aboutsummaryrefslogtreecommitdiffstats
path: root/package
Commit message (Collapse)AuthorAgeFilesLines
* uboot-zynq: add support for the zybo z7 boardLuis Araneda2018-08-254-6/+612
| | | | | | | | Backport board support from the upcoming v2018.09 release, and add an additional patch to read the MAC address from flash memory Signed-off-by: Luis Araneda <luaraneda@gmail.com>
* libevent2: Switch to using release tarballRosen Penev2018-08-252-45/+8
| | | | | | | | | | | | | Starting with version 2.1.8, a release tarball is available. Simplifies the Makefile slightly. Updated the project URL. HTTPS is broken. Issue has been reported upstream Adjusted patches. CMake support is not present in the tarball. It's made for Windows anyway. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* mt76: update to the latest versionFelix Fietkau2018-08-241-3/+3
| | | | | | | | 7daf962 mt7603: add survey support 980c606 mt7603: add fix for CCA signal configuration 30b8371 mt7603: fix BAR rate Signed-off-by: Felix Fietkau <nbd@nbd.name>
* dropbear: backport upstream fix for CVE-2018-15599Hans Dedecker2018-08-243-3/+224
| | | | | | | | | | CVE description : The recv_msg_userauth_request function in svr-auth.c in Dropbear through 2018.76 is prone to a user enumeration vulnerability because username validity affects how fields in SSH_MSG_USERAUTH messages are handled, a similar issue to CVE-2018-15473 in an unrelated codebase. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wolfssl: disable broken shipped Job server macroJo-Philipp Wich2018-08-231-0/+21
| | | | | | | | | | | | | | | | The AX_AM_JOBSERVER macro shipped with m4/ax_am_jobserver.m4 is broken on plain POSIX shells due to the use of `let`. Shells lacking `let` will fail to run the generated m4sh code and end up invoking "make" with "-jyes" as argument, fialing the build. Since there is no reason in the first place for some random package to muck with the make job server settings and since we do not want it to randomly override "-j" either, simply remove references to this defunct macro to let the build succeed on platforms which not happen to use bash as default shell. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* grub2: rebase patchesJo-Philipp Wich2018-08-231-8/+4
| | | | | | | | | Patch 300-CVE-2015-8370.patch was added without proper rebasing on the version used by OpenWrt, make it apply and refresh the patch to fix compilation. Fixes: 7e73e9128f ("grub2: Fix CVE-2015-8370") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* uhttpd: support multiple Lua prefixesJo-Philipp Wich2018-08-233-21/+32
| | | | | | | | | | | | | | | | | | | Update to latest git HEAD in order to support configuring multiple concurrent Lua prefixes in a single uhttpd instance: b741dec lua: support multiple Lua prefixes Additionally rework the init script and update the default configuration example to treat the lua_prefix option as key=value uci list, similar to the interpreter extension mapping. Support for the old "option lua_prefix" plus "option lua_handler" notation is still present. Finally drop the sed postinstall hack in uhttpd-mod-lua to avoid mangling files belonging to other packages. Since Lua prefixes have precedence over CGI prefixes, simply register `/cgi-bin/luci` as Lua handler which will only become active if both luci-base and uhttpd-mod-lua is installed. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* grub2: Fix CVE-2015-8370Rosen Penev2018-08-232-1/+45
| | | | | | | | | | | This CVE is a culmination of multiple integer overflow issues that cause multiple issues like Denial of Service and authentication bypass. More info: https://nvd.nist.gov/vuln/detail/CVE-2015-8370 Taken from Fedora. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* bzip2: Fix CVE-2016-3189Rosen Penev2018-08-232-1/+12
| | | | | | | | | | Issue causes a crash with specially crafted bzip2 files. More info: https://nvd.nist.gov/vuln/detail/CVE-2016-3189 Taken from Fedora. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* samba36: Enable umdnsd supportRosen Penev2018-08-222-1/+2
| | | | | | | | | | Allows discovery without having to use NetBIOS. Useful for mobile devices. Could eventually throw nbmd away. But that requires Windows 10... Tested on Fedora 28 with avahi-discover. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* yamonenv: Remove dead URLsRosen Penev2018-08-221-2/+1
| | | | | | uscan errors on the URL as it is no longer available. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* fconfig: Remove dead URLsRosen Penev2018-08-221-2/+1
