aboutsummaryrefslogtreecommitdiffstats
path: root/package
Commit message (Collapse)AuthorAgeFilesLines
...
* mdadm: Do not check RUN_DIRFlorian Fainelli2017-12-131-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Fixes build failure on hosts that do not have mdadm installed/configured: make[3]: Entering directory `/local/users/fainelli/openwrt/trunk/build_dir/target-mipsel-linux-gnu_glibc/mdadm-4.0' ***** Parent of /run/mdadm does not exist. Maybe set different RUN_DIR= ***** e.g. make RUN_DIR=/dev/.mdadm ***** or set CHECK_RUN_DIR=0 make[3]: *** [check_rundir] Error 1 make[3]: Leaving directory `/local/users/fainelli/openwrt/trunk/build_dir/target-mipsel-linux-gnu_glibc/mdadm-4.0' make[2]: *** [/local/users/fainelli/openwrt/trunk/build_dir/target-mipsel-linux-gnu_glibc/mdadm-4.0/.built] Error 2 make[2]: Leaving directory `/local/users/fainelli/openwrt/trunk/package/utils/mdadm' make[1]: *** [package/utils/mdadm/compile] Error 2 make[1]: Leaving directory `/local/users/fainelli/openwrt/trunk' make: *** [package/mdadm/compile] Error 2 Fixes: 980c41f8e04f ("utils/mdadm: Update to 4.0") Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> (cherry picked from commit 5229c453630c0b023c3d65ef6005adbe48062bbb)
* kernel: remove out of tree direct-io disable hackFelix Fietkau2017-12-131-1/+1
| | | | | | | | | Direct-IO support has to be enabled for the release build anyway, so this hack is not worth keeping Signed-off-by: Felix Fietkau <nbd@nbd.name> (backported from commit 0b7ed65cec8084bb98ae0e2758b7aca6c447cd4b) Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* utils/mdadm: Update to 4.0Daniel Engberg2017-12-135-31/+53
| | | | | | | | | | | | Update mdadm to 4.0 Remove 000-compile.patch as it's fixed upstream Refresh patches Add mdadm.h-Undefine-dprintf-before-redefining.patch Source: http://git.openembedded.org/openembedded-core/tree/meta/recipes-extended/mdadm/files Add RAID 0,1 and 10 as depends to make mdadm usable. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net> (cherry picked from commit 980c41f8e04f5586731e84492001971eb8371590)
* mdadm: extend uci config supportJo-Philipp Wich2017-12-133-7/+82
| | | | | | | | Extend the mdadm package to allow to explicitely configure arrays as well as device list entries. Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 813efe57e434037fb58bd3e16ebd3a1cfd6ceb82)
* uqmi: also try newer pin verificationKoen Vandeputte2017-12-111-1/+1
| | | | | | | | | Newer devices tend to only support the newer version of the pin verification command, so also try that one. Fixes PIN issues with modems like the Sierra Wireless MC7455 Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* opkg: bump to version 2017-12-08Rafał Miłecki2017-12-081-3/+3
| | | | | | | | | | | | | | | | | This updates package to the latest commit from the lede-17.01 branch. It contains few fixes backported from the master: 1) SHA256 fix 2) URL encoding which allows hosting packages on some more picky servers Changes: 9f61f7a opkg_download: decode file:/ URLs 3c46c88 file_util: implement urldecode_path() 79908c2 file_util: consolidate hex/unhex routines 793fbac opkg: encode archive filenames while constructing download URLs a6bb5cb file_util: implement urlencode_path() helper 098e774 libopkg: fix SHA256 calculation for big endian system Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* hostapd: backport fix for wnm_sleep_mode=0Timo Sigurdsson2017-12-072-1/+36
| | | | | | | | | | | | | | | | | | wpa_disable_eapol_key_retries can't prevent attacks against the Wireless Network Management (WNM) Sleep Mode handshake. Currently, hostapd processes WNM Sleep Mode requests from clients regardless of the setting wnm_sleep_mode. Backport Jouni Malinen's upstream patch 114f2830 in order to ignore such requests by clients when wnm_sleep_mode is disabled (which is the default). Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de> [rewrite commit subject (<= 50 characters), bump PKG_RELEASE] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit bd45e15d0afe64dfed5a02a50a634f7947b50144 fixed PKG_RELEASE and renumbered patch) Conflicts: package/network/services/hostapd/Makefile
