Commit Graph

57570 Commits

Author SHA1 Message Date
Daniel Golle
703a5519cb mediatek: use DEVICE_DTC_FLAGS for BPi-R64
Make sure there is an extra 4kb of padding to apply device tree overlays
on the BPi-R64.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 7b536c4ec9)
2023-06-09 19:23:03 +01:00
Daniel Golle
4bb75f6f40 image: introduce DEVICE_DTC_FLAGS and DEVICE_DTCO_FLAGS
Handle compiling device tree overlay blobs separately to allow for
overlays being compiled with different parameters, mostly to save
space.
Allow defining DEVICE_DTC_FLAGS and DEVICE_DTCO_FLAGS as per-device
parameters to be passed to dtc. Previously some boards directly used
DTC_FLAGS in their build recipe which then also affected other boards.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 56f409c4e4)
2023-06-09 19:23:03 +01:00
Daniel Golle
49bd38f01a mediatek: set new compat version if booted on R64 and R3
If the board comes up with OpenWrt that means that the bootloader is
recent enough and knows about the new device tree overlays.

Using /etc/board.d/ is not enough in this case because it doesn't
overwrite existing configuration which may exist (and is fine to exist)
if the user updated with 'sysupgrade -F *.itb' and has kept
configuration. They would still need to manually set compat_version
even though the fact that the bootloader env has been updated can be
implied by the fact that the system has started.

Hence we can always set compat_version=1.1 for those two boards using
uci-defaults.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 25e27c4af3)
2023-06-09 19:23:03 +01:00
Daniel Golle
a65ec9fea7 mediatek: sync MT7986 device trees with upstream
Sync device tree files for MT7986 boards with what landed in upstream
Linux tree to ease maintenance and also allow for a smooth update to
Linux 6.1.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 7a0ec001ff)
2023-06-09 19:23:03 +01:00
Daniel Golle
bca04036ff mediatek: use updated device tree overlay mechanism for BPi-R64
Use new device tree overlay mechanism for the BananaPi BPi-R64 board.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 34bb33094a)
2023-06-09 19:23:03 +01:00
Daniel Golle
5f3c5848e3 uboot-mediatek: adapt BPi-R3 and BPi-R64 to new device tree overlay
Update bootloader environment for BPi-R3 and BPi-R64 to adapt to new
device tree overlay mechanism now that support for multiple device
tree overlays has been added.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit ec50d2d366)
2023-06-09 19:23:03 +01:00
Daniel Golle
dc778190bc generic: use only first element in bootconf for uImage.FIT
Now that it is possible to load several device tree overlays by
appending their config names to bootconf the uImage.FIT partition
parser needs to discard everything after the first '#' character in
bootconf when looking up the config node to be used.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 07bca1adaa)
2023-06-09 19:23:03 +01:00
Daniel Golle
d05d886d22 image: improve uImage.FIT device tree overlay support
Instead of generating full config nodes incl. kernel, generate minimal
config nodes for device tree overlays to be applied to the main config.
In this way, multiple device tree overlays can be applied more easily.
While at it change filenames to upstream style, ie. use dtso and dtbo
suffix for device tree overlays.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 6b01d40bfe)
2023-06-09 19:23:03 +01:00
Daniel Golle
d46e13d864 mediatek: convert mt7986a-zyxel-ex5601-t0-stock.dts to UNIX
The device tree file was in DOS format (CR-LF). Convert it to UNIX style.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d28534545e)
2023-06-09 19:23:03 +01:00
Daniel Golle
4494791fc7 mediatek: use existing I2C clock names
PCK and MCK should really be P=PMIC and M=MEM, which means that they
should effectively be CLK_PMIC and CLK_ARB.

Suggested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0580747ada)
2023-06-09 19:23:03 +01:00
Daniel Golle
c4c14e9ce8 mediatek: use cpufreq fix suggested by MediaTek
Use suggested fix for mediatek-cpufreq, patch will also be sent
upstream.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 7e93f520d6)
2023-06-09 19:23:03 +01:00
Ivan Pavlov
e1d59497e9 openssl: update to 3.0.9
CVE-2023-2650 fix
Remove upstreamed patches

Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]
 * Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255)
 * Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
 * Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
 * Limited the number of nodes created in a policy tree (CVE-2023-0464)

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
(cherry picked from commit 6348850f10)
2023-06-09 13:36:21 +02:00
Hauke Mehrtens
c78ba8a695 valgrind: update to 3.21.0
Release Notes:
https://valgrind.org/docs/manual/dist.news.html

This improves support for the memory allocator used in musl libc 1.2.2
and later which is currently used by OpenWrt.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d85013460d)
2023-06-09 13:25:34 +02:00
Tony Ambardar
436e477430 kselftests-bpf: add kernel BPF tests
Build and package kernel self-tests used for BPF testing, program and JIT
development. This package, together with the existing 'kmod-bpf-test', was
extensively used for past upstream Linux JIT submissions [1].

Currently this includes only 'test_verifier'; building 'test_progs' will
fail due to known endian limitations with bpftool skeletons.

[1]:https://lore.kernel.org/bpf/cover.1633392335.git.Tony.Ambardar@gmail.com

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 3886ea9b87)
2023-06-09 13:20:44 +02:00
Tony Ambardar
11677aa44c kernel: backport libcap workaround for BPF selftests
Recent libcap versions (>= 2.60) cause problems with BPF kselftests, so
backport an upstream patch that replaces libcap and drops the dependency.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 04981c716a)
2023-06-09 13:20:44 +02:00
Tony Ambardar
081dfcfb0f base-files: enable BPF JIT kallsyms by default
Set net.core.bpf_jit_kallsyms=1 in /etc/sysctl.d/10-default.conf.

For privileged users, this exports addresses of JIT-compiled programs to
appear in /proc/kallsyms when present, allowing their use for debugging
and in traces.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit b3aaede2a7)
2023-06-09 13:20:05 +02:00
Tianling Shen
3f3586a06d rockchip: add Orange Pi R1 Plus LTS support
The OrangePi R1 Plus LTS is a minor variant of OrangePi R1 Plus with
the on-board NIC chip changed from rtl8211e to yt8531c, and otherwise
identical to OrangePi R1 Plus.

Tested-by: Volkan Yetik <no3iverson@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 32d5921b8b)
[Removed patches for kernel 6.1]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-06-09 13:15:19 +02:00
Tianling Shen
3b8564f9aa uboot-rockchip: add Orange Pi R1 Plus LTS support
Add support for the Xunlong Orange Pi R1 Plus LTS.
Manually generated of-platdata files to avoid swig dependency.

Tested-by: Volkan Yetik <no3iverson@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 37fed89166)
2023-06-09 13:15:19 +02:00
Tianling Shen
c11115b5cf rockchip: add Orange Pi R1 Plus support
Orange Pi R1 Plus is a Rockchip RK3328 based SBC by Xunlong.

This device is similar to the NanoPi R2S, and has a 16MB
SPI NOR (mx25l12805d). The reset button is changed to
directly reset the power supply, another detail is that
both network ports have independent MAC addresses.

Note: booting from SPI is currently unsupported, you have to install
the image on a SD card.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit ab641efe69)
[Removed patches for kernel 6.1]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-06-09 13:15:19 +02:00
Tianling Shen
ecfcc47f0c uboot-rockchip: add Orange Pi R1 Plus support
Add support for the Xunlong Orange Pi R1 Plus.
Manually generated of-platdata files to avoid swig dependency.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 043f8a4f5e)
2023-06-09 13:15:19 +02:00
Christian Marangi
417b76b1f1 generic: drop useless binfmt patch fixing compilation warning
The compilation warning was triggered by wrongly set FRAME_WARN to 1024
even for 64bit. This was recently fixed by correctly setting the
FRAME_WARN to 2048 for 64bit systems.

The compilation warning would still be triggered on 32bit system but the
actual code is never reached as ARCH_USE_GNU_PROPERTY is only set on
arm64 arch.

Drop the patch as kmalloc causes a perf regression as suggested by upstream
maintainers.

Fixes: fa79baf4a6 ("generic: copy backport, hack, pending patch and config from 5.15 to 6.1")
Fixes: 5913ea1ba2 ("generic: 5.15: add pending patch fixing binfmt compilation warning")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 62338f4162)
2023-06-08 03:34:39 +02:00
Jitao Lu
2804fff57f oxnas: Enable CONFIG_CRYPTO_LZ4
Previously, CONFIG_LZ4_DECOMPRESS=y was selected by CONFIG_RD_LZ4 only.

When building kernel for initramfs, CONFIG_RD_LZ4 will be unset by
Kernel/SetInitramfs if the chosen compression method is not lz4, then
CONFIG_LZ4_DECOMPRESS will become a *module* in the newly generated
kernel config.

However, the newly added module won't be built after
38c150612c, so packaging kmod-lib-lz4
fails due to missing lz4_decompress.ko.

CONFIG_CRYPTO_LZ4=y makes CONFIG_LZ4_DECOMPRESS=y being selected w/o
CONFIG_RD_LZ4, so that the modules of the default kernel and initramfs
kernel are consistent.

Fixes: #12766
Fixes: 38c150612c ("build: revert 54070a1 (all kernels are >= 5.10)")
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
(cherry picked from commit cc87f6629b)
2023-06-08 17:28:11 +02:00
Mikhail Zhilkin
91221d9e74 ramips: enable LED button for TP-Link EC330-G5u v1
The device already has LED push button (KEY_LIGHTS_TOGGLE)
and exported GPIO control "led-light". This commit adds
button handler script for switching on/off all device LEDs.

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit d955b41275)
2023-06-08 17:28:03 +02:00
Tianling Shen
a48d0bdb77 openssl: fix uci config for built-in engines
Built-in engine configs are added in libopenssl-conf/install stage
already, postinst/add_engine_config is just duplicating them, and
due to the lack of `config` header it results in a broken uci config:

> uci: Parse error (invalid command) at line 3, byte 0

```
config engine 'devcrypto'
        option enabled '1'
engine 'devcrypto'
        option enabled '1'
        option builtin '1'
```

Add `builtin` option in libopenssl-conf/install stage and remove
duplicate engine configuration in postinst/add_engine_config to
fix this issue.

Fixes: 0b70d55a64 ("openssl: make UCI config aware of built-in engines")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit a0d7193425)
2023-06-08 15:33:14 +02:00
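
Added example, not part of the commit above or of OpenWrt's own code: a small pre-install check that flags the kind of malformed section line shown in that commit message and reports the same line number as the quoted uci error. The function name `uci_lint` and the fixed sample are assumptions made for illustration; the check only looks at the first word of each line and is not libuci's parser.

```shell
#!/bin/sh
# uci_lint: read a UCI config on stdin and report the first line whose
# first word is not a UCI file command, or an option/list line that appears
# before any "config" section. Prints "<line>: <reason>" and returns 1 on
# the first problem, returns 0 if none is found.
# Simplified check for illustration; it does not validate quoting or names.
uci_lint() {
    n=0
    in_section=0
    set -f                      # no globbing while word-splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line            # $1 = first whitespace-delimited word
        case ${1-} in
            ''|'#'*) ;;         # blank line or comment
            package) ;;
            config) in_section=1 ;;
            option|list)
                if [ "$in_section" -ne 1 ]; then
                    printf '%s: %s outside a section\n' "$n" "$1"
                    set +f
                    return 1
                fi ;;
            *)
                printf "%s: invalid command '%s'\n" "$n" "$1"
                set +f
                return 1 ;;
        esac
    done
    set +f
    return 0
}

# The broken config quoted in the commit message (second section lacks "config").
broken_sample() {
cat <<'EOF'
config engine 'devcrypto'
        option enabled '1'
engine 'devcrypto'
        option enabled '1'
        option builtin '1'
EOF
}

# Constructed sample: one section carrying the builtin option, no duplicate.
fixed_sample() {
cat <<'EOF'
config engine 'devcrypto'
        option enabled '1'
        option builtin '1'
EOF
}

# Demo run; "|| :" keeps the script going after the expected failure.
broken_sample | uci_lint || :
fixed_sample | uci_lint && echo "fixed sample: ok"
```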
Kevin Darbyshire-Bryant
b99b89da52 netfilter: fix typo in kmod-nft-dup-inet
Fix typo of 'family' in a7e9445975

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 191742eb8d)
2023-06-08 15:33:14 +02:00
Philip Prindeville
ef1effdefc x86/64: Enable IOMMU_V2 support for later CPUs
Support newer IOMMU_V2 on AMD platforms, useful for DPDK and KVM.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit 1eb02ce325)
2023-06-08 15:33:14 +02:00
Marek Behún
76cabb95da kernel: Backport mvneta crash fix to 5.15
Backport Russell King's series [1]
  net: mvneta: reduce size of TSO header allocation
to pending-5.15 to fix random crashes on Turris Omnia.

This also backports two patches that are dependencies to this series:
  net: mvneta: Delete unused variable
  net: mvneta: fix potential double-frees in mvneta_txq_sw_deinit()

[1] https://lore.kernel.org/netdev/ZCsbJ4nG+So%2Fn9qY@shell.armlinux.org.uk/

Signed-off-by: Marek Behún <kabel@kernel.org>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (squashed)
(cherry picked from commit 7b31c2e9ed)
2023-06-08 15:33:14 +02:00
Christian Lamparter
47437563aa apm821xx: mx60: drop nand-is-boot-medium
It was reported that this flag caused the mx60
not to boot anymore.

Fixes: f095822699 ("apm821xx: convert legacy nand partition layou")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2023-06-08 15:33:14 +02:00
Yanase Yuki
0c15f45fa7 ipq40xx: convert Buffalo WTR-M2133HP to DSA
This commit converts WTR-M2133HP to DSA setup.

Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
(cherry picked from commit edb3a4162c)
2023-06-08 15:33:14 +02:00
Yanase Yuki
ea11b6ea03 ipq806x: use new package name for NEC WG2600HP3
commit 0c45ad41e1 changes ipq806x usb kmod name
from usb-phy-qcom-dwc3 to phy-qcom-ipq806x-usb, so
use new name.

Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
(cherry picked from commit 9314744350)
2023-06-08 15:33:14 +02:00
Tomasz Maciej Nowak
1e4f9db138 ubnt-ledbar: depend on mediatek and ramips subtargets
It's only used on devices in mt7621 and mt7622 subtargets, so no reason
to compile it for others.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit e81298463e)
2023-06-08 15:33:14 +02:00
Andreas Böhler
0c885c1542 ramips: tplink,mr600v2: fix image generation for sysupgrade image
The MR600v2 does not find its rootfs if it is neither directly after the
kernel nor aligned to an erase block boundary (64k).

This aligns the rootfs to 0x10000 allowing the device to boot again. Based
on investigation by forum user relghuar.

Signed-off-by: Andreas Böhler <dev@aboehler.at>
(cherry picked from commit 46b51e9e99)
2023-06-08 15:33:14 +02:00
Felix Fietkau
bb03069691 netifd: update to the latest version
ec9dba721245 system-linux: fix memory leak in system_bridge_vlan_check

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 20ce21866e)
2023-06-07 09:11:31 +02:00
Hauke Mehrtens
3bdefae5f8 netifd: Fix PKG_MIRROR_HASH
Fix the PKG_MIRROR_HASH value for netifd.

Fixes: d2ecaaca34 ("netifd: update to version 2023-05-31")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 21f713d5ab)
2023-06-07 09:10:51 +02:00
Petr Štetiar
42976b1c97 netifd: update to version 2023-05-31
Contains following changes:

 * bridge: bridge_dump_info: add dumping of bridge attributes
 * bridge: make it more clear why the config was applied
 * cmake: fix build by reordering the cflags definitions
 * treewide: fix multiple compiler warnings

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit d2ecaaca34)
2023-06-07 09:10:17 +02:00
Daniel Danzberger
b42ee4df5d ramips: fix lzma-loader for ASIARF boards
This fixes a well known "LZMA ERROR 1" error, reported previously on
numerous similar devices.

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
(cherry picked from commit 29a5cb7a8b)
2023-06-07 09:07:06 +02:00
Jeffery To
38f8f56c7a sdk: Expose CCACHE_DIR option
As the CCACHE option is already exposed, it would be helpful to also
make the ccache directory easily customizable.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 897691fdce)
2023-06-07 09:06:55 +02:00
Jeffery To
b059aaf039 build: export GIT_CEILING_DIRECTORIES for package builds
A package may run git as part of its build process, and if the package
source code is not from a git checkout, then git may traverse up the
directory tree to find buildroot's repository directory (.git).

For instance, Poetry Core, a Python build backend, will read the
contents of .gitignore for paths to exclude when creating a Python
package. If it finds buildroot's .gitignore file, then Poetry Core will
exclude all of the package's files[1].

This exports GIT_CEILING_DIRECTORIES for both package and host builds so
that git will not traverse beyond $(BUILD_DIR)/$(BUILD_DIR_HOST).

[1]: https://github.com/python-poetry/poetry/issues/5547

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit f597f34f3a)
2023-06-07 09:04:23 +02:00
Hauke Mehrtens
5db2d6d009 OpenWrt v23.05.0-rc1: revert to branch defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-06-07 01:06:59 +02:00
Hauke Mehrtens
f29f876bfa OpenWrt v23.05.0-rc1: adjust config defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-06-07 01:06:48 +02:00
John Audia
e2701e0f33 kernel: bump 5.15 to 5.15.114
All patches automatically rebased.

Build system: x86_64
Build-tested: bcm2711/RPi4B, ramips/tplink_archer-a6-v3, filogic/xiaomi_redmi-router-ax6000-ubootmod
Run-tested: bcm2711/RPi4B, ramips/tplink_archer-a6-v3, filogic/xiaomi_redmi-router-ax6000-ubootmod

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 223004b4d6)
2023-06-03 11:42:00 +02:00
Hauke Mehrtens
f949dd5c90 kernel: Set CONFIG_FRAME_WARN depending on target
This sets the CONFIG_FRAME_WARN option depending on some target settings.
It will use the default from the upstream kernel and not the hard coded
value of 1024 now.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 16a20512d8)
2023-06-02 21:18:41 +02:00
张 鹏
d4d94a1ff3 ipq40xx: e2600ac-c1 remove KERNEL_SIZE
Currently, e2600ac-c1 cannot be built as the kernel is larger than the defined KERNEL_SIZE,
however, there is no bootloader limit for the kernel size so remove KERNEL_SIZE completely.

Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ improve commit title, fix merge conflict ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit b764268acb)
2023-05-31 23:14:37 +02:00
张 鹏
dd97954772 ipq40xx: add e2600ac c2 to dsa
Convert E2600ac c2 to DSA and enable it.

Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ rename port to more generic name ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 0dca52cf59)
2023-05-31 23:14:32 +02:00
张 鹏
f2a13cf10e ipq40xx: add e2600ac c1 to dsa
Convert E2600ac c1 to DSA and enable it.

Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ rename port to more generic name ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 7f2ecab0f4)
2023-05-31 23:14:25 +02:00
Hauke Mehrtens
c734a399cc airoha: spi-en7523: Fix compile warning
The set_spi_clock_speed() function is not used, this causes a compile
warning which results in a build error with -WError.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2d5f3b3c4c)
2023-05-31 23:10:11 +02:00
Linhui Liu
65b5b72cb7 selinux-policy: update to 1.2.5
30d503a uci jsonfilter: pipe and leak
e13cb64 rpcd leds
144781f jsonfilter, luci, ubus
1210762 rpcd and all agents get fd's leaked
ab9227c rpcd
2f99e0e luci rpcd
b43aaf3 rpcd (enable/disable services) luci peeraddr
f20f03e rpcd
7bc74f6 rpcd reads all subj state and luci-bwc leaks
9634b17 adds inotify perms to anon_inode
3d3c17c adds bare anon_inode (linux 5.15)
7104b20 dnsmasq and luci
0de2c66 luci,rpcd, ucode, wpad
14f5cf9 luci and ucode
e3ce84c rpcd, ucode and cgiio loose ends
96a2401 misc updates
9fe0490 initscript: remove redundant rules
71bd77e allow all init scripts to log to logd
f697331 sandbox: make ttydev handling more robust
a471877 simplify pty tty console access
f738984 sandbox: also remove TIOSCTI from all ttydevs

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
(cherry picked from commit 4c5a9da869)
2023-05-31 23:10:06 +02:00
Tianling Shen
14cbf041ea ca-certificates: Update to version 20230311
Update the ca-certificates and ca-bundle package from version 20211016 to
version 20230311.

Use TAR_OPTIONS instead of hacking Build/Prepare, refresh patches.

Debian change-log entry [1]:
|[...]
|[ Đoàn Trần Công Danh ]
|* ca-certificates: compat with non-GNU mktemp (closes: #1000847)
|
|[ Ilya Lipnitskiy ]
|* certdata2pem.py: use UTC time when checking cert validity
|
|[ Julien Cristau ]
|* Update Mozilla certificate authority bundle to version 2.60
|   The following certificate authorities were added (+):
|   + "Autoridad de Certificacion Firmaprofesional CIF A62634068"
|   + "Certainly Root E1"
|   + "Certainly Root R1"
|   + "D-TRUST BR Root CA 1 2020"
|   + "D-TRUST EV Root CA 1 2020"
|   + "DigiCert TLS ECC P384 Root G5"
|   + "DigiCert TLS RSA4096 Root G5"
|   + "E-Tugra Global Root CA ECC v3"
|   + "E-Tugra Global Root CA RSA v3"
|   + "HARICA TLS ECC Root CA 2021"
|   + "HARICA TLS RSA Root CA 2021"
|   + "HiPKI Root CA - G1"
|   + "ISRG Root X2"
|   + "Security Communication ECC RootCA1"
|   + "Security Communication RootCA3"
|   + "Telia Root CA v2"
|   + "TunTrust Root CA"
|   + "vTrus ECC Root CA"
|   + "vTrus Root CA"
|  The following certificate authorities were removed (-):
|  - "Cybertrust Global Root" (expired)
|  - "EC-ACC"
|  - "GlobalSign Root CA - R2" (expired)
|  - "Hellenic Academic and Research Institutions RootCA 2011"
|  - "Network Solutions Certificate Authority"
|  - "Staat der Nederlanden EV Root CA" (expired)
|* Drop trailing space from debconf template causing misformatting
|  (closes: #980821)
|
|[ Wataru Ashihara ]
|* Make certdata2pem.py compatible with cryptography >= 35 (closes: #1008244)
|[...]

[1]: https://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/ca-certificates_20230311_changelog

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 7c83b6ac86)
2023-05-31 23:10:06 +02:00
Petr Štetiar
20295c071a pcre2: fix host compilation of libselinux by enabling PIC
libselinux-3.5 fails to compile in Fedora 38 container due to the
following:

 cc -O2 -I/openwrt/staging_dir/host/include -I/openwrt/staging_dir/hostpkg/include -I/openwrt/staging_dir/target-x86_64_musl/host/include -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -I/openwrt/staging_dir/hostpkg/include -L/openwrt/staging_dir/host/lib -L/openwrt/staging_dir/hostpkg/lib -L/openwrt/staging_dir/target-x86_64_musl/host/lib -Wl,-rpath=/openwrt/staging_dir/hostpkg/lib -shared -o libselinux.so.1 avc.lo avc_internal.lo avc_sidtab.lo booleans.lo callbacks.lo canonicalize_context.lo checkAccess.lo check_context.lo checkreqprot.lo compute_av.lo compute_create.lo compute_member.lo compute_relabel.lo compute_user.lo context.lo deny_unknown.lo disable.lo enabled.lo fgetfilecon.lo freecon.lo freeconary.lo fsetfilecon.lo get_context_list.lo get_default_type.lo get_initial_context.lo getenforce.lo getfilecon.lo getpeercon.lo init.lo is_customizable_type.lo label.lo label_db.lo label_file.lo label_media.lo label_support.lo label_x.lo lgetfilecon.lo load_policy.lo lsetfilecon.lo mapping.lo matchmediacon.lo matchpathcon.lo policyvers.lo procattr.lo query_user_context.lo regex.lo reject_unknown.lo selinux_check_securetty_context.lo selinux_config.lo selinux_internal.lo selinux_restorecon.lo sestatus.lo setenforce.lo setexecfilecon.lo setfilecon.lo setrans_client.lo seusers.lo sha1.lo stringrep.lo validatetrans.lo -L/openwrt/staging_dir/hostpkg/lib -lpcre2-8 -lfts -ldl -Wl,-soname,libselinux.so.1,--version-script=libselinux.map,-z,defs,-z,relro
 /usr/bin/ld: /openwrt/staging_dir/hostpkg/lib/libpcre2-8.a(pcre2_compile.c.o): relocation R_X86_64_32S against symbol `_pcre2_ucd_stage1_8' can not be used when making a shared object; recompile with -fPIC
 /usr/bin/ld: failed to set dynamic section sizes: bad value

So let's fix it by enabling build of host static library with the
position independent code option enabled.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 12494f5b8a)
2023-05-31 23:10:06 +02:00
Michał Kwiatek
9c45c58c7c netfilter: add kmod-nft-dup-inet
Add kmod-nft-dup-inet package to allow packet duplication in ip/ip6/inet nftables family

Signed-off-by: Michał Kwiatek <michal@kwiatek.it>
(cherry picked from commit a7e9445975)
2023-05-31 23:07:55 +02:00