Timo Sigurdsson [Tue, 14 Nov 2017 20:41:29 +0000 (21:41 +0100)]
hostapd: Expose the tdls_prohibit option to UCI
wpa_disable_eapol_key_retries can't prevent attacks against the
Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
that the existing hostapd option tdls_prohibit can be used to further
complicate this possibility at the AP side. tdls_prohibit=1 makes
hostapd advertise that use of TDLS is not allowed in the BSS.
Note: If an attacker manages to lure both TDLS peers into a fake
AP, hiding the tdls_prohibit advertisement from them, it might be
possible to bypass this protection.
Make this option configurable via UCI, but disabled by default.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
(cherry picked from commit 6515887ed9b3f312635409702113dca7c14043e5)
Hans Dedecker [Wed, 6 Dec 2017 13:22:59 +0000 (14:22 +0100)]
dnsmasq: backport infinite dns retries fix
If all configured dns servers return refused in response to a query in
strict mode, dnsmasq will end up in an infinite loop retransmitting the
dns query, resulting in high CPU load.
Problem is fixed by checking for the end of a dns server list iteration
in strict mode.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Stijn Segers [Sun, 3 Dec 2017 11:09:20 +0000 (12:09 +0100)]
curl: apply CVE 2017-8816 and 2017-8817 security patches
This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01
Curl package.
Compile-tested on ar71xx, ramips and x86.
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Felix Fietkau [Mon, 4 Dec 2017 08:56:32 +0000 (09:56 +0100)]
samba36: backport an upstream fix for an information leak (CVE-2017-15275)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
RISCi_ATOM [Wed, 6 Dec 2017 15:48:43 +0000 (10:48 -0500)]
Add patch from domino-team to add support for later rev. gl-ar300M (spi nand flash)
RISCi_ATOM [Tue, 5 Dec 2017 13:38:35 +0000 (08:38 -0500)]
Fix toolchain and other branding bugs
RISCi_ATOM [Tue, 5 Dec 2017 13:32:00 +0000 (08:32 -0500)]
fix branding in package/base-files
RISCi_ATOM [Sat, 2 Dec 2017 23:30:23 +0000 (18:30 -0500)]
Remove omap support
RISCi_ATOM [Sat, 2 Dec 2017 23:25:25 +0000 (18:25 -0500)]
Move wiki docs to /docs
RISCi_ATOM [Sat, 2 Dec 2017 01:56:22 +0000 (20:56 -0500)]
Remove r8169
RISCi_ATOM [Sat, 2 Dec 2017 00:34:28 +0000 (19:34 -0500)]
Remove ramips/0063-set-CM_GCR_BASE_CMDEFTGT_MEM-according-to-datasheet.patch : broken fix later
RISCi_ATOM [Fri, 1 Dec 2017 20:42:01 +0000 (15:42 -0500)]
Fix default package set
RISCi_ATOM [Fri, 1 Dec 2017 20:38:21 +0000 (15:38 -0500)]
Fix base-files librecmc-keyring dep.
RISCi_ATOM [Fri, 1 Dec 2017 19:31:02 +0000 (14:31 -0500)]
Fix default IP address
RISCi_ATOM [Fri, 1 Dec 2017 19:17:43 +0000 (14:17 -0500)]
Fresh pull from upstream lede-17.01 branch @ commit d77fe9219af17dce2d00147d904267d4489ae841
RISCi_ATOM [Tue, 28 Nov 2017 23:17:39 +0000 (18:17 -0500)]
iw: fix build on musl host
RISCi_ATOM [Tue, 28 Nov 2017 22:38:53 +0000 (17:38 -0500)]
Update tools/cmake from upstream
RISCi_ATOM [Tue, 28 Nov 2017 19:50:47 +0000 (14:50 -0500)]
tools/mkimage: fix musl build
RISCi_ATOM [Sun, 26 Nov 2017 18:41:29 +0000 (13:41 -0500)]
Fix target/linux/ar71xx Makefile
RISCi_ATOM [Sun, 26 Nov 2017 18:38:59 +0000 (13:38 -0500)]
Package cleanup first round..
RISCi_ATOM [Sun, 26 Nov 2017 18:20:28 +0000 (13:20 -0500)]
Bump version to v1.4.2 and add small-router cat.
