aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs
Commit message (Collapse)AuthorAgeFilesLines
* mbedtls: Update to version 2.16.12Hauke Mehrtens2022-02-131-2/+2
| | | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * Zeroize several intermediate variables used to calculate the expected value when verifying a MAC or AEAD tag. This hardens the library in case the value leaks through a memory disclosure vulnerability. For example, a memory disclosure vulnerability could have allowed a man-in-the-middle to inject fake ciphertext into a DTLS connection. * Fix a double-free that happened after mbedtls_ssl_set_session() or mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED (out of memory). After that, calling mbedtls_ssl_session_free() and mbedtls_ssl_free() would cause an internal session buffer to be free()'d twice. CVE-2021-44732 The sizes of the ipk changed on MIPS 24Kc like this: 182454 libmbedtls12_2.16.11-2_mips_24kc.ipk 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 57f38e2c827e3be71d8b1709073e366afe011985)
* mbedtls: update to 2.16.11Rosen Penev2022-02-131-2/+2
| | | | | | | | | | Switched to AUTORELEASE to avoid manual increments. Release notes: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11 Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit fcfd741eb83520e496eb09de5f8b2f2b62792a80)
* tcpdump: libpcap: Remove http://www.us.tcpdump.org mirrorHauke Mehrtens2022-02-131-2/+1
| | | | | | | | | | | | The http://www.us.tcpdump.org mirror will go offline soon, only use the normal download URL. Reported-by: Denis Ovsienko <denis@ovsienko.info> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 18bdfc803bef00fad03f90b73b6e65c3c79cb397) Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> [rebased for OpenWrt 21.02 branch] (cherry picked from commit 4dddb7ca3669e93d4da2b1ca43b8bc22bd007e48)
* openssl: bump to 1.1.1mEneas U de Queiroz2022-01-162-3/+3
| | | | | | | | | | | | | | This is a bugfix release. Changelog: *) Avoid loading of a dynamic engine twice. *) Fixed building on Debian with kfreebsd kernels *) Prioritise DANE TLSA issuer certs over peer certs *) Fixed random API for MacOS prior to 10.12 Patches were refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 5beaa75d94c4a981c580905b84c7ef33caf0c3e2)
* openssl: bump to 1.1.1lEneas U de Queiroz2021-08-302-6/+5
| | | | | | | | | | | This version fixes two vulnerabilities: - SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High - Read buffer overruns processing ASN.1 strings (CVE-2021-3712) Severity: Medium Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: use --cross-compile-prefix in ConfigureEneas U de Queiroz2021-08-301-3/+2
| | | | | | | | | | | | | | This sets the --cross-compile-prefix option when running Configure, so that that it will not use the host gcc to figure out, among other things, compiler defines. It avoids errors, if the host 'gcc' is handled by clang: mips-openwrt-linux-musl-gcc: error: unrecognized command-line option '-Qunused-arguments' Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> Tested-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit 2f75348923e564f1b73fbc32f7cabc355cd6e2b9)
* openssl: bump to 1.1.1kEneas U de Queiroz2021-03-272-24/+23
| | | | | | | | | | | | | This version fixes 2 security vulnerabilities, among other changes: - CVE-2021-3450: problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag. - CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 0bd0de7d43b3846ad0d7006294e1daaadfa7b532)
* openssl: sync package download URLs with masterPetr Štetiar2021-03-271-3/+5
| | | | | | | Apparently it fixes some broken URLs and as a bonus it makes cherry-picking of fixes easier. Signed-off-by: Petr Štetiar <ynezz@true.cz>
* mbedtls: update to 2.16.10Magnus Kroken2021-03-272-13/+13
