Commit Graph

54804 Commits

Author SHA1 Message Date
Hauke Mehrtens
4e1d1b7df0 OpenWrt v22.03.7: revert to branch defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-23 00:56:41 +02:00
Hauke Mehrtens
b5dc35c8bb OpenWrt v22.03.7: adjust config defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-23 00:56:37 +02:00
Hauke Mehrtens
591b7e93d3 wolfssl: Update to version 5.7.2
This fixes multiple security problems:
 * [Medium] CVE-2024-1544
   Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls.

 * [Medium] CVE-2024-5288
   A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations.

 * [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS.

 * [Low] CVE-2024-5991
   In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked.

 * [Medium] CVE-2024-5814
   A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection.

 * [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received.

 * [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt.

Unset DISABLE_NLS to prevent setting the unsupported configuration
option --disable-nls which breaks the build now.

Link: https://github.com/openwrt/openwrt/pull/15948
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 3a0232ffd3)
2024-07-16 00:25:54 +02:00
Hauke Mehrtens
d5ba3ca35c ksmbd: Update to version 3.5.0
Changelogs:
https://github.com/cifsd-team/ksmbd/releases/tag/3.4.9
https://github.com/cifsd-team/ksmbd/releases/tag/3.5.0

This fixes some security problems.

Link: https://github.com/openwrt/openwrt/pull/15871
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-15 01:24:06 +02:00
Andrew Sim
466198c9eb ksmbd: update to latest 3.4.8 release
Changelog: https://github.com/cifsd-team/ksmbd/releases/tag/3.4.8

Signed-off-by: Andrew Sim <andrewsimz@gmail.com>
(cherry picked from commit a247f49794)
Link: https://github.com/openwrt/openwrt/pull/15871
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-15 01:24:06 +02:00
Hauke Mehrtens
456fd63e8f wireless-regdb: Update to version 2024.07.04
Changes:
  2a768c4 wireless-regdb: Update regulatory rules for Mongolia (MN) on 6GHz
  04875d9 wireless-regdb: Update regulatory rules for Saudi Arabia (SA) on 6GHz
  b7bced8 wireless-regdb: Update regulatory rules for South Africa (ZA) on 6GHz
  7bc8615 wireless-regdb: Update regulatory info for Thailand (TH) on 6GHz
  f901fa9 wireless-regdb: Update regulatory info for Malaysia (MY) for 2022
  d72d288 wireless-regdb: Update regulatory info for Morocco (MA) on 6GHz
  414face wireless-regdb: Update regulatory info for Chile (CL) on 6GHz
  1156a08 wireless-regdb: Update regulatory info for Mexico (MX) on 6GHz
  cc6cf7c wireless-regdb: Update regulatory info for Iceland (IS) on 6GHz
  ce03cc0 wireless-regdb: Update regulatory info for Mauritius(MU) on 6GHz
  7e37778 wireless-regdb: Update regulatory info for Argentina (AR) on 6GHz
  56f3a43 wireless-regdb: Update regulatory info for United Arab Emirates (AE) on 6GHz
  3cb8b91 wireless-regdb: Update regulatory info for Colombia (CO) on 6GHz
  3682ce5 wireless-regdb: Update regulatory info for Costa Rica (CR) for 2021
  dd4ffe7 wireless-regdb: Update regulatory info for Dominican Republic (DO) on 6GHz
  f8ef7da wireless-regdb: Update regulatory info for Liechtenstein (LI) on 6GHz
  a9ecabe wireless-regdb: Update regulatory info for Jordan (JO) for 2022
  5a9fdad wireless-regdb: Update regulatory info for Kenya (KE) for 2022
  19326c3 wireless-regdb: Update regulatory info for Macao (MO) for 2024
  4838054 wireless-regdb: update regulatory database based on preceding changes

Link: https://github.com/openwrt/openwrt/pull/15921
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 0a24fd9155)
2024-07-11 00:24:39 +02:00
Hauke Mehrtens
94a605dbe6 mac80211: Update to version 5.15.162-1
This updates mac80211 to version 5.15.162-1. This includes multiple
bugfixes. Some of these bugfixes are fixing security relevant bugs.

Link: https://github.com/openwrt/openwrt/pull/15900
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-10 22:41:31 +02:00
Chad Monroe
47c917313d ucode: add libjson-c/host dependency
ensure host libjson-c is built prior to ucode

Signed-off-by: Chad Monroe <chad@monroe.io>
(cherry picked from commit 5a3f6c50ef)
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Jesus Fernandez Manzano
7e31d2ad40 hostapd: fix 11r defaults when using WPA
802.11r can not be used when selecting WPA. It needs at least WPA2.

This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.

Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
(cherry picked from commit cdc4c55175)
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Jesus Fernandez Manzano
6681c0285d hostapd: fix 11r defaults when using SAE
When using WPA3-SAE or WPA2/WPA3 Personal Mixed, we can not use
ft_psk_generate_local because it will break FT for SAE. Instead
use the r0kh and r1kh configuration approach.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
(cherry picked from commit e2f6bfb833)
Fixes: https://github.com/openwrt/luci/issues/6930
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Konstantin Demin
38cea0bea1 dropbear: cherry-pick upstream patches
critical fixes:
- libtommath: possible integer overflow (CVE-2023-36328)
- implement Strict KEX mode (CVE-2023-48795)

various fixes:
- fix DROPBEAR_DSS and DROPBEAR_RSA config options
- y2038 issues
- remove SO_LINGER socket option
- make banner reading failure non-fatal
- fix "noremotetcp" behavior
- don't try to shutdown a pty
- fix test for multiuser kernels

adds new features:
- option to bind to interface
- allow inetd with non-syslog
- ignore unsupported command line options with dropbearkey

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
(cherry picked from commit b5cde26048)
[Only add the patches fixing security problems]
Tested-by: Stijn Segers <foss@volatilesystems.org>
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Christian Lamparter
bd91384589 firmware: intel-microcode: update to 20240531
Debian changelog:

intel-microcode (3.20240531.1) unstable; urgency=medium

  * New upstream microcode datafile 20240531
    * Fix unspecified functional issues on Pentium Silver N/J5xxx,
      Celeron N/J4xxx
    * Updated Microcodes:
      sig 0x000706a1, pf_mask 0x01, 2024-04-19, rev 0x0042, size 76800
  * source: update symlinks to reflect id of the latest release, 20240531

 -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 01 Jun 2024 11:49:47 -0300

intel-microcode (3.20240514.1) unstable; urgency=medium

  * New upstream microcode datafile 20240514
    * Mitigations for INTEL-SA-01051 (CVE-2023-45733)
      Hardware logic contains race conditions in some Intel Processors may
      allow an authenticated user to potentially enable partial information
      disclosure via local access.
    * Mitigations for INTEL-SA-01052 (CVE-2023-46103)
      Sequence of processor instructions leads to unexpected behavior in
      Intel Core Ultra Processors may allow an authenticated user to
      potentially enable denial of service via local access.
    * Mitigations for INTEL-SA-01036 (CVE-2023-45745,  CVE-2023-47855)
      Improper input validation in some Intel TDX module software before
      version 1.5.05.46.698 may allow a privileged user to potentially enable
      escalation of privilege via local access.
    * Fix for unspecified functional issues on 4th gen and 5th gen Xeon
      Scalable, 12th, 13th and 14th gen Intel Core processors, as well as for
      Core i3 N-series processors.
    * Updated microcodes:
      sig 0x000806f8, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0, size 581632
      sig 0x000806f7, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
      sig 0x000806f6, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
      sig 0x000806f5, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
      sig 0x000806f4, pf_mask 0x87, 2024-02-05, rev 0x2b0005c0
      sig 0x000806f8, pf_mask 0x10, 2024-02-05, rev 0x2c000390, size 614400
      sig 0x000806f6, pf_mask 0x10, 2024-02-05, rev 0x2c000390
      sig 0x000806f5, pf_mask 0x10, 2024-02-05, rev 0x2c000390
      sig 0x000806f4, pf_mask 0x10, 2024-02-05, rev 0x2c000390
      sig 0x00090672, pf_mask 0x07, 2023-12-05, rev 0x0035, size 224256
      sig 0x00090675, pf_mask 0x07, 2023-12-05, rev 0x0035
      sig 0x000b06f2, pf_mask 0x07, 2023-12-05, rev 0x0035
      sig 0x000b06f5, pf_mask 0x07, 2023-12-05, rev 0x0035
      sig 0x000906a3, pf_mask 0x80, 2023-12-05, rev 0x0433, size 222208
      sig 0x000906a4, pf_mask 0x80, 2023-12-05, rev 0x0433
      sig 0x000906a4, pf_mask 0x40, 2023-12-07, rev 0x0007, size 119808
      sig 0x000b0671, pf_mask 0x32, 2024-01-25, rev 0x0123, size 215040
      sig 0x000b06e0, pf_mask 0x11, 2023-12-07, rev 0x0017, size 138240
      sig 0x000c06f2, pf_mask 0x87, 2024-02-05, rev 0x21000230, size 552960
      sig 0x000c06f1, pf_mask 0x87, 2024-02-05, rev 0x21000230
  * source: update symlinks to reflect id of the latest release, 20240514

