Rodrigo B. de Sousa Martins [Wed, 25 Sep 2024 18:35:20 +0000 (15:35 -0300)]
iptables: backport "nft: track each register individually" from 1.9
From the upstream repo:
Instead of assuming only one register is used, track all 16 regs
individually.
This avoids need for the 'PREV_PAYLOAD' hack and also avoids the need to
clear out old flags:
When we see that register 'x' will be written to, that register state is
reset automatically.
Existing dissector decodes
ip saddr 1.2.3.4 meta l4proto tcp
... as
-s 6.0.0.0 -p tcp
iptables-nft -s 1.2.3.4 -p tcp is decoded correctly because the expressions
are ordered like:
meta l4proto tcp ip saddr 1.2.3.4
|
... and 'meta l4proto' did clear the PAYLOAD flag.
The simpler fix is:
ctx->flags &= ~NFT_XT_CTX_PAYLOAD;
in nft_parse_cmp(), but that breaks dissection of '1-42', because
the second compare ('cmp lte 42') will not find the
payload expression anymore.
This commit fixes #11169 and openwrt/packages#22727, and potentially anyone that uses iptables-nft legacy support.
Signed-off-by: Rodrigo B. de Sousa Martins <rodrigo.sousa.577@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16504
[Added patch header]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
44b1993f766e66c13e09d7c09a3c8f85655a446e)
Hauke Mehrtens [Fri, 22 Nov 2024 23:34:30 +0000 (00:34 +0100)]
wifi-scripts: Fix parsing of Capabilities
Fixup capabilities parsing in iw output.
In addition to the normal capabilities iw now also outputs HE MAC, HE
PHY and EHT MAC and EHT PHY capabilities. Exclude them in the parsing.
The grep returns this with mac80211-hwsim:
```
root@OpenWrt:~# iw phy phy0 info | grep 'Capabilities:'
Capabilities: 0x107e
HE PHY Capabilities: (0x02bfce0000000000000000):
EHT PHY Capabilities: (0x7c0000feffff7f01):
HE PHY Capabilities: (0x02bfce0000000000000000):
EHT PHY Capabilities: (0x7c0000feffff7f01):
HE PHY Capabilities: (0x02bf000000000000000000):
Capabilities: 0x107e
HE PHY Capabilities: (0x1cbfce0000000000000000):
EHT PHY Capabilities: (0xfc1f3ffeffff7f37):
HE PHY Capabilities: (0x1cbfce0000000000000000):
EHT PHY Capabilities: (0xfc1f3ffeffff7f37):
HE PHY Capabilities: (0x1cbf000000000000000000):
HE PHY Capabilities: (0x1cbfce0000000000000000):
EHT PHY Capabilities: (0xfefffffeffffff7f):
HE PHY Capabilities: (0x1cbfce0000000000000000):
EHT PHY Capabilities: (0xfefffffeffffff7f):
HE PHY Capabilities: (0x1cbf000000000000000000):
Capabilities: 0x107e
```
With busybox 1.36.1 the ht_cap_mask variable will be set to
-
72057598332895361. With busybox 1.37.0 it will be set to -1.
Both values are wrong, after this change it will be set to 4222
(0x107E).
Link: https://github.com/openwrt/openwrt/pull/17043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
adf958c9192d94fbeeb0ec8e16800b0071455909)
RISCi_ATOM [Fri, 29 Nov 2024 18:15:52 +0000 (13:15 -0500)]
ath79: Add back gl-x750
RISCi_ATOM [Fri, 29 Nov 2024 18:14:42 +0000 (13:14 -0500)]
kernel / mac80211: Bump to 5.15.173
Removed upstreamed patches:
target/linux/generic/pending-5.15/110-v6.3-0001-spidev-Add-Silicon-Labs-EM3581-device-compatible.patch
target/linux/generic/pending-5.15/110-v6.3-0002-spidev-Add-Silicon-Labs-SI3210-device-compatible.patch
Added to mac80211:
Fix genlmsg_multicast_allns() build error on kernel 6.6.59.
Based on kernel patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit?h=v6.6.59&id=
e0f83d268974dab0361d11904dfc9acec53f96a6
package/kernel/mac80211/patches/build/236-fix-genlmsg_multicast_allns-build-error-on-kernel-6.6.59.patch
RISCi_ATOM [Sat, 23 Nov 2024 05:02:20 +0000 (00:02 -0500)]
luci: Add luci-proto-modemmanager
Sander Vanheule [Sun, 22 Sep 2024 14:46:43 +0000 (16:46 +0200)]
firmware-utils: bump to latest openwrt-23.05
This version bump contains one patch improving compatibility with recent
vendor firmware versions:
- commit
f3b636d0ee47 ("tplink-safeloader: bump EAP610-V3 compat_level")
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Felix Fietkau [Fri, 20 Sep 2024 09:23:24 +0000 (11:23 +0200)]
ucode: another fix for host installation
The previous host installation fix accidentally moved the rpath settings
out of CMAKE_HOST_OPTIONS and into CMAKE_OPTIONS.
Fixes:
ae42ecaad4e7 ("ucode: fix host installation")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
2ee1392e094f9b6fdb2a759e2e29fa203b61e066)
RISCi_ATOM [Sat, 5 Oct 2024 21:27:04 +0000 (17:27 -0400)]
xl2tpd : Add xl2tpd to base, pulled from upstream feed commit
a111405eac397f4a48492e9d710cea3aeb9092c3
Hauke Mehrtens [Sat, 27 Jul 2024 17:29:04 +0000 (19:29 +0200)]
ncurses: Fix path in ncursesw.pc
The file contains the the /usr/lib path from the toolchain directory and
not from the target directory. The /usr/lib directory for the toolchain
is empty and the shared library is not in the specified paths. On RISCV
the linker of util-linux was finding the libncursesw.so in my host
system, tried to link against it and failed. Fix the .pc file.
Fixes: #15942
Co-authored-by: Thomas Weißschuh <thomas@t-8ch.de>
Link: https://github.com/openwrt/openwrt/pull/16018
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit
91573ac145aa70a12b0984ec75507ac648569240)
Link: https://github.com/openwrt/openwrt/pull/16390
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Philip Prindeville [Mon, 15 Jul 2024 14:54:22 +0000 (08:54 -0600)]
build: autoconf: set ac_cv_func_setresuid=true
MUSL and eglibc provide these symbols.
