Zoltan Herpai [Wed, 18 Oct 2017 05:06:21 +0000 (07:06 +0200)]
Merge pull request #561 from zx2c4/patch-2
wireguard: simple version bump [for chaos_calmer]
Jason A. Donenfeld [Tue, 17 Oct 2017 17:40:03 +0000 (19:40 +0200)]
wireguard: simple version bump
This is a simple version bump.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Zoltan Herpai [Mon, 16 Oct 2017 15:44:38 +0000 (17:44 +0200)]
Merge pull request #557 from zx2c4/for-chaos
wireguard: add wireguard to base packages [chaos branch]
Zoltan Herpai [Mon, 16 Oct 2017 15:35:00 +0000 (17:35 +0200)]
Merge pull request #555 from wigyori/cc-hostapd2
CC: upgrade hostapd to 2016-06-15, include KRACK fix
Jason A. Donenfeld [Fri, 13 Oct 2017 15:05:18 +0000 (17:05 +0200)]
wireguard: add wireguard to base packages
Move wireguard from openwrt/packages to openwrt/openwrt. This has already
been done with lede/source and has already been removed from
openwrt/packages, and so this commit brings this to parity here, so that
there isn't a regression for openwrt users. Original message follows below:
This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.
WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Zoltan Herpai [Mon, 16 Oct 2017 13:49:25 +0000 (15:49 +0200)]
Merge pull request #554 from wigyori/cc-ovpn2
CC: mbedtls fixes
Zoltan HERPAI [Mon, 16 Oct 2017 13:03:27 +0000 (15:03 +0200)]
CC: polarssl: fix incorrect md5sum
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Kevin Darbyshire-Bryant [Wed, 12 Oct 2016 10:42:15 +0000 (11:42 +0100)]
CC: mbedtls: enable NIST curves optimisation.
luci using ustream-mbedtls is extremely slow vs ustream-polarssl.
polarssl alias mbedtls v1 is configured to use NIST prime speed
optimisation, so no longer disable the default optimisation for
mbedtls v2.
Compile & run tested: Archer C7v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
[Jo-Philipp Wich: refresh patch to use common format]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Zoltan HERPAI [Mon, 16 Oct 2017 12:38:45 +0000 (14:38 +0200)]
CC: hostapd: fix WPA packet number reuse with replayed messages and key reinstallation
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088
For more information, please refer to:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Felix Fietkau [Wed, 15 Jun 2016 15:11:43 +0000 (17:11 +0200)]
CC: hostapd: update to version 2016-06-15
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Michal Hrusecky [Thu, 12 May 2016 12:07:15 +0000 (14:07 +0200)]
CC: hostapd: Update to version 2016-05-05
Fixes CVE-2016-4476 and few possible memory leaks.
Signed-off-by: Michal Hrusecky <Michal.Hrusecky@nic.cz>
Felix Fietkau [Thu, 28 Jan 2016 17:20:10 +0000 (17:20 +0000)]
CC: hostapd: fix mesh interface bridge handling
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48529
Felix Fietkau [Thu, 28 Jan 2016 17:19:48 +0000 (17:19 +0000)]
CC: hostapd: fix wpad-mesh and wpa-supplicant-mesh configuration issues
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48528
Felix Fietkau [Fri, 11 Sep 2015 16:31:18 +0000 (16:31 +0000)]
CC: hostapd: work around unconditional libopenssl build dependency
As the OpenWrt build system only resolves build dependencies per directory,
all hostapd variants were causing libopenssl to be downloaded and built,
not only wpad-mesh. Fix this by applying the same workaround as in
ustream-ssl.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 46851
Felix Fietkau [Thu, 28 Jan 2016 17:19:13 +0000 (17:19 +0000)]
hostapd: update to version 2016-01-15
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
[Drop 014 - Zoltan HERPAI <wigyori@uid0.hu>]
Felix Fietkau [Mon, 2 Nov 2015 18:12:54 +0000 (18:12 +0000)]
CC: hostapd: add default value to eapol_version (#20641)
r46861 introduced a new option eapol_version to hostapd, but did not
provide a default value. When the option value is evaluated,
the non-existing value causes errors to the systen log:
"netifd: radio0: sh: out of range"
Add a no-op default value 0 for eapol_version. Only values 1 or 2 are
actually passed on, so 0 will not change the default action in hostapd.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 47361
Felix Fietkau [Fri, 11 Sep 2015 16:33:54 +0000 (16:33 +0000)]
CC: hostapd: Add eapol_version config option
Add eapol_version to the openwrt wireless config ssid section.