RISCi_ATOM [Mon, 20 Nov 2017 20:08:54 +0000 (15:08 -0500)]
Bump busybox pkg revision
RISCi_ATOM [Mon, 20 Nov 2017 16:44:51 +0000 (11:44 -0500)]
Remove mislabeled patch
RISCi_ATOM [Mon, 20 Nov 2017 16:42:40 +0000 (11:42 -0500)]
Merge branch 'master' of https://gogs.librecmc.org/libreCMC/libreCMC
RISCi_ATOM [Mon, 20 Nov 2017 16:41:06 +0000 (11:41 -0500)]
Fix Busybox CVE-2017-16544 issue
RISCi_ATOM [Mon, 20 Nov 2017 16:29:36 +0000 (11:29 -0500)]
Fix Busybox CVE-2017-16544 issue
Peter Wagner [Thu, 9 Nov 2017 23:35:35 +0000 (00:35 +0100)]
openssl: update to 1.0.2m
don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 is disabled, otherwise the compile breaks with this error:
../libssl.so: undefined reference to `SSLv3_client_method'
Fixes CVE: CVE-2017-3735, CVE-2017-3736
Signed-off-by: Peter Wagner <tripolar@gmx.at>
RISCI_ATOM [Fri, 3 Nov 2017 15:53:14 +0000 (11:53 -0400)]
Merge branch 'spi-reset' of ldpinney/GnuBee-libreCMC into master
L. D. Pinney [Fri, 3 Nov 2017 15:06:42 +0000 (23:06 +0800)]
ramips: restore the mediatek-4-byte-spi-reset.patch
patch was dropped in commit 447cf1a2b7efa3949c8562d08bddcfaba3a5d809
Signed-off-by: L. D. Pinney <ldpinney@gmail.com>
RISCi_ATOM [Fri, 27 Oct 2017 21:06:40 +0000 (17:06 -0400)]
Add GL-AR300M NAND Flash support
This was based upon commit 333ccb0e158edaf80cb1ca696e328f9435f7d3eb in repo. github.com/domino-team/lede-ar300m
RISCi_ATOM [Fri, 27 Oct 2017 18:08:45 +0000 (14:08 -0400)]
Fix omitted gl-ar150
RISCi_ATOM [Wed, 13 Sep 2017 21:58:42 +0000 (17:58 -0400)]
Backport support for the GL-USB150 micro-router
Jason A. Donenfeld [Tue, 17 Oct 2017 17:34:20 +0000 (19:34 +0200)]
wireguard: version bump to 0.0.20171017
This is a simple version bump. Changes:
* noise: handshake constants can be read-only after init
* noise: no need to take the RCU lock if we're not dereferencing
* send: improve dead packet control flow
* receive: improve control flow
* socket: eliminate dead code
* device: our use of queues means this check is worthless
* device: no need to take lock for integer comparison
* blake2s: modernize API and have faster _final
* compat: support READ_ONCE
* compat: just make ro_after_init read_mostly
Assorted cleanups to the module, including nice things like marking our
precomputations as const.
* Makefile: even prettier output
* Makefile: do not clean before cloc
* selftest: better test index for rate limiter
* netns: disable accept_dad for all interfaces
Fixes in our testing and build infrastructure. Now works on the 4.14 rc
series.
* qemu: add build-only target
* qemu: work on ubuntu toolchain
* qemu: add more debugging options to main makefile
* qemu: simplify shutdown
* qemu: open /dev/console if we're started early
* qemu: phase out bitbanging
* qemu: always create directory before untarring
* qemu: newer packages
* qemu: put hvc directive into configuration
This is the beginning of working out a cross building test suite, so we do
several tricks to be less platform independent.
* tools: encoding: be more paranoid
* tools: retry resolution except when fatal
* tools: don't insist on having a private key
* tools: add pass example to wg-quick man page
* tools: style
* tools: newline after warning
* tools: account for padding being in zero attribute
Several important tools fixes, one of which suppresses a needless warning.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit f6c4a9c045797d9be12310eebc6341050fd260ce)
Jason A. Donenfeld [Fri, 13 Oct 2017 15:05:18 +0000 (17:05 +0200)]
wireguard: add wireguard to base packages
Move wireguard from openwrt/packages to a base package.
This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.
WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 699c6fcc314225f79156a26db418e15bbc6bf10f)
Stijn Tintel [Tue, 17 Oct 2017 13:35:03 +0000 (16:35 +0300)]
hostapd: add wpa_disable_eapol_key_retries option
Commit b6c3931ad6554357a108127797c8d7097a93f18f introduced an AP-side
workaround for key reinstallation attacks. This option can be used to
mitigate KRACK on the station side, in case those stations cannot be
updated. Since many devices out there will not receive an update
anytime soon (if at all), it makes sense to include this workaround.
Unfortunately this can cause interoperability issues and reduced
robustness of key negotiation, so disable the workaround by default, and
add an option to allow the user to enable it if he deems necessary.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit c5f97c9372da3229350184fb263c97d9ea8944c5)
Stijn Tintel [Tue, 17 Oct 2017 14:54:59 +0000 (17:54 +0300)]
hostapd: backport extra changes related to KRACK
While these changes are not included in the advisory, upstream
encourages users to merge them.
See http://lists.infradead.org/pipermail/hostap/2017-October/037989.html
Added 013-Add-hostapd-options-wpa_group_update_count-and-wpa_p.patch so
that 016-Optional-AP-side-workaround-for-key-reinstallation-a.patch
applies without having to rework it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Stijn Tintel [Mon, 16 Oct 2017 22:49:58 +0000 (01:49 +0300)]
mac80211: backport kernel fix for CVE-2017-13080
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 2f701194c29da50bfda968a83c6609843f74a7f4)
RISCi_ATOM [Mon, 16 Oct 2017 13:47:20 +0000 (09:47 -0400)]
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088
For more information see:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Pulled from upstream
L. D. Pinney [Sat, 7 Oct 2017 11:06:10 +0000 (19:06 +0800)]
ramips: restore support for the GnuBee Personal Cloud One
Restore support for the GnuBee Personal Cloud One.
Signed-off-by: L. D. Pinney <ldpinney@gmail.com>
NYNEX [Thu, 5 Oct 2017 18:43:04 +0000 (14:43 -0400)]
Fix repository default link
RISCi_ATOM [Thu, 5 Oct 2017 17:31:51 +0000 (13:31 -0400)]
Fix TPE-R1100 bug
RISCi_ATOM [Thu, 5 Oct 2017 14:18:53 +0000 (10:18 -0400)]
Add updated curl patches and ap121f reference board
RISCi_ATOM [Thu, 5 Oct 2017 14:12:49 +0000 (10:12 -0400)]
Fresh pull from upstream lede-17.01 branch to fix several outstanding
bugs. Some support may have regressed as a result.
RISCi_ATOM [Mon, 2 Oct 2017 17:22:32 +0000 (13:22 -0400)]
Bump dnsmasq version to v2.78 to fix several CVEs. Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496
NYNEX [Sat, 30 Sep 2017 13:00:42 +0000 (09:00 -0400)]
Update luci
RISCi_ATOM [Fri, 29 Sep 2017 19:47:05 +0000 (15:47 -0400)]
Bump OpenVPN version to 2.4.4 (pulled from upstream)
RISCi_ATOM [Wed, 27 Sep 2017 15:59:09 +0000 (11:59 -0400)]
Merge remote-tracking branch 'personal/v1.4.1' into v1.4.1
RISCi_ATOM [Thu, 14 Sep 2017 02:21:24 +0000 (22:21 -0400)]
refresh ramips patches from upstream for new kernel
RISCi_ATOM [Wed, 13 Sep 2017 21:59:23 +0000 (17:59 -0400)]
Bump version to v1.4.1
RISCi_ATOM [Wed, 13 Sep 2017 21:58:42 +0000 (17:58 -0400)]
Add upstream support for GL USB150 (needs a lot of work). Might revert back to ver. in libreCMC master
RISCi_ATOM [Wed, 13 Sep 2017 17:10:04 +0000 (13:10 -0400)]
update opkg
RISCi_ATOM [Wed, 13 Sep 2017 08:33:52 +0000 (04:33 -0400)]
v1.4.1 refresh based upon upstream 17.01 branch
libreCMC [Sat, 19 Aug 2017 05:20:34 +0000 (01:20 -0400)]
Merge branch 'master' of RISCI_ATOM/libreCMC into master
RISCi_ATOM [Sat, 19 Aug 2017 05:18:25 +0000 (01:18 -0400)]
Update toolchain/gdb to 7.12.1
libreCMC [Sat, 19 Aug 2017 04:58:53 +0000 (00:58 -0400)]
Merge branch 'master' of ldpinney/GnuBee-libreCMC into master
L. D. Pinney [Fri, 18 Aug 2017 02:31:52 +0000 (10:31 +0800)]
automake: Perl-5.22-and-later.patch
Import patch from upstream to fix build issues with Perl 5.22 and later.