Bind needs setresuid() to build properly in recent versions.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Link: https://github.com/openwrt/openwrt/pull/15952
(cherry picked from commit
0bd129a5d3b298340e1f6351942a8ccc2ba6eaea)
Link: https://github.com/openwrt/openwrt/pull/16390
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Wed, 11 Sep 2024 21:03:50 +0000 (23:03 +0200)]
mbedtls: Update to 2.28.9
This contains a fix for:
CVE-2024-45157:
Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
Link: https://github.com/openwrt/openwrt/pull/16367
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Ivan Pavlov [Thu, 5 Sep 2024 08:21:57 +0000 (11:21 +0300)]
openssl: update to 3.0.15
OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this release is Moderate.
This release incorporates the following bug fixes and mitigations:
* Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
* Fixed possible buffer overread in SSL_select_next_proto() (CVE-2024-5535)
Added github releases url as source mirror
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16332
(cherry picked from commit
62d3773bf19a3e2f39935c08a8b5b2186777f314)
Link: https://github.com/openwrt/openwrt/pull/16346
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
David Bauer [Sun, 15 Sep 2024 01:26:58 +0000 (03:26 +0200)]
ucode: fix missing backslash
Fixes:
ae42ecaad4e7 ("ucode: fix host installation")
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
9d663c7435752bf17ecec4bfc66c73cde55ed04c)
David Bauer [Mon, 19 Aug 2024 13:25:10 +0000 (15:25 +0200)]
ucode: fix host installation
The path for linking libucode.so was not specified for the ucode binary.
This breaks execution of ucode in the host context.
Signed-off-by: David Bauer <david.bauer@uniberg.com>
(cherry picked from commit
ae42ecaad4e7b4878083f08a2cba6ce511ac6c43)
Matthias Schiffer [Thu, 29 Aug 2024 18:24:02 +0000 (20:24 +0200)]
base-files: fix merge of passwd/shadow/group lines with trailing colons
Empty trailing fields get lost when the lines are split and merged again
at colons, resulting in unparsable entries. Only use the split fields for
matching against the other file, but emit the original line unchanged
to fix the issue.
Fixes:
de7ca7dafadf ("base-files: merge /etc/passwd et al at sysupgrade config restore")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit
9bbaa6f2c0419739fb85d48d0f527cb1622946ee)
Matthias Schiffer [Thu, 29 Aug 2024 18:04:02 +0000 (20:04 +0200)]
tools: libtool: do not symlink files in bootstrap
Another instance of files in build_dir symlinking to staging_dir. While
the symlinks do not currently cause any bugs in the libtool package,
such symlinks were found to make the build more fragile, as writing to
the symlink may accidentally modify the shared file in staging_dir. Pass
--copy to bootstrap to disable the symlinking.
Link: https://github.com/openwrt/openwrt/pull/15825
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit
d6e54593198851235906c6ab77c20c6209ab19f5)
Matthias Schiffer [Thu, 29 Aug 2024 18:04:02 +0000 (20:04 +0200)]
include: autotools: do not symlink files in autoreconf
In Gluon's Github Actions CI, we were occasionally seeing bizarre build
errors that looked like a config.sub file had been corrupted, or changed
while it was being executed.
The cause turned out to be an interaction of the symlinks created by
autoreconf (pointing from individual tools' build dirs into
`staging_dir/host/share/automake-1.16`) and OpenWrt's host-build.mk,
which replaced config.guess and config.sub *after* autoreconf. The
result was that the replacement of these files ended up following the
symlinks and writing the files in `staging_dir/host/share/automake-1.16`
instead of a package's build dir. This could cause other packages' builds
to fail if they were currently executing the scripts while they were
being written.
To fix this, disable autoreconf's symlinking feature, so that modifying
these files in a package's build directory can't accidentally affect the
staged versions.
Link: https://github.com/openwrt/openwrt/pull/15825
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit
c364cb8e469f9a7de1ed8960163c90e26b2df1ad)
Sarah Maedel [Wed, 28 Aug 2024 09:27:05 +0000 (11:27 +0200)]
hostapd: fix anqp_3gpp_cell_net list delimiter
This patch fixes the list delimiter between 3GPP networks
passed to hostapd.
> list iw_anqp_3gpp_cell_net '262,001'
> list iw_anqp_3gpp_cell_net '262,002'
When passing a list of "iw_anqp_3gpp_cell_net" parameters via UCI,
hostapd would crash at startup:
> daemon.err hostapd: Line 73: Invalid anqp_3gpp_cell_net: 262,001:262,002
Using a semicolon as a delimiter, hostapd will start as expected.
Signed-off-by: Sarah Maedel <git@tbspace.de>
(cherry picked from commit
8de185a176079e738984ab0fc89841bc2e613fb1)
RISCi_ATOM [Sun, 11 Aug 2024 20:46:41 +0000 (16:46 -0400)]
https-dns-proxy: Adds https-dns-proxy to base
This commit adds https-dns-proxy. The default DNS providers, Google
/ Cloudflare, have been replaced with Quad9.
RISCi_ATOM [Sun, 11 Aug 2024 20:45:06 +0000 (16:45 -0400)]
uhttpd: Make https redirect the default in luci
RISCi_ATOM [Sun, 11 Aug 2024 18:57:15 +0000 (14:57 -0400)]
librecmc: fix default ntp pool, use upstream.
Hauke Mehrtens [Thu, 25 Jul 2024 20:05:11 +0000 (22:05 +0200)]
ath79: Fix PHY access over ag71xx driver
.ndo_do_ioctl is not called any more. For PHY MII ioctl handling, the
kernel calls .ndo_eth_ioctl now.
The SIOCSIFHWADDR and SIOCGIFHWADDR operation are handled in the generic
code in the same way just with more input validation.
See upstream Linux kernel commit:
https://git.kernel.org/linus/
a76053707dbf0dc020a73b4d90cd952409ef3691
Reported-by: Cthulhu88 in https://forum.openwrt.org/t/ethernet-leds-control-for-tp-link-tl-wr1043nd-v2-v3/202378
Link: https://github.com/openwrt/openwrt/pull/16005
(cherry picked from commit
f86273e742b9f01565018494733d38438e7f0098)
Link: https://github.com/openwrt/openwrt/pull/16023
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
RISCi_ATOM [Thu, 8 Aug 2024 20:57:55 +0000 (16:57 -0400)]
kernel: Bump to 5.15.164
Rany Hany [Wed, 31 Jul 2024 17:16:55 +0000 (17:16 +0000)]
hostapd: fix SAE H2E security vulnerability
This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.
As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].
An explanation of the impact of the vulnerability is provided from the
advisory[1]:
This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.
[1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/16043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
db7f70fe6140e99ae709c7bf2a25eb983cb725ed)
Hauke Mehrtens [Sun, 21 Jul 2024 23:02:41 +0000 (01:02 +0200)]
mac80211: Update to version 6.1.102-1
Upstream removed SSB and BCMA, the drivers are now compiled against the
in kernel versions. No need to patch this for OpenWrt.
