aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* curl: fix security problemsHauke Mehrtens2017-09-303-1/+75
| | | | | | | | This fixes the following security problems: * CVE-2017-1000100 TFTP sends more than buffer size * CVE-2017-1000101 URL globbing out of bounds read Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to 2.6.0 CVE-2017-14032Kevin Darbyshire-Bryant2017-09-302-30/+30
| | | | | | | | | | | | | | | Fixed an authentication bypass issue in SSL/TLS. When the TLS authentication mode was set to 'optional', mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when it was not trusted. This could be triggered remotely on both the client and server side. (Note, with the authentication mode set by mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake was correctly aborted). Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Tested-by: Magnus Kroken <mkroken@gmail.com>
* generic: drop 704-phy-no-genphy-soft-reset.patchFlorian Fainelli2017-09-301-11/+0
| | | | | | | | | | | | 4.4.80+ contains 71a165f6397df07a06ce643de5c2dbae29bd3cfb, 4.9.41+ contains 6c78197e4a69c19e61dfe904fdc661b2aee8ec20 which are all backports of upstream commit 0878fff1f42c18e448ab5b8b4f6a3eb32365b5b6 ("net: phy: Do not perform software reset for Generic PHY"). Our local patch is no longer needed, all this patch was doing was utilizing gen10g_soft_reset which does nothing either, so just keep the code unchanged. Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
* kernel: update 4.4 to 4.4.89Hauke Mehrtens2017-09-3010-35/+35
| | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* ltq-vdsl-mei: disable optimized firmware downloadMathias Kresin2017-09-281-2/+2
| | | | | | | | | With ltq-vdsl-mei 1.5.17.6 an optimized firmware download was added and enabled by default. As soon as the optimized firmware download is enabled, a watchdog based reboot is trigger between 24h to 48h of uptime if the board isn't connected to a xdsl line. Signed-off-by: Mathias Kresin <dev@kresin.me>
* ltq-vdsl: fix PM thread suspend and resume handlingMartin Schiller2017-09-282-1/+108
| | | | | | | | This is a backport form drv_dsl_cpe_api-4.18.10 and fixes some PM thread handling issues which lead to high system load and watchdog trigger within 1h of uptime for boards not connected to a xdsl line. Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* openvpn: add "extra-certs" optionSven Roederer2017-09-252-1/+2
| | | | | | | | This option is used to specify a file containing PEM certs, to complete the local certificate chain. Which is quite usefull for "split-CA" setups. Signed-off-by: Sven Roederer <devel-sven@geroedel.de> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* lantiq: fix missing otg_cap on danube platformDaniel Gonzalez Cabanelas2017-09-201-24/+54
| | | | | | | | | | USB doesn't work in some danube boards because otg_cap is missing since previous changes made on the USB-dwc2 lantiq driver. Fix it. Tested on the ARV7518PW router. Signed-off-by: Daniel Gonzalez Cabanelas <dgcbueu@gmail.com>
* tcpdump: noop commit to refer CVEs fixed in 4.9.2Stijn Tintel2017-09-181-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When bumping tcpdump from 4.9.1 to 4.9.2, I did not include the fixed CVEs in the commit message. As the list of fixed CVEs is quite long, we should probably mention them in the changelogs of the releases to come. This commit will make sure this happens. The following CVEs were fixed in 21014d9708d586becbd62da571effadb488da9fc: CVE-2017-11541 CVE-2017-11541 CVE-2017-11542 CVE-2017-11542 CVE-2017-11543 CVE-2017-11543 CVE-2017-12893 CVE-2017-12894 CVE-2017-12895 CVE-2017-12896 CVE-2017-12897 CVE-2017-12898 CVE-2017-12899 CVE-2017-12900 CVE-2017-12901 CVE-2017-12902 CVE-2017-12985 CVE-2017-12986 CVE-2017-12987 CVE-2017-12988 CVE-2017-12989 CVE-2017-12990 CVE-2017-12991 CVE-2017-12992 CVE-2017-12993 CVE-2017-12994 CVE-2017-12995 CVE-2017-12996 CVE-2017-12997 CVE-2017-12998 CVE-2017-12999 CVE-2017-13000 CVE-2017-13001 CVE-2017-13002 CVE-2017-13003 CVE-2017-13004 CVE-2017-13005 CVE-2017-13006 CVE-2017-13007 CVE-2017-13008 CVE-2017-13009 CVE-2017-13010 CVE-2017-13011 CVE-2017-13012 CVE-2017-13013 CVE-2017-13014 CVE-2017-13015 CVE-2017-13016 CVE-2017-13017 CVE-2017-13018 CVE-2017-13019 CVE-2017-13020 CVE-2017-13021 CVE-2017-13022 CVE-2017-13023 CVE-2017-13024 CVE-2017-13025 CVE-2017-13026 CVE-2017-13027 CVE-2017-13028 CVE-2017-13029 CVE-2017-13030 CVE-2017-13031 CVE-2017-13032 CVE-2017-13033 CVE-2017-13034 CVE-2017-13035 CVE-2017-13036 CVE-2017-13037 CVE-2017-13038 CVE-2017-13039 CVE-2017-13040 CVE-2017-13041 CVE-2017-13042 CVE-2017-13043 CVE-2017-13044 CVE-2017-13045 CVE-2017-13046 CVE-2017-13047 CVE-2017-13048 CVE-2017-13049 CVE-2017-13050 CVE-2017-13051 CVE-2017-13052 CVE-2017-13053 CVE-2017-13054 CVE-2017-13055 CVE-2017-13687 CVE-2017-13688 CVE-2017-13689 CVE-2017-13690 CVE-2017-13725 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit 2375e279a7cb462d62fd6028cb3fbd56217222de)
