aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs
Commit message (Collapse)AuthorAgeFilesLines
* treewide: Add extra CPE identifierHauke Mehrtens2023-09-272-0/+2
| | | | | | | This adds some Common Platform Enumerations (CPE) identifiers which I found. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* packages: assign PKG_CPE_ID for all missing packagesAlexander Couzens2023-09-275-0/+5
| | | | | | | | | The PKG_CPE_ID links to NIST CPE version 2.2. Assign PKG_CPE_ID to all remaining package which have a CPE ID. Not every package has CPE id. Related: https://github.com/openwrt/packages/issues/8534 Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* openssl: update to 3.0.11Ivan Pavlov2023-09-241-2/+2
| | | | | | | | Changes between 3.0.10 and 3.0.11 [19 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. ([CVE-2023-4807]) Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com> (cherry picked from commit bfd54529fac075eeb70f2408042e0da03b5ec8cc)
* nettle: update to 3.9.1Nick Hainke2023-08-271-2/+2
| | | | | | | | Announcement: https://lists.gnu.org/archive/html/info-gnu/2023-06/msg00000.html Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit fabd8915698d9fb21aa80100a51e097505b61225)
* mbedtls: Update to version 2.28.4Hauke Mehrtens2023-08-112-5/+5
| | | | | | | | This only fixes minor problems. Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit d773fe5411cd4fdd8e107cfe338ed731001a1ade)
* openssl: update to 3.0.10Ivan Pavlov2023-08-092-4/+4
| | | | | | | | | | Changes between 3.0.9 and 3.0.10 [1 Aug 2023] * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com> (cherry picked from commit 92602f823a5f29fee41209ccef53ddddb2e89222)
* openssl: opt-out of lto usageChristophe Sokol2023-08-091-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes building with USE_LTO enabled: aarch64-openwrt-linux-musl-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -Os -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/build_dir/target-aarch64_cortex-a53_musl/openssl-3.0.9=openssl-3.0.9 -ffunction-sections -fdata-sections -flto=auto -fno-fat-lto-objects -Wformat -Werror=format-security -DPIC -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -DPIC -fPIC -Os -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/build_dir/target-aarch64_cortex-a53_musl/openssl-3.0.9=openssl-3.0.9 -ffunction-sections -fdata-sections -flto=auto -fno-fat-lto-objects -Wformat -Werror=format-security -fPIC -fstack-protector-strong -fPIC -fuse-ld=bfd -flto=auto -fuse-linker-plugin -fPIC -specs=/include/hardened-ld-pie.specs -znow -zrelro -L. -Wl,-z,defs -Wl,-znodelete -shared -Wl,-Bsymbolic -Wl,-z,now -Wl,-z,relro -L/staging_dir/toolchain-aarch64_cortex-a53_gcc-13.1.0_musl/usr/lib -L/staging_dir/toolchain-aarch64_cortex-a53_gcc-13.1.0_musl/lib -Wl,--gc-sections \ -o providers/legacy.so -Wl,--version-script=providers/legacy.ld \ providers/legacy-dso-legacyprov.o \ providers/liblegacy.a providers/libcommon.a -lcrypto -ldl -pthread ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `legacy_get_params': <artificial>:(.text.legacy_get_params+0xd4): undefined reference to `ossl_prov_is_running' ld.bfd: <artificial>:(.text.legacy_get_params+0xd8): undefined reference to `ossl_prov_is_running' ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `legacy_teardown': <artificial>:(.text.legacy_teardown+0x4): undefined reference to `ossl_prov_ctx_get0_libctx' ld.bfd: <artificial>:(.text.legacy_teardown+0x8): undefined reference to `ossl_prov_ctx_get0_libctx' ld.bfd: <artificial>:(.text.legacy_teardown+0x34): undefined reference to `ossl_prov_ctx_free' ld.bfd: <artificial>:(.text.legacy_teardown+0x38): undefined reference to `ossl_prov_ctx_free' ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `OSSL_provider_init': <artificial>:(.text.OSSL_provider_init+0x14): undefined reference to `ossl_prov_ctx_new' ld.bfd: <artificial>:(.text.OSSL_provider_init+0x18): undefined reference to `ossl_prov_ctx_new' ld.bfd: <artificial>:(.text.OSSL_provider_init+0x84): undefined reference to `ossl_prov_ctx_set0_libctx' ld.bfd: <artificial>:(.text.OSSL_provider_init+0x88): undefined reference to `ossl_prov_ctx_set0_libctx' ld.bfd: <artificial>:(.text.OSSL_provider_init+0x98): undefined reference to `ossl_prov_ctx_set0_handle' ld.bfd: <artificial>:(.text.OSSL_provider_init+0x9c): undefined reference to `ossl_prov_ctx_set0_handle' ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_kdfs+0x10): undefined reference to `ossl_kdf_pbkdf1_functions' ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_ciphers+0x10): undefined reference to `ossl_cast5128ecb_functions' ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_ciphers+0x30): undefined reference to `ossl_cast5128cbc_functions' [...] ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_digests+0x10): undefined reference to `ossl_md4_functions' ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_digests+0x30): undefined reference to `ossl_ripemd160_functions' collect2: error: ld returned 1 exit status Signed-off-by: Christophe Sokol <christophe@wk3.org> (cherry picked from commit 906616d20183bb7be4eb71812ef5e76cb3af56a0)
