staging/pepe2k, branch v21.02.7 Staging tree of Piotr Dymacz https://git.openwrt.org/openwrt/staging/pepe2k/atom?h=v21.02.7 2023-04-27T21:08:10Z OpenWrt v21.02.7: adjust config defaults 2023-04-27T21:08:10Z Hauke Mehrtens 2023-04-27T21:08:10Z urn:sha1:57a6d97ddf8f6541a52e0f8fad8c6f47685a1bc3 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> openssl: fix CVE-2023-464 and CVE-2023-465 2023-04-17T13:15:36Z Eneas U de Queiroz 2023-04-04T18:39:56Z urn:sha1:f8282da11ee77c36acb1bd94c99b76ce13257ab9 Apply two patches fixing low-severity vulnerabilities related to certificate policies validation: - Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464) Severity: Low A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. - Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) Severity: Low Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Note: OpenSSL also released a fix for low-severity security advisory CVE-2023-466. It is not included here because the fix only changes the documentation, which is not built nor included in any OpenWrt package. Due to the low-severity of these issues, there will be not be an immediate new release of OpenSSL. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> kernel: backport fix for recently introduced UBI bug 2023-04-15T02:34:22Z Daniel Golle 2023-04-15T00:35:17Z urn:sha1:34d2883b9d6fd4a3b3eb39d3fa90e8c281d36448 Import commit "ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size" which did not yet make it to stable upstream Linux trees. Fixes: #12232 Fixes: #12339 Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit aad34818b50029e07ed9221ae46f9770d6e29785) uclient: update to Git version 2023-04-13 2023-04-13T18:55:09Z Matthias Schiffer 2023-04-13T18:51:05Z urn:sha1:e63b8443ab9f5edeba5b29c27f59015526cac0fd 007d94546749 uclient: cancel state change timeout in uclient_disconnect() 644d3c7e13c6 ci: improve wolfSSL test coverage dc54d2b544a1 tests: add certificate check against letsencrypt.org Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> (cherry picked from commit 4f1c2e8deef10e9ca34ceff5a096e62aaa668e90) OpenWrt v21.02.6: revert to branch defaults 2023-04-09T22:38:42Z Daniel Golle 2023-04-09T22:38:42Z urn:sha1:f6a41570a5f6abb6ca74b957e4d226cf6c3f0c9a Signed-off-by: Daniel Golle <daniel@makrotopia.org> OpenWrt v21.02.6: adjust config defaults 2023-04-09T22:38:36Z Daniel Golle 2023-04-09T22:38:36Z urn:sha1:9f213a85e219c94c45c15c9aa5feffadb00689ea Signed-off-by: Daniel Golle <daniel@makrotopia.org> imagebuilder: allow to specific ROOTFS_PARTSIZE 2023-04-09T12:28:16Z Paul Spooren 2023-03-12T15:56:41Z urn:sha1:bc99ce5b22963c22661b3e549c3cdc86bf52756c Setting this options modifies the rootfs size of created images. When installing a large number of packages it may become necessary to increase the size to have enough storage. This option is only useful for supported devices, i.e. with an attached SD Card or installed on a hard drive. Signed-off-by: Paul Spooren <mail@aparcar.org> (cherry picked from commit 7b7edd25a571568438c886529d3443054e02f55f) kernel: remove obsolete netfilter tcp window size check bypass patch 2023-03-30T12:18:04Z Felix Fietkau 2023-03-30T12:18:04Z urn:sha1:cbe73ea33d027dbb4b2cf1eca947ae746119e7d2 On any currently supported hardware, the performance impact should not matter anymore. Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit 75e78bcaab847557ce1782eb2dea9dff9a029171) mac80211, mt76: add fixes for recently discovered security issues 2023-03-30T10:24:52Z Felix Fietkau 2023-03-29T15:54:19Z urn:sha1:32621086c3b0c641609580bdf83d4c731caa7f5e Fixes CVE-2022-47522 Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit d54c91bd9ab3c54ee06923eafbd67047816a37e4) ipq40xx: Linksys MR8300: fix the USB port power 2023-03-29T20:19:27Z Daniel González Cabanelas 2023-02-16T22:04:20Z urn:sha1:2541ca616da8357b766130ed2f40dfc2d9e31f1c The USB port on the MR8300 randomly fails to feed bus-powered devices. This is caused by a misconfigured pinmux. The GPIO68 should be used to enable the USB power (active low), but it's inside the NAND pinmux. This GPIO pin was found in the original firmware at a startup script in both MR8300 and EA8300. Therefore apply the fix for both boards. Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com> Reviewed-by: Robert Marko <robimarko@gmail.com> (cherry picked from commit ed64c3323590e3c9fa8b423bf37689023a7a101f) Signed-off-by: Steffen Scheib <steffen@scheib.me>