feed/packages.git
5 years agosqlite3: use dynamic linking for sqlite cli tool 7723/head
Sebastian Kemper [Tue, 18 Dec 2018 19:07:34 +0000 (20:07 +0100)]
sqlite3: use dynamic linking for sqlite cli tool

Otherwise it'll carry a static copy of it's own lib.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
5 years agosqlite3: security bump
Sebastian Kemper [Tue, 18 Dec 2018 19:00:33 +0000 (20:00 +0100)]
sqlite3: security bump

A remote code execution vuln has been found in sqlite. Infos available
here:

https://blade.tencent.com/magellan/index_en.html

sqlite 3.26.0 contains the fix.

This commit also changes source URL to https. It also adds a depend on
zlib, which is now required.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
5 years agoMerge pull request #7555 from micmac1/tiff-4010-17.01 7669/head
Hannu Nyman [Thu, 6 Dec 2018 08:35:45 +0000 (10:35 +0200)]
Merge pull request #7555 from micmac1/tiff-4010-17.01

(lede-17.01) tiff: security bump to 4.0.10

5 years agotiff: security bump to 4.0.10 7555/head
Sebastian Kemper [Sun, 2 Dec 2018 10:59:13 +0000 (11:59 +0100)]
tiff: security bump to 4.0.10

This bumps libtiff's minor version from 9 to 10. In addition to the CVE
fixes that we already included this fixes:

CVE-2017-17095
CVE-2018-17101
CVE-2018-18557

The update is 100% backwards compatible, no symbol changes.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
6 years agoMerge pull request #7165 from pacien/181009-1701-pkg-tinc
Hannu Nyman [Wed, 10 Oct 2018 17:28:18 +0000 (20:28 +0300)]
Merge pull request #7165 from pacien/181009-1701-pkg-tinc

tinc: update to 1.0.35 (security update) [lede-17.01]

6 years agotinc: update to 1.0.35 7165/head
Pacien TRAN-GIRARD [Mon, 8 Oct 2018 18:54:11 +0000 (20:54 +0200)]
tinc: update to 1.0.35

Critical security update for:
* CVE-2018-16737,
* CVE-2018-16738,
* CVE-2018-16758

Announcement:
https://www.tinc-vpn.org/pipermail/tinc/2018-October/005311.html

Signed-off-by: Pacien TRAN-GIRARD <pacien.trangirard@pacien.net>
6 years agosocat: Fix CRDLY, TABDLY and CSIZE shifts for PowerPC
Ted Hess [Thu, 30 Aug 2018 18:00:05 +0000 (14:00 -0400)]
socat: Fix CRDLY, TABDLY and CSIZE shifts for PowerPC

Signed-off-by: Ted Hess <thess@kitschensync.net>
6 years agoMerge pull request #6835 from micmac1/xml2-cve-17.01
Michael Heimpold [Tue, 21 Aug 2018 19:11:38 +0000 (21:11 +0200)]
Merge pull request #6835 from micmac1/xml2-cve-17.01

libxml2: add Debian patches to address CVEs

6 years agolibxml2: add Debian patches to address CVEs 6835/head
Sebastian Kemper [Tue, 21 Aug 2018 18:42:53 +0000 (20:42 +0200)]
libxml2: add Debian patches to address CVEs

Debian uses libxml2 2.9.4 in Stretch. This adds their security related
fixes from 2.9.4+dfsg1-2.2+deb9u2 to LEDE's 17.01 release.

Fixed CVEs:

CVE-2016-4658
CVE-2016-5131
CVE-2017-0663
CVE-2017-15412
CVE-2017-7375
CVE-2017-7376
CVE-2017-9047
CVE-2017-9048
CVE-2017-9049
CVE-2017-9050

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
6 years agoMerge pull request #6806 from micmac1/tiff-17.01
Jiri Slachta [Sun, 19 Aug 2018 17:12:40 +0000 (19:12 +0200)]
Merge pull request #6806 from micmac1/tiff-17.01

tiff: fix remaining CVEs

6 years agotiff: fix remaining CVEs 6806/head
Sebastian Kemper [Sun, 19 Aug 2018 08:50:58 +0000 (10:50 +0200)]
tiff: fix remaining CVEs

Backport Rosen's commit in master to 17.01 to address open CVEs. This
fixes:

CVE-2017-11613
CVE-2018-5784
CVE-2018-7456
CVE-2018-8905
CVE-2018-10963

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
6 years agoMerge pull request #6783 from EricLuehrsen/unbound_1701
Dirk Brenken [Sat, 18 Aug 2018 17:53:35 +0000 (19:53 +0200)]
Merge pull request #6783 from EricLuehrsen/unbound_1701

[lede-17.01] unbound: drop odhcpd leases with wrong field count

6 years agounbound: drop odhcpd leases with wrong field count 6783/head
Eric Luehrsen [Fri, 17 Aug 2018 01:37:43 +0000 (21:37 -0400)]
unbound: drop odhcpd leases with wrong field count

