| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Looks like 'openat', 'pipe2' and 'ppoll' are now needed, possibly due
to changes on libraries used by umdns now using slightly different
calls.
Found using
/etc/init.d/umdns trace
now use umdns, ie. cover all ubus call etc., then
/etc/init.d/umdns stop
find list of syscalls traced in /tmp/umdns.*.json
Fixes: FS#3355 ("UMDNS: does not start on master with seccomp")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 00a85a163405fdf9bee4d8c3f0ee87ca9ed259d6)
|
| |
|
|
|
|
|
|
| |
Now that ujail supports seccomp also on Aarch64, add missing syscall
'fstat' to the list of allowed syscalls.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d28880cdd86e10142fd86936f5da188eaeeaf9eb)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream iproute2 detects libbpf using a one-line $CC test-compile, which
normally ignores LDFLAGS. With NLS enabled however, LDFLAGS includes an
"rpath-link" linker option needed to resolve libintl.so. Its absence
causes both the compile and libbpf detection to fail:
ld: warning: libintl.so.8, needed by libbpf.so, not found (try using
-rpath or -rpath-link)
ld: libelf.so.1: undefined reference to `libintl_dgettext'
collect2: error: ld returned 1 exit status
Fix this by directly including $LDFLAGS in the test-compile command.
Reported-by: Ian Cooper <iancooper@hotmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit aab3a04ce87c27996b7ce9ea306db8c6eed86941)
|
| |
|
|
|
|
|
|
|
| |
There is no direct linking of libintl from bpftools, only secondary linking
through libelf, so remove "-lintl" from TARGET_LDFLAGS.
Fixes: 5582fbd6135f ("bpftools: support NLS, fix ppc build and update to 5.8.9")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit c8c638a19b63bf6c3bf8094aebd8fde6feda36ba)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change was investigated previously [1] but not deemed necessary. With
the recent addition [2] of modern BPF loader support, however, tc gained
dependencies on libelf and libbpf, with a larger installation footprint.
Similar to ip-tiny/ip-full, split tc into tc-full and tc-tiny variants,
where the latter excludes the eBPF loader, uses a smaller executable, and
avoids libelf and libbpf package dependencies. Both variants provide the
'tc' virtual package, with tc-tiny as the default.
The previous tc package included a loadable module for iptables actions.
Separate this out into a common package, tc-mod-iptables, which both
variants depend on. Some package sizes on mips_24kc:
Before:
148343 tc_5.11.0-1_mips_24kc.ipk
After:
144833 tc-full_5.11.0-2_mips_24kc.ipk
138430 tc-tiny_5.11.0-2_mips_24kc.ipk (and no libelf or libbpf)
4115 tc-mod-iptables_5.11.0-2_mips_24kc.ipk
Also fix up some Makefile indentation.
[1] https://github.com/openwrt/openwrt/pull/1627#issuecomment-447619962
[2] b048a305a3d3 ("iproute2: update to 5.11.0")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 72885e9608d9c0fa06abce6bdb6dd054c2116eb7)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The link equalizer sch_teql.ko of package kmod-sched relies on a hotplug
script historically included in iproute2's tc package. In previous
discussion [1], consensus was the hotplug script is best located together
with the module in kmod-sched, but this change was deferred at the time.
Relocate the hotplug script now. This change also simplifies adding a tc
variant for minimal size with reduced functionality.
[1] https://github.com/openwrt/openwrt/pull/1627#issuecomment-447923636
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 863ce4f15f74a674f01ab47f445b362c113b113b)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch has been submitted upstream to fix an error reported by a few
users. One instance seen using gcc 10.2.0, binutils 2.35.1 and musl 1.1.24:
bpf_glue.c: In function 'get_libbpf_version':
bpf_glue.c:46:11: error: 'PATH_MAX' undeclared (first use in this function);
did you mean 'AF_MAX'?
46 | char buf[PATH_MAX], *s;
| ^~~~~~~~
| AF_MAX
Reported-by: Rui Salvaterra <rsalvaterra@gmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 10ffefe60299637bc592ec4ef0dde93e0e2e8344)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The latest iproute2 version brings various improvements and fixes:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?qt=range&q=v5.10.0..v5.11.0
In particular, ip and tc now use libbpf as the standard way to load BPF
programs, rather than the old, limited custom loader. This allows more
consistent and featureful BPF program handling e.g. support for global
initialized variables.
