Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023]
o Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
o Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Safely detect integer overflow in try_addint() and try_subint().
Old code relied on undefined behavior, and recent versions of GCC on x86
optimized away the if-statements.
This caused integer overflow in Lua code instead of falling back to
floating-point numbers.
Signed-off-by: Adam Bailey <aebailey@gmail.com>
(cherry picked from commit 3a2e7c30d3)
At least Fedora and RHEL 9 set RSAMinSize=2048, so when trying to use
failsafe, we get 'Bad server host key: Invalid key length'
To workaround the issue, we can use: ssh -o RSAMinSize=1024 ...
Generating 2048 bits RSA is extremely slow, so add ed25519.
We keep RSA 1024 to be as compatible as possible.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 6ac61dead9)
34a8a74 uhttpd/file: fix string out of buffer range on uh_defer_script
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7a6f6b8126)
47561aa mimetypes: add audio/video support for apple airplay
6341357 ucode: respect all arguments passed to send()
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d14559e9df)
It seems that DSA-based b53 driver never worked with BCM53573 SoCs and
BCM53125.
In case of swconfig-based b53 this fixes a regression. Switching bgmac
from using mdiobus_register() to of_mdiobus_register() resulted in MDIO
device (BCM53125) having of_node set (see of_mdiobus_register_phy()).
That made downstream b53 driver read invalid data from DT and broke
Ethernet support.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 79fd3e62b4)
removed redundant eeprom partition nodes from
cn7130_ubnt_edgerouter-4.dts and cn7130_ubnt_edgerouter-6p.dts
as they are identically defined in cn7130_ubnt_edgerouter-e300.dtsi.
Signed-off-by: Carsten Spieß <mail@carsten-spiess.de>
(integrated eeprom referenced node in the .dtsi)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 700f11aaad)
The MAC addresses should be read from 3rd MTD partition,
but only two MTD partitions are populated.
To fix it, a partitions node has to surround the partition
nodes in device tree.
Tested with Edgerouter 6P
Signed-off-by: Carsten Spieß <mail@carsten-spiess.de>
(fixed checkpatch complains)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 2b1d7965c7)
LEDs on Edgerouter 6P didn't work correctly:
blue /white LED swapped, on/off state inverted
Fixed in device tree:
swap the GPIO ports for power:blue and power:white LEDs
change LED activity from LOW to HIGH
Tested on Edgerouter 6P
Signed-off-by: Carsten Spieß <mail@carsten-spiess.de>
(cherry picked from commit 9009672930)
Some device recipes remove default target packages. If user tries to add
them back they will be ignored, since packages list is processed in one
go. Process the device recipe packages first and do user ones later, so
additions won't get filtered out.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit e40b9a7fa0)
'help' target fails not finding a file, so follow up on a change[2] made
as a fix for main README[1].
1. d0113711a3 ("README: port to 21st century")
2. 751486b31f ("build: fix README.md reference after rename")
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit 2d5f7035cf)
(cherry picked from commit e9911f10e4)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Instead of loading the whole image into the memory when generating the
sha256 sum, we load the file in chunks and update the hash incrementally
to avoid MemoryError in python. Also remove a stray empty line.
Fixes: #13056
Signed-off-by: Adones Pitogo <pitogo.adones@gmail.com>
(mention empty line removal, adds Fixes from PR)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit bdb4b78210)
Fixes: e17f9fd0e8 ("bcm47xx: revert bgmac back to the old limited max frame size")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 83aeb0bbd4)
Bumping max frame size has significantly affected network performance
and memory usage. It was done by upstream commit that first appeared in
the 5.7 release.
Allocating 512 (BGMAC_RX_RING_SLOTS) buffers, 10 k each, is clearly a
bad idea on 32 MiB devices. This commit fixes support for Linksys E1000
V2.1 which gives up after allocating ~346 such buffers running 5.15
kernel.
Ref: 230c9da963 ("bcm53xx: revert bgmac back to the old limited max frame size")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 4970dd027b)
The upstream board-2.bin file in the linux-firmware.git
repository for the QCA4019 contains a packed board-2.bin
for this device for both 2.4G and 5G wifis. This isn't
something that the ath10k driver supports.
Until this feature either gets implemented - which is
very unlikely -, or the upstream boardfile is mended
(both, the original submitter and ath10k-firmware
custodian have been notified). OpenWrt will go back
and use its own bespoke boardfile. This unfortunately
means that 2.4G and on some revisions the 5G WiFi is
not available in the initramfs image for this device.
qca9984 isn't affected.
Fixes: #12886
Reported-by: Christian Heuff <christian@heuff.at>
Debugged-by: Georgios Kourachanis <geo.kourachanis@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 75505c5ec7)
Removed because upstreamed:
uml/patches-5.10/001-um-Fix-build-w-o-CONFIG_PM_SLEEP.patch
All other patches automatically rebased.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fix a typo where the wrong KCONFIG was used and fix selecting the
correct kernel config option to use these packages.
