aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs
Commit message (Collapse)AuthorAgeFilesLines
* wolfssl: make WOLFSSL_HAS_OPENVPN default to yEneas U de Queiroz2022-06-091-1/+1
| | | | | | | | | | | | | Openvpn forces CONFIG_WOLFSSL_HAS_OPENVPN=y. When the phase1 bots build the now non-shared package, openvpn will not be selected, and WolfSSL will be built without it. Then phase2 bots have CONFIG_ALL=y, which will select openvpn and force CONFIG_WOLFSSL_HAS_OPENVPN=y. This changes the version hash, causing dependency failures, as shared packages expect the phase2 hash. Fixes: #9738 Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* Revert "wolfssl: set nonshared flag global"Christian 'Ansuel' Marangi2022-06-091-9/+1
| | | | | | | This reverts commit e0cc5b9b3ae65113f0e0dd9249dae4776b65c503. A better and correct solution was found. Signed-off-by: Christian 'Ansuel' Marangi <ansuelsmth@gmail.com>
* wolfssl: set nonshared flag globalChristian 'Ansuel' Marangi2022-06-091-1/+9
| | | | | | | | | | | | | | | | libwolfssl-benchmark should NOT be compiled as nonshared but currently there is a bug where, on buildbot stage2, the package is recompiled to build libwolfssl-benchmark and the dependency change to the new libwolfssl version. Each dependant package will now depend on the new wolfssl package instead of the one previously on stage1 that has a different package HASH. Set the nonshared PKGFLAGS global while this gets investigated and eventually fixed. Fixes: 0a2edc2714dc ("wolfssl: enable CPU crypto instructions") Signed-off-by: Christian 'Ansuel' Marangi <ansuelsmth@gmail.com>
* wolfssl: enable CPU crypto instructionsEneas U de Queiroz2022-06-072-0/+23
| | | | | | | | | | | | | | | | | | This enables AES & SHA CPU instructions for compatible armv8, and x86_64 architectures. Add this to the hardware acceleration choice, since they can't be enabled at the same time. The package was marked non-shared, since the arm CPUs may or may not have crypto extensions enabled based on licensing; bcm27xx does not enable them. There is no run-time detection of this for arm. NOTE: Should this be backported to a release branch, it must be done shortly before a new minor release, because the change to nonshared will remove libwolfssl from the shared packages, but the nonshared are only built in a subsequent release! Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: add benchmark utilityEneas U de Queiroz2022-06-071-3/+23
| | | | | | This packages the wolfssl benchmark utility. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: don't change ABI because of hw cryptoEneas U de Queiroz2022-06-071-10/+21
| | | | | | | | Enabling different hardware crypto acceleration should not change the library ABI. Add them to PKG_CONFIG_DEPENDS after the ABI version hash has been computed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libnl-tiny: update to the latest versionFelix Fietkau2022-05-231-4/+4
| | | | | | b5b2ba09c4f1 netlink: add NLA_F_NESTED to all nested attributes Signed-off-by: Felix Fietkau <nbd@nbd.name>
* elfutils: move host build to toolsStijn Tintel2022-05-181-4/+0
| | | | | | | | | | | The upcoming dwarves host package requires elfutils. As dependencies for tools must exist in tools, we need to move elfutils host build there. As there is at least one package that depends on this, and there is no proper way to create such dependency in the build system, build it unconditionally when not building on macOS. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* wolfssl: bump to v5.3.0-stableEneas U de Queiroz2022-05-153-45/+2
| | | | | | | | | This is mostly a bug fix release, including two that were already patched here: - 300-fix-SSL_get_verify_result-regression.patch - 400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: bump to 1.1.1oEneas U de Queiroz2022-05-152-6/+6
| | | | | | | | | | This release comes with a security fix related to c_rehash. OpenWrt does not ship or use it, so it was not affected by the bug. There is a fix for a possible crash in ERR_load_strings() when configured with no-err, which OpenWrt does by default. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libubox: update to the latest versionFelix Fietkau2022-05-151-3/+3
