Commit Graph

16316 Commits

Author SHA1 Message Date
Petr Štetiar
f49eec6335 wolfssl: fix API breakage of SSL_get_verify_result
Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable.  In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE powered sites or other sites utilizing
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts imposible:

 $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
 Downloading 'https://letsencrypt.org'
 Connecting to 18.159.128.50:443
 Connection error: Invalid SSL certificate

Fixes: #9283
References: https://github.com/wolfSSL/wolfssl/issues/4879
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit b9251e3b40)
(cherry picked from commit b99d7aecc8)
2022-02-22 20:32:11 +01:00
Petr Štetiar
cc344f1513 ubus: backport fixes for UAF and other issues
Backporting following fixes:

 a72457b61df0 libubus: increase stack depth for processing obj msgs
 ef038488edc3 libubus: process pending messages in data handler if stack depth is 0
 2099bb3ad997 libubus: use list_empty/list_first_entry in ubus_process_pending_msg

where at least commit 2099bb3ad997 ("libubus: use
list_empty/list_first_entry in ubus_process_pending_msg") fixes UAF
issue I've introduced in commit c5f2053dfcfd ("workaround possibly false
positive uses of memory after it is freed") while fixing another false
positive UAF reported[1] by clang's static analyzer.

Those fixes are being used in master/21.02 for about 6 months, so should
be tested enough and considered for backporting. I've runtested those
fixes on mvebu/turris-omnia and ipq40xx/glinet-b1300 devices.

1. https://openwrt.gitlab.io/-/project/ubus/-/jobs/2096090992/artifacts/build/scan/2022-02-15-150310-70-1/index.html

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-02-21 07:41:05 +01:00
Petr Štetiar
31bb27f35b wolfssl: bump to 5.1.1-stable
This is amalgamation of backported changes since 4.7.0-stable release:

 Sergey V. Lobanov (2):

  5b13b0b02c wolfssl: update to 5.1.1-stable
  7d376e6e52 libs/wolfssl: add SAN (Subject Alternative Name) support

 Andre Heider (3):

  3f8adcb215 wolfssl: remove --enable-sha512 configure switch
  249478ec48 wolfssl: always build with --enable-reproducible-build
  4b212b1306 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

 Ivan Pavlov (1):

  16414718f9 wolfssl: update to 4.8.1-stable

 David Bauer (1):

  f6d8c0cf2b wolfssl: always export wc_ecc_set_rng

 Christian Lamparter (1):

  86801bd3d8 wolfssl: fix Ed25519 typo in config prompt

The diff of security related changes we would need to backport would be
so huge, that there would be a high probability of introducing new
vulnerabilities, so it was decided, that bumping to latest stable
release is the prefered way for fixing following security issues:

 * OCSP request/response verification issue. (fixed in 4.8.0)
 * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1)
 * Issue with incorrectly validating a certificate (fixed in 5.0.0)
 * Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0)
 * Client side session resumption issue (fixed in 5.1.0)
 * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0)
 * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)

Cc: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-21 07:37:57 +01:00
Hauke Mehrtens
a2482fc3a5 OpenWrt v19.07.9: revert to branch defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-17 19:43:38 +01:00
Hauke Mehrtens
106382c27c OpenWrt v19.07.9: adjust config defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-17 19:43:34 +01:00
Hauke Mehrtens
e7596ce0b0 hostapd: Apply SAE/EAP-pwd side-channel attack update 2
This fixes some recent security problems in hostapd.
See here for details: https://w1.fi/security/2022-1
* CVE-2022-23303
* CVE-2022-23304

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-13 19:14:38 +01:00
Hauke Mehrtens
1691c1168d mbedtls: Update to version 2.16.12
This fixes the following security problems:
* Zeroize several intermediate variables used to calculate the expected
  value when verifying a MAC or AEAD tag. This hardens the library in
  case the value leaks through a memory disclosure vulnerability. For
  example, a memory disclosure vulnerability could have allowed a
  man-in-the-middle to inject fake ciphertext into a DTLS connection.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
  mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
  (out of memory). After that, calling mbedtls_ssl_session_free()
  and mbedtls_ssl_free() would cause an internal session buffer to
  be free()'d twice. CVE-2021-44732

