chore: update dependencies

[renovate]

Update Request | Renovate Bot

This PR contains the following updates:

Package	Update	Change
PCRE2Project/pcre2	minor	10.44 -> 10.45
SELinuxProject/selinux	minor	3.7 -> 3.8
git://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git	minor	6.11.0 -> 6.12.0
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git	patch	6.12.11 -> 6.12.12
https://github.com/ipxe/ipxe.git	digest	cc38d7d -> 77cc3ed
https://gitlab.com/apparmor/apparmor.git	major	v3.1.7 -> v4.0.3
seccomp/libseccomp	minor	2.5.5 -> 2.6.0
siderolabs/bldr	patch	v0.4.0-1-g76a2c8f -> v0.4.0

---

Release Notes

PCRE2Project/pcre2 (PCRE2Project/pcre2)

v10.45

Compare Source

1. (#​418) Change 6 of 10.44 broke 32-bit tests because pcre2test's reporting of
   memory size was changed to the entire compiled data block, instead of just the
   pattern and tables data, so as to align with the new length restriction.
   Because the block's header contains pointers, this meant the pcre2test output
   was different in 32-bit mode. A patch by Carlo reverts to the previous state
   and makes sure that any limit set by pcre2_set_max_pattern_compiled_length()
   also avoids the internal struct overhead.

2. (#​416, #​622) Updates to build.zig.

3. (#​427, et al.) Various fixes to pacify static analyzers.

4. (#​428) Add --posix-pattern-file to pcre2grep to allow processing of empty
   patterns through the -f option, as well as patterns that end in space
   characters, for compatibility with other grep tools.

5. (4fa5b8b) Fix a bug in the fuzz support quantifier-limiting code. It ignores
   strings of more than 5 digits because they are necessarily numbers greater than
   65535, the largest legal quantifier. However, it wasn't ignoring non-significant
   leading zeros.

6. (6d82f0c) The case-independent processing of the letter-matching Unicode
   properties Ll, Lt, and Lu have been changed to match Perl (which changed a while
   ago). When caseless matching is in force, all three of these properties are now
   treated as Lc (cased letter).

7. (#​433) The pcre2_jit_compile() function was updated by the addition of a new
   option PCRE2_JIT_TEST_ALLOC which, if called with a NULL first argument, tests
   not only the availability of JIT, but also its ability to allocate executable
   memory. Update pcre2test to use this support to extend the -C option.

8. (75b1025) The code for parsing Unicode property descriptions for \p and \P
   been changed as follows:

. White space etc. before ^ in a negated value such as \p{ ^L } was not being
ignored.

. The code wouldn't have worked if PCRE2 was compiled for UTF-8 support
within an EBCDIC environment. Possibly nobody does this any more, but it
should now work.

. The documentation of the syntax of what can follow \p and \P has been
updated.

9. (1c24ba0) There was an error in the table of lengths for parsed items for
   the OPTIONS item, but fortuitously it could never have actually bitten. While
   fixing this, some other code that could never be obeyed was discovered and
   removed.

10. (674b664) Removed some incorect optimization code from DFA matching that
    has been there since PCRE1, but has just been found to cause a no match return
    instead of a partial match in some cases. It involves partial matching when (*F)
    is present so is unlikely to have actually affected anyone.

11. (b0f4ac1) Tidy the wording and formatting of some pcre2test error messages
    concerned with bad modifiers. Also restrict single-letter modifier sequences to
    the first item in a modifier list, as documented and always intended.

12. (1415565) An iterator at the end of many assertions can always be
    auto-possessified, but not at the end of variable-length lookbehinds. There was
    a bug in the code that checks for such a lookbehind; it was looking only at the
    first branch, which is wrong because some branches can be fixed length when
    others are not, for example (?<=AB|CD?). Now all branches are checked for
    variability.

13. (ead0828) Matching with pcre2_match() could give an incorrect result if a
    variable-length lookbehind was used as the condition in a conditional group.
    The condition could erroneously be treated as true if a branch matched but
    overran the current position. This bug was in the interpreter only; matching
    with JIT was correct.

14. (#​443) Split out the sljit sub-project into a "Git submodule". Git users
    must now run git submodule init; git submodule update after a Git checkout, or
    the build will fail due to missing files in deps/sljit.

