* prevent superfluous etag function calls during start action (on start backups will be used anyway)
* changed the ipthreat feed download URL (load a compressed file variant to save bandwidth)
* added HTTP ETag or entity tag support to download only resources that have been updated on the server side,
to save bandwidth and speed up banIP reloads
* added 4 new feeds: binarydefense, bruteforceblock, etcompromised, ipblackhole (see readme)
* updated the readme
We currently have a more or less circular dependency with nginx ssl and
full variant.
FULL variant depends on every nginx module. Every nginx module depends
on nginx-ssl.
Since nginx-full depends on an nginx module, nginx-ssl is installed as
the module depends on it and then the installation fails as nginx-full
conflicts with nginx-ssl.
nginx-full in its meaning is nginx built with every config selected and
it should not have a module as a dependency. In fact a user should always
install them separately as, among other things, local modifications to the
nginx config file are required to include the just installed module.
To fix this circular dependency problem, drop the dependency of every
nginx module for FULL variant.
Fixes: #21300
Signed-off-by: Christian Marangi <redacted>
This commit adds support for http/3. This is an experimental version
and isn't fully supported because nginx is being built with the regular
OpenSSL and the regular one doesn't support quic.
Javier Marcet [Sat, 1 Jul 2023 18:51:17 +0000 (20:51 +0200)]
python-dotenv: update to v1.0.0
- 1.0.0:
  - What's Changed:
    - Handle situations where the cwd does not exist.
    - Add python-decouple as a related project
    - Drop support for python 3.7, add python 3.12-dev
- 0.21.1:
  - Added:
    - Use Python 3.11 non-beta in CI
    - Modernize variables code
    - Modernize main.py and parser.py code
    - Improve conciseness of cli.py and init.py
    - Improve error message for get and list commands when env file
      can't be opened
    - Updated Licence to align with BSD OSI template
Javier Marcet [Sat, 1 Jul 2023 18:43:28 +0000 (20:43 +0200)]
python-websocket-client: update to 1.6.1
- 1.6.1
  - Fix Dispatcher keyboard interrupt. Should solve reconnect loop
    with rel
- 1.6.0
  - Fix teardown issue when ping thread is not properly ended
  - Fix double ping wait time on first ping
  - Minor typehints improvements
- 1.5.3
  - Add logic to avoid error in the case where content-length header
    does not exist, bug introduced in 1.5.2
  - Fix wsdump.py script typing, bug introduced in 1.5.2
- 1.5.2
  - Add typehints
  - Fix pytype errors
  - Fix args passed to logging function
  - Standardize PEP 3101 formatting
  - Add more verbose exception for unsuccessful handshake
Oskari Rauta [Sun, 28 May 2023 06:33:08 +0000 (09:33 +0300)]
libwebsockets: Fix -Werror=enum-int-mismatch in lws_tls_server_abort_connection()
With gcc 13 libwebsockets fails with -Werror=enum-int-mismatch with both
SSL variants. These 2 patches work out that issue. Problem is mentioned
as an issue in openwrt/packages#20949 and instead of overriding issue
with appropriate CFLAGS, this approach was suggested for me as it's
been made as a PR (for openssl) at warmcat/libwebsockets#2824
Second patch for mbedtls, was made by me using same approach
as was used for openssl.
Eventually these probably will be merged into libwebsockets mainstream.
There is an apparent bug in pkgconf 1.9 that broke building the OpenWrt
Vala package. This adds a patch to circumvent the bug. For the related
discussion, see:
https://github.com/openwrt/packages/issues/21359
The pkgconf bug appears similar to the one discussed here:
Robert Högberg [Sun, 11 Jun 2023 21:55:23 +0000 (23:55 +0200)]
minidlna: update to 1.3.3
Fixes CVE-2023-33476:
ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 are vulnerable
to Buffer Overflow. The vulnerability is caused by incorrect
validation logic when handling HTTP requests using chunked transport
encoding. This results in other code later using attacker-controlled
chunk values that exceed the length of the allocated buffer,
resulting in out-of-bounds read/write.
netsniff-ng: backport patch fixing wrong args handling with musl
Backport a patch from upstream fixing wrong args handling with musl.