| | | | | | | | | | | | | | | | | | | | This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues. Security fixes: * Fix a buffer overflow in mbedtls_mpi_sub_abs() * Fix an errorneous estimation for an internal buffer in mbedtls_pk_write_key_pem() * Fix a stack buffer overflow with mbedtls_net_poll() and mbedtls_net_recv_timeout() * Guard against strong local side channel attack against base64 tables by making access aceess to them use constant flow code Full release announcement: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10 Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit dbde2bcf60b5d5f54501a4b440f25fe7d02fbe5d)
* wolfssl: bump to v4.7.0-stableEneas U de Queiroz2021-03-065-92/+4
| | | | | | | | | | | | | | | Biggest fix for this version is CVE-2021-3336, which has already been applied here. There are a couple of low severity security bug fixes as well. Three patches are no longer needed, and were removed; the one remaining was refreshed. This tool shows no ABI changes: https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0 Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit d1dfb577f1c0d5b1f1fa35000c9ad7abdb7d10ed)
* openssl: bump to 1.1.1jEneas U de Queiroz2021-02-171-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes 4 security vulnerabilities/bugs: - CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support SSLv2, but the affected functions still exist. Considered just a bug. - CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. - CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. - Fixed SRP_Calc_client_key so that it runs in constant time. This could be exploited in a side channel attack to recover the password. The 3 CVEs above are currently awaiting analysis. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 482c9ff289c65480c8e7340e1740db24c62f91df)
* wolfssl: Backport fix for CVE-2021-3336Hauke Mehrtens2021-02-102-1/+54
| | | | | | | | | | | | | This should fix CVE-2021-3336: DoTls13CertificateVerify in tls13.c in wolfSSL through 4.6.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The patch is backported from the upstream wolfssl development branch. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 1f559cafe5cc1193a5962d40a2d938c66c783171)
* wolfssl: enable HAVE_SECRET_CALLBACKFelix Fietkau2021-02-021-0/+10
| | | | | | | Fixes wpad-wolfssl build Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit 55e23f2c02ae95e84613ed7d1cbf8aba557b8682)
* wolfssl: Fix hostapd build with wolfssl 4.6.0Hauke Mehrtens2021-02-021-0/+25
| | | | | | | | | | | | | This fixes the following build problem in hostapd: mipsel-openwrt-linux-musl/bin/ld: /builder/shared-workdir/build/tmp/ccN4Wwer.ltrans7.ltrans.o: in function `crypto_ec_point_add': <artificial>:(.text.crypto_ec_point_add+0x170): undefined reference to `ecc_projective_add_point' mipsel-openwrt-linux-musl/bin/ld: <artificial>:(.text.crypto_ec_point_add+0x18c): undefined reference to `ecc_map' mipsel-openwrt-linux-musl/bin/ld: /builder/shared-workdir/build/tmp/ccN4Wwer.ltrans7.ltrans.o: in function `crypto_ec_point_to_bin': <artificial>:(.text.crypto_ec_point_to_bin+0x40): undefined reference to `ecc_map' Fixes: ba40da9045f7 ("wolfssl: Update to v4.6.0-stable") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit e7d0d2e9dcaa0ff1197fb7beee139b6a5bd35c79)
* wolfssl: Update to v4.6.0-stableEneas U de Queiroz2021-02-023-30/+3
| | | | | | | | | | | | | | | | | | | This version fixes a large number of bugs and fixes CVE-2020-36177. Full changelog at: https://www.wolfssl.com/docs/wolfssl-changelog/ or, as part of the version's README.md: https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md Due a number of API additions, size increases from 374.7K to 408.8K for arm_cortex_a9_vfpv3-d16. The ABI does not change from previous version. Backported patches were removed; remaining patch was refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> [added reference to CVE] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit ba40da9045f77feb04abe63eb8a92f13f9efe471)