15. (#​441) Add a new error code (PCRE2_ERROR_JIT_UNSUPPORTED) which is yielded
    for unsupported jit features.

16. (#​444) Fix bug in 'first code unit' and 'last code unit' optimization
    combined with lookahead assertions.

17. (#​445, #​447, #​449, #​451, #​452, #​459, #​563) Add a new feature called scan
    substring. This feature is a new type of assertion which matches the content of
    a capturing block to a sub-pattern.

18. (#​450) Improvements to 'first code unit' / 'starting code units'
    optimisation.

19. (#​455) Many, many improvements to the JIT compiler.

20. Item 43 of 10.43 was incomplete because it addressed only \z and not \Z,
    which was still misbehaving when matching fragments inside invalid UTF strings.

21. (d29e729) Octal escapes of the form \045 or \111 were not being recognized
    in substitution strings, and if encountered gave an error, though the \o{...}
    form was recognized. This bug is now fixed.

22. (#​463, #​487) Fix 1 byte out-of-bounds read when parsing malformed limits
    (e.g. LIMIT_HEAP)

23. Many improvements to test infrastructure. Many more platforms and
    configurations are now run in Continuous Integration, and all the platforms now
    run the full test suite, rather than a partial subset.

24. (#​475) Implement title casing in substitution strings using Perl syntax.

25. (#​478, #​504) Disallow \x if not followed by { or a hex digit.

26. (#​473) Implements Python-style backrefs in substitutions.

27. (#​472) Fix error reporting for certain over-large octal escapes.

28. (#​482) Fix parsing of named captures in replacement strings, allowing
    non-ASCII capture names to be used.

29. (#​477, #​474, #​488, #​494, #​496, #​506, #​508, #​511, #​518, #​524, #​540) Many
    improvements to parsing and optimising of character classes.

30. (#​483, #​498) Add support for \g and $ to replacement strings.

31. (#​470) Add option flags PCRE2_EXTRA_NO_BS0 and PCRE2_EXTRA_PYTHON_OCTAL.

32. (#​471) Add new API function pcre2_set_optimize() for controlling which
    optimizations are enabled.

33. (#​491) Adds $&amp; $` $' and $_ to substitution replacements, as well as
    interpreting \b and \v as characters.

34. (#​499) Add option PCRE2_EXTRA_NEVER_CALLOUT to disable callouts.

35. (#​503, #​513) Update Unicode support to UCD 16.

36. (#​512, #​618, #​638) Add new function pcre2_set_substitute_case_callout() to
    allow clients to provide a custom callback with locale-aware case
    transformation.

37. (#​516) Fix case-insensitive matching of backreferences when using the
    PCRE2_EXTRA_CASELESS_RESTRICT option.

38. (#​519) In pcre2grep, add $& as an alias for $0

39. (c9bf833, #​534) Updated perltest.sh to enable locale setting.

40. (#​521) Add support for Turkish I casefolding, using new options
    PCRE2_EXTRA_TURKISH_CASING, and added pre-pattern flags (*TURKISH_CASING) and
    (*CASELESS_RESTRICT).

41. (#​523, #​546, #​547) Add support for UTS#18 compatible character classes,
    using the new option PCRE2_ALT_EXTENDED_CLASS. This adds '[' as a metacharacter
    within character classes and the operators '&&', '--' and '~~', allowing
    subtractions and intersections of character classes to be easily expressed.

42. (#​553, #​586, #​596, #​597) Add support for Perl-style extended character
    classes, using the syntax (?[...]). This also allows expressing subtractions and
    intersections of character classes, but using a different syntax to UTS#18.

43. (#​554) Fixed a bug in JIT affecting greedy bounded repeats. The upper limit
    of repeats inside a repeated bracket might be incorrectly checked.

44. (#​556) Fixed a bug in JIT affecting caseful matching of backreferences. When
    utf is disabled, and dupnames is enabled, caseless matching was used even
    if caseful matching was needed.

45. (f34fc0a) Fixed a bug in pcre2grep reported by Alejandro Colomar
    [email protected] (GitHub issue #​577). In certain cases, when lines of above and
    below context were contiguous, a separator line was incorrectly being inserted.