Signed-off-by: L. D. Pinney <ldpinney@gmail.com>
RISCI_ATOM [Tue, 8 Aug 2017 11:41:32 +0000 (07:41 -0400)]
Merge branch 'master' of ldpinney/GnuBee-libreCMC into master
RISCI_ATOM [Tue, 8 Aug 2017 00:25:36 +0000 (20:25 -0400)]
Merge branch 'master' of RISCI_ATOM/libreCMC into master
RISCi_ATOM [Tue, 8 Aug 2017 00:22:37 +0000 (20:22 -0400)]
Add basic support for the GL-USB150 micro-router
L. D. Pinney [Mon, 7 Aug 2017 03:34:10 +0000 (11:34 +0800)]
ramips: Update GB-PC1 device tree source file
Signed-off-by: L. D. Pinney <ldpinney@gmail.com>
libreCMC [Mon, 31 Jul 2017 23:13:23 +0000 (19:13 -0400)]
Merge branch 'master' of ldpinney/GnuBee-libreCMC into master
L. D. Pinney [Sat, 22 Jul 2017 08:04:12 +0000 (16:04 +0800)]
ramips: GnuBee Personal Cloud One updates.
The GnuBee Personal Cloud One crowdfunded on https://www.crowdsupply.com
It is a low-cost, low-power, network-attached storage device.
Specifications:
- SoC: MediaTek MT7621AT
- RAM: DDR3 512 MB
- Flash: 32 MB
- Six SATA ports for 2.5" Drives
- One USB 3.0
- Two USB 2.0
- One micro SDcard
- Gigabit Ethernet: 1 x WAN and 1 x LAN
- UART 3.5mm Audio Jack or 3 pins on PCB - 57600 8N1
- Four GPIOs available on a pin header
Flash instructions:
The GnuBee Personal Cloud One ships with libreCMC installed.
One can upgrade using the webinterface or sysupgrade.
Das U-Boot has multiple options for recovery or updates including :
- USB
- http
- tftp
Signed-off-by: L. D. Pinney
RISCi_ATOM [Sat, 15 Jul 2017 15:09:05 +0000 (11:09 -0400)]
Remove http mirrors and --no-check-certificate / --insecure flags from scripts/download.pl
RISCi_ATOM [Wed, 5 Jul 2017 16:50:03 +0000 (12:50 -0400)]
Add libreCMC keyring
RISCi_ATOM [Fri, 30 Jun 2017 21:22:17 +0000 (17:22 -0400)]
Change repository links to reflect different versions of libreCMC {,core,legacy}
RISCi_ATOM [Tue, 27 Jun 2017 02:19:59 +0000 (22:19 -0400)]
Bump OpenSSL to 1.0.2l
RISCi_ATOM [Wed, 21 Jun 2017 17:46:47 +0000 (13:46 -0400)]
Bumped openvpn to 2.4.3 to fix various sec. issues
RISCi_ATOM [Mon, 29 May 2017 18:34:06 +0000 (14:34 -0400)]
Fix u-boot in tools/mkimage
RISCi_ATOM [Mon, 29 May 2017 07:38:46 +0000 (03:38 -0400)]
Enable wifi by default w/ default password
RISCi_ATOM [Mon, 29 May 2017 07:29:39 +0000 (03:29 -0400)]
Change libreCMC status from RC* to release
RISCi_ATOM [Wed, 24 May 2017 16:32:55 +0000 (12:32 -0400)]
Remove upstream references for pulling sources from download.pl
RISCi_ATOM [Wed, 24 May 2017 16:26:59 +0000 (12:26 -0400)]
Fix Ben Nanonote support
RISCi_ATOM [Wed, 24 May 2017 14:45:32 +0000 (10:45 -0400)]
samba: fix CVE-2017-7494 (Pulled from upstream)
RISCi_ATOM [Sat, 20 May 2017 22:11:05 +0000 (18:11 -0400)]
Update OpenVPN from upstream
RISCi_ATOM [Fri, 12 May 2017 19:49:07 +0000 (15:49 -0400)]
Add v1.4 package feed
RISCi_ATOM [Wed, 26 Apr 2017 11:17:39 +0000 (07:17 -0400)]
Remove FTP mirrors from libreCMC core (Makefiles and download.pl)
