feed/packages.git
2 years agoxtables-addons: update to 3.19
Rosen Penev [Sun, 3 Apr 2022 02:43:09 +0000 (19:43 -0700)]
xtables-addons: update to 3.19

Fixes compilation with kernel 5.15.

Fixed changed binary name.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit e5af50679587bf39fec31f4af75f7aa8efd498a0)
(cherry picked from commit 4a5633b6b5dc7663d22e317072764fbefe35877c)

2 years agoffmpeg: add conflicts and provides
Josef Schlehofer [Mon, 24 Oct 2022 12:40:11 +0000 (14:40 +0200)]
ffmpeg: add conflicts and provides

Motivation of this change is that full variants provides the mini
variant and as well audio-dec package, thus you can not install both as
it fails with the following output:

Collected errors:
 * check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavcodec.so.58
But that file is already provided by package  * libffmpeg-full
 * check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavcodec.so.58.91.100
But that file is already provided by package  * libffmpeg-full
 * check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavdevice.so.58
But that file is already provided by package  * libffmpeg-full
 * check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavdevice.so.58.10.100
But that file is already provided by package  * libffmpeg-full
 * check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavformat.so.58
But that file is already provided by package  * libffmpeg-full
 * check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavformat.so.58.45.100
But that file is already provided by package  * libffmpeg-full
 * check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavutil.so.56
But that file is already provided by package  * libffmpeg-full
 * check_data_file_clashes: Package libffmpeg-audio-dec wants to install file /usr/lib/libavutil.so.56.51.100
But that file is already provided by package  * libffmpeg-full
 * opkg_install_cmd: Cannot install package libffmpeg-audio-dec.

Let's change it to:
Installing libffmpeg-audio-dec (4.3.4-1) to root...
Collected errors:
 * check_conflicts_for: The following packages conflict with libffmpeg-audio-dec:
 * check_conflicts_for:         libffmpeg-full *
 * opkg_install_cmd: Cannot install package libffmpeg-audio-dec.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 9693bd47c5a67def43577c082d8ece34ffaf5113)

2 years agoatlas-probe: fix SIGSEGV error on 32bit system
Christian Marangi [Tue, 25 Oct 2022 08:29:42 +0000 (10:29 +0200)]
atlas-probe: fix SIGSEGV error on 32bit system

Changes to time_t cause SIGSEGV error on 32bit system and cause ripe
atlas malfunction. (registration successful but no traffic)
Also introduce minor patch to fix some compilation warning.

While at it move PKG_RELEASE to AUTORELEASE macro.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 14c5dfe4c10f6550b7c4aab4419e0f64ef1abda4)

2 years agolibwebsockets: fix recursive dependency
Josef Schlehofer [Wed, 26 Oct 2022 07:12:38 +0000 (09:12 +0200)]
libwebsockets: fix recursive dependency

While running `make menuconfig`, it was discovered then there is a
recursive dependency like this:
tmp/.config-package.in:59138:error: recursive dependency detected!
tmp/.config-package.in:59138: symbol PACKAGE_libwebsockets-openssl is selected by PACKAGE_libwebsockets-mbedtls
tmp/.config-package.in:59122: symbol PACKAGE_libwebsockets-mbedtls depends on PACKAGE_libwebsockets-openssl

It is not possible with the recently added conflicts that two packages
(OpenSSL and full variant, which uses OpenSSL as well), which are almost the same
provides the same named package libwebsockets as their conflict - Mbed
TLS.

Fixes: 676c5c72b5eeb583da2603e399fac085fa442c59 ("libwebsockets: OpenSSL
and mbedTLS variants should conflict")

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit a4e8cbb89a48729b3c3ad615765549628d495b0f)

2 years agolibwebsockets: OpenSSL and mbedTLS variants should conflict
Josef Schlehofer [Tue, 25 Oct 2022 10:14:25 +0000 (12:14 +0200)]
libwebsockets: OpenSSL and mbedTLS variants should conflict

They provide the same files, but they don't conflict to each other, this
means that users can install them side by side.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 676c5c72b5eeb583da2603e399fac085fa442c59)

2 years agolibwebsockets: full variant provides OpenSSL
Josef Schlehofer [Tue, 25 Oct 2022 05:52:15 +0000 (07:52 +0200)]
libwebsockets: full variant provides OpenSSL

For some time, it is not possible to install ttyd and mosquitto-ssl at the
same time, so let's solve it that libwebsockets-full provides
libwebsockets-openssl. This allows to install ttyd and mosquitto at
the same time.

Also, we need to add conflict, because we should not have installed
libwebsockets-openssl and libwebsockets-full at the same time as they
provides the same files.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 77e682a11c53f4dcd0e76bdea5ee82de77eaacfe)

2 years agolighttpd: backport patch to fix dummy Sec-WebSocket-Key
Josef Schlehofer [Tue, 25 Oct 2022 07:40:37 +0000 (09:40 +0200)]
lighttpd: backport patch to fix dummy Sec-WebSocket-Key

It was requested in https://gitlab.nic.cz/turris/os/packages/-/issues/873

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit de49362d35a4baaa36ca8cab3fa874f3ca8cb6ad)

2 years agomariadb: Drop unused rundir fix socket dir perms
Michal Hrusecky [Fri, 21 Oct 2022 20:43:52 +0000 (22:43 +0200)]
mariadb: Drop unused rundir fix socket dir perms

We had been creating "rundir" but it was never used, probably leftover
from some removed function. At the same time, we were setting quite
strict rights to the socket directory (while comments sugested
otherwise).

Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit 8f6831b64b89243e7c1be5948f33e6737f7ddfc3)

2 years agoMerge pull request #19667 from miska/mariadb-21.02
Josef Schlehofer [Sun, 23 Oct 2022 07:44:53 +0000 (09:44 +0200)]
Merge pull request #19667 from miska/mariadb-21.02

[21.02] mariadb: Update to the latest version 10.4.26

2 years agopython3: update to version 3.9.15
Josef Schlehofer [Thu, 20 Oct 2022 19:59:19 +0000 (21:59 +0200)]
python3: update to version 3.9.15

Release notes:
- https://www.python.org/downloads/release/python-3915/

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2 years agomariadb: Update to the latest version 10.4.26 19667/head
Michal Hrusecky [Fri, 21 Oct 2022 21:36:45 +0000 (23:36 +0200)]
mariadb: Update to the latest version 10.4.26

Keeping the major version, bumping just a minor version. It includes
various bug fixes and security fixes.  For details, see:

* https://mariadb.com/kb/en/mariadb-10426-release-notes/
* https://mariadb.com/kb/en/mariadb-10425-release-notes/
* https://mariadb.com/kb/en/mariadb-10424-release-notes/
* https://mariadb.com/kb/en/mariadb-10423-release-notes/

While at it, also switching to AUTORELEASE and refreshing patches.

Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
2 years agoddns-scripts: fix cloudflare&digitalocean provides
Michal Vasilek [Tue, 18 Oct 2022 11:43:52 +0000 (13:43 +0200)]
ddns-scripts: fix cloudflare&digitalocean provides

Fixes mistake in dbe79e409d4d772d607364b47116a108508bb466, the
cloudflare PROVIDES got mixed up with digitalocean.

