- 28 Apr, 2023 1 commit
-
-
Committed by Hauke Mehrtens
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
-
- 17 Apr, 2023 1 commit
-
-
Committed by Eneas U de Queiroz
Apply two patches fixing low-severity vulnerabilities related to certificate policies validation:

  - Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464)
    Severity: Low
    A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.
    Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

  - Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)
    Severity: Low
    Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.
    Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory CVE-2023-466. It is not included here because the fix only changes the documentation, which is not built nor included in any OpenWrt package.

Due to the low-severity of these issues, there will not be an immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
-
- 15 Apr, 2023 1 commit
-
-
Committed by Daniel Golle
Import commit "ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size" which did not yet make it to stable upstream Linux trees.

Fixes: #12232
Fixes: #12339
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit aad34818)
-
- 14 Apr, 2023 1 commit
-
-
Committed by Matthias Schiffer
007d94546749 uclient: cancel state change timeout in uclient_disconnect()
644d3c7e13c6 ci: improve wolfSSL test coverage
dc54d2b544a1 tests: add certificate check against letsencrypt.org

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 4f1c2e8d)
-
- 10 Apr, 2023 2 commits
-
-
Committed by Daniel Golle
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-
Committed by Daniel Golle
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-
- 09 Apr, 2023 1 commit
-
-
Committed by Paul Spooren
Setting this option modifies the rootfs size of created images. When installing a large number of packages it may become necessary to increase the size to have enough storage.

This option is only useful for supported devices, i.e. with an attached SD Card or installed on a hard drive.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 7b7edd25)
-
- 30 Mar, 2023 3 commits
-
-
Committed by Felix Fietkau
On any currently supported hardware, the performance impact should not matter anymore.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 75e78bca)
-
Committed by Felix Fietkau
Fixes CVE-2022-47522

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit d54c91bd)
-
The USB port on the MR8300 randomly fails to feed bus-powered devices. This is caused by a misconfigured pinmux. The GPIO68 should be used to enable the USB power (active low), but it's inside the NAND pinmux.

This GPIO pin was found in the original firmware at a startup script in both MR8300 and EA8300. Therefore apply the fix for both boards.

Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
Reviewed-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit ed64c332)
Signed-off-by: Steffen Scheib <steffen@scheib.me>
-
- 29 Mar, 2023 2 commits
-
-
Committed by Hauke Mehrtens
Compile-tested: armvirt/64, lantiq/xrx200
Run-tested: armvirt/64, lantiq/xrx200

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
-
Committed by Mathias Kresin
Due to SCHED_FIFO being a broken scheduler model, all users of sched_setscheduler() are converted to sched_set_fifo_low() upstream and sched_setscheduler() is no longer exported.

The callback handling of the tasklet API was redesigned and the macros using the old syntax renamed to _OLD.

Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit 31f3f797)
[Add DECLARE_TASKLET handling for kernel 5.4.235 too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
-
- 28 Mar, 2023 3 commits
-
-
Committed by Mathias Kresin
The callback handling of the tasklet API was redesigned and the macros using the old syntax renamed to _OLD.

The stuck queue is now passed to ndo_tx_timeout callback but not used so far.

Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit 804c5414)
[Add DECLARE_TASKLET handling for kernel 5.4.235 too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
-
Committed by John Audia
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sched?h=v5.4.235&id=7a6fb69bbcb21e9ce13bdf18c008c268874f0480

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit fbfec328)
-
Committed by Hauke Mehrtens
Compile-tested: armvirt/64, lantiq/xrx200
Run-tested: armvirt/64

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
-
- 27 Mar, 2023 2 commits
-
-
Committed by Rafał Miłecki
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit cb266184)
-
Committed by Rafał Miłecki
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit ffaabee9)
-
- 04 Mar, 2023 2 commits
-
-
Committed by Christian Lamparter
This patch is a revert of the upstream patch to Debian's ca-certificate commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")

The reason is, that this change broke builds with the popular Ubuntu 20.04 LTS (focal) releases which are shipping with an older version of the python3-cryptography package that is not compatible.

|Traceback (most recent call last):
| File "certdata2pem.py", line 125, in <module>
| cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1

...or if the python3-cryptography was missing altogether:

|Traceback (most recent call last):
| File "/certdata2pem.py", line 31, in <module>
| from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'

More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway. Right now it seems to be just a warning but I could imagine that eventually certs are simply omitted if found to be expired at build time which would break reproducibility."

Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 25bc66eb)
-
Committed by Christian Lamparter
Update the ca-certificates and ca-bundle package from version 20210119 to version 20211016.

Debian change-log entry [1]:
|[...]
|[ Julien Cristau ]
|* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
| bundle to version 2.50
| The following certificate authorities were added (+):
| + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
| + "GlobalSign Root R46"
| + "GlobalSign Root E46"
| + "GLOBALTRUST 2020"
| + "ANF Secure Server Root CA"
| + "Certum EC-384 CA"
| + "Certum Trusted Root CA"
| The following certificate authorities were removed (-):
| - "QuoVadis Root CA"
| - "Sonera Class 2 Root CA"
| - "GeoTrust Primary Certification Authority - G2"
| - "VeriSign Universal Root Certification Authority"
| - "Chambers of Commerce Root - 2008"
| - "Global Chambersign Root - 2008"
| - "Trustis FPS Root CA"
| - "Staat der Nederlanden Root CA - G3"
| * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
|[...]

