15.05/openwrt.git
16 months agoMerge pull request #580 from wigyori/cc-libpcap master
Zoltan Herpai [Fri, 8 Dec 2017 10:07:24 +0000 (11:07 +0100)]
Merge pull request #580 from wigyori/cc-libpcap

CC: upgrade libpcap to 1.8.1
16 months agolibpcap: Fix build when PACKAGECONFIG ipv6 is not enabled
Zefir Kurtisi [Thu, 22 Dec 2016 09:39:51 +0000 (10:39 +0100)]
libpcap: Fix build when PACKAGECONFIG ipv6 is not enabled

Add patches provided upstream [1] by Fabio Berton to fix error:

> ./gencode.c: In function 'pcap_compile':
> ./gencode.c:693:8: error: 'compiler_state_t {aka struct _compiler_state}' has no member named 'ai'
>   cstate.ai = NULL;
>         ^
> ./gencode.c: In function 'gen_gateway':
> ./gencode.c:4914:13: error: 'cstate' undeclared (first use in this function)
>    bpf_error(cstate, "direction applied to 'gateway'");
>              ^

[1] https://github.com/the-tcpdump-group/libpcap/pull/541

Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Tested-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
16 months agolibs/libpcap: update to 1.8.1
p-wassi [Sat, 10 Dec 2016 09:56:22 +0000 (10:56 +0100)]
libs/libpcap: update to 1.8.1

Update libpcap to upstream release 1.8.1
Change the name from libpcap.so.1.3 to libpcap.so.1
Remove parts of patch 201 which moved code among src files.
Import patch 204 from Debian to update the USB path.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [fix parallel build bug]
16 months agolibpcap: fix dependency of install-shared-so make target
Matthias Schiffer [Thu, 21 Jul 2016 15:45:26 +0000 (17:45 +0200)]
libpcap: fix dependency of install-shared-so make target

There seems to be a situation in which a rebuild of libpcap.so is triggered
in the install step of the libpcap Makefile. libpcap.so is the wrong
target, leading to the build failure reported in [1].

Fix the dependency of install-shared-so to $(SHAREDLIB) so the build can
succeed in this case.

[1] https://dev.openwrt.org/ticket/19894

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
16 months agolibpcap: remove unrecognized configure options
Dirk Neukirchen [Thu, 7 Jul 2016 12:56:43 +0000 (14:56 +0200)]
libpcap: remove unrecognized configure options

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
16 months agolibpcap: USB support by default if usbmon is enabled
John Crispin [Mon, 26 Oct 2015 09:02:03 +0000 (09:02 +0000)]
libpcap: USB support by default if usbmon is enabled

If building usbmon support then you'll likely want to have
USB support in libpcap as well.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@47265 3c298f89-4303-0410-b956-a3cf2f4a3e73

16 months agolibpcap: update to version 1.7.4
Felix Fietkau [Thu, 3 Sep 2015 13:14:56 +0000 (13:14 +0000)]
libpcap: update to version 1.7.4

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@46776 3c298f89-4303-0410-b956-a3cf2f4a3e73

16 months agolibpcap: fixup libtool
Steven Barth [Sat, 20 Jun 2015 17:37:28 +0000 (17:37 +0000)]
libpcap: fixup libtool

Signed-off-by: Steven Barth <steven@midlink.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@46074 3c298f89-4303-0410-b956-a3cf2f4a3e73

16 months agoMerge pull request #575 from nmaas87/patch-1
Zoltan Herpai [Wed, 6 Dec 2017 20:17:48 +0000 (21:17 +0100)]
Merge pull request #575 from nmaas87/patch-1

CC: brcm2708-gpu-fw: update md5sum in Makefile
16 months agokernel: bump to 3.18.84
Zoltan HERPAI [Sat, 25 Nov 2017 12:39:20 +0000 (13:39 +0100)]
kernel: bump to 3.18.84

Compile-tested: ar71xx, sunxi, mvebu, ramips/rt305x, lantiq
Runtime-tested: ar71xx, sunxi

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
17 months agoCC: brcm2708-gpu-fw: update md5sum in Makefile
Nico Maas [Mon, 20 Nov 2017 09:42:22 +0000 (10:42 +0100)]
CC: brcm2708-gpu-fw: update md5sum in Makefile
Update the MD5 of the firmware for Raspberry Pi to enable build on the Chaos Calmer / 15.05.1 target again.
The checksum changed due to changes of the Github Tar Handling as described here: raspberrypi/firmware#873
After that change, builds for RPi on 15.05.1 succeed again.
Signed-off-by: Nico Maas <mail@nico-maas.de>
17 months agokernel: bump to 3.18.80
Zoltan HERPAI [Sat, 11 Nov 2017 23:49:19 +0000 (00:49 +0100)]
kernel: bump to 3.18.80

