Hauke Mehrtens [Sat, 30 Sep 2017 13:23:07 +0000 (15:23 +0200)]
curl: fix security problems
This fixes the following security problems:
* CVE-2017-
1000100 TFTP sends more than buffer size
* CVE-2017-
1000101 URL globbing out of bounds read
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Kevin Darbyshire-Bryant [Fri, 1 Sep 2017 18:04:29 +0000 (19:04 +0100)]
mbedtls: update to 2.6.0 CVE-2017-14032
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
Florian Fainelli [Sat, 16 Sep 2017 22:16:09 +0000 (15:16 -0700)]
generic: drop 704-phy-no-genphy-soft-reset.patch
4.4.80+ contains
71a165f6397df07a06ce643de5c2dbae29bd3cfb, 4.9.41+ contains
6c78197e4a69c19e61dfe904fdc661b2aee8ec20 which are all backports of upstream
commit
0878fff1f42c18e448ab5b8b4f6a3eb32365b5b6 ("net: phy: Do not perform
software reset for Generic PHY").
Our local patch is no longer needed, all this patch was doing was utilizing
gen10g_soft_reset which does nothing either, so just keep the code unchanged.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Hauke Mehrtens [Sat, 30 Sep 2017 11:38:39 +0000 (13:38 +0200)]
kernel: update 4.4 to 4.4.89
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Mathias Kresin [Wed, 27 Sep 2017 04:52:43 +0000 (06:52 +0200)]
ltq-vdsl-mei: disable optimized firmware download
With ltq-vdsl-mei 1.5.17.6 an optimized firmware download was added and
enabled by default. As soon as the optimized firmware download is
enabled, a watchdog based reboot is trigger between 24h to 48h of
uptime if the board isn't connected to a xdsl line.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Martin Schiller [Tue, 26 Sep 2017 05:56:55 +0000 (07:56 +0200)]
ltq-vdsl: fix PM thread suspend and resume handling
This is a backport form drv_dsl_cpe_api-4.18.10 and fixes some PM
thread handling issues which lead to high system load and watchdog
trigger within 1h of uptime for boards not connected to a xdsl line.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Sven Roederer [Tue, 5 Sep 2017 16:27:02 +0000 (18:27 +0200)]
openvpn: add "extra-certs" option
This option is used to specify a file containing PEM certs, to complete the
local certificate chain. Which is quite usefull for "split-CA" setups.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Daniel Gonzalez Cabanelas [Sat, 29 Jul 2017 12:54:15 +0000 (14:54 +0200)]
lantiq: fix missing otg_cap on danube platform
USB doesn't work in some danube boards because otg_cap
is missing since previous changes made on the USB-dwc2
lantiq driver. Fix it.
Tested on the ARV7518PW router.
Signed-off-by: Daniel Gonzalez Cabanelas <dgcbueu@gmail.com>
Stijn Tintel [Sun, 17 Sep 2017 22:26:44 +0000 (01:26 +0300)]
tcpdump: noop commit to refer CVEs fixed in 4.9.2
When bumping tcpdump from 4.9.1 to 4.9.2, I did not include the fixed
CVEs in the commit message. As the list of fixed CVEs is quite long,
we should probably mention them in the changelogs of the releases to
come. This commit will make sure this happens.
The following CVEs were fixed in
21014d9708d586becbd62da571effadb488da9fc:
CVE-2017-11541
CVE-2017-11541
CVE-2017-11542
CVE-2017-11542
CVE-2017-11543
CVE-2017-11543
CVE-2017-12893
CVE-2017-12894
CVE-2017-12895
CVE-2017-12896
CVE-2017-12897
CVE-2017-12898
CVE-2017-12899
CVE-2017-12900
CVE-2017-12901
CVE-2017-12902
CVE-2017-12985
CVE-2017-12986
CVE-2017-12987
CVE-2017-12988
CVE-2017-12989
CVE-2017-12990
CVE-2017-12991
CVE-2017-12992
CVE-2017-12993
CVE-2017-12994
CVE-2017-12995
CVE-2017-12996
CVE-2017-12997
CVE-2017-12998
CVE-2017-12999
CVE-2017-13000
CVE-2017-13001
CVE-2017-13002
CVE-2017-13003
CVE-2017-13004
CVE-2017-13005
CVE-2017-13006
CVE-2017-13007
CVE-2017-13008
CVE-2017-13009
CVE-2017-13010
CVE-2017-13011
CVE-2017-13012
CVE-2017-13013
CVE-2017-13014
CVE-2017-13015
CVE-2017-13016
CVE-2017-13017
CVE-2017-13018
CVE-2017-13019
CVE-2017-13020
CVE-2017-13021
CVE-2017-13022
CVE-2017-13023
CVE-2017-13024
CVE-2017-13025
CVE-2017-13026
CVE-2017-13027
CVE-2017-13028
CVE-2017-13029
CVE-2017-13030
CVE-2017-13031
CVE-2017-13032
CVE-2017-13033
CVE-2017-13034
CVE-2017-13035
CVE-2017-13036
