Commit Graph

38202 Commits

Author SHA1 Message Date
Mathias Kresin
94aa2b8af0 ar71xx: add rssileds to WA850RE v1 image
A default rssileds config exists for the TP-Link WA850RE v1 but the
rssiled package is not included by default.

The compressed 17.01.3 image size increases by 3302 bytes which should
be tolerable even for a 4MB flash board.

Fixes: FS#1043

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-07 17:05:57 +02:00
Ryan Mounce
f67c22e0c2 toolchain/gdb: update to version 8.0.1
Fixes CVE-2017-9778.

Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
[reference fixed CVE]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-05 21:38:54 +02:00
Felix Fietkau
067221360e cmake: fix build error with Xcode 9 on macOS 12
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-05 21:16:25 +02:00
Felix Fietkau
a999f91ca3 gcc: fix build error with macOS + Xcode 9
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-05 21:16:25 +02:00
Felix Fietkau
2ce9c84a92 build: add a darwin sitefile to deal with macOS 10.12 + Xcode 9 build errors
Certain functions are available in system headers, but only work on
macOS 10.13

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-05 21:16:25 +02:00
Thibaut VARENE
f9a849ca84 ramips: mt7620: do not pad sysupgrade Archer images
The current makefile unnecessarily pads sysupgrade image for Archer devices.

This has three implications:
1. higher risk of OOM when uploading the binary image to the device
2. much slower upgrade due to time wasted erasing and writing padding
3. grows image beyond available flash size if metadata are appended

This is already fixed in master, albeit in a completely different way (the
whole target have been reworked)

Fixes: FS#1025, FS#1039

Signed-off-by: Thibaut VARENE <hacks@slashdirt.org>
2017-10-04 22:22:56 +02:00
Stijn Tintel
ee32de4426 LEDE v17.01.3: revert to branch defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-03 15:10:55 +03:00
Stijn Tintel
df54a8f583 LEDE v17.01.3: adjust config defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-03 15:10:53 +03:00
Adrian Panella
d0bf257c46 uhttp: update to latest version
3fd58e9 2017-08-19 uhttpd: add manifest support
88c0b4b 2017-07-09 file: fix basic auth regression
99957f6 2017-07-02 file: remove unused "auth" member from struct
path_info
c0a569d 2017-07-02 proc: expose HTTP_AUTH_USER and HTTP_AUTH_PASS
ad93be7 2017-07-02 auth: store parsed username and password
fa51d7f 2017-07-02 proc: do not declare empty process variables
a8bf9c0 2017-01-26 uhttpd: Add TCP_FASTOPEN support
e6cfc91 2016-10-25 lua: ensure that PATH_INFO starts with a slash

Signed-off-by: Adrian Panella <ianchi74@outlook.com>
2017-10-03 13:03:27 +02:00
Karl Palsson
783465d783 odhcpd: don't enable server mode on non-static lan port
Instead of blindly enabling the odhcpd v6 server and RA server on the
lan port, only do that if the lan port protocol is "static"

This prevents the unhelpful case of a device being a dhcpv4 client and
v6 server on the same ethernet port.

Signed-off-by: Karl Palsson <karlp@etactica.com>
[PKG_SOURCE_DATE increase; odhcpd.defaults script cleanup]
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-02 18:51:17 +02:00
Hans Dedecker
c92c1894a5 odhcpd: backport fixes from master branch (FS#402, FS#524)
336212c config: fix dhcpv4 server being started
336212c dhcpv6: assign all viable DHCPv6 addresses by default (FS#402, FS#524)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-02 18:46:24 +02:00
Kevin Darbyshire-Bryant
4b4a4af814 dnsmasq: bump to v2.78
Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495, 2017-CVE-14496

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-10-02 18:36:21 +02:00
Hauke Mehrtens
b8357e87d7 base-files: create /etc/config/ directory
The /bin/config_generate script and some other scripts are assuming the
/etc/config directory exists in the image. This is true in case for
example the package firewall, dropbear or dnsmasq are included, which
are adding the files under /etc/config/. Without any of these package
the system will not boot up fully because the /etc/config/ directory is
missing and some init scripts just fail.

Make sure all images with the base-files contain a /etc/config/
directory.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: John Crispin <john@phrozen.org>
2017-10-01 10:52:14 +02:00
Matthias Schiffer
3350137bd3 sunxi: clean up modules definitions
Module definitions for kmod-wdt-sunxi and kmod-eeprom-sunxi are removed
(wdt-sunxi was builtin anyways; nvmem-sunxi, which is the new name of
eeprom-sunxi is changed to builtin). As kmod-eeprom-sunxi was specified
in DEFAULT_PACKAGES, but not available on kernel 4.4, it was breaking the
image builder.

