Commit Graph

19702 Commits

Author SHA1 Message Date
Robert Marko
4f348a200b
uboot-mvebu: update to 2022.10
Update mvebu U-boot to 2022.10 to avoid backporting patches in order
to support Methode eDPU.

It also allows dropping existing patches as they are all backports.

Tested-by: Andre Heider <a.heider@gmail.com> # espressobin-v3-v5-1gb-2cs
Tested-by: Russell Morris <github@rkmorris.us> # espressobin-v3-v5-1gb-1cs
Tested-by: Josef Schlehofer <pepe.schlehofer@gmail.com> [Turris Omnia]
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
2022-10-17 15:42:30 +02:00
Jo-Philipp Wich
cb24be47ff firewall4: update to latest Git HEAD
4fbf6d7 ruleset.uc: log forwarded traffic not matched by zone policies
c7201a3 main.uc: reintroduce set reload restriction
756f1e2 ruleset: fix emitting set_mark/set_xmark rules with masks
3db4741 ruleset: properly handle zone names starting with a digit
43d8ef5 fw4: fix formatting of default log prefix
592ba45 main.uc: remove uneeded/wrong set reload restrictions
b0a6bff tests: fix testcases
145e159 fw4: recognize `option log` and `option counter` in `config nat` sections
ce050a8 fw4: fall back to device if l3_device is not available in ifstatus

Fixes: #10639, #10965
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-10-15 00:39:48 +02:00
Jo-Philipp Wich
5110dcb1fa ucode: update to latest Git HEAD
4ae7072 fs: use `getline()` for line wise read operations
21ace5e lexer: fixes for regex literal parsing
00965fa lib: implement slice() function
76d396d main: implement print mode
7bbba78 compiler: optimize function return opcode generation
a45f2a3 lexer: improve regex literal handling
d64d5d6 vm: maintain export symbol tables per program
f4b4ded uloop: task: gracefully handle absent output callback
a58fe47 ubus: hold reference to underlying connection until deferred is concluded
e23b58a lib: uc_system(): retry waitpid() on EINTR

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-10-15 00:39:48 +02:00
Jo-Philipp Wich
db17c75271 rpcd: update to latest Git HEAD
8c852b6 ucode: write ucode runtime exceptions to stderr

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-10-15 00:39:48 +02:00
Uwe Kleine-König
63e5ba8e69 busybox: nslookup: ensure unique transaction IDs for the DNS queries
On machines with a coarse monotonic clock (here: TP-Link RE200 powered
by a MediaTek MT7620A) it can happen that the two DNS requests (for A
and AAAA) share the same transaction ID. If this happens the second
reply is wrongly dropped and nslookup reports "No answer".

Fix this by ensuring that the transaction IDs are unique.

Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
2022-10-14 20:51:35 +02:00
Felix Fietkau
a7ca1b2314 mac80211: use board.json provided phy names in generated default config
The phy will be automatically renamed on setup

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:13:11 +02:00
Felix Fietkau
50a03decdf mac80211: change the default config for a renamed wiphy
use option phy to reference the device instead of path/macaddr

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:13:01 +02:00
Felix Fietkau
db9c4a066a mac80211: fix detecting highest radio* config section index
Deal with gaps by iterating over existing sections instead of counting

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:12:49 +02:00
Felix Fietkau
4d323303e7 mac80211: rename phy according to board.json entries on bringup
This allows phy names specified in board.json to be used directly instead of
the path option

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:12:42 +02:00
Felix Fietkau
6603748e0c mac80211: change default ifname to <phy>-<type><index>
This makes it clear, which phy a wlan device belongs to and also helps with
telling them apart by including the mode in the ifname.
Preparation for automatically renaming PHYs

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:12:36 +02:00
Felix Fietkau
7f9d3a00d8 base-files: add helper functions for adding wlan device entries to board.json
These will be used to give WLAN PHYs a specific name based on path specified
in board.json. The platform board.d script can assign a specific order based
on available slots (PCIe slots, WMAC device) and device tree configuration.

This helps with maintaining config compatibility in case the device path
changes due to kernel upgrades.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:12:30 +02:00
Felix Fietkau
0a4a0c7193 libubox: update to the latest version
ea56013409d5 jshn.sh: add json_add_fields function for adding multiple fields at once

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:12:23 +02:00
Felix Fietkau
735f5f18dd iwinfo: update to the latest version
0496c722f1d7 nl80211: fix issues with renamed wiphy and multiple phy per device

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:12:07 +02:00
Felix Fietkau
da6b77215b mac80211: fix typo in netifd script
Reported-by: Chad Monroe <chad.monroe@smartrg.com>
Fixes: 590eaaeed5 ("mac80211: fix issues in HE capabilities")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-13 21:50:34 +02:00
Nick Hainke
e5cab973a4
hostapd: add measurement report value for beacon reports
Add the measurement report value to the beacon reports send via ubus. It
is possible to derive from the measurement report if a station refused to
do a beacon report and why. It is important to know why a station refuses
to do a beacon-report. In particular, we should not request a beacon
report from a station again that refused a beacon-report before.

