This fixes the following security problems:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Not all kmod packages depends on kmod-ipt-compat-xtables, but this
kernel config option is required for building the whole package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
odhcpd daemon has hitless config reload support by means of the
sighup signal; add reload_service function which uses sighup
signal to reload the config
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This fixes building with musl and drops the dependency on the OpenWrt
kernel-header patches:
270-uapi-kernel.h-glibc-specific-inclusion-of-sysinfo.h.patch
271-uapi-libc-compat.h-do-not-rely-on-__GLIBC__.patch
272-uapi-if_ether.h-prevent-redefinition-of-struct-ethhd.patch
Use the new upstream location at netfilter.org and use a define instead
of a patch to "optimize".
See also: https://git.netfilter.org/arptables/log/
Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
[Jo-Philipp Wich: add mirror SHA256 sum]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This adds support for "channels" command which displays more details
about channels. It includes e.g. info about available widths.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Update to latest Git head in order to import several fixes and enhancements.
- Disable drop invalid by default (FS#73, FS#154)
Instead of dropping packets with conntrack state INVALID, only allow streams
with explicit NEW or UNTRACKED conntrack state.
This change gives user defined rules the chance to accept traffic like ICMPv6
multicast which would be filtered away by the very early ctstate INVALID drop
rule otherwise.
The old behaviour can be restored by explicitely setting "drop_invalid" to 1
in the global firewall config section.
- Fix re-initialization of loadable iptables extensions on musl (FS#31)
Since musl does not implement actual dlclose() semantics, it is impossible to
re-run initializers on subsequent dlopen() calls.
The firewall3 executable now intercepts the extension registration calls
instead in order to be able to re-call them when needed.
This also allowed us to switch to libxtables' builtin extension loader as a
positive side-effect.
- Fix masquerade rules for multiple negated IP addresses (FS#248)
When building MASQUERADE rules for zones which specify multiple negated
addresses in masq_src or masq_dest, emit -j RETURN rules which jump out of
the masquerading chain instead of creating multiple rules with inverted "-s"
arguments.
- Tag own rules using comments
Instead of relying on the nonstandard xt_id match, use the xt_comment match
to mark own rules. Existing comments are prefixed with "!fw3: " while
uncommented rules are marked with a sole "!fw3" string.
This allows removing the xt_id match entirely in a later commit.
- Make missing ubus connection nonfatal
Technically, firewall3 is able to operate without ubus just fine as long as
the zones are declared using "option device" or "option subnet" instead of
"option network" so do not abort execution if ubus could not be connected or
of no network namespace is exported in ubus.
This allows running firewall3 on ordinary Linux systems.
- Fix conntrack requirement detection for indirectly connected zones
The current code fails to apply the conntrack requirement flag recursively to
zones, leading to stray NOTRACK rules which break conntrack based traffic
policing.
Change the implementation to iteratively reapply the conntrack fixup logic
until no more zones had been changed in order to ensure that all directly and
indirectly connected zones receive the conntrack requirement flag.
- Add support for iptables 1.6.x
Adds support for the xtables version 11 api in order to allow building
against iptables 1.6.x
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
"This release fixes a few minor bugs, including a
(non-security-impacting) buffer overflow fix ported
from upstream cjson."
<http://software.es.net/iperf/news.html#iperf-3-1-4-released>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Adds the mac address of the DNS requestor to DNS queries which
are forwarded upstream and can be used to do filtering by the
upstream servers. This only works if the requestor is on the
same subnet as the dnsmasq server
The addmac parameter can hold the following values:
0 : mac address is not added
1 : mac address is added in binary format
base64 : mac address is added base64 encoded
text: : mac address is added in human readable format
as hex and colons
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
moving comgt and its modules to WWAN submenu to join uqmi as both are tools for WWAN modems.
I replaced the link with comgt's ubuntu manpage because the old link isn't working anymore.
Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
For Huawei devices like E3372 proper command for set lte mode is:
AT^SYSCFGEX="03",3fffffff,2,4,7fffffffffffffff,,
Eval is required for proper quotation.
Without this fix:
Fri Nov 4 19:07:49 2016 daemon.notice netifd: Interface 'wan' is setting up now
Fri Nov 4 19:07:52 2016 daemon.notice netifd: wan (2060): sending -> AT
Fri Nov 4 19:07:52 2016 daemon.notice netifd: wan (2060): sending -> ATZ
Fri Nov 4 19:07:53 2016 daemon.notice netifd: wan (2060): sending -> ATQ0
Fri Nov 4 19:07:53 2016 daemon.notice netifd: wan (2060): sending -> ATV1
Fri Nov 4 19:07:54 2016 daemon.notice netifd: wan (2060): sending -> ATE1
Fri Nov 4 19:07:55 2016 daemon.notice netifd: wan (2060): sending -> ATS0=0
Fri Nov 4 19:07:55 2016 daemon.notice netifd: wan (2060): sending -> AT+CGDCONT=1,"IP","internet"
Fri Nov 4 19:07:57 2016 daemon.notice netifd: wan (2060): sending -> AT^SYSCFGEX=\"03\",3fffffff,2,4,7fffffffffffffff,,
Fri Nov 4 19:07:58 2016 daemon.notice netifd: wan (2060): Error running AT-command
Fri Nov 4 19:07:58 2016 daemon.notice netifd: wan (2060): Failed to set operating mode
Fri Nov 4 19:07:58 2016 daemon.notice netifd: wan (2092): Stopping network
...
With this fix:
Fri Nov 4 19:10:59 2016 daemon.notice netifd: Interface 'wan' is setting up now
Fri Nov 4 19:11:01 2016 daemon.notice netifd: wan (2539): sending -> AT
Fri Nov 4 19:11:01 2016 daemon.notice netifd: wan (2539): sending -> ATZ
Fri Nov 4 19:11:02 2016 daemon.notice netifd: wan (2539): sending -> ATQ0
Fri Nov 4 19:11:03 2016 daemon.notice netifd: wan (2539): sending -> ATV1
Fri Nov 4 19:11:03 2016 daemon.notice netifd: wan (2539): sending -> ATE1
Fri Nov 4 19:11:04 2016 daemon.notice netifd: wan (2539): sending -> ATS0=0
Fri Nov 4 19:11:05 2016 daemon.notice netifd: wan (2539): sending -> AT+CGDCONT=1,"IP","internet"
Fri Nov 4 19:11:06 2016 daemon.notice netifd: wan (2539): sending -> AT^SYSCFGEX="03",3fffffff,2,4,7fffffffffffffff,,
Fri Nov 4 19:11:07 2016 daemon.notice netifd: wan (2539): sending -> AT^NDISDUP=1,1,"internet"
Fri Nov 4 19:11:08 2016 daemon.notice netifd: wan (2539): Connected, starting DHCP on wwan0
Fri Nov 4 19:11:08 2016 daemon.notice netifd: Interface 'wan' is now up
Fri Nov 4 19:11:08 2016 daemon.notice netifd: Network device 'wwan0' link is up
Fri Nov 4 19:11:08 2016 daemon.notice netifd: Network alias 'wwan0' link is up
Fri Nov 4 19:11:08 2016 daemon.notice netifd: Interface 'wan_4' is enabled
Fri Nov 4 19:11:08 2016 daemon.notice netifd: Interface 'wan_4' has link connectivity
Fri Nov 4 19:11:08 2016 daemon.notice netifd: Interface 'wan_4' is setting up now
...
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Rename the "ip" package declaration to "ip-tiny" and let both "ip-tiny" and
"ip-full" provide the virtual "ip" package. This allows users to freely choose
the "ip" command variant while other packages can continue to depend on "ip"
without needing to enforce a specific variant.
