Dirk Brenken [Wed, 17 May 2017 19:28:12 +0000 (21:28 +0200)]
adblock: maintenance update 2.6.4
* made wget default parms compatible with older program versions
* shift dns detection routine to simplify dns override,
just set 'adb_dnslist' to force a particular backend priority
(default: 'dnsmasq unbound')
* reduce ubus polling during dns detection
Florian Eckert [Mon, 8 May 2017 09:43:27 +0000 (11:43 +0200)]
net/mwan3: remove pid file use pgrep to get pid
If mwan3track will not stop immediately after sending the kill signal,
the clean_up handler will delete the pid file later while the new mwan3track is
already running.
This could result in a situation that mwan3track is running
more then once because the old mwan3track service could not be killed,
because the pid file is missing.
Using pgrep to kill all mwan3track for the tracked interface and not using
pid file should fix this issue.
Noah Meyerhans [Thu, 11 May 2017 05:06:46 +0000 (22:06 -0700)]
bind: Update to bind-9.10.5
This change includes fixes for several security issues:
* CVE-2017-3138: rndc "" could trigger an assertion failure in named.
* CVE-2017-3137: Some chaining (i.e., type CNAME or DNAME) responses to
upstream queries could trigger assertion failures.
* CVE-2017-3136: dns64 with break-dnssec yes; can result in an assertion
failure.
* CVE-2017-3135: If a server is configured with a response policy zone
(RPZ) that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read triggering a
server crash.
* CVE-2016-9444: named could mishandle authority sections with missing
RRSIGs, triggering an assertion failure.
* CVE-2016-9131: named mishandled some responses where covering RRSIG
records were returned without the requested data, resulting in an
assertion failure.
* CVE-2016-9131: named incorrectly tried to cache TKEY records which could
trigger an assertion failure when there was a class mismatch.
* CVE-2016-8864: It was possible to trigger assertions when processing
responses containing answers of type DNAME.
* CVE-2016-6170: Added the ability to specify the maximum number of
records permitted in a zone (max-records #;). This provides a mechanism
to block overly large zone transfers, which is a potential risk with
slave zones from other parties.
* CVE-2016-2776: It was possible to trigger an assertion when rendering a
message using a specially crafted request.
* CVE-2016-2775: Calling getrrsetbyname() with a non absolute name could
trigger an infinite recursion bug in lwresd or named with lwres
configured if, when combined with a search list entry from resolv.conf,
the resulting name is too long.
Hannu Nyman [Tue, 9 May 2017 13:30:05 +0000 (16:30 +0300)]
vsftpd: create directory for extra config files
* create /etc/vsftpd directory for extra config files
like userlist, certificate and key
* modify config file to use that directory
* include that directory in conffiles for backup
Dirk Brenken [Mon, 8 May 2017 09:19:57 +0000 (11:19 +0200)]
adblock: maintenance update 2.6.3
backend:
* various small fixes & optimizations
LuCI frontend (see luci repo):
* Limit Blacklist/Whitelist Online editing to max. 512 KB, approx.
20.000 domains per list
* Automatically refresh the overview page after button onclick event,
e.g. 'Suspend/Resume' or 'Save & Apply'
* cosmetics
Notes:
- drop un-needed patches
- bump kernel support up to 4.9
- switch from git repo to release tarball
- use OVS intree kernel module ; seems that using the kernel module
from the package has certain issues due to the glue/backport code
that tries to adapt to many kernel versions and has a potential
to mess up ; not to mention, the glue code makes the kmod
a few times larger than it should be
- tested on x86_64 VM
Karl Palsson [Wed, 5 Apr 2017 13:59:29 +0000 (13:59 +0000)]
net/mosquitto: use PROVIDES for -client tools also
Earlier, PROVIDES handling was clarified for the broker and the library.
Use the same style to properly provide the -client-ssl and -client-nossl
packages.
Hannu Nyman [Thu, 4 May 2017 10:06:11 +0000 (13:06 +0300)]
irssi: remove nossl variant
Remove nossl variant as upstream has removed
the option to build irssi without SSL:
https://github.com/irssi/irssi/commit/6300dfec71d376c96351708f76a6c4ee4a187eb5
ntfs-3g: Update to 2017.3.23 version, provide single utilites package, refresh patches
Changes to NTFS-3G:
Delegated processing of special reparse points to external plugins
Allowed kernel cacheing by lowntfs-3g when not using Posix ACLs
Enabled fallback to read-only mount when the volume is hibernated
Made a full check for whether an extended attribute is allowed
Moved secaudit and usermap to ntfsprogs (now ntfssecaudit and ntfsusermap)
Enabled encoding broken UTF-16 into broken UTF-8
Autoconfigured selecting <sys/sysmacros.h> vs <sys/mkdev>
Allowed using the full library API on systems without extended attributes support
Fixed DISABLE_PLUGINS as the condition for not using plugins
Corrected validation of multi sector transfer protected records
Denied creating/removing files from $Extend
Returned the size of locale encoded target as the size of symlinks
http://www.tuxera.com/community/release-history/
Signed-off-by: BangLang Huang <redacted>
Make ntfs-3g-utils into a single package due to upstream package changes.
Maintainer: @ClaymorePT
Compile tested: Broadcom BCM2708
Run tested: None
Description:
- New header-only library -> Process
-> Process library by Klemens D. Morgenstern, that provides cross
platorm ways to allows you to:
- create child processes
- setup streams for child processes
- communicate with child processes through streams
(synchronously or asynchronously)
- wait for processes to exit (synchronously or asynchronously)
- terminate processes
Information about the 1.64.0 release (updated libraries, bug fixes,
etc), can be found here [1].
net/mwan3: add connected network regardless of mwan3 interface enable state
If netifd set an interface up/down which is not tracked by mwan3 the
connected network of that interface should regardless be added/removed to the
mwan3_connected ipset.
acme: Support running in webroot mode, detect other daemons on port 80
For configurations where another web server is running on port 80, running
acme.sh in standalone mode fails. Try to detect this and refuse to run; and
allow the user to configure a webroot directory to use the running webserver for
certificate verification.
- Moves /etc/freeradius3/sites-{enabled,available}/inner-tunnel to be part of
the freeradius3-mod-eap package. This prevents conflicts between
freeradius3-mod-eap-peap and freeradius3-mod-eap-ttls which both included the
file before. This fixes LEDE bug FS#678.
- Change the demo cert validity to be 1 year instead of 60 days. Should keep the
cert valid for the duration of the LEDE release cycle (with some slack). This
fixes #4239.