aboutsummaryrefslogtreecommitdiffstats
path: root/package
Commit message (Collapse)AuthorAgeFilesLines
* OpenWrt v19.07.4: adjust config defaultsv19.07.4Hauke Mehrtens2020-09-071-2/+2
| | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* ath10k-ct-firmware: update firmware imagesMichael Yartys2020-09-061-21/+21
| | | | | | | | | | | | | | | | Not a large change from last time, but should fix at least one rare wave-2 crash. Tested on Netgear R7800. Signed-off-by: Michael Yartys <michael.yartys@gmail.com> Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com> (cherry picked from commit 91aab77bf1ce91b0e60e720eb147c94a02c1f2fd) [adapt variables and package names] [remove changes to non-full htt-mgt variants because we did not backport a882bfce052e ("ath10k-ct-firmware: add htt-mgt variants")] Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> Tested-by: Baptiste Jonglez <git@bitsofnetworks.org> [QCA9886, QCA9887]
* ath10k-ct-firmware: update firmware imagesÁlvaro Fernández Rojas2020-09-061-25/+25
| | | | | | | | | | No release notes this time. Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com> (cherry picked from commit 06f510df6e2aa0b1e40124bbd758672458d01482) [adapt variables and package names because we did not backport 2e5e9b459ed5 ("ath10k-ct-firmware: rename ct-htt packages")] Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
* ath10k-firmware: move CT firmwares to new packageÁlvaro Fernández Rojas2020-09-062-446/+524
| | | | | Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com> (cherry picked from commit 658e68f85c2645e0132edc6b30a9c76cc17292de)
* ath10k-firmware: update ath10k-ct firmware imagesÁlvaro Fernández Rojas2020-09-061-24/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Release notes for 017: Wave-1: * March 19, 2020: Fix problem where power-save was not enabled when going off-channel to scan. The problem was a boolean logic inversion in the chmgr code, a regression I introduced a long time ago. * March 19, 2020: When scanning only on current working channel, do not bother with disable/enable powersave. This should make an on-channel scan less obtrusive than it was previously. * March 23, 2020: Fix channel-mgr use-after-free problem that caused crashes in some cases. The crash was exacerbated by recent power-save changes. * March 23, 2020: Fix station-mode power-save related crash: backported the fix from 10.2 QCA firmware. * March 23, 2020: Attempt to better clean up power-save objects and state, especially in station mode. Release notes for 016: Wave-1 changes, some debugging code for a crash someone reported, plus: * February 28, 2020: Fix custom-tx path when sending in 0x0 for rate-code. Have tries == 0 mean one try but NO-ACK (similar to how wave-2 does it). wave-2: * Fixed some long-ago regressions related to powersave and/or multicast. Maybe fix some additional multicast and/or tx-scheduling bugs. Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com> Acked-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 84f4a783c6987fd9d67c089a76e2f90b7491f446)
* ath10k-firmware: update ath10k-ct firmwareMichael Yartys2020-09-061-24/+24
| | | | | | | | | | | | | | | This supports better per-chain noise floor reporting, which in turn allows for better RSSI reporting in the driver. Wave-2 fixes a long-standing rate-ctrl problem when connected to xbox (and probably other devices). Wave-2 has fix for crash likely related to rekeying. Wave-1 has some debugging code added where a user reported a crash. Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq806x+qca9984,ipq4019+qca9986] Signed-off-by: Michael Yartys <michael.yartys@protonmail.com> (cherry picked from commit 18622638831707038556b9b8bd5a0b4d4a53ce53)
* ath10k-firmware: update Candela Tech firmware imagesStefan Lippers-Hollmann2020-09-061-20/+20
| | | | | | | | | | | | | | | | | | The release notes since last time for wave-1: * No changes to wave-1, but I make a version .014 copy anyway to keep the makefile in sync. The release notes since last time for wave-2: * December 16, 2019: Wave-2 has a fix to make setting txpower work better. Before setting the power was ignored at least some of the time (it also appeared to work mostly, so I guess it was being correctly set in other ways). Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> (cherry picked from commit 65982642668e859540b21c2bd3bf907493df830a)