Link: https://github.com/openwrt/openwrt/pull/15983
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Thu, 25 Jul 2024 23:13:51 +0000 (01:13 +0200)]
mac80211: Fix wifi throughput
Backport 2 patches from upstream Linux to fix a Wifi throughput
problem.
Fixes:
323e249ce8ed ("mac80211: Update to version 6.1.97-1")
Link: https://github.com/openwrt/openwrt/pull/16007
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
RISCi_ATOM [Sun, 21 Jul 2024 17:05:01 +0000 (13:05 -0400)]
targets : wpad-basic-wolfssl is now the default
The libreCMC project uses wolfssl as the default
ssl library and has for a while. This changed was
staged a while ago but never committed.
RISCi_ATOM [Tue, 16 Jul 2024 15:32:21 +0000 (11:32 -0400)]
openssh: bump to 9.8p1
Release notes: https://www.openssh.com/txt/release-9.8
* 9.8p1 fixes CVE-2024-6387
* Adjusted Makefile to provide /usr/lib/sshd-session
* Given the troubles with -fzero-call-used-regs and all the
broken checks, makes sense to skip it
(From upstream pkg feed @ :
a9ee98f9efeb10e047abaa5233a2eae6878ce9cc)
Hauke Mehrtens [Sun, 14 Jul 2024 23:06:38 +0000 (01:06 +0200)]
wolfssl: Update to version 5.7.2
This fixes multiple security problems:
* [Medium] CVE-2024-1544
Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls.
* [Medium] CVE-2024-5288
A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations.
* [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS.
* [Low] CVE-2024-5991
In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked.
* [Medium] CVE-2024-5814
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection.
* [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received.
* [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt.
Unset DISABLE_NLS to prevent setting the unsupported configuration
option --disable-nls which breaks the build now.
Link: https://github.com/openwrt/openwrt/pull/15948
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
3a0232ffd33f2dc894c671d90de6b2766399f4dc)
Paweł Owoc [Mon, 18 Mar 2024 20:53:51 +0000 (21:53 +0100)]
mac80211: add missing config for third 160MHz width for 5GHz radio
Without this configuration it is not possible to run the radio using HE160 on channels 149-177.
Fixes: #14906
Signed-off-by: Paweł Owoc <frut3k7@gmail.com>
(cherry picked from commit
a91b79fd04d58e711273d08e0b1246942b2eec98)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Wed, 10 Jul 2024 21:52:41 +0000 (23:52 +0200)]
wireless-regdb: Update to version 2024.07.04
Changes:
2a768c4 wireless-regdb: Update regulatory rules for Mongolia (MN) on 6GHz
04875d9 wireless-regdb: Update regulatory rules for Saudi Arabia (SA) on 6GHz
b7bced8 wireless-regdb: Update regulatory rules for South Africa (ZA) on 6GHz
7bc8615 wireless-regdb: Update regulatory info for Thailand (TH) on 6GHz
f901fa9 wireless-regdb: Update regulatory info for Malaysia (MY) for 2022
d72d288 wireless-regdb: Update regulatory info for Morocco (MA) on 6GHz
414face wireless-regdb: Update regulatory info for Chile (CL) on 6GHz
1156a08 wireless-regdb: Update regulatory info for Mexico (MX) on 6GHz
cc6cf7c wireless-regdb: Update regulatory info for Iceland (IS) on 6GHz
ce03cc0 wireless-regdb: Update regulatory info for Mauritius(MU) on 6GHz
7e37778 wireless-regdb: Update regulatory info for Argentina (AR) on 6GHz
56f3a43 wireless-regdb: Update regulatory info for United Arab Emirates (AE) on 6GHz
3cb8b91 wireless-regdb: Update regulatory info for Colombia (CO) on 6GHz
3682ce5 wireless-regdb: Update regulatory info for Costa Rica (CR) for 2021
dd4ffe7 wireless-regdb: Update regulatory info for Dominican Republic (DO) on 6GHz
f8ef7da wireless-regdb: Update regulatory info for Liechtenstein (LI) on 6GHz
a9ecabe wireless-regdb: Update regulatory info for Jordan (JO) for 2022
5a9fdad wireless-regdb: Update regulatory info for Kenya (KE) for 2022
19326c3 wireless-regdb: Update regulatory info for Macao (MO) for 2024
4838054 wireless-regdb: update regulatory database based on preceding changes
Link: https://github.com/openwrt/openwrt/pull/15921
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit
0a24fd91556e7bd4751676b5ce6324193b7a4aca)
Florian Eckert [Thu, 21 Mar 2024 11:55:01 +0000 (12:55 +0100)]
kernel: update deprecated license information
Update the deprecated license information from GPL-2.0 to GPL-2.0-only
as written in the COPYING file of the linux source tree.
Also add the 'COPYING' file to the PKG_LICENSE_FILES variable.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit
879826154fd3e5ec353117a9c00cecf5e38c4a16)
Link: https://github.com/openwrt/openwrt/pull/15918
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Florian Eckert [Fri, 15 Mar 2024 10:57:14 +0000 (11:57 +0100)]
mac80211: add missing license information
The lincense information for the packages mac80211 are missing.
This commit adds the missing information.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [backport]
(cherry picked from commit
3128157ec71c7be5c2e26a04b1f4b5080ebf870a)
Link: https://github.com/openwrt/openwrt/pull/15918
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Florian Eckert [Wed, 13 Mar 2024 11:41:38 +0000 (12:41 +0100)]
ca-certificates: add missing license information
The package has no licence information. So let's fix it.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit
0da116f25b1a80ac9429fd7d13ee30130494f19e)
Link: https://github.com/openwrt/openwrt/pull/15918
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Florian Eckert [Tue, 19 Mar 2024 14:44:44 +0000 (15:44 +0100)]
wireless-regdb: add missing license information
Add the missing license information PKG_LICENSE and PKG_LICENSE_FILES.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit
7a3deadf91a356b6b0ac25771854f8fa1c3e6980)
Link: https://github.com/openwrt/openwrt/pull/15918
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Christian Marangi [Tue, 9 Jul 2024 02:41:21 +0000 (04:41 +0200)]
image: exclude initramfs-images dependency with IB
Exclude initramfs-images dependency with IB as the target is not defined
in such context.
Fixes:
cc6a0abcabf7 ("image: make images and artifacts dependent of initramfs")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
e5d23b5aa5346de30befc2b05000a3967ca5b460)
Christian Marangi [Mon, 8 Jul 2024 11:10:52 +0000 (13:10 +0200)]
image: make images and artifacts dependent of initramfs
There is currently a BIG bug in how the images dependency is handled and
recent Per Device Rootfs made this more clear and less statistical.
