commit a76a30a5b0
Author: Gerald Combs <gerald@wireshark.org>
Date:   Fri Dec 5 08:51:21 2025 -0800

    Temporarily revert "BLF: Validate length of uncompressed segments."

    This reverts commit c99f1188693ddad1e6ff0244ca0cd095619bdda7.

commit e94ad367f5
Author: John Thacker <johnthacker@gmail.com>
Date:   Fri Dec 5 15:37:14 2025 +0000

    Homeplug AV: Add to COL_INFO even with a non-NULL tree

    The Homeplug AV dissector does a lot of checking for a NULL tree.
    In one path, text is appended to COL_INFO only when there *is* a
    NULL tree, but we can have a non-NULL tree and also need to fill
    in the columns in a number of situations, notably if there are
    custom columns.

    Append the text in the other code path. Just get rid of the NULL
    tree check, any savings are minimal due to the NULL tree checks
    inside the API.

    Fix #20893

    (cherry picked from commit 30bc529ecf09788cc3db94e636d50bfe45bb4385)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit 6fa837416e
Author: Gerald Combs <gerald@wireshark.org>
Date:   Thu Dec 4 14:08:52 2025 -0800

    GitLab CI: Try to fix a macOS Intel clock sync issue

commit c99f118869
Author: Darius Davis <darius-wireshark@free-range.com.au>
Date:   Mon Dec 1 17:47:28 2025 +1000

    BLF: Validate length of uncompressed segments.

    When a container's data is not compressed, its actual length should equal the
    length of the data stored in the file.

    Fixes #20880.

    (cherry picked from commit 516ba22c34bd62468c2967ac476146bc03482679)

commit 1427ccda0c
Author: John Thacker <johnthacker@gmail.com>
Date:   Wed Dec 3 17:54:40 2025 +0000

    pkcs12: Put a maximum limit on hash iterations willing to perform

    iterationCount is defined in the ASN.1 for pkcs12 (RFC 8081) as
    an unbounded Integer (either (1..MAX) in one place, or with no
    value constraint in another, though the latter is silly as negative
    numbers make no sense.) We should have a sanity check on it to avoid
    endless hashing that consumes an incredible amout of time (especially
    as the iteration_count value is eventually cast to unsigned, so a -1
    becomes whatever the maximum size of that unsigned variable is).

    RFC 8081 Section 4.2 Iteration Count says:

       Choosing a reasonable value for the iteration count depends on
       environment and circumstances, and varies from application to
       application.  This document follows the recommendations made in FIPS
       Special Publication 800-132 [NISTSP132], which says

          The iteration count shall be  selected as large as possible, as
          long as the time required to generate the key using the entered
          password is acceptable for the users. [...] A minimum iteration
          count of 1,000 is recommended.  For especially critical keys, or
          for very powerful systems or systems where user-perceived
          performance is not critical, an iteration count of 10,000,000 may
          be appropriate.

    While a user may want to decrypt "especially critical keys", OTOH
    generally "user-perceived performance" is of a concern.

    This puts a limit of 10,000,000 instead of allowing 2*32 as we've been
    doing, though we could make it an unsigned preference at some point.

    This also happens to fix a pointer-sign warning by changing the variable
    to unsigned earlier (as opposed to casting it when calling
    generate_key_or_iv).

    Ping #20175

    (cherry picked from commit ab257c76541d984143943a8e61c0f8930511409d)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit bbebfd2644
Author: Gerald Combs <gerald@wireshark.org>
Date:   Tue Dec 2 17:08:22 2025 -0800

    Prep for 4.4.12

commit e02acae542
Author: Anders Broman <a.broman58@gmail.com>
Date:   Mon Dec 1 08:44:07 2025 +0100

    SMTP: Make sure the line is long enough for a BDAT chunk size

    Make sure that linelen is large enough (i.e., more than 5 octets, for
    bdat-cmd   ::= "BDAT" SP chunk-size
    ) before calling it a BDAT command and trying to call strtoul on
    line + 5 to find the chunk size.

    Fix #20883

    The sample file above didn't crash in 4.6 and earlier because
    tvb_get_ptr was used, which provides a raw pointer into the packet,
    so the strtoul call happened to poke into the CR LF at the end of
    the line in the original packet data, past the ostensible length
    retrieved by tvb_get_ptr(). (In pretty much all implementations,
    even composite TVBs, tvb_get_ptr() never truncates the pointer it
    returns, so the CR LF was always there. Still smells bad, though.)

