aboutsummaryrefslogtreecommitdiffstats
path: root/package
Commit message (Collapse)AuthorAgeFilesLines
* uci: Backport security fixesHauke Mehrtens2020-10-283-1/+156
| | | | | | | This packports two security fixes from master. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit f9005d4f80dee3dcc257d4613cbc46668faad094)
* uboot-envtools: mvebu: fix config for mainline u-bootAndre Heider2020-10-281-1/+8
| | | | | | | | | | | | | Mainline u-boot dynamically passes the mtd partitions via devicetree: $ cat /proc/mtd dev: size erasesize name mtd0: 003f0000 00001000 "firmware" mtd1: 00010000 00001000 "u-boot-env" Add support for this setup. Signed-off-by: Andre Heider <a.heider@gmail.com> (cherry picked from commit 60c9a27cbcc6ba00d75b4b592f507237dbfb460f)
* firmware: intel-microcode: update to 20200616Tan Zien2020-10-181-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | intel-microcode (3.20200616.1) * New upstream microcode datafile 20200616 + Downgraded microcodes (to a previously shipped revision): sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376 * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3, * This update *removes* the SRBDS mitigations from the above processors * Note that Debian had already downgraded 0x406e3 in release 3.20200609.2 intel-microcode (3.20200609.2) * REGRESSION FIX: 0x406e3: rollback to rev 0xd6 and document regression * Microcode rollbacks (closes: LP#1883002) sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 * THIS REMOVES THE SECURITY FIXES FOR SKYLAKE-U/Y PROCESSORS * Avoid hangs on boot on (some?) Skylake-U/Y processors, * ucode-blacklist: blacklist models 0x8e and 0x9e from late-loading, just in case. Note that Debian does not do late loading by itself. Refer to LP#1883002 for the report, 0x806ec hangs upon late load. intel-microcode (3.20200609.1) * SECURITY UPDATE * For most processors: SRBDS and/or VRDS, L1DCES mitigations depending on the processor model * For Skylake HEDT and Skylake Xeons with signature 0x50654: VRDS and L1DCES mitigations, plus mitigations described in the changelog entry for package release 3.20191112.1. * Expect some performance impact, the mitigations are enabled by default. A Linux kernel update will be issued that allows one to selectively disable the mitigations. * New upstream microcode datafile 20200609 * Implements mitigation for CVE-2020-0543 Special Register Buffer Data Sampling (SRBDS), INTEL-SA-00320, CROSSTalk * Implements mitigation for CVE-2020-0548 Vector Register Data Sampling (VRDS), INTEL-SA-00329 * Implements mitigation for CVE-2020-0549 L1D Cache Eviction Sampling (L1DCES), INTEL-SA-00329 * Known to fix the regression introduced in release 2019-11-12 (sig 0x50564, rev. 0x2000065), which would cause several systems with Skylake Xeon, Skylake HEDT processors to hang while rebooting * Updated Microcodes: sig 0x000306c3, pf_mask 0x32, 2019-11-12, rev 0x0028, size 23552 sig 0x000306d4, pf_mask 0xc0, 2019-11-12, rev 0x002f, size 19456 sig 0x00040651, pf_mask 0x72, 2019-11-12, rev 0x0026, size 22528 sig 0x00040661, pf_mask 0x32, 2019-11-12, rev 0x001c, size 25600 sig 0x00040671, pf_mask 0x22, 2019-11-12, rev 0x0022, size 14336 sig 0x000406e3, pf_mask 0xc0, 2020-04-27, rev 0x00dc, size 104448 sig 0x00050653, pf_mask 0x97, 2020-04-24, rev 0x1000157, size 32768 sig 0x00050654, pf_mask 0xb7, 2020-04-24, rev 0x2006906, size 34816 sig 0x00050656, pf_mask 0xbf, 2020-04-23, rev 0x4002f01, size 52224 sig 0x00050657, pf_mask 0xbf, 2020-04-23, rev 0x5002f01, size 52224 sig 0x000506e3, pf_mask 0x36, 2020-04-27, rev 0x00dc, size 104448 sig 0x000806e9, pf_mask 0x10, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806e9, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ea, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806eb, pf_mask 0xd0, 2020-04-27, rev 0x00d6, size 103424 sig 0x000806ec, pf_mask 0x94, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906e9, pf_mask 0x2a, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ea, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906eb, pf_mask 0x02, 2020-04-23, rev 0x00d6, size 103424 sig 0x000906ec, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 sig 0x000906ed, pf_mask 0x22, 2020-04-23, rev 0x00d6, size 103424 * Restores the microcode-level fixes that were reverted by release 3.20191115.2 for sig 0x50654 (Skylake Xeon, Skylake HEDT) intel-microcode (3.20200520.1) * New upstream microcode datafile 20200520 + Updated Microcodes: sig 0x000206d6, pf_mask 0x6d, 2020-03-04, rev 0x0621, size 18432 sig 0x000206d7, pf_mask 0x6d, 2020-03-24, rev 0x071a, size 19456 intel-microcode (3.20200508.1) * New upstream microcode datafile 20200508 + Updated Microcodes: sig 0x000706e5, pf_mask 0x80, 2020-03-12, rev 0x0078, size 107520 * Likely fixes several critical errata on IceLake-U/Y causing system