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
(cherry pick commit: 59617f076d7cbdd04a341bf7cfb5f3d9772b5765)

6 years agoMerge pull request #6760 from micmac1/postgresql-17.01
Daniel Golle [Wed, 15 Aug 2018 18:08:16 +0000 (20:08 +0200)]
Merge pull request #6760 from micmac1/postgresql-17.01

postgresql: security bump to 9.5.14 for 17.01

6 years agopostgresql: security bump to 9.5.14 6760/head
Sebastian Kemper [Wed, 15 Aug 2018 15:28:43 +0000 (17:28 +0200)]
postgresql: security bump to 9.5.14

This update includes fixes for the following CVEs:

- CVE-2018-1053
- CVE-2018-1058
- CVE-2018-10915
- CVE-2018-10925

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
6 years agoMerge pull request #6350 from EricLuehrsen/unbound_20180625_1701 6614/head
Hannu Nyman [Wed, 27 Jun 2018 04:18:11 +0000 (07:18 +0300)]
Merge pull request #6350 from EricLuehrsen/unbound_20180625_1701

[lede-17.01] unbound: limit outside script source to init funciton scope

6 years agounbound: limit outside script source to init funciton scope 6350/head
Eric Luehrsen [Tue, 26 Jun 2018 00:40:21 +0000 (20:40 -0400)]
unbound: limit outside script source to init funciton scope

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
6 years agoMerge pull request #6077 from MikePetullo/lede-17.01-lighttpd
Hannu Nyman [Mon, 21 May 2018 05:23:30 +0000 (08:23 +0300)]
Merge pull request #6077 from MikePetullo/lede-17.01-lighttpd

lighttpd: CONFIG_LIGHTTPD_SSL includes mod_openssl

6 years agolighttpd: CONFIG_LIGHTTPD_SSL includes mod_openssl 6077/head
Philip Prindeville [Wed, 3 Jan 2018 00:08:59 +0000 (17:08 -0700)]
lighttpd: CONFIG_LIGHTTPD_SSL includes mod_openssl

If we're built with CONFIG_LIGHTTPD_SSL then mod_openssl.so should
be included into the base package. Fixes issue #5343.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
6 years agousbip: remove upstreamed musl compatibility patch (#5983)
Hannu Nyman [Sun, 29 Apr 2018 21:22:03 +0000 (00:22 +0300)]
usbip: remove upstreamed musl compatibility patch (#5983)

Remove musl compatibility patch that is now included
in the upstream Linux kernel and backported to stable kernels.

Commit in 4.4:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/tools/usb/usbip?h=linux-4.4.y&id=6638091f1b1623db8b2338ef5a5f26d9ec870444

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
6 years agoMerge pull request #5803 from VincentRiou/lighttpd_1_4_48_with_wstunnel
Hannu Nyman [Wed, 25 Apr 2018 09:26:16 +0000 (12:26 +0300)]
Merge pull request #5803 from VincentRiou/lighttpd_1_4_48_with_wstunnel

Lighttpd 1.4.48 with wstunnel

6 years agoMerge pull request #5848 from luizluca/ruby-2.4.4
Luiz Angelo Daros de Luca [Thu, 29 Mar 2018 18:23:01 +0000 (15:23 -0300)]
Merge pull request #5848 from luizluca/ruby-2.4.4

[17.01] ruby: bump to 2.4.4

6 years agoruby: bump to 2.4.4 5848/head
Luiz Angelo Daros de Luca [Thu, 29 Mar 2018 14:37:25 +0000 (11:37 -0300)]
ruby: bump to 2.4.4

This release includes some bug fixes and some security fixes.

* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems

There are also some bug fixes

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
6 years agoMerge pull request #5839 from nxhack/lede-17_01_icu_CVE-2017-15422
Hannu Nyman [Tue, 27 Mar 2018 20:26:20 +0000 (23:26 +0300)]
Merge pull request #5839 from nxhack/lede-17_01_icu_CVE-2017-15422

icu: fix CVE-2017-15422

6 years agoicu: fix CVE-2017-15422 5839/head
Hirokazu MORIKAWA [Tue, 27 Mar 2018 08:05:45 +0000 (17:05 +0900)]
icu: fix CVE-2017-15422

[lede-17.01]

Maintainer: me

Compile tested: ar71xx, mips_24kc_gcc-5.4.0_musl-1.1.16, lede-17.01 r3863-fad29d2
Run tested: NONE

Description:
CVE-2017-15422 : integer overflow in icu
https://security-tracker.debian.org/tracker/CVE-2017-15422

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
6 years agolighttpd: add mod-wstunnel 5803/head
Vincent Riou [Fri, 23 Mar 2018 14:57:16 +0000 (14:57 +0000)]
lighttpd: add mod-wstunnel

Exposes the mod-wstunnel plugin which implements websocket proxying over http

Signed-off-by: Vincent Riou <vincent@invizbox.com>
6 years agolighttpd: update to 1.4.48
Philip Prindeville [Sat, 16 Dec 2017 19:49:22 +0000 (12:49 -0700)]
lighttpd: update to 1.4.48