 -- Henrique de Moraes Holschuh <hmh@debian.org>  Thu, 16 May 2024 21:40:52 -0300

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 7d9b9762c9)
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Christian Lamparter
b550f7b302 firmware: intel-microcode: update to 20240312
Debian changelog:

intel-microcode (3.20240312.1) unstable; urgency=medium

  * New upstream microcode datafile 20240312 (closes: #1066108)
    - Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368):
      Protection mechanism failure of bus lock regulator for some Intel
      Processors may allow an unauthenticated user to potentially enable
      denial of service via network access.
    - Mitigations for INTEL-SA-INTEL-SA-00982 (CVE-2023-38575):
      Non-transparent sharing of return predictor targets between contexts in
      some Intel Processors may allow an authorized user to potentially
      enable information disclosure via local access.  Affects SGX as well.
    - Mitigations for INTEL-SA-INTEL-SA-00898 (CVE-2023-28746), aka RFDS:
      Information exposure through microarchitectural state after transient
      execution from some register files for some Intel Atom Processors and
      E-cores of Intel Core Processors may allow an authenticated user to
      potentially enable information disclosure via local access.  Enhances
      VERW instruction to clear stale register buffers.  Affects SGX as well.
      Requires kernel update to be effective.
    - Mitigations for INTEL-SA-INTEL-SA-00960 (CVE-2023-22655), aka TECRA:
      Protection mechanism failure in some 3rd and 4th Generation Intel Xeon
      Processors when using Intel SGX or Intel TDX may allow a privileged
      user to potentially enable escalation of privilege via local access.
      NOTE: effective only when loaded by firmware.  Allows SMM firmware to
      attack SGX/TDX.
    - Mitigations for INTEL-SA-INTEL-SA-01045 (CVE-2023-43490):
      Incorrect calculation in microcode keying mechanism for some Intel
      Xeon D Processors with Intel SGX may allow a privileged user to
      potentially enable information disclosure via local access.
  * Fixes for other unspecified functional issues on many processors
  * Updated microcodes:
    sig 0x00050653, pf_mask 0x97, 2023-07-28, rev 0x1000191, size 36864
    sig 0x00050656, pf_mask 0xbf, 2023-07-28, rev 0x4003605, size 38912
    sig 0x00050657, pf_mask 0xbf, 2023-07-28, rev 0x5003605, size 37888
    sig 0x0005065b, pf_mask 0xbf, 2023-08-03, rev 0x7002802, size 30720
    sig 0x00050665, pf_mask 0x10, 2023-08-03, rev 0xe000015, size 23552
    sig 0x000506f1, pf_mask 0x01, 2023-10-05, rev 0x003e, size 11264
    sig 0x000606a6, pf_mask 0x87, 2023-09-14, rev 0xd0003d1, size 307200
    sig 0x000606c1, pf_mask 0x10, 2023-12-05, rev 0x1000290, size 299008
    sig 0x000706a1, pf_mask 0x01, 2023-08-25, rev 0x0040, size 76800
    sig 0x000706a8, pf_mask 0x01, 2023-08-25, rev 0x0024, size 76800
    sig 0x000706e5, pf_mask 0x80, 2023-09-14, rev 0x00c4, size 114688
    sig 0x000806c1, pf_mask 0x80, 2023-09-13, rev 0x00b6, size 111616
    sig 0x000806c2, pf_mask 0xc2, 2023-09-13, rev 0x0036, size 98304
    sig 0x000806d1, pf_mask 0xc2, 2023-09-13, rev 0x0050, size 104448
    sig 0x000806ec, pf_mask 0x94, 2023-07-16, rev 0x00fa, size 106496
    sig 0x000806f8, pf_mask 0x87, 2024-01-03, rev 0x2b000590, size 579584
    sig 0x000806f7, pf_mask 0x87, 2024-01-03, rev 0x2b000590
    sig 0x000806f6, pf_mask 0x87, 2024-01-03, rev 0x2b000590
    sig 0x000806f5, pf_mask 0x87, 2024-01-03, rev 0x2b000590
    sig 0x000806f4, pf_mask 0x87, 2024-01-03, rev 0x2b000590
    sig 0x00090661, pf_mask 0x01, 2023-09-26, rev 0x0019, size 20480
    sig 0x00090672, pf_mask 0x07, 2023-09-19, rev 0x0034, size 224256
    sig 0x00090675, pf_mask 0x07, 2023-09-19, rev 0x0034
    sig 0x000b06f2, pf_mask 0x07, 2023-09-19, rev 0x0034
    sig 0x000b06f5, pf_mask 0x07, 2023-09-19, rev 0x0034
    sig 0x000906a3, pf_mask 0x80, 2023-09-19, rev 0x0432, size 222208
    sig 0x000906a4, pf_mask 0x80, 2023-09-19, rev 0x0432
    sig 0x000906c0, pf_mask 0x01, 2023-09-26, rev 0x24000026, size 20480
    sig 0x000906e9, pf_mask 0x2a, 2023-09-28, rev 0x00f8, size 108544
    sig 0x000906ea, pf_mask 0x22, 2023-07-26, rev 0x00f6, size 105472
    sig 0x000906ec, pf_mask 0x22, 2023-07-26, rev 0x00f6, size 106496
    sig 0x000906ed, pf_mask 0x22, 2023-07-27, rev 0x00fc, size 106496
    sig 0x000a0652, pf_mask 0x20, 2023-07-16, rev 0x00fa, size 97280
    sig 0x000a0653, pf_mask 0x22, 2023-07-16, rev 0x00fa, size 97280
    sig 0x000a0655, pf_mask 0x22, 2023-07-16, rev 0x00fa, size 97280
    sig 0x000a0660, pf_mask 0x80, 2023-07-16, rev 0x00fa, size 97280
    sig 0x000a0661, pf_mask 0x80, 2023-07-16, rev 0x00fa, size 96256
    sig 0x000a0671, pf_mask 0x02, 2023-09-14, rev 0x005e, size 108544
    sig 0x000b0671, pf_mask 0x32, 2023-12-14, rev 0x0122, size 215040
    sig 0x000b06a2, pf_mask 0xe0, 2023-12-07, rev 0x4121, size 220160
    sig 0x000b06a3, pf_mask 0xe0, 2023-12-07, rev 0x4121
    sig 0x000b06e0, pf_mask 0x11, 2023-09-25, rev 0x0015, size 138240
  * New microcodes:
    sig 0x000a06a4, pf_mask 0xe6, 2024-01-03, rev 0x001c, size 136192
    sig 0x000b06a8, pf_mask 0xe0, 2023-12-07, rev 0x4121, size 220160
    sig 0x000c06f2, pf_mask 0x87, 2023-11-20, rev 0x21000200, size 549888
    sig 0x000c06f1, pf_mask 0x87, 2023-11-20, rev 0x21000200
  * source: update symlinks to reflect id of the latest release, 20240312
  * changelog, debian/changelog: fix typos

