feed/packages.git
15 months agoMerge pull request #22018 from stangri/openwrt-22.03-https-dns-proxy
Stan Grishin [Mon, 4 Sep 2023 01:03:07 +0000 (18:03 -0700)]
Merge pull request #22018 from stangri/openwrt-22.03-https-dns-proxy

[22.03] https-dns-proxy: fix dns resolution not working on boot

15 months agohttps-dns-proxy: fix dns resolution not working on boot
Stan Grishin [Sun, 3 Sep 2023 20:33:17 +0000 (20:33 +0000)]
https-dns-proxy: fix dns resolution not working on boot

* fix dns resolution not working on boot
* add hotplug-online script
* reorganizes files/ and Makefile to reflect files destinations

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 9a2c5ae18c5a4bce20d1a8c572d1261b191701dc)

15 months agowget: use pcre2
Leon M. Busch-George [Sun, 11 Jun 2023 18:39:06 +0000 (20:39 +0200)]
wget: use pcre2

Pcre (1) is unmaintained and reached its end of life in 2021.
The base system provides pcre2 exclusively since May.

Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
(cherry picked from commit 379946951c22ea774e4e22b4379571da604ded4b)

15 months agoknot-resolver: update to version 5.7.0
Josef Schlehofer [Sat, 2 Sep 2023 15:23:37 +0000 (17:23 +0200)]
knot-resolver: update to version 5.7.0

Changelog:
https://www.knot-resolver.cz/2023-01-26-knot-resolver-5.6.0.html
https://www.knot-resolver.cz/2023-08-22-knot-resolver-5.7.0.html

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit a5314681149259827c1eec074ae11fe6b7a80961)

15 months agoknot: enable QUIC support
Jan Hák [Tue, 29 Aug 2023 11:36:24 +0000 (13:36 +0200)]
knot: enable QUIC support

Signed-off-by: Jan Hák <jan.hak@nic.cz>
(cherry picked from commit dea3e7acb6b4ef4b83defc2d40ad4dfeb10d1df4)

15 months agoknot: update to version 3.3.0
Jan Hák [Tue, 29 Aug 2023 09:24:07 +0000 (11:24 +0200)]
knot: update to version 3.3.0

Signed-off-by: Jan Hák <jan.hak@nic.cz>
(cherry picked from commit e79e4415139fd1bc475200a8e408dce9a7f89dc2)

15 months agoknot: update to version 3.2.9
Jan Hák [Tue, 1 Aug 2023 11:27:00 +0000 (13:27 +0200)]
knot: update to version 3.2.9

Signed-off-by: Jan Hák <jan.hak@nic.cz>
(cherry picked from commit f6aa1198eb14487d57bb5cb88fcc359376bfd3ed)

15 months agoknot: update to version 3.2.8
Jan Hák [Mon, 26 Jun 2023 11:07:06 +0000 (13:07 +0200)]
knot: update to version 3.2.8

Signed-off-by: Jan Hák <jan.hak@nic.cz>
(cherry picked from commit 9517ef080a88812b96ef55e55ddc83ada0a6a829)

15 months agoknot: update to version 3.2.7
Jan Hák [Wed, 7 Jun 2023 11:23:05 +0000 (13:23 +0200)]
knot: update to version 3.2.7

Signed-off-by: Jan Hák <jan.hak@nic.cz>
(cherry picked from commit 439694a0128739e493d5ff2d20a8cbd4d4ca253e)

15 months agoknot: update to version 3.2.6
Jan Hák [Wed, 12 Apr 2023 09:16:04 +0000 (11:16 +0200)]
knot: update to version 3.2.6

Signed-off-by: Jan Hák <jan.hak@nic.cz>
(cherry picked from commit bb946a19cd3203e288f99db666e123c92f7e3d0d)

15 months agotmate: fix build against msgpack-c 6.0
Tianling Shen [Tue, 7 Mar 2023 02:52:37 +0000 (10:52 +0800)]
tmate: fix build against msgpack-c 6.0

This patch is taken from
https://git.alpinelinux.org/aports/commit/?id=f923597f4bdea424dc28b1d026269df060596fac

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 928710813baba4f6f5130d936f0cab44c0033b90)

15 months agomsgpack-c: Update to 6.0.0
Tianling Shen [Tue, 7 Mar 2023 02:50:02 +0000 (10:50 +0800)]
msgpack-c: Update to 6.0.0

Removed 010-no-gtest.patch as upstream no longer detects it.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 394cc366b3210924ed270c3745d37a7be3d1965b)

15 months agotmate-ssh-server: fix build against msgpack-c 6.0
Tianling Shen [Tue, 7 Mar 2023 07:44:29 +0000 (15:44 +0800)]
tmate-ssh-server: fix build against msgpack-c 6.0

This patch is taken from
https://git.alpinelinux.org/aports/commit/?id=f923597f4bdea424dc28b1d026269df060596fac

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit c49a1dad52f6556757dc93f787c84cac76629435)

15 months agotang: do not require bash and curl (backport from 23.05)
Nikos Mavrogiannopoulos [Thu, 31 Aug 2023 16:45:20 +0000 (18:45 +0200)]
tang: do not require bash and curl (backport from 23.05)