| | | | | | | | | f2d6752901f2 blob: clear buf->head when freeing a buffer 45210ce14136 list.h: add container_of_safe macro cfa372ff8aed blobmsg: implicitly reserve space for 0-terminator in string buf alloc d2223ef9da71 blobmsg: work around false positive gcc -Warray-bounds warnings Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wolfssl: fix compilation with /dev/cryptoEneas U de Queiroz2022-04-201-0/+19
| | | | | | This is trivial fix of a duplicate definition of 'int ret'. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* readline: add host PICRosen Penev2022-04-161-0/+1
| | | | | | | Python seems to fail to link to libreadline properly because of this. Not a fatal error but an error nontheless. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* pcre: pass -fPIC under host as wellRosen Penev2022-04-161-4/+4
| | | | | | static libraries need them as they are not PIC by default. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* wolfssl: bump to 5.2.0Eneas U de Queiroz2022-04-114-9/+7
| | | | | | | | | | | | | | | | Fixes two high-severity vulnerabilities: - CVE-2022-25640: A TLS v1.3 server who requires mutual authentication can be bypassed. If a malicious client does not send the certificate_verify message a client can connect without presenting a certificate even if the server requires one. - CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS v1.3 server can have its certificate heck bypassed. If the sig_algo in the certificate_verify message is different than the certificate message checking may be bypassed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libmnl: update to 1.0.5Nick Hainke2022-04-091-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes: Duncan Roe (5): nlmsg: Fix a missing doxygen section trailer build: doc: "make" builds & installs a full set of man pages build: doc: get rid of the need for manual updating of Makefile build: If doxygen is not available, be sure to report "doxygen: no" to ./configure src: doc: Fix messed-up Netlink message batch diagram Fernando Fernandez Mancera (1): src: fix doxygen function documentation Florian Westphal (1): libmnl: zero attribute padding Guillaume Nault (1): callback: mark cb_ctl_array 'const' in mnl_cb_run2() Kylie McClain (1): examples: nfct-daemon: Fix test building on musl libc Laura Garcia Liebana (4): examples: add arp cache dump example examples: fix neigh max attributes examples: fix print line format examples: reduce LOCs during neigh attributes validation Pablo Neira Ayuso (3): doxygen: remove EXPORT_SYMBOL from the output include: add MNL_SOCKET_DUMP_SIZE definition build: libmnl 1.0.5 release Petr Vorel (1): examples: Add rtnl-addr-add.c Stephen Hemminger (1): examples: rtnl-addr-dump: fix typo igo95862 (1): doxygen: Fixed link to the git source tree on the website. Signed-off-by: Nick Hainke <vincent@systemli.org>
* libnfnetlink: update to 1.0.2Nick Hainke2022-04-092-23/+3
| | | | | | | | | | | | | | | | | | | | | | | Changes: c63f193 bump version to 1.0.2 3cffa84 libnfnetlink: Check getsockname() return code 90ba679 include: Silence gcc warning in linux_list.h bb4f6c8 Make it clear that this library is deprecated e46569c Minimally resurrect doxygen documentation 5087de4 libnfnetlink: hide private symbols 62ca426 autogen: don't convert __u16 to u_int16_t efa1d8e src: Use stdint types everywhere 7a1a07c include: Sync with kernel headers 7633f0c libnfnetlink: initialize attribute padding to resolve valgrind warnings 94b68f3 configure: uclinux is also linux 617fe82 src: get source code license header in sync with current licensing terms 97a3960 build: resolve automake-1.12 warnings Removed the patch 100-missing_include.patch, libnfnetlink compiles fine with musl without this patch. Signed-off-by: Nick Hainke <vincent@systemli.org>
* libselinux: add missing host-build dependency on libsepol/hostDaniel Golle2022-04-061-1/+1
| | | | | | | | The host-build of libselinux requires libsepol/host. Add the libsepol/host to HOST_BUILD_DEPENDS to allow build on hosts which don't have libsepol installed. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* toolchain: reproducible libstdcppPaul Spooren2022-04-011-1/+2
| | | | | | | A Python script containing an unreproducible path is copied by default. Remove it before generating the package. Signed-off-by: Paul Spooren <mail@aparcar.org>