hangs intel-microcode (3.20191115.2) * Microcode rollbacks (closes: #946515, LP#1854764): sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792 * Avoids hangs on warm reboots (cold boots work fine) on HEDT and Xeon processors with signature 0x50654. intel-microcode (3.20191115.1) * New upstream microcode datafile 20191115 + Updated Microcodes: sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376 sig 0x000806e9, pf_mask 0x10, 2019-10-15, rev 0x00ca, size 100352 sig 0x000806e9, pf_mask 0xc0, 2019-09-26, rev 0x00ca, size 100352 sig 0x000806ea, pf_mask 0xc0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806eb, pf_mask 0xd0, 2019-10-03, rev 0x00ca, size 100352 sig 0x000806ec, pf_mask 0x94, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906e9, pf_mask 0x2a, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ea, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906eb, pf_mask 0x02, 2019-10-03, rev 0x00ca, size 100352 sig 0x000906ec, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 sig 0x000906ed, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 100352 sig 0x000a0660, pf_mask 0x80, 2019-10-03, rev 0x00ca, size 91136 intel-microcode (3.20191113.1) * New upstream microcode datafile 20191113 + SECURITY UPDATE, refer to the 3.20191112.1 changelog entry for details Adds microcode update for CFL-S (Coffe Lake Desktop) INTEL-SA-00270, CVE-2019-11135, CVE-2019-0117 + Updated Microcodes (previously removed): sig 0x000906ec, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 intel-microcode (3.20191112.1) * New upstream microcode datafile 20191112 + SECURITY UPDATE - Implements MDS mitigation (TSX TAA), INTEL-SA-00270, CVE-2019-11135 - Implements TA Indirect Sharing mitigation, and improves the MDS mitigation (VERW) - Fixes FIVR (Xeon Voltage Modulation) vulnerability, INTEL-SA-00271, CVE-2019-11139 - Fixes SGX vulnerabilities and errata (including CVE-2019-0117) + CRITICAL ERRATA FIXES - Fixes Jcc conditional jump macro-fusion erratum (Skylake+, except Ice Lake), causes a 0-3% typical perforance hit (can be as bad as 10%). But ensures the processor will actually jump where it should, so don't even *dream* of not applying this fix. - Fixes AVX SHUF* instruction implementation flaw erratum + Removed Microcodes: sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304 + New Microcodes: sig 0x000406d8, pf_mask 0x01, 2019-09-16, rev 0x012d, size 84992 sig 0x00050656, pf_mask 0xbf, 2019-09-05, rev 0x400002c, size 51200 sig 0x00060663, pf_mask 0x80, 2018-04-17, rev 0x002a, size 87040 sig 0x000706a8, pf_mask 0x01, 2019-08-29, rev 0x0016, size 74752 sig 0x000706e5, pf_mask 0x80, 2019-09-05, rev 0x0046, size 102400 sig 0x000a0660, pf_mask 0x80, 2019-08-27, rev 0x00c6, size 91136 + Updated Microcodes: sig 0x000406e3, pf_mask 0xc0, 2019-08-14, rev 0x00d4, size 101376 sig 0x00050654, pf_mask 0xb7, 2019-09-05, rev 0x2000065, size 34816 sig 0x00050657, pf_mask 0xbf, 2019-09-05, rev 0x500002c, size 51200 sig 0x000506e3, pf_mask 0x36, 2019-08-14, rev 0x00d4, size 101376 sig 0x000706a1, pf_mask 0x01, 2019-08-28, rev 0x0032, size 73728 sig 0x000806e9, pf_mask 0x10, 2019-08-14, rev 0x00c6, size 99328 sig 0x000806e9, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 100352 sig 0x000806ea, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 99328 sig 0x000806eb, pf_mask 0xd0, 2019-08-14, rev 0x00c6, size 100352 sig 0x000806ec, pf_mask 0x94, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906e9, pf_mask 0x2a, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906ea, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 sig 0x000906eb, pf_mask 0x02, 2019-08-14, rev 0x00c6, size 100352 sig 0x000906ed, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 + Updated Microcodes (previously removed): sig 0x00050653, pf_mask 0x97, 2019-09-09, rev 0x1000151, size 32768 Signed-off-by: Tan Zien <nabsdh9@gmail.com> (cherry picked from commit e826e007658911df91385935e74621889abbda24)
* firmware: amd64-microcode: update to 20191218Tan Zien2020-10-181-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | amd64-microcode (3.20191218.1) * New microcode update packages from AMD upstream: + Removed Microcode updates (known to cause issues): sig 0x00830f10, patch id 0x08301025, 2019-07-11 * README: update for new release amd64-microcode (3.20191021.1) * New microcode update packages from AMD upstream: + New Microcodes: sig 0x00830f10, patch id 0x08301025, 2019-07-11 + Updated Microcodes: sig 0x00800f12, patch id 0x08001250, 2019-04-16 sig 0x00800f82, patch id 0x0800820d, 2019-04-16 amd64-microcode (3.20181128.1) * New microcode update packages from AMD upstream: + New Microcodes: sig 0x00800f82, patch id 0x0800820b, 2018-06-20 Signed-off-by: Tan Zien <nabsdh9@gmail.com> (cherry picked from commit 182c7d955f872cb712f6d16d4b5cc0824bf4cc67)
