Hirokazu MORIKAWA [Tue, 27 Mar 2018 08:05:45 +0000 (17:05 +0900)]
icu: fix CVE-2017-15422
[lede-17.01]
Maintainer: me
Compile tested: ar71xx, mips_24kc_gcc-5.4.0_musl-1.1.16, lede-17.01 r3863-fad29d2
Run tested: NONE
Description:
CVE-2017-15422 : integer overflow in icu
https://security-tracker.debian.org/tracker/CVE-2017-15422
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Tony Ambardar [Mon, 8 Jan 2018 11:50:26 +0000 (03:50 -0800)]
sqm-scripts: Fix return value bug in postrm script
The script removes the UCI option ucitrack.@sqm[0] if present and then
returns success. If that UCI option is already absent however, the
script incorrectly returns failure, which blocks upgrade of the
luci-app-sqm package.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Karl Palsson [Thu, 1 Mar 2018 11:20:03 +0000 (11:20 +0000)]
mosquitto: bump to 1.4.15 for CVE fixes.
See https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
for full details.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Rafał Miłecki [Mon, 19 Feb 2018 11:43:14 +0000 (12:43 +0100)]
minidlna: exclude "po" directory to fix CONFIG_BUILD_NLS=y builds
This fixes:
*** error: gettext infrastructure mismatch: using a Makefile.in.in from gettext version 0.18 but the autoconf macros are from gettext version 0.19
Makefile of minidlna package specifies PKG_FIXUP:=autoreconf. That
results in calling autoreconf with multiple arguments, including many -I
ones. One of autoreconf steps is calling aclocal with the same set of -I
arguments.
All of that results in:
1) aclocal using staging_dir's /usr/share/aclocal and its po.m4
2) not using minidlna's po.m4
3) not updating Makefile.in.in
If staging_dir's po.m4 has different GETTEXT_MACRO_VERSION than the
minidlna's one it'll result in a mismatch in the Makefile.in. Ideally we
should take care of regenerating Makefile.in.in but this isn't
currently supported. As localization isn't properly supported anyway
(no shipping .mo files) it's safe to just disable building po files.
Added patch comes from the master branch commit d5fcc972ba57d
("multimedia/minidlna: Update to 1.2.0").
Fixes: 72928442614d9 ("minidlna: backport fixes from 1.1.6 and 1.2.0 releases")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
champtar [Wed, 31 Jan 2018 15:55:37 +0000 (07:55 -0800)]
Merge pull request #5492 from micmac1/fix-sqlite3-on-uclibc
sqlite3 [lede-17.01]: fix uClibc builds
Sebastian Kemper [Tue, 23 Jan 2018 19:57:23 +0000 (20:57 +0100)]
sqlite3: fix uClibc builds
When compiling against uClibc on lede-17.01 it's detected in the linking
phase that '__isnan' is nowhere to be found:
sqlite3-sqlite3.o: In function `serialGet':
sqlite3.c:(.text+0x6364): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_result_double':
sqlite3.c:(.text+0x10faa): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VXPrintf':
sqlite3.c:(.text+0x175ca): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_bind_double':
sqlite3.c:(.text+0x1b0ac): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VdbeExec':
sqlite3.c:(.text+0x3b77e): undefined reference to `__isnan'
collect2: error: ld returned 1 exit status
To fix this libm needs to be linked in as well in the uClibc case. So
add libm ('-lm') to the TARGET_LDFLAGS accordingly.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Nikos Mavrogiannopoulos [Tue, 30 Jan 2018 19:34:14 +0000 (20:34 +0100)]
p11-kit: disable trust module
This prevents a build error due to trust-paths not being
specified. The trust module was not being used in openwrt.
Resolves #5528
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Jiri Slachta [Tue, 30 Jan 2018 18:57:37 +0000 (19:57 +0100)]
Merge pull request #5541 from micmac1/jiri-lede-17.01
libssh2, libxslt, tiff: security bumps + fix (for lede-17.01)
Sebastian Kemper [Tue, 30 Jan 2018 14:13:05 +0000 (15:13 +0100)]
tiff: version bump to address open CVEs
- Version bump to 4.0.9, as otherwise ca. a dozen patches would need
to be added to fix the open CVEs. There have been no API/ABI
changes between 4.0.6 and 4.0.9, so this is OK.
