| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
Refresh patches.
Compile-tested for ar71xx - Archer C7 v2
Runtime-tested on ar71xx - Archer C7 v2
Fixes CVE-2017-15265.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
[remove 2nd CVE as it was fixed in mac80211 in commit bff16304b0bf]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
|
|
|
| |
6efeb19 autofs: register SIGTERM for gracefull exit
01bb2b0 mount: fix SIGSEV crashes
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
| |
|
|
| |
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
| |
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a simple version bump. Changes:
* noise: handshake constants can be read-only after init
* noise: no need to take the RCU lock if we're not dereferencing
* send: improve dead packet control flow
* receive: improve control flow
* socket: eliminate dead code
* device: our use of queues means this check is worthless
* device: no need to take lock for integer comparison
* blake2s: modernize API and have faster _final
* compat: support READ_ONCE
* compat: just make ro_after_init read_mostly
Assorted cleanups to the module, including nice things like marking our
precomputations as const.
* Makefile: even prettier output
* Makefile: do not clean before cloc
* selftest: better test index for rate limiter
* netns: disable accept_dad for all interfaces
Fixes in our testing and build infrastructure. Now works on the 4.14 rc
series.
* qemu: add build-only target
* qemu: work on ubuntu toolchain
* qemu: add more debugging options to main makefile
* qemu: simplify shutdown
* qemu: open /dev/console if we're started early
* qemu: phase out bitbanging
* qemu: always create directory before untarring
* qemu: newer packages
* qemu: put hvc directive into configuration
This is the beginning of working out a cross building test suite, so we do
several tricks to be less platform independent.
* tools: encoding: be more paranoid
* tools: retry resolution except when fatal
* tools: don't insist on having a private key
* tools: add pass example to wg-quick man page
* tools: style
* tools: newline after warning
* tools: account for padding being in zero attribute
Several important tools fixes, one of which suppresses a needless warning.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit f6c4a9c045797d9be12310eebc6341050fd260ce)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit b6c3931ad6554357a108127797c8d7097a93f18f introduced an AP-side
workaround for key reinstallation attacks. This option can be used to
mitigate KRACK on the station side, in case those stations cannot be
updated. Since many devices are out there will not receive an update
anytime soon (if at all), it makes sense to include this workaround.
Unfortunately this can cause interoperability issues and reduced
robustness of key negotiation, so disable the workaround by default, and
add an option to allow the user to enable it if he deems necessary.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit c5f97c9372da3229350184fb263c97d9ea8944c5)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
While these changes are not included in the advisory, upstream
encourages users to merge them.
See http://lists.infradead.org/pipermail/hostap/2017-October/037989.html
Added 013-Add-hostapd-options-wpa_group_update_count-and-wpa_p.patch so
that 016-Optional-AP-side-workaround-for-key-reinstallation-a.patch
applies without having to rework it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
|
| |
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 2f701194c29da50bfda968a83c6609843f74a7f4)
|
| |
|
|
|
|
|
|
| |
The subtarget cleanups made in cabf775 "x86: Refresh subtargets kernel config"
removed some important symbol disable statements, so revert the changes to the
subtarget configs for now.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The short log of changes since the 2016-06-10 release is below.
Jouni Malinen (1):
wireless-regdb: Remove DFS requirement for India (IN)
Ryan Mounce (1):
wireless-regdb: Update rules for Australia (AU) and add 60GHz rules
Seth Forshee (2):
wireless-regdb: Update 5 GHz rules for Canada
wireless-regdb: update regulatory.bin based on preceding changes
Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
(cherry picked from commit 8b12e62e9cd6ba2e3bb2e7f2555180df0173c7c6)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move wireguard from openwrt/packages to base a package.
This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.
WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 699c6fcc314225f79156a26db418e15bbc6bf10f)
|
| |
|
|
|
|
| |
Fixes CVE-2017-0786
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
|
| |
Refresh patches.
Fixes the following CVEs:
- CVE-2017-1000252
- CVE-2017-12153
- CVE-2017-12154
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
key reinstallation
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088
For more information see:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Backport of bbda81ce3077dfade2a43a39f772cfec2e82a9a5
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
| |
Xen support for x86/generic was added in 296772f9. This commit also
enables it for x86/64.
This was successfully tested with Xen 4.5.
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was done by simply running `make kernel_menuconfig CONFIG_TARGET=subtarget`
and then saving without changing any option.
Having consistent kernel config is important to avoid surprises, such
as the issue fixed with 6f0367c9 (where Xen support was silently
disabled when building the kernel, although it was present in the
initial config)
As far as I understand the build system, this shouldn't have any
user-visible impact, because the build system already merges the
various kernel configs during build.
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Xen serial console has been broken since the xen_domu subtarget
was merged in the generic x86 subtarget (commits 296772f9 and b36e24f3).
The reason for the broken serial console seems to be an IRQ conflict
between the serial console driver and the PATA_LEGACY driver:
[ 1.330125] genirq: Flags mismatch irq 8. 00000000 (hvc_console) vs. 00000000 (platform[pata_legacy.4])
[ 1.330134] hvc_open: request_irq failed with rc -16.