Also fix a longstanding problem with iproute2 builds where unneeded DSO
dependencies are added to most utilities, bloating their installation
footprint. From research and testing, explicitly using a "--as-needed"
linker flag avoids the issue. Update accordingly and drop extra package
dependencies from Makefile.
Additional build and packaging updates include:
- install missing development header to iproute2/bpf_elf.h
- propagate OpenWrt verbose flag during build
- update and refresh patches
Compile and run tested: QEMU/malta-mips32be on kernels 5.4 & 5.10.
All iproute2 packages were built and installed to the test image. Some
regression testing using ip-full and tc was successfully performed to
exercise several kmods, tc modules, and simple BPF programs.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit b048a305a3d3cbb5375e32757e70aa129b4c7c4f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To the vast majority of the users, wireguard-tools are not useful
without the underlying kernel module. The cornercase of only generating
keys and not using the secure tunnel is something that won't be done on
an embedded OpenWrt system often. On the other hand, maintaining a
separate meta-package only for this use case introduces extra
complexity. WireGuard changes for Linux 5.10 remove the meta-package.
So let's make wireguard-tools depend on kmod-wireguard
to make WireGuard easier to use without having to install multiple
packages.
Fixes: ea980fb9 ("wireguard: bump to 20191226")
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
(cherry picked from commit cbcddc9f318607881799e329b327a68c4e76d5cb)
|
| |
|
|
|
|
|
| |
Simple version bump with accumulated fixes.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit e0f7f5bbce0d03e5192b5dad5a24fcb8566da97f)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
On Linux 5.4, build WireGuard from backports. Linux 5.10 contains
wireguard in-tree.
Add in-kernel crypto libraries required by WireGuard along with
arch-specific optimizations.
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
(cherry picked from commit 06351f1bd0455abacb700db5098bb798f66948fc)
(cherry picked from commit 464451d9ab824c2ed62f7da33f0a965f562714c8)
|
| |
|
|
|
|
|
| |
Needed for an mt76 update
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 5dc501507222b38d731b89c3311d8253b73dd0e7)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pkgconfig file hardcodes a host library directory which cannot be
overridden by OpenWrt during builds. Use SED to fix this and potential
include directory problems, as is done with several other packages.
This fixes a strange issue intermittently seen building iproute2 on the
oxnas target:
iptables modules directory: /usr/lib/iptables
libc has setns: yes
SELinux support: no
libbpf support: no
libbpf version 0.3.0 is too low, please update it to at least 0.1.0
LIBBPF_FORCE=on set, but couldn't find a usable libbpf
Fixes: 2f0d672088c3 ("bpftools: add utility and library packages
supporting eBPF usage")
Reported-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 9e64e4ce26719ea81637b0e3d9754bd5190f0c21)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the environment variable FILTER is set before compilation,
compilation of the ppp-package will fail with the error message
Package ppp is missing dependencies for the following libraries:
libpcap.so.1
The reason is that the OpenWrt-patch for the Makefile only comments
out the line FILTER=y. Hence the pcap-library will be dynamically
linked if the environment variable FILTER is set elsewhere, which
causes compilation to fail. The fix consists on explicitly unsetting
the variable FILTER instead.
Signed-off-by: Eike Ritter <git@rittere.co.uk>
(cherry picked from commit 46cd0765d0c585dc0b48c8c0a3f116ef83cd580f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This includes several improvements and fixes:
61db17e rules: fix device and chain usage for DSCP/MARK targets
7b844f4 zone: avoid duplicates in devices list
c2c72c6 firewall3: remove last remaining sprintf()
12f6f14 iptables: fix serializing multiple weekdays
00f27ab firewall3: fix duplicate defaults section detection
e8f2d8f ipsets: allow blank/commented lines with loadfile
8c2f9fa fw3: zones: limit zone names to 11 bytes
78d52a2 options: fix parsing of boolean attributes
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 0d75aa27d4093625c85f2d2233dd5392a7e2aa32)
|
| |
|
|
|
|
|
| |
15346de client: Always close connection with request body in case of error
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 1170655f8b792b34f899350cb0272ad94bb2d3e2)
|
| |
|
|
|
|
|
|
|
| |
Instead of doing uci commit and reload_config for each setting do it
only once when one of these options was changed. This should make it a
little faster when both conditions are taken.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 501221af542b5154fbf8788f8426bc7f5443764a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Without this change the config is only committed, but the uhttpd daemon
is not reloaded. This reload is needed to apply the config. Without the
reload of uhttpd, the ubus server is not available over http and returns
a Error 404.
