aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs
Commit message (Collapse)AuthorAgeFilesLines
* wolfssl: Update to version 4.5.0Hauke Mehrtens2020-09-023-4/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * In earlier versions of wolfSSL there exists a potential man in the middle attack on TLS 1.3 clients. * Denial of service attack on TLS 1.3 servers from repetitively sending ChangeCipherSpecs messages. (CVE-2020-12457) * Potential cache timing attacks on public key operations in builds that are not using SP (single precision). (CVE-2020-15309) * When using SGX with EC scalar multiplication the possibility of side- channel attacks are present. * Leak of private key in the case that PEM format private keys are bundled in with PEM certificates into a single file. * During the handshake, clear application_data messages in epoch 0 are processed and returned to the application. Full changelog: https://www.wolfssl.com/docs/wolfssl-changelog/ Fix a build error on big endian systems by backporting a pull request: https://github.com/wolfSSL/wolfssl/pull/3255 The size of the ipk increases on mips BE by 1.4% old: libwolfssl24_4.4.0-stable-2_mips_24kc.ipk: 386246 new: libwolfssl24_4.5.0-stable-1_mips_24kc.ipk: 391528 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 00722a720c778e623d6f37af3a3b4e43b29c3fe8)
* wolfssl: use -fomit-frame-pointer to fix asm errorEneas U de Queiroz2020-09-021-2/+2
| | | | | | | | | | | | 32-bit x86 fail to compile fast-math feature when compiled with frame pointer, which uses a register used in a couple of inline asm functions. Previous versions of wolfssl had this by default. Keeping an extra register available may increase performance, so it's being restored for all architectures. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 750d52f6c90e2a144c250779741607f0cb306a94)
* wolfssl: update to 4.4.0-stableEneas U de Queiroz2020-09-021-2/+2
| | | | | | | | | | | | | This version adds many bugfixes, including a couple of security vulnerabilities: - For fast math (enabled by wpa_supplicant option), use a constant time modular inverse when mapping to affine when operation involves a private key - keygen, calc shared secret, sign. - Change constant time and cache resistant ECC mulmod. Ensure points being operated on change to make constant time. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 3481f6ffc79f46fc7ba86a4cc15ad958e99b5a82)
* mbedtls: update to 2.16.8Magnus Kroken2020-09-022-25/+25
| | | | | | | | | | | | | | | | | | This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most notable of them are described in more detail in the security advisories. * Local side channel attack on RSA and static Diffie-Hellman * Local side channel attack on classical CBC decryption in (D)TLS * When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. Full release announcement: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit 66893063abf56b7d8c21eceed56e5d27859eaaea)
* mbedtls: update to 2.16.7Magnus Kroken2020-08-272-27/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07 * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some changes to the download URLs are required. For the time being, the ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS. Signed-off-by: Magnus Kroken <mkroken@gmail.com> [Use https://codeload.github.com and new tar.gz file] Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 201d6776a0b5858b8ce43a2392c9fe48aa1c4dd7)
* nghttp2: bump to 1.41.0Hans Dedecker2020-07-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 8f7b008b Update bash_completion 83086ba9 Update manual pages c3b46625 Merge pull request from GHSA-q5wr-xfw9-q7xr 3eecc2ca Bump version number to v1.41.0, LT revision to 34:0:20 881c060d Update AUTHORS f8da73bd Earlier check for settings flood 336a98fe Implement max settings option ef415836 Revert "Add missing connection error handling" 979e6c53 Merge pull request #1459 from nghttp2/proxyprotov2 b7d16101 Add missing connection error handling cd53bd81 Merge pull request #1460 from gportay/patch-1 e5625b8c Fix doc c663349f integration: Add PROXY protocol v2 tests 854e9fe3 nghttpx: Always call init_forwarded_for c60ea227 Update doc 49cd8e6e nghttpx: Add PROXY-protocol v2 support 3b17a659 Merge pull request #1453 from Leo-Neat/master 600fcdf5 Merge pull request #1455 from xjtian/long_serials 