| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.
This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.
Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.
Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable
Fixes: CVE-2022-39173
Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Tested-by: Kien Truong <duckientruong@gmail.com>
Reported-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
|
| |
This reverts commit a596a8396b1ef23cd0eda22d9a628392e70e1e1a as I've
just discovered private email, that the issue has CVE-2022-39173
assigned so I'm going to reword the commit and push it again.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
| |
So they're tidy and apply cleanly.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.
This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.
Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.
Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable
Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
|
|
|
| |
The luci ucode rewrite exposed the definition of START as being over 1K
from start of file. Initial versions limited the search for START &
STOP to within the 1st 1K of a file. Whilst the search has been
expanded, it doesn't do any harm to define START early in the file like
all other init scripts seen so far.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename libwolfssl-cpu-crypto to libwolfsslcpu-crypto so that the
regular libwolfssl version comes first when running:
opkg install libwolfssl
Normally, if the package name matches the opkg parameter, that package
is preferred. However, for libraries, the ABI version string is
appended to the package official name, and the short name won't match.
Failing a name match, the candidate packages are sorted in alphabetical
order, and a dash will come before any number. So in order to prefer
the original library, the dash should be removed from the alternative
library.
Fixes: c3e7d86d2b (wolfssl: add libwolfssl-cpu-crypto package)
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Move CONFIG_PACKAGE_libwolfssl-benchmark from the top of
PKG_CONFIG_DEPENDS to after PKG_ABI_VERSION is set.
This avoids changing the ABI version hash whether the bnechmark package
package is selected or not.
Fixes: 05df135cac (wolfssl: Rebuild when libwolfssl-benchmark gets changes)
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The 'fxload' tool contained in the examples provided with libusb is
actually useful and turns out to be the only way to load firmware into
some rather ancient EZ-USB microcontrollers made by Cypress (formerly
Anchor Chips).
The original 'fxload' tool from hotplug-linux has been abandonned long
ago and requires usbfs to be mounted in /proc/bus/usb/ (like it was in
Linux 2.4...).
Hence the best option is to package the modern 'fxload' from the libusb
examples which (unsurprisingly) uses libusb and works on modern
systems.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
libwolfssl-cpu-crypto is a variant of libwolfssl with support for
cryptographic CPU instructions on x86_64 and aarch64.
On aarch64, wolfSSL does not perform run-time detection, so the library
will crash when the AES functions are called. A preinst script attempts
to check for support by querying /proc/cpuinfo, if installed in a
running system. When building an image, the script will check the
DISTRIB_TARGET value in /etc/openwrt_release, and will abort
installation if target is bcm27xx.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
| |
|
|
|
|
|
| |
Patch a script to use a shebang that works on systems that don't have
a /bin/bash, e.g. NixOS or GuixSD.
Signed-off-by: Ilya Katsnelson <me@0upti.me>
|
| |
|
|
|
|
|
|
|
|
|
| |
Update to latest version. Needs libmd.
Old size:
37615 libbsd0_0.10.0-1_aarch64_cortex-a53.ipk
new size (libmd linked static):
38514 libbsd0_0.11.6-1_aarch64_cortex-a53.ipk
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
This library is needed by >= libbsd-0.11.3.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
| |
Remove upstreamed:
- 001-Don-t-force-exec_prefix-lib64-libdir-on-ppc64.patch
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
Add CPE ID for tracking CVEs.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
Add CPE ID for tracking CVEs.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
Add CPE ID for tracking CVEs.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
Add CPE ID for tracking CVEs.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
Add CPE ID for tracking CVEs.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
Add CPE ID for tracking CVEs.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
Add CPE ID for tracking CVEs.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
Add CPE ID for tracking CVEs.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
Add CPE ID for tracking CVEs.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
| |
Remove upstreamed: 101-update-sp_rand_prime-s-preprocessor-gating-to-match.patch
Some low severity vulnerabilities fixed
OpenVPN compatibility fixed (broken in 5.4.0)
Other fixes && improvements
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
|
| |
|
|
|
|
|
| |
Release Notes:
https://lists.gnu.org/archive/html/info-gnu/2022-07/msg00010.html
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
Update to latest version.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
| |
This forces a rebuild of the wolfssl package when the
libwolfssl-benchmark OpenWrt package gets activated or deactivated.
