RISCi_ATOM [Sun, 17 Sep 2023 15:23:23 +0000 (11:23 -0400)]
tor: Bump to 0.4.8.5
RISCi_ATOM [Sun, 17 Sep 2023 15:22:49 +0000 (11:22 -0400)]
openvpn: Bump to 2.5.9
RISCi_ATOM [Sun, 17 Sep 2023 15:22:05 +0000 (11:22 -0400)]
ustream-ssl: Make wolfssl variant the default
RISCi_ATOM [Sun, 17 Sep 2023 15:19:36 +0000 (11:19 -0400)]
openssl: Bump to 1.1.1w
RISCi_ATOM [Sun, 17 Sep 2023 15:17:58 +0000 (11:17 -0400)]
wolfssl : Bump to 5.6.3
Wolfssl is now the default in luci
RISCi_ATOM [Sat, 16 Sep 2023 15:12:11 +0000 (11:12 -0400)]
tools/cmake : Bump to 3.19.8
Resolves compat issues when building against newer distros and toolchains.
RISCi_ATOM [Sat, 16 Sep 2023 15:10:05 +0000 (11:10 -0400)]
kernel : Bump to 4.14.325
RISCi_ATOM [Tue, 9 May 2023 15:12:49 +0000 (11:12 -0400)]
kernel: Bump to 4.14.314
RISCi_ATOM [Thu, 13 Apr 2023 16:49:24 +0000 (12:49 -0400)]
librecmc: Add package mesh11sd from 21.02 feed
RISCi_ATOM [Tue, 4 Apr 2023 18:58:25 +0000 (14:58 -0400)]
openvpn : Remove leftover patches
RISCi_ATOM [Sat, 1 Apr 2023 19:26:24 +0000 (15:26 -0400)]
librecmc: Bump to v1.5.13
RISCi_ATOM [Sat, 1 Apr 2023 19:24:50 +0000 (15:24 -0400)]
openvpn : Bump to 2.5.8
RISCi_ATOM [Thu, 30 Mar 2023 16:39:17 +0000 (12:39 -0400)]
ca-certs: Update to
20211016
RISCi_ATOM [Thu, 30 Mar 2023 16:38:24 +0000 (12:38 -0400)]
mirrors: Add Debian source mirrors
RISCi_ATOM [Sun, 26 Mar 2023 19:34:21 +0000 (15:34 -0400)]
kernel: Bump to 4.14.311
John Audia [Tue, 7 Feb 2023 19:56:52 +0000 (14:56 -0500)]
openssl: bump to 1.1.1t
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit
4ae86b3358a149a17411657b12103ccebfbdb11b)
The original commit removed the upstreamed patch 010-padlock.patch, but
it's not on OpenWrt 21.02, so it doesn't have to be removed.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
RISCi_ATOM [Tue, 24 Jan 2023 23:33:22 +0000 (18:33 -0500)]
rockchip: Fixup arm-trusted-firmware with deblobbed version (missing HDCP)
RISCi_ATOM [Tue, 24 Jan 2023 15:38:06 +0000 (10:38 -0500)]
rockchip: fixup, add kmod-usb-net pkg
RISCi_ATOM [Sat, 21 Jan 2023 21:21:50 +0000 (16:21 -0500)]
librecmc: Bump version to v1.5.12
RISCi_ATOM [Sat, 21 Jan 2023 21:11:08 +0000 (16:11 -0500)]
kernel: Bump to 4.14.303
RISCi_ATOM [Mon, 9 Jan 2023 17:43:48 +0000 (12:43 -0500)]
target: Add rockchip target
This adds initial support for the rockchip target, including the TPE-R1400.
arm-trusted-firmware and uboot for this target needs a little bit of work to support
other targets.
RISCi_ATOM [Mon, 9 Jan 2023 17:38:08 +0000 (12:38 -0500)]
kernel: Bump to 4.14.302
RISCi_ATOM [Thu, 5 Jan 2023 15:44:26 +0000 (10:44 -0500)]
wolfssl: Bump to 5.5.4-stable
RISCi_ATOM [Wed, 16 Nov 2022 16:52:24 +0000 (11:52 -0500)]
openssl: Bump to 1.1.1s
RISCi_ATOM [Fri, 30 Sep 2022 20:38:57 +0000 (16:38 -0400)]
librecmc: Bump to v1.5.11
RISCi_ATOM [Thu, 29 Sep 2022 22:45:53 +0000 (18:45 -0400)]
wireguard: Bump to v1.0.