The rejection reasons can be found by looking at the bits defined by:
- MEASUREMENT_REPORT_MODE_ACCEPT
- MEASUREMENT_REPORT_MODE_REJECT_LATE
- MEASUREMENT_REPORT_MODE_REJECT_INCAPABLE
- MEASUREMENT_REPORT_MODE_REJECT_REFUSED

Suggested-by: Ian Clowes <clowes_ian@hotmail.com>
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-13 16:53:37 +02:00
Felix Fietkau
88803cb0e6 mac80211: add patch that gives the driver more control over netdev offloads
This can be used to selectively disable checksum, SG or GSO offloads

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-13 15:04:33 +02:00
Felix Fietkau
26f400210d mac80211: backport security fixes
This mainly affects scanning and beacon parsing, especially with MBSSID enabled

Fixes: CVE-2022-41674
Fixes: CVE-2022-42719
Fixes: CVE-2022-42720
Fixes: CVE-2022-42721
Fixes: CVE-2022-42722
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-13 15:00:59 +02:00
Felix Fietkau
590eaaeed5 mac80211: fix issues in HE capabilities
Enable HE SU beamformee by default
Fix spatial reuse configuration:
- he_spr_sr_control is not a bool for enabling, it contains multiple bits
  which disable features that should be disabled by default
- one of the features (PSR) can be enabled through he_spr_psr_enabled
- add option to disable bss color / spatial reuse

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-13 13:45:42 +02:00
Chukun Pan
bb212092df
uboot-mediatek: fixes defconfig typo for UniFi 6 LR
CONFIG_CMD_MTDPART does not exist, fix it.

Fixes: e9ad412 ("uboot-mediatek: add build for Ubiquiti Networks UniFi 6 LR")
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2022-10-11 14:34:11 +02:00
Chukun Pan
b3c81c9f21
uboot-mediatek: fixes defconfig typo for Linksys E8450
CONFIG_CMD_MTDPART does not exist, fix it.

Fixes: ed50004 ("uboot-mediatek: add support for Linksys E8450")
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2022-10-11 14:34:07 +02:00
Chukun Pan
ffd29a55c3 libnl-tiny: update to the latest version
c42d890 build static library
28c44ca genl_family: explicitly null terminate
                     strncpy destination buffer

This fixes the compilation with gcc 12.

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2022-10-09 22:52:48 +02:00
Lech Perczak
df08849c00 odhcp6c: respect 'delegate' option for 464XLAT sub-interface
dhcpv6.script contained support for disabling prefix delegation of 464XLAT
sub-interface, but netifd protocol handler was missing the required
export to disable this. Add missing export, akin to DS-Lite and MAP.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2022-10-09 19:08:36 +02:00
Felix Fietkau
f6c359a655 mac80211: sync rx STP fix with updated version
Add back skb length check and fix a minor issue in protocol detection

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-07 14:59:11 +02:00
Felix Fietkau
cec7dfa497 mac80211: fix issues with receiving small STP packets
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-07 11:30:16 +02:00
Daniel Cousens
3bd04767ba
build: prefer HTTPS if available (for packages)
Changes PKG_SOURCE_URL's for arptables, bsdiff, dnsmasq,
fortify-headers, ipset, ipset-dns, libaudit, libpcap, libressl,
lua, lua5.3, tcpdump and valgrind, to HTTPS

Signed-off-by: Daniel Cousens <github@dcousens.com>
2022-10-05 17:37:07 +02:00
Koen Vandeputte
45109f69a6 mac80211: fix compile error when mesh is disabled
This fixes following compile error seen when
building mac80211 with mesh disabled:

.../backports-5.15.58-1/net/mac80211/agg-rx.c: In function 'ieee80211_send_addba_resp':
...backports-5.15.58-1/net/mac80211/agg-rx.c:255:17: error: 'struct sta_info' has no member named 'mesh'
  255 |         if (!sta->mesh)
      |                 ^~

sta_info.h shows this item as being optional based on flags:

	struct mesh_sta *mesh;

Guard the check to fix this.