4922bb41 static_cast size parameter in StringRef constructor to size_t aad86975 Fix get_x509_serial for long serial numbers dc7a7df6 Adding CIFuzz b3f85e2d Merge pull request #1444 from nghttp2/fix-recv-window-flow-control-issue ffb49c6c Merge pull request #1435 from geoffhill/master 2ec58551 Fix receiving stream data stall 459df42b Merge pull request #1442 from nghttp2/upgrade-llhttp a4c1fed5 Bump llhttp to 2.0.4 866eadb5 Enable session_create_idle_stream test, fix errors 5e13274b Fix typo e0d7f7de h2load: Allow port in --connect-to df575f96 h2load: add --connect-to option 1fff7379 clang-format-9 b40c6c86 Merge pull request #1418 from vszakats/patch-1 9bc2c75e lib/CMakeLists.txt: Make hard-coded static lib suffix optional 2d5f7659 Bump up version number to 1.41.0-DEV Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> Note this is cherry-pick from master. It fixes CVE-2020-11080 and https://github.com/nxhack/openwrt-node-packages/issues/679 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* libnetfilter-queue: fix package title and descriptionCatalin Patulea2020-06-281-3/+3
| | | | | | | | | | | The original text was copy/pasted from some other package. Adjust the package title and description to match the description on the publishers page. Signed-off-by: Catalin Patulea <catalinp@google.com> [slightly adjust content and commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 492a6594b97e765a2a93fadbe23534ae94f710fa)
* uclient: update to 19.07 Git HEADJo-Philipp Wich2020-06-171-3/+3
| | | | | | | | 51e16eb uclient-fetch: add option to read POST data from file 99aebe3 uclient: Add string error function Fixes: 0c910d8459 ("uclient: Update to version 2020-06-17") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "uclient: Update to version 2020-06-17"Jo-Philipp Wich2020-06-171-3/+3
| | | | | | | | | This reverts commit 0c910d845941b1df9c78a5039c1658e676c409be. We cannot use uclient Git HEAD as-is on 19.07 due to an older version of the ustream-ssl API. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* uclient: Update to version 2020-06-17Daniel Golle2020-06-171-3/+3
| | | | | | | | | | | | fef6d3d uclient: Add string error function af585db uclient-fetch: support specifying advertised TLS ciphers c660986 uclient-fetch: add option to read POST data from file Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry-squashed from commits 05145ffbefc71a94c1692dfb8ac440bc67974ded 98017228ddd5ce41a63da20b78f5d2e30c87c494 dd166960f48580bf6d4a8dde071b96832bfd9e1f 8e98613f4da82628cdb490c8202b56dc989e088b)
* libubox: update to the latest versionFelix Fietkau2020-05-261-3/+3
| | | | | | | | | | | 86818eaa976b blob: make blob_parse_untrusted more permissive cf2e8eb485ab tests: add fuzzer seed file for crash in blob_len c2fc622b771f blobmsg: fix length in blobmsg_check_array 639c29d19717 blobmsg: simplify and fix name length checks in blobmsg_check_name 66195aee5042 blobmsg: fix missing length checks Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit b371182d2450b3c4f15cbe790351d92a2a7b5a67)
* libubox: update to the latest masterRafał Miłecki2020-05-261-3/+3
| | | | | | | | | | | 5e75160 blobmsg: fix attrs iteration in the blobmsg_check_array_len() eeddf22 tests: runqueue: try to fix race on GitLab CI 89fb613 libubox: runqueue: fix use-after-free bug 1db3e7d libubox: runqueue fix comment in header 7c4ef0d tests: list: add test case for list_empty iterator Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit a765b063ee3e1dd6519f6a4a9e4d4f72214b33b8)
* libjson-c: backport security fixesRobert Marko2020-05-134-2/+117
| | | | | | | | | | | | | This backports upstream fixes for the out of bounds write vulnerability in json-c. It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592 Addresses CVE-2020-12762 Signed-off-by: Robert Marko <robert.marko@sartura.hr> Signed-off-by: Luka Perkov <luka.perkov@sartura.hr> [bump PKG_RELEASE, rebase patches on top of json-c 0.12] Signed-off-by: Jo-Philipp Wich <jo@mein.io> (backported from commit bc0288b76816578f5aeccb2abd679f82bfc5738e)
* ustream-ssl: update to 19.07 Git HEADJo-Philipp Wich2020-05-061-4/+4
| | | | | | | | 40b563b ustream-openssl: clear error stack before SSL_read/SSL_write 30cebb4 ustream-ssl: mbedtls: fix ssl client verification 77de09f ustream-ssl: mbedtls: fix net_sockets.h include warning Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* libpcap: fix library packaging issuesJo-Philipp Wich2020-05-061-1/+5