* hostapd: Expose the tdls_prohibit option to UCITimo Sigurdsson2017-12-071-1/+6
| | | | | | | | | | | | | | | | | wpa_disable_eapol_key_retries can't prevent attacks against the Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested that the existing hostapd option tdls_prohibit can be used to further complicate this possibility at the AP side. tdls_prohibit=1 makes hostapd advertise that use of TDLS is not allowed in the BSS. Note: If an attacker manages to lure both TDLS peers into a fake AP, hiding the tdls_prohibit advertisement from them, it might be possible to bypass this protection. Make this option configurable via UCI, but disabled by default. Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de> (cherry picked from commit 6515887ed9b3f312635409702113dca7c14043e5)
* dnsmasq: backport infinite dns retries fixHans Dedecker2017-12-062-1/+46
| | | | | | | | | | If all configured dns servers return refused in response to a query in strict mode; dnsmasq will end up in an infinite loop retransmitting the dns query resulting into high CPU load. Problem is fixed by checking for the end of a dns server list iteration in strict mode. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* curl: apply CVE 2017-8816 and 2017-8817 security patchesStijn Segers2017-12-043-1/+209
| | | | | | | | | This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01 Curl package. Compile-tested on ar71xx, ramips and x86. Signed-off-by: Stijn Segers <foss@volatilesystems.org>
* mt76: update to the latest versionFelix Fietkau2017-12-041-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Significant performance/stability improvements for MT76x2 and MT7603. Adds LED support. Changes: 2895775 mt76x2: mcu: remove unused parameter in mt76x2_mcu_msg_alloc signature 1dae8f0 mt7603: mcu: remove unused parameter in mt7603_mcu_msg_alloc() signature 5e49aa9 Fix errors found by cppcheck 1b8c8a0 mt7603: add LED definition registers 4d83561 mt76x2: add LED register definitions 2f40e4a mt76x2: Support using PCI ID as chip ID 27c64bc mt76: add led support using mac80211 led framework dfd64fc mt76x2: init: add ma80211 led callbacks 215edf1 mt7603: init: add ma80211 led callbacks 9d36ff2 mt76x2: Add PCI identifier for MT7602 0b7984e mt7603: remove unnecessary mcu register read function f5498d2 debugfs: add support for changing the LED pin 8e453b3 mac80211: move DT led configuration to the "led" child node 8f1673a mt76x2: limit client WCID entries to 0-127 f9d9c22 mt76x2: clear drop flag for all WCIDs on init 0dd8b68 mt76x2: clear per-WCID tx rate lookup register 3e5afe7 mt76x2: add helper function for setting drop mask 941555b mt76x2: clear drop mask when sending a PS response 7dfb354 mt76: increase rx ring size for mt76x2 73902dc mt76x2: add rx statistics registers fe79816 mt76x2: fix LNA gain register annotation cc588c5 mt76x2: sync channel gain value with latest reference driver 60a4d67 mt76x2: implement dynamic AGC tuning based on false packet detection count 4bc9aa9 mt76x2: add more gain tuning based on the latest reference driver 0a0d16f mt76x2: sync tx power related values with reference driver 8c821aa mac80211: add missing include 82acc85 mt7603: add missing include required on newer kernels 2c1a77c mt76x2: fix transmission of encrypted management frames 0532315 mt76x2: increase OFDM SIFS time 1acde21 mt76x2: add channel argument to eeprom tx power functions 58364a2 mt76x2: initialize channel power limits c2bd89e mt76x2: convert between per-chain tx power and combined output e7eaa7c mt7603: rename mt7603_mac_reset to mt7603_pse_reset ea4c2a1 mt7603: rename MT_PSE_RESET register c86c3a0 mt7603: remove watchdog reset on interface stop 4490f93 mt7603: remove WARN_ON_ONCE for workaround checks 3075059 mt7603: simplify PSE reset 4ed7e07 mt7603: warn if PSE reset fails 7dc8db1 mt7603: clean up dma debug reads 41e6a04 mt7603: make mt7603_mac_watchdog_reset() static dc7a351 mt7603: clear wtbl PS bit for powersave responses 123acf2 mt7603: set tx-skip flag for powersave clients 7dd2a9e mt7603: initialize wtbl ps flag on station add 86ddef3 mt76x2: remove some harmless WARN_ONs in tx status and rx path e326bc2 mt7603: remove some harmless WARN_ONs in rx path Signed-off-by: Felix Fietkau <nbd@nbd.name>