There is currently no dependency between images/artifacts build with
initramfs build. This cause whatever additional image that depends on an
initramfs image to fail as it might happen that image and initramfs
build are called at the same time and the additional image is called
before initramfs build has finished.
Each image-command assume the source image to be taken from the /bin
directory but that is only copied from the /tmp directory only at the
end of the process.
Artifacts currently depends on image with the use of the
BOARD-NAME-images Makefile target, but this is not the case for
initramfs that also define a -images Makefile target but that is not
accounted in images (that might depend on some initramfs images)
To actually fix this, introduce a new Makefile target, -initramfs-images
and make image and artifacts build to depend on this. Since initramfs
images are optional, this dependency is actived only when initramfs
image are built.
With this change we correctly enforce the build order:
- Initramfs Images (optional)
- Images
- Artifacts
(cherry picked from commit
cc6a0abcabf718df872c0f6876d1121d3dd09953)
[ rebased on openwrt-23.05 ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Jordan Woyak [Tue, 26 Mar 2024 01:56:06 +0000 (20:56 -0500)]
config: Enable ext4 journaling by default.
Not having a journal by default is a major "gotcha".
Because openwrt does not fsck on boot, a power loss without journaling
can result in a dirty filesystem that openwrt will mount as read-only
which requires intervention to restore the router to working order.
Signed-off-by: Jordan Woyak <jordan.woyak@gmail.com>
(cherry picked from commit
f9f2426e398cf74d1098ae40317bfba677ac7560)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Felix Fietkau [Thu, 4 Apr 2024 11:45:33 +0000 (13:45 +0200)]
libxml2: add host build dependency on libiconv-full
Fixes build on macOS
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
4ef13c4a49708d361df663a6e42e6e114a71c020)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Felix Fietkau [Wed, 10 Apr 2024 11:46:40 +0000 (13:46 +0200)]
hostapd: fix a crash corner case
On some setup failures, iface->bss can be NULL
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
1ee5b7e506f937e16737472eed02bc5409716304)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sun, 21 Apr 2024 15:40:09 +0000 (17:40 +0200)]
mbedtls: Update to 2.28.8
This contains a fix for:
CVE-2024-28960: An issue was discovered in Mbed TLS 2.18.0 through 2.28.x
before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto
API mishandles shared memory.
(cherry picked from commit
360ac07eb933feaf29bb031f788f0bf81c473be7)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sun, 7 Apr 2024 20:46:13 +0000 (22:46 +0200)]
uencrypt: Fix compile warnings
keylen and ivlen are of type long and not size_t.
(cherry picked from commit
0fd9acb47165e9ef07b3fa0e4f381ebe5365464c)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Thomas Winkler [Fri, 10 Nov 2023 21:48:59 +0000 (22:48 +0100)]
base-files: fix uid/gid auto-enumeration to avoid 16-bit limit
uid/gid range should be limited to 16bit unsigned integer range to
avoid "wraparound" issues with permissions where jffs2
is employed for storage and chown 65536 (first auto-created user)
becomes equivalent to chown 0
Fixes: #13927
Signed-off-by: Thomas Winkler <tewinkler86@gmail.com>
(cherry picked from commit
140b48a9e93909873bee777ca5bdf49fe4f01271)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Sahil Dhiman [Sat, 25 May 2024 09:57:12 +0000 (15:27 +0530)]
scripts: Add GNU ftp mirror redirector for GNU and Savannah
Add GNU's redirector which automatically redirect user to nearby online
mirror.
Signed-off-by: Sahil Dhiman <sahil@hopbox.in>
Link: https://github.com/openwrt/openwrt/pull/15557
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit
6510eb3b5d612ea7a70c4a8d9b83639e3b46e221)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Qingfang Deng [Fri, 7 Jun 2024 09:55:38 +0000 (17:55 +0800)]
config: kernel: remove KASAN_EXTRA
The option has been removed from the kernel since 5.1.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
(cherry picked from commit
60ea3d6d46954553b7b50460dfe6b86878fe5990)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Rosen Penev [Fri, 14 Jun 2024 23:01:34 +0000 (16:01 -0700)]
tools/sparse: fix compilation with GCC14
Upstream backport.
Get rid of PKG_RELEASE as it's irrelevant to tools.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit
253d777c968b8fd74e857bec4cd74267daae0010)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Christian Marangi [Mon, 17 Jun 2024 11:19:52 +0000 (13:19 +0200)]
scripts/ext-toolchain: add missing libc library specs
Add missing libc library spec that weren't added to the ext-toolchain
script when the library were introduced in the packages libs toolchain
Makefile.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
8cad52a267bffe384a119f3e5ae1892e8580a981)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Felix Fietkau [Fri, 14 Jun 2024 12:43:39 +0000 (14:43 +0200)]
hostapd: fix crash on interface setup failure
Add a missing NULL pointer check when deleting beacons
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
3984fb0582083c5c0f511ed3a33eb17908eccb08)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Felix Fietkau [Fri, 14 Jun 2024 12:17:57 +0000 (14:17 +0200)]
hostapd: use strdup on string passed to hostapd_add_iface
The data is modified within hostapd_add_iface
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit
032d3fcf7a861b140435b6507b2b0b66361c92f8)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Nathaniel Wesley Filardo [Thu, 20 Jun 2024 14:15:50 +0000 (15:15 +0100)]
kernel: crypto: remove FCRYPT from miscellany
It has its own dedicated knob
Signed-off-by: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15761
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit
7d71c03ab188a58d74d6cdbeabb38b70ead2c74b)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sat, 29 Jun 2024 16:23:13 +0000 (18:23 +0200)]
kernel: Add kmod-mfd
Package the mfd-core.ko kernel module. It is selected by the
kmod-hwmon-gsc already.
Link: https://github.com/openwrt/openwrt/pull/15833
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
8b4fd1c0dece936dc2c79f2a17d824512e7e7df3)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sat, 29 Jun 2024 16:14:47 +0000 (18:14 +0200)]
kernel: Add kmod-crypto-xxhash
kxxhash_generic.ko is a soft dependency of kmod-fs-btrfs, but we did not
package it. Extract the kmod-lib-xxhash and then package
xxhash_generic.ko.
Link: https://github.com/openwrt/openwrt/pull/15833
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
2ebeda029490e308cc0e8f475e63280f960e74c4)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sat, 29 Jun 2024 15:38:46 +0000 (17:38 +0200)]
kernel: Add kmod-crypto-blake2b
The kmod-fs-btrfs package has a soft dependency to kmod-crypto-blake2b
The CONFIG_BTRFS_FS kernel build option selects CONFIG_CRYPTO_BLAKE2B,
but we did not package it before.