Support for kmod-sunxi-ir is added for kernel 4.4 (it is unclear why it
was disable before, it builds fine with with kernel 4.4).

Condtionals only relevant for pre-4.4 kernels are removed from modules.mk,
as sunxi does't support older kernels anymore.

Fixes FS#755.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-10-01 10:04:12 +02:00
Mathias Kresin
a881323cb2 ltq-vdsl-mei: revert disable optimized firmware download
This reverts commit b428f45c06.

If the optimized firmware download is disabled, the xdsl subsystem
hangs in the "idle request" state after physically disconnecting and
reconnecting the xdsl modem from the line.

It might fix the failing line init on boot as well.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-09-30 20:37:33 +02:00
Hauke Mehrtens
f483a35f08 curl: fix security problems
This fixes the following security problems:
 * CVE-2017-1000100 TFTP sends more than buffer size
 * CVE-2017-1000101 URL globbing out of bounds read

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-09-30 15:27:29 +02:00
Kevin Darbyshire-Bryant
e232c6754d mbedtls: update to 2.6.0 CVE-2017-14032
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
2017-09-30 15:24:52 +02:00
Florian Fainelli
37e1bd27d0 generic: drop 704-phy-no-genphy-soft-reset.patch
4.4.80+ contains 71a165f6397df07a06ce643de5c2dbae29bd3cfb, 4.9.41+ contains
6c78197e4a69c19e61dfe904fdc661b2aee8ec20 which are all backports of upstream
commit 0878fff1f42c18e448ab5b8b4f6a3eb32365b5b6 ("net: phy: Do not perform
software reset for Generic PHY").

Our local patch is no longer needed, all this patch was doing was utilizing
gen10g_soft_reset which does nothing either, so just keep the code unchanged.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-09-30 13:58:03 +02:00
Hauke Mehrtens
720b0e2e2d kernel: update 4.4 to 4.4.89
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-09-30 13:58:00 +02:00
Mathias Kresin
b428f45c06 ltq-vdsl-mei: disable optimized firmware download
With ltq-vdsl-mei 1.5.17.6 an optimized firmware download was added and
enabled by default. As soon as the optimized firmware download is
enabled, a watchdog based reboot is trigger between 24h to 48h of
uptime if the board isn't connected to a xdsl line.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-09-28 07:22:58 +02:00
Martin Schiller
39e5cd9556 ltq-vdsl: fix PM thread suspend and resume handling
This is a backport form drv_dsl_cpe_api-4.18.10 and fixes some PM
thread handling issues which lead to high system load and watchdog
trigger within 1h of uptime for boards not connected to a xdsl line.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2017-09-28 07:22:58 +02:00
Sven Roederer
86f0e8b091 openvpn: add "extra-certs" option
This option is used to specify a file containing PEM certs, to complete the
local certificate chain. Which is quite usefull for "split-CA" setups.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-09-25 09:32:00 +02:00
Daniel Gonzalez Cabanelas
af802bc687 lantiq: fix missing otg_cap on danube platform
USB doesn't work in some danube boards because otg_cap
is missing since previous changes made on the USB-dwc2
lantiq driver. Fix it.

Tested on the ARV7518PW router.

Signed-off-by: Daniel Gonzalez Cabanelas <dgcbueu@gmail.com>
2017-09-20 21:45:39 +02:00
Stijn Tintel
12a0da6315 tcpdump: noop commit to refer CVEs fixed in 4.9.2
When bumping tcpdump from 4.9.1 to 4.9.2, I did not include the fixed
CVEs in the commit message. As the list of fixed CVEs is quite long,
we should probably mention them in the changelogs of the releases to
come. This commit will make sure this happens.

The following CVEs were fixed in 21014d9708:

