feed/packages.git
8 months agoocserv: updated to 1.3.0
Nikos Mavrogiannopoulos [Mon, 6 May 2024 06:30:19 +0000 (08:30 +0200)]
ocserv: updated to 1.3.0

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
8 months agobanip: update 0.9.5-5
Dirk Brenken [Sun, 5 May 2024 19:57:28 +0000 (21:57 +0200)]
banip: update 0.9.5-5

* fix a processing race condition
* it's now possible to disable the icmp/syn/udp safeguards in pre-routing - set the threshold to '0'.

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 083554094b169ad79ce4d4054e227f0829722de7)

8 months agodocker: Update to 26.1.0
Gerard Ryan [Wed, 1 May 2024 11:51:07 +0000 (21:51 +1000)]
docker: Update to 26.1.0
* Removed unnecessary GO lang variables

Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
8 months agodockerd: Update to 26.1.0
Gerard Ryan [Wed, 1 May 2024 11:50:47 +0000 (21:50 +1000)]
dockerd: Update to 26.1.0
* Removed unnecessary GO lang variables

Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
8 months agocontainerd: Update to 1.7.15
Gerard Ryan [Wed, 1 May 2024 11:50:08 +0000 (21:50 +1000)]
containerd: Update to 1.7.15
* Explicitly list GO_PKG_INSTALL_EXTRA
* Removed unnecessary GO lang variables

Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
8 months agouspot: update to Git HEAD (2024-05-03)
Thibaut VARÈNE [Sat, 4 May 2024 08:55:42 +0000 (10:55 +0200)]
uspot: update to Git HEAD (2024-05-03)

5e2d15a110bb treewide: remove tip_mode
e2dbdef4cf1e treewide: rename spotfilter -> uspotfilter
ef0f5291365b uspot/uspotfilter: implement disconnect_delay
92d3356d3fb3 update README

Update the package Makefile to reflect the changes from the following
above-listed commit:

e2dbdef4cf1e treewide: rename spotfilter -> uspotfilter

(cherry picked from commit 5181ce4a483711791329a13e07d29f9321d85178)
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
8 months agoxray-core: Update to 1.8.11
Tianling Shen [Fri, 3 May 2024 05:42:35 +0000 (13:42 +0800)]
xray-core: Update to 1.8.11

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 0db33e866b108b9d0768f6b9f488c2d99c2363bf)
[added a patch to fix build with go 1.21]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
8 months agoxray-core: Update to 1.8.10
Tianling Shen [Mon, 1 Apr 2024 07:59:40 +0000 (15:59 +0800)]
xray-core: Update to 1.8.10

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 1b59556d06059cc87945ad52bdbccbfc06f93d9e)

8 months agoxray-core: Update to 1.8.9
Tianling Shen [Thu, 21 Mar 2024 07:02:50 +0000 (15:02 +0800)]
xray-core: Update to 1.8.9

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 09c4a4b1bab44a4d15a38907e4c48a9a09bb916d)

8 months agov2ray-core: Update to 5.16.0
Tianling Shen [Fri, 3 May 2024 05:54:50 +0000 (13:54 +0800)]
v2ray-core: Update to 5.16.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit c0608d93befc062e33fb7dc2adbb70abe262c8cf)

8 months agov2ray-geodata: Update to latest version
Tianling Shen [Fri, 3 May 2024 05:42:40 +0000 (13:42 +0800)]
v2ray-geodata: Update to latest version

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 3f7a3e4edfcd5c37abd68fdc19b25e7795589345)

8 months agoacme-acmesh: use validation_method option instead of guessing
Sergey Ponomarev [Wed, 28 Feb 2024 20:13:47 +0000 (22:13 +0200)]
acme-acmesh: use validation_method option instead of guessing

The new validation_method option can be: dns, webroot or standalone.
Previously we guessed the challenge type:
1. if the DNS provider is specified then it's dns
2. if standalone=1
3. fallback to webroot

The logic is preserved and if the validation_method wasn't set explicitly we'll guess it in old manner.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
8 months agohev-socks5-server: add new package
Ray Wang [Thu, 25 Apr 2024 13:36:14 +0000 (21:36 +0800)]
hev-socks5-server: add new package

HevSocks5Server is a high-performance socks5 server for Unix.

More details: https://github.com/heiher/hev-socks5-server

Signed-off-by: Ray Wang <r@hev.cc>
(cherry picked from commit 8d36908aead7a37416ff4ac74d7c6ff59ded505e)

8 months agonano: update to 8.0
Hannu Nyman [Fri, 3 May 2024 13:24:09 +0000 (16:24 +0300)]
nano: update to 8.0

Update nano editor to version 8.0

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit 69166dbbb709625a848f327c9822c667db39744f)

8 months agobanip: update 0.9.5-4
Dirk Brenken [Wed, 1 May 2024 13:02:44 +0000 (15:02 +0200)]
banip: update 0.9.5-4

* optimized adding suspicious IPs to Sets in the log monitor
* re-added ipblackhole feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 4d7c38c7708110cb1d0290f50ef48129192dd76a)

8 months agonextdns: Update to version 1.43.3
Olivier Poitrey [Mon, 29 Apr 2024 21:54:23 +0000 (21:54 +0000)]
nextdns: Update to version 1.43.3

Signed-off-by: Olivier Poitrey <rs@nextdns.io>
8 months agodnsproxy: add three new features
Emily H. [Tue, 30 Apr 2024 11:03:38 +0000 (11:03 +0000)]
dnsproxy: add three new features

This commit adds the following features:
1. UCI support for local DNS over HTTPS/TLS/QUIC server.
2. UCI support for using private reverse DNS.
3. procd jail with CAP_NET_BIND_SERVICE, allowing
   dnsproxy to serve on standard ports directly.

Signed-off-by: Emily H. <battery_tag708@simplelogin.com>
(cherry picked from commit 5df794e34303ed2d1832c0626291ad392a228e8c)

8 months agomsmtp: update to version 1.8.25
Josef Schlehofer [Fri, 26 Apr 2024 13:35:52 +0000 (15:35 +0200)]
msmtp: update to version 1.8.25

Release notes:
https://marlam.de/msmtp/news/msmtp-1-8-25/

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 490866d752b41bc90661b10d2c9c41884575bf8b)

8 months agotransmission: update to version 4.0.5
Josef Schlehofer [Fri, 26 Apr 2024 08:38:20 +0000 (10:38 +0200)]
transmission: update to version 4.0.5

Release notes:
https://github.com/transmission/transmission/releases/tag/4.0.5

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 19a424aede70ddaedb1153144216db6423fa09e2)

8 months agosing-box: update to 1.8.12
Van Waholtz [Mon, 29 Apr 2024 09:08:50 +0000 (17:08 +0800)]
sing-box: update to 1.8.12

Signed-off-by: Van Waholtz <brvphoenix@gmail.com>
(cherry picked from commit 3fefdbf34bbe2601fcd677fd887e4156214b37ac)

