- Fix multiple security issues. See http://freeradius.org/security/fuzzer-2017.html

 Thanks to Guido Vranken for working with us to discover the issues and test the fixes.
 - FR-GV-207 Avoid zero-length malloc() in data2vp().
 - FR-GV-206 correct decoding of option 60.
 - FR-GV-205 check for "too long" WiMAX options.
 - FR-GV-204 free VP if decoding fails, so we don't leak memory.
 - FR-GV-203 fix memory leak when using decode_tlv().
 - FR-GV-202 check for "too long" attributes.
 - FR-GV-201 check input/output length in make_secret().
 - FR-AD-001 Use strncmp() instead of memcmp() for bounded data.
 - Disable in-memory TLS session caches due to OpenSSL API issues.
 - Allow issuer_cert to be empty.
 - Look for extensions using correct index.
 - Fix types.
 - Work around OpenSSL 1.0.2 problems, which cause failures in TLS-based EAP methods.
 - Revert RedHat contributed bug which removes run-time checks for OpenSSL consistency.
 - Allow OCSP responder URL to be later in the packet Fix by Ean Pasternak.
 - Catch empty subject and non-existent issuer cert in OCSP Fix by Ean Pasternak.
 - Allow non-FIPS for MD5 Fix by Ean Pasternak.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

[For-15.05] libsodium: Fix download url

Signed-off-by: Kishan Gondaliya <kishanpgondaliya@gmail.com>

krb5: install include properly and leave libcom_err* in place

Lighttpd for 15.05

(with feedback from @hnyman and patch additions from @MikePetullo)

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>

This fixes upstream regression introduced in 1.4.40. It was reported &
debugged in https://redmine.lighttpd.net/issues/2793


This fix is queued for 1.4.46 in the personal/gstrauss/master upstream
branch.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

Update to 1.4.42 introduced a problem with starting lighttpd as
OpenWrt/LEDE service. It was stopping whole init process at sth like:
  783 root      1124 S    {S50lighttpd} /bin/sh /etc/rc.common /etc/rc.d/S50lighttpd boot
  799 root      1164 S    /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

It was hanging until getting random pool:
[  176.340007] random: nonblocking pool is initialized
and then immediately the rest of init process followed:
[  176.423475] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[  176.430754] jffs2_build_filesystem(): unlocking the mtd device... done.
[  176.437615] jffs2_build_filesystem(): erasing all blocks after the end marker... done.

This was fixed in 1.4.44, but bump directly to 1.4.45 while at it.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

Signed-off-by: W. Michael Petullo <mike@flyn.org>

[for-15.05] unbound: DNSSEC trust anchor roll for 2017

Carry both the 2010 and 2017 DS records until 2018.
Unbound complies with RFC5011 but fresh installs
need these anchors to get started.
https://www.icann.org/resources/pages/ksk-rollover
https://www.iana.org/domains/root



Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

[for-15.05] ddns-scripts: New update url for service duiadns.net

- new update url for service "duiadns.net" #3969
- updated public_suffix_list.dat

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>

[for-15.05] ddns-scripts: backport of 2.7.6-12

- fix detecting local ip from ip command #3834 and https://forum.lede-project.org/t/bugs-in-ddns-scripts/1000


- updated public_suffix_list.dat
- minor fixes to services files

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>

[For 15.05] ddns-scripts: Backport of current version 2.7.6-11

fix problem with detecting ip from nslookup

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>

Backport of current version 2.7.6-10
- more services
- more functionality
- be prepared for next versions

compiled ipk-packages available at
https://github.com/chris5560/OpenWrt-Backports/tree/master/for-CC15.05.01/ddns-scripts_2.7.6-10



Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>

net-snmp: [backport-15.05] add package snmp-mibs

this installs the default MIBS-files under /usr/share/snmp/mibs .
Also aligns the defines to the same sorting-scheme.

backport of daeb5fd5

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>

Apply adblock updates 1.5.3-1.5.4

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

Original commit messages:

adblock: update 1.5.3
* make wget check more flexible,
  fix for broken wget package installations

adblock: bugfix 1.5.4
* CC/uclient-fetch compatibility fix

libaudiofile: updated source url (v0.3.6)

Signed-off-by: Marek Sedlak <bodka.zavinac@gmail.com>

libsodium and dnscrypt-proxy url change for 15.05

Signed-off-by: W. Michael Petullo <mike@flyn.org>

Signed-off-by: Stephan Conrad <stephan@conrad.pics>

Signed-off-by: Stephan Conrad <stephan@conrad.pics>

CC15.05 ruby: bump to 2.2.6

[for 15.05] python: backport version 2.7.12 to CC

Fixes CVE-2016-5699
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5699



Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

This release includes new SSL certificates for RubyGems. And, this also
includes about 80 bug fixes after the previous release. See the
http://svn.ruby-lang.org/repos/ruby/tags/v2_2_6/ChangeLog

 for details.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

Signed-off-by: Robbie Cao <robbie.cao@gmail.com>

 - Revert "package haproxy: fix typo for buildvariant nossl"
 - Revert "haproxy: bump to version 1.6.9 mainline and pending patches"

Signed-off-by: heil <heil@terminal-consulting.de>

Signed-off-by: heil <heil@terminal-consulting.de>

Signed-off-by: heil <heil@terminal-consulting.de>

This reverts commit e245e2b8.

Signed-off-by: Luka Perkov <luka@openwrt.org>