* libs/zlib: fix implicit function declaration warningPetr Štetiar2022-03-281-3/+3
| | | | | | | | | Fixes following warning: adler32.c:141:12: warning: implicit declaration of function 'NEON_adler32' [-Wimplicit-function-declaration] 141 | return NEON_adler32(adler, buf, len); Signed-off-by: Petr Štetiar <ynezz@true.cz>
* libs/zlib: bump to latest stable release 1.2.12 (CVE-2018-25032)Petr Štetiar2022-03-283-362/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | List of changes since previous release from 2018 is quite long: * Fix crc32.c to compile local functions only if used. * Check for cc masquerading as gcc or clang in configure. * Remove destructive aspects of make distclean. * Separate out address sanitizing from warnings in configure. * Eliminate use of ULL constants. * Add fallthrough comments for gcc. * Clean up minizip to reduce warnings for testing. * Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner) * minizip warning fix if MAXU32 already defined. (gvollant) * Replace black/white with allow/block. (theresa-m) * Fix indentation in minizip's zip.c. * Improve portability of contrib/minizip. * Correct typo in blast.c. * Change macro name in inflate.c to avoid collision in VxWorks. * Clarify gz* function interfaces, referring to parameter names. * Fix error in comment on the polynomial representation of a byte. * Fix memory leak on error in gzlog.c. * Avoid adding empty gzip member after gzflush with Z_FINISH. * Explicitly note that the 32-bit check values are 32 bits. * Use ARM crc32 instructions if the ARM architecture has them. * Add use of the ARMv8 crc32 instructions when requested. * Correct comment in crc32.c. * Don't bother computing check value after successful inflateSync(). * Use atomic test and set, if available, for dynamic CRC tables. * Speed up software CRC-32 computation by a factor of 1.5 to 3. * Add crc32_combine_gen() and crc32_combine_op() for fast combines. * Add tables for crc32_combine(), to speed it up by a factor of 200. * Fix the zran.c example to work on a multiple-member gzip file. * Add gznorm.c example, which normalizes gzip files. * Show all the codes for the maximum tables size in enough.c. * Clarify that prefix codes are counted in enough.c. * Use inline function instead of macro for index in enough.c. * Clean up code style in enough.c, update version. * Use a macro for the printf format of big_t in enough.c. * Use a structure to make globals in enough.c evident. * Assure that the number of bits for deflatePrime() is valid. * Fix a bug that can crash deflate on some input when using Z_FIXED. * Correct the initialization requirements for deflateInit2(). * Emphasize the need to continue decompressing gzip members. * Add legal disclaimer to README. * Fix deflateEnd() to not report an error at start of raw deflate. * Remove old assembler code in which bugs have manifested. * Make the names in functions declarations identical to definitions. * Avoid an undefined behavior of memcpy() in _tr_stored_block(). * Avoid undefined behaviors of memcpy() in gz*printf(). * Avoid an undefined behavior of memcpy() in gzappend(). * Avoid the use of ptrdiff_t. * Handle case where inflateSync used when header never processed. * Don't compute check value for raw inflate if asked to validate. * Add address checking in clang to -w option of configure. * Return an error if the gzputs string length can't fit in an int. * Small speedup to inflate [psumbera]. * Update use of errno for newer Windows CE versions. * Avoid some conversion warnings in gzread.c and gzwrite.c. * Have Makefile return non-zero error code on test failure. * Avoid a conversion error in gzseek when off_t type too small. * Fix CLEAR_HASH macro to be usable as a single statement. * Fix bug when window full in deflate_stored(). * Limit hash table inserts after switch from stored deflate. * Permit a deflateParams() parameter change as soon as possible. * Cygwin does not have _wopen(), so do not create gzopen_w() there. Removed 006-fix-compressor-crash-on-certain-inputs.patch which was hotfix for CVE-2018-25032 and is now included in this release. This release is not available on @SF (yet?) so the sources are now pulled from GitHub. Fixes: CVE-2018-25032 Signed-off-by: Petr Štetiar <ynezz@true.cz>