All of the bugs for which we had patches have been fixed upstream
in 1.4.46, so the patches can be dropped.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Conflicts:
net/lighttpd/Makefile

6 years agosqm-scripts: Fix return value bug in postrm script
Tony Ambardar [Mon, 8 Jan 2018 11:50:26 +0000 (03:50 -0800)]
sqm-scripts: Fix return value bug in postrm script

The script removes the UCI option ucitrack.@sqm[0] if present and then
returns success. If that UCI option is already absent however, the
script incorrectly returns failure, which blocks upgrade of the
luci-app-sqm package.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
6 years agomosqitto: bump to 1.4.15 for CVE fixes.
Karl Palsson [Thu, 1 Mar 2018 11:20:03 +0000 (11:20 +0000)]
mosqitto: bump to 1.4.15 for CVE fixes.

See https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
for full details.

Signed-off-by: Karl Palsson <karlp@etactica.com>
6 years agominidlna: exclude "po" directory to fix CONFIG_BUILD_NLS=y builds
Rafał Miłecki [Mon, 19 Feb 2018 11:43:14 +0000 (12:43 +0100)]
minidlna: exclude "po" directory to fix CONFIG_BUILD_NLS=y builds

This fixes:
*** error: gettext infrastructure mismatch: using a Makefile.in.in from gettext version 0.18 but the autoconf macros are from gettext version 0.19

Makefile of minidlna package specifies PKG_FIXUP:=autoreconf. That
results in calling autoreconf with multiple arguments, including many -I
ones. One of autoreconf steps is calling aclocal with the same set of -I
arguments.

All of that results in:
1) aclocal using staging_dir's /usr/share/aclocal and its po.m4
2) not using minidlna's po.m4
3) not updating Makefile.in.in

If staging_dir's po.m4 has different GETTEXT_MACRO_VERSION than the
minidlna's one it'll result in a mismatch in the Makefile.in. Ideally we
should take care of regenerating Makefile.in.in but this isn't
currentlly supported. As localization isn't properly supported anyway
(no shipping .mo files) it's safe to just disable building po files.

Added patch comes from the master branch commit d5fcc972ba57d
("multimedia/minidlna: Update to 1.2.0").

Fixes: 72928442614d9 ("minidlna: backport fixes from 1.1.6 and 1.2.0 releases")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
6 years agoMerge pull request #5492 from micmac1/fix-sqlite3-on-uclibc 5626/head
champtar [Wed, 31 Jan 2018 15:55:37 +0000 (07:55 -0800)]
Merge pull request #5492 from micmac1/fix-sqlite3-on-uclibc

sqlite3 [lede-17.01]: fix uClibc builds

6 years agosqlite3: fix uClibc builds 5492/head
Sebastian Kemper [Tue, 23 Jan 2018 19:57:23 +0000 (20:57 +0100)]
sqlite3: fix uClibc builds

When compiling against uClibc on lede-17.01 it's detected in the linking
phase that '__isnan' is nowhere to be found:

sqlite3-sqlite3.o: In function `serialGet':
sqlite3.c:(.text+0x6364): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_result_double':
sqlite3.c:(.text+0x10faa): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VXPrintf':
sqlite3.c:(.text+0x175ca): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3_bind_double':
sqlite3.c:(.text+0x1b0ac): undefined reference to `__isnan'
sqlite3-sqlite3.o: In function `sqlite3VdbeExec':
sqlite3.c:(.text+0x3b77e): undefined reference to `__isnan'
collect2: error: ld returned 1 exit status

To fix this libm needs to be linked in as well in the uClibc case. So
add libm ('-lm') to the TARGET_LDFLAGS accordingly.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
6 years agop11-kit: disable trust module
Nikos Mavrogiannopoulos [Tue, 30 Jan 2018 19:34:14 +0000 (20:34 +0100)]
p11-kit: disable trust module

This allows prevents build error due to trust-paths not being
specified. The trust module was not being used in openwrt.

Resolves #5528

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
6 years agoMerge pull request #5541 from micmac1/jiri-lede-17.01
Jiri Slachta [Tue, 30 Jan 2018 18:57:37 +0000 (19:57 +0100)]
Merge pull request #5541 from micmac1/jiri-lede-17.01

libssh2, libxslt, tiff: security bumps + fix (for lede-17.01)

6 years agotiff: version bump to address open CVEs 5541/head
Sebastian Kemper [Tue, 30 Jan 2018 14:13:05 +0000 (15:13 +0100)]
tiff: version bump to address open CVEs

- Version bump to 4.0.9, as otherwise ca. a dozen patches would need
  to be added to fix the open CVEs. There have been no API/ABI
  changes between 4.0.6 and 4.0.9, so this is OK.
- Adds patches copied from Debian for CVE-2017-18013 and CVE-2017-9935
  on top.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
6 years agolibxslt: add patches copied from Debian to fix CVEs
Sebastian Kemper [Tue, 30 Jan 2018 14:09:01 +0000 (15:09 +0100)]
libxslt: add patches copied from Debian to fix CVEs