* libnl-tiny: update to latest Git HEADJo-Philipp Wich2023-07-271-6/+6
| | | | | | | | | | | | 8667347 build: allow passing SOVERSION value for dynamic library Also adjust packaging of the library to only ship the SOVERSION suffixed library object, to allow for concurrent installation of ABI-incompible versions in the future. Fixes: #13082 Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 4af0a72a65d7c92ed4e7c2455090f695f424903d)
* libbpf: Update to v1.2.2Tony Ambardar2023-07-201-3/+3
| | | | | | | | Update to the latest upstream release to include recent bugfixes: Link: https://github.com/libbpf/libbpf/compare/v1.2.0...v1.2.2 Signed-off-by: Tony Ambardar <itugrok@yahoo.com> (cherry picked from commit 1d5e7b85ccc58f3d010a54e82ccea81fc102262b)
* libnftnl: update to 1.2.6Nick Hainke2023-07-201-3/+3
| | | | | | | | Release Notes: https://lists.netfilter.org/pipermail/netfilter-announce/2023/000250.html Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit e57a752217113d066cdea2073f35e8c7c1fafaa6)
* wolfssl: update to 5.6.3Nick Hainke2023-07-083-6/+31
| | | | | | | | | | | | | | | | Release Notes: - https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.0-stable - https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.2-stable - https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.3-stable Refresh patch: - 100-disable-hardening-check.patch Backport patch: - 001-fix-detection-of-cut-tool-in-configure.ac.patch Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit 0e83b5e6cc8e2970905a2b32c990fa7491ff733c)
* libnl-tiny: update to latest git HEADHauke Mehrtens2023-07-021-3/+3
| | | | | | | d433990 Make struct nla_policy and struct nlattr const Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 513bcfdf78d7ffbcf244da2e6910a3d04b17ae01)
* openssl: passing cflags to configureJitao Lu2023-06-171-1/+2
| | | | | | | | | openssl sets additional cflags in its configuration script. We need to make it aware of our custom cflags to avoid adding conflicting cflags. Fixes: #12866 Signed-off-by: Jitao Lu <dianlujitao@gmail.com> (cherry picked from commit 51f57e7c2dd2799e34036ec74b3436bf490fade0)
* openssl: add linux-riscv64 into the targets listZoltan HERPAI2023-06-141-1/+5
| | | | | | | | Add "linux-riscv64-openwrt" into openssl configurations to enable building on riscv64. Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu> (cherry picked from commit a0840ecd5309921b62fcf5f563180ef8f955509e)
* wolfssl: change armvirt reference to armsrMathew McBride2023-06-131-2/+2
| | | | | | | armvirt target has been renamed to armsr (Arm SystemReady). Signed-off-by: Mathew McBride <matt@traverse.com.au> (cherry picked from commit 203deef82cdcb2c4deb01e2a4cee62a600723320)
* libubox: update to the latest versionFelix Fietkau2023-06-121-3/+3
| | | | | | | | | | | | | b09b316aeaf6 blobmsg: add blobmsg_parse_attr function eac92a4d5d82 blobmsg: add blobmsg_parse_array_attr ef5e8e38bd38 usock: fix poll return code check 6fc29d1c4292 jshn.sh: Add pretty-printing to json_dump 5893cf78da40 blobmsg: Don't do at run-time what can be done at compile-time 362951a2d96e uloop: fix uloop_run_timeout 75a3b870cace uloop: add support for integrating with a different event loop Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit b6e0a24c492537e5bbfa015e2a3638ccc53c164b)
* openssl: update to 3.0.9Ivan Pavlov2023-06-095-294/+4
| | | | | | | | | | | | | | | CVE-2023-2650 fix Remove upstreamed patches Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023] * Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255) * Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) * Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465) * Limited the number of nodes created in a policy tree (CVE-2023-0464) Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com> (cherry picked from commit 6348850f10545aac70db94d3a9555a4f2eb84281)