* hostapd: Fix compile errors after wolfssl updateHauke Mehrtens2020-09-041-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following compile errors after the wolfssl 4.5.0 update: LD wpa_cli ../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject': ../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'? type = GEN_EMAIL; ^~~~~~~~~ ENAVAIL ../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is reported only once for each function it appears in ../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first use in this function) type = GEN_DNS; ^~~~~~~ ../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first use in this function) type = GEN_URI; ^~~~~~~ ../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event': ../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'? if (gen->type != GEN_EMAIL && ^~~~~~~~~ ENAVAIL ../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first use in this function) gen->type != GEN_DNS && ^~~~~~~ ../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first use in this function) gen->type != GEN_URI) ^~~~~~~ Makefile:2029: recipe for target '../src/crypto/tls_wolfssl.o' failed Fixes: 00722a720c77 ("wolfssl: Update to version 4.5.0") Reported-by: Andre Heider <a.heider@gmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit bc19481826e0da9119945eaae4f25736306f023b)
* wolfssl: Update to version 4.5.0Hauke Mehrtens2020-09-023-4/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * In earlier versions of wolfSSL there exists a potential man in the middle attack on TLS 1.3 clients. * Denial of service attack on TLS 1.3 servers from repetitively sending ChangeCipherSpecs messages. (CVE-2020-12457) * Potential cache timing attacks on public key operations in builds that are not using SP (single precision). (CVE-2020-15309) * When using SGX with EC scalar multiplication the possibility of side- channel attacks are present. * Leak of private key in the case that PEM format private keys are bundled in with PEM certificates into a single file. * During the handshake, clear application_data messages in epoch 0 are processed and returned to the application. Full changelog: https://www.wolfssl.com/docs/wolfssl-changelog/ Fix a build error on big endian systems by backporting a pull request: https://github.com/wolfSSL/wolfssl/pull/3255 The size of the ipk increases on mips BE by 1.4% old: libwolfssl24_4.4.0-stable-2_mips_24kc.ipk: 386246 new: libwolfssl24_4.5.0-stable-1_mips_24kc.ipk: 391528 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 00722a720c778e623d6f37af3a3b4e43b29c3fe8)
* wolfssl: use -fomit-frame-pointer to fix asm errorEneas U de Queiroz2020-09-021-2/+2
| | | | | | | | | | | | 32-bit x86 fail to compile fast-math feature when compiled with frame pointer, which uses a register used in a couple of inline asm functions. Previous versions of wolfssl had this by default. Keeping an extra register available may increase performance, so it's being restored for all architectures. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 750d52f6c90e2a144c250779741607f0cb306a94)
* wolfssl: update to 4.4.0-stableEneas U de Queiroz2020-09-021-2/+2
| | | | | | | | | | | | | This version adds many bugfixes, including a couple of security vulnerabilities: - For fast math (enabled by wpa_supplicant option), use a constant time modular inverse when mapping to affine when operation involves a private key - keygen, calc shared secret, sign. - Change constant time and cache resistant ECC mulmod. Ensure points being operated on change to make constant time. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 3481f6ffc79f46fc7ba86a4cc15ad958e99b5a82)
* mbedtls: update to 2.16.8Magnus Kroken2020-09-022-25/+25
| | | | | | | | | | | | | | | | | | This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most notable of them are described in more detail in the security advisories. * Local side channel attack on RSA and static Diffie-Hellman * Local side channel attack on classical CBC decryption in (D)TLS * When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. Full release announcement: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit 66893063abf56b7d8c21eceed56e5d27859eaaea)
* mac80211: Fix potential endless loopHauke Mehrtens2020-08-301-0/+31
| | | | | | | Backport a fix from kernel 5.8.3. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit ca5ee6eba34593ec9f8b5b195c94cf6c3f6ff914)