CVE-2017-13037
CVE-2017-13038
CVE-2017-13039
CVE-2017-13040
CVE-2017-13041
CVE-2017-13042
CVE-2017-13043
CVE-2017-13044
CVE-2017-13045
CVE-2017-13046
CVE-2017-13047
CVE-2017-13048
CVE-2017-13049
CVE-2017-13050
CVE-2017-13051
CVE-2017-13052
CVE-2017-13053
CVE-2017-13054
CVE-2017-13055
CVE-2017-13687
CVE-2017-13688
CVE-2017-13689
CVE-2017-13690
CVE-2017-13725
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit
2375e279a7cb462d62fd6028cb3fbd56217222de)
Stijn Tintel [Sun, 10 Sep 2017 19:27:26 +0000 (21:27 +0200)]
tcpdump: bump to 4.9.2
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit
21014d9708d586becbd62da571effadb488da9fc)
Daniel Engberg [Wed, 22 Mar 2017 07:01:04 +0000 (08:01 +0100)]
utils/tcpdump: Rework URLs
Add actual mirror and use main site as last resport
Source: http://www.tcpdump.org/mirrors.html
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit
fd95397ee33a34704771de2ab26a5910b1a88c6f)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Conflicts:
package/network/utils/tcpdump/Makefile
Hans Dedecker [Mon, 18 Sep 2017 07:18:36 +0000 (09:18 +0200)]
base-files: fix wan6 interface config generation for pppoe
Setting ipv6 to auto in case of a pppoe interface will trigger the
creation of a dynamic wan_6 interface meaning two IPv6 interfaces
(wan6 and wan_6) will be active on top of the pppoe interface.
This leads to unpredictable behavior in the network; therefore set
ipv6 to 1 which will prevent the dynamic creation of the wan_6
interface.
Further alias the wan6 interface on top of the wan interface for pppoe
as the wan6 interface can only be started when the link local address is
ready. In case of pppoe the link local address is negotiated during the
Internet Protocol Control Protocol when the PPP link is setup meaning
all the IP address info is only available when the wan interface is up.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Baptiste Jonglez [Wed, 23 Aug 2017 21:44:52 +0000 (23:44 +0200)]
ipq806x: Archer C2600: fix switch ports numbering
The order of LAN ports shown in Luci is reversed compared to what is
written on the case of the device. Fix the order so that they match.
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Lorenzo Santina [Mon, 11 Sep 2017 13:27:53 +0000 (15:27 +0200)]
treewide: fix shellscript syntax errors/typos
Fix multiple syntax errors in shelscripts (of packages only)
These errors were causing many conditions to not working properly
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[increase PKG_RELEASE, drop command substitution from directip.sh]
Signed-off-by: Mathias Kresin <dev@kresin.em>
David Yang [Sat, 9 Sep 2017 13:16:11 +0000 (21:16 +0800)]
ramips: fix hg255d LED status support
Use the green power LED for boot status indication.
Source: https://my.oschina.net/osbin/blog/278782 Para 3
Signed-off-by: David Yang <mmyangfl@gmail.com>
Matthias Schiffer [Mon, 11 Sep 2017 17:41:41 +0000 (19:41 +0200)]
ar71xx: fix MAC addresses on TP-Link TL-WR1043ND v4
The addresses were read from the 'config' partition, which would not always
contain the addresses at the same offsets, depending on the stock firmware
version used before flashing LEDE. Change this to get the addresses from
the 'product-info' partition, which is read-only.
Reported-and-tested-by: Andreas Ziegler <ml@andreas-ziegler.de>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Lorenzo Santina [Sat, 9 Sep 2017 14:40:57 +0000 (16:40 +0200)]
hostapd: fix iapp_interface option
ifname variable were not assigned due to syntax error
causing the hostapd config file to have an empty iapp_interface= option
Signed-off-by: Lorenzo Santina <lorenzo.santina.dev@gmail.com>
Kevin Darbyshire-Bryant [Thu, 7 Sep 2017 14:47:21 +0000 (15:47 +0100)]
kernel: update 4.4 to 4.4.87
Fixes CVE-2017-11600
No patch refresh required
Compile & run tested: ar71xx - Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Fri, 8 Sep 2017 07:56:34 +0000 (08:56 +0100)]
dnsmasq: backport arcount edns0 fix
Don't return arcount=1 if EDNS0 RR won't fit in the packet.
Omitting the EDNS0 RR but setting arcount gives a malformed packet.
