ICU and including
<unicode/usprep.h>. The OpenWrt SDK staging directory does not provide
ICU development headers, so the build fails with:
encodings.c:271:10: fatal error: unicode/usprep.h: No such file or directory
The Makefile DEPENDS already declares +libidn. Pass --with-idn=idn to
explicitly select the libidn backend, which is available in the staging
directory.
Also, pass TARGET="../util/" to MAKE_FLAGS. OpenWrt has its own TARGET
env var which clobbers the 'TARGET' var from prosody's build (specified
as 'TARGET?=../util/')
Adding a test.sh to check for the correct version (since prosody mostly
has lua scripts).
Security release addressing multiple vulnerabilities. 0.12.6 is
likely the last release of the 0.12.x series (EOL June 2026).
Upstream advisory: https://prosody.im/security/
Signed-off-by: Alexandru Ardelean <redacted>