Age | Commit message (Collapse) | Author |
|
- Update microcode for 24 CPU types
- Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
Coffee Lake
- Missing production updates:
- Broadwell-E/EX Xeons (sig 0x406f1)
- Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
Gemini Lake, Denverton
- New Microcodes:
- sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140
- sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
Fixes:
CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL
CVE-2016-5419: TLS session resumption client cert bypass
CVE-2016-5420: Re-using connections with wrong client cert
CVE-2016-5421: use of connection struct after free
CVE-2016-7141: Incorrect reuse of client certificates
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-9586: printf floating point buffer overflow
CVE-2017-7407: tool_writeout: fixed a buffer read overrun on --write-out
CVE-2017-1000100: tftp: reject file name lengths that don't fit
CVE-2017-1000101: glob: do not continue parsing after a strtoul() overflow range
CVE-2017-1000254: FTP: zero terminate the entry path even on bad input
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
1721453 Remove special handling of A-for-A queries.
499d8dd Fix boundary for test introduced in 3e3f1029c9ec6c63e430ff51063a6301d4b2262
6f1cbfd Fix debian/readme typo.
55ecde7 Inotify: Ignore backup files created by editors
6b54d69 Make failure to chown() pidfile a warning.
246a31c Change ownership of pid file, to keep systemd happy.
83e4b73 Remove confusion between --user and --script-user.
6340ca7 Tweak heuristic for initial DNSSEC memory allocation.
baf553d Default min-port to 1024 to avoid reserved ports.
486bcd5 Simplify and correct bindtodevice().
be9a74d Close Debian bug for CVE-2017-15107.
ffcbc0f Example config typo fixes.
a969ba6 Special case NSEC processing for root DS record, to avoid spurious BOGUS.
f178172 Add homepage to Debian control file.
cd7df61 Fix DNSSEC validation errors introduced in 4fe6744a220eddd3f1749b40cac3dfc510787de6
c1a4e25 Try to be a little more clever at falling back to smaller DNS packet sizes.
4fe6744 DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies.
3bd4c47 Remove limit on length of command-line options.
98196c4 Typo fix.
22cd860 Allow more than one --bridge-interface option to refer to an interface.
3c973ad Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation.
faaf306 Spelling fixes.
c7e6aea Change references to gPXE to iPXE. Development of EtherBoot gPXE was always development of iPXE core developer Michael Brown.
e541245 Handle duplicate RRs in DNSSEC validation.
84a01be Bump year in Debian copyright notice.
d1ced3a Update copyrights to 2018.
a6cee69 Fix exit code from dhcp_release6.
0039920 Severely fix code formating of contrib/lease-tools/dhcp_release6.c
39d8550 Run Debian startup regex in "C" locale.
ef3d137 Fix infinite retries in strict-order mode.
8c707e1 Make 373e91738929a3d416e6292e65824184ba8428a6 compile without DNSSEC.
373e917 Fix a6004d7f17687ac2455f724d0b57098c413f128d to cope with >256 RRs in answer section.
74f0f9a Commment language tweaks.
ed6bdb0 Man page typos.
c88af04 Modify doc.html to mention git-over-http is now available.
ae0187d Fix trust-anchor regexp in Debian init script.
0c50e3d Bump version in Debian package.
075366a Open inotify socket only when used.
8e8b2d6 Release notes update.
087eb76 Always return a SERVFAIL response to DNS queries with RD=0.
ebedcba Typo in printf format string added in 22dee512f3738f87539a79aeb52b9e670b3bd104
0954a97 Remove RSA/MD5 DNSSEC algorithm.
b77efc1 Tidy DNSSEC algorithm table use.
3b0cb34 Fix manpage which said ZSK but meant KSK.
aa6f832 Add a few DNS RRs to the table.
ad9c6f0 Add support for Ed25519 DNSSEC signature algorithm.
a6004d7 Fix caching logic for validated answers.
c366717 Tidy up add_resource_record() buffer size checks.
22dee51 Log DNS server max packet size reduction.
6fd5d79 Fix logic on EDNS0 headers.
9d6918d Use IP[V6]_UNICAST_IF socket option instead of SO_BINDTODEVICE for DNS.
a49c5c2 Fix search_servers() segfault with DNSSEC.
30858e3 Spaces in CNAME options break parsing.
Refresh patches.
Remove upstreamed patches:
270-dnssec-wildcards.patch
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
A DNSSEC validation error was introduced in the fix for CVE-2017-15107
Backport the upstream fix to the fix (a simple typo)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
|
CVE-2017-15107
An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org and still have it signed by the
signature for the wildcard. So, for example
!.example.org NSEC zz.example.org
is fine.
The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove the nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.
This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exists, when it may well do so.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
|
This patch adds a parser for the uci representation of
dnsmasq's "-a | --listen-address" option.
In summary, this option forces dnsmasq to listen on the
given IP address(es). Both interface and listen-address
options may be given, in which case the set of both
interfaces and addresses is used.
Note that if no interface option is given, but listen_address is,
dnsmasq will not automatically listen on the loopback interface.
To achieve this, the loopback IP addresses, 127.0.0.1 and/or ::1
must be explicitly added.
This option is useful for ujailed dnsmasq instances, that would
otherwise fail to work properly, because listening to the
"This host on this network" address (aka 0.0.0.0 see rfc1700 page 4)
may not be allowed.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
Compiling the Intel microcode package results in a
microcode.bin and a microcode-64.bin. As we can
decide based on the subtarget which should be used,
we'll only split the required .bin file with
iucode-tool.
