This package is not needed in base. It will be imported in the packages
feed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: CN_SZTL <cnsztl@project-openwrt.eu.org>
This package is not needed in base. It will be imported in the packages
feed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: CN_SZTL <cnsztl@project-openwrt.eu.org>
This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
overflow in sort_rrset() when DNSSEC is used. This can allow a remote
attacker to write arbitrary data into target device's memory that can
lead to memory corruption and other unexpected behaviors on the target
device.
* CVE-2020-25682:
Dnsmasq versions before 2.83 is susceptible to buffer overflow in
extract_name() function due to missing length check, when DNSSEC is
enabled. This can allow a remote attacker to cause memory corruption
on the target device.
* CVE-2020-25683:
Dnsmasq version before 2.83 is susceptible to a heap-based buffer
overflow when DNSSEC is enabled. A remote attacker, who can create
valid DNS replies, could use this flaw to cause an overflow in a heap-
allocated memory. This flaw is caused by the lack of length checks in
rtc1035.c:extract_name(), which could be abused to make the code
execute memcpy() with a negative size in get_rdata() and cause a crash
in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
A lack of proper address/port check implemented in Dnsmasq version <
2.83 reply_query function makes forging replies easier to an off-path
attacker.
* CVE-2020-25685:
A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
versions before 2.83 reply_query function allows remote attackers to
spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
Multiple DNS query requests for the same resource name (RRNAME) by
Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
traffic, using a birthday attack (RFC 5452), that can lead to DNS
cache poisoning.
* CVE-2020-25687:
Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
remote attacker, who can create valid DNS replies, could use this flaw
to cause an overflow in a heap-allocated memory. This flaw is caused
by the lack of length checks in rtc1035.c:extract_name(), which could
be abused to make the code execute memcpy() with a negative size in
sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
Service.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: CN_SZTL <cnsztl@project-openwrt.eu.org>
The "cidr_contains6" functions clones the given cidr. The contains4
does not clone the cidr. Both functions do not behave the same.
I see no reason to push the cidr. I think that we get only a negligible
performance gain, but it makes ipv4 and ipv6 equal again.
Signed-off-by: Nick Hainke <vincent@systemli.org>
The cidr_parse6 function parses a string to an ipv6-address.
The cidr struct contains a union called buf for the ipv4 and ipv6
address. Since it is a char pointer and the struct is initialized with
the maximum size (so ipv6 string) it does not make any difference.
However, we should access the buffer using the v6 name, since it could
be confusing otherwise.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This patch was already applied upstream and not needed here.
Fixes: 06403981e1 ("ppp: update to version 2.4.7.git-2019-05-06")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
By setting 'auto', the zero address or the empty string as source
address (option ipaddr, option ip6addr), vxlan will choose one
dynamically. This helps in setups where a wan ip or prefix changes.
This corresponse to setting up an vxlan tunnel with:
proto vxlan6:
# ip link add vx0 type vxlan id ID local :: ...
proto vxlan:
# ip link add vx0 type vxlan id ID local 0.0.0.0 ...
While it is possible to not specify a source ip at all, the kernel will
default to setting up a ipv4 tunnel. The kernel will take any hint from
source and peer ips to figure out, what tunnel type to use. To make sure
we setup an ipv6 tunnel for proto vxlan6, this workaround is needed.
This will not change the behaviour of currently working configurations.
However this will allow former broken configurations, namely those not
specifying both a source address and tunnel interface, to setup a
tunnel interface. Previously those configurations weren't reporting an
error and were stueck in a setup loop like in Bug FS#3426.
This change lifts the currently very strict behaviour and should fix the
following bug:
Fixes: FS#3426
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=3426
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
The patch removes a libpcap check to avoid a problem with libpcap. Fix
libpcap instead.
Modernize Makefile:
Use a normal autoconf bool instead of checking for CONFIG_IPV6.