* tcpdump: bump to 4.9.2Stijn Tintel2017-09-182-37/+41
| | | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit 21014d9708d586becbd62da571effadb488da9fc)
* utils/tcpdump: Rework URLsDaniel Engberg2017-09-181-2/+2
| | | | | | | | | | | | Add actual mirror and use main site as last resport Source: http://www.tcpdump.org/mirrors.html Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net> (cherry picked from commit fd95397ee33a34704771de2ab26a5910b1a88c6f) Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Conflicts: package/network/utils/tcpdump/Makefile
* base-files: fix wan6 interface config generation for pppoeHans Dedecker2017-09-182-6/+3
| | | | | | | | | | | | | | | | Setting ipv6 to auto in case of a pppoe interface will trigger the creation of a dynamic wan_6 interface meaning two IPv6 interfaces (wan6 and wan_6) will be active on top of the pppoe interface. This leads to unpredictable behavior in the network; therefore set ipv6 to 1 which will prevent the dynamic creation of the wan_6 interface. Further alias the wan6 interface on top of the wan interface for pppoe as the wan6 interface can only be started when the link local address is ready. In case of pppoe the link local address is negotiated during the Internet Protocol Control Protocol when the PPP link is setup meaning all the IP address info is only available when the wan interface is up. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ipq806x: Archer C2600: fix switch ports numberingBaptiste Jonglez2017-09-141-1/+4
| | | | | | | The order of LAN ports shown in Luci is reversed compared to what is written on the case of the device. Fix the order so that they match. Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
* treewide: fix shellscript syntax errors/typosLorenzo Santina2017-09-1310-11/+10
| | | | | | | | | Fix multiple syntax errors in shelscripts (of packages only) These errors were causing many conditions to not working properly Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> [increase PKG_RELEASE, drop command substitution from directip.sh] Signed-off-by: Mathias Kresin <dev@kresin.em>
* ramips: fix hg255d LED status supportDavid Yang2017-09-131-0/+1
| | | | | | | | Use the green power LED for boot status indication. Source: https://my.oschina.net/osbin/blog/278782 Para 3 Signed-off-by: David Yang <mmyangfl@gmail.com>
* ar71xx: fix MAC addresses on TP-Link TL-WR1043ND v4Matthias Schiffer2017-09-112-2/+3
| | | | | | | | | | The addresses were read from the 'config' partition, which would not always contain the addresses at the same offsets, depending on the stock firmware version used before flashing LEDE. Change this to get the addresses from the 'product-info' partition, which is read-only. Reported-and-tested-by: Andreas Ziegler <ml@andreas-ziegler.de> Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* hostapd: fix iapp_interface optionLorenzo Santina2017-09-101-1/+1
| | | | | | | ifname variable were not assigned due to syntax error causing the hostapd config file to have an empty iapp_interface= option Signed-off-by: Lorenzo Santina <lorenzo.santina.dev@gmail.com>
* kernel: update 4.4 to 4.4.87Kevin Darbyshire-Bryant2017-09-081-2/+2
| | | | | | | | | | Fixes CVE-2017-11600 No patch refresh required Compile & run tested: ar71xx - Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport arcount edns0 fixKevin Darbyshire-Bryant2017-09-082-1/+45
| | | | | | | | | Don't return arcount=1 if EDNS0 RR won't fit in the packet. Omitting the EDNS0 RR but setting arcount gives a malformed packet. Also, don't accept UDP packet size less than 512 in received EDNS0. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport official fix for CVE-2017-13704Kevin Darbyshire-Bryant2017-09-073-38/+95
| | | | | | | | | Remove LEDE partial fix for CVE-2017-13704. Backport official fix from upstream. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
* uclient: update to 2017-09-06Matthias Schiffer2017-09-061-3/+3
