Michael Heimpold [Tue, 20 Jun 2023 06:01:29 +0000 (08:01 +0200)]
Merge pull request #21397 from mhei/21.02-php8-update-to-8.0.29
[21.02] php8: update to 8.0.29
Michael Heimpold [Thu, 15 Jun 2023 19:27:59 +0000 (21:27 +0200)]
php8: update to 8.0.29
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Tianling Shen [Tue, 13 Jun 2023 03:00:45 +0000 (11:00 +0800)]
Merge pull request #21347 from jefferyto/python-3.9.17-openwrt-21.02
[openwrt-21.02] python3: Update to 3.9.17
Jeffery To [Mon, 12 Jun 2023 08:17:50 +0000 (16:17 +0800)]
python3: Update to 3.9.17
This includes an updated patch for pip, as the bundled pip was also
updated with this release.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Hirokazu MORIKAWA [Thu, 8 Jun 2023 05:37:38 +0000 (14:37 +0900)]
avahi: Import patches for security fixes
Imported patches included in debian and other package.
* 200-Fix-NULL-pointer-crashes-from-175.patch
CVE-2021-3502
A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.
* 201-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
CVE-2021-3468
A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.
* 202-avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch
avahi_dns_packet_consume_uint32 left shifts uint8_t values by 8, 16 and 24 bits to combine them into a 32-bit value. This produces an undefined behavior warning with gcc -fsanitize when fed input values of 128 or 255 however in testing no actual unexpected behavior occurs in practice and the 32-bit uint32_t is always correctly produced as the final value is immediately stored into a uint32_t and the compiler appears to handle this "correctly".
Cast the intermediate values to uint32_t to prevent this warning and ensure the intended result is explicit.
* 203-Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
This was causing timeouts to never be removed from the linked list that tracks them, resulting in both memory and CPU usage to grow larger over time.
* 204-Emit-error-if-requested-service-is-not-found.patch
It currently just crashes instead of replying with error. Check return
value and emit error instead of passing NULL pointer to reply.
* 205-conf-file-line-lengths.patch
Allow avahi-daemon.conf file to have lines longer than 256 characters (new limit 1024).
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
(cherry picked from commit
779af4d40ccdc0f2a798ee6b6849abb37d202f1b)
Toke Høiland-Jørgensen [Fri, 9 Jun 2023 13:23:45 +0000 (15:23 +0200)]
net/acme: Bump acme.sh to v3.0.6
Important security fix.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Glenn Strauss [Sat, 27 May 2023 22:03:56 +0000 (18:03 -0400)]
lighttpd: update to lighttpd 1.4.71 release hash
remove patches included upstream
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
19291ee1951a79776c1b67c10fd67af5d346abc5)
W. Michael Petullo [Fri, 19 May 2023 16:40:28 +0000 (11:40 -0500)]
syslog-ng: update to 4.2.0
Signed-off-by: W. Michael Petullo <mike@flyn.org>
(cherry picked from commit
1fcea0798110cca216676d065dd66a17d1a1f447)
Alexandru Ardelean [Sat, 27 May 2023 18:15:32 +0000 (21:15 +0300)]
Merge pull request #21185 from commodo/django-update-21.09
[21.02] django: bump to version 3.2.19
Alexandru Ardelean [Fri, 26 May 2023 10:17:53 +0000 (13:17 +0300)]
django: bump to version 3.2.19
Fixes CVE-2023-31047
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-31047
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Rafał Miłecki [Thu, 11 May 2023 11:27:32 +0000 (13:27 +0200)]
wsdd2: fix stopping service
Function start_service() is called whenever service may need reloading.
