| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
Upstream commit: 346d4c75eaa7a1d9bc8fcddc5db10a6aca95c005
5322f9d mbedtls: Fix setting allowed cipher suites
e8a1469 mbedtls: Add support for a session cache
Signed-off-by: John Crispin <john@phrozen.org>
|
|
|
|
|
|
|
|
|
|
| |
Upstream commit: 52ba5760b771d873fe21d260e3b53506663b6144
527e700 ustream-ssl: Remove RC4 from ciphersuite in server mode.
39a6ce2 ustream-ssl: Enable ECDHE with OpenSSL.
45ac930 remove polarssl support
Signed-off-by: John Crispin <john@phrozen.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream commit: f2c8f6dc3249b506b915741d12905402dfffe162
This make sit possible to store informations about a session and reuse
it later. When used by a server it increases the time to create a new
TLS session from about 1 second to less than 0.1 seconds.
The size of the ipkg file increased by about 800 Bytes.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
| |
This fixes some minor security problems and other bugs.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mbedtls changed in version 2.7.0 and 2.7.2 the soversion of the
libmbedcrypto.so library, use the old version again to be able to use
the new library with binaries compiled against the old mbedtls library.
Some binaries got rebuild to for the 2.7.0 release and are now using
libmbedcrypto.so.1, the older ones are still using libmbedcrypto.so.0.
Go back to libmbedcrypto.so.0 and make the system rebuild the binaries
which were rebuild for 2.7.0 again.
This should make the libmbedcrypto.so library be compatible with the old
version shipped with 17.01.
Fixes: 3ca1438ae0 ("mbedtls: update to version 2.7.2")
Fixes: f609913b5c ("mbedtls: update to version 2.7.0")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
| |
This fixes some minor security problems.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
| |
Fixes CVE-2018-0739
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes the following security problems:
* CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled
* CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures
This release is also ABI incompatible with the previous one, but it is
API compatible.
Some functions used by a lot of other software was renamed and the old
function names are provided as a static inline now, but they are only
active when deprecated functions are allowed, deactivate the removal of
deprecated functions for now.
Also increase the PKG_RELEASE version to force a rebuild and update of
packages depending on mbedtls to handle the changed ABI.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Works around two incompatiblities between glibc and (POSIX-compliant) musl:
- missing register definitions from asm/ptrace.h
- non-POSIX-compliant ucontext_t on PPC32 with glibc
Compile tested on mpc85xx.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
|
|
|
| |
Tested with perf on mvebu.
Signed-off-by: Maxim Gorbachyov <maxim.gorbachyov@gmail.com>
|
|
|
|
|
|
|
|
| |
1dafcd7 jshn: properly support JSON "null" type
6abafba jshn: read and write 64-bit integers
cfc75c5 runqueue: fix use-after-free bug
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
| |
Simplifies the code and reduces size
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit d5bcd0240a8f42a05ef31005a9a9dea848d3f7a8)
|
|
|
|
|
|
|
|
| |
When a library is using fortify-packages GCC will complain about
"error: format not a string literal, argument types not checked".
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
(cherry picked from commit 6ab45214644166846398e5e520d151c05cc4dd55)
|
|
|
|
|
| |
Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
(cherry picked from commit f5468d248613fee51d19715e0fa6e37012c0eda7)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we enable -fstack-protector while building libunwind, function
__stack_chk_fail_local will be referred to for i386 and powerpc32
arches. This will cause link failure because the default gcc build
specs says no link_ssp if -nostdlib is given.
