ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-01-27 22:59:53 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity
54,772 Commits 9 Branches 78 Tags 924 MiB
Commit Graph

19459 Commits

Author SHA1 Message Date
Christian Marangi
ebb3faf31f
procd: make mDNS TXT record parsing more solid 
mDNS broadcast can't accept empty TXT record and would fail
registration.

Current procd_add_mdns_service checks only if the first passed arg is
empty but don't make any verification on the other args permittins
insertion of empty values in TXT record.

Example:

	procd_add_mdns "blah" \
				"tcp" "50" \
				"1" \
				"" \
				"3"

Produce:

{ "blah_50": { "service": "_blah._tcp.local", "port": 50, "txt": [ "1", "", "3" ] } }

The middle empty TXT record should never be included as it's empty.

This can happen with scripts that make fragile parsing and include
variables even if they are empty.

Prevent this and make the TXT record more solid by checking every
provided TXT record and include only the non-empty ones.

The fixed JSON is the following:

{ "blah_50": { "service": "_blah._tcp.local", "port": 50, "txt": [ "1", "3" ] } }

Fixes: b0d9dcf84dd0 ("procd: update to latest git HEAD")
Reported-by: Paul Donald <newtwen@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15331
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 4b043047132de0b3d90619d538f103af6153fa5a)
 2024-04-29 23:30:57 +02:00
Yuu Toriyama
fef1a52bd6 wireless-regdb: update to 2024.01.23 
The maintainer and repository of wireless-regdb has changed.
    https://lore.kernel.org/all/CAGb2v657baNMPKU3QADijx7hZa=GUcSv2LEDdn6N=QQaFX8r-g@mail.gmail.com/

Changes:
    37dcea0 wireless-regdb: Update keys and maintainer information
    9e0aee6 wireless-regdb: Makefile: Reproducible signatures
    8c784a1 wireless-regdb: Update regulatory rules for China (CN)
    149c709 wireless-regdb: Update regulatory rules for Japan (JP) for December 2023
    bd69898 wireless-regdb: Update regulatory rules for Singapore (SG) for September 2023
    d695bf2 wireless-regdb: Update and disable 5470-5730MHz band according to TPC requirement for Singapore (SG)
    4541300 wireless-regdb: update regulatory database based on preceding changes

Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit b463737826eaa6c519eba93e13757a0cd3e09d47)
 2024-04-21 19:25:07 +02:00
Hauke Mehrtens
06ea586508 mac80211: Update to 5.15.153-1 
Update mac80211 to version based on kernel 5.15.153.
This contains multiple bugfixes.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
 2024-04-21 17:29:57 +02:00
John Audia
d7e5cab026 kernel: Remove dsmark support 
dsmark support was removed in kernel 5.15.150 and 6.1.80. Remove it from
the kmod package as well

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit bd6b37f463d0530b887e052860207448c82d6ee2)
 2024-03-07 20:45:49 +01:00
Hauke Mehrtens
4432454037 wifi-scripts: Support HE Iftypes with multiple entries 
With mac80211_hwsim I have seen such entries in OpenWrt 22.03:
    HE Iftypes: managed, AP
The mac80211.sh script did not detect the entry and failed. Allow
arbitrary other entries before to fix this problem.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5df7a78e821cbdcc3beb80150798712a4c00b00e)
 2024-02-22 22:21:39 +01:00
Hauke Mehrtens
721f02683e mac80211: Add DRIVER_11AX_SUPPORT dependency to mac80211-hwsim and iwlwifi 
The mac80211-hwsim and the Intel iwlwifi driver support ieee80211ax, add
the missing DRIVER_11AX_SUPPORT dependency too.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 576b62712fa7552f4fa30b67b47004745fee5287)
 2024-02-22 22:21:39 +01:00
Hauke Mehrtens
987275f565 hostapd: backport fix for CVE-2023-52160 
Fix a authentication bypass problem in WPA Enterprise client mode. See
here for details: https://www.top10vpn.com/research/wifi-vulnerabilities/
This problem was assigned CVE-2023-52160

This problem was fixed in upstream hostapd in June 2023. Hostapd used in
OpenWrt 23.05 and later already contains this fix..

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
 2024-02-22 21:50:16 +01:00
Hauke Mehrtens
2c67fff961 mac80211: Update to version 5.15.148-1 
This update mac80211 to version 5.15.148-1. This includes multiple
bugfixes. Some of these bugfixes are fixing security relevant bugs.

The following patch was integrated into upstream Linux:
package/kernel/mac80211/patches/subsys/352-wifi-mac80211-fix-invalid-drv_sta_pre_rcu_remove-cal.patch

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
 2024-02-01 21:53:12 +01:00
orangepizza
7f64f5b11a
mbedtls: security bump to version 2.28.7 
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for following security issues:

* Timing side channel in private key RSA operations (CVE-2024-23170)

  Mbed TLS is vulnerable to a timing side channel in private key RSA
  operations. This side channel could be sufficient for an attacker to
  recover the plaintext. A local attacker or a remote attacker who is
  close to the victim on the network might have precise enough timing
  measurements to exploit this. It requires the attacker to send a large
  number of messages for decryption.

* Buffer overflow in mbedtls_x509_set_extension() (CVE-2024-23775)

  When writing x509 extensions we failed to validate inputs passed in to
  mbedtls_x509_set_extension(), which could result in an integer overflow,
  causing a zero-length buffer to be allocated to hold the extension. The
  extension would then be copied into the buffer, causing a heap buffer
  overflow.

Fixes: CVE-2024-23170, CVE-2024-23775
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
Signed-off-by: orangepizza <tjtncks@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [formal fixes]
(cherry picked from commit 920414ca8848fe1b430e436207b4f8c927819368)
(cherry picked from commit b5c728948c976f0614c85aa5418af3a44424b511)
 2024-01-29 09:45:00 +00:00
Jo-Philipp Wich
78d9e4c56f jsonfilter: update to Git HEAD (2024-01-23) 
013b75ab0598 jsonfilter: drop legacy json-c support
594cfa86469c main: fix spurious premature parse aborts in array mode

Fixes: https://bugs.openwrt.org/?task_id=3683
Fixes: https://github.com/openwrt/openwrt/issues/8703
Fixes: https://github.com/openwrt/openwrt/issues/11649
Fixes: https://github.com/openwrt/openwrt/issues/12344
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 33f15dd6d41873b02eb8895b8886763659f1390c)
 2024-01-23 09:10:03 +01:00
Christian Marangi
05f74354bd
lua5.3: fix typo calling lua53 instead of lua5.3 for Package Default 
Fix typo calling lua53 instead of lua5.3 for Package Default definition.