Compile-tested: ar71xx, sunxi, mvebu, ppc44x
Runtime-tested: ar71xx, sunxi

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
17 months agoCC: ca-certificates: bump to 20161130+nmu1
Zoltan HERPAI [Sun, 16 Jul 2017 11:27:54 +0000 (13:27 +0200)]
CC: ca-certificates: bump to 20161130+nmu1
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
17 months agoCC: ca-certificates: update to version 20161130
Christian Schoenebeck [Tue, 13 Dec 2016 19:10:10 +0000 (20:10 +0100)]
CC: ca-certificates: update to version 20161130
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
17 months agoCC: ca-certificates: bump to 20161102
Stanislav Izmalkov [Sat, 12 Nov 2016 21:17:47 +0000 (00:17 +0300)]
CC: ca-certificates: bump to 20161102
Signed-off-by: Stanislav Izmalkov <izstas@live.ru>
17 months agoCC: ca-certificages: Add certificate bundle for packages that need it
Daniel Dickinson [Wed, 6 Jul 2016 07:32:25 +0000 (03:32 -0400)]
CC: ca-certificages: Add certificate bundle for packages that need it
Some packages don't use /etc/ssl/certs but instead use /etc/ssl/certs/ca-certificates.crt.
For those packages add a ca-bundle package>.

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
17 months agoCC: ca-certificates: update to version 20160104
Felix Fietkau [Sun, 17 Jan 2016 11:03:36 +0000 (11:03 +0000)]
CC: ca-certificates: update to version 20160104
- update to latest version 20160104
- remove cpu dependency (PKGARCH:=all)
- set myself as package maintainer

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@48271 3c298f89-4303-0410-b956-a3cf2f4a3e73

17 months agoCC: ca-certificates: update to version 20151214
John Crispin [Wed, 23 Dec 2015 19:25:33 +0000 (19:25 +0000)]
CC: ca-certificates: update to version 20151214
update to version 20151214

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@48000 3c298f89-4303-0410-b956-a3cf2f4a3e73

17 months agoCC: openssl: bump to 1.0.2m
Zoltan HERPAI [Sat, 4 Nov 2017 21:04:06 +0000 (22:04 +0100)]
CC: openssl: bump to 1.0.2m
Fixes:
CVE-2017-3735
CVE-2017-3736

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
17 months agoCC: hostapd: bump PKG_VERSION
Zoltan HERPAI [Wed, 18 Oct 2017 12:41:18 +0000 (14:41 +0200)]
CC: hostapd: bump PKG_VERSION
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
17 months agoCC: kernel: upgrade to 3.18.79
Zoltan HERPAI [Sat, 4 Nov 2017 19:39:18 +0000 (20:39 +0100)]
CC: kernel: upgrade to 3.18.79
Runtime-tested on ar71xx.

Fixes:
CVE-2016-2543
CVE-2017-12190
CVE-2017-15265
CVE-2017-15649
CVE-2017-15299
CVE-2017-12193

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
17 months agoiproute2: use URL alias
Zoltan HERPAI [Sat, 4 Nov 2017 19:33:01 +0000 (20:33 +0100)]
iproute2: use URL alias

Drop hardcoded URL and use the @KERNEL alias.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
17 months agoMerge pull request #125 from hnyman/cc_getver
Zoltan Herpai [Mon, 23 Oct 2017 09:13:58 +0000 (11:13 +0200)]
Merge pull request #125 from hnyman/cc_getver

CC15.05: scripts/getver.sh: Fix revision numbering (for Github-based repo)

17 months agoMerge pull request #564 from wigyori/cc-cdn2
Zoltan Herpai [Sun, 22 Oct 2017 20:09:54 +0000 (22:09 +0200)]
Merge pull request #564 from wigyori/cc-cdn2

CC: add download facilities
17 months agoCC: download: add @GITHUB download facility
John Crispin [Sat, 9 Apr 2016 10:25:34 +0000 (10:25 +0000)]
CC: download: add @GITHUB download facility
Define a new alias (@GITHUB) for downloading raw github repository files

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@49138 3c298f89-4303-0410-b956-a3cf2f4a3e73

17 months agoCC: build: add @APACHE download facility
Felix Fietkau [Sun, 17 Jan 2016 10:47:32 +0000 (10:47 +0000)]
CC: build: add @APACHE download facility
The Apache Software Foundation offers diverse download mirros.