Also, don't accept UDP packet size less than 512 in received EDNS0.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Thu, 7 Sep 2017 02:58:23 +0000 (03:58 +0100)]
dnsmasq: backport official fix for CVE-2017-13704
Remove LEDE partial fix for CVE-2017-13704.
Backport official fix from upstream.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
Matthias Schiffer [Wed, 6 Sep 2017 13:44:14 +0000 (15:44 +0200)]
uclient: update to 2017-09-06
24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses
83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Kevin Darbyshire-Bryant [Mon, 4 Sep 2017 11:50:01 +0000 (12:50 +0100)]
kernel: update 4.4 to 4.4.86
Refresh patches
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Rafał Miłecki [Mon, 4 Sep 2017 06:07:10 +0000 (08:07 +0200)]
brcm47xx: refresh Linux 4.4 config
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Stijn Tintel [Thu, 24 Aug 2017 07:04:15 +0000 (10:04 +0300)]
f2fs-tools: fix mkfs.f2fs on big-endian systems
Fixes: FS#749
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit
cdb494fdc2d3399e698893ff0cfd06d3c802364f)
Stijn Tintel [Thu, 24 Aug 2017 06:56:49 +0000 (09:56 +0300)]
f2fs-tools: drop musl compat patch
It is no longer needed since version 1.4.1.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit
252c8ddf146f196faaa34cf7af9b3eacb79e6add)
Stijn Tintel [Thu, 24 Aug 2017 06:23:32 +0000 (09:23 +0300)]
f2fs-tools: drop patch in favour of CONFIGURE_VARS
Override the failing check in configure with CONFIGURE_VARS instead of
carrying a patch that's unlikely to be accepted by upstream.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: John Crispin <john@phrozen.org>
(cherry picked from commit
d87f27af54e7c122c8f320f7266dd5061bb47a8b)
Daniel Engberg [Wed, 10 May 2017 09:04:26 +0000 (11:04 +0200)]
f2fs-tools: Switch to gz tarball
At some point kernel.org decided to drop xz generated tarballs, switch to gz which they still provide.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Kevin Darbyshire-Bryant [Tue, 29 Aug 2017 13:29:18 +0000 (14:29 +0100)]
dnsmasq: forward.c: fix CVE-2017-13704
Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
is called with header & limit pointing at the same address and thus
tries to clear memory from before the buffer begins.
answer_request() is called with an invalid edns packet size provided by
the client. Ensure the udp_size provided by the client is bounded by
512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
MUST be treated as equal to 512"
The client that exposed the problem provided a payload udp size of 0.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Rafał Miłecki [Wed, 28 Jun 2017 09:31:14 +0000 (11:31 +0200)]
kernel: backport usbport LED trigger driver support for DT
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Wed, 8 Mar 2017 11:38:43 +0000 (12:38 +0100)]
kernel: fix of_node handling in LEDs core code
This backports fixes for setting of_node and making it possible to read
extra info from DT. This was partially fixed by:
[PATCH] leds: leds-gpio: Set of_node for created LED devices
but it didn't work during initialization.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Kevin Darbyshire-Bryant [Thu, 17 Aug 2017 16:58:24 +0000 (17:58 +0100)]
kernel: update 4.4 to 4.4.83
Refresh patches.
Minor update 704-phy-no-genphy-soft-reset.patch which was partially
accepted upstream.
Compile-tested on ar71xx.
Runtime-tested on ar71xx.
Fixes the following vulnerabilities:
- CVE-2017-7533 (4.4.80)
- CVE-2017-
1000111 (4.4.82)
- CVE-2017-
1000112 (4.4.82)
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Rafał Miłecki [Thu, 17 Aug 2017 07:43:37 +0000 (09:43 +0200)]
bcm53xx: backport DTS commits that setup USB LEDs
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Daniel Engberg [Mon, 24 Jul 2017 22:10:58 +0000 (00:10 +0200)]
tcpdump: Update to 4.9.1
Fixes:
* CVE-2017-11108: Fix bounds checking for STP.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Baptiste Jonglez [Sun, 30 Jul 2017 15:57:37 +0000 (17:57 +0200)]
mbedtls: Re-allow SHA1-signed certificates
Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.
Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.
Fixes: FS#942
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Mathias Kresin [Wed, 9 Aug 2017 18:17:43 +0000 (20:17 +0200)]
ramips: fix WHR-1166D WAN port
By adding the ICPlus IP1001 phy driver an already set RGMII delay mode
is reset during driver load.
Set the rgmii rx delay to fix corrupt/no packages in case the WAN port
negotiates to 1000MBit.
Fixes: FS#670
Signed-off-by: Mathias Kresin <dev@kresin.me>
Rafał Miłecki [Mon, 7 Aug 2017 09:09:33 +0000 (11:09 +0200)]
base-files: don't setup network in preinit if failsafe is disabled
With failsafe disabled there is no point in early network setup. We
don't send announcement over UDP and there is no way to ssh to the
device.