This cause only missing description of the package and doesn't cause
any build regression.

Fixes: c52ca08d4008 ("lua5.3: build shared library")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 25e215c14ee6c9f3d54cd1da46a48d9ffe6b254e)
[ fix conflict with changed URL value ]
 2023-12-10 11:48:11 +01:00
Hauke Mehrtens
1f7ca927b7 OpenWrt v22.03.6: revert to branch defaults 
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
 2023-12-03 20:02:26 +01:00
Hauke Mehrtens
f372b715d4 OpenWrt v22.03.6: adjust config defaults 
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
 2023-12-03 20:02:20 +01:00
Alexey Bartenev
e7b3414fd5 ramips: add support for SNR-CPE-W4N-MT router 
General specification:
- SoC Type: MediaTek MT7620N (580MHz)
- ROM: 8 MB SPI-NOR (W25Q64FV)
- RAM: 64 MB DDR (M13S5121632A)
- Switch: MediaTek MT7530
- Ethernet: 5 ports - 5×100MbE (WAN, LAN1-4)
- Wireless 2.4 GHz: b/g/n
- Buttons: 1 button (RESET)
- Bootloader: U-Boot 1.1.3, MediaTek U-Boot: 5.0.0.5
- Power: 12 VDC, 1.0 A

Flash by the native uploader in 2 stages:
1. Use the native uploader to flash an initramfs image. Choose
 openwrt-ramips-mt7620-snr_cpe-w4n-mt-initramfs-kernel.bin file by
 "Administration/Management/Firmware update/Choose File" in vendor's
 web interface (ip: 192.168.1.10, login: Admin, password: Admin).
 Wait ~160 seconds.
2. Flash a sysupgrade image via the initramfs image. Choose
 openwrt-ramips-mt7620-snr_cpe-w4n-mt-squashfs-sysupgrade.bin
 file by "System/Backup/Flash Firmware/Flash image..." in
 LuCI web interface (ip: 192.168.1.1, login: root, no password).
 Wait ~240 seconds.

Flash by U-Boot TFTP method:
1. Configure your PC with IP 192.168.1.131
2. Set up TFTP server and put the
 openwrt-ramips-mt7620-snr_cpe-w4n-mt-squashfs-sysupgrade.bin
 image on your PC
3. Connect serial port (57600 8N1) and turn on the router.
 Then interrupt "U-Boot Boot Menu" by hitting 2 key (select "2:
 Load system code then write to Flash via TFTP.").
Press Y key when show "Warning!! Erase Linux in Flash then burn
 new one. Are you sure? (Y/N)"
Input device IP (192.168.1.1) ==:192.168.1.1
Input server IP (192.168.1.131) ==:192.168.1.131
Input Linux Kernel filename () ==:
openwrt-ramips-mt7620-snr_cpe-w4n-mt-squashfs-sysupgrade.bin
3. Wait ~120 seconds to complete flashing

Signed-off-by: Alexey Bartenev <41exey@proton.me>
(cherry picked from commit 7796c2d7ef5ff465c8c75ee294b0b5fb3165f4b9)
[Fix merging conflict]
Signed-off-by: Alexey Bartenev <41exey@proton.me>
 2023-11-21 00:43:17 +01:00
Nick Hainke
545807ddff wolfssl: update to 5.6.4 
Releae Notes:
https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.4-stable

Remove upstreamed patch:
- 001-fix-detection-of-cut-tool-in-configure.ac.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit d83231603c60a1df7d0530c8766f0b71c6553b44)
 2023-11-19 14:58:44 +01:00
Hauke Mehrtens
0c7c87a306 urngd: update to version 2023-11-01 
Fix compilation with glibc

44365eb Deactivate _FORTIFY_SOURCE in jitterentropy-base.c

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d62726b1e44f785d543e4625b19ca1f628adda6c)
 2023-11-19 14:58:44 +01:00
Hauke Mehrtens
72d940d811 mbedtls: Update to version 2.28.5 
This fixes some minor security problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.5

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
[Removed 100-x509-crt-verify-SAN-iPAddress.patch for 22.03]
(cherry picked from commit 9e1c5ad4b0c99c45927ccd44504cd8fdbbd03bb0)
 2023-11-19 14:58:44 +01:00
Hauke Mehrtens
3af93be5a1 bsdiff: Add patches for CVEs 
Add two patches from Debian fixing CVEs in the bsdiff application.
CVE-2014-9862: Heap vulnerability in bspatch
CVE-2020-14315: Memory Corruption Vulnerability in bspatch

Copied the patches from this location:
https://salsa.debian.org/debian/bsdiff/-/blob/debian/latest/debian/patches/20-CVE-2014-9862.patch
https://salsa.debian.org/debian/bsdiff/-/blob/debian/latest/debian/patches/33-CVE-2020-14315.patch

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit cac723e8b8748938b8d80603578c60189fc32b24)
 2023-11-19 14:58:44 +01:00
Yuu Toriyama
b87913e21d wireless-regdb: update to 2023.09.01 
Changes:
    9dc0800 wireless-regdb: Update regulatory rules for Philippines (PH)
    111ba89 wireless-regdb: Update regulatory rules for Egypt (EG) from March 2022 guidelines
    ae1421f wireless-regdb: Update regulatory info for Türkiye (TR)
    20e5b73 wireless-regdb: Update regulatory rules for Australia (AU) for June 2023
    991b1ef wireless-regdb: update regulatory database based on preceding changes

Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit 0e13363de6879a1a8b7d4d2739c92122f2df693e)
 2023-11-19 14:58:44 +01:00
Christian Marangi
fcdecb5ba4
hostapd: permit also channel 7 for 2.5GHz to be set to HT40PLUS 
Also channel 7 for 2.4GHz can be set to HT40PLUS. Permit this and add it
to the list of the channels.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit b1c7b1bd67ca40289dfb7acd03e12ce43618d548)
[ rework for openwrt-22.03 ]
 2023-11-09 16:20:43 +01:00
Christian Marangi
64907f3c34
hostapd: fix broke noscan option for mesh 
noscan option for mesh was broken and actually never applied.