* firewall: options: fix parsing of boolean attributesHauke Mehrtens2020-10-162-1/+39
| | | | | | | | | | | Boolean attributes were parsed the same way as string attributes, so a value of { "bool_attr": "true" } would be parsed correctly, but { "bool_attr": true } (without quotes) was parsed as false. Fixes FS#3284 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 7f676b5ed6a2bcd6786a0fcb6a6db3ddfeedf795)
* mac80211: do not allow bigger VHT MPDUs than the hardware supportsFelix Fietkau2020-10-121-0/+34
| | | | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit caf727767ab5c8f8d884ef458c74726a8e610d96) [Refreshed patch] Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* openssl: bump to 1.1.1hEneas U de Queiroz2020-09-283-5/+5
| | | | | | | This is a bug-fix release. Patches were refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 475838de1a33d49d1a0b81aad374a8db6dd2b3c8)
* comgt: fix hotplug event handlingRozhuk Ivan2020-09-192-5/+5
| | | | | | | | | | | | Hotplug manager send: "remove" -> "add" -> "bind" events, script interpret bind as "not add" = "remove" and mark device as unavailable. Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase] (cherry picked from commit 4821ff064b735c320ae2625a739018d1fc7d6457) Fixes: FS#3351 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* OpenWrt v19.07.4: revert to branch defaultsHauke Mehrtens2020-09-071-2/+2
| | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* OpenWrt v19.07.4: adjust config defaultsv19.07.4Hauke Mehrtens2020-09-071-2/+2
| | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* ath10k-ct-firmware: update firmware imagesMichael Yartys2020-09-061-21/+21
| | | | | | | | | | | | | | | | Not a large change from last time, but should fix at least one rare wave-2 crash. Tested on Netgear R7800. Signed-off-by: Michael Yartys <michael.yartys@gmail.com> Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com> (cherry picked from commit 91aab77bf1ce91b0e60e720eb147c94a02c1f2fd) [adapt variables and package names] [remove changes to non-full htt-mgt variants because we did not backport a882bfce052e ("ath10k-ct-firmware: add htt-mgt variants")] Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> Tested-by: Baptiste Jonglez <git@bitsofnetworks.org> [QCA9886, QCA9887]
* ath10k-ct-firmware: update firmware imagesÁlvaro Fernández Rojas2020-09-061-25/+25
| | | | | | | | | | No release notes this time. Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com> (cherry picked from commit 06f510df6e2aa0b1e40124bbd758672458d01482) [adapt variables and package names because we did not backport 2e5e9b459ed5 ("ath10k-ct-firmware: rename ct-htt packages")] Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
* ath10k-firmware: move CT firmwares to new packageÁlvaro Fernández Rojas2020-09-062-446/+524
| | | | | Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com> (cherry picked from commit 658e68f85c2645e0132edc6b30a9c76cc17292de)
* ath10k-firmware: update ath10k-ct firmware imagesÁlvaro Fernández Rojas2020-09-061-24/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Release notes for 017: Wave-1: * March 19, 2020: Fix problem where power-save was not enabled when going off-channel to scan. The problem was a boolean logic inversion in the chmgr code, a regression I introduced a long time ago. * March 19, 2020: When scanning only on current working channel, do not bother with disable/enable powersave. This should make an on-channel scan less obtrusive than it was previously. * March 23, 2020: Fix channel-mgr use-after-free problem that caused crashes in some cases. The crash was exacerbated by recent power-save changes. * March 23, 2020: Fix station-mode power-save related crash: backported the fix from 10.2 QCA firmware. * March 23, 2020: Attempt to better clean up power-save objects and state, especially in station mode. Release notes for 016: Wave-1 changes, some debugging code for a crash someone reported, plus: * February 28, 2020: Fix custom-tx path when sending in 0x0 for rate-code. Have tries == 0 mean one try but NO-ACK (similar to how wave-2 does it). wave-2: * Fixed some long-ago regressions related to powersave and/or multicast. Maybe fix some additional multicast and/or tx-scheduling bugs. Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com> Acked-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 84f4a783c6987fd9d67c089a76e2f90b7491f446)
* ath10k-firmware: update ath10k-ct firmwareMichael Yartys2020-09-061-24/+24
| | | | | | | | | | | | | | | This supports better per-chain noise floor reporting, which in turn allows for better RSSI reporting in the driver. Wave-2 fixes a long-standing rate-ctrl problem when connected to xbox (and probably other devices). Wave-2 has fix for crash likely related to rekeying. Wave-1 has some debugging code added where a user reported a crash. Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq806x+qca9984,ipq4019+qca9986] Signed-off-by: Michael Yartys <michael.yartys@protonmail.com> (cherry picked from commit 18622638831707038556b9b8bd5a0b4d4a53ce53)
