aboutsummaryrefslogtreecommitdiffstats
path: root/package
Commit message (Collapse)AuthorAgeFilesLines
* f2fs-tools: fix mkfs.f2fs on big-endian systemsStijn Tintel2017-09-032-1/+67
| | | | | | | Fixes: FS#749 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit cdb494fdc2d3399e698893ff0cfd06d3c802364f)
* f2fs-tools: drop musl compat patchStijn Tintel2017-09-031-10/+0
| | | | | | | It is no longer needed since version 1.4.1. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit 252c8ddf146f196faaa34cf7af9b3eacb79e6add)
* f2fs-tools: drop patch in favour of CONFIGURE_VARSStijn Tintel2017-09-032-19/+3
| | | | | | | | | Override the failing check in configure with CONFIGURE_VARS instead of carrying a patch that's unlikely to be accepted by upstream. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: John Crispin <john@phrozen.org> (cherry picked from commit d87f27af54e7c122c8f320f7266dd5061bb47a8b)
* f2fs-tools: Switch to gz tarballDaniel Engberg2017-09-031-3/+3
| | | | | | At some point kernel.org decided to drop xz generated tarballs, switch to gz which they still provide. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* dnsmasq: forward.c: fix CVE-2017-13704Kevin Darbyshire-Bryant2017-08-302-1/+38
| | | | | | | | | | | | | | | | Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset() is called with header & limit pointing at the same address and thus tries to clear memory from before the buffer begins. answer_request() is called with an invalid edns packet size provided by the client. Ensure the udp_size provided by the client is bounded by 512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512 MUST be treated as equal to 512" The client that exposed the problem provided a payload udp size of 0. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Acked-by: Hans Dedecker <dedeckeh@gmail.com>
* tcpdump: Update to 4.9.1Daniel Engberg2017-08-151-2/+2
| | | | | | | Fixes: * CVE-2017-11108: Fix bounds checking for STP. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* mbedtls: Re-allow SHA1-signed certificatesBaptiste Jonglez2017-08-112-1/+10
| | | | | | | | | | | | Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates. This breaks openvpn clients that try to connect to servers that present a TLS certificate signed with SHA1, which is fairly common. Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx. Fixes: FS#942 Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
* base-files: don't setup network in preinit if failsafe is disabledRafał Miłecki2017-08-091-1/+4
| | | | | | | | | | | | With failsafe disabled there is no point in early network setup. We don't send announcement over UDP and there is no way to ssh to the device. A side effect of this is avoiding a possibly incorrect network config (only with failsafe disabled). This problem is related to possible changes made by user in /etc/config/network. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* dnsmasq: backport remove ping check of configured dhcp addressHans Dedecker2017-08-082-1/+29
| | | | | | | Remove ping check in DHCPDISCOVER case as too many buggy clients leave an interface in configured state causing the ping check to fail. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: update to the latest git HEADHans Dedecker2017-08-081-3/+3
| | | | | | 66be6a2 watchdog: fix inline watchdog_get_magicclose function prototype Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: update to latest git HEADJohn Crispin2017-08-011-3/+3
| | | | | | 3e68cdf procd: Do not leak pipe file descriptors to children Signed-off-by: John Crispin <john@phrozen.org>
* curl: fix CVE-2017-7407 and CVE-2017-7468Hauke Mehrtens2017-07-283-1/+430
| | | | | | | | This fixes the following security problems: * CVE-2017-7407: https://curl.haxx.se/docs/adv_20170403.html * CVE-2017-7468: https://curl.haxx.se/docs/adv_20170419.html Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* kernel: netfilter: fix nf-nathelper(-extra) descriptionUwe Arnold2017-07-251-2/+2
| | | | | | | | | The tftp and irc netfilter modules are provided by nf-nathelper-extra and not by nf-nathelper. Signed-off-by: Uwe Arnold <donvipre@gmail.com> [move the irc module as well] Signed-off-by: Mathias Kresin <dev@kresin.me>
* uboot-envtools: add support for ALFA Network AP121FPiotr Dymacz2017-07-231-0/+1
| | | | Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* procd: backport kernel watchdog start/stop supportHans Dedecker2017-07-131-3/+3
| | | | | | 4dbf57a watchdog: add support for starting/stopping kernel watchdog Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: backport patch fixing DNS failover (FS#841)Hans Dedecker2017-07-121-0/+31