8 months agoMerge pull request #24023 from rs/nextdns-1.43.0-openwrt-23.05
Stan Grishin [Mon, 29 Apr 2024 00:33:38 +0000 (17:33 -0700)]
Merge pull request #24023 from rs/nextdns-1.43.0-openwrt-23.05

[23.05] nextdns: Update to version 1.43.0

8 months agonextdns: Update to version 1.43.0
Olivier Poitrey [Sun, 28 Apr 2024 00:47:37 +0000 (00:47 +0000)]
nextdns: Update to version 1.43.0

Signed-off-by: Olivier Poitrey <rs@nextdns.io>
8 months agolibndpi: backport patch for PCRE2 support
Christian Marangi [Wed, 1 Nov 2023 00:43:36 +0000 (01:43 +0100)]
libndpi: backport patch for PCRE2 support

Backport patch for PCRE2 support as PCRE is EOL and won't receive any
support updates anymore.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit baa0d5127062929fd26671adb5388f9b30b61a36)

8 months agoopenssh: bump to 9.7p1
John Audia [Tue, 12 Mar 2024 12:13:02 +0000 (08:13 -0400)]
openssh: bump to 9.7p1

Release notes: https://www.openssh.com/txt/release-9.7

Removed upstreamed patch: 010-better_fzero-call-detection.patch

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 6be0617c00bdf5e9309ad3738d09fe498cb9fb0a)

8 months agolibrespeed-go: improve the description
Nathan Friedly [Thu, 25 Apr 2024 17:19:33 +0000 (13:19 -0400)]
librespeed-go: improve the description

This swaps the order of the lines in the description so that when LuCI displays only the first line, it still offers some helpful information.

Signed-off-by: Nathan Friedly <nathan@nfriedly.com>
(cherry picked from commit 06ea66c55866aa409ab567a593a22bd24e727f04)

8 months agolibrespeed-go: Reload the daemon after modifying the tls certificate
Anya Lin [Tue, 10 Oct 2023 01:13:14 +0000 (09:13 +0800)]
librespeed-go: Reload the daemon after modifying the tls certificate

Make the daemon reload after the tls certificate is updated

Signed-off-by: Anya Lin <hukk1996@gmail.com>
(cherry picked from commit fd1d506fff9462b3329585bdd148a6fd78cbd27a)

8 months agov2ray-core: Update to 5.15.3
Tianling Shen [Mon, 22 Apr 2024 07:26:22 +0000 (15:26 +0800)]
v2ray-core: Update to 5.15.3

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit ebed42fcb0e7e9bffee3c47b93244494377595ee)

8 months agobanip: update 0.9.5-3
Dirk Brenken [Fri, 26 Apr 2024 15:03:14 +0000 (17:03 +0200)]
banip: update 0.9.5-3

* allow multiple protocol/port definitions per feed, e.g. 'tcp udp 80 443 50000'
* removed the default protocol/port limitation from asn feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 2c6d5adac049a55ca067255da90dc938b5604249)

8 months agobanip: update 0.9.5-2
Dirk Brenken [Sun, 21 Apr 2024 19:57:17 +0000 (21:57 +0200)]
banip: update 0.9.5-2

* fixed possible Set search race condition (initiated from LuCI frontend)
* fixed the "no result" Set search problem in LuCI
* removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop)

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit ad755e0c4ddb63f8b8ed2204043ce750a4d4b928)

8 months agobanip: release 0.9.5-1
Dirk Brenken [Fri, 19 Apr 2024 20:09:29 +0000 (22:09 +0200)]
banip: release 0.9.5-1

* added a DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets, flood tresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
* the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
* block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
* it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445'
* filter/convert possible windows line endings of external feeds during processing
* the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
* set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
* update readme
* a couple of bugfixes & performance improvements
* removed abandoned feeds: darklist, ipblackhole
* added new feeds: becyber, ipsum, pallebone, debl (changed URL)
* requires a LuCI frontend update as well (separate PR/commit)

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit fa80fefe22d0c7ca1c1e34deb52683b54af1ed17)

8 months agosyslog-ng: update to version 4.7.1
Josef Schlehofer [Fri, 26 Apr 2024 09:24:57 +0000 (11:24 +0200)]
syslog-ng: update to version 4.7.1

Release notes:
- https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.7.0
- https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.7.1

Also bump version in the config file to avoid warning

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 9d49df0dabcdd9135bf0b86374695b69cb4bf5b6)

8 months agoCI: remove CircleCI for now
Paul Spooren [Sat, 10 Oct 2020 01:31:01 +0000 (15:31 -1000)]
CI: remove CircleCI for now

The GitHub CI offers currenlty more architecture and the Signed-of-by
test is covered via the DOC CI test. In case GitHub ever changes
policies, we can simply switch back.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 26c101edc3e918be4fbfe76b3514d1c8398f7d31)

8 months agoMerge pull request #24014 from stangri/openwrt-23.05-adblock-fast
Stan Grishin [Thu, 25 Apr 2024 22:09:43 +0000 (15:09 -0700)]
Merge pull request #24014 from stangri/openwrt-23.05-adblock-fast

[23.05] adblock-fast: bugfix: unbound-related fixes

8 months agoadblock-fast: bugfix: unbound-related fixes
Stan Grishin [Sun, 21 Apr 2024 14:06:52 +0000 (14:06 +0000)]
adblock-fast: bugfix: unbound-related fixes

* include `server:` directive at the top of unbound file
* update unbound-related outputGzip variable to include full path
* return always_nxdomain for blocked domains
* also update copyright stamp/license

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 474587a1f44db8b66caca8bdde9c2dd64b480638)

8 months agoMerge pull request #24006 from stangri/openwrt-23.05-nebula
Stan Grishin [Thu, 25 Apr 2024 21:33:12 +0000 (14:33 -0700)]
Merge pull request #24006 from stangri/openwrt-23.05-nebula

[23.05] nebula: Use APK style release number

8 months agonebula: Use APK style release number
Sean Khan [Fri, 12 Apr 2024 16:09:59 +0000 (12:09 -0400)]
nebula: Use APK style release number

Maintainer: Stan Grishin <stangri@melmac.ca>

Run tested: aarch64, Dynalink DL-WRX36, Master Branch

Signed-off-by: Sean Khan <datapronix@protonmail.com>
(cherry picked from commit 3cbb7474c3fad4b01f8ee065b1c045c4b7fb523f)

8 months agonatmap: add log_std{out,err} options
Ray Wang [Sat, 20 Apr 2024 14:53:03 +0000 (22:53 +0800)]
natmap: add log_std{out,err} options

Introduce `log_stdout` and `log_stderr` options for managing logging output.

Signed-off-by: Ray Wang <r@hev.cc>
(cherry picked from commit 5abbd3bcb2362963a2cc49c0a9de78dd5c5af185)

8 months agonode: bump to v18.20.2
Hirokazu MORIKAWA [Wed, 24 Apr 2024 01:42:09 +0000 (10:42 +0900)]
node: bump to v18.20.2

This is a security release.

