nginx-1.29.6 mainline version has been released, featuring sticky sessions support for upstreams.

Postfix stable release 3.11.0

[A hyperlinked version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.11.0.html]

Postfix stable release 3.11.0 is available. Postfix 3.7 - 3.10 were updated a few weeks ago; after that, Postfix 3.7 will no longer be updated.

The main changes are below. See the RELEASE_NOTES file for further details.

Berkeley DB migration:

• Some (Linux) distributions are removing support for BerkeleyDB databases (In Postfix, this means we lose support for the hash: and btree: lookup tables). See NON_BERKELEYDB_README for manual and partially automatic migration from btree: to lmdb:, and from hash: to lmdb: or cdb:.

• The loss of BerkeleyDB affects Mailman versions that want to execute commands like "postmap hash:/path/to/file" when a mailing list is added or removed. Postfix provides a way to redirect such commands to a supported database type.

• You don't have to wait until BerkeleyDB support is removed. It can make sense to migrate while BerkeleyDB support is still available (mainly, less downtime).

Changes in TLS support:

• Default TLS security. The Postfix SMTP client smtp_tls_security_level default value is "may" if Postfix was built with TLS support, and the compatibility_level is 3.11 or higher.

• Support for the RFC 8689 "REQUIRETLS" verb in ESMTP. This requires that every SMTP (and LMTP) server in the forward path is strongly authenticated with DANE, STS, or equivalent, and that every server announces REQUIRETLS support.

  See REQUIRETLS_README for suggestions to carefully enforce REQUIRETLS without causing massive mail delivery problems.

• Logging the TLS security level. This shows the desired and actual TLS security level enforcement status and, if a message requests REQUIRETLS, the REQUIRETLS policy enforcement status. For a list of examples see smtp_log_tls_feature_status

• Workaround for an interface mismatch between the Postfix SMTP client and MTA-STS policy plugins. This introduces a new parameter smtp_tls_enforce_sts_mx_patterns (default: "yes"). The MTA-STS plugin configuration needs to enable TLSRPT support, so that it forwards STS policy attributes to Postfix. Both postfix-tlspol and postfix-mta-sts-resolver have been updated accordingly.

  With this, the Postfix SMTP client will connect to an MX host only if its name matches any STS policy MX host pattern, and will match a server certificate against the MX hostname. Otherwise, the old behavior stays in effect: connect to any MX host listed in DNS, and match a server certificate against any STS policy MX host pattern.

• Post-quantum cryptography support. With OpenSSL 3.5 and later, change the tls_eecdh_auto_curves default value to avoid problems with network infrastructure that mishandles TLS hello messages larger than one (Ethernet) TCP segment. This problem is more generally known as "protocol ossification".

Miscellaneous changes:

• Deprecation of obsolete parameters. Postfix programs log a warning that these parameters will be removed. See DEPRECATION_README for a list of deprecated parameters.

• JSON output support with "postconf -j|-jM|-jF|-jP", "postalias -jq|-js", "postmap -jq|-js", and "postmulti -jl". No support is planned for JSON input support.

• Milter support: improved Milter error handling for messages that arrive over a long-lived SMTP connection, by changing the default milter_default_action from "tempfail" to the new "shutdown" action (i.e. disconnect the remote SMTP client). This was already back-ported to earlier stable releases.

There are more changes; see RELEASE_NOTES for those.

You can find the Postfix source code at the mirrors listed at https://www.postfix.org/.

VIENNA, Austria – March 04, 2026 – Enterprise software developer Proxmox Server Solutions (henceforth "Proxmox"), today announced that NAKIVO is offering native, agentless backup support for Proxmox Virtual Environment (VE) and is now officially a Proxmox solution provider. This strategic partnership provides a seamless, enterprise-grade data protection path for organizations transitioning to open-source infrastructure.

NAKIVO Backup & Replication is a comprehensive data protection solution that provides backup, instant recovery, ransomware protection and disaster recovery for a wide range of physical, virtual, cloud, SaaS and hybrid environments via a single web-based interface. This all-in-one approach helps organizations centrally manage protection tasks, maintain visibility across platforms and quickly recover workloads during outages or ransomware incidents.

Short Quote NAKIVO:

“Our integration with Proxmox VE is a direct response to the community’s need for a reliable, enterprise-grade data protection solution that matches the flexibility of their hypervisor. Our focus, as always, remains on delivering a reliable backup solution that streamlines data protection and helps achieve robust cyber resilience and rapid recovery for all environments,” Bruce Talley, CEO of NAKIVO.

Short Quote Proxmox:

“Our goal is to provide a virtualization platform that is both powerful and inherently open,” said Tim Marx, COO of Proxmox. “By fostering native integrations with leaders like NAKIVO, we give our customers the flexibility to choose the best-in-class tools they need to secure their data. This collaboration reinforces Proxmox VE as a mature, enterprise-grade ecosystem that is ready for the most demanding environments.”

Availability

The NAKIVO Backup & Replication integration is available immediately for all Proxmox VE users. For more information, please visit https://www.nakivo.com/proxmox-backup/

###

About NAKIVO
NAKIVO is a US-based software vendor dedicated to delivering a reliable backup, ransomware protection and disaster recovery solution for virtual, physical, cloud, SaaS and mixed environments. Over 16,000 customers in 191 countries trust NAKIVO with protecting their data, including major companies like Coca-Cola, Honda, Siemens and Cisco. Learn more: https://www.nakivo.com

About Proxmox Server Solutions
Proxmox provides powerful and user-friendly open-source server software. Enterprises of all sizes and industries use the Proxmox solutions to deploy efficient and simplified IT infrastructures, minimize total cost of ownership, and avoid vendor lock-in. Proxmox also offers commercial support, training services, and an extensive partner ecosystem to ensure business continuity for its customers. Proxmox Server Solutions GmbH was established in 2005 and is headquartered in Vienna, Austria. Learn more: https://www.proxmox.com

Contact: Daniela Häsler, Proxmox Server Solutions GmbH, marketing@proxmox.com

njs-0.9.6 version has been released, featuring optional chaining, nullish coalescing assignment (??=), and logical assignment operators (||= and &&=).

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.3, 17.9, 16.13, 15.17, and 14.22. This is an out-of-cycle release that fixes several regressions reported after the last update release.

For the full list of changes, please review the release notes.

Bug Fixes and Improvements

This update fixes several bugs that were reported since the previous release. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

• Fix issue where a standby would halt and return an error "could not access status of transaction".
• Fix error where the substring() function would raise an error "invalid byte sequence for encoding" on non-ASCII text values if the source of that value is a database column. This was due to a change introduced for the fix to CVE-2026-2006.
• Fix for the strict_word_similarity function in pg_trgm that could lead to incorrect output or crashes. This was due to an oversight in the fix for CVE-2026-2007.
• Fix function volatility for json_strip_nulls() and jsonb_strip_nulls() to be immutable, like previous releases, allowing for them to be used in indexes. If you previously upgraded to PostgreSQL 18.0 through 18.2, see the additional steps in the "Updating" section.
• Fix for NOT NULL tests in LATERAL UNION ALL subquery that could lead to wrong query output.
• Avoid NOT NULL constraints from generating name conflicts with user-written constraints.
• Fix pg_stat_get_backend_wait_event() and pg_stat_get_backend_wait_event_type() to report values for auxiliary processes, similar to pg_stat_activity.
• Fix casting a composite-type variable to a domain type when returning its value from a PL/pgSQL function.
• Fix the hstore binary input function to avoid crashes on input with duplicate keys.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

If you previously upgraded to PostgreSQL 18.0, 18.1 or 18.2, you need to execute the following SQL as a PostgreSQL superuser in all of your databases to make the json_strip_nulls() and jsonb_strip_nulls() functions immutable:

UPDATE pg_catalog.pg_proc SET provolatile = 'i' WHERE oid IN ('3261','3262');

You should also execute this command in the template0 and template1 databases so future databases you create in your PostgreSQL cluster have the correct function volatility setting. Please see the documentation on template databases for more information.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

• Download
• Release Notes
• Security
• Versioning Policy
• Submit a Bug
• Donate

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.