If SMB server is not running it could be simply because it has been
stopped. Reloading service in such case is not an error so:
1. Don't log error as it isn't one
2. Don't exit with error code as it was confusing procd
This change fixes scenario like:
/etc/init.d/ksmbd stop
/etc/init.d/wsdd2 reload
(previously above wasn't stopping wsdd2)
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit
6020ca52bf5d7b2869ef1ff8a966d15281aa56ab)
Li Zhang [Mon, 25 Apr 2022 14:18:31 +0000 (22:18 +0800)]
wsdd2: Remove extra comma, which breaks the key-value pair of the '-b' parameter
Signed-off-by: Li Zhang <starsunyzl@gmail.com>
(cherry picked from commit
5fc06d939fb9a37752b7665eca1355e23aa4e85f)
Fritz D. Ansel [Thu, 12 Aug 2021 04:56:43 +0000 (06:56 +0200)]
wsdd2: don't use fqdn
workgroups use the name of the host without domain
Signed-off-by: Fritz D. Ansel <fdansel@yandex.ru>
(cherry picked from commit
3953ff956da6d9d0f335ddba3fc347bfef4fabb2)
Rafał Miłecki [Sat, 8 Apr 2023 16:18:55 +0000 (18:18 +0200)]
lxc: set --with-runtime-path to the /var/run path
The default runtime directory used by LXC is /run which doesn't exist
in OpenWrt. It causes errors like:
Failed to create lock for foo
lxc-create: foo: tools/lxc_create.c: main: 260 Failed to create lxc container
There has been workaround for that in the lxc-auto.init but it requires
installing "lxc-auto" package. Replacing that "ln -s" workaround with
Makefile specifying --with-runtime-path allows using pure "lxc" in
OpenWrt (without the "lxc-auto").
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit
90fef036fe465262d5915489d45f430b313f22ab)
Marc Benoit [Mon, 5 Sep 2022 19:15:14 +0000 (15:15 -0400)]
lxc-auto: made init script compatible with image builder
Signed-off-by: Marc Benoit <marcb62185@gmail.com>
(cherry picked from commit
e70844a9ca327b98eb33d1c9a3cce987cc91a190)
John Audia [Thu, 3 Feb 2022 20:19:05 +0000 (15:19 -0500)]
lxc: update to 4.10.12
Bump to latest upstream release and rebase:
010-Remove-distro-check.patch
025-remove-unsupported-option.patch
After updating ran `make package/lxc/refresh` to clean dirty patches
Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B
Signed-off-by: John Audia <graysky@archlinux.us>
(cherry picked from commit
115bf07f6c449a17bf12a3e7e065ff252a772e6f)
John Audia [Sun, 19 Sep 2021 18:35:09 +0000 (14:35 -0400)]
lxc-auto: step by 1 sec up to $max_timeout
If the user defines a $max_timeout of 30, the service will wait 30 seconds
before it considers lxc-stop complete even though lxc-stop might actually
finish much sooner. This introduces an unneeded delay.
This commit changes the behavior to check once per second to see when lxc-stop
actually stops doing so up to $max_timeout. It also slightly simplifies the
code with logic to append the -t $max_timeout to the script.
Signed-off-by: John Audia <graysky@archlinux.us>
(cherry picked from commit
7984d2d74a2fd83f036310888ad7486bff655c5a)
Jan Hák [Wed, 12 Apr 2023 09:16:04 +0000 (11:16 +0200)]
knot: update to version 3.2.6
Signed-off-by: Jan Hák <jan.hak@nic.cz>
(cherry picked from commit
bb946a19cd3203e288f99db666e123c92f7e3d0d)
Jan Hák [Mon, 13 Feb 2023 14:35:42 +0000 (15:35 +0100)]
knot: update to version 3.2.5
Signed-off-by: Jan Hák <jan.hak@nic.cz>
(cherry picked from commit
94512aba16e9bf4bc4a6dbc18bf67cbd97e035a6)
Josef Schlehofer [Sat, 1 Apr 2023 09:15:13 +0000 (11:15 +0200)]
syslog-ng: update to version 4.1.1
- Release notes:
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.1.1
- Updated version in config
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit
7de98324c73c8c680d05ef06bf2bf313d54bda83)
Glenn Strauss [Mon, 15 May 2023 03:41:28 +0000 (23:41 -0400)]
lighttpd: QUILT patches; fix build patches
QUILT patches; fix build patches to re-merge deprecated modules
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Glenn Strauss [Thu, 11 May 2023 00:52:05 +0000 (20:52 -0400)]
lighttpd: include mod_h2 in base package
The next version of lighttpd will move HTTP/2 support from the lighttpd
base executable into a separate module: mod_h2
Include patch to do so now, and update packaging to handle it.
