| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This version fixes 3 low-severity vulnerabilities:
- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey
Patches were refreshed, PKG_SOURCE_URL was updated to match
openwrt-18.06, and Eneas U de Queiroz added as maintainer.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
| |
|
|
|
|
|
|
| |
Patch getting RAM info got upstreamed. A debugging fs entry for testing
reset feature was added.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 681acdcc54d2e59135bb706c38bed942f74ccf74)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since usign miscalculates SHA-512 digests for input sizes of exactly
64 + N * 128 + 110 or 64 + N * 128 + 111 bytes, we need to apply some
white space padding to avoid triggering the hashing edge case.
While usign itself has been fixed already, there is still many firmwares
in the wild which use broken usign versions to verify current package
indexes so we'll need to carry this workaround in the forseeable future.
Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Ref: https://git.openwrt.org/5a52b379902471cef495687547c7b568142f66d2
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit e1f588e446c7ceb696b644b37aeab9b3476e2a57)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This update fixes usign signature verification on files with certain
file sizes triggering a bug in the shipped SHA-512 implementation.
5a52b37 sha512: fix bad hardcoded constant in sha512_final()
3e6648b README: replace unicode character
716c3f2 README: add reference to OpenBSD signify
86d3668 README: provide reference for ed25519 algorithm
939ec35 usign: main.c: describe necessary arguments for -G
Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 991dd5a89340367920315a3fd0390a7423e6b34a)
|
| |
|
|
|
|
|
| |
This provides a complete console messages dump.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit f51e2d031e8125632487d2a0f56b9fa31b71e54f)
|
| |
|
|
|
|
|
| |
Use commits from wireless-drivers-next.git.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 95745e26b319c630a49d2b8284f8afeaa30506da)
|
| |
|
|
|
|
|
|
|
|
| |
This fixes:
1) Crash during USB disconnect
2) Crash in brcmf_txfinalize() on rmmod with packets queued
3) Some errors in exit path
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 8231f67218e584be61d32b24bd17cc55e500638c)
|
| |
|
|
|
|
| |
They were skipped due to missing BCDC patches that are backported now.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
|
|
|
|
| |
Those changes are needed for backporting more recent crash fixes. There
are quite many BCDC patches but it's hopefully a very well tested code
by now.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
| |
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
| |
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
| |
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
| |
Somehow perf depended on libunwind, and libunwind also builds on
aarch64.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
| |
This fixes multiple bugs and this security problem:
* CVE-2018-19608 Local timing attack on RSA decryption
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
- CVE-2019-11479
- CVE-2019-11478
- CVE-2019-11477
- CVE-2019-11833
- CVE-2019-11091
- CVE-2018-12126
- CVE-2018-12130
- CVE-2018-12127
- CVE-2019-3882
- CVE-2019-6974
- CVE-2019-3819
- CVE-2019-7221
- CVE-2019-7222
- CVE-2019-3701
- CVE-2018-19985
- CVE-2018-1120
And probably more
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
1) Crash/Oops fixes
2) One-line patch for BCM43456 support
3) Fix communication with some specific FullMAC firmwares
4) Potential fix for "Invalid packet id" errors
5) Important helper for reporting FullMAC firmware crashes
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 2cd234d96bd772119363a77a35bffa6a4931613e)
|
| |
|
|
|
|
|
|
| |
This avoids CVE-2019-9498 and CVE-2019-9499 in hostapd
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[DMARC removal, refreshed patches]
|
| |
|
|
|
|
|
|
|
|
|
| |
This fixes the following security problems:
1.0.2r:
* CVE-2019-1559: 0-byte record padding oracle
Signed-off-by: Daniel Bailey <dbailey@datto.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[fixed patch, refreshed patches]
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- Tested on Turris MOX, OpenWrt master
- Removed PKG_BUILD_DIR
In build_dir there were two folders
ca-certificates and ca-certificates-20190110 and it failed as files
were in ca-certificates-20190110
Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry-picked from commit: f22c33b40cc7b542b3b31fa0d873d28d3a3482b5)
|
| |
|
|
|
|
|
|
| |
remove myself as PKG_MAINTAINER
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry-picked from commit: c89195eb25a4dfd093f9d0d3b3adac896bb471ad)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL defaults X509_CERT_FILE to /etc/ssl/cert.pem. This change is
needed for wget-ssl and possibly others to work seamlessly with fresh
ca-bundle installation
Fixes openwrt/packages#6152
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry-picked from commit: 191078e83d127f5ed9a38366d2edaac49f9333c5)
|
| |
|
|
|
|
|
|
| |
ca-certificates: Update to Version 20180409
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry-picked from commit: 80cb5c5703d7778ee7390da1bcde4878a2349806)
|
| |
|
|
|
|
|
|
|
| |
Previous commit backported USB fixes instead of firmware crash recovery
patches.