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit 001564ed8356398c0e61dec12063604127b290e7)
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Remove PKG_RELEASE version bump

2 years agoddns-scripts: add PROVIDES for old package names
Michal Vasilek [Wed, 12 Oct 2022 16:50:34 +0000 (18:50 +0200)]
ddns-scripts: add PROVIDES for old package names

* ddns-scripts-services: provide ddns-scripts_service
* ddns-scripts-cloudflare: provide ddns-scripts_digitalocean.com-v2
* ddns-scripts-freedns: provide ddns-scripts_freedns_42_pl
* ddns-scripts-godaddy: provide ddns-scripts_godaddy.com-v1
* ddns-scripts-noip: provide ddns-scripts_no-ip_com
* ddns-scripts-nsupdate: provide ddns-scripts_nsupdate
* ddns-scripts-route53: provide ddns-scripts_route53-v1
* ddns-scripts-cnkuai: provide ddns-scripts_cnkuai_cn

https://github.com/openwrt/packages/pull/13509 renamed many ddns-scripts
packages, but didn't include a PROVIDES for the old package names to
make updates work well.

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit dbe79e409d4d772d607364b47116a108508bb466)
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Remove PKG_RELEASE version bump

2 years agotailscale: fix -version
Michal Vasilek [Wed, 12 Oct 2022 17:29:55 +0000 (19:29 +0200)]
tailscale: fix -version

tailscale version, tailscaled -version and the web UI reported the wrong
version number which doesn't cause any issues, but it can be confusing.

This is fixed by specifying the version in go ldflags similar to how
it's done in many other go packages and the official tailscale Dockerfile.

version.Long version can not be specified in GO_PKG_LDFLAGS_X because it
contains a space and GO_PKG_LDFLAGS_X is always split at a space.

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit 738f44be4f39191aa4640086f37ef62420442e06)

2 years agokeepalived: fix build with IPVS disabled
Stijn Tintel [Wed, 22 Sep 2021 12:59:53 +0000 (15:59 +0300)]
keepalived: fix build with IPVS disabled

The genhash binary is only built when IPVS is enabled, so make its
installation depend on IPVS being enabled.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 624d2278e7e78fd568679ad3976a6cf35ae143d1)

2 years agokeepalived: update to version 2.2.4
Florian Eckert [Wed, 18 Aug 2021 07:42:06 +0000 (09:42 +0200)]
keepalived: update to version 2.2.4

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 3f5b2d8cb3317e951f609ea20f86c5494b12fb1f)

2 years agokeepalived: update to version 2.2.2
Florian Eckert [Tue, 9 Mar 2021 08:12:37 +0000 (09:12 +0100)]
keepalived: update to version 2.2.2

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit bdcb3d590587e6cc77c231025b5ea485e134e8ad)

2 years agopostgresql: update to version 13.8
Daniel Golle [Thu, 13 Oct 2022 19:21:11 +0000 (20:21 +0100)]
postgresql: update to version 13.8

Update to 13.8 maintainance release of the PostgreSQL 13 release.
This release contains a variety of fixes from 13.7, among also a fix
addressing CVE-2022-2625.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2 years agoperl-net-dns: update to version 1.35
Daniel Golle [Fri, 18 Mar 2022 18:50:34 +0000 (18:50 +0000)]
perl-net-dns: update to version 1.35

**** 1.35 Oct 4, 2022

    Improve SVCB error reporting.

Fix rt.cpan.org #144328
    accept_reply test fails with matched consecutive "random"
    generated packet->id

Fix rt.cpan.org #144299
    Spelling errors.

**** 1.34 May 30, 2022

    Improve robustness of EDNS option compose/decompose functions.
    Simplify code in Makefile.PL.

Fix rt.cpan.org #142426
    Avoid "Useless use of a constant in void context" warning.

**** 1.33 Dec 16, 2021
Fix rt.cpan.org #137768
    Test t/05-SVCB.t on Perl 5.18.0 fails with deep recursion.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 93a7806578acbdbdf972d87631623c640de8602c)
(cherry picked from commit b9338331be79cf8d0c1f9aa0dde2acf57a75ebe8)

2 years agopcsc-lite: update to version 1.9.8
Daniel Golle [Fri, 18 Mar 2022 18:36:16 +0000 (18:36 +0000)]
pcsc-lite: update to version 1.9.8

1.9.8: Ludovic Rousseau
11 June 2022
- Install install_spy.sh & uninstall_spy.sh scripts in docdir
- SCardTransmit(): do not fail if receive buffer is "too large"
- SCardControl(): do not fail if receive buffer is "too large"
- fix some memory leaks on shutdown
- use a better random number generator
- Some other minor improvements

1.9.7: Ludovic Rousseau
13 May 2022
- disable strict compilation by default
- fix 3 warnings

1.9.6: Ludovic Rousseau
11 May 2022
- do not fail reader removal in some specific cases (USB/Thunderbolt port)
- improve documentation regarding /etc/reader.conf.d/
- SCardGetStatusChange: speedup the case DISABLE_AUTO_POWER_ON
- configure:
  . add --disable-strict option
   By default the compiler arguments are now:
   -Wall -Wextra -Wno-unused-parameter -Werror ${CFLAGS}
  . fail if flex is not found
- fix different data races
- pcscdaemon: -v displays internal constants values:
  MAX_READERNAME & PCSCLITE_MAX_READERS_CONTEXTS
- Some other minor improvements

1.9.5: Ludovic Rousseau 4 December 2021
 - pcscd: autoexit even if no client connects
 - Fix variable substitution in systemd units
 - fix potential race conditions with powerState handling
 - Add and use tag TAG_IFD_DEVICE_REMOVED
 - UnitaryTests: port code to Python 3

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 5c22f4917557bccb51a57e1b6cc0cab1d093581f)
(cherry picked from commit db667b5b0ff51a2c74f61b166f1e5700e7161090)

pcsc-lite: update to verion 1.9.9

 1.9.9: Ludovic Rousseau
 11 September 2022
  - SCardEstablishContext() may return SCARD_W_SECURITY_VIOLATION if refused by Polkit
  - Fix SCardReleaseContext() failure on orphan handles
  - Fix SCardDisconnect() on orphan handle
  - pcsc-spy: log the pioSendPci & pioRecvPci SCardTransmit() parameters
  - Improve the log from pcscd: log the return code in text instead of hex
  - Some other minor improvements

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit a8698d5ede0e00b73f95592d63be212483224ce1)

2 years agolvm2: update to 2.03.15
Daniel Golle [Fri, 18 Mar 2022 18:49:33 +0000 (18:49 +0000)]
lvm2: update to 2.03.15

Version 2.03.15 - 07th February 2022
====================================
  Remove service based autoactivation. global/event_activation = 0 is NOOP.
  Improve support for metadata profiles for --type writecache.
  Use cache or active DM device when available with new kernels.
  Introduce function to utilize UUIDs from DM_DEVICE_LIST.
  Increase some hash table size to better support large device sets.

Version 2.03.16 - 18th May 2022
===============================
  Fix segfault when handling selection with historical LVs.
  Add support --vdosettings with lvcreate, lvconvert, lvchange.
  Filtering multipath devices respects blacklist setting from multipath
  configuration.
  lvmdevices support for removing by device id using --deviceidtype and
  --deldev.
  Display writecache block size with lvs -o writecache_block_size.
  Improve cachesettings description in man lvmcache.
  Fix lossing of delete message on thin-pool extension.

