aria2_project:aria2 is a better CPE ID than tatsuhiro_tsujikawa:aria2 as
this CPE ID has the latest CVE (whereas tatsuhiro_tsujikawa:aria2 only
has CVEs up to 2010):
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3🅰️aria2_project:aria2
Fixes: 299e5b0a9b (treewide: add PKG_CPE_ID for better cvescanner coverage)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Security
- Any simultaneous requests that are considered duplicates will now only
result in a single request to upstreams, reducing the chance of a cache
poisoning attack succeeding. This is controlled by the new configuration
object pending_requests, which has a single enabled property, set to
true by default.
NOTE: It's strongly recommended to leave it enabled, otherwise AdGuard
Home will be vulnerable to untrusted clients.
Changelog: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.61
Signed-off-by: George Sapkin <george@sapk.in>
Fixed:
- Filtering for DHCP clients.
- Incorrect label on login page.
- Validation process for the HTTPS port on the Encryption Settings page.
Changelog: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.60
Signed-off-by: George Sapkin <george@sapk.in>
This commit includes inttypes.h to prevent the following error:
```
mibgroup/ieee802dot11.c: In function 'displayWiExt':
mibgroup/ieee802dot11.c:4563:26: error: expected ')' before 'PRIdPTR'
4563 | printf ( "%s sens: %" PRIdPTR "\n", "SIOCGIWSENS", *(intptr_t *)&info.sens );
| ~ ^~~~~~~~
| )
mibgroup/ieee802dot11.c:31:1: note: 'PRIdPTR' is defined in header '<inttypes.h>'; did you forget to '#include <inttypes.h>'?
30 | #include "util_funcs/header_generic.h"
+++ |+#include <inttypes.h>
31 |
```
Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
Add missing syscalls found with `/etc/init.d/transmission trace`.
fix crash on boot on x86_64 platform
Signed-off-by: Liangbin Lian <jjm2473@gmail.com>
* add an uci-defaults script for housekeeping and option migration from former versions
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Instead of just killing all the processes, let's actually reload them,
since that's what the user would expect when issuing a 'reload' command.
Move the killall portion to a kill function
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
* checked and fixed the kresd and smartdns support
* fixed another ETAG issue
* changed the enabled feeds in default config to certpl, aguard and adguard_tracking
* various other small fixes
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
This update requires sshd-auth to be packaged due to the authentication
bin split introduced in this version.
Changelog: https://www.openssh.com/txt/release-10.0
Build system: x86/64
Build-tested: x86/64
Run-tested: x86/64
Signed-off-by: John Audia <therealgraysky@proton.me>
Add openssh-sk-helper package containing ssh-sk-helper.
The helper can be used by openssh-client, openssh-sftp-client,
and openssh-keygen to access `ecdsa_sk` and `ed25519_sk keys
provided by a FIDO U2F or FIDO2 hardware token connected over USB.
Close#24509
Signed-off-by: Mikael Magnusson <mikma@users.sourceforge.net>
This reverts commit 855db864b0.
The reverted commit doesn't make sense since the component
(ssh-sk-helper) that uses libfido2, which is mentioned in
the commit message, isn't packaged.
Signed-off-by: Mikael Magnusson <mikma@users.sourceforge.net>
* the ETAG function now supports country and asn feeds as well
* fixed becyber URL and other small fixes
* LuCI fixes and improvements (separate commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* added a 'DNS Shift' option, where the generated final DNS blocklist is moved to the backup directory and
only a soft link to this file is set in memory. As long as your backup directory is located on an external drive,
you should activate this option to save disk space
* added ETAG-Header support to make sure to download only feeds that has been changed,
use backups otherwise (not supported by uclient-fetch)
* removed aria2 support
* added brave as a new safesearch provider
* removed the racist terminology from the local lists and renamed it to "allowlist" and "blocklist"
* removed the 'list' and 'timer' function from init, use the LuCI feed editor and the standard cron frontend instead
* various code changes and improvements
* major LuCI frontend changes, incl. a custom feed editor (separate commit)
* partial readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
Fixes#25801. Adds the following commits to fix DHCP behaviour on
Strongswan 5.9.14:
- abbf9d28b0
- 00d8c36d6f
- a50ed3006e
Signed-off-by: Joel Low <joel@joelsplace.sg>
Commit 9fc79e2e2622 ("download: don't overwrite VERSION variable")
changed the variable for direct download call from VERSION to
SOURCE_VERSION.