Fixes: eaef74279c8f ("mac80211: brcmfmac: early work on FullMAC firmware crash recovery")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 2d2e615dee0421e126af9d4ebd49a720e341e3af)
|
| |
|
|
|
| |
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 02aed76968d60d254ab9d0d8768f0c54dbfc6d9d)
|
| |
|
|
|
|
|
|
|
| |
This backports the most important brcmfmac commits that:
1) Fix some bugs
2) Help debugging bugs
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit d32bbd747733de5daeb63a8f2c1307f612422f87)
|
| |
|
|
| |
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes a possible crash in the brcmf_fw_request_nvram_done():
[ 31.687293] Backtrace:
[ 31.689760] [<c004fb4c>] (__wake_up_common) from [<c004fc38>] (__wake_up_locked+0x1c/0x24)
[ 31.698043] r10:c6794000 r9:00000009 r8:00000001 r7:bf54dda0 r6:a0000013 r5:c78e7d38
[ 31.705928] r4:c78e7d3c r3:00000000
[ 31.709528] [<c004fc1c>] (__wake_up_locked) from [<c00502a8>] (complete+0x3c/0x4c)
[ 31.717148] [<c005026c>] (complete) from [<bf54590c>] (brcmf_fw_request_nvram_done+0x5c8/0x6a4 [brcmfmac])
[ 31.726818] r7:bf54dda0 r6:c6794000 r5:00001990 r4:c6782380
[ 31.732544] [<bf545344>] (brcmf_fw_request_nvram_done [brcmfmac]) from [<c0204e40>] (request_firmware_work_func+0x38/0x60)
[ 31.743607] r10:00000008 r9:c6bdd700 r8:00000000 r7:c72c3cd8 r6:c67f4300 r5:c6bda300
[ 31.751493] r4:c67f4300
[ 31.754046] [<c0204e08>] (request_firmware_work_func) from [<c0034458>] (process_one_work+0x1e0/0x318)
[ 31.763365] r4:c72c3cc0
[ 31.765913] [<c0034278>] (process_one_work) from [<c0035234>] (worker_thread+0x2f4/0x448)
[ 31.774107] r10:00000008 r9:00000000 r8:c6bda314 r7:c72c3cd8 r6:c6bda300 r5:c6bda300
[ 31.781993] r4:c72c3cc0
[ 31.784545] [<c0034f40>] (worker_thread) from [<c003984c>] (kthread+0x100/0x114)
[ 31.791949] r10:00000000 r9:00000000 r8:00000000 r7:c0034f40 r6:c72c3cc0 r5:00000000
[ 31.799836] r4:c735dc00 r3:c79ed540
[ 31.803438] [<c003974c>] (kthread) from [<c00097d0>] (ret_from_fork+0x14/0x24)
[ 31.810672] r7:00000000 r6:00000000 r5:c003974c r4:c735dc00
[ 31.816378] Code: e5b53004 e1a07001 e1a06002 e243000c (e5934000)
[ 31.822487] ---[ end trace a0ffbb07a810d503 ]---
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 83bcacb5215c21e1894fbe3d651d83948479ce91)
|
| |
|
|
|
|
|
|
|
|
| |
This fixes the following security problems:
* CVE-2018-5407: Microarchitecture timing vulnerability in ECC scalar multiplication
* CVE-2018-0734: Timing vulnerability in DSA signature generation
* Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module
Signed-off-by: Sven Roederer <freifunk@it-solutions.geroedel.de>
(backport of commit 989060478ae270885727d91c25b9b52b0f33743c)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
d217daf libopkg: fix replacelist parsing and writing
9dd9a07 libopkg: fix segmentation fault when traversing conflicts
34571ba libopkg: consider provided packages in pkg_vec_mark_if_matches()
18740e6 opkg_download: print error when fork() fails
e3d7330 libopkg: don't print unresolved dependencies twice
3b417b9 opkg_download: decode file:/ URLs
71c27cb file_util: implement urldecode_path()
d1fe095 file_util: consolidate hex/unhex routines
ebdfc12 add opkg option http_timeout
9f003e3 opkg: encode archive filenames while constructing download URLs
73e6c81 file_util: implement urlencode_path() helper
468158f libopkg: fix SHA256 calculation for big endian system
4bd8601 pkg_parse: fix segfault when parsing descriptions with leading newlines
52fc006 pkg_alternatives: pass if the desired symlink already exists
c668fce opkg: add --no-check-certificate argument
04e279e pkg_alternatives: use ERROR level for symlink failure
546bc72 pkg: alternatives support
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 1bd18f2b5cbf1c9c384e9725eff7804decf88c90)
|
| |
|
|
|
|
|
|
| |