* openssl: fix uci config for built-in enginesTianling Shen2023-06-081-10/+3
| | | | | | | | | | | | | | | | | | | | | | | | Built-in engine configs are added in libopenssl-conf/install stage already, postinst/add_engine_config is just duplicating them, and due to the lack of `config` header it results a broken uci config: > uci: Parse error (invalid command) at line 3, byte 0 ``` config engine 'devcrypto' option enabled '1' engine 'devcrypto' option enabled '1' option builtin '1' ``` Add `builtin` option in libopenssl-conf/install stage and remove duplicate engine configuration in postinst/add_engine_config to fix this issue. Fixes: 0b70d55a64c39d ("openssl: make UCI config aware of built-in engines") Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org> (cherry picked from commit a0d71934253f599f4ac651b1b3a429901049e802)
* selinux-policy: update to 1.2.5Linhui Liu2023-05-311-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | 30d503a uci jsonfilter: pipe and leak e13cb64 rpcd leds 144781f jsonfilter, luci, ubus 1210762 rpcd and all agents get fd's leaked ab9227c rpcd 2f99e0e luci rpcd b43aaf3 rpcd (enable/disable services) luci peeraddr f20f03e rpcd 7bc74f6 rpcd reads all subj state and luci-bwc leaks 9634b17 adds inotify perms to anon_inode 3d3c17c adds bare anon_inode (linux 5.15) 7104b20 dnsmasq and luci 0de2c66 luci,rpcd, ucode, wpad 14f5cf9 luci and ucode e3ce84c rpcd, ucode and cgiio loose ends 96a2401 misc updates 9fe0490 initscript: remove redundant rules 71bd77e allow all init scripts to log to logd f697331 sandbox: make ttydev handling more robust a471877 simplify pty tty console access f738984 sandbox: also remove TIOSCTI from all ttydevs Signed-off-by: Linhui Liu <liulinhui36@gmail.com> (cherry picked from commit 4c5a9da8699a7982b8f03b28561f955d9d1313f1)
* pcre2: fix host compilation of libselinux by enabling PICPetr Štetiar2023-05-311-1/+2
| | | | | | | | | | | | | | | libselinux-3.5 fails to compile in Fedora 38 container due to the following: cc -O2 -I/openwrt/staging_dir/host/include -I/openwrt/staging_dir/hostpkg/include -I/openwrt/staging_dir/target-x86_64_musl/host/include -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -I/openwrt/staging_dir/hostpkg/include -L/openwrt/staging_dir/host/lib -L/openwrt/staging_dir/hostpkg/lib -L/openwrt/staging_dir/target-x86_64_musl/host/lib -Wl,-rpath=/openwrt/staging_dir/hostpkg/lib -shared -o libselinux.so.1 avc.lo avc_internal.lo avc_sidtab.lo booleans.lo callbacks.lo canonicalize_context.lo checkAccess.lo check_context.lo checkreqprot.lo compute_av.lo compute_create.lo compute_member.lo compute_relabel.lo compute_user.lo context.lo deny_unknown.lo disable.lo enabled.lo fgetfilecon.lo freecon.lo freeconary.lo fsetfilecon.lo get_context_list.lo get_default_type.lo get_initial_context.lo getenforce.lo getfilecon.lo getpeercon.lo init.lo is_customizable_type.lo label.lo label_db.lo label_file.lo label_media.lo label_support.lo label_x.lo lgetfilecon.lo load_policy.lo lsetfilecon.lo mapping.lo matchmediacon.lo matchpathcon.lo policyvers.lo procattr.lo query_user_context.lo regex.lo reject_unknown.lo selinux_check_securetty_context.lo selinux_config.lo selinux_internal.lo selinux_restorecon.lo sestatus.lo setenforce.lo setexecfilecon.lo setfilecon.lo setrans_client.lo seusers.lo sha1.lo stringrep.lo validatetrans.lo -L/openwrt/staging_dir/hostpkg/lib -lpcre2-8 -lfts -ldl -Wl,-soname,libselinux.so.1,--version-script=libselinux.map,-z,defs,-z,relro /usr/bin/ld: /openwrt/staging_dir/hostpkg/lib/libpcre2-8.a(pcre2_compile.c.o): relocation R_X86_64_32S against symbol `_pcre2_ucd_stage1_8' can not be used when making a shared object; recompile with -fPIC /usr/bin/ld: failed to set dynamic section sizes: bad value So lets fix it by enabling build of host static library with the position independent code option enabled. Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 12494f5b8a7bb48cbf7b2fba7d17a53981173120)
* bpftools: update, split off bpftool and libbpf packagesTony Ambardar2023-05-252-0/+85
| | | | | | | | | | | | | | | | My original bpftools package made "variant" builds of bpftool and libbpf as a convenience, since both used the same local kernel sources with the same versioning. This is no longer the case, since the commit below switched to using an out-of-tree build mirror hosting repos for each. Replace bpftools with separate bpftool and libbpf packages, each simplified and correctly versioned. Also fix the broken libbpf ABI introduced in the same commit. Existing build .config files are not impacted. Fixes: 00cbf6f6ab1d ("bpftools: update to standalone bpftools + libbpf, use the latest version") Signed-off-by: Tony Ambardar <itugrok@yahoo.com> (cherry picked from commit afe1bf11f2539f75e30ab3206891dbe6f8c43bd5) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libxml2: update to 2.11.4Nick Hainke2023-05-241-2/+2
