All patches refreshed.
Verbatim copy from upstream's NEWS file:
* Version 3.8.9 (released 2025-02-07)
** libgnutls: leancrypto was added as an interim option for PQC
The library can now be built with leancrypto instead of liboqs for
post-quantum cryptography (PQC), when configured with
--with-leancrypto option instead of --with-liboqs.
** libgnutls: Experimental support for ML-DSA signature algorithm
The library and certtool now support ML-DSA signature algorithm as
defined in FIPS 204 and based on
draft-ietf-lamps-dilithium-certificates-04. This feature is
currently marked as experimental and can only be enabled when
compiled with --with-leancrypto or --with-liboqs.
Contributed by David Dudas.
** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
The support for ML-KEM post-quantum key encapsulation mechanisms
has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
draft-kwiatkowski-tls-ecdhe-mlkem-03.
** libgnutls: Fix potential DoS in handling certificates with numerous name
constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
bundled copy of libtasn1 has also been updated to the latest 4.20.0
release to complete the fix. Reported by Bing Shi (#1553).
[GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]
** API and ABI modifications:
GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t
GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t
* Version 3.8.8 (released 2024-11-05)
** libgnutls: Experimental support for X25519MLKEM768 and SecP256r1MLKEM768 key exchange in TLS 1.3
The support for post-quantum key exchanges has been extended to
cover the final standard of ML-KEM, following
draft-kwiatkowski-tls-ecdhe-mlkem. The minimum supported version of
liboqs is bumped to 0.11.0.
** libgnutls: All records included in an OCSP response are now checked in TLS
Previously, when multiple records are provided in a single OCSP
response, only the first record was considered; now all those
records are examined until the server certificate matches.
** libgnutls: Handling of malformed compress_certificate extension is now more standard compliant
The server behavior of receiving a malformed compress_certificate
extension now more strictly follows RFC 8879; return
illegal_parameter alert instead of bad_certificate, as well as
overlong extension data is properly rejected.
** build: More flexible library linking options for compression libraries, TPM, and liboqs support
The configure options, --with-zstd, --with-brotli, --with-zlib,
--with-tpm2, and --with-liboqs now take 4 states:
yes/link/dlopen/no, to specify how the libraries are linked or
loaded.
** API and ABI modifications:
No changes since last version.
* Version 3.8.7 (released 2024-08-15)
** libgnutls: New configure option to compile out DSA support
The --disable-dsa configure option has been added to completely disable DSA
algorithm support.
** libgnutls: Experimental support for X25519Kyber768Draft00 key exchange in TLS
For testing purposes, the hybrid post-quantum key exchange defined
in draft-tls-westerbaan-xyber768d00 has been implemented using
liboqs. Since the algorithm is still not finalized, the support of
this key exchange is disabled by default and can be enabled with
the --with-liboqs configure option.
** API and ABI modifications:
GNUTLS_PK_MLKEM768: New enum member of gnutls_pk_algorithm_t
* Version 3.8.6 (released 2024-07-03)
** libgnutls: PBMAC1 is now supported as a MAC mechanism for PKCS#12
To be compliant with FIPS 140-3, PKCS#12 files with MAC based on
PBKDF2 (PBMAC1) is now supported, according to the specification
proposed in draft-ietf-lamps-pkcs12-pbmac1.
** libgnutls: SHA3 extendable output functions (XOF) are now supported
SHA3 XOF, SHAKE128 and SHAKE256, are now usable through a new
public API gnutls_hash_squeeze.
** API and ABI modifications:
gnutls_pkcs12_generate_mac3: New function
gnutls_pkcs12_flags_t: New enum
gnutls_hash_squeeze: New function
Compile tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09
Compile tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09
Compile tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09
Run tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09, booted and used for 7h without issues
Signed-off-by: Pascal Ernster <git@hardfalcon.net>
Verbatim copy from upstream's release notes:
Notes for BIND 9.20.7
- New Features
- Implement the min-transfer-rate-in configuration option.
- A new option min-transfer-rate-in has been added to the view and zone configurations. It can abort incoming zone transfers that run very slowly due to network-related issues, for example. The default value is 10240 bytes in five minutes. [GL #3914]
- Add HTTPS record query to host command line tool.
- The host command was extended to also query for the HTTPS RR type by default.
- Implement sig0key-checks-limit and sig0message-checks-limit.
- Previously, a hard-coded limitation of a maximum of two key or message verification checks was introduced when checking a message’s SIG(0) signature, to protect against possible DoS attacks. Two as a maximum was chosen so that more than a single key should only be required during key rotations, and in that case two keys are enough. It later became apparent that there are other use cases where even more keys are required; see the related GitLab issue for examples.