* ath10k-firmware: update Candela Tech firmware imagesStefan Lippers-Hollmann2020-09-061-20/+20
| | | | | | | | | | | | | | | | | | The release notes since last time for wave-1: * No changes to wave-1, but I make a version .014 copy anyway to keep the makefile in sync. The release notes since last time for wave-2: * December 16, 2019: Wave-2 has a fix to make setting txpower work better. Before setting the power was ignored at least some of the time (it also appeared to work mostly, so I guess it was being correctly set in other ways). Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> (cherry picked from commit 65982642668e859540b21c2bd3bf907493df830a)
* hostapd: Fix compile errors after wolfssl updateHauke Mehrtens2020-09-041-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following compile errors after the wolfssl 4.5.0 update: LD wpa_cli ../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject': ../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'? type = GEN_EMAIL; ^~~~~~~~~ ENAVAIL ../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is reported only once for each function it appears in ../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first use in this function) type = GEN_DNS; ^~~~~~~ ../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first use in this function) type = GEN_URI; ^~~~~~~ ../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event': ../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'? if (gen->type != GEN_EMAIL && ^~~~~~~~~ ENAVAIL ../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first use in this function) gen->type != GEN_DNS && ^~~~~~~ ../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first use in this function) gen->type != GEN_URI) ^~~~~~~ Makefile:2029: recipe for target '../src/crypto/tls_wolfssl.o' failed Fixes: 00722a720c77 ("wolfssl: Update to version 4.5.0") Reported-by: Andre Heider <a.heider@gmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit bc19481826e0da9119945eaae4f25736306f023b)
* wolfssl: Update to version 4.5.0Hauke Mehrtens2020-09-023-4/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * In earlier versions of wolfSSL there exists a potential man in the middle attack on TLS 1.3 clients. * Denial of service attack on TLS 1.3 servers from repetitively sending ChangeCipherSpecs messages. (CVE-2020-12457) * Potential cache timing attacks on public key operations in builds that are not using SP (single precision). (CVE-2020-15309) * When using SGX with EC scalar multiplication the possibility of side- channel attacks are present. * Leak of private key in the case that PEM format private keys are bundled in with PEM certificates into a single file. * During the handshake, clear application_data messages in epoch 0 are processed and returned to the application. Full changelog: https://www.wolfssl.com/docs/wolfssl-changelog/ Fix a build error on big endian systems by backporting a pull request: https://github.com/wolfSSL/wolfssl/pull/3255 The size of the ipk increases on mips BE by 1.4% old: libwolfssl24_4.4.0-stable-2_mips_24kc.ipk: 386246 new: libwolfssl24_4.5.0-stable-1_mips_24kc.ipk: 391528 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 00722a720c778e623d6f37af3a3b4e43b29c3fe8)
* wolfssl: use -fomit-frame-pointer to fix asm errorEneas U de Queiroz2020-09-021-2/+2
| | | | | | | | | | | | 32-bit x86 fail to compile fast-math feature when compiled with frame pointer, which uses a register used in a couple of inline asm functions. Previous versions of wolfssl had this by default. Keeping an extra register available may increase performance, so it's being restored for all architectures. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 750d52f6c90e2a144c250779741607f0cb306a94)
* wolfssl: update to 4.4.0-stableEneas U de Queiroz2020-09-021-2/+2
| | | | | | | | | | | | | This version adds many bugfixes, including a couple of security vulnerabilities: - For fast math (enabled by wpa_supplicant option), use a constant time modular inverse when mapping to affine when operation involves a private key - keygen, calc shared secret, sign. - Change constant time and cache resistant ECC mulmod. Ensure points being operated on change to make constant time. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 3481f6ffc79f46fc7ba86a4cc15ad958e99b5a82)
* mbedtls: update to 2.16.8Magnus Kroken2020-09-022-25/+25
