RISCi_ATOM [Wed, 5 Jun 2024 19:46:21 +0000 (15:46 -0400)]
libxslt: update to 1.1.39
Christian Marangi [Wed, 18 Jan 2023 19:44:56 +0000 (20:44 +0100)]
bpf-headers: fix use of netlink.h header
netlink.h header have NL_SET_ERR_MSG_MOD that is tied to kmods. We don't
need kmods on bpf tools and this cause compilation error if the header
is included. Fix it by dropping NL_SET_ERR_MSG_MOD.
Link: https://github.com/openwrt/openwrt/pull/11825
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Christian Marangi [Wed, 18 Jan 2023 19:50:58 +0000 (20:50 +0100)]
xdp-tools: fix compilation wrongly using host header
Currently it's needed to have gcc-multilib on the host to correctly
compile xdp-tools. This is wrong and means that we are using host header
to compile a tool.
By some searching in how the makefile works it was discovered that
BPF_CFLAGS were not used and required to be appended to config.mk
Only one single header was added but we should include each BPF_CFLAGS
from bpf.mk. To make this some patching to bpf-header were required and
some patches to xdp-tools were required.
Also it's needed to pass the correct target to BPF_CFLAGS.
With the following changes xdp-tools can correctly compile with each
header from bpf-headers and should not use any host header.
Co-Developed-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Andre Heider <a.heider@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/11825
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
RISCi_ATOM [Tue, 4 Jun 2024 16:06:15 +0000 (12:06 -0400)]
gettext-full: Fixup host build configuration args
RISCi_ATOM [Tue, 4 Jun 2024 15:58:46 +0000 (11:58 -0400)]
libxml2: update to 2.12.5
Release Notes:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5
Remove patch:
- 010-iconv.patch
Fixes: CVE-2024-25062
Alexandru Gagniuc [Wed, 3 Apr 2024 19:32:08 +0000 (14:32 -0500)]
wifi-scripts: fix creation of IBSS in legacy (non-HT) mode
When an IBBS interface is configured for IBSS legacy mode, wdev.htmode
is empty. This is empty string results in an empty positional argument
to the "ibbs join" command, for example:
iw dev phy0-ibss0 ibss join crymesh 2412 '' fixed-freq beacon-interval 100
This empty argument is interpreted as an invalid HT mode by 'iw',
causing the entire command to fail and print a "usage" message:
daemon.notice netifd: radio0 (4527): Usage: iw [options] \
dev <devname> ibss join <SSID> <freq in MHz> ...
Although nobody will ever need more than 640K of IBSS, explicitly use
"NOHT" if an HT mode is not given. This fixes the problem.
Fixes:
e56c5f7b276a ("hostapd: add ucode support, use ucode for the main ubus object")
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [extend to cover more cases]
(cherry picked from commit
cee9fcdb7350911f474544189817d25fd4070111)
Christian Marangi [Wed, 22 May 2024 10:41:10 +0000 (12:41 +0200)]
tools: refresh all patches
Refresh all tools patches now that tools/refresh correctly works.
CI now checks for them and actively complain if tools have unrefreshed
patches.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Christian Marangi [Mon, 25 Sep 2023 00:29:31 +0000 (02:29 +0200)]
quilt.mk: don't error on refresh/update if patches doesn't exist
The current code fails if we have package or host tools with no patches
to apply. The error printend is the following: (taking ubus as an
example)
make[2]: Entering directory '/home/ansuel/openwrt-ansuel/openwrt/scripts/config'
make[2]: 'conf' is up to date.
make[2]: Leaving directory '/home/ansuel/openwrt-ansuel/openwrt/scripts/config'
make[1]: Entering directory '/home/ansuel/openwrt-ansuel/openwrt'
make[2]: Entering directory '/home/ansuel/openwrt-ansuel/openwrt/package/system/ubus'
The source directory contains no quilt patches.
make[2]: *** [Makefile:81: quilt-check] Error 1
make[2]: Leaving directory '/home/ansuel/openwrt-ansuel/openwrt/package/system/ubus'
time: package/system/ubus/refresh#0.06#0.00#0.07
ERROR: package/system/ubus failed to build.
make[1]: *** [package/Makefile:120: package/system/ubus/refresh] Error 1
make[1]: Leaving directory '/home/ansuel/openwrt-ansuel/openwrt'
make: *** [/home/ansuel/openwrt-ansuel/openwrt/include/toplevel.mk:232: package/ubus/refresh] Error 2
We exit 1 after saying that there are no patches because later in the
function quilt pop fails to execute.
Having no patches for a package and calling refresh should not be
a critical error and the function should just do nothing.
To handle this improve quilt.mk with the following addition.
- If we don't have any patch for the package, we print a warning and we
create an empty series. This is useful to trick quilt and make it do
nothing.
We also create a status file .quilt_no_patch to detect in the other
function that we don't have patches to handle.
- In refresh makefile target, we check if .quilt_no_patch exist and
we skip quilt cleanup if this exist.
- In RefreshDir function we change the logic and now we delete the
patches directory and not only the content. This is done as a cleanup
to clean case with empty patches directory.
- In RefreshDir we check if .quilt_no_patch exist and we skip creating
the patches directory and copying the refreshed patches.
- In RefreshDir we delete at the end any trace of .quilt_no_patch if
present.
This is needed to support run like package/refresh that will run the
refresh process on any package present in the buildroot.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
9536446965e853231e34c4e5dc4cf13f838b9e90)
Christian Marangi [Mon, 25 Sep 2023 00:26:43 +0000 (02:26 +0200)]
quilt.mk: use CURDIR instead of ./ for PATCH_DIR and FILES_DIR
To better reference them for diagnostic use, reference the PATCH_DIR and
FILES_DIR with the absolute path instead of using ./ and reference by
the relative location.
No behaviour change intended.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
bb1bfb46020b38179ef97d30333c90ab00b71c97)
Christian Marangi [Wed, 22 May 2024 09:56:45 +0000 (11:56 +0200)]
tools/padjffs2: use Host/Prepare/Default instead of raw commands
Now that Host/Prepare/Default is always defined, we can use that instead
of using raw commands to move files from the src directory to
HOST_BUILD_DIR.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
01048c7456785bc4a45452c84d8f31635e1fa60b)
Christian Marangi [Wed, 22 May 2024 09:53:52 +0000 (11:53 +0200)]
tools/missing-macros: install files from HOST_BUILD_DIR instead of src
Install files from HOST_BUILD_DIR instead of src. These files are now
correctly copied to HOST_BUILD_DIR and can be referenced from there.
(cherry picked from commit
46bcbe42236bbe058eaeb89a0d1a4f22926cfdf9)
[ rebased on top of openwrt-23.05 ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Christian Marangi [Wed, 22 May 2024 09:38:49 +0000 (11:38 +0200)]
host-build: always define Host/Prepare/Default
We currently skip defining Host/Prepare/Default if HOST_UNPACK is not
defined.
This is mostly the case for Host packages that just provide files with
the src directory and don't need to be downloaded/extracted.