46. (#​594) Fix a small (one/two byte) out-of-bounds read on invalid UTF-8 input
    in pcre2grep.

47. (#​370) Fix the INSTALL_MSVC_PDB CMake flag.

48. (#​366) Install cmake files in prefix/lib/cmake/pcre2 rather than
    prefix/cmake. The new CMake flag PCRE2_INSTALL_CMAKEDIR allows customising this
    location.

49. (#​624, #​626, #​628, #​632, #​639, #​641) Reduce code size of generated JIT code
    for repeated character classes.

50. (#​623) Update the Bazel build files.

SELinuxProject/selinux (SELinuxProject/selinux)

v3.8: SELinux userspace release 3.8

Compare Source

RELEASE 3.8

Important change:

The internal representation of file_contexts.*.bin files is completely
rewritten and new format stores all multi-byte data in network
byte-order, so that such compiled files can be cross-compiled,
e.g. for embedded devices with read-only filesystems.

User-visible changes

• libsemanage: Preserve file context and ownership in policy store

• libselinux: deprecate security_disable(3)

• libsepol: Support nlmsg extended permissions

• libsepol: Add policy capability netlink_xperm

• libsemanage: Optionally allow duplicate declarations

• policycoreutils: introduce unsetfiles

• libselinux/utils: introduce selabel_compare

• improved selabel_lookup performance

• libselinux: support parallel usage of selabel_lookup(3)

• libsepol: add support for xperms in conditional policies

• Improved man pages

• Code improvements and bug fixes

• Always build for LFS mode on 32-bit archs.

• libsemanage: Mute error messages from selinux_restorecon introduced in 3.8-rc1

• Regex spec ordering is restored to pre 3.8-rc1

• Binary fcontext files format changed, files using old format are ignored

• Code improvements and bug fixes

apparmor/apparmor (https://gitlab.com/apparmor/apparmor.git)

v4.0.3: AppArmor 4.0.3

Compare Source

AppArmor 4.0.3 is a bug fix release of the user space components of the AppArmor security project. The kernel portion of the project is maintained and pushed separately.

This version of the userspace should work with all kernel versions from 2.6.15 and later (some earlier version of the kernel if they have the apparmor patches applied).

Obtaining the Release

There are two ways to obtain this release either through gitlab or a tarball in launchpad.

Important note: the gitlab release tarballs differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:

• libapparmor autogen.sh is already done, meaning distros only need to use ./configure in their build setup
• the docs for everything but libapparmor have already been built

gitlab

• https://gitlab.com/apparmor/apparmor/-/releases/v4.0.3

v4.0.2: AppArmor 4.0.2

Compare Source

AppArmor 4.0.2 is a bug fix release of the user space components of the AppArmor security project. The kernel portion of the project is maintained and pushed separately.

This version of the userspace should work with all kernel versions from
2.6.15 and later (some earlier version of the kernel if they have the
apparmor patches applied).

Important Note

AppArmor 4.0.2 does not address interactions between the bwrap_userns_restrict and flatpak profiles. The bwrap profile is not enabled by default, if enabled the flatpak profile needs to be updated.

Obtaining the Release

There are two ways to obtain this release either through gitlab or a tarball in launchpad.

Important note: the gitlab release tarballs differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:

• libapparmor autogen.sh is already done, meaning distros only need to use ./configure in their build setup
• the docs for everything but libapparmor have already been built

gitlab

• https://gitlab.com/apparmor/apparmor/-/releases/v4.0.2

v4.0.1: AppArmor 4.0

Compare Source

AppArmor 4.0 is a major new release of the AppArmor that is in development.

Apprmor 4.0 is a bridge release between older AppArmor 3.x policy and the newer AppArmor 4 style policy which introduces several new features that are not backwards compatible. As such AppArmor 4.0 will be a short lived release, and will not receive long term support. The following AppArmor 4.1 feature release is planned to be a regular release, please take this into account when including AppArmor 4.0 into a distro release. For questions around compatibility see the compatibility matrix.

Note

• Some features will work with older kernels but many of the features in apparmor 4 with require a development kernel.
• The kernel portion of the project is maintained and pushed separately.
• AppArmor 4.0 contains all bug fixes and policy updates from apparmor 3.1
• Some new features will not be fully supported in some utilities. In these cases it was decided that releasing a new feature earlier had more benefit than delaying it for full utility support. Please see the feature support matrix.