- Adds patches copied from Debian for CVE-2017-18013 and CVE-2017-9935
on top.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Sebastian Kemper [Tue, 30 Jan 2018 14:09:01 +0000 (15:09 +0100)]
libxslt: add patches copied from Debian to fix CVEs
- there are multiple open CVEs, this adds patches for them
- adds --disable-silent-rules for verbose build output
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Sebastian Kemper [Tue, 30 Jan 2018 14:06:06 +0000 (15:06 +0100)]
libssh: fix zlib detection
- currently zlib is never detected, although there is a dependency on
it, fix that.
- change links from http to https
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
tripolar [Sat, 27 Jan 2018 12:24:29 +0000 (13:24 +0100)]
Merge pull request #5493 from micmac1/fix-alsa-lib-on-uclibc
alsa-lib [lede-17.01]: fix build on uclibc
Sebastian Kemper [Tue, 23 Jan 2018 20:54:07 +0000 (21:54 +0100)]
alsa-lib: fix uClibc builds
Currently alsa-lib fails to build on uClibc:
parser.c: In function 'snd_tplg_build_file':
parser.c:262:35: error: 'S_IRUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
parser.c:262:35: note: each undeclared identifier is reported only once for each function it appears in
parser.c:262:45: error: 'S_IWUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
parser.c: In function 'snd_tplg_build':
parser.c:330:35: error: 'S_IRUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
parser.c:330:45: error: 'S_IWUSR' undeclared (first use in this function)
open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
^
Makefile:390: recipe for target 'parser.lo' failed
Fix this by adding an upstream fix as a backport.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Hannu Nyman [Fri, 26 Jan 2018 14:29:20 +0000 (16:29 +0200)]
Merge pull request #5497 from daztucker/lede-17.01
net/https-dns-proxy: Update to 2018-01-24.
Darren Tucker [Wed, 24 Jan 2018 05:50:19 +0000 (16:50 +1100)]
net/https-dns-proxy: Update to 2018-01-24.
Add dependency on ca-bundle without which the HTTPS fetches fail.
Add "-x" option to force HTTP/1.1 instead of HTTP/2.0
Add a workaround for bug in libcurl <7.530 that prevents it from
working at all when built with mbedtls.
Signed-off-by: Darren Tucker <dtucker@dtucker.net>
Acked-by: Aaron Drew <aarond10@gmail.com>
Luiz Angelo Daros de Luca [Mon, 22 Jan 2018 10:43:03 +0000 (08:43 -0200)]
Merge pull request #5317 from luizluca/17.01/ruby-2.4.3
[17.01] ruby: bump to 2.4.3
Hannu Nyman [Sat, 20 Jan 2018 08:03:35 +0000 (10:03 +0200)]
Merge pull request #5479 from EricLuehrsen/lede-17.01-unbound-168
[lede-17.01] unbound: update to 1.6.8 for CVE-2017-15105
Eric Luehrsen [Sat, 20 Jan 2018 02:24:54 +0000 (21:24 -0500)]
unbound: update to 1.6.8 for CVE-2017-15105
A vulnerability was discovered in the processing of wildcard synthesized
NSEC records. While synthesis of NSEC records is allowed by RFC4592,
these synthesized owner names should not be used in the NSEC processing.
This does, however, happen in Unbound 1.6.7 and earlier versions.
(see https://unbound.net/downloads/CVE-2017-15105.txt)
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Hannu Nyman [Fri, 19 Jan 2018 13:10:12 +0000 (15:10 +0200)]
Merge pull request #5477 from dibdot/travelmate-17.01
[17.01] travelmate: release 1.0.2
Hannu Nyman [Fri, 19 Jan 2018 13:10:02 +0000 (15:10 +0200)]
Merge pull request #5476 from dibdot/adblock-17.01
[17.01] adblock: release 3.4.3
Dirk Brenken [Fri, 19 Jan 2018 09:02:23 +0000 (10:02 +0100)]
[17.01] travelmate: release 1.0.2
* bump travelmate version in stable tree
Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken [Fri, 19 Jan 2018 08:50:39 +0000 (09:50 +0100)]
[17.01] adblock: release 3.4.3
* bump adblock version in stable tree
Signed-off-by: Dirk Brenken <dev@brenken.org>
Yousong Zhou [Fri, 19 Jan 2018 03:14:32 +0000 (11:14 +0800)]
vpnc: fix using proto_add_host_dependency
Fixes #4343
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Alexandru Ardelean [Thu, 16 Mar 2017 19:33:41 +0000 (21:33 +0200)]
ulogd: use strncpy instead of memcpy
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit 953f951c5eb3841e619a18b3aeb95a652dbb9a93)
Hannu Nyman [Sat, 6 Jan 2018 10:20:47 +0000 (12:20 +0200)]
wget: backport 1.19.2 from master
Backport the update to 1.19.2 from master.