* elfutils: fix host compilation with Alpine LinuxRosen Penev2022-03-271-0/+4
| | | | | | | | | | | | | intl is not included in libc, disable it as is done with the target package. argp is also not included. Add build depends for argp-standalone. fts is also not included. Add build depends for musl-fts. Disable shared libraries to avoid having to manually add rpath. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* pcre: disable shared libraries for host buildsRosen Penev2022-03-271-0/+1
| | | | | | | | Getting rid of shared libraries for hostpkg avoids having to use rpath hacks to find the library. It also fixes compilation with host glib2 binaries. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* musl-fts: remove shared libraries from hostRosen Penev2022-03-271-0/+1
| | | | | | | | Avoids having to add rpath to the various packages using it. Also add PIC to fix compilation as static libraries do not use PIC by default. Fixes: 1fb099341e58 ("musl-fts: add host build") Signed-off-by: Rosen Penev <rosenp@gmail.com>
* libselinux: use musl-fts for host buildsRosen Penev2022-03-251-2/+5
| | | | | | | | Fixes compilation under musl based distros like Alpine Linux. Also add pcre/host as a build dependency as it's needed. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* musl-fts: add host buildRosen Penev2022-03-251-0/+2
| | | | | | This will be used for libselinux. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* gettext-full: add gmsgfmt symlink in host installStijn Tintel2022-03-251-0/+5
| | | | | | | | | | | | | | Some configure scripts look for msgfmt and gmsgfmt. As we don't install the latter, configure might pick up one from staging_dir/hostpkg, and the other from the host: checking for msgfmt... /home/stijn/Development/OpenWrt/openwrt/staging_dir/hostpkg/bin/msgfmt checking for gmsgfmt... /usr/bin/gmsgfmt This could potentially lead to hard to debug undefined behaviour. Install a symlink in the host install phase to avoid this. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* zlib: backport security fix for a reproducible crash in compressorPetr Štetiar2022-03-242-1/+344
| | | | | | | | | | | | | | Tavis has just reported, that he was recently trying to track down a reproducible crash in a compressor. Believe it or not, it really was a bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs. Tavis has reported it upstream, but it turns out the issue has been public since 2018, but the patch never made it into a release. As far as he knows, nobody ever assigned it a CVE. Suggested-by: Tavis Ormandy <taviso@gmail.com> References: https://www.openwall.com/lists/oss-security/2022/03/24/1 Signed-off-by: Petr Štetiar <ynezz@true.cz>
* openssl: move engine.mk to INCLUDE_DIREneas U de Queiroz2022-03-232-48/+2
| | | | | | | | | engine.mk is supposed to be included by engine packages, but it will not be present in the SDK in the same place as in the main repository. Move it to include/openssl-engine.mk to avoid this. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* ncurses: update to 6.3Huangbin Zhan2022-03-196-37/+37
| | | | | | release notes: https://invisible-island.net/ncurses/announce-6.3.html Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
* argp-standalone: fix compilation with Alpine LinuxRosen Penev2022-03-161-1/+3
| | | | | | This package is a C89 one. Add the proper CFLAG to fix compilation. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* openssl: bump to 1.1.1nMartin Schiller2022-03-161-3/+3
| | | | | | | | | | | | | This is a bugfix release. Changelog: *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli. (CVE-2022-0778) *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3. Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* libnetfilter-conntrack: backport patch fixing compilation with 5.15Ansuel Smith2022-03-052-1/+50
| | | | | | Backport patch fixing compilation with 5.15 and musl provided by Robert Marko Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* argp-standalone: add host-compile abilitySergey V. Lobanov2022-02-261-1/+12
| | | | | | | | | This patch adds host-compile ability to argp-standalone for build hosts without glibc and argp lib, e.g. MacOS. iucode-tool/host can not be built on MacOS due to lack of argp. Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* mbedtls: update to 2.28.0 LTS branchLucian Cristian2022-02-262-24/+28