* mbedtls: update to 2.16.7Magnus Kroken2020-08-272-27/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07 * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some changes to the download URLs are required. For the time being, the ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS. Signed-off-by: Magnus Kroken <mkroken@gmail.com> [Use https://codeload.github.com and new tar.gz file] Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 201d6776a0b5858b8ce43a2392c9fe48aa1c4dd7)
* busybox: delete redundant patchMagnus Kroken2020-08-122-14/+1
| | | | | | | | | | | This problem has been fixed in upstream commit 6b6a3d9339f1c08efaa18a7fb7357e20b48bdc95. This patch now (harmlessly) adds the same definition a second time. Signed-off-by: Magnus Kroken <mkroken@gmail.com> [bump PKG_RELEASE] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 4165232c45df224f32a94f43b9938d13d643b2a8)
* mac80211: Fix build on mpc85xx targetHauke Mehrtens2020-08-112-1/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following compile error seen on the mpc85xx target: CC [M] /linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.o In file included from /builder/shared-workdir/build/staging_dir/toolchain-powerpc_8540_gcc-8.4.0_musl/include/stddef.h:17, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/include/uapi/linux/wireless.h:77, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/include/linux/wireless.h:13, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.c:89: /builder/shared-workdir/build/staging_dir/toolchain-powerpc_8540_gcc-8.4.0_musl/include/bits/alltypes.h:106:15: error: conflicting types for 'ptrdiff_t' typedef _Addr ptrdiff_t; ^~~~~~~~~ In file included from /linux-mpc85xx_p2020/backports-5.7-rc3-1/backport-include/linux/types.h:4, from ./include/linux/list.h:5, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/backport-include/linux/list.h:3, from ./include/linux/module.h:9, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/backport-include/linux/module.h:3, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.c:79: ./include/linux/types.h:65:28: note: previous declaration of 'ptrdiff_t' was here typedef __kernel_ptrdiff_t ptrdiff_t; ^~~~~~~~~ scripts/Makefile.build:265: recipe for target '/linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.o' failed Fixes: d6b158b86981 ("mac80211: Update to 4.19.137-1") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 04b1a11f5ca72a741493addca1b1ae093f37934f)
* mac80211: Update to 4.19.137-1Hauke Mehrtens2020-08-1127-64/+64
| | | | | | | b43 and b43legacy now support ieee80211w, hardware crypto will be deactivated in such cases. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* uboot-envtools: ar71xx: add ZyXEL NBG6616 uboot env supportChristoph Krapp2020-08-101-0/+1
| | | | | | | | | This adds support for ZyXEL NBG6616 uboot-env access Signed-off-by: Christoph Krapp <achterin@googlemail.com> [add "ar71xx" to commit title] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit eb95ca3b5c8b33e3212896f906922eba5f72abb3)
* hostapd: add wpad-basic-wolfssl variantPetr Štetiar2020-08-102-0/+16
| | | | | | | | | | Add package which provides size optimized wpad with support for just WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w. Signed-off-by: Petr Štetiar <ynezz@true.cz> [adapt to recent changes, add dependency for WPA_WOLFSSL config] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit c487cf8e94cbdf582dfc3c2bdaab913a146a2100)
* hostapd: reorganize config selection hierarchy for WPA3Adrian Schmutzler2020-08-101-16/+18
| | | | | | | | | | | | | | | | | | | | | The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is exceptionally hard to read. This tries to make things a little easier by inverting the hierarchy of the conditions, so SSL_VARIANT is checked first and LOCAL_VARIANT is checked second. This exploits the fact that some of the previous conditions were unnecessary, e.g. there is no hostapd-mesh*, so we don't need to exclude this combination. It also should make it a little easier to see which options are actually switched by SSL_VARIANT and which by LOCAL_VARIANT. The patch is supposed to be cosmetic. However, the improvement for readers and the maintained consistency with master qualify this for backporting. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit c4dd7fc23bfcf3b3f1a838668bb070edc9db5d4b)
* hostapd: improve TITLE for packagesAdrian Schmutzler2020-07-301-25/+33