20220627
RISCi_ATOM [Thu, 29 Sep 2022 22:45:13 +0000 (18:45 -0400)]
openssl: Bump to 1.1.1q
RISCi_ATOM [Thu, 29 Sep 2022 22:43:25 +0000 (18:43 -0400)]
wolfssl: Bump to 5.5.0-stable
RISCi_ATOM [Thu, 29 Sep 2022 22:42:31 +0000 (18:42 -0400)]
librecmc: Add Python 3.11 for Python 3 check.
RISCi_ATOM [Thu, 29 Sep 2022 22:41:26 +0000 (18:41 -0400)]
kernel: Bump to 4.14.294
RISCi_ATOM [Mon, 27 Jun 2022 03:23:46 +0000 (23:23 -0400)]
librecmc: bump version to v1.5.10
RISCi_ATOM [Mon, 27 Jun 2022 03:08:44 +0000 (23:08 -0400)]
kernel: bump to 4.14.284
RISCi_ATOM [Sun, 26 Jun 2022 20:19:12 +0000 (16:19 -0400)]
openssl: Bump to 1.1.1p
RISCi_ATOM [Sun, 26 Jun 2022 18:26:29 +0000 (14:26 -0400)]
openvpn: Bump to 2.4.12
Eneas U de Queiroz [Wed, 13 Apr 2022 13:30:15 +0000 (10:30 -0300)]
wolfssl: fix compilation with /dev/crypto
This is trivial fix of a duplicate definition of 'int ret'.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit
df622768da10f36ceeb20346b4c4ee4eb9a8a9ad)
(cherry picked from commit
75cbd8de006698a766126da682d8ae621bc7b0d4)
Eneas U de Queiroz [Fri, 8 Apr 2022 13:27:25 +0000 (10:27 -0300)]
wolfssl: bump to 5.2.0
Fixes two high-severity vulnerabilities:
- CVE-2022-25640: A TLS v1.3 server who requires mutual authentication
can be bypassed. If a malicious client does not send the
certificate_verify message a client can connect without presenting a
certificate even if the server requires one.
- CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS
v1.3 server can have its certificate heck bypassed. If the sig_algo in
the certificate_verify message is different than the certificate
message checking may be bypassed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [ABI version change]
(cherry picked from commit
e89f3e85eb1c1d81294e5d430a91b0ba625e2ec0)
(cherry picked from commit
2393b09b5906014047a14a79c03292429afcf408)
RISCi_ATOM [Tue, 10 May 2022 20:10:32 +0000 (16:10 -0400)]
kernel: Bump to 4.14.277
Hauke Mehrtens [Mon, 11 Apr 2022 20:14:47 +0000 (22:14 +0200)]
mac80211: Update to version 4.19.237-1
This updates mac80211 to version 4.19.237-1 which is based on kernel
4.19.237.
This new release contains many fixes which were merged into the upstream
Linux kernel.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Sven Eckelmann [Sat, 11 Sep 2021 19:03:34 +0000 (21:03 +0200)]
uboot-sunxi: Fix build with GCC-10 as host compiler
The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:
HOSTLD scripts/dtc/dtc
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
collect2: error: ld returned 1 exit status
The easiest workaround is to add the upstream commit
018921ee79d3 ("Remove
redundant YYLOC global declaration").