This caused problems when installing luci on the snapshots and
accessing it without reloading uhttpd.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d25d281fd6686bda67636f6c1df918145b6cb738)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.
Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.
This fixes the following security vulnerabilities/bugs:
- CVE-2021-27803 - A vulnerability was discovered in how p2p/p2p_pd.c
in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision
discovery requests. It could result in denial of service or other
impact (potentially execution of arbitrary code), for an attacker
within radio range.
Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
(cherry picked from commit 1ca5de13a153061feae260864d73d96f7c463785)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a backport of the upstream commit 58bbbb598144 ("nl80211: Ignore
4addr mode enabling error if it was already enabled") which fixes same
issue as in the current fix contained in '130-wpa_supplicant-multi_ap_roam.patch',
but in a different way:
nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on
an interface that is in a bridge and has 4addr mode already enabled.
This operation would not have been necessary in the first place and this
failure results in disconnecting, e.g., when roaming from one backhaul
BSS to another BSS with Multi AP.
Avoid this issue by ignoring the nl80211 command failure in the case
where 4addr mode is being enabled while it has already been enabled.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[bump PKG_RELEASE, more verbose commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit fb860b4e418c28a0f388f215e5acce103dcee1bf)
|
| |
|
|
|
|
|
|
| |
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 75455b75a7ee)
|
| |
|
|
|
|
|
|
|
|
| |
Automatically setup dhcpv4 server just like it's done for dhcpv6.
To select whether odhcpd or dnsmasq are serving DHCPv4 requests there
still is the 'maindhcp' option. To make things less confusing, make
sure things really work out-of-the-box in case dnsmasq is not even
installed at the time the uci-defaults script is being run.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
| |
The nl80211.h file is mostly matching kernel 5.10, so remove most of our
changes from the patch.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
| |
The removed patches were applied upstream.
This adapts ath10k-ct and mt76 to changed APIs.
nl80211.h in iw is updated to match the version from backports.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
| |
5a2dd18 iwinfo: add hardware description for MediaTek MT7622
4a32b33 iwinfo: add PCI ID for MediaTek MT7613BE
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
| |
This patch is required to be able to roam from one backhaul AP to
another one in the same ESS.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(daniel@makrotopia.org: PKG_REVISION bump and refreshed patches)
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes a bug that prevents updating Multi-AP credentials
after hostapd has started.
It was sent to upstream hostapd here:
https://patchwork.ozlabs.org/bundle/rmelotte/hostapd:%20update%20WPS%20credentials%20on%20SIGHUP/
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows other applications to get events management
frames (for example: association requests).
This is useful in Multi-AP context to be able to save association
requests from stations.
It has been sent to upstream hostapd in this series:
https://patchwork.ozlabs.org/project/hostap/list/?series=217500
'700-wifi-reload.patch' is updated due to the introduction of
'110-notify-mgmt-frames.patch'.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
|
| |
|
|
|
|
|
| |
All users have been converted to ubus.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Tested-by: Martin Schiller <ms@dev.tdt.de>
|
| |
|
|
|
|
|
|
| |
luci now uses ubus directly, so remove 'lucistat'.
For manual usage just print the ubus output, use luci for a pretty
version.
Signed-off-by: Andre Heider <a.heider@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
luci now uses ubus directly, so remove 'lucistat'.
For manual usage just print the ubus output, use luci for a pretty
version.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Tested-by: Martin Schiller <ms@dev.tdt.de>
|
| |
|
|
|
|
| |
As with ltq-vdsl-app, see previous commit.
Signed-off-by: Andre Heider <a.heider@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a 'dsl' ubus object with a 'metrics' function to replace the
expensive shell parsing done by /etc/init.d/dsl_control [dsl|luci]stat.
All metrics are gathered by using syscalls. An additional thread is started
to handle ubus events.