Remove old configure and MAKE_FLAGS hacks. Removing them results in
compilation continuing to work without a problem.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
You shouldn't need the overhead of GRE just to add multicast
capability on a point-to-point interface (for instance, you might
want to run mDNS over IPsec transport connections, and Avahi
requires IFF_MULTICAST be set on interfaces, even point-to-point
ones).
Borrowed heavily from:
b3c9321b9e gre: Support multicast configurable gre interfaces
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Bump package version after previous changes.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
binary size cost is much less than 1k.
tested on ath79/generic:
bin: 215128 -> 215132 (+4b)
ipk: 111183 -> 111494 (+311b)
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
this commit removes manual recipes for options and introduces mapping lists:
- DB_OPT_COMMON holds option mappings which are common for all builds;
- DB_OPT_CONFIG holds option mappings which are depend on config settings.
DB_OPT_COMMON is space-separated list of 'words', each of them is in format:
'header_option|value'
'header_option' is added with value 'value' to 'localoptions.h'.
if 'header_option' is preceded by two exclamation marks ('!!')
then option is not added to 'localoptions.h' but replaced in 'sysoptions.h'.
in short:
option|value - add option to localoptions.h
!!option|value - replace option in sysoptions.h
DB_OPT_CONFIG is space-separated list of 'words', each of them is in format:
'header_option|config_variable|value_enabled|value_disabled'
'header_option' is handled likewise in DB_OPT_COMMON.
if 'config_variable' is enabled (technically: not disabled)
then 'header_option' is set to 'value_enabled' and 'value_disabled' otherwise.
in short:
option|config|enabled|disabled = add option to localoptions.h
!!option|config|enabled|disabled = replace option in sysoptions.h
option := (config) ? enabled : disabled
If you're not sure that option's value doesn't have '|' within - add your recipe
manually right after '$(Build/Configure/dropbear_headers)' and write some words
about your decision.
PS about two exclamation marks:
early idea was to use one exclamation mark to denote such header options
but then i thought single exclamation mark may be overlooked by mistake.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- add two helper functions to avoid mistakes with
choice of correct header file to work with
- update rules accordingly
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
put static options at first place, then place configurable options.
also put DROPBEAR_ECC right before DROPBEAR_ECC_FULL to ease maintainance.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
this option was disabled in 2011 and these long nine years showed us that change was definitely wrong.
binary size cost is much less than 1k.
tested on ath79/generic:
bin: 215128 -> 215128 (no change)
ipk: 111108 -> 111183 (+75b)
Fixes: 3c801b3dc0 ("tune some more options by default to decrease size")
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
The package has no reason to be in openwrt.git. Move it to packages.git.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Acked-by: Jo-Philipp Wich <jo@mein.io>
The lldpd sources ship a modified local AX_LIB_READLINE M4 macro which
conflicts with the official macro shipped by autoconf-archive.
Due to the official macro having the same name and a higher serial
number, autoconf will prefer including that one instead of the local
copy, preventing the substitution of @READLINE_LIBS@ in Makefile.in
templates, ultimately leading to the following build failure when
linking lldpcli:
...-gcc: error: READLINE_LIBS@: No such file or directory
Avoid this problem by renaming the locally shipped macro to not clash
with the official implementation anymore.
Ref: lldpd/lldpd/pull/423
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
faed29a dhcpv6: only refresh timers when reconfigure is valid
9c50975 dhcpv6: fix printing identity association id
a7b2221 dhcpv6: avoid sending continuous renew/rebind messages
d7afa2b dhcpv6: add extra syslog info traces
f5728e4 odhcp6c_find_entry: exclude priority from the list of fields that must match
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
d6bd1047d004 vlandev: dump vlan id in device status
e0c838bd06a6 vlandev: support bridge-vlan aliases in the vid config parameter
574dc4a17105 system-dummy: print configured mac address
14f0e8ff928f system-linux: simplify mask check in system_if_apply_settings
524310276f20 system-linux: move device settings handling to device.c
42c48866f1c1 config: parse default mac address from board.json
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This PR backports upstream fix for CVE-2020-8037. This fix is only
relevant for tcpdump package, tcpdump-mini is not affeted by this issue.
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