Note that this commit does not add busybox as "ip" provider due to
the following reasons:
- The builtin Busybox ip applet cannot be added or removed at runtime
- Both "ip-tiny" and "ip-full" are able to install without file clashes even
if the busybox applet is enabled
- The system is preferring full "ip-tiny" and "ip-full" at runtime, even
if Busybox ip is still present.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Ensure that selecting the wpa-supplicant-mesh package actually packages the
wpa_supplicant binary with SAE support and add missing dependency on OpenSSL.
Signed-off-by: Alexis Green <alexis@cessp.it>
[Jo-Philipp Wich: slightly reword commit message for clarity]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
We add an 'httpauth' section type that contains the options:
prefix: What virtual or real URL is being protected
username: The username for the Basic Auth dialogue
password: Hashed (crypt()) or plaintext password for the Basic Auth dialogue
httpauth section names are given included as list
items to the instances to which they are to be applied.
Further any existing httpd.conf file (really whatever
is configured in the instance, but default of
/etc/httpd.conf) is appended to the per-instance httpd.conf
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
During reload, we could send invalid information to the other
side and confuse it.
That's why, during reload we'll pause execution, do the reconfig
and resume + update when reload is done.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The problem is that interfaces are specified at start as
command line arguments, making them unchange-able via reload.
That means, we have to move (since lldpd allows this) the
interfaces-match-pattern option to be in a config file and reload
the configuration.
It's either that, or do a 'restart'.
Since we're generating the lldpd.conf file, we'll have to
move the 'sysconfdir' of lldpd to /tmp, where the files will
get written ; this will prevent any unncessary flash writes.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Adds support in uci for configuring multiple dnsmasq instances via
multiple dnsmasq sections.
The uci sections host, boot, mac, tag, vendorclass, userclass,
circuitid, ... will refer to a dnsmasq instance via the instance
parameter defined in the section; if the instance parameter is
not specified backwards compatibility is preserved.
Start/Stopping a dnsmasq instance can be achieved by passing the
dnsmasq instance name as argument to start/stop via the init script.
Multiple dnsmasq instances is usefull in scenarios where you want to
bind a dnsmasq instance to an interface in order to isolate networks.
This patch is a rework of a multiple dnsmasq instance patch by Daniel Dickinson
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Add a partially random O= item to the certificate subject in order
to make the automatically generated certificates' subjects unique.
Firefox has problems when several self-signed certificates
with CA:true attribute and identical subjects have been
seen (and stored) by the browser. Reference to upstream bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1147544https://bugzilla.mozilla.org/show_bug.cgi?id=1056341https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34
Certificates created by the OpenSSL one-liner fall into that category.
Avoid identical certificate subjects by including a new 'O=' item
with CommonName + a random part (8 chars). Example:
/CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ
That ensures that the browser properly sees the accumulating
certificates as separate items and does not spend time
trying to form a trust chain from them.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Prefer the old default 'px5g' for certificate creation
as Firefox seems to dislike OpenSSL-created certs.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
This option, defined by RFC3442, allows a DHCP server to send static
routes to a client. But the client has to request this option
explicitely.
Static routes are useful when the gateway configured by DHCP cannot be
in the same subnet as the client. This happens, for instance, when
using DHCP to hand out addresses in /32 subnets.
A new configuration option "classlessroute" is available, allowing
users to disable this feature (the option defaults to true).
Other DHCP clients already request this option by default (dhcpcd, for
instance, and possibly Windows). If a DHCP server does not support
this option, it will simply ignore it.
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
The special prefix of "/" should match any url by definition but the final
assertion which ensures that the matched prefix ends in '\0' or '/' is causing
matches against the "/" prefix to fail.
Update to current HEAD in order to fix this particular case.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
iperf upstream added some bugfixes to the already released 2.0.9 version
without changing the filename. This conflicts with old mirrored files
and the hash that we previously used.
To avoid conflict, use a renamed tarball from mirror2.openwrt.org
containing the new upstream changes
Signed-off-by: Felix Fietkau <nbd@nbd.name>