Fixes: f96744ba6b ("mac80211: mask nested A-MSDU support for mesh")
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
2022-10-04 11:22:29 +02:00
Petr Štetiar
f1b7e1434f treewide: fix security issues by bumping all packages using libwolfssl
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.

So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-10-03 17:52:06 +02:00
David Bauer
f96744ba6b mac80211: mask nested A-MSDU support for mesh
mac80211 incorrectly processes A-MSDUs contained in A-MPDU frames. This
results in dropped packets and severely impacted throughput.

As a workaround, don't indicate support for A-MSDUs contained in
A-MPDUs. This improves throughput over mesh links by factor 10.

Ref: https://github.com/openwrt/mt76/issues/450

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-10-02 23:04:38 +02:00
Josef Schlehofer
185541f50f uboot-mvebu: backport LibreSSL patches for older version of LibreSSL
If you would like to compile the newest version of U-boot together with the stable
OpenWrt version, which does not have LibreSSL >= 3.5, which was updated
in the master branch by commit 5451b03b7c
("tools/libressl: bump to v3.5.3"), then you need these two patches to
fix it. They are backported from U-boot repository.

This should be backported to stable OpenWrt versions.

Reported-by: Michal Vasilek <michal.vasilek@nic.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-10-02 20:22:54 +02:00
Josef Schlehofer
9c7472950b uboot-mvebu: backport patch to fix compilation on non glibc system
This issue was reported by @paper42, who is using Void Linux with musl
to compile OpenWrt and its packages and found out it is not possible to
compile U-boot for Turris Omnia (neither any other).

It fixes following output:
```
  HOSTCC  tools/kwboot
tools/kwboot.c: In function 'kwboot_tty_change_baudrate':
tools/kwboot.c:662:6: error: 'struct termios' has no member named 'c_ospeed'
  662 |   tio.c_ospeed = tio.c_ispeed = baudrate;
      |      ^
tools/kwboot.c:662:21: error: 'struct termios' has no member named 'c_ispeed'
  662 |   tio.c_ospeed = tio.c_ispeed = baudrate;
      |                     ^
tools/kwboot.c:690:31: error: 'struct termios' has no member named 'c_ospeed'
  690 |  if (!_is_within_tolerance(tio.c_ospeed, baudrate, 3))
      |                               ^
tools/kwboot.c:693:31: error: 'struct termios' has no member named 'c_ispeed'
  693 |  if (!_is_within_tolerance(tio.c_ispeed, baudrate, 3))
      |
```

Tested-by: Michal Vasilek <michal.vasilek@nic.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-10-02 20:22:54 +02:00
Nick Hainke
17c1bf7e6c trace-cmd: update to v3.1.3
Remove upstremed patch:
- 100-tracecmd-add-NO_LIBZSTD-option-to-disable-libzstd.patch

Changes:
c65c02c trace-cmd: Version 3.1.3
14a7aca trace-cmd library: Add API for mapping between host and guests
9191b8e tracecmd extract: Allow using --compression.
d63ae35 trace-cmd report: Add callback for kvm plugin to show guest functions
0c7ef72 trace-cmd library: Add man pages for iterator functions
3cd1b55 trace-cmd library: Add tracecmd_follow_event()
27ea9e1 libtracecmd: Add documentation on tracecmd_set/get_private()
3c544ad libtracecmd: Add a man pages for handling of time stamps
5baf7a3 libtracecmd: Add check-manpages.sh
ee007a1 trace-cmd library: Make tracecmd_filter_match() local
cb04105 tracecmd library documentation: Use star and not underscore for function names
54931be trace-cmd: Do not return zero length name for guest by name
43ffa27 trace-cmd: Close socket descriptor on failed connection
4744ca3 trace-cmd record/agent: Add --notimeout option
e512b22 trace-cmd: Add compile time overrides for libraries
a6fe935 trace-cmd: README: Add note on installing libtracecmd
067f45f trace-cmd: libtracecmd: Fixing linking to C++ code
689a0d4 tracecmd: Add NO_LIBZSTD option to disable libzstd
6bbcd3e trace-cmd report: Use library tracecmd_filter_*() logic
955d05f trace-cmd report: Make filter arguments match their files
82ed4a9 trace-cmd library: Add filtering logic for iterating events
dbd8777 trace-cmd report: Use tracecmd_iterate_events_multi()
78a74b1 trace-cmd library: Allow callers to save private data in tracecmd_input handlers
b37903a tracecmd library: Add tracecmd_iterate_events_multi()
d83b662 tracecmd utest: Add test to test using the libraries to read
2cb6cc2 tracecmd library: Add tracecmd_iterate_events()
762839a tracecmd: Use make variable instead of if statement for zlib test
1504f3f trace-cmd: Document new proxy args for {agent,record}
9a1c5d7 trace-cmd record: Keep --proxy from being passed to agents
ef8a8d7 trace-cmd libs: Initialize msg to NULL tracecmd_msg_read_data()
39ec10a trace-cmd: Do not use instance from trace context