    (cherry picked from commit a62404fed311e87b4bf2dfc4a4a1e38afbb64183)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit e4f3706e1b
Author: Anders Broman <a.broman58@gmail.com>
Date:   Mon Dec 1 08:41:55 2025 +0100

    MEGACO: Handle tvb_get_uint8 returning -1

    When dissecting a media descriptor, handle tvb_get_uint8 returning
    -1 when searching for a left or right bracket and not finding it
    by setting the bracket offset to the end offset so that the loop
    will exit. Leaving it at -1 can cause going backwards and at worst
    infinite loops.

    Fix #20884

    (cherry picked from commit aba1fbe6266beb6bf9b887b6eab008e4f4841c9b)

    Co-authored-by: John Thacker <johnthacker@gmail.com>

commit 37ff6310f7
Author: Gerald Combs <gerald@wireshark.org>
Date:   Sun Nov 30 10:17:48 2025 +0000

    [Automatic update for 2025-11-30]

    Update manuf, services enterprise numbers, translations, and other items.

commit ab8b29f016
Author: John Thacker <johnthacker@gmail.com>
Date:   Fri Nov 28 11:10:10 2025 -0500

    GitHub: Remove MacOS logray action

    This hasn't built on 4.4 for months because of a patch to
    libscap failing, and there's not much point in trying to
    build this on the 4.4 branch when there are Stratoshark actions
    on 4.6 and master.

commit 9bdee7187d
Author: Gerald Combs <gerald@wireshark.org>
Date:   Fri Nov 28 10:31:44 2025 -0800

    GitLab CI: The Windows Arm64 job now requires QT_HOST_PATH

commit e690438d9a
Author: Guy Harris <gharris@sonic.net>
Date:   Fri Nov 28 06:01:13 2025 +0000

    wiretap: Fix a bounds check in the BER file reader

    Fixes #20878

    (cherry picked from commit 7a826592c2c4b026a568d715885347cf77949d28)

    Co-authored-by: Gerald Combs <gerald@wireshark.org>

commit 7b9cc9b6d2
Author: Martin Mathieson <martin.r.mathieson@googlemail.com>
Date:   Sun Nov 16 22:02:18 2025 +0000

    make-enterprises.py: Remove extra quotes in enterprise names

    (cherry picked from commit 27b485b2f8a93542c24011a0e13f56d798c782c9)

commit 7e4902bb3e
Author: Gerald Combs <gerald@wireshark.org>
Date:   Sun Nov 23 10:17:18 2025 +0000

    [Automatic update for 2025-11-23]

    Update manuf, services enterprise numbers, translations, and other items.

commit 8f3d8027f3
Author: Jaap Keuter <jaap.keuter@xs4all.nl>
Date:   Sun Nov 23 09:36:39 2025 +0000

    CMake: Find winsparkle only for Wireshark/Stratoshark on Windows

    (cherry picked from commit c0d935d0286c90eb9b702ce8ceed1cdd086b4c3d)

    Co-authored-by: Jaap Keuter <jaap.keuter@xs4all.nl>

commit 138afb1c45
Author: John Thacker <johnthacker@gmail.com>
Date:   Sat Nov 22 11:39:36 2025 -0500

    fc00/cjdns: Remove variant Base32 algorithm, do not decode key

    Cjdns/fc00 uses a custom Base 32 variant with a different alphabet
    than that specified in RFC 4648. It's not appropriate to offer it
    as "the" base32 implementation in libwsutil. (An API that offered
    several implementations and the ability for a custom alphabet might
    be useful.) Remove it from libwsutil.

    The implementation submitted is lifted verbatim from the Cjdns
    codebase without attribution, and changing the original license
    from GPLv3 to GPLv2. It had never been licensed as anything other
    than GPLv3 according to the git history of that file in cjdns.
    The Wireshark contributor is an author on the fc00 project, but
    is not clear that the proper rights were obtained to relicense
    the code which originated in cjdns. Remove it, and add the key
    in encoded form instead of decoding. If someone cares, they can
    offer a clean room implementation of the algorithm.

    Update the URL from a mirror of cjdns to the main GitHub repository.

    Fix #20754

    (cherry picked from commit 70a4094ae414d36813795820a31fc83666d959df)

commit f8a55d32c2
Author: Gerald Combs <gerald@wireshark.org>
Date:   Wed Nov 19 14:31:14 2025 -0800

    Version: 4.4.11 → 4.4.12 [skip ci]
