aboutsummaryrefslogtreecommitdiffstats
path: root/package
Commit message (Collapse)AuthorAgeFilesLines
...
* uencrypt: add package to decrypt WG4хх223 configEneas U de Queiroz2022-08-193-0/+194
| | | | | | | | | This adds a simple AES-128-CBC encryption/decryption program using either wolfSSL or OpenSSL as backend to decrypt Arcadyan WG4xx223 configuration partitions. The ipk size is 3,355 bytes. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit bc43ad88ed18722c0621fd6dfef0ff68268f4e14)
* odhcp6c: update to git HEADHans Dedecker2022-08-181-3/+3
| | | | | | | 7d21e8d dhcpv6: add option to ignore stateless advertise Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (cherry picked from commit a23d132cff541210b281ac60de619e7ce7ec3ba0)
* ramips: add support for MTS WG430223Mikhail Zhilkin2022-08-161-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | MTS WG430223 is a wireless AC1300 (WiFi 5) router manufactured by Arcadyan company. It's very similar to Beeline Smartbox Flash (Arcadyan WG443223). Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 128 MiB Flash: 128 MiB (Winbond W29N01HV) Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2 Wireless 5 GHz (MT7615DN): a/n/ac, 2x2 Ethernet: 3xGbE (WAN, LAN1, LAN2) USB ports: No Button: 1 (Reset/WPS) LEDs: 2 (Red, Green) Power: 12 VDC, 1 A Connector type: Barrel Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2) OEM: Arcadyan WG430223 Installation ------------ 1. Login to the router web interface (superadmin:serial number) 2. Navigate to Administration -> Miscellaneous -> Access control lists & enable telnet & enable "Remote control from any IP address" 3. Connect to the router using telnet (default admin:admin) 4. Place *factory.trx on any web server (192.168.1.2 in this example) 5. Connect to the router using telnet shell (no password required) 6. Save MAC adresses to U-Boot environment: uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \ awk '{print $5}') uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \ awk '{print $5}') uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \ awk '{print $5}') uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \ awk '{print $5}') 7. Ensure that MACs were saved correctly: uboot_env --get --name eth2macaddr uboot_env --get --name eth3macaddr uboot_env --get --name ra0macaddr uboot_env --get --name rax0macaddr 8. Download and write the OpenWrt images: cd /tmp wget http://192.168.1.2/factory.trx mtd_write erase /dev/mtd4 mtd_write write factory.trx /dev/mtd4 9. Set 1st boot partition and reboot: uboot_env --set --name bootpartition --value 0 Back to Stock ------------- 1. Run in the OpenWrt shell: fw_setenv bootpartition 1 reboot 2. Optional step. Upgrade the stock firmware with any version to overwrite the OpenWrt in Slot 1. MAC addresses ------------- +-----------+-------------------+----------------+ | Interface | MAC | Source | +-----------+-------------------+----------------+ | label | A4:xx:xx:51:xx:F4 | No MACs was | | LAN | A4:xx:xx:51:xx:F6 | found on Flash | | WAN | A4:xx:xx:51:xx:F4 | [1] | | WLAN_2g | A4:xx:xx:51:xx:F5 | | | WLAN_5g | A6:xx:xx:21:xx:F5 | | +-----------+-------------------+----------------+ [1]: a. Label wasb't found neither in factory nor in other places. b. MAC addresses are stored in encrypted partition "glbcfg". Encryption key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack with saving of the MACs to u-boot-env during the installation was applied. c. Default Ralink ethernet MAC address (00:0C:43:28:80:A0) was found in "Factory" 0xfff0. It's the same for all MTS WG430223 devices. OEM firmware also uses this MAC when initialazes ethernet driver. In OpenWrt we use it only as internal GMAC (eth0), all other MACs are unique. Therefore, there is no any barriers to the operation of several MTS WG430223 devices even within the same broadcast domain. Stock firmware image format --------------------------- The same as Beeline Smartbox Flash but with another trx magic +--------------+---------------+----------------------------------------+ | Offset | | Description | +==============+===============+========================================+ | 0x0 | 31 52 48 53 | TRX magic "1RHS" | +--------------+---------------+----------------------------------------+ Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> (cherry picked from commit 498c15376bae109bfe130cc5581f83e4cc52c0f9)