For packaging Apache software a new alias @APACHE is defined.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@48270 3c298f89-4303-0410-b956-a3cf2f4a3e73

17 months agoCC: scripts/download.pl: Use CDN for kernel downloads
Petr Štetiar [Sun, 22 Oct 2017 18:17:42 +0000 (20:17 +0200)]
CC: scripts/download.pl: Use CDN for kernel downloads
More info at https://www.kernel.org/introducing-fastly-cdn.html

Signed-off-by: Petr Štetiar <ynezz@true.cz>
18 months agoMerge pull request #559 from wigyori/cc-misc2
Zoltan Herpai [Wed, 18 Oct 2017 07:12:35 +0000 (09:12 +0200)]
Merge pull request #559 from wigyori/cc-misc2

CC: upgrade openssl, fix ugps compilation
18 months agoMerge pull request #561 from zx2c4/patch-2
Zoltan Herpai [Wed, 18 Oct 2017 05:06:21 +0000 (07:06 +0200)]
Merge pull request #561 from zx2c4/patch-2

wireguard: simple version bump [for chaos_calmer]

18 months agowireguard: simple version bump
Jason A. Donenfeld [Tue, 17 Oct 2017 17:40:03 +0000 (19:40 +0200)]
wireguard: simple version bump

This is a simple version bump.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
18 months agoCC: openssl: bump to 1.0.2l
Zoltan HERPAI [Mon, 16 Oct 2017 19:59:35 +0000 (21:59 +0200)]
CC: openssl: bump to 1.0.2l
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
18 months agoCC: ugps: fix PKG_SOURCE path
Zoltan HERPAI [Mon, 16 Oct 2017 20:14:32 +0000 (22:14 +0200)]
CC: ugps: fix PKG_SOURCE path
Thanks to alex <peterwillcn@gmail.com> for reporting a fix.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
18 months agoMerge pull request #557 from zx2c4/for-chaos
Zoltan Herpai [Mon, 16 Oct 2017 15:44:38 +0000 (17:44 +0200)]
Merge pull request #557 from zx2c4/for-chaos

wireguard: add wireguard to base packages [chaos branch]

18 months agoMerge pull request #555 from wigyori/cc-hostapd2
Zoltan Herpai [Mon, 16 Oct 2017 15:35:00 +0000 (17:35 +0200)]
Merge pull request #555 from wigyori/cc-hostapd2

CC: upgrade hostapd to 2016-06-15, include KRACK fix
18 months agowireguard: add wireguard to base packages
Jason A. Donenfeld [Fri, 13 Oct 2017 15:05:18 +0000 (17:05 +0200)]
wireguard: add wireguard to base packages

Move wireguard from openwrt/packages to openwrt/openwrt. This has already
been done with lede/source and has already been removed from
openwrt/packages, and so this commit brings this to parity here, so that
there isn't a regression for openwrt users. Original message follows below:

This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.

WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
18 months agoMerge pull request #554 from wigyori/cc-ovpn2
Zoltan Herpai [Mon, 16 Oct 2017 13:49:25 +0000 (15:49 +0200)]
Merge pull request #554 from wigyori/cc-ovpn2

CC: mbedtls fixes
18 months agoCC: polarssl: fix incorrect md5sum
Zoltan HERPAI [Mon, 16 Oct 2017 13:03:27 +0000 (15:03 +0200)]
CC: polarssl: fix incorrect md5sum
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
18 months agoCC: mbedtls: enable NIST curves optimisation.
Kevin Darbyshire-Bryant [Wed, 12 Oct 2016 10:42:15 +0000 (11:42 +0100)]
CC: mbedtls: enable NIST curves optimisation.
luci using ustream-mbedtls is extremely slow vs ustream-polarssl.
polarssl alias mbedtls v1 is configured to use NIST prime speed
optimisation, so no longer disable the default optimisation for
mbedtls v2.

Compile & run tested: Archer C7v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
[Jo-Philipp Wich: refresh patch to use common format]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
18 months agoCC: hostapd: fix WPA packet number reuse with replayed messages and key reinstallation
Zoltan HERPAI [Mon, 16 Oct 2017 12:38:45 +0000 (14:38 +0200)]
CC: hostapd: fix WPA packet number reuse with replayed messages and key reinstallation
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088

For more information, please refer to:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
18 months agoCC: hostapd: update to version 2016-06-15
Felix Fietkau [Wed, 15 Jun 2016 15:11:43 +0000 (17:11 +0200)]
CC: hostapd: update to version 2016-06-15
Signed-off-by: Felix Fietkau <nbd@nbd.name>
18 months agoCC: hostapd: Update to version 2016-05-05
Michal Hrusecky [Thu, 12 May 2016 12:07:15 +0000 (14:07 +0200)]
CC: hostapd: Update to version 2016-05-05
Fixes CVE-2016-4476 and few possible memory leaks.

Signed-off-by: Michal Hrusecky <Michal.Hrusecky@nic.cz>
18 months agoCC: hostapd: fix mesh interface bridge handling
Felix Fietkau [Thu, 28 Jan 2016 17:20:10 +0000 (17:20 +0000)]
CC: hostapd: fix mesh interface bridge handling
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48529

18 months agoCC: hostapd: fix wpad-mesh and wpa-supplicant-mesh configuration issues
Felix Fietkau [Thu, 28 Jan 2016 17:19:48 +0000 (17:19 +0000)]
CC: hostapd: fix wpad-mesh and wpa-supplicant-mesh configuration issues
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48528