HTTP/2 support is enabled by default since lighttpd 1.4.59, but if
HTTP/2 support is explicitly disabled in the configuration, then mod_h2
will not be loaded, thereby reducing lighttpd memory use.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
f4152fccadc021b016b341526ddf83ddcf593ca1)
Glenn Strauss [Thu, 11 May 2023 00:49:24 +0000 (20:49 -0400)]
lighttpd: update to lighttpd 1.4.70 release hash
remove patches included upstream
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
0d5b110077d4c51a12d797a844495ce63071a205)
Glenn Strauss [Wed, 12 Apr 2023 17:15:49 +0000 (13:15 -0400)]
lighttpd: adjust packages for built-in modules
(.so is no longer built, but package still contains config files)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
7fda9563de92e58f0ae5c388e66de1d66e3df7f0)
Glenn Strauss [Fri, 14 Apr 2023 19:19:36 +0000 (15:19 -0400)]
lighttpd: fix package DEPENDS syntax
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Co-authored-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
ae5135a9139425455e39b1030928786b5c0e37a9)
Tianling Shen [Wed, 26 Apr 2023 03:35:19 +0000 (11:35 +0800)]
librespeed-go: update file permissions for ujail
This fixes "permission denied" error when access files as a normal user.
Reported-by: Anya Lin <hukk1996@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
42d340bce0106538888f9e942dc3dd6f7f9e62ff)
Javier Marcet [Mon, 9 Jan 2023 15:29:47 +0000 (17:29 +0200)]
bind: disable geoip
Signed-off-by: Javier Marcet <javier@marcet.info>
[modified also PKG_RELEASE]
(cherry picked from commit
073ee02500ca5bd0b5b530efcc662690c55ca2ac)
Tianling Shen [Sat, 15 Apr 2023 20:08:06 +0000 (04:08 +0800)]
Merge pull request #20799 from gstrauss/lighttpd-1.4.69-1-openwrt-21.02
lighttpd: update to lighttpd 1.4.69 release hash - backport to openwrt 21.02
Glenn Strauss [Fri, 14 Apr 2023 06:28:45 +0000 (02:28 -0400)]
lighttpd: patch to restore removed modules
patch to restore removed modules to preserve state for 21.02
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Hannu Nyman [Mon, 9 Jan 2023 20:02:44 +0000 (22:02 +0200)]
ocserv: disable libmaxminddb detection
Disable libmaxminddb detection to fix a build error
due to missing dependency.
(the libmaxminddb library is now detected, but is unnecessary.)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit
508c4548dc7c73d6e824bd5a9b1dcb8fb7132ab3)
Hannu Nyman [Mon, 9 Jan 2023 20:01:32 +0000 (22:01 +0200)]
knot: disable libmaxminddb detection
Disable libmaxminddb detection to fix a build error due to
missing dependency.
(the libmaxminddb library is now detected, but is unnecessary.)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit
ce46bf8a4307ae2e0ec6d3f517cad05666eb7a22)
Glenn Strauss [Fri, 14 Apr 2023 19:19:36 +0000 (15:19 -0400)]
lighttpd: fix package DEPENDS syntax
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Co-authored-by: Tianling Shen <cnsztl@immortalwrt.org>
Rosen Penev [Wed, 4 Jan 2023 00:15:16 +0000 (16:15 -0800)]
libmaxminddb: install pkgconfig file
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit
fe018482f83d51b9005c44d25652ea323aa338a2)
(cherry pick reduced for backport)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Glenn Strauss [Sun, 12 Feb 2023 05:29:06 +0000 (00:29 -0500)]
lighttpd: update to lighttpd 1.4.69 release hash
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
8f2fbf093a42040dcc226dee4fcd493a215645ed)
Glenn Strauss [Sat, 21 Jan 2023 01:07:36 +0000 (20:07 -0500)]
lighttpd: add lighttpd-mod-webdav_min package
add lighttpd-mod-webdav_min package alternative to lighttpd-mod-webdav
lighttpd-mod-webdav_min is more minimal than full lighttpd-mod-webdav.