| | | | | | | 24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses 83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* kernel: update 4.4 to 4.4.86Kevin Darbyshire-Bryant2017-09-045-9/+9
| | | | | | Refresh patches Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* brcm47xx: refresh Linux 4.4 configRafał Miłecki2017-09-041-8/+8
| | | | Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* f2fs-tools: fix mkfs.f2fs on big-endian systemsStijn Tintel2017-09-032-1/+67
| | | | | | | Fixes: FS#749 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit cdb494fdc2d3399e698893ff0cfd06d3c802364f)
* f2fs-tools: drop musl compat patchStijn Tintel2017-09-031-10/+0
| | | | | | | It is no longer needed since version 1.4.1. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit 252c8ddf146f196faaa34cf7af9b3eacb79e6add)
* f2fs-tools: drop patch in favour of CONFIGURE_VARSStijn Tintel2017-09-032-19/+3
| | | | | | | | | Override the failing check in configure with CONFIGURE_VARS instead of carrying a patch that's unlikely to be accepted by upstream. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: John Crispin <john@phrozen.org> (cherry picked from commit d87f27af54e7c122c8f320f7266dd5061bb47a8b)
* f2fs-tools: Switch to gz tarballDaniel Engberg2017-09-031-3/+3
| | | | | | At some point kernel.org decided to drop xz generated tarballs, switch to gz which they still provide. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* dnsmasq: forward.c: fix CVE-2017-13704Kevin Darbyshire-Bryant2017-08-302-1/+38
| | | | | | | | | | | | | | | | Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset() is called with header & limit pointing at the same address and thus tries to clear memory from before the buffer begins. answer_request() is called with an invalid edns packet size provided by the client. Ensure the udp_size provided by the client is bounded by 512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512 MUST be treated as equal to 512" The client that exposed the problem provided a payload udp size of 0. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Acked-by: Hans Dedecker <dedeckeh@gmail.com>
* kernel: backport usbport LED trigger driver support for DTRafał Miłecki2017-08-211-0/+106
| | | | Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* kernel: fix of_node handling in LEDs core codeRafał Miłecki2017-08-214-0/+316
| | | | | | | | | This backports fixes for setting of_node and making it possible to read extra info from DT. This was partially fixed by: [PATCH] leds: leds-gpio: Set of_node for created LED devices but it didn't work during initialization. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* kernel: update 4.4 to 4.4.83Kevin Darbyshire-Bryant2017-08-1717-62/+44
| | | | | | | | | | | | | | | Refresh patches. Minor update 704-phy-no-genphy-soft-reset.patch which was partially accepted upstream. Compile-tested on ar71xx. Runtime-tested on ar71xx. Fixes the following vulnerabilities: - CVE-2017-7533 (4.4.80) - CVE-2017-1000111 (4.4.82) - CVE-2017-1000112 (4.4.82) Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* bcm53xx: backport DTS commits that setup USB LEDsRafał Miłecki2017-08-173-1/+214
| | | | Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* tcpdump: Update to 4.9.1Daniel Engberg2017-08-151-2/+2
| | | | | | | Fixes: * CVE-2017-11108: Fix bounds checking for STP. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* mbedtls: Re-allow SHA1-signed certificatesBaptiste Jonglez2017-08-112-1/+10
| | | | | | | | | | | | Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates. This breaks openvpn clients that try to connect to servers that present a TLS certificate signed with SHA1, which is fairly common. Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx. Fixes: FS#942 Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
* ramips: fix WHR-1166D WAN portMathias Kresin2017-08-111-1/+1
| | | | | | | | | | | | By adding the ICPlus IP1001 phy driver an already set RGMII delay mode is reset during driver load. Set the rgmii rx delay to fix corrupt/no packages in case the WAN port negotiates to 1000MBit. Fixes: FS#670 Signed-off-by: Mathias Kresin <dev@kresin.me>
* base-files: don't setup network in preinit if failsafe is disabledRafał Miłecki2017-08-091-1/+4