- there are multiple open CVEs, this adds patches for them
- adds --disable-silent-rules for verbose build output

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
6 years agolibssh: fix zlib detection
Sebastian Kemper [Tue, 30 Jan 2018 14:06:06 +0000 (15:06 +0100)]
libssh: fix zlib detection

- currently zlib is never detected, although there is a dependency on
  it, fix that.
- change links from http to https

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
6 years agoMerge pull request #5493 from micmac1/fix-alsa-lib-on-uclibc
tripolar [Sat, 27 Jan 2018 12:24:29 +0000 (13:24 +0100)]
Merge pull request #5493 from micmac1/fix-alsa-lib-on-uclibc

alsa-lib [lede-17.01]: fix build on uclibc

6 years agoalsa-lib: fix uClibc builds 5493/head
Sebastian Kemper [Tue, 23 Jan 2018 20:54:07 +0000 (21:54 +0100)]
alsa-lib: fix uClibc builds

Currently alsa-lib fails to build on uClibc:

parser.c: In function 'snd_tplg_build_file':
parser.c:262:35: error: 'S_IRUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                   ^
parser.c:262:35: note: each undeclared identifier is reported only once for each function it appears in
parser.c:262:45: error: 'S_IWUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                             ^
parser.c: In function 'snd_tplg_build':
parser.c:330:35: error: 'S_IRUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                   ^
parser.c:330:45: error: 'S_IWUSR' undeclared (first use in this function)
   open(outfile, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
                                             ^
Makefile:390: recipe for target 'parser.lo' failed

Fix this by adding an upstream fix as a backport.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
6 years agoMerge pull request #5497 from daztucker/lede-17.01
Hannu Nyman [Fri, 26 Jan 2018 14:29:20 +0000 (16:29 +0200)]
Merge pull request #5497 from daztucker/lede-17.01

net/https-dns-proxy: Update to 2018-01-24.

6 years agonet/https-dns-proxy: Update to 2018-01-24. 5497/head
Darren Tucker [Wed, 24 Jan 2018 05:50:19 +0000 (16:50 +1100)]
net/https-dns-proxy: Update to 2018-01-24.

Add dependency on ca-bundle without which the HTTPS fetches fail.
Add "-x" option to force HTTP/1.1 instead of HTTP/2.0
Add a workaround for bug in libcurl <7.530 that prevents it from
working at all when built with mbedtls.

Signed-off-by: Darren Tucker <dtucker@dtucker.net>
Acked-by: Aaron Drew <aarond10@gmail.com>
6 years agoMerge pull request #5317 from luizluca/17.01/ruby-2.4.3
Luiz Angelo Daros de Luca [Mon, 22 Jan 2018 10:43:03 +0000 (08:43 -0200)]
Merge pull request #5317 from luizluca/17.01/ruby-2.4.3

[17.01] ruby: bump to 2.4.3

6 years agoMerge pull request #5479 from EricLuehrsen/lede-17.01-unbound-168
Hannu Nyman [Sat, 20 Jan 2018 08:03:35 +0000 (10:03 +0200)]
Merge pull request #5479 from EricLuehrsen/lede-17.01-unbound-168

[lede-17.01] unbound: update to 1.6.8 for CVE-2017-15105

6 years agounbound: update to 1.6.8 for CVE-2017-15105 5479/head
Eric Luehrsen [Sat, 20 Jan 2018 02:24:54 +0000 (21:24 -0500)]
unbound: update to 1.6.8 for CVE-2017-15105

A vulnerability was discovered in the processing of wildcard synthesized
NSEC records. While synthesis of NSEC records is allowed by RFC4592,
these synthesized owner names should not be used in the NSEC processing.
This does, however, happen in Unbound 1.6.7 and earlier versions.
(see https://unbound.net/downloads/CVE-2017-15105.txt)

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
6 years agoMerge pull request #5477 from dibdot/travelmate-17.01
Hannu Nyman [Fri, 19 Jan 2018 13:10:12 +0000 (15:10 +0200)]
Merge pull request #5477 from dibdot/travelmate-17.01

[17.01] travelmate: release 1.0.2

6 years agoMerge pull request #5476 from dibdot/adblock-17.01
Hannu Nyman [Fri, 19 Jan 2018 13:10:02 +0000 (15:10 +0200)]
Merge pull request #5476 from dibdot/adblock-17.01

[17.01] adblock: release 3.4.3

6 years ago[17.01] travelmate: release 1.0.2 5477/head
Dirk Brenken [Fri, 19 Jan 2018 09:02:23 +0000 (10:02 +0100)]
[17.01] travelmate: release 1.0.2

* bump travelmate version in stable tree

Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago[17.01] adblock: release 3.4.3 5476/head
Dirk Brenken [Fri, 19 Jan 2018 08:50:39 +0000 (09:50 +0100)]
[17.01] adblock: release 3.4.3