A side effect of this is avoiding a possibly incorrect network config
(only with failsafe disabled). This problem is related to possible
changes made by user in /etc/config/network.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Hans Dedecker [Tue, 18 Jul 2017 20:55:29 +0000 (22:55 +0200)]
dnsmasq: backport remove ping check of configured dhcp address
Remove ping check in DHCPDISCOVER case as too many buggy clients leave
an interface in configured state causing the ping check to fail.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Hans Dedecker [Tue, 8 Aug 2017 12:40:21 +0000 (14:40 +0200)]
procd: update to the latest git HEAD
66be6a2 watchdog: fix inline watchdog_get_magicclose function prototype
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Thibaut VARENE [Fri, 4 Aug 2017 15:22:03 +0000 (17:22 +0200)]
ramips: ArcherC50v1: fix wlan2g MAC address
By default the wlan eprom contains the generic ralink MAC which is not
the vendor (TP-Link) one. Based on OFW bootlog, it appears that addresses
are decremented from the ethernet MAC.
This patch fixes the MAC address for wlan2g in line with OFW.
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
Mathias Kresin [Mon, 31 Jul 2017 18:21:12 +0000 (20:21 +0200)]
ramips: fix Omnima MiniEMBWiFi image
Reference the Omnima MiniEMBWiFi device tree source file in the image
build code. Otherwise the dts of the image processed before is used.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Mathias Kresin [Mon, 31 Jul 2017 18:19:14 +0000 (20:19 +0200)]
ramips: build HuaWei HG255D image
The code to build an image was disabled some time ago for unknown
reasons albeit the image looks fine.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Mathias Kresin [Mon, 31 Jul 2017 16:00:35 +0000 (18:00 +0200)]
ramips: add missing partitions
The partitions were lost during migration to device tree.
Signed-off-by: Mathias Kresin <dev@kresin.me>
John Crispin [Tue, 1 Aug 2017 05:02:26 +0000 (07:02 +0200)]
procd: update to latest git HEAD
3e68cdf procd: Do not leak pipe file descriptors to children
Signed-off-by: John Crispin <john@phrozen.org>
John Crispin [Tue, 1 Aug 2017 04:53:38 +0000 (06:53 +0200)]
ralink: fix rcu_sched stalls on mt7621
there were 2 bugs
*) core1 came up with a bad bogo mips, looks like the clock needed time to stabilize
*) HPT frequency was not set making r4k timers not come up properly
Backport of
9551d91b1d6 "ralink: fix rcu_sched stalls on mt7621".
Signed-off-by: John Crispin <john@phrozen.org>
Thibaut VARENE [Sat, 29 Jul 2017 09:32:44 +0000 (11:32 +0200)]
ramips: Archer C50v1: fix power led
01_leds had a workaround for the power led to compensate for the
inverted GPIO state. This patch was missing from my previous commit.
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
[add the power led default-state which was omitted in the last commit
by me]
Signed-off-by: Mathias Kresin <dev@kresin.me>
Thibaut VARENE [Fri, 28 Jul 2017 20:36:52 +0000 (22:36 +0200)]
ramips: Archer C50v1: fix switch port numbering
Luci shows switch ports in wrong order on that device.
This patch fixes switch port numbering and matches them to the device
silkscreen.
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
Thibaut VARENE [Fri, 28 Jul 2017 21:26:40 +0000 (23:26 +0200)]
ramips: Archer C50v1: fix LEDs active levels
All LEDs GPIOs are active low on this device.
WAN and POWER states were inverted. Add default state for power.
Tested on Archer C50v1.
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
Mathias Kresin [Fri, 28 Jul 2017 17:22:55 +0000 (19:22 +0200)]
ramips: fix Mercury MAC1200R v2.0 board name
With
d2b6bf141662 ("ramips: fix image validation errors") the board
name was changed to fix an image validation error. But this change
wasn't applied to all other files using the board name, which broke
sysupgrade.
Revert this change and use the former board name in the metadata
instead.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Mathias Kresin [Fri, 28 Jul 2017 18:09:53 +0000 (20:09 +0200)]
brcm63xx: add NULL clock fix send upstream
Make the behaviour of clk_get_rate consistent with common clk's
clk_get_rate by accepting NULL clocks as parameter. Some device
drivers rely on this, and will cause an OOPS otherwise.
Fixes: FS#735
Signed-off-by: Mathias Kresin <dev@kresin.me>
Mathias Kresin [Fri, 28 Jul 2017 17:38:04 +0000 (19:38 +0200)]
ramips: add NULL clock fix send upstream
Make the behaviour of clk_get_rate consistent with common clk's
clk_get_rate by accepting NULL clocks as parameter. Some device
drivers rely on this, and will cause an OOPS otherwise.
