This fixes the folowing security problems:
CVE-2016-9586: printf floating point buffer overflow
CVE-2016-9952: Win CE schannel cert wildcard matches too much
CVE-2016-9953: Win CE schannel cert name out of buffer read
CVE-2016-9594: unititialized random
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Currently both libustream-polarssl and libustream-mbedtls
variants define themselves as the DEFAULT_VARIANT
Remove extra DEFAULT_VARIANT from libustream-polarssl.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Later OpenVPN 2.3-openssl versions only enable
TLS cipher suites with perfect forward secrecy, i.e. DHE and ECDHE
cipher suites. ECDHE key exchange is not supported by
OpenVPN 2.3-openssl, enable DHE key exchange to allow LEDE
OpenVPN 2.4-mbedtls clients to connect to such servers.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Reported-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reported-by: Lucian Cristian <luci@createc.ro>
Secp384r1 is the default curve for OpenVPN 2.4+. Enable this to
make OpenVPN-mbedtls clients able to perform ECDHE key exchange
with remote OpenVPN 2.4-openssl servers that use the default
OpenVPN curve.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
We have profile for this device thanks to DEVICE_PACKAGES now.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Cc: Russell Senior <russell@personaltelco.net>
We don't use this driver since commit 741715331a ("bcm53xx: switch to
m25p80 and drop bcm53xxspiflash").
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
There was a typo in Makefile that prevented using these profiles.
Fixes: a75ce960ac ("ramips: use different board names for variants")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
depending packages have been moved to kernel-config
- kmod-xen-kbddev in 9fde361
- kmod-xen-fs, kmod-xen-evtchn, kmod-xen-netdev in 018807d
this will also fix imagebuilder
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
An external reset patch for AR955x accidentally led to external reset
being issued twice on AR913x, once before the RTC reset and once after.
This may be causing some stability issues.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This commit was added to improve reset time on old SoC devices that run
into chip hangs more frequently. However with the more recent addition
of full WMAC reset on these chips, it could be problematic.
Drop this patch to ensure that DMA activity is really stopped before the
chip reset is issued
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Opkg's builtin decompression code is unsuitable to process nested archives as
it uses a single shared state and relies on undefined seek behaviour for pipes.
Rework the extraction logic to use the external gzip command as I/O filter for
decompressing data and remove the builtin inflate code entirely.
This shrinks the final opkg binary by about 4KB and results in less runtime
memory consumption due to efficient use of vfork() and less copy-on-write
operations in the forked child.
Rework by Felix: create a thread that relays data to the gzip process
instead of using a fragile poll loop
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The external script used to generate the package lists for the
LEDE wiki's table of packages [1] and package indexes [2] requires
a "Source:" field in the package lists to find package makefiles.
The package makefiles are used to read the package's Category and Submenu.
The "Source:" field was removed in commit
b4aa3c899c
to reduce package list sizes and lessen opkg issues in low ram devices.
Add a separate package list file with full data to be used by the wiki's script.
It's called Packages.manifest and isn't compressed as it's not necessary.
1. https://lede-project.org/packages/start
2. https://lede-project.org/packages/index/start
Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
Backport most important fixes up to latest HEAD
- Taken post-commit reverts/fixes into account
Compile tested
Run-tested on cns3xxx & imx6 targets
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Opkg's builtin decompression code is unsuitable to process nested archives as
it uses a single shared state and relies on undefined seek behaviour for pipes.
Rework the extraction logic to use the external gzip command as I/O filter for
decompressing data and remove the builtin inflate code entirely.
This shrinks the final opkg binary by about 4KB and results in less runtime
memory consumption due to efficient use of vfork() and less copy-on-write
operations in the forked child.
Rework by Felix: create a thread that relays data to the gzip process
instead of using a fragile poll loop
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
64a655d proto: allow configuring deprecated static IPv6 addresses
c99182e remove obsolete /opt/local prefix on Mac OS X
0249d5f system-linux: Don't set gre tunnel ttl by default to 64 (#FS312)
edc15ca ubus: Display the IPv6 prefix assigned address
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
We do not have the needed platform support for VOICE_CPE_VMMC_PMC. The
vmmc driver will not compile with this option activated.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
crypto4xx_probe() is in the __init section and referenced by code form
other sections, which causes a build error. Backport a patch from
mainline kernel to fix this.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The following commit changed the build templates name but forgot to
update the TARGET_DEVICES variable properly.
commit f9226158be (lantiq: rename EASY98000 to EASY98000NOR)
Signed-off-by: John Crispin <john@phrozen.org>
These options are needed to create /dev/mem or /dev/kmem .
/dev/mem is needed by the io tool to access raw hardware memory, which
is helpful when debugging and developing drivers.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: John Crispin <john@phrozen.org>