* samba36: backport an upstream fix for an information leak (CVE-2017-15275)Felix Fietkau2017-12-042-1/+41
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wireguard: bump to snapshot 20171127Kevin Darbyshire-Bryant2017-11-271-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | == Changes == * compat: support timespec64 on old kernels * compat: support AVX512BW+VL by lying * compat: fix typo and ranges * compat: support 4.15's netlink and barrier changes * poly1305-avx512: requires AVX512F+VL+BW Numerous compat fixes which should keep us supporting 3.10-4.15-rc1. * blake2s: AVX512F+VL implementation * blake2s: tweak avx512 code * blake2s: hmac space optimization Another terrific submission from Samuel Neves: we now have an implementation of Blake2s using AVX512, which is extremely fast. * allowedips: optimize * allowedips: simplify * chacha20: directly assign constant and initial state Small performance tweaks. * tools: fix removing preshared keys * qemu: use netfilter.org https site * qemu: take shared lock for untarring Small bug fixes. Remove myself from the maintainers list: we have enough and I'm happy to carry on doing package bumps on ad-hoc basis without the 'official' title. Run-tested: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: bump to 20171122Kevin Darbyshire-Bryant2017-11-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump to latest WireGuard snapshot release: ed479fa (tag: 0.0.20171122) version: bump snapshot efd9db0 chacha20poly1305: poly cleans up its own state 5700b61 poly1305-x86_64: unclobber %rbp 314c172 global: switch from timeval to timespec 9e4aa7a poly1305: import MIPS64 primitive from OpenSSL 7a5ce4e chacha20poly1305: import ARM primitives from OpenSSL abad6ee chacha20poly1305: import x86_64 primitives from OpenSSL 6507a03 chacha20poly1305: add more test vectors, some of which are weird 6f136a3 compat: new kernels have netlink fixes e4b3875 compat: stable finally backported fix cc07250 qemu: use unprefixed strip when not cross-compiling 64f1a6d tools: tighten up strtoul parsing c3a04fe device: uninitialize socket first in destruction 82e6e3b socket: only free socket after successful creation of new df318d1 compat: fix compilation with PaX d911cd9 curve25519-neon: compile in thumb mode d355e57 compat: 3.16.50 got proper rt6_get_cookie 666ee61 qemu: update kernel 2420e18 allowedips: do not write out of bounds 185c324 selftest: allowedips: randomized test mutex update 3f6ed7e wg-quick: document localhost exception and v6 rule Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: load instance-specific conf-file if existsEmerson Pinter2017-11-202-8/+8
| | | | | | | Without this change, the instance-specific conf-file is being added to procd_add_jail_mount, but not used by dnsmasq. Signed-off-by: Emerson Pinter <dev@pinter.com.br>
* rpcd: update to version 2017-11-12Daniel Golle2017-11-171-3/+3
| | | | | | | a0231be8fbc61 fix memory leak in packagelist 4e483312b0216 sys: add packagelist method Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* wireguard: fix portability issueFelix Fietkau2017-11-161-0/+18
| | | | | | | Check if the compiler defines __linux__, instead of assuming that the host OS is the same as the target OS. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wireguard: move to kernel build directoryFelix Fietkau2017-11-161-1/+1