[1] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20211016_changelog>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 7c99085b)
-
- 01 Mar, 2023 1 commit
-
-
Committed by Rafał Miłecki
This driver is backported from the v6.0 which deals with "linux,default-trigger" in leds core. For kernel 5.4 we need leds-bcm63138 to read trigger on its own.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
-
- 19 Feb, 2023 2 commits
-
-
Committed by Hauke Mehrtens
This updates mac80211 to version 5.10.168-1. This includes multiple bugfixes. Some of these bugfixes are fixing security relevant bugs.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
-
Committed by Hauke Mehrtens
Compile-tested: x86/64
Run-tested: x86/64

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
-
- 18 Feb, 2023 2 commits
-
-
Committed by John Audia
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

*) Fixed X.400 address type confusion in X.509 GeneralName.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. (CVE-2023-0286)

This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change.
[Hugo Landau]

*) Fixed Use-after-free following BIO_new_NDEF.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. (CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]

*) Fixed Double free after calling PEM_read_bio_ex.

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. (CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]

*) Fixed Timing Oracle in RSA Decryption.

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE. (CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 4ae86b33)

The original commit removed the upstreamed patch 010-padlock.patch, but it's not on OpenWrt 21.02, so it doesn't have to be removed.

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
-
Committed by Josef Schlehofer
fixes the problem that the banana pi m2 berry cannot connect to wifi and cannot be used as an access point

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit ff2bb167)
Signed-off-by: LizenzFass78851 <82592556+LizenzFass78851@users.noreply.github.com>
-
- 08 Feb, 2023 1 commit
-
-
Committed by Martin Kennedy
As of upstream Linux commit 0fe1e96fef0a ("powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and alias"), the PCIe domain address is no longer numbered by the lowest 16 bits of the PCI register address after a fallthrough. Instead of the fallthrough, the enumeration process accepts the alias ID (as determined by `of_alias_scan()`). This causes e.g.:

9000:00:00.0 PCI bridge: Freescale Semiconductor Inc P1020E (rev 11)
9000:01:00.0 Network controller: Qualcomm Atheros AR958x 802.11abgn ...

to become

0000:00:00.0 PCI bridge: Freescale Semiconductor Inc P1020E (rev 11)
0000:01:00.0 Network controller: Qualcomm Atheros AR958x 802.11abgn ...

... which then causes the sysfs path of the netdev to change, invalidating the `wifi_device.path`s enumerated in `/etc/config/wireless`.

One other solution might be to migrate the uci configuration, as was done for mvebu in commit 0bd5aa89 ("mvebu: Migrate uci config to new PCIe path"). However, there are concerns that the sysfs path will change once again once some upstream patches[^2][^3] are merged and backported (and `CONFIG_PPC_PCI_BUS_NUM_DOMAIN_DEPENDENT` is enabled).

Instead, remove the aliases and allow the fallthrough to continue for now. We will provide a migration in a later release.

This was first reported as a Github issue[^1].

[^1]: https://github.com/openwrt/openwrt/issues/10530
[^2]: https://lore.kernel.org/linuxppc-dev/20220706104308.5390-1-pali@kernel.org/t/#u
[^3]: https://lore.kernel.org/linuxppc-dev/20220706101043.4867-1-pali@kernel.org/

Fixes: #10530
Tested-by: Martin Kennedy <hurricos@gmail.com>
[Tested on the Aerohive HiveAP 330 and Extreme Networks WS-AP3825i]
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
(cherry picked from commit 7f4b4c29)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
-
- 29 Jan, 2023 2 commits
-
-
Committed by Hauke Mehrtens
Compile-tested: x86/64
Run-tested: x86/64

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
-
Committed by Hauke Mehrtens
This was done by running these commands:

./scripts/kconfig.pl '+' target/linux/generic/config-5.4 /dev/null > target/linux/generic/config-5.4-new
mv target/linux/generic/config-5.4-new target/linux/generic/config-5.4

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
-
- 25 Jan, 2023 1 commit
-
-
Committed by Rafał Miłecki
OpenWrt provides kmod-asn1-decoder for CONFIG_ASN1 but selecting it doesn't really work as expected. Kernel symbol is hidden and can be actually selected only as a dependency. That works well for in-kernel stuff but fails for external modules requiring ASN1 like ksmbd.

Modify kernel Kconfig to make CONFIG_ASN1 always selectable. It's required to satisfy ksmbd dependencies cleanly (without hack like selecting unrelated modules).

Link: http://lists.openwrt.org/pipermail/openwrt-devel/2023-January/040298.html
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
-
- 12 Jan, 2023 1 commit
-
-
Committed by Christian Marangi
Align dl_github_archive.py to 8252511d change. On supported systems the sigid bit is applied to files and tar archive that on tar creation. This causes unreproducible tar for these systems and these bits should be dropped to produce reproducible tar.