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
15 months agotang: corrected hash for v14
Nikos Mavrogiannopoulos [Wed, 30 Aug 2023 07:10:27 +0000 (09:10 +0200)]
tang: corrected hash for v14

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
15 months agonatmap: update to 20230820
Ray Wang [Mon, 21 Aug 2023 15:27:30 +0000 (23:27 +0800)]
natmap: update to 20230820

Signed-off-by: Ray Wang <r@hev.cc>
(cherry picked from commit d5b99f9e8a0958be7f8eef66515bd98e4a7b4d96)

15 months agotang: updated to v14
Nikos Mavrogiannopoulos [Mon, 28 Aug 2023 16:36:16 +0000 (18:36 +0200)]
tang: updated to v14

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
15 months agotang: create user tang
Nikos Mavrogiannopoulos [Thu, 1 Jun 2023 07:18:43 +0000 (09:18 +0200)]
tang: create user tang

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
15 months agotang: use sbin instead of libexec
Nikos Mavrogiannopoulos [Tue, 26 Apr 2022 07:50:08 +0000 (09:50 +0200)]
tang: use sbin instead of libexec

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
15 months agotang: remove post-installation key generation
Nikos Mavrogiannopoulos [Sun, 7 May 2023 11:35:14 +0000 (13:35 +0200)]
tang: remove post-installation key generation

The keys will be generated on startup.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
15 months agotang: updated to version 12
Nikos Mavrogiannopoulos [Wed, 12 Apr 2023 18:19:10 +0000 (20:19 +0200)]
tang: updated to version 12

This version enables standalone operation.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
15 months agostrongswan: fix compilation against updated WolfSSL 5.6.3
Jo-Philipp Wich [Fri, 25 Aug 2023 08:41:59 +0000 (10:41 +0200)]
strongswan: fix compilation against updated WolfSSL 5.6.3

After OpenWrt base updated WolfSSL to version 5.6.3, the strongswan wolfssl
plugin fails to compile due to a header conflict.

The error reported by the builders is:

    In file included from .../usr/include/wolfssl/openssl/asn1.h:27,
                     from .../usr/include/wolfssl/ssl.h:4123,
                     from wolfssl_common.h:64,
                     from wolfssl_ec_private_key.c:23:
    ../../../../src/libstrongswan/asn1/asn1.h:43:9: error: 'WOLFSSL_ASN1_STRING' redeclared as different kind of symbol
       43 |         ASN1_UTF8STRING =               0x0C,
          |         ^~~~~~~~~~~~~~~
    In file included from wolfssl_common.h:64,
                     from wolfssl_ec_private_key.c:23:
    .../usr/include/wolfssl/ssl.h:212:41: note: previous declaration of 'WOLFSSL_ASN1_STRING' with type 'WOLFSSL_ASN1_STRING'
      212 | typedef struct WOLFSSL_ASN1_STRING      WOLFSSL_ASN1_STRING;
          |                                         ^~~~~~~~~~~~~~~~~~~
    make[9]: *** [Makefile:621: wolfssl_ec_private_key.lo] Error 1

Solve this issue by adding a local path that remaps `ASN1_UTF8STRING`
during wolfssl header inclusion, like it is done already for other
conflicting defines.

Ref: https://forum.openwrt.org/t/x/169580
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
15 months agonet/mosquitto: bump to 2.0.17
Karl Palsson [Thu, 17 Aug 2023 21:59:08 +0000 (21:59 +0000)]
net/mosquitto: bump to 2.0.17

This is a security and bug fix release.

Security:
- CVE-2023-28366: Fix memory leak in broker when clients send multiple QoS 2
  messages with the same message ID, but then never respond to the PUBREC
  commands.
- CVE-2023-0809: Fix excessive memory being allocated based on malicious
  initial packets that are not CONNECT packets.
- CVE-2023-3592: Fix memory leak when clients send v5 CONNECT packets with a
  will message that contains invalid property types.
- Broker will now reject Will messages that attempt to publish to $CONTROL/.
- Broker now validates usernames provided in a TLS certificate or TLS-PSK
  identity are valid UTF-8.
- Fix potential crash when loading invalid persistence file.
- Library will no longer allow single level wildcard certificates, e.g. *.com

Bugfixes of note or relevance to OpenWrt:
- Fix bridges with non-matching cleansession/local_cleansession being expired
  on start after restoring from persistence. Closes #2634.
Client library:
- Use CLOCK_BOOTTIME when available, to keep track of time. This solves the
  problem of the client OS sleeping and the client hence not being able to
  calculate the actual time for keepalive purposes. Closes #2760.