Mostly bug fixes and minor improvements.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 63408123dfb4eaaccd0e5c1ba02a300779e629f5)
(cherry picked from commit 4e70f5caef0e80d75bb0c50c1819b9ded6923adc)

2 years agolibudev-zero: update to version 1.0.1
Florian Eckert [Tue, 15 Mar 2022 14:04:55 +0000 (15:04 +0100)]
libudev-zero: update to version 1.0.1

The new version includes all previously locally backported patches.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 669e4a9542e5e6cb82a7b775733637e031260f62)

2 years agolibp11: update to version 0.4.12
Daniel Golle [Wed, 7 Sep 2022 18:49:34 +0000 (19:49 +0100)]
libp11: update to version 0.4.12

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d3b50744769fe954b6713cca98c45325cc477df1)

2 years agolibksba: update to version 1.6.1
Daniel Golle [Thu, 6 Oct 2022 14:24:28 +0000 (15:24 +0100)]
libksba: update to version 1.6.1

Update to stable release 1.6.1.
See commit log since version 1.6.0 for changes[1].

[1]: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=shortlog;h=d3c1e063d708a46ef39152256f8b1ea466b61be0
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit df589ce880bef12a297bfa39738deae84710ed4c)

2 years agolibinput: update to version 1.19.4
Daniel Golle [Fri, 18 Mar 2022 18:46:53 +0000 (18:46 +0000)]
libinput: update to version 1.19.4

This release includes a fix for CVE-2022-1215, a format string
vulnerabilty in the evdev device handling. For details, see
https://gitlab.freedesktop.org/libinput/libinput/-/issues/752

Peter Hutterer (2):
      evdev: strip the device name of format directives
      libinput 1.19.4

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 23638c7ffb104de7bea476726d42974cc42fb893)
(cherry picked from commit b95dbe4187a7a21f7cf13f578a81fa0337706190)

2 years agolibevdev: update to version 1.13.0
Daniel Golle [Wed, 7 Sep 2022 18:33:14 +0000 (19:33 +0100)]
libevdev: update to version 1.13.0

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 630f5b1608550bbe3dc204a50d873b3e54ad17af)

2 years agogpgme: update to version 1.18.0
Daniel Golle [Thu, 24 Mar 2022 22:30:03 +0000 (22:30 +0000)]
gpgme: update to version 1.18.0

 Noteworthy changes in version 1.17.0 (2022-02-07)
 -------------------------------------------------

 * New context flag "key-origin".  [#5733]
 * New context flag "import-filter".  [#5739]
 * New export mode to export secret subkeys.  [#5757]
 * Detect errors during the export of secret keys.  [#5766]
 * New function gpgme_op_receive_keys to import keys from a keyserver
   without first running a key listing.  [#5808]
 * Detect bad passphrase error in certificate import.  [T5713]
 * Allow setting --key-origin when importing keys.  [T5733]
 * Support components "keyboxd", "gpg-agent", "scdaemon", "dirmngr",
   "pinentry", and "socketdir" in gpgme_get_dirinfo.  [T5727,T5613]
 * Under Unix use poll(2) instead of select(2), when available.
   [T2385]
 * Do not use --flat_namespace when linking for macOS.  [T5610]
 * Fix results returned by gpgme_data_* functions.  [T5481]
 * Support closefrom also for glibc.  [rM4b64774b6d]
 * cpp,qt: Add support for export of secret keys and secret subkeys.
   [#5757]
 * cpp,qt: Support for adding existing subkeys to other keys.  [#5770]
 * qt: Extend ChangeExpiryJob to change expiration of primary key
   and of subkeys at the same time. [#4717]
 * qt: Expect UTF-8 on stderr on Windows.  [rM8fe1546282]
 * qt: Allow retrieving the default value of a config entry.  [T5515]

 Noteworthy changes in version 1.17.1 (2022-03-06)
 -------------------------------------------------

 * qt: Fix a bug in the ABI compatibility of 1.17.0.  [T5834]

 Noteworthy changes in version 1.18.0 (2022-08-10)
 -------------------------------------------------

 * New keylist mode to force refresh via external methods.  [T5951]
 * The keylist operations now create an import result to report the
   result of the locate keylist modes.  [T5951]
 * core: Return BAD_PASSPHRASE error code on symmetric decryption
   failure.  [T5939]
 * cpp, qt: Do not export internal symbols anymore.  [T5906]
 * cpp, qt: Support revocation of own OpenPGP keys.  [T5904]
 * qt: The file name of (signed and) encrypted data can now be set.  [T6056]
 * cpp, qt: Support setting the primary user ID.  [T5938]
 * python: Fix segv(NULL) when inspecting contect after exeception.  [T6060]

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d7799595bd74992145172706b5e65f71658e0e63)
(cherry picked from commit 00bfb4f151d80e8e6f7b860d423ef1fa8c926251)

2 years agogpgme: Fix compile with glibc 2.34
Hauke Mehrtens [Sun, 9 Jan 2022 18:45:49 +0000 (18:45 +0000)]
gpgme: Fix compile with glibc 2.34

This backports a patch from upstream gpgme to fix compilation with glibc 2.34.

It fixes the following build problem:
posix-io.c: In function '_gpgme_io_spawn':
posix-io.c:577:23: error: void value not ignored as it ought to be
  577 |             while ((i = closefrom (fd)) && errno == EINTR)
      |                       ^
make[5]: *** [Makefile:947: posix-io.lo] Error 1

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit dafb96c14837bf133e5215cf65fc7ed1439a375a)

2 years agogawk: update to version 5.2.0
Daniel Golle [Thu, 6 Oct 2022 15:27:31 +0000 (16:27 +0100)]
gawk: update to version 5.2.0

For changes see ChangeLog file[1].

[1]: https://git.savannah.gnu.org/cgit/gawk.git/plain/ChangeLog?h=gawk-5.2.0
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit cd20631bc7db1faf7b543656a265734adad0a6e2)

2 years agoexfatprogs: update to 1.1.3
Daniel Golle [Thu, 25 Mar 2021 22:50:23 +0000 (22:50 +0000)]
exfatprogs: update to 1.1.3

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 54b8e21fe7ba61fdd5fd60b6d9c211e27b7cd740)
(cherry picked from commit 97e87c471c4a8e03ff218f842ae37cbfd240cc96)
(cherry picked from commit b1585a53756fac2dcc08b7ecec9260c29714bf5a)
(cherry picked from commit 3caf9ce16be0ce305acc289023b74c88abb16b01)

2 years agoexim: update to version 4.96
Daniel Golle [Wed, 7 Sep 2022 17:24:22 +0000 (18:24 +0100)]
exim: update to version 4.96

Exim version 4.96
-----------------

JH/01 Move the wait-for-next-tick (needed for unique message IDs) from
      after reception to before a subsequent reception.  This should
      mean slightly faster delivery, and also confirmation of reception
      to senders.

JH/02 Move from using the pcre library to pcre2.  The former is no longer
      being developed or supported (by the original developer).

JH/03 Constification work in the filters module required a major version
      bump for the local-scan API.  Specifically, the "headers_charset"
      global which is visible via the API is now const and may therefore
      not be modified by local-scan code.

JH/04 Fix ClamAV TCP use under FreeBSD. Previously the OS-specific shim for
      sendfile() didi not account for the way the ClamAV driver code called it.

JH/05 Bug 2819: speed up command-line messages being read in.  Previously a
      time check was being done for every character; replace that with one
      per buffer.

JH/06 Bug 2815: Fix ALPN sent by server under OpenSSL.  Previously the string
      sent was prefixed with a length byte.

JH/07 Change the SMTP feature name for pipelining connect to be compliant with
      RFC 5321.  Previously Dovecot (at least) would log errors during
      submission.