Fixes: 4f443c885d ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 3ebebf08be)
openssl sets additional cflags in its configuration script. We need to
make it aware of our custom cflags to avoid adding conflicting cflags.
Fixes: #12866
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
(cherry picked from commit 51f57e7c2d)
The DGND3700v2 renames the cferam bootloader from cferam to cfeXXX, where XXX
is the number of firmware upgrades performed by the bootloader. Other bcm63xx
devices rename cferam.000 to cferam.XXX, but this device is special because
the cferam name isn't changed on the first firmware flashing but it's changed
on the subsequent ones.
Therefore, we need to look for "cfe" instead of "cferam" to properly detect
the cferam partition and fix the bootlop.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit cdfcac6e24)
The DGND3700v2 renames the cferam bootloader from cferam to cfeXXX, where XXX
is the number of firmware upgrades performed by the bootloader. Other bcm63xx
devices rename cferam.000 to cferam.XXX, but this device is special because
the cferam name isn't changed on the first firmware flashing but it's changed
on the subsequent ones.
Therefore, we need to look for "cfe" instead of "cferam" to properly detect
the cferam partition and fix the bootlop.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit 915e914cfa)
Some devices rename cferam bootloader using specific patterns and don't follow
broadcom standards for renaming cferam files. This requires supporting
different cferam file names.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit 8813edd8d9)
source.codeaurora.org project has been shut down and the nxp
repositories has been moved to github. Update the repository
link to the new location.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 0a1ee53235)
source.codeaurora.org project has been shut down and the nxp
repositories has been moved to github. Update the repository
link to the new location.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 52fd8d8ba3)
Linux 5.10.178 includes backported commits that break the compilation
of bpf-headers, as the compilation gets confused which assembler to use.
Caused by Linux upstream commits just before the .178 tag:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/?h=v5.10.178
2023-04-20 kbuild: check CONFIG_AS_IS_LLVM instead of LLVM_IAS
2023-04-20 kbuild: Switch to 'f' variants of integrated assembler flag
2023-04-20 kbuild: check the minimum assembler version in Kconfig
Explicitly use LLVM_IAS=1 to fix things.
Fixes#12748
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]
o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
o Fixed handling of invalid certificate policies in leaf certificates
(CVE-2023-0465)
o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Deleted because it was applied upstream
ipq806x/patches-5.10/103-ARM-dts-qcom-reduce-pci-IO-size-to-64K.patch
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
General specification:
SoC Type: MediaTek MT7620N (580MHz)
ROM: 8 MB SPI-NOR (W25Q64FV)
RAM: 64 MB DDR (EM6AB160TSD-5G)
Switch: MediaTek MT7530
Ethernet: 5 ports - 5×100MbE (WAN, LAN1-4)
Wireless: 2.4 GHz (MediaTek RT5390): b/g/n
Buttons: 3 button (POWER, RESET, WPS)
Slide switch: 4 position (BASE, ADAPTER, BOOSTER, ACCESS POINT)
Bootloader: U-Boot 1.1.3
Power: 9 VDC, 0.6 A
MAC in stock:
|- + |
| LAN | RF-EEPROM + 0x04 |
| WLAN | RF-EEPROM + 0x04 |
| WAN | RF-EEPROM + 0x28 |
OEM easy installation
1. Use a PC to browse to http://my.keenetic.net.
2. Go to the System section and open the Files tab.
3. Under the Files tab, there will be a list of system
files. Click on the Firmware file.
4. When a modal window appears, click on the Choose File
button and upload the firmware image.
5. Wait for the router to flash and reboot.
OEM installation using the TFTP method
1. Download the latest firmware image and rename it to
klite3_recovery.bin.
2. Set up a Tftp server on a PC (e.g. Tftpd32) and place the
firmware image to the root directory of the server.
3. Power off the router and use a twisted pair cable to connect
the PC to any of the router's LAN ports.
4. Configure the network adapter of the PC to use IP address
192.168.1.2 and subnet mask 255.255.255.0.
5. Power up the router while holding the reset button pressed.
6. Wait approximately for 5 seconds and then release the
reset button.
7. The router should download the firmware via TFTP and
complete flashing in a few minutes.
After flashing is complete, use the PC to browse to
http://192.168.1.1 or ssh to proceed with the configuration.
Signed-off-by: Alexey Bartenev <41exey@proton.me>
(cherry picked from commit dc79b51533)
The BDFs for all boards were upstreamed to the ath10k-firmware
repository and linux-firmware.git.
We switched to the upstream board-2.bin, hence the files can be removed
here.
Keep the ipq-wifi package in case new boards are added. It might take
some time till board-2.bins send upstream are merged.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Hauke Mehrtens