Fixes e.g. CVE-2017-13089 and CVE-2017-13090
(tested in my own ipq806x and ar71xx lede-17.01 builds)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Banglang Huang [Sat, 6 Jan 2018 10:04:33 +0000 (12:04 +0200)]
tree: backport from master
Tree is a recursive directory listing command that
produces a depth indented listing of files, which is
colorized ala dircolors if the LS_COLORS environment
variable is set and output is to tty.
root@lede:/# tree -L 1
.
├── bin
├── dev
├── etc
├── lib
├── mnt
├── overlay
├── proc
├── rom
├── root
├── sbin
├── sys
├── tmp
├── usr
├── var -> /tmp
└── www
15 directories, 0 files
http://mama.indstate.edu/users/ice/tree/
Signed-off-by: BangLang Huang <banglang.huang@foxmail.com>
(cherry picked from commit b6ff884d4570e5f522ad97bbd481362ee1ebeff7)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Daniel Golle [Thu, 4 Jan 2018 23:20:31 +0000 (00:20 +0100)]
postgresql: update to version 9.5.10
Contains fixes for
* CVE-2017-15099
* CVE-2017-15098
* CVE-2017-12172
* CVE-2017-7548
* CVE-2017-7547
* CVE-2017-7546
* CVE-2017-7486
* CVE-2017-7485
* CVE-2017-7484
Note that some fixes apply for newly created databases only!
To mitigate CVE-2017-7486 and CVE-2017-7547 in existing databases,
a procedure described in the release notes of PostgreSQL 9.5.8
is necessary!
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Rosen Penev [Mon, 11 Dec 2017 03:54:14 +0000 (19:54 -0800)]
gnutls: Use HTTPS instead of FTP
While recently building asterisk, the make system stalled on gnutls. On my install of Ubuntu 16.04 on WSL, it seems curl can't download from ftp and doesn't even time out properly. Easiest solution is to switch the gnutls Makefile to use HTTPS instead.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Luiz Angelo Daros de Luca [Fri, 22 Dec 2017 05:28:56 +0000 (03:28 -0200)]
ruby: bump to 2.4.3
This release includes some bug fixes and a security fix.
CVE-2017-17405: Command injection vulnerability in Net::FTP
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit fc0105391766404699330e455bc028d8a52a2553)
Arturo Rinaldi [Sat, 9 Dec 2017 20:39:24 +0000 (21:39 +0100)]
python: declare explicit Host/Compile to fix pgen tool installation error
Signed-off-by: Arturo Rinaldi arty.net2@gmail.com
[squash commits, fix commit title]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
champtar [Mon, 11 Dec 2017 19:43:46 +0000 (11:43 -0800)]
Merge pull request #5012 from TDT-AG/20171025-luci-app-mwan3-fix-iface_state
net/mwan3-luci: fix iface_state on status page for 17.01
Florian Eckert [Wed, 25 Oct 2017 11:46:15 +0000 (13:46 +0200)]
net/mwan3-luci: fix iface_state on status page
Since commit 4739584c2434fda6c4f14b0ef3d38fa055352c0e the status of the
interface is not reported correctly anymore. To fix this issue do not test
if the routing table is presented use instead the "/var/run/iface_state/[iface]"
to get the interface state because the routing table will not get deleted
anymore if the interface is offline.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Jo-Philipp Wich [Tue, 5 Dec 2017 13:32:57 +0000 (14:32 +0100)]
Merge pull request #5228 from commodo/python-2.7.14-17.01
python: update to version 2.7.14 for branch 17.01
Alexandru Ardelean [Tue, 5 Dec 2017 13:15:09 +0000 (15:15 +0200)]
python: update to version 2.7.14 for branch 17.01
Bump version and overwrite patches from master,
since those were refreshed (at some point).