Before this patch non args must be passed at the end of the command due
to a musl limitation.
Stan Grishin [Sun, 25 Jun 2023 18:15:19 +0000 (18:15 +0000)]
nebula: update to 1.7.2 (and cosmetic fixes)
* update binaries to 1.7.2
* move sharedMemoryOutput variable declaration into output function as it doesn't
need to be global
* rename parse_yaml function to yaml_parse
* add TODOs for future development
* update copyright datestamps
Noah Meyerhans [Mon, 26 Jun 2023 03:02:35 +0000 (20:02 -0700)]
bind: bump to 9.18.16
Fixes CVEs:
- CVE-2023-2828: The overmem cleaning process has been improved, to
prevent the cache from significantly exceeding the configured
max-cache-size limit.
- CVE-2023-2911: A query that prioritizes stale data over lookup
triggers a fetch to refresh the stale data in cache. If the fetch is
aborted for exceeding the recursion quota, it was possible for named
to enter an infinite callback loop and crash due to stack overflow.
The complete list of changes is available in the upstream release
notes at
https://ftp.isc.org/isc/bind9/cur/9.18/doc/arm/html/notes.html#notes-for-bind-9-18-16
Dirk Brenken [Sat, 24 Jun 2023 11:09:40 +0000 (13:09 +0200)]
banip: update 0.8.8-2
* process local lists in strict sequential order to prevent possible race conditions
* support ranges in the IP search, too
* fix some minor search issues
Remi Gacogne [Tue, 13 Jun 2023 15:48:27 +0000 (17:48 +0200)]
dnsdist: Split in two packages `dnsdist` and `dnsdist-full`
`dnsdist-full` has all optional features enabled, but is a big package
in terms of both flash and memory footprint.
`dnsdist` only keeps the features that make the most sense
on embedded devices, but can also be customised to match the
user's needs, up to the point where it matches `dnsdist-full`.
Tianling Shen [Mon, 19 Jun 2023 09:25:04 +0000 (17:25 +0800)]
gitlab-runner: Update to 16.0.2
* Added test.sh script
* Fixed build with riscv64
* Passed package version via go ldflags
* Refreshed patches
* Removed useless test binaries from package
Remi Gacogne [Wed, 14 Jun 2023 13:22:03 +0000 (15:22 +0200)]
h2o: Reduce the size of the default HTTP2 buffer
The initial value takes 80kB of memory for each HTTP/2 connection
which is a lot on small devices. Using 8kB instead saves a fair
amount of memory without sacrificing performance.
Wojciech Dubowik [Thu, 15 Jun 2023 14:08:16 +0000 (16:08 +0200)]
linuxptp: Update to 4.0
Major changes since version 3.1.1:
* Officially supports the 2019 version of IEEE 1588
* Improved unicast messaging
* Enhanced G.8275.2 profile
* More flexible Pulse Per Second (PPS) handling
* Virtual clock support
* Power profile support
* VLAN over bond support.
* Parallel Redundancy Protocol (PRP) trailer handling.
* Non-privileged read-only monitoring port.
* New statistics reporting.
[V2]
* reset package release
* adapt license name to the new format
Marius Dinu [Fri, 16 Jun 2023 12:59:44 +0000 (15:59 +0300)]
tvheadend: add dependency on gettext (host)
Gettext is a prerequisite to build OpenWrt according to:
https://openwrt.org/docs/guide-developer/toolchain/install-buildsystem
but github automated tests fail without this explicit dependency:
2023-06-19T08:02:45.1940511Z checking for py module gzip ... ok
2023-06-19T08:02:45.1968662Z checking for /builder/staging_dir/host/bin/pkg-config ...ok
2023-06-19T08:02:45.1998491Z ERROR: no gettext binaries found
2023-06-19T08:02:45.1999746Z checking for xgettext ... fail
2023-06-19T08:02:45.2008403Z make[2]: *** [Makefile:263: /builder/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/tvheadend-2023-06-05/.configured_a17fb5ef857664f03cd0ce37cc5ea591] Error 1
Security
o CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
o CVE-2023-31147. Moderate. Insufficient randomness in generation of DNS query IDs
o CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton()
o CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross compilation
Fixing libcares.pc
The pkg-config file libcares.pc in version 1.19.1 has been changed to be unsuitable for OpenWrt
and causes build errors with OpenWrt packages that use libcares.