This cause the dl_github_archive script to pass empty value for
--version arg making it always clone HEAD.
Correctly update the variable to SOURCE_VERSION to actually clone the
expected commit HASH.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Reasons to drop:
- an unresolved issue which prevents updating gping to latest version.
gping now relies on support for fractional timespan of 'sleep', which
isn't enabled in main OpenWrt repository
- there are probably only few users of this package, if any, and I'm not
a user anymore either
- there are other equal or better tools for the same purpose
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Security fixes:
CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made
to abort with an ASSERT() message by sending a particular combination of authenticated and
malformed packets. No crypto integrity is violated, no data is leaked, and no remote code
execution is possible. This bug does not affect OpenVPN clients.
For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.14/Changes.rst
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Until now it was not possible to stop the acme service, because the handling
was done via cron. With this change, the acme handler can now be stopped by
calling '/etc/init.d/acme' stop. This call removes the entry from the crontab.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Since procd is now used, the call of '/etc/init.d/acme' does not have to be
locked separately. This code block can therefore be removed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
In the current implementation, the config change trigger is no longer set
at boot time. This is because during boot, only the '$CHALLENGE_DIR' is
created with the boot function. The 'start_service' is first called by first
cron call at midnight. This call is installing the service_triggers reload
handling.
To fix this, add a new extra_command 'renew' that is responsible to renew
the acme. This function is called from cron and the start_service
function does the rest.
* Create directories
* Install service reload trigger form acme config change
Fixes: 76f17ab15b (acme-common: Create challenge directory on boot)
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The 'ps' command from 'procps-ng' is used in favour of 'ps' from 'busybox'
when 'procps-ng' is installed. The problem is that the outputs are not
compatible and the ‘grep’ is different for further processing. To fix this,
always use the 'ps' command from 'busybox'.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
ddns-scripts-scaleway description section was not defined as such and was
overriding the package definition leading to:
Makefile:839: *** missing separator. Stop.
Fixes: a7867016c8 ("ddns-scripts: add support for Scaleway DNS")
Signed-off-by: Robert Marko <robimarko@gmail.com>
If the ModemManager is stopped via '/etc/init.d/modemmanager', mmcli calls
always remain in the process list. This is because the ModemManager-monitor
call is not terminated properly, as the kill signals are not handled
correctly in the startup script for mmcli.
To fix this, the signal handling is refactored.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The default 'timeout' value is 30 seconds when calling an mmcli action. That
is too long. For this reason, the mmcli 'timeout' option is specified for
calls and the value is set to 10 seconds.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* fixed a JSON reporting issue (when the map and NFT counters are disabled)
* optimized the getfetch function call within the reporting function
* removed the stale IPv6 links in the becyber feed
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
* added a geoIP Map to show home IPs and potential attacker IPs on a leafletjs based map
* significantly improved the reporting performance on multicore hardware
* removed aria2 support (it doesn't support post data requests)
* removed the following outbound feeds due to too many false positives:
adaway, adguard, adguardtrackers, antipopads, oisdbig, oisdnsfw, oisdsmall, stevenblack and yoyo
* renamed the banIP command "survey" to "content"
* various other small tweaks
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
This requires backporting two upstream commits to avoid a segfault
due to the /etc/iproute2/rt_addrprotos.d and
/usr/share/iproute2/rt_addrprotos.d directories not existing on OpenWrt,
and the following compile error:
In file included from /home/stijn/Development/OpenWrt/openwrt/staging_dir/toolchain-powerpc64_e5500_gcc-13.3.0_musl/include/net/ethernet.h:10,
from vrrp.c:44:
/home/stijn/Development/OpenWrt/openwrt/staging_dir/toolchain-powerpc64_e5500_gcc-13.3.0_musl/include/netinet/if_ether.h:115:8: error: redefinition of 'struct ethhdr'
115 | struct ethhdr {
| ^~~~~~
In file included from vrrp.c:43:
/home/stijn/Development/OpenWrt/openwrt/staging_dir/toolchain-powerpc64_e5500_gcc-13.3.0_musl/include/linux/if_ether.h:173:8: note: originally defined here
173 | struct ethhdr {
| ^~~~~~
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
1) Fixed a bug that not all routers were deleted.