* mbedtls: update to 2.16.9Rosen Penev2021-01-181-2/+2
| | | | | Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit f13b623f5e53a72b65f45cbaf56c73df35e70ed2)
* openssl: update to 1.1.1iEneas U de Queiroz2020-12-161-2/+2
| | | | | | | | | Fixes: CVE-2020-1971, defined as high severity, summarized as: NULL pointer deref in GENERAL_NAME_cmp function can lead to a DOS attack. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 882ca13d923796438fd06badeb00dc95b7eb1467)
* openssl: bump to 1.1.1hEneas U de Queiroz2020-09-283-5/+5
| | | | | | | This is a bug-fix release. Patches were refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 475838de1a33d49d1a0b81aad374a8db6dd2b3c8)
* wolfssl: Update to version 4.5.0Hauke Mehrtens2020-09-023-4/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * In earlier versions of wolfSSL there exists a potential man in the middle attack on TLS 1.3 clients. * Denial of service attack on TLS 1.3 servers from repetitively sending ChangeCipherSpecs messages. (CVE-2020-12457) * Potential cache timing attacks on public key operations in builds that are not using SP (single precision). (CVE-2020-15309) * When using SGX with EC scalar multiplication the possibility of side- channel attacks are present. * Leak of private key in the case that PEM format private keys are bundled in with PEM certificates into a single file. * During the handshake, clear application_data messages in epoch 0 are processed and returned to the application. Full changelog: https://www.wolfssl.com/docs/wolfssl-changelog/ Fix a build error on big endian systems by backporting a pull request: https://github.com/wolfSSL/wolfssl/pull/3255 The size of the ipk increases on mips BE by 1.4% old: libwolfssl24_4.4.0-stable-2_mips_24kc.ipk: 386246 new: libwolfssl24_4.5.0-stable-1_mips_24kc.ipk: 391528 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 00722a720c778e623d6f37af3a3b4e43b29c3fe8)
* wolfssl: use -fomit-frame-pointer to fix asm errorEneas U de Queiroz2020-09-021-2/+2
| | | | | | | | | | | | 32-bit x86 fail to compile fast-math feature when compiled with frame pointer, which uses a register used in a couple of inline asm functions. Previous versions of wolfssl had this by default. Keeping an extra register available may increase performance, so it's being restored for all architectures. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 750d52f6c90e2a144c250779741607f0cb306a94)
* wolfssl: update to 4.4.0-stableEneas U de Queiroz2020-09-021-2/+2
| | | | | | | | | | | | | This version adds many bugfixes, including a couple of security vulnerabilities: - For fast math (enabled by wpa_supplicant option), use a constant time modular inverse when mapping to affine when operation involves a private key - keygen, calc shared secret, sign. - Change constant time and cache resistant ECC mulmod. Ensure points being operated on change to make constant time. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 3481f6ffc79f46fc7ba86a4cc15ad958e99b5a82)
* mbedtls: update to 2.16.8Magnus Kroken2020-09-022-25/+25
| | | | | | | | | | | | | | | | | | This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most notable of them are described in more detail in the security advisories. * Local side channel attack on RSA and static Diffie-Hellman * Local side channel attack on classical CBC decryption in (D)TLS * When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. Full release announcement: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit 66893063abf56b7d8c21eceed56e5d27859eaaea)
* mbedtls: update to 2.16.7Magnus Kroken2020-08-272-27/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07 * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some changes to the download URLs are required. For the time being, the ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS. Signed-off-by: Magnus Kroken <mkroken@gmail.com> [Use https://codeload.github.com and new tar.gz file] Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 201d6776a0b5858b8ce43a2392c9fe48aa1c4dd7)
