| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tavis has just reported, that he was recently trying to track down a
reproducible crash in a compressor. Believe it or not, it really was a
bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.
Tavis has reported it upstream, but it turns out the issue has been
public since 2018, but the patch never made it into a release. As far as
he knows, nobody ever assigned it a CVE.
Runtime tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.
Suggested-by: Tavis Ormandy <taviso@gmail.com>
References: https://www.openwall.com/lists/oss-security/2022/03/24/1
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit b3aa2909a79aeff20d594160b207a89dc807c033)
(cherry picked from commit 3965dda0fa70dc9408f1a2e55a3ddefde78bd50e)
(cherry picked from commit f65edc9b990c2bcc10c9e9fca29253adc6fe316d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a bugfix release. Changelog:
*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
forever for non-prime moduli. (CVE-2022-0778)
*) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
(RFC 5489) to the list of ciphersuites providing Perfect Forward
Secrecy as required by SECLEVEL >= 3.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
(cherry picked from commit e17c6ee62770005e398364ee5d955c9a8ab6f016)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenWrt uses a lot of (b)ash scripts for initial setup. This isn't the
best solution as they almost never consider syncing files / data. Still
this is what we have and we need to try living with it.
Without proper syncing OpenWrt can easily get into an inconsistent state
on power cut. It's because:
1. Actual (flash) inode and data writes are not synchronized
2. Data writeback can take up to 30 seconds (dirty_expire_centisecs)
3. ubifs adds extra 5 seconds (dirty_writeback_centisecs) "delay"
Some possible cases (examples) for new files:
1. Power cut during 5 seconds after write() can result in all data loss
2. Power cut happening between 5 and 35 seconds after write() can result
in empty file (inode flushed after 5 seconds, data flush queued)
Above affects e.g. uci-defaults. After executing some migration script
it may get deleted (whited out) without generated data getting actually
written. Power cut will result in missing data and deleted file.
There are three ways of dealing with that:
1. Rewriting all user-space init to proper C with syncs
2. Trying bash hacks (like creating tmp files & moving them)
3. Adding sync and hoping for no power cut during critical section
This change introduces the last solution that is the simplest. It
reduces time during which things may go wrong from ~35 seconds to
probably less than a second. Of course it applies only to IO operations
performed before /etc/init.d/boot . It's probably the stage when the
most new files get created.
All later changes are usually done using smarter C apps (e.g. busybox or
uci) that creates tmp files and uses rename() that is expected to be
atomic.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
(cherry picked from commit 9851d4b6ce6e89d164a04803817625a9041b060a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE powered sites or other sites utilizing
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts imposible:
$ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
Downloading 'https://letsencrypt.org'
Connecting to 18.159.128.50:443
Connection error: Invalid SSL certificate
Fixes: #9283
References: https://github.com/wolfSSL/wolfssl/issues/4879
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit b9251e3b407592f3114e739231088c3d27663c4c)
(cherry picked from commit b99d7aecc83fd180f7a3c3efaae00845e7a73129)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backporting following fixes:
a72457b61df0 libubus: increase stack depth for processing obj msgs
ef038488edc3 libubus: process pending messages in data handler if stack depth is 0
2099bb3ad997 libubus: use list_empty/list_first_entry in ubus_process_pending_msg
where at least commit 2099bb3ad997 ("libubus: use
list_empty/list_first_entry in ubus_process_pending_msg") fixes UAF
issue I've introduced in commit c5f2053dfcfd ("workaround possibly false
positive uses of memory after it is freed") while fixing another false
positive UAF reported[1] by clang's static analyzer.
Those fixes are being used in master/21.02 for about 6 months, so should
be tested enough and considered for backporting. I've runtested those
fixes on mvebu/turris-omnia and ipq40xx/glinet-b1300 devices.