| | | | | | | | | | | | | | | For a few packages, the current TITLE is too long, so it is not displayed at all when running make menuconfig. Despite, there is no indication of OpenSSL vs. wolfSSL in the titles. Thus, this patch adjusts titles to be generally shorter, and adds the SSL variant to it. While at it, make things easier by creating a shared definition for eapol-test like it's done already for all the other flavors. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 917980fd8a6589d6911797211f1871016f527f8c)
* curl: patch CVE-2020-8169Jan Pavlinec2020-07-292-1/+39
| | | | | | | | | | | Affected versions: curl 7.62.0 to and including 7.70.0 https://curl.haxx.se/docs/CVE-2020-8169.html Run tested on Omnia with OpenWrt 19.07 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz> [added missing commit description] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* firewall: backport patch for mss clamping in both directionsYousong Zhou2020-07-262-1/+34
| | | | Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* vxlan: bump and change to PKG_RELEASEAdrian Schmutzler2020-07-171-1/+1
| | | | | | | | | | | | | | Bumping package version has been overlooked in a previous commit. While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter is meant for upstream version number only. (The effective version string for the package would be "3" in both cases, so there is no harm done for version comparison.) Fixes: 0453c3866feb ("vxlan: fix udp checksum control") Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit b29d620ed2521fe6fda40ddafe6cb0f1d70e4503)
* vxlan: fix udp checksum controlJohannes Kimmel2020-07-171-0/+2
| | | | | | | | | | | | So far, passing "rxcsum" and "txcsum" had no effect. Fixes: 95ab18e0124e ("vxlan: add options to enable and disable UDP checksums") Signed-off-by: Johannes Kimmel <fff@bareminimum.eu> [add Fixes:] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 0453c3866feb701160bbab4ecf9762c5a3038503)
* nghttp2: bump to 1.41.0Hans Dedecker2020-07-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 8f7b008b Update bash_completion 83086ba9 Update manual pages c3b46625 Merge pull request from GHSA-q5wr-xfw9-q7xr 3eecc2ca Bump version number to v1.41.0, LT revision to 34:0:20 881c060d Update AUTHORS f8da73bd Earlier check for settings flood 336a98fe Implement max settings option ef415836 Revert "Add missing connection error handling" 979e6c53 Merge pull request #1459 from nghttp2/proxyprotov2 b7d16101 Add missing connection error handling cd53bd81 Merge pull request #1460 from gportay/patch-1 e5625b8c Fix doc c663349f integration: Add PROXY protocol v2 tests 854e9fe3 nghttpx: Always call init_forwarded_for c60ea227 Update doc 49cd8e6e nghttpx: Add PROXY-protocol v2 support 3b17a659 Merge pull request #1453 from Leo-Neat/master 600fcdf5 Merge pull request #1455 from xjtian/long_serials 4922bb41 static_cast size parameter in StringRef constructor to size_t aad86975 Fix get_x509_serial for long serial numbers dc7a7df6 Adding CIFuzz b3f85e2d Merge pull request #1444 from nghttp2/fix-recv-window-flow-control-issue ffb49c6c Merge pull request #1435 from geoffhill/master 2ec58551 Fix receiving stream data stall 459df42b Merge pull request #1442 from nghttp2/upgrade-llhttp a4c1fed5 Bump llhttp to 2.0.4 866eadb5 Enable session_create_idle_stream test, fix errors 5e13274b Fix typo e0d7f7de h2load: Allow port in --connect-to df575f96 h2load: add --connect-to option 1fff7379 clang-format-9 b40c6c86 Merge pull request #1418 from vszakats/patch-1 9bc2c75e lib/CMakeLists.txt: Make hard-coded static lib suffix optional 2d5f7659 Bump up version number to 1.41.0-DEV Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> Note this is cherry-pick from master. It fixes CVE-2020-11080 and https://github.com/nxhack/openwrt-node-packages/issues/679 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* wireguard: bump to 1.0.20200611Stijn Segers2020-07-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This bump fixes breakage introduced by kernel commit 8ab8786f78c3fc930f9abf6d6d85e95567de4e1f, which is part of the 4.14.181 kernel bump, and backported ip6_dst_lookup_flow to 4.14. This breaks the older WireGuard version currently in 19.07. For reference, the compilation error is the one below: build_dir/target-x86_64_musl/linux-x86_64/wireguard-linux-compat-1.0.20200506/src/compat/compat.h:104:42: error: 'const