* iwinfo: update to latest HEADHauke Mehrtens2022-08-141-3/+3
| | | | | | | 705d3b5 iwinfo: Add missing auth_suites mappings for WPA3 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit cc2dfc5e4dc2e480203b826749186c73021795df)
* kernel: kmod-phy-smsc: Add new PHYHauke Mehrtens2022-08-142-1/+17
| | | | | | | | This adds the SMSC PHY which is needed by the kmod-usb-net-smsc95xx driver. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 5b016a88f92f25dd7d32438bce3a469f343f4009)
* kernel: kmod-phy-ax88796b: Add new PHYHauke Mehrtens2022-08-142-1/+18
| | | | | | | | This adds the AX88796B PHY which is needed by the kmod-usb-net-asix driver. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 712ff388bcd0811256c07e8e1f4b92a007adaa7f)
* kernel: kmod-ipt-ulog: Remove packageHauke Mehrtens2022-08-142-31/+0
| | | | | | | | The ulog iptables target was removed with kernel 3.17, remove the kernel and also the iptables package in OpenWrt too. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 2a0284fb0325f07e79b9b4c58a7d280ba9999a39)
* kernel: kmod-nft-nat6: Remove packageHauke Mehrtens2022-08-142-12/+1
| | | | | | | | | | | | The nft NAT packages for IPv4 and IPv6 were merged into the common packages with kernel 5.1. The kmod-nft-nat6 package was empty in our build, remove it. Multiple kernel configuration options were also removed, remove them from our generic kernel configuration too. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit b75425370d8de747457c137463bc4d15f6f44d00)
* kernel: ipt-ipset: Add ipset/ip_set_hash_ipmac.koHauke Mehrtens2022-08-141-0/+1
| | | | | | | | Add the ipset/ip_set_hash_ipmac.ko file. The CONFIG_IP_SET_HASH_IPMAC KConfig option is already set by the package. Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com> (cherry picked from commit 6a2e9f3da6d0f0f3ae382db1e77a65c2f0e67d24)
* kernel: netsupport: kmod-sched: explicitly define included modulesThomas Langer2022-08-141-6/+5
| | | | | | | | | | | Change SCHED_MODULES_EXTRA to an explicit list of modules instead of taking everything that is not filtered out. This removes the need of updating the filter each time an extra sch_*, act_* or similar is added with an own kmod definition. Signed-off-by: Thomas Langer <tlanger@maxlinear.com> Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com> (cherry picked from commit 1b956e66ccafc962033260567c2f1e845f71683f)
* kernel: netsupport: kmod-sched: Add kmod-lib-textsearch dependencyHauke Mehrtens2022-08-141-1/+1
| | | | | | | | The CONFIG_NET_EMATCH_TEXT configuration option depends on the kmod-lib-textsearch package. Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com> (cherry picked from commit 3cc878a8d3e4d2d445bf2ee34883e9326bfa0bb2)
* kernel: netsupport: kmod-sched: Remove sch_fq_codel and sch_fifoHauke Mehrtens2022-08-141-3/+1
| | | | | | | | | | The sch_fq_codel.ko and the sch_fifo.ko are always compiled into the kernel, they are activated in the generic kernel configuration. There is no need to activate the build of these kernel modules in the kmod-sched* packages. Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com> (cherry picked from commit 606e357bf824a314a0c6a147539974e99e8aabe1)
* arm-trusted-firmware-mediatek: skip bad blocks on SPI-NAND (SNFI)Daniel Golle2022-08-121-0/+40
| | | | | | | | | | Add patch to skip bad blocks when reading from SPI-NAND. This is needed in case erase block(s) early in the flash inside the FIP area are bad and hence need to be skipped in order to be able to boot on such damaged chips. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit c0109537d13650e3cfd4d4840c571a0d557b303a)
