openssl sets additional cflags in its configuration script. We need to
make it aware of our custom cflags to avoid adding conflicting cflags.
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
Fix a typo where the wrong KCONFIG was used and fix selecting the
correct kernel config option to use these packages.
Fixes: 4f443c885ded ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]
o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
o Fixed handling of invalid certificate policies in leaf certificates
(CVE-2023-0465)
o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add new package for building bootloader for the SiFive U-series boards. Supported
boards at this stage are the HiFive Unleashed and HiFive Unmatched.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
OpenSBI is a form of a first-stage bootloader, which initializes
certain parts of an SoC and then passes on control to the second
stage bootloader i.e. an u-boot image.
We're introducing the package with release v1.2, which provides
SBI v0.3 and the SBI SRST extensions which helps to gracefully
reboot/shutdown various HiFive-U SoCs.
Tested on SiFive Unleashed and Unmatched boards.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
The MDIO bus multiplexing framework is used by some drivers
such as dwmac-sun8i.
As this is a per-driver requirement, set it to be hidden in the menu.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
The firmware file for mt7601u (MediaTek MT7601U Wireless MACs) has
been moved to the mediatek/ folder by commit
8451c2b1 mt76xx: Move the old Mediatek WiFi firmware to mediatek
Address this by updating the location of the firmware file in our
linux-firmware Makefile generating the mt7601u-firmware package.
All other MediaTek Wi-Fi firmware files are supplied by OpenWrt's
own repository rather than being taken from linux-firmware.
Fixes: d53fe5d9ce ("linux-firmware: update to 20230515")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Package offloading firmware for MT7981 which has been added to
linux-firmware recently and became available in this release.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Ensure the MAC address for all NanoPi R1 boards is assigned uniquely for
each board.
The vendor ships the device in two variants; one with and one without
eMMC; but both without static mac-addresses.
In order to assign both board types unique MAC addresses, fall back on
the same method used for the NanoPi R2S and R4S in case the EEPROM
chip is not present by generating the board MAC from the SD card CID.
[0] https://wiki.friendlyelec.com/wiki/index.php/NanoPi_R1#Hardware_Spec
Similar too and based on:
commit b5675f500daf ("rockchip: ensure NanoPi R4S has unique MAC address")
Co-authored-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
Synchronize the ath11k backports with the current ath-next tree.
This replaces the 160MHz with the upstreamed one, fixes 6GHz only WIPHY
registration, allows SAR usage on WCN6750 and plenty of REO fixes.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Fix the trivial abscence of $() when assigning engine config files to
the main libopenssl-config package even if the corresponding engines
were not built into the main library.
This is mostly cosmetic, since scripts/ipkg-build tests the file's
presence before it is actually included in the package's conffiles.
Fixes: 30b0351039 "openssl: configure engine packages during install"
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:
- Excessive Resource Usage Verifying X.509 Policy Constraints
(CVE-2023-0464)
Severity: Low
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit
this vulnerability by creating a malicious certificate chain that
triggers exponential use of computational resources, leading to a
denial-of-service (DoS) attack on affected systems.
Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
- Invalid certificate policies in leaf certificates are silently ignored
(CVE-2023-0465)
Severity: Low
Applications that use a non-default option when verifying certificates
may be vulnerable to an attack from a malicious CA to circumvent
certain checks.
Invalid certificate policies in leaf certificates are silently ignored
by OpenSSL and other certificate policy checks are skipped for that
certificate. A malicious CA could use this to deliberately assert
invalid certificate policies in order to circumvent policy checking on
the certificate altogether.
Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466. It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.
Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