Only eapol_version=1 and 2 will get passed to hostapd, the default
in hostapd is 2.
This is only useful for really old client devices that don't
accept eapol_version=2.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
SVN-Revision: 46861
Zoltan Herpai [Mon, 16 Oct 2017 07:27:54 +0000 (09:27 +0200)]
Merge pull request #550 from wigyori/cc-ovpn2
CC: sec upgrade for openvpn, polarssl, lzo
Zoltan Herpai [Thu, 12 Oct 2017 15:54:18 +0000 (17:54 +0200)]
Merge pull request #549 from wigyori/cc-sec
CC: kernel: upgrade to 3.18.75
Hauke Mehrtens [Wed, 13 Jul 2016 15:44:26 +0000 (17:44 +0200)]
CC: polarssl: update to version 1.3.17
This fixes 3 minor security problems.
SSLv3 is deactivated by default now.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Jo-Philipp Wich [Sat, 11 Jun 2016 01:18:07 +0000 (03:18 +0200)]
CC: polarssl: enable AES-GCM and CAMELLIA-GCM ciphersuites
Recent versions of Chrome require this ciphers to successfully handshake with
a TLS enabled uhttpd server using the ustream-polarssl backend.
If `CONFIG_GCM` is disabled, `ssl_ciphersuite_from_id()` will return `NULL`
when cipher `0x9d` is looked up, causing the calling `ssl_ciphersuite_match()`
to fail with `POLARSSL_ERR_SSL_INTERNAL_ERROR`.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Felix Fietkau [Sat, 16 Jan 2016 00:20:05 +0000 (00:20 +0000)]
CC: polarssl: update to 1.3.16, fixes intermediate certificate validation
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48257
Hauke Mehrtens [Thu, 3 Dec 2015 21:00:45 +0000 (21:00 +0000)]
CC: polarssl: update to version 1.3.15
This is a minor version update which fixes some small bugs. None of
these bugs were exploitable according to the release notes.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
SVN-Revision: 47724
Zoltan HERPAI [Thu, 12 Oct 2017 15:12:05 +0000 (17:12 +0200)]
CC: lzo: update to 2.10
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
John Crispin [Fri, 1 Apr 2016 07:12:11 +0000 (07:12 +0000)]
CC: package/libs/lzo: update version to 2.09
Updates lzo to version 2.09 and changes copyright to 2016.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
SVN-Revision: 49110
Zoltan HERPAI [Thu, 12 Oct 2017 15:07:59 +0000 (17:07 +0200)]
CC: openvpn: bump to 2.3.18
Fixes (above various bugs):
CVE-2017-7478
CVE-2017-7479
CVE-2017-7521
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Magnus Kroken [Sat, 10 Dec 2016 11:02:03 +0000 (12:02 +0100)]
CC: openvpn: quote parameters to --push in openvpn config file
OpenVPN requires arguments to --push to be enclosed in double quotes.
One set of quotes is stripped when the UCI config is parsed.
Change append_params() of openvpn.init to enclose push parameters in
double quotes.
Unquoted push parameters do not cause errors in OpenVPN 2.3,
but OpenVPN 2.4 fails to start with unquoted push parameters.
Fixes: FS#290.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Magnus Kroken [Thu, 17 Nov 2016 17:43:25 +0000 (18:43 +0100)]
CC: openvpn: update to 2.3.13
Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
John Crispin [Thu, 27 Oct 2016 17:52:33 +0000 (19:52 +0200)]
CC: openvpn: cacert does not exist
cacert is really called ca and already in the script
Signed-off-by: John Crispin <john@phrozen.org>
John Crispin [Thu, 27 Oct 2016 13:19:59 +0000 (15:19 +0200)]
CC: openvpn: add handling for capath and cafile
Signed-off-by: John Crispin <john@phrozen.org>
Magnus Kroken [Tue, 23 Aug 2016 22:14:46 +0000 (00:14 +0200)]
CC: openvpn: update to 2.3.12
300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream.
Replaced 101-remove_polarssl_debug_call.patch with upstream backport.
Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Jo-Philipp Wich [Tue, 28 Jun 2016 08:47:22 +0000 (10:47 +0200)]
CC: openvpn: fix missing cipher list for polarssl in v2.3.11
Upstream OpenSSL hardening work introduced a change in shared code that
causes polarssl / mbedtls builds to break when no --tls-cipher is specified.
Import the upstream fix commit as patch until the next OpenVPN release gets
released and packaged.
Reported-by: Sebastian Koch <seb@metafly.info>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Magnus Kroken [Sun, 12 Jun 2016 21:49:42 +0000 (23:49 +0200)]
CC: openvpn: update to 2.3.11
Security fixes:
* Fixed port-share bug with DoS potential
* Fix buffer overflow by user supplied data
Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Matteo Panella [Sat, 4 Jun 2016 13:15:03 +0000 (15:15 +0200)]
CC: openvpn: add support for tls-version-min
Currently, the uci data model does not provide support for specifying
the minimum TLS version supported in an OpenVPN instance (be it server
or client).
This patch adds support for writing the relevant option to the openvpn
configuration file at service startup.
Signed-off-by: Matteo Panella <morpheus@level28.org>
[Jo-Philipp Wich: shorten commit title, bump pkg release]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Dirk Neukirchen [Tue, 31 May 2016 07:23:53 +0000 (09:23 +0200)]
CC: openvpn: remove unrecognized option
removed upstream in
https://github.com/OpenVPN/openvpn/commit/
9ffd00e7541d83571b9eec087c6b3545ff68441f
now its always on
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
John Crispin [Tue, 8 Mar 2016 18:12:02 +0000 (18:12 +0000)]
CC: openvpn: add support for X.509 name options
x509-username-field was added in OpenVPN 2.2, and verify-x509-name was
added in 2.3. This fixes ticket #18807.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
SVN-Revision: 48969
Felix Fietkau [Mon, 11 Jan 2016 18:37:28 +0000 (18:37 +0000)]
CC: openvpn: update to version 2.3.10
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48201
Felix Fietkau [Thu, 7 Jan 2016 21:08:05 +0000 (21:08 +0000)]
CC: openvpn: added service_triggers() to init script
Follow up of #21469
This patch enables autoreloading openvpn via procd.
Signed-off-by: Federico Capoano <nemesis@ninux.org>
SVN-Revision: 48150
John Crispin [Wed, 23 Dec 2015 14:44:24 +0000 (14:44 +0000)]
CC: openvpn: fix configure options
- eurephia:
commit: Remove the --disable-eurephia configure option
- fix option name:
http proxy option is now called http-proxy (see configure.ac)
fixes:
configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 47979
Felix Fietkau [Tue, 10 Nov 2015 12:04:04 +0000 (12:04 +0000)]
CC: openvpn: enable options consistency check even in the small build
Only costs about 3k compressed, but significantly improves handling of
configuration mismatch
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 47439
John Crispin [Mon, 5 Oct 2015 10:28:47 +0000 (10:28 +0000)]
CC: openvpn: add handling for route-pre-down option
OpenVPN 2.3 added a route-pre-down option, to run a command before
routes are removed upon disconnection.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
SVN-Revision: 47134
Felix Fietkau [Thu, 18 Jun 2015 06:41:49 +0000 (06:41 +0000)]
CC: openvpn: bump to 2.3.7.