| | | | | | | | | | | | | Workaround a bug in patches/100-debian_shared_lib.patch - it attemptss to extract the library major version from debian/changelog which does not exist in the vanilla upstream tarball. Create a fake changelog file for now to satisfy the version extraction routine until we get around to properly augment the patch. Fixes: FS#2970 Fixes: 96ee7c8bfd ("libpcap: Update shared-lib patch from Debian to fix linking problems") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* libpcap: fix build breakage with very high number of simultaneous jobsPetr Štetiar2020-04-251-1/+1
| | | | | | | | | | | | | | | | | | | | | Building libpcap with high number (64) of simultaneous jobs fails: In file included from ./fmtutils.c:42:0: ./ftmacros.h:106:0: warning: "_BSD_SOURCE" redefined #define _BSD_SOURCE <command-line>:0:0: note: this is the location of the previous definition ./gencode.c:67:10: fatal error: grammar.h: No such file or directory #include "grammar.h" ^~~~~~~~~~~ compilation terminated. Makefile:99: recipe for target 'gencode_pic.o' failed So fix this by less intrusive way by disabling the parallel builds for this package. Ref: FS#3010 Signed-off-by: Petr Štetiar <ynezz@true.cz>
* openssl: bump to 1.1.1gPetr Štetiar2020-04-211-2/+2
| | | | | | | | | Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with high severity, assigned CVE-2020-1967. Ref: https://www.openssl.org/news/secadv/20200421.txt Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 3773ae127ac83766028f767ac744e87a7ddcaf50)
* mbedtls: update to 2.16.6Magnus Kroken2020-04-181-2/+2
| | | | | | | | | | | | | Security fixes for: * CVE-2020-10932 * a potentially remotely exploitable buffer overread in a DTLS client * bug in DTLS handling of new associations with the same parameters Full release announement: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit 02fcbe2f3d4eaf65e90bb167aa7818eacc08c633)
* mbedtls: update to version 2.16.5Josef Schlehofer2020-04-131-2/+2
| | | | | | | | | | | Changelog: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.5-and-2.7.14-released Security advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02 Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> (cherry picked from commit 36af1967f5fcfc889594a8af0f92f873f445d249)
* openssl: bump to 1.1.1fEneas U de Queiroz2020-04-012-83/+3
| | | | | | | | | | There were two changes between 1.1.1e and 1.1.1f: - a change in BN prime generation to avoid possible fingerprinting of newly generated RSA modules - the patch reversing EOF detection we had already applied. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit af5ccfbac74b859801cf174460fb8dbf9ed9e181)
* libpcap: Update shared-lib patch from Debian to fix linking problemsHauke Mehrtens2020-03-294-48/+156
| | | | | | | | | | | | | This updates the shared-lib patch to the recent version from debian found here: https://salsa.debian.org/rfrancoise/libpcap/-/blob/debian/1.9.1-2/debian/patches/shared-lib.diff This patch makes it include missing/strlcpy.o to the shared library which is needed for OpenWrt glibc builds, otherwise there is an undefined symbol and tcpdump and other builds are failing. Fixes: 44f11353de04 ("libpcap: update to 1.9.1") Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
* readline: needs host depend on ncurses to buildJan Kardell2020-03-291-0/+2
| | | | | | | We must ensure that host ncurses is build before host readline. Signed-off-by: Jan Kardell <jan.kardell@telliq.com> (cherry picked from commit ecef29b29463e7549779e90739e61f8729ccaf09)
* openssl: revert EOF detection change in 1.1.1Eneas U de Queiroz2020-03-292-1/+81
| | | | | | | | | | | | | | | | | | | | | | | This adds patches to avoid possible application breakage caused by a change in behavior introduced in 1.1.1e. It affects at least nginx, which logs error messages such as: nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error: 4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while keepalive, client: xxxx, server: [::]:443 Openssl commits db943f4 (Detect EOF while reading in libssl), and 22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the behavior when encountering an EOF in SSL_read(). Previous behavior was to return SSL_ERROR_SYSCALL, but errno would still be 0. The commits being reverted changed it to SSL_ERRO_SSL, and add an error to the stack, which is correct. Unfortunately this affects a number of applications that counted on the old behavior, including nginx. The reversion was discussed in openssl/openssl#11378, and implemented as PR openssl/openssl#11400. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 2e8a4db9b6b942e3180afda0dc0fd8ac506527f1)