- This change introduces two new configuration options for the views: sig0key-checks-limit and sig0message-checks-limit. They define how many keys can be checked to find a matching key, and how many message verifications are allowed to take place once a matching key has been found. The former provides slightly less “expensive” key parsing operations and defaults to 16. The latter protects against expensive cryptographic operations when there are keys with colliding tags and algorithm numbers; the default is 2. [GL #5050]
- Bug Fixes
- Fix dual-stack-servers configuration option.
- The dual-stack-servers configuration option was not working as expected; the specified servers were not being used when they should have been, leading to resolution failures. This has been fixed. [GL #5019]
- Fix a data race causing a permanent active client increase.
- Previously, a data race could cause a newly created fetch context for a new client to be used before it had been fully initialized, which would cause the query to become stuck; queries for the same data would be either paused indefinitely or dropped because of the clients-per-query limit. This has been fixed. [GL #5053]
- Fix deferred validation of unsigned DS and DNSKEY records.
- When processing a query with the “checking disabled” bit set (CD=1), named stores the invalidated result in the cache, marked “pending”. When the same query is sent with CD=0, the cached data is validated and either accepted as an answer, or ejected from the cache as invalid. This deferred validation was not attempted for DS and DNSKEY records if they had no cached signatures, causing spurious validation failures. The deferred validation is now completed in this scenario.
- Also, if deferred validation fails, the data is now re-queried to find out whether the zone has been corrected since the invalid data was cached. [GL #5066]
- Fix RPZ race condition during a reconfiguration.
- With RPZ in use, named could terminate unexpectedly because of a race condition when a reconfiguration command was received using rndc. This has been fixed. [GL #5146]
- “CNAME and other data check” not applied to all types.
- An incorrect optimization caused “CNAME and other data” errors not to be detected if certain types were at the same node as a CNAME. This has been fixed. [GL #5150]
- Relax private DNSKEY and RRSIG constraints.
- DNSKEY, KEY, RRSIG, and SIG constraints have been relaxed to allow empty key and signature material after the algorithm identifier for PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within the expected use of these types, as no key material is shared and the signatures are ineffective, but these are private algorithms and they can be totally insecure. [GL #5167]
- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
- Previously, when parsing responses, named incorrectly rejected responses without matching RRSIG records for NSEC/DS/NSEC3 records in the authority section. This rejection, if appropriate, should have been left for the validator to determine and has been fixed. [GL #5185]
- Fix TTL issue with ANY queries processed through RPZ “passthru”.
- Answers to an “ANY” query which were processed by the RPZ “passthru” policy had the response-policy’s max-policy-ttl value unexpectedly applied. This has been fixed. [GL #5187]
- dnssec-signzone needs to check for a NULL key when setting offline.
- dnssec-signzone could dereference a NULL key pointer when resigning a zone. This has been fixed. [GL #5192]
- Fix a bug in the statistics channel when querying zone transfer information.
- When querying zone transfer information from the statistics channel, there was a rare possibility that named could terminate unexpectedly if a zone transfer was in a state when transferring from all the available primary servers had failed earlier. This has been fixed. [GL #5198]
- Fix assertion failure when dumping recursing clients.
- Previously, if a new counter was added to the hash table while dumping recursing clients via the rndc recursing command, and fetches-per-zone was enabled, an assertion failure could occur. This has been fixed. [GL #5200]
- Dump the active resolver fetches from dns_resolver_dumpfetches()
- Previously, active resolver fetches were only dumped when the fetches-per-zone configuration option was enabled. Now, active resolver fetches are dumped along with the number of clients-per-query counters per resolver fetch.
Notes for BIND 9.20.6
- New Features
- Adds support for EDE code 1 and 2.
- Support was added for EDE codes 1 and 2, which might occur during DNSSEC validation in the case of an unsupported RRSIG algorithm or DNSKEY digest. [GL #2715]
- Add an rndc command to toggle jemalloc profiling.
- The new command is rndc memprof; the memory profiling status is also reported inside rndc status. The status shows whether named can toggle memory profiling, and whether the server is built with jemalloc. [GL #4759]
- Add support for multiple extended DNS errors.
- The Extended DNS Error (EDE) mechanism may raise errors during a DNS resolution. named is now able to add up to three EDE codes in a DNS response. If there are duplicate error codes, only the first one is part of the DNS response. [GL #5085]
- Print the expiration time of stale records.
- BIND now prints the expiration time of any stale RRsets in the cache dump.
- Bug Fixes
- Recently expired records could be returned with a timestamp in future.
