Karl Palsson authored 3 years ago and Andreas Gnau committed 4 months ago

Changelog: https://lists.haxx.se/pipermail/c-ares/2021-October/000002.html

This includes the update to the domain name, made upstream, ref: https://lists.haxx.se/pipermail/c-ares/2021-September/000001.html



Signed-off-by: Karl Palsson <karlp@etactica.com>
(cherry picked from commit 60e60fc3)
Signed-off-by: Andreas Gnau <andreas.gnau@iopsys.eu>

Fix CVE-2023-38545 SOCKS5 heap buffer overflow

Signed-off-by: Andreas Gnau <andreas.gnau@iopsys.eu>

Signed-off-by: Andreas Gnau <andreas.gnau@iopsys.eu>

This fixes CVE-2022-40284.

Security release 2022.10.3 (Oct 31, 2022)

 * Rejected zero-sized runs
 * Avoided merging runlists with no runs

Security version 2022.5.17 (May 26, 2022)

 * Improved defence against maliciously tampered NTFS partitions
 * Improved defence against improper use of options
 * Updated the documentation

Signed-off-by: Andreas Gnau <andreas.gnau@iopsys.eu>

This reverts commit 9766c9ea.

This fixes CVE-2022-40284.

Security release 2022.10.3 (Oct 31, 2022)

 * Rejected zero-sized runs
 * Avoided merging runlists with no runs

Security version 2022.5.17 (May 26, 2022)

 * Improved defence against maliciously tampered NTFS partitions
 * Improved defence against improper use of options
 * Updated the documentation

Signed-off-by: Andreas Gnau <andreas.gnau@iopsys.eu>
(cherry picked from commit 0417df60)

Eneas U de Queiroz authored 3 years ago and Andreas Gnau committed 2 years ago

Change ---help--- to plain 'help' in Package/ntfs-3g/config, as newer
versions of kconfig have removed the command's older name.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit d5226e1e)

Sebastian Kemper authored 3 years ago and Andreas Gnau committed 2 years ago

Upstream announced new release which includes fixes for 21 CVEs (see
[1]).

Upstream changed the symlink "mkfs.ntfs" to respect "--sbin-dir". So
this commit adjusts this likewise in the Makefile.

[1] https://www.openwall.com/lists/oss-security/2021/08/30/1



Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
(cherry picked from commit 555546e3)

This reverts commit 40b7ea60. Will be
added by future cherry-picked version bumps.

Lucian Cristian authored 3 years ago and Andreas Gnau committed 2 years ago

this update also fixes a CVE

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(cherry picked from commit ec252c20)
(cherry picked from commit baad17e96f87999a10df94cac05ca4e9526de60c)

Lucian Cristian authored 3 years ago and Andreas Gnau committed 2 years ago

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(cherry picked from commit b2efa063)
(cherry picked from commit f47ecdc42f9487a8b14e16d6d44d9b427722be26)

Lucian Cristian authored 3 years ago and Andreas Gnau committed 2 years ago

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(cherry picked from commit b8c2ab47)
(cherry picked from commit 883fded23d6774d28774e6240e715b4abde2ad40)

Lucian Cristian authored 4 years ago and Andreas Gnau committed 2 years ago

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(cherry picked from commit 7087177b)
(cherry picked from commit e9130a712f3b342ff6645942d238eaf7e734d53b)

Petr Štetiar authored 2 years ago and Andreas Gnau committed 2 years ago

When we explicitly declare, that we would like to have curl built with
wolfSSL support using `--with-wolfssl` configure option, then we should
make sure, that we either endup with curl having that support, or it
shouldn't be available at all, otherwise we risk, that we end up with
regressions like following:

  configure:25299: checking for wolfSSL_Init in -lwolfssl
  configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip]
  In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33,
                   from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35,
                  from target-x86_64_musl/usr/include/wolfssl/ssl.h:35,
                   from conftest.c:47:
  target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory
       #include <wolfssl/wolfcrypt/sp_int.h>
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
  compilation terminated.

and in the end thus produce curl without https support:

 curl: (1) Protocol "https" not supported or disabled in libcurl

So fix it, by making the working wolfSSL mandatory and error out in
configure step when that's not the case:

 checking for wolfSSL_Init in -lwolfssl... no
 configure: error: --with-wolfssl but wolfSSL was not found or doesn't work

References: #19005, #19547
Upstream-Status: Accepted [https://github.com/curl/curl/pull/9682

]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 9140f366)
(cherry picked from commit a1d76d41c3c1bdcca67e076d4a8fd5688c92ae97)

Rosen Penev authored 2 years ago and Andreas Gnau committed 2 years ago

options.h header is needed after bump of libwolfssl to version 5.5.1,
otherwise libcurl autodetection for libwolfssl availability fails and
libcurl is then compiled without https support.

