fixes:
CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL
- remove crypto auth compile fix
curl changelog of 7.46 states its fixed
- fix mbedtls and cyassl usability #19621 :
add path to certificate file (from Mozilla via curl) and
provide this in a new package
tested on ar71xx w. curl/mbedtls/wolfssl
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
conditionally save dnsmasq.time across sysupgrade
dnsmasq uses /etc/dnsmasq.time as record of the last known good
system time to aid its validation of dnssec timestamps. dnsmasq
updates the timestamp on process start/stop once it considers the system
time as valid. The timestamp file should be preserved across system
upgrade but should not be included as part of normal configuration
backups to prevent restores corrupting the current timestamp.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
dnsmasq maintains dnsmasq.time across reboots and uses it as a means of
determining if current time is good enough to validate dnssec time
stamps. By including /etc/dnsmasq.time as a time source for sysfixtime,
the mechanism was effectively defeated because time was set to the
last time that dnsmasq considered current even though that time is in
the past. Since that time is out of date, dns(sec) resolution would
fail thus defeating any ntp based mechanisms for setting the clock
correctly.
In theory the process is defeated by any files in /etc that are newer
than /etc/dnsmasq.time however dnsmasq now updates the file's timestamp
on process TERM so hopefully /etc/dnsmasq.time is the latest file
timestamp in /etc as part of LEDE shutdown/reboot.
Either way, including /etc/dnsmasq.time as a time source for
sysfixtime is not helpful.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
When imagebuild sorts package lists it breaks opkg's ability to realize
that a providers for a Provides has already been installed, when the sort
results in the provider being later in the list of packages that a package
which depends on a Provides (and hence the provider is not yet installed
for opkg to realize the provider was available doesn't not handle the case
of a package that is to be installed satisfying a dependency, only one that
is already installed (or which it schedules to be installed, which in the
absence of an installed provider is whichever provider happens to be the
default)
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
conditionally save dnsmasq.time across sysupgrade
dnsmasq uses /etc/dnsmasq.time as record of the last known good
system time to aid its validation of dnssec timestamps. dnsmasq
updates the timestamp on process start/stop once it considers the system
time as valid. The timestamp file should be preserved across system
upgrade but should not be included as part of normal configuration
backups to prevent restores corrupting the current timestamp.
dnsmasq maintains dnsmasq.time across reboots and uses it as a means of
determining if current time is good enough to validate dnssec time
stamps. By including /etc/dnsmasq.time as a time source for sysfixtime,
the mechanism was effectively defeated because time was set to the
last time that dnsmasq considered current even though that time is in
the past. Since that time is out of date, dns(sec) resolution would
fail thus defeating any ntp based mechanisms for setting the clock
correctly.
In theory the process is defeated by any files in /etc that are newer
than /etc/dnsmasq.time however dnsmasq now updates the file's timestamp
on process TERM so hopefully /etc/dnsmasq.time is the latest file
timestamp in /etc as part of LEDE shutdown/reboot.
Either way, including /etc/dnsmasq.time as a time source for
sysfixtime is not helpful.
Apparently symlink-tree has not been used in quite some time as it
fails to symlink the always required config dir
Also, if we pulled from git but .git is missing we get
many error messages on the symlinked tree without this
patch (which symlinks .git, if present)
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
Some SSL applications requires a certificates bundle rather
than a directory containing certificates. For thos applications
we build the ca-bundle package
Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
Add packaging of it87 hardware monitor kernel module. It is
a common thermal and voltage monitor that is in many x86
(at least) devices, and is just another i2c hwmon module.
Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
The patch 300-ath9k-force-rx_clear-when-disabling-rx.patch broke TX99 support
in ath9k. Fix the patch by only applying rx_clear if TX99 mode is not used.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Both scripts modified by this patch were added by me. First of all I
incorrectly added OpenWrt as Copyright holder. It was wrong because:
1) I simply can't transfer my moral rights according to the Polish law
2) Transfering copyrights (economic rights) requires an agreement which
I didn't sign with OpenWrt(.org).
Other than that I don't find these trivial scripts important enough to
put info about *my* copyrights in a header so this patch just drops them
completely.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
The libusb package is not parallel build save, a make -j16 reliably breaks it.
Forcibly disable parallel building.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
the recent fixes to make mount_root work during failsafe caused lots of
unwanted side effects. use the new preinit sentinel file to detect if
we are in preinit. this will also work if logged in via ssh.
Signed-off-by: John Crispin <john@phrozen.org>