 -- Henrique de Moraes Holschuh <hmh@debian.org>  Tue, 12 Mar 2024 20:28:17 -0300

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 7b911a9c49)
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Christian Lamparter
a086650550 firmware: intel-microcode: update to 20231114
Debian changelog:

intel-microcode (3.20231114.1) unstable; urgency=medium

  * New upstream microcode datafile 20231114 (closes: #1055962)
    Mitigations for "reptar", INTEL-SA-00950 (CVE-2023-23583)
    Sequence of processor instructions leads to unexpected behavior for some
    Intel(R) Processors, may allow an authenticated user to potentially enable
    escalation of privilege and/or information disclosure and/or denial of
    service via local access.
    Note: "retvar" on 4th gen Xeon Scalable (sig 0x806f8 pfm 0x87), 12th gen
    Core mobile (sig 0x906a4 pfm 0x80), 13th gen Core desktop (sig 0xb0671 pfm
    0x01) were already mitigated by a previous microcode update.
  * Fixes for unspecified functional issues
  * Updated microcodes:
    sig 0x000606a6, pf_mask 0x87, 2023-09-01, rev 0xd0003b9, size 299008
    sig 0x000606c1, pf_mask 0x10, 2023-09-08, rev 0x1000268, size 290816
    sig 0x000706e5, pf_mask 0x80, 2023-09-03, rev 0x00c2, size 113664
    sig 0x000806c1, pf_mask 0x80, 2023-09-07, rev 0x00b4, size 111616
    sig 0x000806c2, pf_mask 0xc2, 2023-09-07, rev 0x0034, size 98304
    sig 0x000806d1, pf_mask 0xc2, 2023-09-07, rev 0x004e, size 104448
    sig 0x000806f8, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0, size 572416
    sig 0x000806f8, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0
    sig 0x000806f7, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0
    sig 0x000806f6, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0
    sig 0x000806f5, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0
    sig 0x000806f4, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0
    sig 0x000806f8, pf_mask 0x10, 2023-06-26, rev 0x2c000290, size 605184
    sig 0x000806f8, pf_mask 0x10, 2023-06-26, rev 0x2c000290
    sig 0x000806f6, pf_mask 0x10, 2023-06-26, rev 0x2c000290
    sig 0x000806f5, pf_mask 0x10, 2023-06-26, rev 0x2c000290
    sig 0x000806f4, pf_mask 0x10, 2023-06-26, rev 0x2c000290
    sig 0x00090672, pf_mask 0x07, 2023-06-07, rev 0x0032, size 222208
    sig 0x00090672, pf_mask 0x07, 2023-06-07, rev 0x0032
    sig 0x00090675, pf_mask 0x07, 2023-06-07, rev 0x0032
    sig 0x000b06f2, pf_mask 0x07, 2023-06-07, rev 0x0032
    sig 0x000b06f5, pf_mask 0x07, 2023-06-07, rev 0x0032
    sig 0x000906a3, pf_mask 0x80, 2023-06-07, rev 0x0430, size 220160
    sig 0x000906a3, pf_mask 0x80, 2023-06-07, rev 0x0430
    sig 0x000906a4, pf_mask 0x80, 2023-06-07, rev 0x0430
    sig 0x000906a4, pf_mask 0x40, 2023-05-05, rev 0x0005, size 117760
    sig 0x000a0671, pf_mask 0x02, 2023-09-03, rev 0x005d, size 104448
    sig 0x000b0671, pf_mask 0x32, 2023-08-29, rev 0x011d, size 210944
    sig 0x000b06a2, pf_mask 0xe0, 2023-08-30, rev 0x411c, size 216064
    sig 0x000b06a2, pf_mask 0xe0, 2023-08-30, rev 0x411c
    sig 0x000b06a3, pf_mask 0xe0, 2023-08-30, rev 0x411c
    sig 0x000b06e0, pf_mask 0x11, 2023-06-26, rev 0x0012, size 136192
  * Updated 2023-08-08 changelog entry:
    Mitigations for "retvar" on a few processors, refer to the 2023-11-14
    entry for details.  This information was disclosed in 2023-11-14.
  * source: update symlinks to reflect id of the latest release, 20231114