2) Log updated.
3) The "output" option has been removed from the service, it is now /tmp/antiblock
Signed-off-by: Khachatryan Karen <karen0734@gmail.com>
Verbatim copy from upstream's release notes:
Notes for BIND 9.20.7
- New Features
- Implement the min-transfer-rate-in configuration option.
- A new option min-transfer-rate-in has been added to the view and zone configurations. It can abort incoming zone transfers that run very slowly due to network-related issues, for example. The default value is 10240 bytes in five minutes. [GL #3914]
- Add HTTPS record query to host command line tool.
- The host command was extended to also query for the HTTPS RR type by default.
- Implement sig0key-checks-limit and sig0message-checks-limit.
- Previously, a hard-coded limitation of a maximum of two key or message verification checks was introduced when checking a message’s SIG(0) signature, to protect against possible DoS attacks. Two as a maximum was chosen so that more than a single key should only be required during key rotations, and in that case two keys are enough. It later became apparent that there are other use cases where even more keys are required; see the related GitLab issue for examples.
- This change introduces two new configuration options for the views: sig0key-checks-limit and sig0message-checks-limit. They define how many keys can be checked to find a matching key, and how many message verifications are allowed to take place once a matching key has been found. The former provides slightly less “expensive” key parsing operations and defaults to 16. The latter protects against expensive cryptographic operations when there are keys with colliding tags and algorithm numbers; the default is 2. [GL #5050]
- Bug Fixes
- Fix dual-stack-servers configuration option.
- The dual-stack-servers configuration option was not working as expected; the specified servers were not being used when they should have been, leading to resolution failures. This has been fixed. [GL #5019]
- Fix a data race causing a permanent active client increase.
- Previously, a data race could cause a newly created fetch context for a new client to be used before it had been fully initialized, which would cause the query to become stuck; queries for the same data would be either paused indefinitely or dropped because of the clients-per-query limit. This has been fixed. [GL #5053]
- Fix deferred validation of unsigned DS and DNSKEY records.
- When processing a query with the “checking disabled” bit set (CD=1), named stores the invalidated result in the cache, marked “pending”. When the same query is sent with CD=0, the cached data is validated and either accepted as an answer, or ejected from the cache as invalid. This deferred validation was not attempted for DS and DNSKEY records if they had no cached signatures, causing spurious validation failures. The deferred validation is now completed in this scenario.
- Also, if deferred validation fails, the data is now re-queried to find out whether the zone has been corrected since the invalid data was cached. [GL #5066]
- Fix RPZ race condition during a reconfiguration.
- With RPZ in use, named could terminate unexpectedly because of a race condition when a reconfiguration command was received using rndc. This has been fixed. [GL #5146]
- “CNAME and other data check” not applied to all types.
- An incorrect optimization caused “CNAME and other data” errors not to be detected if certain types were at the same node as a CNAME. This has been fixed. [GL #5150]
- Relax private DNSKEY and RRSIG constraints.
- DNSKEY, KEY, RRSIG, and SIG constraints have been relaxed to allow empty key and signature material after the algorithm identifier for PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within the expected use of these types, as no key material is shared and the signatures are ineffective, but these are private algorithms and they can be totally insecure. [GL #5167]
- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
- Previously, when parsing responses, named incorrectly rejected responses without matching RRSIG records for NSEC/DS/NSEC3 records in the authority section. This rejection, if appropriate, should have been left for the validator to determine and has been fixed. [GL #5185]
- Fix TTL issue with ANY queries processed through RPZ “passthru”.