Two patches are dropped as they were already applied upstream.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 46027
Zoltan HERPAI [Thu, 12 Oct 2017 12:13:56 +0000 (14:13 +0200)]
kernel: upgrade to 3.18.75
Runtime-tested on ar71xx.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Zoltan Herpai [Thu, 5 Oct 2017 13:38:43 +0000 (15:38 +0200)]
Merge pull request #543 from wigyori/cc-sec
CC: dnsmasq: bump to v2.78
Kevin Darbyshire-Bryant [Thu, 5 Oct 2017 12:47:30 +0000 (14:47 +0200)]
CC: dnsmasq: bump to v2.78
Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495, 2017-CVE-14496
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Zoltan Herpai [Wed, 4 Oct 2017 21:53:57 +0000 (23:53 +0200)]
Merge pull request #536 from wigyori/cc-sec
Security upgrade for CC
Zoltan HERPAI [Mon, 18 Sep 2017 18:11:38 +0000 (20:11 +0200)]
CC: tcpdump: upgrade to 4.9.2
Fixes:
CVE-2017-11541
CVE-2017-11541
CVE-2017-11542
CVE-2017-11542
CVE-2017-11543
CVE-2017-11543
CVE-2017-12893
CVE-2017-12894
CVE-2017-12895
CVE-2017-12896
CVE-2017-12897
CVE-2017-12898
CVE-2017-12899
CVE-2017-12900
CVE-2017-12901
CVE-2017-12902
CVE-2017-12985
CVE-2017-12986
CVE-2017-12987
CVE-2017-12988
CVE-2017-12989
CVE-2017-12990
CVE-2017-12991
CVE-2017-12992
CVE-2017-12993
CVE-2017-12994
CVE-2017-12995
CVE-2017-12996
CVE-2017-12997
CVE-2017-12998
CVE-2017-12999
CVE-2017-13000
CVE-2017-13001
CVE-2017-13002
CVE-2017-13003
CVE-2017-13004
CVE-2017-13005
CVE-2017-13006
CVE-2017-13007
CVE-2017-13008
CVE-2017-13009
CVE-2017-13010
CVE-2017-13011
CVE-2017-13012
CVE-2017-13013
CVE-2017-13014
CVE-2017-13015
CVE-2017-13016
CVE-2017-13017
CVE-2017-13018
CVE-2017-13019
CVE-2017-13020
CVE-2017-13021
CVE-2017-13022
CVE-2017-13023
CVE-2017-13024
CVE-2017-13025
CVE-2017-13026
CVE-2017-13027
CVE-2017-13028
CVE-2017-13029
CVE-2017-13030
CVE-2017-13031
CVE-2017-13032
CVE-2017-13033
CVE-2017-13034
CVE-2017-13035
CVE-2017-13036
CVE-2017-13037
CVE-2017-13038
CVE-2017-13039
CVE-2017-13040
CVE-2017-13041
CVE-2017-13042
CVE-2017-13043
CVE-2017-13044
CVE-2017-13045
CVE-2017-13046
CVE-2017-13047
CVE-2017-13048
CVE-2017-13049
CVE-2017-13050
CVE-2017-13051
CVE-2017-13052
CVE-2017-13053
CVE-2017-13054
CVE-2017-13055
CVE-2017-13687
CVE-2017-13688
CVE-2017-13689
CVE-2017-13690
CVE-2017-13725
[thanks to Stijn Tintel for listing the CVEs in LEDE
2375e27.]
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Felix Fietkau [Mon, 18 Sep 2017 17:55:11 +0000 (19:55 +0200)]
tcpdump: fix tcpdump-mini build on glibc 2.25
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Daniel Engberg [Mon, 18 Sep 2017 13:28:54 +0000 (15:28 +0200)]
tcpdump: Update to 4.9.1
Update tcpdump to 4.9.1
Fixes:
* CVE-2017-11108: Fix bounds checking for STP.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Hauke Mehrtens [Mon, 18 Sep 2017 13:26:45 +0000 (15:26 +0200)]
tcpdump: update to version 4.9.0
This fixes the following 41 security problems:
+ CVE-2016-7922: buffer overflow in print-ah.c:ah_print().
+ CVE-2016-7923: buffer overflow in print-arp.c:arp_print().
+ CVE-2016-7924: buffer overflow in print-atm.c:oam_print().
+ CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print().
+ CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print().
+ CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print().
+ CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print().
+ CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header().
+ CVE-2016-7930: buffer overflow in print-llc.c:llc_print().
+ CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print().
+ CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum().
+ CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print().
+ CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print().
+ CVE-2016-7935: buffer overflow in print-udp.c:rtp_print().
+ CVE-2016-7936: buffer overflow in print-udp.c:udp_print().
+ CVE-2016-7937: buffer overflow in print-udp.c:vat_print().
+ CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame().
+ CVE-2016-7939: buffer overflow in print-gre.c, multiple functions.
+ CVE-2016-7940: buffer overflow in print-stp.c, multiple functions.
+ CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions.
+ CVE-2016-7974: buffer overflow in print-ip.c, multiple functions.
+ CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print().
+ CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print().
+ CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print().
+ CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print().
+ CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions.
+ CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print().
+ CVE-2016-7993: a bug in util-print.c:relts_print() could cause a
buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP,
lightweight resolver protocol, PIM).