| | | | | | | | | | | | | | | | | | This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most notable of them are described in more detail in the security advisories. * Local side channel attack on RSA and static Diffie-Hellman * Local side channel attack on classical CBC decryption in (D)TLS * When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. Full release announcement: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit 66893063abf56b7d8c21eceed56e5d27859eaaea)
* mac80211: Fix potential endless loopHauke Mehrtens2020-08-301-0/+31
| | | | | | | Backport a fix from kernel 5.8.3. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit ca5ee6eba34593ec9f8b5b195c94cf6c3f6ff914)
* mbedtls: update to 2.16.7Magnus Kroken2020-08-272-27/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07 * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some changes to the download URLs are required. For the time being, the ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS. Signed-off-by: Magnus Kroken <mkroken@gmail.com> [Use https://codeload.github.com and new tar.gz file] Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 201d6776a0b5858b8ce43a2392c9fe48aa1c4dd7)
* busybox: delete redundant patchMagnus Kroken2020-08-122-14/+1
| | | | | | | | | | | This problem has been fixed in upstream commit 6b6a3d9339f1c08efaa18a7fb7357e20b48bdc95. This patch now (harmlessly) adds the same definition a second time. Signed-off-by: Magnus Kroken <mkroken@gmail.com> [bump PKG_RELEASE] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 4165232c45df224f32a94f43b9938d13d643b2a8)
* mac80211: Fix build on mpc85xx targetHauke Mehrtens2020-08-112-1/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following compile error seen on the mpc85xx target: CC [M] /linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.o In file included from /builder/shared-workdir/build/staging_dir/toolchain-powerpc_8540_gcc-8.4.0_musl/include/stddef.h:17, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/include/uapi/linux/wireless.h:77, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/include/linux/wireless.h:13, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.c:89: /builder/shared-workdir/build/staging_dir/toolchain-powerpc_8540_gcc-8.4.0_musl/include/bits/alltypes.h:106:15: error: conflicting types for 'ptrdiff_t' typedef _Addr ptrdiff_t; ^~~~~~~~~ In file included from /linux-mpc85xx_p2020/backports-5.7-rc3-1/backport-include/linux/types.h:4, from ./include/linux/list.h:5, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/backport-include/linux/list.h:3, from ./include/linux/module.h:9, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/backport-include/linux/module.h:3, from /linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.c:79: ./include/linux/types.h:65:28: note: previous declaration of 'ptrdiff_t' was here typedef __kernel_ptrdiff_t ptrdiff_t; ^~~~~~~~~ scripts/Makefile.build:265: recipe for target '/linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.o' failed Fixes: d6b158b86981 ("mac80211: Update to 4.19.137-1") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 04b1a11f5ca72a741493addca1b1ae093f37934f)
* mac80211: Update to 4.19.137-1Hauke Mehrtens2020-08-1127-64/+64
| | | | | | | b43 and b43legacy now support ieee80211w, hardware crypto will be deactivated in such cases. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* uboot-envtools: ar71xx: add ZyXEL NBG6616 uboot env supportChristoph Krapp2020-08-101-0/+1
| | | | | | | | | This adds support for ZyXEL NBG6616 uboot-env access Signed-off-by: Christoph Krapp <achterin@googlemail.com> [add "ar71xx" to commit title] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit eb95ca3b5c8b33e3212896f906922eba5f72abb3)
* hostapd: add wpad-basic-wolfssl variantPetr Štetiar2020-08-102-0/+16
| | | | | | | | | | Add package which provides size optimized wpad with support for just WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w. Signed-off-by: Petr Štetiar <ynezz@true.cz> [adapt to recent changes, add dependency for WPA_WOLFSSL config] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit c487cf8e94cbdf582dfc3c2bdaab913a146a2100)
* hostapd: reorganize config selection hierarchy for WPA3Adrian Schmutzler2020-08-101-16/+18
| | | | | | | | | | | | | | | | | | | | | The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is exceptionally hard to read. This tries to make things a little easier by inverting the hierarchy of the conditions, so SSL_VARIANT is checked first and LOCAL_VARIANT is checked second. This exploits the fact that some of the previous conditions were unnecessary, e.g. there is no hostapd-mesh*, so we don't need to exclude this combination. It also should make it a little easier to see which options are actually switched by SSL_VARIANT and which by LOCAL_VARIANT. The patch is supposed to be cosmetic. However, the improvement for readers and the maintained consistency with master qualify this for backporting. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit c4dd7fc23bfcf3b3f1a838668bb070edc9db5d4b)