This was probably done lots of times ago due to quilt causing error as
the patches directory wasn't present.
This has changed now and quilt can correctly detect if no patches needs
to be applied (instead of terminating with error)
Always define Host/Prepare/Default to make tools/refresh correctly works
as HOST_QUILT is hardcoded enabled for this make target and will
complain for tool not prepared for quilt patches.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
725389b7c745b0fa68426986c9bca14171f16887)
Yuu Toriyama [Sat, 18 May 2024 22:08:37 +0000 (07:08 +0900)]
wireless-regdb: update to 2024.05.08
Changes:
73529a8 Revert "wireless-regdb: Update and disable 5470-5730MHz band according to TPC requirement for Singapore (SG)"
87941e4 wireless-regdb: Update regulatory rules for Taiwan (TW) on 6GHz
33797ae wireless-regdb: update regulatory database based on preceding changes
Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit
65c1f0d433e89c794a6d22dbe474666c241f9e7b)
RISCi_ATOM [Tue, 4 Jun 2024 15:50:20 +0000 (11:50 -0400)]
kernel : Bump to 5.15.160
Christian Marangi [Wed, 1 May 2024 13:42:57 +0000 (15:42 +0200)]
gengetopt: backport patch fixing support for c++17
Backport patch fixing support for c++17 that got merged upstream in
gengetopt.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
a8bfdf2ed4d930ca5a31b5c4bc7061ad5ef11ba3)
Rosen Penev [Sun, 11 Feb 2024 23:06:44 +0000 (15:06 -0800)]
lua: fix CVE-2014-5461
Patch taken from Debian.
Refresh patches
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit
78b0106f7d5093641f68d37c041a5863eb9dd9a0)
Josef Schlehofer [Sun, 28 Apr 2024 21:04:03 +0000 (23:04 +0200)]
toolchain/gdb: backport patch for macOS to fix invalid range
With the recent macOS update to Ventura, it looks like gdb could not be
compiled with clang16 and newer version, because it fails with:
./../gdbsupport/enum-flags.h:95:52: error: integer value -1 is outside the valid range of values [0, 15] for this enumeration type [-Wenum-constexpr-conversion]
integer_for_size<sizeof (T), static_cast<bool>(T (-1) < T (0))>::type
^
./../gdbsupport/enum-flags.h:95:52: error: integer value -1 is outside the valid range of values [0, 1] for this enumeration type [-Wenum-constexpr-conversion]
./../gdbsupport/enum-flags.h:95:52: error: integer value -1 is outside the valid range of values [0, 3] for this enumeration type [-Wenum-constexpr-conversion]
./../gdbsupport/enum-flags.h:95:52: error: integer value -1 is outside the valid range of values [0, 3] for this enumeration type [-Wenum-constexpr-conversion]
4 errors generated.
- Upstream bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=30423
- Backported upstream commit:
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=
ae61525fcf456ab395d55c45492a106d1275873a
Fixes: https://github.com/openwrt/openwrt/issues/15314
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15315
Signed-off-by: Robert Marko <robimarko@gmail.com>
Christian Marangi [Mon, 29 Apr 2024 19:17:31 +0000 (21:17 +0200)]
procd: make mDNS TXT record parsing more solid
mDNS broadcast can't accept empty TXT record and would fail
registration.
Current procd_add_mdns_service checks only if the first passed arg is
empty but don't make any verification on the other args permittins
insertion of empty values in TXT record.
Example:
procd_add_mdns "blah" \
"tcp" "50" \
"1" \
"" \
"3"
Produce:
{ "blah_50": { "service": "_blah._tcp.local", "port": 50, "txt": [ "1", "", "3" ] } }
The middle empty TXT record should never be included as it's empty.
This can happen with scripts that make fragile parsing and include
variables even if they are empty.
Prevent this and make the TXT record more solid by checking every
provided TXT record and include only the non-empty ones.
The fixed JSON is the following:
{ "blah_50": { "service": "_blah._tcp.local", "port": 50, "txt": [ "1", "3" ] } }
Fixes:
b0d9dcf84dd0 ("procd: update to latest git HEAD")
Reported-by: Paul Donald <newtwen@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15331
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
4b043047132de0b3d90619d538f103af6153fa5a)
Petr Štetiar [Mon, 30 Oct 2023 19:38:04 +0000 (19:38 +0000)]
Revert "uboot-sunxi: add missing type __u64"
This reverts commit
3cc57ba4627c9c7555f8ad86e4f78d86d8f9ddf0 as it
should be fixed in commit
78cbd5a57e11 ("tools: macOS: types.h: fix
missing unsigned types").
References: #13833
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
bc47613cf0215743cde641f962386d59b57a332a)
Petr Štetiar [Mon, 30 Oct 2023 19:31:03 +0000 (19:31 +0000)]
tools: macOS: types.h: fix missing unsigned types
For some reason unsigned types were not added in commit
0a06fcf608dd
("build: fix kernel 5.4 on macos"), which led to bunch of hacks, like
commit
3cc57ba4627c ("uboot-sunxi: add missing type __u64") or
commit
997ff740dc44 ("uboot-mediatek: fix build on Mac OS X").
So lets add the missing unsigned types to workaround it in a bit more
maintainable way.
Fixes: #13833
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
4a8961f1dfba33b1e9a38dd0ecb3a8b03c46edbb)
Petr Štetiar [Thu, 20 Jul 2023 06:41:44 +0000 (08:41 +0200)]
toolchain: kernel-headers: remove debugging env dump
Remove debugging `env` dump left over as build environments might
contain some sensitive information, which then might leak into the build
logs.
Fixes:
2105acbe2804 ("kernel-headers: fix compile error caused by wrong host include path when the toolchain is already built")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
def41cf2bab825e46a31eb0a9ccf51288edfe27d)
Petr Štetiar [Thu, 20 Jul 2023 13:48:39 +0000 (15:48 +0200)]
toolchain: kernel-headers: fix check target for external Git trees
Executing following command currently fails:
$ make toolchain/kernel-headers/{download,check} V=sc FIXUP=1
...
include/kernel-version.mk:11: *** Missing kernel version/hash file for . Please create include/kernel-. Stop.
So lets fix it by adding the necessary missing KERNEL_PATCHVER variable.
That additional kernel-build.mk include is needed to add another set of
missing variables:
$ make toolchain/kernel-headers/{download,check} V=sc FIXUP=1
...
Makefile:115: *** ERROR: Unknown pack format for file tmp/dl/. Stop.
Fixes:
0765466a42f4 ("kernel: split kernel version to dedicated files")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
6b7f1ffbad732c5e1818f9387c02dda109c2748b)
Christian Marangi [Thu, 18 Apr 2024 10:40:18 +0000 (12:40 +0200)]
netifd: packet-steering: silence error on applying queue mask
Some queues can't be tweaked and return -ENOENT if it's not multiqueue.
Silence any error from echo to produce a more clean bootlog.