This is caused by a typo where ssid->noscan value is check instead of
conf->noscan resulting in the logic swapped and broken.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 1b5ea2e199fcf391f88afd0322de449459399be4)
[ rework for openwrt-22.03 ]
 2023-11-09 16:18:58 +01:00
Christian Marangi
6e77f51b3a
mac80211: fix not set noscan option for wpa_supplicant 
noscan option was changed to hostapd_noscan but the entry in
wpa_supplicant was never updated resulting in the noscan option actually
never set.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 1070fbce6e496da2dacf17c6e842a4369c4be71b)
[ rework for openwrt-22.03 ]
 2023-11-09 16:15:51 +01:00
Josef Schlehofer
f6fa7b5d43 openssl: update to version 1.1.1w 
Fixes CVE:
CVE-2023-4807 [1]

[1]  https://mta.openssl.org/pipermail/openssl-announce/2023-September/000273.html

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
 2023-09-29 11:56:24 +02:00
Hauke Mehrtens
0a1dc007e4
treewide: Add extra CPE identifier 
This adds some Common Platform Enumerations (CPE) identifiers which I
found.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
 2023-09-27 22:33:09 +02:00
Alexander Couzens
3a7143fc5a packages: assign PKG_CPE_ID for all missing packages 
The PKG_CPE_ID links to NIST CPE version 2.2.
Assign PKG_CPE_ID to all remaining package which have a CPE ID.
Not every package has CPE id.

Related: https://github.com/openwrt/packages/issues/8534
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
 2023-09-27 17:29:14 +02:00
Felix Fietkau
8da4e8fb56 mt76: update to the latest version from the 22.03 branch 
bdf8ea717007 mt76: mt7921: don't assume adequate headroom for SDIO headers

Signed-off-by: Felix Fietkau <nbd@nbd.name>
 2023-09-12 09:16:42 +02:00
Rafał Miłecki
aeb1221784 urngd: update to the latest master 
7aefb47 jitterentropy-rngd: update to the v1.2.0

What's interesting about jitterentropy-rngd v1.2.0 release is that it
bumps its copy of jitterentropy-library from v2.2.0 to the v3.0.0. That
bump includes a relevant commit 3130cd9 ("replace LSFR with SHA-3 256").

When initializing entropy jent calculates time delta. Time values are
obtained using clock_gettime() + CLOCK_REALTIME. There is no guarantee
from CLOCK_REALTIME of unique values and slow devices often return
duplicated ones.

A switch from jent_lfsr_time() to jent_hash_time() resulted in many less
cases of zero delta and avoids ECOARSETIME.

Long story short: on some system this fixes:
[    6.722725] urngd: jent-rng init failed, err: 2

This is important change for BCM53573 which doesn't include hwrng and
seems to have arch_timer running at 36,8 Hz.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit c74b5e09e692839b39c8325b5f8dc5f2a3b3896c)
 2023-08-28 16:36:08 +02:00
Rafał Miłecki
687004139b uboot-bcm4908: update to the latest generic 
4435700d18 Remove redundant YYLOC global declaration