| | | | | | | | | | | | | | | | | | | | | | | | <https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0> "Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024." <https://github.com/ARMmbed/mbedtls/blob/development/BRANCHES.md> "Currently, the only supported LTS branch is: mbedtls-2.28. For a short time we also have the previous LTS, which has recently ended its support period, mbedtls-2.16. This branch will move into the archive namespace around the time of the next release." this will also add support for uacme ualpn support. size changes 221586 libmbedtls12_2.28.0-1_mips_24kc.ipk 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com> (remark about 2.16's EOS, slightly reworded) Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* wolfssl: fix API breakage of SSL_get_verify_resultPetr Štetiar2022-02-221-0/+26
| | | | | | | | | | | | | | | | | | Backport fix for API breakage of SSL_get_verify_result() introduced in v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return X509_V_OK when used on LE powered sites or other sites utilizing relaxed/alternative cert chain validation feature. After an update to v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA error and thus rendered all such connection attempts imposible: $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org" Downloading 'https://letsencrypt.org' Connecting to 18.159.128.50:443 Connection error: Invalid SSL certificate Fixes: #9283 References: https://github.com/wolfSSL/wolfssl/issues/4879 Signed-off-by: Petr Štetiar <ynezz@true.cz>
* openssl: configure engines with uciEneas U de Queiroz2022-02-225-62/+54
| | | | | | | | | | | | | | | | | | | | | | | | This uses uci to configure engines, by generating a list of enabled engines in /var/etc/ssl/engines.cnf from engines configured in /etc/config/openssl: config engine 'devcrypto' option enabled '1' Currently the only options implemented are 'enabled', which defaults to true and enables the named engine, and the 'force' option, that enables the engine even if the init script thinks the engine does not exist. The existence test is to check for either a configuration file /etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file /usr/lib/engines-1.1/%ENGINE%.so. The engine list is generated by an init script which is set to run after 'log' because it informs the engines being enabled or skipped. It should run before any service using OpenSSL as the crypto library, otherwise the service will not use any engine. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: configure engine packages during installEneas U de Queiroz2022-02-224-43/+111
| | | | | | | | | | | This enables an engine during its package's installation, by adding it to the engines list in /etc/ssl/engines.cnf.d/engines.cnf. The engine build system was reworked, with the addition of an engine.mk file that groups some of the engine packages' definitions, and could be used by out of tree engines as well. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: config engines in /etc/ssl/engines.cnf.dEneas U de Queiroz2022-02-2216-119/+82
| | | | | | | | | | | This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. Patches were refreshed with --zero-commit. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libnetfilter-conntrack: bump to 1.0.9Stijn Tintel2022-02-171-2/+2
| | | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: Jo-Philipp Wich <jo@mein.io>
* wolfssl: update to 5.1.1-stableSergey V. Lobanov2022-02-015-144/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | Bump from 4.8.1-stable to 5.1.1-stable Detailed release notes: https://github.com/wolfSSL/wolfssl/releases Upstreamed patches: 001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch - https://github.com/wolfSSL/wolfssl/commit/fa8f23284d4689c2a737204b337b58d966dcbd8c 002-Update-macro-guard-on-SHA256-transform-call.patch - https://github.com/wolfSSL/wolfssl/commit/f447e4c1fa4c932c0286fa0331966756e243db81 Refreshed patches: 100-disable-hardening-check.patch 200-ecc-rng.patch CFLAG -DWOLFSSL_ALT_CERT_CHAINS replaced to --enable-altcertchains configure option The size of the ipk changed on aarch64 like this: 491341 libwolfssl4.8.1.31258522_4.8.1-stable-7_aarch64_cortex-a53.ipk 520322 libwolfssl5.1.1.31258522_5.1.1-stable-1_aarch64_cortex-a53.ipk Tested-by: Alozxy <alozxy@users.noreply.github.com> Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com> Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* libcap: Update to version 2.63Hauke Mehrtens2022-02-012-3/+5
