path: root/package
Commit message | Author | Age | Files | Lines
* OpenWrt v22.03.5: revert to branch defaults | Hauke Mehrtens | 2023-04-27 | 1 | -2/+2

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

* OpenWrt v22.03.5: adjust config defaults [tag: v22.03.5] | Hauke Mehrtens | 2023-04-27 | 1 | -2/+2

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* openssl: fix CVE-2023-464 and CVE-2023-465 | Eneas U de Queiroz | 2023-04-17 | 3 | -1/+263

    Apply two patches fixing low-severity vulnerabilities related to
    certificate policies validation:

    - Excessive Resource Usage Verifying X.509 Policy Constraints
      (CVE-2023-0464)
      Severity: Low

      A security vulnerability has been identified in all supported versions
      of OpenSSL related to the verification of X.509 certificate chains that
      include policy constraints. Attackers may be able to exploit this
      vulnerability by creating a malicious certificate chain that triggers
      exponential use of computational resources, leading to a
      denial-of-service (DoS) attack on affected systems.

      Policy processing is disabled by default but can be enabled by passing
      the `-policy' argument to the command line utilities or by calling the
      `X509_VERIFY_PARAM_set1_policies()' function.

    - Invalid certificate policies in leaf certificates are silently ignored
      (CVE-2023-0465)
      Severity: Low

      Applications that use a non-default option when verifying certificates
      may be vulnerable to an attack from a malicious CA to circumvent certain
      checks.

      Invalid certificate policies in leaf certificates are silently ignored
      by OpenSSL and other certificate policy checks are skipped for that
      certificate. A malicious CA could use this to deliberately assert
      invalid certificate policies in order to circumvent policy checking on
      the certificate altogether.

      Policy processing is disabled by default but can be enabled by passing
      the `-policy' argument to the command line utilities or by calling the
      `X509_VERIFY_PARAM_set1_policies()' function.

    Note: OpenSSL also released a fix for low-severity security advisory
    CVE-2023-466. It is not included here because the fix only changes the
    documentation, which is not built nor included in any OpenWrt package.

    Due to the low-severity of these issues, there will not be an immediate
    new release of OpenSSL.

    Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
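The resource-exhaustion shape behind the first advisory above is easy to lose in the prose: each certificate in a chain may assert several policies and, through policyMappings, map each of them to several policies in the next certificate, so the policy tree that RFC 5280 verification builds can grow by a constant factor per certificate. The following Python is an added illustration written for this page, not OpenSSL's code or the patches this commit applies: it builds a simplified RFC 5280 policy tree for a constructed benign chain and for a constructed hostile chain (policy OIDs under a made-up arc), and shows how a hard cap on the node count turns the blow-up into a cheap verification failure. The cap value of 1000 is an assumption chosen to mirror the bound the upstream fix introduces, and anyPolicy in certificatePolicies and the inhibit/require-explicit counters are not modelled. As the commit notes, none of this runs unless policy checking was enabled (`-policy` or `X509_VERIFY_PARAM_set1_policies()`).

```python
"""Toy model of RFC 5280 policy-tree growth (added illustration, not OpenSSL code).

A chain whose certificates each assert k policies mapped all-to-all yields
k**i nodes at depth i: every node at depth i-1 sprouts one child per asserted
policy found in its expected_policy_set, and the mapping makes every expected
set k wide.  The cap below (1000) is an assumption mirroring the upstream
fix's bound.  All OIDs are constructed.
"""
from dataclasses import dataclass, field

ANY_POLICY = "2.5.29.32.0"      # anyPolicy


@dataclass
class PolicyNode:
    valid_policy: str
    expected_policy_set: frozenset
    children: list = field(default_factory=list)


@dataclass
class Cert:
    policies: tuple   # certificatePolicies OIDs asserted by this cert
    mappings: dict    # policyMappings: issuerDomainPolicy -> [subjectDomainPolicy, ...]


class PolicyTreeTooLarge(Exception):
    """Raised when the node cap is exceeded; verification should fail fast."""


def build_policy_tree(chain, max_nodes=1000):
    """Build the valid_policy_tree for `chain` (root CA first).

    Simplified from RFC 5280 6.1.3 (d) and 6.1.4 (b).  Returns the number
    of nodes created, or raises PolicyTreeTooLarge once `max_nodes` is passed.
    """
    root = PolicyNode(ANY_POLICY, frozenset([ANY_POLICY]))
    level, count = [root], 1
    for cert in chain:
        next_level = []
        for node in level:
            for policy in cert.policies:
                # A parent matches when it expects this policy (or anything).
                if (policy not in node.expected_policy_set
                        and ANY_POLICY not in node.expected_policy_set):
                    continue
                # Mapping a policy to k others makes the child expect k
                # policies: that k is the per-level branching factor.
                expected = frozenset(cert.mappings.get(policy, (policy,)))
                child = PolicyNode(policy, expected)
                node.children.append(child)
                next_level.append(child)
                count += 1
                if count > max_nodes:
                    raise PolicyTreeTooLarge(f"policy tree exceeds {max_nodes} nodes")
        level = next_level
    return count


def verify_policy_tree(chain, max_nodes=1000):
    """Return (ok, node_count); ok is False when the cap is hit."""
    try:
        return True, build_policy_tree(chain, max_nodes)
    except PolicyTreeTooLarge:
        return False, None


def benign_chain(length):
    """Ordinary chain: one policy per cert, no mappings (constructed OID)."""
    oid = "1.3.6.1.4.1.99999.1"
    return [Cert((oid,), {}) for _ in range(length)]


def exploding_chain(length, k=4):
    """Hostile chain: each cert asserts k policies and maps each to all k."""
    oids = [f"1.3.6.1.4.1.99999.{i}" for i in range(1, k + 1)]
    return [Cert(tuple(oids), {o: list(oids) for o in oids}) for _ in range(length)]


if __name__ == "__main__":
    for n in range(1, 7):
        print(f"chain length {n}: benign nodes={verify_policy_tree(benign_chain(n))[1]}, "
              f"hostile (k=4)={verify_policy_tree(exploding_chain(n))}")
```

With k=4 the hostile chain reaches 85 nodes at length 3, 341 at length 4 and 1365 at length 5; uncapped, a chain of a dozen such certificates is in the tens of millions, which is the DoS. The benign chain grows by one node per certificate. Without the cap the only defence is the one the commit names: leaving policy processing disabled unless you need it.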
* uclient: update to Git version 2023-04-13 | Matthias Schiffer | 2023-04-13 | 1 | -3/+3

    007d94546749 uclient: cancel state change timeout in uclient_disconnect()
    644d3c7e13c6 ci: improve wolfSSL test coverage
    dc54d2b544a1 tests: add certificate check against letsencrypt.org

    Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
    (cherry picked from commit 4f1c2e8deef10e9ca34ceff5a096e62aaa668e90)
* OpenWrt v22.03.4: revert to branch defaults | Daniel Golle | 2023-04-09 | 1 | -2/+2

    Signed-off-by: Daniel Golle <daniel@makrotopia.org>

* OpenWrt v22.03.4: adjust config defaults [tag: v22.03.4] | Daniel Golle | 2023-04-09 | 1 | -2/+2

    Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* iproute2: add missing libbpf dependency | Kien Truong | 2023-04-02 | 1 | -1/+1

    This patch adds libbpf to the dependencies of tc-mod-iptables.

    The package tc-mod-iptables is missing libbpf as a dependency, which
    leads to the build failure described in bug #9491

      LIBBPF_FORCE=on set, but couldn't find a usable libbpf

    The build dependency is already automatically added because some other
    packages from iproute2 depend on libbpf, but bpftools has multiple build
    variants. With multiple build variants none gets built by default and
    the build system will not build bpftools before iproute2.

    Fixes: #9491
    Signed-off-by: Kien Truong <duckientruong@gmail.com>
    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    (cherry picked from commit fa468d4bcdc7e6eb84ea51d9b05368ed87c43aae)
* openssl: fix variable reference in conffiles | Eneas U de Queiroz | 2023-04-02 | 1 | -3/+3

    Fix the trivial absence of $() when assigning engine config files to the
    main libopenssl-config package even if the corresponding engines were
    not built into the main library.

    This is mostly cosmetic, since scripts/ipkg-build tests the file's
    presence before it is actually included in the package's conffiles.

    Fixes: 30b0351039 "openssl: configure engine packages during install"
    Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
    (cherry picked from commit c75cd5f6028da6ceb1fb3438da93e2305cd720b1)
* wireless-regdb: update to 2023.02.13 | Yuu Toriyama | 2023-04-02 | 1 | -2/+2

    Changes:
    7f7a9f7 wireless-regdb: update regulatory database based on preceding changes
    660a1ae wireless-regdb: Update regulatory info for Russia (RU) on 5GHz
    fe05cc9 wireless-regdb: Update regulatory rules for Japan (JP) on 6GHz
    d8584dc wireless-regdb: Update regulatory rules for Japan (JP) on 5GHz
    c04fd9b wireless-regdb: update regulatory rules for Switzerland (CH)
    f29772a wireless-regdb: Update regulatory rules for Brazil (BR)

    Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
    (cherry picked from commit 1173edf23b3440137d60162d1ef9f48ffa13e3e2)
* bpf-headers: fix package category | Chukun Pan | 2023-04-02 | 1 | -1/+1

    This removes the non-selectable 'Kernel' item when make menuconfig.

    Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
    (cherry picked from commit 3e4c014008659c760b2e4638f606da90df1e3c93)
* ksmbd: update to 3.4.7 | Rosen Penev | 2023-04-02 | 3 | -103/+4

    Remove upstreamed patches.

    Switch to normal tarballs. Codeload recently had a reproducibility issue.

    Signed-off-by: Rosen Penev <rosenp@gmail.com>
    (cherry picked from commit 44c24b3ac5d4523c0f9f55691d28387508e93de5)
* hostapd: add missing return code for the bss_mgmt_enable ubus method | Felix Fietkau | 2023-04-02 | 1 | -0/+2

    Fixes bogus errors on ubus calls

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    (cherry picked from commit cf992ca862f271936f61367236378378f0d91b6d)
* dnsmasq: add dhcphostsfile to ujail sandbox | Ruben Jenster | 2023-04-02 | 1 | -0/+1

    The dhcphostsfile must be mounted into the (ujail) sandbox.
    The file can not be accessed without this mount.

    Signed-off-by: Ruben Jenster <rjenster@gmail.com>
    (cherry picked from commit 936df715de3d33947ce38ca232b05c2bd3ef58f1)
* netifd: strip mask from IP address in DHCP client params | Andrey Erokhin | 2023-04-02 | 1 | -1/+1

    ipaddr option can be in CIDR notation, but udhcp wants just an IP address

    Signed-off-by: Andrey Erokhin <a.erokhin@inango-systems.com>
    (cherry picked from commit 506bb436c678779e8ee54e83a7fb3e4e880037ec)
* mac80211: fix invalid calls to drv_sta_pre_rcu_remove | Felix Fietkau | 2023-04-02 | 1 | -0/+25

    Potentially fixes some driver data structure corruption issues

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    (cherry picked from commit 9779ee021d30508eb9e7ebf1ec0a28a4be3c4c19)
    [Change patch number]
    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* uboot-envtools: add support for ramips Asus RX-AX53U | Felix Baumann | 2023-04-02 | 1 | -0/+1

    Adds uboot-envtools support for ramips Asus RX-AX53U now that
    partition can be correctly read.

    Signed-off-by: Felix Baumann <felix.bau@gmx.de>
    [ improve commit title and description ]
    Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
    (cherry picked from commit 75451681d03e609ac8a3d1cd7469eefa53e18ca4)
* comgt: ncm: support Mikrotik R11e-LTE6 modem | Szabolcs Hubai | 2023-04-01 | 1 | -0/+12

    The Mikrotik R11e-LTE6 modem is similar to ZTE MF286R modem, added
    earlier: it has a Marvell chip, able to work in ACM+RNDIS mode, knows
    ZTE specific commands, runs OpenWrt Barrier Breaker fork.

    While the modem is able to offer IPv6 address, the RNDIS setup is unable
    to complete if there is an IPv6 address.

    While it works in ACM+RNDIS mode, the user experience isn't as good as
    with "proto 3g": the modem happily serves a local IP (192.168.1.xxx)
    without internet access. Of course, if the modem has enough time (for
    example at the second dialup), it will serve a public IP.
    Modifying the DHCP Lease (to a short interval before connect and back to
    default while finalizing) is a workaround to get a public IP at the
    first try.
    A safe workaround for this is to exercise an offline script of the
    pingcheck program: simply restart (ifdown - ifup) the connection.

    Another pitfall is that the modem writes a few messages at startup,
    which confuses the manufacturer detection algorithm and got disabled.

      daemon.notice netifd: Interface 'mikrotik' is setting up now
      daemon.notice netifd: mikrotik (2366): Failed to parse message data
      daemon.notice netifd: mikrotik (2366): WARNING: Variable 'ok' does not exist or is not an array/object
      daemon.notice netifd: mikrotik (2366): Unsupported modem
      daemon.notice netifd: mikrotik (2426): Stopping network mikrotik
      daemon.notice netifd: mikrotik (2426): Failed to parse message data
      daemon.notice netifd: mikrotik (2426): WARNING: Variable '*simdetec:1,sim' does not exist or is not an array/object
      daemon.notice netifd: mikrotik (2426): Unsupported modem
      daemon.notice netifd: Interface 'mikrotik' is now down

    A workaround for this is to use the "delay" option in the interface
    configuration.

    I want to thank Forum members dchard (in topic Adding support for
    MikroTik hAP ac3 LTE6 kit (D53GR_5HacD2HnD)) [1] and mrhaav (in topic
    OpenWrt X86_64 + Mikrotik R11e-LTE6) [2] for sharing their experiments
    and works. Another information page was found at eko.one.pl [3].

    [1]: https://forum.openwrt.org/t/137555
    [2]: https://forum.openwrt.org/t/151743
    [3]: https://eko.one.pl/?p=modem-r11elte

    Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
    (cherry picked from commit dbd6ebd6d84b35599a0446559576df41f487200e)
* comgt: add quirk for Mikrotik modems based on Mikrotik R11e-LTE6 | Szabolcs Hubai | 2023-04-01 | 2 | -2/+4

    The MikroTik R11e-LTE6 modem goes into flight mode (CFUN=4) at startup
    and the radio is off (*RADIOPOWER: 0):

      AT+RESET
      OK
      OK
      *SIMDETEC:2,NOS
      *SIMDETEC:1,SIM
      *ICCID: 8936500119010596302
      *EUICC: 1
      +MSTK: 11, D025....74F3
      *ADMINDATA: 0, 2, 0
      +CPIN: READY
      *EUICC: 1
      *ECCLIST: 5, 0, 112, 0, 000, 0, 08, 0, 118, 0, 911
      +CREG: 0
      $CREG: 0
      +CESQ: 99,99,255,255,255,255
      *CESQ: 99,99,255,255,255,255,0
      +CGREG: 0
      +CEREG: 0
      +CESQ: 99,99,255,255,255,255
      *CESQ: 99,99,255,255,255,255,0
      *RADIOPOWER: 0
      +MMSG: 0, 0
      +MMSG: 0, 0
      +MMSG: 1, 0
      +MPBK: 1

    While the chat script is able to establish the PPP connection, it's
    closed instantly by the modem: LCP terminated by peer.

      local2.info chat[7000]: send (ATD*99***1#^M)
      local2.info chat[7000]: expect (CONNECT)
      local2.info chat[7000]: ^M
      local2.info chat[7000]: ATD*99***1#^M^M
      local2.info chat[7000]: CONNECT
      local2.info chat[7000]:  -- got it
      local2.info chat[7000]: send ( ^M)
      daemon.info pppd[6997]: Serial connection established.
      kern.info kernel: [  453.659146] 3g-mikrotik: renamed from ppp0
      daemon.info pppd[6997]: Renamed interface ppp0 to 3g-mikrotik
      daemon.info pppd[6997]: Using interface 3g-mikrotik
      daemon.notice pppd[6997]: Connect: 3g-mikrotik <--> /dev/ttyACM0
      daemon.info pppd[6997]: LCP terminated by peer
      daemon.notice pppd[6997]: Connection terminated.
      daemon.notice pppd[6997]: Modem hangup
      daemon.info pppd[6997]: Exit.
      daemon.notice netifd: Interface 'mikrotik' is now down

    Sending "AT+CFUN=1" to modem deactivates the flight mode and solves the
    issue:

      daemon.notice netifd: Interface 'mikrotik' is setting up now
      daemon.notice netifd: mikrotik (7051): sending -> AT+CFUN=1
      daemon.notice pppd[7137]: pppd 2.4.9 started by root, uid 0
      local2.info chat[7140]: abort on (BUSY)
      local2.info chat[7140]: abort on (NO CARRIER)
      local2.info chat[7140]: abort on (ERROR)
      local2.info chat[7140]: report (CONNECT)
      local2.info chat[7140]: timeout set to 10 seconds
      local2.info chat[7140]: send (AT&F^M)
      local2.info chat[7140]: expect (OK)
      local2.info chat[7140]: ^M
      local2.info chat[7140]: +CESQ: 99,99,255,255,255,255^M
      local2.info chat[7140]: ^M
      local2.info chat[7140]: *CESQ: 99,99,255,255,255,255,0^M
      local2.info chat[7140]: AT&F^MAT&F^M^M
      local2.info chat[7140]: OK
      local2.info chat[7140]:  -- got it
      ...
      local2.info chat[7140]: send (ATD*99***1#^M)
      local2.info chat[7140]: expect (CONNECT)
      local2.info chat[7140]: ^M
      local2.info chat[7140]: ATD*99***1#^M^M
      local2.info chat[7140]: CONNECT
      local2.info chat[7140]:  -- got it
      local2.info chat[7140]: send ( ^M)
      daemon.info pppd[7137]: Serial connection established.
      kern.info kernel: [  463.094254] 3g-mikrotik: renamed from ppp0
      daemon.info pppd[7137]: Renamed interface ppp0 to 3g-mikrotik
      daemon.info pppd[7137]: Using interface 3g-mikrotik
      daemon.notice pppd[7137]: Connect: 3g-mikrotik <--> /dev/ttyACM0
      daemon.warn pppd[7137]: Could not determine remote IP address: defaulting to 10.64.64.64
      daemon.notice pppd[7137]: local  IP address 100.112.63.62
      daemon.notice pppd[7137]: remote IP address 10.64.64.64
      daemon.notice pppd[7137]: primary   DNS address 185.29.83.64
      daemon.notice pppd[7137]: secondary DNS address 185.62.131.64
      daemon.notice netifd: Network device '3g-mikrotik' link is up
      daemon.notice netifd: Interface 'mikrotik' is now up

    To send this AT command to the modem the "runcommand.gcom" script
    dependency is moved from comgt-ncm to comgt.

    As the comgt-ncm package depends on comgt already, this change is a NOOP
    from that point of view. But from the modem's point it is a low hanging
    fruit as the modem is usable with installing comgt and kmod-usb-ncm
    packages.

    Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
    (cherry picked from commit 91eca7b04ff1309c7408baa1f1631d7623ce50cf)
* mac80211, mt76: add fixes for recently discovered security issues | Felix Fietkau | 2023-03-30 | 7 | -0/+660

    Fixes CVE-2022-47522

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    (cherry picked from commit d54c91bd9ab3c54ee06923eafbd67047816a37e4)
* ncm: add error check and retry mechanism for gcom call | Mike Wilson | 2023-03-30 | 1 | -4/+19

    This patch solves the problem of receiving "error" responses when
    initially calling gcom. This avoids unnecessary NO_DEVICE failures.

    A retry loop retries the call after an "error" response within the
    specified delay. A successful response will continue with the connection
    immediately without waiting for max specified delay, bringing the
    interface up sooner.

    Signed-off-by: Mike Wilson <mikewse@hotmail.com>
    (cherry picked from commit 8f27093ce784daad5a9b1c89f51d0a76a8bbb07b)
* kernel: tcindex classifier has been retired | John Audia | 2023-03-27 | 1 | -2/+1

    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sched?h=v5.10.173&id=18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6

    Signed-off-by: John Audia <therealgraysky@proton.me>
    (cherry picked from commit fbfec3286e8bfce3a78749b7bcb67e658665f197)
* mpc85xx: add support for Watchguard Firebox T10 | David Bauer | 2023-03-10 | 1 | -0/+3

    Hardware
    --------
    SoC:    Freescale P1010
    RAM:    512MB
    FLASH:  1 MB SPI-NOR
            512 MB NAND
    ETH:    3x Gigabit Ethernet (Atheros AR8033)
    SERIAL: Cisco RJ-45 (115200 8N1)
    RTC:    Battery-Backed RTC (I2C)

    Installation
    ------------
    1. Patch U-Boot by dumping the content of the SPI-Flash using a SPI
       programmer. The SHA1 hash for the U-Boot password is currently
       unknown.

       A tool for patching U-Boot is available at
       https://github.com/blocktrron/t10-uboot-patcher/

       You can also patch the unknown password yourself. The SHA1 hash is
       E597301A1D89FF3F6D318DBF4DBA0A5ABC5ECBEA

    2. Interrupt the bootmenu by pressing CTRL+C. A password prompt appears.
       The patched password is '1234' (without quotation marks)

    3. Download the OpenWrt initramfs image. Copy it to a TFTP server
       reachable at 10.0.1.13/24 and rename it to uImage.

    4. Connect the TFTP server to ethernet port 0 of the Watchguard T10.

    5. Download and boot the initramfs image by entering "tftpboot; bootm;"
       in U-Boot.

    6. After OpenWrt booted, create a UBI volume on the old data partition.
       The "ubi" mtd partition should be mtd7, check this using
         $ cat /proc/mtd
       Create a UBI partition by executing
         $ ubiformat /dev/mtd7 -y

    7. Increase the loadable kernel-size of U-Boot by executing
         $ fw_setenv SysAKernSize 800000

    8. Transfer the OpenWrt sysupgrade image to the Watchguard T10 using
       scp. Install the image by using sysupgrade:
         $ sysupgrade -n <path-to-sysupgrade>

       Note: The LAN ports of the T10 are 1 & 2 while 0 is WAN. You might
       have to change the ethernet-port.

    9. OpenWrt should now boot from the internal NAND. Enjoy.

    Signed-off-by: David Bauer <mail@david-bauer.net>
    (cherry picked from commit 35f6d795134e9b089c4e763a7f58cba7d4e15e42)
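Step 1 of the installation above hinges on one fact the commit records: the SHA1 digest of the stock U-Boot password, which nobody has reversed. You do not need the password; you need a flash image in which that digest has been swapped for the digest of a password you know. The Python below is an added illustration for this page, not the t10-uboot-patcher tool the commit links, and it does not know how the Firebox stores the digest: that encoding is an assumption, so the script tries the 40-character hex text form (either case) and the 20-byte raw form, and refuses to write anything unless exactly one copy is found, because a half-patched bootloader on a device you reach only over SPI is a brick. The dump it operates on in the test is a constructed stand-in of padding around the digest, not a real 1 MB image.

```python
"""Swap the U-Boot password digest in a SPI-NOR dump (added illustration).

The stock digest is the value given in the commit message.  The storage
encoding in flash is an assumption: hex text in either case or raw bytes are
tried, and exactly one occurrence of exactly one encoding must match before
anything is replaced.  Old and new values always have equal length, so no
other offset in the image moves.
"""
import hashlib
import sys

# From the commit message: SHA1 of the stock (unknown) bootloader password.
STOCK_HASH_HEX = "E597301A1D89FF3F6D318DBF4DBA0A5ABC5ECBEA"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def _encodings(old_hex: str, new_hex: str):
    """Yield (old, new) byte pairs for each guessed storage format."""
    yield old_hex.upper().encode(), new_hex.upper().encode()
    yield old_hex.lower().encode(), new_hex.lower().encode()
    yield bytes.fromhex(old_hex), bytes.fromhex(new_hex)


def patch_password_hash(dump: bytes, new_password: str,
                        old_hash_hex: str = STOCK_HASH_HEX) -> bytes:
    """Return a copy of `dump` with the stock digest replaced by sha1(new_password).

    Raises ValueError unless exactly one encoding occurs exactly once, so an
    unexpected or damaged image is never silently half-patched.
    """
    new_hex = sha1_hex(new_password)
    hits = [(old, new) for old, new in _encodings(old_hash_hex, new_hex)
            if dump.count(old) == 1]
    if len(hits) != 1:
        raise ValueError(f"expected one digest occurrence, matched {len(hits)} encodings")
    old, new = hits[0]
    return dump.replace(old, new)


def password_matches(password: str, dump: bytes) -> bool:
    """True if sha1(password) appears in `dump` in any tried encoding.

    Confirms a patched image, and doubles as an offline check of wordlist
    candidates against the stock digest.
    """
    h = sha1_hex(password)
    return any(enc in dump for enc in (h.upper().encode(), h.lower().encode(), bytes.fromhex(h)))


def constructed_dump(digest: bytes) -> bytes:
    """Stand-in for a flash dump: erased-flash padding around the digest (constructed)."""
    return b"\xff" * 32 + digest + b"\xff" * 32


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: patch.py <dump.bin> <patched.bin> <new-password>")
    src, dst, pw = sys.argv[1:4]
    with open(src, "rb") as f:
        data = f.read()
    patched = patch_password_hash(data, pw)
    with open(dst, "wb") as f:
        f.write(patched)
    print("patched, digest present:", password_matches(pw, patched))
```

Run it on the programmer's dump, write the output image back with the same programmer, and at the password prompt in step 2 use the password you passed in rather than the '1234' the prebuilt patcher installs. Verify the output is the same size as the input before flashing; the script guarantees that by construction, but the check costs nothing.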
* kernel: can: fix MCP251x CAN controller module autoload | Tim Harvey | 2023-02-26 | 1 | -1/+1

    Fix autoload module name for can-mcp251x kmod.

    Signed-off-by: Tim Harvey <tharvey@gateworks.com>
    (cherry picked from commit 29d02d8ce584fa7e420204e04dde1e17e14e009c)
* openssl: bump to 1.1.1t | John Audia | 2023-02-14 | 1 | -2/+2

    Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

    *) Fixed X.400 address type confusion in X.509 GeneralName.

       There is a type confusion vulnerability relating to X.400 address
       processing inside an X.509 GeneralName. X.400 addresses were parsed
       as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as
       an ASN1_TYPE. This vulnerability may allow an attacker who can
       provide a certificate chain and CRL (neither of which need have a
       valid signature) to pass arbitrary pointers to a memcmp call,
       creating a possible read primitive, subject to some constraints.
       Refer to the advisory for more information. Thanks to David Benjamin
       for discovering this issue. (CVE-2023-0286)

       This issue has been fixed by changing the public header file
       definition of GENERAL_NAME so that x400Address reflects the
       implementation. It was not possible for any existing application to
       successfully use the existing definition; however, if any application
       references the x400Address field (e.g. in dead code), note that the
       type of this field has changed. There is no ABI change.
       [Hugo Landau]

    *) Fixed Use-after-free following BIO_new_NDEF.

       The public API function BIO_new_NDEF is a helper function used for
       streaming ASN.1 data via a BIO. It is primarily used internally to
       OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities,
       but may also be called directly by end user applications.

       The function receives a BIO from the caller, prepends a new
       BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and
       then returns the new head of the BIO chain to the caller. Under
       certain conditions, for example if a CMS recipient public key is
       invalid, the new filter BIO is freed and the function returns a NULL
       result indicating a failure. However, in this case, the BIO chain is
       not properly cleaned up and the BIO passed by the caller still
       retains internal pointers to the previously freed filter BIO. If the
       caller then goes on to call BIO_pop() on the BIO then a
       use-after-free will occur. This will most likely result in a crash.
       (CVE-2023-0215)
       [Viktor Dukhovni, Matt Caswell]

    *) Fixed Double free after calling PEM_read_bio_ex.

       The function PEM_read_bio_ex() reads a PEM file from a BIO and parses
       and decodes the "name" (e.g. "CERTIFICATE"), any header data and the
       payload data. If the function succeeds then the "name_out", "header"
       and "data" arguments are populated with pointers to buffers
       containing the relevant decoded data. The caller is responsible for
       freeing those buffers. It is possible to construct a PEM file that
       results in 0 bytes of payload data. In this case PEM_read_bio_ex()
       will return a failure code but will populate the header argument with
       a pointer to a buffer that has already been freed. If the caller also
       frees this buffer then a double free will occur. This will most
       likely lead to a crash.

       The functions PEM_read_bio() and PEM_read() are simple wrappers
       around PEM_read_bio_ex() and therefore these functions are also
       directly affected. These functions are also called indirectly by a
       number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex()
       and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some
       OpenSSL internal uses of these functions are not vulnerable because
       the caller does not free the header argument if PEM_read_bio_ex()
       returns a failure code. (CVE-2022-4450)
       [Kurt Roeckx, Matt Caswell]

    *) Fixed Timing Oracle in RSA Decryption.

       A timing based side channel exists in the OpenSSL RSA Decryption
       implementation which could be sufficient to recover a plaintext
       across a network in a Bleichenbacher style attack. To achieve a
       successful decryption an attacker would have to be able to send a
       very large number of trial messages for decryption. The vulnerability
       affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
       (CVE-2022-4304)
       [Dmitry Belyavsky, Hubert Kario]

    Signed-off-by: John Audia <therealgraysky@proton.me>
    (cherry picked from commit 4ae86b3358a149a17411657b12103ccebfbdb11b)

    The original commit removed the upstreamed patch 010-padlock.patch, but
    it's not on OpenWrt 22.03, so it doesn't have to be removed.

    Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
* mac80211: Update to version 5.15.92-1 | Hauke Mehrtens | 2023-02-08 | 1 | -3/+3

    This update mac80211 to version 5.15.92-1. This includes multiple
    bugfixes. Some of these bugfixes are fixing security relevant bugs.

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mac80211: use 802.11ax iw modes | David Bauer | 2023-01-28 | 1 | -3/+3

    This adds missing HE modes to mac80211_prepare_ht_modes.

    Previously mesh without wpa_supplicant would be initialized with
    802.11g /NO-HT only, as this method did not parse channel bandwidth for
    HE operation.

    Signed-off-by: David Bauer <mail@david-bauer.net>
    (cherry picked from commit a63430eac33ceb1dbf96d3667e2a0f2e04ba391f)
* mbedtls: move source modification to patch | David Bauer | 2023-01-18 | 2 | -3/+15

    Patch the mbedtls source instead of modifying the compile-targets in
    the prepare buildstep within OpenWrt.

    Signed-off-by: David Bauer <mail@david-bauer.net>
    (cherry picked from commit 00f1463df7e690862403208082f71fb4741baf02)
* ksmbd: Fix ZDI-CAN-18259 | Hauke Mehrtens | 2023-01-11 | 3 | -1/+100

    This fixes a security problem in ksmbd. It currently has the
    ZDI-CAN-18259 ID assigned, but no CVE yet.

    Backported from:
    https://github.com/cifsd-team/ksmbd/commit/8824b7af409f51f1316e92e9887c2fd48c0b26d6
    https://github.com/cifsd-team/ksmbd/commit/cc4f3b5a6ab4693aba94a45cc073188df4d67175

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    (cherry picked from commit 76c67fcc66116381c69439f20159b636573080ba)
* ksmbd: update to 3.4.6 | Nick Hainke | 2023-01-07 | 2 | -55/+2

    Release Announcement:
    https://github.com/cifsd-team/ksmbd/releases/tag/3.4.6

    Remove upstreamed:
    - 10-fix-build-on-kernel-5.15.52-or-higher.patch

    This fixes the following security bugs:
    * CVE-2022-47938, ZDI-22-1689
    * CVE-2022-47939, ZDI-22-1690 (patch was already backported before)
    * CVE-2022-47940, ZDI-22-1691
    * CVE-2022-47941, ZDI-22-1687
    * CVE-2022-47942, ZDI-22-1688
    * CVE-2022-47943, ZDI-CAN-17817

    Signed-off-by: Nick Hainke <vincent@systemli.org>
    (cherry picked from commit 78cbcc77cc33638b185f85c0e40daee1906a2c3c)
* OpenWrt v22.03.3: revert to branch defaults | Hauke Mehrtens | 2023-01-03 | 1 | -2/+2

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

* OpenWrt v22.03.3: adjust config defaults [tag: v22.03.3] | Hauke Mehrtens | 2023-01-03 | 1 | -2/+2

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mac80211: Do not build brcmsmac on bcm47xx_legacy | Hauke Mehrtens | 2023-01-03 | 1 | -1/+1

    brcmsmac needs bcma. bcma is built into the kernel for the other bcm47xx
    subtargets, but not for the legacy target because it only uses ssb. We
    could build bcma as a module for bcm47xx_legacy, but none of these old
    devices uses a wifi card supported by brcmsmac.

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    (cherry picked from commit cb7d662dac897dd7df6ba6ba60417db822bd68f2)
* gdb: Do not link against xxhash | Hauke Mehrtens | 2023-01-02 | 1 | -0/+1

    libxxhash is now available in the OpenWrt package feed and gdb will
    link against it if gdb finds this library. Explicitly deactivate the
    usage of xxhash.

    This should fix the build of gdb in build bots.

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    (cherry picked from commit a442974cfa89c7182c37b3b422b2d49319e2b339)
* odhcpd: fix null pointer dereference for INFORM messages | Hans Dedecker | 2023-01-02 | 1 | -3/+3

    4a673e1 fix null pointer dereference for INFORM messages

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* base-files: stage2: add 'tail' to sysupgrade environment | Tony Ambardar | 2023-01-01 | 1 | -1/+1

    This is used to access footer data in firmware files, and is simpler
    and less error-prone than using 'dd' with calculated offsets.

    Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
    (cherry picked from commit 9cbc825b30a60c4c4b466301b87e15e59b107f24)
* treewide: Trigger reinstall of all wolfssl dependencies | Hauke Mehrtens | 2023-01-01 | 4 | -4/+4

    The ABI of the wolfssl library changed a bit between version 5.5.3 and
    5.5.4. This release update will trigger a rebuild of all packages which
    are using wolfssl to make sure they are adapted to the new ABI.

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    (cherry picked from commit ee47a28cec01c7943238bae45f65a98e4fc9abbe)
* wolfssl: update to 5.5.4-stable | Nick Hainke | 2023-01-01 | 3 | -36/+3

    Remove upstreamed:
    - 001-Fix-enable-devcrypto-build-error.patch

    Refresh patch:
    - 100-disable-hardening-check.patch

    Release notes:
    https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.4-stable

    Signed-off-by: Nick Hainke <vincent@systemli.org>
    (cherry picked from commit 04634b2d8253972a3e7b663231474eb564e69077)
* mbedtls: update to version 2.28.2 | Hauke Mehrtens | 2022-12-31 | 2 | -6/+6

    Changelog:
    https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2

    This release of Mbed TLS provides bug fixes and minor enhancements.
    This release includes fixes for security issues.

    Fixes the following CVEs:
    * CVE-2022-46393: Fix potential heap buffer overread and overwrite in
      DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
      MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
    * CVE-2022-46392: An adversary with access to precise enough
      information about memory accesses (typically, an untrusted operating
      system attacking a secure enclave) could recover an RSA private key
      after observing the victim performing a single private-key operation
      if the window size used for the exponentiation was 3 or smaller.

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    (cherry picked from commit af3c9b74e177019b18055c263099a42c1c6c3453)
* kernel: remove hack patch, move kirkwood specific kmods to target modules.mk | Felix Fietkau | 2022-12-27 | 2 | -32/+0

    Tweaking the KCONFIG line of kmod-ata-marvell-sata makes the hack patch
    unnecessary

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    (cherry picked from commit 2e375e9b3148cfdb9b19494a25eebc2fa7b256a3)
* uhttpd: update to latest Git HEAD | Hauke Mehrtens | 2022-12-26 | 1 | -3/+3

    2397755 client: fix incorrectly emitting HTTP 413 for certain content lengths

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    (cherry picked from commit 73dca49f355fe10d1d5e629b0df584b03a1849b3)
* kernel: backport ksmbd security fix ZDI-22-1690 | Daniel Graña | 2022-12-23 | 1 | -0/+53

    Fix zero day vulnerability reported as ZDI-22-1690, no CVE assigned yet.

    Picked from https://github.com/cifsd-team/ksmbd/commit/1f9d85a340

    Signed-off-by: Daniel Graña <dangra@gmail.com>
* sunxi: remove frequency for NanoPi R1 | Jan-Niklas Burfeind | 2022-12-22 | 1 | -2/+1

    The frequency appears as unlisted initial frequency.
    Removed it as Hauke suggested.

    Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
    (cherry picked from commit 5b82eeb320d9f8e543232bb5dd004e644b35983e)
* arm-trusted-firmware-sunxi: drop CPE ID | Stijn Tintel | 2022-12-22 | 1 | -1/+0

    The CPE ID is already set in trusted-firmware-a.mk.

    Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
    (cherry picked from commit 9ed1830bdc1e58efb3e5b17c0e484e1a2655b550)
* wolfssl: fix build with /dev/crypto | Chukun Pan | 2022-12-22 | 1 | -0/+33

    Backport upstream patch to fix build error when /dev/crypto enabled.
    https://github.com/wolfSSL/wolfssl/commit/dc9f46a3be00b5e82684a158605189d1278e324c

    Fixes: #10944
    Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
    (cherry picked from commit 171691500eca0737c59d4fff50578b74a90583be)
* Revert "mbedtls: import patch to fix illegal instruction on mpc85xx" | Nick Hainke | 2022-12-20 | 1 | -30/+0

    The commit was pushed into the branch too early. It does not help
    fixing illegal instruction bug on mpc85xx. That's why it should be
    reverted.

    This reverts commit de6c3cca4d2b523937403ae2959597a1e48c7351.

    Signed-off-by: Nick Hainke <vincent@systemli.org>
* rpcd: update to latest Git HEAD | Jo-Philipp Wich | 2022-12-19 | 1 | -5/+7

    7de4820 iwinfo: add "hwmodes_text" to the info output
    b3f530b iwinfo: clean up rpc_iwinfo_call_hw_ht_mode()
    c46ad61 iwinfo: reuse infos provided by libiwinfo
    6c5e900 iwinfo: constify string map arg for rpc_iwinfo_call_int()

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
    (cherry picked from commit d15b1fbed7abb6d4d536c32551ce6d73a309889b)
* iwinfo: update to latest Git HEAD | Jo-Philipp Wich | 2022-12-19 | 1 | -3/+3

    8d15809 cli: print current HT mode
    8f86dd6 cli: use IWINFO_HTMODE_COUNT
    f36b72b cli: use IWINFO_KMGMT_NAMES
    91be7e0 cli: use IWINFO_CIPHER_NAMES
    49b6ec9 cli: fix printing the scan channel width
    b1c8873 cli: fix marking the active channel
    9e14e64 utils: add iwinfo_band2ghz() and iwinfo_ghz2band() helpers
    e084781 utils: add helper functions to get names by values
    d09a77a utils: add iwinfo_htmode_is_{ht|vht|he} helpers
    8752977 utils: add and use iwinfo_format_hwmodes()
    02f433e lib: add IWINFO_80211_COUNT and IWINFO_80211_NAMES
    1d30df1 lib: add IWINFO_BAND_COUNT and IWINFO_BAND_NAMES
    aefd0ef lib: use common IWINFO_CIPHER_NAMES strings
    a5b30de lib: add IWINFO_OPMODE_COUNT and use it for IWINFO_OPMODE_NAMES
    9f29e79 lib: constify and fixup the string array definitions
    fddc015 nl80211: mark frequencies where HE operation is not allowed
    6d50a7c nl80211: add support for HE htmodes
    4ba5713 nl80211: properly get available bands for the hwmode
    91b2ada nl80211: update the kernel header nl80211.h
    3f619a5 nl80211: fix frequency/channel conversion for the 6G band
    a77d915 nl80211: don't guess if a name is an ifname
    c27ce71 devices: add usb device MediaTek MT7921AU
    14f864e nl80211: add ability to describe USB devices
    a5a75fd nl80211: remove ancient wpa_supplicant ctrl socket path
    dd4e1ff nl80211: fix wpa supplicant ctrl socket permissions
    d638163 fix -Wdangling-else warnings
    4aa6c5a fix -Wreturn-type warning
    3112726 fix -Wpointer-sign warning
    ebd5f84 fix -Wmaybe-uninitialized warning
    5469898 fix -Wunused-variable warnings
    462b679 fix -Wduplicate-decl-specifier warnings
    ccaabb4 fix -Wformat-truncation warnings
    50380db enable useful compiler warnings via -Wall

    Fixes: https://github.com/openwrt/openwrt/issues/10158
    Fixes: https://github.com/openwrt/openwrt/issues/10687

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
    (cherry picked from commit 4a4d0bf78ddbbf17508891c5c837e5eb00420b5c)
* iwinfo: update to the latest version | Hauke Mehrtens | 2022-12-19 | 1 | -3/+3

    00aab87 Correctly identify key management algorithms starting with "FT-"

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    (cherry picked from commit 5c70b19c425896625f891c70910a96cdf9f61345)
* iwinfo: update to the latest version | Felix Fietkau | 2022-12-19 | 1 | -3/+3

    0496c722f1d7 nl80211: fix issues with renamed wiphy and multiple phy per device

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    (cherry picked from commit 735f5f18ddbcb5c4e2033f1c08be0113369d2b79)
* iwinfo: update to the latest version | Felix Fietkau | 2022-12-19 | 1 | -3/+3

    46f04f3808e8 devices: add MediaTek MT7986 WiSoC
    b3e08c8b5a8f ops: make support for wireless extensions optional
    1f695d9c7f82 nl80211: allow phy names that don't start with 'phy'
    b7f9f06e1594 nl80211: fix phy/netdev index lookup
    4a43b0d40ba5 nl80211: look up the phy name instead of assuming name == phy<idx>

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    (cherry picked from commit c787962e1d5016cab637cf8857bc6aa3afdda001)