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
4f70380ff1 libtracefs: update to 1.5.0
Changes:
93f4d52 libtracefs: version 1.5
bc857db libtracefs: Add tracefs_u{ret}probe_alloc to generic man page
db55441 libtracefs: Add tracefs_debug_dir() to generic libtracefs man page
d2d5924 libtracefs: Add test instructions for openSUSE
4a7b475 libtracefs: Fix test suite typo
ee8c644 libtracefs: Add tracefs_tracer_available() helper
799d88e libtracefs: Add API to set custom tracing directory
1bb00d1 libtracefs: allow pthread inclusion overrideable in Makefile
04651d0 libtracefs sqlhist: Allow pointers to match longs
9de59a0 libtracefs: Remove double free attempt of new_event in tracefs_synth_echo_cmd()
0aaa86a libtracefs: Fix use after free in tracefs_synth_alloc()
d2d5340 libtracefs: Add missed_events to record
9aaa8b0 libtracefs: Set the number of CPUs in tracefs_local_events_system()
56a0ba0 libtracefs: Return negative number when tracefs_filter_string_append() fails
c5f849f libtracefs: Set the long size of the tep handle in tracefs_local_events_system()
5c8103e revert: 0de961e74f96 ("libtracefs: Set visibility of parser symbols as 'internal'")

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
cef2ec62ab libtraceevent: update to 1.6.3
Changes:
fda4ad9 libtraceevent: version 1.6.3
d02a61e libtraceevent: Add man pages for tep_plugin_kvm_get/put_func()
6643bf9 libtraceevent: Have kvm_exit/enter be able to show guest function
a596299 libtraceevent: Add tep_print_field() to check-manpages.sh deprecated
065c9cd libtraceevent: Add man page documentation of tep_get_sub_buffer_size()
6e18ecc libtraceevent: Add man page for tep_plugin_add_option()
6738713 libtraceevent: Add some missing functions to generic libtraceevent man page
deefe29 libtraceevent: Include meta data functions in libtraceevent man pages
cf6dd2d libtraceevent: Add tep_get_function_count() to libtraceevent man page
5bfc11e libtraceevent: Add printk documentation to libtraceevent man page
65c767b libtraceevent: Update man page to reflect tep_is_pid_registered() rename
7cd173f libtraceevent: Add check-manpages.sh
fd6efc9 libtraceevent: Documentation: Correct typo in example
5c375b0 libtraceevent: Fixing linking to C++ code
7839fc2 libtraceevent: Makefile - set LIBS as conditional assignment
c5493e7 libtraceevent: Remove double assignment of val in eval_num_arg()
efd3289 libtraceevent: Add warnings if fields are outside the event

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
d327466149 popt: update to 1.19
Add patch to fix compilation:
- 100-configure.ac-remove-require-gettext-version.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
04119d7cce libcap: update to 2.66
4f96e67 Up the release version to 2.66
60ff008 Fix typos in the cap_from_text.3 man page.
281b6e4 Add captrace to .gitignore file
09a2c1d Add an example of using BPF kprobing to trace capability use.
26e3a09 Clean up getpcaps code.
fc804ac getpcaps: catch PID parsing errors.
fc437fd Fix an issue with bash displaying an error.
7db9589 Some more simplifications for building
27e801b Fix for "make clean ; make -j48 test"