Add the missing option following the command options used in other scripts.

Fixes: 75ab064d ("build: download code from github using archive API")
Suggested-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 5f1758ef)
-
- 07 Jan, 2023 9 commits
-
-
Committed by Josef Schlehofer
This patch was taken from the OpenWrt-devel mailing list:
https://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg59794.html

It is included already in OpenWrt master branch and OpenWrt 22.03 release as it was included in opkg-lede repository:
https://git.openwrt.org/?p=project/opkg-lede.git;a=commit;h=9c44557a776da993c2ab80cfac4dbd8d59807d01

However, it is not included in OpenWrt 21.02, where the same issue is happening.

Fixes: CI for https://github.com/openwrt/packages/pull/20074
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
-
Committed by Daniel Golle
Add driver for NVM Express block devices, i.e. PCIe connected SSDs.

Targets which allow booting from NVMe (x86, maybe some mvebu boards come to mind) should have it built-in, so rootfs can be mounted from there. For targets without NVMe support in bootloader or BIOS/firmware it's sufficient to provide the kernel module package.

On targets having the NVMe driver built-in the resulting kmod package is an empty dummy. In any case, depending on or installing kmod-nvme results in driver support being available (either because it was already built-in or because the relevant kernel modules are added and loaded).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit dbe53352)
-
Committed by Rui Salvaterra
These have long been obsolete. For reference, here's the Linux version where each symbol has been dropped:

CONFIG_IP6_NF_QUEUE - 3.5
CONFIG_IP6_NF_TARGET_LOG - 3.4
CONFIG_IP_NF_MATCH_DSCP - 2.6.19
CONFIG_NF_CONNTRACK_IPV4 - 4.19
CONFIG_NF_CONNTRACK_IPV6 - 4.19
CONFIG_NF_CONNTRACK_RTCACHE - out-of-tree, superseded by flow offloading

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
(cherry picked from commit d7956c57)
-
Committed by Hauke Mehrtens
The isdn4linux drivers and subsystem were removed in kernel 5.3, remove the kernel package also from OpenWrt.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit db55dea5)
-
Committed by Hauke Mehrtens
The ulog iptables target was removed with kernel 3.17, remove the kernel and also the iptables package in OpenWrt too.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2a0284fb)
-
Committed by Hauke Mehrtens
The w1_ds2760.ko driver was merged into the ds2760_battery.ko driver. The driver was removed and this package was never built any more. This happened with kernel 4.19. Remove this unused package.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5808973d)
-
Committed by Hauke Mehrtens
The rtc-pt7c4338.ko was never upstream under this name, the driver was removed from OpenWrt some years ago, remove the kmod-rtc-pt7c4338 package too.

Fixes: 74d00a8c ("kernel: split patches folder up into backport, pending and hack folders")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5ccf4dcf)
-
Committed by Josef Schlehofer
This builds and enables kernel optimized modules for mpc85xx target:
- CONFIG_CRYPTO_MD5_PPC [1]
- CONFIG_CRYPTO_SHA1_PPC_SPE [2]
- CONFIG_CRYPTO_SHA256_PPC_SPE [3]

Where it was possible, then use Signal Processing Engine, because CONFIG_SPE is already enabled in mpc85xx config.

[1] https://cateee.net/lkddb/web-lkddb/CRYPTO_MD5_PPC.html
[2] https://cateee.net/lkddb/web-lkddb/CRYPTO_SHA1_PPC.html
[3] https://cateee.net/lkddb/web-lkddb/CRYPTO_SHA256_PPC_SPE.html

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 3a702f87)
-
Committed by Josef Schlehofer
Fixes: e889489b ("kernel: build arm/neon-optimized sha1/512 modules")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit f8f9d690)
-
- 05 Jan, 2023 1 commit
-
-
Committed by Christian Marangi
When a new tag for a release is created, the just checked out repo from github actions will already have such tag locally created. This will result in git fetch --tags failing with error rejecting the remote tag with (would clobber existing tag).

Add -f option to overwrite any local tags and always fetch them from remote.

Fixes: e24a1e6f ("CI: build: add support for external toolchains from stable branch")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit f655923b)
-
- 03 Jan, 2023 1 commit
-
-
Committed by Rafał Miłecki
It isn't used at the moment but let's fix it anyway.

This fixes:
CC drivers/net/dsa/ocelot/felix.o
drivers/net/dsa/ocelot/felix.c:646:22: error: initialization of 'enum dsa_tag_protocol (*)(struct dsa_switch *, int, enum dsa_tag_protocol)' from incompatible pointer type 'enum dsa_tag_protocol (*)(struct dsa_switch *, int)' [-Werror=incompatible-pointer-types]
.get_tag_protocol = felix_get_tag_protocol,
^~~~~~~~~~~~~~~~~~~~~~

for users enabling CONFIG_NET_DSA_MSCC_FELIX.

Fixes: 1f5024aa ("kernel: backport b53/bcm_sf2 changes from v5.6")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
-