* bump adblock version in stable tree

Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years agovpnc: fix using proto_add_host_dependency
Yousong Zhou [Fri, 19 Jan 2018 03:14:32 +0000 (11:14 +0800)]
vpnc: fix using proto_add_host_dependency

Fixes #4343

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
6 years agoulogd: use strncpy instead of memcpy
Alexandru Ardelean [Thu, 16 Mar 2017 19:33:41 +0000 (21:33 +0200)]
ulogd: use strncpy instead of memcpy

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry picked from commit 953f951c5eb3841e619a18b3aeb95a652dbb9a93)

6 years agowget: backport 1.19.2 from master
Hannu Nyman [Sat, 6 Jan 2018 10:20:47 +0000 (12:20 +0200)]
wget: backport 1.19.2 from master

Backport the update to 1.19.2 from master.
Fixes e.g. CVE-2017-13089 and CVE-2017-13090

(tested in my own ipq806x and ar71xx lede-17.01 builds)

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
6 years agotree: backport from master
Banglang Huang [Sat, 6 Jan 2018 10:04:33 +0000 (12:04 +0200)]
tree: backport from master

Tree is a recursive directory listing command that
produces a depth indented listing of files, which is
colorized ala dircolors if the LS_COLORS environment
variable is set and output is to tty.

root@lede:/# tree -L 1
.
├── bin
├── dev
├── etc
├── lib
├── mnt
├── overlay
├── proc
├── rom
├── root
├── sbin
├── sys
├── tmp
├── usr
├── var -> /tmp
└── www

15 directories, 0 files

http://mama.indstate.edu/users/ice/tree/

Signed-off-by: BangLang Huang <banglang.huang@foxmail.com>
(cherry picked from commit b6ff884d4570e5f522ad97bbd481362ee1ebeff7)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
6 years agopostgresql: update to version 9.5.10
Daniel Golle [Thu, 4 Jan 2018 23:20:31 +0000 (00:20 +0100)]
postgresql: update to version 9.5.10

Contains fixes for
 * CVE-2017-15099
 * CVE-2017-15098
 * CVE-2017-12172
 * CVE-2017-7548
 * CVE-2017-7547
 * CVE-2017-7546
 * CVE-2017-7486
 * CVE-2017-7485
 * CVE-2017-7484

Note that some fixes apply for newly created databases only!
To mitigate CVE-2017-7486 and CVE-2017-7547 in existing databases,
a procedure described in the the release notes of PostgreSQL 9.5.8
is necessary!

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
6 years agognutls: Use HTTPS instead of FTP
Rosen Penev [Mon, 11 Dec 2017 03:54:14 +0000 (19:54 -0800)]
gnutls: Use HTTPS instead of FTP

While recently building asterisk, the make system stalled on gnutls. On my install of Ubuntu 16.04 on WSL, it seems curl can't download from ftp and doesn't even time out properly. Easiest solution is to switch the gnutls Makefile to use HTTPS instead.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
6 years agoruby: bump to 2.4.3 5317/head
Luiz Angelo Daros de Luca [Fri, 22 Dec 2017 05:28:56 +0000 (03:28 -0200)]
ruby: bump to 2.4.3

This release includes some bug fixes and a security fix.

CVE-2017-17405: Command injection vulnerability in Net::FTP

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit fc0105391766404699330e455bc028d8a52a2553)

6 years agopython: declare explicit Host/Compile to fix pgen tool installation error
Arturo Rinaldi [Sat, 9 Dec 2017 20:39:24 +0000 (21:39 +0100)]
python: declare explicit Host/Compile to fix pgen tool installation error

Signed-off-by: Arturo Rinaldi arty.net2@gmail.com
[squash commits, fix commit title]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
6 years agoMerge pull request #5012 from TDT-AG/20171025-luci-app-mwan3-fix-iface_state
champtar [Mon, 11 Dec 2017 19:43:46 +0000 (11:43 -0800)]
Merge pull request #5012 from TDT-AG/20171025-luci-app-mwan3-fix-iface_state

net/mwan3-luci: fix iface_state on on status page for 17.01

6 years agonet/mwan3-luci: fix iface_state on on status page 5012/head
Florian Eckert [Wed, 25 Oct 2017 11:46:15 +0000 (13:46 +0200)]
net/mwan3-luci: fix iface_state on on status page

Since commit 4739584c2434fda6c4f14b0ef3d38fa055352c0e the status of the
interface is not reported correctly anymore. To fix this issue do not test
if the routing table is presented use instead the "/var/run/iface_state/[iface]"
to get the interface state because the routing table will not get deleted
anymore if the interface is offline.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
6 years agoMerge pull request #5228 from commodo/python-2.7.14-17.01
Jo-Philipp Wich [Tue, 5 Dec 2017 13:32:57 +0000 (14:32 +0100)]
Merge pull request #5228 from commodo/python-2.7.14-17.01

python: update to version 2.7.14 for branch 17.01

6 years agopython: update to version 2.7.14 for branch 17.01 5228/head
Alexandru Ardelean [Tue, 5 Dec 2017 13:15:09 +0000 (15:15 +0200)]
python: update to version 2.7.14 for branch 17.01

Bump version and overwrite patches from master,
since those were refreshed (at some point).

