path: root/package/network

Commit log; each entry lists the subject, author, date, files touched and lines removed/added, followed by the commit message.
* tcpdump: update to version 4.9.0 (Hauke Mehrtens, 2017-02-06, 4 files, -81/+81)

    This fixes the following 41 security problems:
    + CVE-2016-7922: buffer overflow in print-ah.c:ah_print().
    + CVE-2016-7923: buffer overflow in print-arp.c:arp_print().
    + CVE-2016-7924: buffer overflow in print-atm.c:oam_print().
    + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print().
    + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print().
    + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print().
    + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print().
    + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header().
    + CVE-2016-7930: buffer overflow in print-llc.c:llc_print().
    + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print().
    + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum().
    + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print().
    + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print().
    + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print().
    + CVE-2016-7936: buffer overflow in print-udp.c:udp_print().
    + CVE-2016-7937: buffer overflow in print-udp.c:vat_print().
    + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame().
    + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions.
    + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions.
    + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions.
    + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions.
    + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print().
    + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print().
    + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print().
    + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print().
    + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions.
    + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print().
    + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM).
    + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print().
    + CVE-2016-8575: buffer overflow in print-fr.c:q933_print().
    + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print().
    + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print().
    + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print().
    + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print().
    + CVE-2017-5341: buffer overflow in print-otv.c:otv_print().
    + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print().
    + CVE-2017-5482: buffer overflow in print-fr.c:q933_print().
    + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse().
    + CVE-2017-5484: buffer overflow in print-atm.c:sig_print().
    + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap().
    + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print().

    The size of the package is only increased very little:
    new size:
      306430 tcpdump_4.9.0-1_mips_24kc.ipk
      130324 tcpdump-mini_4.9.0-1_mips_24kc.ipk
    old size:
      302782 tcpdump_4.8.1-1_mips_24kc.ipk
      129033 tcpdump-mini_4.8.1-1_mips_24kc.ipk

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
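Every entry in that list is in a packet printer, i.e. code that parses bytes captured off the wire, so a router still running tcpdump 4.8.1 or older stays exposed until the package is upgraded. The shell functions below are an added example, not part of the commit or of the LEDE build system: they extract the version from `tcpdump --version` output (the sample output here is constructed; tcpdump prints it on stderr, hence the `2>&1` in the usage line) and compare it against 4.9.0 with a dotted-version comparison that works in busybox ash, which has no `sort -V`. The opkg package version form `4.8.1-1` is also accepted; its `-<release>` suffix is ignored.

```shell
#!/bin/sh
# Added example, not code from the LEDE tree. Decides whether an installed
# tcpdump predates the 4.9.0 release that carries the 41 CVE fixes above.

FIXED_VERSION="4.9.0"

# version_lt A B: succeed (0) if dotted version A is older than B.
# Components are compared numerically left to right; a missing component
# counts as 0, so "4.9" equals "4.9.0". No "sort -V" needed.
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}" y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# tcpdump_version_of TEXT: print the "X.Y.Z" from `tcpdump --version` output,
# whose first line reads "tcpdump version X.Y.Z".
tcpdump_version_of() {
    printf '%s\n' "$1" | sed -n 's/^tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# tcpdump_vulnerable VERSION: succeed if VERSION ("4.8.1" or the opkg form
# "4.8.1-1"; the "-<release>" suffix is dropped) is older than 4.9.0.
tcpdump_vulnerable() {
    version_lt "${1%%-*}" "$FIXED_VERSION"
}

# Constructed sample of `tcpdump --version 2>&1` from a 4.8.1 install.
SAMPLE_OUTPUT="tcpdump version 4.8.1
libpcap version 1.8.1
OpenSSL 1.0.2j  26 Sep 2016"

# On a router: check_version "$(tcpdump --version 2>&1)"
check_version() {
    v="$(tcpdump_version_of "$1")"
    if tcpdump_vulnerable "$v"; then
        echo "tcpdump $v is older than $FIXED_VERSION: update"
    else
        echo "tcpdump $v is current"
    fi
}

check_version "$SAMPLE_OUTPUT"
```

The comparison deliberately stops at the first differing component, so a future 4.10 is correctly judged newer than 4.9.0; a plain string compare would get that wrong.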
* dnsmasq: update to dnsmasq 2.77test1 (Kevin Darbyshire-Bryant, 2017-02-05, 6 files, -257/+145)

    Bump to dnsmasq 2.77test1 - this includes a number of fixes since 2.76 and
    allows dropping of 2 LEDE carried patches.

    Notable fix in rrfilter code when talking to Nominum's DNS servers,
    especially with DNSSEC.

    A patch to switch dnsmasq back to 'soft fail' for SERVFAIL responses from
    DNS servers is also included. This means dnsmasq tries all configured
    servers before giving up.

    A 'localise queries' enhancement has also been backported (it will appear
    in test2/rc'n'); this is especially important if using the recently
    imported to LEDE 'use dnsmasq standalone' feature 9525743c.

    I have been following dnsmasq HEAD ever since 2.76 release.

    Compile & Run tested: ar71xx, Archer C7 v2

    Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
    Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dnsmasq: fix instances in dhcp_add() (Eric Luehrsen, 2017-02-05, 1 file, -2/+2)

    ref commit 9525743c076393336cd2129539c974f8a01c7894
    dnsmasq: make DHCPv6 viable for standalone dnsmasq install

    Above commit broke instancing by missing filter_dnsmasq() as part of the
    dhcp_add() execution.

    Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
* dnsmasq: honor quietdhcp option for DHCPv6 (Arjen de Korte, 2017-02-05, 1 file, -0/+1)

    Do not spam the syslog with DHCPv6 lease info if quietdhcp option is
    selected. This already works for DHCPv4, make it work in the same way for
    DHCPv6.

    Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
    [Originally written by Arjen de Korte on GitHub but had issues providing a
    SoB in correct format.]
    Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* openvpn: adding key_direction to append_params. (Brandon Koepke, 2017-02-03, 1 file, -2/+2)

    key_direction shows up as an openvpn option in the user-interface but does
    not end up in the /var/etc/openvpn*.conf file. Adding it to the list here
    fixed the issue for me.

    Signed-off-by: Brandon Koepke <bdkoepke@fastmail.com>
* ccache, samba36: fix samba.org addresses to use https (Hannu Nyman, 2017-02-02, 2 files, -5/+5)

    samba.org has started to enforce https and currently plain http downloads
    with curl/wget fail, so convert samba.org download links to use https.
    Modernise links at the same time.

    Also convert samba.org URL fields to have https.

    Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* dnsmasq: make DHCPv6 viable for standalone dnsmasq install (Eric Luehrsen, 2017-02-02, 2 files, -29/+152)

    dnsmasq has sufficient services to meet the needs of DHCP and RA with IP6
    for single router users. This is the most common use for consumer routers.
    It's reinforced as most ISPs tend to only DHCP-PD /64. dnsmasq has year
    over year demonstrated great flexibility in its option set, and support
    for off-standard DHCP clients.

    odhcpd has enhanced capabilities focused on IP6 such as DHCP/RA relay and
    NDP proxy. However, it is not as flexible in its option set. odhcpd is not
    as forgiving with off-standard DHCP clients. Some points may represent a
    long term TODO list, but it is the state currently.

    These changes make any such combination possible. Already odhcpd can be
    set as the main dhcp server. Now odhcpd can be removed or disabled and
    dnsmasq will take over if DHCPv6 compiled in. The existing DHCPv6 and RA
    UCI are translated into dnsmasq.conf. The changes focus on '--dhcp-range',
    '--dhcp-host', and '--dhcp-options'. DHCP host ID is least 16 bits
    [::1000-::FFFF], but leaves low range for typical infrastructure
    assignments. dnsmasq accepts DHCPv6 options in the traditional
    '--dhcp-option' but they must be prefixed 'option6:'. dnsmasq will also
    discover SLAAC DNS entries from DHCPv4 clients MAC, and confirm with a
    ping at least renew.

    Long term TODO include improving use of dnsmasq relay options for DHCPv4
    and DHCPv6 in parallel. It would also be possible to preconfigure DHCP-PD
    in host-with-options records for fixed infrastructure.

    Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
    [Jo-Philipp Wich: emit proper IPv6 hostid format in dhcp-host directive]
    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
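To make the three directive families the commit describes concrete, here is an added example in shell; it is not the LEDE dnsmasq.init code and does not read UCI. It emits a `dhcp-range` over the ::1000-::ffff host-id window, a DHCPv6 option carried with the `option6:` prefix, and `dhcp-host` reservations whose host id is written as an IPv6 suffix (`[::1234]`). Assumptions not taken from the commit: host ids arrive as up to four hex digits, reservations arrive as "duid hostid name" lines, the range uses `constructor:<iface>` so the delegated prefix is picked up from the interface, and `[::]` in the option value means the server's own address. The sample reservations are constructed. Before deploying a generated file, run `dnsmasq --test -C <file>` so dnsmasq itself validates the syntax.

```shell
#!/bin/sh
# Added example, not the LEDE dnsmasq.init code. Emits the dnsmasq DHCPv6
# directives described in the commit: a dynamic range over ::1000-::ffff,
# an option with the option6: prefix, and dhcp-host entries with the host id
# rendered as an IPv6 suffix. Input shapes are this example's assumptions.

# dnsmasq6_hostid HEX: print "[::<hex>]" if HEX is a non-zero 16-bit host id,
# else fail. Ids below ::1000 stay outside the dynamic range and are meant for
# static infrastructure, which is exactly what dhcp-host entries are for.
dnsmasq6_hostid() {
    hostid="$1"
    case "$hostid" in ""|*[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#hostid}" -le 4 ] || return 1
    v=$((0x$hostid))
    [ "$v" -ge 1 ] && [ "$v" -le $((0xffff)) ] || return 1
    printf '[::%x]' "$v"
}

# dnsmasq6_conf IFACE LEASETIME HOSTS: print dnsmasq.conf lines for IFACE.
# constructor:IFACE makes dnsmasq take the prefix from the interface's own
# global address; ra-names enables the SLAAC name guessing the commit mentions.
dnsmasq6_conf() {
    iface="$1" leasetime="$2" hosts="$3"
    printf 'dhcp-range=set:%s,::1000,::ffff,constructor:%s,ra-names,%s\n' \
        "$iface" "$iface" "$leasetime"
    # DHCPv6 options keep the dhcp-option keyword but need the option6: prefix.
    printf 'dhcp-option=tag:%s,option6:dns-server,[::]\n' "$iface"
    printf '%s\n' "$hosts" | while read -r duid hostid name; do
        [ -n "$duid" ] || continue
        if suffix="$(dnsmasq6_hostid "$hostid")"; then
            printf 'dhcp-host=id:%s,%s,%s\n' "$duid" "$suffix" "$name"
        else
            echo "skipping $name: host id '$hostid' is not a 16-bit suffix" >&2
        fi
    done
}

# Constructed sample: two valid reservations and one with a 20-bit host id.
SAMPLE_HOSTS="00:01:00:01:1f:2e:3d:4c:00:11:22:33:44:55 1234 nas
00:03:00:01:aa:bb:cc:dd:ee:ff 10 switch
00:03:00:01:00:00:00:00:00:01 12345 bogus"

dnsmasq6_conf br-lan 12h "$SAMPLE_HOSTS"
```

The validator rejects anything that is not one to four hex digits, which is the check the "proper IPv6 hostid format" follow-up fix is about: an unbracketed or over-long value would otherwise be written into dnsmasq.conf and make dnsmasq refuse to start.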
* dnsmasq: expand 'add_local_hostname' flexibility including FQDN (Eric Luehrsen, 2017-02-02, 2 files, -23/+67)

    ref commit 612e2276b4a2f57fcbbe79b95bec4a46e89d748c
    ref commit ec63e3bf1312ab4c666f7417ca9844857214047f

    'option add_local_hostname' scripted implementation statically assigns
    this host in auto generated host file at init. If IFUP or other signals
    do not occur, then address changes are not tracked. The script doesn't
    apply all the addresses at an interface. This may make logs obscure. The
    script only puts the bare host name (maybe not FQDN) in host file, but if
    '--expand-hosts' is enabled, then /etc/hosts entries will be suffixed, and
    "127.0.0.1 localhost" becomes "localhost.lan".

    dnsmasq provides an option to perform this function, but it is rather
    greedy. '--interface-name=<name>,<iface>' will assign the name to all IP
    on the specified interface (except link local). This is a useful feature,
    but some setups depend on the original restrictive behavior.

    'option add_local_fqdn' is added to enhance the feature set, but if not
    entered or empty string, then it will default to original option and
    behavior. This new option has a few settings. At each increased setting
    the most detailed name becomes the PTR record:
    0 - same as add_local_hostname 0 or disabled
    1 - same as add_local_hostname 1
    2 - assigns the bare host name to all IP w/ --dnsmasq-interface
    3 - assigns the FQDN and host to all IP w/ --dnsmasq-interface
    4 - assigns <iface>.<host>.<domain> and above w/ --dnsmasq-interface

    'option add_wan_fqdn' is added to run the same procedure on inferred WAN
    interfaces. If an interface has 'config dhcp' and 'option ignore 1' set,
    then it is considered WAN. The original option would only run on DHCP
    serving interfaces.

    Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
* odhcp6c: fix PKG_SOURCE_URL (Hans Dedecker, 2017-02-01, 1 file, -1/+1)

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: update to git HEAD version (Hans Dedecker, 2017-02-01, 1 file, -5/+5)

    3317c86 dhcpv6-ia: apply lease delete based on assignment bound state
    df50429 odhcpd: properly handle netlink messages (FS#388)
    83d72cf odhcpd: fix coding style

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* xtables-addons: update to version 2.12 (Felix Fietkau, 2017-02-01, 1 file, -2/+2)

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* odhcp6c: use LEDE_GIT in package source url (Hans Dedecker, 2017-01-31, 1 file, -1/+1)

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: enable support for logging wpa_printf messages to syslog (Rafał Miłecki, 2017-01-31, 2 files, -0/+6)

    This will allow starting hostapd with the new -s parameter and finally
    read all (error) messages from the syslog.

    Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* mdns: update to the latest version (Felix Fietkau, 2017-01-31, 1 file, -3/+3)

    - fixes unaligned accesses, causing DNS parsing issues on ARMv5
    - fixes service timeout handling

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* odhcpd: use LEDE_GIT in package source url (Hans Dedecker, 2017-01-30, 1 file, -1/+1)

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iproute2: cake: update cake support (Kevin Darbyshire-Bryant, 2017-01-30, 2 files, -11/+24)

    Updated cake's tc patch to match the official cake repository formatting.

    Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* odhcp6c: update to git HEAD version (Hans Dedecker, 2017-01-30, 1 file, -3/+3)

    c13b6a0 dhcpv6: fix white space error
    e9d80cc dhcpv6: trigger restart of DHCPv6 state machine when not receiving statefull options
    c7122ec update README
    419fb63 dhcpv6: server unicast option support

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: backport support for sending debug messages to the syslog (Rafał Miłecki, 2017-01-30, 6 files, -24/+169)

    It wasn't possible to read hostapd wpa_printf messages unless running
    hostapd manually. It was because hostapd was printing them using vprintf
    and not directly to the syslog.

    We were trying to workaround this problem by redirecting STDIN_FILENO and
    STDOUT_FILENO but it was working only for the initialization phase. As
    soon as hostapd did os_daemonize our solution stopped working.

    Please note despite the subject this change doesn't affect debug level
    messages only but just everything printed by hostapd with wpa_printf
    including MSG_ERROR-s. This makes it even more important as reading error
    messages can be quite useful for debugging.

    Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* openvpn: add support for various new 2.4 configuration options (Magnus Kroken, 2017-01-27, 1 file, -24/+19)

    Updates to openvpn.init were included in early OpenVPN 2.4 patch series,
    but got lost along the way and were never merged.

    Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* odhcpd: update to git HEAD version (Hans Dedecker, 2017-01-26, 1 file, -3/+3)

    c4f9ace odhcpd: decrease default log level to LOG_INFO
    a6eadd7 odhcpd: rework IPv6 interface address dump
    44965f1 odhcpd: extra syslog tracing

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: update to git HEAD version (Hans Dedecker, 2017-01-26, 1 file, -3/+3)

    650758b interface-ip: route proto config support (FS#170)

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openvpn: ssl-enabled variants also provide a virtual openvpn-crypto package (Sven Roederer, 2017-01-26, 1 file, -1/+5)

    When relying on x.509 certs for auth and / or encryption of traffic you
    can't use package openvpn-nossl. Just have your package depend on
    openvpn-crypto to have SSL-encryption and X.509-support enabled in
    OpenVPN.

    If encryption / X.509 is not a must, use virtual package openvpn, which is
    provided by all OpenVPN-variants.

    Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* iproute2: cake: add 'mpu' minimum packet length support (Kevin Darbyshire-Bryant, 2017-01-26, 2 files, -4/+28)

    Add 'mpu' minimum length packet size parameter for scheduling/bandwidth
    accounting.

    Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* hostapd: default to wps_independent 1 (Steven Honson, 2017-01-26, 1 file, -1/+2)

    Signed-off-by: Steven Honson <steven@honson.id.au>
* hostapd: expose wps_independent and ap_setup_locked as uci options (Steven Honson, 2017-01-26, 1 file, -3/+5)

    ap_setup_locked is named wps_ap_setup_locked in uci for consistency with
    other wps related uci options.

    Signed-off-by: Steven Honson <steven@honson.id.au>
* Fix dependency for hostapd (Wilco Baan Hofman, 2017-01-26, 1 file, -1/+1)

    Signed-off-by: Wilco Baan Hofman <wilco@baanhofman.nl>
* odhcpd: update to git HEAD version (Hans Dedecker, 2017-01-24, 1 file, -3/+3)

    e447ff9 router: fix compile issue on 64 bit systems

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* packages: mark packages depending on a target as nonshared (Mathias Kresin, 2017-01-24, 1 file, -0/+2)

    The packages can't be built as shared packages due to the unmet
    dependencies.

    Fixes FS#418.

    Signed-off-by: Mathias Kresin <dev@kresin.me>
* odhcpd: update to git HEAD version (Hans Dedecker, 2017-01-23, 1 file, -3/+3)

    237f1f4 router: convert syslog lifetime traces into LOG_INFO prio
    da660c7 treewide: rework prio of syslog messages
    0485580 ndp: code cleanup
    c5040fe router: add syslog debug tracing for trouble shooting
    df023ad treewide: use RELAYD_MAX_ADDRS as address array size
    c8ac572 ndp: don't scan netlink attributes in case of netlink route event

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: fix stray "out of range" shell errors in hostapd.sh (Jo-Philipp Wich, 2017-01-23, 2 files, -3/+3)

    The hostapd_append_wpa_key_mgmt() procedure uses the possibly
    uninitialized $ieee80211r and $ieee80211w variables in a numerical
    comparison, leading to stray "netifd: radio0 (0000): sh: out of range"
    errors in logread when WPA-PSK security is enabled.

    Ensure that those variables are substituted with a default value in order
    to avoid emitting this (harmless) shell error.

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
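The bug class here is worth seeing side by side: a `[ "$var" -gt 0 ]` test on a variable that UCI never set is a malformed numeric comparison, which busybox ash reports as "out of range" and bash as "integer expression expected". The following is an added example in shell, modelled on but not copied from hostapd.sh: a buggy key_mgmt builder next to the fixed one that substitutes `${var:-0}` before comparing. The wpa_key_mgmt names (WPA-PSK, FT-PSK, WPA-PSK-SHA256) are hostapd's own; the function names, argument order and the constructed inputs are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the LEDE hostapd.sh code. Reproduces the bug fixed by
# the commit (numeric test on an unset variable) and the ${var:-0} fix.
# Key management names follow hostapd's wpa_key_mgmt; everything else is
# this example's own.

# append_mgmt NAME: add NAME to the space-separated list in $mgmt.
append_mgmt() { mgmt="${mgmt:+$mgmt }$1"; }

# Buggy form. For a plain WPA-PSK network ieee80211r/ieee80211w are empty, so
# "[ '' -gt 0 ]" is malformed: the test fails (status 2) and prints an error
# on stderr. The result happens to be right, but every such interface logs a
# stray shell error at startup, exactly what the commit saw in logread.
wpa_key_mgmt_buggy() {
    auth_type="$1" ieee80211r="$2" ieee80211w="$3" mgmt=""
    auth_type_l="$(echo "$auth_type" | tr 'a-z' 'A-Z')"
    case "$auth_type" in
        psk|eap)
            append_mgmt "WPA-$auth_type_l"
            [ "$ieee80211r" -gt 0 ] && append_mgmt "FT-$auth_type_l"
            [ "$ieee80211w" -gt 0 ] && append_mgmt "WPA-$auth_type_l-SHA256"
        ;;
    esac
    echo "$mgmt"
}

# Fixed form: default unset/empty values to 0 before the numeric test, so
# the comparison is always well-formed and nothing is written to stderr.
wpa_key_mgmt_fixed() {
    auth_type="$1" ieee80211r="$2" ieee80211w="$3" mgmt=""
    auth_type_l="$(echo "$auth_type" | tr 'a-z' 'A-Z')"
    case "$auth_type" in
        psk|eap)
            append_mgmt "WPA-$auth_type_l"
            [ "${ieee80211r:-0}" -gt 0 ] && append_mgmt "FT-$auth_type_l"
            [ "${ieee80211w:-0}" -gt 0 ] && append_mgmt "WPA-$auth_type_l-SHA256"
        ;;
    esac
    echo "$mgmt"
}

# Constructed inputs: a plain PSK network (options unset), and PSK with
# 802.11r fast transition and 802.11w management frame protection enabled.
wpa_key_mgmt_fixed psk "" ""   # WPA-PSK
wpa_key_mgmt_fixed psk 1 1     # WPA-PSK FT-PSK WPA-PSK-SHA256
```

The same `${var:-0}` default belongs on any UCI option read with `config_get` that feeds a `-gt`, `-eq` or `$(( ))` expression, since an absent option leaves the variable empty rather than zero.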
* 6in4: add missing colon when setting default ca_path (Daniel Golle, 2017-01-23, 1 file, -1/+1)

    Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* openvpn: let all openvpn variants provide a virtual openvpn package (Jo-Philipp Wich, 2017-01-21, 1 file, -1/+2)

    Add PROVIDES:=openvpn to the default recipe in order to let all build
    variants provide a virtual openvpn package.

    The advantage of this approach is that downstream packages can depend on
    just "openvpn" without having to require a specific flavor.

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netifd: update to git HEAD version (Hans Dedecker, 2017-01-17, 1 file, -2/+2)

    a057f6e device: fix DEV_OPT_SENDREDIRECTS definition

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* curl: fix HTTPS network timeouts with OpenSSL (Stijn Segers, 2017-01-16, 1 file, -0/+36)

    Backport an upstream change to fix HTTPS timeouts with OpenSSL.

    Upstream curl bug #1174.

    Signed-off-by: Stijn Segers <francesco.borromini@inventati.org>
    [Jo-Philipp Wich: reword commit message, rename patch to 001-*]
    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: fix passing jobserver to hostapd/supplicant build processes (Felix Fietkau, 2017-01-15, 1 file, -3/+3)

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: backport a few upstream fixes (Felix Fietkau, 2017-01-15, 5 files, -4/+163)

    Fixes reassoc issues with WDS mode
    Fixes reassoc issues in AP mode
    Fixes IBSS reauthentication issues

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* firewall: fix forwarding local subnet traffic (Jo-Philipp Wich, 2017-01-13, 1 file, -3/+3)

    Packets which are merely forwarded by the router and which are neither
    involved in any DNAT/SNAT nor originate locally, are considered INVALID
    from a conntrack point of view, causing them to get dropped in the
    zone_*_dest_ACCEPT chains, since those only allow streams with state NEW
    or UNTRACKED.

    Remove the ctstate restriction on dest accept chains to properly
    pass-through unrelated 3rd party traffic.

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: use ubus signalling in ntp hotplug script (Kevin Darbyshire-Bryant, 2017-01-13, 1 file, -3/+3)

    Use ubus process signalling instead of 'kill pidof dnsmasq' for SIGHUP
    signalling to dnsmasq when ntp says time is valid.

    Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* netifd: update to the latest version (Felix Fietkau, 2017-01-13, 1 file, -3/+3)

    This disables IGMP snooping by default, which was causing various issues
    over time, like FS#95

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* uqmi: mark as nonshared because of the usb dependencies (Felix Fietkau, 2017-01-13, 1 file, -0/+2)

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* umbim: mark as nonshared because of the usb dependencies (Felix Fietkau, 2017-01-13, 1 file, -0/+2)

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* comgt: mark as nonshared because of the usb dependencies (Felix Fietkau, 2017-01-13, 1 file, -0/+2)

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* map: take over maintainership (Hans Dedecker, 2017-01-12, 1 file, -1/+1)

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    Acked-by: Jo-Philipp Wich <jo@mein.io>
* odhcp6c: take over maintainership (Hans Dedecker, 2017-01-12, 1 file, -1/+1)

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    Acked-by: Jo-Philipp Wich <jo@mein.io>
* odhcpd: take over maintainership (Hans Dedecker, 2017-01-12, 1 file, -1/+1)

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    Acked-by: Jo-Philipp Wich <jo@mein.io>
* Revert "dnsmasq: change 'add_local_hostname' to use dnsmasq '--interface-name'" (Hans Dedecker, 2017-01-12, 2 files, -31/+23)

    This causes problems when a FQDN is configured in /etc/config/system. The
    domain name will appear twice in reverse DNS.

    Next to that, there seems to be a bug in dnsmasq. From the manual page:

        --interface-name=<name>,<interface>[/4|/6]
        Return a DNS record associating the name with the primary address on
        the given interface. This flag specifies an A or AAAA record for the
        given name in the same way as an /etc/hosts line, except that the
        address is not constant, but taken from the given interface. The
        interface may be followed by "/4" or "/6" to specify that only IPv4
        or IPv6 addresses of the interface should be used. If the interface
        is down, not configured or non-existent, an empty record is returned.
        The matching PTR record is also created, mapping the interface address
        to the name. More than one name may be associated with an interface
        address by repeating the flag; in that case the first instance is
        used for the reverse address-to-name mapping.

    It does not just create an A/AAAA record for the primary address, it
    creates one for all addresses. And what is worse, it seems to actually
    resolve to the non-primary address first. This is quite annoying when you
    use floating IP addresses (e.g. VRRP), because when the floating IP is on
    the other device, SSH fails due to incorrect entry in the known hosts
    file.

    I know that this is not a common setup, but it would be nice if there was
    an option to restore the previous behaviour, rather than just forcing
    this new feature on everybody.

    Reported-by: Stijn Tintel <stijn@linux-ipv6.be>
    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* map: delete map-t device when tearing down map interface (Hans Dedecker, 2017-01-12, 2 files, -2/+12)

    Delete the map-t device when tearing down the map-t interface; as such
    there's no conflict when the map-t interface comes up again when trying
    to add the map-t device as the map-t device was still present (Can not
    add: device 'map-wan6_4' already exists!).

    Only call ifdown in teardown for map-e and lw6o4 map interface types in
    order to suppress the trace "wan6_4 (6652): Interface wan6_4_ not found".

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Revert the recent dependency and metadata scanning rework (Felix Fietkau, 2017-01-11, 3 files, -3/+3)

    This reverts the following commits:
    fbe522d1204149b6c128d55e360bfc15fa8258e1
    278ad007ee03c4455c3507322e34b0e3e6ec050d
    863888e44f7a1fb1675a2e7a2eaabfec3561d2a2
    96daf6352f6e04bc22789466cb5409b93fbec191
    cfd83555fc4f0bab18a26f6812da18e64df46ff3

    This seems to trigger some mconf bugs when built with all feeds packages,
    so I will try to find a less intrusive solution before the release.

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* comgt: allow build without USB_SUPPORT (Felix Fietkau, 2017-01-11, 1 file, -1/+1)

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* umbim: allow build without USB_SUPPORT (Felix Fietkau, 2017-01-11, 1 file, -1/+1)

    Signed-off-by: Felix Fietkau <nbd@nbd.name>