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 57a8ea6d749e5fe0e00673cc77b5f2c17b792650)
 2023-08-28 16:36:00 +02:00
Felix Fietkau
76b1e564d2 mt76: update to the latest version from the 22.03 branch 
94eb0bc1374d wifi: mt76: testmode: use random payload for tx packets
f8ece810002b wifi: mt76: add rx_check callback for usb devices
67fbdb7bed90 wifi: mt76: mt7921e: fix race issue between reset and suspend/resume
a9b09dd2715f wifi: mt76: mt7921s: fix race issue between reset and suspend/resume
ee3eb0d6d52e wifi: mt76: mt7921u: fix race issue between reset and suspend/resume
9706ccef5447 wifi: mt76: mt7921u: remove unnecessary MT76_STATE_SUSPEND
74a29eb4f714 wifi: mt76: mt7921: move mt7921_rx_check and mt7921_queue_rx_skb in mac.c
f49e06c4cfce wifi: mt76: sdio: fix the deadlock caused by sdio->stat_work
322656141fa4 wifi: mt76: sdio: poll sta stat when device transmits data
dee0a3cbfb03 wifi: mt76: mt7915: fix an uninitialized variable bug
9dd7be2c5164 wifi: mt76: mt7921: fix use after free in mt7921_acpi_read()
0ad02c9a4512 wifi: mt76: sdio: add rx_check callback for sdio devices
fe85e5ccbaca wifi: mt76: sdio: fix transmitting packet hangs
206c7ebd7464 wifi: mt76: mt7615: add mt7615_mutex_acquire/release in mt7615_sta_set_decap_offload
bf79f5d73e4f wifi: mt76: mt7915: fix possible unaligned access in mt7915_mac_add_twt_setup
c4132ab0bea2 wifi: mt76: connac: fix possible unaligned access in mt76_connac_mcu_add_nested_tlv
52eec74986cf wifi: mt76: mt7663s: add rx_check callback
019ef069e754 wifi: mt76: mt76_usb.mt76u_mcu.burst is always false remove related code
0a392ca03db8 wifi: mt76: mt7921: add mt7921_mutex_acquire at mt7921_[start, stop]_ap
fbb3554b6236 wifi: mt76: mt7921: add mt7921_mutex_acquire at mt7921_sta_set_decap_offload
b55a4eb2ee21 wifi: mt76: mt7921: fix the firmware version report
2d72c9a74011 wifi: mt76: move move mt76_sta_stats to mt76_wcid
873365b06c5c wifi: mt76: add PPDU based TxS support for WED device
0c64a80a61c2 wifi: mt76: connac: fix in comment
d11f971a452e wifi: mt76: mt7921: get rid of the false positive reset
2ac22300c7ac wifi: mt76: mt7915: fix mcs value in ht mode
5e45533e4ba2 wifi: mt76: fix uninitialized pointer in mt7921_mac_fill_rx
e06376af21dd wifi: mt76: mt7915: do not check state before configuring implicit beamform
0c0bda4aea05 wifi: mt76: mt7921: reset msta->airtime_ac while clearing up hw value
cddc4b43ea93 wifi: mt76: mt7921e: fix rmmod crash in driver reload test
ebbd68842ee0 wifi: mt76: mt7921: introduce Country Location Control support
763a1d90133b wifi: mt76: mt7921e: fix random fw download fail
e4fa68a9b3b3 linux-firmware: update firmware for MT7921 WiFi device
60fcf08fe659 linux-firmware: update firmware for MT7921 WiFi device
9d601f4eee8f linux-firmware: update firmware for MT7922 WiFi device
e49b6063fb4b wifi: mt76: move mt76_rate_power from core to mt76x02 driver code
3f27f6adb1ab wifi: mt76: mt76x02: simplify struct mt76x02_rate_power
c07f3d2d5ede wifi: mt76: mt7921: fix antenna signal are way off in monitor mode
9059a5de3bd0 wifi: mt76: Remove unused inline function mt76_wcid_mask_test()
d75f15ddeb90 wifi: mt76: mt7915: fix bounds checking for tx-free-done command
06df7e689294 wifi: mt76: mt7915: reserve 8 bits for the index of rf registers
ad3d0f8db00b wifi: mt76: mt7915: rework eeprom tx paths and streams init
66065073177b wifi: mt76: mt7915: deal with special variant of mt7916
b0114a0abb57 wifi: mt76: mt7915: rework testmode tx antenna setting
6dee964e1f36 wifi: mt76: connac: introduce mt76_connac_spe_idx()
48c116d92939 wifi: mt76: mt7915: add spatial extension index support
db6db4ded0fd wifi: mt76: mt7915: set correct antenna for radar detection on MT7915D
2b8f56a72d76 wifi: mt76: mt7915: fix mt7915_mac_set_timing()
d554a02554db wifi: mt76: mt7915: move wed init routines in mmio.c
676b10bb203f mt76: mt76x02: fix vht rate power array overrun
7df5b4514721 Revert "mt76: use IEEE80211_OFFLOAD_ENCAP_ENABLED instead of MT_DRV_AMSDU_OFFLOAD"
1b80532eb55f wifi: mt76: mt7921: set MT_DRV_AMSDU_OFFLOAD for USB/SDIO
843955920e19 wifi: mt76: fix receiving LLC packets on mt7615/mt7915
148b7fa2329d wifi: mt76: fix rx checksum offload on mt7615/mt7915/mt7921
9dda9f709c7b wifi: mt76: mt7603: fix beacon interval after disabling a single vif
2cbd5df8cfd8 wifi: mt76: mt7603: fix tx filter/flush function
780ea78ba0ca wifi: mt76: mt7603: rework/fix rx pse hang check
283c46fd1d4f wifi: mt76: mt7603: improve watchdog reset reliablity
aa309b5c2a0a wifi: mt76: mt7603: improve stuck beacon handling
eb57b7e35f9b wifi: mt76: mt7603: add missing register initialization for MT7628
11f2efecb141 wifi: mt76: mt7603: disable A-MSDU tx support on MT7628
b144bd200519 ieee80211: add EHT 1K aggregation definitions
f27ff9a8fb63 mt76: adjust for ieee80211_is_bufferable_mmpdu API change
de38fe7d4cb3 wifi: mt76: ignore key disable commands

Signed-off-by: Felix Fietkau <nbd@nbd.name>
 2023-08-26 15:59:52 +02:00
Hauke Mehrtens
de29f15af1 openssl: bump to 1.1.1v 
Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023]

    o Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
    o Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
 2023-08-12 11:46:51 +02:00
Hauke Mehrtens
8c7b03a2e1 firmware: intel-microcode: update to 20230808 
Debian changelog:

intel-microcode (3.20230808.1) unstable; urgency=high

  * New upstream microcode datafile 20230808 (closes: #1043305)
    Mitigations for "Downfall" INTEL-SA-00828 (CVE-2022-40982),
    INTEL-SA-00836 (CVE-2023-23908) and INTEL-SA-00837 (CVE-2022-41804)
    * Updated microcodes:
      sig 0x00050653, pf_mask 0x97, 2023-03-23, rev 0x1000181, size 36864
      sig 0x00050654, pf_mask 0xb7, 2023-03-06, rev 0x2007006, size 44032
      sig 0x00050656, pf_mask 0xbf, 2023-03-17, rev 0x4003604, size 38912
      sig 0x00050657, pf_mask 0xbf, 2023-03-17, rev 0x5003604, size 38912
      sig 0x0005065b, pf_mask 0xbf, 2023-03-21, rev 0x7002703, size 30720
      sig 0x000606a6, pf_mask 0x87, 2023-03-30, rev 0xd0003a5, size 297984
      sig 0x000706e5, pf_mask 0x80, 2023-02-26, rev 0x00bc, size 113664
      sig 0x000806c1, pf_mask 0x80, 2023-02-27, rev 0x00ac, size 111616
      sig 0x000806c2, pf_mask 0xc2, 2023-02-27, rev 0x002c, size 98304
      sig 0x000806d1, pf_mask 0xc2, 2023-02-27, rev 0x0046, size 103424
      sig 0x000806e9, pf_mask 0xc0, 2023-02-22, rev 0x00f4, size 106496
      sig 0x000806e9, pf_mask 0x10, 2023-02-23, rev 0x00f4, size 105472
      sig 0x000806ea, pf_mask 0xc0, 2023-02-23, rev 0x00f4, size 105472
      sig 0x000806eb, pf_mask 0xd0, 2023-02-23, rev 0x00f4, size 106496
      sig 0x000806ec, pf_mask 0x94, 2023-02-26, rev 0x00f8, size 106496
      sig 0x000806f8, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1, size 572416
      sig 0x000806f7, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1
      sig 0x000806f6, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1
      sig 0x000806f5, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1
      sig 0x000806f4, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1
      sig 0x000806f8, pf_mask 0x10, 2023-05-15, rev 0x2c000271, size 605184
      sig 0x000806f6, pf_mask 0x10, 2023-05-15, rev 0x2c000271
      sig 0x000806f5, pf_mask 0x10, 2023-05-15, rev 0x2c000271
      sig 0x000806f4, pf_mask 0x10, 2023-05-15, rev 0x2c000271
      sig 0x00090672, pf_mask 0x07, 2023-04-18, rev 0x002e, size 220160
      sig 0x00090675, pf_mask 0x07, 2023-04-18, rev 0x002e
      sig 0x000b06f2, pf_mask 0x07, 2023-04-18, rev 0x002e
      sig 0x000b06f5, pf_mask 0x07, 2023-04-18, rev 0x002e
      sig 0x000906a3, pf_mask 0x80, 2023-04-18, rev 0x042c, size 219136
      sig 0x000906a4, pf_mask 0x80, 2023-04-18, rev 0x042c
      sig 0x000906e9, pf_mask 0x2a, 2023-02-23, rev 0x00f4, size 108544
      sig 0x000906ea, pf_mask 0x22, 2023-02-23, rev 0x00f4, size 104448
      sig 0x000906eb, pf_mask 0x02, 2023-02-23, rev 0x00f4, size 106496
      sig 0x000906ec, pf_mask 0x22, 2023-02-23, rev 0x00f4, size 105472
      sig 0x000906ed, pf_mask 0x22, 2023-02-27, rev 0x00fa, size 106496
      sig 0x000a0652, pf_mask 0x20, 2023-02-23, rev 0x00f8, size 97280
      sig 0x000a0653, pf_mask 0x22, 2023-02-23, rev 0x00f8, size 97280
      sig 0x000a0655, pf_mask 0x22, 2023-02-23, rev 0x00f8, size 97280
      sig 0x000a0660, pf_mask 0x80, 2023-02-23, rev 0x00f8, size 97280
      sig 0x000a0661, pf_mask 0x80, 2023-02-23, rev 0x00f8, size 96256
      sig 0x000a0671, pf_mask 0x02, 2023-02-26, rev 0x0059, size 104448
      sig 0x000b0671, pf_mask 0x32, 2023-06-06, rev 0x0119, size 210944
      sig 0x000b06a2, pf_mask 0xe0, 2023-06-06, rev 0x4119, size 216064
      sig 0x000b06a3, pf_mask 0xe0, 2023-06-06, rev 0x4119
      sig 0x000b06e0, pf_mask 0x11, 2023-04-12, rev 0x0011, size 136192
  * source: update symlinks to reflect id of the latest release, 20230808

intel-microcode (3.20230512.1) unstable; urgency=medium

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit ced285487144e1138e3d2b986b3e070a9b4fd412)
 2023-08-12 11:46:51 +02:00
Hauke Mehrtens
08a78203a8 linux-firmware: update to 20230804 
7be2766 (tag: 20230804) Merge branch 'rb3-update' of https://github.com/lumag/linux-firmware
66c1db8 Merge https://github.com/pkshih/linux-firmware
5046942 Mellanox: Add new mlxsw_spectrum firmware xx.2012.1012
5c7b67f linux-firmware: Add URL for latest FW binaries for NXP BT chipsets
29f185d rtw89: 8851b: update firmware to v0.29.41.1
742bf57 qcom: sdm845: add RB3 sensors DSP firmware
253cc17 amdgpu: Update DMCUB for DCN314 & Yellow Carp
07f05b0 Merge branch 'dmc-adlp_2.20-mtl_2.13' of git://anongit.freedesktop.org/drm/drm-firmware
5a251ed Merge branch 'for-upstream' of https://github.com/CirrusLogic/linux-firmware
6c8ce49 ice: add LAG-supporting DDP package
fd6e13c i915: Update MTL DMC to v2.13
41e615c i915: Update ADLP DMC to v2.20
c8424cf cirrus: Add CS35L41 firmware for Dell Oasis Models
b6ea35f copy-firmware: Fix linking directories when using compression
0a51959 copy-firmware: Fix test: unexpected operator
b602d43 qcom: sc8280xp: LENOVO: remove directory sym link
e0bad5e qcom: sc8280xp: LENOVO: Remove execute bits
59fbffa amdgpu: update VCN 4.0.0 firmware
22fb12f amdgpu: add initial SMU 13.0.10 firmware
b3f512f amdgpu: add initial SDMA 6.0.3 firmware
b1a7d76 amdgpu: add initial PSP 13.0.10 firmware
d6d655a amdgpu: add initial GC 11.0.3 firmware
c782458 Merge branch 'v2.0.21961' of https://github.com/yunfei-mtk/linux_fw_10bit
ca9086f Merge branch 'dg2_mtl_guc_70.8' of git://anongit.freedesktop.org/drm/drm-firmware
0bc3126 linux-firmware: Update AMD fam17h cpu microcode
b250b32 linux-firmware: Update AMD cpu microcode
9dfcace amdgpu: update green sardine VCN firmware
b519832 amdgpu: update renoir VCN firmware
5f569aa amdgpu: update raven VCN firmware
868bb36 amdgpu: update raven2 VCN firmware
6fa9a17 amdgpu: update Picasso VCN firmware
cd52460 amdgpu: update DMCUB to v0.0.175.0 for various AMDGPU ASICs
4ef7581 Updated NXP SR150 UWB firmware
2514504 Merge branch 'for-upstream' of https://github.com/CirrusLogic/linux-firmware
45f5ebf wfx: update to firmware 3.16.1
f41d890 mediatek: Update mt8195 SCP firmware to support 10bit mode
6f3a37f i915: update DG2 GuC to v70.8.0
0ee23bd i915: update to GuC 70.8.0 and HuC 8.5.1 for MTL
1a76e8b cirrus: Add CS35L41 firmware for ASUS ROG 2023 Models
d3f6606 Partially revert "amdgpu: DMCUB updates for DCN 3.1.4 and 3.1.5"
8917650 linux-firmware: update firmware for mediatek bluetooth chip (MT7922)
7d9af09 linux-firmware: update firmware for MT7922 WiFi device
0bab5df Merge tag 'iwlwifi-fw-2023-06-29' of http://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/linux-firmware
3ec3817 linux-firmware: Update firmware file for Intel Bluetooth AX203
7db3ef9 linux-firmware: Update firmware file for Intel Bluetooth AX203
5684048 linux-firmware: Update firmware file for Intel Bluetooth AX211
3f7a24e linux-firmware: Update firmware file for Intel Bluetooth AX211
eb2c745 linux-firmware: Update firmware file for Intel Bluetooth AX210
4a3ff0a linux-firmware: Update firmware file for Intel Bluetooth AX200
1d1bad4 linux-firmware: Update firmware file for Intel Bluetooth AX201
db39dff Fix qcom ASoC tglp WHENCE entry
a687f89 Merge branch 'sc8280xp-audio-fw' of git://git.kernel.org/pub/scm/linux/kernel/git/srini/linux-firmware
9e0343c check_whence: Check link targets are valid
b255f5b iwlwifi: add new FWs from core80-39 release
fa5d30b iwlwifi: update cc/Qu/QuZ firmwares for core80-39 release
f9a35b3 qcom: Add Audio firmware for SC8280XP X13s