$ time /etc/init.d/dsl_control dslstat
real 0m 2.66s
user 0m 0.90s
sys 0m 1.76s
$ time ubus call dsl metrics
real 0m 0.02s
user 0m 0.00s
sys 0m 0.01s
Example output:
{
"api_version": "4.17.18.6",
"firmware_version": "5.8.1.5.0.7",
"chipset": "Lantiq-VRX200",
"driver_version": "1.5.17.6",
"state": "Showtime with TC-Layer sync",
"up": true,
"uptime": 3891,
"atu_c": {
"vendor_id": [
181,
0,
66,
68,
67,
77,
178,
26
],
"vendor": "Broadcom 178.26",
"system_vendor_id": [
181,
0,
66,
68,
67,
77,
0,
0
],
"system_vendor": "Broadcom",
"version": [
49,
57,
46,
48,
46,
51,
53,
46,
50,
32,
86,
69,
95,
49,
49,
95
],
"serial": [
65,
65,
49,
52,
52,
54,
70,
69,
48,
90,
87,
45,
48,
56,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0
]
},
"power_state": "L0 - Synchronized",
"xtse": [
0,
0,
0,
0,
0,
0,
0,
2
],
"annex": "B",
"standard": "G.993.2",
"profile": "17a",
"mode": "G.993.2 (VDSL2, Profile 17a, with down- and upstream vectoring)",
"upstream": {
"vector": true,
"trellis": true,
"bitswap": true,
"retx": true,
"virtual_noise": false,
"interleave_delay": 0,
"data_rate": 31999000,
"latn": 8.500000,
"satn": 8.400000,
"snr": 12.700000,
"actps": -90.100000,
"actatp": 13.400000,
"attndr": 37180000
},
"downstream": {
"vector": true,
"trellis": true,
"bitswap": true,
"retx": true,
"virtual_noise": false,
"interleave_delay": 140,
"data_rate": 89998000,
"latn": 9.500000,
"satn": 9.600000,
"snr": 13.300000,
"actps": -90.100000,
"actatp": -1.600000,
"attndr": 116315372
},
"errors": {
"near": {
"es": 1,
"ses": 0,
"loss": 3,
"uas": 424,
"lofs": 0,
"fecs": 0,
"hec": 0,
"ibe": 0,
"crc_p": 0,
"crcp_p": 0,
"cv_p": 0,
"cvp_p": 0,
"rx_corrupted": 27740,
"rx_uncorrected_protected": 27010,
"rx_retransmitted": 0,
"rx_corrected": 730,
"tx_retransmitted": 16222
},
"far": {
"es": 242,
"ses": 71,
"loss": 0,
"uas": 424,
"lofs": 0,
"fecs": 22687,
"hec": 0,
"ibe": 0,
"crc_p": 0,
"crcp_p": 0,
"cv_p": 0,
"cvp_p": 0,
"rx_corrupted": 1383552,
"rx_uncorrected_protected": 1220215,
"rx_retransmitted": 0,
"rx_corrected": 163337,
"tx_retransmitted": 1574051
}
}
}
Signed-off-by: Andre Heider <a.heider@gmail.com>
Tested-by: Martin Schiller <ms@dev.tdt.de>
|
| |
|
|
|
|
|
|
|
|
| |
procd sends sigterm to stop daemons, hook it up.
This speeds up the shutdown sequence and gets rid of the following message:
daemon.info procd: Instance dsl_control::instance1 pid 15408 not stopped on SIGTERM, sending SIGKILL instead
Signed-off-by: Andre Heider <a.heider@gmail.com>
Tested-by: Martin Schiller <ms@dev.tdt.de>
|
| |
|
|
|
|
|
|
|
|
| |
dnsmasq v2.84rc2 has been promoted to release.
No functional difference between v2.83test3 and v2.84/v2.84rc2
Backport 2 patches to fix the version reporting
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
| |
|
|
|
|
|
|
| |
Use new ubus-based hotplug call in dhcp-script.sh
As sysntpd now makes use of the new ubus-based hotplug calls, dnsmasq
no longer needs to ship ACL to cover ntpd-hotplug.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Multiple sources are hosted on OpenWrts source server only. The source
URLs to point to the server vary based on different epochs in OpenWrts
history.
Replace all by @OPENWRT which is an "empty" mirror, therefore using the
fallback servers sources.cdn.openwrt.org and sources.openwrt.org.
Signed-off-by: Paul Spooren <mail@aparcar.org>
|
| |
|
|
|
|
|
|
| |
Commit 7c8c4f1be648 ("hostapd: fix P2P group information processing
vulnerability") was missing the actual patch for the vulnerability.