18 months agoCC: hostapd: work around unconditional libopenssl build dependency
Felix Fietkau [Fri, 11 Sep 2015 16:31:18 +0000 (16:31 +0000)]
CC: hostapd: work around unconditional libopenssl build dependency
As the OpenWrt build system only resolves build dependencies per directory,
all hostapd variants were causing libopenssl to be downloaded and built,
not only wpad-mesh. Fix this by applying the same workaround as in
ustream-ssl.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 46851

18 months agohostapd: update to version 2016-01-15
Felix Fietkau [Thu, 28 Jan 2016 17:19:13 +0000 (17:19 +0000)]
hostapd: update to version 2016-01-15

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
[Drop 014 - Zoltan HERPAI <wigyori@uid0.hu>]

18 months agoCC: hostapd: add default value to eapol_version (#20641)
Felix Fietkau [Mon, 2 Nov 2015 18:12:54 +0000 (18:12 +0000)]
CC: hostapd: add default value to eapol_version (#20641)
r46861 introduced a new option eapol_version to hostapd, but did not
provide a default value. When the option value is evaluated,
the non-existing value causes errors to the systen log:
"netifd: radio0: sh: out of range"

Add a no-op default value 0 for eapol_version. Only values 1 or 2 are
actually passed on, so 0 will not change the default action in hostapd.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 47361

18 months agoCC: hostapd: Add eapol_version config option
Felix Fietkau [Fri, 11 Sep 2015 16:33:54 +0000 (16:33 +0000)]
CC: hostapd: Add eapol_version config option
Add eapol_version to the openwrt wireless config ssid section.
Only eapol_version=1 and 2 will get passed to hostapd, the default
in hostapd is 2.

This is only useful for really old client devices that don't
accept eapol_version=2.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
SVN-Revision: 46861

18 months agoMerge pull request #550 from wigyori/cc-ovpn2
Zoltan Herpai [Mon, 16 Oct 2017 07:27:54 +0000 (09:27 +0200)]
Merge pull request #550 from wigyori/cc-ovpn2

CC: sec upgrade for openvpn, polarssl, lzo
18 months agoMerge pull request #549 from wigyori/cc-sec
Zoltan Herpai [Thu, 12 Oct 2017 15:54:18 +0000 (17:54 +0200)]
Merge pull request #549 from wigyori/cc-sec

CC: kernel: upgrade to 3.18.75
18 months agoCC: polarssl: update to version 1.3.17
Hauke Mehrtens [Wed, 13 Jul 2016 15:44:26 +0000 (17:44 +0200)]
CC: polarssl: update to version 1.3.17
This fixes 3 minor security problems.
SSLv3 is deactivated by default now.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
18 months agoCC: polarssl: enable AES-GCM and CAMELLIA-GCM ciphersuites
Jo-Philipp Wich [Sat, 11 Jun 2016 01:18:07 +0000 (03:18 +0200)]
CC: polarssl: enable AES-GCM and CAMELLIA-GCM ciphersuites
Recent versions of Chrome require this ciphers to successfully handshake with
a TLS enabled uhttpd server using the ustream-polarssl backend.

If `CONFIG_GCM` is disabled, `ssl_ciphersuite_from_id()` will return `NULL`
when cipher `0x9d` is looked up, causing the calling `ssl_ciphersuite_match()`
to fail with `POLARSSL_ERR_SSL_INTERNAL_ERROR`.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
18 months agoCC: polarssl: update to 1.3.16, fixes intermediate certificate validation
Felix Fietkau [Sat, 16 Jan 2016 00:20:05 +0000 (00:20 +0000)]
CC: polarssl: update to 1.3.16, fixes intermediate certificate validation
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48257

18 months agoCC: polarssl: update to version 1.3.15
Hauke Mehrtens [Thu, 3 Dec 2015 21:00:45 +0000 (21:00 +0000)]
CC: polarssl: update to version 1.3.15
This is a minor version update which fixes some small bugs. None of
these bugs were exploitable according to the release notes.

Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
SVN-Revision: 47724

18 months agoCC: lzo: update to 2.10
Zoltan HERPAI [Thu, 12 Oct 2017 15:12:05 +0000 (17:12 +0200)]
CC: lzo: update to 2.10
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
18 months agoCC: package/libs/lzo: update version to 2.09
John Crispin [Fri, 1 Apr 2016 07:12:11 +0000 (07:12 +0000)]
CC: package/libs/lzo: update version to 2.09
Updates lzo to version 2.09 and changes copyright to 2016.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
SVN-Revision: 49110

18 months agoCC: openvpn: bump to 2.3.18
Zoltan HERPAI [Thu, 12 Oct 2017 15:07:59 +0000 (17:07 +0200)]
CC: openvpn: bump to 2.3.18
Fixes (above various bugs):
CVE-2017-7478
CVE-2017-7479
CVE-2017-7521

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
18 months agoCC: openvpn: quote parameters to --push in openvpn config file
Magnus Kroken [Sat, 10 Dec 2016 11:02:03 +0000 (12:02 +0100)]
CC: openvpn: quote parameters to --push in openvpn config file
OpenVPN requires arguments to --push to be enclosed in double quotes.
One set of quotes is stripped when the UCI config is parsed.
Change append_params() of openvpn.init to enclose push parameters in
double quotes.