Fixes: FS#735
Signed-off-by: Mathias Kresin <dev@kresin.me>
Mathias Kresin [Fri, 28 Jul 2017 17:05:33 +0000 (19:05 +0200)]
ar7: add NULL clock fix send upstream
Make the behaviour of clk_get_rate consistent with common clk's
clk_get_rate by accepting NULL clocks as parameter. Some device
drivers rely on this, and will cause an OOPS otherwise.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Hauke Mehrtens [Sun, 23 Jul 2017 14:08:47 +0000 (16:08 +0200)]
curl: fix CVE-2017-7407 and CVE-2017-7468
This fixes the following security problems:
* CVE-2017-7407: https://curl.haxx.se/docs/adv_20170403.html
* CVE-2017-7468: https://curl.haxx.se/docs/adv_20170419.html
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Sun, 23 Jul 2017 13:00:22 +0000 (15:00 +0200)]
kernel: update kernel 4.4 to version 4.4.79
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Thibaut VARENE [Tue, 25 Jul 2017 10:29:14 +0000 (12:29 +0200)]
ramips: DIR-860L-B1 fix switch port numbering
Luci shows switch ports in inverted order on that device.
This patch fixes switch port numbering and matches them to the device
silkscreen.
Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
Uwe Arnold [Thu, 20 Jul 2017 18:04:26 +0000 (20:04 +0200)]
kernel: netfilter: fix nf-nathelper(-extra) description
The tftp and irc netfilter modules are provided by nf-nathelper-extra
and not by nf-nathelper.
Signed-off-by: Uwe Arnold <donvipre@gmail.com>
[move the irc module as well]
Signed-off-by: Mathias Kresin <dev@kresin.me>
Giuseppe Lippolis [Tue, 18 Jul 2017 20:55:53 +0000 (22:55 +0200)]
ramips: fix wps button gpio for DWR-512
The WPS button is at GPIO#7.
Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
Paul Wassi [Sat, 22 Jul 2017 09:15:55 +0000 (11:15 +0200)]
ramips: DTS: VoCore2 improvements/fixes
The VoCore2 features 128MB of RAM, therefore set
memory in DTS to 128*1024*1024 = 0x8000000
The board's LED is connected to GND, set it to
ACTIVE_HIGH here.
Make serial console working again on kernel 4.9 by
change of pinmux configuration.
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
Piotr Dymacz [Fri, 14 Jul 2017 13:14:29 +0000 (15:14 +0200)]
ar71xx: fix switch port mapping for TP-Link TL-WR74xN/D series
Backport of
ad8c315: "ar71xx: fix switch port mapping for TP-Link
TL-WR74xN/D series".
Fixes FS#843
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Piotr Dymacz [Fri, 31 Mar 2017 11:43:06 +0000 (13:43 +0200)]
uboot-envtools: add support for ALFA Network AP121F
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Piotr Dymacz [Fri, 31 Mar 2017 11:37:31 +0000 (13:37 +0200)]
ar71xx: add support for ALFA Network AP121F
ALFA Network AP121F is a pocket-size router dedicated for VPN/TOR users.
Device is based on Atheros AR9331 WiSoC and is running a custom version
(updated from OpenWrt CC to LEDE 17.01 release) of NetAidKit firmware.
Specification:
- 400/400/200 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR1)
- 16 MB of FLASH (SPI NOR)
- 1x 10/100 Mbps Ethernet
- 1T1R 2.4 GHz
- 1x microSD (optional, on separate PCB)
- 3x LED, 1x button, 1x switch
- UART header on PCB
Flash instruction (under U-Boot web recovery mode):
1. Configure PC with static IP 192.168.1.2/24.
2. Connect PC with RJ45 port, press the reset button, power up device,
wait for first blink of all LEDs (indicates network setup), then keep
button for 3 following blinks and release it.
3. Open 192.168.1.1 address in your browser and upload sysupgrade image.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Mathias Kresin [Fri, 14 Jul 2017 17:35:02 +0000 (19:35 +0200)]
image: fix ar71xx legacy images
If TARGET_PER_DEVICE_ROOTFS and DEVICE_PACKAGES are used for ar71xx
legacy images:
- an already jffs2 padded squashfs rootfs is overwritten
with an unpadded/raw one.
- the squashfs-raw and squashfs-64k rootfs are not replaced by the
ones including the DEVICE_PACKAGES
Call Image/Build/squashfs after the DEVICE_PACKAGES are added to the
base squashfs rootfs to fix the issues.
