Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with
high severity, assigned CVE-2020-1967.
Ref: https://www.openssl.org/news/secadv/20200421.txt
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The fritz 7312 does not support 1000 gbit. Advertising it makes it
worse. Some NIC will change to 1000 gibt and turn off and on again for
ever.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
This commit really removes packages in geode profiles already enabled
in kernel config.
Fixes: 9c23ecee57 ("x86: move packages selection to profiles")
Reported-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This can be rather confusing for contributors, since there are three
layers in which they can be added. As for now there are none profiles
other than generic (exception: geos) let's move them to these profiles.
Being here this commit also removes packages in geode profiles already
enabled in kernel config.
Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
There's no such package as forcedeth, threfore the driver is never
selected. Fix it by properly specifying package name.
Fixes: 35f208d ("x86: add nforce eth to default packages")
Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
Commit 7975060116 ("uboot-rockchip: add new package") has added
`OpenWRT` ident string, fix it to proper `OpenWrt`.
Fixes: 7975060116 ("uboot-rockchip: add new package")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This adds the new rockchip target and support for RockPro64 RK3399
Flash: 16 MiB SPI NOR
RAM: 2 GiB/4 GiB LPDDR4
SoC: RK3399
USB: 2x USB 2.0, 1x USB 3.0, 1x USB-C
Ethernet: 1x GbE
PCIe: PCIe 2.0, 4 lanes
Storage: eMMC or SD card
Optional SDIO wifi/bt module
The Pine64 RockPro64 is a single-board-computer with a 4x PCIe connector,
6 ARM64 cores (4 little, 2 big), plenty of RAM and storage.
By default the single Gigabit-Ethernet port is configured as the
LAN port.
Installation of the firware is possible by dd'ing the image
to an SD card or the eMMC flash.
Serial: 3v3 1500000 8n1
U-boot is build from the mainline tree and
integrated into the images. Required ATF to build u-boot
is downloaded from a CI build bot.
Signed-off-by: Tobias Mädel <t.maedel@alfeld.de>
Tested-by: Tobias Schramm <t.schramm@manjaro.org>
This is needed to build the uboot-rockchip, needed for the rockchip target
Signed-off-by: Tobias Mädel <t.maedel@alfeld.de>
Tested-by: Tobias Schramm <t.schramm@manjaro.org>
[replaced `mkdir -p` with INSTALL_DIR variable]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Update U-Boot to current 2020.04 release for kirkwood platform.
Catch up with upstream and move some configuration options from
the header files to the corresponding defconfig files.
Compile tested: all devices
Run tested: nsa310, pogoplugv4
Tested-by: Cezary Jackiewicz <cezary@eko.one.pl> [nsa310]
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
xt_MASQUERADE.ko is picked up by both kmod-ipt-nat and kmod-ipt-nat6, causing
conflict
As kmod-ipt-nat6 already depends on kmod-ipt-nat, remove xt_MASQUERADE from it
Fixes: FS#2924
Fixes: 0fad8af851 ("kernel: Include xt_MASQUERADE for kernel 5.2 and later")
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
Netgear R7200 is another clone of Netgear R6700v2, introduced in:
6e80df5 ("ramips: add support for NETGEAR R6700v2/AC2400")
Reported-by: Joel Pinsker, github user @joelp64
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
SOC: Qualcomm QCA9556 (Scorpion) 560MHz MIPS74Kc
RAM: 64MB Zentel A3R12E40CBF DDR2
FLASH: 16MiB Winbond W25Q128 SPI NOR
WLAN1: QCA9556 2.4 GHz 802.11b/g/n 3x3
INPUT: WPS button
LED: Power, WiFi, LAN, RSSI indicator
Serial: Header Next to Black metal shield
Pinout is 3.3V - RX - TX - GND (Square Pad is 3.3V)
The Serial setting is 115200-8-N-1.
Installation via EVA:
In the first seconds after Power is connected, the bootloader will
listen for FTP connections on 192.168.178.1. Firmware can be uploaded
like following:
ftp> quote USER adam2
ftp> quote PASS adam2
ftp> binary
ftp> debug
ftp> passive
ftp> quote MEDIA FLSH
ftp> put openwrt-sysupgrade.bin mtd1
Note that this procedure might take up to two minutes.
You need to powercycle the device afterwards to boot OpenWRT.
Tested-by: Andreas Ziegler <dev@andreas-ziegler.de>
Signed-off-by: David Bauer <mail@david-bauer.net>
The pinctrl driver had been replaced with the upstream one in b756ea2a90
("ramips: replace pinctrl property names"), but the initial A1004ns support
patch did not reflect the changes. This commit updates its pinctrl property
names.
Fixes: 9169482f64 ("ramips: add support for ipTIME A1004ns")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
This will compile glibc in a way that it will only support kernel 4.14
and later. Compatibility code for older kernel versions will be removed.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This updates glibc to the most recent version 2.31.
001-regex-read-overrun.patch was a backport from a more recent version
and is integrated in glibc 2.31.
050-Revert-Disallow-use-of-DES-encryption-functions-in-n.patch is needed
to add the DES crypto functions back again. They were removed in glibc
2.28, but we still use them in ppp.
musl lib also provides these DES crypto functions. Without them we would
have to link ppp against openssl or an other crypto library.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
When compiled with glibc the config_scan.c wants to use the
cpupolicy2numeric() function which is only available when
HAVE_SCHED_SETSCHEDULER is set. It looks like the wrong define was used here.