I got an email notification about some CVEs
for branch 17.01, so I decided to update Python.
Technically, one seems to be for SolidWorks
from what I can tell, but upgrading should be easy.
```
Hello Alexandru Ardelean,
The package python is vulnerable to the following CVEs:
CVE-2014-4616
https://nvd.nist.gov/vuln/detail/CVE-2014-4616
CVE-2017-100015
https://nvd.nist.gov/vuln/detail/CVE-2017-100015
Please consider updating or patching the package.
```
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Daniel Golle [Mon, 20 Nov 2017 16:49:34 +0000 (17:49 +0100)]
attendedsysupgrade-common: add package
This package provides the UCI config shared by both, the CLI and Web
clients used for attended-sysupgrade.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Saverio Proto [Sun, 5 Nov 2017 03:00:10 +0000 (04:00 +0100)]
tinc: version bump 1.0.33
Signed-off-by: Saverio Proto <saverio.proto@switch.ch>
Nikos Mavrogiannopoulos [Sat, 21 Oct 2017 18:24:35 +0000 (20:24 +0200)]
gnutls: updated to 3.5.16
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Matthias Schiffer [Mon, 23 Oct 2017 02:52:49 +0000 (04:52 +0200)]
jool: fix PKG_BUILD_DIR to avoid kernel ABI mismatch
As jool builds a kernel module, a PKG_BUILD_DIR under KERNEL_BUILD_DIR must
be used to avoid reusing build artifacts when switching to a different
target of the same architecture. Otherwise, kernel ABI mismatches may
result, leading to an unusable module, or build failures like the
following:
Package kmod-jool is missing dependencies for the following libraries:
crypto_hash.ko
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Etienne Champetier [Mon, 23 Oct 2017 00:49:50 +0000 (17:49 -0700)]
monit: update to 5.24, use https download url
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Etienne Champetier [Sun, 9 Jul 2017 03:13:40 +0000 (20:13 -0700)]
monit: update to 5.23
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Etienne CHAMPETIER [Mon, 23 Jan 2017 03:48:23 +0000 (19:48 -0800)]
monit: update to 5.20, use PKG_HASH
this adds zlib as dependency
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Etienne Champetier [Sun, 9 Jul 2017 03:13:27 +0000 (20:13 -0700)]
sqlite3: update to 3.19.3
fix possible database corruption
https://www.sqlite.org/releaselog/3_19_3.html
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Daniel Engberg [Wed, 31 May 2017 15:11:02 +0000 (17:11 +0200)]
libs/sqlite3: Update to 3190200
Update sqlite to 3190200
Remove obsolete tarball hash variable
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Ian Leonard [Sun, 19 Feb 2017 05:30:28 +0000 (21:30 -0800)]
sqlite: update to 3.17.0
Signed-off-by: Ian Leonard <antonlacon@gmail.com>
Karl Palsson [Wed, 25 Oct 2017 11:15:12 +0000 (11:15 +0000)]
libwebsockets: add PROVIDES to both variants
Fixed recently in master as part of upgrading, but the same issue
applies to 17.01. The two variant packages both now PROVIDE
libwebsockets, the virtual package.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Hirokazu MORIKAWA [Tue, 24 Oct 2017 06:36:29 +0000 (15:36 +0900)]
icu: fix CVE-2017-14952 Double-Free Vulnerability [lede-17.01]
http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/
https://security-tracker.debian.org/tracker/CVE-2017-14952
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Jo-Philipp Wich [Fri, 20 Oct 2017 13:08:54 +0000 (15:08 +0200)]
Revert "Provides a way to acquire the list of installed packages without the"
This reverts commit 983819f3f01ff27ba72bb0fb7ce6f1bea95bd8d1.
Jo-Philipp Wich [Fri, 20 Oct 2017 13:08:54 +0000 (15:08 +0200)]
Revert "add ubus call to perform a sysupgrade and acl file for the attended"
This reverts commit f6c287f1ee9ce4817740d537aca024a135b6749c.