Without this change the wolfssl build will fail when it compiled without
libwolfssl-benchmark before and it gets activated for the next build.
Fixes: 18fd12edb810 ("wolfssl: add benchmark utility")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes from popt 1.16:
- fix an ugly and ancient security issue with popt failing to drop privileges on alias exec from a SUID/SGID program
- perform rudimentary sanity checks when reading in popt config files
- collect accumulated misc fixes (memleaks etc) from distros
- convert translations to utf-8 encoding
- convert old postscript documentation to pdf
- dust off ten years worth of autotools sediment
- reorganize and clean up the source tree for clarity
- remove the obnoxious splint annotations from the sources
Switch to new mirror:
http://ftp.rpm.org/popt/releases/
Switch URL to:
https://github.com/rpm-software-management/popt
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
| |
Changes:
817c8b6 build: libnftnl 1.2.3 release
84d12cf build: fix clang+glibc snprintf substitution error
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.1
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.
The build problem was reported upstream:
https://github.com/Mbed-TLS/mbedtls/issues/6243
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The curl developers found test case that crashed in their testing when
using zlib patched against CVE-2022-37434, same patch we've backported
in commit 7df6795d4c25 ("zlib: backport fix for heap-based buffer
over-read (CVE-2022-37434)"). So we need to backport following patch in
order to fix issue introduced in that previous CVE-2022-37434 fix.
References: https://github.com/curl/curl/issues/9271
Fixes: 7df6795d4c25 ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
|
|
|
|
| |
The soversion of the shipped libjansson.so library didn't change, so the
ABI version change is unwarranted and leads to opkg file clashes.
Also stop shipping an unversioned library symlink while we're at it as
it only needed at compile/link time and leading to file level clashes
between packages on future ABI bumps.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
| |
Needed by trace-cmd.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
| |
Needed by trace-cmd.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
debuginfod: Support -C option for connection thread pooling.
debuginfod-client: Negative cache file are now zero sized instead of
no-permission files.
addr2line: The -A, --absolute option, which shows file names including
the full compilation directory is now the default. To get the
old behavior use the new option --relative.
readelf, elflint: Recognize FDO Packaging Metadata ELF notes
libdw, debuginfo-client: Load libcurl lazily only when files need to
be fetched remotely. libcurl is now never
loaded when DEBUGINFOD_URLS is unset. And when
DEBUGINFOD_URLS is set, libcurl is only loaded
when the debuginfod_begin function is called.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow
in inflate in inflate.c via a large gzip header extra field. NOTE: only
applications that call inflateGetHeader are affected. Some common
applications bundle the affected zlib source code but may be unable to
call inflateGetHeader.
Fixes: CVE-2022-37434
References: https://github.com/ivd38/zlib_overflow
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This fixes the libmnl build on macOS, which ships with an outdated bash
at /bin/bash. During the OpenWrt build, a modern host bash is built and
made available at staging_dir/host/bin/bash, which is present before
/bin/bash in the build's PATH.
This is similar to 8f7ce3aa6dda, presently appearing at
package/kernel/mac80211/patches/build/001-fix_build.patch.
Signed-off-by: Mark Mentovai <mark@mentovai.com>
|
| |
|
|
|
|
| |
Prevented unused crypto lib dependencies from being compiled
Signed-off-by: Boris Krasnovskiy <borkra@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Apply upstream patch[1] to fix breakage around math libraries.
This can likely be removed when 5.5.0-stable is tagged and released.
Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B
1. https://github.com/wolfSSL/wolfssl/pull/5390
Signed-off-by: John Audia <therealgraysky@proton.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
a47d86d Up the release version to 2.65
fc99e56 Include more signatures in pgp.keys.asc.
52288cc Close out this comment in the go/Makefile
eb0f1df Prevent 'capsh --user=xxx --' from generating a bash error.