Signed-off-by: Sven Eckelmann <sven@narfation.org>
RISCi_ATOM [Mon, 4 Apr 2022 18:43:47 +0000 (14:43 -0400)]
mvebu: Fixup kernel config
RISCi_ATOM [Fri, 1 Apr 2022 18:44:44 +0000 (14:44 -0400)]
librecmc: Bump version to v1.5.9
RISCi_ATOM [Mon, 28 Mar 2022 17:09:17 +0000 (13:09 -0400)]
wolfssl: bump to 5.1.1-stable
This is amalgamation of backported changes since 4.7.0-stable release:
Sergey V. Lobanov (2):
5b13b0b wolfssl: update to 5.1.1-stable
7d376e6 libs/wolfssl: add SAN (Subject Alternative Name) support
Andre Heider (3):
3f8adcb wolfssl: remove --enable-sha512 configure switch
249478e wolfssl: always build with --enable-reproducible-build
4b212b1 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
Ivan Pavlov (1):
1641471 wolfssl: update to 4.8.1-stable
David Bauer (1):
f6d8c0c wolfssl: always export wc_ecc_set_rng
Christian Lamparter (1):
86801bd wolfssl: fix
Ed25519 typo in config prompt
The diff of security related changes we would need to backport would be
so huge, that there would be a high probability of introducing new
vulnerabilities, so it was decided, that bumping to latest stable
release is the prefered way for fixing following security issues:
* OCSP request/response verification issue. (fixed in 4.8.0)
* Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1)
* Issue with incorrectly validating a certificate (fixed in 5.0.0)
* Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0)
* Client side session resumption issue (fixed in 5.1.0)
* Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0)
* Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Includes upstream commit :
f49eec6335ea9c0d652e8525a04c166f1fe3eedd
wolfssl: fix API breakage of SSL_get_verify_result
Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE powered sites or other sites utilizing
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts imposible:
$ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
Downloading 'https://letsencrypt.org'
Connecting to 18.159.128.50:443
Connection error: Invalid SSL certificate
Fixes: #9283
References: wolfSSL/wolfssl#4879
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
b9251e3)
(cherry picked from commit
b99d7ae)
Hauke Mehrtens [Sat, 12 Feb 2022 22:13:47 +0000 (23:13 +0100)]
tcpdump: Fix CVE-2018-16301
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
8f5875c4e221453932f217a82f8c3092cacba3e5)
(cherry picked from commit
59e7ae8d65ab9a9315608a69565f6a4247d3b1ac)
Hauke Mehrtens [Sun, 26 Dec 2021 22:38:52 +0000 (23:38 +0100)]
tcpdump: libpcap: Remove www.us.tcpdump.org mirror
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.
Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
18bdfc803bef00fad03f90b73b6e65c3c79cb397)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[rebased for OpenWrt 21.02 branch]
(cherry picked from commit
4dddb7ca3669e93d4da2b1ca43b8bc22bd007e48)
Hauke Mehrtens [Sat, 12 Feb 2022 19:37:12 +0000 (20:37 +0100)]
hostapd: Apply SAE/EAP-pwd side-channel attack update 2
This fixes some recent security problems in hostapd.
See here for details: https://w1.fi/security/2022-1
* CVE-2022-23303
* CVE-2022-23304
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sat, 29 Jan 2022 10:56:27 +0000 (11:56 +0100)]
mbedtls: Update to version 2.16.12
This fixes the following security problems:
* Zeroize several intermediate variables used to calculate the expected
value when verifying a MAC or AEAD tag. This hardens the library in
case the value leaks through a memory disclosure vulnerability. For
example, a memory disclosure vulnerability could have allowed a
man-in-the-middle to inject fake ciphertext into a DTLS connection.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
(out of memory). After that, calling mbedtls_ssl_session_free()
and mbedtls_ssl_free() would cause an internal session buffer to
be free()'d twice. CVE-2021-44732
The sizes of the ipk changed on MIPS 24Kc like this:
182454 libmbedtls12_2.16.11-2_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
57f38e2c827e3be71d8b1709073e366afe011985)
Rosen Penev [Tue, 13 Jul 2021 20:27:09 +0000 (13:27 -0700)]
mbedtls: update to 2.16.11
Switched to AUTORELEASE to avoid manual increments.
Release notes:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit
fcfd741eb83520e496eb09de5f8b2f2b62792a80)
Rafał Miłecki [Tue, 1 Mar 2022 17:46:27 +0000 (18:46 +0100)]
base-files: call "sync" after initial setup
OpenWrt uses a lot of (b)ash scripts for initial setup. This isn't the
best solution as they almost never consider syncing files / data. Still
this is what we have and we need to try living with it.
Without proper syncing OpenWrt can easily get into an inconsistent state
on power cut. It's because:
1. Actual (flash) inode and data writes are not synchronized
2. Data writeback can take up to 30 seconds (dirty_expire_centisecs)
3. ubifs adds extra 5 seconds (dirty_writeback_centisecs) "delay"
Some possible cases (examples) for new files:
1. Power cut during 5 seconds after write() can result in all data loss
2. Power cut happening between 5 and 35 seconds after write() can result
in empty file (inode flushed after 5 seconds, data flush queued)
Above affects e.g. uci-defaults. After executing some migration script
it may get deleted (whited out) without generated data getting actually
written. Power cut will result in missing data and deleted file.