Fixes: #12095
Suggested-by: Andris PE <neandris@gmail.com>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Felix Fietkau [Thu, 4 Jan 2024 12:46:34 +0000 (13:46 +0100)]
netifd: update to Git openwrt-23.05 (2024-01-04)
c739dee0a37b system-linux: refresh MAC address on DSA port conduit change
8587c074f1eb interface-ip: fix IPv4 route target masking
33d6c261aacb system-linux: fix bogus debug error messages on adding bridge members
0832e8f04778 wireless: add bridge_isolate option
5ca7a9058e98 bridge: fix reload on bridge vlan changes
be4ffb3b78bc bridge: rework config change pvid handling
923c4370a1d4 system-linux: set master early on apply settings
b9442415c785 system-linux: skip refreshing MAC on master change if custom MAC
b635a09cdadf system-linux: set pending to 0 on ifindex found or error for if_get_master
2bbe49c36224 device: Log error message if device initialization failed
2703f740a23e Revert "system-linux: set pending to 0 on ifindex found or error for if_get_master"
9cb0cb418303 system-linux: fix race condition in netlink socket error handing
c18cc79d5000 device: restore cleared flags on device down
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Robert Marko [Mon, 8 Apr 2024 20:05:19 +0000 (22:05 +0200)]
config: fix CONFIG_GDB appearing in main menuconfig menu
I noticed that CONFIG_GDB was suddenly appearing in the main menuconfig
menu despite the fact that it should be visible only when TOOLCHAINOPTS
is selected and under a dedicated menu.
After some trial and error, it seems that this was caused by the recent
addition of GCC_USE_DEFAULT_VERSION, and after even more trial and error
it gets fixed as soon GCC_USE_DEFAULT_VERSION is placed after GCC_VERSION.
So, lets simply put GCC_USE_DEFAULT_VERSION after GCC_VERSION.
Fixes:
501ef81040ba ("config: select KERNEL_WERROR if building with default GCC version")
Signed-off-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [rebased]
(cherry picked from commit
12b2cb2ec3f1366b65caa0dbbdd83846c1c88d4e)
Daniel Golle [Sun, 7 Apr 2024 18:50:04 +0000 (19:50 +0100)]
config: select KERNEL_WERROR if building with default GCC version
[ during cherry-pick GCC version was changed to default GCC 12 version ]
At the moment we have to manually follow the default GCC version
also in config/Config-kernel.in. This tends to be forgotten at GCC
version bumps (just happened when switching from version 12 to 13).
Instead, introduce a hidden Kconfig symbol which implies KERNEL_WERROR
in toolchain/gcc/Config.in where it is visible for developers changing
the default version.
Also remove the explicit default on BUILDBOT to avoid a circular
dependency and also because buildbots anyway implicitly always select
the default GCC version.
Reference: https://github.com/openwrt/openwrt/pull/15064
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [GCC 12 default]
(cherry picked from commit
501ef81040baa2ee31de6dd9f75d619de0e4c9bc)
Petr Štetiar [Wed, 24 May 2023 07:46:45 +0000 (09:46 +0200)]
kernel: introduce KERNEL_WERROR config option
In commit
b2d1eb717b65 ("generic: 5.15: enable Werror by default for
kernel compile") CONFIG_WERROR=y was enabled and all warnings/errors
reported with GCC 12 were fixed.
Keeping this in sync with past/future GCC versions is going to be uphill
battle, so lets introduce new KERNEL_WERROR config option, enable it by
default only for tested/known working combinations and on buildbots.
References: #12687
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
ce8c639a6c539534be14a540e7c3e9933d3a34ef)
Rafał Miłecki [Mon, 1 Apr 2024 20:59:10 +0000 (22:59 +0200)]
mac80211: backport some upstream EHT patches
Those changes are needed by Wi-Fi 7 drivers.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Felix Fietkau [Sun, 31 Mar 2024 17:57:03 +0000 (19:57 +0200)]
unetd: update to Git HEAD (2024-03-31)
52144f723bec pex: after receiving data update req, notify peer of local address/port
29aacb9386e0 pex: track indirect hosts (reachable via gateway) as peers without adding them to wg
48049524d4fc pex: do not send peer notifications for hosts with a gateway
12ac684ee22a pex: do not query for hosts with a gateway
203c88857354 pex: fix endian issues on config transfer
a29d45c71bca network: fix endian issue in converting port to network id
cbbe9d337a17 unet-cli: emit id by default
806457664ab6 unet-cli: strip initial newline in usage message
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
a112ed4126c258a63698774b1e600584c1ccd5a8)
RISCi_ATOM [Fri, 19 Apr 2024 21:03:53 +0000 (17:03 -0400)]
gettext-full: link libiconv when building host pkg
On Fedora 40 system, some compile error happens when
building iconv-ostream.c. Linking to libiconv-full
fixes this.
Signed-off-by: Yanase Yuki <dev@zpc.st>
Picked from upstream
63dd14b906e9eb27bc878b95ac6777a3624b1135
RISCi_ATOM [Fri, 19 Apr 2024 21:02:23 +0000 (17:02 -0400)]
kernel: Bump to 5.15.156
Patches removed upstream:
* target/linux/generic/backport-5.15/081-v5.17-regmap-allow-to-define-reg_update_bits-for-no-bus.patch
* target/linux/generic/backport-5.15/704-15-v5.19-net-mtk_eth_soc-move-MAC_MCR-setting-to-mac_finish.patch
* target/linux/generic/pending-5.15/737-net-ethernet-mtk_eth_soc-add-paths-and-SerDes-modes-.patch
Reworked:
* target/linux/generic/hack-5.15/221-module_exports.patch
Nick Hainke [Wed, 24 Jan 2024 12:18:53 +0000 (13:18 +0100)]
tools/cpio: update to 2.15
Release Notes:
https://lists.gnu.org/archive/html/info-gnu/2024-01/msg00006.html
Signed-off-by: Nick Hainke <vincent@systemli.org>
Hauke Mehrtens [Mon, 18 Mar 2024 21:39:56 +0000 (22:39 +0100)]
dnsmasq: Backport 2 upstream patches
These two patches are fixing minor problems with DNSSEC found shortly
after the dnsmasq 2.90 release.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
28c87d7ecd142a31772572faac079b77163ceeca)
Robert Marko [Wed, 13 Mar 2024 11:47:31 +0000 (12:47 +0100)]
dnsmasq: reset PKG_RELEASE
dnsmasq was recently updated to 2.90, but PKG_RELEASE was not reset to 1.
Fixes:
838a27f64f56 ("dnsmasq: version 2.90")
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit
694e6477848eade21851ec27d90c173b373099fc)
Nathaniel Wesley Filardo [Sun, 18 Feb 2024 13:12:10 +0000 (13:12 +0000)]
dnsmasq: version 2.90
Bump to 2.90 to get upstream's fix for DNSSEC KeyTrap (CVE-2023-50387,
CVE-2023-50868) among many other goodies and fixes (notably, upstream
568fb024... fixes a UAF in cache_remove_uid that was routinely crashing
dnsmasq in my deployment).
Catch up our 200-ubus_dns.patch, too.