I got an email notification about some CVEs
for branch 17.01, so I decided to update Python.

Technically, one seems to be for SolidWorks
from what I can tell, but upgrading should be easy.

```
Hello Alexandru Ardelean,

The package python is vulnerable to the following CVEs:
CVE-2014-4616
  https://nvd.nist.gov/vuln/detail/CVE-2014-4616

CVE-2017-100015
  https://nvd.nist.gov/vuln/detail/CVE-2017-100015

Please consider updating or patching the package.
```

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
7 years agoattendedsysupgrade-common: add package
Daniel Golle [Mon, 20 Nov 2017 16:49:34 +0000 (17:49 +0100)]
attendedsysupgrade-common: add package

This package provides the UCI config shared by both, the CLI and Web
clients used for attended-sysupgrade.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
7 years agotinc: version bump 1.0.33
Saverio Proto [Sun, 5 Nov 2017 03:00:10 +0000 (04:00 +0100)]
tinc: version bump 1.0.33

Signed-off-by: Saverio Proto <saverio.proto@switch.ch>
7 years agognutls: updated to 3.5.16
Nikos Mavrogiannopoulos [Sat, 21 Oct 2017 18:24:35 +0000 (20:24 +0200)]
gnutls: updated to 3.5.16

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
7 years agojool: fix PKG_BUILD_DIR to avoid kernel ABI mismatch
Matthias Schiffer [Mon, 23 Oct 2017 02:52:49 +0000 (04:52 +0200)]
jool: fix PKG_BUILD_DIR to avoid kernel ABI mismatch

As jool builds a kernel module, a PKG_BUILD_DIR under KERNEL_BUILD_DIR must
be used to avoid reusing build artifacts when switching to a different
target of the same architecture. Otherwise, kernel ABI mismatches may
result, leading to an unusuable module, or build failures like the
following:

    Package kmod-jool is missing dependencies for the following libraries:
    crypto_hash.ko

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
7 years agomonit: update to 5.24, use https download url
Etienne Champetier [Mon, 23 Oct 2017 00:49:50 +0000 (17:49 -0700)]
monit: update to 5.24, use https download url

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
7 years agomonit: update to 5.23
Etienne Champetier [Sun, 9 Jul 2017 03:13:40 +0000 (20:13 -0700)]
monit: update to 5.23

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
7 years agomonit: update to 5.20, use PKG_HASH
Etienne CHAMPETIER [Mon, 23 Jan 2017 03:48:23 +0000 (19:48 -0800)]
monit: update to 5.20, use PKG_HASH

this adds zlib as dependency

Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
7 years agosqlite3: update to 3.19.3
Etienne Champetier [Sun, 9 Jul 2017 03:13:27 +0000 (20:13 -0700)]
sqlite3: update to 3.19.3

fix possible database corruption
https://www.sqlite.org/releaselog/3_19_3.html

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
7 years agolibs/sqlite3: Update to 3190200
Daniel Engberg [Wed, 31 May 2017 15:11:02 +0000 (17:11 +0200)]
libs/sqlite3: Update to 3190200

Update sqlite to 3190200
Remove obsolete tarball hash variable

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
7 years agosqlite: update to 3.17.0
Ian Leonard [Sun, 19 Feb 2017 05:30:28 +0000 (21:30 -0800)]
sqlite: update to 3.17.0

Signed-off-by: Ian Leonard <antonlacon@gmail.com>
7 years agolibwebsockets: add PROVIDES to both variants
Karl Palsson [Wed, 25 Oct 2017 11:15:12 +0000 (11:15 +0000)]
libwebsockets: add PROVIDES to both variants

Fixed recently in master as part of upgrading, but the same issue
applies to 17.01.  The two variant packages both now PROVIDE
libwebsockets, the virtual package.

Signed-off-by: Karl Palsson <karlp@etactica.com>
7 years agoicu: fix CVE-2017-14952 Double-Free Vulnerability [lede-17.01]
Hirokazu MORIKAWA [Tue, 24 Oct 2017 06:36:29 +0000 (15:36 +0900)]
icu: fix CVE-2017-14952 Double-Free Vulnerability [lede-17.01]

http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/

https://security-tracker.debian.org/tracker/CVE-2017-14952

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
7 years agoRevert "Provides a way to acquire the list of installed packages without the"
Jo-Philipp Wich [Fri, 20 Oct 2017 13:08:54 +0000 (15:08 +0200)]
Revert "Provides a way to acquire the list of installed packages without the"

This reverts commit 983819f3f01ff27ba72bb0fb7ce6f1bea95bd8d1.