| | | | | | uscan errors on the URL as it is no longer available. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* apex: Remove dead URL.Rosen Penev2018-08-221-2/+1
| | | | | | | | uscan errors on the URL as it is no longer available. Also switched the download URL to HTTPS. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* iptables: make iptables-mod-conntrack-extra depend on kmod-ipt-rawJo-Philipp Wich2018-08-221-2/+2
| | | | | | | Since kernel 4.14 there is no auto assignment of conntrack helpers anymore so fw3 needs raw table support in order to stage ct helper assignment rules. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: remove creation of /etc/ethersHans Dedecker2018-08-212-4/+1
| | | | | | | | Remove creation of file /etc/ethers in dnsmasq init script as the file is now created by default in the base-files package by commit fa3301a28e Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* base-files: create /etc/ethers by defaultLuiz Angelo Daros de Luca2018-08-212-0/+7
| | | | | | | | | | | /etc/ethers is missing on /rom but always created when dnsmasq runs. It is better to have it in place and avoid an extra change in flash after firstboot. It will generate an extra /etc/ethers-opkg when it has changed. Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* uhttpd: update to latest Git headJo-Philipp Wich2018-08-211-3/+3
| | | | | | | 952bf9d build: use _DEFAULT_SOURCE 30a18cb uhttpd: recognize PATCH, PUT and DELETE HTTP methods Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* mwlwifi: Update to 10.3.8.0-20180810Daniel Engberg2018-08-211-3/+3
| | | | | Update mwlwifi to 10.3.8.0-20180810 Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* netifd: update to latest git HEADHans Dedecker2018-08-201-3/+3
| | | | | | | | | 7454d12 interface: let interface_set_down() return void 32f11a8 interface: make __interface_set_down() static b9d5a8c interface: extend interface error messages in interface_set_up() de394b3 interface: ensure NO_DEVICE error is always reported Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: process all CSA parametersYury Shvedov2018-08-201-6/+31
| | | | | | | This adds processing of all CSA arguments from ubus switch_chan request in the same manner as in the control interface API. Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
* util-linux: Update to 2.32.1Daniel Engberg2018-08-161-3/+3
| | | | | | | | Update util-linux to 2.32.1 For release notes see https://lwn.net/Articles/759922/ Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* treewide: consolidate upgrade state setMathias Kresin2018-08-162-0/+6
| | | | | | | | | | Set the (sys)upgrade state when sourcing the stage2 script instead of setting the state for each target individual. This change fixes the, due to a missing state set, not working upgrade led on ath79 and apm821xx. Signed-off-by: Mathias Kresin <dev@kresin.me>
* rpcd: update to latest git HEADJo-Philipp Wich2018-08-161-3/+3
| | | | | | | | | | 41333ab uci: tighten uci reorder operation error handling f91751b uci: tighten uci delete operation error handling c2c612b uci: tighten uci set operation error handling 948bb51 uci: tighten uci add operation error handling 51980c6 uci: reject invalid section and option names Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openssl: update to version 1.0.2pHauke Mehrtens2018-08-153-4/+4
| | | | | | | | This fixes the following security problems: * CVE-2018-0732: Client DoS due to large DH parameter * CVE-2018-0737: Cache timing vulnerability in RSA Key Generation Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libubox: set RPATH for host buildJo-Philipp Wich2018-08-141-0/+3
| | | | | | | This is required for programs that indirectly link libjson-c through the libubox blobmsg_json library. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netifd: update to latest git HEADHans Dedecker2018-08-141-3/+3
| | | | | | 522456b device: gracefully handle device names exceeding IFNAMESIZ Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: bump to git HEADStijn Tintel2018-08-131-3/+3
| | | | | | | | 12a7cf9 Add support for DSCP matches and target 06fa692 defaults: use a generic check_kmod() function 1c4d5bc defaults: fix check_kmod() function Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* packages: nvram: make it possible to include it for ath79 targetsChristian Lamparter2018-08-131-1/+1
| | | | | | | | | The WD My Net Range Extender stores the MAC addresses inside the nvram partition. This utility can extract it, but it's currently not avilable on the ath79 target. Hence, this patch adds the necessary target declaration, so it can be built. Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* uboot-zynq: update to 2018.07Luis Araneda2018-08-133-3/+46