* fstools: add uci fstab section to conffiles for package block-mountFlorian Eckert2022-08-121-0/+4
| | | | | | | | | | | The command 'opkg search /etc/config/fstab' does not return a package name for this config file. In order to know to which package this config file belongs to, a 'conffiles' entry was made for this file to package 'block-mount'. Signed-off-by: Florian Eckert <fe@dev.tdt.de> (cherry picked from commit 885f04b30556edddb9378c5e9eb561334e44ac7a) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* kernel: scale nf_conntrack_max more reasonablyVincent Pelletier2022-08-111-1/+0
| | | | | | | | | | | | | | | | | | | | Use the kernel's built-in formula for computing this value. The value applied by OpenWRT's sysctl configuration file does not scale with the available memory, under-using hardware capabilities. Also, that formula also influences net.netfilter.nf_conntrack_buckets, which should improve conntrack performance in average (fewer connections per hashtable bucket). Backport upstream commit for its effect on the number of connections per hashtable bucket. Apply a hack patch to set the RAM size divisor to a more reasonable value (2048, down from 16384) for our use case, a typical router handling several thousands of connections. Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com> Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com> (cherry picked from commit 15fbb916669dcdfcc706e9e75263ab63f9f27c00)
* dnsmasq: fix jail_mount for serversfileBruno Victal2022-08-101-1/+8
| | | | | | | | Fix 'serversfile' option not being jail_mounted by the init script. Signed-off-by: Bruno Victal <brunovictal@outlook.com> (cherry picked from commit 0276fab64933dc42bad865974dc224e2672f99fe) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* zlib: backport null dereference fixPetr Štetiar2022-08-092-1/+30
| | | | | | | | | | | | | The curl developers found test case that crashed in their testing when using zlib patched against CVE-2022-37434, same patch we've backported in commit 7df6795d4c25 ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)"). So we need to backport following patch in order to fix issue introduced in that previous CVE-2022-37434 fix. References: https://github.com/curl/curl/issues/9271 Fixes: 7df6795d4c25 ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)") Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit f443e9de7003c00a935b9ea12f168e09e83b48cd)
* zlib: bump PKG_RELEASE after CVE fixPetr Štetiar2022-08-081-1/+1
| | | | | | | | | Fixing missed bump of PKG_RELEASE while backporting commit 7561eab8e86e ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)") as package in master is using AUTORELEASE. Fixes: 7561eab8e86e ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)") Signed-off-by: Petr Štetiar <ynezz@true.cz>
* zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)Petr Štetiar2022-08-081-0/+32
| | | | | | | | | | | | | zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader. Fixes: CVE-2022-37434 References: https://github.com/ivd38/zlib_overflow Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 7df6795d4c25447683fd4b4a4813bebcddaea547)
* odhcpd: update to git HEADHans Dedecker2022-08-071-3/+3
| | | | | | | | 860ca90 odhcpd: Support for Option NTP and SNTP 83e14f4 router: advertise removed addresses as invalid in 3 consecutive RAs Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (cherry picked from commit 73c6d8fd046298face0e8aea8e52cc0faca67324)
* uboot-mvebu: update to v2022.07Andre Heider2022-08-063-33/+22