- Under rare circumstances, an RRSet that expired at the time of the query could be returned with a TTL in the future. This has been fixed.
- As a side effect, the expiration time of expired RRSets is no longer returned in a cache dump. [GL #5094]
- YAML string not terminated in negative response in delv.
- [GL #5098]
- Fix a bug in dnssec-signzone related to keys being offline.
- When dnssec-signzone was called on an already-signed zone and the private key file was unavailable, a signature that needed to be refreshed was dropped without being able to generate a replacement. This has been fixed. [GL #5126]
- Apply the memory limit only to ADB database items.
- Under heavy load, a resolver could exhaust the memory available for storing the information in the Address Database (ADB), effectively discarding previously stored information in the ADB. The memory used to retrieve and provide information from the ADB is no longer subject to the same memory limits that are applied to the Address Database. [GL #5127]
- Avoid unnecessary locking in the zone/cache database.
- Lock contention among many worker threads referring to the same database node at the same time is now prevented. This improves zone and cache database performance for any heavily contended database nodes. [GL #5130]
- Fix reporting of Extended DNS Error 22 (No Reachable Authority).
- This error code was previously not reported in some applicable situations. This has been fixed. [GL #5137]
Compile tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09
Compile tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09
Compile tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09
Run tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09, booted and used for 7h without issues
Signed-off-by: Pascal Ernster <git@hardfalcon.net>
PKG_FIXUP:=autoreconf introduced in this commit[1] to fix builds with GCC 14
does not play well with GCC 13. Apply it conditionally.
I build some coreutils packages under GCC 13 and again under GCC 14 and both
completed successfully.
Build system: x86/64
Build-tested: x86/64
Fixes https://github.com/openwrt/packages/issues/26175
1. b1a648e1ff
Signed-off-by: John Audia <therealgraysky@proton.me>
This fixes the build on GCC 14 and solves issue https://github.com/openwrt/packages/issues/26175
Maintainer: @hnyman
Compile tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09
Compile tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09
Compile tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09
Run tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09, booted and used for 7h without issues
Signed-off-by: Pascal Ernster <git@hardfalcon.net>
1) Added the ability to route different domains through different gateways, up to 32 routes.
2) The program has been switched from proxying mode to sniffer mode.
3) Blacklist has been added so that the specified subnets are not added to the routing table.
Signed-off-by: Khachatryan Karen <karen0734@gmail.com>
https://github.com/openwrt/packages/pull/26116
We will no longer be building packages for various target architectures for node.js.
I will be dropping node-related packages that are no longer needed for this reason.
You can still use hostpkg's node.js as a build tool, so you can still use yarn and javascript-obfuscator as before.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
The '--enable-http-auth' compile option in cURL is used to enable support
for HTTP authentication methods. This option allows cURL to handle various
authentication schemes, such as Basic, Digest, NTLM, and others, which
are commonly used in HTTP requests to secure access to resources.
This cURL compile option is default disabled. This should at least be enabled
as a compile option in OpenWrt so that it can be switched on if needed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
As documented by "man git-rev-parse", the "--short" option shortens
commit sha1sums to at least "length" characters, equal to core.abbrev if
that is specified in ~/.gitconfig.
The development processes of some other open source projects require
having a
[core]
abbrev = 12
in the .gitconfig, which is incompatible with the way in which docker
wants PKG_GIT_SHORT_COMMIT.
On my system, I get these errors:
make[3]: Entering directory 'feeds/packages/utils/dockerd'
(...)
# Verify CLI is the same version
( CLI_MAKEFILE="../docker/Makefile"; CLI_VERSION=$( grep --only-matching --perl-regexp '(?<=PKG_VERSION:=)(.*)' "${CLI_MAKEFILE}" ); if [ "${CLI_VERSION}" != "27.3.1" ]; then echo "ERROR: Expected 'PKG_VERSION:=27.3.1' in '${CLI_MAKEFILE}', found 'PKG_VERSION:=${CLI_VERSION}'"; exit 1; fi )
# Verify PKG_GIT_SHORT_COMMIT
( EXPECTED_PKG_GIT_SHORT_COMMIT=$( feeds/packages/utils/dockerd/git-short-commit.sh 'github.com/moby/moby' 'v27.3.1' 'tmp/git-short-commit/dockerd-27.3.1' ); if [ "${EXPECTED_PKG_GIT_SHORT_COMMIT}" != "41ca978" ]; then echo "ERROR: Expected 'PKG_GIT_SHORT_COMMIT:=${EXPECTED_PKG_GIT_SHORT_COMMIT}', found 'PKG_GIT_SHORT_COMMIT:=41ca978'"; exit 1; fi )
Trying remote 'github.com/moby/moby'
fatal: 'github.com/moby/moby' does not appear to be a git repository
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Trying remote 'https://github.com/moby/moby'
remote: Enumerating objects: 11117, done.