Link: https://github.com/openwrt/openwrt/pull/15833
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
f89091bba6be483e66c5ac14c477621f74aef203)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sat, 29 Jun 2024 15:54:49 +0000 (17:54 +0200)]
kernel: Fix kmod-lib-lz4 packaging
The kernel provides two variants of the lz4 compression a normal version
and a high compression mode version. The old kmod-lib-lz4 package
contained the normal version plus one part of the lz4hc version. There
was already code which selected the kmod-lib-lz4hc package which did
not exists.
I split this into 3 packages. kmod-lib-lz4 and kmod-lib-lz4hc for the
normal the and high compression algorithm which contain the specific
code and the kmod-lib-lz4-decompress which contains the common
decompressor.
New we are also packaging lz4hc.ko
Link: https://github.com/openwrt/openwrt/pull/15833
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
fac507606d75eec04762013582273468eea7ed92)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sat, 29 Jun 2024 15:24:09 +0000 (17:24 +0200)]
kernel: Extract kmod-nf-dup-inet
The nf_dup_ipv4.ko and nf_dup_ipv6.ko kernel module were packaged by
kmod-ipt-tee and kmod-nft-dup-inet at the same time. Extract them into a
separate package used by both.
Link: https://github.com/openwrt/openwrt/pull/15833
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
b0953c4fbf1bb0ad0844febe991636d05884c194)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Thu, 27 Jun 2024 23:32:46 +0000 (01:32 +0200)]
mac80211: Update to version 6.1.97-1
This updates mac80211 to version 6.1.97-1. This code is based on Linux
6.1.97 and contains all fixes included in the upstream wireless
subsystem from that kernel version. This includes many bugfixes and also
some security fixes.
The removed patches are already integrated in upstream Linux 6.1.97 or
in backports.
The following patches were integrated in upstream Linux:
ath11k/0013-wifi-ath11k-synchronize-ath11k_mac_he_gi_to_nl80211_.patch
ath11k/0035-wifi-ath11k-Use-platform_get_irq-to-get-the-interrup.patch
ath11k/0036-wifi-ath11k-fix-SAC-bug-on-peer-addition-with-sta-ba.patch
ath11k/0047-wifi-ath11k-fix-deinitialization-of-firmware-resourc.patch
ath11k/0053-wifi-ath11k-fix-writing-to-unintended-memory-region.patch
ath11k/0060-wifi-ath11k-Ignore-frags-from-uninitialized-peer-in-.patch
ath11k/0065-wifi-ath11k-fix-tx-status-reporting-in-encap-offload.patch
ath11k/0067-wifi-ath11k-Fix-SKB-corruption-in-REO-destination-ri.patch
ath11k/0069-wifi-ath11k-fix-registration-of-6Ghz-only-phy-withou.patch
ath11k/0080-wifi-ath11k-add-support-default-regdb-while-searchin.patch
ath11k/0085-wifi-ath11k-fix-memory-leak-in-WMI-firmware-stats.patch
ath11k/0086-wifi-ath11k-Add-missing-check-for-ioremap.patch
ath11k/0096-wifi-ath11k-fix-boot-failure-with-one-MSI-vector.patch
subsys/337-wifi-mac80211-fix-race-condition-on-enabling-fast-xm.patch
The following patches were integrated in upstream backports:
ath11k/901-wifi-ath11k-pci-fix-compilation-in-5.16-and-older.patch
build/080-resv_start_op.patch
build/110-backport_napi_build_skb.patch
The following files are missing in backports, we do not have to remove
them any more. Some were already missing before some were removed in
this update:
include/linux/cordic.h
include/linux/crc8.h
include/linux/eeprom_93cx6.h
include/linux/wl12xx.h
include/net/ieee80211.h
backport-include/linux/bcm47xx_nvram.h
include/linux/ath9k_platform.h
include/net/bluetooth/
backports ships a dummy Mediatek wed header for older kernel versions.
We backported the feature in our kernel, remove the dummy header:
backport-include/linux/soc/mediatek/mtk_wed.h
Remove header files for subsystems used form the mainline kernel:
include/trace/events/qrtr.h
include/net/rsi_91x.h
backport-include/linux/platform_data/brcmnand.h
Link: https://github.com/openwrt/openwrt/pull/15827
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
RISCi_ATOM [Tue, 9 Jul 2024 16:57:51 +0000 (12:57 -0400)]
kernel: mac80211 Remove patches for non-free devices we don't use / support.
Hauke Mehrtens [Mon, 1 Jul 2024 21:55:03 +0000 (23:55 +0200)]
iw: sync nl80211.h
Update the nl80211.h file in iw with the version from backports.
The files were out of sync already before the mac80211 update. If iw set
the NL80211_ATTR_WIPHY_ANTENNA_GAIN attribute the kernel assumed it set
the NL80211_ATTR_PUNCT_BITMAP attribute because the id was the same.
Link: https://github.com/openwrt/openwrt/pull/15827
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Lu jicong [Tue, 2 Jul 2024 13:01:49 +0000 (21:01 +0800)]
target.mk: fix arm architecture level detection
Now kernel configs of armv6k CPUs don't include CONFIG_CPU_V6.
So armv6k CPUs cannot be detected as arm_v6.
Fix this by adding detection for CONFIG_CPU_V6K.