* hostapd: improve TITLE for packagesAdrian Schmutzler2020-07-301-25/+33
| | | | | | | | | | | | | | | For a few packages, the current TITLE is too long, so it is not displayed at all when running make menuconfig. Despite, there is no indication of OpenSSL vs. wolfSSL in the titles. Thus, this patch adjusts titles to be generally shorter, and adds the SSL variant to it. While at it, make things easier by creating a shared definition for eapol-test like it's done already for all the other flavors. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 917980fd8a6589d6911797211f1871016f527f8c)
* curl: patch CVE-2020-8169Jan Pavlinec2020-07-292-1/+39
| | | | | | | | | | | Affected versions: curl 7.62.0 to and including 7.70.0 https://curl.haxx.se/docs/CVE-2020-8169.html Run tested on Omnia with OpenWrt 19.07 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz> [added missing commit description] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* firewall: backport patch for mss clamping in both directionsYousong Zhou2020-07-262-1/+34
| | | | Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* vxlan: bump and change to PKG_RELEASEAdrian Schmutzler2020-07-171-1/+1
| | | | | | | | | | | | | | Bumping package version has been overlooked in a previous commit. While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter is meant for upstream version number only. (The effective version string for the package would be "3" in both cases, so there is no harm done for version comparison.) Fixes: 0453c3866feb ("vxlan: fix udp checksum control") Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit b29d620ed2521fe6fda40ddafe6cb0f1d70e4503)
* vxlan: fix udp checksum controlJohannes Kimmel2020-07-171-0/+2
| | | | | | | | | | | | So far, passing "rxcsum" and "txcsum" had no effect. Fixes: 95ab18e0124e ("vxlan: add options to enable and disable UDP checksums") Signed-off-by: Johannes Kimmel <fff@bareminimum.eu> [add Fixes:] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 0453c3866feb701160bbab4ecf9762c5a3038503)
* nghttp2: bump to 1.41.0Hans Dedecker2020-07-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 8f7b008b Update bash_completion 83086ba9 Update manual pages c3b46625 Merge pull request from GHSA-q5wr-xfw9-q7xr 3eecc2ca Bump version number to v1.41.0, LT revision to 34:0:20 881c060d Update AUTHORS f8da73bd Earlier check for settings flood 336a98fe Implement max settings option ef415836 Revert "Add missing connection error handling" 979e6c53 Merge pull request #1459 from nghttp2/proxyprotov2 b7d16101 Add missing connection error handling cd53bd81 Merge pull request #1460 from gportay/patch-1 e5625b8c Fix doc c663349f integration: Add PROXY protocol v2 tests 854e9fe3 nghttpx: Always call init_forwarded_for c60ea227 Update doc 49cd8e6e nghttpx: Add PROXY-protocol v2 support 3b17a659 Merge pull request #1453 from Leo-Neat/master 600fcdf5 Merge pull request #1455 from xjtian/long_serials 4922bb41 static_cast size parameter in StringRef constructor to size_t aad86975 Fix get_x509_serial for long serial numbers dc7a7df6 Adding CIFuzz b3f85e2d Merge pull request #1444 from nghttp2/fix-recv-window-flow-control-issue ffb49c6c Merge pull request #1435 from geoffhill/master 2ec58551 Fix receiving stream data stall 459df42b Merge pull request #1442 from nghttp2/upgrade-llhttp a4c1fed5 Bump llhttp to 2.0.4 866eadb5 Enable session_create_idle_stream test, fix errors 5e13274b Fix typo e0d7f7de h2load: Allow port in --connect-to df575f96 h2load: add --connect-to option 1fff7379 clang-format-9 b40c6c86 Merge pull request #1418 from vszakats/patch-1 9bc2c75e lib/CMakeLists.txt: Make hard-coded static lib suffix optional 2d5f7659 Bump up version number to 1.41.0-DEV Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> Note this is cherry-pick from master. It fixes CVE-2020-11080 and https://github.com/nxhack/openwrt-node-packages/issues/679 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* wireguard: bump to 1.0.20200611Stijn Segers2020-07-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This bump fixes breakage introduced by kernel commit 8ab8786f78c3fc930f9abf6d6d85e95567de4e1f, which is part of the 4.14.181 kernel bump, and backported ip6_dst_lookup_flow to 4.14. This breaks the older WireGuard version currently in 19.07. For reference, the compilation error is the one below: build_dir/target-x86_64_musl/linux-x86_64/wireguard-linux-compat-1.0.20200506/src/compat/compat.h:104:42: error: 'const struct ipv6_stub' has no member named 'ipv6_dst_lookup'; did you mean 'ipv6_dst_lookup_flow'? #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst Changelogs below taken from the official release announcements. == Changes since v1.0.20200506 == This release aligns with the changes I sent to