Sven Eckelmann [Sun, 22 Nov 2020 00:17:35 +0000 (01:17 +0100)]
kernel: mtd: parser: cmdline: Fix parsing of part-names with colons
Some devices (especially QCA ones) are already using hardcoded partition
names with colons in it. The OpenMesh A62 for example provides following
mtd relevant information via cmdline:
Such a partition list cannot be parsed and thus the device fails to boot.
Avoid this behavior by making sure that the start of the first part-name
("(") will also be the last byte the mtd-id split algorithm is using for
its colon search.
Fixes: 5d01d0560893 ("kernel: Update kernel 4.14 to version 4.14.202")
Fixes: edda06c7b41d ("kernel: Update kernel 4.9 to version 4.9.240")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(backported from commit 223eec7e81f8506592fc89cf79a2f14360f5c57b)
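The split described in the commit above, as an added example (not the kernel's or OpenWrt's code). It assumes the mtd-id is separated from the partition definitions by the last colon of an entry, so that an mtd-id may itself contain colons; both sample strings are constructed and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample entries; not the real cmdline of any device. */
static const char *COLON_IN_NAME = "spi0.0:256k(0:SBL1),128k(0:MIBIB),-(rootfs)";
static const char *COLON_IN_ID   = "0000:00:1f.0:1m(boot),-(data)";

/*
 * Return the length of the mtd-id in one "<mtd-id>:<partdef>[,<partdef>]"
 * entry, or -1 if there is no separator. The separator is the last ':'
 * inside the search window. With stop_at_paren set, the window ends at the
 * first '(' (start of the first part-name); otherwise it runs to the end of
 * the entry (';' or end of string).
 */
static int mtd_id_len(const char *entry, int stop_at_paren)
{
    size_t end = strcspn(entry, ";");

    if (stop_at_paren) {
        const char *paren = memchr(entry, '(', end);
        if (paren)
            end = (size_t)(paren - entry);
    }
    for (size_t i = end; i > 0; i--)
        if (entry[i - 1] == ':')
            return (int)(i - 1);
    return -1;
}

/* A partition definition must begin with a size: a digit, or '-' for "rest". */
static int partdef_starts_with_size(const char *entry, int id_len)
{
    if (id_len < 0)
        return 0;
    char c = entry[id_len + 1];
    return c == '-' || (c >= '0' && c <= '9');
}

static void show(const char *entry)
{
    for (int stop = 0; stop <= 1; stop++) {
        int n = mtd_id_len(entry, stop);
        printf("%-18s id_len=%2d partdef %s\n",
               stop ? "stop at first '(':" : "whole entry:",
               n, partdef_starts_with_size(entry, n) ? "ok" : "unparsable");
    }
}

int main(void)
{
    show(COLON_IN_NAME); /* whole-entry search lands inside "(0:MIBIB)" */
    show(COLON_IN_ID);   /* colons inside the mtd-id still resolve correctly */
    return 0;
}
```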
Adrian Schmutzler [Wed, 11 Nov 2020 12:57:25 +0000 (13:57 +0100)]
layerscape: update kernel patch to fix build
The target heavily modifies caamalg.c, so changes introduced in
kernel commit 7b930def8ef6 ("crypto: caam - limit output IV to CBC
to work around CTR mode DMA issue") have broken build.
This adjusts the upstream changes to match the rest of our local
patch.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Thibaut VARÈNE [Fri, 2 Oct 2020 21:37:05 +0000 (23:37 +0200)]
ar71xx: mikrotik: bypass id check in __rb_get_wlan_data()
The id parameter in __rb_get_wlan_data() was incorrectly used on the
assumption that id "0" would always be tied to ath9k with RLE encoding
and positive id (in fact, only id "1" was valid) would always be tied to
("external") ath10k with LZO encoding.
Newer hardware revisions of supported devices prove this assumption to
be invalid, with ath9k caldata being now wrapped in MAGIC_ERD and LZO
compressed, so disable this check to allow newer hardware to correctly
decode caldata for ath9k.
Note: this patch assumes that ath9k caldata is never stored with the new
"LZOR" encoding scheme found on some ath10k devices.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
(cherry picked from commit 1c6990fe6d198718850b6a37998416cac69f6f53)
[keep publishing ath10k caldata in sysfs: it's the way it's done on 18.06]
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Tested-by: Baptiste Jonglez <git@bitsofnetworks.org> [Mikrotik RB941-2nD r3]
firewall: options: fix parsing of boolean attributes
Boolean attributes were parsed the same way as string attributes,
so a value of { "bool_attr": "true" } would be parsed correctly, but
{ "bool_attr": true } (without quotes) was parsed as false.
The number of local commits (1154 in this case) is wrong because it is
computed against master. As a result, it wrongly counts *all* commits
since the beginning of the openwrt-18.06 branch as local commits.
The fix is to compare to the openwrt-18.06 branch instead, which gives the
expected result such as:
Magnus Kroken [Tue, 1 Sep 2020 20:28:25 +0000 (22:28 +0200)]
mbedtls: update to 2.16.8
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues and the most notable of them
are described in more detail in the security advisories.
* Local side channel attack on RSA and static Diffie-Hellman
* Local side channel attack on classical CBC decryption in (D)TLS
* When checking X.509 CRLs, a certificate was only considered as revoked
if its revocationDate was in the past according to the local clock if
available.
Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8
It's caused by two issues fixed in this patch, first issue is caused by
unhandled strtoul overflow and second one is caused by the cast of
unsigned to signed Lua integer when parsing from hex literal.
Run tested on:
* Zidoo Z9S with RTD1296 CPU (aarch64_cortex-a53)
* qemu/x86_64
* qemu/armvirt_64
* ath79
Signed-off-by: Liangbin Lian <jjm2473@gmail.com>
[commit subject/message touches, fixed From to match SOB, fixed another
unhandled case in luaO_str2i, host Lua, package bump]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 4bb9af48ca36605424c57b6af27dd5e5c827395f)
Magnus Kroken [Sat, 25 Jul 2020 12:19:28 +0000 (14:19 +0200)]
mbedtls: update to 2.16.7
Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch,
and provides bug fixes and minor enhancements. This release includes
fixes for security issues and the most severe one is described in more
detail in a security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07
* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private
key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros).
Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some
changes to the download URLs are required. For the time being, the
ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
[Use https://codeload.github.com and new tar.gz file]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 201d6776a0b5858b8ce43a2392c9fe48aa1c4dd7)
Christoph Krapp [Sun, 9 Aug 2020 11:39:05 +0000 (13:39 +0200)]
uboot-envtools: ar71xx: add ZyXEL NBG6616 uboot env support
This adds support for ZyXEL NBG6616 uboot-env access
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[add "ar71xx" to commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit eb95ca3b5c8b33e3212896f906922eba5f72abb3)
Christoph Krapp [Sun, 9 Aug 2020 11:40:26 +0000 (13:40 +0200)]
ar71xx: change u-boot-env to read-write for ZyXEL NBG6616
As the ath79 port of this device uses a combined kernel + root
partition the uboot bootcmd variable needs to be changed. As using
cli/luci is more convenient than opening up the case and using a uart
connection, let's unlock the uboot-env partition for write access.
Sungbo Eo [Sun, 12 Jan 2020 12:35:00 +0000 (21:35 +0900)]
ar71xx: fix sysupgrade for Arduino Yun
Commit bb46b635df48 changed its partition scheme, but sysupgrade image
validation still uses the old format. This commit fixes it so that
force flag is not needed for sysupgrade.
Fixes: bb46b635df48 ("ar71xx: move Arduino Yun to generic building code")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 58dc1d0637425cfe023192466e6212009332b677)
In FS#2738 we can see that patch first introduced in e8ebcff ("ramips: add a explicit reset to dwc2")
breaks USB functionality since 18.06. Thus, this patch should be removed.
This fixes the following compile error:
drivers/mtd/nand/rb91x_nand.c: In function 'rb91x_nand_remove':
drivers/mtd/nand/rb91x_nand.c:445:16: error: 'rbni' undeclared (first use in this function)
nand_release(&rbni->chip);
Fixes: 0f07496f520c ("kernel: Update kernel 4.9 to version 4.9.229")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 66e04abbb6d0dec8642be5deb2fca4bba470f8ac)
This bump fixes breakage introduced by kernel commit 8ab8786f78c3fc930f9abf6d6d85e95567de4e1f,
which is part of the 4.14.181 kernel bump, and backported ip6_dst_lookup_flow to 4.14.
This breaks the older WireGuard version currently in 19.07.
For reference, the compilation error is the one below:
build_dir/target-x86_64_musl/linux-x86_64/wireguard-linux-compat-1.0.20200506/src/compat/compat.h:104:42: error: 'const struct ipv6_stub' has no member named 'ipv6_dst_lookup'; did you mean 'ipv6_dst_lookup_flow'?
#define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst
Changelogs below taken from the official release announcements.
This release aligns with the changes I sent to DaveM for 5.7-rc7 and were
pushed to net.git about 45 minutes ago.
* qemu: use newer iproute2 for gcc-10
* qemu: add -fcommon for compiling ping with gcc-10
These enable the test suite to compile with gcc-10.
* noise: read preshared key while taking lock
Matt noticed a benign data race when porting the Linux code to OpenBSD.
* queueing: preserve flow hash across packet scrubbing
* noise: separate receive counter from send counter
WireGuard now works with fq_codel, cake, and other qdiscs that make use of
skb->hash. This should significantly improve latency spikes related to
buffer bloat. Here's a before and after graph from some data Toke measured:
https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png
* compat: support RHEL 8 as 8.2, drop 8.1 support
* compat: support CentOS 8 explicitly
* compat: RHEL7 backported the skb hash renamings
The usual RHEL churn.
* compat: backport renamed/missing skb hash members
The new support for fq_codel and friends meant more backporting work.
* compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4
* qemu: always use cbuild gcc rather than system gcc
* qemu: remove -Werror in order to build ancient kernels better
* qemu: patch kernels that rely on ancient make
* qemu: force 2MB pages for binutils 2.31
* qemu: use cbuild gcc for avx512 exclusion
* qemu: add extra fill in idt handler for newer binutils
* qemu: support fetching kernels for arbitrary URLs
* qemu: patch in UTS_UBUNTU_RELEASE_ABI for Ubuntu detection
* qemu: work around broken centos8 kernel
* qemu: mark per_cpu_load_addr as static for gcc-10
Our qemu test suite can now handle more kernels and more compilers. Scroll
down to the bottom of https://www.wireguard.com/build-status/ to see the
expanded array of kernels we now test against, including some distro kernels.
* compat: widen breadth of integer constants
* compat: widen breadth of memzero_explicit backport
* compat: backport skb_scrub_packet to 3.11
* compat: widen breadth of prandom_u32_max backport
* compat: narrow the breadth of iptunnel_xmit backport
* compat: backport iptunnel_xmit to 3.11
With the expanded qemu test suite, it was possible to expand our list of
mainline kernels, so the backport compat layer is now more precise.
* compat: ubuntu appears to have backported ipv6_dst_lookup_flow
* compat: bionic-hwe-5.0/disco kernel backported skb_reset_redirect and ipv6 flow
Ubuntu kernels changed recently, so this ensures we can compile with the
latest Ubuntu releases.
Daniel González Cabanelas [Mon, 15 Jun 2020 17:51:28 +0000 (19:51 +0200)]
bcm63xx: a226m-fwb: fix linux partition offset
The Pirelli A226M-FWB has a wrong linux partition offset, caused
by a copy-paste error. As a result of this, OpenWrt is currently
broken in this unit.
Fix it.
While at it, also use generic node names and fix the addresses
there as well.
Fixes: a27d59bb4274 ("brcm63xx: switch to new partition layout
specification")
Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
[also fix/update node names, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit d64d5ed1425f4397d093c8777ca03f70ff1ee90c)
Sven Eckelmann [Tue, 9 Jun 2020 13:23:04 +0000 (15:23 +0200)]
ipq40xx: essedma: Disable TCP segmentation offload for IPv6
It was noticed that the whole MAC can hang when transferring data from
one ar40xx port (WAN ports) to the CPU and from the CPU back to another
ar40xx port (LAN ports). The CPU was doing only NATing in that process.
Usually, the problem first starts with a simple data corruption:
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-10.4.0-amd64-netinst.iso -O /dev/null
...
Connecting to saimei.ftp.acc.umu.se (saimei.ftp.acc.umu.se)|2001:6b0:19::138|:443... connected.
...
Read error at byte 48807936/352321536 (Decryption has failed.). Retrying.
But after a short while, the whole MAC will stop to react. No traffic can
be transported anymore from the CPU port from/to the AR40xx PHY/switch and
the MAC has to be reset.
The whole problem can be avoided by disabling the TSO for IPv6 for this
ethernet MAC driver.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: John Crispin <john@phrozen.org>
(backported from commit 678569505623e50bbbbc344c7e820fb315b79ede,
with updated commit message)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This patch updates the ca-certificates and ca-bundle package.
This version changed the files directory again, to work/, so
PKG_BUILD_DIR was brought back.
A list of changes from Debian's change-log entry for 20200601 [0]:
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.40. Closes: #956411, #955038
* mozilla/blacklist.txt
Add distrusted Symantec CA list to blacklist for explicit removal. Closes: #911289
Blacklist expired root certificate, "AddTrust External Root" Closes: #961907
The following certificate authorities were added (+):
+ "Certigna Root CA"
+ "emSign ECC Root CA - C3"
+ "emSign ECC Root CA - G3"
+ "emSign Root CA - C1"
+ "emSign Root CA - G1"
+ "Entrust Root Certification Authority - G4"
+ "GTS Root R1"
+ "GTS Root R2"
+ "GTS Root R3"
+ "GTS Root R4"
+ "Hongkong Post Root CA 3"
+ "UCA Extended Validation Root"
+ "UCA Global G2 Root"
The following certificate authorities were removed (-):
- "AddTrust External Root"
- "Certinomis - Root CA"
- "Certplus Class 2 Primary CA"
- "Deutsche Telekom Root CA 2"
- "GeoTrust Global CA"
- "GeoTrust Primary Certification Authority"
- "GeoTrust Primary Certification Authority - G2"
- "GeoTrust Primary Certification Authority - G3"
- "GeoTrust Universal CA"
- "thawte Primary Root CA"
- "thawte Primary Root CA - G2"
- "thawte Primary Root CA - G3"
- "VeriSign Class 3 Public Primary Certification Authority - G4"
- "VeriSign Class 3 Public Primary Certification Authority - G5"
- "VeriSign Universal Root Certification Authority"
Hauke Mehrtens [Sun, 24 May 2020 10:23:31 +0000 (12:23 +0200)]
squashfs: Fix compile with GCC 10
Fixes the following build error with GCC 10:
/usr/bin/ld: read_fs.o:(.bss+0x0): multiple definition of `swap'; mksquashfs.o:(.bss+0x1b2a88): first defined here
And a compile warning.
Kevin Darbyshire-Bryant [Tue, 24 Mar 2020 11:05:27 +0000 (11:05 +0000)]
build: prereq: tidy gcc version checks
There is a restriction in the number of parameters(10) that may be passed to
the SetupHostCommand macro so continually adding explicit gcc'n' version
checks ends up breaking the compiler check for the later versions and
oddballs like Darwin as was done in 835d1c68a0 which added gcc10.
Drop all the explicitly specified gcc version checks. If a suitable gcc
compiler is not found, it may be specified at the dependency checking
stage after which that version will be symlinked into the build staging
host directory.
eg. 'CC=gccfoo CXX=g++foo make prereq'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 1fb3c003d68d3feaf797e8b64edccc9fa622d250)
Robert Marko [Wed, 18 Mar 2020 18:39:43 +0000 (19:39 +0100)]
build: add GCC 10 version detection
Let's add GCC 10 detection to the build system as distributions like Fedora 32 have started shipping with it.
Some tools like mtd-utils need work to compile under GCC10, but that will be next step.
Adrian Schmutzler [Thu, 14 May 2020 14:00:14 +0000 (16:00 +0200)]
ramips: drop non-existant ralink,port-map for Ravpower WD03
The property "ralink,port-map" has been obsolete long before
this device was added, and the device is a one-port anyway.
Just remove it.
Fixes: 5ef79af4f80f ("ramips: add support for Ravpower WD03")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit c00b2df6c8e421ea7aa96f53178dc85db99f2305)
In file included from ./arch/mips/include/asm/io.h:34,
from ./arch/mips/include/asm/mmiowb.h:5,
from ./include/linux/spinlock.h:60,
from ./include/linux/irq.h:14,
from drivers/irqchip/irq-bcm6345-ext.c:10:
drivers/irqchip/irq-bcm6345-ext.c: In function 'bcm6345_ext_intc_of_init':
./arch/mips/include/asm/mach-bcm63xx/ioremap.h:48:9: warning: 'base' may be used uninitialized in this function [-Wmaybe-uninitialized]
return is_bcm63xx_internal_registers((unsigned long)addr);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/irqchip/irq-bcm6345-ext.c:255:16: note: 'base' was declared here
void __iomem *base;
^~~~
drivers/irqchip/irq-bcm6345-periph.c: In function 'bcm6345_periph_irq_handle':
drivers/irqchip/irq-bcm6345-periph.c:55:21: warning: 'block' may be used uninitialized in this function [-Wmaybe-uninitialized]
struct intc_block *block;
^~~~~
drivers/mtd/parsers/redboot.c: In function 'parse_redboot_partitions':
drivers/mtd/parsers/redboot.c:194:59: warning: suggest parentheses around '-' in operand of '&' [-Wparentheses]
fis_origin = (buf[i].flash_base & (master->size << 1) - 1);
~~~~~~~~~~~~~~~~~~~~^~~
Magnus Kroken [Thu, 16 Apr 2020 15:47:47 +0000 (17:47 +0200)]
mbedtls: update to 2.16.6
Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters
Full release announcement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
Robert Marko [Tue, 12 May 2020 20:18:33 +0000 (22:18 +0200)]
libjson-c: backport security fixes
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patched in this upstream PR: https://github.com/json-c/json-c/pull/592
Addresses CVE-2020-12762
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit bc0288b76816578f5aeccb2abd679f82bfc5738e)
Before we were trying to check for timeconst.h by looking in the kernel
source directory. This isn't quite correct on configurations in which
the object directory is separate from the kernel source directory, for
example when using O="elsewhere" as a make option when building the
kernel. The correct fix is to use $(CURDIR), which should point to
where we want.
* compat: use bash instead of bc for HZ-->USEC calculation
This should make packaging somewhat easier, as bash is generally already
available (at least for dkms), whereas bc isn't provided by distros by
default in their build meta packages.
* socket: remove errant restriction on looping to self
It's already possible to create two different interfaces and loop
packets between them. This has always been possible with tunnels in the
kernel, and isn't specific to wireguard. Therefore, the networking stack
already needs to deal with that. At the very least, the packet winds up
exceeding the MTU and is discarded at that point. So, since this is
already something that happens, there's no need to forbid the not very
exceptional case of routing a packet back to the same interface; this
loop is no different than others, and we shouldn't special case it, but
rather rely on generic handling of loops in general. This also makes it
easier to do interesting things with wireguard such as onion routing.
At the same time, we add a selftest for this, ensuring that both onion
routing works and infinite routing loops do not crash the kernel. We
also add a test case for wireguard interfaces nesting packets and
sending traffic between each other, as well as the loop in this case
too. We make sure to send some throughput-heavy traffic for this use
case, to stress out any possible recursion issues with the locks around
workqueues.
* send: cond_resched() when processing tx ringbuffers
Users with pathological hardware reported CPU stalls on
CONFIG_PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
these workers would never terminate. That turned out not to be okay on
systems without forced preemption. This commit adds a cond_resched() to
the bottom of each loop iteration, so that these workers don't hog the
core. We don't do this on encryption/decryption because the compat
module here uses simd_relax, which already includes a call to schedule
in preempt_enable.
* selftests: initalize ipv6 members to NULL to squelch clang warning
This fixes a worthless warning from clang.
* send/receive: use explicit unlikely branch instead of implicit coalescing
As announced on the mailing list, WireGuard will be in Linux 5.6. As a
result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is
moving to its own wireguard-tools repo. Meanwhile, the out-of-tree
kernel module for kernels 3.10 - 5.5 moved to its own
wireguard-linux-compat repo. Yesterday, releases were cut out of these repos, so this
commit bumps packages to match. Since wg(8) and the compat kernel module
are versioned and released separately, we create a wireguard-tools
Makefile to contain the source for the new tools repo. Later, when
OpenWRT moves permanently to Linux 5.6, we'll drop the original module
package, leaving only the tools. So this commit shuffles the build
definition around a bit but is basically the same idea as before.
Kevin Darbyshire-Bryant [Sat, 4 Apr 2020 08:20:08 +0000 (09:20 +0100)]
umdns: suppress address-of-packed-member warning
gcc 8 & 9 appear to be more picky with regards access alignment to
packed structures, leading to this warning in dns.c:
dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer
(alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer
(alignment 2) may result in an unaligned pointer value
[-Werror=address-of-packed-member]
261 | uint16_t *swap = (uint16_t *) q;
Work around what I think is a false positive by turning the warning off.
Not ideal, but not quite as not ideal as build failure.
Sungbo Eo [Sun, 22 Mar 2020 17:41:08 +0000 (02:41 +0900)]
oxnas: move service file to correct place
This service file has been misplaced from the very beginning.
Fixes: dcc34574efba ("oxnas: bring in new oxnas target")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 01961f163d927d6b44097f48a67bbc5b4c63eaf7)
Jan Alexander [Tue, 24 Mar 2020 12:36:57 +0000 (13:36 +0100)]
ar71xx: use status led for GL.iNet GL-AR750S
Use power led for device status.
The status led behavior has already been fixed in af28d8a539fe
("ath79: add support for GL.iNet GL-AR750S") when porting the
device to ath79. This fixes it for ar71xx as well.
Signed-off-by: Jan Alexander <jan@nalx.net>
[minor commit title/message adjustments]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit d394c354ee0e8660f876889f6293803c581cbf85)
Adrian Schmutzler [Wed, 11 Mar 2020 14:52:41 +0000 (15:52 +0100)]
ar71xx: remove wrong MAC address adjustment for Archer C60 v2
The adjustment of the MAC address for Archer C60 v2 in 10_fix_wifi_mac
is broken since a "mac" partition is not set up for this device on
ar71xx. Instead, the MAC address is already patched correctly in
11-ath10k-caldata.
Catrinel Catrinescu [Wed, 11 Mar 2020 09:10:00 +0000 (10:10 +0100)]
ar71xx: ew-dorin, fix the trigger level for WPS button
Because the WPS button had the wrong trigger level,
the failsafe mode was triggered quite often,
after this commit:
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=27f3f493de
Petr Štetiar [Thu, 20 Feb 2020 08:03:54 +0000 (09:03 +0100)]
ppp: backport security fixes
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 215598fd03899c19a9cd26266221269dd5ec8cee)
Fixes: CVE-2020-8597
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich [Wed, 26 Feb 2020 15:41:45 +0000 (16:41 +0100)]
Revert "ppp: backport security fixes"
This reverts commit cc78f934a9466a0ef404bb169cc42680c7501d02 since it
didn't contain a reference to the CVE it addresses. The next commit
will re-add the commit including a CVE reference in its commit message.
Petr Štetiar [Thu, 20 Feb 2020 08:03:54 +0000 (09:03 +0100)]
ppp: backport security fixes
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()