Signed-off-by: Jeffery To <jeffery.to@gmail.com>

nghttp2: update to 1.43

Currently, we called `/usr/libexec/login.sh` as login command, but unfortunately the auth
is disabled by default in it[1], and this is really serious as it could be a free "backdoor"
for any spoiler who has conntectd to the router via LAN or wireless.

In my option, it shouldn't be exposed to anyone without auth, so I set the default login
command to `/bin/login`. And for those who really want that, they can do it themselves.

1. `login.sh` adjusts whether use authentication or not from system config named ttylogin,
which is set to disabled by default. See package/base-files/files/bin/config_generate#L243.

Signed-off-by: Tianling Shen <cnsztl@project-openwrt.eu.org>

3dc6c0af Bump version number to 1.43.0
e8762781 Update AUTHORS
2bf841e2 workflow: Build with UBSAN enabled
7ebab98e Merge pull request #1548 from nghttp2/py3-bindings
23fc6cc9 Bump Linux runner OS to ubuntu 20.04
2e35cdea Update doc
22af8e78 Require python3 for python bindings
c88e9100 Update ax_python_devel.m4
43ba3125 Merge pull request #1547 from nghttp2/sphinx-v3.3
3c17299a Update enum references
a7ecff65 Make doc generation work with sphinx v3.3
79a4f789 Merge pull request #1546 from nghttp2/py3-scripts
28ba0b37 Update document reference
6b7ade9f Require python3 for python scripts
46536729 Bump clang-format to 10
563c1173 Merge pull request #1544 from nghttp2/nghttpx-clear-mcpool
1c04ca80 Merge pull request #1540 from tavrez/patch-1
d32e20bc nghttpx: Make sure that Pool gets cleared when all buffers are returned
8b8ba6b0 Merge pull request #1542 from nghttp2/nghttpx-check-sigalg
81fb0153 nghttpx: Choose ECDSA cert if compatible signature algorithm available
d8c71d5f Added new nghttp2_ksl.c to Windows makefile
fb5b5aef Merge pull request #1537 from nghttp2/nghttpx-allow-colon-in-pattern
6787423e nghttpx: Add workaround to include ':' in backend pattern
ffcdf5df Merge pull request #1533 from LorenzNickel/patch-1
0cdb1738 Fix typo in security.rst
c9d5472f Bump version number to 1.43.0-DEV
15bd71ed Update manual pages

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

This fixes issue #13361.

Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>

- Update haproxy download URL and hash

Signed-off-by: Christian Lachner <gladiac@gmail.com>

php8: Don't run phpize8 with QUILT

banip: release 0.7.1

clamav: update to version 0.103.0

* add 'ban_extrasources' to handle banIP-unrelated sets for reporting
  and queries
* add set timeouts for local sources (maclist, whitelist, blacklist)

Signed-off-by: Dirk Brenken <dev@brenken.org>

zerotier: update to 1.6.3

rtty: update to 7.3.2

This tool can be used to automatically create wireguard tunnels. Using
rpcd a new wireguard interface is created on the server where the client
can connect to.

Wiregurad server automatically installs a user and associated ACL to use
the wireguard-installer-server features. The user is called wginstaller
and so is the password.

Get Usage:
  wg-client-installer get_usage --ip 127.0.0.1 --user wginstaller
	--password wginstaller

Register Interface:
  wg-client-installer register --ip 127.0.0.1 --user wginstaller
         --password wginstaller --bandwidth 10 --mtu 1400

Signed-off-by: Nick Hainke <vincent@systemli.org>

Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>

Allows targets such as prepare, refresh, or update to be run without
building dependencies for easier patch maintenance.

This is d741a64b7 applied to php8.

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>

Signed-off-by: Moritz Warning <moritzwarning@web.de>

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

openvpn: Support username and password options

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

isc-dhcp: treat 'config host' like superset of 'config domain'

php8: update to 8.0.2

php8: fix cross-compiling for x86_64

netifyd: add reproducibility patch

libreswan: update to 4.2

nss: update to 3.61

lang/php7: Don't run phpize7 with QUILT

This fixes:
  - CVE-2021-21702

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

The build process uses a minilua helper for code generation
which must not be compiled with target cross-compiler but
the host compiler.

This error was spotted by buildbots:
ext/opcache/minilua /builder/shared-workdir/build/sdk/build_dir/
 target-x86_64_musl/php-8.0.1/ext/opcache/jit/dynasm/dynasm.lua
 -D X64=1 -o ext/opcache/jit/zend_jit_x86.c /builder/shared-workdir
 /build/sdk/build_dir/target-x86_64_musl/php-8.0.1/ext/opcache/jit/zend_jit_x86.dasc
/bin/bash: ext/opcache/minilua: No such file or directory
Makefile:406: recipe for target 'ext/opcache/jit/zend_jit_x86.c' failed
make[4]: *** [ext/opcache/jit/zend_jit_x86.c] Error 127

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

Not including an A record mapping will cause nsupdate to balk at
CNAME and MX records (and probably SRV as well) because the target
will be unknown at the time of parsing, until the lease gets
activated.

We need these RR's to be in place well before the servers even
come up.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

libs/nss: Don't run nsinstall with QUILT

banip: release 0.7.0

* major rewrite
* add support for multiple chains
* add mac whitelisting
* add support for multiple ssh daemons in parallel
* add an ipset report engine
* add mail notifications
* add suspend/resume functions
* add a cron wrapper to set an ipset related auto-timer for
  automatic blocklist updates
* add a list wrapper to add/remove blocklist sources
* add 19.x and Turris OS 5.x compatibility code
* sources stored in an external compressed json file
  (/etc/banip/banip.sources.gz)
* change Country/ASN download sources (faster/more reliable)
* fix DHCPv6/icmpv6 issues

Signed-off-by: Dirk Brenken <dev@brenken.org>

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>

Add "ipstatistics"-plugin. This plugin parses "/proc/net/netstat" and
"/proc/net/snmp6" to get the overall ipv4 and ipv6 usage.

Signed-off-by: Nick Hainke <vincent@systemli.org>

svox: Don't move files with QUILT

xray-core: fix service start / reload

Allows targets such as prepare, refresh, or update to be run without
building dependencies for easier patch maintenance.

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>

This is significantly faster.

Signed-off-by: Andre Heider <a.heider@gmail.com>

Allows targets such as prepare, refresh, or update to be run without
building dependencies for easier patch maintenance.

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>

Allows targets such as prepare, refresh, or update to be run without
building dependencies for easier patch maintenance.

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>

Fix starting problem:
Starting function should be named 'start_service' instead of 'start_instance'.

Fix reloading problem:
Register reload tigger for uci config itself.
And, xray does not support reload currently, so use legacy restart as reload.

Fixes: 6c9b96352f ("xray-core: add init script")

Signed-off-by: Tianling Shen <cnsztl@project-openwrt.eu.org>

ksmbd(-tools): update to 3.3.4

macremapper: linux 5.6+ compatibility

prometheus-node-exporter-lua: update netstat

mini_snmpd: Fix minor nit in the init script

wget: update to 1.21.1

dockerd: change dockerd start level to 99 to avoid unknown conflicts

xray-core: add example configs and init script

Major changes are:

    add "vfs objects = acl_xattr" parameter in configuration.
    fix wrong group domain name in lsarpc response.
    set to SID_TYPE_UNKNOWN if there is no domain sid in server.

Signed-off-by: Rosen Penev <rosenp@gmail.com>