JH/08 Remove stripping of the binaries from the FreeBSD build.  This was added
      in 4.61 without a reason logged. Binaries will be bigger, which might
      matter on diskspace-constrained systems, but debug is easier.

JH/09 Fix macro-definition during "-be" expansion testing.  The move to
      write-protected store for macros had not accounted for these runtime
      additions; fix by removing this protection for "-be" mode.

JH/10 Convert all uses of select() to poll().  FreeBSD 12.2 was found to be
      handing out large-numbered file descriptors, violating the usual Unix
      assumption (and required by Posix) that the lowest possible number will be
      allocated by the kernel when a new one is needed.  In the daemon, and any
      child procesees, values higher than 1024 (being bigger than FD_SETSIZE)
      are not useable for FD_SET() [and hence select()] and overwrite the stack.
      Assorted crashes happen.

JH/11 Fix use of $sender_host_name in daemon process.  When used in certain
      main-section options or in a connect ACL, the value from the first ever
      connection was never replaced for subsequent connections.  Found by
      Wakko Warner.

JH/12 Bug 2838: Fix for i32lp64 hard-align platforms. Found for SPARC Linux,
      though only once PCRE2 was introduced: the memory accounting used under
      debug offset allocations by an int, giving a hard trap in early startup.
      Change to using a size_t.  Debug and fix by John Paul Adrian Glaubitz.

JH/13 Bug 2845: Fix handling of tls_require_ciphers for OpenSSL when a value
      with underbars is given.  The write-protection of configuration introduced
      in 4.95 trapped when normalisation was applied to an option not needing
      expansion action.

JH/14 Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters.

JH/15 Fix a resource leak in *BSD.  An off-by-one error resulted in the daemon
      failing to close the certificates directory, every hour or any time it
      was touched.

JH/16 Debugging initiated by an ACL control now continues through into routing
      and transport processes.  Previously debugging stopped any time Exim
      re-execs, or for processing a queued message.

JH/17 The "expand" debug selector now gives more detail, specifically on the
      result of expansion operators and items.

JH/18 Bug 2751: Fix include_directory in redirect routers.  Previously a
      bad comparison between the option value and the name of the file to
      be included was done, and a mismatch was wrongly identified.
      4.88 to 4.95 are affected.

JH/19 Support for Berkeley DB versions 1 and 2 is withdrawn.

JH/20 When built with NDBM for hints DB's check for nonexistence of a name
      supplied as the db file-pair basename.  Previously, if a directory
      path was given, for example via the autoreply "once" option, the DB
      file.pag and file.dir files would be created in that directory's
      parent.

JH/21 Remove the "allow_insecure_tainted_data" main config option and the
      "taint" log_selector.  These were previously deprecated.

JH/22 Fix static address-list lookups to properly return the matched item.
      Previously only the domain part was returned.

JH/23 Bug 2864: FreeBSD: fix transport hang after 4xx/5xx response. Previously
      the call into OpenSSL to send a TLS Close was being repeated; this
      resulted in the library waiting for the peer's Close.  If that was never
      sent we waited forever.  Fix by tracking send calls.

JH/24 The ${run} expansion item now expands its command string elements after
      splitting.  Previously it was before; the new ordering makes handling
      zero-length arguments simpler.  The old ordering can be obtained by
      appending a new option "preexpand", after a comma, to the "run".

JH/25 Taint-check exec arguments for transport-initiated external processes.
      Previously, tainted values could be used.  This affects "pipe", "lmtp" and
      "queryprogram" transport, transport-filter, and ETRN commands.
      The ${run} expansion is also affected: in "preexpand" mode no part of
      the command line may be tainted, in default mode the executable name
      may not be tainted.

JH/26 Fix CHUNKING on a continued-transport.  Previously the usabliility of
      the the facility was not passed across execs, and only the first message
      passed over a connection could use BDAT; any further ones using DATA.

JH/27 Support the PIPECONNECT facility in the smtp transport when the helo_data
      uses $sending_ip_address and an interface is specified.
      Previously any use of the local address in the EHLO name disabled
      PIPECONNECT, the common case being to use the rDNS of it.

JH/28 OpenSSL: fix transport-required OCSP stapling verification under session
      resumption. Previously verify failed because no certificate status is
      passed on the wire for the restarted session. Fix by using the recorded
      ocsp status of the stored session for the new connection.

JH/29 TLS resumption: the key for session lookup in the client now includes
      more info that a server could potentially use in configuring a TLS
      session, avoiding oferring mismatching sessions to such a server.
      Previously only the server IP was used.

JH/30 Fix string_copyn() for limit greater than actual string length.
      Previously the copied amount was the limit, which could result in a
      overlapping memcpy for newly allocated destination soon after a
      source string shorter than the limit.  Found/investigated  by KM.

JH/31 Bug 2886: GnuTLS: Do not free the cached creds on transport connection
      close; it may be needed for a subsequent connection.  This caused a
      SEGV on primary-MX defer.  Found/investigated by Gedalya & Andreas.

JH/32 Fix CHUNKING for a second message on a connection when the first was
      rejected.  Previously we did not reset the chunking-offered state, and
      erroneously rejected the BDAT command.  Investigation help from
      Jesse Hathaway.

JH/33 Fis ${srs_encode ...} to handle an empty sender address, now returning
      an empty address.  Previously the expansion returned an error.

HS/01 Bug 2855: Handle a v4mapped sender address given us by a frontending
      proxy.  Previously these were misparsed, leading to paniclog entries.

Also contains commit 51be321b27 "Fix PAM auth. Bug 2813" addressing
CVE-2022-37451.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit f2763b95afc57b88dc9d494b3fbf3841ba38a314)

2 years agocryptsetup: update to version 2.5.0
Daniel Golle [Wed, 7 Sep 2022 17:39:46 +0000 (18:39 +0100)]
cryptsetup: update to version 2.5.0

Update to new major release of cryptsetup. For details, please see
the release notes[1].

[1]: https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.5/v2.5.0-ReleaseNotes
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 80439f802cc61e826277851aaeb30ba7a221195c)

2 years agocryptsetup: fix library paths by calling autoreconf
Daniel Golle [Sat, 23 Jul 2022 08:37:28 +0000 (09:37 +0100)]
cryptsetup: fix library paths by calling autoreconf

Use PKG_FIXUP:=autoreconf when building cryptsetup to prevent
accidental linkage against host libraries.