As LEDE is rebranding to OpenWrt now, adjust the Git source references
accordingly.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit da95c9aa17814d691a7fed6e8297fb29c5600c27)
|
| |
|
|
|
|
|
|
|
|
|
| |
check_signature is a bool option and doesn't take any arguments. The
presence of the 1 falsely suggests setting it to 0 disables the check,
while the option actually needs to be removed or commented out to be
disabled. So remove the argument to make it more clear.
Fixes: beca028bd6bb ("build: add integration for managing opkg package feed keys")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
(backported from commit d3bf5ff9bc7b55b2a3dab93853b33a0cd2c4ca47)
|
| |
|
|
|
|
|
|
|
| |
This file is needed to properly use the tc ematch modules present in
kmod-sched-core and kmod-sched. It is a read-only index file of ematch
methods used only by tc.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
[cherry picked from commit 10a2ccb7fceef3a6dea4ece14e6141a807292d5f]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 7f694582 introduced a bug where default_postinst() often fails to
remove a uci-defaults script after application, leaving it to run again
after a reboot.
(Note: commit 7f694582 also introduced FS#1021, now fixed by 73c745f6)
The subtle problem arises from the shell logical chain:
[ -f "$i" ] && . "$i" && rm -f "$i"
Most uci-defaults scripts contain a terminal 'exit 0' statement which,
when sourced, results in the logic chain exiting before executing 'rm -f'.
This was observed while testing upgrades of 'luci-app-sqm'.
The solution is to wrap the shell sourcing in a subshell relative to the
command 'rm -f':
( [ -f "$i" ] && . "$i" ) && rm -f "$i"
Revert to using 'grep' to prefilter the list of entries from the control
file, which yields the full path of uci-defaults scripts. This allows
keeping the existence check, directory change and script sourcing inside
the subshell, with the script removal correctly outside.
This approach avoids adding a second subshell only around the "." (source)
command. The change also preserves the fix FS#1021, since the full path is
used to source the script, which is POSIX-portable irrespective of PATH
variable or reference to the CWD.
Run Tested on: LEDE 17.01.4 running ar71xx, while tracing installation of
package luci-app-sqm with its associated /etc/uci-defaults/luci-sqm file.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(backported from 4097ab6a975902b170dd7f7ac6c8025e5f32ef8d)
|
| |
|
|
|
|
|
|
|
|
|
| |
1) Using fwctx variable after brcmf_fw_request_done() was executed meant
accessing freed memory.
2) Using fwctx->completion for the wait_for_completion_timeout() call
could reuslt in NULL pointer dereference on fw loading error or if
brcmf_fw_request_done() was executed quickly enough.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 529c95cc15dc9fcc7709400cc921f2a3c03cd263)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
3aa81d0 file: access exec timeout via daemon ops structure
7235f34 plugin: store pointer to exec timeout value in the ops structure
ccd7c0a treewide: rename exec_timeout to rpc_exec_timeout
c79ef22 main: fix logic bug when not specifying a timeout option
2cc4b99 file: use global exec timeout instead of own hardcoded limit
ecd1660 exec: increase maximum execution time to 120s
41333ab uci: tighten uci reorder operation error handling
f91751b uci: tighten uci delete operation error handling
c2c612b uci: tighten uci set operation error handling
948bb51 uci: tighten uci add operation error handling
51980c6 uci: reject invalid section and option names
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Usage documentation for 'procd_send_signal' states "The signal is SIGHUP
by default, and must be specified by NAME." Make actual behaviour match
the stated documented behaviour.
