This is a bugfix release. Changelog:
*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
forever for non-prime moduli. (CVE-2022-0778)
*) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
(RFC 5489) to the list of ciphersuites providing Perfect Forward
Secrecy as required by SECLEVEL >= 3.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Modems used in ZTE mobile broadband routers require to query the data
session status using the same CID as one used to establish the session,
otherwise they will report the session as "disconnected" despite
reporting correct PDH in previous step. Without this change, IPv6
connection on these modems doesn't establish properly. In IPv4 this bug
is present as well, but for some reason querying of IPv4 status works
using temporary CID, this however seems noncompliant with QMI
specifications, so fix it as well.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
OpenWrt uses a lot of (b)ash scripts for initial setup. This isn't the
best solution as they almost never consider syncing files / data. Still
this is what we have and we need to try living with it.
Without proper syncing OpenWrt can easily get into an inconsistent state
on power cut. It's because:
1. Actual (flash) inode and data writes are not synchronized
2. Data writeback can take up to 30 seconds (dirty_expire_centisecs)
3. ubifs adds extra 5 seconds (dirty_writeback_centisecs) "delay"
Some possible cases (examples) for new files:
1. Power cut during 5 seconds after write() can result in all data loss
2. Power cut happening between 5 and 35 seconds after write() can result
in empty file (inode flushed after 5 seconds, data flush queued)
Above affects e.g. uci-defaults. After executing some migration script
it may get deleted (whited out) without generated data getting actually
written. Power cut will result in missing data and deleted file.
There are three ways of dealing with that:
1. Rewriting all user-space init to proper C with syncs
2. Trying bash hacks (like creating tmp files & moving them)
3. Adding sync and hoping for no power cut during critical section
This change introduces the last solution that is the simplest. It
reduces time during which things may go wrong from ~35 seconds to
probably less than a second. Of course it applies only to IO operations
performed before /etc/init.d/boot . It's probably the stage when the
most new files get created.
All later changes are usually done using smarter C apps (e.g. busybox or
uci) that creates tmp files and uses rename() that is expected to be
atomic.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
(cherry picked from commit 9851d4b6ce)
When using a non default MESON_HOST_BUILD_DIR, HOST_BUILD_DIR is not
appropriate to use. This change matches the target configure section.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 4c42e2d9dd)
Update to the latest upstream version. In this version there is a new
tool with which you can convert ipsets into nftables sets. Since we are
now using nftables as default firewall, this could be a useful tool for
porting ipsets to nftables sets.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
be64enc, be16dec, and be32dec are declared on FreeBSD 13.0, in
/usr/include/sys/endian.h so we should not declare them.
Fixes the following error during feeds update:
staging_dir/host/bin/mkhash: No such file or directory
gcc scripts/mkhash.c
scripts/mkhash.c:111:1: error: redefinition of 'be64enc'
111 | be64enc(void *buf, uint64_t u)
Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
Remove macOS stuff. Upstream has fixed it in the same way.
Add SOL_TCP define. Taken from elsewhere in the code.
Refreshed patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switched to CMake for faster compilation and greater parallel
friendliness.
Added CMake options from the packages feed.
This release fixes various CVEs.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switched to building with meson as it's faster and does not need a
dependency on cmake, which takes a long time to build.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Refresh 2to3 patch. Upstream partially did this against some older
python version. This is still needed.
Refreshed other patches to be python3 safe.
Remove uClibc patches as only musl is present now.
Refresh others.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
<https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0>
"Mbed TLS 2.28 is a long-time support branch.
It will be supported with bug-fixes and security
fixes until end of 2024."
<https://github.com/ARMmbed/mbedtls/blob/development/BRANCHES.md>
"Currently, the only supported LTS branch is: mbedtls-2.28.
For a short time we also have the previous LTS, which has
recently ended its support period, mbedtls-2.16.
This branch will move into the archive namespace around the
time of the next release."
this will also add support for uacme ualpn support.
size changes
221586 libmbedtls12_2.28.0-1_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk
Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(remark about 2.16's EOS, slightly reworded)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Release notes:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.2-relnotes.txt
```
It includes the following security fix
* In some situations the X.509 verifier would discard an error on an
unverified certificate chain, resulting in an authentication bypass.
Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
```
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 495c4f4e19)
diffconfig.sh runs ./scripts/config/conf, but it does not get built
with 'make {menu,x,n}config. Call 'make ./scripts/config/conf' to
ensure it's been built before running it, aborting in case of failure.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>[removed Fixes: due revert]
Changelog:
backend_startup_project
Add a man page backend to refman
extract_objects() supports generated sources
Python 3.6 support will be dropped in the next release
Warning if check kwarg of run_command is missing
meson rewrite can modify extra_files
meson rewrite target <target> info outputs target's extra_files
Visual Studio 2022 backend
Support for CMake <3.14 is now deprecated for CMake subprojects
Added support for sccache
install_symlink function
Signed-off-by: Rosen Penev <rosenp@gmail.com>
change meson binary to use py extension. Fixes issue with meson's
symbolextractor using the host python instead of the system one.
We intentionally use a .py extension here so that meson launches
additional python scripts with the same build host python interpreter as
itself is running under (and not the host package one once it becomes
available)
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- Call pager with original LANG environment variable
- Consistently complain early if no series file is found
- Fix handling of symbolic links by several commands
- Tighten the patch format parsing
- Reuse the shell (performance)
- Document the series file format further
- Document that quilt loads /etc/quilt.quiltrc
- configure: Make stat configurable
- series: Minor optimizations
- setup: Don't obey the settings of any englobing .pc
- setup: Default to fast mode
- quilt.el: Fix documentation of quilt-pc-directory
- quilt.el: Load /etc/quilt.quiltrc if ~/.quiltrc doesn't exist
- quilt.el: Fix quilt-editable when QUILT_PATCHES_PREFIX is set
Refresh patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[add changelog]
Signed-off-by: Paul Spooren <mail@aparcar.org>