Signed-off-by: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
(cherry picked from commit
838a27f64f56e75aae98a3ab2556856224d48d8b)
Sven Eckelmann [Sat, 18 Nov 2023 15:29:09 +0000 (16:29 +0100)]
dnsmasq: mark global ubus context as closed after fork
If the dnsmasq process forks to handle TCP connections, it closes the ubus
context. But instead of changing the daemon wide pointer to NULL, only the
local variable was adjusted - and this portion of the code was even dropped
(dead store) by some optimizing compilers.
It makes more sense to change the daemon->ubus pointer because various
functions are already checking it for NULL. It is also the behavior which
ubus_destroy() implements.
Fixes:
d8b33dad0bb7 ("dnsmasq: add support for monitoring and modifying dns lookup results via ubus")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(cherry picked from commit
711dcb77630e96e75413b5cdbe3ddb5432f394f6)
Petr Štetiar [Mon, 4 Mar 2024 16:12:05 +0000 (16:12 +0000)]
umdns: update to Git
7c675979 (2024-03-04)
Backport of single commit
9040335e102 ("interface: fix interface memory
corruption").
Fixes: openwrt/openwrt/issues/14120
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Jesus Fernandez Manzano [Mon, 22 Jan 2024 12:46:14 +0000 (13:46 +0100)]
hostapd: fix 11r defaults when using WPA
802.11r can not be used when selecting WPA. It needs at least WPA2.
This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.
Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
(cherry picked from commit
cdc4c551755115e0e1047a0c90a658e6238e96ee)
Jesus Fernandez Manzano [Mon, 22 Jan 2024 12:52:18 +0000 (13:52 +0100)]
hostapd: fix 11r defaults when using SAE
When using WPA3-SAE or WPA2/WPA3 Personal Mixed, we can not use
ft_psk_generate_local because it will break FT for SAE. Instead
use the r0kh and r1kh configuration approach.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
(cherry picked from commit
e2f6bfb833a1ba099e1dcf0e569e4ef11c31c391)
Fixes: https://github.com/openwrt/luci/issues/6930
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Matthias Schiffer [Mon, 4 Mar 2024 22:45:15 +0000 (23:45 +0100)]
build: do not depend on $(STAGING_DIR)/.prepared when in SDK
The dependency can't be satisfied when building using the SDK, breaking
package builds. As the staging and bin dirs are distributed with the SDK
archive, ignoring the dependency is fine when SDK is set.
Fixes:
fbb924abff8a ("build: add $(STAGING_DIR) and $(BIN_DIR) ...")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit
2b46cbef8179b4a131bd008c520339441bc87c97)
Matthias Schiffer [Thu, 1 Feb 2024 23:46:58 +0000 (00:46 +0100)]
build: add $(STAGING_DIR) and $(BIN_DIR) preparation to target and package subdir compile dependencies
In a pristine build, these directories are created as dependencies of
the tools subdir compile, however this step never runs when the tools
compile stamp already exists. Since commit
ed6ba2801c0a ("tools: keep
stamp file in $(STAGING_DIR_HOST)"), this will happen after `make clean`:
$(STAGING_DIR) has been deleted, but the tools stamp still exists, so
the next build will fail because $(STAGING_DIR) has not been set up
correctly.
Fix builds after `make clean` by adding the preparation as dependencies
for the target and package directories as well.
Fixes:
ed6ba2801c0a ("tools: keep stamp file in $(STAGING_DIR_HOST)")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit
fbb924abff8af9e69ec90d7bf099046c24145b74)
RISCi_ATOM [Thu, 14 Mar 2024 14:33:18 +0000 (10:33 -0400)]
luci: Remove stray binary
RISCi_ATOM [Thu, 14 Mar 2024 14:30:24 +0000 (10:30 -0400)]
kernel : Bump to 5.15.151
* removes dsmark support, as it was removed in 5.15.150
Effected patches:
ath79/patches-5.15/900-unaligned_access_hacks.patch : rewored for 5.15.149
David Bauer [Mon, 26 Feb 2024 13:43:09 +0000 (14:43 +0100)]
generic l2tp: drop flow hash on forward
Drop the flow-hash of the skb when forwarding to the L2TP netdev.
This avoids the L2TP qdisc from using the flow-hash from the outer
packet, which is identical for every flow within the tunnel.
This does not affect every platform but is specific for the ethernet
driver. It depends on the platform including L4 information in the
flow-hash.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
35a5e62da7275a4a1423df6238340dd08eeff3c9)
David Bauer [Sat, 17 Feb 2024 21:37:05 +0000 (22:37 +0100)]
generic vxlan: don't learn non-unicast L2 destinations
This patch avoids learning non-unicast targets in the vxlan FDB. They
are non-unicast and thus should be sent to the broadcast-IPv6 instead of
a unicast address
Link: https://lore.kernel.org/netdev/15ee0cc7-9252-466b-8ce7-5225d605dde8@david-bauer.net/
Link: https://github.com/freifunk-gluon/gluon/issues/3191
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
0985262fd0f0b9c33e1fb559e71c041379199a91)
Hauke Mehrtens [Sat, 17 Feb 2024 16:58:50 +0000 (17:58 +0100)]
wifi-scripts: Support HE Iftypes with multiple entries
With mac80211_hwsim I have seen such entries in OpenWrt 22.03:
HE Iftypes: managed, AP
The mac80211.sh script did not detect the entry and failed. Allow
arbitrary other entries before to fix this problem.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
5df7a78e821cbdcc3beb80150798712a4c00b00e)
Oto Šťáva [Fri, 16 Feb 2024 15:28:10 +0000 (16:28 +0100)]
build: add explicit --no-show-signature for git
When `log.showSignature` is set, it causes the `SOURCE_DATE_EPOCH` to
include a textual signature description on OpenPGP-signed commits,
because Git prints the description into stdout. This then causes some
scripts to fail because they cannot parse the date from the variable.
Adding an explicit `--no-show-signature` prevents the signatures from
being displayed even when one has Git configured to show them by
default, fixing the scripts.
Signed-off-by: Oto Šťáva <oto.stava@gmail.com>
(cherry picked from commit
1e93208bd2c605704b19fe8b04025c20c17e808d)
Eneas U de Queiroz [Sat, 3 Feb 2024 19:33:14 +0000 (16:33 -0300)]
hostapd: fix FILS AKM selection with EAP-192
Fix netifd hostapd.sh selection of FILS-SHA384 algorithm with eap-192.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit
472312f83f886a0749672a634948726fda9c2401)
Christian Marangi [Thu, 8 Feb 2024 22:04:55 +0000 (23:04 +0100)]
linux: add dtb makefile target to targets list
Add dtb makefile target to targets list to permit correct working of
make target/linux/dtb
Fixes:
c47532b1ea7f ("kernel-build
\eOnmk: add support for compiling only DTS")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
c4910e9cb37c626ab9f4a47579bc8ec8981cdf4a)
Christian Marangi [Wed, 7 Feb 2024 23:49:27 +0000 (00:49 +0100)]
kernel-build.mk: add support for compiling only DTS
Add support for compiling DTS for the selected target. This can be
useful for testing if the DTS correctly compile and doesn't produce any
error.