Notable Changes
* CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
8 months agontpd: update to version 4.2.8p17
Paul Donald [Fri, 1 Mar 2024 20:49:30 +0000 (21:49 +0100)]
ntpd: update to version 4.2.8p17

Also some spell fixes for README.md

Drop patch-0001 - ntpd >= 4.2.8p16 patched this behaviour. See:

https://bugs.ntp.org/show_bug.cgi?id=3741 (and the linked diff there)
https://git.nwtime.org/websites/ntpwww/commit/d2a7faef2fea5f10b28cc2ee1d842e4b241f414f

Signed-off-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit b2742ed05d5404d1c2cada7c51607126d19fa3f6)

8 months agouwsgi: bump to latest 2.0.25.1 release
Christian Marangi [Sun, 21 Apr 2024 15:38:24 +0000 (17:38 +0200)]
uwsgi: bump to latest 2.0.25.1 release

Bump to latest 2.0.25.1 release

Drop upstream PCRE2 patch and alarm memory leak fix.
Rework and refresh patch due to release bump.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit a9371952c916423876d3d380837b7b47ef08eb69)

8 months agouwsgi: add experimental pcre2 patch and drop pcre
Christian Marangi [Fri, 22 Sep 2023 13:39:23 +0000 (15:39 +0200)]
uwsgi: add experimental pcre2 patch and drop pcre

Add experimental pcre2 patch and drop pcre in favor of pcre2 library.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 4374c3250f424f1e57b175961adb41f24489510d)

8 months agouwsgi: bump to release 2.0.22
Christian Marangi [Fri, 22 Sep 2023 13:38:27 +0000 (15:38 +0200)]
uwsgi: bump to release 2.0.22

Bump to release 2.0.22 to make it easier to apply patch for pcre2
support.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 94ded8ff315be664a806153a94913e7fbdcd3a49)

8 months agov2ray-geodata: Update to latest version
Tianling Shen [Mon, 15 Apr 2024 07:18:04 +0000 (15:18 +0800)]
v2ray-geodata: Update to latest version

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit c1e6fbbcb06786c7f78f7a12f9bf7337e94b2160)

8 months agov2ray-geodata: Update to latest version
Tianling Shen [Thu, 4 Apr 2024 04:17:22 +0000 (12:17 +0800)]
v2ray-geodata: Update to latest version

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 06332b022937714fe465c572d7ae0c7665e7552b)

8 months agocloudflared: Update to 2024.4.0
Tianling Shen [Mon, 15 Apr 2024 05:22:56 +0000 (13:22 +0800)]
cloudflared: Update to 2024.4.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit d9419aeabd74f5d170483691d8a2ab0c68620fce)

8 months agotor: update to 0.4.8.10 stable
Rui Salvaterra [Tue, 7 Nov 2023 12:27:24 +0000 (12:27 +0000)]
tor: update to 0.4.8.10 stable

Bugfix release, see the changelog [1] for what's new.

[1] https://gitlab.torproject.org/tpo/core/tor/-/raw/tor-0.4.8.10/ChangeLog

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
(cherry picked from commit ee8b29de2c42ffc7796cd825f38b19e56f838cd4)

8 months agoMerge pull request #23947 from mhei/23.05-php8-update-to-8.2.18
Michael Heimpold [Wed, 17 Apr 2024 18:22:55 +0000 (20:22 +0200)]
Merge pull request #23947 from mhei/23.05-php8-update-to-8.2.18

[23.05] php8: update to 8.2.18

8 months agoMerge pull request #23871 from graysky2/snort-backport-fix
Josef Schlehofer [Wed, 17 Apr 2024 11:27:41 +0000 (13:27 +0200)]
Merge pull request #23871 from graysky2/snort-backport-fix

snort3 and libdaq3: sync with master and remove symbol @HAS_LUAJIT_ARCH

8 months agoexim: update to 4.97.1
Daniel Golle [Thu, 4 Apr 2024 02:36:39 +0000 (03:36 +0100)]
exim: update to 4.97.1

IPv6 has accidentally been disabled in all Exim builds since the
package was introduced in OpenWrt due to a faulty `sed` script. This
has now been fixed, so beware that IPv6 is now enabled when updating
from previous releases.

Upstream changes since version 4.96.2 (bottom up):

JH/s1 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
      LF-only mode (as detected from the first header line).  Previously we did
      accept that in (normal) CRLF mode; this has been raised as a possible
      attack scenario (under the name "smtp smuggling", CVE-2023-51766).

JH/01 The hosts_connection_nolog main option now also controls "no MAIL in
      SMTP connection" log lines.

JH/02 Option default value updates:
        - queue_fast_ramp (main)        true (was false)
        - remote_max_parallel (main)    4 (was 2)

JH/03 Cache static regex pattern compilations, for use by ACLs.

JH/04 Bug 2903: avoid exit on an attempt to rewrite a malformed address.
      Make the rewrite never match and keep the logging.  Trust the
      admin to be using verify=header-syntax (to actually reject the message).

JH/05 Follow symlinks for placing a watch on TLS creds files.  This means
      (under Linux) we watch the dir containing the final file; previously
      it would be the dir with the first symlink.  We still do not monitor
      the entire path.

JH/06 Check for bad chars in rDNS for sender_host_name.  The OpenBSD (at least)
      dn_expand() is happy to pass them through.

JH/07 OpenSSL Fix auto-reload of changed server OCSP proof.  Previously, if
      the file with the proof had an unchanged name, the new proof(s) were
      loaded on top of the old ones (and nover used; the old ones were stapled).

JH/08 Bug 2915: Fix use-after-free for $regex<n> variables. Previously when
      more than one message arrived in a single connection a reference from
      the earlier message could be re-used.  Often a sigsegv resulted.
      These variables were introduced in Exim 4.87.
      Debug help from Graeme Fowler.

JH/09 Fix ${filter } for conditions that modify $value.  Previously the
      modified version would be used in construction the result, and a memory
      error would occur.

JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all.
      Find and fix by Jasen Betts.

JH/11 OpenSSL: fix for ancient clients needing TLS support for versions earlier
      than TLSv1,2,  Previously, more-recent versions of OpenSSL were permitting
      the systemwide configuration to override the Exim config.

HS/01 Bug 2728: Introduce EDITME option "DMARC_API" to work around incompatible
      API changes in libopendmarc.

JH/12 Bug 2930: Fix daemon startup.  When started from any process apart from
      pid 1, in the normal "background daemon" mode, having to drop process-
      group leadership also lost track of needing to create listener sockets.

JH/13 Bug 2929: Fix using $recipients after ${run...}.  A change made for 4.96
      resulted in the variable appearing empty.  Find and fix by Ruben Jenster.

