January 10th 2022 Security Releases:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
Prototype pollution via console.table properties (Low)(CVE-2022-21824)
Josef Schlehofer [Mon, 24 Jan 2022 22:04:13 +0000 (23:04 +0100)]
tvheadend: fix conffiles section
The previous one was wrong, and it did not work. It could be checked
inside the compiled package, in control.tar.gz, that the ``conffiles``
file with content `/etc/config/tvheadend` was missing.
It is also possible to verify that the config is not overwritten on the router
by running ``opkg install tvheadend --force-reinstall``
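As an added example (not code from the tvheadend package or the OpenWrt feed), the following POSIX shell builds two throwaway .ipk archives in a temp directory, one that declares /etc/config/tvheadend in conffiles and one that omits it, and inspects control.tar.gz the way the message above describes. The .ipk layout it assumes (a gzipped tar holding debian-binary, control.tar.gz and data.tar.gz) is the usual opkg layout; the package metadata and config content inside the fake archives are constructed for the example.

```shell
#!/bin/sh
# Added example: verify that an .ipk protects a config file via conffiles.
set -eu

# make_fake_ipk OUT [CONFFILE]
# Build a minimal opkg-style .ipk at OUT. When CONFFILE is given, it is
# written into control/conffiles; otherwise the conffiles file is omitted,
# which is the defect the commit message describes.
make_fake_ipk() {
    out=$1
    conf=${2:-}
    work=$(mktemp -d)
    mkdir -p "$work/control" "$work/data/etc/config"
    printf '2.0\n' > "$work/debian-binary"
    # Constructed metadata, not the real tvheadend control file.
    printf 'Package: tvheadend\nVersion: 0\nArchitecture: all\n' \
        > "$work/control/control"
    if [ -n "$conf" ]; then
        printf '%s\n' "$conf" > "$work/control/conffiles"
    fi
    printf 'config tvheadend\n' > "$work/data/etc/config/tvheadend"
    tar -C "$work/control" -czf "$work/control.tar.gz" .
    tar -C "$work/data" -czf "$work/data.tar.gz" .
    tar -C "$work" -czf "$out" ./debian-binary ./control.tar.gz ./data.tar.gz
    rm -rf "$work"
}

# ipk_has_conffile PKG PATH
# Return 0 if control.tar.gz inside PKG lists PATH in conffiles, 1 otherwise.
# A missing conffiles file counts as "not protected": opkg would then
# overwrite PATH on --force-reinstall or upgrade.
ipk_has_conffile() {
    pkg=$1
    path=$2
    tmp=$(mktemp -d)
    tar -xzf "$pkg" -C "$tmp" ./control.tar.gz
    if tar -xzf "$tmp/control.tar.gz" -C "$tmp" ./conffiles 2>/dev/null \
        && grep -qx "$path" "$tmp/conffiles"; then
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    return 1
}
```

Usage against a real package: `ipk_has_conffile ./tvheadend_*.ipk /etc/config/tvheadend && echo protected`. The check looks only at what the package declares; the `opkg install --force-reinstall` test from the message confirms the runtime behaviour on the router.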
This patch adds KERNEL=Linux to MAKE_FLAGS to avoid Darwin detection.
If the Makefile detects Darwin, it removes -lbsd from the build flags, but
this flag is required because the target is always Linux, not BSD-like.
Tiago Gaspar [Sat, 22 Jan 2022 01:49:31 +0000 (01:49 +0000)]
jool: remove iptables support and update templates
This commit removes iptables backend support and leaves only the
netfilter backend support. This means that:
- iptables- and nftables-based firewall systems (firewall3 and firewall4)
are supported through the netfilter instance mode
- the iptables/xtables mode support is disabled
For more information on the modes and how to use the new netfilter
instance, check out https://www.jool.mx/en/intro-jool.html
This move is made because of the upstream commit that sets firewall4 as the
default for new default builds and based on the conversation in #16818,
where it was decided that the netfilter interface is the priority since
iptables support will be dropped in the foreseeable future.
Kerma Gérald [Sat, 15 Jan 2022 07:33:46 +0000 (08:33 +0100)]
crowdsec-firewall-bouncer: fix name in initd to start the process
crowdsec renamed the binary from crowdsec-firewall-bouncer to cs-firewall-bouncer;
the initd needs the correct binary name to start the process.
The link to the github source also needs to be fixed (only the informational one).
Fix the BuildDate.
Updated copyright.
tcsh requires a host tool (gethost) to generate the tc.defs.c file.
To build this tool on macOS, it is required to run the ./configure
script without target vars/flags, but this package is not
split into host and target builds.
This patch splits the build into host and target builds to compile the
host tool (gethost) first, then compile tcsh.
Due to the lack of support for separately building host and target,
the OpenWrt Makefile is modified to do it in the order below:
1. build the host tool (gethost)
2. build the sh.err.h header for target
3. build the tc.const.h header for target
4. copy the gethost tool from the host staging dir to the target build dir
5. touch (make -t) gethost to protect it from recompiling
6. build tcsh for target
Steps 2 and 3 are required because 'make -t' generates
empty files, but these files are required to build tcsh.
Patch 020-cross.patch has been removed because it is not required
anymore (the gethost build is separated and not affected by
target configure flags and vars).
The ./configure script detects macOS-specific system headers
(IOKit/serial/ioss.h and sys/ttycom.h) that are not available
at compile time. There is no way to pass ac_cv_* vars to the
./configure script due to the perl wrappers.
To fix this issue, fake (empty) headers are provided at compile
time if the build host is macOS.
- mdio: The mvls subcommand now supports flushing the ATU
- mdio-netlink: Plug some glaring holes around integer overflows of
the PC.
- mdio-netlink: Release reference to MDIO bus after a transaction
completes.
So, update to the latest version and switch the kernel module back
to fetching tarballs like the userspace tool does.
luaossl detects the OS and changes compilation flags depending on the OS.
If Darwin is detected then it adds GCC-incompatible flags.
OpenWrt is always Linux, so build OS detection is disabled.
hwinfo host-compile builds hwinfo entirely, which is not really
required. It is required to build only some host tools to
generate ids and isdn-related C code.
This patch changes the host build to build only the required host tools.
Added a patch to remove malloc.h usage as deprecated, not required
and not supported on macOS (stdlib.h has the required functions
on Linux and macOS systems).
neon detects Darwin on the target build and fails due to Darwin-specific
build behaviour. OS detection is disabled (as not required) via
ne_cv_os_uname=Linux as a part of CONFIGURE_VARS.
Michal Hrusecky [Thu, 13 Jan 2022 14:11:01 +0000 (15:11 +0100)]
mariadb: Add sudo dependency
During update we use sudo to start an instance. It probably could be
worked around, but given the MariaDB size, a dependency on sudo shouldn't
be an issue.
Michal Hrusecky [Thu, 13 Jan 2022 14:04:57 +0000 (15:04 +0100)]
mariadb: Check and fix datadir owner issues during upgrade
If you are migrating to the MariaDB package, you might have an old datadir
stored somewhere using a different setup with different users. If you
trust us enough to enable autoupgrade, you probably trust us enough to
chown your datadir as well. This can prevent some potential issues.
R4SAS I2P [Sun, 26 Dec 2021 04:29:58 +0000 (04:29 +0000)]
i2pd: Update to 2.40.0 and update package sources
* Updating i2pd package to 2.40.0
* Rewrite Makefile
* Remove usage of PKG_INSTALL (package's make install)
* Rewrite init.rc configuration and script
* Remove the '--service' option from init, which only sets datadir to /var/lib/i2pd
* Use the '--datadir' option in init, otherwise changing datadir via uci does not work
* Update patch for i2pd.conf
modemmanager: remove 2s timeout before reporting cached events
When ModemManager is started on boot we may end up with hotplug events
reported directly to the daemon, plus some others already cached in
the cache file before the daemon was started.
If the cached events correspond to the same device that is still
notifying ports directly, we may end up with a modem object created
before the cached events have been emitted, so the modem may not
handle all control/data ports it should.
E.g.:
- modem detected
- hotplug event for wwan0 port, cached as MM not running
- hotplug event for cdc-wdm0 port, cached as MM not running
- hotplug event for ttyUSB0, cached as MM not running
- MM starts
- hotplug event for ttyUSB1, directly processed as MM is running
- hotplug event for ttyUSB2, directly processed as MM is running
- modem object created with ttyUSB1 and ttyUSB2
- 2s after MM starts, cached events for wwan0, cdc-wdm0 and ttyUSB0
happen, but are ignored because the modem object has already been
created
MM expects that ports of the same device are reported with less than
1500ms in between ports. In other words, if ports are reported more
than 1500ms after the last reported port, they may get ignored.
If we remove the 2s timeout, the report of the cached events will
happen as soon as MM starts, which makes it much more likely to fall
in the timeslot that MM expects ports of the same device to be reported in.
The logic is still not perfect, and we may also need to increase that
1500ms timeout inside MM, but removing the 2s timeout right away here
makes sense.
This 2s timeout was introduced along with the new wrapper launcher for
the daemon, it didn't exist before.
Michal Vasilek [Fri, 12 Nov 2021 16:02:51 +0000 (17:02 +0100)]
apparmor: cleanup
* replace 020-fix-ss-path.patch with an upstream patch 020-remove-which-dep.patch
* remove 030-remove-pynotify2-dep.patch and do not install aa-notify
* simplify 060-openwrt-dnsmasq-profile.patch
* add two upstream patches for Python 3.10 compatibility
* add an upstream patch to move from deprecated distutils which broke
the build with Python 3.10+
Hauke Mehrtens [Sun, 9 Jan 2022 18:45:49 +0000 (18:45 +0000)]
gpgme: Fix compile with glibc 2.34
This backports a patch from upstream gpgme to fix compilation with glibc 2.34.
It fixes the following build problem:
posix-io.c: In function '_gpgme_io_spawn':
posix-io.c:577:23: error: void value not ignored as it ought to be
577 | while ((i = closefrom (fd)) && errno == EINTR)
| ^
make[5]: *** [Makefile:947: posix-io.lo] Error 1
The ./configure script detects if serdisplib is built on a non-Linux build
host and disables the framebuffer driver. This blocks touchscreen_tool
compilation. This detection is not required on a cross-compile build,
so it is disabled via ac_cv_build=$(GNU_TARGET_NAME) in the Makefile.
The ./configure script detects the mtab file and fails the build if mtab is not
found on the build host. It is not required for the OpenWrt build because
mtab is always /etc/mtab on OpenWrt.
macOS doesn't have an mtab file, so disable the check via the ac_cv_mtab_file var.
Add checks not to overwrite defaultnotify options in the nut-sendmail-notify fashion.
Use lists for defaultnotify instead of option.
Add a check not to overwrite notifycmd if already defined.
The upssched-cmd script must not be called directly; it is called by the upssched binary with the needed arguments.
Convert notifyflags options to lists as supported by the init script, so multiple options can be chosen.
Add SYSLOG as the default option for individual notifyflags instead of the deprecated flag 1|0.
Add a comment for defaultnotify and individual notifyflags about possible values.
The luasql ./config script checks `uname -s` output and changes
LIB_OPTION from '-static' to macOS-specific flags if the detected OS is
Darwin. These flags are not compatible with GCC.
OpenWrt is always Linux, so this patch removes the Darwin-specific
stuff from the compilation flags.
Jeffery To [Tue, 11 Jan 2022 09:33:40 +0000 (17:33 +0800)]
micropython: Update to 1.17, reorganize package
Previous versions used a bundled version of the axTLS library. The
MicroPython project maintains their own fork[1], as development of the
library appears to have stopped (the last release was version 2.1.5 in
2019[2]).
This replaces the use of axTLS with two variants, one using mbedTLS and
one with no TLS support (and no upip, as it uses the ussl module). The
external mbedTLS patch (040-extmod-use-external-mbedtls.patch) comes
from Debian[3].
lynx uses the host C compiler to build an internal utility that is used to
generate files required for the target build. On macOS it uses the internal
clang with macOS system headers, so the host build fails because macOS is
not Linux.
Forced to use the OpenWrt host C compiler via the --with-build-*
./configure flags.
Hauke Mehrtens [Sun, 9 Jan 2022 18:49:05 +0000 (18:49 +0000)]
ntpd: Fix compile with glibc 2.34
This adds a patch from OpenEmbedded to fix compilation with glibc 2.34.
This patch was taken from here:
https://github.com/openembedded/meta-openembedded/blob/master/meta-networking/recipes-support/ntp/ntp/0001-libntp-Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch
It fixes the following build problem:
work_thread.c:45:57: error: missing binary operator before token "("
45 | #if defined(PTHREAD_STACK_MIN) && THREAD_MINSTACKSIZE < PTHREAD_STACK_MIN
| ^~~~~~~~~~~~~~~~~
make[7]: *** [Makefile:892: work_thread.o] Error 1
Rui Salvaterra [Mon, 3 Jan 2022 23:13:09 +0000 (23:13 +0000)]
stubby: explicitly disable static linking
Although undocumented, there's a way to explicitly disable static linking in
Stubby, setting the CMake build option ENABLE_GETDNS_STATIC_LINK to OFF (ON by
default). Make it so.