Several security issures are addressed:
- CVE-2020-8620 It was possible to trigger an assertion failure by sending
a specially crafted large TCP DNS message.
- CVE-2020-8621 named could crash after failing an assertion check in
certain query resolution scenarios where QNAME minimization and
forwarding were both enabled. To prevent such crashes, QNAME minimization is
now always disabled for a given query resolution process, if forwarders are
used at any point.
- CVE-2020-8622 It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
- CVE-2020-8623 When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code determining the
number of bits in the PKCS#11 RSA public key with a specially crafted
packet.
- CVE-2020-8624 update-policy rules of type subdomain were incorrectly
treated as zonesub rules, which allowed keys used in subdomain rules to
update names outside of the specified subdomains. The problem was fixed by
making sure subdomain rules are again processed as described in the ARM.
Full release notes are available at
https://ftp.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Drops pid files, no longer needed with procd management.
Now properly reloads on reload_config after UCI changes.
Signed-off-by: Karl Palsson <karlp@etactica.com>
[ Fixed two shellcheck warnings and bump PKG_RELEASE ]
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
The openfortivpn routes are a bit different than the standard ppp
routes so we need to handle them with a custom ppp-up script.
Gateway should not be set, and src should be set to the PPP local ip
address.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
fakepop is a fake pop3 daemon. It returns always the same messages to all users, it does not care about usernames and passwords. All user/pass combinations are accepted.
Signed-off-by: Marc Egerton <foxtrot@realloc.me>
Includes:
- dawn_uci: fix crashing when uci config is received
- tcpsocket: add option to add server ip
A new config option allows to add a server ip
option server_ip '10.0.0.2'
However, this server does not send anything back. Therefore it is not
possible to change the node configuration. This will probably be added
soon. The main goal of this commit is to allow monitoring of all nodes
in a network with DAWN, e.g. clients, channel utilization, ...
Also a network option (3) has been added which allows to use TCP but
not to announce your daemon in the broadcast domain. This allows you to
create a monitor-only node that holds only the local information and
forwards it to the central server.
A monitor-only node could be configured like
option server_ip '10.0.0.1'
option tcp_port '1026'
option network_option '3'
Another possible config is
option server_ip '10.0.0.1'
option tcp_port '1026'
option network_option '2'
Here, the node shares information with a central server, which can be
located outside the broadcast domain. Nevertheless, it also shares
information within its broadcast domain and can therefore perform
client steering.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Security release. From the changelog:
- In some circumstances, Mosquitto could leak memory when handling PUBLISH
messages. This is limited to incoming QoS 2 messages, and is related
to the combination of the broker having persistence enabled, a clean
session=false client, which was connected prior to the broker restarting,
then has reconnected and has now sent messages at a sufficiently high rate
that the incoming queue at the broker has filled up and hence messages are
being dropped. This is more likely to have an effect where
max_queued_messages is a small value. This has now been fixed. Closes
https://github.com/eclipse/mosquitto/issues/1793
Changelog: https://mosquitto.org/blog/2020/08/version-1-6-12-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
This patch makes it possible to configure and limit per-client internet
speed based on MAC address and it can work with SQM.
This feature is what OpenWRT currently lacks. This patch is largely based
on static.sh and the configuration file is similar to original nft-qos.
New configuration options and examples are listed below
config default 'default'
option limit_mac_enable '1'
config client
option drunit 'kbytes'
option urunit 'kbytes'
option hostname 'tv-box'
option macaddr 'AB:CD:EF:01:23:45'
option drate '1000'
option urate '50'
config client
option drunit 'kbytes'
option urunit 'kbytes'
option hostname 'my-pc'
option macaddr 'AB:CD:EF:01:23:46'
option drate '3000'
option urate '2000'
limit_mac_enable - enable rate limit based on MAC address
drunit - download rate unit
urunit - upload rate unit
macaddr - client MAC address
drate - download rate
urate - upload rate
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
improve startup and runtime performance by
1) moving common startup procedures out of hotplug script when called
from mwan3 start
2) reducing calls to iptables to check status of rules
3) consolidating iptables updates and updating with iptables-restore
4) do not wait for kill if nothing was killed
5) running interface hotplug scripts in parallel
6) eliminate operations in hotplug script that check status on every
single interface unnecessarily
7) consolidate how mwan3track makes hotplug calls
8) do not restart mwan3track on connected events
This is a significant refactor, but should not result in any breaking
changes or require users to update their configurations.
version bump to 2.9.0
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
In hash-checking mode[1], pip will verify downloaded package archives
(source tarballs in our case) against known SHA256 hashes before
installing the packages.