This fixes a build problem with glibc in combination with the force
ac_cv_func_sched_setscheduler=no in the OpenWrt CONFIGURE_VARS.
This fixes the following compile error with glibc:
----------------------------------------------------------------------
/bin/ld: config_scan.o: in function `socks_yylex':
dante-1.4.1/sockd/config_scan.l:461: undefined reference to `cpupolicy2numeric'
collect2: error: ld returned 1 exit status
make[5]: *** [Makefile:522: sockd] Error 1
Fixes: aaf46a8fe2 ("dante: disable sched_getscheduler() - not implemented in musl")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
When open() is called with O_CREAT a 3. parameter has to be given with
the file system permissions of the new file.
Not giving this is an error, which results in a compile error with glibc.
This fixes the following compile error with glibc:
----------------------------------------------------------------------
In file included from /include/fcntl.h:329,
from main.c:18:
In function 'open',
inlined from 'rbcfg_update' at main.c:501:7:
/include/bits/fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
__open_missing_mode ();
^~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This extra _DEFAULT_SOURCE definition results in a double definition
which is a compile error.
This fixes the following compile error with glibc:
----------------------------------------------------------------------
ugps-2019-06-25-cd7eabcd/nmea.c:19: error: "_DEFAULT_SOURCE" redefined [-Werror]
#define _DEFAULT_SOURCE
<command-line>: note: this is the location of the previous definition
cc1: all warnings being treated as errors
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
glibc 2.31 does not provide stime() any more, backport a fix from
current busybox master to avoid using this function.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Seems stable after 6 days of testing on some of my devices.
Let's switch to 5.4 in order to get more feedback.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
This is primarily a maintenance release with bugfixes and improvements.
This release also fixes a security issue (CVE-2020-11810) which allows
disrupting service of a freshly connected client that has not yet
negotiated session keys. The vulnerability cannot be used to
inject or steal VPN traffic.
Release announcement:
https://openvpn.net/community-downloads/#heading-13812
Full list of changes:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Don't move strings anymore to /bin/strings to avoid clash with
busybox /usr/bin/strings but move it to /usr/bin/binutils-strings.
Use ALTERNATIVES support to install it as /usr/bin/strings
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
mt7621 overrides KERNEL_DTB to limit dictionary size, which isn't needed
for our lzma loader.
This saves 15KB on mt7621 devices using uimage-lzma-loader.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
This commit increases the hardware SPI frequency from 24.2MHz to 48.3MHz.
[ 5.314163] m25p80 spi0.0: speed: 24166666/40000000, rate: 8, prescal: 2, loops: 226
[ 5.076323] m25p80 spi0.0: speed: 48333333/50000000, rate: 4, prescal: 1, loops: 162
`time cat /dev/mtd2 >/dev/null` is reduced from 5.64s to 4.36s on A104ns,
and from 11.39s to 8.81s on A1004ns.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
With v5.4 kernel a new gpio driver is used.
GPIO numbering has changed so update 03_gpio_switches too.
Signed-off-by: René van Dorst <opensource@vdorst.com>
With v5.4 kernel a new gpio driver is used.
GPIO numbering has changed so update 03_gpio_switches too.
Signed-off-by: René van Dorst <opensource@vdorst.com>
These stock partitons: "backup", "hw_panic", "overly", firmware_backup", "opt"
do not contain any device-specific data and can be used for /overlay, resulting in
121M space
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
Increase kernel partition because 2M is insufficient for 5.4
Because the partition changes, previous version of OpenWrt cannot upgrade
to this version, and requires a new installation
Recovery to stock instruction:
1. Download stock firmware at
http://ur.ikcd.net/HC5962-sysupgrade-20171221-b00a04d1.bin
2. Power off the router
3. Press and hold the reset button for 4~6 sec while power it back on
4. Connect a PC to router's LAN
5. Visit http://192.168.2.1 and upload the firmware
Then repeat the instruction in edae3479e6 to install OpenWrt
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
There are 2 different chips (w25q256fv and w25q256jv) that share
the same JEDEC ID. Only w25q256jv fully supports 4-byte opcodes.
Use SFDP header version to differentiate between them.
Fixes broken reboot on 8devices Habanero since f0f35fdac
Signed-off-by: Mantas Pucka <mantas@8devices.com>
Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters
Full release announement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Some FullMAC cfg80211 wireless devices do not support virtual
interfaces, hence there is script logic to keep the existing network
device. Improve this to support renaming the interface if needed and
make sure the existing interface actually belongs to the right phy.
Change calls to 'iw' to avoid outputing warnings and errors to not
confuse users of such devices.
Also bump PKG_RELEASE which has been forgotten in the previous two
mac80211 changes.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Refreshed all patches, run tested on apalis.
Cc: Vladimir Vid <vladimir.vid@sartura.hr>
Cc: Tim Harvey <tharvey@gateworks.com>
Cc: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
If we know that we have an encrypted link (based on having had
a key configured for TX in the past) then drop all data frames
in the key selection handler if there's no key anymore.
This fixes an issue with mac80211 internal TXQs - there we can
buffer frames for an encrypted link, but then if the key is no
longer there when they're dequeued, the frames are sent without
encryption. This happens if a station is disconnected while the
frames are still on the TXQ.
Detecting that a link should be encrypted based on a first key
having been configured for TX is fine as there are no use cases
for a connection going from with encryption to no encryption.
With extended key IDs, however, there is a case of having a key
configured for only decryption, so we can't just trigger this
behaviour on a key being configured.
Cc: stable@vger.kernel.org
Reported-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: David Bauer <mail@david-bauer.net>