JH/14 Bug 2933: Fix regex substring match variables for null matches. Since 4.96
      a capture group which obtained no text (eg. "(abc)*" matching zero
      occurrences) could cause a segfault if the corresponding $<n> was
      expanded.

JH/15 Fix argument parsing for ${run } expansion. Previously, when an argument
      included a close-brace character (eg. it itself used an expansion) an
      error occurred.

JH/16 Move running the smtp connect ACL to before, for TLS-on-connect ports,
      starting TLS.  Previously it was after, meaning that attackers on such
      ports had to be screened using the host_reject_connection main config
      option. The new sequence aligns better with the STARTTLS behaviour, and
      permits defences against crypto-processing load attacks, even though it
      is strictly an incompatible change.
      Also, avoid sending any SMTP fail response for either the connect ACL
      or host_reject_connection, for TLS-on-connect ports.

JH/17 Permit the ACL "encrypted" condition to be used in a HELO/EHLO ACL,
      Previously this was not permitted, but it makes reasonable sense.
      While there, restore a restriction on using it from a connect ACL; given
      the change JH/16 it could only return false (and before 4.91 was not
      permitted).

JH/18 Fix a fencepost error in logging.  Previously (since 4.92) when a log line
      was exactly sized compared to the log buffer, a crash occurred with the
      misleading message "bad memory reference; pool not found".
      Found and traced by Jasen Betts.

JH/19 Bug 2911: Fix a recursion in DNS lookups.  Previously, if the main option
      dns_again_means_nonexist included an element causing a DNS lookup which
      itself returned DNS_AGAIN, unbounded recursion occurred.  Possible results
      included (though probably not limited to) a process crash from stack
      memory limit, or from excessive open files.  Replace this with a paniclog
      whine (as this is likely a configuration error), and returning
      DNS_NOMATCH.

JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group.  Previously
      this always failed, probably leading to the usual downgrade to in-clear
      connections.

JH/21 Fix TLSA lookups.  Previously dns_again_means_nonexist would affect
      SERVFAIL results, which breaks the downgrade resistance of DANE.  Change
      to not checking that list for these lookups.

JH/22 Bug 2434: Add connection-elapsed "D=" element to more connection
      closure log lines.

JH/23 Fix crash in string expansions. Previously, if an empty variable was
      immediately followed by an expansion operator, a null-indirection read
      was done, killing the process.

JH/24 Bug 2997: When built with EXPERIMENTAL_DSN_INFO, bounce messages can
      include an SMTP response string which is longer than that supported
      by the delivering transport.  Alleviate by wrapping such lines before
      column 80.

JH/25 Bug 2827: Restrict size of References: header in bounce messages to 998
      chars (RFC limit).  Previously a limit of 12 items was made, which with
      a not-impossible References: in the message being bounced could still
      be over-large and get stopped in the transport.

JH/26 For a ${readsocket } in TLS mode, send a TLS Close Alert before the TCP
      close.  Previously a bare socket close was done.

JH/27 Fix ${srs_encode ..}.  Previously it would give a bad result for one day
      every 1024 days.

JH/28 Bug 2996: Fix a crash in the smtp transport.  When finding that the
      message being considered for delivery was already being handled by
      another process, and having an SMTP connection already open, the function
      to close it tried to use an uninitialized variable.  This would afftect
      high-volume sites more, especially when running mailing-list-style loads.
      Pollution of logs was the major effect, as the other process delivered
      the message.  Found and partly investigated by Graeme Fowler.

JH/29 Change format of the internal ID used for message identification. The old
      version only supported 31 bits for a PID element; the new 64 (on systems
      which can use Base-62 encoding, which is all currently supported ones
      but not Darwin (MacOS) or Cygwin, which have case-insensitive filesystems
      and must use Base-36).  The new ID is 23 characters rather than 16, and is
      visible in various places - notably logs, message headers, and spool file
      names.  Various of the ancillary utilities also have to know the format.
        As well as the expanded PID portion, the sub-second part of the time
      recorded in the ID is expanded to support finer precision.  Theoretically
      this permits a receive rate from a single comms channel of better than the
      previous 2000/sec.
        The major timestamp part of the ID is not changed; at 6 characters it is
      usable until about year 3700.
        Updating from previously releases is fully supported: old-format spool
      files are still usable, and the utilities support both formats.  New
      message will use the new format.  The one hints-DB file type which uses
      message-IDs (the transport wait- DB) will be discarded if an old-format ID
      is seen; new ones will be built with only new-format IDs.
      Optionally, a utility can be used to convert spool files from old to new,
      but this is only an efficiency measure not a requirement for operation
        Downgrading from new to old requires running a provided utility, having
      first stopped all operations.  This will convert any spool files from new
      back to old (losing time-precision and PID information) and remove any
      wait- hints databases.

JH/30 Bug 3006: Fix handling of JSON strings having embedded commas. Previously
      we treated them as item separators when parsing for a list item, but they
      need to be protected by the doublequotes.  While there, add handling for
      backslashes.

JH/31 Bug 2998: Fix ${utf8clean:...} to disallow UTF-16 surrogate codepoints.
      Found and fixed by Jasen Betts. No testcase for this as my usual text
      editor insists on emitting only valid UTF-8.

JH/32 Fix "tls_dhparam = none" under GnuTLS.  At least with 3.7.9 this gave
      a null-indirection SIGSEGV for the receive process.

JH/33 Fix free for live variable $value created by a ${run ...} expansion during
      -bh use.  Internal checking would spot this and take a panic.

JH/34 Bug 3013: Fix use of $recipients within arguments for ${run...}.
      In 4.96 this would expand to empty.

JH/35 Bug 3014: GnuTLS: fix expiry date for an auto-generated server
      certificate.  Find and fix by Andreas Metzler.

JH/36 Add ARC info to DMARC hostory records.

JH/37 Bug 3016: Avoid sending DSN when message was accepted under fakereject
      or fakedefer.  Previously the sender could discover that the message
      had in fact been accepted.

JH/38 Taint-track intermediate values from the peer in multi-stage authentation
      sequences.  Previously the input was not noted as being tainted; notably
      this resulted in behaviour of LOGIN vs. PLAIN being inconsistent under
      bad coding of authenticators.

JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
      and ${tr...}.  Found and diagnosed by Heiko Schlichting.

JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which
      CVE-2023-42115

JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
      be triggered by externally-controlled input.  Found by Trend Micro.
      CVE-2023-42116

JH/42 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could
      be triggered by externally-controlled input.  Found by Trend Micro.
      CVE-2023-42114

JH/43 Bug 2903: avoid exit on an attempt to rewrite a malformed address.
      Make the rewrite never match and keep the logging.  Trust the
      admin to be using verify=header-syntax (to actually reject the message).