The Asterisk Development Team would like to announce
the release of Certified asterisk-22.8-cert1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-22.8-cert1
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-22.8-cert1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-22.8-cert1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 853
• Commit Authors: 110
• Issues Resolved: 590
• Security Advisories Resolved: 13

The Asterisk Development Team would like to announce
release candidate 1 of Certified asterisk-22.8-cert1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-22.8-cert1-rc1
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-22.8-cert1-rc1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-22.8-cert1-rc1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 853
• Commit Authors: 110
• Issues Resolved: 590
• Security Advisories Resolved: 13
  • GHSA-2grh-7mhv-fcfw: Using malformed From header can forge identity with ";" or NULL in name portion
  • GHSA-33x6-fj46-6rfh: Path traversal via AMI ListCategories allows access to outside files
  • GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
  • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-c4cg-9275-6w44: Write=originate, is sufficient permissions for code execution / System() dialplan
  • GHSA-c7p6-7mvq-8jq2: cli_permissions.conf: deny option does not work for disallowing shell commands
  • GHSA-hxj9-xwr8-w8pq: Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation
  • GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
  • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • GHSA-v428-g3cw-7hv9: A malformed Contact or Record-Route URI in an incoming SIP request can cause Asterisk to crash when res_resolver_unbound is used
  • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.
  • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

• ast_coredumper: check ast_debug_tools.conf permissions

  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.

• chan_websocket.conf.sample: Fix category name.

  The category name in the chan_websocket.conf.sample file was
  incorrect. It should be "global" instead of "general".

• cli.c: Allow 'channel request hangup' to accept patterns.

  The 'channel request hangup' CLI command now accepts
  multiple channel names, POSIX Extended Regular Expressions, glob-like
  patterns, or a combination of all of them. See the CLI command 'core
  show help channel request hangup' for full details.

• res_sorcery_memory_cache: Reduce cache lock time for sorcery memory cache populate command

  The AMI command sorcery memory cache populate will now
  return an error if there is an internal error performing the populate.
  The CLI command will display an error in this case as well.

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: Two new optional profile parameters have been added.

  • pidf_element_id which sets the value of the id attribute on the top-level
    PIDF-LO device, person or tuple elements.
  • device_id which sets the content of the <deviceID> element.
    Both parameters can include channel variables.

• res_pjsip_messaging: Add support for following 3xx redirects

  A new pjsip endpoint option follow_redirect_methods was added.
  This option is a comma-delimited, case-insensitive list of SIP methods
  for which SIP 3XX redirect responses are followed. An alembic upgrade
  script has been added for adding this new option to the Asterisk
  database.

• taskprocessors: Improve logging and add new cli options

  New CLI command has been added -
  core show taskprocessor name

• ccss: Add option to ccss.conf to globally disable it.

  A new "enabled" parameter has been added to ccss.conf. It defaults
  to "yes" to preserve backwards compatibility but CCSS is rarely used so
  setting "enabled = no" in the "general" section can save some unneeded channel
  locking operations and log message spam. Disabling ccss will also prevent
  the func_callcompletion and chan_dahdi modules from loading.

• Makefile: Add module-list-* targets.

  Try "make module-list-deprecated" to see what modules
  are on their way out the door.

• app_mixmonitor: Add 's' (skip) option to delay recording.

  This change introduces a new 's()' (skip) option to the MixMonitor
  application. Example:
  MixMonitor(${UNIQUEID}.wav,s(3))
  This skips recording for the first 3 seconds before writing audio to the file.
  Existing MixMonitor behavior remains unchanged when the 's' option is not used.

• app_queue.c: Only announce to head caller if announce_to_first_user

  When announce_to_first_user is false, no announcements are played to the head caller

• res_stir_shaken: Add STIR_SHAKEN_ATTESTATION dialplan function.

  The STIR_SHAKEN_ATTESTATION dialplan function has been added
  which will allow suppressing attestation on a call-by-call basis
  regardless of the profile attached to the outgoing endpoint.

• func_channel: Allow R/W of ADSI CPE capability setting.

  CHANNEL(adsicpe) can now be read or written to change
  the channels' ADSI CPE capability setting.

• func_hangupcause.c: Add access to Reason headers via HANGUPCAUSE()

  Added a new option to HANGUPCAUSE to access additional
  information about hangup reason. Reason headers from pjsip
  could be read using 'tech_extended' cause type.

• func_math: Add DIGIT_SUM function.

  The DIGIT_SUM function can be used to return the digit sum of
  a number.

• app_sf: Add post-digit timer option to ReceiveSF.

  The 't' option for ReceiveSF now allows for a timer since
  the last digit received, in addition to the number-wide timeout.

• app_dial: Allow fractional seconds for dial timeouts.

  The answer and progress dial timeouts now have millisecond
  precision, instead of having to be whole numbers.

• chan_dahdi: Add DAHDI_CHANNEL function.

  The DAHDI_CHANNEL function allows for getting/setting
  certain properties about DAHDI channels from the dialplan.

• app_queue.c: Add new global 'log_unpause_on_reason_change'

  Add new global option 'log_unpause_on_reason_change' that
  is default disabled. When enabled cause addition of UNPAUSE event on
  every re-PAUSE with reason changed.

• pbx_builtins: Allow custom tone for WaitExten.

  The tone used while waiting for digits in WaitExten
  can now be overridden by specifying an argument for the 'd'
  option.

• res_tonedetect: Add option for TONE_DETECT detection to auto stop.

  The 'e' option for TONE_DETECT now allows detection to
  be disabled automatically once the desired number of matches have
  been fulfilled, which can help prevent race conditions in the
  dialplan, since TONE_DETECT does not need to be disabled after
  a hit.

• sorcery: Prevent duplicate objects and ensure missing objects are created on update

  Users relying on Sorcery multiple writable backends configurations
  (e.g., astdb + realtime) may now enable update_or_create_on_update_miss = yes
  in sorcery.conf to ensure missing objects are recreated after temporary backend
  failures. Default behavior remains unchanged unless explicitly enabled.

• chan_websocket: Allow additional URI parameters to be added to the outgoing URI.

  A new WebSocket channel driver option v has been added to the
  Dial application that allows you to specify additional URI parameters on
  outgoing connections. Run core show application Dial from the Asterisk CLI
  to see how to use it.

• app_chanspy: Add option to not automatically answer channel.

  ChanSpy and ExtenSpy can now be configured to not
  automatically answer the channel by using the 'N' option.

• cel: Add STREAM_BEGIN, STREAM_END and DTMF event types.

  Enabling the tracking of the
  STREAM_BEGIN and the STREAM_END event
  types in cel.conf will log media files and
  music on hold played to each channel.
  The STREAM_BEGIN event's extra field will
  contain a JSON with the file details (path,
  format and language), or the class name, in
  case of music on hold is played. The DTMF
  event's extra field will contain a JSON with
  the digit and the duration in milliseconds.

• res_srtp: Add menuselect options to enable AES_192, AES_256 and AES_GCM

  Options are now available in the menuselect "Resource Modules"
  category that allow you to enable the AES_192, AES_256 and AES_GCM
  cipher suites in res_srtp. Of course, libsrtp and OpenSSL must support
  them but modern versions do. Previously, the only way to enable them was
  to set the CFLAGS environment variable when running ./configure.
  The default setting is to disable them preserving existing behavior.