Full changelog available at: https://github.com/eclipse/mosquitto/blob/v2.0.16/ChangeLog.txt
plus: https://github.com/eclipse/mosquitto/blob/v2.0.17/ChangeLog.txt
(2.0.17 fixes regressions from the 2.0.16 release)

Signed-off-by: Karl Palsson <karlp@tweak.au>
15 months agotunneldigger-broker: update to v0.4.0
Perry Melange [Sun, 6 Aug 2023 15:05:41 +0000 (17:05 +0200)]
tunneldigger-broker: update to v0.4.0

Include new hook script to build

Signed-off-by: Perry Melange <isprotejesvalkata@gmail.com>
(cherry picked from commit 93a102e21a8a80bf98957531c96ac06474ac089f)

15 months agotunneldigger-broker: add rate-limit hook
Perry Melange [Thu, 17 Aug 2023 20:45:19 +0000 (22:45 +0200)]
tunneldigger-broker: add rate-limit hook

Signed-off-by: Perry Melange <isprotejesvalkata@gmail.com>
(cherry picked from commit 0d1085fe9eae61d96ae69c80d3e44a9f36e21cb7)

15 months agotunneldigger-broker: add option to isolate bridge ports
Perry Melange [Sat, 29 Jul 2023 19:50:28 +0000 (21:50 +0200)]
tunneldigger-broker: add option to isolate bridge ports

Add new option to a config bridge section to indicate
if a bridge port added to the bridge should be isolated
or not.  The default is 0 (no isolation).

example

config bridge
     option interface 'br-mybridge1446'
     option mtu '1446'
     option isolate '1' # default '0'

Signed-off-by: Perry Melange <isprotejesvalkata@gmail.com>
(cherry picked from commit 49cdf15da458c384d6c0cd19b228e2d84ba205f4)

15 months agotunneldigger-broker: update lib functions
Perry Melange [Sat, 29 Jul 2023 19:35:46 +0000 (21:35 +0200)]
tunneldigger-broker: update lib functions

Use config_foreach instead of config_cb

Signed-off-by: Perry Melange <isprotejesvalkata@gmail.com>
(cherry picked from commit ab2b1ade2792c4218725ff5f0851141197ac0188)

15 months agotunneldigger-broker: update config file and init for v0.4.0
Perry Melange [Thu, 17 Aug 2023 20:46:11 +0000 (22:46 +0200)]
tunneldigger-broker: update config file and init for v0.4.0

Signed-off-by: Perry Melange <isprotejesvalkata@gmail.com>
(cherry picked from commit 99dfea773019fc8fb194a22e7beba4e94ed8df66)

16 months agoMerge pull request #21829 from stangri/openwrt-22.03-simple-adblock
Stan Grishin [Wed, 16 Aug 2023 20:42:42 +0000 (13:42 -0700)]
Merge pull request #21829 from stangri/openwrt-22.03-simple-adblock

[22.03] simple-adblock: bugfixes for uci_load_validate

16 months agosimple-adblock: bugfixes for uci_load_validate
Stan Grishin [Tue, 15 Aug 2023 16:31:21 +0000 (16:31 +0000)]
simple-adblock: bugfixes for uci_load_validate

* fix validation for force_dns_port when missing in config
* fix validation for dns_instance when * or - are used

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit ad8aa084c18af6fd878e578453d7077deb5c223e)

16 months agoMerge pull request #21818 from mhei/22.03-php8-update-to-8.1.22
Michael Heimpold [Tue, 15 Aug 2023 05:40:12 +0000 (07:40 +0200)]
Merge pull request #21818 from mhei/22.03-php8-update-to-8.1.22

[22.03] php8: update to 8.1.22

16 months agophp8: update to 8.1.22
Michael Heimpold [Sun, 13 Aug 2023 09:41:56 +0000 (11:41 +0200)]
php8: update to 8.1.22

This fixes:
    - CVE-2023-3823
    - CVE-2023-3824

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
16 months agonode: August 2023 Security Releases
Hirokazu MORIKAWA [Thu, 10 Aug 2023 05:23:46 +0000 (14:23 +0900)]
node: August 2023 Security Releases

Update to v16.20.2
This is a security release.

Notable Changes
The following CVEs are fixed in this release:
* CVE-2023-32002: Policies can be bypassed via Module._load (High)
* CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
* CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
* OpenSSL Security Releases  (Depends on shared library provided by OpenWrt)
    * OpenSSL security advisory 14th July.
    * OpenSSL security advisory 19th July.
    * OpenSSL security advisory 31st July

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
16 months agoMerge pull request #21762 from stangri/openwrt-22.03-simple-adblock
Stan Grishin [Tue, 8 Aug 2023 20:15:40 +0000 (13:15 -0700)]
Merge pull request #21762 from stangri/openwrt-22.03-simple-adblock

[22.03] simple-adblock: force_dns_port validation bugfix

16 months agoMerge pull request #21694 from stangri/openwrt-22.03-curl
Stan Grishin [Tue, 8 Aug 2023 20:15:23 +0000 (13:15 -0700)]
Merge pull request #21694 from stangri/openwrt-22.03-curl

[22.03] curl: update to 8.2.1

16 months agosimple-adblock: force_dns_port validation bugfix
Stan Grishin [Tue, 8 Aug 2023 09:28:31 +0000 (09:28 +0000)]
simple-adblock: force_dns_port validation bugfix

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 173d163f0935bd21e667fcd9a895718112d71718)