| | | | | | | | | Release Notes: https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.4 Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit c520d682f02890afb38e43b862ca856e2b933507) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libcap: update to 2.69Nick Hainke2023-05-241-2/+2
| | | | | | | | | | Release Notes: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe Fixes: CVE-2023-2602 CVE-2023-2603 Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit 78c45c1e591ce5aeff9fb7eeae049662c4ac4ef2) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* nettle: update to 3.9Nick Hainke2023-05-202-7/+7
| | | | | | | | | | Changelog: https://git.lysator.liu.se/nettle/nettle/-/blob/26cd0222fd09b8f5dc0edba30d6908722c7e9b09/NEWS Refresh patch: - 100-portability.patch Signed-off-by: Nick Hainke <vincent@systemli.org>
* pcre2: switch to Github Releases and bump to 10.42Linhui Liu2023-05-201-4/+4
| | | | | | | | | The mirror at SourceForge is an unofficial mirror and no longer maintained. ChangeLogs: https://github.com/PCRE2Project/pcre2/blob/pcre2-10.42/ChangeLog Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
* libjson-c: import patch to fix compilation on macosNick Hainke2023-05-192-1/+185
| | | | | | | | | | | | | | Fixes errors in the form of: /Users/user/src/openwrt/openwrt/build_dir/hostpkg/json-c-0.16/json_util.c:63:35: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] const char *json_util_get_last_err() ^ void 1 error generated. ninja: build stopped: subcommand failed. Reported-by: Paul Spooren <mail@aparcar.org> Suggested-by: Paul Spooren <mail@aparcar.org> Signed-off-by: Nick Hainke <vincent@systemli.org>
* libxml2: update to 2.11.3Nick Hainke2023-05-182-4/+4
| | | | | | | | | | | | Changelog: - https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4 - https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.0 - https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.1 - https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.2 - https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.3 Fixes: CVE-2023-28484 CVE-2023-29469 Signed-off-by: Nick Hainke <vincent@systemli.org>
* treewide: replace AUTORELEASE with real PKG_RELEASETianling Shen2023-05-185-5/+5
| | | | | | | | | | | | | | | | | | Based on Paul Fertser <fercerpav@gmail.com>'s guidance: Change AUTORELEASE in rules.mk to: ``` AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile)) ``` then update all affected packages by: ``` for i in $(git grep -l PKG_RELEASE:=.*AUTORELEASE | sed 's^.*/\([^/]*\)/Makefile^\1^';); do make package/$i/clean done ``` Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* libselinux: update to 3.5Linhui Liu2023-05-181-6/+5
| | | | | | | | | | | | | Switch from libpcre to libpcre2. While working on it remove the double defined HOST_BUILD_DEPENDS section. Release Notes: https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt Signed-off-by: Linhui Liu <liulinhui36@gmail.com> [depend on libpcre2] Signed-off-by: Nick Hainke <vincent@systemli.org>
* libsemanage: update to 3.5Linhui Liu2023-05-181-2/+2
| | | | | | | | Release Notes: https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
* libsepol: update to 3.5Linhui Liu2023-05-181-2/+2
| | | | | | | | Release Notes: https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
* pcre: move package to packages feedNick Hainke2023-05-182-140/+0
| | | | | | | With the update of selinux no package depends anymore on pcre in the base repository. Move it to packages feed. Signed-off-by: Nick Hainke <vincent@systemli.org>
* pcre2: import pcre2 from packages feedNick Hainke2023-05-182-0/+138
| | | | | | | pcre2 is needed by newer selinux versions, so it needs to be in the base repository. Signed-off-by: Nick Hainke <vincent@systemli.org>
* libbsd: fix compilation with musl 1.2.4Robert Marko2023-05-161-1/+3
| | | | | | | | | | | musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so just having _GNU_SOURCE defined is not enough anymore. _LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions. Fixes: fff878c5bcda ("toolchain/musl: update to 1.2.4") Signed-off-by: Robert Marko <robimarko@gmail.com>