• cdr: add CANCEL dispostion in CDR

  A new CDR option "canceldispositionenabled" has been added
  that when set to true, the NO ANSWER disposition will be split into
  two dispositions: CANCEL and NO ANSWER. The default value is 'no'

• func_curl: Allow auth methods to be set.

  The httpauth field in CURLOPT now allows the authentication
  methods to be set.

• Media over Websocket Channel Driver

  A new channel driver "chan_websocket" is now available. It can
  exchange media over both inbound and outbound websockets and will both frame
  and re-time the media it receives.
  See http://s.asterisk.net/mow for more information.
  The ARI channels/externalMedia API now includes support for the

• res_stir_shaken.so: Handle X5U certificate chains.

  The STIR/SHAKEN verification process will now load a full
  certificate chain retrieved via the X5U URL instead of loading only
  the end user cert.

• res_stir_shaken: Add "ignore_sip_date_header" config option.

  A new STIR/SHAKEN verification option "ignore_sip_date_header" has
  been added that when set to true, will cause the verification process to
  not consider a missing or invalid SIP "Date" header to be a failure. This
  will make the IAT the sole "truth" for Date in the verification process.
  The option can be set in the "verification" and "profile" sections of
  stir_shaken.conf.
  Also fixed a bug in the port match logic.
  Resolves: #1251
  Resolves: #1271

• app_record: Add RECORDING_INFO function.

  The RECORDING_INFO function can now be used
  to retrieve the duration of a recording.

• app_queue: queue rules – Add support for QUEUE_RAISE_PENALTY=rN to raise penalties only for members within min/max range

  This change introduces QUEUE_RAISE_PENALTY=rN, allowing selective penalty raises
  only for members whose current penalty is within the [min_penalty, max_penalty] range.
  Members with lower or higher penalties are unaffected.
  This behavior is backward-compatible with existing queue rule configurations.

• res_odbc: cache_size option to limit the cached connections.

  New cache_size option for res_odbc to on a per class basis limit the
  number of cached connections. Please reference the sample configuration
  for details.

• res_odbc: cache_type option for res_odbc.

  When using res_odbc it should be noted that back-end
  connections to the underlying database can now be configured to re-use
  the cached connections in a round-robin manner rather than repeatedly
  re-using the same connection. This helps to keep connections alive, and
  to purge dead connections from the system, thus more dynamically
  adjusting to actual load. The downside is that one could keep too many
  connections active for a longer time resulting in resource also begin
  consumed on the database side.

• ARI Outbound Websockets

  Asterisk can now establish websocket sessions to your ARI applications
  as well as accepting websocket sessions from them.
  Full details: http://s.asterisk.net/ari-outbound-ws

• res_websocket_client: Create common utilities for websocket clients.

  A new module "res_websocket_client" and config file
  "websocket_client.conf" have been added to support several upcoming new
  capabilities that need common websocket client configuration.

• asterisk.c: Add option to restrict shell access from remote consoles.

  A new asterisk.conf option 'disable_remote_console_shell' has
  been added that, when set, will prevent remote consoles from executing
  shell commands using the '!' prefix.
  Resolves: #GHSA-c7p6-7mvq-8jq2

• sig_analog: Add Call Waiting Deluxe support.

  Call Waiting Deluxe can now be enabled for FXS channels
  by enabling its corresponding option.

• stasis/control.c: Set Hangup Cause to No Answer on Dial timeout

  A Dial timeout on POST /channels/{channelId}/dial will now result in a
  CANCEL and ChannelDestroyed with cause 19 / User alerting, no answer. Previously
  no explicit cause was set, resulting in a cause of 16 / Normal Call Clearing.

• contrib: Add systemd service and timer files for malloc trim.

  Service and timer files for systemd have been added to the
  contrib/systemd/ directory. If you are experiencing memory issues,
  install these files to have "malloc trim" periodically run on the
  system.

• Add log-caller-id-name option to log Caller ID Name in queue log

  This patch adds a global configuration option, log-caller-id-name, to queues.conf
  to control whether the Caller ID name is logged as parameter 4 when a call enters a queue.
  When log-caller-id-name=yes, the Caller ID name is included in the queue log,
  Any '|' characters in the caller ID name will be replaced with '_'.
  (provided it’s allowed by the existing log_restricted_caller_id rules).
  When log-caller-id-name=no (the default), the Caller ID name is omitted.

• asterisk.c: Add "pre-init" and "pre-module" capability to cli.conf.

  In cli.conf, you can now define startup commands that run before
  core initialization and before module initialization.

• audiosocket: added support for DTMF frames

  The AudioSocket protocol now forwards DTMF frames with
  payload type 0x03. The payload is a 1-byte ascii representing the DTMF
  digit (0-9,*,#...).

• ari/pjsip: Make it possible to control transfers through ARI

  Call transfers on the PJSIP channel can now be controlled by
  ARI. This can be enabled by using the PJSIP_TRANSFER_HANDLING(ari-only)
  dialplan function.

• sig_analog: Add Last Number Redial feature.

  Users can now redial the last number
  called if the lastnumredial setting is set to yes.
  Resolves: #437

• Add SHA-256 and SHA-512-256 as authentication digest algorithms

  The SHA-256 and SHA-512-256 algorithms are now available
  for authentication as both a UAS and a UAC.

• Upgrade bundled pjproject to 2.15.1 Resolves: #1016

  Bundled pjproject has been upgraded to 2.15.1. For more
  information visit pjproject Github page: https://github.com/pjsip/pjproject/releases/tag/2.15.1

• res_pjsip: Add new AOR option "qualify_2xx_only"

  The pjsip.conf AOR section now has a "qualify_2xx_only"
  option that can be set so that only 2XX responses to OPTIONS requests
  used to qualify a contact will mark the contact as available.

• app_queue: allow dynamically adding a queue member in paused state.

  use the p option of AddQueueMember() for paused member state.
  Optionally, use the r(reason) option to specify a custom reason for the pause.

• manager.c: Add Processed Call Count to CoreStatus output

  The current processed call count is now returned as CoreProcessedCalls from the
  CoreStatus AMI Action.

• func_curl.c: Add additional CURL options for SSL requests

  The following new configuration options are now available
  in the res_curl.conf file, and the CURL() function: 'ssl_verifyhost'
  (CURLOPT_SSL_VERIFYHOST), 'ssl_cainfo' (CURLOPT_CAINFO), 'ssl_capath'
  (CURLOPT_CAPATH), 'ssl_cert' (CURLOPT_SSLCERT), 'ssl_certtype'
  (CURLOPT_SSLCERTTYPE), 'ssl_key' (CURLOPT_SSLKEY), 'ssl_keytype',
  (CURLOPT_SSLKEYTYPE) and 'ssl_keypasswd' (CURLOPT_KEYPASSWD). See the
  libcurl documentation for more details.

• res_stir_shaken: Allow sending Identity headers for unknown TNs

  You can now set the "unknown_tn_attest_level" option
  in the attestation and/or profile objects in stir_shaken.conf to
  enable sending Identity headers for callerid TNs not explicitly
  configured.

• manager.c: Restrict ListCategories to the configuration directory.

  The ListCategories AMI action now restricts files to the
  configured configuration directory.

• res_pjsip: Add new endpoint option "suppress_moh_on_sendonly"

  The new "suppress_moh_on_sendonly" endpoint option
  can be used to prevent playing MOH back to a caller if the remote
  end sends "sendonly" or "inactive" (hold) to Asterisk in an SDP.

• app_mixmonitor: Add 'D' option for dual-channel audio.