lighttpd-mod-webdav_min does not support PROPPATCH, LOCK, UNLOCK, and
by not supporting those methods, removes dependencies on libxml2,
libsqlite3, and libuuid.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
ed6fe528c1efc549891144967eefe51a73999511)
Glenn Strauss [Wed, 4 Jan 2023 02:19:46 +0000 (21:19 -0500)]
lighttpd: collect mods now built into lighttpd exe
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
85279b49ceeb411f98623e6febef48b83f04813b)
Glenn Strauss [Tue, 3 Jan 2023 18:09:52 +0000 (13:09 -0500)]
lighttpd: remove patch included upstream
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
66001d5a91087dec6ff9e620b995beaff60506d7)
Glenn Strauss [Tue, 3 Jan 2023 17:52:02 +0000 (12:52 -0500)]
lighttpd: update to lighttpd 1.4.68 release hash
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
6383ae9407280df7f2ac29065bfe22d7bca73ed7)
Glenn Strauss [Thu, 24 Nov 2022 07:18:09 +0000 (02:18 -0500)]
lighttpd: modify build cmd for type: feature opts
modify build command for meson type: feature options
remove -Dwith_libev=disabled (option no longer has any effect)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
4a3b62a92ab21bb6ae373dbbbfc1c5eb16ebc3f5)
Glenn Strauss [Wed, 30 Nov 2022 05:21:49 +0000 (00:21 -0500)]
lighttpd: add lighttpd-mod-rrdtool dep on rrdtool1
add lighttpd-mod-rrdtool dependency on rrdtool1
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
9f299e881ba7ae665d5251d1e4c8a9585b039911)
Glenn Strauss [Wed, 30 Nov 2022 04:32:44 +0000 (23:32 -0500)]
lighttpd: lighttpd-1.4.67-4
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
a09dbfcf976f8d0c0247f068945dbd321e314bf8)
Glenn Strauss [Thu, 6 Oct 2022 08:32:04 +0000 (04:32 -0400)]
lighttpd: document crypto lib options in Makefile
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit
43741e748f8569be4aaf3ba3a99867eef32c74e4)
Tianling Shen [Sun, 9 Apr 2023 19:48:23 +0000 (03:48 +0800)]
v2raya: Update to 2.0.5
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
23e134816688793d42cc52ad78a9fc65f4e6d3bc)
Ryan Shi [Mon, 10 Apr 2023 18:16:10 +0000 (21:16 +0300)]
rrdtool: update PKG_SOURCE_URL
Signed-off-by: Ryan Shi <qweaszxcdf@users.noreply.github.com>
(cherry picked from commit
164e0257e7c079b06e5d862cbc31e1f11ac651cb)
Tianling Shen [Mon, 3 Apr 2023 10:29:41 +0000 (18:29 +0800)]
yq: Update to 4.33.2
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
0b255830e9b33c4848c4ee65419ca3755baf883f)
Tianling Shen [Mon, 27 Mar 2023 11:43:11 +0000 (19:43 +0800)]
yq: Update to 4.33.1
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
e2cf4fa9a119076d23f26e3803247b5d83c71547)
Hannu Nyman [Wed, 5 Apr 2023 17:41:25 +0000 (20:41 +0300)]
nano: make nanorc world readable
If file /etc/nanorc is readable by everyone, "default" settings
are available for users as well without necessarily requiring
their own customized .nanorc in their home directory. Or if
they want one, but want it to be based on system's default
nanorc, they can copy it from /etc - without chmodding
file, it is inaccessible for users.
Suggested-by: Oskari Rauta <oskari.rauta@gmail.com>
[switched approach to use INSTALL_DATA]
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit
76d02f933f006fb854c03fa1738ed795acc32e50)
Vladimir Ulrich [Sat, 25 Sep 2021 19:17:18 +0000 (22:17 +0300)]
zoneinfo: Updated to the latest release
Signed-off-by: Vladimir Ulrich <admin@evl.su>
(cherry picked from commit
7259eea63fcbeb0955c8f390562c88590a3e1ae7)
(cherry picked from commit
00f1c78a647c5b1ddc8347d0bacbfdec3c743536)
(cherry picked from commit
453be8f179e78a00048deff746e74244b39f7ad8)
(cherry picked from commit
3185feda499ab68ca463696c0e673d8056ec4429)
(cherry picked from commit
b15721d6d64686933cf982c9fe303845565a1bc0)
(cherry picked from commit
cb5bf2b007940c14825dc734814bfe5ceae5b09f)
(cherry picked from commit
89c2fa9d9b5cd8f6e1cf9859965de04b3707fa5a)
(cherry picked from commit
8d693a79bedd8a4bf00c2e14f43b0c95ec950155)
(cherry picked from commit
5a9e8698c94fcfa14ab6a0c314881eb4be1d47c7)
Updated zoneinfo-all meta-package to fix warnings on build
Removed zoneinfo-simple from dependencies of zoneinfo-all as its contents are included in other packages.