9a95791 Improve documentation for cap_get_pid and cap_reset_ambient.
21d08b0 Fix syntax error in DEBUG protected setcap.c code.
9425048 More useful captree usage string and man page.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
38cfa2e Up the release version to 2.64
7617af6 Avoid a deadlock in forked psx thread exit.
fc029cb Include LIBCAP_{MAJOR,MINOR} #define's in sys/capability.h
ceaa591 Clarify how the cap_get_pid() argument is interpreted.
15cacf2 Fix prctl return code/errno handling in libcap.
aae9374 Be explicit about CGO_ENABLED=1 for compare-cap build.
66a8a14 psx: free allocated memory at exit.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Disable the usage of target specific CPU crypto instructions by default
to allow the package being shared again. Since WolfSSL does not offer
a stable ABI or a long term support version suitable for OpenWrt release
timeframes, we're forced to frequently update it which is greatly
complicated by the package being nonshared.
People who want or need CPU crypto instruction support can enable it in
menuconfig while building custom images for the few platforms that support
them.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The armvirt target is also used to run OpenWrt in lxc on other targets
like a Raspberry Pi. If we set WOLFSSL_HAS_CPU_CRYPTO by default the
wolfssl binray is only working when the CPU supports the hardware crypto
extension.
Some targets like the Raspberry Pi do not support the ARM CPU crypto
extension, compile wolfssl without it by default. It is still possible
to activate it in custom builds.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
| |
Now that libiconv-stub is gone, a replacement for its host build is
needed.
Fixes: c0ba4201f837 ("libiconv-stub: remove")
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
| |
|
|
|
|
| |
Fixes compilation with GCC12 and dependent packages for some reason.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
This version fixes two vulnerabilities:
-CVE-2022-34293[high]: Potential for DTLS DoS attack
-[medium]: Ciphertext side channel attack on ECC and DH operations.
The patch fixing x86 aesni build has been merged upstream.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
| |
|
|
|
|
| |
No longer used.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
6d7ce133 version 2.4.7
b4a37606 NEWS: roll-back manually filled NEWS versioning
33615a45 NEWS: fill entries for past commits
f5eb6f11 libltdl: bump libltdl.la version-info.
28fbcb6a libtool: correct linter syntax complaints in M4
7e69e441 gnulib: update submodule to new repository.
2dc7dad7 maint: update copyrights across project.
b55b1cc8 libtool: Do not pass '-pthread' to Solaris linker.
960a33e4 docs: manually recording dependencies in Automake
78652682 tests: remove deprecated old-ltdl-iface.at test.
f51eddf0 * libtool: Bump M4 serial versions and add missing AC_PROG_SED to ltdl.m4
ccc878dd libtool: replace raw invocations of sed with $SED
5df7dd49 libtool: add support for MidnightBSD
8f4bdbda libtool: powerpc 10.5 detection without a deployment target
9e8c8825 libtool: support macOS 11
0904164d libtool: correct m4 quoting in sed expression
da2e3527 libtool: replace some references to /usr/bin/file and /bin/sh
1b74d784 libtool: Add -Wa,* link-mode flag for assembler pass-thru
86d71e86 libtool: Pass -Xassembler flag and arguments to compiler
fc7779d7 maint: update Bootstrap git module
0c1bc69d maint: update copyrights across project.
28fb394f maint: update AUTHORS, copyright date.