struct ipv6_stub' has no member named 'ipv6_dst_lookup'; did you mean 'ipv6_dst_lookup_flow'? #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst Changelogs below taken from the official release announcements. == Changes since v1.0.20200506 == This release aligns with the changes I sent to DaveM for 5.7-rc7 and were pushed to net.git about 45 minutes ago. * qemu: use newer iproute2 for gcc-10 * qemu: add -fcommon for compiling ping with gcc-10 These enable the test suite to compile with gcc-10. * noise: read preshared key while taking lock Matt noticed a benign data race when porting the Linux code to OpenBSD. * queueing: preserve flow hash across packet scrubbing * noise: separate receive counter from send counter WireGuard now works with fq_codel, cake, and other qdiscs that make use of skb->hash. This should significantly improve latency spikes related to buffer bloat. Here's a before and after graph from some data Toke measured: https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png * compat: support RHEL 8 as 8.2, drop 8.1 support * compat: support CentOS 8 explicitly * compat: RHEL7 backported the skb hash renamings The usual RHEL churn. * compat: backport renamed/missing skb hash members The new support for fq_codel and friends meant more backporting work. * compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4 == Changes since v1.0.20200611 == * qemu: always use cbuild gcc rather than system gcc * qemu: remove -Werror in order to build ancient kernels better * qemu: patch kernels that rely on ancient make * qemu: force 2MB pages for binutils 2.31 * qemu: use cbuild gcc for avx512 exclusion * qemu: add extra fill in idt handler for newer binutils * qemu: support fetching kernels for arbitrary URLs * qemu: patch in UTS_UBUNTU_RELEASE_ABI for Ubuntu detection * qemu: work around broken centos8 kernel * qemu: mark per_cpu_load_addr as static for gcc-10 Our qemu test suite can now handle more kernels and more compilers. Scroll down to the bottom of https://www.wireguard.com/build-status/ to see the expanded array of kernels we now test against, including some distro kernels. * compat: widen breadth of integer constants * compat: widen breadth of memzero_explicit backport * compat: backport skb_scrub_packet to 3.11 * compat: widen breadth of prandom_u32_max backport * compat: narrow the breadth of iptunnel_xmit backport * compat: backport iptunnel_xmit to 3.11 With the expanded qemu test suite, it was possible to expand our list of mainline kernels, so the backport compat layer is now more precise. * compat: ubuntu appears to have backported ipv6_dst_lookup_flow * compat: bionic-hwe-5.0/disco kernel backported skb_reset_redirect and ipv6 flow Ubuntu kernels changed recently, so this ensures we can compile with the latest Ubuntu releases. * compat: remove stale suse support Signed-off-by: Stijn Segers <foss@volatilesystems.org> (cherry picked from commit 1fd1f5e8cff18f97675ce303b05d411136b99fb0)
* mac80211: fix use of local variableLeon M. George2020-06-301-1/+1
| | | | | | | | | | | mac80211_get_addr is called from mac80211_generate_mac, where the local variable initialisation id="${macidx:-0}" suggests that macidx is not always defined. Probably, idx was supposed to be used instead of $(($macidx + 1)). Fixes: 4d99db168cf7 ("mac80211: try to get interface addresses from wiphy sysfs 'addresses' if no mask is set") Signed-off-by: Leon M. George <leon@georgemail.eu> (cherry picked from commit 8f95220bcb554b1b668114e5264ebce4028c5f93)
* libnetfilter-queue: fix package title and descriptionCatalin Patulea2020-06-281-3/+3
| | | | | | | | | | | The original text was copy/pasted from some other package. Adjust the package title and description to match the description on the publishers page. Signed-off-by: Catalin Patulea <catalinp@google.com> [slightly adjust content and commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 492a6594b97e765a2a93fadbe23534ae94f710fa)
* base-files: remove urandom-seed definitionSungbo Eo2020-06-281-9/+0
| | | | | | | | | urandom-seed has a separate Makefile, we can safely remove the definition here. Fixes: 27bfde9c9f78 ("base-files: move urandom seed bits into separate package") Signed-off-by: Sungbo Eo <mans0n@gorani.run> (cherry picked from commit 46a6586c83e029446ea35b02a328e5f7935d4a9f)
* uclient: update to 19.07 Git HEADJo-Philipp Wich2020-06-171-3/+3