(cherry picked from commit
1d88250815b5efe623bb01a591c4ca651c8f5600)
(cherry picked from commit
23e6200e4d0a435915ab4ef9700a7297e89b68b3)
(cherry picked from commit
0ff1a8666be7cc3ebde5838c4b166a2438f87567)
Josef Schlehofer [Tue, 17 Jan 2023 23:01:42 +0000 (00:01 +0100)]
unbound: update to version 1.17.1
- Refreshed one patch
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit
97e69ec89c8bdb1c6d092eb5e8491467a06a9963)
[Use AUTORELEASE]
Josef Schlehofer [Mon, 13 Feb 2023 08:52:43 +0000 (09:52 +0100)]
ffmpeg: update to version 4.3.5
Fixes: CVE-2020-21041
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Tianling Shen [Sat, 18 Mar 2023 15:13:26 +0000 (23:13 +0800)]
v2raya: Update to 2.0.4
- Added TproxyNotSkipBr flag for OpenWrt.
- Removed all upstreamed patches.
- Removed deprecated option.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
5062779dc79091d63929d44b6354e1cbefa2e8f5)
[removed nftables-related changes]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Tianling Shen [Mon, 20 Mar 2023 07:25:35 +0000 (15:25 +0800)]
yq: Update to 4.32.2
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
65dc683efe329a13afdc632150f886b88d7f5edf)
Florian Eckert [Fri, 17 Mar 2023 15:29:32 +0000 (16:29 +0100)]
Merge pull request #20671 from TDT-AG/pr/20220415-openwrt-21.2-strongswan-cves
strongswan: backport CVE fixes
Florian Eckert [Thu, 16 Mar 2023 14:05:46 +0000 (15:05 +0100)]
strongswan: bump PKG_RELEASE because of CVEs backports
CVE-2022-40617
45774858e8c99d4486aae384d32fb41837618c73
CVE-2021-41990
05836ef6685fea058fa91b5c0fd17abb77b72469
CVE-2021-45079
e4d4e9dc4844e3f05858c7e2bf7ba0787587518c
CVE-2021-41991
d1bc776958b2d4297bbdf92531d092c3bb0f093f
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Florian Eckert [Wed, 15 Mar 2023 07:19:50 +0000 (08:19 +0100)]
strongswan: add fix for CVE-2022-40617
Full details of the CVE can be found at the following link:
https://www.strongswan.org/blog/2022/10/03/strongswan-vulnerability-(cve-2022-40617).html
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Florian Eckert [Tue, 14 Mar 2023 09:11:38 +0000 (10:11 +0100)]
strongswan: add fix for CVE-2021-41990
Full details of the CVE can be found at the following link:
https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41990).html
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Florian Eckert [Tue, 14 Mar 2023 09:10:55 +0000 (10:10 +0100)]
strongswan: add fix for CVE-2021-45079
Full details of the CVE can be found at the following link:
https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Florian Eckert [Tue, 14 Mar 2023 09:09:53 +0000 (10:09 +0100)]
strongswan: add fix for CVE-2021-41991
Full details of the CVE can be found at the following link:
https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41991).html
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Michael Heimpold [Thu, 16 Mar 2023 06:30:35 +0000 (07:30 +0100)]
Merge pull request #20667 from mhei/21.02-php8-update-to-8.0.28
[21.02] php8: update to 8.0.28
Michael Heimpold [Tue, 14 Mar 2023 20:56:06 +0000 (21:56 +0100)]
php8: update to 8.0.28
This fixes:
- CVE-2023-0567
- CVE-2023-0568
- CVE-2023-0662
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Etienne Champetier [Sat, 11 Mar 2023 19:17:19 +0000 (14:17 -0500)]
mv88e6xxx_dump: update to 2023.03.08
This fixes 2 issues where mv88e6xxx_dump was displaying
data incorrectly for --vtu and --global2
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit
2bf3832193fdfe86e948f35fcc08b3ea5a341562)
Etienne Champetier [Sat, 28 Jan 2023 22:19:10 +0000 (00:19 +0200)]
mv88e6xxx_dump: add new packages to debug switch issues
Reviewed-by: Chris Healy cphealy@gmail.com
Reviewed-by: Robert Marko <robimarko@gmail.com>
Reviewed-by: Andre Heider <a.heider@gmail.com>
