<feed xmlns='http://www.w3.org/2005/Atom'>
<title>staging/stintel/tools/xz, branch master</title>
<subtitle>Staging tree of Stijn Tintel</subtitle>
<id>https://git.openwrt.org/openwrt/staging/stintel/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/openwrt/staging/stintel/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/stintel/'/>
<updated>2026-04-20T03:58:37Z</updated>
<entry>
<title>treewide: use HTTPS for PKG_SOURCE_URL where possible</title>
<updated>2026-04-20T03:58:37Z</updated>
<author>
<name>Paul Spooren</name>
</author>
<published>2026-04-18T13:26:39Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/stintel/commit/?id=7a991c8d88b8946db94059f1f34885c8bf74c124'/>
<id>urn:sha1:7a991c8d88b8946db94059f1f34885c8bf74c124</id>
<content type='text'>
Switch http:// (and redundant ftp://) PKG_SOURCE_URL entries to https://
across tools/ and package/. PKG_HASH alone does not protect against an
attacker tampering with insecure downloads when a maintainer regenerates
the hash via `make ... FIXUP=1`: HTTPS authenticates the upstream so the
captured hash reflects real upstream content.

In-place http -&gt; https (HTTPS reachability verified per host):
- tools/elftosb, tools/lzop, tools/liblzo, tools/mpfr, tools/dosfstools,
  tools/libressl, tools/xz
- package/libs/mpfr, package/libs/libmnl, package/libs/libnfnetlink

Replaced with @OPENWRT (HTTPS-only mirror) where the upstream HTTPS host
is dead or has a broken certificate:
- package/libs/popt (ftp.rpm.org cert mismatch)
- package/firmware/ixp4xx-microcode (was http://downloads.openwrt.org)
- package/boot/imx-bootlets (trabant.uid0.hu cert mismatch)
- package/boot/kobs-ng (freescale.com URL is dead, redirects to nxp.com root)

Dropped redundant ftp://ftp.denx.de fallback (https://ftp.denx.de is
already listed):
- package/boot/uboot-tools, tools/mkimage

Signed-off-by: Paul Spooren &lt;mail@aparcar.org&gt;
</content>
</entry>
<entry>
<title>tools/xz: update to 5.8.3</title>
<updated>2026-04-06T13:58:13Z</updated>
<author>
<name>Shiji Yang</name>
</author>
<published>2026-04-05T01:06:23Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/stintel/commit/?id=105750c673929ae77946fd1f42bbf75b185fca3a'/>
<id>urn:sha1:105750c673929ae77946fd1f42bbf75b185fca3a</id>
<content type='text'>
This includes a fix for CVE-2026-34743.

Release Notes:
https://github.com/tukaani-project/xz/releases/tag/v5.8.3

Signed-off-by: Shiji Yang &lt;yangshiji66@outlook.com&gt;
Link: https://github.com/openwrt/openwrt/pull/22790
Signed-off-by: Hauke Mehrtens &lt;hauke@hauke-m.de&gt;
</content>
</entry>
<entry>
<title>tools/xz: update to 5.8.2</title>
<updated>2025-12-21T19:49:22Z</updated>
<author>
<name>Shiji Yang</name>
</author>
<published>2025-12-18T13:26:36Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/stintel/commit/?id=def7548867741206f6788d55e58d7417d859e106'/>
<id>urn:sha1:def7548867741206f6788d55e58d7417d859e106</id>
<content type='text'>
Release Notes:
https://github.com/tukaani-project/xz/releases/tag/v5.8.2

Signed-off-by: Shiji Yang &lt;yangshiji66@outlook.com&gt;
Link: https://github.com/openwrt/openwrt/pull/21208
Signed-off-by: Robert Marko &lt;robimarko@gmail.com&gt;
</content>
</entry>
<entry>
<title>tools: xz: update to 5.8.1</title>
<updated>2025-04-22T11:20:05Z</updated>
<author>
<name>Robert Marko</name>
</author>
<published>2025-04-21T11:23:20Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/stintel/commit/?id=269f251ba6eae8981e3dbc13f355fc1f53b955ba'/>
<id>urn:sha1:269f251ba6eae8981e3dbc13f355fc1f53b955ba</id>
<content type='text'>
5.8.1 (2025-04-03)

    * Multithreaded .xz decoder (lzma_stream_decoder_mt()):

        - Fix a bug that could at least result in a crash with
          invalid input. (CVE-2025-31115)

        - Fix a performance bug: Only one thread was used if the whole
          input file was provided at once to lzma_code(), the output
          buffer was big enough, timeout was disabled, and LZMA_FINISH
          was used. There are no bug reports about this, thus it's
          possible that no real-world application was affected.