https://wiki.openwrt.org/inbox/procd-init-scripts
Suggested-by: Jo-Philip Wich <jow@mein.io>
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 37bb463daa21e2c97365c6543b2bfdfe673c5baa)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The return value of a package prerm script is discarded and not returned
correctly by default_prerm(). This allows other operations like service
shutdown to "leak" their return value, prompting workarounds like commit
48cfc826 which do not address the root cause.
Preserve a package prerm script return value for use by default_prerm(),
sharing the corresponding code from default_postinst() for consistency.
Also use consistent code for handling of /etc/init.d/ scripts.
Run Tested on: LEDE 17.01.4 running ar71xx.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 8806da86f5da3b1b1e4d24259d168e2219c01a26)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cdfc902 cgi: escape url in 403 error output
0bba1ce uhttpd: fix building without TLS and Lua support
2ed3341 help: document -A option
fa5fd45 file: fix CPP syntax error
77b774b build: avoid redefining _DEFAULT_SOURCE
b741dec lua: support multiple Lua prefixes
952bf9d build: use _DEFAULT_SOURCE
30a18cb uhttpd: recognize PATCH, PUT and DELETE HTTP methods
796d42b client: flush buffered SSL output when tearing down client ustream
393b59e proc: expose HTTP Origin header in process environment
8109b95 file: escape strings in HTML output
d3b9560 utils: add uh_htmlescape() helper
db86175 lua: honour size argument in recv()
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
| |
3ba74eb uclient-http: properly handle HTTP redirects via proxy connections
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 0bd99db5118665bbe17f84427238c322af3deaae)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When restart is run on an init script, the script traps SIGTERM. This is
done as a workaround for scripts named the same name as the program they
start. In that case, the init script process will have the same name as
the program process, and so when the init script runs killall, it will
kill itself. So SIGTERM is trapped to make the init script unkillable.
However, the trap is retained when the init script runs start, and thus
processes started by restart will not respond to SIGTERM, and will thus
be unkillable unless you use SIGKILL. This fixes that by removing the
trap before running start.
Signed-off-by: Linus Kardell <linus@telliq.com>
(cherry picked from commit 2ac1a57677ce4e21513dca2a8efab1eb6e0a9c58)
|
| |
|
|
|
|
| |
4382c76 switch from typeof to the more portable __typeof__
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
|
|
|
|
|
|
| |
First one is a fix for reporting channels to the user space. Important
for users as they could try setting invalid channel and fail to start an
interface.
Later is a support for newer FullMAC chipset firmwares.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
|
|
| |
It helps debugging possible WARN-ings.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
|
| |
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit b50f162b3cce3d95874e4394f4765413f58765f1)
|
| |
|
|
|
|
| |
Include kernel version to help tracking changes.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently it's close to impossible to tell what part of mac80211 setup
went wrong. Errors logged into system log look like this:
radio0 (6155): command failed: No error information (-524)
radio0 (6155): command failed: Not supported (-95)
radio0 (6155): command failed: I/O error (-5)
radio0 (6155): command failed: Too many open files in system (-23)
With this commit change it's getting clear:
command failed: No error information (-524)
Failed command: iw dev wlan0 del
command failed: Not supported (-95)
Failed command: iw phy phy0 set antenna_gain 0
command failed: I/O error (-5)
Failed command: iw phy phy0 set distance 0
command failed: Too many open files in system (-23)
Failed command: iw phy phy0 interface add wlan0 type __ap
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit ffa80bf5a784a34b81e32144669f30560780bdb6)
|
| |
|
|
| |
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
| |
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
| |
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
| |
Patch 300-CVE-2015-8370.patch was added without proper rebasing on the
version used by OpenWrt, make it apply and refresh the patch to fix
compilation.
Fixes: 7e73e9128f ("grub2: Fix CVE-2015-8370")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 9ffbe84ea49fc643f41bfdf687de99aee17c9154)
|