* nghttp2: bump to 1.41.0Hans Dedecker2020-07-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 8f7b008b Update bash_completion 83086ba9 Update manual pages c3b46625 Merge pull request from GHSA-q5wr-xfw9-q7xr 3eecc2ca Bump version number to v1.41.0, LT revision to 34:0:20 881c060d Update AUTHORS f8da73bd Earlier check for settings flood 336a98fe Implement max settings option ef415836 Revert "Add missing connection error handling" 979e6c53 Merge pull request #1459 from nghttp2/proxyprotov2 b7d16101 Add missing connection error handling cd53bd81 Merge pull request #1460 from gportay/patch-1 e5625b8c Fix doc c663349f integration: Add PROXY protocol v2 tests 854e9fe3 nghttpx: Always call init_forwarded_for c60ea227 Update doc 49cd8e6e nghttpx: Add PROXY-protocol v2 support 3b17a659 Merge pull request #1453 from Leo-Neat/master 600fcdf5 Merge pull request #1455 from xjtian/long_serials 4922bb41 static_cast size parameter in StringRef constructor to size_t aad86975 Fix get_x509_serial for long serial numbers dc7a7df6 Adding CIFuzz b3f85e2d Merge pull request #1444 from nghttp2/fix-recv-window-flow-control-issue ffb49c6c Merge pull request #1435 from geoffhill/master 2ec58551 Fix receiving stream data stall 459df42b Merge pull request #1442 from nghttp2/upgrade-llhttp a4c1fed5 Bump llhttp to 2.0.4 866eadb5 Enable session_create_idle_stream test, fix errors 5e13274b Fix typo e0d7f7de h2load: Allow port in --connect-to df575f96 h2load: add --connect-to option 1fff7379 clang-format-9 b40c6c86 Merge pull request #1418 from vszakats/patch-1 9bc2c75e lib/CMakeLists.txt: Make hard-coded static lib suffix optional 2d5f7659 Bump up version number to 1.41.0-DEV Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> Note this is cherry-pick from master. It fixes CVE-2020-11080 and https://github.com/nxhack/openwrt-node-packages/issues/679 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* libnetfilter-queue: fix package title and descriptionCatalin Patulea2020-06-281-3/+3
| | | | | | | | | | | The original text was copy/pasted from some other package. Adjust the package title and description to match the description on the publishers page. Signed-off-by: Catalin Patulea <catalinp@google.com> [slightly adjust content and commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 492a6594b97e765a2a93fadbe23534ae94f710fa)
* uclient: update to 19.07 Git HEADJo-Philipp Wich2020-06-171-3/+3
| | | | | | | | 51e16eb uclient-fetch: add option to read POST data from file 99aebe3 uclient: Add string error function Fixes: 0c910d8459 ("uclient: Update to version 2020-06-17") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "uclient: Update to version 2020-06-17"Jo-Philipp Wich2020-06-171-3/+3
| | | | | | | | | This reverts commit 0c910d845941b1df9c78a5039c1658e676c409be. We cannot use uclient Git HEAD as-is on 19.07 due to an older version of the ustream-ssl API. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* uclient: Update to version 2020-06-17Daniel Golle2020-06-171-3/+3
| | | | | | | | | | | | fef6d3d uclient: Add string error function af585db uclient-fetch: support specifying advertised TLS ciphers c660986 uclient-fetch: add option to read POST data from file Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry-squashed from commits 05145ffbefc71a94c1692dfb8ac440bc67974ded 98017228ddd5ce41a63da20b78f5d2e30c87c494 dd166960f48580bf6d4a8dde071b96832bfd9e1f 8e98613f4da82628cdb490c8202b56dc989e088b)
* libubox: update to the latest versionFelix Fietkau2020-05-261-3/+3
