Update to latest release.
Add patch `003-Revert-libcap-Add-build-ldflags-to-_makenames-rule.patch`
to fix errors in the form of:
```
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(__stack_chk_fail.o): relocation R_X86_64_32 against symbol `__stack_chk_guard' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(strerror.o): relocation R_X86_64_32 against `.rodata.errmsgstr' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(realloc.o): relocation R_X86_64_32S against hidden symbol `__malloc_size_classes' can not be used when making a PIE object
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(__stdout_write.o): relocation R_X86_64_32S against hidden symbol `__stdio_write' can not be used when making a PIE object
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(ofl.o): relocation R_X86_64_32 against `.bss.ofl_lock' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(stderr.o): warning: relocation against `__stderr_FILE' in read-only section `.rodata.stderr'
/usr/bin/ld.bfd: /usr/lib/gcc/x86_64-linux-gnu/10/../../../x86_64-linux-gnu/Scrt1.o: in function `_start':
(.text+0x12): undefined reference to `__libc_csu_fini'
/usr/bin/ld.bfd: (.text+0x19): undefined reference to `__libc_csu_init'
collect2: error: ld returned 1 exit status
```
Changes: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/diff/?id=v1.2.77&id2=v1.2.69&dt=2
The apk size did not increase much:
Old size for armsr/armv8:
16245 libcap-2.69-r1.apk
new size for armsr/armv8:
16315 libcap-2.77-r1.apk
Signed-off-by: Nick Hainke <vincent@systemli.org>
Link: https://github.com/openwrt/openwrt/pull/20881
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
libunwind fails to compile because the include for the WORDSIZE
definition was missing when compiling with musl libc.
This lead to unw_word_t being defined as 64 bit long instead
of the correct 32 bit.
Signed-off-by: David Bauer <mail@david-bauer.net>
Fix the cipher implementation to avoid treating empty input as finalizer.
This issue is fixed in the openssl 3.6 branch, but the fix approach from
that branch is not suitable for 3.5, since the code is completely different.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Switch to Meson build system and add missing dependency for
libtraceevent-extra.
This switch indirectly fix a compilation error on 32bit target that
weren't getting correct target CFlags. Using Meson fix honour our CFlags
and fix the compilation error.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
MUSL doesn't provide PTHREAD_RWLOCK_PREFER_WRITER_NONRECURSIVE_NP as
it's only glibc and as the MACRO say, it's NP (not portable).
Add patch to check for this and disable overwriting the function
accordingly.
Fixes: 9bdf723476 ("libunistring: update to 1.4.1")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
JIT support in pcre2 allows for extra performance for regex operations in
applications that support it. As outlined in
https://pcre.org/current/doc/html/pcre2jit.html#SEC2 64-bit ARM is
supported.
I tested this on an GL.Inet MT6000 which is an aarch64 device and to my
knowledge everything works as expected. The primary application I tested
this on was haproxy, which makes use pcre for several operations.
If there are no known downsides or known breakages I suggest to
default-enable this feature for aarch64.
Signed-off-by: Christian Lachner <gladiac@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/20891
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This version fixes multiple security problems:
CVE-2025-7395: Problem in certificate verification on Apple devices
CVE-2025-7394: Predictable results from RAND_bytes() after fork call in OpenSSL compatibility layer
CVE-2025-7396: Activate Curve25519 blinding support
See Release notes:
https://github.com/wolfSSL/wolfssl/releases/tag/v5.8.0-stablehttps://github.com/wolfSSL/wolfssl/releases/tag/v5.8.2-stable
wolfSSL is now GPLv3 instead of GPLv2, see:
629c5b4cf6
The file size increased a bit:
```
546060 bin/packages/mipsel_24kc/base/libwolfssl5.7.6.e624513f-5.7.6-r1.apk
560684 bin/packages/mipsel_24kc/base/libwolfssl5.8.2.e624513f-5.8.2-r1.apk
```
Link: https://github.com/openwrt/openwrt/pull/20547
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
PKG_NAME was lost during package migration from "packages" feed to "main" feed.
Signed-off-by: Matthias Franck <matthias.franck@softathome.com>
Link: https://github.com/openwrt/openwrt/pull/20662
Signed-off-by: Robert Marko <robimarko@gmail.com>
This mainly improve the CFLAGS handling on compilation of OpenSSL.
The CFLAGS are currently passed 2 times generating compilation warning
due to -fhonour-copts passed 2 times.
This can be improved by passing the CFLAGS as env to the OpenSSL
Configure tool.
For consistency we do the same for CPPFLAGS and LDFLAGS.
This permits to drop redundant flags in the Compile phase and from the
.conf file.
Link: https://github.com/openwrt/openwrt/pull/20665
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Patch CMakeLists.txt for cmake 4.x compatibility.
New cmake versions require at least 3.5 as 'cmake_minimum_required'
in CMakeLists.txt. In future 3.10 will be required.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/20265
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Patch CMakeLists.txt in selected apps for cmake 4.x compatibility.
New cmake versions require at least 3.5 as 'cmake_minimum_required'
in CMakeLists.txt. In future 3.10 will be required.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/20265
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Patch CMakeLists.txt in selected apps for cmake 4.x compatibility.
New cmake versions require at least 3.5 as 'cmake_minimum_required'
in CMakeLists.txt. In future 3.10 will be required.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/20265
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This reverts commit 096739a93d.
The new fortify-headers version needs some more work to be usable in
OpenWrt. Revert this to fix the builds again.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add compatibility with the new fortify-headers 2.3.3 by
disabling two warnings.
Fixes: 6268692bd2 ("toolchain: fortify-headers: Update to version 2.3.3")
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/20552
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
release is Moderate.
This release incorporates the following bug fixes and mitigations:
Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
(CVE-2025-9230)
Fix Timing side-channel in SM2 algorithm on 64 bit ARM.
(CVE-2025-9231)
Fix Out-of-bounds read in HTTP client no_proxy handling.
(CVE-2025-9232)
Reverted the synthesised OPENSSL_VERSION_NUMBER change for the release
builds, as it broke some exiting applications that relied on the previous
3.x semantics, as documented in OpenSSL_version(3).
Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc
Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/20275
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
d3be5474f6e6 udebug-cli: ignore zero-length messages in logstream
c79f02d899df ucode: fix skipping lines where the timestamp cannot be parsed
5327524e7153 cmake: bump minimum required version to 3.13
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
If there is used $(PKG_NAME) in PKG_SOURCE_URL,
then it can not be copy&pasted to the browser's address bar.
Let's remove $(PKG_NAME) and use hardcoded project name
in the PKG_SOURCE_URL
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/20193
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fix typo in patch file suffix.
Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/20178
Signed-off-by: Robert Marko <robimarko@gmail.com>
Removed upstreamed patch: 0001-Don-t-keep-the-store-open-in-by_store_ctrl_ex.patch
Release notes:
This is a bug fix release.
This release incorporates the following bug fixes and mitigations:
Added FIPS 140-3 PCT on DH key generation.
Fixed the synthesised OPENSSL_VERSION_NUMBER.
Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc
Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/20133
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