The sizes of the ipk changed on MIPS 24Kc like this:
182454 libmbedtls12_2.16.11-2_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 57f38e2c82)
2022-02-13 18:27:18 +01:00
Rosen Penev
419b9f4c45 mbedtls: update to 2.16.11
Switched to AUTORELEASE to avoid manual increments.

Release notes:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit fcfd741eb8)
2022-02-13 18:26:55 +01:00
Hauke Mehrtens
bfa4cccd46 tcpdump: libpcap: Remove http://www.us.tcpdump.org mirror
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.

Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 18bdfc803b)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[rebased for OpenWrt 21.02 branch]
(cherry picked from commit 4dddb7ca36)
2022-02-13 10:51:47 +01:00
Hauke Mehrtens
e92a4e5458 tcpdump: Fix CVE-2018-16301
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 8f5875c4e2)
(cherry picked from commit 59e7ae8d65)
2022-02-13 08:55:02 +01:00
Eneas U de Queiroz
b50eb70e01 openssl: bump to 1.1.1m
This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 5beaa75d94)
2022-01-16 18:52:58 +01:00
Hauke Mehrtens
cc8c1be438 mac80211: Update to version 4.19.221
The following patch was backported from upstream before and is not
needed any more:
  package/kernel/mac80211/patches/ath/980-ath10k-fix-max-antenna-gain-unit.patch

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-12-14 23:38:30 +01:00
Roman Yeryomin
554f1b89aa iproute2: m_xt.so depends on dynsyms.list
When doing parallel build on a fast machine with bottleneck in i/o,
m_xt.so may start linking faster than dynsyms.list gets populated,
resulting in error:

ld:dynsyms.list:0: syntax error in dynamic list

Fix this by adding dynsyms.list as make dependency to m_xt.so
Described also here:
https://bugs.openwrt.org/index.php?do=details&task_id=3353

Change from v1:
- add dynsysms.list dependancy only when shared libs are enabled

Signed-off-by: Roman Yeryomin <roman@advem.lv>
Fixes: FS#3353
(cherry-picked from commit edd53df168)
2021-12-14 23:38:30 +01:00
Mathias Kresin
f14bc5cf56 uboot-lantiq: danube: fix hanging lzma kernel uncompression #2
Follow up to commit 8fb714edd6. Managed to
hit the very same issue again while playing with the NOR SPL builds.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2021-11-27 22:55:25 +01:00
Mathias Kresin
8fb714edd6 uboot-lantiq: danube: fix hanging lzma kernel uncompression
At least since gcc 7.3.0 (OpenWrt 18.06) lwr/lwl are used in the
assembly of LzmaProps_Decode. While the decission made by the compiler
looks perfect fine, it triggers some obscure hang on lantiq danube-s
v1.5 with MX29LV640EB NOR flash chips.

Only if the offset 1 is used, the hang can be observed. Using any other
offset works fine:

  lwl s0,0(a1) - s0 == 0x6d000080
  lwl s0,1(a1) - hangs
  lwl s0,2(a1) - s0 == 0x0080xxxx
  lwl s0,3(a1) - s0 == 0x80xxxxxx

It isn't clear whether it is a limitation of the flash chip, the EBU or
something else.