Fixes: FS#904
Signed-off-by: Mathias Kresin <dev@kresin.me>
Mathias Kresin [Mon, 15 May 2017 16:21:39 +0000 (18:21 +0200)]
imx6: fix DualLite/Solo GW551X board detection
The model name is a different one in the device tree source file.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Hans Dedecker [Thu, 13 Jul 2017 19:54:59 +0000 (21:54 +0200)]
procd: backport kernel watchdog start/stop support
4dbf57a watchdog: add support for starting/stopping kernel watchdog
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Jo-Philipp Wich [Wed, 12 Jul 2017 23:25:10 +0000 (01:25 +0200)]
x86: add missing kernel config symbols to Geode target
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 12 Jul 2017 20:38:39 +0000 (22:38 +0200)]
x86: enable ACPI support for the Geode subtarget
Backport of
9b940fe "x86: enable ACPI support for the Geode subtarget".
Fixes FS#577.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Hans Dedecker [Wed, 28 Jun 2017 08:15:38 +0000 (10:15 +0200)]
dnsmasq: backport patch fixing DNS failover (FS#841)
Backport upstream dnsmasq patch fixing DNS failover when first servers
returns REFUSED in strict mode; fixes issue FS#841.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Matthias Schiffer [Wed, 12 Jul 2017 17:22:51 +0000 (19:22 +0200)]
ar71xx: set US region code for TP-Link TL-WR710N v1 image
Non-US versions of the TP-Link TL-WR710N v1 don't have a region code so
far, so we can just set US unconditionally.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Daniel Golle [Tue, 11 Jul 2017 21:30:10 +0000 (23:30 +0200)]
fstools: backport fixes from master branch
The following changes are backported from the master branch
bdcb075 libfstools: fix matching device name
(
f038a61 on master)
ef2d438 fstools: use -Wno-format-truncation instead of -Wno-error=format-truncation
(
c43ae11 on master)
d361923 build: disable the format-truncation warning error to fix gcc 7 build errors
(
a19f2b3 on master)
cddc830 libfstools: silence mkfs.{ext4,f2fs}
(
88d48d5 on master)
be5004c libfstools: add basic documentation of mount functions
(
92b4c2c on master)
34d36c2 add missing includes
(
7d78836 on master)
A previously added hotfix was replaced by a git commit, hence the patch
file is removed and we got instead
45c2a6f libfstools: fix multiple volume_identify usages with the same volume
(
633a8d0 on master)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Matthias Schiffer [Sat, 8 Jul 2017 20:51:34 +0000 (22:51 +0200)]
mtd-utils: use source package name for lzo in PKG_BUILD_DEPENDS
PKG_BUILD_DEPENDS should always refer to source package names.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Mathias Kresin [Thu, 23 Mar 2017 19:30:25 +0000 (20:30 +0100)]
ramips: fix Xiaomi MiWiFi Nano firmware partition size
Even the commit message of the patch adding support for the MiWiFi Nano
says that a 16 MB flash chip is used. Extend the firmware partition to
make use of all available flash space.
Fixes: FS#622
Signed-off-by: Mathias Kresin <dev@kresin.me>
Felix Fietkau [Mon, 29 May 2017 12:26:36 +0000 (14:26 +0200)]
build: fix kmod package build on non-GNU systems
BSD paste requires a filename argument, and it accepts - to use stdin as
intended.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sergey Sergeev [Wed, 31 May 2017 08:00:01 +0000 (11:00 +0300)]
ar71xx: Fix UBIFS work on Mikrotik RB95x devices
If nand chip has no NAND_NO_SUBPAGE_WRITE flag on its options
ubifs can't use it mtd devices and the kernel crashes with error:
__nand_correct_data: uncorrectable ECC error
Signed-off-by: Sergey Sergeev <adron@yapic.net>
Mathias Kresin [Wed, 28 Jun 2017 21:36:37 +0000 (23:36 +0200)]
lantiq: use img file extension for DGN3500 factory images
The Netgear UI in basic mode refuses the upgrade file if the the
fileextension is not img. The expert/advanced mode accepts any
fileextension. Use img to make it work in any case.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Hans Dedecker [Mon, 26 Jun 2017 08:23:08 +0000 (10:23 +0200)]
dnsmasq: backport tweak ICMP ping logic for DHCPv4
Don't start ping-check of address in DHCP discover if there already
exists a lease for the address. It has been reported under some
circumstances android and netbooted windows devices can reply to
ICMP pings if they have a lease and thus block the allocation of
the IP address the device already has during boot.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Hans Dedecker [Thu, 29 Jun 2017 07:41:59 +0000 (09:41 +0200)]
dhcpv6: add missing dollar sign in dhcpv6 script (FS#874)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Daniel Golle [Wed, 28 Jun 2017 00:01:07 +0000 (02:01 +0200)]
procd: backport fixes from master branch
The following commits have been cherry-picked into the lede-17.01
branch of procd, listed here in git-log-order ie. with head first:
89918c8 system: introduce new attribute board_name
(
79bbe6d and
453116e on master branch)
8297c38 preinit: define _GNU_SOURCE
(
e5b963a on master branch)
8fd57dd upgraded: cmake: Find and include uloop.h
(
e5ff8ca on master branch)
6b0da20 hotplug: fix a memory leak in handle_button_complete()
(
f367ec6 on master branch)
558ffb5 service/service_stopped(): fix a use-after-free
(
796ba3b on master branch)
22f89e1 upgraded: define __GNU_SOURCE
(
e7bb2c8 on master branch)
6e8ea8b rcS: add missing fcntl.h include
(
992b796 on master branch)
cd5225d procd/rcS: Use /dev/null as stdin
(
d42b21e on master branch)
5131bec procd: Log initscript output prefixed with script name
(
1247db1 on master branch)
225b18d procd: Don't use syslog before its initialization
(
8d720b2 on master branch)
889442c procd: Add missing \n in debug message
(
2555474 on master branch)
2716228 procd: service gets deleted when its last instance is freed
(
8f218f5 on master branch)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Stijn Tintel [Tue, 27 Jun 2017 08:26:38 +0000 (10:26 +0200)]
kernel: update kernel 4.4 to 4.4.74
Refresh patches.