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit bfbb5ccf7a55ed2cc574405f7f83da5e48811401)
 2023-08-12 11:46:51 +02:00
John Audia
68c6608c2d linux-firmware: update to 20230625 
Change from git log --oneline:

ee91452d (tag: 20230625) Makefile, copy-firmware: support xz/zstd compressed firmware
ad2ce8be copy-firmware: silence the last shellcheck warnings
67bf50e7 copy-firmware: drop obsolete backticks, quote
77f31a80 copy-firmware: tweak sed invocation
40fa2b20 copy-firmware: quote deskdir and dirname
77f92e0b check_whence: error if symlinks are in-tree
f2671b1f check_whence: error if File: is actually a link
4b539e7a check_whence: strip quotation marks
32693d3b linux-firmware: wilc1000: update WILC1000 firmware to v16.0
109b23c5 ice: update ice DDP wireless_edge package to 1.3.10.0
ade163aa amdgpu: DMCUB updates for DCN 3.1.4 and 3.1.5
045b2136 amdgpu: update DMCUB to v0.0.172.0 for various AMDGPU ASICs
5a1842ce Merge branch 'rb3-update' of https://github.com/lumag/linux-firmware
2f81bd9f fix broken cirrus firmware symlinks
01a7a844 qcom: Update the microcode files for Adreno a630 GPUs.
94120467 qcom: sdm845: rename the modem firmware
1c599488 qcom: sdm845: update remoteproc firmware
1cd1c871 rtl_bt: Update RTL8852A BT USB firmware to 0xDAC7_480D
55e74485 rtl_bt: Update RTL8852C BT USB firmware to 0x040D_7225
9dbd8ec2 amdgpu: DMCUB updates for various AMDGPU asics
9a47adc7 Merge branch 'mtl_huc_v8.5.0' of git://anongit.freedesktop.org/drm/drm-firmware
eb3ae841 linux-firmware: update firmware for MT7922 WiFi device
5ce06b9e linux-firmware: update firmware for MT7921 WiFi device
2c50361c linux-firmware: update firmware for mediatek bluetooth chip (MT7922)
185f49df linux-firmware: update firmware for mediatek bluetooth chip (MT7921)
05f94af7 Merge branch 'v2.0.21478' of https://github.com/yunfei-mtk/linux_fw_scp
5de33fb4 i915: Add HuC v8.5.0 for MTL
795aea91 mediatek: Update mt8195 SCP firmware to support hevc
fc90c59b Merge branch 'db410c' of https://github.com/lumag/linux-firmware
9d4c9a52 qcom: apq8016: add Dragonboard 410c WiFi and modem firmware
1f9667eb Merge branch 'for-upstream' of http://git.chelsio.net/pub/git/linux-firmware
b544e2b0 Merge branch 'for-upstream' of https://github.com/CirrusLogic/linux-firmware
244d6b5c cirrus: Add firmware for new Asus ROG Laptops
d11ae984 brcm: Add symlinks from Pine64 devices to AW-CM256SM.txt
1c513ec7 amdgpu: Update GC 11.0.1 and 11.0.4
8449fcd0 Merge https://github.com/pkshih/linux-firmware
c10facaf rtw89: 8851b: add firmware v0.29.41.0
1ba3519e Merge branch 'dev-queue' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/firmware
2e775450 amdgpu: update yellow carp firmware for amd.5.5 release
5eccb3c1 amdgpu: update navi14 firmware for amd.5.5 release
c70d3c3b amdgpu: update navi12 firmware for amd.5.5 release
0e4f17cc amdgpu: update vega20 firmware for amd.5.5 release
413348f3 amdgpu: update vega12 firmware for amd.5.5 release
c167587d amdgpu: update navi10 firmware for amd.5.5 release
3c98630a amdgpu: update vega10 firmware for amd.5.5 release
d13ef0cb amdgpu: update PSP 13.0.11 firmware for amd.5.5 release
31f8f526 amdgpu: update GC 11.0.4 firmware for amd.5.5 release
f0ce7026 amdgpu: update SDMA 6.0.1 firmware for amd.5.5 release
47424464 amdgpu: update PSP 13.0.4 firmware for amd.5.5 release
60dc78a7 amdgpu: update GC 11.0.1 firmware for amd.5.5 release
ba70041c amdgpu: update 13.0.8 firmware for amd.5.5 release
9c48881f amdgpu: update GC 10.3.7 firmware for amd.5.5 release
bb4d7250 amdgpu: update vangogh firmware for amd.5.5 release
102a4138 amdgpu: update VCN 4.0.4 firmware for amd.5.5 release
a7fe4aa1 amdgpu: update SMU 13.0.7 firmware for amd.5.5 release
80b2d561 amdgpu: update PSP 13.0.7 firmware for amd.5.5 release
a5d7b4df amdgpu: update GC 11.0.2 firmware for amd.5.5 release
c1db00c5 amdgpu: update renoir firmware for amd.5.5 release
683c91f7 amdgpu: update VCN 4.0.0 firmware for amd.5.5 release
39d6fcc7 amdgpu: update SMU 13.0.0 firmware for amd.5.5 release
56832557 amdgpu: update PSP 13.0.0 firmware for amd.5.5 release
ffe1a41e amdgpu: update GC 11.0.0 firmware for amd.5.5 release
72d525d7 amdgpu: update green sardine firmware for amd.5.5 release
ceba765d amdgpu: update beige goby firmware for amd.5.5 release
95eb53c9 amdgpu: update dimgrey cavefish firmware for amd.5.5 release
909cef98 amdgpu: update arcturus firmware for amd.5.5 release
91251d16 amdgpu: update vcn 3.1.2 firmware for amd.5.5 release
9eaff866 amdgpu: update psp 13.0.5 firmware for amd.5.5 release
44772528 amdgpu: update GC 10.3.6 firmware for amd.5.5 release
3bffc9f8 amdgpu: update navy flounder firmware for amd.5.5 release
3b920773 amdgpu: update sienna cichlid firmware for amd.5.5 release
84d5550e amdgpu: update aldebaran firmware for amd.5.5 release
dcd30473 amdgpu: DMCUB updates for various AMDGPU asics
c9e4034a ice: update ice DDP comms package to 1.3.40.0
601c1813 Merge https://github.com/pkshih/linux-firmware
08b854f0 rtlwifi: Add firmware v6.0 for RTL8192FU
b72c69dd rtlwifi: Update firmware for RTL8188EU to v28.0
51290942 (tag: 20230515) Merge branch 'main' of https://github.com/CirrusLogic/linux-firmware