This adds a new make target. To compile only DTS use:
make target/linux/dtb
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
c47532b1ea7f8459f05a223a71317a1461c6e750)
Hauke Mehrtens [Wed, 7 Feb 2024 20:30:52 +0000 (21:30 +0100)]
toolchain: glibc: Update glibc 2.37 to recent HEAD
512e30fd56 Revert "elf: Remove unused l_text_end field from struct link_map"
55d3dfadf8 Revert "elf: Always call destructors in reverse constructor order (bug 30785)"
8e20aedfd7 Revert "elf: Move l_init_called_next to old place of l_text_end in link map"
5014fb12f4 elf: Fix wrong break removal from
8ee878592c
874d418697 elf: Fix TLS modid reuse generation assignment (BZ 29039)
8bd00f5b6d x86-64: Fix the dtv field load for x32 [BZ #31184]
d052665f35 x86-64: Fix the tcb field load for x32 [BZ #31185]
0ca9ba3a9e NEWS: Mention bug fixes for 29039/30745/30843
9b90e763db getaddrinfo: translate ENOMEM to EAI_MEMORY (bug 31163)
bd9f194c34 libio: Check remaining buffer size in _IO_wdo_write (bug 31183)
8b8a3f0aaf sunrpc: Fix netname build with older gcc
97a4292aa4 syslog: Fix heap buffer overflow in __vsyslog_internal (CVE-2023-6246)
67062eccd9 syslog: Fix heap buffer overflow in __vsyslog_internal (CVE-2023-6779)
2b58cba076 syslog: Fix integer overflow in __vsyslog_internal (CVE-2023-6780)
1d8bb622df i386: Use pthread_barrier for synchronization on tst-bz21269
32450f6e8d sysdeps: tst-bz21269: fix test parameter
f7e97cea20 sysdeps: tst-bz21269: handle ENOSYS & skip appropriately
d97929eadc sysdeps: tst-bz21269: fix -Wreturn-type
5bbe7e0da5 x86_64: Optimize ffsll function code size.
98ec3e004e sparc: Fix broken memset for sparc32 [BZ #31068]
2ce7abef67 sparc64: Remove unwind information from signal return stubs [BZ#31244]
18da90677c sparc: Fix sparc64 memmove length comparison (BZ 31266)
8b849f70b3 sparc: Remove unwind information from signal return stubs [BZ #31244]
eee7525d35 arm: Remove wrong ldr from _dl_start_user (BZ 31339)
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
2ef5714277ce32d0dc7d59e59f20591004f070c4)
Yuu Toriyama [Sat, 3 Feb 2024 19:09:14 +0000 (04:09 +0900)]
wireless-regdb: update to 2024.01.23
The maintainer and repository of wireless-regdb has changed.
https://lore.kernel.org/all/CAGb2v657baNMPKU3QADijx7hZa=GUcSv2LEDdn6N=QQaFX8r-g@mail.gmail.com/
Changes:
37dcea0 wireless-regdb: Update keys and maintainer information
9e0aee6 wireless-regdb: Makefile: Reproducible signatures
8c784a1 wireless-regdb: Update regulatory rules for China (CN)
149c709 wireless-regdb: Update regulatory rules for Japan (JP) for December 2023
bd69898 wireless-regdb: Update regulatory rules for Singapore (SG) for September 2023
d695bf2 wireless-regdb: Update and disable 5470-5730MHz band according to TPC requirement for Singapore (SG)
4541300 wireless-regdb: update regulatory database based on preceding changes
Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit
b463737826eaa6c519eba93e13757a0cd3e09d47)
Ivan Pavlov [Fri, 2 Feb 2024 05:46:52 +0000 (08:46 +0300)]
openssl: update to 3.0.13
Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]
* Fixed PKCS12 Decoding crashes
([CVE-2024-0727])
* Fixed Excessive time spent checking invalid RSA public keys
([CVE-2023-6237])
* Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
CPUs which support PowerISA 2.07
([CVE-2023-6129])
* Fix excessive time spent in DH check / generation with large Q parameter
value ([CVE-2023-5678])
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
(cherry picked from commit
44cd90c49a7457345c0fba186d5d762d3a04d854)
Chad Monroe [Tue, 16 Jan 2024 23:44:33 +0000 (15:44 -0800)]
ucode: add libjson-c/host dependency
ensure host libjson-c is built prior to ucode
Signed-off-by: Chad Monroe <chad@monroe.io>
(cherry picked from commit
5a3f6c50ef29c8b11fe6967e65277b8331be0ff0)
Rosen Penev [Sun, 17 Dec 2023 01:12:33 +0000 (17:12 -0800)]
kernel: backport ethtool_puts
Will be used for conversions in later commits and is a requirement for
PHY backports.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[rmilecki: update commit message for 23.05]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit
511c7ff03231752ea2adbdf7cc1af4be962c9b65)
orangepizza [Mon, 29 Jan 2024 02:37:43 +0000 (11:37 +0900)]
mbedtls: security bump to version 2.28.7
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for following security issues:
* Timing side channel in private key RSA operations (CVE-2024-23170)
Mbed TLS is vulnerable to a timing side channel in private key RSA
operations. This side channel could be sufficient for an attacker to
recover the plaintext. A local attacker or a remote attacker who is
close to the victim on the network might have precise enough timing
measurements to exploit this. It requires the attacker to send a large
number of messages for decryption.
* Buffer overflow in mbedtls_x509_set_extension() (CVE-2024-23775)
When writing x509 extensions we failed to validate inputs passed in to
mbedtls_x509_set_extension(), which could result in an integer overflow,
causing a zero-length buffer to be allocated to hold the extension. The
extension would then be copied into the buffer, causing a heap buffer
overflow.
Fixes: CVE-2024-23170, CVE-2024-23775
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
Signed-off-by: orangepizza <tjtncks@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [formal fixes]
(cherry picked from commit
920414ca8848fe1b430e436207b4f8c927819368)
Rafał Miłecki [Wed, 27 Dec 2023 15:20:45 +0000 (16:20 +0100)]
uhttpd: handle reload after uhttpd-mod-ubus installation using postinst
Use postinst script to reload service instead of uci-defaults hack. It's
possible thanks to recent base-files change that executes postinst after
uci-defaults.
This fixes support for uhttpd customizations. It's possible (again) to
adjust uhttpd config with custom uci-defaults before it gets started.
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes:
d25d281fd668 ("uhttpd: Reload config after uhttpd-mod-ubus was added")
Ref:
b799dd3c705d ("base-files: execute package's "postinst" after executing uci-defaults")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit
1f11a4e28336c07aca61dd3b4fef01ef872a362d)
Rafał Miłecki [Sun, 26 Nov 2023 20:24:28 +0000 (21:24 +0100)]
base-files: execute package's "postinst" after executing uci-defaults
Allow "postinst" scripts to perform extra actions after applying all
kind of fixups implemented using uci-defaults.