Unquoted push parameters do not cause errors in OpenVPN 2.3,
but OpenVPN 2.4 fails to start with unquoted push parameters.

Fixes: FS#290.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
18 months agoCC: openvpn: update to 2.3.13
Magnus Kroken [Thu, 17 Nov 2016 17:43:25 +0000 (18:43 +0100)]
CC: openvpn: update to 2.3.13
Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
18 months agoCC: openvpn: cacert does not exist
John Crispin [Thu, 27 Oct 2016 17:52:33 +0000 (19:52 +0200)]
CC: openvpn: cacert does not exist
cacert is really called ca and already in the script

Signed-off-by: John Crispin <john@phrozen.org>
18 months agoCC: openvpn: add handling for capath and cafile
John Crispin [Thu, 27 Oct 2016 13:19:59 +0000 (15:19 +0200)]
CC: openvpn: add handling for capath and cafile
Signed-off-by: John Crispin <john@phrozen.org>
18 months agoCC: openvpn: update to 2.3.12
Magnus Kroken [Tue, 23 Aug 2016 22:14:46 +0000 (00:14 +0200)]
CC: openvpn: update to 2.3.12
300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream.
Replaced 101-remove_polarssl_debug_call.patch with upstream backport.

Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
18 months agoCC: openvpn: fix missing cipher list for polarssl in v2.3.11
Jo-Philipp Wich [Tue, 28 Jun 2016 08:47:22 +0000 (10:47 +0200)]
CC: openvpn: fix missing cipher list for polarssl in v2.3.11
Upstream OpenSSL hardening work introduced a change in shared code that
causes polarssl / mbedtls builds to break when no --tls-cipher is specified.

Import the upstream fix commit as patch until the next OpenVPN release gets
released and packaged.

Reported-by: Sebastian Koch <seb@metafly.info>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
18 months agoCC: openvpn: update to 2.3.11
Magnus Kroken [Sun, 12 Jun 2016 21:49:42 +0000 (23:49 +0200)]
CC: openvpn: update to 2.3.11
Security fixes:
* Fixed port-share bug with DoS potential
* Fix buffer overflow by user supplied data

Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
18 months agoCC: openvpn: add support for tls-version-min
Matteo Panella [Sat, 4 Jun 2016 13:15:03 +0000 (15:15 +0200)]
CC: openvpn: add support for tls-version-min
Currently, the uci data model does not provide support for specifying
the minimum TLS version supported in an OpenVPN instance (be it server
or client).

This patch adds support for writing the relevant option to the openvpn
configuration file at service startup.

Signed-off-by: Matteo Panella <morpheus@level28.org>
[Jo-Philipp Wich: shorten commit title, bump pkg release]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
18 months agoCC: openvpn: remove unrecognized option
Dirk Neukirchen [Tue, 31 May 2016 07:23:53 +0000 (09:23 +0200)]
CC: openvpn: remove unrecognized option
removed upstream in
https://github.com/OpenVPN/openvpn/commit/9ffd00e7541d83571b9eec087c6b3545ff68441f
now its always on

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
18 months agoCC: openvpn: add support for X.509 name options
John Crispin [Tue, 8 Mar 2016 18:12:02 +0000 (18:12 +0000)]
CC: openvpn: add support for X.509 name options
x509-username-field was added in OpenVPN 2.2, and verify-x509-name was
added in 2.3. This fixes ticket #18807.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
SVN-Revision: 48969

18 months agoCC: openvpn: update to version 2.3.10
Felix Fietkau [Mon, 11 Jan 2016 18:37:28 +0000 (18:37 +0000)]
CC: openvpn: update to version 2.3.10
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48201

18 months agoCC: openvpn: added service_triggers() to init script
Felix Fietkau [Thu, 7 Jan 2016 21:08:05 +0000 (21:08 +0000)]
CC: openvpn: added service_triggers() to init script
Follow up of #21469
This patch enables autoreloading openvpn via procd.

Signed-off-by: Federico Capoano <nemesis@ninux.org>
SVN-Revision: 48150

18 months agoCC: openvpn: fix configure options
John Crispin [Wed, 23 Dec 2015 14:44:24 +0000 (14:44 +0000)]
CC: openvpn: fix configure options
- eurephia:
commit: Remove the --disable-eurephia configure option

- fix option name:
http proxy option is now called http-proxy (see configure.ac)

fixes:
configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 47979

18 months agoCC: openvpn: enable options consistency check even in the small build
Felix Fietkau [Tue, 10 Nov 2015 12:04:04 +0000 (12:04 +0000)]
CC: openvpn: enable options consistency check even in the small build
Only costs about 3k compressed, but significantly improves handling of
configuration mismatch