There are three ways of dealing with that:
1. Rewriting all user-space init to proper C with syncs
2. Trying bash hacks (like creating tmp files & moving them)
3. Adding sync and hoping for no power cut during critical section
This change introduces the last solution that is the simplest. It
reduces time during which things may go wrong from ~35 seconds to
probably less than a second. Of course it applies only to IO operations
performed before /etc/init.d/boot . It's probably the stage when the
most new files get created.
All later changes are usually done using smarter C apps (e.g. busybox or
uci) that creates tmp files and uses rename() that is expected to be
atomic.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
(cherry picked from commit
9851d4b6ce6e89d164a04803817625a9041b060a)
Martin Schiller [Wed, 16 Mar 2022 14:04:56 +0000 (15:04 +0100)]
openssl: bump to 1.1.1n
This is a bugfix release. Changelog:
*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
forever for non-prime moduli. (CVE-2022-0778)
*) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
(RFC 5489) to the list of ciphersuites providing Perfect Forward
Secrecy as required by SECLEVEL >= 3.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
(cherry picked from commit
e17c6ee62770005e398364ee5d955c9a8ab6f016)
Petr Štetiar [Thu, 24 Mar 2022 05:45:04 +0000 (06:45 +0100)]
zlib: backport security fix for a reproducible crash in compressor
Tavis has just reported, that he was recently trying to track down a
reproducible crash in a compressor. Believe it or not, it really was a
bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.
Tavis has reported it upstream, but it turns out the issue has been
public since 2018, but the patch never made it into a release. As far as
he knows, nobody ever assigned it a CVE.
Runtime tested on ipq40xx/glinet-b1300 and mvebu/turris-omnia.
Suggested-by: Tavis Ormandy <taviso@gmail.com>
References: https://www.openwall.com/lists/oss-security/2022/03/24/1
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
b3aa2909a79aeff20d594160b207a89dc807c033)
(cherry picked from commit
3965dda0fa70dc9408f1a2e55a3ddefde78bd50e)
(cherry picked from commit
f65edc9b990c2bcc10c9e9fca29253adc6fe316d)
RISCi_ATOM [Mon, 28 Mar 2022 16:55:36 +0000 (12:55 -0400)]
kernel: Bump to 4.14.273
RISCi_ATOM [Fri, 21 Jan 2022 18:45:17 +0000 (13:45 -0500)]
librecmc: Bump to v1.5.8
RISCi_ATOM [Fri, 14 Jan 2022 18:23:36 +0000 (13:23 -0500)]
tor: Bump to 0.4.5.10
RISCi_ATOM [Thu, 13 Jan 2022 19:14:23 +0000 (14:14 -0500)]
libgpg-error : Bump to 1.42
Fixes cross-compilation issues among other things.
RISCi_ATOM [Thu, 13 Jan 2022 19:08:54 +0000 (14:08 -0500)]
kernel: Bump to 4.14.261
RISCi_ATOM [Mon, 3 Jan 2022 20:08:17 +0000 (15:08 -0500)]
openssl: bump to 1.1.1m
RISCi_ATOM [Mon, 3 Jan 2022 20:06:28 +0000 (15:06 -0500)]
kernel: Bump to 4.14.260
RISCi_ATOM [Fri, 31 Dec 2021 17:53:50 +0000 (12:53 -0500)]
wolfssl: Bump to 4.8.1
RISCi_ATOM [Wed, 29 Dec 2021 20:15:49 +0000 (15:15 -0500)]
base: Update python requirements
RISCi_ATOM [Fri, 17 Dec 2021 18:40:38 +0000 (13:40 -0500)]
wireguard : Bump to v1.0.
20211208
Bump wireguard to v1.0.
20211208 and wireguard-tools to v1.0.