| | | | | | | | | | | | | | | | | - Release announcement: https://lore.kernel.org/u-boot/20220711134339.GV1146598@bill-the-cat/ - Changes between 2022.04 and 2022.07: https://source.denx.de/u-boot/u-boot/-/compare/v2022.04...v2022.07?from_project_id=531 Remove one upstreamed patch and add patch to fix issue with sunxi tool as it uses function from newer version libressl (3.5.0). Signed-off-by: Andre Heider <a.heider@gmail.com> Tested-by: Josef Schlehofer <pepe.schlehofer@gmail.com> [Turris Omnia] (cherry picked from commit 24bf6813bad98a8eba5430ed5e4da89d54797274) Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> [Improve commit message]
* ramips: support fw_printenv for Netgear WAX202Wenli Looi2022-08-061-1/+2
| | | | | | | | | Config partition contains uboot env for the first 0x20000 bytes. The rest of the partition contains other data including the device MAC address and the password printed on the label. Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> (cherry picked from commit 0bfe1cfbb13c58d909951cab9fac8910ccbe74f3)
* umdns: add missing syscall to seccomp filterChen Minqiang2022-08-061-0/+4
| | | | | | | | | | | | | | There is some syscall missing: 'getdents64' 'getrandom' 'statx' 'newfstatat' Found with: 'mkdir /etc/umdns; ln -s /tmp/1.json /etc/umdns/; utrace /usr/sbin/umdns' Signed-off-by: Chen Minqiang <ptpt52@gmail.com> (cherry picked from commit 31cca8f8d3f6218965812c46de35ba30c4ba83ab)
* ramips: Add support command fw_setsys for Xiaomi routersOleg S2022-08-061-4/+10
| | | | | | | | | | | | | The system parameters are contained in the Bdata partition. To use the fw_setsys command, you need to create a file fw_sys.config. This file is created after calling the functions ubootenv_add_uci_sys_config and ubootenv_add_app_config. Signed-off-by: Oleg S <remittor@gmail.com> [ wrapped commit description to 72 char ] Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> (cherry picked from commit 6c7e337c80f92693c2ca628a4a56aeaec4cc3ca8)
* ltq-vdsl-app: Fix counter overflow resulting in negative valuesRoland Barenbrug2022-08-061-1/+1
| | | | | | | | | | | | | The re-transmit counters can overflow the 32 bit representation resulting in negative values being displayed. Background being that the numbers are treated at some point as signed INT rather than unsigned INT. Change the counters from 32 bit to 64 bit, should provide sufficient room to avoid any overflow. Not the nicest solution but it works Fixes: #10077 Signed-off-by: Roland Barenbrug <roland@treslong.com> Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> (cherry picked from commit 456b9029d764e69f390ee26bca24883b12eb83c2)
* libmnl: fix build when bash is not located at /bin/bashMark Mentovai2022-08-051-0/+11
| | | | | | | | | | | | | This fixes the libmnl build on macOS, which ships with an outdated bash at /bin/bash. During the OpenWrt build, a modern host bash is built and made available at staging_dir/host/bin/bash, which is present before /bin/bash in the build's PATH. This is similar to 8f7ce3aa6dda, presently appearing at package/kernel/mac80211/patches/build/001-fix_build.patch. Signed-off-by: Mark Mentovai <mark@mentovai.com> (cherry picked from commit beeb49740bb4f68aadf92095984a2d1f9a488956)
* OpenWrt v22.03.0-rc6: revert to branch defaultsHauke Mehrtens2022-08-011-2/+2
| | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* OpenWrt v22.03.0-rc6: adjust config defaultsv22.03.0-rc6Hauke Mehrtens2022-08-011-2/+2
| | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mac80211: Update to version 5.15.58-1Hauke Mehrtens2022-07-3128-206/+70
| | | | | | | | | This updates mac80211 to version 5.15.58-1 which is based on kernel 5.15.58. The removed patches were applied upstream. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 3aa18f71f9c8a5447bdd2deda4e681175338164f)
* wolfssl: fix math library buildJohn Audia2022-07-311-0/+23
| | | | | | | | | | | | | | Apply upstream patch[1] to fix breakage around math libraries. This can likely be removed when 5.5.0-stable is tagged and released. Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B 1. https://github.com/wolfSSL/wolfssl/pull/5390 Signed-off-by: John Audia <therealgraysky@proton.me> (cherry picked from commit c2aa816f28e0fe2f6f77d0c6da4eba19ea8db4ea)