16 months agov2fly-geodata: Update to latest version
Tianling Shen [Sun, 6 Aug 2023 01:38:03 +0000 (09:38 +0800)]
v2fly-geodata: Update to latest version

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 1003f84ead4ccd1b99c07392ad7542debe82e332)

16 months agov2raya: Update to 2.1.0
Tianling Shen [Sun, 6 Aug 2023 01:38:02 +0000 (09:38 +0800)]
v2raya: Update to 2.1.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 4faa0e88fe78deaa9d4c4f8149f9f6f1dcbba8a0)

16 months agocloudreve: Update to 3.8.1
Tianling Shen [Sun, 6 Aug 2023 01:38:02 +0000 (09:38 +0800)]
cloudreve: Update to 3.8.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit d1f4f875fa14fffc268fcd9167f2b6f284a7620e)

16 months agoi2pd: update to version 2.48.0
R4SAS I2P [Sat, 5 Aug 2023 20:13:21 +0000 (20:13 +0000)]
i2pd: update to version 2.48.0

Signed-off-by: R4SAS I2P <r4sas@i2pmail.org>
(cherry picked from commit d7b0d3f83d61ce117db0a3e5899624e77a4f5555)

16 months agoMerge pull request #21740 from jefferyto/golang-1.19.12-openwrt-22.03
Tianling Shen [Mon, 7 Aug 2023 00:40:23 +0000 (08:40 +0800)]
Merge pull request #21740 from jefferyto/golang-1.19.12-openwrt-22.03

[openwrt-22.03] golang: Update to 1.19.12

16 months agogolang: Update to 1.19.12
Jeffery To [Sun, 6 Aug 2023 18:43:20 +0000 (02:43 +0800)]
golang: Update to 1.19.12

Includes fix for CVE-2023-29409 (crypto/tls: verifying certificate
chains containing large RSA keys is slow).

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
16 months agocurl: update to 8.2.1
Stan Grishin [Mon, 31 Jul 2023 04:11:02 +0000 (04:11 +0000)]
curl: update to 8.2.1

* https://curl.se/changes.html#8_2_1

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 82dbc1c4d519c3ec93220247f3ffb2ac354c89fd)

16 months agoMerge pull request #21639 from stangri/openwrt-22.03-curl
Stan Grishin [Tue, 1 Aug 2023 05:28:17 +0000 (22:28 -0700)]
Merge pull request #21639 from stangri/openwrt-22.03-curl

[22.03] curl: update to 8.2.0

16 months agomg: bump to 7.3
Hirokazu MORIKAWA [Thu, 27 Jul 2023 01:39:44 +0000 (10:39 +0900)]
mg: bump to 7.3

Description:
Sync to OpenBSD 7.3

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
(cherry picked from commit e25f57b60273a6fa4515367e82b379c09c483e55)

16 months agoMerge pull request #21632 from stangri/openwrt-22.03-https-dns-proxy
Stan Grishin [Sun, 23 Jul 2023 15:52:57 +0000 (08:52 -0700)]
Merge pull request #21632 from stangri/openwrt-22.03-https-dns-proxy

[22.03] https-dns-proxy: improve CLI messaging

16 months agocurl: update to 8.2.0
Stan Grishin [Sun, 23 Jul 2023 15:48:18 +0000 (15:48 +0000)]
curl: update to 8.2.0

* https://curl.se/changes.html#8_2_0

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit a276cebd9ee8bd5f63b9693fb885529f951375b8)

16 months agoMerge pull request #21629 from stangri/openwrt-22.03-simple-adblock
Stan Grishin [Sun, 23 Jul 2023 15:14:15 +0000 (08:14 -0700)]
Merge pull request #21629 from stangri/openwrt-22.03-simple-adblock

[22.03] simple-adblock: dnsmasq access bugfix & misc improvements

16 months agohttps-dns-proxy: improve CLI messaging
Stan Grishin [Sun, 23 Jul 2023 05:22:04 +0000 (05:22 +0000)]
https-dns-proxy: improve CLI messaging

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 649fbcf9fcab34df3d39b0642cd5b566eefb569e)

16 months agosimple-adblock: dnsmasq access bugfix & misc improvements
Stan Grishin [Sun, 23 Jul 2023 05:06:40 +0000 (05:06 +0000)]
simple-adblock: dnsmasq access bugfix & misc improvements

* fix permission to dnsmasq files for ad-blocking
* add pause function to pause the ad-blocking temporarily
* introduce pause_timeout option to control default pause time
* update default config and config-update file
* use $param instead of $1 in adb_start()

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit dea274cc333ab99e42b569bf412c23e0dfd8a87a)

16 months agorclone: Update to 1.63.1
Tianling Shen [Fri, 21 Jul 2023 19:01:19 +0000 (03:01 +0800)]
rclone: Update to 1.63.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 34d1c310b36ce0473a457ee1f82414ff994cd92c)

16 months agodnsproxy: Update to 0.52.0
Tianling Shen [Wed, 19 Jul 2023 07:46:15 +0000 (15:46 +0800)]
dnsproxy: Update to 0.52.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit dc3af571d7c7328d3013b52812bc9e22d14676df)