Fixes: #19011
Reported-by: @dreirund
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit ad0ac5198decbc15c57801509a3005c1608ecbce)

2 years agoccid: update to version 1.5.0
Daniel Golle [Fri, 18 Mar 2022 18:40:15 +0000 (18:40 +0000)]
ccid: update to version 1.5.0

1.5.0 - 27 January 2022, Ludovic Rousseau
   - Add support of
     - ACS ACR1281U
     - Circle CCR7125 ICC
     - Circle CIR125 ICC
     - Circle CIR125-DOT ICC
     - Circle CIR215 CL with iProduct 0x2100
     - Circle CIR315 DI
     - Circle CIR315 with idProduct: 0x0324
     - Circle CIR315 with idProduct: 0x7004
     - Circle CIR415 CL
     - Circle CIR515 ICC
     - Circle CIR615 CL
     - Circle CIR615 CL & 1S
     - ELYCTIS CL reader
     - Nitrokey Nitrokey 3
     - Thales Shield M4 Reader
   - Add support of simultaneous slot access on multi slots readers
   - Use FeliCa instead of Felica on SONY request
   - Fix SafeNet eToken 5110 SC issue
   - Allow vendor control commands for Omnikey 5427 CK
   - always compute readTimeout to use a value greater than default 3 seconds
   - Check the bSeq value when receiving a CCID frame
   - Avoid logging errors when a reader is removed
   - Some other minor improvements

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0dd218a2fb4a569ad61324ad6d57336453e1ef96)

2 years agoauc: update to 0.3.1
Daniel Golle [Mon, 21 Mar 2022 10:53:25 +0000 (10:53 +0000)]
auc: update to 0.3.1

Sync auc with main branch.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 6c9ab0e426466ca3bb18a76f2f6b4645015a31e0)
(cherry picked from commit f1969ab5849095dbfe85f34e9415988357ed53bf)
(cherry picked from commit 36525086ce468ba5f062f41be231be9f43d9488f)
(cherry picked from commit fd36c91db869544df882de6812cf57dd5056c976)

2 years agopython3: update to 3.9.14
Michal Vasilek [Mon, 10 Oct 2022 13:18:24 +0000 (15:18 +0200)]
python3: update to 3.9.14

* fixes CVE-2021-28861
* refresh patches

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
2 years agoMerge pull request #19581 from stangri/openwrt-21.02-curl
Stan Grishin [Mon, 10 Oct 2022 15:20:16 +0000 (08:20 -0700)]
Merge pull request #19581 from stangri/openwrt-21.02-curl

[21.02] curl: error out if wolfSSL is not usable

2 years agocurl: error out if wolfSSL is not usable 19581/head
Petr Štetiar [Mon, 10 Oct 2022 08:47:55 +0000 (10:47 +0200)]
curl: error out if wolfSSL is not usable

When we explicitly declare, that we would like to have curl built with
wolfSSL support using `--with-wolfssl` configure option, then we should
make sure, that we either endup with curl having that support, or it
shouldn't be available at all, otherwise we risk, that we end up with
regressions like following:

  configure:25299: checking for wolfSSL_Init in -lwolfssl
  configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip]
  In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33,
                   from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35,
                  from target-x86_64_musl/usr/include/wolfssl/ssl.h:35,
                   from conftest.c:47:
  target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory
       #include <wolfssl/wolfcrypt/sp_int.h>
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
  compilation terminated.

and in the end thus produce curl without https support:

 curl: (1) Protocol "https" not supported or disabled in libcurl

So fix it, by making the working wolfSSL mandatory and error out in
configure step when that's not the case:

 checking for wolfSSL_Init in -lwolfssl... no
 configure: error: --with-wolfssl but wolfSSL was not found or doesn't work

References: #19005, #19547
Upstream-Status: Accepted [https://github.com/curl/curl/pull/9682]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 9140f366ef91c6eeb04ca39347c40deecaf56419)

2 years agoMerge pull request #19569 from 1715173329/y2
Josef Schlehofer [Sun, 9 Oct 2022 19:37:09 +0000 (21:37 +0200)]
Merge pull request #19569 from 1715173329/y2

[openwrt-21.02] yq: Update to 4.28.1

2 years agoyq: Update to 4.28.1 19569/head
Tianling Shen [Sat, 8 Oct 2022 06:25:38 +0000 (14:25 +0800)]
yq: Update to 4.28.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 40f0e263bf63068ff8c4e1adeaf4e807498d95f5)

2 years agonode: bump to v14.20.1
Hirokazu MORIKAWA [Fri, 7 Oct 2022 07:18:29 +0000 (16:18 +0900)]
node: bump to v14.20.1

The following CVEs are fixed in this release:
* CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
* CVE-2022-32213: bypass via obs-fold mechanic (Medium)
* CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)
More detailed information on each of the vulnerabilities can be found in September 22nd 2022 Security Releases blog post.

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
2 years agoMerge pull request #19548 from ynezz/ynezz/openwrt-21.02-fix-broken-libcurl
Stan Grishin [Sat, 8 Oct 2022 00:33:43 +0000 (17:33 -0700)]
Merge pull request #19548 from ynezz/ynezz/openwrt-21.02-fix-broken-libcurl

[21.02] fix broken libcurl by backporting curl: fix compilation with wolfSSL

2 years agocurl: fix compilation with wolfSSL 19548/head
Rosen Penev [Wed, 20 Jul 2022 02:24:19 +0000 (19:24 -0700)]
curl: fix compilation with wolfSSL

options.h header is needed after bump of libwolfssl to version 5.5.1,
otherwise libcurl autodetection for libwolfssl availability fails and
libcurl is then compiled without https support.

Fixes: #19547
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 317575755a83fe21888439f1fd9adccca9e0f36e)
(cherry picked from commit ef545e0317e06cb388eec33c9dc4292f09473fdb)
Signed-off-by: Petr Štetiar <ynezz@true.cz> [commit verbosity]
2 years agoMerge pull request #19536 from ynezz/ynezz/openwrt-21.02-wolfssl-CVE-2022-39173
Petr Štetiar [Thu, 6 Oct 2022 11:34:38 +0000 (13:34 +0200)]
Merge pull request #19536 from ynezz/ynezz/openwrt-21.02-wolfssl-CVE-2022-39173

[21.02] treewide: fix security issues by bumping all packages using libwolfssl

2 years agolibgd: avoid recursive and redundant dependencies
Eneas U de Queiroz [Wed, 14 Sep 2022 21:32:47 +0000 (18:32 -0300)]
libgd: avoid recursive and redundant dependencies

Change the CONFLICTS line from the libgd-full to libgd to fix a
recursive dependency.

While at it, remove the redundant +LIBGD_TIFF:libtiff
+LIBGD_FREETYPE:libfreetype dependencies from Package/libgd/default.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 085eb34fbf7c7aaa20da35ebe2f493601c5f19b2)

2 years agotor: update to 0.4.7.10
Nick Hainke [Sat, 24 Sep 2022 15:59:40 +0000 (17:59 +0200)]
tor: update to 0.4.7.10

Release Notes:
https://forum.torproject.net/t/urgent-stable-release-0-4-5-14-0-4-6-12-and-0-4-7-10

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit b9cf0cdce6ee56778a0b7ecd3d5ed520b3e2dbac)
[fix commit title]
Signed-off-by: Nick Hainke <vincent@systemli.org>
2 years agotreewide: fix security issues by bumping all packages using libwolfssl 19536/head
Petr Štetiar [Mon, 3 Oct 2022 17:03:15 +0000 (19:03 +0200)]
treewide: fix security issues by bumping all packages using libwolfssl

As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.

So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.

Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 845d81ca0976c82829addc23e9e8b95885c910ee)
(cherry picked from commit f624e41f38e82e3b2df83e309e7bb00b68ad0091)

2 years agoMerge pull request #19518 from mhei/21.02-php8-update-8.0.24
Michael Heimpold [Tue, 4 Oct 2022 15:35:32 +0000 (17:35 +0200)]
Merge pull request #19518 from mhei/21.02-php8-update-8.0.24

[21.02] php8: update to 8.0.24

2 years agoMerge pull request #19517 from mhei/21.02-php7-update-7.4.32
Michael Heimpold [Tue, 4 Oct 2022 15:35:16 +0000 (17:35 +0200)]
Merge pull request #19517 from mhei/21.02-php7-update-7.4.32

[21.02] php7: update to 7.4.32

2 years agophp8: update to 8.0.24 19518/head
Michael Heimpold [Tue, 4 Oct 2022 05:45:10 +0000 (07:45 +0200)]
php8: update to 8.0.24

This fixes:
    - CVE-2022-31629
    - CVE-2022-31628

Also refresh patch to apply cleanly.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2 years agophp7: update to 7.4.32 19517/head
Michael Heimpold [Tue, 4 Oct 2022 05:41:38 +0000 (07:41 +0200)]
php7: update to 7.4.32

This fixes:
    - CVE-2022-31628
    - CVE-2022-31629

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2 years agolibs/cjson: bump to 1.7.15
Karl Palsson [Fri, 23 Sep 2022 12:01:25 +0000 (12:01 +0000)]
libs/cjson: bump to 1.7.15

This is a bugfix release.
Full release notes available at: https://github.com/DaveGamble/cJSON/releases/tag/v1.7.15

Signed-off-by: Karl Palsson <karlp@etactica.com>
2 years agomosquitto: bump to 2.0.15
Karl Palsson [Mon, 19 Sep 2022 11:45:13 +0000 (11:45 +0000)]
mosquitto: bump to 2.0.15

Changelog: https://mosquitto.org/blog/2022/08/version-2-0-15-released/
Changelog: https://mosquitto.org/blog/2021/11/version-2-0-14-released/

2.0.15 is bigger security and bugfix release.  2.0.14 had a couple of
  minor changes and was skipped for OpenWrt.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2 years agomosquitto: add missing 'persistence' section in config
Ptilopsis Leucotis [Sun, 15 May 2022 04:02:40 +0000 (07:02 +0300)]
mosquitto: add missing 'persistence' section in config

Section 'Persistence' in 'luci-app-mosquitto' is unusable without 'persistence'
section in config file.

Signed-off-by: Ptilopsis Leucotis <PtilopsisLeucotis@yandex.com>
2 years agobind: bump to 9.18.7
Noah Meyerhans [Wed, 21 Sep 2022 18:57:50 +0000 (11:57 -0700)]
bind: bump to 9.18.7

Fixes multiple security issues:

CVE-2022-38178 - Fix memory leak in EdDSA verify processing

CVE-2022-3080 - Fix serve-stale crash that could happen when
stale-answer-client-timeout was set to 0 and there was
a stale CNAME in the cache for an incoming query

CVE-2022-2906 - Fix memory leaks in the DH code when using OpenSSL 3.0.0
and later versions. The openssldh_compare(),
openssldh_paramcompare(), and openssldh_todns()
functions were affected

CVE-2022-2881 - When an HTTP connection was reused to get
statistics from the stats channel, and zlib
compression was in use, each successive
response sent larger and larger blocks of memory,
potentially reading past the end of the allocated
buffer

CVE-2022-2795 - Prevent excessive resource use while processing large
delegations

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit 58bcd3fad37eaf56d4dbeecc0c73abe464e7e987)

2 years agoyq: Update to 4.27.5
Tianling Shen [Mon, 19 Sep 2022 02:33:32 +0000 (10:33 +0800)]
yq: Update to 4.27.5

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit fca4f1b8301917cb4eb64d0f5e9bfb4836d3d8e8)

2 years agolighttpd: update to lighttpd 1.4.67 release hash
Glenn Strauss [Sun, 18 Sep 2022 07:02:40 +0000 (03:02 -0400)]
lighttpd: update to lighttpd 1.4.67 release hash

* update to lighttpd 1.4.67 release hash

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit f750089d26422557280ddfda1788f2491d15f701)

2 years agolighttpd: update to lighttpd 1.4.66 release hash
Glenn Strauss [Mon, 8 Aug 2022 06:04:22 +0000 (02:04 -0400)]
lighttpd: update to lighttpd 1.4.66 release hash

* update to lighttpd 1.4.66 release hash

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit 5eaf000c837612df72c9207e225a2911a190f86f)

2 years agoknot-resolver: update to 5.5.3
Michal Vasilek [Thu, 22 Sep 2022 17:47:41 +0000 (19:47 +0200)]
knot-resolver: update to 5.5.3

* fixes CVE-2022-40188

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit 5d2fd886930a95d14df02ca8fbaf6f3814df3c01)

2 years agolibtorrent-rasterbar: Update to 2.0.7
Tianling Shen [Sat, 3 Sep 2022 09:34:58 +0000 (17:34 +0800)]
libtorrent-rasterbar: Update to 2.0.7

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit c741bf64cdac2ac1059c0e545e1afd842820c8c1)

2 years agoMerge pull request #19408 from paper42/knot-3.2.1-21
Josef Schlehofer [Wed, 21 Sep 2022 07:38:56 +0000 (09:38 +0200)]
Merge pull request #19408 from paper42/knot-3.2.1-21

[21.02] knot: update to version 3.2.1

2 years agoknot: update to version 3.2.1 19408/head
Jan Hák [Tue, 13 Sep 2022 12:46:11 +0000 (14:46 +0200)]
knot: update to version 3.2.1

Signed-off-by: Jan Hák <jan.hak@nic.cz>
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit 023df0992a8b3fff97eb9dd8c36708114ac0f1a7)

2 years agopython-flask-socketio: update to 5.3.1
Michal Vasilek [Fri, 16 Sep 2022 10:48:19 +0000 (12:48 +0200)]
python-flask-socketio: update to 5.3.1

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit 7fd9d010a29173705241e2ade2172a28429234ca)

2 years agoksmbd-tools: add package with hotplug.d script for auto sharing
Rafał Miłecki [Wed, 10 Aug 2022 12:23:44 +0000 (14:23 +0200)]
ksmbd-tools: add package with hotplug.d script for auto sharing

One of common use cases for SMB3 server in routers is sharing hotplugged
drives. Users make many attempts setting that up which often are not
optimal.

This script handles it in the cleanest way by using:
1. hotplug.d mount subsystem
2. runtime config in the /var/run/config/

It provides a working basic solution that can be later adjusted by
modifying provided hotplug script.

A pretty much idential solution was part of the samba36 package. It was
added in the OpenWrt commit ef1efa756e0d0 ("samba36: add package with
hotplug.d script for auto sharing") as an answer for feature required by
the Rosinson company.

Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit d0406d4c956e92f979802640832180eedd1a6efe)

2 years agoksmbd-tools: append config from /var/run/config/ for runtime shares
Rafał Miłecki [Wed, 10 Aug 2022 12:23:40 +0000 (14:23 +0200)]
ksmbd-tools: append config from /var/run/config/ for runtime shares

Dynamically created shares shouldn't be stored in the /etc/config/
because of:
1. Flash wearing
2. Risk of inconsistent state on reboots

With this change all automation/hotplug.d scripts can store runtime in
the /var/run/config/samba. It's useful e.g. for USB drives that user
wants to be automatically shared.

Also: automated scripts should never call "uci [foo] commit" as that
could flush incomplete config. This problem also gets solved.

Identical feature was added to samba36 in the OpenWrt commit
5a59e2c059866 ("samba36: append config from /var/run/config/ for runtime
shares") but wasn't ported to ksmbd until now.

Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit c9cba619898d7bf87fc8277e57b473923d912c32)

2 years agosyslog-ng: update to version 3.38.1
Josef Schlehofer [Wed, 7 Sep 2022 10:00:59 +0000 (12:00 +0200)]
syslog-ng: update to version 3.38.1

- Release notes:
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.38.1

- Update the configuration file to use version 4.0 as mentioned in the
  release notes to try the latest changes

Fixes: CVE-2022-38725
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 34b7af9e0859418bb85e7d3ca131101dd912ae53)

2 years agoyq: Update to 4.27.3
Tianling Shen [Tue, 30 Aug 2022 06:48:07 +0000 (14:48 +0800)]
yq: Update to 4.27.3

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 90a76f6467c85157fabf1b614958f873b2169690)

2 years agoMerge pull request #19219 from ErwanMAS/backport_modifications_master
Josef Schlehofer [Tue, 30 Aug 2022 14:17:20 +0000 (16:17 +0200)]
Merge pull request #19219 from ErwanMAS/backport_modifications_master

tinc: backport  from master modifications

2 years agotinc: add creation of hosts directory for each network configuration 19219/head
Erwan MAS [Sat, 5 Mar 2022 21:00:21 +0000 (16:00 -0500)]
tinc: add creation  of hosts directory for each network configuration

Signed-off-by: Erwan MAS <erwan@mas.nom.fr>
(cherry picked from commit fb99d50c1edd4be765bef6d55bee26bfb90576b6)

2 years agotinc: use 'uci_get_state' instead of 'uci -P /var/state get'
Etienne Champetier [Thu, 12 Aug 2021 20:41:05 +0000 (16:41 -0400)]
tinc: use 'uci_get_state' instead of 'uci -P /var/state get'

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 440d3c04505719df09e39706e6af7c470a49d458)

2 years agosyslog-ng: fix OOM issues by adding support for logrotate
Petr Štetiar [Tue, 9 Aug 2022 08:28:43 +0000 (10:28 +0200)]
syslog-ng: fix OOM issues by adding support for logrotate

With heavy system logging which goes by default into `/var/log/messages`
log file which is usually placed in tmpfs/RAM one can trigger OOM killer
fairly easily, thus killing random processes and in some cases making
system unusable.

This is likely happening due to the fact, that Linux by default uses 1/2
of available RAM for tmpfs, which might be for example an issue on low
RAM devices with ath10k wireless.

So let's fix it by adding logrotate functionality which should limit the
size of `/var/log/messages` log file to 1M by default, but could be
tweaked by config knob if needed be.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 660fa63faf2881d69f903a589568b72fbd4d61f5)

2 years agopython-uci: update to version 0.9.0
Josef Schlehofer [Thu, 25 Aug 2022 14:45:53 +0000 (16:45 +0200)]
python-uci: update to version 0.9.0

- Release notes:
https://gitlab.nic.cz/turris/pyuci/-/tags/v0.9.0
- Update copyright while at it.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit e340fe8a124d1dcda2768ce3dfbcbaaf30fac44e)

2 years agoMerge pull request #19223 from commodo/django-21.02
Alexandru Ardelean [Wed, 24 Aug 2022 09:27:40 +0000 (12:27 +0300)]
Merge pull request #19223 from commodo/django-21.02

[21.02] django: bump to version 3.2.15

2 years agolibgd: add conflicts to each other
Josef Schlehofer [Mon, 22 Aug 2022 12:58:19 +0000 (14:58 +0200)]
libgd: add conflicts to each other

The full variant should conflict with the default variant. This prevents that
libgd and libgd-full could be installed side by side, and also, the full
variant should provide the libgd. Otherwise, if you install libgd-full,
you can not install vnstat.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 42b36b7180a1859502d72a42dcd6e9ef80519c55)

2 years agovim: variants conflict with each other
Karel Kočí [Mon, 22 Aug 2022 12:31:21 +0000 (14:31 +0200)]
vim: variants conflict with each other

This adds conflicts between the variants,
because they provide the same files, and it should not be
possible to install them side by side. Otherwise, it might happen that
half files would be from one variant and the other half from the
other.

Also, adds provides as if you request to install ``vim`` and
``vim-full``, then the request could be satisfied even they collide,
because ``vim-full`` provides ``vim`` package.

Signed-off-by: Karel Kočí <cynerd@email.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[add commit message]
(cherry picked from commit 46c058468aeaf7747c2e94e579020aa7f595c649)

2 years agopciutils: backport patch to fix compilation with older binutils
Josef Schlehofer [Sun, 21 Aug 2022 08:44:33 +0000 (10:44 +0200)]
pciutils: backport patch to fix compilation with older binutils

While building pciutils 3.8.0 for OpenWrt 21.02 includes target
mvebu/cortex-a9, mvebu/cortex-a53 and powerpc/8540, it fails because of
this error:

-I<turris1x/ws/build/staging_dir/toolchain-powerpc_8548_gcc-8.4.0_musl/include>   -c -o filter.o filter.c
{standard input}: Assembler messages:
{standard input}:6: Error: multiple versions [`pci_filter_init@@LIBPCI_3.8'|`pci_filter_init@LIBPCI_3.3'] for symbol `pci_filter_init_v38'
{standard input}:8: Error: multiple versions [`pci_filter_parse_slot@@LIBPCI_3.8'|`pci_filter_parse_slot@LIBPCI_3.3'] for symbol `pci_filter_parse_slot_v38'
{standard input}:10: Error: multiple versions [`pci_filter_parse_id@@LIBPCI_3.8'|`pci_filter_parse_id@LIBPCI_3.3'] for symbol `pci_filter_parse_id_v38'
{standard input}:12: Error: multiple versions [`pci_filter_match@@LIBPCI_3.8'|`pci_filter_match@LIBPCI_3.3'] for symbol `pci_filter_match_v38'
make[4]: *** [<builtin>: filter.o] Error 1
make[4]: Leaving directory '<turris1x/ws/build/build_dir/target-powerpc_8548_musl/pciutils-3.8.0/lib'>
make[3]: *** [Makefile:70: lib/libpci.so.3.8.0] Error 2
make[3]: Leaving directory '<turris1x/ws/build/build_dir/target-powerpc_8548_musl/pciutils-3.8.0'>
make[2]: *** [Makefile:88: <turris1x/ws/build/build_dir/target-powerpc_8548_musl/pciutils-3.8.0/.built]> Error 2
make[2]: Leaving directory '<turris1x/ws/build/feeds/packages/utils/pciutils'>

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit f08dadd517e4ecd5c15d4016dd6261d9fee3d41b)

2 years agoliburcu: update to version 0.13.2
Jan Hák [Mon, 22 Aug 2022 08:51:40 +0000 (10:51 +0200)]
liburcu: update to version 0.13.2

Signed-off-by: Jan Hák <jan.hak@nic.cz>
(cherry picked from commit 754ba8920b1d5a61250897e146d1ad50778a7567)

2 years agoknot: update to version 3.2.0
Jan Hák [Mon, 22 Aug 2022 08:56:18 +0000 (10:56 +0200)]
knot: update to version 3.2.0

Signed-off-by: Jan Hák <jan.hak@nic.cz>
(cherry picked from commit 74e2bfdd27bbf3625498ede40e357c8d409fbe91)

2 years agodjango: bump to version 3.2.15 19223/head
Alexandru Ardelean [Mon, 22 Aug 2022 06:27:39 +0000 (09:27 +0300)]
django: bump to version 3.2.15

Fixes: https://nvd.nist.gov/vuln/detail/CVE-2022-36359
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2 years agoCI: checkout HEAD commit rather than merge commit
Paul Spooren [Fri, 5 Mar 2021 09:16:00 +0000 (23:16 -1000)]
CI: checkout HEAD commit rather than merge commit