+ CVE-2016-8574: buffer overflow in print-fr.c:frf15_print().
+ CVE-2016-8575: buffer overflow in print-fr.c:q933_print().
+ CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print().
+ CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print().
+ CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print().
+ CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print().
+ CVE-2017-5341: buffer overflow in print-otv.c:otv_print().
+ CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH,
OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in
print-ether.c:ether_print().
+ CVE-2017-5482: buffer overflow in print-fr.c:q933_print().
+ CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse().
+ CVE-2017-5484: buffer overflow in print-atm.c:sig_print().
+ CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap().
+ CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print().
The size of the package is only incread very little:
new size:
306430 tcpdump_4.9.0-1_mips_24kc.ipk
130324 tcpdump-mini_4.9.0-1_mips_24kc.ipk
old size:
302782 tcpdump_4.8.1-1_mips_24kc.ipk
129033 tcpdump-mini_4.8.1-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Felix Fietkau [Mon, 18 Sep 2017 13:24:13 +0000 (15:24 +0200)]
tcpdump: reduce size of -mini by removing more infrequently used protocols
This removes:
- BGP
- CDP
- SCTP
MIPS binary .ipk size is reduced from ~150k to ~130k
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Paul Wassi [Mon, 18 Sep 2017 12:51:15 +0000 (14:51 +0200)]
CC: net/utils/tcpdump: update to 4.8.1
Update tcpdump to upstream release 4.8.1
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
Zoltan HERPAI [Mon, 18 Sep 2017 11:28:31 +0000 (13:28 +0200)]
CC: kernel: upgrade to 3.18.71
- refresh patches
- fix patches for UML
- runtime-tested on ar71xx, imx6, sunxi
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Zoltan HERPAI [Sun, 17 Sep 2017 00:00:14 +0000 (02:00 +0200)]
CC: upgrade kernel to 3.18.68
- compile tested on sunxi, imx6
- runtime tested on sunxi, imx6
- refresh patches
- remove unnecessary patches
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Stijn Tintel [Fri, 1 Sep 2017 11:38:13 +0000 (13:38 +0200)]
CC: samba: fix CVE-2017-7494
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 12:35:11 +0000 (14:35 +0200)]
dropbear: bump to 2017.75
- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user. Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/
c8114a48837c
- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink. Dropbear parsed authorized_keys as root, even if it were a
symlink. The fix is to switch to user permissions when opening
authorized_keys
A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/
0d889b068123
Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Joseph C. Sible [Thu, 31 Aug 2017 12:33:16 +0000 (14:33 +0200)]
dropbear: enable SHA256 HMACs
The only HMACs currently available use MD5 and SHA1, both of which have known
weaknesses. We already compile in the SHA256 code since we use Curve25519
by default, so there's no significant size penalty to enabling this.
Signed-off-by: Joseph C. Sible <josephcsible@users.noreply.github.com>
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 12:32:39 +0000 (14:32 +0200)]
dropbear: hide dropbear version
As security precaution and to limit the attack surface based on
the version reported by tools like nmap mask out the dropbear
version so the version is not visible anymore by snooping on the
wire. Version is still visible by 'dropbear -V'
Based on a patch by Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 11:57:02 +0000 (13:57 +0200)]
dnsmasq: forward.c: fix CVE-2017-13704
Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
is called with header & limit pointing at the same address and thus
tries to clear memory from before the buffer begins.
answer_request() is called with an invalid edns packet size provided by
the client. Ensure the udp_size provided by the client is bounded by
512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
MUST be treated as equal to 512"
The client that exposed the problem provided a payload udp size of 0.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 11:50:12 +0000 (13:50 +0200)]
dnsmasq: bump to 2.77
Bump to the 2.77 release after quite a few test & release candidates.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Hans Dedecker [Thu, 31 Aug 2017 11:49:18 +0000 (13:49 +0200)]
dnsmasq: bump to 2.77rc5
Some small tweaks and improvements :
9828ab1 Fix compiler warning.
f77700a Fix compiler warning.
0fbd980 Fix compiler warning.
43cdf1c Remove automatic IDN support when building i18n.
ff19b1a Fix &/&& confusion.
2aaea18 Add .gitattributes to substitute VERSION on export.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 11:48:22 +0000 (13:48 +0200)]
dnsmasq: make NO_ID optional in full variant
Permit users of the full variant to disable the NO_ID *.bind pseudo
domain masking.