| | | | | | | Backport upstream dnsmasq patch fixing DNS failover when first servers returns REFUSED in strict mode; fixes issue FS#841. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* fstools: backport fixes from master branchDaniel Golle2017-07-112-60/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following changes are backported from the master branch bdcb075 libfstools: fix matching device name (f038a61 on master) ef2d438 fstools: use -Wno-format-truncation instead of -Wno-error=format-truncation (c43ae11 on master) d361923 build: disable the format-truncation warning error to fix gcc 7 build errors (a19f2b3 on master) cddc830 libfstools: silence mkfs.{ext4,f2fs} (88d48d5 on master) be5004c libfstools: add basic documentation of mount functions (92b4c2c on master) 34d36c2 add missing includes (7d78836 on master) A previously added hotfix was replaced by a git commit, hence the patch file is removed and we got instead 45c2a6f libfstools: fix multiple volume_identify usages with the same volume (633a8d0 on master) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* mtd-utils: use source package name for lzo in PKG_BUILD_DEPENDSMatthias Schiffer2017-07-081-1/+1
| | | | | | PKG_BUILD_DEPENDS should always refer to source package names. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* dnsmasq: backport tweak ICMP ping logic for DHCPv4Hans Dedecker2017-07-012-1/+26
| | | | | | | | | | Don't start ping-check of address in DHCP discover if there already exists a lease for the address. It has been reported under some circumstances android and netbooted windows devices can reply to ICMP pings if they have a lease and thus block the allocation of the IP address the device already has during boot. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dhcpv6: add missing dollar sign in dhcpv6 script (FS#874)Hans Dedecker2017-06-292-2/+2
| | | | Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: backport fixes from master branchDaniel Golle2017-06-281-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following commits have been cherry-picked into the lede-17.01 branch of procd, listed here in git-log-order ie. with head first: 89918c8 system: introduce new attribute board_name (79bbe6d and 453116e on master branch) 8297c38 preinit: define _GNU_SOURCE (e5b963a on master branch) 8fd57dd upgraded: cmake: Find and include uloop.h (e5ff8ca on master branch) 6b0da20 hotplug: fix a memory leak in handle_button_complete() (f367ec6 on master branch) 558ffb5 service/service_stopped(): fix a use-after-free (796ba3b on master branch) 22f89e1 upgraded: define __GNU_SOURCE (e7bb2c8 on master branch) 6e8ea8b rcS: add missing fcntl.h include (992b796 on master branch) cd5225d procd/rcS: Use /dev/null as stdin (d42b21e on master branch) 5131bec procd: Log initscript output prefixed with script name (1247db1 on master branch) 225b18d procd: Don't use syslog before its initialization (8d720b2 on master branch) 889442c procd: Add missing \n in debug message (2555474 on master branch) 2716228 procd: service gets deleted when its last instance is freed (8f218f5 on master branch) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* base-files: fix PKG_CONFIG_DEPENDS to include version.mk entriesRafał Miłecki2017-06-261-1/+2
| | | | | | | | Including version.mk sets PKG_CONFIG_DEPENDS to config entries used for VERSION_SED command. We should keep these configs to make sure package gets refreshed when needed. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* ca-certificates: Update to version 20161130+nmu1Christian Schoenebeck2017-06-261-3/+3
| | | | Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
* openvpn: update to 2.4.3Magnus Kroken2017-06-265-13/+14
| | | | | | | | | | | | | | | | | | | | Fixes for security and other issues. See security announcement for more details: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 * Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508) * Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520) * Potential double-free in --x509-alt-username (CVE-2017-7521) * Remote-triggerable memory leaks (CVE-2017-7512) * Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522) * Null-pointer dereference in establish_http_proxy_passthru() * Restrict --x509-alt-username extension types * Fix potential 1-byte overread in TCP option parsing * Fix mbedtls fingerprint calculation * openssl: fix overflow check for long --tls-cipher option * Ensure option array p[] is always NULL-terminated * Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6) Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to 2.5.1Magnus Kroken2017-06-262-27/+27
| | | | | | | | | | | | | | | Fixes some security issues (no remote exploits), and introduces some changes. See release notes for details: https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released * Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read() * Adds exponent blinding to RSA private operations * Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt()) * Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification. * Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes. * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* Revert "dnsmasq: don't point --resolv-file to default location unconditionally"Hans Dedecker2017-06-191-3/+3
| | | | | | | | | | This reverts commit 78edfff5303533dc52a1ac64ad745acc0a8a743e. This breaks local dns resolving in case noresolv=1 as resolv.conf is not populated anymore with 127.0.0.1 as resolvfile does not equal /tmp/resolv.conf.auto anymore. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: fix service trigger syntax errorKevin Darbyshire-Bryant2017-06-172-2/+2