Obtaining the Release

There are two ways to obtain this release either through gitlab or a tarball in launchpad.

Important note: the gitlab release tarballs differ from the launchpad release tarballs. The launchpad release tarball has a couple processing steps already performed:

• libapparmor autogen.sh is already done, meaning distros only need to use ./configure in their build setup
• the docs for everything but libapparmor have already been built

gitlab

• https://gitlab.com/apparmor/apparmor/-/releases/v4.0.1

v4.0.0

Compare Source

seccomp/libseccomp (seccomp/libseccomp)

v2.6.0: libseccomp v2.6.0

Compare Source

ChangeLog

• Version 2.6.0 - January 23, 2025
  • New features
    • Add support for new architectures
      • SuperH little endian
      • SuperH big endian
      • LoongArch
      • 32-bit Motorola 68000
    • Add multiplexed syscall support for more architectures
      • MIPS
      • SuperH
      • PPC
    • Consolidate and simplify handling of multiplexed syscalls
    • Add support for the SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV flag
    • Add support for transactions with the seccomp_transaction_start(), seccomp_transaction_commit(), and seccomp_transaction_reject() APIs
    • Improved tooling to help track syscall table updates in the Linux kernel
    • Update the syscall table for Linux v6.13
  • Performance improvements
    • Add a seccomp_precompute() API to generate the seccomp BPF filter prior to seccomp_load() or seccomp_export_bpf_mem()
  • Bug fixes
    • Handle EINVAL error from the kernel when the WAIT_KILLABLE_RECV flag is erroneously provided to the kernel
    • Add support for binary tree filters without syscalls
    • Add support for the kernel’s implementation change of SECCOMP_IOCTL_NOTIF_ID_VALID
    • Fix a seccomp userspace notification issue where the file descriptor was being requested more than once
    • Fix a bug where the internal filter state could be corrupted when a filter rule addition fails
    • Fix potential memory leak in the internal management of filter snapshots
  • Python bindings
    • Add support for retrieving the notification file descriptor
    • Utilize Cython rather than distutils, due to distutils’ deprecation
  • Many test and CI improvements and fixes
  • Many documentation improvements and updates

Checksum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

83b6085232d1588c379dc9b9cae47bb37407cf262e6e74993c61ba72d2a784dc  libseccomp-2.6.0.tar.gz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmeS4dkACgkQ6iDy2pc3
iXNA2g/+KfaAHm8Uc+HAxHXcDUhw2XB4KQVZvRzLboiBcJu1N0N3ZM9NAtBlB/3Y
b/tOv3PfrTxij4a93Tgt81rOFNha9Ditq3CI/2wDeunNJR2hSZEELyg+S+7x2eyl
6oixUbpWw3nSgaoYyAjqXy7GBCL0k1PibNzVFlHp2SOWZp979nhhhTdNUZAs6hjQ
sMFrEo7lU5HSqDCEJU88K2pKSSCwNMIDJrg9qmd47JOfmSHXTbhMzUPwGyBpVfgB
LYcw4auZUSpYxEBJj97NaXtuW2Bqqu0zBsVBC9bAOF5BbokXCV2jaKzMv6X1e5jI
CpHMBKjLHu8pZKjtSdLagNN6u6Y16tsQQ0TdvBkK5h2WWGVdagB3kj/pcIUqd/gC
po6w5HP0y3MPmy3I7ZbVMYMTTJFCli/d3zEEnKyktfAbhqDZ45zspg/7+LXlh1/x
zNc1CjwRj9ceouU2dvXFmVyEB645abLarDDqizzxnZYANozLJ3acJoBp1I7msaxy
1kmzyoRYroiuZeIlIEht+fnthesE5/x5ZPaugcAIT/oPxtxU1n/08C6rXYZWIL5N
u+NBUfqgsDMEN16bNv4On5siATWes5VVLbvFeOnM2pDdbfBlK2cRgP+1+aCAtokV
i6cl9bjvPqqWgJ518CYraHiLeH5gqqAtzhFy9rDtCJAF7sFZM0k=
=pDHk
-----END PGP SIGNATURE-----

v2.5.6: libseccomp v2.5.6

Compare Source

ChangeLog

• Version 2.5.6 - January 24, 2025
  • Update the syscall table for Linux v6.13
  • Fix a bug where the internal filter state could be corrupted when a filter rule addition fails
  • Fix potential memory leak in the internal management of filter snapshots