  The MixMonitor application now has a new 'D' option which
  interleaves the recorded audio in the output frames. This allows for
  stereo recording output with one channel being the transmitted audio and
  the other being the received audio. The 't' and 't' options are
  compatible with this.

• manager.c: Restrict ModuleLoad to the configured modules directory.

  The ModuleLoad AMI action now restricts modules to the
  configured modules directory.

• manager: Enhance event filtering for performance

  You can now perform more granular filtering on events
  in manager.conf using expressions like
  eventfilter(name(Newchannel),header(Channel),method(starts_with)) = PJSIP/
  This is much more efficient than
  eventfilter = Event: Newchannel.*Channel: PJSIP/
  Full syntax guide is in configs/samples/manager.conf.sample.

• db.c: Remove limit on family/key length

  The ast_db_*() APIs have had the 253 byte limit on
  "/family/key" removed and will now accept families and keys with a
  total length of up to SQLITE_MAX_LENGTH (currently 1e9!). This
  affects the DB* dialplan applications, dialplan functions,
  manager actions and databse CLI commands. Since the
  media_cache also uses the ast_db_*() APIs, you can now store
  resources with URIs longer than 253 bytes.

• res_pjsip_notify: add dialplan application

  A new dialplan application PJSIPNotify is now available
  which can send SIP NOTIFY requests from the dialplan.
  The pjsip send notify CLI command has also been enhanced to allow
  sending NOTIFY messages to a specific channel. Syntax:
  pjsip send notify channel

• channel: Add multi-tenant identifier.

  tenantid has been added to channels. It can be read in
  dialplan via CHANNEL(tenantid), and it can be set using
  Set(CHANNEL(tenantid)=My tenant ID). In pjsip.conf, it is recommended to
  use the new tenantid option for pjsip endpoints (e.g., tenantid=My
  tenant ID) so that it will show up in Newchannel events. You can set it
  like any other channel variable using set_var in pjsip.conf as well, but
  note that this will NOT show up in Newchannel events. Tenant ID is also
  available in CDR and can be accessed with CDR(tenantid). The peer tenant
  ID can also be accessed with CDR(peertenantid). CEL includes tenant ID
  as well if it has been set.

• feat: ARI "ChannelToneDetected" event

  Setting the TONE_DETECT dialplan function on a channel
  in ARI will now cause a ChannelToneDetected ARI event to be raised
  when the specified tone is detected.

• res_pjsip_config_wizard.c: Refactor load process

  The res_pjsip_config_wizard.so module can now be reloaded.

• app_voicemail_odbc: Allow audio to be kept on disk

  This commit adds a new voicemail.conf option
  'odbc_audio_on_disk' which when set causes the ODBC variant of
  app_voicemail_odbc to leave the message and greeting audio files
  on disk and only store the message metadata in the database.
  Much more information can be found in the voicemail.conf.sample
  file.

• app_queue: Add option to not log Restricted Caller ID to queue_log

  Add a Queue option log-restricted-caller-id to control whether the Restricted Caller ID
  will be stored in the queue log.
  If log-restricted-caller-id=no then the Caller ID will be stripped if the Caller ID is restricted.

• pbx.c: expand fields width of "core show hints"

  The fields width of "core show hints" were increased.
  The width of "extension" field to 30 characters and
  the width of the "device state id" field to 60 characters.

• rtp_engine: add support for multirate RFC2833 digits

  No change in configuration is required in order to enable this
  feature. Endpoints configured to use RFC2833 will automatically have this
  enabled. If the endpoint does not support this, it should not include it in
  the SDP offer/response.
  Resolves: #699

• res_pjsip_logger: Preserve logging state on reloads.

  Issuing "pjsip reload" will no longer disable
  logging if it was previously enabled from the CLI.

• loader.c: Allow dependent modules to be unloaded recursively.

  In certain circumstances, modules with dependency relations
  can have their dependents automatically recursively unloaded and loaded
  again using the "module refresh" CLI command or the ModuleLoad AMI command.

• tcptls/iostream: Add support for setting SNI on client TLS connections

  Secure websocket client connections now send SNI in
  the TLS client hello.

• res_pjsip_endpoint_identifier_ip: Endpoint identifier request URI

  this new feature let users match endpoints based on the
  indound SIP requests' URI. To do so, add 'request_uri' to the
  endpoint's 'identify_by' option. The 'match_request_uri' option of
  the identify can be an exact match for the entire request uri, or a
  regular expression (between slashes). It's quite similar to the
  header identifer.
  Fixes: #599

• res_pjsip_refer.c: Allow GET_TRANSFERRER_DATA

  the GET_TRANSFERRER_DATA dialplan variable can now be used also in pjsip.

• manager.c: Add new parameter 'PreDialGoSub' to Originate AMI action

  When using the Originate AMI Action, we now can pass the PreDialGoSub parameter, instructing the asterisk to perform an subrouting at channel before call start. With this parameter an call initiated by AMI can request the channel to start the call automaticaly, adding a SIP header to using GoSUB, instructing to autoanswer the channel, and proceeding the outbuound extension executing. Exemple of an context to perform the previus indication:
  [addautoanswer]
  exten => _s,1,Set(PJSIP_HEADER(add,Call-Info)=answer-after=0)
  exten => _s,n,Set(PJSIP_HEADER(add,Alert-Info)=answer-after=0)
  exten => _s,n,Return()

• manager.c: Add CLI command to kick AMI sessions.

  The "manager kick session" CLI command now
  allows kicking a specified AMI session.

• chan_dahdi: Allow specifying waitfordialtone per call.

  "waitfordialtone" may now be specified for DAHDI
  trunk channels on a per-call basis using the CHANNEL function.

• Upgrade bundled pjproject to 2.14.1

  Bundled pjproject has been upgraded to 2.14.1. For more
  information visit pjproject Github page: https://github.com/pjsip/pjproject/releases/tag/2.14.1

• app_dial: Add dial time for progress/ringing.

  The timeout argument to Dial now allows
  specifying the maximum amount of time to dial if
  early media is not received.

• app_voicemail: Allow preventing mark messages as urgent.

  The leaveurgent mailbox option can now be used to
  control whether callers may leave messages marked as 'Urgent'.

• Stir/Shaken Refactor

  Asterisk's stir-shaken feature has been refactored to
  correct interoperability, RFC compliance, and performance issues.
  See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
  information.

• Upgrade bundled pjproject to 2.14.

  Bundled pjproject has been upgraded to 2.14. For more
  information on what all is included in this change, check out the
  pjproject Github page: https://github.com/pjsip/pjproject/releases

• app_speech_utils.c: Allow partial speech results.

  The SpeechBackground dialplan application now supports a 'p'
  option that will return partial results from speech engines that
  provide them when a timeout occurs.

• res_pjsip_outbound_registration.c: Add User-Agent header override

  PJSIP outbound registrations now support a per-registration
  User-Agent header

• app_chanspy: Add 'D' option for dual-channel audio

  The ChanSpy application now accepts the 'D' option which
  will interleave the spied audio within the outgoing frames. The
  purpose of this is to allow the audio to be read as a Dual channel
  stream with separate incoming and outgoing audio. Setting both the
  'o' option and the 'D' option and results in the 'D' option being
  ignored.

• app_voicemail_odbc: remove macrocontext from voicemail_messages table

  The fix requires removing the macrocontext column from the
  voicemail_messages table in the voicemail database via alembic upgrade.

• chan_dahdi: Allow MWI to be manually toggled on channels.

  The 'dahdi set mwi' now allows MWI on channels
  to be manually toggled if needed for troubleshooting.
  Resolves: #440

• app_dial: Add option "j" to preserve initial stream topology of caller

  The option "j" is now available for the Dial application which
  uses the initial stream topology of the caller to create the outgoing
  channels.