From https://github.com/moby/moby
* tag v27.3.1 -> FETCH_HEAD
HEAD is now at 41ca978a0a54 Merge pull request #48525 from thaJeztah/27.x_backport_govulncheck_permissions
ERROR: Expected 'PKG_GIT_SHORT_COMMIT:=41ca978a0a54', found 'PKG_GIT_SHORT_COMMIT:=41ca978'
make[3]: *** [Makefile:198: build_dir/target-aarch64_generic_glibc/dockerd-27.3.1/.prepared_d76b59f2eb81424899b1fbb9e44f77e2_6664517399ebbbc92a37c5bb081b5c53] Error 1
make[3]: Leaving directory 'feeds/packages/utils/dockerd'
time: package/feeds/packages/dockerd/compile#1.71#1.18#5.38
ERROR: package/feeds/packages/dockerd failed to build.
Since --short supports a length argument, use that to break the
dependency on the system .gitconfig.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Also fixes MIPS builds.
Seems there is some inline assembly that won't work with MIPS16
instructions.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
If you run the arp-scan tool cyclically, the kernel messages for
promiscuous mode are very annoying.
This backports an upstream patch to disable the unnecessary promiscuous
mode in arp-scan.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Adjust the dependency to the virtual coreutils main package in
each app to be selective. Otherwise you need to first select the
main coreutils before the actuall apps can be selected. That has
prevented other applications from depending on just one individual
coreutils app, as they have needed to depend also on the empty main
coreutils package.
Reference to discussion in:
https://github.com/openwrt/luci/issues/7605
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Upstream is preparing the migration to a new website. As part of this, they
will be dropping the `www` prefix. Also, the package source is updated to use
mc's official OSU OSL mirror over HTTPS.
Signed-off-by: Yury V. Zaytsev <yury@shurup.com>
Users running unprivileged containers will need to create
/etc/subgid and /etc/subuid and want to have them preserved
across updates. This commit adds them to the default backup set.
Signed-off-by: John Audia <therealgraysky@proton.me>
Co-authored-by: Tianling Shen <cnsztl@gmail.com>
Bug fixes:
efahl/owut@15d7342377 owut: fix incorrect log levels on list and blob commands
efahl/owut@3867b98d0e owut: fix parsing of certain APK versions
Enhancements:
efahl/owut@52e7d44c99 owut: allow user to override 'package_changes'
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
https://github.com/openwrt/packages/issues/26078
As a result of the discussion in this thread, the node.js package was changed to hostpkg only. In addition, this fix uses the pre-built version distributed on nodejs.
The use of pre-build is based on the suggestion of @artynet.
The packages in the node module are successfully built, but the target node.js itself cannot be provided, so it cannot be used.
Yarn, which is used in packages for web front ends, etc., can be used without any problems.
Support for host builds other than linux x86_64.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Now that we are building FreeIPMI library ipmitool will detect it
and since we are already passing --enable-intf-free it will build
support for FreeIPMI as well.
However, --enable-intf-free was previously no-op since it would just
fail to detect FreeIPMI and disable support for it but now it seems
that buildbots build FreeIPMI first and then ipmitool will fail with
missing dependency on FreeIPMI library.
Since FreeIPMI is quite big and previously ipmitool was built without
support for it anyway lets disable support for FreeIPMI in ipmitool and
if its required it can be made optional or as a package variant later.
This fixes building ipmitool via buildbots again.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Docker's backend storage driver can be configurable for certain
filesystems. The default is the overlay storage driver, but if you run
openwrt on a system with btrfs, this will allow you to override the
default configuration by settings the storage_driver in uci in dockerd's
global section. This value will be used in the created dockerd.json
file.
Signed-off-by: Keith T. Garner <kgarner@kgarner.com>
Wesley Gimenes
Nick Hainke
George Sapkin
Glenn Strauss
Pascal Ernster
John Audia
Dirk Brenken
Khachatryan Karen
Christian Lachner
Jan Hák
Ray Wang
Hirokazu MORIKAWA
Florian Eckert
Vladimir Oltean
Javier Marcet
Alexandru Ardelean
Martin Schiller
hingbong lo
Thiago Pereira Ricciardi
Maxim Storchak
Hannu Nyman
Yury V. Zaytsev
Álvaro Fernández Rojas
Eric Fahlgren
Robert Marko
Keith T. Garner
Koen Vandeputte