| | | | | | | | | | | 86818eaa976b blob: make blob_parse_untrusted more permissive cf2e8eb485ab tests: add fuzzer seed file for crash in blob_len c2fc622b771f blobmsg: fix length in blobmsg_check_array 639c29d19717 blobmsg: simplify and fix name length checks in blobmsg_check_name 66195aee5042 blobmsg: fix missing length checks Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit b371182d2450b3c4f15cbe790351d92a2a7b5a67)
* libubox: update to the latest masterRafał Miłecki2020-05-261-3/+3
| | | | | | | | | | | 5e75160 blobmsg: fix attrs iteration in the blobmsg_check_array_len() eeddf22 tests: runqueue: try to fix race on GitLab CI 89fb613 libubox: runqueue: fix use-after-free bug 1db3e7d libubox: runqueue fix comment in header 7c4ef0d tests: list: add test case for list_empty iterator Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit a765b063ee3e1dd6519f6a4a9e4d4f72214b33b8)
* libjson-c: backport security fixesRobert Marko2020-05-134-2/+117
| | | | | | | | | | | | | This backports upstream fixes for the out of bounds write vulnerability in json-c. It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592 Addresses CVE-2020-12762 Signed-off-by: Robert Marko <robert.marko@sartura.hr> Signed-off-by: Luka Perkov <luka.perkov@sartura.hr> [bump PKG_RELEASE, rebase patches on top of json-c 0.12] Signed-off-by: Jo-Philipp Wich <jo@mein.io> (backported from commit bc0288b76816578f5aeccb2abd679f82bfc5738e)
* ustream-ssl: update to 19.07 Git HEADJo-Philipp Wich2020-05-061-4/+4
| | | | | | | | 40b563b ustream-openssl: clear error stack before SSL_read/SSL_write 30cebb4 ustream-ssl: mbedtls: fix ssl client verification 77de09f ustream-ssl: mbedtls: fix net_sockets.h include warning Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* libpcap: fix library packaging issuesJo-Philipp Wich2020-05-061-1/+5
| | | | | | | | | | | | | Workaround a bug in patches/100-debian_shared_lib.patch - it attemptss to extract the library major version from debian/changelog which does not exist in the vanilla upstream tarball. Create a fake changelog file for now to satisfy the version extraction routine until we get around to properly augment the patch. Fixes: FS#2970 Fixes: 96ee7c8bfd ("libpcap: Update shared-lib patch from Debian to fix linking problems") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* libpcap: fix build breakage with very high number of simultaneous jobsPetr Štetiar2020-04-251-1/+1
| | | | | | | | | | | | | | | | | | | | | Building libpcap with high number (64) of simultaneous jobs fails: In file included from ./fmtutils.c:42:0: ./ftmacros.h:106:0: warning: "_BSD_SOURCE" redefined #define _BSD_SOURCE <command-line>:0:0: note: this is the location of the previous definition ./gencode.c:67:10: fatal error: grammar.h: No such file or directory #include "grammar.h" ^~~~~~~~~~~ compilation terminated. Makefile:99: recipe for target 'gencode_pic.o' failed So fix this by less intrusive way by disabling the parallel builds for this package. Ref: FS#3010 Signed-off-by: Petr Štetiar <ynezz@true.cz>
* openssl: bump to 1.1.1gPetr Štetiar2020-04-211-2/+2
| | | | | | | | | Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with high severity, assigned CVE-2020-1967. Ref: https://www.openssl.org/news/secadv/20200421.txt Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 3773ae127ac83766028f767ac744e87a7ddcaf50)
* mbedtls: update to 2.16.6Magnus Kroken2020-04-181-2/+2
| | | | | | | | | | | | | Security fixes for: * CVE-2020-10932 * a potentially remotely exploitable buffer overread in a DTLS client * bug in DTLS handling of new associations with the same parameters Full release announement: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit 02fcbe2f3d4eaf65e90bb167aa7818eacc08c633)
* mbedtls: update to version 2.16.5Josef Schlehofer2020-04-131-2/+2
| | | | | | | | | | | Changelog: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.5-and-2.7.14-released Security advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02 Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> (cherry picked from commit 36af1967f5fcfc889594a8af0f92f873f445d249)