16 months agocloudflared: Update to 2023.7.1
Tianling Shen [Wed, 19 Jul 2023 07:46:07 +0000 (15:46 +0800)]
cloudflared: Update to 2023.7.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 498343e2c0b21383c9ebb77fbfd1b6a0dbe1acf6)

17 months agosnowflake: update to 2.6.0
Nick Hainke [Tue, 27 Jun 2023 07:58:08 +0000 (09:58 +0200)]
snowflake: update to 2.6.0

Tor projects tries to migrate away from git.torproject.org [0,1]. We
need to adjust PKG_SOURCE and GO_PKG name. Further, we need to backport
patches to fix compiling on riscv64, so add:
- 0001-Bump-minimum-required-version-of-go.patch
- 0002-Update-dependencies.patch

Changelog:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/commit/2fa8fd9188078eaa169f1edd16815deae4004c6c

[0] - https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/86
[1] - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/commit/82cc0f38f73c4ca4e12d22173562a092ebd4dea0

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 0281f7594b31a5a947c26b895343daedc8a808e8)

17 months agoMerge pull request #21591 from jefferyto/golang-1.19.11-openwrt-22.03
Tianling Shen [Mon, 17 Jul 2023 13:18:42 +0000 (21:18 +0800)]
Merge pull request #21591 from jefferyto/golang-1.19.11-openwrt-22.03

[openwrt-22.03] golang: Update to 1.19.11

17 months agogolang: Update to 1.19.11
Jeffery To [Mon, 17 Jul 2023 07:32:40 +0000 (15:32 +0800)]
golang: Update to 1.19.11

Includes fix for CVE-2023-29406 (net/http: insufficient sanitization of
Host header).

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
17 months agobanip: release 0.9.0-1
Dirk Brenken [Sun, 16 Jul 2023 05:32:24 +0000 (07:32 +0200)]
banip: release 0.9.0-1

* supports allowing / blocking of certain VLAN forwards in segregated network environments,
   set 'ban_vlanallow', ''ban_vlanblock' accordingly
* simplified the code/JSON to generate/parse the banIP status
* enclose nft related devices in quotation marks , e.g. to handle devices which starts with a number '10g-1'
* made the new vlan options available to LuCI (separate commit)

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 1c14eb6d8ced8bc49825bc109984a8b6715c1a08)

17 months agoyq: Update to 4.34.2
Tianling Shen [Fri, 14 Jul 2023 06:13:46 +0000 (14:13 +0800)]
yq: Update to 4.34.2

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 1cb2590c1743eeb4c357b1f0d7e3fb47b3640ae6)

17 months agocloudflared: Update to 2023.7.0
Tianling Shen [Fri, 14 Jul 2023 06:13:35 +0000 (14:13 +0800)]
cloudflared: Update to 2023.7.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 5e0c715a51cd146867d0ca9efd5158307410f042)

17 months agoMerge pull request #21559 from mhei/22.03-php8-update-to-8.1.21
Michael Heimpold [Fri, 14 Jul 2023 05:57:36 +0000 (07:57 +0200)]
Merge pull request #21559 from mhei/22.03-php8-update-to-8.1.21

[22.03] php8: update to 8.1.21

17 months agophp8: update to 8.1.21
Michael Heimpold [Wed, 12 Jul 2023 20:53:59 +0000 (22:53 +0200)]
php8: update to 8.1.21

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
17 months agorclone: Update to 1.63.0
Tianling Shen [Tue, 4 Jul 2023 08:04:54 +0000 (16:04 +0800)]
rclone: Update to 1.63.0

While at it fixed a typo error of license files variable.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 952844c976bae289c603f9c93662a08f6ff49290)

17 months agorclone: Update to 1.62.2
Tianling Shen [Fri, 17 Mar 2023 05:17:38 +0000 (13:17 +0800)]
rclone: Update to 1.62.2

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 392a68e24774294590abf9c08ea1832f2cee190d)

17 months agodnsproxy: Update to 0.51.0
Tianling Shen [Mon, 3 Jul 2023 14:05:28 +0000 (22:05 +0800)]
dnsproxy: Update to 0.51.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 9cf533dffe8363349530e808a2dedf5d7ee4685f)

17 months agobanip: update 0.8.9-4
Dirk Brenken [Sun, 9 Jul 2023 05:01:17 +0000 (07:01 +0200)]
banip: update 0.8.9-4

* made the etag id parsing more bulletproof (to catch unverified etags as well)

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 5e2a9f082aa271dd2b7c2bd7f884bc2aef0b9be6)

17 months agobanip: update 0.8.9-3
Dirk Brenken [Sat, 8 Jul 2023 17:51:52 +0000 (19:51 +0200)]
banip: update 0.8.9-3

* prevent superflous etag function calls during start action (on start backups will be used anyway)
* changed the ipthreat feed download URL (load a compressed file variant to save bandwidth)

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 88e64a2ae488e1cd8d4d539c6d976c9ccc728d2f)