* odhcp6c: update to latest git HEADDávid Benko2022-07-311-3/+3
| | | | | | | 9212bfc odhcp6c: fix IA discard when T1 > 0 and T2 = 0 Signed-off-by: Dávid Benko <davidbenko@davidbenko.dev> (cherry picked from commit f9209086264a5c5c55f1eb3cbd2399cf47e29f22)
* firewall3: update file hashMichael Pratt2022-07-311-1/+1
| | | | | | | | | the hash and timestamp of the remote copy of the archive has changed since last bump meaning the remote archive copy was recreated Signed-off-by: Michael Pratt <mcpratt@pm.me> (cherry picked from commit ba7da7368086d0721da7cd4d627209dffda5c1d6)
* uboot-at91: fix build on buildbotsClaudiu Beznea2022-07-311-1/+2
| | | | | | | | | | | | | | | | Buidbots are throwing the following compile error: In file included from tools/aisimage.c:9: include/image.h:1133:12: fatal error: openssl/evp.h: No such file or directory ^~~~~~~~~~~~~~~ compilation terminated. Fix it by passing `UBOOT_MAKE_FLAGS` variable to make. Suggested-by: Petr Štetiar <ynezz@true.cz> Fixes: 6d5611af2813 ("uboot-at91: update to linux4sam-2022.04") Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com> (cherry picked from commit 95a24b54792ccf072c029edad495deb529383478)
* uboot-at91: update to linux4sam-2022.04Claudiu Beznea2022-07-312-16/+6
| | | | | | | | | | Update uboot-at91 to linux4sam-2022.04. As linux4sam-2022.04 is based on U-Boot v2022.01 which contains commit 93b196532254 ("Makefile: Only build dtc if needed") removed also the DTC variable passed to MAKE to force the compilation of DTC. Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com> (cherry picked from commit 6d5611af2813e5f06fbf9b400ef0fe642f16c566)
* at91bootstrap: update at91bootstrap v4 targets to v4.0.3Claudiu Beznea2022-07-311-3/+3
| | | | | | | Update AT91Bootstrap v4 capable targets to v4.0.3. Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com> (cherry picked from commit 859f5f9aec23c96ec3151175c349ffdbe6b108ef)
* wolfssl: make shared againJo-Philipp Wich2022-07-302-2/+0
| | | | | | | | | | | | | | | Disable the usage of target specific CPU crypto instructions by default to allow the package being shared again. Since WolfSSL does not offer a stable ABI or a long term support version suitable for OpenWrt release timeframes, we're forced to frequently update it which is greatly complicated by the package being nonshared. People who want or need CPU crypto instruction support can enable it in menuconfig while building custom images for the few platforms that support them. Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 0063e3421de4575e088bb428e758751931bbe6fd)
* uboot-bcm4908: include SoC in output filesRafał Miłecki2022-07-281-2/+4
| | | | | | | | | This fixes problem of overwriting BCM4908 U-Boot and DTB files by BCM4912 ones. That bug didn't allow booting BCM4908 devices. Fixes: f4c2dab544ec2 ("uboot-bcm4908: add BCM4912 build") Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit a8e1e30543239e85ff5dc220368164b66cf73fba)
* layerscape: update PKG_HASH / PKG_MIRROR_HASHChristian Lamparter2022-07-239-9/+9
| | | | | | | | | | | The change of the PKG_VERSION caused the hash of the package to change. This is because the PKG_VERSION is present in the internal directory structure of the archive. Fixes: 038d5bdab117 ("layerscape: use semantic versions for LSDK") Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (cherry picked from commit e879cccaa21563a7cdf47797b18fb86723720158) (cherry picked from commit d4391ef073825f5817cdbcc3fc215311f1bbb461)
* sdk: add spidev-test to the bundle of userspace sourcesChristian Lamparter2022-07-221-2/+3
| | | | | | | | | | | | | | moves and extends the current facilities, which have been added some time ago for the the usbip utility, to support more utilites that are shipped with the Linux kernel tree to the SDK. this allows to drop all the hand-waving and code for failed previous attempts to mitigate the SDK build failures. Fixes: bdaaf66e28bd ("utils/spidev_test: build package directly from Linux") Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (cherry picked from commit b479db9062b721776be44b976961a1031c1344ea)