Fixes: #19547
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 31757575)
(cherry picked from commit ef545e03)
Signed-off-by: Petr Štetiar <ynezz@true.cz> [commit verbosity]
(cherry picked from commit f4cc6adcfeedce8090c735e6d1fff6123c72bd01)

Petr Štetiar authored 2 years ago and Andreas Gnau committed 2 years ago

As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.

So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.

Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 845d81ca)
(cherry picked from commit f624e41f)
(cherry picked from commit c8447b8a3829349822c9d26c978959042d697d0a)

Stan Grishin authored 2 years ago and Andreas Gnau committed 2 years ago

* https://curl.se/changes.html#7_83_1



Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit b0f213a7)
(cherry picked from commit baaa3ef00adf82253b6028984ffb44bc478797fd)

Chris Osgood authored 2 years ago and Andreas Gnau committed 2 years ago

Fixes #18082

Signed-off-by: Chris Osgood <chris_github@functionalfuture.com>
(cherry picked from commit 4eb08bac)
(cherry picked from commit f01cf663b68e04196963c339e1ab7202b6afdc57)

Stan Grishin authored 3 years ago and Andreas Gnau committed 2 years ago

* changelog: https://curl.se/changes.html#7_82_0



Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 38b3a5f8)
(cherry picked from commit 1a0cb5ce4ab88b764600429c7687b66d7ed91401)

Amin Ben Romdhane authored 2 years ago and Vivek Dutta committed 2 years ago

(cherry picked from commit 75b1208a)

Michael Heimpold authored 2 years ago and Andreas Gnau committed 2 years ago

This fixes CVE-2022-29824.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit c12e1cfc)

Michael Heimpold authored 3 years ago and Andreas Gnau committed 2 years ago

This fixes CVE-2022-23308.

Also switch to GNOME as download source and xz tarball.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 81fd836f)

Vivek Dutta authored 2 years ago and Vivek Dutta committed 2 years ago

- use include conf.d for listener conf


(cherry picked from commit 7f899cbd)

This reverts commit adf9c249.

Unconditionally setting the default algorithm to bcrypt will make the
rest of the system such as dropbear and also busybox in its default
config not work with the hashes written by the passwd utility.

See also:
    https://github.com/openwrt/packages/commit/adf9c249498fe526e2d6afd19bf7985f116c8531



Fixes IOP-7508. IOP-7697 to investigate proper fix.

Signed-off-by: Andreas Gnau <andreas.gnau@iopsys.eu>

[21.02] ksmbd: update to 3.44

This includes fixes for:

* CVE-2022-23772: math/big: Rat.SetString may consume large amount of
  RAM and crash

* CVE-2022-23806: crypto/elliptic: IsOnCurve returns true for invalid
  field elements

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 69c53fcb)

The first-run command should create a new tvheadend configuration including an admin account with no name and no password, but it aborts (-A) too early without saving the files. I reported the bug here: https://tvheadend.org/issues/6140


This workaround fixes the problem by removing the tvheadend -A switch and replacing it with a 10s delay and a kill signal. That should be enough even for slow routers to generate and save the configuration. It is meant to be a temporary fix until tvheadend bug is resolved.

Signed-off-by: Marius Dinu <m95d+git@psihoexpert.ro>

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 3ffd540b)

The configuration for the ksmbd service is auto-generated when
the OpenWRT configuration changes, and also during startup,
hence ksmbd.init has to reload the kernel module. It does that by
calling kill_server, which does not perform cleanup. This results
in ksmbd being killed but not restarted properly during boot.
This patch resolves the issue by using stop_service, which performs
proper cleanup.

https://forum.openwrt.org/t/ksmbd-samba3-4-alternative-ex-cifsd-smbd-package-support-thread/51695/68



Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
(cherry picked from commit 4af04cdc)

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 4adeed48)

Signed-off-by: Marcos Del Sol Vives <marcos@orca.pet>
(cherry picked from commit 2b48a695)

Add AUTORELEASE as 19.07 compatibility is not needed.

Add dependency hacks and add comments.

Add upstream patch to get rid of FS_POSIX_ACL requirement.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit c732305a)

Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>

Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 4454f8bb)

It has been imported as core package into OpenWrt repository. Its fdtget
is required by sysupgrade on U-Boot devices so it couldn't live in an
extra feed.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit c8d4c89d)