DaveM for 5.7-rc7 and were pushed to net.git about 45 minutes ago. * qemu: use newer iproute2 for gcc-10 * qemu: add -fcommon for compiling ping with gcc-10 These enable the test suite to compile with gcc-10. * noise: read preshared key while taking lock Matt noticed a benign data race when porting the Linux code to OpenBSD. * queueing: preserve flow hash across packet scrubbing * noise: separate receive counter from send counter WireGuard now works with fq_codel, cake, and other qdiscs that make use of skb->hash. This should significantly improve latency spikes related to buffer bloat. Here's a before and after graph from some data Toke measured: https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png * compat: support RHEL 8 as 8.2, drop 8.1 support * compat: support CentOS 8 explicitly * compat: RHEL7 backported the skb hash renamings The usual RHEL churn. * compat: backport renamed/missing skb hash members The new support for fq_codel and friends meant more backporting work. * compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4 == Changes since v1.0.20200611 == * qemu: always use cbuild gcc rather than system gcc * qemu: remove -Werror in order to build ancient kernels better * qemu: patch kernels that rely on ancient make * qemu: force 2MB pages for binutils 2.31 * qemu: use cbuild gcc for avx512 exclusion * qemu: add extra fill in idt handler for newer binutils * qemu: support fetching kernels for arbitrary URLs * qemu: patch in UTS_UBUNTU_RELEASE_ABI for Ubuntu detection * qemu: work around broken centos8 kernel * qemu: mark per_cpu_load_addr as static for gcc-10 Our qemu test suite can now handle more kernels and more compilers. Scroll down to the bottom of https://www.wireguard.com/build-status/ to see the expanded array of kernels we now test against, including some distro kernels. * compat: widen breadth of integer constants * compat: widen breadth of memzero_explicit backport * compat: backport skb_scrub_packet to 3.11 * compat: widen breadth of prandom_u32_max backport * compat: narrow the breadth of iptunnel_xmit backport * compat: backport iptunnel_xmit to 3.11 With the expanded qemu test suite, it was possible to expand our list of mainline kernels, so the backport compat layer is now more precise. * compat: ubuntu appears to have backported ipv6_dst_lookup_flow * compat: bionic-hwe-5.0/disco kernel backported skb_reset_redirect and ipv6 flow Ubuntu kernels changed recently, so this ensures we can compile with the latest Ubuntu releases. * compat: remove stale suse support Signed-off-by: Stijn Segers <foss@volatilesystems.org> (cherry picked from commit 1fd1f5e8cff18f97675ce303b05d411136b99fb0)
* mac80211: fix use of local variableLeon M. George2020-06-301-1/+1
| | | | | | | | | | | mac80211_get_addr is called from mac80211_generate_mac, where the local variable initialisation id="${macidx:-0}" suggests that macidx is not always defined. Probably, idx was supposed to be used instead of $(($macidx + 1)). Fixes: 4d99db168cf7 ("mac80211: try to get interface addresses from wiphy sysfs 'addresses' if no mask is set") Signed-off-by: Leon M. George <leon@georgemail.eu> (cherry picked from commit 8f95220bcb554b1b668114e5264ebce4028c5f93)
* libnetfilter-queue: fix package title and descriptionCatalin Patulea2020-06-281-3/+3
| | | | | | | | | | | The original text was copy/pasted from some other package. Adjust the package title and description to match the description on the publishers page. Signed-off-by: Catalin Patulea <catalinp@google.com> [slightly adjust content and commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 492a6594b97e765a2a93fadbe23534ae94f710fa)
* base-files: remove urandom-seed definitionSungbo Eo2020-06-281-9/+0
| | | | | | | | | urandom-seed has a separate Makefile, we can safely remove the definition here. Fixes: 27bfde9c9f78 ("base-files: move urandom seed bits into separate package") Signed-off-by: Sungbo Eo <mans0n@gorani.run> (cherry picked from commit 46a6586c83e029446ea35b02a328e5f7935d4a9f)
* uclient: update to 19.07 Git HEADJo-Philipp Wich2020-06-171-3/+3
| | | | | | | | 51e16eb uclient-fetch: add option to read POST data from file 99aebe3 uclient: Add string error function Fixes: 0c910d8459 ("uclient: Update to version 2020-06-17") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "uclient: Update to version 2020-06-17"Jo-Philipp Wich2020-06-171-3/+3
| | | | | | | | | This reverts commit 0c910d845941b1df9c78a5039c1658e676c409be. We cannot use uclient Git HEAD as-is on 19.07 due to an older version of the ustream-ssl API. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* uclient: Update to version 2020-06-17Daniel Golle2020-06-171-3/+3