b9b44533 bootstrap: use $gnulib_clone_since
544fc0e2 maint: update bootstrap, gnulib, copyright dates
b88cebd5 maint: update bootstrap, gnulib, copyright dates
99bd0948 libtool: add icl.exe support
6ca5e224 docs: typo in 'win32-dll' description
1bfb11a4 libtool: quote 'cd' command in shipped relink_command
722b6af0 doc: fix typos in --mode=install invocations
350082b6 libtool: exit verbosely for fatal configure problems
792b6807 maint: update copyright years
f003a1f9 libltdl: handle ENOMEM in lt_dlloader_remove()
08c5524f bootstrap: use the upstream repo as git module
a938703c libtool: set file_list_spec to '@' on OS/2
f10e22c2 tests: fix $objdir hardcoding check with CFLAGS=-g3
f9970d99 libtool: pass through -fuse-ld flags
d7c8d3b4 m4/libtool.m4: FreeBSD elftoolchain strip support
807cbd63 libtoolize: exec automake and autoconf only with --help
40bc0628 edit-readme-alpha: generate the "stable" README properly
b89a47ea maint: fix for 'make sc_immutable_NEWS' hints
bb8e7b4a maint: update copyright years
b5d44b84 libltdl: handle ENOMEM sooner
5944fdcc gl: minor typo fixes
49856679 gl-tests: dash && option-parser test fix
a5c64665 libtool: fix GCC/clang linking with -fsanitize=*
ae816ace gl-tests: make the failure more readable
d15b3214 m4/libtool.m4: export AIX TLS symbols
aabc46ac gl/tests: new tests for options-parser
dc8bd92d gl/funclib.sh: func_quotefast_eval & tilde fix
a3c6e99c syntax-check: fix sed syntax errors
f323f10d gl/tests: new tests for func_quote* family
ed4f739f check: enable gnulib's testsuite
9187e9a2 funclib: refactor quoting methods a bit
16dbc070 libtool: optimizing options-parser hooks
32f0df98 libtool: mitigate the $sed_quote_subst slowdown
b7b6ec33 gnulib: sync with upstream
5859cc50 maint: relax 'sc_prohibit_test_dollar' check
418129bc ARFLAGS: use 'cr' instead of 'cru' by default
4335de1d libool.m4: add ARFLAGS variable
0f842177 maint: put newline after 'Subject' in ChangeLog
03ec5f49 gnulib: sync with upstream
351a88fe libtoolize: fix infinite recursion in m4
de7b2cb2 bootstrap: fix race in temporary Makefile
702a97fb libtool: fix GCC linking with -specs=*
4ff16210 maint: demote myself from maintainer to former maintainer.
c12d38e4 maint: post-release administrivia
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add libatomic as dependency.
Changelog:
2022-04-10: v1.0.26
* Fix regression with transfer free's after closing device
* Fix regression with destroyed context if API is misused
* Workaround for applications using missing default context
* Fix hotplog enumeration regression
* Fix Windows isochronous transfer regression since 1.0.24
* Fix macOS exit crash in some multi-context cases
* Build fixes for various platforms and configurations
* Fix Windows HID multi-interface product string retrieval
* Update isochronous OUT packet actual lengths on Windows
* Add interface bound checking for broken devices
* Add umockdev tests on Linux
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove upstreamed patche:
- 001-Correct-a-typo-in-the-Changelog-and-clean-up-a-stray.patch
- 002-linux_usbfs-Fix-parsing-of-descriptors-for-multi-con.patch
Changelog:
2022-01-31: v1.0.25
* Linux: Fix regression with some particular devices
* Linux: Fix regression with libusb_handle_events_timeout_completed()
* Linux: Fix regression with cpu usage in libusb_bulk_transfer
* Darwin (macOS): Add support for detaching kernel drivers with authorization.
* Darwin (macOS): Do not drop partial data on timeout.
* Darwin (macOS): Silence pipe error in set_interface_alt_setting().
* Windows: Fix HID backend missing byte
* Windows: Fix segfault with libusbk driver
* Windows: Fix regression when using libusb0 driver
* Windows: Support LIBUSB_TRANSFER_ADD_ZERO_PACKET on winusb
* New NO_DEVICE_DISCOVERY option replaces WEAK_AUTHORITY option
* Various other bug fixes and improvements
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes (2021-09-09):
* New Features:
- Add `json_object_getn`, `json_object_setn`, `json_object_deln`, and the
corresponding `nocheck` functions.
* Fixes:
- Handle `sprintf` corner cases
* Build:
- Symbol versioning for all exported symbols
- Fix compiler warnings
* Documentation:
- Small fixes
- Sphinx 3 compatibility
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