Tested-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit
167c6234d01e72da447e47e2c1b3f7a3195aab83)
Christian Marangi [Tue, 25 Oct 2022 09:03:01 +0000 (11:03 +0200)]
ci: update github actions to v3
Update checkout and upload-artifact action to v3 to mute nodejs
deprecation warning.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit
52570d4242822e3db678f5484c2ca3e72f485d52)
Jeffery To [Tue, 31 May 2022 07:02:04 +0000 (15:02 +0800)]
ci: Use openwrt/gh-action-sdk@v5
The previous build errors with v5 have been fixed. This version builds
packages as a normal user instead of as root.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit
37f9b77b01fd148c946dc313869602fb8203eaea)
Jeffery To [Fri, 15 Apr 2022 20:55:04 +0000 (04:55 +0800)]
golang: Fix conditionals not stripped
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit
86fd1ebbe44e5c0747b8429493257e9317eacb07)
Christian Lachner [Sat, 18 Feb 2023 07:18:51 +0000 (08:18 +0100)]
haproxy: update to v2.2.29
- Update haproxy download URL and hash
- This release fixes a critical flaw known as CVE-2023-25725. See:
http://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=4a4c90c2b04444d92c58873cfb19052f20280bc2
Signed-off-by: Christian Lachner <gladiac@gmail.com>
Tianling Shen [Fri, 3 Mar 2023 03:52:58 +0000 (11:52 +0800)]
v2raya: drop wrong patches
These patches should not be backported to OpenWrt, otherwise tproxy
won't work for devices connected to br-lan (bypassed by the fw rules).
We have introduced a new compile-time flag for new version (which
is not released yet), but it's unnecessary to backport redundant
patches as here is still at the old version.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
40669c4135d829254ba66b0f1a6827f94d229c96)
Tianling Shen [Fri, 3 Mar 2023 03:58:41 +0000 (11:58 +0800)]
yq: Update to 4.31.2
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
1343bb585607295d2e466dfed0dd596a14570c54)
Tianling Shen [Tue, 21 Feb 2023 07:57:46 +0000 (15:57 +0800)]
yq: Update to 4.31.1
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
b76bd94605c9c53b64935c78bba6ff98e2847e16)
Tianling Shen [Fri, 24 Feb 2023 02:36:35 +0000 (10:36 +0800)]
msgpack-c: Update to 5.0.0
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
5890d2f2d76c31de85ae54a586c445a936cc4c14)
Alan Swanson [Tue, 28 Feb 2023 09:45:37 +0000 (09:45 +0000)]
sed: remove old libpcre dependency
Signed-off-by: Alan Swanson <reiver@improbability.net>
(cherry picked from commit
0a00f0f2a582bc11979ecef2c60a68584fe4e935)
Dengfeng Liu [Sun, 22 Jan 2023 11:58:38 +0000 (11:58 +0000)]
xfrpc: update to version 2.1.606
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
(cherry picked from commit
db243b31c81a817c565feba7553c3b02d460d959)
Dengfeng Liu [Sun, 20 Nov 2022 09:11:41 +0000 (09:11 +0000)]
xfrpc: Update to 1.11.587
refactor tcp mux
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
(cherry picked from commit
419c4340026b585bfc558c3027d4308e862c795c)
Dengfeng Liu [Fri, 14 Oct 2022 08:36:16 +0000 (08:36 +0000)]
xfrpc: allow server_addr ip and domain
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
(cherry picked from commit
a7e3f28c3761de6e7eed5423fbd116eeeec38491)
Dengfeng Liu [Mon, 25 Jul 2022 02:29:20 +0000 (10:29 +0800)]
xfrpc: Update to 1.07.582
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
(cherry picked from commit
9fbd26f1709d3fbabf043c110cb46922f2eb6750)
Dengfeng Liu [Thu, 30 Jun 2022 08:10:05 +0000 (16:10 +0800)]
xfrpc: update to 1.06.579
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
(cherry picked from commit
5615ce33fa8c18944771c4aef0ce285bb3b60d47)
Dengfeng Liu [Thu, 30 Jun 2022 05:54:19 +0000 (13:54 +0800)]
xfrpc: set xfrpc's disabled default value to 0
change this to satisfy luci-app-xfrpc's need