Defaulted 'on' in all variants.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:43:46 +0000 (12:43 +0200)]
dnsmasq: Don't expose *.bind data incl version
Don't expose dnsmasq version & other data to clients via the *.bind
pseudo domain. This uses a new 'NO_ID' compile time option which has been
discussed and submitted upstream.
This is an alternate to replacing version with 'unknown' which affects
the version reported to syslog and 'dnsmasq --version'
Run time tested with & without NO_ID on Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:40:49 +0000 (12:40 +0200)]
dnsmasq: bump to 2.77rc3
Fix [FS#766] Intermittent SIGSEGV crash of dnsmasq-full
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:37:35 +0000 (12:37 +0200)]
dnsmasq: bump to 2.77test5
A number of small tweaks & improvements on the way to a final release.
Most notable:
Improve DHCPv4 address-in-use check.
Remove the recently introduced RFC-6842 (Client-ids in DHCP replies)
support as it turns out some clients are getting upset.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:36:33 +0000 (12:36 +0200)]
dnsmasq: bump to dnsmasq v2.77test4
--bogus-priv now applies to IPv6 prefixes as specified in RFC6303 - this
is significantly friendlier to upstream servers.
CNAME fix in auth mode - A domain can only have a CNAME if it has no
other records
Drop 2 patches now included upstream.
Compile & run tested Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:35:12 +0000 (12:35 +0200)]
dnsmasq: bump to dnsmasq v2.77test3
New test release (since test1) includes 2 LEDE patches that are
upstream and may be dropped, along with many spelling fixes.
Add forthcoming 2017 root zone trust anchor to trust-anchors.conf.
Backport 2 patches that just missed test3:
Reduce logspam of those domains handled locally 'local addresses only'
Implement RFC-6842 (Client-ids in DHCP replies)
Compile & run tested Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant [Thu, 31 Aug 2017 10:32:32 +0000 (12:32 +0200)]
dnsmasq: update to dnsmasq 2.77test1
Bump to dnsmasq 2.77test1 - this includes a number of fixes since 2.76
and allows dropping of 2 LEDE carried patches.
Notable fix in rrfilter code when talking to Nominum's DNS servers
especially with DNSSEC.
A patch to switch dnsmasq back to 'soft fail' for SERVFAIL responses
from dns servers is also included. This mean dnsmasq tries all
configured servers before giving up.
A 'localise queries' enhancement has also been backported (it will
appear in test2/rc'n') this is especially important if using the
recently imported to LEDE 'use dnsmasq standalone' feature
9525743c
I have been following dnsmasq HEAD ever since 2.76 release.
Compile & Run tested: ar71xx, Archer C7 v2
Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Hauke Mehrtens [Thu, 31 Aug 2017 09:09:48 +0000 (11:09 +0200)]
dnsmasq: Bump to dnsmasq2.75
Fixes a 100% cpu usage issue if using dhcp-script.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Steven Barth [Thu, 31 Aug 2017 09:09:05 +0000 (11:09 +0200)]
dnsmasq: Bump to dnsmasq2.74
Bump to dnsmasq2.74 & refresh patches to fix fuzz
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Jo-Philipp Wich [Thu, 31 Aug 2017 06:52:10 +0000 (08:52 +0200)]
rules.mk: add TARGET_INIT_PATH toplevel variables
Add a new variable TARGET_INIT_PATH which holds the default $PATH variable
value configured in menuconfig.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Jo-Philipp Wich [Thu, 31 Aug 2017 06:51:44 +0000 (08:51 +0200)]
CC: dropbear: security update to 2016.74
- Security: Message printout was vulnerable to format string injection.
If specific usernames including "%" symbols can be created on a system
(validated by getpwnam()) then an attacker could run arbitrary code as root
when connecting to Dropbear server.
A dbclient user who can control username or host arguments could potentially
run arbitrary code as the dbclient user. This could be a problem if scripts
or webpages pass untrusted input to the dbclient program.
- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
the local dropbearconvert user when parsing malicious key files
- Security: dbclient could run arbitrary code as the local dbclient user if
particular -m or -c arguments are provided. This could be an issue where
dbclient is used in scripts.