Force 8bit reads to prevent gcc optimizing the read with lwr/lwl
instructions.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2021-11-14 21:36:15 +01:00
Christian Lamparter
b5b526285a wireless-regdb: update to version 2021.08.28
e983a25 Update regulatory rules for Ecuador (EC)
a0bcb88 wireless-regdb: Update regulatory rules for Norway (NO) on 6 and 60 GHz
cdf854d wireless-regdb: Update regulatory rules for Germany (DE) on 6GHz
86cba52 wireless-regdb: reduce bandwidth for 5730-5850 and 5850-5895 MHz in US
6fa2384 wireless-regdb: remove PTMP-ONLY from 5850-5895 MHz for US
9839e1e wireless-regdb: recent FCC report and order allows 5850-5895 immediately
42dfaf4 wireless-regdb: update 5725-5850 MHz rule for GB

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit dbb4c47798)
2021-11-07 19:49:57 +01:00
Felix Fietkau
a5c479a200 wireless-regdb: update to version 2021.04.21
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit d76535c45e)
2021-11-07 19:49:57 +01:00
Alan Swanson
c72ea2a6c7 uboot-lantiq: fix sha1.h header clash when system libmd installed
Backport of u-boot commit "includes: move openssl headers to include/u-boot"
2b9912e6a7

Fixes: FS#3955
Signed-off-by: Alan Swanson <reiver@improbability.net>
(cherry picked from commit 8db6410492)
2021-10-02 17:41:26 +02:00
Hauke Mehrtens
123d12eada mac80211: Update to backports-4.19.207-1
Refresh all patches.

This contains fixes for CVE-2020-3702

1. These patches (ath, ath9k, mac80211)  were included in kernel
versions since 4.14.245 and 4.19.205. They fix security vulnerability
CVE-2020-3702 [1] similar to KrØØk, which was found by ESET [2].

Thank you Josef Schlehofer for reporting this problem.

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-3702
[2] https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-09-22 23:23:57 +02:00
Luis Araneda
556d165dda uboot-zynq: fix dtc compilation on host gcc 10
gcc 10 defaults to -fno-common, which causes an error
when linking.

Back-port the following Linux kernel commit to fix it:
e33a814e772c (scripts/dtc: Remove redundant YYLOC global declaration)

Tested on an Arch Linux host with gcc 10.1.0

Signed-off-by: Luis Araneda <luaraneda@gmail.com>
(cherry picked from commit 8b870418f1)
2021-09-13 13:06:02 +02:00
Sven Eckelmann
f33dc315cb uboot-tegra: Fix build with GCC-10 as host compiler
The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:

  HOSTLD  scripts/dtc/dtc
  /usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
  collect2: error: ld returned 1 exit status

The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2021-09-13 13:06:02 +02:00
Sven Eckelmann
f31bb35b63 uboot-mvebu: Fix build with GCC-10 as host compiler
The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:

  HOSTLD  scripts/dtc/dtc
  /usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
  collect2: error: ld returned 1 exit status

The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2021-09-13 13:06:02 +02:00
Hauke Mehrtens
e8cf46ebba uboot-layerscape: fix dtc compilation on host gcc 10
Backport a patch from upstream U-Boot to fix the compile with host GCC 10.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 8d143784cb)
2021-09-13 13:06:02 +02:00
Sven Eckelmann
d059ce28f5 uboot-kirkwood: Fix build with GCC-10 as host compiler
The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:

  HOSTLD  scripts/dtc/dtc
  /usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
  collect2: error: ld returned 1 exit status

The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2021-09-13 13:06:02 +02:00
Sven Eckelmann
af5c8856f8 uboot-sunxi: Fix build with GCC-10 as host compiler
The package uses the host compiler to build the dtc binary. With gcc-10,
the option -fno-common is now the default behavior. Thus multiple
definitions of the same variable are now forbidden and results in following
error during linking:

  HOSTLD  scripts/dtc/dtc
  /usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
  collect2: error: ld returned 1 exit status

The easiest workaround is to add the upstream commit 018921ee79d3 ("Remove
redundant YYLOC global declaration").