Jo-Philipp Wich [Fri, 20 Oct 2017 13:08:54 +0000 (15:08 +0200)]
Revert "due to renaming .rpcd was forgotten in the Makefile"
This reverts commit 04cbc70c52fea176b524a5959a24a75701a21a27.
Paul Spooren [Thu, 27 Jul 2017 17:14:24 +0000 (19:14 +0200)]
due to renaming .rpcd was forgotten in the Makefile
Signed-off-by: Paul Spooren <paul@spooren.de>
(cherry picked from commit c98e9f3b18ed0cdc67f5e92efc2210d9d9d160f8)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Paul Spooren [Tue, 18 Jul 2017 22:47:40 +0000 (00:47 +0200)]
add ubus call to perform a sysupgrade and acl file for the attended
sysupgrade use case as well uci defaults.
Package is a part of the GSoC 17 project implementing easy
sysupgrade functionality.
Signed-off-by: Paul Spooren <paul@spooren.de>
(cherry picked from commit f9a6c81c116e462e4abfd3973385f426eba70f7b)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Paul Spooren [Tue, 18 Jul 2017 22:47:40 +0000 (00:47 +0200)]
Provides a way to acquire the list of installed packages without the
need to have opkg available. It is being used for the GSoC 17 project
implementing easy sysupgrade functionality.
Signed-off-by: Paul Spooren <paul@spooren.de>
(cherry picked from commit 0d2e674aa1c17163a0011090123321ea91bc13e9)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Stijn Tintel [Mon, 16 Oct 2017 11:08:26 +0000 (14:08 +0300)]
wireguard: drop package
WireGuard was added to LEDE core. See discussion at
https://github.com/lede-project/source/pull/1409
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Hannu Nyman [Tue, 10 Oct 2017 14:54:20 +0000 (17:54 +0300)]
Merge pull request #4914 from zx2c4/lede-17.01
wireguard: bump to release 0.0.20171005 for 17.01
champtar [Sun, 8 Oct 2017 15:45:34 +0000 (08:45 -0700)]
Merge pull request #4916 from StevenHessing/noddos-lede-17.01
noddos: new backport of noddos from master branch
Steven Hessing [Sun, 8 Oct 2017 04:24:43 +0000 (21:24 -0700)]
noddos: new backport of noddos from master branch
Signed-off-by: Steven Hessing <steven.hessing@gmail.com>
Jason A. Donenfeld [Sat, 7 Oct 2017 23:20:15 +0000 (01:20 +0200)]
wireguard: bump to release 0.0.20171005 for 17.01
WireGuard is well documented for being an experimental project, not
currently ready to be stabilized. As such, it's important for packagers
to always keep the project up to date in all contexts.
However, it is common for some projects, such as LEDE/OpenWrt to have
stable branches, which don't expect a lot of churn or modification.
The WireGuard that happened to ship with 17.01 is broken and crufty and
shouldn't be used at all. It's highly unlikely that there's anybody out
there even using it; it won't work with anything else.
So, this commit updates the 17.01 package to the latest upstream
version. Because the 17.01 stable branch can't be updated all the time,
it's important that this bump here in this commit is a stable one.
I believe 0.0.20171005 to be a fairly stable snapshot, which should be
suitable for the 17.01 branch. As stated earlier, the 0.0.20170115
currently in this branch is highly problematic. 0.0.20171005 offers
extremely important changes.
I'll continue to send package bumps for 17.01, but only for snapshot
releases that I think fix an important bug or provide a noted increase
in stability, or have similar goals to this commit.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Hauke Mehrtens [Tue, 3 Oct 2017 09:24:11 +0000 (11:24 +0200)]
Merge pull request #4879 from nxhack/17_01-CVE-2017-1000250
[lede-17.01] bluez: fix CVE-2017-1000250
Hirokazu MORIKAWA [Wed, 27 Sep 2017 05:09:45 +0000 (14:09 +0900)]
bluez: fix CVE-2017-1000250
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
bluez: fix CVE-2017-1000250
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Hauke Mehrtens [Wed, 20 Sep 2017 18:27:34 +0000 (20:27 +0200)]
tor: update to version 0.2.9.12
This fixes the TROVE-2017-008 (CVE-2017-0380) security problem.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Mon, 3 Jul 2017 21:00:29 +0000 (23:00 +0200)]
tor: update to version 0.2.9.11
This fixes CVE-2017-0376
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
champtar [Sat, 23 Sep 2017 23:52:04 +0000 (16:52 -0700)]
Merge pull request #4862 from luizluca/17.01/ruby-2.4.2
[17.01] ruby: bump to 2.4.2 (backported from master)
Luiz Angelo Daros de Luca [Mon, 18 Sep 2017 04:41:53 +0000 (01:41 -0300)]
ruby: bump to 2.4.2
This release contains some security fixes.
CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure in generating JSON
Multiple vulnerabilities in RubyGems
Update bundled libyaml to version 0.1.7.
And many other bugfixes.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit 699d9bef30df17272b834a6c6bd8d0c5f8bbf1c9)
Hannu Nyman [Fri, 15 Sep 2017 16:10:37 +0000 (19:10 +0300)]
collectd: uptime plugin: apply fix from upstream
Backport from master the fix for uptime plugin.
Adjust it for 5.5.3
Uptime plugin fails to adjust for system time changes after boot.
As Openwrt/LEDE routers usually do not have a RTC, the system time
gets adjusted with NTP possibly after collectd has already started.
But collectd continues to use the initial time set by 'sysfixtime',
which can lead to incorrect uptime calculations.
Apply a proposed fix from upstream that uses /proc/uptime
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Hannu Nyman [Fri, 15 Sep 2017 12:49:40 +0000 (15:49 +0300)]
Merge pull request #4834 from marcin1j/pr/20170911-mwan3-backport-lede17.01-66406f9
mwan3: fix interface-bound traffic when interface is offline
Marcin Jurkowski [Sat, 2 Sep 2017 22:56:09 +0000 (00:56 +0200)]
mwan3: fix interface-bound traffic when interface is offline
This is a backport of 66406f9 to LEDE 17.01 and replaces hotfix 282e900.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
Thomas Heil [Wed, 16 Aug 2017 23:07:49 +0000 (01:07 +0200)]
haproxy: update to 1.7.8 and pending patches
- fixes reload issue with hanging process
Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
Thomas Heil [Sun, 3 Sep 2017 13:03:56 +0000 (15:03 +0200)]
pcre: Added fix for CVE-2017-11164 by adding stack recursion limit
Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
Thomas Heil [Wed, 16 Aug 2017 23:18:45 +0000 (01:18 +0200)]
pcre: upgrade to version 8.41
- fixes security issues
Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
Stijn Tintel [Tue, 30 May 2017 17:25:04 +0000 (19:25 +0200)]
strongswan: fix typo
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 4660504c610cc1f4d3d8ef77e7f7fbc6b2fc3d54)
Stijn Tintel [Tue, 30 May 2017 13:12:08 +0000 (15:12 +0200)]
strongswan: add curve25519 plugin
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit a268689adca731fe9c500ddf43ba41b5a502a593)
Stijn Tintel [Tue, 30 May 2017 12:32:01 +0000 (14:32 +0200)]
strongswan: bump to 5.5.3
Fixes CVE-2017-9022, CVE-2017-9023.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 960006be50203ebeaa136ec49229eb286e9de785)
Stijn Tintel [Thu, 20 Apr 2017 14:55:51 +0000 (16:55 +0200)]
strongswan: bump to 5.5.2
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 18b076ab9359d56ff1fc5b89bda378f2e4723e2d)
Conflicts:
net/strongswan/Makefile
champtar [Fri, 25 Aug 2017 21:10:45 +0000 (14:10 -0700)]
Merge pull request #4722 from TDT-GmbH/mwan3-fixes
net/mwan3: fixes for mwan3 (lede-17.01)
Florian Eckert [Fri, 18 Aug 2017 06:54:13 +0000 (08:54 +0200)]
net/mwan3: update Makefile
- Update version
- Update maintainer to me
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Hannu Nyman [Tue, 22 Aug 2017 14:43:53 +0000 (17:43 +0300)]
Merge pull request #4741 from EricLuehrsen/unbound_1_6_5
[LEDE-17.01] unbound: update to 1.6.5
Eric Luehrsen [Tue, 22 Aug 2017 02:39:28 +0000 (22:39 -0400)]
unbound: update to 1.6.5
This fixes the root.key file if created when unbound is installed between sep11 and oct11 2017
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Florian Eckert [Thu, 17 Aug 2017 09:57:17 +0000 (11:57 +0200)]
net/mwan3: remove lock file on mwan3 stop
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 5e123852bc2fc6970e9502ca01a697b2fb394e23)
Florian Eckert [Mon, 31 Jul 2017 10:04:18 +0000 (12:04 +0200)]
net/mwan3: fix ping issue if last interface recovers from failure
Even though error was fixed the interface checks still fails, if last_resort
was set to blackhole or unreachable.