7 years agoRevert "add ubus call to perform a sysupgrade and acl file for the attended"
Jo-Philipp Wich [Fri, 20 Oct 2017 13:08:54 +0000 (15:08 +0200)]
Revert "add ubus call to perform a sysupgrade and acl file for the attended"

This reverts commit f6c287f1ee9ce4817740d537aca024a135b6749c.

7 years agoRevert "due to renaming .rpcd was forgotten in the Makefile"
Jo-Philipp Wich [Fri, 20 Oct 2017 13:08:54 +0000 (15:08 +0200)]
Revert "due to renaming .rpcd was forgotten in the Makefile"

This reverts commit 04cbc70c52fea176b524a5959a24a75701a21a27.

7 years agodue to renaming .rpcd was forgotten in the Makefile
Paul Spooren [Thu, 27 Jul 2017 17:14:24 +0000 (19:14 +0200)]
due to renaming .rpcd was forgotten in the Makefile

Signed-off-by: Paul Spooren <paul@spooren.de>
(cherry picked from commit c98e9f3b18ed0cdc67f5e92efc2210d9d9d160f8)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoadd ubus call to perform a sysupgrade and acl file for the attended
Paul Spooren [Tue, 18 Jul 2017 22:47:40 +0000 (00:47 +0200)]
add ubus call to perform a sysupgrade and acl file for the attended
sysupgrade use case as well uci defaults.
Package is a part of the GSoC 17 project implementing easy
sysupgrade functionality.

Signed-off-by: Paul Spooren <paul@spooren.de>
(cherry picked from commit f9a6c81c116e462e4abfd3973385f426eba70f7b)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agoProvides a way to acquire the list of installed packages without the
Paul Spooren [Tue, 18 Jul 2017 22:47:40 +0000 (00:47 +0200)]
Provides a way to acquire the list of installed packages without the
need to have opkg available. It is being used for the GSoC 17 project
implementing easy sysupgrade functionality.

Signed-off-by: Paul Spooren <paul@spooren.de>
(cherry picked from commit 0d2e674aa1c17163a0011090123321ea91bc13e9)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
7 years agowireguard: drop package
Stijn Tintel [Mon, 16 Oct 2017 11:08:26 +0000 (14:08 +0300)]
wireguard: drop package

WireGuard was added to LEDE core. See discussion at
https://github.com/lede-project/source/pull/1409

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7 years agoMerge pull request #4914 from zx2c4/lede-17.01
Hannu Nyman [Tue, 10 Oct 2017 14:54:20 +0000 (17:54 +0300)]
Merge pull request #4914 from zx2c4/lede-17.01

wireguard: bump to release 0.0.20171005 for 17.01

7 years agoMerge pull request #4916 from StevenHessing/noddos-lede-17.01
champtar [Sun, 8 Oct 2017 15:45:34 +0000 (08:45 -0700)]
Merge pull request #4916 from StevenHessing/noddos-lede-17.01

noddos: new backport of noddos from master branch

7 years agonoddos: new backport of noddos from master branch 4916/head
Steven Hessing [Sun, 8 Oct 2017 04:24:43 +0000 (21:24 -0700)]
noddos: new backport of noddos from master branch

Signed-off-by: Steven Hessing <steven.hessing@gmail.com>
7 years agowireguard: bump to release 0.0.20171005 for 17.01 4914/head
Jason A. Donenfeld [Sat, 7 Oct 2017 23:20:15 +0000 (01:20 +0200)]
wireguard: bump to release 0.0.20171005 for 17.01

WireGuard is well documented for being an experimental project, not
currently ready to be stabilized. As such, it's important for packagers
to always keep the project up to date in all contexts.

However, it is common for some projects, such as LEDE/OpenWrt to have
stable branches, which don't expect a lot of churn or modification.

The WireGuard that happened to ship with 17.01 is broken and crufty and
shouldn't be used at all. It's highly unlikely that there's anybody out
there even using it; it won't work with anything else.

So, this commit updates the 17.01 package to the latest upstream
version. Because the 17.01 stable branch can't be updated all the time,
it's important that this bump here in this commit is a stable one.

I believe 0.0.20171005 to be a fairly stable snapshot, which should be
suitable for the 17.01 branch. As stated earlier, the 0.0.20170115
currently in this branch is highly problematic. 0.0.20171005 offers
extremely important changes.

I'll continue to send package bumps for 17.01, but only for snapshot
releases that I think fix an important bug or provide a noted increase
in stability, or have similar goals to this commit.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
7 years agoMerge pull request #4879 from nxhack/17_01-CVE-2017-1000250
Hauke Mehrtens [Tue, 3 Oct 2017 09:24:11 +0000 (11:24 +0200)]
Merge pull request #4879 from nxhack/17_01-CVE-2017-1000250

[lede-17.01] bluez: fix CVE-2017-1000250

7 years agobluez: fix CVE-2017-1000250 4879/head
Hirokazu MORIKAWA [Wed, 27 Sep 2017 05:09:45 +0000 (14:09 +0900)]
bluez: fix CVE-2017-1000250

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
bluez: fix CVE-2017-1000250