CVE-2017-11541
CVE-2017-11541
CVE-2017-11542
CVE-2017-11542
CVE-2017-11543
CVE-2017-11543
CVE-2017-12893
CVE-2017-12894
CVE-2017-12895
CVE-2017-12896
CVE-2017-12897
CVE-2017-12898
CVE-2017-12899
CVE-2017-12900
CVE-2017-12901
CVE-2017-12902
CVE-2017-12985
CVE-2017-12986
CVE-2017-12987
CVE-2017-12988
CVE-2017-12989
CVE-2017-12990
CVE-2017-12991
CVE-2017-12992
CVE-2017-12993
CVE-2017-12994
CVE-2017-12995
CVE-2017-12996
CVE-2017-12997
CVE-2017-12998
CVE-2017-12999
CVE-2017-13000
CVE-2017-13001
CVE-2017-13002
CVE-2017-13003
CVE-2017-13004
CVE-2017-13005
CVE-2017-13006
CVE-2017-13007
CVE-2017-13008
CVE-2017-13009
CVE-2017-13010
CVE-2017-13011
CVE-2017-13012
CVE-2017-13013
CVE-2017-13014
CVE-2017-13015
CVE-2017-13016
CVE-2017-13017
CVE-2017-13018
CVE-2017-13019
CVE-2017-13020
CVE-2017-13021
CVE-2017-13022
CVE-2017-13023
CVE-2017-13024
CVE-2017-13025
CVE-2017-13026
CVE-2017-13027
CVE-2017-13028
CVE-2017-13029
CVE-2017-13030
CVE-2017-13031
CVE-2017-13032
CVE-2017-13033
CVE-2017-13034
CVE-2017-13035
CVE-2017-13036
CVE-2017-13037
CVE-2017-13038
CVE-2017-13039
CVE-2017-13040
CVE-2017-13041
CVE-2017-13042
CVE-2017-13043
CVE-2017-13044
CVE-2017-13045
CVE-2017-13046
CVE-2017-13047
CVE-2017-13048
CVE-2017-13049
CVE-2017-13050
CVE-2017-13051
CVE-2017-13052
CVE-2017-13053
CVE-2017-13054
CVE-2017-13055
CVE-2017-13687
CVE-2017-13688
CVE-2017-13689
CVE-2017-13690
CVE-2017-13725

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 2375e279a7)
2017-09-18 16:50:07 +03:00
Stijn Tintel
f66c6e1d8a tcpdump: bump to 4.9.2
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 21014d9708)
2017-09-18 16:50:07 +03:00
Daniel Engberg
a131f7cb69 utils/tcpdump: Rework URLs
Add actual mirror and use main site as last resport
Source: http://www.tcpdump.org/mirrors.html

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit fd95397ee3)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

Conflicts:
	package/network/utils/tcpdump/Makefile
2017-09-18 16:50:07 +03:00
Hans Dedecker
7f1359c14e base-files: fix wan6 interface config generation for pppoe
Setting ipv6 to auto in case of a pppoe interface will trigger the
creation of a dynamic wan_6 interface meaning two IPv6 interfaces
(wan6 and wan_6) will be active on top of the pppoe interface.
This leads to unpredictable behavior in the network; therefore set
ipv6 to 1 which will prevent the dynamic creation of the wan_6
interface.
Further alias the wan6 interface on top of the wan interface for pppoe
as the wan6 interface can only be started when the link local address is
ready. In case of pppoe the link local address is negotiated during the
Internet Protocol Control Protocol when the PPP link is setup meaning
all the IP address info is only available when the wan interface is up.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-09-18 13:22:58 +02:00
Baptiste Jonglez
97ebdf93a3 ipq806x: Archer C2600: fix switch ports numbering
The order of LAN ports shown in Luci is reversed compared to what is
written on the case of the device.  Fix the order so that they match.

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-09-14 20:47:54 +02:00
Lorenzo Santina
d33f7905df treewide: fix shellscript syntax errors/typos
Fix multiple syntax errors in shelscripts (of packages only)
These errors were causing many conditions to not working properly

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[increase PKG_RELEASE, drop command substitution from directip.sh]
Signed-off-by: Mathias Kresin <dev@kresin.em>
2017-09-13 08:07:39 +02:00
David Yang
4f162ac3ce ramips: fix hg255d LED status support
Use the green power LED for boot status indication.

Source: https://my.oschina.net/osbin/blog/278782 Para 3

Signed-off-by: David Yang <mmyangfl@gmail.com>
2017-09-13 08:07:39 +02:00
Matthias Schiffer
415175246e
ar71xx: fix MAC addresses on TP-Link TL-WR1043ND v4
The addresses were read from the 'config' partition, which would not always
contain the addresses at the same offsets, depending on the stock firmware
version used before flashing LEDE. Change this to get the addresses from
the 'product-info' partition, which is read-only.

Reported-and-tested-by: Andreas Ziegler <ml@andreas-ziegler.de>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-09-11 19:48:28 +02:00
Lorenzo Santina
082e6215b7 hostapd: fix iapp_interface option
ifname variable were not assigned due to syntax error
causing the hostapd config file to have an empty iapp_interface= option

Signed-off-by: Lorenzo Santina <lorenzo.santina.dev@gmail.com>
2017-09-10 08:31:05 +02:00
Kevin Darbyshire-Bryant
ab305e147e kernel: update 4.4 to 4.4.87
Fixes CVE-2017-11600

No patch refresh required

Compile & run tested: ar71xx - Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-09-08 21:53:16 +02:00
Kevin Darbyshire-Bryant
1d15a03050 dnsmasq: backport arcount edns0 fix
Don't return arcount=1 if EDNS0 RR won't fit in the packet.