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Felix Fietkau
3968529285 mt76: update to the latest version
e4fa68a9b3b3 linux-firmware: update firmware for MT7921 WiFi device
60fcf08fe659 linux-firmware: update firmware for MT7921 WiFi device
9d601f4eee8f linux-firmware: update firmware for MT7922 WiFi device
e49b6063fb4b wifi: mt76: move mt76_rate_power from core to mt76x02 driver code
3f27f6adb1ab wifi: mt76: mt76x02: simplify struct mt76x02_rate_power
c07f3d2d5ede wifi: mt76: mt7921: fix antenna signal are way off in monitor mode
9059a5de3bd0 wifi: mt76: Remove unused inline function mt76_wcid_mask_test()
d75f15ddeb90 wifi: mt76: mt7915: fix bounds checking for tx-free-done command
06df7e689294 wifi: mt76: mt7915: reserve 8 bits for the index of rf registers
ad3d0f8db00b wifi: mt76: mt7915: rework eeprom tx paths and streams init
66065073177b wifi: mt76: mt7915: deal with special variant of mt7916
b0114a0abb57 wifi: mt76: mt7915: rework testmode tx antenna setting
6dee964e1f36 wifi: mt76: connac: introduce mt76_connac_spe_idx()
48c116d92939 wifi: mt76: mt7915: add spatial extension index support
db6db4ded0fd wifi: mt76: mt7915: set correct antenna for radar detection on MT7915D
2b8f56a72d76 wifi: mt76: mt7915: fix mt7915_mac_set_timing()
d554a02554db wifi: mt76: mt7915: move wed init routines in mmio.c
61ce40e65852 wifi: mt76: mt7915: enable wed for mt7986 chipset
584a96ec4a0f wifi: mt76: mt7915: enable wed for mt7986-wmac chipset
172d68b6253d mt76: mt76x02: fix vht rate power array overrun
72b87836d368 Revert "mt76: use IEEE80211_OFFLOAD_ENCAP_ENABLED instead of MT_DRV_AMSDU_OFFLOAD"

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-01 17:22:26 +02:00
Daniel Golle
7bba6b6f63 ubnt-ledbar: make package available on other targets
As also ramips/mt7621 now has a user of the ubnt-ledbar driver, make
the package available on all targets by removing the dependency on
@TARGET_mediatek_mt7622.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-09-30 13:29:58 +01:00
Felix Fietkau
2e375e9b31 kernel: remove hack patch, move kirkwood specific kmods to target modules.mk
Tweaking the KCONFIG line of kmod-ata-marvell-sata makes the hack patch
unnecessary

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-30 12:59:19 +02:00
Felix Fietkau
4363faef8a kernel: move ubnt ledbar driver to a separate package
Simplifies the tree by removing a non-upstream kernel patch and related kconfig
symbols

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-30 11:28:51 +02:00
Felix Fietkau
eb07020de2 mac80211: fix decap offload for stations on AP_VLAN interfaces
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-30 11:28:51 +02:00
Petr Štetiar
ec8fb542ec wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.

This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.

Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.

Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

Fixes: CVE-2022-39173
Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Tested-by: Kien Truong <duckientruong@gmail.com>
Reported-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:53:56 +02:00
Petr Štetiar
a0cd133fde Revert "wolfssl: fix TLSv1.3 RCE in uhttpd by using latest 5.5.1-stable release"
This reverts commit a596a8396b as I've
just discovered private email, that the issue has CVE-2022-39173
assigned so I'm going to reword the commit and push it again.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:53:12 +02:00
Petr Štetiar
8ad9a72cbe wolfssl: refresh patches
So they're tidy and apply cleanly.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:36:19 +02:00
Petr Štetiar
a596a8396b wolfssl: fix TLSv1.3 RCE in uhttpd by using latest 5.5.1-stable release
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.

This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.

Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.

Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:36:19 +02:00
Manas Sambhus
3e2ea10e5e
qos-scripts: fix trailing whitespace in config files
Signed-off-by: Manas Sambhus <manas.sambhus+github@gmail.com>
2022-09-27 17:16:46 +02:00
Manas Sambhus
0ca634e9ef
qos-scripts: replace modprobe by rmmod
modprobe -r is not available on all platforms, hence use rmmod

Signed-off-by: Manas Sambhus <manas.sambhus+github@gmail.com>
2022-09-27 17:16:45 +02:00
Manas Sambhus
4cc7011da0
kernel: netsupport: replace insmod by modprobe
Replace insmod by modprobe in TEQL hotplug script

Signed-off-by: Manas Sambhus <manas.sambhus+github@gmail.com>
2022-09-27 17:16:45 +02:00
Manas Sambhus
db0c0a31d8
ppp: use modprobe in place of insmod
This will prevent `module is already loaded` lines from
appearing in the logs when a PPP connection is reconnecting

Signed-off-by: Manas Sambhus <manas.sambhus+github@gmail.com>
2022-09-27 17:16:42 +02:00
Felix Fietkau
3a8825ad6a build: fix issues with targets installed via feeds
- fix including modules.mk when a target is being replaced
- fix calling make targets from target/linux

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-27 13:41:12 +02:00
Kevin Darbyshire-Bryant
582c098c09 nftables: backport fix to interval based rules
'rule inet dscpclassify dscp_match  meta l4proto { udp }  th dport { 3478 }
 th sport { 3478-3497, 16384-16387 } goto ct_set_ef' works with
'nft add', but not 'nft insert', the latter yields:
"BUG: unhandled op 4".

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-09-26 18:02:15 +01:00