This is needed e.g. by uhttpd-mod-ubus which after installation in a
running systems needs to:
1. Update uhttpd config using its uci-defaults script
2. Reload uhttpd
While this approach makes sense there is a risk it'll blow up some
corner case postinst usages. There is only 1 way to find out.
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit
b799dd3c705dfd95745cdd94b13d1cd2ad2367a6)
Lech Perczak [Sun, 17 Dec 2023 17:25:55 +0000 (18:25 +0100)]
ath79: generic: disable SPI-NOR write protect unconditionally
Kernel 5.15 introduced a significant change to spi-nor subsystem [1],
which would the SPI-NOR core to no longer unprotect the Flash chips if
their protection bits are non-volatile, which is the case for MX25L6405D
and MX25L12805D, used in Ubiquiti XW and WA lines of devices [2].
However, their bootloader forcibly enables this protection before
continuing to boot, making the kernel not unprotect the flash upon boot,
causing JFFS2 to be unable write to the filesystem. Because sysupgrade
seems to unlock the flash explicitly, the upgrade will work, but the
system will be unable to save configrationm showing the following symptom
in the kernel log:
[ 86.168016] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[ 86.192344] jffs2_build_filesystem(): unlocking the mtd device...
[ 86.192443] done.
[ 86.200669] jffs2_build_filesystem(): erasing all blocks after the end marker...
[ 86.220646] jffs2: Newly-erased block contained word 0x19852003 at offset 0x001e0000
[ 86.292388] jffs2: Newly-erased block contained word 0x19852003 at offset 0x001d0000
[ 86.324867] jffs2: Newly-erased block contained word 0x19852003 at offset 0x001c0000
[ 86.355316] jffs2: Newly-erased block contained word 0x19852003 at offset 0x001b0000
[ 86.402855] jffs2: Newly-erased block contained word 0x19852003 at offset 0x001a0000
Disable the write protection unconditionally for ath79/generic subtarget,
so the XW and WA devices can function again. However, this is only a
stopgap solution - it probably should be investigated if there is a way
to selectively unlock the area used by rootfs_data - but given the lock
granularity, this seems unlikely.
With this patch in place, rootfs_data partition on my Nanostation Loco
M5 XW is writable again.
Fixes: #12882
Fixes: #13750
Fixes:
579703f38c14 ("ath79: switch to 5.15 as default kernel")
Link: http://www.infradead.org/pipermail/linux-mtd/2020-October/082805.html
Link: https://forum.openwrt.org/t/powerbeam-m5-xw-configuration-loss-after-reboot/141925
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit
f024f4b1b0380b3b2e18115bd8e4f35393fccc70)
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Jo-Philipp Wich [Tue, 23 Jan 2024 08:07:16 +0000 (09:07 +0100)]
jsonfilter: update to Git HEAD (2024-01-23)
013b75ab0598 jsonfilter: drop legacy json-c support
594cfa86469c main: fix spurious premature parse aborts in array mode
Fixes: https://bugs.openwrt.org/?task_id=3683
Fixes: https://github.com/openwrt/openwrt/issues/8703
Fixes: https://github.com/openwrt/openwrt/issues/11649
Fixes: https://github.com/openwrt/openwrt/issues/12344
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit
33f15dd6d41873b02eb8895b8886763659f1390c)
David Bauer [Thu, 18 Jan 2024 21:47:17 +0000 (22:47 +0100)]
hostapd: ACS: Fix typo in bw_40 frequency array
[Upstream Backport]
The range for the 5 GHz channel 118 was encoded with an incorrect
channel number.
Fixes:
ed8e13decc71 (ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan())
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
56d7887917102877ed2f03414f7ed812a29d6b39)
David Bauer [Tue, 9 Jan 2024 19:52:56 +0000 (20:52 +0100)]
ath79: read back reset register
Read back the reset register in order to flush the cache. This fixes
spurious reboot hangs on TP-Link TL-WDR3600 and TL-WDR4300 with Zentel
DRAM chips.
This issue was fixed in the past, but switching to the reset-driver
specific implementation removed the cache barrier which was previously
implicitly added by reading back the register in question.
Link: https://github.com/freifunk-gluon/gluon/issues/2904
Link: https://github.com/openwrt/openwrt/issues/13043
Link: https://dev.archive.openwrt.org/ticket/17839
Link:
f8a7bfe1cb2c ("MIPS: ath79: fix system restart")
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
2fe8ecd880396b5ae25fe9583aaa1d71be0b8468)
Felix Fietkau [Tue, 9 Jan 2024 13:36:42 +0000 (14:36 +0100)]
mac80211: do not emit VHT160 capabilities if channel width is less than 160 MHz
Fixes compatibility issues with VHT160 capable clients
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
80e4e2285fdf4a7b19c84532deafe2d1e690ed30)
Felix Fietkau [Tue, 9 Jan 2024 10:05:45 +0000 (11:05 +0100)]
hostapd: add missing NULL pointer check on radar notification
Fixes a race condition that can lead to a hostapd crash
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
d864f68232e910f2c8ab06a66347fc08c257dfcc)
David Bauer [Thu, 30 Nov 2023 06:32:52 +0000 (07:32 +0100)]
mac80211: avoid crashing on invalid band info
Frequent crashes have been observed on MT7916 based platforms. While the
root of these crashes are currently unknown, they happen when decoding
rate information of connected STAs in AP mode. The rate-information is
associated with a band which is not available on the PHY.
Check for this condition in order to avoid crashing the whole system.
This patch should be removed once the roout cause has been found and
fixed.
Link: https://github.com/freifunk-gluon/gluon/issues/2980
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
1278d47beaabaa963b2956e81936269b7fea4003)
Tianling Shen [Mon, 25 Dec 2023 03:23:58 +0000 (11:23 +0800)]
rockchip: configure eth pad driver strength for orangepi r1 plus lts
The default strength is not enough to provide stable connection
under 3.3v LDO voltage.
Fixes:
3f3586a06d27 ("rockchip: add Orange Pi R1 Plus LTS support")
Fixes: #13117
Fixes: #13759
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
3645ac8a10d9abb1451343beaf7d65b53eeecffd)
[rebased onto openwrt-23.05 branch]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Rany Hany [Wed, 3 Jan 2024 16:43:33 +0000 (18:43 +0200)]
mac80211: add missing newline for "min_tx_power"
This prevents min_tx_power from functioning properly in some circumstances.
Add the missing newline.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
(cherry picked from commit
6ca8752a9cadac810f8541ec1be67d02265175aa)
Eric J. Anderson [Mon, 4 Dec 2023 21:41:47 +0000 (22:41 +0100)]
ath79: make boot-leds service executable
This service was unfunctional due to not having its executable bit
set.
Fixes #13500.
