Noah Meyerhans [Mon, 24 Aug 2020 02:33:32 +0000 (19:33 -0700)]
bind: New upstream version 9.16.6
Several security issures are addressed:
- CVE-2020-8620 It was possible to trigger an assertion failure by sending
a specially crafted large TCP DNS message.
- CVE-2020-8621 named could crash after failing an assertion check in
certain query resolution scenarios where QNAME minimization and
forwarding were both enabled. To prevent such crashes, QNAME minimization is
now always disabled for a given query resolution process, if forwarders are
used at any point.
- CVE-2020-8622 It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
- CVE-2020-8623 When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code determining the
number of bits in the PKCS#11 RSA public key with a specially crafted
packet.
- CVE-2020-8624 update-policy rules of type subdomain were incorrectly
treated as zonesub rules, which allowed keys used in subdomain rules to
update names outside of the specified subdomains. The problem was fixed by
making sure subdomain rules are again processed as described in the ARM.
Full release notes are available at
https://ftp.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6
Marc Egerton [Sat, 22 Aug 2020 15:09:30 +0000 (16:09 +0100)]
fakepop: new package
fakepop is a fake pop3 daemon. It returns always the same messages to all users, it does not care about usernames and passwords. All user/pass combinations are accepted.
Nick Hainke [Fri, 21 Aug 2020 21:02:03 +0000 (23:02 +0200)]
dawn: bump to latest version
Includes:
- dawn_uci: fix crashing when uci config is received
- tcpsocket: add option to add server ip
A new config option allows to add a server ip
option server_ip '10.0.0.2'
However, this server does not send anything back. Therefore it is not
possible to change the node configuration. This will probably be added
soon. The main goal of this commit is to allow monitoring of all nodes
in a network with DAWN, e.g. clients, channel utilization, ...
Also a network option (3) has been added which allows to use TCP but
not to announce your daemon in the broadcast domain. This allows you to
create a monitor-only node that holds only the local information and
forwards it to the central server.
A monitor-only node could be configured like
option server_ip '10.0.0.1'
option tcp_port '1026'
option network_option '3'
Another possible config is
option server_ip '10.0.0.1'
option tcp_port '1026'
option network_option '2'
Here, the node shares information with a central server, which can be
located outside the broadcast domain. Nevertheless, it also shares
information within its broadcast domain and can therefore perform
client steering.
Karl Palsson [Wed, 19 Aug 2020 14:17:36 +0000 (14:17 +0000)]
net/mosquitto: Update to 1.6.12
Security release. From the changelog:
- In some circumstances, Mosquitto could leak memory when handling PUBLISH
messages. This is limited to incoming QoS 2 messages, and is related
to the combination of the broker having persistence enabled, a clean
session=false client, which was connected prior to the broker restarting,
then has reconnected and has now sent messages at a sufficiently high rate
that the incoming queue at the broker has filled up and hence messages are
being dropped. This is more likely to have an effect where
max_queued_messages is a small value. This has now been fixed. Closes
https://github.com/eclipse/mosquitto/issues/1793
Tong Zhang [Fri, 14 Aug 2020 11:21:33 +0000 (07:21 -0400)]
nft-qos: support mac address based speed limit
This patch makes it possible to configure and limit per-client internet
speed based on MAC address and it can work with SQM.
This feature is what OpenWRT currently lacks. This patch is largely based
on static.sh and the configuration file is similar to original nft-qos.
New configuration options and examples are listed below
This commit updates Boost to version 1.74.0
In this release, there is one new libraries
- STLInterfaces [2]:
A library of CRTP bases to ease the writing of STL views,
iterators, and sequence containers, from Zach Laine.
This update also provides support to build boost with C++20 when using
GCC 10.x
More info about Boost 1.74.0 can be found at the usual place [1].
Unicode 13 & CLDR 37. Bug fixes for date and number formatting, enhanced support for user preferences in the locale identifier. LocaleMatcher code and data improved. Number skeletons have a new “concise” form that can be used in MessageFormat strings.
1) moving common startup procedures out of hotplug script when called
from mwan3 start
2) reducing calls to iptables to check status of rules
3) consolidating iptables updates and updating with iptables-restore
4) do not wait for kill if nothing was killed
5) running interface hotplug scripts in parallel
6) eliminate operations in hotplug script that check status on every
single interface unnecessarily
7) consolidate how mwan3track makes hotplug calls
8) do not restart mwan3track on connected events
This is a significant refactor, but should not result in any breaking
changes or require users to update their configurations.
Jeffery To [Sat, 15 Aug 2020 06:33:30 +0000 (14:33 +0800)]
python3: Use hash-checking mode when installing host pip packages
In hash-checking mode[1], pip will verify downloaded package archives
(source tarballs in our case) against known SHA256 hashes before
installing the packages.
As a consequence, this requires the use of requirements files[2] and
pinning packages to known versions.
The syntax for package Makefiles has changed slightly;
HOST_PYTHON3_PACKAGE_BUILD_DEPENDS no longer accepts requirement
specifiers like "foo>=1.0", only requirements file names (which are the
same as package names in the most common case).
This also updates affected packages, in particular:
* python-zipp: "setuptools_scm[toml]" has been split into
"setuptools-scm toml" to reuse the requirements file for
setuptools-scm (the extra depends installed by "setuptools_scm[toml]"
is toml).
* python-pycparser: This previously used ply 3.10, whereas the
requirements file will now install 3.11.
Daniel Golle [Mon, 17 Aug 2020 01:13:44 +0000 (02:13 +0100)]
hs20: prepare server using uci-defaults and ship files
Setup user database if non-existent, configure uhttpd .php interpreter
and patch php scripts to work out-of-the-box.
Also ship Hotspot 2.0 SPP and OMA DM XML schema/DTD files needed at
run-time for both client and server.