| | | | | | It builds a kernel module, so its build dir should be target specific Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wireguard: bump to 0.0.20171111Kevin Darbyshire-Bryant2017-11-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | edaad55 (tag: 0.0.20171111) version: bump snapshot 7a989b3 tools: allow for NULL keys everywhere 46f8cbc curve25519: reject deriving from NULL private keys 9b43542 tools: remove ioctl cruft f6cea8e allowedips: rename from routingtable 23f553e wg-quick: allow for tabs in keys ab9befb netlink: make sure we reserve space for NLMSG_DONE 73405c0 compat: 4.4.0 has strange ECN function 868be0c wg-quick: stat the correct enclosing folder of config file ceb11ba qemu: bump kernel version 0a8e173 receive: hoist fpu outside of receive loop bee188a qemu: more debugging f1fdd8d device: wait for all peers to be freed before destroying 2188248 qemu: check for memory leaks c77a34e netlink: plug memory leak 0ac8efd device: please lockdep a51e196 global: revert checkpatch.pl changes 65c49d7 Kconfig: remove trailing whitespace Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* procd: update to latest git HEAD (fixes and improvements)Hans Dedecker2017-11-151-3/+3
| | | | | | | | d9dc0e0 service: fix calls to blobmsg_parse() 5db8f70 procd: add missing new lines inside debug code 8d5d29c service: fix SERVICE_ATTR_NAME usage in service_handle_set Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openssl: update to 1.0.2mPeter Wagner2017-11-132-4/+4
| | | | | | | | | | don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 di disabled otherwise the compile breaks with this error: ../libssl.so: undefined reference to `SSLv3_client_method' Fixes CVE: CVE-2017-3735, CVE-2017-3736 Signed-off-by: Peter Wagner <tripolar@gmx.at>
* rpcd: update to the latest version from 2017-11-09Rafał Miłecki2017-11-091-3/+3
| | | | | | 9a8640183c031 plugin: use RTLD_LOCAL instead of RTLD_GLOBAL when loading library Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* mountd: bump to git HEAD version (optimization fixes)Hans Dedecker2017-11-091-4/+4
| | | | | | | 7826ca5 mount: add mount with ignore=1 for unsupported filesystems 75e7412 mount: drop duplicated filesystem check from mount_add_list Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* functions.sh: fix default_postinst functionMarko Ratkaj2017-11-081-1/+1
| | | | | | | | | | | | | | | | | | When we run "opkg install" on a package that installs an uci-defaults script, functions.sh will fail to evaluate that script in its default_postinst function. This happens because there is no "./" present and it searches for the file in paths specified by the PATH variable. This would work on bash, but it will not work on ash and some other shells like sh, zsh. This applys to the ". filename" directive used in this case. This patch will make the path relative to the /etc/uci-defaults directory. Fixes: FS#1021 Signed-off-by: Marko Ratkaj <marko.ratkaj@sartura.hr>
* wireguard: version bump to 0.0.20171101Kevin Darbyshire-Bryant2017-11-051-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update wireguard to latest snapshot: 9fc5daf version: bump snapshot 748ca6b compat: unbreak unloading on kernels 4.6 through 4.9 7be9894 timers: switch to kees' new timer_list functions 6be9a66 wg-quick: save all hooks on save 752e7af version: bump snapshot 2cd9642 wg-quick: fsync the temporary file before renaming b139499 wg-quick: allow for saving existing interface 582c201 contrib: add reresolve-dns 8e04be1 tools: correct type for CTRL_ATTR_FAMILY_ID c138276 wg-quick: allow for the hatchet, but not by default d03f2a0 global: use fewer BUG_ONs 6d681ce timers: guard entire setting in block 4bf32ca curve25519: only enable int128 if compiler support is sound 86e06a3 device: expand scope of destruct lock e3661ab global: get rid of useless forward declarations bedc77a device: only take reference if netns is different 7c07e22 wg-quick: remember to rewind DNS settings on failure 2352ec0 wg-quick: allow specifiying multiple hooks 573cb19 qemu: test using four cores e09ec4d global: style nits 4d3deae qemu: work around ccache bugs 7491cd4 global: infuriating kernel iterator style 78e079c peer: store total number of peers instead of iterating d4e2752 peer: get rid of peer_for_each magic 6cf12d1 compat: be sure to include header before testing 3ea08d8 qemu: allow