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2021-09-13 13:06:02 +02:00
Eneas U de Queiroz
fdea0036a2 openssl: bump to 1.1.1l
This version fixes two vulnerabilities:
  - SM2 Decryption Buffer Overflow (CVE-2021-3711)
    Severity: High

  - Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
    Severity: Medium

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-08-30 17:15:37 +02:00
Eneas U de Queiroz
40c03b101c openssl: use --cross-compile-prefix in Configure
This sets the --cross-compile-prefix option when running Configure, so
that that it will not use the host gcc to figure out, among other
things, compiler defines.  It avoids errors, if the host 'gcc' is
handled by clang:

mips-openwrt-linux-musl-gcc: error: unrecognized command-line option
'-Qunused-arguments'

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 2f75348923)
2021-08-30 17:15:37 +02:00
Hauke Mehrtens
cfc1602a1e OpenWrt v19.07.8: revert to branch defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-08-01 18:46:20 +02:00
Hauke Mehrtens
31f2f76cd5 OpenWrt v19.07.8: adjust config defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-08-01 18:45:59 +02:00
Petr Štetiar
ef56c85848 ubus: update to version 2021-07-01
This update cherry picks following fix:

 * ubusd: fix tx_queue linked list usage

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-07-29 21:50:28 +02:00
Petr Štetiar
796bf50e8e ubus: update to version 2021-06-03
This update cherry picks following changes:

 * cmake: add a possibility to set library version
 * ubusd: protect against too-short messages
 * ubusd: add per-client tx queue limit
 * ubusd: convert tx_queue to linked list
 * lua: avoid truncation of large numeric values

Fixes: FS#1525
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-07-29 21:50:28 +02:00
Petr Štetiar
92e341d632 ubus: backport SOVERSION support
Add a support for setting of new `ABIVERSION` CMake define which allows
to control the SOVERSION used for the built shared library. This is
needed for downstream packaging to properly track breaking ABI changes
when updating to newer versions of the library.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(backported from commit 8edb1797d5)
2021-07-29 21:50:28 +02:00
Michael Yartys
ceb8821a3d ath10k-ct: add security fixes
This rebases -ct changes on top of upstream stable kernel's latest code.
Including the wifi security fixes that recently went in.

Removed upstreamed 203-ath10k-Limit-available-channels-via-DT-ieee80211-fre.patch
and refreshed patches.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [backport]
(backported from commit 2e10ed925e)
2021-07-02 17:15:44 +02:00
Paul Spooren
71fa524e1b base-files: fix /tmp/TZ when zoneinfo not installed
The zoneinfo packages are not installed per default so neither
/tmp/localtime nor /tmp/TZ is generated.

This patch mostly reverts the previous fix and instead incooperates a
solution suggested by Jo.

Fixes "base-files: fix zoneinfo support " 8af62ed

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 56bdb6bb97)
2021-06-25 14:56:48 -10:00
Rosen Penev
c88bdb8294 base-files: fix zoneinfo support
The system init script currently sets /tmp/localinfo when zoneinfo is
populated. However, zoneinfo has spaces in it whereas the actual files
have _ instead of spaces. This made the if condition never return true.

Example failure when removing the if condition:

/tmp/localtime -> /usr/share/zoneinfo/America/Los Angeles

This file does not exist. America/Los_Angeles does.

Ran through shfmt -w -ci -bn -sr -s

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 8af62ede18)
2021-06-23 15:44:30 -10:00
Ali MJ Al-Nasrawy
15612706c9 mac80211: distance config: allow "auto" as a value
The user can now enable the ACK timeout estimation algorithm (dynack)
for drivers that support it.
It is also expected that the distance config accepts the same values as:
$ iw phyX set distance XXX

Signed-off-by: Ali MJ Al-Nasrawy <alimjalnasrawy@gmail.com>
(cherry picked from commit a8a1ef8568)
2021-06-23 12:10:41 -10:00
Hauke Mehrtens
ffd4452f8b mac80211: Update to backports version 4.19.193-test1
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-06-06 17:57:56 +02:00
Jo-Philipp Wich
1153773c78 ubox: fix init script validation of log_ip option
The underlying logread process uses usock() to handle remote connections
which is able to handle both hostnames and IP addresses.