• logger: Add channel-based filtering.

  The console log can now be filtered by
  channels or groups of channels, using the
  logger filter CLI commands.

• chan_pjsip: Add PJSIPHangup dialplan app and manager action

  A new dialplan app PJSIPHangup and AMI action allows you
  to hang up an unanswered incoming PJSIP call with a specific SIP
  response code in the 400 -> 699 range.

• app_voicemail: Add AMI event for mailbox PIN changes.

  The VoicemailPasswordChange event is
  now emitted whenever a mailbox password is updated,
  containing the mailbox information and the new
  password.
  Resolves: #398

• res_speech: allow speech to translate input channel

  res_speech now supports translation of an input channel
  to a format supported by the speech provider, provided a translation
  path is available between the source format and provider capabilites.

• res_pjsip: Expanding PJSIP endpoint ID and relevant resource length to 255 characters

  With this update, the PJSIP realm lengths have been extended
  to support up to 255 characters.

• res_stasis: signal when new command is queued

  Call setup times should be significantly improved
  when using ARI.

• lock.c: Separate DETECT_DEADLOCKS from DEBUG_THREADS

  You no longer need to select DEBUG_THREADS to use
  DETECT_DEADLOCKS. This removes a significant amount of overhead
  if you just want to detect possible deadlocks vs needing full
  lock tracing.

• file.c: Add ability to search custom dir for sounds

  A new option "sounds_search_custom_dir" has been added to
  asterisk.conf that allows asterisk to search
  AST_DATA_DIR/sounds/custom for sounds files before searching the
  standard AST_DATA_DIR/sounds/ directory.

• make_buildopts_h, et. al. Allow adding all cflags to buildopts.h

  The "Build Options" entry in the "core show settings"
  CLI command has been renamed to "ABI related Build Options" and
  a new entry named "All Build Options" has been added that shows
  both breaking and non-breaking options.

• chan_rtp: Implement RTP glue for UnicastRTP channels

  The dial string option 'g' was added to the UnicastRTP channel
  which enables RTP glue and therefore native RTP bridges with those
  channels.

• variables: Add additional variable dialplan functions.

  Four new dialplan functions have been added.
  GLOBAL_DELETE and DELETE have been added which allows
  the deletion of global and channel variables.
  GLOBAL_EXISTS and VARIABLE_EXISTS have been added
  which checks whether a global or channel variable has
  been set.

• sig_analog: Add Called Subscriber Held capability.

  Called Subscriber Held is now supported for analog
  FXS channels, using the calledsubscriberheld option. This allows
  a station user to go on hook when receiving an incoming call
  and resume from another phone on the same line by going on hook,
  without disconnecting the call.

• res_pjsip_header_funcs: Make prefix argument optional.

  The prefix argument to PJSIP_HEADERS is now
  optional. If not specified, all header names will be
  returned.

• core/ari/pjsip: Add refer mechanism

  There is a new ARI endpoint /endpoints/refer for referring
  an endpoint to some URI or endpoint.

• chan_dahdi: Allow autoreoriginating after hangup.

  The autoreoriginate setting now allows for kewlstart FXS
  channels to automatically reoriginate and provide dial tone to the
  user again after all calls on the line have cleared. This saves users
  from having to manually hang up and pick up the receiver again before
  making another call.

• sig_analog: Allow three-way flash to time out to silence.

  The threewaysilenthold option now allows the three-way
  dial tone to time out to silence, rather than continuing forever.

• res_pjsip: Enable TLS v1.3 if present.

  res_pjsip now allows TLS v1.3 to be enabled if supported by
  the underlying PJSIP library. The bundled version of PJSIP supports
  TLS v1.3.

• app_queue: Add support for applying caller priority change immediately.

  The 'queue priority caller' CLI command and
  'QueueChangePriorityCaller' AMI action now have an 'immediate'
  argument which allows the caller priority change to be reflected
  immediately, causing the position of a caller to move within the
  queue depending on the priorities of the other callers.

• Adds manager actions to allow move/remove/forward individual messages in a particular mailbox folder. The forward command can be used to copy a message within a mailbox or to another mailbox. Also adds a VoicemailBoxSummarry, required to retrieve message ID's.

  The following manager actions have been added
  VoicemailBoxSummary - Generate message list for a given mailbox
  VoicemailRemove - Remove a message from a mailbox folder
  VoicemailMove - Move a message from one folder to another within a mailbox
  VoicemailForward - Copy a message from one folder in one mailbox
  to another folder in another or the same mailbox.

• app_voicemail: add CLI commands for message manipulation

  The following CLI commands have been added to app_voicemail
  voicemail show mailbox
  Show contents of mailbox @
  voicemail remove <from_folder>
  Remove message from <from_folder> in mailbox @
  voicemail move <from_folder> <to_folder>
  Move message in mailbox & from <from_folder> to <to_folder>
  voicemail forward <from_mailbox> <from_context> <from_folder> <to_mailbox> <to_context> <to_folder>
  Forward message in mailbox @ <from_folder> to
  mailbox @ <to_folder>

• sig_analog: Allow immediate fake ring to be suppressed.

  The immediatering option can now be set to no to suppress
  the fake audible ringback provided when immediate=yes on FXS channels.

• AMI: Add parking position parameter to Park action

  New ParkingSpace parameter has been added to AMI action Park.

• res_musiconhold: Add option to loop last file.

  The loop_last option in musiconhold.conf now
  allows the last file in the directory to be looped once reached.

• AMI: Add CoreShowChannelMap action.

  New AMI action CoreShowChannelMap has been added.

• sig_analog: Add fuller Caller ID support.

  Additional Caller ID properties are now supported on
  incoming calls to FXS stations, namely the
  redirecting reason and call qualifier.

• res_stasis.c: Add new type 'sdp_label' for bridge creation.

  When creating a bridge using the ARI the 'type' argument now
  accepts a new value 'sdp_label' which will configure the bridge to add
  labels for each stream in the SDP with the corresponding channel id.

• app_queue: Preserve reason for realtime queues

  Make paused reason in realtime queues persist an
  Asterisk restart. This was fixed for non-realtime
  queues in ASTERISK_25732.

• cel: add local optimization begin event (#54)

  The new AST_CEL_LOCAL_OPTIMIZE_BEGIN can be used
  by itself or in conert with the existing
  AST_CEL_LOCAL_OPTIMIZE to book-end local channel optimizaion.

• chan_dahdi: Add dialmode option for FXS lines.

  A "dialmode" option has been added which allows
  specifying, on a per-channel basis, what methods of
  subscriber dialing (pulse and/or tone) are permitted.
  Additionally, this can be changed on a channel
  at any point during a call using the CHANNEL
  function.

Upgrade Notes:

• http.c: Change httpstatus to default disabled and sanitize output.

  To prevent possible security issues, the /httpstatus page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set enable_status=yes in http.conf.