As a consequence, this requires the use of requirements files[2] and
pinning packages to known versions.
The syntax for package Makefiles has changed slightly;
HOST_PYTHON3_PACKAGE_BUILD_DEPENDS no longer accepts requirement
specifiers like "foo>=1.0", only requirements file names (which are the
same as package names in the most common case).
This also updates affected packages, in particular:
* python-zipp: "setuptools_scm[toml]" has been split into
"setuptools-scm toml" to reuse the requirements file for
setuptools-scm (the extra depends installed by "setuptools_scm[toml]"
is toml).
* python-pycparser: This previously used ply 3.10, whereas the
requirements file will now install 3.11.
[1]: https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode
[2]: https://pip.pypa.io/en/stable/user_guide/#requirements-files
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Setup user database if non-existent, configure uhttpd .php interpreter
and patch php scripts to work out-of-the-box.
Also ship Hotspot 2.0 SPP and OMA DM XML schema/DTD files needed at
run-time for both client and server.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
use only committed uci changes for updating routing table
use functions.sh functions rather than uci command line tool
to find interfaces for routing table.
consolidate rtmon_ipv4 and rtmon_ipv6 functions into a single function
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Add hs20-server and hs20-client packages correspoding to the
hs20/client and hs20/server folder in hostap.git.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* remove 'dshield' and 'sysctl' (discontinued)
* switch 'malwaredomains', 'shallalist' and 'winhelp' to https
* add a second regional list for poland (provided by matx1002)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Signed-off-by: Dirk Brenken <dev@brenken.org>
Fix shellcheck SC2230
> which is non-standard. Use builtin 'command -v' instead.
Once applied to everything concerning OpenWrt we can disable the busybox
feature `which` and save 3.8kB.
Signed-off-by: Paul Spooren <mail@aparcar.org>
GCC10 defaults to -fno-common, which breaks compilation when there are
multiple definitions of implicit "extern" variables. Remove the extra
definitions.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
From CHANGES_2.4:
SECURITY: CVE-2020-11984 (cve.mitre.org)
mod_proxy_uwsgi: Malicious request may result in information disclosure
or RCE of existing file on the server running under a malicious process
environment. [Yann Ylavic]
SECURITY: CVE-2020-11993 (cve.mitre.org)
mod_http2: when throttling connection requests, log statements
where possibly made that result in concurrent, unsafe use of
a memory pool. [Stefan Eissing]
SECURITY:
mod_http2: a specially crafted value for the 'Cache-Digest' header
request would result in a crash when the server actually tries
to HTTP/2 PUSH a resource afterwards.
[Stefan Eissing, Eric Covener, Christophe Jaillet]
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
test_storage: fix compilation with musl 1.2.0
datastorage/test: improve scalability and performance
datastorage: fixed use of wrong client search
general: add memory auditing
memory auditing: bug fixes to memory auditing and hearing map
datastorage: fixes to linked list handling
tcpsocket: fix read callback function and arbitrary memory allocations
tcpsocket: leave loop if we read 0 byte
Furthermore, you can now dump the memory usage by sending a SIGHUP to
dawn process.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This fixes misleading errors in the status file, and increases buffer
sizes to match the python implementation.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Noah Meyerhans
Karl Palsson
David Yang
Marc Egerton
Peter Stadler
Aaron Goodman
Jakov Smolic
Stan Grishin
Nick Hainke
Aleksander Morgado
Rosen Penev
Tong Zhang
Norman Gehrsitz
Jeffery To
Daniel Golle
Mateusz Stępień
Matthias Schiffer
Dirk Brenken
Maxim Storchak
Yousong Zhou
Wojciech Dubowik
Paul Spooren
Tony Ambardar
Sebastian Kemper
Chen Minqiang
Eric Luehrsen
Florian Eckert