| | | | | | The classic single '&' when double '&&' conditional was meant. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* LEDE v17.01.2: revert to branch defaultsAlexander Couzens2017-06-101-2/+2
| | | | Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* LEDE v17.01.2: adjust config defaultsv17.01.2Alexander Couzens2017-06-101-2/+2
| | | | Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* base-files: network.sh: fix a number of IPv6 logic flawsJo-Philipp Wich2017-06-081-17/+48
| | | | | | | | | | | | | | | | | | | | | | * Change network_get_subnet6() to sensibly guess a suitable prefix Attempt to return the first non-linklocal, non-ula range, then attempt to return the first non-linklocal range and finally fall back to the previous behaviour of simply returning the first found item. * Fix network_get_ipaddrs_all() Instead of replicating the flawed logic appending a fixed ":1" suffix to IPv6 addresses, rely on network_get_ipaddrs() and network_get_ipaddrs6() to build a single list of all interface addresses. * Fix network_get_subnets6() Instead of replicating the flawed logic appending a fixed ":1" suffix to IPv6 addresses, rely on the ipv6-prefix-assignment.local-address field to figure out the proper network address. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* mwlwifi: update to version 10.3.4.0 / 2017-06-06Jo-Philipp Wich2017-06-081-3/+3
| | | | Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* base-files: network.sh: properly report local IPv6 addressesJo-Philipp Wich2017-06-082-18/+14
| | | | | | | | | | Rework the network_get_ipaddr6() and network_get_ipaddrs6() functions to fetch the effective local IPv6 address of delegated prefix from the "local-address" field instead of naively hardcoding ":1" as static suffix. Fixes FS#829. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* base-files: always set proto passed to _ucidef_set_interface()Mathias Kresin2017-06-031-1/+1
| | | | | | | | | | | | | | | Overwrite an already set proto if a new one is passed to _ucidef_set_interface() similar to what is done for the interface. It is required when using ""ucidef_set_interface_wan 'ptm0' 'pppoe'" after some initial wan interface configuration is already done by ucidef_add_switch. The "json_is_a protocol string" guard is meant to not reset an earlier set interface proto in case something like "ucidef_set_interface_lan 'eth0'" is used afterwards. Signed-off-by: Mathias Kresin <dev@kresin.me>
* umdns: remove superfluous include in init scriptJo-Philipp Wich2017-06-021-2/+0
| | | | | | | | | | | | | The umdns init script includes function/network.sh globally, outside of any service procedure. This causes init script activation to fail in buildroot and IB context if umdns is set to builtin. Additionally, the network.sh helper is not actually used. Drop the entire include in order to repair init script activation in build host context. Fixes FS#658. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: bump to 2.77Jo-Philipp Wich2017-06-026-393/+22
| | | | | | | | | | | This is a cumulative backport of multiple dnsmasq update commits in master. Drops three LEDE specific patches which are included upstream and another patch which became obsolete. Remaining LEDE specific patches are rebased. Fixes FS#766 - Intermittent SIGSEGV crash of dnsmasq-full. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: make tftp root if not existingAlberto Bursi2017-06-021-1/+1
| | | | | | | | | | If there's a TFTP root directory configured, create it with mkdir -p (which does not throw an error if the folder exists already) before starting dnsmasq. This is useful for TFTP roots in /tmp, for example. Originally submitted by nfw user aka Nathaniel Wesley Filardo Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
* dnsmasq: use logical interface name for dhcp relay configKarl Vogel2017-06-021-1/+2
| | | | | | | | | The relay section should use the logical interface name and not the linux network device name directly. This to be consistent with other sections of the dnsmasq config where 'interface' means the logical interface. Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
* dnsmasq: don't point --resolv-file to default location unconditionallyPhilip Prindeville2017-06-021-3/+3
| | | | | | | If noresolv is set, we should not generate a --resolv-file parameter. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [minor cleanup]
* usbmode: update usb-modeswitch-data to 20170205Julian Labus2017-05-291-2/+2
| | | | | | add support for new hardware Signed-off-by: Julian Labus <julian@labus-online.de>
* usbmode: update to latest versionJulian Labus2017-05-291-3/+3
| | | | | | 453da8e convert-modeswitch.pl: fix message indices Signed-off-by: Julian Labus <julian@labus-online.de>
* usbmode: Update to latest HEADFlorian Fainelli2017-05-291-3/+3