* openssl: update to 1.1.1eEneas U de Queiroz2020-03-224-41/+22
| | | | | | | | This version includes bug and security fixes, including medium-severity CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit dcef8d6093cd54aa990a5ae0099a16e88a18dfbd)
* openssl: add configuration example for afalg-syncEneas U de Queiroz2020-03-222-2/+31
| | | | | | | | This adds commented configuration help for the alternate, afalg-sync engine to /etc/ssl/openssl.cnf. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit d9d689589b96bd80e57e5c603d84d6ee95049800)
* libubox: update to latest Git HEADJo-Philipp Wich2020-02-271-3/+3
| | | | | | | | | 7da6643 tests: blobmsg: add test case 75e300a blobmsg: fix wrong payload len passed from blobmsg_check_array Fixes: FS#2833 Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 955634b473284847e3c8281a6ac85655329d8b06)
* mbedtls: update to 2.16.4Magnus Kroken2020-01-262-24/+24
| | | | | | | | | | | | | | | | Fixes side channel vulnerabilities in mbed TLS' implementation of ECDSA. Release announcement: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released Security advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12 Fixes: * CVE-2019-18222: Side channel attack on ECDSA Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit 6e96fd90471a49185bcfe9dcb4844d444674ecab)
* libubox: update to version 2020-01-20Petr Štetiar2020-01-201-3/+3
| | | | | | | | | | | | | | | | | 43a103ff17ee blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes 5c0faaf4f5e2 tests: prefer dynamically allocated buffers 1ffa41535369 blobmsg_json: prefer snprintf usage 132ecb563da7 blobmsg: blobmsg_vprintf: prefer vsnprintf a2aab30fc918 jshn: prefer snprintf usage b0886a37f39a cmake: add a possibility to set library version a36ee96618a9 blobmsg: blobmsg_add_json_element() 64-bit values f0da3a4283b7 blobmsg_json: fix int16 serialization 20a070f08139 tests: blobmsg/json: add more test cases 379cd33d1992 tests: include json script shunit2 based testing Acked-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 5c73bb12c82c078d8a93cb896348b41598ed9e19)
* libubox: update to version 2019-12-28Petr Štetiar2020-01-051-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Contains following changes: cd75136b1342 blobmsg: fix wrong payload len passed from blobmsg_check_array eb7eb6393d47 blobmsg: fix array out of bounds GCC 10 warning 86f6a5b8d1f1 blobmsg: reuse blobmsg_namelen in blobmsg_data 586ce031eaa0 tests: fuzz: fuzz _len variants of checking methods b0e21553ae8c blobmsg: add _len variants for all attribute checking methods cd3059796a57 Replace use of blobmsg_check_attr by blobmsg_check_attr_len 143303149c8b Ensure blob_attr length check does not perform out of bounds reads f2b2ee441adb blobmsg: fix heap buffer overflow in blobmsg_parse 4dfd24ed88c4 blobmsg: make blobmsg_len and blobmsg_data_len return unsigned value 2df6d35e3299 tests: add test cases for blobmsg parsing 8a34788b46c4 test: fuzz: add blobmsg_check_attr crashes 478597b9f9ae blob: fix OOB access in blob_check_type 325418a7a3c0 tests: use blob_parse_untrusted variant 0b24e24b93e1 blob: introduce blob_parse_untrusted 6d27336e4a8b blob: refactor attr parsing into separate function 833d25797b16 test: fuzz: add blob_parse crashes 09ee90f8d6ed tests: add test cases for blob parsing 436d6363a10b tests: add libFuzzer based tests bf680707acfd tests: add unit tests covered with Clang sanitizers f804578847de cmake: add more hardening compiler flags 46f8268b4b5b blobmsg/ulog: fix format string compiler warnings eb216a952407 cmake: use extra compiler warnings only on gcc6+ 07413cce72e1 tests: jshn: add more test cases 26586dae43a8 jshn: fix missing usage for -p and -o arguments 8e832a771d3a jshn: fix off by one in jshn_parse_file cb698e35409b jshn: jshn_parse: fix leaks of memory pointed to by 'obj' c42f11cc7c0f jshn: main: fix leak of memory pointed to by 'vars' 93848ec96dc5 jshn: refactor main into smaller pieces 9b6ede0e5312 avl: guard against theoretical null pointer dereference c008294a8323 blobmsg_json: fix possible uninitialized struct member 0003ea9c45cc base64: fix possible null pointer dereference 8baeeea1f52d add assert.h component b0a5cd8a28bf add cram based unit tests 1fefb7c4d7f9 add initial GitLab CI support c955464d7a9b enable extra compiler checks 6228df9de91d iron out all extra compiler warnings and bumps ABI_VERSION to 20191228. Acked-by: Hauke Mehrtens <hauke@hauke-m.de> Signed-off-by: Petr Štetiar <ynezz@true.cz>