17 months agobanip: update 0.8.9-2
Dirk Brenken [Fri, 7 Jul 2023 18:03:08 +0000 (20:03 +0200)]
banip: update 0.8.9-2

* fix a corner case backup issue with empty feed downloads

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 137045faa904fd826be9e82b22aa2ee1d65229b7)

17 months agobanip: release 0.8.9-1
Dirk Brenken [Fri, 7 Jul 2023 16:28:21 +0000 (18:28 +0200)]
banip: release 0.8.9-1

* added HTTP ETag or entity tag support to download only ressources that have been updated on the server side,
  to save bandwith and speed up banIP reloads
* added 4 new feeds: binarydefense, bruteforceblock, etcompromised, ipblackhole (see readme)
* updated the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 68cdc3952dd7adf6fb1ed4b8138ec5478ac18b9a)

17 months agodnslookup: Update to 1.9.1
Tianling Shen [Wed, 22 Mar 2023 07:19:24 +0000 (15:19 +0800)]
dnslookup: Update to 1.9.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 65c9414e166c0bf97a47a388ecbd18e93df29fd2)

17 months agoadblock: update to 4.1.5-8
Dirk Brenken [Fri, 30 Jun 2023 05:28:16 +0000 (07:28 +0200)]
adblock: update to 4.1.5-8

* adapt adguard_tracking source changes

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit e1fa285f325543cc96dcfe2beb17fe83cc1a76e3)

17 months agobind: bump to 9.18.16
Noah Meyerhans [Mon, 26 Jun 2023 03:02:35 +0000 (20:02 -0700)]
bind: bump to 9.18.16

Fixes CVEs:

- CVE-2023-2828: The overmem cleaning process has been improved, to
  prevent the cache from significantly exceeding the configured
  max-cache-size limit.
- CVE-2023-2911: A query that prioritizes stale data over lookup
  triggers a fetch to refresh the stale data in cache. If the fetch is
  aborted for exceeding the recursion quota, it was possible for named
  to enter an infinite callback loop and crash due to stack overflow.

The complete list of changes is available in the upstream release
notes at
https://ftp.isc.org/isc/bind9/cur/9.18/doc/arm/html/notes.html#notes-for-bind-9-18-16

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit 9ac79ad46966908d2ceb64c0e0d8a0bff435767a)

17 months agobanip: update 0.8.8-2
Dirk Brenken [Sat, 24 Jun 2023 11:09:40 +0000 (13:09 +0200)]
banip: update 0.8.8-2

* process local lists in strict sequential order to prevent possible race conditions
* support ranges in the IP search, too
* fix some minor search issues

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit c3084be415f5c701a319342c85ca626996b5b463)

17 months agobanip: release 0.8.8-1
Dirk Brenken [Wed, 21 Jun 2023 08:53:19 +0000 (10:53 +0200)]
banip: release 0.8.8-1

* Support MAC-/IPv4/IPv6 ranges in CIDR notation
* Support  concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments (see readme)
* small fixes & cosmetics
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit b9bd6cdb0dcd85b30999b162a06a10c5229908e7)

17 months agobanip: release 0.8.7-1
Dirk Brenken [Mon, 5 Jun 2023 15:20:12 +0000 (17:20 +0200)]
banip: release 0.8.7-1

* Optionally auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the
   monitored suspicious IP, set 'ban_autoblocksubnet' accordingly (disabled by default).
   For more information regarding RDAP see
   https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap for reference.
* small fixes & cosmetics
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 767d1ec663b980f86f31354ceaee07c6184656eb)

17 months agoc-ares: bump to 1.19.1
Hirokazu MORIKAWA [Thu, 15 Jun 2023 06:49:25 +0000 (15:49 +0900)]
c-ares: bump to 1.19.1

This is a security and bugfix release.

Security
o CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
o CVE-2023-31147. Moderate. Insufficient randomness in generation of DNS
query IDs
o CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton()
o CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross
compilation

Fixing libcares.pc
 The pkg-config file libcares.pc in version 1.19.1 has been changed to be unsuitable for OpenWrt
 and causes build errors with Openwrt packages that use libcares.
 For this reason, libcares.pc was replaced.

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
(cherry picked from commit 4c4d3b900197785292ef92055effcccd7f3b805b)

17 months agocloudflared: Update to 2023.6.1
Tianling Shen [Wed, 21 Jun 2023 12:47:19 +0000 (20:47 +0800)]
cloudflared: Update to 2023.6.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 1aa41e92ac8733be9a25b77eddea7cdac3bedc34)

17 months agov2ray-geodata: Update to latest version
Tianling Shen [Tue, 20 Jun 2023 05:11:16 +0000 (13:11 +0800)]
v2ray-geodata: Update to latest version

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit e4a22284cb5ddbcaccdea1ad850a573f9d783026)

17 months agoxray-core: update to 1.8.3
Tianling Shen [Tue, 20 Jun 2023 05:11:04 +0000 (13:11 +0800)]
xray-core: update to 1.8.3

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit c912e2bcedfcfb50c1ee02d0fa120f0b0025ac2c)

17 months agocloudflared: Update to 2023.6.0
Tianling Shen [Mon, 19 Jun 2023 06:44:12 +0000 (14:44 +0800)]
cloudflared: Update to 2023.6.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 194cf52a82df2bdf98d52687762287ae689b6fc6)

17 months agocloudflared: support setting tunnel token
Scott McKenzie [Fri, 19 May 2023 17:38:27 +0000 (03:38 +1000)]
cloudflared: support setting tunnel token

Allows user to provide a token for Cloudflare tunnel.
When provided along with credentials, this will take precedence.