| | | | | | | | | | | Brings the following changes: 22f041e18df0 Extend StandardEject sequence to include LUN 1 61fdf7e9b1cc cmake: Search for libjson-c 2769852e76b5 cmake: Find libubox/blobmsg_json.h 8a47c4b6649f add TargetClass support Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
* samba: bump PKG_RELEASEJo-Philipp Wich2017-05-271-1/+1
| | | | | | | | | | | The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the fixed samba package does not appear as opkg update. Bump the PKG_RELEASE to signify upgrades to downstream users. Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: resync with masterJo-Philipp Wich2017-05-271-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update to latest Git HEAD in order to import a number of fixes and other improvements: a4d98ae options: remove stray continue statement 3d2c18a options: improve handling of negations when parsing space separated values 0e5dd73 iptables: support -i, -o, -s and -d in option extra 4cb06c7 ubus: increase ubus network interface dump timeout e5dfc82 iptables: add exception handling f625954 firewall3: add check_snat() function 7d3d9dc firewall3: display the section type for UBUS rules 53ef9f1 firewall3: add UBUS support for include scripts 5cd4af4 firewall3: add UBUS support for ipset sections 02d6832 firewall3: add UBUS support for forwarding sections 0a7d36d firewall3: add UBUS support for redirect sections d44f418 firewall3: add fw3_attr_parse_name_type() function e264c8e firewall3: replace warn_rule() by warn_section() 6039c7f firewall3: check the return value of fw3_parse_options() c328d1f build: use -Wno-format-truncation instead of -Wno-error=format-truncation e06e537 utils: replace sprintf use with snprintf to avoid overflows 533f834 build: disable the format-truncation warning error to fix gcc 7 build errors e751cde zones: drop outgoing invalid traffic in masqueraded zones d596f72 rules: fix UCI context in error reporting 1d0564c ubus: fix interface name and proto lookup 82ccd9e firewall3: fix handling of UTC times 1949e0c iptables: support xtables API > 11 Fixes FS#548, FS#640, FS#806, FS#811. Ref: https://forum.lede-project.org/t/nat-leakage-on-tl-wr1043nd-v4/1712 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* mac80211, hostapd: always explicitly set beacon intervalMatthias Schiffer2017-05-274-9/+10
| | | | | | | | | | | | | | | | One of the latest mac80211 updates added sanity checks, requiring the beacon intervals of all VIFs of the same radio to match. This often broke AP+11s setups, as these modes use different default intervals, at least in some configurations (observed on ath9k). Instead of relying on driver or hostapd defaults, change the scripts to always explicitly set the beacon interval, defaulting to 100. This also applies the beacon interval to 11s interfaces, which had been forgotten before. VIF-specific beacon_int setting is removed from hostapd.sh. Fixes FS#619. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* hostapd: add legacy_rates option to disable 802.11b data rates.Nick Lowe2017-05-271-8/+20
| | | | | | | | | | | | | | | | | | Setting legacy_rates to 0 disables 802.11b data rates. Setting legacy_rates to 1 enables 802.11b data rates. (Default) The basic_rate option and supported_rates option are filtered based on this. The rationale for the change, stronger now than in 2014, can be found in: https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx The balance of equities between compatibility with b clients and the detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b rates by default. Signed-off-by: Nick Lowe <nick.lowe@gmail.com> Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]
* ath10k-firmware: do not select the qca988x by defaultMathias Kresin2017-05-271-1/+0
| | | | | | | | Do not select the qca988x by default as soon as kmod-ath10k is selected. We do support more ath10k chips than the qca988x in the meantime, so this dependency doesn't make sense any longer. Signed-off-by: Mathias Kresin <dev@kresin.me>
* kernel: fix autoloading arch-specific modulesYousong Zhou2017-05-253-9/+9
| | | | | | Fixes FS#745 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* backlight-pwm: fix module descriptionYousong Zhou2017-05-251-1/+1
| | | | Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* binutils: fix build with host gcc < 4.9Hauke Mehrtens2017-05-242-0/+1323
| | | | | | | | | binutils 2.27 checks if the target compiler supports -Wstack- usage=262144, and also uses this setting for the host compiler. If the host compiler is gcc < 4.9 binutils build will fail. This backports 2 commits which are fixing this problem for binutils 2.28. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* util-linux: fix build with uclibcHauke Mehrtens2017-05-241-0/+24
| | | | | | | | | | Fix build of scriptreplay with uClibc. Some parts of the libm detection were backported to 2.29.2, but some parts were missing, which are added here. This patch is needed when libm is a separate library, this is not needed for LEDE master, because libm is there integrated in the libc for uClibc and musl. Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>