JH/44 Bug 3033: Harden dnsdb lookups against crafted DNS responses.
      CVE-2023-42219
      could be triggered by externally-supplied input.  Found by Trend Micro.
      CVE-2023-42115

JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
      be triggered by externally-controlled input.  Found by Trend Micro.
      CVE-2023-42116

JH/42 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could
      be triggered by externally-controlled input.  Found by Trend Micro.
      CVE-2023-42114

JH/43 Bug 2903: avoid exit on an attempt to rewrite a malformed address.
      Make the rewrite never match and keep the logging.  Trust the
      admin to be using verify=header-syntax (to actually reject the message).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit e8600462c735db5d635b872db949f2b98337de95)

8 months agocryptsetup: update to version 2.7.1
Daniel Golle [Thu, 4 Apr 2024 02:01:39 +0000 (03:01 +0100)]
cryptsetup: update to version 2.7.1

The most notable change is the introduction of (optional) support for
hardware OPAL disk encryption. However, as this requires Linux 6.4 or
later, support for OPAL is implicitely disabled until targets used for
the package build have been updated to Linux 6.6.

See release notes for 2.7.0 and 2.7.1 for more details:

https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes
https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.1-ReleaseNotes

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 54a2534cb2b7b7f53ea21d07d0c56a3e577bcf96)

8 months agolvm2: update to LVM2 2.03.17 and libdm Version 1.02.187
Daniel Golle [Thu, 4 Apr 2024 01:59:17 +0000 (02:59 +0100)]
lvm2: update to LVM2 2.03.17 and libdm Version 1.02.187

LVM2 Version 2.03.17 - 10th November 2022
=========================================
  Add new options (--fs, --fsmode) for FS handling when resizing LVs.
  Fix 'lvremove -S|--select LV' to not also remove its historical LV right away.
  Fix lv_active field type to binary so --select and --binary applies properly.
  Switch to use mallinfo2 and use it only with glibc.
  Error out in lvm shell if using a cmd argument not supported in the shell.
  Fix lvm shell's lastlog command to report previous pre-command failures.
  Extend VDO and VDOPOOL without flushing and locking fs.
  Add --valuesonly option to lvmconfig to print only values without keys.
  Updates configure with recent autoconf tooling.
  Fix lvconvert --test --type vdo-pool execution.
  Add json_std output format for more JSON standard compliant version of output.
  Fix vdo_slab_size_mb value for converted VDO volume.
  Fix many corner cases in device_id, including handling of S/N duplicates.
  Fix various issues in lvmdbusd.

DM Version 1.02.187 - 10th November 2022
========================================
  Add DM_REPORT_GROUP_JSON_STD for more JSON standard compliant output format.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 20cc530004d84c631a6d11fde0cf3dd8f55d34a3)

8 months agognunet: update to version v0.21.0
Daniel Golle [Fri, 8 Mar 2024 23:26:56 +0000 (23:26 +0000)]
gnunet: update to version v0.21.0

This release marks a noteworthy milestone in that it includes a
completely new transport layer. It lays the groundwork for fixing some
major design issues and may also already alleviate a variety of issues
seen in previous releases related to connectivity. This change also
deprecates our testbed and ATS subsystem.

This is a new major release. It breaks protocol compatibility with the
0.20.x versions. Please be aware that Git master is thus henceforth
(and has been for a while) INCOMPATIBLE with the 0.20.x GNUnet
network, and interactions between old and new peers will result in
issues. In terms of usability, users should be aware that there are
still a number of known open issues in particular with respect to ease
of use, but also some critical privacy issues especially for mobile
users. Also, the nascent network is tiny and thus unlikely to provide
good anonymity or extensive amounts of interesting information. As a
result, the 0.21.0 release is still only suitable for early adopters
with some reasonable pain tolerance.

v0.21.0:

- Reworked PEERSTORE API

- Added record flag for maintenance records

- ensure traits can be generated with subsystem-specific prefixes for
  the symbols

- libgnunettesting first major testing NG refactor towards getting
  dependency structure streamlined

- Remove single-use API macro GNUNET_VA_ARG_ENUM

- major revision of blind signature API

- Introduced closure to hold store context when caling function to add
  hello in peerstore.

- Added DDLs for handling GNUNET_PEERSTORE_StoreHelloContext

- Removed old hello functionality.

- Refactoring components under src/ into lib/, plugin/, cli/ and
  service/

- add support for encoding/decoding double values as part of JSON to
  libgnunetjson

- Changed method GNUNET_HELLO_builder_get_expiration_time to not need
  parameter GNUNET_HELLO_Builder.

- Code moved to the core package to get rid of circular dependencies.

- Moved code to testing to have more generic test setup, which can be
  used not only from within transport.

- The old hello design replaced by the new hello design.

- Added api to get notified when hellos are stored with peerstore
  service.

- Added api to store hellos with peerstore service.

- Changed new hello uri api to allow to change the expiration time

- Moved start peer command to testing subsystem.

- Removed all usage of old transport api, beside peerinfo tool,
  gnunet-transport cli and usage in transport layer itself.

- Added __attribute__((deprecated)) to the old transport API

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 31e9aea1b659b34f9cc4e11ef4811f9e773ac036)

8 months agognunet: update to version 0.20.0
Daniel Golle [Wed, 20 Dec 2023 05:01:15 +0000 (05:01 +0000)]
gnunet: update to version 0.20.0

v0.20.0:
  - GNUNET_TESTING_get_testname_from_underscore renamed to GNUNET_STRINGS_get_suffix_from_binary_name and moved from libgnunettesting to libgnuneutil
  - Move GNUNET_s into libgnunetutil.
  - re-introduce compiler annotation for array size in signature
  - function-signature adjustment due to compiler error
  - GNUNET_PQ_get_oid removed, GNUNET_PQ_get_oid_by_name improved
  - Added GNUNET_PQ_get_oid_by_name
  - added GNUNET_PQ_get_oid()
  - Added new CCA-secure KEM and use in IDENTITY encryption
  - Add KEM API to avoid ephemeral private key management
  - Add new GNUNET_PQ_event_do_poll() API to gnunet_pq_lib.h
  - Added API to support arrays in query results
  - Improve PQ API documentation.
  - API for array types extended for times
  - API extended for array query types
  - relevant array-types in queries (not results) in postgresql added
  - just style fixes, int to enum
  - initial steps towards support of array-types in posgresql
  - adds GNUNET_JSON_spec_object_const() and GNUNET_JSON_spec_array_const()

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit dbae7f9493620c6047ac53a37a1690a6041e40f7)

8 months agognunet: update to version 0.19.4
Daniel Golle [Sat, 8 Jul 2023 11:29:30 +0000 (12:29 +0100)]
gnunet: update to version 0.19.4

v0.19.4:
  - No changes

v0.19.3:
  - We now detect MySQL's strange, version-dependent my_bool type on configure.
  - Add pkg-config definitions for gnunet messenger.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit bef5da553f40eb406e84be6c2738943c0c80e461)

8 months agolibcurl-gnutls: update to verison 8.7.1
Daniel Golle [Thu, 4 Apr 2024 02:35:48 +0000 (03:35 +0100)]
libcurl-gnutls: update to verison 8.7.1