for cross compilation d467551 crypto/avx: make sure we can actually use ymm registers c786c46 blake2: include headers for macros 328e386 global: accept decent check_patch.pl suggestions a473592 compat: fix up stat calculation for udp tunnel 9d930f5 stats: more robust accounting 311ca62 selftest: initialize mutex in routingtable selftest 8a9a6d3 netns: use time-based test instead of quantity-based e480068 netns: use read built-in instead of ncat hack for dmesg Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* uclient: update to the latest version, fixes fetch of multiple filesFelix Fietkau2017-11-031-3/+3
| | | | | | 4b87d83 uclient-fetch: fix overloading of output_file variable Signed-off-by: Felix Fietkau <nbd@nbd.name>
* dnsmasq: restore ability to include/exclude raw device namesJo-Philipp Wich2017-10-252-3/+3
| | | | | | | | | | | | | | Commit 5cd88f4 "dnsmasq: remove use of uci state for getting network ifname" broke the ability to specify unmanaged network device names for inclusion and exclusion in the uci configuration. Restore support for raw device names by falling back to the input value when "network_get_device" yields no result. Fixes FS#876. Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit a89c36b50875e61c790113d3adee10621575788a)
* opkg: bump to 2017-10-23 (lede-17.01)Matthias Schiffer2017-10-231-3/+3
| | | | | | | | | | | | A lede-17.01 branch for bugfix backports has been added to the opkg-lede repo. c6caf07 pkg_parse: fix segfault when parsing descriptions with leading newlines 5bb5fd5 opkg: add --no-check-certificate argument 7a96972 libbb: xreadlink: fix memory leak on failure case 3f13edd pkg_run_script: use pkg->dest in half installed case Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* mountd: bump to git HEAD version (fixes SIGSEV crashes)Hans Dedecker2017-10-181-4/+4
| | | | | | | 6efeb19 autofs: register SIGTERM for gracefull exit 01bb2b0 mount: fix SIGSEV crashes Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* LEDE v17.01.4: revert to branch defaultsStijn Tintel2017-10-181-2/+2
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* LEDE v17.01.4: adjust config defaultsv17.01.4Stijn Tintel2017-10-181-2/+2
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* wireguard: version bump to 0.0.20171017Jason A. Donenfeld2017-10-171-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a simple version bump. Changes: * noise: handshake constants can be read-only after init * noise: no need to take the RCU lock if we're not dereferencing * send: improve dead packet control flow * receive: improve control flow * socket: eliminate dead code * device: our use of queues means this check is worthless * device: no need to take lock for integer comparison * blake2s: modernize API and have faster _final * compat: support READ_ONCE * compat: just make ro_after_init read_mostly Assorted cleanups to the module, including nice things like marking our precomputations as const. * Makefile: even prettier output * Makefile: do not clean before cloc * selftest: better test index for rate limiter * netns: disable accept_dad for all interfaces Fixes in our testing and build infrastructure. Now works on the 4.14 rc series. * qemu: add build-only target * qemu: work on ubuntu toolchain * qemu: add more debugging options to main makefile * qemu: simplify shutdown * qemu: open /dev/console if we're started early * qemu: phase out bitbanging * qemu: always create directory before untarring * qemu: newer packages * qemu: put hvc directive into configuration This is the beginning of working out a cross building test suite, so we do several tricks to be less platform independent. * tools: encoding: be more paranoid * tools: retry resolution except when fatal * tools: don't insist on having a private key * tools: add pass example to wg-quick man page * tools: style * tools: newline after warning * tools: account for padding being in zero attribute Several important tools fixes, one of which suppresses a needless warning. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> (cherry picked from commit f6c4a9c045797d9be12310eebc6341050fd260ce)