* wolfssl: bump to 4.3.0-stableEneas U de Queiroz2020-01-041-3/+3
| | | | | | | | This update fixes many bugs, and six security vulnerabilities, including CVE-2019-18840. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit d5ede68f8b67f8fa2b4102b90e5dd3722172299a)
* libubox: bump to version 2019-10-29Yousong Zhou2019-12-231-3/+3
| | | | | | | | It contains a single change to vlist.h header file: "vlist: add more macros for loop iteration". This is needed for newer version of fstools Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> (cherry picked from commit 51e76247762d265d4a4aac33456876b83b0cca25)
* libubox: update to latest git HEADRoman Yeryomin2019-12-231-3/+3
| | | | | | | eb30a03 libubox, jshn: add option to write output to a file Signed-off-by: Roman Yeryomin <roman@advem.lv> (cherry picked from commit c0e7ec91a0927002942631bbc995b90f5f7dd7ed)
* wolfssl: update to v4.2.0-stableEneas U de Queiroz2019-11-103-142/+4
| | | | | | | | | | | | | | | | Many bugs were fixed--2 patches removed here. This release of wolfSSL includes fixes for 5 security vulnerabilities, including two CVEs with high/critical base scores: - potential invalid read with TLS 1.3 PSK, including session tickets - potential hang with ocspstaping2 (always enabled in openwrt) - CVE-2019-15651: 1-byte overread when decoding certificate extensions - CVE-2019-16748: 1-byte overread when checking certificate signatures - DSA attack to recover DSA private keys Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit f4853f7cca816214cd6e64cffe2b73d0b8c16def)
* wolfssl: allow building with hw-crytpo and AES-CCMEneas U de Queiroz2019-11-104-21/+160
| | | | | | | | | Hardware acceleration was disabled when AES-CCM was selected as a workaround for a build failure. This applies a couple of upstream patches fixing this. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit ab19627ecc3923687fd339f4f23dc45572d00ce0)
* ustream-ssl: update to latest Git HEADJo-Philipp Wich2019-11-102-59/+3
| | | | | | | | c9b6668 ustream-ssl: skip writing pending data if .eof is true after connect Fixes: CVE-2019-5101, CVE-2019-5102 Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 6f9157e6bdea91507af84acdf53da7c0e6879bc1)
* ustream-ssl: Update to latest git HEADHauke Mehrtens2019-11-101-5/+5
| | | | | | | | | | | 465f8dc wolfssl: adjust to new API in v4.2.0 3b06c65 Update example certificate & key, fix typo 1c38fd8 wolfssl: enable CN validation 33308ee ustream-io-cyassl.c: fix client-mode connections 79d91aa Remove CyaSSL, WolfSSL < 3.10.4 support Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 57ff06405e09ebce705c01178143c3ce907993b2)
* ustream-ssl: backport fix for CVE-2019-5101, CVE-2019-5102Jo-Philipp Wich2019-11-052-1/+57
| | | | Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* libevent2: Update to 2.1.11Daniel Engberg2019-11-015-81/+94
| | | | | | | | | | | | | | | Update libevent to 2.1.11 Use CMake instead GNU Autotools Backport following commits: https://github.com/libevent/libevent/commit/f05ba671931e2b4e38459899f6f63f79f99869fe ..and partially https://github.com/libevent/libevent/commit/7201062f3ef505a77baa6ccaf1cf73812462308a to fix compilation Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net> (cherry picked from commit f351beedfd47766e5e44a04af50e3724bec54dbc) (resolves FS#2435) Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* openssl: Add engine configuration to openssl.cnfEneas U de Queiroz2019-10-202-1/+57
| | | | | | | | | | | | | This adds engine configuration sections to openssl.cnf, with a commented list of engines. To enable an engine, all you have to do is uncomment the engine line. It also adds some useful comments to the devcrypto engine configuration section. Other engines currently don't have configuration commands. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit cebf024c4d9fd761e55383a582f7e29ac7cc921c) Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* libpcap: update to 1.9.1DENG Qingfang2019-10-196-38/+19