1. https://openwrt.gitlab.io/-/project/ubus/-/jobs/2096090992/artifacts/build/scan/2022-02-15-150310-70-1/index.html
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is amalgamation of backported changes since 4.7.0-stable release:
Sergey V. Lobanov (2):
5b13b0b02c70 wolfssl: update to 5.1.1-stable
7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support
Andre Heider (3):
3f8adcb215ed wolfssl: remove --enable-sha512 configure switch
249478ec4850 wolfssl: always build with --enable-reproducible-build
4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
Ivan Pavlov (1):
16414718f9ae wolfssl: update to 4.8.1-stable
David Bauer (1):
f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng
Christian Lamparter (1):
86801bd3d806 wolfssl: fix Ed25519 typo in config prompt
The diff of security related changes we would need to backport would be
so huge, that there would be a high probability of introducing new
vulnerabilities, so it was decided, that bumping to latest stable
release is the prefered way for fixing following security issues:
* OCSP request/response verification issue. (fixed in 4.8.0)
* Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1)
* Issue with incorrectly validating a certificate (fixed in 5.0.0)
* Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0)
* Client side session resumption issue (fixed in 5.1.0)
* Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0)
* Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
| |
|
|
| |
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
| |
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
| |
This fixes some recent security problems in hostapd.
See here for details: https://w1.fi/security/2022-1
* CVE-2022-23303
* CVE-2022-23304
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes the following security problems:
* Zeroize several intermediate variables used to calculate the expected
value when verifying a MAC or AEAD tag. This hardens the library in
case the value leaks through a memory disclosure vulnerability. For
example, a memory disclosure vulnerability could have allowed a
man-in-the-middle to inject fake ciphertext into a DTLS connection.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
(out of memory). After that, calling mbedtls_ssl_session_free()
and mbedtls_ssl_free() would cause an internal session buffer to
be free()'d twice. CVE-2021-44732
The sizes of the ipk changed on MIPS 24Kc like this:
182454 libmbedtls12_2.16.11-2_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 57f38e2c827e3be71d8b1709073e366afe011985)
|
| |
|
|
|
|
|
|
|
|
| |
Switched to AUTORELEASE to avoid manual increments.
Release notes:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit fcfd741eb83520e496eb09de5f8b2f2b62792a80)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.
Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 18bdfc803bef00fad03f90b73b6e65c3c79cb397)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[rebased for OpenWrt 21.02 branch]
(cherry picked from commit 4dddb7ca3669e93d4da2b1ca43b8bc22bd007e48)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 8f5875c4e221453932f217a82f8c3092cacba3e5)
(cherry picked from commit 59e7ae8d65ab9a9315608a69565f6a4247d3b1ac)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a bugfix release. Changelog:
*) Avoid loading of a dynamic engine twice.
*) Fixed building on Debian with kfreebsd kernels
*) Prioritise DANE TLSA issuer certs over peer certs
*) Fixed random API for MacOS prior to 10.12
Patches were refreshed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 5beaa75d94c4a981c580905b84c7ef33caf0c3e2)
|
| |
|
|
|
|
|
|
| |
The following patch was backported from upstream before and is not
needed any more:
package/kernel/mac80211/patches/ath/980-ath10k-fix-max-antenna-gain-unit.patch
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When doing parallel build on a fast machine with bottleneck in i/o,
m_xt.so may start linking faster than dynsyms.list gets populated,
resulting in error:
ld:dynsyms.list:0: syntax error in dynamic list
Fix this by adding dynsyms.list as make dependency to m_xt.so
Described also here:
https://bugs.openwrt.org/index.php?do=details&task_id=3353
Change from v1:
- add dynsysms.list dependancy only when shared libs are enabled
Signed-off-by: Roman Yeryomin <roman@advem.lv>
Fixes: FS#3353
(cherry-picked from commit edd53df16843a0a6380920ed17b88bfe7d26d71b)
|
| |
|
|
|
|
|
| |
Follow up to commit 8fb714edd6e4340729e271139164a0163b027d68. Managed to
hit the very same issue again while playing with the NOR SPL builds.