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 47439

18 months agoCC: openvpn: add handling for route-pre-down option
John Crispin [Mon, 5 Oct 2015 10:28:47 +0000 (10:28 +0000)]
CC: openvpn: add handling for route-pre-down option
OpenVPN 2.3 added a route-pre-down option, to run a command before
routes are removed upon disconnection.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
SVN-Revision: 47134

18 months agoCC: openvpn: bump to 2.3.7.
Felix Fietkau [Thu, 18 Jun 2015 06:41:49 +0000 (06:41 +0000)]
CC: openvpn: bump to 2.3.7.
Two patches are dropped as they were already applied upstream.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 46027

18 months agokernel: upgrade to 3.18.75
Zoltan HERPAI [Thu, 12 Oct 2017 12:13:56 +0000 (14:13 +0200)]
kernel: upgrade to 3.18.75

Runtime-tested on ar71xx.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
18 months agoMerge pull request #543 from wigyori/cc-sec
Zoltan Herpai [Thu, 5 Oct 2017 13:38:43 +0000 (15:38 +0200)]
Merge pull request #543 from wigyori/cc-sec

CC: dnsmasq: bump to v2.78
18 months agoCC: dnsmasq: bump to v2.78
Kevin Darbyshire-Bryant [Thu, 5 Oct 2017 12:47:30 +0000 (14:47 +0200)]
CC: dnsmasq: bump to v2.78
Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495, 2017-CVE-14496

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
18 months agoMerge pull request #536 from wigyori/cc-sec
Zoltan Herpai [Wed, 4 Oct 2017 21:53:57 +0000 (23:53 +0200)]
Merge pull request #536 from wigyori/cc-sec

Security upgrade for CC

19 months agoCC: tcpdump: upgrade to 4.9.2
Zoltan HERPAI [Mon, 18 Sep 2017 18:11:38 +0000 (20:11 +0200)]
CC: tcpdump: upgrade to 4.9.2
Fixes:
CVE-2017-11541
CVE-2017-11541
CVE-2017-11542
CVE-2017-11542
CVE-2017-11543
CVE-2017-11543
CVE-2017-12893
CVE-2017-12894
CVE-2017-12895
CVE-2017-12896
CVE-2017-12897
CVE-2017-12898
CVE-2017-12899
CVE-2017-12900
CVE-2017-12901
CVE-2017-12902
CVE-2017-12985
CVE-2017-12986
CVE-2017-12987
CVE-2017-12988
CVE-2017-12989
CVE-2017-12990
CVE-2017-12991
CVE-2017-12992
CVE-2017-12993
CVE-2017-12994
CVE-2017-12995
CVE-2017-12996
CVE-2017-12997
CVE-2017-12998
CVE-2017-12999
CVE-2017-13000
CVE-2017-13001
CVE-2017-13002
CVE-2017-13003
CVE-2017-13004
CVE-2017-13005
CVE-2017-13006
CVE-2017-13007
CVE-2017-13008
CVE-2017-13009
CVE-2017-13010
CVE-2017-13011
CVE-2017-13012
CVE-2017-13013
CVE-2017-13014
CVE-2017-13015
CVE-2017-13016
CVE-2017-13017
CVE-2017-13018
CVE-2017-13019
CVE-2017-13020
CVE-2017-13021
CVE-2017-13022
CVE-2017-13023
CVE-2017-13024
CVE-2017-13025
CVE-2017-13026
CVE-2017-13027
CVE-2017-13028
CVE-2017-13029
CVE-2017-13030
CVE-2017-13031
CVE-2017-13032
CVE-2017-13033
CVE-2017-13034
CVE-2017-13035
CVE-2017-13036
CVE-2017-13037
CVE-2017-13038
CVE-2017-13039
CVE-2017-13040
CVE-2017-13041
CVE-2017-13042
CVE-2017-13043
CVE-2017-13044
CVE-2017-13045
CVE-2017-13046
CVE-2017-13047
CVE-2017-13048
CVE-2017-13049
CVE-2017-13050
CVE-2017-13051
CVE-2017-13052
CVE-2017-13053
CVE-2017-13054
CVE-2017-13055
CVE-2017-13687
CVE-2017-13688
CVE-2017-13689
CVE-2017-13690
CVE-2017-13725
[thanks to Stijn Tintel for listing the CVEs in LEDE 2375e27.]