Signed-off-by: Lu jicong <jiconglu58@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15855
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
d55083fbcaea9cdd2ebc10a2d38989ad485a5357)
Fabrice Fontaine [Sat, 27 Apr 2024 15:50:05 +0000 (17:50 +0200)]
package/utils/secilc: drop PKG_CPE_ID
cpe:/a:selinuxproject:secilc is not a correct CPE ID for secilc:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3:a:selinuxproject:secilc
Fixes:
9ee7c1ec60e23f25f5d275c6439ce93aec914e1c (secilc: adds new package)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15298
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit
58a5877846e2913bed4fd982386797d7751f58f0)
Link: https://github.com/openwrt/openwrt/pull/15881
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fabrice Fontaine [Sat, 27 Apr 2024 15:25:58 +0000 (17:25 +0200)]
package/network/utils/iptables: fix PKG_CPE_ID
cpe:/a:netfilter:iptables is the correct CPE ID for iptables:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3:a:netfilter:iptables
Fixes:
c61a2395140d92cdd37d3d6ee43a765427e8e318 (add PKG_CPE_ID ids to package and tools)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15297
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit
6e5edec159e2dc468607a5b9179f722857a38421)
Link: https://github.com/openwrt/openwrt/pull/15881
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fabrice Fontaine [Fri, 26 Apr 2024 15:47:24 +0000 (17:47 +0200)]
package/libs/libjson-c: fix PKG_CPE_ID
cpe:/a:json-c:json-c is the correct CPE ID for libjson-c:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3:a:json-c:json-c
Fixes:
c61a2395140d92cdd37d3d6ee43a765427e8e318 (add PKG_CPE_ID ids to package and tools)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15292
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit
a4f723e04ed245819fe320f472a4ff2b4eda00fb)
Link: https://github.com/openwrt/openwrt/pull/15881
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fabrice Fontaine [Fri, 26 Apr 2024 14:09:32 +0000 (16:09 +0200)]
package/network/services/dropbear: fix PKG_CPE_ID
cpe:/a:dropbear_ssh_project:dropbear_ssh is the correct CPE ID for dropbear:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3:a:dropbear_ssh_project:dropbear_ssh
Fixes:
c61a2395140d92cdd37d3d6ee43a765427e8e318 (add PKG_CPE_ID ids to package and tools)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15290
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit
289f811abb4ace7aa08ae7bf85c0d4f9460f0802)
Link: https://github.com/openwrt/openwrt/pull/15881
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fabrice Fontaine [Fri, 26 Apr 2024 08:41:15 +0000 (10:41 +0200)]
toolchain/nasm: fix PKG_CPE_ID
cpe:/a:nasm:netwide_assembler is the correct CPE ID for nasm:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3:a:nasm:netwide_assembler
Fixes:
bcf02c5d3123a99c717ca33f1d7c6250acf0f33f (toolchain: assign PKG_CPE_ID)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit
e1ca08518e96ccf088119fbc9930c5e4beef86cc)
Link: https://github.com/openwrt/openwrt/pull/15881
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fabrice Fontaine [Fri, 26 Apr 2024 08:51:16 +0000 (10:51 +0200)]
tools/flex: fix PKG_CPE_ID
cpe:/a:westes:flex is the correct CPE ID for flex:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3:a:westes:flex
Fixes:
c61a2395140d92cdd37d3d6ee43a765427e8e318 (add PKG_CPE_ID ids to package and tools)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit
832460b452d840451adf44713e90515fc61c88ab)
Link: https://github.com/openwrt/openwrt/pull/15881
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fabrice Fontaine [Fri, 26 Apr 2024 08:59:58 +0000 (10:59 +0200)]
tools/zlib: fix PKG_CPE_ID
cpe:/a:zlib:zlib is the correct CPE ID for zlib:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3:a:zlib:zlib
Fixes:
c61a2395140d92cdd37d3d6ee43a765427e8e318 (add PKG_CPE_ID ids to package and tools)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit
e9ecaade6f1f9bd821523a3b731bfaaf5ab5ca35)
Link: https://github.com/openwrt/openwrt/pull/15881
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fabrice Fontaine [Fri, 26 Apr 2024 13:09:50 +0000 (15:09 +0200)]
package/libs/pcre2: fix PKG_CPE_ID
cpe:/a:pcre:pcre2 is the correct CPE ID for pcre2:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3:a:pcre:pcre2
Fixes:
c39b0646f3f2d96d40f601209859175af8537b6d (pcre2: import pcre2 from packages feed)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit
27d1ebb46adfd58db9a8034336c2d85b41f617f9)
Link: https://github.com/openwrt/openwrt/pull/15881
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Sean Khan [Sun, 9 Jun 2024 01:02:30 +0000 (21:02 -0400)]
openssl: conditionally disable engine section
Currently, the build option to enable/disable engine support isn't
reflected in the final '/etc/ssl/openssl.cnf' config. It assumes `engines`
is always enabled, producing an error whenever running any
commands in openssl util or programs that explicitly use settings
from '/etc/ssl/openssl.cnf'.
```
➤ openssl version
FATAL: Startup failure (dev note: apps_startup()) for openssl
307D1EA97F000000:error:
12800067:lib(37):dlfcn_load:reason(103):crypto/dso/dso_dlfcn.c:118:filename(libengines.so):
Error loading shared library libengines.so: No such file or directory
307D1EA97F000000:error:
12800067:lib(37):DSO_load:reason(103):crypto/dso/dso_lib.c:152:
307D1EA97F000000:error:
0700006E:lib(14):module_load_dso:reason(110):crypto/conf/conf_mod.c:321:module=engines, path=engines
307D1EA97F000000:error:
07000071:lib(14):module_run:reason(113):crypto/conf/conf_mod.c:266:module=engines
```
Build should check for the `CONFIG_OPENSSL_ENGINE` option, and comment out `engines`
if not explicitly enabled.
Example:
```
[openssl_init]
providers = provider_sect
```
After this change, openssl util works correctly.
```
➤ openssl version
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
```
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/15661
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit
31ec4515c3c14704d669156d87e2af5eeb5420e4)
Link: https://github.com/openwrt/openwrt/pull/15873
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sun, 21 Apr 2024 15:46:55 +0000 (17:46 +0200)]
wolfssl: Update to 5.7.0
This fixes multiple security problems:
* [High] CVE-2024-0901 Potential denial of service and out of bounds
read. Affects TLS 1.3 on the server side when accepting a connection
from a malicious TLS 1.3 client. If using TLS 1.3 on the server side
it is recommended to update the version of wolfSSL used.
* [Med] CVE-2024-1545 Fault Injection vulnerability in
RsaPrivateDecryption function that potentially allows an attacker
that has access to the same system with a victims process to perform
a Rowhammer fault injection. Thanks to Junkai Liang, Zhi Zhang, Xin
Zhang, Qingni Shen for the report (Peking University, The University
of Western Australia)."
* [Med] Fault injection attack with EdDSA signature operations. This
affects
ed25519 sign operations where the system could be susceptible
to Rowhammer attacks. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang,
Qingni Shen for the report (Peking University, The University of
Western Australia).
Size increased a little:
wolfssl 5.6.6:
516880 bin/packages/mips_24kc/base/libwolfssl5.6.6.e624513f_5.6.6-stable-r1_mips_24kc.ipk
wolfssl: 5.7.0:
519429 bin/packages/mips_24kc/base/libwolfssl5.7.0.e624513f_5.7.0-stable-r1_mips_24kc.ipk
(cherry picked from commit
f475a44c03a303851959930030ab9e6acebb81a7)
Link: https://github.com/openwrt/openwrt/pull/15872
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Rodrigo Balerdi [Sat, 6 Apr 2024 06:18:00 +0000 (03:18 -0300)]
base-files: minor fix to mmc_get_mac_ascii function
This is mostly a cosmetic cleanup. The absence of
the return statement was not causing any problems.