Signed-off-by: Mathias Kresin <dev@kresin.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At least since gcc 7.3.0 (OpenWrt 18.06) lwr/lwl are used in the
assembly of LzmaProps_Decode. While the decission made by the compiler
looks perfect fine, it triggers some obscure hang on lantiq danube-s
v1.5 with MX29LV640EB NOR flash chips.
Only if the offset 1 is used, the hang can be observed. Using any other
offset works fine:
lwl s0,0(a1) - s0 == 0x6d000080
lwl s0,1(a1) - hangs
lwl s0,2(a1) - s0 == 0x0080xxxx
lwl s0,3(a1) - s0 == 0x80xxxxxx
It isn't clear whether it is a limitation of the flash chip, the EBU or
something else.
Force 8bit reads to prevent gcc optimizing the read with lwr/lwl
instructions.
Signed-off-by: Mathias Kresin <dev@kresin.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
e983a25 Update regulatory rules for Ecuador (EC)
a0bcb88 wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz
cdf854d wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz
86cba52 wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US
6fa2384 wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US
9839e1e wireless-regdb: recent FCC report and order allows 5850-5895 immediately
42dfaf4 wireless-regdb: update 5725-5850 MHz rule for GB
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit dbb4c47798b17112cb1eed2a309cdefd33b5f193)
|
| |
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit d76535c45e6e970b212744781431e152e90c1ce6)
|
| |
|
|
|
|
|
|
|
| |
Backport of u-boot commit "includes: move openssl headers to include/u-boot"
https://github.com/u-boot/u-boot/commit/2b9912e6a7df7b1f60beb7942bd0e6fa5f9d0167
Fixes: FS#3955
Signed-off-by: Alan Swanson <reiver@improbability.net>
(cherry picked from commit 8db641049292035604f0e1fb788608fdea879eca)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Refresh all patches.
This contains fixes for CVE-2020-3702
1. These patches (ath, ath9k, mac80211) were included in kernel
versions since 4.14.245 and 4.19.205. They fix security vulnerability
CVE-2020-3702 [1] similar to KrØØk, which was found by ESET [2].
Thank you Josef Schlehofer for reporting this problem.
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-3702
[2] https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
gcc 10 defaults to -fno-common, which causes an error
when linking.
Back-port the following Linux kernel commit to fix it:
e33a814e772c (scripts/dtc: Remove redundant YYLOC global declaration)
Tested on an Arch Linux host with gcc 10.1.0
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
(cherry picked from commit 8b870418f18d86761247633e57560ffa1c2485d0)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:
HOSTLD scripts/dtc/dtc
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
collect2: error: ld returned 1 exit status
The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").
Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:
HOSTLD scripts/dtc/dtc
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
collect2: error: ld returned 1 exit status
The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").
Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
| |
|
|
|
|
|
| |
Backport a patch from upstream U-Boot to fix the compile with host GCC 10.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 8d143784cb8fafccdbcdc0bd5d1aa47d3d676f70)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:
HOSTLD scripts/dtc/dtc
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
collect2: error: ld returned 1 exit status
The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").
Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:
HOSTLD scripts/dtc/dtc
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
collect2: error: ld returned 1 exit status
The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").
Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This version fixes two vulnerabilities:
- SM2 Decryption Buffer Overflow (CVE-2021-3711)
Severity: High
- Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Severity: Medium
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This sets the --cross-compile-prefix option when running Configure, so
that that it will not use the host gcc to figure out, among other
things, compiler defines. It avoids errors, if the host 'gcc' is
handled by clang:
mips-openwrt-linux-musl-gcc: error: unrecognized command-line option
'-Qunused-arguments'
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 2f75348923e564f1b73fbc32f7cabc355cd6e2b9)
|
| |
|
|
| |
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
| |
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
| |
This update cherry picks following fix:
* ubusd: fix tx_queue linked list usage
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This update cherry picks following changes:
* cmake: add a possibility to set library version
* ubusd: protect against too-short messages
* ubusd: add per-client tx queue limit
* ubusd: convert tx_queue to linked list
* lua: avoid truncation of large numeric values
Fixes: FS#1525
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a support for setting of new `ABIVERSION` CMake define which allows
to control the SOVERSION used for the built shared library. This is
needed for downstream packaging to properly track breaking ABI changes
when updating to newer versions of the library.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(backported from commit 8edb1797d55d259c6eda18c89784f152328436fc)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This rebases -ct changes on top of upstream stable kernel's latest code.