| | | | | | | | | | | | | Fixed CVEs: CVE-2018-16301 CVE-2019-15161 CVE-2019-15162 CVE-2019-15163 CVE-2019-15164 CVE-2019-15165 Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn> (cherry picked from commit 44f11353de044834a442d3192b66579b99305720)
* uClibc++: Fix three bugsRosen Penev2019-10-196-20/+221
| | | | | | | | | | | | | | | | | | | | | | | | The first allows usage of several functions in the std namespace, which broke compilation of gddrescue specifically with uClibc-ng and uClibc++. The second allows usage of long long with normal C++11, which is part of the standard. Before, std=gnu++11 needed to be passsed to work around it. As a result of the second patch, the pedantic patch can safely be removed. Both patches are upstream backports. Added -std=c++11 to CFLAGS to guarentee proper inclusion of long long. Added another patch that fixes a typo with the long long support. Sent to upstream. Fixed up license information according to SPDX. Small cleanups for consistency. Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit 6ab386c9bc23420816fbcefc84b62cf5438b2c66)
* openssl: bump to 1.1.1dEneas U de Queiroz2019-09-2312-2524/+223
| | | | | | | | | | | | | | This version fixes 3 low-severity vulnerabilities: - CVE-2019-1547: ECDSA remote timing attack - CVE-2019-1549: Fork Protection - CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey Patches were refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit d868d0a5d7e1d76bb1a8980346d222fae55fa18b)
* uClibc++: Remove faulty patchRosen Penev2019-09-212-14/+1
| | | | | | | | | | | | | | | | This patch was originally added to fix compilation with v4l2rtspserver. Turns out it was v4l2rtspserver that was broken, not uClibc++. This now causes issues with a different package where the arguments are being split. Note that with this patch, shellcheck throws an error: SC2068: Double quote array expansions to avoid re-splitting elements. More: https://github.com/openwrt/packages/pull/9972#discussion_r324878373 Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit 977a8fc5fc2e1be6d159b2d9e1c617826b5d9701)
* mbedtls: update to 2.16.3Magnus Kroken2019-09-213-52/+25
| | | | | | | | Remove 300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch, the issue has been fixed upstream. Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit 49d96ffc5c47e40b7f3d99a91a42ea8a54a38bd9)
* libnftnl: bump to version 1.1.4Konstantin Demin2019-09-041-2/+2
| | | | | | | | | | | | | ABI version is same. The ipkg size increase by about 2.2%: old: 47.909 libnftnl11_1.1.3-1_arm_cortex-a7_neon-vfpv4.ipk new: 48.985 libnftnl11_1.1.4-1_arm_cortex-a7_neon-vfpv4.ipk Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> (cherry picked from commit 699955a684eb8f6eb39123632ec7e193fa132753)
* openssl: always build with EC supportEneas U de Queiroz2019-09-042-19/+2
| | | | | Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit f40262697f5aebed25313a1b2eb8f68d37c97e60)
* libnfnetlink: Avoid passing both -fPIC and -fpicRosen Penev2019-09-041-3/+4
| | | | | | | | | Instead, instruct the configure script to use $(FPIC) only. Mixing -fPIC and -fpic can cause issues on some platforms like PPC. Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit 926157c2ccb02aa06b343662ecbd2571faf6eddd)
* ncurses: Do not pass both -fPIC and -fpicRosen Penev2019-09-041-2/+4
| | | | | | | | | | | The configure scripts matches Linux with -fPIC, which is not exactly what is desired. Since we are already passing $(FPIC), added a CONFIGURE_VAR to avoid passing -fPIC. Removed PKG_BUILD_DIR as it is already the default value. Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit e2ecf39e8e49e43b4d358853f9da51e3897d042c)
* openssl: refresh patchesChristian Lamparter2019-09-043-7/+7
| | | | | Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (cherry picked from commit 5ef3fe614c1e8c350ca0083f61577a89c002bc53)
* elfutils: bump to 0.177Luiz Angelo Daros de Luca2019-09-042-43/+4
| | | | | | | 200-uclibc-ng-compat.patch is upstream now. Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com> (cherry picked from commit 0851ce4ff97260a0fab2a507ee8370e60f78370d)