* wolfssl: Do not activate HW acceleration on armvirt by defaultHauke Mehrtens2022-07-201-1/+1
| | | | | | | | | | | | | | The armvirt target is also used to run OpenWrt in lxc on other targets like a Raspberry Pi. If we set WOLFSSL_HAS_CPU_CRYPTO by default the wolfssl binray is only working when the CPU supports the hardware crypto extension. Some targets like the Raspberry Pi do not support the ARM CPU crypto extension, compile wolfssl without it by default. It is still possible to activate it in custom builds. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit d1b5d17d03c844ad578bb53b90ea17377bdc5eee)
* libpcap: fix PKG_CONFIG_DEPENDS for rpcapdJianhui Zhao2022-07-201-0/+2
| | | | | | | | This fix allows trigger a rerun of Build/Configure when rpcapd was selected. Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com> (cherry picked from commit 6902af4f3075154b5d1de207452a8a5668f95203)
* wolfssl: WOLFSSL_HAS_WPAS requires WOLFSSL_HAS_DHPascal Ernster2022-07-201-0/+1
| | | | | | | | | | Without this, WOLFSSL_HAS_DH can be disabled even if WOLFSSL_HAS_WPAS is enabled, resulting in an "Anonymous suite requires DH" error when trying to compile wolfssl. Signed-off-by: Pascal Ernster <git@hardfalcon.net> Reviewed-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 21825af2dad0070affc2444ff56dc84a976945a2)
* firewall3: bump to latest git HEADRui Salvaterra2022-07-191-3/+3
| | | | | | | | | 4cd7d4f Revert "firewall3: support table load on access on Linux 5.15+" 50979cc firewall3: remove unnecessary fw3_has_table Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com> (cherry-picked from commit 435d7a052bf1b6a3a01cb3ad6cda6ba4b25b1879) Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
* opkg: update to 2022-02-24Josef Schlehofer2022-07-171-3/+3
| | | | | | | | | | | Changes: 9c44557 opkg_remove: avoid remove pkg repeatly with option --force-removal-of-dependent-packages 2edcfad libopkg: set 'const' attribute for argv This should fix the CI error in the packages repository, which happens with perl. Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> (cherry picked from commit e21fea92891fbdfb4eb14e9fe836530b6225cb1f)
* firmware: intel-microcode: update to 20220510Christian Lamparter2022-07-171-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Debians' changelog by Henrique de Moraes Holschuh <hmh@debian.org>: * New upstream microcode datafile 20220419 * Fixes errata APLI-11 in Atom E3900 series processors * Updated Microcodes: sig 0x000506ca, pf_mask 0x03, 2021-11-16, rev 0x0028, size 16384 * New upstream microcode datafile 20220510 * Fixes INTEL-SA-000617, CVE-2022-21151: Processor optimization removal or modification of security-critical code may allow an authenticated user to potentially enable information disclosure via local access (closes: #1010947) * Fixes several errata (functional issues) on Xeon Scalable, Atom C3000, Atom E3900 * New Microcodes: sig 0x00090672, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992 sig 0x00090675, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992 sig 0x000906a3, pf_mask 0x80, 2022-03-24, rev 0x041c, size 212992 sig 0x000906a4, pf_mask 0x80, 2022-03-24, rev 0x041c, size 212992 sig 0x000b06f2, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992 sig 0x000b06f5, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992 * Updated Microcodes: sig 0x00030679, pf_mask 0x0f, 2019-07-10, rev 0x090d, size 52224 sig 0x000406e3, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 106496 sig 0x00050653, pf_mask 0x97, 2021-11-13, rev 0x100015d, size 34816 sig 0x00050654, pf_mask 0xb7, 2021-11-13, rev 0x2006d05, size 43008 sig 0x00050656, pf_mask 0xbf, 2021-12-10, rev 