- Answers to an “ANY” query which were processed by the RPZ “passthru” policy had the response-policy’s max-policy-ttl value unexpectedly applied. This has been fixed. [GL #5187]
- dnssec-signzone needs to check for a NULL key when setting offline.
- dnssec-signzone could dereference a NULL key pointer when resigning a zone. This has been fixed. [GL #5192]
- Fix a bug in the statistics channel when querying zone transfer information.
- When querying zone transfer information from the statistics channel, there was a rare possibility that named could terminate unexpectedly if a zone transfer was in a state when transferring from all the available primary servers had failed earlier. This has been fixed. [GL #5198]
- Fix assertion failure when dumping recursing clients.
- Previously, if a new counter was added to the hash table while dumping recursing clients via the rndc recursing command, and fetches-per-zone was enabled, an assertion failure could occur. This has been fixed. [GL #5200]
- Dump the active resolver fetches from dns_resolver_dumpfetches()
- Previously, active resolver fetches were only dumped when the fetches-per-zone configuration option was enabled. Now, active resolver fetches are dumped along with the number of clients-per-query counters per resolver fetch.
Notes for BIND 9.20.6
- New Features
- Adds support for EDE code 1 and 2.
- Support was added for EDE codes 1 and 2, which might occur during DNSSEC validation in the case of an unsupported RRSIG algorithm or DNSKEY digest. [GL #2715]
- Add an rndc command to toggle jemalloc profiling.
- The new command is rndc memprof; the memory profiling status is also reported inside rndc status. The status shows whether named can toggle memory profiling, and whether the server is built with jemalloc. [GL #4759]
- Add support for multiple extended DNS errors.
- The Extended DNS Error (EDE) mechanism may raise errors during a DNS resolution. named is now able to add up to three EDE codes in a DNS response. If there are duplicate error codes, only the first one is part of the DNS response. [GL #5085]
- Print the expiration time of stale records.
- BIND now prints the expiration time of any stale RRsets in the cache dump.
- Bug Fixes
- Recently expired records could be returned with a timestamp in future.
- Under rare circumstances, an RRSet that expired at the time of the query could be returned with a TTL in the future. This has been fixed.
- As a side effect, the expiration time of expired RRSets is no longer returned in a cache dump. [GL #5094]
- YAML string not terminated in negative response in delv.
- [GL #5098]
- Fix a bug in dnssec-signzone related to keys being offline.
- When dnssec-signzone was called on an already-signed zone and the private key file was unavailable, a signature that needed to be refreshed was dropped without being able to generate a replacement. This has been fixed. [GL #5126]
- Apply the memory limit only to ADB database items.
- Under heavy load, a resolver could exhaust the memory available for storing the information in the Address Database (ADB), effectively discarding previously stored information in the ADB. The memory used to retrieve and provide information from the ADB is no longer subject to the same memory limits that are applied to the Address Database. [GL #5127]
- Avoid unnecessary locking in the zone/cache database.
- Lock contention among many worker threads referring to the same database node at the same time is now prevented. This improves zone and cache database performance for any heavily contended database nodes. [GL #5130]
- Fix reporting of Extended DNS Error 22 (No Reachable Authority).
- This error code was previously not reported in some applicable situations. This has been fixed. [GL #5137]
Compile tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09
Compile tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09
Compile tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09
Run tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09, booted and used for 7h without issues
Signed-off-by: Pascal Ernster <git@hardfalcon.net>
1) Added the ability to route different domains through different gateways, up to 32 routes.
2) The program has been switched from proxying mode to sniffer mode.
3) Blacklist has been added so that the specified subnets are not added to the routing table.
Signed-off-by: Khachatryan Karen <karen0734@gmail.com>
Ignas Poklad