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>
(cherry picked from commit
8cf4ac5195476356a14678ae72897e563881b15e)
Daniel Golle [Fri, 17 Nov 2023 00:02:05 +0000 (00:02 +0000)]
base-files: add mmc_get_mac_ascii function
Similar to the *_get_mac_binary function, also split the common parts
off mtd_get_mac_ascii into new get_mac_ascii function and introduce
mmc_get_mac_ascii which uses it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit
45c85c1827d45f8041b8f270d80bf6fff328069c)
David Bauer [Thu, 27 Jun 2024 20:59:50 +0000 (22:59 +0200)]
hostapd: bump PKG_RELEASE
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
89d705148553a19a9dc32191cc85aff7616cf536)
David Bauer [Thu, 27 Jun 2024 20:58:56 +0000 (22:58 +0200)]
hostapd: don't ignore probe-requests with invalid DSSS params
Don't ignore probe requests which contain an invalid DS parameter for the
current operating channel.
As the comment outlines, the drop shall only apply if
dot11RadioMeasurementActivated is set to 1.
However, it was observed Linux clients (Debian 12 / NixOS 23.11)
with an Intel 8265 NIC may generate a probe request frame with
dot11RadioMeasurementActivated set to false and an invalid DSSS
parameter.
These were also dropped even though they should not have been. They
however should not have contained this parameter in the first place.
Don't drop Probe Requests which contain such an invalid field. This may
lead to more probe responses being sent, however it does fix very
frequent connection issues for these clients on 2.4 GHz.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
68e4cc9be5f6f485c2d3b00cf4e2f14e98aecee2)
RISCi_ATOM [Tue, 9 Jul 2024 16:10:50 +0000 (12:10 -0400)]
kernel: Bump to 5.15.162
RISCi_ATOM [Mon, 1 Jul 2024 05:16:38 +0000 (01:16 -0400)]
librecmc: Remove package feed
Packages that were commonly found in the package feed have been moved
into the base repo.
RISCi_ATOM [Mon, 1 Jul 2024 05:12:46 +0000 (01:12 -0400)]
librecmc: Remove targets with < 16M of flash
The intent is to add these targets back in the future.. but time
will tell.
RISCi_ATOM [Sat, 29 Jun 2024 18:25:36 +0000 (14:25 -0400)]
luci: Remove lemon binary from tree
RISCi_ATOM [Sat, 29 Jun 2024 18:18:54 +0000 (14:18 -0400)]
librecmc: Bump version of v6.1
RISCi_ATOM [Sat, 29 Jun 2024 18:16:16 +0000 (14:16 -0400)]
librecmc: Bring in packages from feed
Add in (most) packages that were traditionally found in
the package feed.
Pulled in from upstream *23.05 branch with the exception of avahi and
netatalk.
Rosen Penev [Sat, 18 May 2024 00:28:29 +0000 (17:28 -0700)]
mdadm: update to 4.3
Backport three patches, add one for GCC14, and add Alpine time_t patch for
musl.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
John Audia [Wed, 5 Jun 2024 19:55:29 +0000 (15:55 -0400)]
openssl: update to 3.0.14
Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [04-Jun-2024]
* Fixed potential use after free after SSL_free_buffers() is called.
[CVE-2024-4741]
* Fixed checking excessively long DSA keys or parameters may be very slow.
[CVE-2024-4603]
* Fixed an issue where some non-default TLS server configurations can cause
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
exploit certain server configurations to trigger unbounded memory growth that
would lead to a Denial of Service. [CVE-2024-2511]
* New atexit configuration switch, which controls whether the OPENSSL_cleanup
is registered when libcrypto is unloaded. This can be used on platforms
where using atexit() from shared libraries causes crashes on exit
Signed-off-by: John Audia <therealgraysky@proton.me>
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Christian Marangi [Wed, 12 Jun 2024 13:11:48 +0000 (15:11 +0200)]
tools: tar: backport patch for paxlib shipped in tar
Tar 1.34 ship an old version of paxlib with rtapelib.c that produce some
compilation warning. This library got updated in 1.35 but we still can't
use the new Tar version.
GCC 14 then made these compilarion warning errors.
Manually backport the fixes to rtapelib.c and patch the version shipped
in 1.34 to fix these compilation warning.
Fixes: #15692
Fixes:
2951e0a80e9f ("tools: tar: backport patches fixing broken --delete")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
RISCi_ATOM [Thu, 6 Jun 2024 15:33:33 +0000 (11:33 -0400)]
tools/bzip2: Add cmake patch missing from commit
676bfcc813
RISCi_ATOM [Wed, 5 Jun 2024 22:16:30 +0000 (18:16 -0400)]
adblock-fast: update to 1.1.2-1
* move extra_command and EXTRA_HELP to the top of the init file
* add packageCompat variable for compatibility check with WebUI
* add OutputFilter variables for supported resolvers
* simplify adb_check with the use of OutputFilter variables
* add show_blocklist command to display currently blocked domains
RISCi_ATOM [Wed, 5 Jun 2024 22:15:18 +0000 (18:15 -0400)]
adblock: update 4.1.5-9
RISCi_ATOM [Wed, 5 Jun 2024 22:08:39 +0000 (18:08 -0400)]
tor: update to 0.4.8.11
RISCi_ATOM [Wed, 5 Jun 2024 22:04:11 +0000 (18:04 -0400)]
tools/bzip2: switch to cmake
Fixes portability issues
CMakeLists.txt is a stripped-down backport from bzip2 upstream
RISCi_ATOM [Wed, 5 Jun 2024 19:46:21 +0000 (15:46 -0400)]
libxslt: update to 1.1.39
Christian Marangi [Wed, 18 Jan 2023 19:44:56 +0000 (20:44 +0100)]
bpf-headers: fix use of netlink.h header
netlink.h header have NL_SET_ERR_MSG_MOD that is tied to kmods. We don't
need kmods on bpf tools and this cause compilation error if the header
is included. Fix it by dropping NL_SET_ERR_MSG_MOD.
Link: https://github.com/openwrt/openwrt/pull/11825
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Christian Marangi [Wed, 18 Jan 2023 19:50:58 +0000 (20:50 +0100)]
xdp-tools: fix compilation wrongly using host header
Currently it's needed to have gcc-multilib on the host to correctly
compile xdp-tools. This is wrong and means that we are using host header
to compile a tool.
By some searching in how the makefile works it was discovered that
BPF_CFLAGS were not used and required to be appended to config.mk
Only one single header was added but we should include each BPF_CFLAGS
from bpf.mk. To make this some patching to bpf-header were required and
some patches to xdp-tools were required.
Also it's needed to pass the correct target to BPF_CFLAGS.
With the following changes xdp-tools can correctly compile with each
header from bpf-headers and should not use any host header.