 -- Henrique de Moraes Holschuh <hmh@debian.org>  Thu, 16 Nov 2023 08:09:43 -0300

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 7241a91c94)
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Florian Eckert
f457cd6f31 .gitignore: ignore link if target is included from feed
If an out of tree target is included via a feed, then there is a link with
the name 'feed' in the target directory. Do not show this link in git.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 13e7a2d19f)
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Rosen Penev
bf3ea23f5a lua: fix CVE-2014-5461
Patch taken from Debian.

Refresh patches

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 78b0106f7d)
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Yuu Toriyama
c0280da8ac wireless-regdb: update to 2024.05.08
Changes:
  73529a8 Revert "wireless-regdb: Update and disable 5470-5730MHz band according to TPC requirement for Singapore (SG)"
  87941e4 wireless-regdb: Update regulatory rules for Taiwan (TW) on 6GHz
  33797ae wireless-regdb: update regulatory database based on preceding changes

Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit 65c1f0d433)
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Paweł Owoc
3122bb60ad mac80211: add missing config for third 160MHz width for 5GHz radio
Without this configuration it is not possible to run the radio using HE160 on channels 149-177.

Fixes: #14906
Signed-off-by: Paweł Owoc <frut3k7@gmail.com>
(cherry picked from commit a91b79fd04)
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Hauke Mehrtens
6ea1e214e7 mbedtls: Update to 2.28.8
This contains a fix for:
CVE-2024-28960: An issue was discovered in Mbed TLS 2.18.0 through 2.28.x
before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto
API mishandles shared memory.

(cherry picked from commit 360ac07eb9)
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:27:11 +02:00
Hauke Mehrtens
eb9eaeb60d kernel: bump 5.10 to 5.10.221
No manual changes needed.

Link: https://github.com/openwrt/openwrt/pull/15902
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-08 22:25:19 +02:00
Hauke Mehrtens
86e290e1b6 wolfssl: Update to 5.7.0
This fixes multiple security problems:
 * [High] CVE-2024-0901 Potential denial of service and out of bounds
   read. Affects TLS 1.3 on the server side when accepting a connection
   from a malicious TLS 1.3 client. If using TLS 1.3 on the server side
   it is recommended to update the version of wolfSSL used.

 * [Med] CVE-2024-1545 Fault Injection vulnerability in
   RsaPrivateDecryption function that potentially allows an attacker
   that has access to the same system with a victims process to perform
   a Rowhammer fault injection. Thanks to Junkai Liang, Zhi Zhang, Xin
   Zhang, Qingni Shen for the report (Peking University, The University
   of Western Australia)."

 * [Med] Fault injection attack with EdDSA signature operations. This
   affects ed25519 sign operations where the system could be susceptible
   to Rowhammer attacks. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang,
   Qingni Shen for the report (Peking University, The University of
   Western Australia).

Size increased a little:
wolfssl 5.6.6:
516880 bin/packages/mips_24kc/base/libwolfssl5.6.6.e624513f_5.6.6-stable-r1_mips_24kc.ipk
wolfssl: 5.7.0:
519429 bin/packages/mips_24kc/base/libwolfssl5.7.0.e624513f_5.7.0-stable-r1_mips_24kc.ipk

(cherry picked from commit f475a44c03)
Link: https://github.com/openwrt/openwrt/pull/15874
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-07 22:24:07 +02:00
Nick Hainke
ea430dd6c8 wolfssl: update to 5.6.6
Release Notes:
https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.6-stable

Refresh patches:
- 100-disable-hardening-check.patch

Fixes: CVE-2023-6935 CVE-2023-6936 CVE-2023-6937
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 511578c128)
Link: https://github.com/openwrt/openwrt/pull/15874
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-07 22:24:07 +02:00
Hauke Mehrtens
e72b58a78c kernel: bump 5.10 to 5.10.220
No manual changes needed.