The microcodes will be updated from preinit via a common
script - that's the earliest place where we can do it.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
Add tool to "compile" Intel microcode files. The tool will be
compiled for host (to split the microcode.dat) and for target
(to forcibly reload the microcode if required).
Instead of using the large microcode.bin/microcode-64.bin, the
splitted ucode files (separate for CPU families) will be
installed.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
Use the Debian repository for sourcing the ucode files.
Current (20171205) includes support for fam17h CPUs already.
The microcodes will be updated from preinit via a common
script - that's the earliest place where we can do it.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
CC: update kernel and openssl to latest versions
|
|
Newer kernels treat differing signatures an error, not just a warning,
so fix the signatures to match.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
|
|
They were incomplete, so fix them to properly update the function signatures
to what is expected.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
|
|
Minimum supported kernel is 3.18, so we don't need to test for anything
older. In addition, the API hasn't changed since then, so we don't need
to check for any kernel version at all. This helps to keeps the amount
of changes more managable.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
|
|
Add the required changes to make it compile for 4.1 again.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46306
|
|
ar7-atm will require modifications to build on 4.1.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46185
|
|
Remove the usage of the __TIME__ and __DATE__ macro.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 47797
|
|
Update to "latest" HEAD and update it to match latest API changes.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46305
|
|
Fixes:
CVE-2017-3737
CVE-2017-3738
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
CC: upgrade libpcap to 1.8.1
|
|
Add patches provided upstream [1] by Fabio Berton to fix error:
> ./gencode.c: In function 'pcap_compile':
> ./gencode.c:693:8: error: 'compiler_state_t {aka struct _compiler_state}' has no member named 'ai'
> cstate.ai = NULL;
> ^
> ./gencode.c: In function 'gen_gateway':
> ./gencode.c:4914:13: error: 'cstate' undeclared (first use in this function)
> bpf_error(cstate, "direction applied to 'gateway'");
> ^
[1] https://github.com/the-tcpdump-group/libpcap/pull/541
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Tested-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
|
|
Update libpcap to upstream release 1.8.1
Change the name from libpcap.so.1.3 to libpcap.so.1
Remove parts of patch 201 which moved code among src files.
Import patch 204 from Debian to update the USB path.
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [fix parallel build bug]
|
|
There seems to be a situation in which a rebuild of libpcap.so is triggered
in the install step of the libpcap Makefile. libpcap.so is the wrong
target, leading to the build failure reported in [1].
Fix the dependency of install-shared-so to $(SHAREDLIB) so the build can
succeed in this case.
[1] https://dev.openwrt.org/ticket/19894
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
|
|
If building usbmon support then you'll likely want to have
USB support in libpcap as well.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@47265 3c298f89-4303-0410-b956-a3cf2f4a3e73
|
|
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@46776 3c298f89-4303-0410-b956-a3cf2f4a3e73
|
|
Signed-off-by: Steven Barth <steven@midlink.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@46074 3c298f89-4303-0410-b956-a3cf2f4a3e73
|
|
Update the MD5 of the firmware for Raspberry Pi to enable build on the Chaos Calmer / 15.05.1 target again.
The checksum changed due to changes of the Github Tar Handling as described here: raspberrypi/firmware#873
After that change, builds for RPi on 15.05.1 succeed again.
Signed-off-by: Nico Maas <mail@nico-maas.de>
|
|
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
|
|
Signed-off-by: Stanislav Izmalkov <izstas@live.ru>
|
|
Some packages don't use /etc/ssl/certs but instead use /etc/ssl/certs/ca-certificates.crt.
For those packages add a ca-bundle package>.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
|
|
- update to latest version 20160104
- remove cpu dependency (PKGARCH:=all)
- set myself as package maintainer
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@48271 3c298f89-4303-0410-b956-a3cf2f4a3e73
|
|
update to version 20151214
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@48000 3c298f89-4303-0410-b956-a3cf2f4a3e73
|
|
Fixes:
CVE-2017-3735
CVE-2017-3736
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
Drop hardcoded URL and use the @KERNEL alias.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
CC: upgrade openssl, fix ugps compilation
|
|
This is a simple version bump.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
Thanks to alex <peterwillcn@gmail.com> for reporting a fix.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
wireguard: add wireguard to base packages [chaos branch]
|
|
CC: upgrade hostapd to 2016-06-15, include KRACK fix
|
|
Move wireguard from openwrt/packages to openwrt/openwrt. This has already
been done with lede/source and has already been removed from
openwrt/packages, and so this commit brings this to parity here, so that
there isn't a regression for openwrt users. Original message follows below:
This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.
WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
CC: mbedtls fixes
|
|
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
luci using ustream-mbedtls is extremely slow vs ustream-polarssl.
polarssl alias mbedtls v1 is configured to use NIST prime speed
optimisation, so no longer disable the default optimisation for
mbedtls v2.
Compile & run tested: Archer C7v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
[Jo-Philipp Wich: refresh patch to use common format]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
|
reinstallation
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088
For more information, please refer to:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
|
|
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
Fixes CVE-2016-4476 and few possible memory leaks.
Signed-off-by: Michal Hrusecky <Michal.Hrusecky@nic.cz>
|