See https://curl.se/changes.html#8_7_1

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 428e9da9df4358f6893012cd60d9bd267db43ae5)

8 months agolibcurl-gnutls: fix build
Aleksey Vasilenko [Wed, 21 Feb 2024 07:34:19 +0000 (09:34 +0200)]
libcurl-gnutls: fix build

- Missing --without-nghttp3 was leaking host includes and breaking the build
- Remove or rename deprecated configure options
- Add --disable-libcurl-option to reduce package size
- Use .xz instead of .bz2 for PKG_SOURCE

Signed-off-by: Aleksey Vasilenko <aleksey.vasilenko@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 30fe2d99ab0c4826b06890c18ea34415b6820b44)

8 months agolibcurl-gnutls: update to version 8.6.0
Konstantin Demin [Thu, 1 Feb 2024 00:29:58 +0000 (03:29 +0300)]
libcurl-gnutls: update to version 8.6.0

https://curl.se/changes.html#8_6_0

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
(cherry picked from commit af748ea6915e16e91bcd8b5402e474cf745eea55)

8 months agolibcurl-gnutls: update to version 8.5.0
Daniel Golle [Wed, 20 Dec 2023 03:42:41 +0000 (03:42 +0000)]
libcurl-gnutls: update to version 8.5.0

https://curl.se/changes.html#8_5_0

Pick upstream patch to fix build with gnuTLS and verbose strings removed.
The patch should be removed with the next version bump.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit cbdd619c23d4ccaf3bca229a659f70b2bcf7ab82)

8 months agolibcurl-gnutls: update to version 8.2.1
Daniel Golle [Sat, 8 Jul 2023 11:29:13 +0000 (12:29 +0100)]
libcurl-gnutls: update to version 8.2.1

See cURL changes for details:
https://curl.se/changes.html

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 7eaa2cd28454a2ef82fad49f26c7207ecf3f7db7)

8 months agophp8: update to 8.2.18
Michael Heimpold [Mon, 15 Apr 2024 20:05:44 +0000 (22:05 +0200)]
php8: update to 8.2.18

This fixes:
      - CVE-2024-1874
      - CVE-2024-2756
      - CVE-2024-3096

While at, switch to https download URL.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
8 months agogolang: Update to 1.21.9
Tianling Shen [Mon, 8 Apr 2024 13:12:57 +0000 (21:12 +0800)]
golang: Update to 1.21.9

go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
8 months agolighttpd: update to lighttpd 1.4.76 release hash
Glenn Strauss [Sat, 13 Apr 2024 03:06:24 +0000 (23:06 -0400)]
lighttpd: update to lighttpd 1.4.76 release hash

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit a5557a2a47f57c651dd5dc97eac40de26617de91)

8 months agoMerge pull request #23874 from stangri/openwrt-23.05-adblock-fast
Stan Grishin [Fri, 12 Apr 2024 20:39:55 +0000 (13:39 -0700)]
Merge pull request #23874 from stangri/openwrt-23.05-adblock-fast

[23.05] adblock-fast: improve Makefile's prerm

8 months agoMerge pull request #23815 from stangri/openwrt-23.05-curl
Stan Grishin [Fri, 12 Apr 2024 20:39:22 +0000 (13:39 -0700)]
Merge pull request #23815 from stangri/openwrt-23.05-curl

[23.05] curl: update to 8.7.1

8 months agolualanes: update to version 3.16.3 and use tarball
Josef Schlehofer [Tue, 5 Mar 2024 17:03:13 +0000 (18:03 +0100)]
lualanes: update to version 3.16.3 and use tarball

1. Update it to version 3.16.3
Release notes: https://github.com/LuaLanes/lanes/releases/tag/v3.16.3

2. Change to download tarball instead of checking out Git sources
In the previous commit (in the Fixes tag), it was changed to Git sources without any reason. Let's revert it back. Let's use again tagged release.

Fixes: b93e5b45b1daac827d429b51d8763226268f2b9a ("lualanes: Version bump to v3.16.2")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 8b7040b6de0d485fa3867ff315cd30f873c49a55)

8 months agolualanes: Version bump to v3.16.2
Mark Baker [Thu, 18 Jan 2024 18:52:58 +0000 (13:52 -0500)]
lualanes: Version bump to v3.16.2

Update the PKG_VERSION and PKG_SOURCE_VERSION to pull version 3.16.2
from upstream. The upstream version includes fixes for the
`pthread_yield: symbol not found` issue.

Removed patches 100-musl-compat.patch and 200-fix-redef-error.patch
as fixes were implemented upstream.

Build tested on aarch64, arm_cortex_a15/a9, i386, mips[el]_24kc,
powerpc_464fp/8548, riscv64, x86_64. Confirmed on x86_64.

Signed-off-by: Mark Baker <mark@vpost.net>
(cherry picked from commit 08e51ab50a452d1c6217f3a6767f66146814878b)

8 months agohwdata: update to 0.379
krant [Wed, 7 Feb 2024 13:35:30 +0000 (15:35 +0200)]
hwdata: update to 0.379

Signed-off-by: krant <aleksey.vasilenko@gmail.com>
(cherry picked from commit 9f45bfd3d5233284095a7bbe789c1f947138048c)

8 months agolibs/libdaq3: assign PKG_LICENSE_FILES
Fabrice Fontaine [Tue, 30 Jan 2024 20:13:59 +0000 (21:13 +0100)]
libs/libdaq3: assign PKG_LICENSE_FILES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit b2c548975de4ab3d917c78d5d405a9993965b8ad)

8 months agolibdaq3: update to 3.0.14
John Audia [Thu, 18 Jan 2024 19:13:43 +0000 (14:13 -0500)]
libdaq3: update to 3.0.14

Update to latest version.

Changelog: https://github.com/snort3/libdaq/releases/tag/v3.0.14

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 651b7e1f92f0733c1d128a7fe3869def9f065954)

8 months agolibdaq3: update to 3.0.13
John Audia [Wed, 8 Nov 2023 21:09:27 +0000 (16:09 -0500)]
libdaq3: update to 3.0.13

Upstream bump

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 4c05ae5f6c4e64f404fa435a63e94de381504f42)

8 months agolibdaq3: update to 3.0.11
John Audia [Wed, 28 Jun 2023 16:30:13 +0000 (12:30 -0400)]
libdaq3: update to 3.0.11

Upstream bump

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 9f2d3c5bf855773d5e5756652b640e2c0565d1a9)

8 months agosnort3: remove symbol @HAS_LUAJIT_ARCH
John Audia [Thu, 11 Apr 2024 18:10:31 +0000 (14:10 -0400)]
snort3: remove symbol @HAS_LUAJIT_ARCH

Remove symbol introduced in master to allow building.
Closes #23861

Signed-off-by: John Audia <therealgraysky@proton.me>
8 months agosnort3: update to 3.1.82.0
John Audia [Thu, 14 Mar 2024 19:14:45 +0000 (15:14 -0400)]
snort3: update to 3.1.82.0