Fixes: 7c8c4f1be648 ("hostapd: fix P2P group information processing vulnerability")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
|
|
|
|
| |
A vulnerability was discovered in how wpa_supplicant processing P2P
(Wi-Fi Direct) group information from active group owners.
This issue was discovered by fuzz testing of wpa_supplicant by Google's
OSS-Fuzz.
https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
| |
ChangeLog:
https://netfilter.org/projects/iptables/files/changes-iptables-1.8.7.txt
Refresh patch:
None required
Signed-off-by: Curtis Deptuck <curtdept@me.com>
|
| |
|
|
|
|
| |
8d8a8cd dhcpv6-ia: apply prefix_filter on dhcpv6
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
|
| |
|
|
|
|
|
|
| |
* i78aa36b umdns: fix 64-bit time format string
* start using $(AUTORELEASE)
* Update Copyright
Signed-off-by: Paul Spooren <mail@aparcar.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use the latest stable kernel since the previous 5.8.x series is EOL.
Also drop the following patches recently accepted upstream:
* 001-libbpf-ensure-no-local-symbols-counted-in-ABI-check.patch
* 002-libbpf-fix-build-failure-from-uninitialized-variable.patch
* 003-bpftool-allow-passing-BPFTOOL_VERSION-to-make.patch
* 004-v5.9-bpftool-use-only-ftw-for-file-tree-parsing.patch
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
dnsmasq v2.83 has a bug in handling duplicate queries which means it may
try to reply using the incorrect network socket. This is especially
noticeable in dual stack environments where replies may be mis-directed to
IPv4 addresses on an IPv6 socket or IPv6 addresses on an IPv4 socket.
This results in system log spam such as:
dnsmasq[16020]: failed to send packet: Network unreachable
dnsmasq[16020]: failed to send packet: Address family not supported by protocol
dnsmasq v2.84test3 resolves these issues.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is a helpful utility, but it does not have any dependencies
in this repository. Move it to packages feed.
The package does not seem to have a maintainer.
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Nick Hainke <vincent@systemli.org>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
| |
|
|
|
|
|
|
|
| |
This is a helpful utility, but it does not have any dependencies
in this repository. Move it to packages feed.
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Nick Hainke <vincent@systemli.org>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
| |
|
|
|
|
|
| |
This package is not needed in base. It will be imported in the packages
feed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
| |
|
|
|
|
|
| |
This package is not needed in base. It will be imported in the packages
feed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
| |
|
|
|
|
|
|
|
|
| |
The "cidr_contains6" functions clones the given cidr. The contains4
does not clone the cidr. Both functions do not behave the same.
I see no reason to push the cidr. I think that we get only a negligible
performance gain, but it makes ipv4 and ipv6 equal again.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
overflow in sort_rrset() when DNSSEC is used. This can allow a remote
attacker to write arbitrary data into target device's memory that can
lead to memory corruption and other unexpected behaviors on the target
device.
* CVE-2020-25682:
Dnsmasq versions before 2.83 is susceptible to buffer overflow in
extract_name() function due to missing length check, when DNSSEC is
enabled. This can allow a remote attacker to cause memory corruption
on the target device.
* CVE-2020-25683:
Dnsmasq version before 2.83 is susceptible to a heap-based buffer
overflow when DNSSEC is enabled. A remote attacker, who can create
valid DNS replies, could use this flaw to cause an overflow in a heap-
allocated memory. This flaw is caused by the lack of length checks in
rtc1035.c:extract_name(), which could be abused to make the code
execute memcpy() with a negative size in get_rdata() and cause a crash
in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
A lack of proper address/port check implemented in Dnsmasq version <
2.83 reply_query function makes forging replies easier to an off-path
attacker.
* CVE-2020-25685:
A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
versions before 2.83 reply_query function allows remote attackers to
spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
Multiple DNS query requests for the same resource name (RRNAME) by
Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
traffic, using a birthday attack (RFC 5452), that can lead to DNS
cache poisoning.
* CVE-2020-25687:
Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
remote attacker, who can create valid DNS replies, could use this flaw
to cause an overflow in a heap-allocated memory. This flaw is caused
by the lack of length checks in rtc1035.c:extract_name(), which could
be abused to make the code execute memcpy() with a negative size in
sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
Service.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
