Commit Graph

5977 Commits

Author SHA1 Message Date
Alexey Dobrovolsky 93360e6256 freeradius3: add meta-package for default modules
This meta-package contains only dependencies for modules needed in
FreeRADIUS default configuration.

This commit adds missing description and install sections.

(backported from commit 7737abf)
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
2020-10-14 21:35:07 +03:00
Olivier Poitrey 50a67ed74b nextdns: Update to version 1.8.6
Signed-off-by: Olivier Poitrey <rs@nextdns.io>
2020-10-11 21:19:41 +00:00
Josef Schlehofer 2ad15b0375 Merge pull request #13624 from mlichvar/chrony-update-3.5.1
[19.07] chrony: update to 3.5.1
2020-10-10 23:50:30 +02:00
Miroslav Lichvar b48575ef4d chrony: update to 3.5.1
Fixes CVE-2020-14367.

Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
2020-10-10 16:45:15 +02:00
Josef Schlehofer 35e6986a09 nextdns: mark /etc/config/nextdns as configuration file
Conffile was set for OpenWrt master, but it is not present in OpenWrt
19.07. When /etc/config/nextdns is not set as conffile, it gets
overwritten by each update of nextdns and the user needs to set up it again.

This can be simply reproduced by these steps:
opkg update
opkg install nextdns
edit or add smth to /etc/config/nextdns, save it
then do: opkg install nextdns --force-reinstall
And /etc/config/nextdns gets overwritten by default values

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2020-10-10 10:12:53 +02:00
Stan Grishin 418e3b2948 simple-adblock: config update file fix
Signed-off-by: Stan Grishin <stangri@melmac.net>
2020-10-09 17:30:45 -10:00
Dirk Brenken f3b424139f adblock: refresh blocklist sources
* rename 'smarttv' to 'smarttv_tracking'
* added 'firetv_tracking' and 'android_tracking' (thanks @panache67)
* added 'gaming' (thanks @hasanlo in openwrt forum)
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit c01beb0679)
2020-10-04 19:41:50 +02:00
Christian Lachner 2976a5a0ea haproxy: Update HAProxy to v2.0.18
- Update haproxy download URL and hash

Signed-off-by: Christian Lachner <gladiac@gmail.com>
2020-10-02 09:20:06 +02:00
Rosen Penev 6ab6a7a897 Merge pull request #13468 from ja-pa/tor-update-0.4.4.5-19.07
[OpenWrt 19.07]tor: update to version 0.4.4.5
2020-10-01 14:43:22 -07:00
Jan Pavlinec eec7bd6468 tor: update to version 0.4.4.5
Disable ac_cv_func_mallinfo because of arc arch.

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
2020-10-01 13:17:18 +02:00
Olivier Poitrey 05ea7dfc63 nextdns: Update to version 1.8.5
Signed-off-by: Olivier Poitrey <rs@nextdns.io>
2020-09-29 18:19:36 +00:00
Olivier Poitrey 826fc8921a nextdns: Update to version 1.8.4
Signed-off-by: Olivier Poitrey <rs@nextdns.io>
2020-09-26 10:52:41 -10:00
Nikos Mavrogiannopoulos ac7f782850 openconnect: updated to 8.10 to address CVE-2020-12823
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-09-23 18:09:07 +02:00
Florian Eckert 925dfc1d1a Merge pull request #13466 from aaronjg/openwrt-19.07
mwan3: fix typo in mwan3_set_sticky_iptables [19.07] [bugfix]
2020-09-23 08:30:52 +02:00
Aaron Goodman 49459505e7 mwan3: fix typo in mwan3_set_sticky_iptables
fixes #13443

Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
2020-09-22 19:18:19 -04:00
Nikos Mavrogiannopoulos cae961784e ocserv: include ocserv-worker
Resolves: #13465