Changelog: https://github.com/snort3/snort3/releases/tag/3.1.82.0

Removed patches/010-gcc13.patch

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.82.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.14
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 3.0.13 30 Jan 2024
           Using libpcap version 1.10.4 (with TPACKET_V3)
           Using PCRE version 8.45 2021-06-15
           Using ZLIB version 1.3.1
           Using Hyperscan version 5.4.2 2024-03-06
           Using LZMA version 5.4.6

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit fdebb16619b84831c2624f8fd8b9b38d732bc6df)

8 months agoadblock-fast: improve Makefile's prerm
Stan Grishin [Wed, 10 Apr 2024 23:56:43 +0000 (23:56 +0000)]
adblock-fast: improve Makefile's prerm

* improve output of Makefile's prerm routines

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 9eb61fe02da9085f1c211919af38e3c504098f61)

9 months agonode: April 3, 2024 Security Releases
Hirokazu MORIKAWA [Sun, 7 Apr 2024 02:47:53 +0000 (11:47 +0900)]
node: April 3, 2024 Security Releases

Notable Changes
* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
* llhttp version 9.2.1
* undici version 5.28.4

Changed to use gz according to main-snapshot

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
9 months agoirqbalance: update to version 1.9.4
Hannu Nyman [Fri, 5 Apr 2024 14:35:42 +0000 (17:35 +0300)]
irqbalance: update to version 1.9.4

Update irqbalance to version 1.9.4.

* refresh version in meson patch
* remove EINVAL handling patch as upstream seems to have silenced
  the log spam for unmanageable IRQs

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit b8d0049e7cb5ab5aaeb1c5517008dab4404faf6a)

9 months agoirqbalance Update init script to remove duplicate spaces
krant [Fri, 5 Apr 2024 14:35:26 +0000 (17:35 +0300)]
irqbalance Update init script to remove duplicate spaces

I have some strange issues with irqbalance sometimes overwritin
smp_affinity values for banned/ignored IRQs. The issue is reproduceable
and is mitigated when I change theway how the irqbalance command line is
built. The only difference between the resulting command is that there
is only one space between the -t parameter and the first -i parameter
value.

Also see https://github.com/Irqbalance/irqbalance/issues/297

Signed-off-by: Carsten Schuette <schuettecarsten@googlemail.com>
(cherry picked from commit 41e5b979f583ed29a6cafa33ef9b5825f5165a43)

9 months agonano: fix syntax highlighting for raw ucode scripts
Jo-Philipp Wich [Thu, 4 Apr 2024 23:33:50 +0000 (01:33 +0200)]
nano: fix syntax highlighting for raw ucode scripts

Text between interpreter line and start of first directive should only
highlighted as uninterpreted when running in template mode, so adjust
the match rule accordingly.

Fixes: #23761
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 8f9564387d136c2a09c763b4c4ac7e4aa16baeb5)

9 months agonano: add syntax highlighting for ucode scripts
Jo-Philipp Wich [Wed, 8 Nov 2023 13:53:37 +0000 (14:53 +0100)]
nano: add syntax highlighting for ucode scripts

Introduce local syntax highlighting support for ucode scripts, like
it is done already for uci configuration files.

Ref: https://github.com/jow-/ucode/issues/178
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit d8a574f7f0eb2f5970119a2b0527048583054180)

9 months agocurl: update to 8.7.1
Stan Grishin [Sun, 31 Mar 2024 16:36:19 +0000 (16:36 +0000)]
curl: update to 8.7.1

* update to 8.7.1: https://curl.se/changes.html#8_7_1
* use the new --disable-docs flag for configure
* update 200-no_docs_tests.patch
* switch to APK-compatible revision

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 227c8daa159acdc84aad9e06a6a33f7d07263130)

9 months agokmsbd-tools: switch to use tagged release
Andrea Pesaresi [Sat, 30 Mar 2024 08:41:35 +0000 (09:41 +0100)]
kmsbd-tools: switch to use tagged release

Instead of checking Git sources, we will use now tagged releases.

This solve the strange version 0~3.5.1-r1, now will be 3.5.2-r2

Signed-off-by: Andrea Pesaresi <andreapesaresi82@gmail.com>
(cherry picked from commit f8a7ee7f4757bc12e081deb3296ddbdbcd5f33b4)

9 months agoksmbd-tools: update to 3.5.1
Rosen Penev [Sat, 13 Jan 2024 03:13:29 +0000 (19:13 -0800)]
ksmbd-tools: update to 3.5.1

Various fixes for ksmbd, most notably a visibility fix for the latest
ksmbd code.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit e9e1ae23862ceeaa95939b2a7cfa9156c5338f89)

9 months agodocker-compose: add PKG_NAME to PKG_SOURCE
Javier Marcet [Sat, 30 Mar 2024 15:59:10 +0000 (16:59 +0100)]
docker-compose: add PKG_NAME to PKG_SOURCE

Before this change, the tarball was downloaded as vVERSION.tar.gz.
For example, it was v2.26.1.tar.gz and that file was put into the dl folder
within the OpenWrt build system.

After this change, the tarball is properly downloaded as NAME-vVERSION.tar.gz.
In this case, it will look like this: docker-compose-v.2.26.1.tar.gz

The advantages of using this:
- Users, developers will know that what they downloaded (it has name and version)
- The tarball will not be overwritten by another package with the same version.

Signed-off-by: Javier Marcet <javier@marcet.info>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[added commit message]
(cherry picked from commit 261b38c14bed7865d244f24d0adb1bb33e963b88)

9 months agoacme: standardize key_type
Glen Huang [Wed, 17 May 2023 09:53:51 +0000 (17:53 +0800)]
acme: standardize key_type

keylength, being an acme.sh value type, uses pure numbers for rsa keys.
This can be disorienting for other acme clients. This change introduces
a new option "key_type" that aims to remove this ambiguity, and makes
all key type names follow the same pattern, making acme-common more
client agnostic.

Signed-off-by: Glen Huang <me@glenhuang.com>
(cherry picked from commit 6d61014e51266f1cb083d9f31491f9c5fb73eeb0)

9 months agosing-box: update to 1.8.10
Van Waholtz [Mon, 25 Mar 2024 12:40:46 +0000 (20:40 +0800)]
sing-box: update to 1.8.10

Signed-off-by: Van Waholtz <brvphoenix@gmail.com>
(cherry picked from commit 1ca47e0ed4eecd56befc3516739b2cbcdb2aa702)

9 months agosing-box: restart if the specified interfaces start up
Van Waholtz [Mon, 25 Mar 2024 12:40:46 +0000 (20:40 +0800)]
sing-box: restart if the specified interfaces start up

Signed-off-by: Van Waholtz <brvphoenix@gmail.com>
(cherry picked from commit da03a29cda0898e1a3e46e242b73a7795bbef492)

9 months agosing-box: update to 1.8.7
Van Waholtz [Wed, 28 Feb 2024 13:32:53 +0000 (21:32 +0800)]
sing-box: update to 1.8.7

Signed-off-by: Van Waholtz <brvphoenix@gmail.com>
(cherry picked from commit 3917a0af5878eb7ce76feff9affd06902806f370)

9 months agoacme-common: backport config fixes from master
Toke Høiland-Jørgensen [Wed, 27 Mar 2024 20:51:49 +0000 (21:51 +0100)]
acme-common: backport config fixes from master

Backport config changes from commit 04ac8c177d9a ("acme-common: simplify config
example") from master, and apply the subsequent fixup. This should fix the issue
with ACME not working in Luci (resolving #23756).