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: In order to correct bugs in both code and
  documentation, the following changes to the parameters for GML geolocation
  locations are now in effect:

  • The documented but unimplemented crs (coordinate reference system) element
    has been added to the location_info parameter that indicates whether the 2d
    or 3d reference system is to be used. If the crs isn't valid for the shape
    specified, an error will be generated. The default depends on the shape
    specified.
  • The Circle, Ellipse and ArcBand shapes MUST use a 2d crs. If crs isn't
    specified, it will default to 2d for these shapes.
    The Sphere, Ellipsoid and Prism shapes MUST use a 3d crs. If crs isn't
    specified, it will default to 3d for these shapes.
    The Point and Polygon shapes may use either crs. The default crs is 2d
    however so if 3d positions are used, the crs must be explicitly set to 3d.
  • The geoloc show gml_shape_defs CLI command has been updated to show which
    coordinate reference systems are valid for each shape.
  • The pos3d element has been removed in favor of allowing the pos element
    to include altitude if the crs is 3d. The number of values in the pos
    element MUST be 2 if the crs is 2d and 3 if the crs is 3d. An error
    will be generated for any other combination.
  • The angle unit-of-measure for shapes that use angles should now be included
    in the respective parameter. The default is degrees. There were some
    inconsistent references to orientation_uom in some documentation but that
    parameter never worked and is now removed. See examples below.
    Examples...

    location_info = shape="Sphere", pos="39.0 -105.0 1620", radius="20"
    location_info = shape="Point", crs="3d", pos="39.0 -105.0 1620"
    location_info = shape="Point", pos="39.0 -105.0"
    location_info = shape=Ellipsoid, pos="39.0 -105.0 1620", semiMajorAxis="20"
                  semiMinorAxis="10", verticalAxis="0", orientation="25 degrees"
    pidf_element_id = ${CHANNEL(name)}-${EXTEN}
    device_id = mac:001122334455
    Set(GEOLOC_PROFILE(pidf_element_id)=${CHANNEL(name)}/${EXTEN})
  

• app_directed_pickup.c: Change some log messages from NOTICE to VERBOSE.

  In an effort to reduce log spam, two normal progress
  "pickup attempted" log messages from app_directed_pickup have been changed
  from NOTICE to VERBOSE(3). This puts them on par with other normal
  dialplan progress messages.

• app_queue.c: Fix error in Queue parameter documentation.

  As part of Asterisk 21, macros were removed from Asterisk.
  This resulted in argument order changing for the Queue dialplan
  application since the macro argument was removed. Upgrade notice was
  missed when this was done, so this upgrade note has been added to
  provide a record of such and a notice to users who may have not upgraded
  yet.

• res_audiosocket: add message types for all slin sample rates

  New audiosocket message types 0x11 - 0x18 has been added
  for slin12, slin16, slin24, slin32, slin44, slin48, slin96, and
  slin192 audio. External applications using audiosocket may need to be
  updated to support these message types if the audiosocket channel is
  created with one of these audio formats.

• taskpool: Add taskpool API, switch Stasis to using it.

  The threadpool_* options in stasis.conf have now been deprecated
  though they continue to be read and used. They have been replaced with taskpool
  options that give greater control over the underlying taskpool used for stasis.

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

  The safe_asterisk script now checks that, if it was run by the
  root user, the /etc/asterisk/startup.d directory and all the files it contains
  are owned by root. If the checks fail, safe_asterisk will exit with an error
  and Asterisk will not be started. Additionally, the default logging
  destination is now stderr instead of tty "9" which probably won't exist
  in modern systems.

• jansson: Upgrade version to jansson 2.14.1

  jansson has been upgraded to 2.14.1. For more
  information visit jansson Github page: https://github.com/akheron/jansson/releases/tag/v2.14.1

• Alternate Channel Storage Backends

  With this release, you can now select an alternate channel
  storage backend based on C++ Maps. Using the new backend may increase
  performance and reduce the chances of deadlocks on heavily loaded systems.
  For more information, see http://s.asterisk.net/dc679ec3

• ARI: REST over Websocket

  This commit adds the ability to make ARI REST requests over the same
  websocket used to receive events.
  See https://docs.asterisk.org/Configuration/Interfaces/Asterisk-REST-Interface-ARI/ARI-REST-over-WebSocket/

• alembic: Database updates required.

  Two commits in this release...
  'Add SHA-256 and SHA-512-256 as authentication digest algorithms'
  'res_pjsip: Add new AOR option "qualify_2xx_only"'
  ...have modified alembic scripts for the following database tables: ps_aors,
  ps_contacts, ps_auths, ps_globals. If you don't use the scripts to update
  your database, reads from those tables will succeeed but inserts into the
  ps_contacts table by res_pjsip_registrar will fail.

• channel: Add multi-tenant identifier.

  A new versioned struct (ast_channel_initializers) has been
  added that gets passed to __ast_channel_alloc_ap. The new function
  ast_channel_alloc_with_initializers should be used when creating
  channels that require the use of this struct. Currently the only value
  in the struct is for tenantid, but now more fields can be added to the
  struct as necessary rather than the __ast_channel_alloc_ap function. A
  new option (tenantid) has been added to endpoints in pjsip.conf as well.
  CEL has had its version bumped to include tenant ID.

• app_queue: Add option to not log Restricted Caller ID to queue_log

  Add a new column to the queues table:
  queue_log_option_log_restricted ENUM('0','1','off','on','false','true','no','yes')
  to control whether the Restricted Caller ID will be stored in the queue log.

• pbx_variables.c: Prevent SEGV due to stack overflow.

  The maximum amount of dialplan recursion
  using variable substitution (such as by using EVAL_EXTEN)
  is capped at 15.

• Stir/Shaken Refactor

  The stir-shaken refactor is a breaking change but since
  it's not working now we don't think it matters. The
  stir_shaken.conf file has changed significantly which means that
  existing ones WILL need to be changed. The stir_shaken.conf.sample
  file in configs/samples/ has quite a bit more information. This is
  also an ABI breaking change since some of the existing objects
  needed to be changed or removed, and new ones added. Additionally,
  if res_stir_shaken is enabled in menuselect, you'll need to either
  have the development package for libjwt v1.15.3 installed or use
  the --with-libjwt-bundled option with ./configure.

• app_voicemail_odbc: remove macrocontext from voicemail_messages table

  The fix requires that the voicemail database be upgraded via
  alembic. Upgrading to the latest voicemail database via alembic will
  remove the macrocontext column from the voicemail_messages table.

• app.c: Allow ampersands in playback lists to be escaped.

  Ampersands in URLs passed to the Playback(),
  Background(), SpeechBackground(), Read(), Authenticate(), or
  Queue() applications as filename arguments can now be escaped by
  single quoting the filename. Additionally, this is also possible when
  using the CONFBRIDGE dialplan function, or configuring various
  features in confbridge.conf and queues.conf.

• pjsip_configuration.c: Disable DTLS renegotiation if WebRTC is enabled.

  The dtls_rekey will be disabled if webrtc support is
  requested on an endpoint. A warning will also be emitted.

• res_pjsip: Expanding PJSIP endpoint ID and relevant resource length to 255 characters

  As part of this update, the maximum allowable length
  for PJSIP endpoints and relevant resources has been increased from
  40 to 255 characters. To take advantage of this enhancement, it is
  recommended to run the necessary procedures (e.g., Alembic) to
  update your schemas.

• users.conf: Deprecate users.conf configuration.

  The users.conf config is now deprecated
  and will be removed in a future version of Asterisk.

• app_queue: Preserve reason for realtime queues

  Add a new column to the queue_member table:
  reason_paused VARCHAR(80) so the reason can be preserved.

• app_sla: Migrate SLA applications out of app_meetme.

  The SLAStation and SLATrunk applications have been moved
  from app_meetme to app_sla. If you are using these applications and have
  autoload=no, you will need to explicitly load this module in modules.conf.

• utils.h: Deprecate ast_gethostbyname(). (#79)

  ast_gethostbyname() has been deprecated and will be removed
  in Asterisk 23. New code should use ast_sockaddr_resolve() and
  ast_sockaddr_resolve_first_af().

• cel: add local optimization begin event (#54)

  The existing AST_CEL_LOCAL_OPTIMIZE can continue
  to be used as-is and the AST_CEL_LOCAL_OPTIMIZE_BEGIN event
  can be ignored if desired.

Developer Notes:

• ccss: Add option to ccss.conf to globally disable it.