| | | | Signed-off-by: Luis Araneda <luaraneda@gmail.com>
* wireguard: bump to 0.0.20180809Jason A. Donenfeld2018-08-121-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * send: switch handshake stamp to an atomic Rather than abusing the handshake lock, we're much better off just using a boring atomic64 for this. It's simpler and performs better. Also, while we're at it, we set the handshake stamp both before and after the calculations, in case the calculations block for a really long time waiting for the RNG to initialize. * compat: better atomic acquire/release backport This should fix compilation and correctness on several platforms. * crypto: move simd context to specific type This was a suggestion from Andy Lutomirski on LKML. * chacha20poly1305: selftest: use arrays for test vectors We no longer have lines so long that they're rejected by SMTP servers. * qemu: add easy git harness This makes it a bit easier to use our qemu harness for testing our mainline integration tree. * curve25519-x86_64: avoid use of r12 This causes problems with RAP and KERNEXEC for PaX, as r12 is a reserved register. * chacha20: use memmove in case buffers overlap A small correctness fix that we never actually hit in WireGuard but is important especially for moving this into a general purpose library. * curve25519-hacl64: simplify u64_eq_mask * curve25519-hacl64: correct u64_gte_mask Two bitmath fixes from Samuel, which come complete with a z3 script proving their correctness. * timers: include header in right file This fixes compilation in some environments. * netlink: don't start over iteration on multipart non-first allowedips Matt Layher found a bug where a netlink dump of peers would never terminate in some circumstances, causing wg(8) to keep trying forever. We now have a fix as well as a unit test to mitigate this, and we'll be looking to create a fuzzer out of Matt's nice library. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* base-files: add function to get mac as text from flashMathias Kresin2018-08-111-0/+23
| | | | | | | | | Add a function to get a mac stored as text from flash. The octets of the mac address need to be separated by any separator supported by macaddr_canonicalize(). Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com> Signed-off-by: Mathias Kresin <dev@kresin.me>
* base-files: use consistent coding styleMathias Kresin2018-08-111-8/+4
| | | | | | | | Add the opening bracket right after the function name, to do it the same way for all functions in this file. Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com> Signed-off-by: Mathias Kresin <dev@kresin.me>
* uci: bump to source date 2018-08-11Yousong Zhou2018-08-111-3/+3
| | | | | | Fixes segfault when parsing malformed delta lines Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* wpa_supplicant: fix CVE-2018-14526John Crispin2018-08-101-0/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unauthenticated EAPOL-Key decryption in wpa_supplicant Published: August 8, 2018 Identifiers: - CVE-2018-14526 Latest version available from: https://w1.fi/security/2018-1/ Vulnerability A vulnerability was found in how wpa_supplicant processes EAPOL-Key frames. It is possible for an attacker to modify the frame in a way that makes wpa_supplicant decrypt the Key Data field without requiring a valid MIC value in the frame, i.e., without the frame being authenticated. This has a potential issue in the case where WPA2/RSN style of EAPOL-Key construction is used with TKIP negotiated as the pairwise cipher. It should be noted that WPA2 is not supposed to be used with TKIP as the pairwise cipher. Instead, CCMP is expected to be used and with that pairwise cipher, this vulnerability is not applicable in practice. When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data field is encrypted using RC4. This vulnerability allows unauthenticated EAPOL-Key frames to be processed and due to the RC4 design, this makes it possible for an attacker to modify the plaintext version of the Key Data field with bitwise XOR operations without knowing the contents. This can be used to cause a denial of service attack by modifying GTK/IGTK on the station (without the attacker learning any of the keys) which would prevent the station from accepting received group-addressed frames. Furthermore, this might be abused by making wpa_supplicant act as a decryption oracle to try to recover some of the Key Data