| | | | | | | | | | | The sizes of the ipk changed on MIPS 24Kc like this: 11248 libcap_2.51-1_mips_24kc.ipk 14461 libcap_2.63-1_mips_24kc.ipk 18864 libcap-bin_2.51-1_mips_24kc.ipk 20576 libcap-bin_2.63-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: Update to version 2.16.12Hauke Mehrtens2022-02-011-2/+2
| | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * Zeroize several intermediate variables used to calculate the expected value when verifying a MAC or AEAD tag. This hardens the library in case the value leaks through a memory disclosure vulnerability. For example, a memory disclosure vulnerability could have allowed a man-in-the-middle to inject fake ciphertext into a DTLS connection. * Fix a double-free that happened after mbedtls_ssl_set_session() or mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED (out of memory). After that, calling mbedtls_ssl_session_free() and mbedtls_ssl_free() would cause an internal session buffer to be free()'d twice. CVE-2021-44732 The sizes of the ipk changed on MIPS 24Kc like this: 182454 libmbedtls12_2.16.11-2_mips_24kc.ipk 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* ustream-ssl: update to Git version 2022-01-16Hauke Mehrtens2022-01-161-4/+4
| | | | | | 868fd88 ustream-openssl: wolfSSL: Add compatibility for wolfssl >= 5.0 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* elfutils: Add missing musl-fts dependencyFlorian Fainelli2022-01-071-1/+1
| | | | | | | | libdw depends on libfts.so when building with the musl-libc library, add this missing dependency. Fixes: 6835ea13f0fa ("elfutils: update to 0.186") Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
* mbedtls: enable session ticketsGlenn Strauss2022-01-081-18/+0
| | | | | | | | | | session tickets are a feature of TLSv1.2 and require less memory and overhead on the server than does managing a session cache Building mbedtls with support for session tickets will allow the feature to be used with lighttpd-1.4.56 and later. Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* elfutils: update to 0.186Sergey V. Lobanov2022-01-087-145/+30
| | | | | | | | | | | | | | | | | | | | | Upstreamed patches (deleted): 0001-ppc_initreg.c-Incliude-asm-ptrace.h-for-pt_regs-defi.patch - https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=8382833a257b57b0d288be07d2d5e7af6c102869 110-no-cdefs.patch - https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=d390548df1942e98a1d836269a5e41ba52e121f1 Auto-refreshed: 006-Fix-build-on-aarch64-musl.patch 101-no-fts.patch Manually updated and refreshed: 005-build_only_libs.patch 003-libintl-compatibility.patch 100-musl-compat.patch Disabled _obstack_free check (via configure vars) Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* toolchain: glibc: Update to version 2.34Hauke Mehrtens2022-01-071-4/+1
| | | | | | | | | | | | glibc version 2.34 does not provide versioned shared libraries any more, it only provides shared libraries using the ABI version. Do not try to copy them any more. The functions from libpthread and librt were integrated into the main binary, the libpthread.so and librt.so are only used for backwards compatibility any more. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* openssl: bump to 1.1.1mEneas U de Queiroz2022-01-013-14/+7
| | | | | | | | | | | | | This is a bugfix release. Changelog: *) Avoid loading of a dynamic engine twice. *) Fixed building on Debian with kfreebsd kernels *) Prioritise DANE TLSA issuer certs over peer certs *) Fixed random API for MacOS prior to 10.12 Patches were refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libs/wolfssl: add SAN (Subject Alternative Name) supportSergey V. Lobanov2021-12-292-2/+7
| | | | | | | | | x509v3 SAN extension is required to generate a certificate compatible with chromium-based web browsers (version >58) It can be disabled via unsetting CONFIG_WOLFSSL_ALT_NAMES Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>