  A new API ast_is_cc_enabled() has been added. It should be
  used to ensure that CCSS is enabled before making any other ast_cc_* calls.

• chan_websocket: Add ability to place a MARK in the media stream.

  Apps can now send a MARK_MEDIA command with an optional
  correlation_id parameter to chan_websocket which will be placed in the
  media frame queue. When that frame is dequeued after all intervening media
  has been played to the core, chan_websocket will send a
  MEDIA_MARK_PROCESSED event to the app with the same correlation_id
  (if any).

• chan_websocket: Add capability for JSON control messages and events.

  The chan_websocket plain-text control and event messages are now
  deprecated (but remain the default) in favor of JSON formatted messages.
  See https://docs.asterisk.org/Configuration/Channel-Drivers/WebSocket for
  more information.
  A "transport_data" parameter has been added to the

• chan_pjsip: Add technology-specific off-nominal hangup cause to events.

  A "tech_cause" parameter has been added to the
  ChannelHangupRequest and ChannelDestroyed ARI event messages and a "TechCause"
  parameter has been added to the HangupRequest, SoftHangupRequest and Hangup
  AMI event messages. For chan_pjsip, these will be set to the last SIP
  response status code for off-nominally terminated calls. The parameter is
  suppressed for nominal termination.

• ARI: The bridges play and record APIs now handle sample rates > 8K correctly.

  The ARI /bridges/play and /bridges/record REST APIs have new
  parameters that allow the caller to specify the format to be used on the
  "Announcer" and "Recorder" channels respecitvely.

• taskpool: Add taskpool API, switch Stasis to using it.

  The taskpool API has been added for common usage of a
  pool of taskprocessors. It is suggested to use this API instead of the
  threadpool+taskprocessor approach.

• ARI: Add command to indicate progress to a channel

  A new ARI endpoint is available at /channels/{channelId}/progress to indicate progress to a channel.

• options: Change ast_options from ast_flags to ast_flags64.

  The 32-bit ast_options has no room left to accomodate new
  options and so has been converted to an ast_flags64 structure. All internal
  references to ast_options have been updated to use the 64-bit flag
  manipulation macros. External module references to the 32-bit ast_options
  should continue to work on little-endian systems because the
  least-significant bytes of a 64 bit integer will be in the same location as a
  32-bit integer. Because that's not the case on big-endian systems, we've
  swapped the bytes in the flags manupulation macros on big-endian systems
  so external modules should still work however you are encouraged to test.

Commit Authors:

• Abdelkader Boudih: (3)
• Albrecht Oster: (1)
• Alexandre Fournier: (1)
• Alexei Gradinari: (10)
• Alexey Khabulyak: (3)
• Alexey Vasilyev: (1)
• Allan Nathanson: (6)
• Andreas Wehrmann: (1)
• Anthony Minessale: (1)
• Artem Umerov: (2)
• Bastian Triller: (4)
• Ben Ford: (17)
• Boris P. Korzun: (2)
• Brad Smith: (4)
• C. Maj: (1)
• Cade Parker: (1)
• Christoph Moench-Tegeder: (1)
• Daouda Taha: (1)
• Eduardo: (1)
• Fabrice Fontaine: (3)
• Flole998: (1)
• Florent CHAUVEAU: (1)
• Frederic LE FOLL: (1)
• George Joseph: (184)
• Gitea: (1)
• Henning Westerholt: (3)
• Henrik Liljedahl: (1)
• Holger Hans Peter Freyther: (9)
• Igor Goncharovsky: (7)
• InterLinked1: (4)
• Itzanh: (1)
• Ivan Poddubny: (2)
• Jaco Kroon: (10)
• James Terhune: (1)
• Jason D. McCormick: (1)
• Jeremy Lainé: (1)
• Jiajian Zhou: (1)
• Joe Garlick: (3)
• Joe Searle: (2)
• Jose Lopes: (1)
• Joshua C. Colp: (22)
• Joshua Elson: (2)
• Justin T. Gibbs: (1)
• Kent: (1)
• Kristian F. Høgh: (1)
• Luz Paz: (4)
• Maksim Nesterov: (1)
• Marcel Wagner: (2)
• Mark Murawski: (2)
• Martin Nystroem: (1)
• Martin Tomec: (2)
• Matthew Fredrickson: (2)
• Max Grobecker: (1)
• Maximilian Fridrich: (13)
• Michael Kuron: (2)
• Michal Hajek: (2)
• Miguel Angel Nubla: (1)
• Mike Bradeen: (58)
• Mike Pultz: (3)
• MikeNaso: (1)
• Nathan Bruning: (1)
• Nathan Monfils: (2)
• Nathaniel Wesley Filardo: (1)
• Naveen Albert: (201)
• Nick French: (1)
• Niklas Larsson: (1)
• Norm Harrison: (2)
• Olaf Titz: (1)
• Peter Fern: (1)
• Peter Jannesen: (3)
• Peter Krall: (1)
• PeterHolik: (2)
• Philip Prindeville: (12)
• Roman Pertsev: (1)
• Samuel Olaechea: (1)
• Sean Bright: (122)
• Sebastian Jennen: (1)
• Sergey V. Lobanov: (1)
• Shaaah: (1)
• Shyju Kanaprath: (1)
• Sperl Viktor: (5)
• Spiridonov Dmitry: (1)
• Stanislav Abramenkov: (6)
• Steffen Arntz: (1)
• Stuart Henderson: (1)
• Sven Kube: (8)
• ThatTotallyRealMyth: (1)
• The_Blode: (1)
• Thomas B. Clark: (1)
• Thomas Guebels: (2)
• Tinet-mucw: (11)
• Vitezslav Novy: (1)
• Walter Doekes: (1)
• Zhai Liangliang: (1)
• alex2grad: (1)
• chrsmj: (2)
• cmaj: (2)
• fabriziopicconi: (1)
• gauravs456: (1)
• gibbz00: (1)
• jiangxc: (1)
• jonatascalebe: (1)
• kodokaii: (1)
• mkmer: (3)
• phoneben: (10)
• romryz: (1)
• sarangr7: (1)
• sungtae kim: (3)
• zhengsh: (3)
• zhou_jiajian: (2)

certified-22.8-cert1-pre1

New uNmINeD development snapshot is available for download!

Changes:

• (Minecraft) Added and fixed a lot of building block colors
• (Minecraft) Fixed Java Edition region loading issues that were occuring on some systems
• (Hytale) Added support for RocksDB world storage type (thanks to rocksdb-sharp)
• (Hytale) Map colors are now calculated based on in-game textures
• (Hytale / GUI) Added Hytale player markers
• (GUI) Added export functions to the block list panel

uNmINeD now uses different colors for each Minecraft stone type (basalt, diorite, andesite, etc.), and the color of stone and cobblestone blocks are now darker to better match the in-game color. Many other blocks now have a distinct color (gold, lapis, diamond, etc.). If you want to go back to the previous map colors, turn off the Natural stones, Masonry and Mineral blocks settings on the stylesheet sidebar tab.

Hytale support is still experimental. There may be bugs and crashes.

A Hytale world map rendered in uNmINeD:

News from apt.postgresql.org:

Changelogs

apt.postgresql.org now has changelog files in a place where apt can retrieve them automatically, for example

apt changelog postgresql-18

will download the file and display it in a pager. Mind that the files are only present yet for packages updated since last week, the rest will follow over time.

Build logs

Likewise, package build logs are now also stored along with the packages in .build.xz files in the pool directory. (There is no automated download tool for them, though.)

Ubuntu releases resolute and plucky

Work on the upcoming Ubuntu 26.04 "resolute" release has started and packages are available on apt.postgresql.org.