| | | | | | | | | | | | With failsafe disabled there is no point in early network setup. We don't send announcement over UDP and there is no way to ssh to the device. A side effect of this is avoiding a possibly incorrect network config (only with failsafe disabled). This problem is related to possible changes made by user in /etc/config/network. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* dnsmasq: backport remove ping check of configured dhcp addressHans Dedecker2017-08-082-1/+29
| | | | | | | Remove ping check in DHCPDISCOVER case as too many buggy clients leave an interface in configured state causing the ping check to fail. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: update to the latest git HEADHans Dedecker2017-08-081-3/+3
| | | | | | 66be6a2 watchdog: fix inline watchdog_get_magicclose function prototype Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ramips: ArcherC50v1: fix wlan2g MAC addressThibaut VARENE2017-08-061-0/+2
| | | | | | | | | | By default the wlan eprom contains the generic ralink MAC which is not the vendor (TP-Link) one. Based on OFW bootlog, it appears that addresses are decremented from the ethernet MAC. This patch fixes the MAC address for wlan2g in line with OFW. Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
* ramips: fix Omnima MiniEMBWiFi imageMathias Kresin2017-08-021-0/+1
| | | | | | | Reference the Omnima MiniEMBWiFi device tree source file in the image build code. Otherwise the dts of the image processed before is used. Signed-off-by: Mathias Kresin <dev@kresin.me>
* ramips: build HuaWei HG255D imageMathias Kresin2017-08-021-0/+7
| | | | | | | The code to build an image was disabled some time ago for unknown reasons albeit the image looks fine. Signed-off-by: Mathias Kresin <dev@kresin.me>
* ramips: add missing partitionsMathias Kresin2017-08-022-9/+57
| | | | | | The partitions were lost during migration to device tree. Signed-off-by: Mathias Kresin <dev@kresin.me>
* procd: update to latest git HEADJohn Crispin2017-08-011-3/+3
| | | | | | 3e68cdf procd: Do not leak pipe file descriptors to children Signed-off-by: John Crispin <john@phrozen.org>
* ralink: fix rcu_sched stalls on mt7621John Crispin2017-08-011-0/+98
| | | | | | | | | | there were 2 bugs *) core1 came up with a bad bogo mips, looks like the clock needed time to stabilize *) HPT frequency was not set making r4k timers not come up properly Backport of 9551d91b1d6 "ralink: fix rcu_sched stalls on mt7621". Signed-off-by: John Crispin <john@phrozen.org>
* ramips: Archer C50v1: fix power ledThibaut VARENE2017-07-292-1/+1
| | | | | | | | | | 01_leds had a workaround for the power led to compensate for the inverted GPIO state. This patch was missing from my previous commit. Signed-off-by: Thibaut VARENE <hacks@slashdirt.org> [add the power led default-state which was omitted in the last commit by me] Signed-off-by: Mathias Kresin <dev@kresin.me>
* ramips: Archer C50v1: fix switch port numberingThibaut VARENE2017-07-291-1/+4
| | | | | | | | Luci shows switch ports in wrong order on that device. This patch fixes switch port numbering and matches them to the device silkscreen. Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
* ramips: Archer C50v1: fix LEDs active levelsThibaut VARENE2017-07-291-2/+2
| | | | | | | | | | All LEDs GPIOs are active low on this device. WAN and POWER states were inverted. Add default state for power. Tested on Archer C50v1. Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
* ramips: fix Mercury MAC1200R v2.0 board nameMathias Kresin2017-07-292-1/+2
| | | | | | | | | | | | With d2b6bf141662 ("ramips: fix image validation errors") the board name was changed to fix an image validation error. But this change wasn't applied to all other files using the board name, which broke sysupgrade. Revert this change and use the former board name in the metadata instead. Signed-off-by: Mathias Kresin <dev@kresin.me>
* brcm63xx: add NULL clock fix send upstreamMathias Kresin2017-07-295-5/+53
| | | | | | | | | | Make the behaviour of clk_get_rate consistent with common clk's clk_get_rate by accepting NULL clocks as parameter. Some device drivers rely on this, and will cause an OOPS otherwise. Fixes: FS#735 Signed-off-by: Mathias Kresin <dev@kresin.me>
* ramips: add NULL clock fix send upstreamMathias Kresin2017-07-291-0/+43
| | | | | | | | | | Make the behaviour of clk_get_rate consistent with common clk's clk_get_rate by accepting NULL clocks as parameter. Some device drivers rely on this, and will cause an OOPS otherwise. Fixes: FS#735 Signed-off-by: Mathias Kresin <dev@kresin.me>