    * Avoid &lt;stdalign.h&gt; even with C11/C17 compilers. This fixes the
      build with Oracle Developer Studio 12.6 on Solaris 10 when the
      compiler is in C11 mode (the header doesn't exist).

    * Autotools: Restore compatibility with GNU make versions older
      than 4.0 by creating the package using GNU gettext 0.23.1
      infrastructure instead of 0.24.

    * Update Croatian translation.

Link: https://github.com/openwrt/openwrt/pull/18558
Signed-off-by: Robert Marko &lt;robimarko@gmail.com&gt;
</content>
</entry>
<entry>
<title>tools/xz: update to 5.8.0</title>
<updated>2025-04-01T19:47:15Z</updated>
<author>
<name>Shiji Yang</name>
</author>
<published>2025-03-28T16:10:25Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/stintel/commit/?id=e37ad78539d410368de2e5b95388b3acf8686126'/>
<id>urn:sha1:e37ad78539d410368de2e5b95388b3acf8686126</id>
<content type='text'>
Changelogs:
https://github.com/tukaani-project/xz/releases/tag/v5.8.0

Signed-off-by: Shiji Yang &lt;yangshiji66@outlook.com&gt;
Link: https://github.com/openwrt/openwrt/pull/18367
Signed-off-by: Nick Hainke &lt;vincent@systemli.org&gt;
</content>
</entry>
<entry>
<title>tools: xz: update to 5.6.4</title>
<updated>2025-02-23T11:21:26Z</updated>
<author>
<name>Shiji Yang</name>
</author>
<published>2025-02-21T13:18:22Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/stintel/commit/?id=3ffe54a1e19fa0f26c158e8fc7d2af2b8e409ba4'/>
<id>urn:sha1:3ffe54a1e19fa0f26c158e8fc7d2af2b8e409ba4</id>
<content type='text'>
The serious liblzma backdoor vulnerability (CVE-2024-3094) has
been fixed since v5.6.2. It's time to bump this tool to the
latest version. This patch also added a new GitHub package URL.

Changelogs:
https://github.com/tukaani-project/xz/releases/tag/v5.6.2
https://github.com/tukaani-project/xz/releases/tag/v5.6.3
https://github.com/tukaani-project/xz/releases/tag/v5.6.4

Signed-off-by: Shiji Yang &lt;yangshiji66@qq.com&gt;
Link: https://github.com/openwrt/openwrt/pull/18063
Signed-off-by: Nick Hainke &lt;vincent@systemli.org&gt;
</content>
</entry>
<entry>
<title>Revert "tools/xz: update to 5.6.1" (CVE-2024-3094)</title>
<updated>2024-03-29T16:59:56Z</updated>
<author>
<name>Petr Štetiar</name>
</author>
<published>2024-03-29T16:59:01Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/stintel/commit/?id=d4b6b76443207103d3a7c0eae5c0085317fb584f'/>
<id>urn:sha1:d4b6b76443207103d3a7c0eae5c0085317fb584f</id>
<content type='text'>
This reverts commit 714c91d1a63f29650abaa9cf69ffa47cf2c70297 as probably
the upstream xz repository and the xz tarballs have been backdoored.

References: https://www.openwall.com/lists/oss-security/2024/03/29/4.
Signed-off-by: Petr Štetiar &lt;ynezz@true.cz&gt;
</content>
</entry>
<entry>
<title>tools/xz: update to 5.6.1</title>
<updated>2024-03-29T05:56:43Z</updated>
<author>
<name>Nick Hainke</name>
</author>
<published>2024-03-28T20:36:29Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/stintel/commit/?id=714c91d1a63f29650abaa9cf69ffa47cf2c70297'/>
<id>urn:sha1:714c91d1a63f29650abaa9cf69ffa47cf2c70297</id>
<content type='text'>
Change mirror to GitHub.