[ 1.330148] Warning: unable to open an initial console.
Just drop the PATA_LEGACY driver from the x86/generic and x86_64
subtargets, since this driver is marked experimental and only supports
very old ISA devices anyway. It is still included in the x86/legacy
subtarget where it rightfully belongs.
Fixes: FS#787
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a backport of 641a65fd062987a456216cc4fa91ff2910528261 in master.
This change re-enables PAE for the 32-bit x86 subtarget, which is
interesting in its own right but also necessary for Xen support.
Commit af1d1ebd ("x86: enable 4G high memory support for generic (32bit)
subtarget") inadvertently disabled both PAE and Xen support.
Fixes: FS#908
Cc: Daniel Golle <daniel@makrotopia.org>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
|
| |
|
|
|
|
|
| |
This PHY requires some extra programming to work reliably with all
devices. Backport upstream fix for it.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
|
|
|
| |
Backport required DT changes from commit dabdd123c90c.
Significantly improves stability and performance for MT76x2 and MT7603
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
| |
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
A default rssileds config exists for the TP-Link WA850RE v1 but the
rssiled package is not included by default.
The compressed 17.01.3 image size increases by 3302 bytes which should
be tolerable even for a 4MB flash board.
Fixes: FS#1043
Signed-off-by: Mathias Kresin <dev@kresin.me>
|
| |
|
|
|
|
|
|
| |
Fixes CVE-2017-9778.
Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
[reference fixed CVE]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
| |
Certain functions are available in system headers, but only work on
macOS 10.13
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current makefile unnecessarily pads sysupgrade image for Archer devices.
This has three implications:
1. higher risk of OOM when uploading the binary image to the device
2. much slower upgrade due to time wasted erasing and writing padding
3. grows image beyond available flash size if metadata are appended
This is already fixed in master, albeit in a completely different way (the
whole target have been reworked)
Fixes: FS#1025, FS#1039
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
|
| |
|
|
| |
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
| |
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
3fd58e9 2017-08-19 uhttpd: add manifest support
88c0b4b 2017-07-09 file: fix basic auth regression
99957f6 2017-07-02 file: remove unused "auth" member from struct
path_info
c0a569d 2017-07-02 proc: expose HTTP_AUTH_USER and HTTP_AUTH_PASS
ad93be7 2017-07-02 auth: store parsed username and password
fa51d7f 2017-07-02 proc: do not declare empty process variables
a8bf9c0 2017-01-26 uhttpd: Add TCP_FASTOPEN support
e6cfc91 2016-10-25 lua: ensure that PATH_INFO starts with a slash
Signed-off-by: Adrian Panella <ianchi74@outlook.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Instead of blindly enabling the odhcpd v6 server and RA server on the
lan port, only do that if the lan port protocol is "static"
This prevents the unhelpful case of a device being a dhcpv4 client and
v6 server on the same ethernet port.
Signed-off-by: Karl Palsson <karlp@etactica.com>
[PKG_SOURCE_DATE increase; odhcpd.defaults script cleanup]
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
| |
|
|
|
|
|
| |
336212c config: fix dhcpv4 server being started
336212c dhcpv6: assign all viable DHCPv6 addresses by default (FS#402, FS#524)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
| |
|
|
|
|
| |
Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495, 2017-CVE-14496
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The /bin/config_generate script and some other scripts are assuming the
/etc/config directory exists in the image. This is true in case for
example the package firewall, dropbear or dnsmasq are included, which
are adding the files under /etc/config/. Without any of these package
the system will not boot up fully because the /etc/config/ directory is
missing and some init scripts just fail.
Make sure all images with the base-files contain a /etc/config/
directory.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: John Crispin <john@phrozen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Module definitions for kmod-wdt-sunxi and kmod-eeprom-sunxi are removed
(wdt-sunxi was builtin anyways; nvmem-sunxi, which is the new name of
eeprom-sunxi is changed to builtin). As kmod-eeprom-sunxi was specified
in DEFAULT_PACKAGES, but not available on kernel 4.4, it was breaking the
image builder.
Support for kmod-sunxi-ir is added for kernel 4.4 (it is unclear why it
was disable before, it builds fine with with kernel 4.4).
Condtionals only relevant for pre-4.4 kernels are removed from modules.mk,
as sunxi does't support older kernels anymore.
Fixes FS#755.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit b428f45c062dc8ca8c2f35f491fa467dc5b85519.
If the optimized firmware download is disabled, the xdsl subsystem
hangs in the "idle request" state after physically disconnecting and
reconnecting the xdsl modem from the line.
It might fix the failing line init on boot as well.
Signed-off-by: Mathias Kresin <dev@kresin.me>
|
| |
|
|
|
|
|
|
| |
This fixes the following security problems:
* CVE-2017-1000100 TFTP sends more than buffer size
* CVE-2017-1000101 URL globbing out of bounds read
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
4.4.80+ contains 71a165f6397df07a06ce643de5c2dbae29bd3cfb, 4.9.41+ contains
6c78197e4a69c19e61dfe904fdc661b2aee8ec20 which are all backports of upstream
commit 0878fff1f42c18e448ab5b8b4f6a3eb32365b5b6 ("net: phy: Do not perform
software reset for Generic PHY").