The Ubuntu 25.04 "plucky" release has reached its end of life and has been moved to apt-archive.postgresql.org.

Christoph

Postfix stable release 3.10.8 and legacy releases 3.9.9, 3.8.15, 3.7.20

[An on-line version of this announcement will be available at https://www.postfix.org/announcements/postfix-3.10.8.html]

Fixes for all supported Postfix releases:

• Improved Milter error handling for messages that arrive over a long-lived SMTP connection, by changing the default milter_default_action from "tempfail" to the new "shutdown" action (i.e. disconnect the remote SMTP client).

  The problem was that after a single Milter error, Postfix could tempfail all messages that the client sends over a long-lived connection, even if the Milter error was only temporary. This problem was reported by Ankit Kulkarni.

• Bugfix (defect introduced: Postfix 2.11): "posttls-finger -v -v -v" terminated with a panic, caused by recursive logging. Reported by Geert Hendrickx, diagnosed by Viktor Dukhovni, and fixed by Wietse.

With one simple change, the patch for Postfix 3.7 should also apply to older Postfix versions, because the patch affects code that has not changed in a decade or so. The simple change is to remove the Prereq: line, and to remove the part that updates the HISTORY file.

You can find the updated Postfix source code at the mirrors listed at https://www.postfix.org/.

The PostgreSQL Global Development Group is planning for an out-of-cycle release on February 26, 2026 due to regressions introduced in the February 12, 2026 update release, which included releases 18.2, 17.8, 16.12, 15.16, and 14.21. This release will provide fixes for all supported versions (18.3, 17.9, 16.13, 15.17, 14.22). While these fixes may not impact all PostgreSQL users, the PostgreSQL Global Development Group wants to address these issues before the next scheduled release on May 14, 2026.

The regressions from this release include:

• The substring() function raises an error "invalid byte sequence for encoding" on non-ASCII text values if the source of that value is a database column.
• A standby may halt and return an error "could not access status of transaction".

For the substring() regression, the fix for CVE-2026-2006, which closed a vulnerability in the database server, introduced a regression causing substring() to improperly return an error on multi-byte (non-ASCII) text values if the source of that value was a database column. If you've upgraded to 18.2, 17.8, 16.12, 15.16, or 14.21, and need the fix ahead of the February 26, 2026 release, you should consider manually applying the changes. Release specific information can be found here: https://wiki.postgresql.org/wiki/2026-02_Regression_Fixes.

Ahead of this release, you can find additional information about the regressions and fixes here: https://wiki.postgresql.org/wiki/2026-02_Regression_Fixes.

[0.15.5] - 2026-02-14

If you are upgrading from v0.14.x and below, this version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.
If you are upgrading from v0.15.x, replace the binary and update the webadmin.

Added

Changed

Fixed

• IMAP/JMAP: OOM when mail-parser returns cyclical MIME structures (CVE-2026-26312).
• Tracing: Fix tracing indexing when using separate stores.
• JMAP: Fix upToId computation in */queryChanges.
• JMAP: Include createdIds when the property is present.
• JMAP: Respect query arguments in Email/queryChanges.
• JMAP: Return the correct container/item change id when there are no changes.

Check binary attestation at here

The MariaDB Foundation is pleased to announce the availability of MariaDB 12.3.1, the release candidate (RC) in the new long-term support (LTS) release, and MariaDB 12.2.2, the latest stable rolling release. …

Continue reading \"MariaDB 12.3.1 and 12.2.2 now available\"

The post MariaDB 12.3.1 and 12.2.2 now available appeared first on MariaDB.org.

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.2, 17.8, 16.12, 15.16, and 14.21. This release fixes 5 security vulnerabilities and over 65 bugs reported over the last several months.

For the full list of changes, please review the release notes.

Security Issues

CVE-2026-2003: PostgreSQL oidvector discloses a few bytes of memory

CVSS v3.1 Base Score: 4.3

Supported, Vulnerable Versions: 14 - 18.

Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Altan Birler for reporting this problem.

CVE-2026-2004: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Daniel Firer, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2005: PostgreSQL pgcrypto heap buffer overflow executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Team Xint Code, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2006: PostgreSQL missing validation of multibyte character length executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Paul Gerste and Moritz Sanft, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2007: PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory

CVSS v3.1 Base Score: 8.2

Supported, Vulnerable Versions: 18.

Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected.

The PostgreSQL project thanks Heikki Linnakangas for reporting this problem.

Bug Fixes and Improvements

This update fixes over 65 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

• Fix inconsistent case-insensitive text matching in the ltree extension. If you use an index on an ltree column, in some cases you may need perform a reindex. See the "Updating" section for additional instructions.
• Executing ALTER TABLE ... ADD CONSTRAINT to add a NOT NULL constraint on a column that already is marked as NOT NULL now requires the constraint name to match the existing constraint name.
• Fix trigger behavior when MERGE is executed from a WITH query to include rows affected by the MERGE.
• Several query planner fixes.
• Fix for text substring search for non-deterministic collations.
• Several fixes for NOTIFY error handling and reporting.
• Use the correct ordering function in GIN index parallel builds.
• Fix incorrect handling of incremental backups with tables larger than 1GB.
• Fail recovery if WAL does not exist back to the redo point indicated by the checkpoint record.
• Fix for ALTER PUBLICATION to ensure event triggers contain all set options.
• Several fixes around replication slot initialization.
• Don't advance replication slot after a logical replication parallel worker apply failure to prevent transaction loss on the subscriber.
• Fix error reporting for SQL/JSON path type mismatches.
• Fix JIT compilation function inlining when using LLVM 17 or later.
• Add new server parameter file_extend_method to control use of posix_fallocate().
• Fix psql tab completion for the VACUUM command options.
• Fix pg_dump to handle concurrent sequence drops gracefully and to fail if the calling user explicitly lacks privileges to read the sequence.
• Several fixes for amcheck around btree inspection.
• Avoid crash in pg_stat_statements when an IN list contains both constants and non-constant expressions.

This release also updates time zone data files to tzdata release 2025c, which only has a historical data change for pre-1976 timestamps in Baja California.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

If you have indexes on ltree columns and do not use the libc collation provider, after upgrading to the latest version, you must reindex any ltree column. You can use REINDEX INDEX CONCURRENTLY to minimize the impact on your system.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

• Download
• Release Notes
• Security
• Versioning Policy
• Submit a Bug
• Donate

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.

New uNmINeD development snapshot is available for download!

Changes:

• Improved Hytale map colors
• Improved Hytale processing speed
• Added grass tints for Hytale (read from chunk data)
• Added water biome tints for Hytale (read from configuration)
• Added player names for Hytale
• Block name matcher now treats patterns ending in ** specially, the pattern foo** means foo or foo_*
• (GUI) Fixed broken chunk inspector GUI
• (GUI) Fixed broken web export GUI

The Hytale support is still experimental. There may be bugs, crashes, and the map colors are still unfinished.

!!! WARNING !!!

It has not yet been tested whether uNmINeD can be used safely while Hytale is running. Always close Hytale before using uNmINeD to prevent data corruption!

A Hytale world in uNmINeD:

New uNmINeD development snapshot is available for download!

Changes:

• Added support for Hytale (experimental)
• Added support for Minecraft 26.1-snapshot-6 worlds
• Added support for multiple asterixes in block name patterns
• Fixed broken textured rendering for Java Edition

uNmINeD now can read Hytale worlds. This is an experimental feature under development. Map colors are far from finished, the code is slow, and there may be bugs and crashes.

!!! WARNING !!!

It has not yet been tested whether uNmINeD can be used safely while Hytale is running. Always close Hytale before using uNmINeD to prevent data corruption!

Check your Hytale world in uNmINeD and have fun!