Omitting the EDNS0 RR but setting arcount gives a malformed packet.
Also, don't accept UDP packet size less than 512 in received EDNS0.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-09-08 10:09:48 +02:00
Kevin Darbyshire-Bryant
a7506c0e2b dnsmasq: backport official fix for CVE-2017-13704
Remove LEDE partial fix for CVE-2017-13704.

Backport official fix from upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
2017-09-07 08:11:49 +02:00
Matthias Schiffer
bb6a8b2cbf
uclient: update to 2017-09-06
24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses
83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-09-06 15:48:05 +02:00
Kevin Darbyshire-Bryant
ca53effdd6 kernel: update 4.4 to 4.4.86
Refresh patches

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-09-04 14:41:56 +02:00
Rafał Miłecki
1100bbf833 brcm47xx: refresh Linux 4.4 config
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-09-04 08:07:42 +02:00
Stijn Tintel
f62a31d0e9 f2fs-tools: fix mkfs.f2fs on big-endian systems
Fixes: FS#749

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit cdb494fdc2)
2017-09-03 10:14:09 +03:00
Stijn Tintel
c3bddb49ff f2fs-tools: drop musl compat patch
It is no longer needed since version 1.4.1.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 252c8ddf14)
2017-09-03 10:14:09 +03:00
Stijn Tintel
707a4b459d f2fs-tools: drop patch in favour of CONFIGURE_VARS
Override the failing check in configure with CONFIGURE_VARS instead of
carrying a patch that's unlikely to be accepted by upstream.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: John Crispin <john@phrozen.org>
(cherry picked from commit d87f27af54)
2017-09-03 10:14:09 +03:00
Daniel Engberg
bd29aa1ba1 f2fs-tools: Switch to gz tarball
At some point kernel.org decided to drop xz generated tarballs, switch to gz which they still provide.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-09-03 10:14:09 +03:00
Kevin Darbyshire-Bryant
a006b48c04 dnsmasq: forward.c: fix CVE-2017-13704
Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
is called with header & limit pointing at the same address and thus
tries to clear memory from before the buffer begins.

answer_request() is called with an invalid edns packet size provided by
the client.  Ensure the udp_size provided by the client is bounded by
512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
MUST be treated as equal to 512"

The client that exposed the problem provided a payload udp size of 0.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-30 21:12:49 +02:00
Rafał Miłecki
dc8392f6a1 kernel: backport usbport LED trigger driver support for DT
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-08-21 16:46:18 +02:00
Rafał Miłecki
86722ab0bb kernel: fix of_node handling in LEDs core code
This backports fixes for setting of_node and making it possible to read
extra info from DT. This was partially fixed by:
[PATCH] leds: leds-gpio: Set of_node for created LED devices
but it didn't work during initialization.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-08-21 16:45:30 +02:00
Kevin Darbyshire-Bryant
4a1b87aba4 kernel: update 4.4 to 4.4.83
Refresh patches.
Minor update 704-phy-no-genphy-soft-reset.patch which was partially
accepted upstream.
Compile-tested on ar71xx.
Runtime-tested on ar71xx.

Fixes the following vulnerabilities:
- CVE-2017-7533 (4.4.80)
- CVE-2017-1000111 (4.4.82)
- CVE-2017-1000112 (4.4.82)

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-08-17 19:47:27 +02:00
Rafał Miłecki
cae20f64b5 bcm53xx: backport DTS commits that setup USB LEDs
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-08-17 10:33:37 +02:00
Daniel Engberg
ae3c55666d tcpdump: Update to 4.9.1
Fixes:
 * CVE-2017-11108: Fix bounds checking for STP.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-08-15 18:31:10 +02:00
Baptiste Jonglez
3e35eb13ad mbedtls: Re-allow SHA1-signed certificates
Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.

Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.

Fixes: FS#942

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-08-11 20:45:28 +02:00
Mathias Kresin
ff414fb575 ramips: fix WHR-1166D WAN port
By adding the ICPlus IP1001 phy driver an already set RGMII delay mode
is reset during driver load.

Set the rgmii rx delay to fix corrupt/no packages in case the WAN port
negotiates to 1000MBit.

Fixes: FS#670

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-08-11 18:13:38 +02:00