Including the wifi security fixes that recently went in.
Removed upstreamed 203-ath10k-Limit-available-channels-via-DT-ieee80211-fre.patch
and refreshed patches.
Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [backport]
(backported from commit 2e10ed925e1e07c28570731a429efa5e7de3b826)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The zoneinfo packages are not installed per default so neither
/tmp/localtime nor /tmp/TZ is generated.
This patch mostly reverts the previous fix and instead incooperates a
solution suggested by Jo.
Fixes "base-files: fix zoneinfo support " 8af62ed
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 56bdb6bb9781f8a0bbec5fc3075b9d2b8d12f9a8)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The system init script currently sets /tmp/localinfo when zoneinfo is
populated. However, zoneinfo has spaces in it whereas the actual files
have _ instead of spaces. This made the if condition never return true.
Example failure when removing the if condition:
/tmp/localtime -> /usr/share/zoneinfo/America/Los Angeles
This file does not exist. America/Los_Angeles does.
Ran through shfmt -w -ci -bn -sr -s
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 8af62ede189aa504135db05474d34c9f8a1ed35d)
|
| |
|
|
|
|
|
|
|
|
| |
The user can now enable the ACK timeout estimation algorithm (dynack)
for drivers that support it.
It is also expected that the distance config accepts the same values as:
$ iw phyX set distance XXX
Signed-off-by: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
(cherry picked from commit a8a1ef856871dc8403ea9c0a3bb347c7120b0e65)
|
| |
|
|
| |
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
| |
The underlying logread process uses usock() to handle remote connections
which is able to handle both hostnames and IP addresses.
Ref: https://github.com/openwrt/luci/issues/5077
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit ec83fb9ced138b7945135adffb9ff0ba63b695ec)
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the OpenWrt 19.07
feeds and the 21.02 feeds to allow checking the next release.
If one of the other keys would be compromised this would not affect
users of 19.07 release builds.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
| |
49283916005d usign: add 21.02 release build pubkey
bc4d80f064f2 gpg: add OpenWrt 21.02 signing key
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 1bf6d70e60fdb45d81a8f10b90904cef38c73f70)
|
| |
|
|
|
|
| |
The removed patches were applied upstream.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
| |
This backports a fix from dropbear 2020.81.
CVE-2020-36254 description:
scp.c in Dropbear before 2020.79 mishandles the filename of . or an empty filename, a related issue to CVE-2018-20685.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fixes two related security vulnerabilities (CVE-2020-15078) which under
very specific circumstances allow tricking a server using delayed
authentication (plugin or management) into returning a PUSH_REPLY before
the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.
This release also includes other bug fixes and improvements.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is primarily a maintenance release with bugfixes and improvements.
This release also fixes a security issue (CVE-2020-11810) which allows
disrupting service of a freshly connected client that has not yet
negotiated session keys. The vulnerability cannot be used to
inject or steal VPN traffic.
Release announcement:
https://openvpn.net/community-downloads/#heading-13812
Full list of changes:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry-picked from commit d7e98bd7c5316f95cc11635371a39c6c0e18b9a7)
|
| |
|
|
|
|
|
|
|
|
|
| |
Backport two upstream commits that allow building
openvpn-openssl without OpenSSLs deprecated APIs.
Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry-picked from commit bf43e5bbf91ca1a90df8dae3e2cce6bbb61d5cd9)
|
| |
|
|
|
|
|
|
|
| |
This patch is already included in ppp-2.4.9 which is used in openwrt
master.
Backport this patch to openwrt-19.07.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
|
| |
|
|
|
|
|
| |
Refreshed all patches.
Includes all fixes up to 4.19.184
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
|