Keep the version number bump as a bugfix (1.0.4) since we have not backported
all the ACME changes to 23.05.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
9 months agorust: update to 1.77.0
krant [Sun, 24 Mar 2024 09:47:43 +0000 (11:47 +0200)]
rust: update to 1.77.0

- Restore patch hunk mis-deleted in dccb910
- Refresh patches
- Remove --enable-missing-tools configure option deleted in the upstream

Signed-off-by: krant <aleksey.vasilenko@gmail.com>
(cherry picked from commit 7f01006f96190947a799621970bfdc719af732ec)

9 months agorust: update to 1.76.0
krant [Sat, 24 Feb 2024 16:47:34 +0000 (18:47 +0200)]
rust: update to 1.76.0

- Use .xz for source archive
- Refresh patches

Signed-off-by: krant <aleksey.vasilenko@gmail.com>
(cherry picked from commit dccb910ae0cb3d654a6432f7b82cd44d46db75e2)

9 months agouspot: update to Git HEAD (2024-03-25)
Thibaut VARÈNE [Mon, 25 Mar 2024 10:33:51 +0000 (11:33 +0100)]
uspot: update to Git HEAD (2024-03-25)

56eebdad085e uspot: wrap spotfilter device under tip_mode
1a96d57e5fe0 uspot: client_enable() wrap spotfilter data in tip_mode
fe12f9a7abde uspot: clear ratelimit state on startup/shutdown
976badc4d0b6 update README
53b8cb88a94a Makefile: require minimum ucode version
ff6163190d5a uspot/portal: report client_enable() failure
8601d9199233 include sample radcli dictionaries
c670f6c4b48f update README
094f0df88150 uspot: work around ucode#191 missing in 23.05

Update the package Makefile to reflect the changes from the following
above-listed commit:

53b8cb88a94a Makefile: require minimum ucode version

Fixes: https://github.com/f00b4r0/uspot/issues/4
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
(cherry picked from commit bc33522715342e04461000fc119ec71df12514a1)

9 months agodnsproxy: Update to 0.66.0
Tianling Shen [Thu, 21 Mar 2024 07:03:35 +0000 (15:03 +0800)]
dnsproxy: Update to 0.66.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 4448d9f4a10bdfb3f86105f974f61db7e4f483fb)

9 months agocloudflared: Update to 2024.3.0
Tianling Shen [Thu, 21 Mar 2024 07:03:30 +0000 (15:03 +0800)]
cloudflared: Update to 2024.3.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit bcb75533851c51bff4628d4273d2388d7007f6c8)

9 months agov2ray-geodata: Update to latest version
Tianling Shen [Thu, 21 Mar 2024 07:03:14 +0000 (15:03 +0800)]
v2ray-geodata: Update to latest version

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 7cb8ac09661aebec6b125ad494411d9804055708)

9 months agov2ray-core: Update to 5.15.1
Tianling Shen [Thu, 21 Mar 2024 07:03:07 +0000 (15:03 +0800)]
v2ray-core: Update to 5.15.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit b62792868216259b76b5dd11ea2c1fe583d91a3b)

9 months agorclone: Update to 1.66.0
Tianling Shen [Tue, 19 Mar 2024 04:37:49 +0000 (12:37 +0800)]
rclone: Update to 1.66.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 7ce54fa9127c280af48d9f3cde9c2ef6b89e3f29)

9 months agop910nd: fix running multiple instances
Peca Nesovanovic [Wed, 20 Mar 2024 20:21:36 +0000 (21:21 +0100)]
p910nd: fix running multiple instances

Compile tested: (ramips, rb760igs, 23.05 snapshot)
Run tested: (ramips, rb760igs, 23.05 snapshot, tests done)

Description:
In case we have multiple device defined in /etc/config/p910nd then init script will try to start multiple instance with same instance name
drop instance name as resolution

tested on 23.05 snapshot with 2 USB printers

Signed-off-by: Peca Nesovanovic <peca.nesovanovic@sattrakt.com>
(cherry picked from commit 152d80ce1326d0b1fee8e324ec8e68dd9f44cf4a)

9 months agogolang: Update to 1.21.8
Tianling Shen [Thu, 21 Mar 2024 06:53:59 +0000 (14:53 +0800)]
golang: Update to 1.21.8

go1.21.8 (released 2024-03-05) includes security fixes to the crypto/x509,
html/template, net/http, net/http/cookiejar, and net/mail packages,
as well as bug fixes to the go command and the runtime.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
9 months agosyslog-ng: enable http module based on zlib support in curl
Josef Schlehofer [Tue, 5 Mar 2024 19:44:47 +0000 (20:44 +0100)]
syslog-ng: enable http module based on zlib support in curl

Since version 4.4.0, syslog-ng added compression to http() destination
using zlib from curl. [1] However, zlib is currently disabled in curl [2]
and it prevented syslog-ng to start.

This commit changes the configuration opinion to enable http module only if
zlib support is enabled for curl and as well it adds dependency for zlib (in that case).
If the zlib is disabled, then it disables http module, so syslog-ng can start
and thus zlib dependency is not required.

[1] https://gitlab.nic.cz/turris/os/packages/-/issues/932
[2] https://github.com/openwrt/packages/blob/93cbaacbfb13048ad378520a7afea7c9027dd1d6/net/curl/Config.in#L134
Fixes: 4dd49d7c3cd571107958154f1ed1ec8d8dba7464 ("syslog-ng: update to version 4.4.0")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 1e14d95d78d03ab163653166652972ca3e8c366e)

9 months agoci: set correct arch for rootfs tests
Paul Spooren [Thu, 14 Mar 2024 13:46:15 +0000 (14:46 +0100)]
ci: set correct arch for rootfs tests

With the commit 01e5cfc "CI: Add target/arch tags (no suffix) for
snapshot images"[1] the os/platform is set for all images, which is usually
different from what the GitHub action runner uses (x86). The Docker
deamon still tries to fetch the x86 version and fails.

This commit explicitly sets the fitting arch.

[1]: https://github.com/openwrt/docker/commit/01e5cfccd73a72ecab730496607c7c22b904f366

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit d359fa04eda29638b9326c194490685c1177fd49)