* libselinux: fix compilation with musl 1.2.4Robert Marko2023-05-151-0/+1
| | | | | | | | | | musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so just having _GNU_SOURCE defined is not enough anymore. _LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions. Signed-off-by: Robert Marko <robimarko@gmail.com>
* gettext-full: link to local libunistringMichael Pratt2023-05-151-2/+4
| | | | | | | Configure gettext to require and link to our local libunistring explicitly. Signed-off-by: Michael Pratt <mcpratt@pm.me>
* gettext-full: add missing link to libunistringMichael Pratt2023-05-151-0/+21
| | | | | | | | | | | | | | | | | | | | | | Running autoreconf or autogen.sh is causing the gettext-runtime subdirectory to have a configure script that looks for and attempts to link to an external libunistring. However, the macros and symbols for supporting that configuration are not present in this subdirectory yet. This results in some host machines to not build the included libunistring objects for libgrt, but at the same time, also not input the proper flag to the linker for linking to an external library when it is found or even when explicitly setting configuration to use a prefix for libunistring, resulting in the common linking failure "undefined reference". Some similar (and old...) upstream commits do the same thing, but only for gettext-tools and libgettextpo. Ref: ae943bcc1 ("Link with libunistring, if it exists.") # gettext.git Ref: 61e21a72f ("Avoid link error in programs that use libgettextpo.") # gettext.git Signed-off-by: Michael Pratt <mcpratt@pm.me>
* libunistring: add from packages feedMichael Pratt2023-05-151-0/+64
| | | | | | | | Add libunistring in order to link to gettext and other packages directly instead of the built-in substitute for it. Signed-off-by: Michael Pratt <mcpratt@pm.me>
* gettext-full: bootstrap to local gnulib sourceMichael Pratt2023-05-042-344/+39
| | | | | | | | | | | | | | | | | Using the local gnulib source during autogen.sh allows for fine-grained control over the macros and source files for use with gettext but part of gnulib instead of gettext, without having to wait for a release or deal with gnulib as a git submodule. This is an alternative to running autoreconf. It also removes the need to patch macros in the case where there is a conflict between the source and our aclocal directory. Signed-off-by: Michael Pratt <mcpratt@pm.me>
* gettext-full: link to local libxml2Michael Pratt2023-05-043-25/+35
| | | | | | | | | | | | | | | | | | | Some users have reported that gettext builds are attempting to link to libxml2 while it was supposed to be configured to use it's own built-in substitute. Configure gettext to require and link to our local libxml2 explicitly. Add a patch to revert upstream commit 87927a4e2 which forces libtextstyle to use the built-in libxml, no matter what the configuration is, making that option configurable again after the configure script is regenerated. Reported-by: Tianling Shen <cnsztl@immortalwrt.org> Signed-off-by: Michael Pratt <mcpratt@pm.me>
* gettext-full: set gperf as build prerequisiteMichael Pratt2023-05-041-0/+2
| | | | | | Require gperf to be built before gettext. Signed-off-by: Michael Pratt <mcpratt@pm.me>
* libxml2: add from packages feedMichael Pratt2023-05-042-0/+218
| | | | | | | Add libxml2 which can be used to build gettext instead of the old built-in substitute for it. Signed-off-by: Michael Pratt <mcpratt@pm.me>
* gettext-full: override SUBDIRS variable with MakefileMichael Pratt2023-05-042-23/+44
| | | | | | | | | | | | | | | | Instead of editing the SUBDIRS variable with a patch, it can be overriden at the end of the command line when invoking Make. This tool has a series of recursive Makefiles in each subdirectory, therefore SUBDIRS is set to a pattern of Make functions so that the result is variable depending on the current subdirectory that Make is being invoked in. Some of the subdirectories don't have a Makefile and are just storing files for another subdirectory Makefile target, therefore we have to place a fake Makefile that does nothing. Signed-off-by: Michael Pratt <mcpratt@pm.me>
