Kevin Darbyshire-Bryant a3198061f8 dnsmasq: backport dnssec security fix
CVE-2017-15107

An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org and still have it signed by the
signature for the wildcard. So, for example

!.example.org NSEC zz.example.org

is fine.

The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove that nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.

This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exist, when it may well do so.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-01-19 22:11:16 +01:00
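
The range check described in the commit message above, as an added Python illustration (not dnsmasq's code and not part of the commit). The function names are hypothetical, the sample names are constructed, and the RRSIG Labels value of 2 for the expanded record is an assumption that follows from the signature belonging to *.example.org.

```python
# Added illustration of the NSEC range check; all sample names are constructed.

def canonical_key(name):
    """RFC 4034 section 6.1 order: compare labels right to left as lowercase bytes."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))

def signed_owner(owner, rrsig_labels):
    """Return the name the RRSIG really signs.

    The RRSIG Labels field counts the owner's labels without any "*" label.
    If it is smaller than the owner's label count, the record was expanded
    from a wildcard and the signed name is "*." plus the rightmost labels.
    """
    labels = owner.rstrip(".").split(".")
    if rrsig_labels < len(labels):
        return ".".join(["*"] + labels[len(labels) - rrsig_labels:])
    return owner

def covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next_name."""
    lo, hi, q = map(canonical_key, (owner, next_name, qname))
    if lo < hi:
        return lo < q < hi
    return q > lo or q < hi  # last NSEC in the zone wraps around to the apex

def naive_denies(owner, next_name, qname):
    """Flawed check: trusts the expanded owner name as the lower bound."""
    return covers(owner, next_name, qname)

def checked_denies(owner, rrsig_labels, next_name, qname):
    """Check that uses the signed (wildcard) owner as the lower bound."""
    return covers(signed_owner(owner, rrsig_labels), next_name, qname)

if __name__ == "__main__":
    # Constructed record from the commit message: owner expanded to "!",
    # signature made for *.example.org (Labels = 2, assumed).
    owner, labels, nxt = "!.example.org", 2, "zz.example.org"
    for q in ("$internal.example.org", "www.!.example.org", "mail.example.org"):
        print(q, naive_denies(owner, nxt, q), checked_denies(owner, labels, nxt, q))
```

Names that sort between !.example.org and *.example.org are denied only by the flawed check, while a name such as mail.example.org is denied by both.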
.github merge: github: use OpenWrt in issue/pr templates 2018-01-03 20:36:57 +01:00
config config: support new symbol intro'd in kernel 4.12 2018-01-13 16:27:45 +01:00
include config: don't define the same symbol twice 2018-01-17 11:07:17 +01:00
package dnsmasq: backport dnssec security fix 2018-01-19 22:11:16 +01:00
scripts metadata: do not emit broken kconfig dependency statements 2018-01-14 19:00:06 +01:00
target ipq806x: remove merged ipq4019 patch 2018-01-18 21:21:11 +01:00
toolchain toolchain: musl: update to current HEAD 2017-12-08 19:54:21 +01:00
tools ramips: tl-wr840n-v5: increase firmware partition for 4Mmtk layout 2018-01-18 08:04:18 +01:00
.gitattributes add .gitattributes to prevent the git autocrlf option from messing with CRLF/LF in files 2012-05-08 13:30:49 +00:00
.gitignore .gitignore: add .project & .cproject for eclipse users 2018-01-17 11:07:17 +01:00
BSDmakefile add missing copyright header 2007-02-26 01:05:09 +00:00
Config.in merge: base: update base-files and basic config 2017-12-08 19:41:18 +01:00
LICENSE finally move buildroot-ng to trunk 2016-03-20 17:29:15 +01:00
Makefile merge: base: update base-files and basic config 2017-12-08 19:41:18 +01:00
README merge: base: update base-files and basic config 2017-12-08 19:41:18 +01:00
feeds.conf.default feeds: switch git.lede-project.org URLs to git.openwrt.org 2018-01-16 16:59:22 +01:00
rules.mk build: remove use of STAGING_DIR_HOST/usr (fixes cmake build error on macOS) 2018-01-17 12:16:27 +01:00

README

This is the buildsystem for the OpenWrt Linux distribution.

Please use "make menuconfig" to choose your preferred
configuration for the toolchain and firmware.

You need to have installed gcc, binutils, bzip2, flex, python, perl, make,
find, grep, diff, unzip, gawk, getopt, subversion, libz-dev and libc headers.

Run "./scripts/feeds update -a" to get all the latest package definitions
defined in feeds.conf / feeds.conf.default respectively
and "./scripts/feeds install -a" to install symlinks of all of them into
package/feeds/.

Use "make menuconfig" to configure your image.

Simply running "make" will build your firmware.
It will download all sources, build the cross-compile toolchain,
the kernel and all chosen applications.

To build your own firmware you need to have access to a Linux, BSD or MacOSX system
(case-sensitive filesystem required). Cygwin will not be supported because of
the lack of case sensitivity in the file system.


Sunshine!
	Your OpenWrt Community
	http://www.openwrt.org