payload (GTK/IGTK) to get knowledge of the group encryption keys. Full recovery of the group encryption keys requires multiple attempts (128 connection attempts per octet) and each attempt results in disconnection due to a failure to complete the 4-way handshake. These failures can result in the AP/network getting disabled temporarily or even permanently (requiring user action to re-enable) which may make it impractical to perform the attack to recover the keys before the AP has already changes the group keys. By default, wpa_supplicant is enforcing at minimum a ten second wait time between each failed connection attempt, i.e., over 20 minutes waiting to recover each octet while hostapd AP implementation uses 10 minute default for GTK rekeying when using TKIP. With such timing behavior, practical attack would need large number of impacted stations to be trying to connect to the same AP to be able to recover sufficient information from the GTK to be able to determine the key before it gets changed. Vulnerable versions/configurations All wpa_supplicant versions. Acknowledgments Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU Leuven for discovering and reporting this issue. Possible mitigation steps - Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This can be done also on the AP side. - Merge the following commits to wpa_supplicant and rebuild: WPA: Ignore unauthenticated encrypted EAPOL-Key data This patch is available from https://w1.fi/security/2018-1/ - Update to wpa_supplicant v2.7 or newer, once available Signed-off-by: John Crispin <john@phrozen.org>
* base-files: make wifi report unknown commandThibaut VARÈNE2018-08-101-2/+3
| | | | | | | | | | | Avoid having /sbin/wifi silently ignore unknown keywords and execute "up"; instead display the help message and exit with an error. Spell out the "up" keyword (which has users), add it to usage output, and preserve the implicit assumption that runing /sbin/wifi without argument performs "up". Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
* ath79: add support for OCEDO KoalaDavid Bauer2018-08-091-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit adds support for the OCEDO Koala SOC: Qualcomm QCA9558 (Scorpion) RAM: 128MB FLASH: 16MiB WLAN1: QCA9558 2.4 GHz 802.11bgn 3x3 WLAN2: QCA9880 5 GHz 802.11nac 3x3 INPUT: RESET button LED: Power, LAN, WiFi 2.4, WiFi 5, SYS Serial: Header Next to Black metal shield Pinout is 3.3V - GND - TX - RX (Arrow Pad is 3.3V) The Serial setting is 115200-8-N-1. Tested and working: - Ethernet - 2.4 GHz WiFi - 5 GHz WiFi - TFTP boot from ramdisk image - Installation via ramdisk image - OpenWRT sysupgrade - Buttons - LEDs Installation seems to be possible only through booting an OpenWRT ramdisk image. Hold down the reset button while powering on the device. It will load a ramdisk image named 'koala-uImage-initramfs-lzma.bin' from 192.168.100.8. Note: depending on the present software, the device might also try to pull a file called 'koala-uimage-factory'. Only the name differs, it is still used as a ramdisk image. Wait for the ramdisk image to boot. OpenWRT can be written to the flash via sysupgrade or mtd. Due to the flip-flop bootloader which we not (yet) support, you need to set the partition the bootloader is selecting. It is possible from the initramfs image with > fw_setenv bootcmd run bootcmd_1 Afterwards you can reboot the device. Signed-off-by: David Bauer <mail@david-bauer.net>
* odhcp6c: apply IPv6/ND configuration earlierHans Dedecker2018-08-092-8/+9
| | | | | | | | | | Apply IPv6/ND configuration before proto_send_update so that all config info is available when netifd is handling the notify_proto ubus call. In particular this fixes an issue when netifd is updating the downstream IPv6 mtu as netifd was still using the not yet updated upstream IPv6 mtu to set the downstream IPv6 mtu Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iproute2: remove libutil from InstallDev sectionHans Dedecker2018-08-091-3/+2
| | | | | | | | | | | Commit 4d961538f6 added libutil to the iproute2 InstallDev section but lead to compile issues with packages picking up the wrong libutil since libutil is quite a generic name ... Further libutil is rather meant for internal usage in iproute2 than a public API; therefore let's remove it from the InstallDev section together with ll_map.h Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: update to latest git HEADHans Dedecker2018-08-091-3/+3
| | | | | | 115a694 interface-ip: always override downstream IPv6 mtu Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* sunxi: Added support for Xunlong Orange Pi PC2Antonio Silverio2018-08-091-0/+9