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-09-22 21:24:56 +02:00
Stan Grishin 2af61c9a40 vpnbypass: README update, code cleanup
Signed-off-by: Stan Grishin <stangri@melmac.net>

update

Signed-off-by: Stan Grishin <stangri@melmac.net>
2020-09-21 23:03:13 -10:00
Nikos Mavrogiannopoulos b00feac4b5 ocserv: updated to 1.1.1 2020-09-21 23:11:21 +02:00
Alexey Kuznetsov c614914da0 miniupnpd: add miniupnpd ipv6_disable option, #11971 close
Signed-off-by: Alexey Kuznetsov <axet@me.com>
(cherry picked from commit 9b6537b487)
2020-09-20 17:56:12 -07:00
Stan Grishin 70e57317b7 simple-adblock: add config auto-update feature
Signed-off-by: Stan Grishin <stangri@melmac.net>
2020-09-20 00:16:50 +00:00
Karl Palsson 207660987c net/u2pnpd: convert init to procd
Drops pid files, no longer needed with procd management.
Now properly reloads on reload_config after UCI changes.

Signed-off-by: Karl Palsson <karlp@etactica.com>

[ Fixed two shellcheck warnings and bump PKG_RELEASE ]
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2020-09-14 17:00:17 +00:00
Josef Schlehofer f99f60d7b7 Merge pull request #13385 from odmdas/odmdas-freeradius3-radtest-19.07
[19.07] freeradius3: enable radtest utility and adapt it to OpenWrt
2020-09-14 04:52:37 +02:00
Alexey Dobrovolsky 2d410422c5 freeradius3: fix hostname invocation in radtest
Canonical radtest start results in an error:

$ radtest bob hello localhost 0 testing123
/usr/bin/radtest: line 1: hostname: not found
(0) Error parsing "stdin": Failed to get value

hostname command is not present in OpenWrt.
Instead, hostname can be obtained from file /proc/sys/kernel/hostname.

added: 005-get-hostname-from-proc-in-radtest.patch

(backported from commit 8b2792a)
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
2020-09-14 01:36:30 +03:00
Alexey Dobrovolsky 066ac03921 freeradius3: enable radtest utility
radtest utility is used in many manuals to check the operation of
radius server.

At the moment all parameters must be specified at startup, for example:

$ radtest bob hello localhost 0 testing123 0 localhost

(backported from commit 6480acd)
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
2020-09-14 00:32:08 +03:00
Andy Walsh 338fa663ca samba4: update to 4.11.12
* update to 4.11.12
* fix optional modules not included on module build (vfs_btrfs, vfs_linux_xfs_sgid)

Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
2020-09-13 18:22:21 +02:00
Olivier Poitrey 62171036b2 nextdns: Update to version 1.8.3
Signed-off-by: Olivier Poitrey <rs@nextdns.io>
2020-09-10 17:25:37 +00:00
Olivier Poitrey a2634c2646 nextdns: Update to version 1.8.2
Signed-off-by: Olivier Poitrey <rs@nextdns.io>
2020-09-08 10:33:53 +00:00
Eric Luehrsen 54847cc7c1 unbound: improve odhcpd rapid update robustness
cherry-pick: bce5f44f5af6510db484389b8cc0636f6de08877
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
2020-09-05 10:19:38 -04:00
Jan Hak 8b0457c55e knot: update to version 2.9.6
Signed-off-by: Jan Hak <jan.hak@nic.cz>
(cherry picked from commit 60a35cd1c6)
2020-09-02 13:27:44 +02:00
Jan Pavlinec f2edf8c537 git: update to version 2.26.2 (security fix)
Fixes CVE-2020-11008

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
2020-09-01 14:09:32 +02:00
Jan Pavlinec 3c6b45ab38 clamav: update to version 0.102.4 (security fix)
Fixes
CVE-2020-3481

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
(cherry picked from commit 5d7164aaba)
2020-08-24 13:28:58 +02:00
Jan Pavlinec 0202fdc277 clamav: update to version 0.102.3 (security fix)
Fixes:
CVE-2020-3341
CVE-2020-3327