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
(cherry picked from commit
10a24d4cad196b790b322bb4132086b1e350fde8)
Dengfeng Liu [Sat, 4 Jun 2022 11:55:27 +0000 (19:55 +0800)]
xfrpc: fix bug of xfrpc.init
replace xfrpc with xfrp
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
(cherry picked from commit
b3bd24f1afde9c1071b253959061ce4adc259d41)
Dengfeng Liu [Sat, 4 Jun 2022 04:28:55 +0000 (12:28 +0800)]
xfrpc: update to 1.05.561
support tcp mux and default to turn it on
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
(cherry picked from commit
d4430d2e89cd289807b4a9e21583cae245c1e81c)
Dengfeng Liu [Sun, 8 May 2022 04:02:04 +0000 (12:02 +0800)]
xfrpc: Update to 1.05.548
deprecated xfrps, compatible with frps
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
(cherry picked from commit
2cb01429b198702decc2744fc470270b3b328c63)
Dengfeng Liu [Tue, 5 Apr 2022 01:53:59 +0000 (01:53 +0000)]
xfrpc: fast reverse proxy client in c language
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
(cherry picked from commit
9af01c87bfb3007e0a169b57bf9762c88098dff9)
Michal Vasilek [Thu, 16 Feb 2023 09:20:13 +0000 (10:20 +0100)]
git: update to 2.34.7
Fixes CVE-2023-22490, CVE-2023-23946
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit
06f466cc61ce5e5c98d1147c165d3e96c31e41cc)
Peter van Dijk [Fri, 5 Nov 2021 12:06:15 +0000 (13:06 +0100)]
CI: do not crash during PKG-INFO generation if there are no packages
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
(cherry picked from commit
b5132de5cf4f7d0562445cf3c65f9f1a4bcb1bbf)
Peter van Dijk [Fri, 5 Nov 2021 12:06:15 +0000 (13:06 +0100)]
CI: add PKG-INFO metadata file
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
(cherry picked from commit
a40c1b3e442eccbf0619f06b473705f4a4a0ac6d)
Peter van Dijk [Fri, 5 Nov 2021 12:06:15 +0000 (13:06 +0100)]
CI: use git commit sha in name
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
(cherry picked from commit
bbf983721cf41fd94388b16ce90f018d6c0496f5)
Eneas U de Queiroz [Mon, 20 Feb 2023 12:37:44 +0000 (09:37 -0300)]
Merge pull request #20526 from nxhack/2102_node_14213
[21.02] node: bump to v14.21.3
Alexandru Ardelean [Mon, 20 Feb 2023 09:10:36 +0000 (11:10 +0200)]
Merge pull request #20518 from commodo/django-21.02
[21.02] django: bump to version 3.2.18
Hirokazu MORIKAWA [Sun, 19 Feb 2023 06:07:45 +0000 (15:07 +0900)]
node: bump to v14.21.3
Thursday February 16 2023 Security Releases
Notable Changes
The following CVEs are fixed in this release:
* CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
* CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
More detailed information on each of the vulnerabilities can be found in February 2023 Security Releases blog post.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Nick Hainke [Tue, 24 Jan 2023 22:25:22 +0000 (23:25 +0100)]
snowflake: update to v2.5.1
Changes in version v2.4.3 - 2023-01-16
- Fix version number in version.go
(Changes for v2.5.1 are missing)
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit
ac9027aebb5b9ed01cf9db28abec6bb4d0025afe)
Alexandru Ardelean [Fri, 17 Feb 2023 17:25:41 +0000 (19:25 +0200)]
django: bump to version 3.2.18
Fixes:
https://nvd.nist.gov/vuln/detail/CVE-2023-23969
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Tianling Shen [Thu, 9 Feb 2023 23:28:57 +0000 (07:28 +0800)]
xray-core: Update to 1.7.5
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
b4c4b17308d8ca742c4522810b3a8134049f3810)
[Updated geodata to latest version, based on
669357351c1625]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Noah Meyerhans [Thu, 26 Jan 2023 18:45:55 +0000 (10:45 -0800)]
bind: update to 9.18.11
Fixes CVEs:
- CVE-2022-3924: Fix serve-stale crash when recursive clients
soft quota is reached.