| | | | | | | | | | | | | | | | CPU: H5 High Performance Quad-core 64-bit Cortex-A53 GPU: Mali450 OpenGL ES 2.0/1.1/1.0, OpenVG 1.1, EGL Memory: 1GB DDR3 (shared with GPU) Onboard Storage: TF card (Max. 32GB) / NOR flash(2MB) Onboard Network: 1000M/100M Ethernet RJ45 USB 2.0 Ports: Three USB 2.0 HOST, one USB 2.0 OTG, HOST mode role by default in DTS Buttons: Power Button(SW4) Debug TTL UART: ..DC-IN.. >[GND][RX][TX] ..HDMI.. Signed-off-by: Antonio Silverio <menion@gmail.com>
* firmware: intel-microcode: bump to 20180703Zoltan HERPAI2018-08-091-6/+6
| | | | | | | | | | | | | | | | | | | | | | | * New upstream microcode data file 20180703 + Updated Microcodes: sig 0x000206d6, pf_mask 0x6d, 2018-05-08, rev 0x061d, size 18432 sig 0x000206d7, pf_mask 0x6d, 2018-05-08, rev 0x0714, size 19456 sig 0x000306e4, pf_mask 0xed, 2018-04-25, rev 0x042d, size 15360 sig 0x000306e7, pf_mask 0xed, 2018-04-25, rev 0x0714, size 17408 sig 0x000306f2, pf_mask 0x6f, 2018-04-20, rev 0x003d, size 33792 sig 0x000306f4, pf_mask 0x80, 2018-04-20, rev 0x0012, size 17408 sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672 sig 0x00050654, pf_mask 0xb7, 2018-05-15, rev 0x200004d, size 31744 sig 0x00050665, pf_mask 0x10, 2018-04-20, rev 0xe00000a, size 18432 sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728 + First batch of fixes for: Intel SA-00115, CVE-2018-3639, CVE-2018-3640 + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation + SSBD support (Spectre-v4 mitigation) and fix Spectre-v3a for: Sandybridge server, Ivy Bridge server, Haswell server, Skylake server, Broadwell server, a few HEDT Core i7/i9 models that are actually gimped server dies. Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* busybox: prevent compile hang with bzip2 enabledRob Mosher2018-08-081-0/+9
| | | | | | | | The BZIP2_SMALL option was not being exposed via Config.in which caused the build to fail as 'yes' is piped to the config during build. As it's expecting a number, it gets stuck in a loop. Signed-off-by: Rob Mosher <nyt-openwrt@countercultured.net>
* ucert: update to lastest git HEADJo-Philipp Wich2018-08-081-3/+3
| | | | | | | | Update to latest HEAD in order to fix a stack memory corruption issue: 1056e73 Change the sigb buffer to be the same size as the fread Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* iproute2: add libutil to InstallDev sectionHans Dedecker2018-08-081-0/+1
| | | | | | | | In iproute2 v4.17 ll_map has been moved from the libnetlink to the libutil library; add libutil as well to the staging dir in order to keep support for ll_map Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* uboot-envtools: add ath79 targetDavid Bauer2018-08-081-0/+26
| | | | | | | | This adds uci entries for all ath79 devices for which this already was the case on ar71xx. Additionally we add the OCEDO Koala as there was no support in OpenWRT yet. Signed-off-by: David Bauer <mail@david-bauer.net>
* base-files: introduce sysupgrade signature chain verificationDaniel Golle2018-08-083-3/+31
| | | | | | | | | Verify ucert signature chains in sysupgrade images in case ucert is installed and $CHECK_IMAGE_SIGNARURE = 1. Also make sure ucert host binary is present and generate a self-signed ucert in case $TOPDIR/key-build.ucert is missing. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* ucert: update sourceDaniel Golle2018-08-071-4/+10
| | | | | | | | | | | | ad816fc set rpath to make bundle-libraries.sh happy 63ad591 blob_buf needs to be zero'd Now that libubox, libjson-c and libblobms_json are installed into STAGING_DIR_HOST we can properly bundle ucert in the ImageBuilder. Follow-up commits will make use of it to include a signature-chain in sysupgrade images using fwtool. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libubox: set HOST_BUILD_PREFIXDaniel Golle2018-08-071-1/+2
| | | | | | | Install into STAGING_DIR_HOST rather than STAGING_DIR_HOSTPKG to make bundle-libraries.sh happy. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libjson-c: set HOST_BUILD_PREFIXDaniel Golle2018-08-071-1/+2
| | | | | | | Install into STAGING_DIR_HOST rather than STAGING_DIR_HOSTPKG to make bundle-libraries.sh happy. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libubox: fix source version dateJo-Philipp Wich2018-08-071-1/+1
| | | | | | | | The referenced Git commit was made on the 25th of July, not June. Fixes 432eaa940f ("libubox: fix mirror hash") Fixes 5dc32620c4 ("libubox: update to latest git HEAD") Signed-off-by: Jo-Philipp Wich <jo@mein.io>