20210914
RISCi_ATOM [Fri, 17 Dec 2021 18:08:14 +0000 (13:08 -0500)]
kernel: bump 4.14 to 4.14.254
RISCi_ATOM [Fri, 17 Dec 2021 17:16:50 +0000 (12:16 -0500)]
mac80211: Update to version 4.19.221
Christian Lamparter [Sat, 23 Oct 2021 16:08:51 +0000 (18:08 +0200)]
wireless-regdb: update to version 2021.08.28
e983a25 Update regulatory rules for Ecuador (EC)
a0bcb88 wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz
cdf854d wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz
86cba52 wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US
6fa2384 wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US
9839e1e wireless-regdb: recent FCC report and order allows 5850-5895 immediately
42dfaf4 wireless-regdb: update 5725-5850 MHz rule for GB
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit
dbb4c47798b17112cb1eed2a309cdefd33b5f193)
Felix Fietkau [Fri, 21 May 2021 12:29:31 +0000 (14:29 +0200)]
wireless-regdb: update to version 2021.04.21
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
d76535c45e6e970b212744781431e152e90c1ce6)
Rosen Penev [Thu, 4 Mar 2021 02:00:26 +0000 (18:00 -0800)]
tools/m4: update to 1.4.19
Remove upstreamed patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit
fc9682ed3961e098ace708ca1ca41c2239a4e2ee)
RISCi_ATOM [Thu, 30 Sep 2021 21:21:11 +0000 (17:21 -0400)]
librecmc: Bump version to 1.5.7
RISCi_ATOM [Thu, 30 Sep 2021 21:11:38 +0000 (17:11 -0400)]
luci: Remove jsmin from luci and use the jsmin Python module instead.
The project is being forced to remove jsmin from luci due to it being under the infamous JSON license.
This commit removes jsmin and, as a result, the jsmin Python module will need to be installed
in order to build libreCMC / luci.
RISCi_ATOM [Thu, 30 Sep 2021 15:12:47 +0000 (11:12 -0400)]
mac80211: Update to backports-4.19.207-1
Refresh all patches.
This contains fixes for CVE-2020-3702
1. These patches (ath, ath9k, mac80211) were included in kernel
versions since 4.14.245 and 4.19.205. They fix security vulnerability
CVE-2020-3702 [1] similar to KrØØk, which was found by ESET [2].
Thank you Josef Schlehofer for reporting this problem.
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-3702
[2] https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/
See upstream commit :
123d12eada9a8d63e790af372f30359415812228
RISCi_ATOM [Thu, 30 Sep 2021 15:12:15 +0000 (11:12 -0400)]
kernel: Bump to 4.14.248-gnu1
RISCi_ATOM [Wed, 8 Sep 2021 21:11:42 +0000 (17:11 -0400)]
kernel: Bump to 4.14.246
Bumps the kernel 4.14.246 and addresses recent linux-libre kernel issues [1].
[1] https://www.fsfla.org/pipermail/linux-libre/2021-August/003439.html
RISCi_ATOM [Wed, 8 Sep 2021 21:08:50 +0000 (17:08 -0400)]
openssl: bump to 1.1.1l
This version fixes two vulnerabilities:
- SM2 Decryption Buffer Overflow (CVE-2021-3711)
Severity: High
- Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Severity: Medium
Upstream commits :
fdea0036a210427477b6cc1de7cee036e18aff39
40c03b101cf40af4a6f6e1efb4731edabfe88ea9
RISCi_ATOM [Sat, 3 Jul 2021 01:15:43 +0000 (21:15 -0400)]
librecmc: Bump to v1.5.6
RISCi_ATOM [Fri, 2 Jul 2021 15:22:21 +0000 (11:22 -0400)]
wireguard: Bump to v1.0.
20210606
RISCi_ATOM [Fri, 2 Jul 2021 14:45:38 +0000 (10:45 -0400)]
tor: Bump to 0.4.4.9
RISCi_ATOM [Thu, 1 Jul 2021 18:41:03 +0000 (14:41 -0400)]
kernel: Bump to 4.14.138
Hauke Mehrtens [Sat, 5 Jun 2021 22:36:57 +0000 (00:36 +0200)]
mac80211: Update to backports version 4.19.193-test1
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
RISCi_ATOM [Sat, 26 Jun 2021 23:11:18 +0000 (19:11 -0400)]
kernel: Bump to 4.14.237
RISCi_ATOM [Fri, 21 May 2021 15:59:31 +0000 (11:59 -0400)]
kernel: Bump to 4.14.232
RISCi_ATOM [Wed, 19 May 2021 20:20:56 +0000 (16:20 -0400)]
wireguard: bump to v1.0.
20210424
Bas Mevissen [Mon, 19 Apr 2021 23:08:19 +0000 (01:08 +0200)]
Extend checks on build prerequisites for building OpenWRT core
OpenWRT requires a number of Perl modules to be installed. It wasn't checking on all of them.
This patch adds checks for Perl FindBin, File::Copy, File::Compare and Thread::Queue modules.