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
7 years agotor: update to version 0.2.9.12
Hauke Mehrtens [Wed, 20 Sep 2017 18:27:34 +0000 (20:27 +0200)]
tor: update to version 0.2.9.12

This fixes the TROVE-2017-008 (CVE-2017-0380) security problem.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
7 years agotor: update to version 0.2.9.11
Hauke Mehrtens [Mon, 3 Jul 2017 21:00:29 +0000 (23:00 +0200)]
tor: update to version 0.2.9.11

This fixes CVE-2017-0376

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
7 years agoMerge pull request #4862 from luizluca/17.01/ruby-2.4.2
champtar [Sat, 23 Sep 2017 23:52:04 +0000 (16:52 -0700)]
Merge pull request #4862 from luizluca/17.01/ruby-2.4.2

[17.01] ruby: bump to 2.4.2 (backported from master)

7 years agoruby: bump to 2.4.2 4862/head
Luiz Angelo Daros de Luca [Mon, 18 Sep 2017 04:41:53 +0000 (01:41 -0300)]
ruby: bump to 2.4.2

This release contains some security fixes.

 CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
 CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
 CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
 CVE-2017-14064: Heap exposure in generating JSON
 Multiple vulnerabilities in RubyGems
 Update bundled libyaml to version 0.1.7.

And many other bugfix.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit 699d9bef30df17272b834a6c6bd8d0c5f8bbf1c9)

7 years agocollectd: uptime plugin: apply fix from upstream
Hannu Nyman [Fri, 15 Sep 2017 16:10:37 +0000 (19:10 +0300)]
collectd: uptime plugin: apply fix from upstream

Backport from master the fix for uptime plugin.
Adjust it for 5.5.3

  Uptime plugin fails to adjust for system time changes after boot.
  As Openwrt/LEDE routers usually do not have a RTC, the system time
  gets adjusted with NTP possibly after collectd has already started.
  But collectd continues to use the initial time set by 'sysfixtime',
  which can lead to incorrect uptime calculations.

  Apply a proposed fix from upstream that uses /proc/uptime

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
7 years agoMerge pull request #4834 from marcin1j/pr/20170911-mwan3-backport-lede17.01-66406f9
Hannu Nyman [Fri, 15 Sep 2017 12:49:40 +0000 (15:49 +0300)]
Merge pull request #4834 from marcin1j/pr/20170911-mwan3-backport-lede17.01-66406f9

mwan3: fix interface-bound traffic when interface is offline

7 years agomwan3: fix interface-bound traffic when interface is offline 4834/head
Marcin Jurkowski [Sat, 2 Sep 2017 22:56:09 +0000 (00:56 +0200)]
mwan3: fix interface-bound traffic when interface is offline

This is a backport of 66406f9 to LEDE 17.01 and replaces hotfix 282e900.

Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
7 years agohaproxy: update to 1.7.8 and pending patches
Thomas Heil [Wed, 16 Aug 2017 23:07:49 +0000 (01:07 +0200)]
haproxy: update to 1.7.8 and pending patches
 - fixes reload issue with hanging process

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
7 years agopcre: Added fix for CVE-2017-11164 by adding stack recursion limit
Thomas Heil [Sun, 3 Sep 2017 13:03:56 +0000 (15:03 +0200)]
pcre: Added fix for CVE-2017-11164 by adding stack recursion limit

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
7 years agopcre: upgrade to version 8.41
Thomas Heil [Wed, 16 Aug 2017 23:18:45 +0000 (01:18 +0200)]
pcre: upgrade to version 8.41
 - fixes security issues

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
7 years agostrongswan: fix typo
Stijn Tintel [Tue, 30 May 2017 17:25:04 +0000 (19:25 +0200)]
strongswan: fix typo

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 4660504c610cc1f4d3d8ef77e7f7fbc6b2fc3d54)

7 years agostrongswan: add curve25519 plugin
Stijn Tintel [Tue, 30 May 2017 13:12:08 +0000 (15:12 +0200)]
strongswan: add curve25519 plugin

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit a268689adca731fe9c500ddf43ba41b5a502a593)

7 years agostrongswan: bump to 5.5.3
Stijn Tintel [Tue, 30 May 2017 12:32:01 +0000 (14:32 +0200)]
strongswan: bump to 5.5.3

Fixes CVE-2017-9022, CVE-2017-9023.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 960006be50203ebeaa136ec49229eb286e9de785)

7 years agostrongswan: bump to 5.5.2
Stijn Tintel [Thu, 20 Apr 2017 14:55:51 +0000 (16:55 +0200)]
strongswan: bump to 5.5.2

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 18b076ab9359d56ff1fc5b89bda378f2e4723e2d)

Conflicts:
net/strongswan/Makefile

7 years agoMerge pull request #4722 from TDT-GmbH/mwan3-fixes
champtar [Fri, 25 Aug 2017 21:10:45 +0000 (14:10 -0700)]
Merge pull request #4722 from TDT-GmbH/mwan3-fixes

net/mwan3: fixes for mwan3 (lede-17.01)