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
(cherry picked from commit 168efe753d)
2020-08-24 13:28:40 +02:00
Lucian Cristian c5c0e2e337 clamav: update to 0.102.2
Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(cherry picked from commit 24eeea366d)
2020-08-24 13:27:55 +02:00
Noah Meyerhans 9700cea704 bind: New upstream version 9.16.6
Several security issures are addressed:

 - CVE-2020-8620 It was possible to trigger an assertion failure by sending
   a specially crafted large TCP DNS message.
 - CVE-2020-8621 named could crash after failing an assertion check in
   certain query resolution scenarios where QNAME minimization and
   forwarding were both enabled. To prevent such crashes, QNAME minimization is
   now always disabled for a given query resolution process, if forwarders are
   used at any point.
 - CVE-2020-8622 It was possible to trigger an assertion failure when
   verifying the response to a TSIG-signed request.
 - CVE-2020-8623 When BIND 9 was compiled with native PKCS#11 support, it
   was possible to trigger an assertion failure in code determining the
   number of bits in the PKCS#11 RSA public key with a specially crafted
   packet.
 - CVE-2020-8624 update-policy rules of type subdomain were incorrectly
   treated as zonesub rules, which allowed keys used in subdomain rules to
   update names outside of the specified subdomains. The problem was fixed by
   making sure subdomain rules are again processed as described in the ARM.

Full release notes are available at
https://ftp.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit cf61f7f8ef)
2020-08-24 10:33:04 +02:00
Tiago Gaspar 256a631d9c bind: update to 9.16.4
This update fixes the following CVE's:
- CVE-2020-8618
- CVE-2020-8619

More info on bug fixes and feature changes in:
https://downloads.isc.org/isc/bind9/9.16.4/doc/arm/html/notes.html

Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
(cherry picked from commit b8f8af8a30)
2020-08-24 10:32:59 +02:00
Stan Grishin ac79fde24b simple-adblock: bugfix: update config; use command -v
Signed-off-by: Stan Grishin <stangri@melmac.net>
2020-08-21 23:29:18 +00:00
Karl Palsson 9ec9bea25b net/mosquitto: Update to 1.6.12
Security release.  From the changelog:

- In some circumstances, Mosquitto could leak memory when handling PUBLISH
  messages. This is limited to incoming QoS 2 messages, and is related
  to the combination of the broker having persistence enabled, a clean
  session=false client, which was connected prior to the broker restarting,
  then has reconnected and has now sent messages at a sufficiently high rate
  that the incoming queue at the broker has filled up and hence messages are
  being dropped. This is more likely to have an effect where
  max_queued_messages is a small value. This has now been fixed. Closes
  https://github.com/eclipse/mosquitto/issues/1793

Changelog: https://mosquitto.org/blog/2020/08/version-1-6-12-released/

Signed-off-by: Karl Palsson <karlp@etactica.com>
2020-08-19 15:29:30 +00:00
Matthias Schiffer 59d39c09d8 openvswitch: backport patch to fix build against kernel 4.14.193
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-08-15 09:20:04 +08:00
Dirk Brenken 03e8f0e0c5 adblock: refresh blocklist sources
* remove 'dshield' and 'sysctl' (discontinued)
* switch 'malwaredomains', 'shallalist' and 'winhelp' to https
* add a second regional list for poland (provided by matx1002)
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 5ba498f7c8)
2020-08-14 19:53:12 +02:00
Karl Palsson 58e39c4b25 mosquitto: update to 1.6.11
Full release notes: https://mosquitto.org/blog/2020/08/version-1-6-11-released/

Variety of generally minor bugfixes, mostly in the broker.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2020-08-12 14:01:39 +00:00
Hannu Nyman f91521f756 nlbwmon: add hotplug script to reload after interface ifup
Add a hotplug script to reload nlbwmon's config after interface
ifup actions.