Signed-off-by: Eric J. Anderson <eric.j.ason256@gmail.com>
(cherry picked from commit
807acbce66c34596ac80cad8ea2a3f170f58429c)
RISCi_ATOM [Wed, 3 Jan 2024 16:14:17 +0000 (11:14 -0500)]
librecmc : Add requested packages from package feed to base
These packages provide essential functionality and are now
part of the libreCMC base.
avahi
gdbm
getdns
ldns
libcbor
libdaemon
libevdev
libfido2
libsodium
libudev-zero
protobuf-c
protobuf
tcp_wrappers
yaml
luci-app-dnscrypt-proxy
luci-app-unbound
dnscrypt-proxy
mesh11sd
openssh
sshtunnel
stubby
unbound
usbip
htop
nano
zile
Christian Marangi [Sun, 10 Dec 2023 10:43:45 +0000 (11:43 +0100)]
lua5.3: fix typo calling lua53 instead of lua5.3 for Package Default
Fix typo calling lua53 instead of lua5.3 for Package Default definition.
This cause only missing description of the package and doesn't cause
any build regression.
Fixes:
c52ca08d4008 ("lua5.3: build shared library")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
25e215c14ee6c9f3d54cd1da46a48d9ffe6b254e)
David Bauer [Thu, 28 Dec 2023 22:16:02 +0000 (23:16 +0100)]
dropbear: increase default receive window size
Increasing the receive window size improves throughout on higher-latency
links such as WAN connections. The current default of 24KB caps out at
around 500 KB/s.
Increasing the receive buffer to 256KB increases the throughput to at
least 11 MB/s.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
f95eecfb21ff08662e022accd30e8254028ff63b)
RISCi_ATOM [Mon, 1 Jan 2024 06:26:46 +0000 (01:26 -0500)]
luci : Make luci-app-opkg the default
RISCi_ATOM [Sat, 30 Dec 2023 22:54:24 +0000 (17:54 -0500)]
wolfssl : Bump to 5.6.6
RISCi_ATOM [Thu, 28 Dec 2023 18:16:39 +0000 (13:16 -0500)]
librecmc: Refresh libreCMC 6.x branch
libreCMC v6.0 is now based upon upstream's 23.05 branch, with an epoch
@ :
6264d12ed8e4beef6e3707837cb95f0e0d9e4e92
Paul Spooren [Tue, 9 May 2023 19:39:58 +0000 (21:39 +0200)]
build: generate index.json
The index.json file lies next to Packages index files and contains a
json dict with the package architecture and a dict of package names and
versions.
This can be used for downstream project to know what packages in which
versions are available.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit
218ce40cd738f3373438aab82467807a8707fb9c)
Yuu Toriyama [Thu, 4 May 2023 10:26:13 +0000 (19:26 +0900)]
wireless-regdb: update to 2023.05.03
Changes:
43f81b4 wireless-regdb: update regulatory database based on preceding changes
66f245d wireless-regdb: Update regulatory rules for Hong Kong (HK)
e78c450 wireless-regdb: update regulatory rules for India (IN)
1647bb6 wireless-regdb: Update regulatory rules for Russia (RU). Remove DFS requirement.
c076f21 Update regulatory info for Russia (RU) on 6GHz
Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit
97d20525b24e96558f974858f4d8ad6d9148e61f)
Nick Hainke [Sun, 28 Aug 2022 13:00:54 +0000 (15:00 +0200)]
ccache: update to 4.6.3
Release Notes:
https://ccache.dev/releasenotes.html#_ccache_4_6_3
Refresh patch:
- 100-honour-copts.patch
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit
83ea2e11b4b7872642bc7ac587361ccd783308f2)
Nick Hainke [Wed, 24 Aug 2022 08:57:35 +0000 (10:57 +0200)]
tools/ccache: update to 4.6.2
Release notes:
https://ccache.dev/releasenotes.html#_ccache_4_6_2
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit
ac61cf596cc4cdfb93981361b093c1d97e4a1b96)
Nick Hainke [Thu, 18 Aug 2022 05:53:00 +0000 (07:53 +0200)]
tools/ccache: update to 4.6.1
Release notes:
https://ccache.dev/releasenotes.html#_ccache_4_6_1
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit
2e87e24e43c49565e23643eb6eceef8455434647)
Michal Vasilek [Thu, 8 Dec 2022 12:56:45 +0000 (13:56 +0100)]
tools/ccache: fix build with musl and gcc 12
* refresh patches
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
Eneas U de Queiroz [Tue, 4 Apr 2023 18:39:56 +0000 (15:39 -0300)]
openssl: fix CVE-2023-464 and CVE-2023-465
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:
- Excessive Resource Usage Verifying X.509 Policy Constraints
(CVE-2023-0464)
Severity: Low
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit
this vulnerability by creating a malicious certificate chain that
triggers exponential use of computational resources, leading to a
denial-of-service (DoS) attack on affected systems.
Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
- Invalid certificate policies in leaf certificates are silently ignored
(CVE-2023-0465)
Severity: Low
Applications that use a non-default option when verifying certificates
may be vulnerable to an attack from a malicious CA to circumvent
certain checks.
Invalid certificate policies in leaf certificates are silently ignored
by OpenSSL and other certificate policy checks are skipped for that
certificate. A malicious CA could use this to deliberately assert
invalid certificate policies in order to circumvent policy checking on
the certificate altogether.
Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466. It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.
Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Matthias Schiffer [Thu, 13 Apr 2023 18:51:05 +0000 (20:51 +0200)]
uclient: update to Git version 2023-04-13
007d94546749 uclient: cancel state change timeout in uclient_disconnect()
644d3c7e13c6 ci: improve wolfSSL test coverage
dc54d2b544a1 tests: add certificate check against letsencrypt.org
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit
4f1c2e8deef10e9ca34ceff5a096e62aaa668e90)
Paul Spooren [Sun, 12 Mar 2023 15:56:41 +0000 (16:56 +0100)]
imagebuilder: allow to specific ROOTFS_PARTSIZE
Setting this options modifies the rootfs size of created images. When
installing a large number of packages it may become necessary to
increase the size to have enough storage.
This option is only useful for supported devices, i.e. with an attached
SD Card or installed on a hard drive.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit
7b7edd25a571568438c886529d3443054e02f55f)
Kien Truong [Sat, 10 Sep 2022 08:25:35 +0000 (15:25 +0700)]
iproute2: add missing libbpf dependency
This patch adds libbpf to the dependencies of tc-mod-iptables.
The package tc-mod-iptables is missing libbpf as a dependency,
which leads to the build failure described in bug #9491
LIBBPF_FORCE=on set, but couldn't find a usable libbpf
The build dependency is already automatically added because some other
packages from iproute2 depend on libbpf, but bpftools has multiple build
variants. With multiple build variants none gets build by default and
the build system will not build bpftools before iproute2.
Fixes: #9491
Signed-off-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
fa468d4bcdc7e6eb84ea51d9b05368ed87c43aae)
Eneas U de Queiroz [Mon, 6 Mar 2023 14:58:56 +0000 (11:58 -0300)]
openssl: fix variable reference in conffiles
Fix the trivial abscence of $() when assigning engine config files to
the main libopenssl-config package even if the corresponding engines
were not built into the main library.
This is mostly cosmetic, since scripts/ipkg-build tests the file's
presence before it is actually included in the package's conffiles.