Ref: https://github.com/openwrt/luci/issues/5077
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit ec83fb9ced)
2021-05-28 15:26:31 +02:00
Hauke Mehrtens
84c5dbcf2a openwrt-keyring: Only copy sign key for 19.07 and 21.02
Instead of adding all public signature keys from the openwrt-keyring
repository only add the key which is used to sign the OpenWrt 19.07
feeds and the 21.02 feeds to allow checking the next release.

If one of the other keys would be compromised this would not affect
users of 19.07 release builds.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-05-16 15:34:49 +02:00
Petr Štetiar
c07c98d28e openwrt-keyring: add OpenWrt 21.02 GPG/usign keys
49283916005d usign: add 21.02 release build pubkey
bc4d80f064f2 gpg: add OpenWrt 21.02 signing key

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 1bf6d70e60)
2021-05-16 15:34:20 +02:00
Hauke Mehrtens
1b5a45a4a7 mac80211: Update to backports version 4.19.189-1
The removed patches were applied upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-05-04 01:07:17 +02:00
Hauke Mehrtens
a883e3af38 dropbear: Fix CVE-2020-36254
This backports a fix from dropbear 2020.81.
CVE-2020-36254 description:
scp.c in Dropbear before 2020.79 mishandles the filename of . or an empty filename, a related issue to CVE-2018-20685.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-05-03 20:08:53 +02:00
Magnus Kroken
7198ae4cf3 openvpn: update to 2.4.11
Fixes two related security vulnerabilities (CVE-2020-15078) which under
very specific circumstances allow tricking a server using delayed
authentication (plugin or management) into returning a PUSH_REPLY before
the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.

This release also includes other bug fixes and improvements.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2021-05-02 14:43:52 +02:00
Magnus Kroken
a8beddcd34 openvpn: update to 2.4.9
This is primarily a maintenance release with bugfixes and improvements.
This release also fixes a security issue (CVE-2020-11810) which allows
disrupting service of a freshly connected client that has not yet
negotiated session keys. The vulnerability cannot be used to
inject or steal VPN traffic.

Release announcement:
https://openvpn.net/community-downloads/#heading-13812
Full list of changes:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry-picked from commit d7e98bd7c5)
2021-05-02 14:43:52 +02:00
Magnus Kroken
f82ddf9024 openvpn: update to 2.4.8
Backport two upstream commits that allow building
openvpn-openssl without OpenSSLs deprecated APIs.

Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry-picked from commit bf43e5bbf9)
2021-05-02 14:43:52 +02:00
Martin Schiller
8788e86245 ppp/pppoe-discovery: fix -W option
This patch is already included in ppp-2.4.9 which is used in openwrt
master.

Backport this patch to openwrt-19.07.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2021-05-02 14:43:09 +02:00
Koen Vandeputte
cc0b70467d mac80211: backport upstream fixes
Refreshed all patches.
Includes all fixes up to 4.19.184

Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
2021-04-09 15:43:38 +02:00
Eneas U de Queiroz
81266d9001 openssl: bump to 1.1.1k
This version fixes 2 security vulnerabilities, among other changes:

 - CVE-2021-3450: problem with verifying a certificate chain when using
   the X509_V_FLAG_X509_STRICT flag.

 - CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
   crafted renegotiation ClientHello message from a client.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 0bd0de7d43)
2021-03-27 07:44:43 +01:00
Petr Štetiar
6165bb0d60 openssl: sync package download URLs with master
Apparently it fixes some broken URLs and as a bonus it makes
cherry-picking of fixes easier.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-03-27 07:42:14 +01:00
Magnus Kroken
c336db7a78 mbedtls: update to 2.16.10
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.

Security fixes:
* Fix a buffer overflow in mbedtls_mpi_sub_abs()
* Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem()
* Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout()
* Guard against strong local side channel attack against base64 tables
by making access aceess to them use constant flow code

Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit dbde2bcf60)
2021-03-27 07:35:25 +01:00