Link: https://github.com/openwrt/openwrt/pull/15843
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-07 22:22:32 +02:00
Hauke Mehrtens
b9aeaf778c ksmbd: Support kernel 5.10.220
In kernel 5.10.220 many file system related patches were backported. One
of them changed the signature of vfs_rename(). Extend the version check
for 5.10.220.

Link: https://github.com/openwrt/openwrt/pull/15843
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-07 22:22:32 +02:00
Hauke Mehrtens
1f69203081 cryptodev-linux: Support kernel 5.10.220
In kernel 5.10.220 many file system related patches were backported. One
of them removed ksys_close(). Extend the version check for 5.10.220.

Link: https://github.com/openwrt/openwrt/pull/15843
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-07 22:22:32 +02:00
Daniel Golle
b4188634f8 kernel: 5.15: add missing Kconfig symbols for NFS
Add new Kconfig symbols for NFSv4.1 and NFSv4.2 to kmod-nfs-common and
kmod-nfsd.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit f667277dd0)
Link: https://github.com/openwrt/openwrt/pull/15843
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-07 22:19:10 +02:00
Hauke Mehrtens
c54d411ca6 kernel: bump 5.10 to 5.10.219
Removed upstreamed:
   bcm27xx/patches-5.10/950-0006-smsx95xx-fix-crimes-against-truesize.patch
   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=c3dc80f63326261fc991ac87a79d82a2e138bbb9

Link: https://github.com/openwrt/openwrt/pull/15843
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-07 22:19:10 +02:00
Ryan Castellucci
7b8ccbd37c ipq40xx: eap1300: add eap1300ext as alt model
The EnGenius EAP1300 and EAP1300EXT use identical boards and firmware
(as flashed) from the vendor.

As with the EAP1300, the EAP1300EXT requires a specific firmware version
to flash OpenWRT. Unfortunately, the required firmware is truncated on
the vendor's website.

A working file can be created as follows:

```
curl \
https://www.engeniustech.com/wp_firmware/eap1300-all-v3.5.3.5_c1.9.04.bin \
| perl -pe 's/\x09EAP1300_A/\x0cEAP1300EXT_A/' \
> eap1300ext-all-v3.5.3.5_c1.9.04.bin
```

The file should have sha256:
`58a1197a426139a12b03fd432334e677124cbe3384349bd7337f2ee71f1dcfd4`.

Please see commit 2b4ac79 for further
details.

The vendor firmware must be decrypted before it can be flashed from
OpenWRT. A tool able to do that is available from:

https://github.com/ryancdotorg/enfringement/blob/main/decrypt.py

Signed-off-by: Ryan Castellucci <code@ryanc.org>
(cherry picked from commit 85f6f88223)
2024-07-01 07:44:05 +02:00
Hauke Mehrtens
13b9be317e kernel: bump 5.10 to 5.10.218
No manual changes needed.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-05-26 20:25:09 +02:00
Hauke Mehrtens
7c2c6555eb kernel: bump 5.10 to 5.10.217
Removed because they are upstream:
   bcm27xx/patches-5.10/950-0334-net-bcmgenet-Reset-RBUF-on-first-open.patch
   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=1fb7ab9a6e3eb4ea71a02b8b27fe2a95cc1213af

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-05-26 20:25:09 +02:00
Rany Hany
3f1b60ad40 mediatek: fix broken PCIe caused by update to 5.15.158
The patch "710-pci-pcie-mediatek-add-support-for-coherent-DMA.patch"
makes use of "syscon_regmap_lookup_by_phandle" which requires that
"syscon" be in the compatible list.

Without this patch, PCIe probe will fail with the following error:

[    1.287467] mtk-pcie 1a143000.pcie: host bridge /pcie@1a143000 ranges:
[    1.294019] mtk-pcie 1a143000.pcie: Parsing ranges property...
[    1.299901] mtk-pcie 1a143000.pcie:      MEM 0x0020000000..0x0027ffffff -> 0x0020000000
[    1.307954] mtk-pcie 1a143000.pcie: missing hifsys node
[    1.313185] mtk-pcie: probe of 1a143000.pcie failed with error -22

Fixes: 01c58a0d2a ("kernel: bump 5.15 to 5.15.158")
Signed-off-by: Rany Hany <rany_hany@riseup.net>
(cherry picked from commit 8607372b41)
2024-05-26 20:25:05 +02:00
Hauke Mehrtens
0621d89c62 kernel: bump 5.10 to 5.10.216
Removed because they are upstream:
   generic/backport-5.10/702-v5.19-01-arm64-dts-mediatek-mt7622-add-support-for-coherent-D.patch
   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=57ff09043fa1e5ed53c7bb33da595a84a1b7d4c5

   generic/backport-5.10/702-v5.19-04-arm64-dts-mediatek-mt7622-introduce-nodes-for-Wirele.patch
   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=136c8e0169dfda05dc1b882aba88f89c0c2fa169

Manually adapted:
   generic/pending-5.10/680-NET-skip-GRO-for-foreign-MAC-addresses.patch

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-05-26 20:21:04 +02:00
Christian Marangi
ebb3faf31f
procd: make mDNS TXT record parsing more solid
mDNS broadcast can't accept empty TXT record and would fail
registration.