Fixes:
30b0351039 "openssl: configure engine packages during install"
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit
c75cd5f6028da6ceb1fb3438da93e2305cd720b1)
Michael Pratt [Fri, 9 Dec 2022 20:45:04 +0000 (15:45 -0500)]
ath79: use lzma-loader for Senao initramfs images
Some vendors of Senao boards have put a bootloader
that cannot handle both large gzip or large lzma files.
There is no disadvantage by doing this for all of them.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
(cherry picked from commit
8342c092a03caedbf160d4ac3982c6a9be91261f)
Luo Chongjun [Thu, 15 Dec 2022 09:25:15 +0000 (17:25 +0800)]
ath79: Fix glinet ar300m usb not working
glinet forum users reported the problem at
https://forum.gl-inet.com/t/gl-ar300m16-openwrt-22-03-0-rc5-usb-port-power-off-by-default/23199
The current code uses the regulator framework to control the USB power
supply. Although usb0 described in DTS refers to the regulator by
vbus-supply, but there is no code related to regulator implemented
in the USB driver of QCA953X, so the USB of the device cannot work.
Under the regulator framework, adding the regulator-always-on attribute
fixes this problem, but it means that USB power will not be able to be
turned off. Since we need to control the USB power supply in user space,
I didn't find any other better way under the regulator framework of Linux,
so I directly export gpio.
Signed-off-by: Luo Chongjun <luochongjun@gl-inet.com>
(cherry picked from commit
b352124cd2115fec648a00956a848660df9477d3)
Hauke Mehrtens [Tue, 10 Jan 2023 18:50:12 +0000 (19:50 +0100)]
toolchain: musl: Fix symbol loading in gdb
Fix DT_DEBUG handling on MIPS in musl libc.
With this change gdb will load the symbol files for shared libraries on MIPS too.
This patch was taken from this thread: https://www.openwall.com/lists/musl/2022/01/09/4
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
(cherry picked from commit
fcdd407e8e16b90e1995789ba217be5591a88d2f)
Yuu Toriyama [Tue, 14 Feb 2023 05:44:11 +0000 (14:44 +0900)]
wireless-regdb: update to 2023.02.13
Changes:
7f7a9f7 wireless-regdb: update regulatory database based on preceding changes
660a1ae wireless-regdb: Update regulatory info for Russia (RU) on 5GHz
fe05cc9 wireless-regdb: Update regulatory rules for Japan (JP) on 6GHz
d8584dc wireless-regdb: Update regulatory rules for Japan (JP) on 5GHz
c04fd9b wireless-regdb: update regulatory rules for Switzerland (CH)
f29772a wireless-regdb: Update regulatory rules for Brazil (BR)
Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit
1173edf23b3440137d60162d1ef9f48ffa13e3e2)
Prasun Maiti [Wed, 16 Nov 2022 11:03:33 +0000 (16:33 +0530)]
build: fix for sourcing targets image config installed via feeds
Sourcing of image/Config.in will not happen
When a target is installed from target/linux/feeds/
Signed-off-by: Prasun Maiti <prasunmaiti87@gmail.com>
Acked-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
522a60cd31686a3d1b6d7ed1229eb68568aa89ac)
Chukun Pan [Sun, 12 Feb 2023 15:19:16 +0000 (23:19 +0800)]
bpf-headers: fix package category
This removes the non-selectable 'Kernel' item
when make menuconfig.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit
3e4c014008659c760b2e4638f606da90df1e3c93)
Rosen Penev [Wed, 1 Feb 2023 22:50:22 +0000 (14:50 -0800)]
ksmbd: update to 3.4.7
Remove upstreamed patches.
Switch to normal tarballs. Codeload recently had a reproducibility issue.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit
44c24b3ac5d4523c0f9f55691d28387508e93de5)
Hauke Mehrtens [Sat, 7 Jan 2023 13:41:04 +0000 (14:41 +0100)]
ksmbd: Fix ZDI-CAN-18259
This fixes a security problem in ksmbd. It currently has the
ZDI-CAN-18259 ID assigned, but no CVE yet.
Backported from:
https://github.com/cifsd-team/ksmbd/commit/
8824b7af409f51f1316e92e9887c2fd48c0b26d6
https://github.com/cifsd-team/ksmbd/commit/
cc4f3b5a6ab4693aba94a45cc073188df4d67175
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
76c67fcc66116381c69439f20159b636573080ba)
Nick Hainke [Fri, 21 Oct 2022 12:23:47 +0000 (14:23 +0200)]
ksmbd: update to 3.4.6
Release Announcement:
https://github.com/cifsd-team/ksmbd/releases/tag/3.4.6
Remove upstreamed:
- 10-fix-build-on-kernel-5.15.52-or-higher.patch
This fixes the following security bugs:
* CVE-2022-47938, ZDI-22-1689
* CVE-2022-47939, ZDI-22-1690 (patch was already backported before)
* CVE-2022-47940, ZDI-22-1691
* CVE-2022-47941, ZDI-22-1687
* CVE-2022-47942, ZDI-22-1688
* CVE-2022-47943, ZDI-CAN-17817
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit
78cbcc77cc33638b185f85c0e40daee1906a2c3c)
Felix Fietkau [Tue, 7 Mar 2023 09:23:17 +0000 (10:23 +0100)]
hostapd: add missing return code for the bss_mgmt_enable ubus method
Fixes bogus errors on ubus calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
cf992ca862f271936f61367236378378f0d91b6d)
Robert Marko [Tue, 7 Mar 2023 14:00:28 +0000 (15:00 +0100)]
kernel: filter out pahole version
Pahole version is being autodetected during runtime since kernel 5.15.96
via in-kernel scripts/pahole-version.sh so add CONFIG_PAHOLE_VERSION to
kernel filter in order to prevent it from being added to target configs.
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit
5d8f14bfefc6f12e93425ee522bdce75a7c979d6)
Ruben Jenster [Thu, 23 Mar 2023 10:15:52 +0000 (11:15 +0100)]
dnsmasq: add dhcphostsfile to ujail sandbox
The dhcphostsfile must be mounted into the (ujail) sandbox.
The file can not be accessed without this mount.
Signed-off-by: Ruben Jenster <rjenster@gmail.com>
(cherry picked from commit
936df715de3d33947ce38ca232b05c2bd3ef58f1)
Andrey Erokhin [Tue, 7 Mar 2023 11:52:58 +0000 (16:52 +0500)]
netifd: strip mask from IP address in DHCP client params
ipaddr option can be in CIDR notation,
but udhcp wants just an IP address
Signed-off-by: Andrey Erokhin <a.erokhin@inango-systems.com>
(cherry picked from commit
506bb436c678779e8ee54e83a7fb3e4e880037ec)
RISCi_ATOM [Mon, 8 May 2023 17:33:18 +0000 (13:33 -0400)]
kernel: Bump to 5.10.179
John Audia [Tue, 7 Feb 2023 19:56:52 +0000 (14:56 -0500)]
openssl: bump to 1.1.1t
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit
4ae86b3358a149a17411657b12103ccebfbdb11b)
The original commit removed the upstreamed patch 010-padlock.patch, but
it's not on OpenWrt 22.03, so it doesn't have to be removed.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>