* openssl: bump to 1.1.1fEneas U de Queiroz2020-04-012-83/+3
| | | | | | | | | | There were two changes between 1.1.1e and 1.1.1f: - a change in BN prime generation to avoid possible fingerprinting of newly generated RSA modules - the patch reversing EOF detection we had already applied. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit af5ccfbac74b859801cf174460fb8dbf9ed9e181)
* libpcap: Update shared-lib patch from Debian to fix linking problemsHauke Mehrtens2020-03-294-48/+156
| | | | | | | | | | | | | This updates the shared-lib patch to the recent version from debian found here: https://salsa.debian.org/rfrancoise/libpcap/-/blob/debian/1.9.1-2/debian/patches/shared-lib.diff This patch makes it include missing/strlcpy.o to the shared library which is needed for OpenWrt glibc builds, otherwise there is an undefined symbol and tcpdump and other builds are failing. Fixes: 44f11353de04 ("libpcap: update to 1.9.1") Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
* readline: needs host depend on ncurses to buildJan Kardell2020-03-291-0/+2
| | | | | | | We must ensure that host ncurses is build before host readline. Signed-off-by: Jan Kardell <jan.kardell@telliq.com> (cherry picked from commit ecef29b29463e7549779e90739e61f8729ccaf09)
* openssl: revert EOF detection change in 1.1.1Eneas U de Queiroz2020-03-292-1/+81
| | | | | | | | | | | | | | | | | | | | | | | This adds patches to avoid possible application breakage caused by a change in behavior introduced in 1.1.1e. It affects at least nginx, which logs error messages such as: nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error: 4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while keepalive, client: xxxx, server: [::]:443 Openssl commits db943f4 (Detect EOF while reading in libssl), and 22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the behavior when encountering an EOF in SSL_read(). Previous behavior was to return SSL_ERROR_SYSCALL, but errno would still be 0. The commits being reverted changed it to SSL_ERRO_SSL, and add an error to the stack, which is correct. Unfortunately this affects a number of applications that counted on the old behavior, including nginx. The reversion was discussed in openssl/openssl#11378, and implemented as PR openssl/openssl#11400. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 2e8a4db9b6b942e3180afda0dc0fd8ac506527f1)
* openssl: update to 1.1.1eEneas U de Queiroz2020-03-224-41/+22
| | | | | | | | This version includes bug and security fixes, including medium-severity CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit dcef8d6093cd54aa990a5ae0099a16e88a18dfbd)
* openssl: add configuration example for afalg-syncEneas U de Queiroz2020-03-222-2/+31
| | | | | | | | This adds commented configuration help for the alternate, afalg-sync engine to /etc/ssl/openssl.cnf. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit d9d689589b96bd80e57e5c603d84d6ee95049800)
* libubox: update to latest Git HEADJo-Philipp Wich2020-02-271-3/+3
| | | | | | | | | 7da6643 tests: blobmsg: add test case 75e300a blobmsg: fix wrong payload len passed from blobmsg_check_array Fixes: FS#2833 Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 955634b473284847e3c8281a6ac85655329d8b06)
* mbedtls: update to 2.16.4Magnus Kroken2020-01-262-24/+24
| | | | | | | | | | | | | | | | Fixes side channel vulnerabilities in mbed TLS' implementation of ECDSA. Release announcement: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released Security advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12 Fixes: * CVE-2019-18222: Side channel attack on ECDSA Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit 6e96fd90471a49185bcfe9dcb4844d444674ecab)
* libubox: update to version 2020-01-20Petr Štetiar2020-01-201-3/+3