Signed-off-by: Scott McKenzie <scott@noizyland.net>
(cherry picked from commit 61106a8df299de5297e816d1f75fbb602382b60c)

17 months agonode: June 20 2023 Security Releases
Hirokazu MORIKAWA [Wed, 21 Jun 2023 02:41:11 +0000 (11:41 +0900)]
node: June 20 2023 Security Releases

Update to v16.20.1

The following CVEs are fixed in this release:
* CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
* CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
* CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
* CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)

* OpenSSL Security Releases  (Depends on shared library provided by OpenWrt)
    * OpenSSL security advisory 28th March.
    * OpenSSL security advisory 20th April.
    * OpenSSL security advisory 30th May

* c-ares vulnerabilities:  (Depends on shared library provided by OpenWrt)
    * GHSA-9g78-jv2r-p7vc
    * GHSA-8r8p-23f3-64c2
    * GHSA-54xr-f67r-4pc4
    * GHSA-x6mf-cxr9-8q6v

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
17 months agonmap: fix ncat proxy mode with upstream patches
ValdikSS ValdikSS [Fri, 16 Jun 2023 14:53:08 +0000 (17:53 +0300)]
nmap: fix ncat proxy mode with upstream patches

ncat utility from nmap package has a bug in 7.90 and 7.91 version which
prevent it from working via proxy.

Signed-off-by: ValdikSS ValdikSS <iam@valdikss.org.ru>
17 months agoMerge pull request #21412 from stangri/openwrt-22.03-https-dns-proxy
Stan Grishin [Tue, 20 Jun 2023 15:58:09 +0000 (09:58 -0600)]
Merge pull request #21412 from stangri/openwrt-22.03-https-dns-proxy

[22.03] https-dns-proxy: update to 2023-05-25-2

17 months agoMerge pull request #21283 from stangri/openwrt-22.03-curl
Stan Grishin [Tue, 20 Jun 2023 02:59:57 +0000 (20:59 -0600)]
Merge pull request #21283 from stangri/openwrt-22.03-curl

[22.03] curl: update to 8.1.2

18 months agohttps-dns-proxy: update to 2023-05-25-2
Stan Grishin [Tue, 20 Jun 2023 02:02:45 +0000 (02:02 +0000)]
https-dns-proxy: update to 2023-05-25-2

bugfix: proper mdns object creation
bugfix: prevent fw errors by allowing custom interfaces in config

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit a31640ac7cfab78c75808e22fc7fc2da48bd8e7f)

18 months agomhz: add new package
Robert Marko [Sat, 17 Jun 2023 06:47:39 +0000 (08:47 +0200)]
mhz: add new package

mhz is a tool for mathematically calculating the current CPU frequency, it
has proven to be a really good help while developing CPU frequency scaling
solutions as it allows to independently prove that scaling actually works.

Now that the author has added a license we can package it for the all to
use.

Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 89123b308f98de6e6e77a1bf21586c8fafc83413)

18 months agoMerge pull request #21382 from mhei/22.03-php8-update-to-8.1.20
Michael Heimpold [Fri, 16 Jun 2023 06:07:26 +0000 (08:07 +0200)]
Merge pull request #21382 from mhei/22.03-php8-update-to-8.1.20

[22.03] php8: update to 8.1.20

18 months agophp8: update to 8.1.20
Michael Heimpold [Thu, 15 Jun 2023 19:24:26 +0000 (21:24 +0200)]
php8: update to 8.1.20

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
18 months agocloudreve: Update to 3.8.0
Tianling Shen [Mon, 12 Jun 2023 19:36:41 +0000 (03:36 +0800)]
cloudreve: Update to 3.8.0

- Fixed packing web frontend assets
- Enabled build for riscv64

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 27e6796a832e76ac4eee30de2347ad47c085c7ed)
[removed unavailable riscv64 from supported arches]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
18 months agodnsproxy: Update to 0.50.2
Tianling Shen [Sun, 11 Jun 2023 16:55:32 +0000 (00:55 +0800)]
dnsproxy: Update to 0.50.2

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit eda669c819fcd6ea2cf1f50ad3a21ea5b52fdeba)

18 months agoMerge pull request #21346 from jefferyto/python-3.10.12-openwrt-22.03
Tianling Shen [Tue, 13 Jun 2023 03:00:35 +0000 (11:00 +0800)]
Merge pull request #21346 from jefferyto/python-3.10.12-openwrt-22.03

[openwrt-22.03] python3: Update to 3.10.12

18 months agotunneldigger: add package for establishing L2TPv3 tunnels over UDP
Nick Hainke [Thu, 8 Jun 2023 12:34:09 +0000 (14:34 +0200)]
tunneldigger: add package for establishing L2TPv3 tunnels over UDP

In the previous commit we already added tunneldigger-broker. Add the
corresponding client.