Failing to install these, will have the build break at some point. By adding these to the
prereq-build.mk script, they are checked on forehand.
Tested on a Fedora 33 and 34 (beta) that was freshly installed. Fedora appears to
break up Perl modules into small packages that need to be installed for the build to succeed.
Signed-off-by: Bas Mevissen <abuse@basmevissen.nl>
(cherry picked from commit
f68c9474acf9a65b5a9538db8e45c173462487e3)
Rosen Penev [Mon, 30 Mar 2020 01:13:56 +0000 (18:13 -0700)]
prereq-build: test for perl's Data::Dumper
Required for installation of autoconf:
make[5]: Entering directory `/openwrt/build_dir/host/autoconf-2.69'
Making all in bin
make[6]: Entering directory `/openwrt/build_dir/host/autoconf-2.69/bin'
autom4te_perllibdir='..'/lib AUTOM4TE_CFG='../lib/autom4te.cfg'
../bin/autom4te -B '..'/lib -B '..'/lib --language M4sh --cache
'' --melt ./autoconf.as -o autoconf.in
Can't locate Data/Dumper.pm in @INC (@INC contains: ../lib
/usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl
/usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at
../lib/Autom4te/C4che.pm line 33.
BEGIN failed--compilation aborted at ../lib/Autom4te/C4che.pm line 33.
Compilation failed in require at ../bin/autom4te line 40.
BEGIN failed--compilation aborted at ../bin/autom4te line 40.
make[6]: *** [autoconf.in] Error 2
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit
dc467eac38f2447b652b6680cf4af75b05fd6cd2)
Hauke Mehrtens [Sun, 2 May 2021 21:20:40 +0000 (23:20 +0200)]
mac80211: Update to backports version 4.19.189-1
The removed patches were applied upstream.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sun, 2 May 2021 15:35:16 +0000 (17:35 +0200)]
dropbear: Fix CVE-2020-36254
This backports a fix from dropbear 2020.81.
CVE-2020-36254 description:
scp.c in Dropbear before 2020.79 mishandles the filename of . or an empty filename, a related issue to CVE-2018-20685.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
RISCi_ATOM [Mon, 3 May 2021 14:10:20 +0000 (10:10 -0400)]
openvpn: Bump to 2.4.11
RISCi_ATOM [Thu, 1 Apr 2021 19:40:28 +0000 (15:40 -0400)]
kernel: Bump to 4.14.224
RISCi_ATOM [Thu, 1 Apr 2021 19:39:37 +0000 (15:39 -0400)]
wireguard: Bump to 1.0.
20210219
RISCi_ATOM [Tue, 30 Mar 2021 14:26:10 +0000 (10:26 -0400)]
librecmc: bump to v1.5.5
RISCi_ATOM [Tue, 30 Mar 2021 02:56:42 +0000 (22:56 -0400)]
luci: Add luci-app-unbound to base
RISCi_ATOM [Mon, 29 Mar 2021 18:19:08 +0000 (14:19 -0400)]
tools: mklibs Add HOST_CPPFLAGS to fix compilation w/ GCC11
Magnus Kroken [Sun, 14 Mar 2021 18:42:33 +0000 (19:42 +0100)]
mbedtls: update to 2.16.10
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.
Security fixes:
* Fix a buffer overflow in mbedtls_mpi_sub_abs()
* Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem()
* Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout()
* Guard against strong local side channel attack against base64 tables
by making access aceess to them use constant flow code
Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit
dbde2bcf60b5d5f54501a4b440f25fe7d02fbe5d)
Eneas U de Queiroz [Fri, 26 Mar 2021 17:46:29 +0000 (14:46 -0300)]
openssl: bump to 1.1.1k
This version fixes 2 security vulnerabilities, among other changes:
- CVE-2021-3450: problem with verifying a certificate chain when using
the X509_V_FLAG_X509_STRICT flag.
- CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit
0bd0de7d43b3846ad0d7006294e1daaadfa7b532)
RISCi_ATOM [Wed, 17 Mar 2021 17:04:44 +0000 (13:04 -0400)]
uboot-envtools: Add tpe-r1300
Stefan Lippers-Hollmann [Sat, 27 Feb 2021 22:55:08 +0000 (23:55 +0100)]
hostapd: P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.
Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.
This fixes the following security vulnerabilities/bugs:
- CVE-2021-27803 - A vulnerability was discovered in how p2p/p2p_pd.c
in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision
discovery requests. It could result in denial of service or other
impact (potentially execution of arbitrary code), for an attacker
within radio range.