To fix this issue do not remove failure interface from iptables change on
down event.
Reported-by: Colby Whitney <colby.whitney@luxul.com>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 6d99b602fd3425df7b9a3f8d583a2092bb5e1b94)
Florian Eckert [Wed, 2 Aug 2017 12:53:18 +0000 (14:53 +0200)]
net/mwan3: fix ipset generation in hotplug script with a lock
Fix critical section during hotplug events.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit a4fbc7eba670c2622c47ee9fe3d60d89909ea559)
Florian Eckert [Thu, 22 Jun 2017 09:48:01 +0000 (11:48 +0200)]
net/mwan3: add lock for mwan3 hotplug script
If more than one interface get up/down at once mwan3 could be in an
undefined state, because more than one mwan3 hotplug script are running
and editing the iptables.
Lock the critical section should solve this issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit b6e9debc1b97f9e4be70fb51404831ed870d844a)
Florian Eckert [Thu, 27 Apr 2017 07:22:27 +0000 (09:22 +0200)]
net/mwan3: add connected network regardless of mwan3 interface enable state
If netifd set an interface up/down which is not tracked by mwan3 the
connected network of that interface should regardless be added/removed to the
mwan3_connected ipset.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit f94975b71fc80912dd84feb845c2d86aeb82e7b1)
Florian Eckert [Thu, 6 Apr 2017 14:36:46 +0000 (16:36 +0200)]
net/mwan3: mwan3track interrupt sleep on signal (trap) event
Sleep will be aborted if a signal is sent to this process.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 7e80e83dfdbfd1408244399ef6af580fff218d4f)
Florian Eckert [Fri, 17 Mar 2017 10:06:24 +0000 (11:06 +0100)]
net/mwan3: fix hotplug on ACTION ifdown
On dynamic interface proto (dhcp/pppoe) the hotplug will not execute (exit 9)
because the gateway is already released. The check will now only be made
on a ifup ACTION event.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 28c8b664e471df9adbba5f2b8598b4e95ae36f4b)
Karl Palsson [Wed, 16 Aug 2017 14:54:08 +0000 (14:54 +0000)]
mosquitto: properly use localhost instead of ipv4
On some environments, connecting to localhost was resolving to ::1,
which didn't match the bind to the explicit 127.0.0.1.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Karl Palsson [Wed, 7 Jun 2017 16:44:36 +0000 (16:44 +0000)]
mosquitto: support more config options in UCI
Added many more UCI config options, particularly for bridge connections
The recently introduced username/password options for bridges are kept,
even though they have been deprecated upstream for a while. In keeping
with this, while support is kept in UCI, the generated mosquitto.conf
file will always generate the "modern" remote_username/remote_password
options preferred by mosquitto instead.
Likewise for bridge clientid and remote_clientid options.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Toke Høiland-Jørgensen [Tue, 15 Aug 2017 23:10:55 +0000 (01:10 +0200)]
acme: Make sure postrm script doesn't fail
Fixes #4716.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Daniel H [Wed, 12 Apr 2017 20:51:58 +0000 (22:51 +0200)]
acme: Fix for curl linked against mbed TLS. (#4254)
Use newest acme.sh release (2.6.8).
Remove dependency on ca-certificates and add dependency on ca-bundle.
Update environment variable.
Signed-off-by: Daniel Halmschlager <da@halms.at>
Backport to 17.01 for compatibility with 17.01.2, but keep the old envvar so
it'll hopefully keep working for users who haven't upgraded.