Checksum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

04c37d72965dce218a0c94519b056e1775cf786b5260ee2b7992956c4ee38633  libseccomp-2.5.6.tar.gz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEER6aPzjfH1wJP1l4RNWzmLCtSQJkFAmeT8VQACgkQNWzmLCtS
QJn3wA//Q2LtBcCf1HGYM6EOIc8ZeNrmYplNBdWlrlo77J8XvqJykwaaYWGYheDp
jHmxD7Ay/yV0Ofv8f9clqLcUCOSAGlMkt8RSiQf31G2v6lTqPdZvEX7h908w2Tw+
EKyXRiFxfaNRkzqO5Rle/deBkl0VnuJJE7pIYYkCdITBaUc1/tn1mxdcvjf0m/en
i7HSN025PoPPVWPM10nOZv33/BkmiR6TTe5HVVMqpE8uBYdJtDifk9YfY70mEaRA
665ZKRGh/Nt99dPZl40PUpoOHK+K+ssJyW6ouGRRy4mC6EGh92B+pLkLqYGL1+f+
PzazZyk2oF8C3yXaErBYqQl8tJBuTrauJv9S//ppqcyXzXN4JSX85mHbcLODWsos
1iWaWxA3HiadX7gO+rpKLcXy5bQpbmviF2L+OXzWcWsni4Sg2tbOTIZ4y6lKBGqe
ddXvDUGrQQoYVlHzFlouv4cxBZTInt7W12xKfxKe2WmRIH1JkCtzxTwDwaM8w0zL
9ilRgvbXbgOOrXiZjvWRCvnQTKKxGdfpcbdyj7UZeK1jwuvuX2XUa1XDY9HtkI1t
DtVOJhR9ODLe6VGROB4km2JrY2tSblayX0MMqLPpiO838zhRh8QLJmqaupPoaEtu
HBsz/pf94tud7h/KW5vZjzgq1BXENSje99GaoWqfkHVBNCVincA=
=GNPp
-----END PGP SIGNATURE-----

siderolabs/bldr (siderolabs/bldr)

v0.4.0

Compare Source

bldr 0.4.0 (2025-01-31)

Welcome to the v0.4.0 release of bldr!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/bldr/issues.

Contributors

• Andrey Smirnov
• Dmitriy Matrenichev
• Noel Georgi

Changes

7 commits

• 62ed470 release(v0.4.0): prepare release
• 4a79aeb feat: make variant in pkg.yaml explicit
• d978bcc fix: drop TOOLCHAIN from std vars
• 66b078d fix: drop alpine for md5sum step
• 24a37b0 feat: implement support for network mode
• 40ad501 chore: rekres to simplify .kres.yaml defaults
• 73fad60 chore: bump deps

Changes from siderolabs/gen

4 commits

• 5ae3afe chore: update hashtriemap implementation from the latest upstream
• e847d2a chore: add more utilities to xiter
• f3c5a2b chore: add Empty and Empty2 iterators
• c53b90b chore: add packages xiter/xstrings/xbytes

Dependency Changes

• github.com/Masterminds/sprig/v3 v3.2.3 -> v3.3.0
• github.com/containerd/platforms v0.2.1 -> v1.0.0-rc.1
• github.com/emicklei/dot v1.6.2 -> v1.6.4
• github.com/google/go-github/v67 v67.0.0 new
• github.com/moby/buildkit v0.15.1 -> v0.19.0
• github.com/otiai10/copy v1.14.0 -> v1.14.1
• github.com/siderolabs/gen v0.5.0 -> v0.8.0
• github.com/stretchr/testify v1.9.0 -> v1.10.0
• golang.org/x/oauth2 v0.22.0 -> v0.25.0
• golang.org/x/sync v0.8.0 -> v0.10.0

Previous release can be found at v0.3.2

---

Configuration

📅 Schedule: Branch creation - "* 0-3 * * 1" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.