Our local patch is no longer needed, all this patch was doing was utilizing
gen10g_soft_reset which does nothing either, so just keep the code unchanged.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
|
| |
|
|
| |
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
| |
With ltq-vdsl-mei 1.5.17.6 an optimized firmware download was added and
enabled by default. As soon as the optimized firmware download is
enabled, a watchdog based reboot is trigger between 24h to 48h of
uptime if the board isn't connected to a xdsl line.
Signed-off-by: Mathias Kresin <dev@kresin.me>
|
| |
|
|
|
|
|
|
| |
This is a backport form drv_dsl_cpe_api-4.18.10 and fixes some PM
thread handling issues which lead to high system load and watchdog
trigger within 1h of uptime for boards not connected to a xdsl line.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
|
| |
|
|
|
|
|
|
| |
This option is used to specify a file containing PEM certs, to complete the
local certificate chain. Which is quite usefull for "split-CA" setups.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
USB doesn't work in some danube boards because otg_cap
is missing since previous changes made on the USB-dwc2
lantiq driver. Fix it.
Tested on the ARV7518PW router.
Signed-off-by: Daniel Gonzalez Cabanelas <dgcbueu@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When bumping tcpdump from 4.9.1 to 4.9.2, I did not include the fixed
CVEs in the commit message. As the list of fixed CVEs is quite long,
we should probably mention them in the changelogs of the releases to
come. This commit will make sure this happens.
The following CVEs were fixed in 21014d9708d586becbd62da571effadb488da9fc:
CVE-2017-11541
CVE-2017-11541
CVE-2017-11542
CVE-2017-11542
CVE-2017-11543
CVE-2017-11543
CVE-2017-12893
CVE-2017-12894
CVE-2017-12895
CVE-2017-12896
CVE-2017-12897
CVE-2017-12898
CVE-2017-12899
CVE-2017-12900
CVE-2017-12901
CVE-2017-12902
CVE-2017-12985
CVE-2017-12986
CVE-2017-12987
CVE-2017-12988
CVE-2017-12989
CVE-2017-12990
CVE-2017-12991
CVE-2017-12992
CVE-2017-12993
CVE-2017-12994
CVE-2017-12995
CVE-2017-12996
CVE-2017-12997
CVE-2017-12998
CVE-2017-12999
CVE-2017-13000
CVE-2017-13001
CVE-2017-13002
CVE-2017-13003
CVE-2017-13004
CVE-2017-13005
CVE-2017-13006
CVE-2017-13007
CVE-2017-13008
CVE-2017-13009
CVE-2017-13010
CVE-2017-13011
CVE-2017-13012
CVE-2017-13013
CVE-2017-13014
CVE-2017-13015
CVE-2017-13016
CVE-2017-13017
CVE-2017-13018
CVE-2017-13019
CVE-2017-13020
CVE-2017-13021
CVE-2017-13022
CVE-2017-13023
CVE-2017-13024
CVE-2017-13025
CVE-2017-13026
CVE-2017-13027
CVE-2017-13028
CVE-2017-13029
CVE-2017-13030
CVE-2017-13031
CVE-2017-13032
CVE-2017-13033
CVE-2017-13034
CVE-2017-13035
CVE-2017-13036
CVE-2017-13037
CVE-2017-13038
CVE-2017-13039
CVE-2017-13040
CVE-2017-13041
CVE-2017-13042
CVE-2017-13043
CVE-2017-13044
CVE-2017-13045
CVE-2017-13046
CVE-2017-13047
CVE-2017-13048
CVE-2017-13049
CVE-2017-13050
CVE-2017-13051
CVE-2017-13052
CVE-2017-13053
CVE-2017-13054
CVE-2017-13055
CVE-2017-13687
CVE-2017-13688
CVE-2017-13689
CVE-2017-13690
CVE-2017-13725
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 2375e279a7cb462d62fd6028cb3fbd56217222de)
|
| |
|
|
|
| |
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 21014d9708d586becbd62da571effadb488da9fc)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add actual mirror and use main site as last resport
Source: http://www.tcpdump.org/mirrors.html
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit fd95397ee33a34704771de2ab26a5910b1a88c6f)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Conflicts:
package/network/utils/tcpdump/Makefile
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Setting ipv6 to auto in case of a pppoe interface will trigger the
creation of a dynamic wan_6 interface meaning two IPv6 interfaces
(wan6 and wan_6) will be active on top of the pppoe interface.
This leads to unpredictable behavior in the network; therefore set
ipv6 to 1 which will prevent the dynamic creation of the wan_6
interface.
Further alias the wan6 interface on top of the wan interface for pppoe
as the wan6 interface can only be started when the link local address is
ready. In case of pppoe the link local address is negotiated during the
Internet Protocol Control Protocol when the PPP link is setup meaning
all the IP address info is only available when the wan interface is up.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