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
19 months agotcpdump: fix tcpdump-mini build on glibc 2.25
Felix Fietkau [Mon, 18 Sep 2017 17:55:11 +0000 (19:55 +0200)]
tcpdump: fix tcpdump-mini build on glibc 2.25

Signed-off-by: Felix Fietkau <nbd@nbd.name>
19 months agotcpdump: Update to 4.9.1
Daniel Engberg [Mon, 18 Sep 2017 13:28:54 +0000 (15:28 +0200)]
tcpdump: Update to 4.9.1

Update tcpdump to 4.9.1

Fixes:
 * CVE-2017-11108: Fix bounds checking for STP.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
19 months agotcpdump: update to version 4.9.0
Hauke Mehrtens [Mon, 18 Sep 2017 13:26:45 +0000 (15:26 +0200)]
tcpdump: update to version 4.9.0

This fixes the following 41 security problems:
 + CVE-2016-7922: buffer overflow in print-ah.c:ah_print().
 + CVE-2016-7923: buffer overflow in print-arp.c:arp_print().
 + CVE-2016-7924: buffer overflow in print-atm.c:oam_print().
 + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print().
 + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print().
 + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print().
 + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print().
 + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header().
 + CVE-2016-7930: buffer overflow in print-llc.c:llc_print().
 + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print().
 + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum().
 + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print().
 + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print().
 + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print().
 + CVE-2016-7936: buffer overflow in print-udp.c:udp_print().
 + CVE-2016-7937: buffer overflow in print-udp.c:vat_print().
 + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame().
 + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions.
 + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions.
 + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions.
 + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions.
 + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print().
 + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print().
 + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print().
 + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print().
 + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions.
 + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print().
 + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a
      buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP,
      lightweight resolver protocol, PIM).
 + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print().
 + CVE-2016-8575: buffer overflow in print-fr.c:q933_print().
 + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print().
 + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print().
 + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print().
 + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print().
 + CVE-2017-5341: buffer overflow in print-otv.c:otv_print().
 + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH,
      OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in
      print-ether.c:ether_print().
 + CVE-2017-5482: buffer overflow in print-fr.c:q933_print().
 + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse().
 + CVE-2017-5484: buffer overflow in print-atm.c:sig_print().
 + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap().
 + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print().

The size of the package is only incread very little:
new size:
306430 tcpdump_4.9.0-1_mips_24kc.ipk
130324 tcpdump-mini_4.9.0-1_mips_24kc.ipk

old size:
302782 tcpdump_4.8.1-1_mips_24kc.ipk
129033 tcpdump-mini_4.8.1-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
19 months agotcpdump: reduce size of -mini by removing more infrequently used protocols
Felix Fietkau [Mon, 18 Sep 2017 13:24:13 +0000 (15:24 +0200)]
tcpdump: reduce size of -mini by removing more infrequently used protocols

This removes:
- BGP
- CDP
- SCTP

MIPS binary .ipk size is reduced from ~150k to ~130k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
19 months agoCC: net/utils/tcpdump: update to 4.8.1
Paul Wassi [Mon, 18 Sep 2017 12:51:15 +0000 (14:51 +0200)]
CC: net/utils/tcpdump: update to 4.8.1
Update tcpdump to upstream release 4.8.1

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
19 months agoCC: kernel: upgrade to 3.18.71
Zoltan HERPAI [Mon, 18 Sep 2017 11:28:31 +0000 (13:28 +0200)]
CC: kernel: upgrade to 3.18.71
 - refresh patches
 - fix patches for UML
 - runtime-tested on ar71xx, imx6, sunxi

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
19 months agoCC: upgrade kernel to 3.18.68
Zoltan HERPAI [Sun, 17 Sep 2017 00:00:14 +0000 (02:00 +0200)]
CC: upgrade kernel to 3.18.68
 - compile tested on sunxi, imx6
 - runtime tested on sunxi, imx6
 - refresh patches
 - remove unnecessary patches

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
19 months agoCC: samba: fix CVE-2017-7494
Stijn Tintel [Fri, 1 Sep 2017 11:38:13 +0000 (13:38 +0200)]
CC: samba: fix CVE-2017-7494
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
19 months agodropbear: bump to 2017.75
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 12:35:11 +0000 (14:35 +0200)]
dropbear: bump to 2017.75

- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink.  Dropbear parsed authorized_keys as root, even if it were a
symlink.  The fix is to switch to user permissions when opening
authorized_keys

A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
19 months agodropbear: enable SHA256 HMACs
Joseph C. Sible [Thu, 31 Aug 2017 12:33:16 +0000 (14:33 +0200)]
dropbear: enable SHA256 HMACs

The only HMACs currently available use MD5 and SHA1, both of which have known
weaknesses. We already compile in the SHA256 code since we use Curve25519
by default, so there's no significant size penalty to enabling this.