Compile-tested on ar71xx, octeon.
Runtime-tested on ar71xx, octeon.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Stijn Tintel [Tue, 27 Jun 2017 08:05:04 +0000 (10:05 +0200)]
ipq806x: fixup thermal patches
Fix conflict with thermal patches added in
c03d4317a6bc891cb4a5e89cbdd77f37c23aff86.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Rafał Miłecki [Fri, 16 Jun 2017 11:23:22 +0000 (13:23 +0200)]
base-files: fix PKG_CONFIG_DEPENDS to include version.mk entries
Including version.mk sets PKG_CONFIG_DEPENDS to config entries used for
VERSION_SED command. We should keep these configs to make sure package
gets refreshed when needed.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Mon, 22 May 2017 10:50:53 +0000 (12:50 +0200)]
bcm53xx: include wpad-mini only on devices with (supported) wireless
Don't include wpad-mini when it's useless just like we don't include
useless wireless drivers.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Mathias Kresin [Mon, 26 Jun 2017 17:22:52 +0000 (19:22 +0200)]
firmware-utils: fix dgn3500sum compiler warnings
The sum variable need to be initialised, otherwise it will points to
random stack memory and a bogus image checksum might be calculated.
While at it, fix the segfault in case the product region code isn't
specified and enable compiler warnings which had revealed all the code
issues.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Christian Schoenebeck [Mon, 19 Jun 2017 18:56:17 +0000 (20:56 +0200)]
ca-certificates: Update to version
20161130+nmu1
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Magnus Kroken [Thu, 22 Jun 2017 21:01:01 +0000 (23:01 +0200)]
openvpn: update to 2.4.3
Fixes for security and other issues. See security announcement for more details:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
* Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)
* Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520)
* Potential double-free in --x509-alt-username (CVE-2017-7521)
* Remote-triggerable memory leaks (CVE-2017-7512)
* Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522)
* Null-pointer dereference in establish_http_proxy_passthru()
* Restrict --x509-alt-username extension types
* Fix potential 1-byte overread in TCP option parsing
* Fix mbedtls fingerprint calculation
* openssl: fix overflow check for long --tls-cipher option
* Ensure option array p[] is always NULL-terminated
* Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6)
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Magnus Kroken [Wed, 21 Jun 2017 19:05:09 +0000 (21:05 +0200)]
mbedtls: update to 2.5.1
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released
* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Rafał Miłecki [Thu, 20 Apr 2017 20:27:19 +0000 (22:27 +0200)]
bcm53xx: enable Northstar thermal driver
It allows monitoring CPU temp and will shutdown system on critical
value.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rafał Miłecki [Fri, 14 Apr 2017 16:18:36 +0000 (18:18 +0200)]
kernel: backport Broadcom thermal drivers
This includes driver for Northstar and for Raspberry Pi.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Hans Dedecker [Mon, 19 Jun 2017 20:05:21 +0000 (22:05 +0200)]
Revert "dnsmasq: don't point --resolv-file to default location unconditionally"
This reverts commit
78edfff5303533dc52a1ac64ad745acc0a8a743e.
This breaks local dns resolving in case noresolv=1 as resolv.conf is not
populated anymore with 127.0.0.1 as resolvfile does not equal
/tmp/resolv.conf.auto anymore.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Kevin Darbyshire-Bryant [Thu, 15 Jun 2017 11:58:25 +0000 (12:58 +0100)]
dropbear: fix service trigger syntax error
The classic single '&' when double '&&' conditional was meant.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
小桥 [Sun, 5 Mar 2017 07:53:40 +0000 (15:53 +0800)]
ramips: fix Phicomm K1S(PSG1208) pinmux
Use gpio function for pins with LEDs.
