Several security issures are addressed:
- CVE-2020-8620 It was possible to trigger an assertion failure by sending
a specially crafted large TCP DNS message.
- CVE-2020-8621 named could crash after failing an assertion check in
certain query resolution scenarios where QNAME minimization and
forwarding were both enabled. To prevent such crashes, QNAME minimization is
now always disabled for a given query resolution process, if forwarders are
used at any point.
- CVE-2020-8622 It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
- CVE-2020-8623 When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code determining the
number of bits in the PKCS#11 RSA public key with a specially crafted
packet.
- CVE-2020-8624 update-policy rules of type subdomain were incorrectly
treated as zonesub rules, which allowed keys used in subdomain rules to
update names outside of the specified subdomains. The problem was fixed by
making sure subdomain rules are again processed as described in the ARM.
Full release notes are available at
https://ftp.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Drops pid files, no longer needed with procd management.
Now properly reloads on reload_config after UCI changes.
Signed-off-by: Karl Palsson <karlp@etactica.com>
[ Fixed two shellcheck warnings and bump PKG_RELEASE ]
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
fakepop is a fake pop3 daemon. It returns always the same messages to all users, it does not care about usernames and passwords. All user/pass combinations are accepted.
Signed-off-by: Marc Egerton <foxtrot@realloc.me>
Commit cb058bf changed gstreamer1's build options, and this broke some
applications.
First, -Doption-parsing=false is intended for very specific embedded
applications rather general packages. Please see:
https://github.com/openwrt/packages/pull/8847https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/388
Second, -Dregistry=false seems to break plugin discovery. Symptoms of
this include broken applications and gst-inspect-1.0 listing zero plugins.
Fixes#13180.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
Includes:
- dawn_uci: fix crashing when uci config is received
- tcpsocket: add option to add server ip
A new config option allows to add a server ip
option server_ip '10.0.0.2'
However, this server does not send anything back. Therefore it is not
possible to change the node configuration. This will probably be added
soon. The main goal of this commit is to allow monitoring of all nodes
in a network with DAWN, e.g. clients, channel utilization, ...
Also a network option (3) has been added which allows to use TCP but
not to announce your daemon in the broadcast domain. This allows you to
create a monitor-only node that holds only the local information and
forwards it to the central server.
A monitor-only node could be configured like
option server_ip '10.0.0.1'
option tcp_port '1026'
option network_option '3'
Another possible config is
option server_ip '10.0.0.1'
option tcp_port '1026'
option network_option '2'
Here, the node shares information with a central server, which can be
located outside the broadcast domain. Nevertheless, it also shares
information within its broadcast domain and can therefore perform
client steering.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Add license information.
Add PKG_INSTALL and PKG_BUILD_PARALLEL for consistency between packages.
Minor cleanups.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
There are intermittent build failures on the buildbots because of this.
I see the same build failures locally as well.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Security release. From the changelog:
- In some circumstances, Mosquitto could leak memory when handling PUBLISH
messages. This is limited to incoming QoS 2 messages, and is related
to the combination of the broker having persistence enabled, a clean
session=false client, which was connected prior to the broker restarting,
then has reconnected and has now sent messages at a sufficiently high rate
that the incoming queue at the broker has filled up and hence messages are
being dropped. This is more likely to have an effect where
max_queued_messages is a small value. This has now been fixed. Closes
https://github.com/eclipse/mosquitto/issues/1793
Changelog: https://mosquitto.org/blog/2020/08/version-1-6-12-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
This patch makes it possible to configure and limit per-client internet
speed based on MAC address and it can work with SQM.
This feature is what OpenWRT currently lacks. This patch is largely based
on static.sh and the configuration file is similar to original nft-qos.
New configuration options and examples are listed below
config default 'default'
option limit_mac_enable '1'
config client
option drunit 'kbytes'
option urunit 'kbytes'
option hostname 'tv-box'
option macaddr 'AB:CD:EF:01:23:45'
option drate '1000'
option urate '50'
config client
option drunit 'kbytes'
option urunit 'kbytes'
option hostname 'my-pc'
option macaddr 'AB:CD:EF:01:23:46'
option drate '3000'
option urate '2000'
limit_mac_enable - enable rate limit based on MAC address
drunit - download rate unit
urunit - upload rate unit
macaddr - client MAC address
drate - download rate
urate - upload rate
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Since making ffmpeg dependent on BUILD_PATENTED, the full variant
becomes unable to play mp3s. Change that.
libmad is superior to mpg123 because of its faster decoding speed on
soft float systems and because in MPD, it supports streams (HTTP for
example).
ffmpeg supports streams as well. Avoid libmad in that case.
Minor Makefile cleanups.
Signed-off-by: Rosen Penev <rosenp@gmail.com>