The error message:
OpenWrt-libtool: link: ccache_cc -shared -fPIC -DPIC .libs/os-linux.o mi/.libs/init.o mi/.libs/flush_cache.o mi/.libs/mempool.o mi/.libs/strerror.o x86/.libs/is_fpreg.o x86/.libs/regname.o x86/.libs/Los-linux.o mi/.libs/backtrace.o mi/.libs/dyn-cancel.o mi/.libs/dyn-info-list.o mi/.libs/dyn-register.o mi/.libs/Ldyn-extract.o mi/.libs/Lfind_dynamic_proc_info.o mi/.libs/Lget_accessors.o mi/.libs/Lget_proc_info_by_ip.o mi/.libs/Lget_proc_name.o mi/.libs/Lput_dynamic_unwind_info.o mi/.libs/Ldestroy_addr_space.o mi/.libs/Lget_reg.o mi/.libs/Lset_reg.o mi/.libs/Lget_fpreg.o mi/.libs/Lset_fpreg.o mi/.libs/Lset_caching_policy.o x86/.libs/Lcreate_addr_space.o x86/.libs/Lget_save_loc.o x86/.libs/Lglobal.o x86/.libs/Linit.o x86/.libs/Linit_local.o x86/.libs/Linit_remote.o x86/.libs/Lget_proc_info.o x86/.libs/Lregs.o x86/.libs/Lresume.o x86/.libs/Lstep.o x86/.libs/getcontext-linux.o -Wl,--whole-archive ./.libs/libunwind-dwarf-local.a ./.libs/libunwind-elf32.a -Wl,--no-whole-archive -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/target-i386_i486_musl-1.1.16/usr/lib -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/target-i386_i486_musl-1.1.16/lib -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/toolchain-i386_i486_gcc-5.4.0_musl-1.1.16/usr/lib -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/toolchain-i386_i486_gcc-5.4.0_musl-1.1.16/lib -lc -lgcc -Os -march=i486 -fstack-protector -Wl,-z -Wl,now -Wl,-z -Wl,relro -nostartfiles -nostdlib -Wl,-soname -Wl,libunwind.so.8 -o .libs/libunwind.so.8.0.1
.libs/os-linux.o: In function `_Ux86_get_elf_image':
os-linux.c:(.text+0x588): undefined reference to `__stack_chk_fail_local'
x86/.libs/Lregs.o: In function `_ULx86_access_fpreg':
Lregs.c:(.text+0x25b): undefined reference to `__stack_chk_fail_local'
x86/.libs/Lresume.o: In function `_ULx86_resume':
Lresume.c:(.text+0xdc): undefined reference to `__stack_chk_fail_local'
collect2: error: ld returned 1 exit status
Makefile:2249: recipe for target 'libunwind.la' failed
The snippet from gcc -dumpspecs
%{!nostdlib:%{!nodefaultlibs:%(link_ssp) %(link_gcc_c_sequence)}}
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry picked from commit f0c37f6ceb10a1db0193d4270c6807c0b2f7a3a0)
|
|
|
|
|
| |
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 462ca4e059dbead678163da26fb4e14748f3021e)
|
|
|
|
|
| |
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit b3cba687a447478253f95febf17fa9376c98105d)
|
|
|
|
|
|
|
|
|
|
|
| |
Changes since 1.2
a77b0cd Bump version to v1.2.1
5f354cb mips/tilegx: Add missing unwind_i.h header file
620d1c3 Add aarch64 getcontext functionality.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry picked from commit 77dc6a2ae7c94ac3d496ebab589d4574ac7169d0)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
elfutils turns on -Werror by default, and patch 100-musl-compat.patch
changes how strerror_r is used and we no longer use the function's
return value. This causes the following build error/warning to occur
with glibc-based toolchains:
dwfl_error.c: In function 'dwfl_errmsg':
dwfl_error.c:158:18: error: ignoring return value of 'strerror_r',
declared with attribute warn_unused_result [-Werror=unused-result]
strerror_r (error & 0xffff, s, sizeof(s));
^
cc1: all warnings being treated as errors
Fixing this would be tricky as there are two possible signatures for
strerror_r (XSI and GNU), just turn off unused-result warnings instead.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
(cherry picked from commit 484f768dfa295d9fccd82c57cae00458f32b7182)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Addresses CVE-2015-3239: Off-by-one error in the dwarf_to_unw_regnum
function in include/dwarf_i.h in libunwind 1.1 allows local users to
have unspecified impact via invalid dwarf opcodes.
Upstream stable-v1.2 fixed the missing unwind_i.h issue but no new
tarball is released yet
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry picked from commit 5d48dc1146171520445c43ee894d9dfce09ae4e2)
|
|
|
|
|
|
|
|
|
| |
Removed patches (now upstream):
- 004-maybe-uninitialized.patch
- 007-fix_TEMP_FAILURE_RETRY.patch
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit ccc54b29352a7d30762b84761414aa1798ce1183)
|
|
|
|
|
|
|
| |
Update lzo to 2.10
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit cc5721c3b8e399126a270fd46f5ac4dffc9b3319)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
uClibc doesn't implement strerror_l() and thus libnl starting from
3.2.29 couldn't be compiled with it any longer, see
https://github.com/thom311/libnl/commit/6c2d111177e91184073c44f83d4a6182aaba06d7
To work-around that problem we'll just do a check on strerror_l()
availability during configuration and if it's not there just fall back
to locale-less strerror().
Patch for libnl is alreadfy merged upstream, see
https://github.com/thom311/libnl/commit/e15966ac7f3b43df2acf869f98089762807d0568
and once the next libnl release happens this one must be removed from
Lede/OpenWrt.
Signed-off-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: John Crispin <john@phrozen.org>
Cc: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit 51d9ac61c711e7e00f8f2eaf5b3503238864508a)
|
|
|
|
|
|
|
|
|
|
| |
musl provides a /lib/libc.so file which should be integrated into the libc
package when the external toolchain with musl is used.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit b6a8b43dd2771d4d237256417218bed862545ef4)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to let external toolchains be able to specify the path and
specification file to the libthread-db POSIX thread debugging shared
libraries.