Signed-off-by: Nick Hainke &lt;vincent@systemli.org&gt;
</content>
</entry>
<entry>
<title>tools/xz: update to 5.4.6</title>
<updated>2024-01-30T09:37:34Z</updated>
<author>
<name>Nick Hainke</name>
</author>
<published>2024-01-29T18:15:28Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/stintel/commit/?id=dfb4babfdfcede65ab373a1ef7fa57a17b0f7a4f'/>
<id>urn:sha1:dfb4babfdfcede65ab373a1ef7fa57a17b0f7a4f</id>
<content type='text'>
Changelog:
https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;h=d271dad2d3f1ec54e56ef8fa60275a88697a24aa;hb=0ef8192e8d5af4e6200d5d4aee22d1f177f7a2df

Signed-off-by: Nick Hainke &lt;vincent@systemli.org&gt;
</content>
</entry>
<entry>
<title>tools/xz: update to 5.4.5</title>
<updated>2023-12-04T12:18:35Z</updated>
<author>
<name>Nick Hainke</name>
</author>
<published>2023-11-11T07:54:17Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/openwrt/staging/stintel/commit/?id=39bdcec0113984fd9087379ae3937daefe04e077'/>
<id>urn:sha1:39bdcec0113984fd9087379ae3937daefe04e077</id>
<content type='text'>
* liblzma:
    - Use __attribute__((__no_sanitize_address__)) to avoid address
      sanitization with CRC64 CLMUL. It uses 16-byte-aligned reads
      which can extend past the bounds of the input buffer and
      inherently trigger address sanitization errors. This isn't
      a bug.
    - Fixed an assertion failure that could be triggered by a large
      unpadded_size argument. It was verified that there was no
      other bug than the assertion failure.
    - Fixed a bug that prevented building with Windows Vista
      threading when __attribute__((__constructor__)) is not
      supported.
* xz now properly handles special files such as "con" or "nul" on
  Windows. Before this fix, the following wrote "foo" to the
  console and deleted the input file "con_xz":
      echo foo | xz &gt; con_xz
      xz --suffix=_xz --decompress con_xz
* Build systems:
    - Allow builds with Windows win95 threading and small mode when
      __attribute__((__constructor__)) is supported.
    - Added a new line to liblzma.pc for MSYS2 (Windows):
          Cflags.private: -DLZMA_API_STATIC
      When compiling code that will link against static liblzma,
      the LZMA_API_STATIC macro needs to be defined on Windows.
    - CMake specific changes:
        * Fixed a bug that allowed CLOCK_MONOTONIC to be used even
          if the check for it failed.
        * Fixed a bug where configuring CMake multiple times
          resulted in HAVE_CLOCK_GETTIME and HAVE_CLOCK_MONOTONIC
          not being set.
        * Fixed the build with MinGW-w64-based Clang/LLVM 17.
          llvm-windres now has more accurate GNU windres emulation
          so the GNU windres workaround from 5.4.1 is needed with
          llvm-windres version 17 too.
        * The import library on Windows is now properly named
          "liblzma.dll.a" instead of "libliblzma.dll.a"
        * Fixed a bug causing the Ninja Generator to fail on
          UNIX-like systems. This bug was introduced in 5.4.0.
        * Added a new option to disable CLMUL CRC64.
        * A module-definition (.def) file is now created when
          building liblzma.dll with MinGW-w64.
        * The pkg-config liblzma.pc file is now installed on all
          builds except when using MSVC on Windows.
        * Added large file support by default for platforms that
          need it to handle files larger than 2 GiB. This includes
          MinGW-w64, even 64-bit builds.
* Small fixes and improvements to the tests.
* Updated translations: Chinese (simplified) and Esperanto.

Signed-off-by: Nick Hainke &lt;vincent@systemli.org&gt;
</content>
</entry>
</feed>