Current procd_add_mdns_service checks only if the first passed arg is
empty but don't make any verification on the other args permittins
insertion of empty values in TXT record.

Example:

	procd_add_mdns "blah" \
				"tcp" "50" \
				"1" \
				"" \
				"3"

Produce:

{ "blah_50": { "service": "_blah._tcp.local", "port": 50, "txt": [ "1", "", "3" ] } }

The middle empty TXT record should never be included as it's empty.

This can happen with scripts that make fragile parsing and include
variables even if they are empty.

Prevent this and make the TXT record more solid by checking every
provided TXT record and include only the non-empty ones.

The fixed JSON is the following:

{ "blah_50": { "service": "_blah._tcp.local", "port": 50, "txt": [ "1", "3" ] } }

Fixes: b0d9dcf84d ("procd: update to latest git HEAD")
Reported-by: Paul Donald <newtwen@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15331
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 4b04304713)
2024-04-29 23:30:57 +02:00
Robert Marko
5f07510cdc tools: b43-tools: fix compilation with GCC14
GCC14 no longer treats integer types and pointer types as equivalent in
assignments (including implied assignments of function arguments and return
values), and instead fails the compilation with a type error.

So, as a workaround lets disable the newly introduced error
-Werror=int-conversion and just make it print a warning to enable compiling
with GCC14 as Fedora 40 now defaults to it.

(cherry picked from commit 0c96d20bf9)
Link: https://github.com/openwrt/openwrt/pull/15309
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-04-28 11:31:02 +02:00
Robert Marko
eede9b1bc4 tools/coreutils: fix compilation on macOS 14
Current coreutils 8.32 in 22.03 will fail to compile when using macOS 14 with:
depbase=`echo lib/obstack.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
gcc  -I. -I./lib  -Ilib -I./lib -Isrc -I./src -I/Volumes/OpenWrt/openwrt/staging_dir/host/include    -O2 -I/Volumes/OpenWrt/openwrt/staging_dir/host/include  -MT lib/obstack.o -MD -MP -MF $depbase.Tpo -c -o lib/obstack.o lib/obstack.c &&\
mv -f $depbase.Tpo $depbase.Po
lib/obstack.c:351:31: error: incompatible function pointer types initializing 'void (*)(void) __attribute__((noreturn))' with an expression of type 'void (void)' [-Wincompatible-function-pointer-types]
__attribute_noreturn__ void (*obstack_alloc_failed_handler) (void)
                              ^
1 error generated.

Backporting gnulib commit ("obstack: Fix a clang warning") fixes this.

Fixes: #15270
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-04-27 15:14:06 +02:00
Robert Marko
8d65f02087 tools/cpio: fix compilation on macOS 14
Current cpio 2.13 in 22.03 will fail to compile when using macOS 14 with:
gcc -DHAVE_CONFIG_H -I. -I..   -I/Volumes/OpenWrt/openwrt/staging_dir/host/include   -O2 -I/Volumes/OpenWrt/openwrt/staging_dir/host/include  -MT obstack.o -MD -MP -MF .deps/obstack.Tpo -c -o obstack.o obstack.c
obstack.c:351:31: error: incompatible function pointer types initializing 'void (*)(void) __attribute__((noreturn))' with an expression of type 'void (void)' [-Wincompatible-function-pointer-types]
__attribute_noreturn__ void (*obstack_alloc_failed_handler) (void)
                              ^
1 error generated.
make[7]: *** [Makefile:1586: obstack.o] Error 1

Backporting gnulib commit ("obstack: Fix a clang warning") fixes this.

Fixes: #15270
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-04-27 15:14:06 +02:00
Robert Marko
4a6911fe79 tools/sed: fix compilation on macOS 14
Current sed 4.8 in 22.03 will fail to compile when using macOS 14 with:
depbase=`echo lib/obstack.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
gcc -DHAVE_CONFIG_H -I.  -I. -I./lib -I./lib -I./sed -I/Volumes/OpenWrt/openwrt/staging_dir/host/include   -O2 -I/Volumes/OpenWrt/openwrt/staging_dir/host/include  -MT lib/obstack.o -MD -MP -MF $depbase.Tpo -c -o lib/obstack.o lib/obstack.c &&\
mv -f $depbase.Tpo $depbase.Po
lib/obstack.c:351:31: error: incompatible function pointer types initializing 'void (*)(void) __attribute__((noreturn))' with an expression of type 'void (void)' [-Wincompatible-function-pointer-types]
__attribute_noreturn__ void (*obstack_alloc_failed_handler) (void)
                              ^
1 error generated.
make[5]: *** [Makefile:2781: lib/obstack.o] Error 1

Backporting gnulib commit ("obstack: Fix a clang warning") fixes this.