This fixes GDB not being able to be installed because it is depending on
libthread-db:
Collected errors:
* satisfy_dependencies_for: Cannot satisfy the following dependencies
* for gdb:
* libthread-db *
* opkg_install_cmd: Cannot install package gdb.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
(cherry picked from commit 7f0c95a7dfff8aa0b6f5e3e78263cab108245e4c)
|
|
|
|
|
|
|
|
|
|
|
| |
Some toolchains will produce executables with an interpreter that is e.g:
ld.so.1 (typically a symbolic link). Due to our current LIBC_SPEC_FILE value,
we would not be able to copy this symbolic link/file over to the rootfs and
executables would fail to load. Extend the search pattern to include all
ld*.so* files that could be needed.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
(cherry picked from commit 200d932322f3d8c436a67c53f4fbca87f0aab8af)
|
|
|
|
|
|
|
|
|
|
| |
add no-ssl3-method again as 1.0.2n compiles without the ssl3-method(s)
Fixes CVEs: CVE-2017-3737, CVE-2017-3738
Signed-off-by: Peter Wagner <tripolar@gmx.at>
(backported from commit 55e70c8b72dbb8e812ceb790bf08543d69fce86e)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
|
|
| |
Update wolfssl to the latest release v3.12.2 and backport an upstream
pending fix for CVE-2017-13099 ("ROBOT vulnerability").
Ref: https://github.com/wolfSSL/wolfssl/pull/1229
Ref: https://robotattack.org/
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 902961c148b1f6d06a6159090366250281d801d7)
|
|
|
|
|
|
|
|
|
|
| |
don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 di disabled otherwise the compile breaks with this error:
../libssl.so: undefined reference to `SSLv3_client_method'
Fixes CVE: CVE-2017-3735, CVE-2017-3736
Signed-off-by: Peter Wagner <tripolar@gmx.at>
|
|
|
|
|
|
| |
4b87d83 uclient-fetch: fix overloading of output_file variable
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
|
|
|
|
|
|
|
| |
24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses
83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.
Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.
Fixes: FS#942
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released
* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current way of creating a STAMP_CONFIGURED filename for OpenSSL can
lead to an extremely long filename that makes touch unable to create it,
and fail the build.
Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a
shortert stamp file,
Fixes #572
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
|
|
|
|
|
|
| |
Use the defaults instead of a custom non-portable Host/Install section
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
| |
Our opkg fork requires libubox to build, so add a host build for it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
| |
This fixes the following security problems:
* CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
* SLOTH vulnerability
* Denial of Service through Certificate Revocation List
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
| |
This is needed to use the nflog interface with tcpdump
Signed-off-by: Martin Schiller <mschiller@tdt.de>
|
|
|
|
|
|
|
| |
This allows binaries that links these libraries statically to be reduced
by using --gc-sections on link
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
| |
USB support could be built into the kernel as well
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When calling erase() on a containers derived from __base_associative
(e.g. multimap) and providing a pair of iterators a segfault will
occur.
Example code to reproduce:
typedef std::multimap<int, int> testmap;
testmap t;
t.insert(std::pair<int, int>(1, 1));
t.insert(std::pair<int, int>(2, 1));
t.insert(std::pair<int, int>(3, 1));
t.erase(t.begin(), t.end());
Signed-off-by: Ben Kelly <ben@benjii.net>
|
|
|
|
|
|
| |
9d6305a utils: Change calloc_a() to return size_t aligned pointers
Signed-off-by: Ted Hess <thess@kitschensync.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds the following changes:
de3f14b uloop: add uloop_cancelling function
3b6181b utils: fix build on Mac OS X 10.12
7f671b1 blobmsg: add support for double
0fe1374 utils: add helper functions useful for allocating a ring buffer
8fc1c30 libubox: replace strtok with _r version.
4a9f74f libubox: allow reading out the pid of uloop process in lua
372e1e6 uloop: remove useless epoll data assignment
f9db1cb libubox: allow reading out the remaining time of a uloop timer in Lua
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The libtool target package stages its files into the host staging directory
and moves the libltdl library parts from there into the target staging
directory afterwards.
By doing so, the package essentially renders the host libtool infrastructure
unusable, leading to the below error in subsequent package builds:
libtoolize: $pkgltdldir is not a directory: `.../hostpkg/share/libtool`
Prevent this problem by using a dedicated libltdl install prefix in order to
avoid overwriting and moving away preexisting files belonging to tools/libtool.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
|
|
|
|
|
|
|
| |
This fixes the following security problems:
CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
|
|
| |
Update to 1.2.11 as suggested by upstream
Also add SF as primary source and main site as fallback
Note: SF doesn't carry the 1.2.11 update yet.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
|
|
|
|
|
| |
Signed-off-by: Domagoj Pintaric <domagoj.pintaric@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
|
|
|
|
|
|
|
| |
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
|
|
|
|
|
| |
The mbedTLS 1.3 branch has been EOL since end of 2016 and now all
remaining users have been converted.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|