New upstream release includes fixes for the following security issues:
* CVE-2017-3140: With certain RPZ configurations, a response with TTL 0 could
cause named to go into an infinite query loop
* CVE-2017-3142: An error in TSIG handling could permit unauthorized zone
transfers or zone updates.
* CVE-2017-3143: An error in TSIG handling could permit unauthorized zone
transfers or zone updates.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
afraid.org has a new update API with better IPV6 support. It needs to be
specifically enabled for each domain, so the original v1 api has been
Signed-off-by: Thomas Guyot-Sionnest <dermoth@aei.ca>
For now building from git using latest SHA (commits are relatively
infrequent). Set priority to come up immediately after network
interfaces are brought up. Patches have been submitted upstream
(but not yet accepted) to fix:
* a somewhat cross-compile unfriendly makefile;
* a header inclusion issue which causes MUSL compilation warnings;
* using the somewhat arcane posix_fallocate() in favor of the
more ubiquitous ftruncate() system call instead.
Hopefully the next release will include our submitted fixes and
we can transition to a numbered release.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
If lighttpd's scripts are rotated from under it while they're still open,
this will cause some weird things to happen. Give it a heads up that
the logs have moved.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Add enabled config option in the global uci section; it allows to put into
place the snmpd config but not yet start the netsnmp daemon.
If config option is unset; netsnmp daemon will be started as before.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Primarily a bugfix release for a CVE that doesn't affect lede/openwrt,
but also includes some websockets perfomance fixes.
Release notes at https://mosquitto.org/2017/07/version-1-4-13-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
This brings the route_allowed_ips option into parity with the addresses
option, which makes these same assumption. The parsing selection is made
to be identical between these two settings.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wait for hostapd comes up during boot
* remove needless ubus call during script startup
* remove needless iwinfo check (covered by package dependency)
Signed-off-by: Dirk Brenken <dev@brenken.org>
- Selecting only a single or subset of all components of shadowsocks-libev is
now possible (this is the main motivation behind the rewrite)
- Configuring multiple instances of the same component is now also possible
- Same option names as with the json config
- Unified configuration generation method for each component
- Add support for ss-local, ss-tunnel, ss-server
- Most data validation is now done with validate_data
- USE_PROCD=1
- Update ss-rules with the one from shadowsocks/luci-app-shadowsocks
- Add README.md
- Set myself as the maintainer
Addresses #4435
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* made DNS restart conditional (compare list hash values),
to prevent needless restarts of the DNS backend
Signed-off-by: Dirk Brenken <dev@brenken.org>
Apparently, even if you don't select the `openvswitch-python` package,
Python still gets built (for the target build).
But, if the python dependencies are conditional on the
`PACKAGE_openvswitch-python` symbol then they aren't build.
This should improve build times, if you only want to build the
`openvswitch` package.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Seems it was not failing for me because it was probably
using my host Python, which may have the `six` package
available.
This patch enforces the use of the packaged Python.
That way, it's more consistent that the python-six
package is available.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The most important change is local redirects being disabled by default.
There is an option called cgi.local-redir that allows enabling this
optimization manually back if needed.
Local redirects were initially introduced in 1.4.40 but caused many
problems for *some* web services.
One of problems is breaking Post/Redirect/Get design pattern. With
redirects handled on server side there is no browser redirection making
it "lose" the POST data.
Another possible issue are HTML forms with action="". With CGI local
redirects browser may be sending form data to the wrong URL (the one
that was supposed to redirect the browser).
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
From upstream's changelog:
* main: annotate init/exit functions to save memory
* selftest: remove antique siphash self test
* haskell: re-add updated haskell example
* socket: use ip_rt_put instead of dst_release
* device: avoid double icmp send on routing loop
* compat: clean up cruft
* global: cleanup IP header checking
* compat: do not export symbols unnecessarily
Various cleanups and updates.
* device: netdevice destruction logic change for 4.12
When Linux 4.12 is released next week, we're good to go.
* device: only use one sleep notifier
Rather than have a separate sleep notification for every interface, we now
have a single notifier for every interface. This improves performance,
especially when creating many interfaces at once.