Signed-off-by: 小桥 <29551030@qq.com>
Alexander Couzens [Sat, 10 Jun 2017 11:08:07 +0000 (13:08 +0200)]
LEDE v17.01.2: revert to branch defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Alexander Couzens [Sat, 10 Jun 2017 11:08:02 +0000 (13:08 +0200)]
LEDE v17.01.2: adjust config defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Felix Fietkau [Thu, 8 Jun 2017 09:05:05 +0000 (11:05 +0200)]
build: ensure that flock is available for make download
It ensures that make download can parallelize downloads, even when some
packages download the same files (e.g. gcc/initial, gcc/final)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Alexander Couzens [Wed, 7 Jun 2017 21:56:19 +0000 (23:56 +0200)]
include/toplevel: set env GIT_ASKPASS=/bin/true
When git-https request a service (e.g. github) which ask for credentials
git will pass this request to the user resulting download.pl to wait for
user input. Set GIT_ASKPASS to stop asking.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Jo-Philipp Wich [Thu, 8 Jun 2017 17:27:46 +0000 (19:27 +0200)]
base-files: network.sh: fix a number of IPv6 logic flaws
* Change network_get_subnet6() to sensibly guess a suitable prefix
Attempt to return the first non-linklocal, non-ula range, then attempt
to return the first non-linklocal range and finally fall back to the
previous behaviour of simply returning the first found item.
* Fix network_get_ipaddrs_all()
Instead of replicating the flawed logic appending a fixed ":1" suffix
to IPv6 addresses, rely on network_get_ipaddrs() and network_get_ipaddrs6()
to build a single list of all interface addresses.
* Fix network_get_subnets6()
Instead of replicating the flawed logic appending a fixed ":1" suffix
to IPv6 addresses, rely on the ipv6-prefix-assignment.local-address
field to figure out the proper network address.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 8 Jun 2017 17:54:53 +0000 (19:54 +0200)]
mwlwifi: update to version 10.3.4.0 / 2017-06-06
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Daniel Golle [Wed, 7 Jun 2017 17:39:33 +0000 (19:39 +0200)]
automake: import upstream fix for perl 5.26
Build broke as distributions now include Perl 5.26 and automake
triggered an "Unescaped left brace in regex" error.
Import upstream commit
13f00eb449 to fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Jo-Philipp Wich [Thu, 8 Jun 2017 10:02:36 +0000 (12:02 +0200)]
base-files: network.sh: properly report local IPv6 addresses
Rework the network_get_ipaddr6() and network_get_ipaddrs6() functions to
fetch the effective local IPv6 address of delegated prefix from the
"local-address" field instead of naively hardcoding ":1" as static suffix.
Fixes FS#829.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 7 Jun 2017 19:24:41 +0000 (21:24 +0200)]
kernel: update kernel 4.4 to 4.4.71
Fixes the following security vulnerabilities:
CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
Linux kernel through 4.10.15 allows attackers to cause a denial of service
(double free) or possibly have unspecified other impact by leveraging use
of the accept system call.
CVE-2017-9074
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
does not consider that the nexthdr field may be associated with an invalid
option, which allows local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact via crafted socket
and send system calls.
CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux
kernel through 4.11.1 mishandles inheritance, which allows local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890.
CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
through 4.11.3 is too late in checking whether an overwrite of an skb data
structure may occur, which allows local users to cause a denial of service
(system crash) via crafted system calls.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.71
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Kristian Evensen [Mon, 5 Jun 2017 08:24:02 +0000 (10:24 +0200)]
Add missing APU1 reference to x86 board.d
x86 board.d only contains a case for the APU2, not the APU1. This
causes, for example, network configuration not to be created correctly.
Even though the APU1 seems to reaching EOL, there a still a lot of them
out there.
The APU1 and APU2 is configured in the same way and this patch should
also be considered for stable, as the error also exists there.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Mathias Kresin [Wed, 15 Feb 2017 07:39:05 +0000 (08:39 +0100)]
base-files: always set proto passed to _ucidef_set_interface()
Overwrite an already set proto if a new one is passed to
_ucidef_set_interface() similar to what is done for the interface.
It is required when using ""ucidef_set_interface_wan 'ptm0' 'pppoe'"
after some initial wan interface configuration is already done by
ucidef_add_switch.
The "json_is_a protocol string" guard is meant to not reset an earlier
set interface proto in case something like
"ucidef_set_interface_lan 'eth0'" is used afterwards.
Signed-off-by: Mathias Kresin <dev@kresin.me>