0x4003302, size 37888 sig 0x00050657, pf_mask 0xbf, 2021-12-10, rev 0x5003302, size 37888 sig 0x0005065b, pf_mask 0xbf, 2021-11-19, rev 0x7002501, size 29696 sig 0x000506c9, pf_mask 0x03, 2021-11-16, rev 0x0048, size 17408 sig 0x000506e3, pf_mask 0x36, 2021-11-12, rev 0x00f0, size 109568 sig 0x000506f1, pf_mask 0x01, 2021-12-02, rev 0x0038, size 11264 sig 0x000606a6, pf_mask 0x87, 2022-03-30, rev 0xd000363, size 294912 sig 0x000706a1, pf_mask 0x01, 2021-11-22, rev 0x003a, size 75776 sig 0x000706a8, pf_mask 0x01, 2021-11-22, rev 0x001e, size 75776 sig 0x000706e5, pf_mask 0x80, 2022-03-09, rev 0x00b0, size 112640 sig 0x000806a1, pf_mask 0x10, 2022-03-26, rev 0x0031, size 34816 sig 0x000806c1, pf_mask 0x80, 2022-02-01, rev 0x00a4, size 109568 sig 0x000806c2, pf_mask 0xc2, 2021-12-07, rev 0x0026, size 97280 sig 0x000806d1, pf_mask 0xc2, 2021-12-07, rev 0x003e, size 102400 sig 0x000806e9, pf_mask 0x10, 2021-11-12, rev 0x00f0, size 105472 sig 0x000806e9, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 105472 sig 0x000806ea, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 105472 sig 0x000806eb, pf_mask 0xd0, 2021-11-15, rev 0x00f0, size 105472 sig 0x000806ec, pf_mask 0x94, 2021-11-17, rev 0x00f0, size 105472 sig 0x00090661, pf_mask 0x01, 2022-02-03, rev 0x0016, size 20480 sig 0x000906c0, pf_mask 0x01, 2022-02-19, rev 0x24000023, size 20480 sig 0x000906e9, pf_mask 0x2a, 2021-11-12, rev 0x00f0, size 108544 sig 0x000906ea, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 104448 sig 0x000906eb, pf_mask 0x02, 2021-11-12, rev 0x00f0, size 105472 sig 0x000906ec, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 104448 sig 0x000906ed, pf_mask 0x22, 2021-11-16, rev 0x00f0, size 104448 sig 0x000a0652, pf_mask 0x20, 2021-11-16, rev 0x00f0, size 96256 sig 0x000a0653, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 97280 sig 0x000a0655, pf_mask 0x22, 2021-11-16, rev 0x00f0, size 96256 sig 0x000a0660, pf_mask 0x80, 2021-11-15, rev 0x00f0, size 96256 sig 0x000a0661, pf_mask 0x80, 2021-11-16, rev 0x00f0, size 96256 sig 0x000a0671, pf_mask 0x02, 2022-03-09, rev 0x0053, size 103424 Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (cherry picked from commit 2747a94f0977b36c4c29cc4596879b9127cfaf5f)
* openssl: bump to 1.1.1qDustin Lundquist2022-07-171-2/+2
| | | | | | | | | | | | | | | | | | Changes between 1.1.1p and 1.1.1q [5 Jul 2022] *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation would not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. (CVE-2022-2097) [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño] Signed-off-by: Dustin Lundquist <dustin@null-ptr.net> (cherry picked from commit 3899f68b54b31de4b4fef4f575f7ea56dc93d965)
* wolfssl: bump to 5.4.0Eneas U de Queiroz2022-07-164-48/+4
| | | | | | | | | | | | This version fixes two vulnerabilities: -CVE-2022-34293[high]: Potential for DTLS DoS attack -[medium]: Ciphertext side channel attack on ECC and DH operations. The patch fixing x86 aesni build has been merged upstream. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 9710fe70a68e0a004b1906db192d7a6c8f810ac5) Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* wolfssl: re-enable AES-NI by default for x86_64Eneas U de Queiroz2022-07-152-6/+45
| | | | | | | | | | | Apply an upstream patch that removes unnecessary CFLAGs, avoiding generation of incompatible code. Commit 0bd536723303ccd178e289690d073740c928bb34 is reverted so the accelerated version builds by default on x86_64. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 639419ec4fd1501a9b9857cea96474271ef737b1)
* mac80211: fix AQL issue with multicast trafficFelix Fietkau2022-07-131-0/+30
| | | | | | | Exclude multicast from pending AQL budget Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 9f1d6223289b5571ddc77c0e5327ab51137199d9)
* OpenWrt v22.03.0-rc5: revert to branch defaultsHauke Mehrtens2022-07-061-2/+2
| | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>