Closes #4579, closes #4699.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Jo-Philipp Wich [Wed, 2 Aug 2017 15:11:30 +0000 (17:11 +0200)]
nlbwmon: update to latest version
Changes since last update:
32fc092 build: remove extraneous _GNU_SOURCE defines
096aaa3 build: compile with -D_GNU_SOURCE
76487b5 transform to source-only repository
Fixes build with uClibc and eglibc toolchains.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Fri, 28 Jul 2017 13:30:06 +0000 (15:30 +0200)]
nlbwmon: add package
This commit introduces nlbwmon, the lightweight NetLink BandWidth Monitor.
The nlbwmon daemon gathers per-host traffic statistics by querying netlink
accounting data. Due to this approach, the executable is very small and does
not rely on libpcap and CPU intensive raw sockets to monitor traffic.
Besides raw per-host traffic counters, nlbwmon also supports rudimentary
traffic classification by observing IP protocols and used port numbers.
Gathered accounting data is stored into a series of database files which
are regularly committed to persistent storage.
Refresh, commit and accounting intervals are freely configurable as well
as the layer7 protocol mapping rules and observed source subnets.
This package also bundles a cli client which can be used to dump the
gathered traffic data as JSON, CSV or plaintext data. A pull request to
add a graphical LuCI frontend for nlbwmon is pending.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Karl Palsson [Tue, 11 Jul 2017 10:12:06 +0000 (10:12 +0000)]
mosquitto: update to 1.4.14
Fixes a regression due to the CVE fix in the recently released 1.4.13.
https://mosquitto.org/2017/07/version-1-4-14-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
Karl Palsson [Mon, 10 Jul 2017 14:29:13 +0000 (14:29 +0000)]
mosquitto: update to 1.4.13
Primarily a bugfix release for a CVE that doesn't affect lede/openwrt,
but also includes some websockets performance fixes.
Release notes at https://mosquitto.org/2017/07/version-1-4-13-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
Etienne Champetier [Sat, 8 Jul 2017 18:56:26 +0000 (11:56 -0700)]
zabbix: update to 3.2.6
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Etienne Champetier [Sat, 8 Jul 2017 15:30:14 +0000 (08:30 -0700)]
zabbix: partially fix zabbix-extra-mac80211
In kernel commit f1160434c7658af3f7b0926b88df49a66cb3c3e0 many stats
that we read with zabbix-extra-mac80211 have been renamed
One commit after (c206ca670974cefec7ac3732db5c8156e8081a8d) those renamed
stats have been hidden behind MAC80211_DEBUG_COUNTERS compile flag
For now you have to edit mac80211 Makefile / do a custom build to access
most of these stats
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Etienne CHAMPETIER [Mon, 23 Jan 2017 03:48:30 +0000 (19:48 -0800)]
zabbix: update to 3.2.4, use PKG_HASH
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Rafał Miłecki [Thu, 29 Jun 2017 07:24:37 +0000 (09:24 +0200)]
lighttpd: backport more mod_cgi fixes queued for 1.4.46
The most important change is local redirects being disabled by default.
There is an option called cgi.local-redir that allows enabling this
optimization manually back if needed.
Local redirects were initially introduced in 1.4.40 but caused many
problems for *some* web services.
One of problems is breaking Post/Redirect/Get design pattern. With
redirects handled on server side there is no browser redirection making
it "lose" the POST data.
Another possible issue are HTML forms with action="". With CGI local
redirects browser may be sending form data to the wrong URL (the one
that was supposed to redirect the browser).
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Yousong Zhou [Mon, 19 Jun 2017 01:47:00 +0000 (09:47 +0800)]
coreutils: stdbuf: fix missing libstdbuf.so
Fixes #1674
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Nikos Mavrogiannopoulos [Sun, 18 Jun 2017 11:18:44 +0000 (13:18 +0200)]
gnutls: updated to 3.5.13
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Nikos Mavrogiannopoulos [Sun, 18 Jun 2017 11:20:40 +0000 (13:20 +0200)]
libtasn1: updated to 4.12
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Yousong Zhou [Mon, 8 May 2017 05:07:23 +0000 (13:07 +0800)]
openconnect: new option mtu
According to openconnect --help output:
-m, --mtu=MTU Request MTU from server
--base-mtu=MTU Indicate path MTU to/from server
Fixes #2099 by allowing setting tunnel mtu
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>