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit a5005508f069c9bd0c1d33970e9b3ecbe5040380)
 2023-08-12 11:46:51 +02:00
Hauke Mehrtens
b62dacea14 mbedtls: Update to version 2.28.4 
This only fixes minor problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d773fe5411cd4fdd8e107cfe338ed731001a1ade)
 2023-08-12 11:46:51 +02:00
Hauke Mehrtens
df994cce96 mbedtls: Update to version 2.28.3 
This only fixes minor problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3

The 100-fix-compile.patch patch was merged upstream, see:
https://github.com/Mbed-TLS/mbedtls/issues/6243
https://github.com/Mbed-TLS/mbedtls/pull/7013

The code style of all files in mbedtls 2.28.3 was changed. I took a new
version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this
pull request: https://github.com/Mbed-TLS/mbedtls/pull/6475

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d679b15d31bd0b68dd88c3cf4d084cce02903627)
 2023-08-12 11:46:51 +02:00
Adam Bailey
c29390b0f3 lua: fix integer overflow in LNUM patch 
Safely detect integer overflow in try_addint() and try_subint().
Old code relied on undefined behavior, and recent versions of GCC on x86
optimized away the if-statements.
This caused integer overflow in Lua code instead of falling back to
floating-point numbers.

Signed-off-by: Adam Bailey <aebailey@gmail.com>
(cherry picked from commit 3a2e7c30d3e6a187ba1df740cdb24c8ad84dfe48)
 2023-08-12 11:46:51 +02:00
Etienne Champetier
503aa7f9fb dropbear: add ed25519 for failsafe key 
At least Fedora and RHEL 9 set RSAMinSize=2048, so when trying to use
failsafe, we get 'Bad server host key: Invalid key length'
To workaround the issue, we can use: ssh -o RSAMinSize=1024 ...

Generating 2048 bits RSA is extremely slow, so add ed25519.
We keep RSA 1024 to be as compatible as possible.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 6ac61dead99ff6b9df00c29b7a858772449718b2)
 2023-08-12 11:46:51 +02:00
Nick Hainke
681baab5a7 wolfssl: update to 5.6.3 
Release Notes:
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.0-stable
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.2-stable
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.3-stable

Refresh patch:
- 100-disable-hardening-check.patch

Backport patch:
- 001-fix-detection-of-cut-tool-in-configure.ac.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 0e83b5e6cc8e2970905a2b32c990fa7491ff733c)
 2023-08-12 11:46:51 +02:00
Hauke Mehrtens
1dbbd0fcf2 uhttpd: update to latest git HEAD 
34a8a74 uhttpd/file: fix string out of buffer range on uh_defer_script

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7a6f6b812632a5983cd34ab5c41271d5d4de5fbf)
 2023-08-12 11:46:51 +02:00
Hauke Mehrtens
c1181a54b0 uhttpd: update to latest Git HEAD 
47561aa mimetypes: add audio/video support for apple airplay
6341357 ucode: respect all arguments passed to send()

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d14559e9df4052cfaecd016c2afd2353ce18c455)
 2023-08-12 11:46:51 +02:00
Hauke Mehrtens
419218af13 kernel: bump 5.10 to 5.10.190 
All patches automatically rebased.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
 2023-08-11 23:17:31 +02:00
Christian Lamparter
80a6b0a917 ipq-wifi: fix upstream board-2.bin ZTE M289F snafu 
The upstream board-2.bin file in the linux-firmware.git
repository for the QCA4019 contains a packed board-2.bin
for this device for both 2.4G and 5G wifis. This isn't
something that the ath10k driver supports.

Until this feature either gets implemented - which is
very unlikely -, or the upstream boardfile is mended
(both, the original submitter and ath10k-firmware
custodian have been notified). OpenWrt will go back
and use its own bespoke boardfile. This unfortunately
means that 2.4G and on some revisions the 5G WiFi is
not available in the initramfs image for this device.

qca9984 isn't affected.

Fixes: #12886
Reported-by: Christian Heuff <christian@heuff.at>
Debugged-by: Georgios Kourachanis <geo.kourachanis@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 75505c5ec724b9b961dcb411bac1d4b9aede3e1d)
 2023-07-04 22:11:53 +02:00
Christian Marangi
2034387af4
netfilter: fix typo in nf-socket and nf-tproxy kconfig 
Fix a typo where the wrong KCONFIG was used and fix selecting the
correct kernel config option to use these packages.

Fixes: 4f443c885ded ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 3ebebf08be950a8a0f3bf5b2c3db910621f2cc21)
 2023-06-23 17:47:53 +02:00
Jitao Lu
70e3f4e94d openssl: passing cflags to configure 
openssl sets additional cflags in its configuration script. We need to
make it aware of our custom cflags to avoid adding conflicting cflags.