| | | | | | | | | | | | | | | | | 43a103ff17ee blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes 5c0faaf4f5e2 tests: prefer dynamically allocated buffers 1ffa41535369 blobmsg_json: prefer snprintf usage 132ecb563da7 blobmsg: blobmsg_vprintf: prefer vsnprintf a2aab30fc918 jshn: prefer snprintf usage b0886a37f39a cmake: add a possibility to set library version a36ee96618a9 blobmsg: blobmsg_add_json_element() 64-bit values f0da3a4283b7 blobmsg_json: fix int16 serialization 20a070f08139 tests: blobmsg/json: add more test cases 379cd33d1992 tests: include json script shunit2 based testing Acked-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 5c73bb12c82c078d8a93cb896348b41598ed9e19)
* libubox: update to version 2019-12-28Petr Štetiar2020-01-051-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Contains following changes: cd75136b1342 blobmsg: fix wrong payload len passed from blobmsg_check_array eb7eb6393d47 blobmsg: fix array out of bounds GCC 10 warning 86f6a5b8d1f1 blobmsg: reuse blobmsg_namelen in blobmsg_data 586ce031eaa0 tests: fuzz: fuzz _len variants of checking methods b0e21553ae8c blobmsg: add _len variants for all attribute checking methods cd3059796a57 Replace use of blobmsg_check_attr by blobmsg_check_attr_len 143303149c8b Ensure blob_attr length check does not perform out of bounds reads f2b2ee441adb blobmsg: fix heap buffer overflow in blobmsg_parse 4dfd24ed88c4 blobmsg: make blobmsg_len and blobmsg_data_len return unsigned value 2df6d35e3299 tests: add test cases for blobmsg parsing 8a34788b46c4 test: fuzz: add blobmsg_check_attr crashes 478597b9f9ae blob: fix OOB access in blob_check_type 325418a7a3c0 tests: use blob_parse_untrusted variant 0b24e24b93e1 blob: introduce blob_parse_untrusted 6d27336e4a8b blob: refactor attr parsing into separate function 833d25797b16 test: fuzz: add blob_parse crashes 09ee90f8d6ed tests: add test cases for blob parsing 436d6363a10b tests: add libFuzzer based tests bf680707acfd tests: add unit tests covered with Clang sanitizers f804578847de cmake: add more hardening compiler flags 46f8268b4b5b blobmsg/ulog: fix format string compiler warnings eb216a952407 cmake: use extra compiler warnings only on gcc6+ 07413cce72e1 tests: jshn: add more test cases 26586dae43a8 jshn: fix missing usage for -p and -o arguments 8e832a771d3a jshn: fix off by one in jshn_parse_file cb698e35409b jshn: jshn_parse: fix leaks of memory pointed to by 'obj' c42f11cc7c0f jshn: main: fix leak of memory pointed to by 'vars' 93848ec96dc5 jshn: refactor main into smaller pieces 9b6ede0e5312 avl: guard against theoretical null pointer dereference c008294a8323 blobmsg_json: fix possible uninitialized struct member 0003ea9c45cc base64: fix possible null pointer dereference 8baeeea1f52d add assert.h component b0a5cd8a28bf add cram based unit tests 1fefb7c4d7f9 add initial GitLab CI support c955464d7a9b enable extra compiler checks 6228df9de91d iron out all extra compiler warnings and bumps ABI_VERSION to 20191228. Acked-by: Hauke Mehrtens <hauke@hauke-m.de> Signed-off-by: Petr Štetiar <ynezz@true.cz>
* wolfssl: bump to 4.3.0-stableEneas U de Queiroz2020-01-041-3/+3
| | | | | | | | This update fixes many bugs, and six security vulnerabilities, including CVE-2019-18840. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit d5ede68f8b67f8fa2b4102b90e5dd3722172299a)
* libubox: bump to version 2019-10-29Yousong Zhou2019-12-231-3/+3
| | | | | | | | It contains a single change to vlist.h header file: "vlist: add more macros for loop iteration". This is needed for newer version of fstools Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> (cherry picked from commit 51e76247762d265d4a4aac33456876b83b0cca25)
* libubox: update to latest git HEADRoman Yeryomin2019-12-231-3/+3
| | | | | | | eb30a03 libubox, jshn: add option to write output to a file Signed-off-by: Roman Yeryomin <roman@advem.lv> (cherry picked from commit c0e7ec91a0927002942631bbc995b90f5f7dd7ed)