* hostapd: add wpa_disable_eapol_key_retries optionStijn Tintel2017-10-172-1/+6
| | | | | | | | | | | | | | | Commit b6c3931ad6554357a108127797c8d7097a93f18f introduced an AP-side workaround for key reinstallation attacks. This option can be used to mitigate KRACK on the station side, in case those stations cannot be updated. Since many devices are out there will not receive an update anytime soon (if at all), it makes sense to include this workaround. Unfortunately this can cause interoperability issues and reduced robustness of key negotiation, so disable the workaround by default, and add an option to allow the user to enable it if he deems necessary. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit c5f97c9372da3229350184fb263c97d9ea8944c5)
* hostapd: backport extra changes related to KRACKStijn Tintel2017-10-176-0/+730
| | | | | | | | | | | | While these changes are not included in the advisory, upstream encourages users to merge them. See http://lists.infradead.org/pipermail/hostap/2017-October/037989.html Added 013-Add-hostapd-options-wpa_group_update_count-and-wpa_p.patch so that 016-Optional-AP-side-workaround-for-key-reinstallation-a.patch applies without having to rework it. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* mac80211: backport kernel fix for CVE-2017-13080Stijn Tintel2017-10-171-0/+81
| | | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit 2f701194c29da50bfda968a83c6609843f74a7f4)
* mac80211: Update wireless-regdb to master-2017-03-07Ryan Mounce2017-10-161-12/+19
| | | | | | | | | | | | | | | | | The short log of changes since the 2016-06-10 release is below. Jouni Malinen (1): wireless-regdb: Remove DFS requirement for India (IN) Ryan Mounce (1): wireless-regdb: Update rules for Australia (AU) and add 60GHz rules Seth Forshee (2): wireless-regdb: Update 5 GHz rules for Canada wireless-regdb: update regulatory.bin based on preceding changes Signed-off-by: Ryan Mounce <ryan@mounce.com.au> (cherry picked from commit 8b12e62e9cd6ba2e3bb2e7f2555180df0173c7c6)
* wireguard: add wireguard to base packagesJason A. Donenfeld2017-10-162-0/+308
| | | | | | | | | | | | | | | | | | | | | | | | Move wireguard from openwrt/packages to base a package. This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving experimental kernel module that many find essential and useful. The other is a VPN client. Both are inside of core. When you combine the two characteristics, you get WireGuard. Generally speaking, because of the extremely lightweight nature and "stateless" configuration of WireGuard, many view it as a core and essential utility, initiated at boot time and immediately configured by netifd, much like the use of things like GRE tunnels. WireGuard has a backwards and forwards compatible Netlink API, which means the userspace tools should work with both newer and older kernels as things change. There should be no versioning requirements, therefore, between kernel bumps and userspace package bumps. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Jo-Philipp Wich <jo@mein.io> Acked-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit 699c6fcc314225f79156a26db418e15bbc6bf10f)
* brcmfmac: backport length check in brcmf_cfg80211_escan_handler()Felix Fietkau2017-10-161-0/+63
| | | | | | Fixes CVE-2017-0786 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: merge fixes for WPA packet number reuse with replayed messages and ↵Felix Fietkau2017-10-1611-10/+929
| | | | | | | | | | | | | | | | | | | | | | | key reinstallation Fixes: - CERT case ID: VU#228519 - CVE-2017-13077 - CVE-2017-13078 - CVE-2017-13079 - CVE-2017-13080 - CVE-2017-13081 - CVE-2017-13082 - CVE-2017-13086 - CVE-2017-13087 - CVE-2017-13088 For more information see: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt Backport of bbda81ce3077dfade2a43a39f772cfec2e82a9a5 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mt76: sync with version 878456caf60d from masterFelix Fietkau2017-10-131-4/+4