Fixes: #12866
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
(cherry picked from commit 51f57e7c2dd2799e34036ec74b3436bf490fade0)
 2023-06-17 12:56:58 +02:00
Christian Marangi
17f6001853
restool: update source.codeaurora.org repository link 
source.codeaurora.org project has been shut down and the nxp
repositories has been moved to github. Update the repository
link to the new location.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 0a1ee5323549bfce30b4d42be2dcc461f694881c)
 2023-06-11 18:58:49 +02:00
Christian Marangi
ca669b7c07
ls-dpl: update source.codeaurora.org repository link 
source.codeaurora.org project has been shut down and the nxp
repositories has been moved to github. Update the repository
link to the new location.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 52fd8d8ba3ed4d34ed1dbc9d14fc7754960a576d)
 2023-06-11 18:58:43 +02:00
Hannu Nyman
4a9eb94b5f bpf-headers: fix compilation with LLVM_IAS=1 
Linux 5.10.178 includes backported commits that break the compilation
of bpf-headers, as the compilation gets confused which assembler to use.
Caused by Linux upstream commits just before the .178 tag:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/?h=v5.10.178

2023-04-20	kbuild: check CONFIG_AS_IS_LLVM instead of LLVM_IAS
2023-04-20	kbuild: Switch to 'f' variants of integrated assembler flag
2023-04-20	kbuild: check the minimum assembler version in Kconfig

Explicitly use LLVM_IAS=1 to fix things.

Fixes #12748

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
 2023-06-10 15:52:19 +02:00
Hauke Mehrtens
afb4422702 openssl: bump to 1.1.1u 
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]

    o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
      OBJECT IDENTIFIER sub-identities.  (CVE-2023-2650)
    o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
    o Fixed handling of invalid certificate policies in leaf certificates
      (CVE-2023-0465)
    o Limited the number of nodes created in a policy tree ([CVE-2023-0464])

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
 2023-06-07 22:40:46 +02:00
Alexey Bartenev
656e411454 ramips: add support for Keenetic Lite III rev. A 
General specification:
SoC Type: MediaTek MT7620N (580MHz)
ROM: 8 MB SPI-NOR (W25Q64FV)
RAM: 64 MB DDR (EM6AB160TSD-5G)
Switch: MediaTek MT7530
Ethernet: 5 ports - 5×100MbE (WAN, LAN1-4)
Wireless: 2.4 GHz (MediaTek RT5390): b/g/n
Buttons: 3 button (POWER, RESET, WPS)
Slide switch: 4 position (BASE, ADAPTER, BOOSTER, ACCESS POINT)
Bootloader: U-Boot 1.1.3
Power: 9 VDC, 0.6 A

MAC in stock:
|-	+			|
| LAN 	| RF-EEPROM + 0x04	|
| WLAN	| RF-EEPROM + 0x04	|
| WAN 	| RF-EEPROM + 0x28	|

OEM easy installation
1. Use a PC to browse to http://my.keenetic.net.
2. Go to the System section and open the Files tab.
3. Under the Files tab, there will be a list of system
files. Click on the Firmware file.
4. When a modal window appears, click on the Choose File
button and upload the firmware image.
5. Wait for the router to flash and reboot.

OEM installation using the TFTP method
1. Download the latest firmware image and rename it to
klite3_recovery.bin.
2. Set up a Tftp server on a PC (e.g. Tftpd32) and place the
firmware image to the root directory of the server.
3. Power off the router and use a twisted pair cable to connect
the PC to any of the router's LAN ports.
4. Configure the network adapter of the PC to use IP address
192.168.1.2 and subnet mask 255.255.255.0.
5. Power up the router while holding the reset button pressed.
6. Wait approximately for 5 seconds and then release the
reset button.
7. The router should download the firmware via TFTP and
complete flashing in a few minutes.
After flashing is complete, use the PC to browse to
http://192.168.1.1 or ssh to proceed with the configuration.

Signed-off-by: Alexey Bartenev <41exey@proton.me>
(cherry picked from commit dc79b51533cfe9a7806353f6c6fd6b22cd80d536)
 2023-06-03 11:49:04 +02:00
Tianling Shen
ce32068bf2 ca-certificates: Update to version 20230311 
Update the ca-certificates and ca-bundle package from version 20211016 to
version 20230311.

Use TAR_OPTIONS instead of hacking Build/Prepare, refresh patches.

Debian change-log entry [1]:
|[...]
|[ Đoàn Trần Công Danh ]
|* ca-certificates: compat with non-GNU mktemp (closes: #1000847)
|
|[ Ilya Lipnitskiy ]
|* certdata2pem.py: use UTC time when checking cert validity
|
|[ Julien Cristau ]
|* Update Mozilla certificate authority bundle to version 2.60
|   The following certificate authorities were added (+):
|   + "Autoridad de Certificacion Firmaprofesional CIF A62634068"
|   + "Certainly Root E1"
|   + "Certainly Root R1"
|   + "D-TRUST BR Root CA 1 2020"
|   + "D-TRUST EV Root CA 1 2020"
|   + "DigiCert TLS ECC P384 Root G5"
|   + "DigiCert TLS RSA4096 Root G5"
|   + "E-Tugra Global Root CA ECC v3"
|   + "E-Tugra Global Root CA RSA v3"
|   + "HARICA TLS ECC Root CA 2021"
|   + "HARICA TLS RSA Root CA 2021"
|   + "HiPKI Root CA - G1"
|   + "ISRG Root X2"
|   + "Security Communication ECC RootCA1"
|   + "Security Communication RootCA3"
|   + "Telia Root CA v2"
|   + "TunTrust Root CA"
|   + "vTrus ECC Root CA"
|   + "vTrus Root CA"
|  The following certificate authorities were removed (-):
|  - "Cybertrust Global Root" (expired)
|  - "EC-ACC"
|  - "GlobalSign Root CA - R2" (expired)
|  - "Hellenic Academic and Research Institutions RootCA 2011"
|  - "Network Solutions Certificate Authority"
|  - "Staat der Nederlanden EV Root CA" (expired)
|* Drop trailing space from debconf template causing misformatting
|  (closes: #980821)
|
|[ Wataru Ashihara ]
|* Make certdata2pem.py compatible with cryptography >= 35 (closes: #1008244)
|[...]

[1]: https://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/ca-certificates_20230311_changelog

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 7c83b6ac8656f9a3b005554d25857e8ed5faf3f6)
 2023-05-28 19:51:52 +02:00