| | | | | | | | 51e16eb uclient-fetch: add option to read POST data from file 99aebe3 uclient: Add string error function Fixes: 0c910d8459 ("uclient: Update to version 2020-06-17") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "uclient: Update to version 2020-06-17"Jo-Philipp Wich2020-06-171-3/+3
| | | | | | | | | This reverts commit 0c910d845941b1df9c78a5039c1658e676c409be. We cannot use uclient Git HEAD as-is on 19.07 due to an older version of the ustream-ssl API. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* uclient: Update to version 2020-06-17Daniel Golle2020-06-171-3/+3
| | | | | | | | | | | | fef6d3d uclient: Add string error function af585db uclient-fetch: support specifying advertised TLS ciphers c660986 uclient-fetch: add option to read POST data from file Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry-squashed from commits 05145ffbefc71a94c1692dfb8ac440bc67974ded 98017228ddd5ce41a63da20b78f5d2e30c87c494 dd166960f48580bf6d4a8dde071b96832bfd9e1f 8e98613f4da82628cdb490c8202b56dc989e088b)
* ca-certificates: update to version 20200601Christian Lamparter2020-06-091-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch updates the ca-certificates and ca-bundle package. This version changed the files directory again, to work/, so PKG_BUILD_DIR was brought back. A list of changes from Debian's change-log entry for 20200601 [0]: * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.40. Closes: #956411, #955038 * mozilla/blacklist.txt Add distrusted Symantec CA list to blacklist for explicit removal. Closes: #911289 Blacklist expired root certificate, "AddTrust External Root" Closes: #961907 The following certificate authorities were added (+): + "Certigna Root CA" + "emSign ECC Root CA - C3" + "emSign ECC Root CA - G3" + "emSign Root CA - C1" + "emSign Root CA - G1" + "Entrust Root Certification Authority - G4" + "GTS Root R1" + "GTS Root R2" + "GTS Root R3" + "GTS Root R4" + "Hongkong Post Root CA 3" + "UCA Extended Validation Root" + "UCA Global G2 Root" The following certificate authorities were removed (-): - "AddTrust External Root" - "Certinomis - Root CA" - "Certplus Class 2 Primary CA" - "Deutsche Telekom Root CA 2" - "GeoTrust Global CA" - "GeoTrust Primary Certification Authority" - "GeoTrust Primary Certification Authority - G2" - "GeoTrust Primary Certification Authority - G3" - "GeoTrust Universal CA" - "thawte Primary Root CA" - "thawte Primary Root CA - G2" - "thawte Primary Root CA - G3" - "VeriSign Class 3 Public Primary Certification Authority - G4" - "VeriSign Class 3 Public Primary Certification Authority - G5" - "VeriSign Universal Root Certification Authority" [0] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20200601_changelog> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (cherry picked from commit f611b014a713d82d7c7da4c171f3aa04a8984063)
* qos-scripts: fix interface resolvingJo-Philipp Wich2020-05-292-8/+14
| | | | | | | | | Also ensure that the error message is actually printed to stderr and that the rule generation is aborted if an interface cannot be resolved. Ref: https://github.com/openwrt/luci/issues/3975 Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 559b3384666bbc6e4e9e6d86cf54bd88d30b341f)
* broadcom-wl: don't inherit lock descriptor in nas processJo-Philipp Wich2020-05-282-2/+5
| | | | | | | | | | | | Add a local hack to prevent the Broadcom WPA authenticator process from inheriting the lock descriptor 1000 used to prevent concurrent executions of the init script. Without this fix, repeated invocations of /etc/init.d/network, e.g. for obtaining the enabled state, would hang forever. Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit a03d6d2fab13c478a0f6cfc3082bec141f2adcf1)
* rpcd: update to latest openwrt-19.07 Git HEADJo-Philipp Wich2020-05-261-4/+4
| | | | | | | 67c8a3f uci: reset uci_ptr flags when merging options during section add 970ce1a session: deny access if password login is disabled Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "rpcd: update to latest Git HEAD"Jo-Philipp Wich2020-05-261-4/+4
| | | | | | | | This reverts commit adf5d753eff2385063555da8bd4323e69311752a. Reverting this commit because it relies on a changed libiwinfo API. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* rpcd: update to latest Git HEADJo-Philipp Wich2020-05-261-4/+4