Fixes: #15270
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-04-27 15:14:06 +02:00
Robert Marko
f5e20dd430 CI: tools: macOS: sync with shared-actions for macOS 14
Now that GH has changed their runner to macOS 14 current recipe will fail
so lets sync the required changes for macOS 14.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-04-27 15:12:14 +02:00
Zoltan HERPAI
abc1245ec5 sunxi: fix network bringup on Olinuxino Micro boards
It's the A13-based Olinuxino Micro which has only wireless interfaces. The
A20-based board is a fully-fledged one which has an ethernet interface.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
(cherry picked from commit 3ed8927cf5)
2024-04-21 23:39:24 +02:00
Yuu Toriyama
fef1a52bd6 wireless-regdb: update to 2024.01.23
The maintainer and repository of wireless-regdb has changed.
    https://lore.kernel.org/all/CAGb2v657baNMPKU3QADijx7hZa=GUcSv2LEDdn6N=QQaFX8r-g@mail.gmail.com/

Changes:
    37dcea0 wireless-regdb: Update keys and maintainer information
    9e0aee6 wireless-regdb: Makefile: Reproducible signatures
    8c784a1 wireless-regdb: Update regulatory rules for China (CN)
    149c709 wireless-regdb: Update regulatory rules for Japan (JP) for December 2023
    bd69898 wireless-regdb: Update regulatory rules for Singapore (SG) for September 2023
    d695bf2 wireless-regdb: Update and disable 5470-5730MHz band according to TPC requirement for Singapore (SG)
    4541300 wireless-regdb: update regulatory database based on preceding changes

Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit b463737826)
2024-04-21 19:25:07 +02:00
Hauke Mehrtens
06ea586508 mac80211: Update to 5.15.153-1
Update mac80211 to version based on kernel 5.15.153.
This contains multiple bugfixes.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-21 17:29:57 +02:00
Hauke Mehrtens
bc7585b93c kernel: bump 5.10 to 5.10.215
Manually adapted the following patch:
   octeontx/patches-5.10/0004-PCI-add-quirk-for-Gateworks-PLX-PEX860x-switch-with-.patch

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-16 00:44:46 +02:00
Hauke Mehrtens
ce37d2c690 kernel: bump 5.10 to 5.10.214
Removed because similar version is upstream:
x86/patches-5.10/020-x86-Fix-compile-problem.patch
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=cc6ddd6fa93eb59ac6f63158a6466e45ad0ca94c

Manually adapted the following patch:
mediatek/patches-5.10/100-dts-update-mt7622-rfb1.patch

Add new configuration symbols for tegra target.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-03-30 12:09:05 +01:00
Zoltan HERPAI
3547565f24 bcm47xx: fix switch setup for Linksys WRT320N v1
WRT320N V1 is not detected by the initial network configuration script.
The switch remains unconfigured and WAN/LAN VLANs are not created.

This adds the correct setup for the device.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2024-03-29 16:30:58 +01:00
Hauke Mehrtens
61c6bc2eaa kernel: bump 5.10 to 5.10.213
Removed because it is upstream:
generic/backport-5.10/081-net-next-regmap-allow-to-define-reg_update_bits-for-no-bus.patch
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=915848be2f1b24d8043aace414bc5f8174a13c0e

Manual changes needed:
bcm27xx/patches-5.10/950-0030-lan78xx-Enable-LEDs-and-auto-negotiation.patch

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-03-26 20:43:44 +01:00
Hauke Mehrtens
4895ab23a7 x86: Fix compile problem with kernel 5.10.211
Fix a compile problem in upstream kernel.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-03-07 20:45:49 +01:00
Hauke Mehrtens
f60a5f2dd3 kernel: Remove unused schedulers
These schedulers were removed in kernel 5.15.150 and 6.1.180.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit cd450923ab)
2024-03-07 20:45:49 +01:00
Hauke Mehrtens
a352312f0d kernel: bump 5.10 to 5.10.211
Removed because it is upstream:
bcm53xx/patches-5.15/037-v6.6-0004-ARM-dts-BCM53573-Drop-nonexistent-default-off-LED-tr.patch
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ef6128a1bafe90ceb14d71cd0e69f44f00ec8b0a

Manually adapted the following patch:
bcm53xx/patches-5.10/038-v6.2-0004-ARM-dts-broadcom-align-LED-node-names-with-dtschema.patch

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-03-07 20:45:49 +01:00
John Audia
d7e5cab026 kernel: Remove dsmark support
dsmark support was removed in kernel 5.15.150 and 6.1.80. Remove it from
the kmod package as well

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit bd6b37f463)
2024-03-07 20:45:49 +01:00
Hauke Mehrtens
f2e8d5974c kernel: bump 5.10 to 5.10.210
All patches refreshed automatically.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-03-03 13:16:30 +01:00