OpenSSL 3.0.18 is a security patch release. The most severe CVE fixed in this
release is Moderate.
This release incorporates the following bug fixes and mitigations:
* Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
* Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232)
The removed patch is included upstream:
c0d968f0ac
Link: https://github.com/openwrt/openwrt/pull/20312
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
gettext-full only provides libintl, which is not licensed under
GPL-3.0-or-later but under LGPL-2.1-or-later as stated in
gettext-runtime/intl/COPYING.LIB
Fixes: c10d97484a (Add more license tags with SPDX identifiers)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/19943
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 13e10bb8d3)
elfutils libraries are not licensed under GPL-3.0-or-later; they are dual
licensed: GPL-2.0-or-later OR LGPL-3.0-or-later as clearly stated in
source files as well as on https://sourceware.org/elfutils:
The libraries and backends are dual GPLv2+/LGPLv3+. The utilities are GPLv3+.
Fixes: b98fb76646 (elfutils: import package from packages.git)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/19941
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 9a157b5d83)
The version of libxml2 was bumped from 2.13.6 to 2.14.5. Since version
2.14, libxml2 is not binary compatible with older versions. Therefore
add an abi version.
From the NEWS file:
Binary compatibility is restricted to versions 2.14 or newer. On ELF
systems, the soname was bumped from libxml2.so.2 to libxml2.so.16.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
Link: https://github.com/openwrt/openwrt/pull/19983
(cherry picked from commit 420be05d90)
Link: https://github.com/openwrt/openwrt/pull/19985
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
6e4ffe2c6657 ucode: add function for getting the number of entries in a snapshot
a62edd89255b ucode: add support for fetching kernel tracepoint events
edeb4d6dc690 udebug-cli: add support for streaming tracing data
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 78188ee2bc)
3d953628bf17 udebugd: add support for setting an override config
93f6df0240e5 udebug-cli: add support for overriding config on the command line
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit c4e7b9b9b7)
This enables software that requires this cipher suite (e.g. OpenThread Border
Router) to be compiled against the shared library rather than a separate copy.
Signed-off-by: Karsten Sperling <ksperling@apple.com>
Link: https://github.com/openwrt/openwrt/pull/19489
(cherry picked from commit 97dc9f8dbf)
Link: https://github.com/openwrt/openwrt/pull/19839
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
5d10084ea885 lib-ucode.c: add #define _GNU_SOURCE
a95364b41d52 udebug-cli: fix terminating uloop
c00eb9b685a8 ucode: use FILE handle for pcap output
4265167cb6e8 ucode: add error reporting to pcap_write
4a908ee731a6 udebug-cli: stop event loop on write failure
6e04f4187231 ucode: use ucv_resource_create_ex for remote rings
c297f04e1852 ucode: drop use ucv_resource_create
f207d37a1055 ucode: add support for specifying ring format
98683a94bcdd ucode: support appending array data, similar to socket.send()
a7ecd483ed38 ucode: allow calling udebug.init() multiple times
d4a4c788c416 ucode: fix allocation size of local ring meta
184706abaf50 ucode: add timestamp argument to foreach()
8442c948c193 ucode: add function for getting ring information
f4958a4c591a ucode: add const entries for enum udebug_format
14d4fec36993 udebug-cli: add logstream command
6ed8536142bb ucode: fix entries/size confusion
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 7b0ce213e9)
This release incorporates the following bug fixes and mitigations:
Miscellaneous minor bug fixes.
Link: https://github.com/openwrt/openwrt/pull/19325
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Backport upstream commit dropping external definition of mbrtowc. The
said definition conflicts with one provided by GCC 15. Issue found on
24.10 SDK.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
Trying to tcpdump DSA conduits results in errors such as
"unsupported DSA tag: mtk".
Backport two commits adding support for various DSA tags to libpcap.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit fad94e8cda)
Currently, enabling USB, BT or Netfilter support after initial compilation
will not trigger a rebuild, so add the missing PKG_CONFIG_DEPENDS so
that rebuild gets triggered.
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
(cherry picked from commit fe37574be6)
Changes between 3.0.15 and 3.0.16 [11 Feb 2025]
CVE-2024-13176[1] - Fixed timing side-channel in ECDSA signature
computation.
There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In
particular the NIST P-521 curve is affected. To be able to measure this
leak, the attacker process must either be located in the same physical
computer or must have a very fast network connection with low latency.
CVE-2024-9143[2] - Fixed possible OOB memory access with invalid
low-level GF(2^m) elliptic curve parameters.
Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit
values for the field polynomial can lead to out-of-bounds memory reads
or writes. Applications working with "exotic" explicit binary (GF(2^m))
curve parameters, that make it possible to represent invalid field
polynomials with a zero constant term, via the above or similar APIs,
may terminate abruptly as a result of reading or writing outside of
array bounds. Remote code execution cannot easily be ruled out.
1. https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
2. https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
Build system: x86/64
Build-tested: bcm27xx/bcm2712
Run-tested: bcm27xx/bcm2712
Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/17947
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit b4e6fd7b76)
Adjust wolfssl version for apk by removing the "-stable"
from the OpenWrt version, although it is still needed for
upstream download archive name.
Define PKG_BUILD_DIR accordingly.
Utilize new short version to simplify ABI_VERSION calculation.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/16906
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit be952e98bc)
The ARIA block cipher is pretty uncommon in TLS; deactivate it for now.
This saves some space and reduces the possible variations and attack
vectors of mbedtls.
ARIA support was deactivated in OpenWrt 23.05 by default.
Link: https://github.com/openwrt/openwrt/pull/17342
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 3c0ef48bc8)
With the aarch64 musl gcc 14.x compiler, trying to compile elfutils 0.192 with
the lto option enabled causes a null-dereference error.
Example error message:
```
...
elf_compress.c: In function 'elf_compress':
elf_compress.c:675:26: error: potential null pointer dereference [-Werror=null-dereference]
  675 |       shdr->sh_flags |= SHF_COMPRESSED;
      |       ^
elf_compress_gnu.c: In function 'elf_compress_gnu':
elf_compress_gnu.c:127:25: error: potential null pointer dereference [-Werror=null-dereference]
  127 |       shdr->sh_size = new_size;
      |       ^ ^
...
```
This is a false positive warning but will abort compilation if gcc has
the `-Werror` flag. This commit adds a patch for this, see the bugzilla
report below.
This commit backports a series of patches to fix some errors.
Add patch:
- 007-add-libeu-symbols-to-libelf.patch
- 008-fix-autoconf-ENABLE_IMA_VERIFICATION.patch
- 009-fix-null-dereference-with-lto.patch
Link: https://sourceware.org/bugzilla/show_bug.cgi?id=32311
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16886
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit afffcd09e5)
Link: https://github.com/openwrt/openwrt/pull/17097
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Currently, libreadline only installs
```
/usr/lib/libhistory.so.8 -> libhistory.so.8.2
/usr/lib/libhistory.so.8.2
/usr/lib/libreadline.so.8 -> libreadline.so.8.2
/usr/lib/libreadline.so.8.2
```
But there is no `libreadline.so` or `libhistory.so` available.
So this happens:
```
root@OpenWRT:~# cat a.c
int main() {
}
root@OpenWRT:~# gcc a.c -lreadline
/usr/bin/ld: cannot find -lreadline: No such file or directory
collect2: error: ld returned 1 exit status
```
Unless, of course, one uses `-l:libreadline.so.8`... But that
doesn't help with binaries that try to dynamically open
`libreadline.so`. I have one of those here (the STklos Scheme
compiler -- I didn't make a PR for it because it's far from
being ready, but one issue is that it does use dlopen to use
readline...)
With the symlink, it works:
```
root@OpenWRT:~# ln -s /usr/lib/libreadline.so.8 /usr/lib/libreadline.so
root@OpenWRT:~#
root@OpenWRT:~# gcc a.c -lreadline
root@OpenWRT:~#
```
Another example: when trying to package rlwrap, the build failed
complaining it could not find readline (using `-lreadline`).
It would then be necessary to change rlwrap's `configure.ac`
(and also in all packages that use readline), but it seems
simpler to add the symlinks...
This PR changes the Makefile so it will include the links.
Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>
Link: https://github.com/openwrt/openwrt/pull/16445
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 0000ba6ab8)
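The linking failure above comes down to a missing unversioned `libfoo.so` next to the versioned file and its soname link. As an added example (not part of the OpenWrt commit), the POSIX shell functions below scan a library directory for that gap and create the missing link the way the commit does; `missing_dev_links`, `add_dev_links` and the constructed staging directory are hypothetical names chosen here.

```shell
#!/bin/sh
# Added check, not OpenWrt code: find libraries that ship libfoo.so.N.M and the
# soname link libfoo.so.N but lack libfoo.so, which "-lfoo" and dlopen("libfoo.so") need.
missing_dev_links() {
    dir=$1
    for f in "$dir"/lib*.so.*; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        base=${f##*/}
        stem=${base%%.so.*}              # libreadline.so.8.2 -> libreadline
        [ -e "$dir/$stem.so" ] && continue
        echo "$stem"
    done | sort -u
}

# Create libfoo.so -> libfoo.so.N for every library reported above, pointing at
# the soname link (the entry whose suffix after ".so." has no further dot).
add_dev_links() {
    dir=$1
    for stem in $(missing_dev_links "$dir"); do
        soname=
        for x in "$dir/$stem".so.*; do
            case ${x##*.so.} in *.*) ;; *) soname=${x##*/} ;; esac
        done
        if [ -n "$soname" ]; then
            ln -s "$soname" "$dir/$stem.so"
        fi
    done
}

# Constructed staging directory mirroring the layout quoted in the commit message
demo_dir=$(mktemp -d)
for lib in libhistory libreadline; do
    : > "$demo_dir/$lib.so.8.2"
    ln -s "$lib.so.8.2" "$demo_dir/$lib.so.8"
done
: > "$demo_dir/libfoo.so.1.0"              # control case that already has its dev link
ln -s libfoo.so.1.0 "$demo_dir/libfoo.so.1"
ln -s libfoo.so.1 "$demo_dir/libfoo.so"

missing_dev_links "$demo_dir"              # reports libhistory and libreadline
```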
Link: https://github.com/openwrt/openwrt/pull/17097
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fixes the following security problem:
* CVE-2024-49195: Fix a buffer underrun in mbedtls_pk_write_key_der()
when called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled, and
the output buffer is smaller than the actual output. Fix a related
buffer underrun in mbedtls_pk_write_key_pem() when called on an opaque
RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled and MBEDTLS_MPI_MAX_SIZE is
smaller than needed for a 4096-bit RSA key.
Link: https://github.com/openwrt/openwrt/pull/16768
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Changes:
fa05d58e (tag: libnl3_10_0) libnl-3.10.0 release
490ffa07 python: fix flake8 warnings
6fc66dd8 doc: workaround LINK_DOC with empty libnl.dict
914812a9 lib: avoid overflow in computation of s_seq_next
5248e1a4 all: fix and enable "-Wsign-compare" warning
9451842e build: use AC_USE_SYSTEM_EXTENSIONS instead of defining _GNU_SOURCE
20664e1e build: move "-DPGKLIBDIR" and rename
81cab7da build: cleanup defining SYSCONFDIR on command line
cf47571c build: drop unnecessary "-Wno-missing-field-initializers" from default CFLAGS
131008f7 build: add "-Wvla" and "-Wdeclaration-after-statement" to default CFLAGS
7e05b622 lib: add internal _nla_len() helper
32688201 route: treat routes with via nexthops as universe scoped as well
c36c7faa format: reformat "include/base/nl-base-utils.h"
49f78229 tests: add a very basic test for route cache
2ebbc034 tests: add NLTstSelectRoute test helper
d784f2cb tests: set NLTST_IN_CI for not skipping tests accidentally
dcb9e2ef route: add missing priority to route_keygen() debug print
d44505ed tests: add helper to detect availablility of iproute2
774863b4 tests: add helper functions for tests
45a10f96 route: move "struct rtnl_nexthop" to "nl-priv-dynamic-route"
153f213b build: fix "check-progs" target in "Makefile.am"
a1e0b8b2 github: print test-suite.log in case of test failure
3e080631 route: expose nexthop id attribute
401c2488 tests: fix _nltst_object_to_string() to print one line only
529c2ab8 route: drop unused fields from "struct rtnl_route"
71e59e14 build: separate build tests from unit tests
8539b7d3 format: reformat "tests/nl-test-util.h" file
6db85366 route: merge branch 'bisdn:jogo_route_nh_cmp'
861fb809 route: use the new helper function for comparing nexthops
8cf29d7b nexthop: add a identical helper function
7cc72d19 utils: reserve the nl_has_capabiliy numbers for releases 3.10 - 3.12
30da5107 github,clang-format: update fedora version for clang-format
2301992b route: fix IPv6 ecmp route deleted nexthop matching
72e4d73f cache: merge branch 'ievenbach:aurora/cache-mgr-cb'
3381acef cache: use cleanup attribute in nl_cache_mngr_alloc_ex()
32cb9f39 cache: cleanup nl_cache_mngr_alloc_ex()
1dbdc30a cache: allow to allocate cache manager with custom refill socket
18b74e08 tests: test compiling all public headers with C++ compiler
691202bf tests: don't use $COMPILE for building header tests
15d90cbf include: add _NL_NO_WARN_DEPRECATED_HEADER for suppressing warning about deprecated headers
8a5f671a tests: avoid "-Wunused-parameter" warning in build headers test
db1a9d7d route: avoid compiler warning about calloc() arguments in rtnl_netem_set_delay_distribution()
3a43faa1 cache: fix new object in callback v2 on updated objects
46cae1bf socket: fix ubsan complaint about incorrect left-shift in generate_local_port()
96ddcd99 all: merge branch 'th/nl-debug'
13ab0122 github: test with --enable-debug=no configure option
264b244e utils: always define nl_debug_dp
dbe21b8d core: always define statements for NL_DBG()
e592dd89 build: always define NL_DEBUG
58734974 all: use defines for attributes
0c16c9cb route/bison: include "nl-default.h" in lex/yacc files
19d48b0f route: add support for layer 3 filtering on bridges
3646398d route: merge branch 'Cordell-O:main'
e21278ed tests: add test for bridge vlan attributes.
4f324f73 route: add support for vlan filtering on bridge ports.
bf071f2b route: Add support to set ageing time for dynamic bridge table entries
b76c3a5d tests: add unit test for `nl_addr_parse("default", AF_INET6, &addr6)`
8693347f lib/xfrm: add missing #include <time.h>
Small size increase:
955 bin/packages/mips_24kc-old/base/libnl200_3.9.0-r1_mips_24kc.ipk
11157 bin/packages/mips_24kc-old/base/libnl-cli200_3.9.0-r1_mips_24kc.ipk
34896 bin/packages/mips_24kc-old/base/libnl-core200_3.9.0-r1_mips_24kc.ipk
7698 bin/packages/mips_24kc-old/base/libnl-genl200_3.9.0-r1_mips_24kc.ipk
25400 bin/packages/mips_24kc-old/base/libnl-nf200_3.9.0-r1_mips_24kc.ipk
148366 bin/packages/mips_24kc-old/base/libnl-route200_3.9.0-r1_mips_24kc.ipk
956 bin/packages/mips_24kc-new/base/libnl200_3.10.0-r1_mips_24kc.ipk
11154 bin/packages/mips_24kc-new/base/libnl-cli200_3.10.0-r1_mips_24kc.ipk
34965 bin/packages/mips_24kc-new/base/libnl-core200_3.10.0-r1_mips_24kc.ipk
7699 bin/packages/mips_24kc-new/base/libnl-genl200_3.10.0-r1_mips_24kc.ipk
25385 bin/packages/mips_24kc-new/base/libnl-nf200_3.10.0-r1_mips_24kc.ipk
149852 bin/packages/mips_24kc-new/base/libnl-route200_3.10.0-r1_mips_24kc.ipk
Link: https://github.com/openwrt/openwrt/pull/16592
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
New releases of openssl are only published on GitHub, and official
downloads are also redirected to GitHub. So remove the old download
mirrors (file 404), and replace the current address with https.
Link: https://openssl-library.org/source/
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
Link: https://github.com/openwrt/openwrt/pull/16470
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this release is Moderate.
This release incorporates the following bug fixes and mitigations:
* Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
* Fixed possible buffer overread in SSL_select_next_proto() (CVE-2024-5535)
Added GitHub releases URL as source mirror
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16332
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>