| | | | | | | | 078bb57 uci: reset uci_ptr flags when merging options during section add 3df62bc session: deny access if password login is disabled efe51f4 iwinfo: add current hw and ht mode to info call Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* libubox: update to the latest versionFelix Fietkau2020-05-261-3/+3
| | | | | | | | | | | 86818eaa976b blob: make blob_parse_untrusted more permissive cf2e8eb485ab tests: add fuzzer seed file for crash in blob_len c2fc622b771f blobmsg: fix length in blobmsg_check_array 639c29d19717 blobmsg: simplify and fix name length checks in blobmsg_check_name 66195aee5042 blobmsg: fix missing length checks Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit b371182d2450b3c4f15cbe790351d92a2a7b5a67)
* libubox: update to the latest masterRafał Miłecki2020-05-261-3/+3
| | | | | | | | | | | 5e75160 blobmsg: fix attrs iteration in the blobmsg_check_array_len() eeddf22 tests: runqueue: try to fix race on GitLab CI 89fb613 libubox: runqueue: fix use-after-free bug 1db3e7d libubox: runqueue fix comment in header 7c4ef0d tests: list: add test case for list_empty iterator Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit a765b063ee3e1dd6519f6a4a9e4d4f72214b33b8)
* hostapd: backport wolfssl bignum fixesDaniel Golle2020-05-254-1/+107
| | | | | | | | | crypto_bignum_rand() use needless time-consuming filtering which resulted in SAE no longer connecting within time limits. Import fixes from hostap upstream to fix that. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 631c437a91c20df678b25dcc34fe23636116a35a)
* ucert: update to latest git HEADMatthias Schiffer2020-05-241-3/+3
| | | | | | | | | | | | | | | | | | | | 00b921d80ac0 Do not print line number in debug messages 96c42c5ed320 Fix length checks in cert_load() fe06b4b836b3 usign-exec: improve usign -F output handling 19f9e1917e1b usign-exec: return code fixes 077feb5b5824 usign-exec: close writing end of pipe early in parent process 7ec4bb764e1e usign-exec: remove redundant return statements 5a738e549d31 usign-exec: change usign_f_* fingerprint argument to char[17] 112488bbbccc usign-exec: do not close stdin and stderr before exec 38dcb1a6f121 usign-exec: fix exec error handling a9be4fb17df2 usign-exec: simplify usign execv calls 854d93e2326a Introduce read_file() helper, improve error reporting afc86f352bf7 Fix return code of write_file() fdff10852326 stdout/stderr improvements dddb2aa8124d ci: fix unit test failures by enabling full ucert build 5f206bcfe5c2 ci: enable unit testing Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* usign: update to latest git HEADMatthias Schiffer2020-05-231-3/+3
| | | | | | | f1f65026a941 Always pad fingerprints to 16 characters Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> (cherry picked from commit e35e40ad824eab9d51cdd690fb747e576e01412f)
* usign: update to latest Git HEADHauke Mehrtens2020-05-231-3/+3
| | | | | | | f34a383 main: fix some resource leaks Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 81e93fff7d867851f2fedd966a931336d4092686)
* OpenWrt v19.07.3: revert to branch defaultsHauke Mehrtens2020-05-161-2/+2
| | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* OpenWrt v19.07.3: adjust config defaultsv19.07.3Hauke Mehrtens2020-05-161-2/+2
| | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libjson-c: backport security fixesRobert Marko2020-05-134-2/+117
| | | | | | | | | | | | | This backports upstream fixes for the out of bounds write vulnerability in json-c. It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592 Addresses CVE-2020-12762 Signed-off-by: Robert Marko <robert.marko@sartura.hr> Signed-off-by: Luka Perkov <luka.perkov@sartura.hr> [bump PKG_RELEASE, rebase patches on top of json-c 0.12] Signed-off-by: Jo-Philipp Wich <jo@mein.io> (backported from commit bc0288b76816578f5aeccb2abd679f82bfc5738e)
* fstools: blockd: fix segfault triggered by non-autofs mountsDaniel Golle2020-05-121-3/+3
| | | | | | | | | | | Program received signal SIGSEGV, Segmentation fault. main_autofs (argv=<optimized out>, argc=<optimized out>) at fstools-2020-05-06-eec16e2f/block.c:1193 1193: if (!m->autofs && (mp = find_mount_point(pr->dev))) { Fixes: 3b9e4d6d4c4f ("fstools: update to the latest version") Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit b181294b02499e41b6b6fa24163f59c9ee4988ed)
* opkg: Fix PKG_MIRROR_HASHHauke Mehrtens2020-05-081-1/+1
| | | | | Fixes: c61fbdd0879b ("odhcpd: fix PKG_SOURCE_DATE") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>