* device: remove icmp conntrack hacks
We're moving hacks upstream the proper way, and then backporting them to
compat.
* receive: extend rate limiting to 1 second after under load detection
After we determine that we're under load, we now wait 1 second before not
being under load again, a timer which is global across all interfaces on a
given system.
* curve25519: satisfy sparse and use short types
* curve25519: keep certain sandy2x functions in C
Certain functions have been made into C, which should improve stack frames and
reliability.
* ratelimiter: rewrite from scratch
This is a big change. We no longer rely on x_tables or xt_hashlimit, instead
using a super minimal and sleek token bucket ratelimiter. This works much
better than the old cruft and should allow us to run more places. It also has
the benefit of being global, so that it's possible to have thousands of
interfaces without killing the system with separate GCs and vmallocs, which is
what happened prior.
* socket: verify saddr belongs to interface
We now more quickly react to changes of the v4 routing table, by ensuring that
the sticky source address is actually still valid.
* wg-quick: properly match IPv6 endpoint
wg-quick now works better with IPv6.
* wg-quick: use printf -v instead of namerefs for bash 4.2
This adds support for old bash, which means wg-quick should be generically
"bash 4 and up". I'm not happy about this but EL7 uses old bash, so we're
stuck with it.
* compat: support EL7.3
Support for RHEL, CentOS, ScientificLinux, and so forth.
* compat: support Ubuntu 14.04
An old crufty Ubuntu is now supported, since it's LTS.
* add bind support (see readme)
* export all blocked domains in one central file (adb_list.overall)
* prerequisite for proper bind support
* much faster sort operation with less memory consumption
* backups are still handled per source separately,
to be more flexible in adding/removing block list sources
* add additional 'wan6' interface trigger in default configuration
* various small fixes & optimizations
Signed-off-by: Dirk Brenken <dev@brenken.org>
If more then one interface get up/down at once mwan3 could be in a
undefined state, because more then one mwan3 hotplug script are running
and editing the iptables.
Lock the critical section should solve this issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
A lot of autoconf-based scripts expect --with-foo-dir=$(STAGING_DIR)/usr
and break if they can't find bin/foo-config as a child of that path.
Putting things in $(STAGING_DIR)/host/bin seems to be suboptimal; I
could change the install path but there's no saying what that would
break.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
With this patch the unbound init routines manage resolv.conf if and only if
when unbound will listen on 127.0.0.1#53 and dnsmasq is not.
Also logs some cases where config values are overriden with sane defaults.
Fixes (partially) LEDE FS#785
Fixesopenwrt/packages#4487
Signed-off-by: Paul Oranje <por@xs4all.nl>
luci2-io-helper: bugfix buckup script read timeout
Reading files from stdin will block for ever. The uhttpd is killing the
backup process after script_timeout.
Switching read to non blocking mode and add a waitpid for the slave
process does not end in a script_timeout anymore.
Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* use iwinfo instead iw for wlan scanning,
scanning now works on radio-level
* enhance multiple radio support:
* support STA-only radio configurations,
e.g first radio with local AP, second radio
with a bunch of STAs (without APs)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Add config support which allow snmpd to take a more active role by sending
traps.
Following config options are supported which map directly on snmpd directives:
-trapcommunity
-trapsink
-trap2sink
-informsink
-authtrapenable
-v1trapaddress
-trapsess
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
- use exec directly to eliminate a level in the process tree
- use "$@" instead of "$*" to pass arguments to openconnect
According to openconnect(8), openconnect will call vpnc-script to
cleanup before quit when it received SIGINT(2) and will quit immediately
when it received SIGTERM (the default signal by kill command)
Before and after the change, openconnect process will be killed first
with SIGINT sent from netifd. This was decided by the
'proto_kill_command "$config" 2' notify call in the proto script.
SIGKILL is the only other signal that can be sent from netifd when the
process did not quit on SIGINT on time. There should be no need to trap
on signal 1 3 6 9 (HUP QUIT ABRT KILL)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>