| | | | | | | | | | | | fef6d3d uclient: Add string error function af585db uclient-fetch: support specifying advertised TLS ciphers c660986 uclient-fetch: add option to read POST data from file Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry-squashed from commits 05145ffbefc71a94c1692dfb8ac440bc67974ded 98017228ddd5ce41a63da20b78f5d2e30c87c494 dd166960f48580bf6d4a8dde071b96832bfd9e1f 8e98613f4da82628cdb490c8202b56dc989e088b)
* ca-certificates: update to version 20200601Christian Lamparter2020-06-091-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch updates the ca-certificates and ca-bundle package. This version changed the files directory again, to work/, so PKG_BUILD_DIR was brought back. A list of changes from Debian's change-log entry for 20200601 [0]: * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.40. Closes: #956411, #955038 * mozilla/blacklist.txt Add distrusted Symantec CA list to blacklist for explicit removal. Closes: #911289 Blacklist expired root certificate, "AddTrust External Root" Closes: #961907 The following certificate authorities were added (+): + "Certigna Root CA" + "emSign ECC Root CA - C3" + "emSign ECC Root CA - G3" + "emSign Root CA - C1" + "emSign Root CA - G1" + "Entrust Root Certification Authority - G4" + "GTS Root R1" + "GTS Root R2" + "GTS Root R3" + "GTS Root R4" + "Hongkong Post Root CA 3" + "UCA Extended Validation Root" + "UCA Global G2 Root" The following certificate authorities were removed (-): - "AddTrust External Root" - "Certinomis - Root CA" - "Certplus Class 2 Primary CA" - "Deutsche Telekom Root CA 2" - "GeoTrust Global CA" - "GeoTrust Primary Certification Authority" - "GeoTrust Primary Certification Authority - G2" - "GeoTrust Primary Certification Authority - G3" - "GeoTrust Universal CA" - "thawte Primary Root CA" - "thawte Primary Root CA - G2" - "thawte Primary Root CA - G3" - "VeriSign Class 3 Public Primary Certification Authority - G4" - "VeriSign Class 3 Public Primary Certification Authority - G5" - "VeriSign Universal Root Certification Authority" [0] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20200601_changelog> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (cherry picked from commit f611b014a713d82d7c7da4c171f3aa04a8984063)
* qos-scripts: fix interface resolvingJo-Philipp Wich2020-05-292-8/+14
| | | | | | | | | Also ensure that the error message is actually printed to stderr and that the rule generation is aborted if an interface cannot be resolved. Ref: https://github.com/openwrt/luci/issues/3975 Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 559b3384666bbc6e4e9e6d86cf54bd88d30b341f)
* broadcom-wl: don't inherit lock descriptor in nas processJo-Philipp Wich2020-05-282-2/+5
| | | | | | | | | | | | Add a local hack to prevent the Broadcom WPA authenticator process from inheriting the lock descriptor 1000 used to prevent concurrent executions of the init script. Without this fix, repeated invocations of /etc/init.d/network, e.g. for obtaining the enabled state, would hang forever. Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit a03d6d2fab13c478a0f6cfc3082bec141f2adcf1)
* rpcd: update to latest openwrt-19.07 Git HEADJo-Philipp Wich2020-05-261-4/+4
| | | | | | | 67c8a3f uci: reset uci_ptr flags when merging options during section add 970ce1a session: deny access if password login is disabled Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "rpcd: update to latest Git HEAD"Jo-Philipp Wich2020-05-261-4/+4
| | | | | | | | This reverts commit adf5d753eff2385063555da8bd4323e69311752a. Reverting this commit because it relies on a changed libiwinfo API. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* rpcd: update to latest Git HEADJo-Philipp Wich2020-05-261-4/+4
| | | | | | | | 078bb57 uci: reset uci_ptr flags when merging options during section add 3df62bc session: deny access if password login is disabled efe51f4 iwinfo: add current hw and ht mode to info call Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* libubox: update to the latest versionFelix Fietkau2020-05-261-3/+3
| | | | | | | | | | | 86818eaa976b blob: make blob_parse_untrusted more permissive cf2e8eb485ab tests: add fuzzer seed file for crash in blob_len c2fc622b771f blobmsg: fix length in blobmsg_check_array 639c29d19717 blobmsg: simplify and fix name length checks in blobmsg_check_name 66195aee5042 blobmsg: fix missing length checks Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit b371182d2450b3c4f15cbe790351d92a2a7b5a67)
* libubox: update to the latest masterRafał Miłecki2020-05-261-3/+3
| | | | | | | | | | | 5e75160 blobmsg: fix attrs iteration in the blobmsg_check_array_len() eeddf22 tests: runqueue: try to fix race on GitLab CI 89fb613 libubox: runqueue: fix use-after-free bug 1db3e7d libubox: runqueue fix comment in header 7c4ef0d tests: list: add test case for list_empty iterator Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit a765b063ee3e1dd6519f6a4a9e4d4f72214b33b8)