* openssl: fix low-severity CVE-2023-1255Eneas U de Queiroz2023-04-292-1/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This applies commit 02ac9c94 to fix this OpenSSL Security Advisory issued on 20th April 2023[1]: Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255) ============================================================== Severity: Low Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare circumstances. The AES-XTS algorithm is usually used for disk encryption. The AES-XTS cipher decryption implementation for 64 bit ARM platform will read past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext buffer is unmapped, this will trigger a crash which results in a denial of service. If an attacker can control the size and location of the ciphertext buffer being decrypted by an application using AES-XTS on 64 bit ARM, the application is affected. This is fairly unlikely making this issue a Low severity one. 1. https://www.openssl.org/news/secadv/20230420.txt Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libpcap: update to 1.10.4Nick Hainke2023-04-221-2/+2
| | | | | | | Changes: https://git.tcpdump.org/libpcap/blob/104271ba4a14de6743e43bcf87536786d8fddea4:/CHANGES Signed-off-by: Nick Hainke <vincent@systemli.org>
* uclient: update to Git version 2023-04-13Matthias Schiffer2023-04-131-3/+3
| | | | | | | | 007d94546749 uclient: cancel state change timeout in uclient_disconnect() 644d3c7e13c6 ci: improve wolfSSL test coverage dc54d2b544a1 tests: add certificate check against letsencrypt.org Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* mbedtls: Update to version 2.28.3Hauke Mehrtens2023-04-103-96/+90
| | | | | | | | | | | | | | | This only fixes minor problems. Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3 The 100-fix-compile.patch patch was merged upstream, see: https://github.com/Mbed-TLS/mbedtls/issues/6243 https://github.com/Mbed-TLS/mbedtls/pull/7013 The code style of all files in mbedtls 2.28.3 was changed. I took a new version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this pull request: https://github.com/Mbed-TLS/mbedtls/pull/6475 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libcap: update to 2.68Nick Hainke2023-04-081-2/+2
| | | | | | | Release Notes: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.vdh3d47czmle Signed-off-by: Nick Hainke <vincent@systemli.org>
* openssl: fix CVE-2023-464 and CVE-2023-465Eneas U de Queiroz2023-04-073-1/+252
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Apply two patches fixing low-severity vulnerabilities related to certificate policies validation: - Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464) Severity: Low A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. - Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) Severity: Low Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Note: OpenSSL also released a fix for low-severity security advisory CVE-2023-466. It is not included here because the fix only changes the documentation, which is not built nor included in any OpenWrt package. Due to the low-severity of these issues, there will be not be an immediate new release of OpenSSL. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: add legacy providerEneas U de Queiroz2023-04-058-45/+123
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adapts the engine build infrastructure to allow building providers, and packages the legacy provider. Providers are the successors of engines, which have been deprecated. The legacy provider supplies OpenSSL implementations of algorithms that have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool. Even though these algorithms are implemented in a separate package, their removal makes the regular library smaller by 3%, so the build options will remain to allow lean custom builds. Their defaults will change to 'y' if not bulding for a small flash, so that the regular legacy package will contain a complete set of algorithms. The engine build and configuration structure was changed to accomodate providers, and adapt to the new style of openssl.cnf in version 3.0. There is not a clean upgrade path for the /etc/ssl/openssl.cnf file, installed by the openssl-conf package. It is recommended to rename or remove the old config file when flashing an image with the updated openssl-conf package, then apply the changes manually. An old openssl.cnf file will silently work, but new engine or provider packages will not be enabled. Any remaining engine config files under /etc/ssl/engines.cnf.d can be removed. On the build side, the include file used by engine packages was renamed to openssl-module.mk, so the engine packages in other feeds need to adapt. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>