Signed-off-by: Joseph C. Sible <josephcsible@users.noreply.github.com>
19 months agodropbear: hide dropbear version
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 12:32:39 +0000 (14:32 +0200)]
dropbear: hide dropbear version

As security precaution and to limit the attack surface based on
the version reported by tools like nmap mask out the dropbear
version so the version is not visible anymore by snooping on the
wire. Version is still visible by 'dropbear -V'

Based on a patch by Hans Dedecker <dedeckeh@gmail.com>

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
19 months agodnsmasq: forward.c: fix CVE-2017-13704
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 11:57:02 +0000 (13:57 +0200)]
dnsmasq: forward.c: fix CVE-2017-13704

Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
is called with header & limit pointing at the same address and thus
tries to clear memory from before the buffer begins.

answer_request() is called with an invalid edns packet size provided by
the client.  Ensure the udp_size provided by the client is bounded by
512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
MUST be treated as equal to 512"

The client that exposed the problem provided a payload udp size of 0.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
19 months agodnsmasq: bump to 2.77
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 11:50:12 +0000 (13:50 +0200)]
dnsmasq: bump to 2.77

Bump to the 2.77 release after quite a few test & release candidates.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
19 months agodnsmasq: bump to 2.77rc5
Hans Dedecker [Thu, 31 Aug 2017 11:49:18 +0000 (13:49 +0200)]
dnsmasq: bump to 2.77rc5

Some small tweaks and improvements :

9828ab1 Fix compiler warning.
f77700a Fix compiler warning.
0fbd980 Fix compiler warning.
43cdf1c Remove automatic IDN support when building i18n.
ff19b1a Fix &/&& confusion.
2aaea18 Add .gitattributes to substitute VERSION on export.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
19 months agodnsmasq: make NO_ID optional in full variant
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 11:48:22 +0000 (13:48 +0200)]
dnsmasq: make NO_ID optional in full variant

Permit users of the full variant to disable the NO_ID *.bind pseudo
domain masking.

Defaulted 'on' in all variants.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
19 months agodnsmasq: Don't expose *.bind data incl version
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:43:46 +0000 (12:43 +0200)]
dnsmasq: Don't expose *.bind data incl version

Don't expose dnsmasq version & other data to clients via the *.bind
pseudo domain.  This uses a new 'NO_ID' compile time option which has been
discussed and submitted upstream.

This is an alternate to replacing version with 'unknown' which affects
the version reported to syslog and 'dnsmasq --version'

Run time tested with & without NO_ID on Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
19 months agodnsmasq: bump to 2.77rc3
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:40:49 +0000 (12:40 +0200)]
dnsmasq: bump to 2.77rc3

Fix [FS#766] Intermittent SIGSEGV crash of dnsmasq-full

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
19 months agodnsmasq: bump to 2.77test5
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:37:35 +0000 (12:37 +0200)]
dnsmasq: bump to 2.77test5

A number of small tweaks & improvements on the way to a final release.
Most notable:

Improve DHCPv4 address-in-use check.
Remove the recently introduced RFC-6842 (Client-ids in DHCP replies)
support as it turns out some clients are getting upset.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
19 months agodnsmasq: bump to dnsmasq v2.77test4
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:36:33 +0000 (12:36 +0200)]
dnsmasq: bump to dnsmasq v2.77test4

--bogus-priv now applies to IPv6 prefixes as specified in RFC6303 - this
is significantly friendlier to upstream servers.

CNAME fix in auth mode - A domain can only have a CNAME if it has no
other records

Drop 2 patches now included upstream.

Compile & run tested Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
19 months agodnsmasq: bump to dnsmasq v2.77test3
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:35:12 +0000 (12:35 +0200)]
dnsmasq: bump to dnsmasq v2.77test3

New test release (since test1) includes 2 LEDE patches that are
upstream and may be dropped, along with many spelling fixes.

Add forthcoming 2017 root zone trust anchor to trust-anchors.conf.

Backport 2 patches that just missed test3:

Reduce logspam of those domains handled locally 'local addresses only'
Implement RFC-6842 (Client-ids in DHCP replies)

Compile & run tested Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
19 months agodnsmasq: update to dnsmasq 2.77test1
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:32:32 +0000 (12:32 +0200)]
dnsmasq: update to dnsmasq 2.77test1

Bump to dnsmasq 2.77test1 - this includes a number of fixes since 2.76
and allows dropping of 2 LEDE carried patches.

Notable fix in rrfilter code when talking to Nominum's DNS servers
especially with DNSSEC.

A patch to switch dnsmasq back to 'soft fail' for SERVFAIL responses
from dns servers is also included.  This mean dnsmasq tries all
configured servers before giving up.

A 'localise queries' enhancement has also been backported (it will
appear in test2/rc'n') this is especially important if using the
recently imported to LEDE 'use dnsmasq standalone' feature 9525743c

I have been following dnsmasq HEAD ever since 2.76 release.
Compile & Run tested: ar71xx, Archer C7 v2

Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
19 months agodnsmasq: Bump to dnsmasq2.75
Hauke Mehrtens [Thu, 31 Aug 2017 09:09:48 +0000 (11:09 +0200)]
dnsmasq: Bump to dnsmasq2.75

Fixes a 100% cpu usage issue if using dhcp-script.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
19 months agodnsmasq: Bump to dnsmasq2.74
Steven Barth [Thu, 31 Aug 2017 09:09:05 +0000 (11:09 +0200)]
dnsmasq: Bump to dnsmasq2.74

Bump to dnsmasq2.74 & refresh patches to fix fuzz

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>