Co-Developed-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Andre Heider <a.heider@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/11825
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
RISCi_ATOM [Tue, 4 Jun 2024 16:06:15 +0000 (12:06 -0400)]
gettext-full: Fixup host build configuration args
RISCi_ATOM [Tue, 4 Jun 2024 15:58:46 +0000 (11:58 -0400)]
libxml2: update to 2.12.5
Release Notes:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5
Remove patch:
- 010-iconv.patch
Fixes: CVE-2024-25062
Alexandru Gagniuc [Wed, 3 Apr 2024 19:32:08 +0000 (14:32 -0500)]
wifi-scripts: fix creation of IBSS in legacy (non-HT) mode
When an IBBS interface is configured for IBSS legacy mode, wdev.htmode
is empty. This is empty string results in an empty positional argument
to the "ibbs join" command, for example:
iw dev phy0-ibss0 ibss join crymesh 2412 '' fixed-freq beacon-interval 100
This empty argument is interpreted as an invalid HT mode by 'iw',
causing the entire command to fail and print a "usage" message:
daemon.notice netifd: radio0 (4527): Usage: iw [options] \
dev <devname> ibss join <SSID> <freq in MHz> ...
Although nobody will ever need more than 640K of IBSS, explicitly use
"NOHT" if an HT mode is not given. This fixes the problem.
Fixes:
e56c5f7b276a ("hostapd: add ucode support, use ucode for the main ubus object")
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [extend to cover more cases]
(cherry picked from commit
cee9fcdb7350911f474544189817d25fd4070111)
Christian Marangi [Wed, 22 May 2024 10:41:10 +0000 (12:41 +0200)]
tools: refresh all patches
Refresh all tools patches now that tools/refresh correctly works.
CI now checks for them and actively complain if tools have unrefreshed
patches.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Christian Marangi [Mon, 25 Sep 2023 00:29:31 +0000 (02:29 +0200)]
quilt.mk: don't error on refresh/update if patches doesn't exist
The current code fails if we have package or host tools with no patches
to apply. The error printend is the following: (taking ubus as an
example)
make[2]: Entering directory '/home/ansuel/openwrt-ansuel/openwrt/scripts/config'
make[2]: 'conf' is up to date.
make[2]: Leaving directory '/home/ansuel/openwrt-ansuel/openwrt/scripts/config'
make[1]: Entering directory '/home/ansuel/openwrt-ansuel/openwrt'
make[2]: Entering directory '/home/ansuel/openwrt-ansuel/openwrt/package/system/ubus'
The source directory contains no quilt patches.
make[2]: *** [Makefile:81: quilt-check] Error 1
make[2]: Leaving directory '/home/ansuel/openwrt-ansuel/openwrt/package/system/ubus'
time: package/system/ubus/refresh#0.06#0.00#0.07
ERROR: package/system/ubus failed to build.
make[1]: *** [package/Makefile:120: package/system/ubus/refresh] Error 1
make[1]: Leaving directory '/home/ansuel/openwrt-ansuel/openwrt'
make: *** [/home/ansuel/openwrt-ansuel/openwrt/include/toplevel.mk:232: package/ubus/refresh] Error 2
We exit 1 after saying that there are no patches because later in the
function quilt pop fails to execute.
Having no patches for a package and calling refresh should not be
a critical error and the function should just do nothing.
To handle this improve quilt.mk with the following addition.
- If we don't have any patch for the package, we print a warning and we
create an empty series. This is useful to trick quilt and make it do
nothing.
We also create a status file .quilt_no_patch to detect in the other
function that we don't have patches to handle.
- In refresh makefile target, we check if .quilt_no_patch exist and
we skip quilt cleanup if this exist.
- In RefreshDir function we change the logic and now we delete the
patches directory and not only the content. This is done as a cleanup
to clean case with empty patches directory.
- In RefreshDir we check if .quilt_no_patch exist and we skip creating
the patches directory and copying the refreshed patches.
- In RefreshDir we delete at the end any trace of .quilt_no_patch if
present.
This is needed to support run like package/refresh that will run the
refresh process on any package present in the buildroot.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
9536446965e853231e34c4e5dc4cf13f838b9e90)
Christian Marangi [Mon, 25 Sep 2023 00:26:43 +0000 (02:26 +0200)]
quilt.mk: use CURDIR instead of ./ for PATCH_DIR and FILES_DIR
To better reference them for diagnostic use, reference the PATCH_DIR and
FILES_DIR with the absolute path instead of using ./ and reference by
the relative location.
No behaviour change intended.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
bb1bfb46020b38179ef97d30333c90ab00b71c97)
Christian Marangi [Wed, 22 May 2024 09:56:45 +0000 (11:56 +0200)]
tools/padjffs2: use Host/Prepare/Default instead of raw commands
Now that Host/Prepare/Default is always defined, we can use that instead
of using raw commands to move files from the src directory to
HOST_BUILD_DIR.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
01048c7456785bc4a45452c84d8f31635e1fa60b)
Christian Marangi [Wed, 22 May 2024 09:53:52 +0000 (11:53 +0200)]
tools/missing-macros: install files from HOST_BUILD_DIR instead of src
Install files from HOST_BUILD_DIR instead of src. These files are now
correctly copied to HOST_BUILD_DIR and can be referenced from there.
(cherry picked from commit
46bcbe42236bbe058eaeb89a0d1a4f22926cfdf9)
[ rebased on top of openwrt-23.05 ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Christian Marangi [Wed, 22 May 2024 09:38:49 +0000 (11:38 +0200)]
host-build: always define Host/Prepare/Default
We currently skip defining Host/Prepare/Default if HOST_UNPACK is not
defined.
This is mostly the case for Host packages that just provide files with
the src directory and don't need to be downloaded/extracted.
This was probably done lots of times ago due to quilt causing error as
the patches directory wasn't present.
This has changed now and quilt can correctly detect if no patches needs
to be applied (instead of terminating with error)
Always define Host/Prepare/Default to make tools/refresh correctly works
as HOST_QUILT is hardcoded enabled for this make target and will
complain for tool not prepared for quilt patches.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
725389b7c745b0fa68426986c9bca14171f16887)
Yuu Toriyama [Sat, 18 May 2024 22:08:37 +0000 (07:08 +0900)]
wireless-regdb: update to 2024.05.08
Changes:
73529a8 Revert "wireless-regdb: Update and disable 5470-5730MHz band according to TPC requirement for Singapore (SG)"
87941e4 wireless-regdb: Update regulatory rules for Taiwan (TW) on 6GHz
33797ae wireless-regdb: update regulatory database based on preceding changes
Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit
65c1f0d433e89c794a6d22dbe474666c241f9e7b)