- Security: dbclient or dropbear server could expose process memory to the
running user if compiled with DEBUG_TRACE and running with -v
The security issues were reported by an anonymous researcher working with
Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Thu, 31 Aug 2017 06:51:05 +0000 (08:51 +0200)]
CC: dropbear: update to 2016.73
Update the dropbear package to version 2016.73, refresh patches.
The measured .ipk sizes on an x86_64 build are:
94588 dropbear_2015.71-3_x86_64.ipk
95316 dropbear_2016.73-1_x86_64.ipk
This is an increase of roughly 700 bytes after compression.
Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Hans Dedecker [Thu, 31 Aug 2017 06:50:09 +0000 (08:50 +0200)]
CC: dropbear: Make utmp and putuline support configurable via seperate config options
Utmp support tracks who is currenlty logged in by logging info to the file /var/run/utmp (supported by busybox)
Putuline support will use the utmp structure to write to the utmp file
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Hans Dedecker [Thu, 31 Aug 2017 06:49:25 +0000 (08:49 +0200)]
CC: dropbear: Add procd interface triggers when interface config is specified
A dropbear instance having an interface config won't start if the interface is down as no
IP address is available.
Adding interface triggers for each configured interface executing the dropbear reload script
will start the dropbear instance when the interface is up.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Jo-Philipp Wich [Thu, 31 Aug 2017 06:48:55 +0000 (08:48 +0200)]
dropbear: honor CONFIG_TARGET_INIT_PATH
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Hannu Nyman [Thu, 31 Aug 2017 06:47:30 +0000 (08:47 +0200)]
CC: dropbear: update version to 2015.71
Update dropbear to version 2015.71, released on 3 Dec 2015.
Refresh patches.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Felix Fietkau [Thu, 31 Aug 2017 06:46:43 +0000 (08:46 +0200)]
dropbear: enable curve25519 support by default, increases compressed binary size by ~5 kb
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Thu, 31 Aug 2017 06:46:10 +0000 (08:46 +0200)]
CC: dropbear: split out curve25519 support into a separate config option
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Alexandru Ardelean [Thu, 31 Aug 2017 06:45:39 +0000 (08:45 +0200)]
CC: dropbear: add respawn param in case dropbear crashes
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Steven Barth [Thu, 31 Aug 2017 06:44:40 +0000 (08:44 +0200)]
CC: dropbear: remove generation and configuration of DSS keys
Signed-off-by: Steven Barth <steven@midlink.org>
Felix Fietkau [Thu, 31 Aug 2017 06:43:58 +0000 (08:43 +0200)]
dropbear: disable 3des, cbc mode, dss support, saves about 5k gzipped
While technically required by the RFC, they are usually completely
unused (DSA), or have security issues (3DES, CBC)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Steven Barth [Thu, 31 Aug 2017 06:43:09 +0000 (08:43 +0200)]
CC: dropbear: Disable telnet in favor of passwordless SSH
This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.
Signed-off-by: Steven Barth <steven@midlink.org>
Steven Barth [Thu, 31 Aug 2017 06:42:03 +0000 (08:42 +0200)]
CC: dropbear: bump to 2015.68
Signed-off-by: Steven Barth <steven@midlink.org>
Hauke Mehrtens [Thu, 9 Mar 2017 16:17:41 +0000 (17:17 +0100)]
CC: script: downlaod: change mirror for kernel.org
kernel.org now suggests a different mirror address. this one also
support IPv6 connections and was faster for me.
Backport from trunk's
1f9e25d.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Zoltan Herpai [Thu, 2 Feb 2017 14:12:22 +0000 (15:12 +0100)]
Merge pull request #339 from seragh/owrt-cc-mvebu-usb2-port
CC: mvebu: linksys: fix usb2 port address
Zoltan Herpai [Thu, 2 Feb 2017 14:11:48 +0000 (15:11 +0100)]
Merge pull request #341 from mattsm/backport_ubus_system_reboot
CC: procd: backport ability to reboot board via ubus
Matthew McClintock [Tue, 17 Jan 2017 17:04:46 +0000 (11:04 -0600)]
CC: procd: backport ability to reboot board via ubus
02d56c03115276aa4e2203ddbd411c3e587cf08f from procd git
Signed-off-by: Matthew McClintock <msm-oss@mcclintock.net>
Ralph Sennhauser [Tue, 17 Jan 2017 13:43:54 +0000 (14:43 +0100)]
CC: mvebu: linksys: fix usb2 port address
A copy paste error that got fixed in Linux 4.6 and backported to stable
kernels. As armada-385-linksys.dtsi wasn't upstreamed yet for 3.18 fix
the local copy to enable the usb2 portion of the combo port for
armada-385 based Linksys devices.
Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
Zoltan HERPAI [Mon, 19 Dec 2016 12:57:31 +0000 (13:57 +0100)]
CC: kernel: update to 3.18.45, refresh targets
Compile-tested on ar71xx, imx6, lantiq, mvebu
Runtime-tested on sunxi.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Zoltan Herpai [Sun, 18 Dec 2016 11:36:52 +0000 (12:36 +0100)]
Merge pull request #264 from wigyori/cc-dm9601
CC: brcm2708: Fix Kernel Panic: DM9601 Fast Ethernet Adapter
Marian Hello [Wed, 7 Dec 2016 16:06:47 +0000 (17:06 +0100)]
CC: brcm2708: Fix Kernel Panic: DM9601 Fast Ethernet Adapter
The dm9601 driver expects to receive a single encapsulated ethernet
frame from the device in one URB transfer, and it provides an URB
buffer of length 1,522 to receive it. This is not a round multiple
of USB transfer packets.
The device in question [1] provides a stream of such frames and it
does not conveniently slice them up as the dm9601 driver expects. We
can end up with 1,536 (0x600) bytes returned by the device in response
to the URB request. This may include several encapsulated ethernet
frames, and/or fragments thereof.
It seems to me that the kernel 'Oops' arises because the dwc_otg driver
does not notice that the destination buffer is too small to receive the
full 1,536 bytes. Comparing dwc_otg's update_urb_state_xfer_comp with
dwc2's dwc2_update_urb_state is suggestive.
More details: https://github.com/raspberrypi/linux/issues/1045
All Credits to: https://github.com/mw9
Signed-off-by: Marian Hello <marian.hello@gmail.com>
Reviewed-by: Zoltan HERPAI <wigyori@uid0.hu>
Zoltan Herpai [Wed, 30 Nov 2016 20:19:52 +0000 (21:19 +0100)]
Merge pull request #247 from gadkrumholz/chaos_calmer-e2100l
CC: ar71xx: Added missing support for Linksys E2100L
Gad Krumholz [Sun, 27 Nov 2016 06:52:53 +0000 (00:52 -0600)]
CC: ar71xx: Added missing support for Linksys E2100L
It's based on the WRT160NL according to https://wiki.openwrt.org/toh/linksys/e2100l
Based on research done here: https://forum.openwrt.org/viewtopic.php?id=24244 and here: https://forum.openwrt.org/viewtopic.php?pid=120791#p120791 this patch was conceived.
Signed-off-by: Gad Krumholz <gad.krumholz@gmail.com>
Zoltan Herpai [Tue, 8 Nov 2016 11:16:36 +0000 (12:16 +0100)]
Merge pull request #189 from NeoRaider/fix-leds
CC: ar71xx: fix syntax error in /etc/uci-defaults/01_leds
Matthias Schiffer [Sat, 5 Nov 2016 03:31:47 +0000 (04:31 +0100)]
CC: ar71xx: fix syntax error in /etc/uci-defaults/01_leds
Fixes
f98117a "CC: ar71xx: backport LED fix for TL-WR841N-v11".
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Zoltan Herpai [Fri, 28 Oct 2016 22:32:16 +0000 (00:32 +0200)]
Merge pull request #158 from Shalzz/chaos_calmer
CC: ar71xx: backport LED fix for TL-WR841N-v11
Shaleen Jain [Fri, 28 Oct 2016 05:30:16 +0000 (11:00 +0530)]
CC: ar71xx: backport LED fix for TL-WR841N-v11
Signed-off-by: Shaleen Jain <shaleen.jain95@gmail.com>
Zoltan Herpai [Fri, 28 Oct 2016 15:27:07 +0000 (17:27 +0200)]
Merge pull request #141 from mumuqz/chaos_calmer
CC: ar71xx: Add support to DomyWifi DW33D
Jing Lin [Thu, 20 Oct 2016 12:19:59 +0000 (20:19 +0800)]
CC: ar71xx: Add support to DomyWifi DW33D
Signed-off-by: Jing Lin <mumuqz@163.com>
projects / 15.05 / openwrt.git / log