- CVE-2022-3736: Handle RRSIG lookups when serve-stale is
active.
- CVE-2022-3094: An UPDATE message flood could cause named to
exhaust all available memory. This flaw was addressed by adding
a new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been added to
record events when the update quota is exceeded, and the XML and
JSON statistics version numbers have been updated.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit
47fcec43abedab5c409259db1ac14c1ccc86bd02)
Oskari Rauta [Wed, 24 Nov 2021 23:28:25 +0000 (01:28 +0200)]
crun: update to 1.3
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
(cherry picked from commit
7034d3cbba813f8b19294667f058513e5745056e)
Oskari Rauta [Thu, 4 Nov 2021 23:41:20 +0000 (01:41 +0200)]
crun: update to version 1.2
release notes:
0.20.1
- container: ignore error when resetting the SELinux label for the keyring.
0.21
- when compiled with krun, automatically use it if the current executable file is called "krun"
- cgroup: lookup pids controller as well when the memory controller is not available
- status: add fields for owner and created timestamp
- honor memory swappiness set to 0
1.0
- Fix symlink target mangling for tmpcopyup targets.
- Makefile.am: fix link error when using directly libcrun.
- cgroup: add support for setting memory.use_hierarchy on cgroup v1.
- linux: treat pidfd_open failures EINVAL as ESRCH.
- cgroup: chown the current container cgroup to root in the container.
1.1
- utils: retry openat2 on EAGAIN. If the openat2 syscall is interrupted, try again.
- criu: fix save of external descriptors. Now restored containers attach correctly their standard streams.
- criu: Add support for external PID namespace.
- container: Set primary process to 1 via LISTEN_PID by default if user configuration is missing.
- exec: refuse to exec in a paused container/cgroup.
- cgroup: use cgroup.kill when available. It is faster to kill a container through its cgroup as there is no need to recurse over the cgroup pids and terminate each one of them.
1.2
- criu: add support for external ipc, uts and time namespaces.
- exec: fix regression in 1.1 where containers are being wrongly reported as paused.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
(cherry picked from commit
3873a850a5219bfb3143594843964a15860f3235)
Oskari Rauta [Thu, 16 Dec 2021 00:25:58 +0000 (02:25 +0200)]
podman: update to v3.4.4
list of changes: https://github.com/containers/podman/releases
Added patch for compiling with musl. Patch can be removed on next
release as it is already merged to podman git but not on this release.
Patch moves definition in source so definition is available before it
is being used.
Patch source: https://github.com/containers/podman/pull/12564
Patch re-created with quilt.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
(cherry picked from commit
5ff3b25509c9c1e5d1d43044fcc22dd19a10d779)
Oskari Rauta [Wed, 24 Nov 2021 23:14:07 +0000 (01:14 +0200)]
podman: update to 3.4.2
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
(cherry picked from commit
b011f3faf8f84d398c197773d711ac0cdde31aa3)
Olivier Poitrey [Thu, 26 Jan 2023 18:45:53 +0000 (18:45 +0000)]
nextdns: Update to version 1.39.4
Signed-off-by: Olivier Poitrey <rs@nextdns.io>
Rafał Miłecki [Wed, 25 Jan 2023 11:34:15 +0000 (12:34 +0100)]
ksmbd: select ASN1 explicitly to reduce dependencies
ksmbd requires ASN.1 grammar compiler so it depends on CONFIG_ASN1. It
should select kmod-asn1-decoder for above reason.
Due to some problems with kmod-asn1-decoder in the past ksmbd was
selecting kmod-nf-nathelper-extra instead. That was affecting network
performance in kernel as each loaded conntrack module adds some overhead
to packets processing.
Fix this unwanted side effect by depending on kmod-asn1-decoder
directly.
Link: http://lists.openwrt.org/pipermail/openwrt-devel/2023-January/040298.html
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Dirk Brenken [Fri, 27 Jan 2023 10:19:47 +0000 (11:19 +0100)]
Merge pull request #20406 from realizelol/openwrt-21.02
[21.02] banip: renew tor urls
Chris [Fri, 27 Jan 2023 09:58:06 +0000 (10:58 +0100)]
banip: renew tor urls as previous ones were dead.
Signed-off-by: Chris Schulten <bsw.bsw@gmx.de>