This PR is just a refactoring of the already existing opkg package from
wlanslovenija [0].

[0] - https://github.com/wlanslovenija/firmware-packages-opkg/tree/master/net/tunneldigger

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit bd2b4f311a95b64e019ef29f7c01326a3dfee7d1)

18 months agotunneldigger-broker: add broker for tunneldigger
Nick Hainke [Thu, 8 Jun 2023 10:36:33 +0000 (12:36 +0200)]
tunneldigger-broker: add broker for tunneldigger

In mesh communities, tunneldigger is widely used to create L2TPv3 tunnels
and mesh via them. Since the broker is typically installed on other
distributions, the openwrt broker package has not received any
maintenance in recent years [0]. I  take now care of the further maintaince
of this package. Furthermore, I consulted with the maintainers to ensure
that they were comfortable with the change [1].

This PR is just a refactoring of the already existing opkg package from
wlanslovenija. It fixes config parsing and in general the config, adapts
to the new python syntax and fixes dependency handling.

- [0] https://github.com/wlanslovenija/firmware-packages-opkg/tree/master/net/tunneldigger-broker
- [1] https://github.com/wlanslovenija/firmware-packages-opkg/issues/24

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 8298ce82346817c09cfb6ace2f991bacf79a6071)

18 months agoMerge pull request #21343 from jefferyto/golang-1.19.10-openwrt-22.03
Tianling Shen [Mon, 12 Jun 2023 10:21:13 +0000 (18:21 +0800)]
Merge pull request #21343 from jefferyto/golang-1.19.10-openwrt-22.03

[openwrt-22.03] golang: Update to 1.19.10

18 months agopython3: Update to 3.10.12
Jeffery To [Mon, 12 Jun 2023 07:17:41 +0000 (15:17 +0800)]
python3: Update to 3.10.12

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
18 months agogolang: Update to 1.19.10
Jeffery To [Mon, 12 Jun 2023 04:25:43 +0000 (12:25 +0800)]
golang: Update to 1.19.10

Includes fixes for:

* CVE-2023-29402: cmd/go: cgo code injection
* CVE-2023-29403: runtime: unexpected behavior of setuid/setgid binaries
* CVE-2023-29404: cmd/go: improper sanitization of LDFLAGS
* CVE-2023-29405: cmd/go: improper sanitization of LDFLAGS

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
18 months agoavahi: Import patches for security fixes
Hirokazu MORIKAWA [Thu, 8 Jun 2023 05:37:38 +0000 (14:37 +0900)]
avahi: Import patches for security fixes

Imported patches included in debian and other package.

* 200-Fix-NULL-pointer-crashes-from-175.patch
  CVE-2021-3502
   A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.

* 201-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
  CVE-2021-3468
   A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.

* 202-avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch
   avahi_dns_packet_consume_uint32 left shifts uint8_t values by 8, 16 and 24 bits to combine them into a 32-bit value. This produces an undefined behavior warning with gcc -fsanitize when fed input values of 128 or 255 however in testing no actual unexpected behavior occurs in practice and the 32-bit uint32_t is always correctly produced as the final value is immediately stored into a uint32_t and the compiler appears to handle this "correctly".
Cast the intermediate values to uint32_t to prevent this warning and ensure the intended result is explicit.

* 203-Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
   This was causing timeouts to never be removed from the linked list that tracks them, resulting in both memory and CPU usage to grow larger over time.

* 204-Emit-error-if-requested-service-is-not-found.patch
   It currently just crashes instead of replying with error. Check return
value and emit error instead of passing NULL pointer to reply.

* 205-conf-file-line-lengths.patch
   Allow avahi-daemon.conf file to have lines longer than 256 characters (new limit 1024).

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
(cherry picked from commit 779af4d40ccdc0f2a798ee6b6849abb37d202f1b)

18 months agonet/acme: Bump acme.sh to v3.0.6
Toke Høiland-Jørgensen [Fri, 9 Jun 2023 13:23:45 +0000 (15:23 +0200)]
net/acme: Bump acme.sh to v3.0.6

Important security fix.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
18 months agocrowdsec: new upstream release version 1.5.2
S. Brusch [Wed, 7 Jun 2023 19:10:03 +0000 (21:10 +0200)]
crowdsec: new upstream release version 1.5.2

Update crowdsec to latest upstream release version 1.5.2

Signed-off-by: S. Brusch <ne20002@gmx.ch>
Maintainer: Kerma Gérald <gandalf@gk2.net>
Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.5

Description: update to latest version of upstream
(cherry picked from commit 1813bf2c6e2f4cbf17af582d1626698fe8da5821)

18 months agocurl: update to 8.1.2
Stan Grishin [Mon, 5 Jun 2023 19:35:08 +0000 (19:35 +0000)]
curl: update to 8.1.2

* https://curl.se/changes.html#8_1_2

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 5afd8e088a1ad0b9b1074ac61460101a48e7e551)