GitHub CI actions/checkout uses a merge commit which isn't compatible
with our formality checks. Instead checkout the pull request HEAD.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 13c1f2bcda33ab8fc17ede1f43f60e0aac8b7cab)

2 years agoCI: migrate formal checks from CircleCI to GitHub
Paul Spooren [Fri, 5 Mar 2021 02:52:35 +0000 (16:52 -1000)]
CI: migrate formal checks from CircleCI to GitHub

Run the formal checks like SoB message via the GitHub CI.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 1b46af0e594858c7df17f00ee8c3a42e32a76215)

2 years agosquid: bump to 4.17
Marko Ratkaj [Wed, 30 Mar 2022 13:29:13 +0000 (15:29 +0200)]
squid: bump to 4.17

Signed-off-by: Marko Ratkaj <markoratkaj@gmail.com>
(cherry picked from commit 15132b85b76409108c441470998c79d1b8d37814)

2 years agosquid: update to 4.16
Rosen Penev [Wed, 7 Jul 2021 03:37:25 +0000 (20:37 -0700)]
squid: update to 4.16

Fixes compilation with GCC11.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit ad4c04283ec55f307db5fa5931157385315cafb7)

2 years agodnscrypt-proxy2: update to version 2.1.2
Fabian Lipken [Tue, 16 Aug 2022 07:34:23 +0000 (09:34 +0200)]
dnscrypt-proxy2: update to version 2.1.2

Signed-off-by: Fabian Lipken <dynasticorpheus@gmail.com>
(cherry picked from commit 2c617bbe224ab2e6878e86c5cd61dbfa59440500)

2 years agopciutils: update to 3.8.0
Lucian Cristian [Wed, 1 Jun 2022 14:55:00 +0000 (14:55 +0000)]
pciutils: update to 3.8.0

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(cherry picked from commit c5ec5c70b3bcb053fea8441f028dfac0c3a18d56)

2 years agorclone: Update to 1.59.1
Tianling Shen [Wed, 10 Aug 2022 09:03:25 +0000 (17:03 +0800)]
rclone: Update to 1.59.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 5c4b54de567847f05d25260d4991bfa4ebe97c6e)

2 years agotelegraf: Update to version 1.23.4
Jonathan Pagel [Thu, 18 Aug 2022 05:14:35 +0000 (07:14 +0200)]
telegraf: Update to version 1.23.4

Signed-off-by: Jonathan Pagel <jonny_tischbein@systemli.org>
(cherry picked from commit e4555e03ee86ef62cf09ce1436c865d5eb472960)
Signed-off-by: Jonathan Pagel <jonny_tischbein@systemli.org>
2 years agotelegraf: Add influxdb2 output plugin to package version small
Jonathan Pagel [Tue, 9 Aug 2022 05:27:45 +0000 (07:27 +0200)]
telegraf: Add influxdb2 output plugin to package version small

Signed-off-by: Jonathan Pagel <jonny_tischbein@systemli.org>
(cherry picked from commit a5e96189c3dadabb3e20d8139638bbb6da6773bf)
Signed-off-by: Jonathan Pagel <jonny_tischbein@systemli.org>
2 years agoknot: update to 3.1.9
Jan Hák [Mon, 15 Aug 2022 12:50:23 +0000 (14:50 +0200)]
knot: update to 3.1.9

Signed-off-by: Jan Hák <jan.hak@nic.cz>
(cherry picked from commit 39a08a7aaf18a7b4a4a12f46006238336bd5dba3)

2 years agonumpy: bump to version 1.20.2
Alexandru Ardelean [Mon, 29 Mar 2021 06:51:56 +0000 (09:51 +0300)]
numpy: bump to version 1.20.2

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit 731bb0265da381b49e23fff9b1879a0a1d40f47e)

2 years agorclone: fix init script on CIDR format ipaddr
Liangbin Lian [Fri, 5 Aug 2022 08:20:32 +0000 (16:20 +0800)]
rclone: fix init script on CIDR format ipaddr

Signed-off-by: Liangbin Lian <jjm2473@gmail.com>
(cherry picked from commit 7af716f12d7aeaef48ccc3f025927808af0bf461)

2 years agoMerge pull request #19140 from BKPepe/gcc-21.02
Josef Schlehofer [Sat, 13 Aug 2022 08:08:32 +0000 (10:08 +0200)]
Merge pull request #19140 from BKPepe/gcc-21.02

gcc: update to allow compiling different versions

2 years agopython-websockets: update to version 10.3
Josef Schlehofer [Fri, 12 Aug 2022 19:35:25 +0000 (21:35 +0200)]
python-websockets: update to version 10.3

- Update copyright

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit ce1679a07fab643b85217b35f8c7857a9e3199c1)

2 years agolibreswan: update to 4.6
Lucian Cristian [Tue, 18 Jan 2022 03:20:34 +0000 (05:20 +0200)]
libreswan: update to 4.6

this update also fixes a CVE

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(cherry picked from commit ec252c20cc635fb65f972facfcdc8756099a21dd)

2 years agolibreswan: update to 4.5
Lucian Cristian [Sun, 12 Sep 2021 10:00:42 +0000 (13:00 +0300)]
libreswan: update to 4.5

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(cherry picked from commit b2efa063d2c244fcf4f1defb635ece6e6460a8b3)

2 years agonss: update to 3.67
Rosen Penev [Wed, 7 Jul 2021 03:02:49 +0000 (20:02 -0700)]
nss: update to 3.67

Switch to AUTORELEASE for simplicity.

Disable parallel compilation as there's something wrong with NSS' build
system. Reliably fails with make -j 12 on a ryzen 3600.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 1b9e2047007b675d8f40565f3586589f3bedc29c)

2 years agonss: update to 3.65
Lucian Cristian [Thu, 20 May 2021 21:06:23 +0000 (00:06 +0300)]
nss: update to 3.65

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(cherry picked from commit 0f5eadf362ab3cbd3c89a5aa6828265bcc3bc1cd)

2 years agocgi-io: update to latest Git HEAD
Jo-Philipp Wich [Wed, 10 Aug 2022 21:52:19 +0000 (23:52 +0200)]
cgi-io: update to latest Git HEAD

901b0f0 main: fix two one-byte overreads in header_value()

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 443c6c1c17e29466cc81f44504602d66d993bf86)

2 years agogcc: update to allow compiling different versions 19140/head
W. Michael Petullo [Wed, 18 May 2022 22:06:25 +0000 (17:06 -0500)]
gcc: update to allow compiling different versions

This is based on the toolchain GCC, and aims to share as much of its
Makefile and patches with that definition. The package requires one
additional patch:

(1) 003-dont-choke-when-building-32bit-on-64bit.patch, which fixes the
`error: size of array 'test_real_width' is negative` error that occurs
when building a 32-bit GCC on a 64-bit host. (Search the Internet for
examples of this error appearing.)

Signed-off-by: W. Michael Petullo <mike@flyn.org>
(cherry picked from commit ceaa6e840e0b57c1b47c784997187044e3311d23)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[added gcc version 9.3.0, downgraded gcc to 10.2.0, removed gcc version
11.3.0 as it is now in sync with OpenWrt 21.02]

2 years agoyq: Update to 4.27.2
Tianling Shen [Sat, 6 Aug 2022 16:29:35 +0000 (00:29 +0800)]
yq: Update to 4.27.2

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 82a45b28b736642d263038e0b596c620fa5102e7)