That should improve the detection of the IPv6 LAN address
that can get enabled a bit later in the boot process.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit 25dfa20780)
2020-08-09 19:43:59 +03:00
Hannu Nyman b6185d4026 nlbwmon: add conffiles
Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>

Adapted from treewide commit 0ec746ccb6 for just nlbwmon.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2020-08-09 19:42:37 +03:00
Rosen Penev e6cad65f09 Merge pull request #13054 from micmac1/apa2446-19.07
[19.07] apache: security bump to 2.4.46
2020-08-08 12:42:02 -07:00
Rosen Penev 92aff96a2f Merge pull request #13056 from odmdas/odmdas-freeradius3-Makefile-19.07
[19.07] freeradius3: add missing conffiles to Makefile
2020-08-08 12:40:46 -07:00
Alexey Dobrovolsky 3fb559e8b0 freeradius3: add missing conffiles to Makefile
Config files
/etc/freeradius3/policy.d/accounting
/etc/freeradius3/policy.d/filter
/etc/freeradius3/proxy.conf
/etc/freeradius3/sites-available/default
and link
/etc/freeradius3/sites-enabled/default
are in the freeradius3 package and are mentioned in the main config file
/etc/freeradius3/radiusd.conf
Thus, they must be explicitly specified in the Makefile.

File
/etc/freeradius3/sites/default
is not included in the package, is not created during installation,
is not mentioned in the main config file and should therefore be excluded
from the Makefile.

Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
(cherry picked from commit f6974b8f3c)
2020-08-08 18:51:24 +03:00
Sebastian Kemper f5a57e42ca apache: security bump to 2.4.46
From CHANGES_2.4:

SECURITY: CVE-2020-11984 (cve.mitre.org)
  mod_proxy_uwsgi: Malicious request may result in information disclosure
  or RCE of existing file on the server running under a malicious process
  environment. [Yann Ylavic]

SECURITY: CVE-2020-11993 (cve.mitre.org)
  mod_http2: when throttling connection requests, log statements
  where possibly made that result in concurrent, unsafe use of
  a memory pool. [Stefan Eissing]

SECURITY:
  mod_http2: a specially crafted value for the 'Cache-Digest' header
  request would result in a crash when the server actually tries
  to HTTP/2 PUSH a resource afterwards.
  [Stefan Eissing, Eric Covener, Christophe Jaillet]

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2020-08-08 16:19:45 +02:00
Sebastian Kemper 61f3bd507c apache/apr/apr-util: remove maintainer
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2020-08-08 16:19:34 +02:00
Sebastian Kemper 234fe24e48 apache: revisit suEXEC setup
When adding suEXEC to the apache package, Alpine's package [1] served as
a template. Not enough attention was paid to the details.

Alpine uses a different layout. So for OpenWrt to use /var/www as
DocumentRoot does not make sense. /var is also volatile on OpenWrt. This
commit removes the configure argument. The default is htdocsdir.

This also does away with uidmin/gidmin 99. The default is 100, which is
fine.

Finally, the suexec binary is moved from /usr/sbin to
/usr/lib/apache2/suexec_dir. Upstream recommends installing suexec with
"4750" (see [2]) and the group set to the user's group. While that would
be possible, it would cause a few headaches on OpenWrt. The group would
need to be changed first in a post-install script and a call to chmod
would need to be made afterward, to make the binary SUID again.

It's easier to hide the SUID binary away from others in a directory.
This way we don't need to use chmod in the post-install script.

[1] https://github.com/alpinelinux/aports/tree/master/main/apache2
[2] https://httpd.apache.org/docs/2.4/suexec.html

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2020-08-08 16:19:22 +02:00
Sebastian Kemper d5096a76f5 apache: create log directory o=
Hides away the contents of the log directory from others.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2020-08-08 16:19:10 +02:00
Eric Luehrsen 47288133f0 unbound: update to 1.11.0
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
2020-08-07 01:10:27 -04:00