RISCi_ATOM [Fri, 14 Apr 2017 19:51:43 +0000 (15:51 -0400)]
Fix branding on imagebuilder in target/imagebuilder/Config.in
RISCi_ATOM [Fri, 14 Apr 2017 16:23:13 +0000 (12:23 -0400)]
Add support for the GnuBee Personal Cloud One from master
RISCi_ATOM [Thu, 13 Apr 2017 18:17:40 +0000 (14:17 -0400)]
Remove kmod-r8169 from x86 target default selection
RISCi_ATOM [Wed, 29 Mar 2017 15:57:26 +0000 (11:57 -0400)]
Change version to reflect RC1 status
RISCi_ATOM [Wed, 29 Mar 2017 15:11:45 +0000 (11:11 -0400)]
Add partial support for tpe-r1100
RISCi_ATOM [Tue, 28 Mar 2017 08:38:34 +0000 (04:38 -0400)]
Removed targets with dependencies on ath10k (support was stripped before committing upstream pull)
RISCi_ATOM [Thu, 23 Mar 2017 22:07:42 +0000 (18:07 -0400)]
Update commit hash in scripts/getver.sh
RISCi_ATOM [Thu, 23 Mar 2017 22:03:15 +0000 (18:03 -0400)]
Fresh pull from upstream 17.01 branch
RISCi_ATOM [Thu, 23 Mar 2017 22:02:30 +0000 (18:02 -0400)]
update .gitignore
RISCi_ATOM [Thu, 23 Mar 2017 17:47:12 +0000 (13:47 -0400)]
Revert "Second attempt at pull from upstream package/{luci,system,utils}"
This reverts commit 7872e94f9e17b314d88efa980d7c86632187633a.
RISCi_ATOM [Thu, 23 Mar 2017 17:10:04 +0000 (13:10 -0400)]
Second attempt at pull from upstream package/{luci,system,utils}
RISCi_ATOM [Thu, 23 Mar 2017 17:00:46 +0000 (13:00 -0400)]
Revert "Pull package/{luci,system,network} from upstream"
This reverts commit e836e894693e13d83e3078feab6787e194a260fa.
RISCi_ATOM [Thu, 23 Mar 2017 16:09:30 +0000 (12:09 -0400)]
Pull package/{luci,system,network} from upstream
RISCi_ATOM [Thu, 23 Mar 2017 16:01:02 +0000 (12:01 -0400)]
Fix branding in base-files/image-config.in
RISCi_ATOM [Mon, 13 Mar 2017 05:10:50 +0000 (01:10 -0400)]
add libreCMC src repository to scripts/download.pl
RISCi_ATOM [Mon, 13 Mar 2017 05:06:48 +0000 (01:06 -0400)]
changed kernel sha256 hash. Upstream broke kernel
RISCi_ATOM [Sun, 26 Feb 2017 05:45:25 +0000 (00:45 -0500)]
Resolve issue #2 https://gogs.librecmc.org/libreCMC/libreCMC/issues/2
RISCI_ATOM [Sun, 26 Feb 2017 02:49:41 +0000 (21:49 -0500)]
Merge branch 'v1.4-stage' of ldpinney/GnuBee-libreCMC into v1.4-stage
L. D. Pinney [Sat, 25 Feb 2017 04:01:44 +0000 (22:01 -0600)]
Merge remote-tracking branch 'upstream/v1.4-stage' into v1.4-stage
RISCi_ATOM [Mon, 20 Feb 2017 04:31:04 +0000 (23:31 -0500)]
Removed u-boot omap and fixed luci-ssl collection
L. D. Pinney [Tue, 7 Feb 2017 11:30:34 +0000 (05:30 -0600)]
Add support for the GnuBee Personal Cloud One
L. D. Pinney [Tue, 7 Feb 2017 11:25:12 +0000 (05:25 -0600)]
Revert "Add support for the GnuBee Personal Cloud One"
This reverts commit c6b3499a021c04e9ed7be3cf88e87a016903d66d.
black [Tue, 7 Feb 2017 11:06:28 +0000 (05:06 -0600)]
Add support for the GnuBee Personal Cloud One
RISCi_ATOM [Mon, 16 Jan 2017 11:57:19 +0000 (06:57 -0500)]
added support for omap (BeagleBone Black)