| | | | | | | Backport required DT changes from commit dabdd123c90c. Significantly improves stability and performance for MT76x2 and MT7603 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* LEDE v17.01.3: revert to branch defaultsStijn Tintel2017-10-031-2/+2
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* LEDE v17.01.3: adjust config defaultsv17.01.3Stijn Tintel2017-10-031-2/+2
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* uhttp: update to latest versionAdrian Panella2017-10-031-3/+3
| | | | | | | | | | | | | | 3fd58e9 2017-08-19 uhttpd: add manifest support 88c0b4b 2017-07-09 file: fix basic auth regression 99957f6 2017-07-02 file: remove unused "auth" member from struct path_info c0a569d 2017-07-02 proc: expose HTTP_AUTH_USER and HTTP_AUTH_PASS ad93be7 2017-07-02 auth: store parsed username and password fa51d7f 2017-07-02 proc: do not declare empty process variables a8bf9c0 2017-01-26 uhttpd: Add TCP_FASTOPEN support e6cfc91 2016-10-25 lua: ensure that PATH_INFO starts with a slash Signed-off-by: Adrian Panella <ianchi74@outlook.com>
* odhcpd: don't enable server mode on non-static lan portKarl Palsson2017-10-022-3/+18
| | | | | | | | | | | | Instead of blindly enabling the odhcpd v6 server and RA server on the lan port, only do that if the lan port protocol is "static" This prevents the unhelpful case of a device being a dhcpv4 client and v6 server on the same ethernet port. Signed-off-by: Karl Palsson <karlp@etactica.com> [PKG_SOURCE_DATE increase; odhcpd.defaults script cleanup] Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: backport fixes from master branch (FS#402, FS#524)Hans Dedecker2017-10-021-3/+3
| | | | | | | 336212c config: fix dhcpv4 server being started 336212c dhcpv6: assign all viable DHCPv6 addresses by default (FS#402, FS#524) Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to v2.78Kevin Darbyshire-Bryant2017-10-027-226/+4
| | | | | | Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495, 2017-CVE-14496 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* base-files: create /etc/config/ directoryHauke Mehrtens2017-10-011-0/+1
| | | | | | | | | | | | | | | The /bin/config_generate script and some other scripts are assuming the /etc/config directory exists in the image. This is true in case for example the package firewall, dropbear or dnsmasq are included, which are adding the files under /etc/config/. Without any of these package the system will not boot up fully because the /etc/config/ directory is missing and some init scripts just fail. Make sure all images with the base-files contain a /etc/config/ directory. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: John Crispin <john@phrozen.org>
* ltq-vdsl-mei: revert disable optimized firmware downloadMathias Kresin2017-09-301-2/+2
| | | | | | | | | | | | This reverts commit b428f45c062dc8ca8c2f35f491fa467dc5b85519. If the optimized firmware download is disabled, the xdsl subsystem hangs in the "idle request" state after physically disconnecting and reconnecting the xdsl modem from the line. It might fix the failing line init on boot as well. Signed-off-by: Mathias Kresin <dev@kresin.me>
* curl: fix security problemsHauke Mehrtens2017-09-303-1/+75
| | | | | | | | This fixes the following security problems: * CVE-2017-1000100 TFTP sends more than buffer size * CVE-2017-1000101 URL globbing out of bounds read Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to 2.6.0 CVE-2017-14032Kevin Darbyshire-Bryant2017-09-302-30/+30
| | | | | | | | | | | | | | | Fixed an authentication bypass issue in SSL/TLS. When the TLS authentication mode was set to 'optional', mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when it was not trusted. This could be triggered remotely on both the client and server side. (Note, with the authentication mode set by mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake was correctly aborted). Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Tested-by: Magnus Kroken <mkroken@gmail.com>