Staging tree of Stijn Tintel https://git.openwrt.org/openwrt/staging/stintel/atom?h=master 2026-05-07T16:20:24Z 2026-05-07T16:20:24Z Michael Pfeifroth 2026-04-30T12:00:47Z urn:sha1:ab8cebbc97d0ad7e3ec3d1c5d507428a4f2bc870 PCRE2 10.47 renamed LICENCE to LICENCE.md. Update PKG_LICENSE_FILES to match the actual filename in the source tarball. Signed-off-by: Michael Pfeifroth <michael.pfeifroth@westermo.com> Link: https://github.com/openwrt/openwrt/pull/23164 Signed-off-by: Robert Marko <robimarko@gmail.com> 2026-05-07T08:58:47Z Andre Heider 2025-04-23T11:04:15Z urn:sha1:e3271a6786524008b7135228145d0540df7c1451 These are all unused by the current targets, clean up and stop irritating the user with irrelevant grep results. Signed-off-by: Andre Heider <a.heider@gmail.com> Link: https://github.com/openwrt/openwrt/pull/23240 Signed-off-by: Robert Marko <robimarko@gmail.com> 2026-05-04T22:27:58Z Magnus Kroken 2026-04-23T18:12:51Z urn:sha1:e65001e3e7ce8509ab937f339d92409668c4af9c Fix a TLS 1.2 regression that caused clients to reject valid ServerKeyExchange signatures using RSA-PSS signature algorithms. The TLS 1.2 regression resulted in errors like: $ curl https://api.domeneshop.no/v0/ curl: (35) ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields Fixes: https://github.com/openwrt/openwrt/issues/22874 Fixes: https://github.com/openwrt/openwrt/issues/23116 Fixes: f48ef0040b7e ("mbedtls: update to 3.6.6") Signed-off-by: Magnus Kroken <mkroken@gmail.com> Link: https://github.com/openwrt/openwrt/pull/23066 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 2026-04-27T08:50:53Z Alexandru Ardelean 2026-04-24T11:05:00Z urn:sha1:589ad78db1edd946d0023fac399682781369409d Release Notes: https://github.com/SELinuxProject/selinux/wiki/Releases#release-310 Signed-off-by: Alexandru Ardelean <alex@shruggie.ro> Link: https://github.com/openwrt/openwrt/pull/23082 Signed-off-by: Robert Marko <robimarko@gmail.com> 2026-04-27T08:50:53Z Alexandru Ardelean 2026-04-24T11:04:55Z urn:sha1:50d79fdb3b9dba4b06f6097fd3d146e7266b559a Release Notes: https://github.com/SELinuxProject/selinux/wiki/Releases#release-310 Signed-off-by: Alexandru Ardelean <alex@shruggie.ro> Link: https://github.com/openwrt/openwrt/pull/23082 Signed-off-by: Robert Marko <robimarko@gmail.com> 2026-04-27T08:50:53Z Alexandru Ardelean 2026-04-24T11:04:52Z urn:sha1:36870b804dbac69b24a3271d508355bf2c67f8e6 Release Notes: https://github.com/SELinuxProject/selinux/wiki/Releases#release-310 Signed-off-by: Alexandru Ardelean <alex@shruggie.ro> Link: https://github.com/openwrt/openwrt/pull/23082 Signed-off-by: Robert Marko <robimarko@gmail.com> 2026-04-24T19:08:24Z Sander van Deijck 2026-04-24T00:43:03Z urn:sha1:8ef7b4ee4ba77a8d58e734753d1c87b1d4d332d7 For changes, see: https://github.com/wolfSSL/wolfssl/releases/tag/v5.9.1-stable This includes a fix for a critical (CVSS 9.3) vulnerability: https://github.com/advisories/GHSA-f5h9-5q52-qrx7 Signed-off-by: Sander van Deijck <sander@vandeijck.com> Link: https://github.com/openwrt/openwrt/pull/23072 Signed-off-by: Nick Hainke <vincent@systemli.org> 2026-04-20T03:58:37Z Paul Spooren 2026-04-18T13:26:39Z urn:sha1:7a991c8d88b8946db94059f1f34885c8bf74c124 Switch http:// (and redundant ftp://) PKG_SOURCE_URL entries to https:// across tools/ and package/. PKG_HASH alone does not protect against an attacker tampering with insecure downloads when a maintainer regenerates the hash via `make ... FIXUP=1`: HTTPS authenticates the upstream so the captured hash reflects real upstream content. In-place http -> https (HTTPS reachability verified per host): - tools/elftosb, tools/lzop, tools/liblzo, tools/mpfr, tools/dosfstools, tools/libressl, tools/xz - package/libs/mpfr, package/libs/libmnl, package/libs/libnfnetlink Replaced with @OPENWRT (HTTPS-only mirror) where the upstream HTTPS host is dead or has a broken certificate: - package/libs/popt (ftp.rpm.org cert mismatch) - package/firmware/ixp4xx-microcode (was http://downloads.openwrt.org) - package/boot/imx-bootlets (trabant.uid0.hu cert mismatch) - package/boot/kobs-ng (freescale.com URL is dead, redirects to nxp.com root) Dropped redundant ftp://ftp.denx.de fallback (https://ftp.denx.de is already listed): - package/boot/uboot-tools, tools/mkimage Signed-off-by: Paul Spooren <mail@aparcar.org> 2026-04-18T07:21:00Z Nick Hainke 2026-04-17T14:50:37Z urn:sha1:02e14b7278c3c571255ac0e9c636d56d8737acbe Release Notes: - https://github.com/libbpf/libbpf/releases/tag/v1.6.3 - https://github.com/libbpf/libbpf/releases/tag/v1.7.0 Link: https://github.com/openwrt/openwrt/pull/22971 Signed-off-by: Nick Hainke <vincent@systemli.org> 2026-04-11T10:18:54Z Jack Sun 2026-04-08T13:15:24Z urn:sha1:62ea6aad4705e88acb26f26803bfd20e17e9c8b3 This release incorporates the following bug fixes and mitigations: Fixed incorrect failure handling in RSA KEM RSASVE encapsulation. (CVE-2026-31790) Fixed loss of key agreement group tuple structure when the DEFAULT keyword is used in the server-side configuration of the key-agreement group list. (CVE-2026-2673) Fixed potential use-after-free in DANE client code. (CVE-2026-28387) Fixed NULL pointer dereference when processing a delta CRL. (CVE-2026-28388) Fixed possible NULL dereference when processing CMS KeyAgreeRecipientInfo. (CVE-2026-28389) Fixed possible NULL dereference when processing CMS KeyTransportRecipientInfo. (CVE-2026-28390) Fixed heap buffer overflow in hexadecimal conversion. (CVE-2026-31789) No need refresh patches Signed-off-by: Jack Sun <sunjiazheng321521@gmail.com> Link: https://github.com/openwrt/openwrt/pull/22847 Signed-off-by: Robert Marko <robimarko@gmail.com>