For this reason, libcares.pc was replaced.
Dirk Brenken [Wed, 21 Jun 2023 08:53:19 +0000 (10:53 +0200)]
banip: release 0.8.8-1
* Support MAC-/IPv4/IPv6 ranges in CIDR notation
* Support concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments (see readme)
* small fixes & cosmetics
* update readme
The following CVEs are fixed in this release:
* CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
* CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)
* CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
* CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
* OpenSSL Security Releases (Depends on shared library provided by OpenWrt)
  * OpenSSL security advisory 28th March.
  * OpenSSL security advisory 20th April.
  * OpenSSL security advisory 30th May
* c-ares vulnerabilities: (Depends on shared library provided by OpenWrt)
  * GHSA-9g78-jv2r-p7vc
  * GHSA-8r8p-23f3-64c2
  * GHSA-54xr-f67r-4pc4
  * GHSA-x6mf-cxr9-8q6v
Scott K Logan [Tue, 23 May 2023 20:14:13 +0000 (13:14 -0700)]
openelp: Add new package
OpenELP is an open source EchoLink proxy for Linux and Windows. It aims
to be efficient and maintain a small footprint, while still implementing
all of the features present in the official EchoLink proxy.
Jeffery To [Fri, 9 Jun 2023 04:41:13 +0000 (12:41 +0800)]
selinux-python: Update to 3.5, reorganize package
* Added packages:
  * python3-seobject
    Contains the seobject.py library file which was previously included
    in selinux-semanage
  * selinux-sepolicy
    Contains the sepolicy and sepolgen tools which were previously
    included in python3-sepolicy
  * selinux-sepolgen-ifgen
    Contains the sepolgen-ifgen tool which was previously included in
    selinux-audit2allow
  * selinux-python
    A meta-package to install all tools
* Change the python3-sepolgen data_dir from /usr/share/sepolgen to
  /etc/sepolgen (updated 0001-sepolgen-adjust-data_dir.patch), and add
  the directory to conffiles
  By default, the sepolgen-ifgen tool writes to a file named
  "interface_info" in the data directory, to be read by the audit2allow
  tool. The header comment in the perm_map file also suggests that the
  file is customizable.
  The best place for these files would be in /var/lib, but /etc is more
  appropriate than /usr.
* Remove gui files from python3-sepolicy (0003-sepolicy-no-gui.patch)
* Fix ModuleNotFoundError raised by sepolicy
  (0004-sepolicy-fix-get_os_version-except.patch)
  Patch has been submitted upstream:
  https://lore.kernel.org/selinux/20230619063217.3165462-1-jeffery.to@gmail.com/
* Update package titles, descriptions, and dependencies
* Use Py3Package to build Python bytecode and source packages
Parallel build does not work because it may reach a point where OSTYPE
might be needed before it is actually built. They appear to run
parallel to each other:
echo slx > OSTYPE
[...]
cat: OSTYPE: No such file or directory
sh: line 1: test: too many arguments
cat: OSTYPE: No such file or directory
Already built for -- you must do "make clean" first
make[6]: *** [Makefile:706: rebuild] Error 1
make[6]: *** Waiting for unfinished jobs....
1.45.0
* linux: introduce io_uring support
* src: add new metrics APIs
* unix,win: give thread pool threads an 8 MB stack
* win,unix: change execution order of timers
1.44.2
* loop: better align order-of-events behavior between platforms
* zos: fix fs event not fired if the watched file is moved/removed/recreated
* win: Fix pipe resource leak if closed during connect (and other bugs)
* zos: don't error when killing a zombie process
* macos: avoid posix_spawnp() cwd bug
* kqueue: skip EVFILT_PROC events when invalidating events for an fd.