Fixes:
17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
(cherry picked from commit
1ca5de13a153061feae260864d73d96f7c463785)
Raphaël Mélotte [Wed, 17 Feb 2021 14:58:16 +0000 (15:58 +0100)]
hostapd: backport ignoring 4addr mode enabling error
This is a backport of the upstream commit
58bbbb598144 ("nl80211: Ignore
4addr mode enabling error if it was already enabled").
nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on
an interface that is in a bridge and has 4addr mode already enabled.
This operation would not have been necessary in the first place and this
failure results in disconnecting, e.g., when roaming from one backhaul
BSS to another BSS with Multi AP.
Avoid this issue by ignoring the nl80211 command failure in the case
where 4addr mode is being enabled while it has already been enabled.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[bump PKG_RELEASE, more verbose commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
fb860b4e418c28a0f388f215e5acce103dcee1bf)
Eneas U de Queiroz [Sun, 21 Feb 2021 21:33:30 +0000 (18:33 -0300)]
wolfssl: bump to v4.7.0-stable
Biggest fix for this version is CVE-2021-3336, which has already been
applied here. There are a couple of low severity security bug fixes as
well.
Three patches are no longer needed, and were removed; the one remaining
was refreshed.
This tool shows no ABI changes:
https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit
d1dfb577f1c0d5b1f1fa35000c9ad7abdb7d10ed)
Petr Štetiar [Mon, 1 Mar 2021 12:29:19 +0000 (13:29 +0100)]
build: fix checks for GCC11
Fedora 34 already uses GCC11.
Reported-by: Marcin Juszkiewicz <marcin-openwrt@juszkiewicz.com.pl>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
cae69d558135456976b8fc6cb08530d1358cf6d5)
Eneas U de Queiroz [Wed, 17 Feb 2021 02:21:36 +0000 (23:21 -0300)]
openssl: bump to 1.1.1j
This fixes 4 security vulnerabilities/bugs:
- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
SSLv2, but the affected functions still exist. Considered just a bug.
- CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and
EVP_DecryptUpdate may overflow the output length argument in some
cases where the input length is close to the maximum permissable
length for an integer on the platform. In such cases the return value
from the function call will be 1 (indicating success), but the output
length value will be negative.
- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it was failing to
correctly handle any errors that may occur while parsing the issuer
field (which might occur if the issuer field is maliciously
constructed). This may subsequently result in a NULL pointer deref and
a crash leading to a potential denial of service attack.
- Fixed SRP_Calc_client_key so that it runs in constant time. This could
be exploited in a side channel attack to recover the password.
The 3 CVEs above are currently awaiting analysis.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit
482c9ff289c65480c8e7340e1740db24c62f91df)
Hauke Mehrtens [Mon, 8 Feb 2021 23:53:09 +0000 (00:53 +0100)]
wolfssl: Backport fix for CVE-2021-3336
This should fix CVE-2021-3336:
DoTls13CertificateVerify in tls13.c in wolfSSL through 4.6.0 does not
cease processing for certain anomalous peer behavior (sending an
ED22519, ED448, ECC, or RSA signature without the corresponding
certificate).
The patch is backported from the upstream wolfssl development branch.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
1f559cafe5cc1193a5962d40a2d938c66c783171)
Daniel Golle [Thu, 4 Feb 2021 01:01:36 +0000 (01:01 +0000)]
hostapd: fix P2P group information processing vulnerability
A vulnerability was discovered in how wpa_supplicant processing P2P
(Wi-Fi Direct) group information from active group owners.
This issue was discovered by fuzz testing of wpa_supplicant by Google's
OSS-Fuzz.
https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[added the missing patch]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry-picked from commit
7c8c4f1be648aff9f1072ee27a2cc8f6a4a788ef)
Baptiste Jonglez [Sun, 31 Jan 2021 15:40:40 +0000 (16:40 +0100)]
opkg: update to latest git HEAD of branch openwrt-19.07
c5dccea libopkg: fix md5sum calculation
7cad0c0 opkg_verify_integrity: better logging and error conditions
14d6480 download: purge cached packages that have incorrect checksum
456efac download: factor out the logic for building cache filenames
b145030 libopkg: factor out checksum and size verification
74bac7a download: remove compatibility with old cache naming scheme
Fixes: FS#2690
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>