Today CVE-2020-7221 was publicly discussed on oss-sec [1]. MariaDB
upstream had not mentioned this CVE in their last release notes. The CVE
is related to auth-pam and the possibility of a local mariadb to root
user exploit in the mysql_install_db script.
Upstream has made amendments to the script, but according to the oss-sec
posts the folder permissions were not updated as they should have been.
In OpenWrt the script mysql_install_db is actually patched to never run
the commands in question. This has been this way since MariaDB 10.4 was
made available.
Still, the directory permissions set by the postinstall script are too
lax. To quote the discoverer of the issue, Matthias Gerstner from SUSE,
they exhibit "the dangerous situation of a setuid-root binary residing
in a directory owned by an unprivileged user".
This commit fixes this by changing the permissions to the following:
root:mariadb 0750 /usr/lib/mariadb/plugin/auth_pam_tool_dir
This way the setuid-root binary is only available to root and the
mariadb user, while at the same time the mariadb user has no ownership
of the directory.
[1] https://seclists.org/oss-sec/2020/q1/55
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
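
The ownership and mode stated in the commit message above can be verified on an installed system with a small audit function. This is an added example, not code from the OpenWrt commit or the MariaDB package; `check_tool_dir` is a hypothetical helper name, and it assumes a `stat` that supports `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not part of the OpenWrt commit. check_tool_dir is a
# hypothetical helper; it needs a stat that supports -c (GNU or BusyBox).
#
# Usage for the layout named in the commit message:
#   check_tool_dir /usr/lib/mariadb/plugin/auth_pam_tool_dir root:mariadb 0750

# check_tool_dir DIR OWNER:GROUP MODE
# Returns 0 if DIR is a real directory with exactly that ownership and mode,
# otherwise prints one finding per mismatch and returns 1.
check_tool_dir() {
    dir=$1
    want_owner=$2
    want_mode=${3#0}            # stat prints 750, not 0750

    # A symlink could point the check at a different directory.
    if [ -L "$dir" ]; then
        echo "SYMLINK $dir"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi

    have_owner=$(stat -c '%U:%G' "$dir") || return 1
    have_mode=$(stat -c '%a' "$dir") || return 1
    rc=0

    # Whoever owns the directory can rename or replace the files in it,
    # including a setuid-root binary, so ownership is checked first.
    if [ "$have_owner" != "$want_owner" ]; then
        echo "OWNER $dir: $have_owner, expected $want_owner"
        rc=1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE $dir: $have_mode, expected $want_mode"
        rc=1
    fi
    return "$rc"
}
```
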
With mpd's build system, it requires either an iconv built into the libc
or icu. Since uClibc-ng as configured by OpenWrt currently has no iconv,
use icu for it to work around the problem. This is the simplest solution.
Added a patch to use boost's rounding functions. They are more appropriate
and work with uClibc-ng.
Signed-off-by: Rosen Penev <rosenp@gmail.com>

* Set GOENV=off when building Go compiler and packages, to ignore user's
environment configuration file
* Set GOCACHE when building host Go
* Unset GOTMPDIR, to use the buildroot temp directory instead of temp
directories in build_dir
Signed-off-by: Jeffery To <jeffery.to@gmail.com>

This exporter exposes information of the connected stations acquired
from hostapd. These contain additional information compared to the
existing station exporter, however they require a full build of hostapd
/ wpad.
Signed-off-by: David Bauer <mail@david-bauer.net>

- Major version jump from v2.0 to v2.1
- Update haproxy download URL and hash
- Add new patches (see https://www.haproxy.org/bugs/bugs-2.1.2.html)
- Stop building LUA 5.3 in the haproxy build-process and use liblua5.3 as a dependency instead
Signed-off-by: Christian Lachner <gladiac@gmail.com>

- Migrate libusb dependency back to libsane
(virtually all useful backends for OpenWrt would need it anyway)
- Disabled new usb-record-replay feature (avoid libxml2 dep)
- Disabled new escl backend (network-only backends are not too useful
for OpenWrt and it requires libcurl, libnetsnmp, libavahi and libxml2)
- Workaround sane-daemon/postinst installation on Imagebuild
- Enabled backends kvs40xx and mustek_usb2 (fixed upstream)
- Fix bigendian compilation
(https://gitlab.com/sane-project/backends/-/merge_requests/329)
- Fix missing std::round() for uclibc
(https://gitlab.com/sane-project/backends/issues/237)
- Fixes FS#2685: coldplug was running before usblp was loaded. Now
it grants access to usblp when a device using it is plugged.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>

Fixed license information.
Removed patch requiring autoreconf and replaced with a configure variable.
Removed faulty patch that broke systems without a disabled crypt size hack.
Replaced with using a SED command as well as bcrypt, which works in musl.
Removed su patch and converted it to a SED command in the Makefile.
Added new shadow utilities.
Signed-off-by: Rosen Penev <rosenp@gmail.com>

Rename "zip" to "infozip" to avoid name collision, as the same
zip package has been introduced to the build tools as zip.
Buildbot does not like that.
Reference to #10985 and #11089 as well as
ad8c2d6099
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

Changelog:
* Fix OpenWRT with existing forwarder + fix dnsmasq restore issue
* Refactor service execution to better report errors
* Refactor merlin tz setup so it does not need to curl on boot
* Improve upgrade command for install.sh
* Do not mask curl error on install
* Fix timezone logging issue with Merlin
* Add support for Merlin John's fork
* Add raspbian support to installer
* Fix upgrade not reinstalling service
* Limit the aarch64 fix to merlin
* Reset DHCP DNS to self on Merlin router setup
* Fix memory issue with aarch64 based router
* Update Go version
* Allow override of detected env
* Setup timezone correctly on Merlin init script
* Don't ignore curl error on install
* Fix Asus Merlin John’s fork trust store issue
* Fix synology auto setup
* Fix report client info not enabled with setup-router option
* Add support for edgeos DHCP lease file locations
* Fix signal handling when running as a service
* Fix exit menu keyboard shortcut
* Do not fail on upgrade if uninstall failed
* Fix exit menu in installer
* Remove failing upx (for now)
* Make sure nextdns keeps running once ssh session is closed
* Add auto setup of Synology with DHCP server enabled
* Use router's DNS to discover more names
* Get A/AAAA from both answer and addition sections
* Ignore certain invalid names during discovery
* Fix activate with setup-router
* Fix several install issues
* Add exponential backoff to mdns probe retry
* Correctly end dhcp lease probing when discovery is cancelled
* Store DHCP/MDNS discovered addrs separately to avoid ping/pong
discovery
* Add DHCP lease support to client discovery
* Do not report mdns listen unreachable error as start will retry
* Reimplement mdns client discovery
* Fix installer GOARCH detection with arm6+
* Fix bin install on platforms needing sudo
* Correctly detect edgeos and ddwrt as routers
* Fix install.sh sudo
* Disable upx as it breaks many platforms
* Fix installer regression with merlin
* Fix mips64 detection
* Fix OpenWRT detection
* Fix UPX post build script
* Fix install with John's Asuswrt-Merlin fork
* Fix more DDWRT
* Fix DDWRT support
* Fix merlin service add/remove
* Use UPX to compress binaries typically used on routers
* Revert "Remove direct dep on reflect"
* Use letters for installer menus
* Fix install script for upgrades not working if binary is running
* Do not return an error on mdns listen if at least one interface worked
* Fix installer for synology
* Fix pfSense support
* Remove the logs for each server on each connect
* Move install instructions to wiki
* Fix install.sh uid detection with merlin
* Fix install.sh for arm6+
* Add Synology init system support
* Fix install.sh
* Add a generic router setup that just changes the listen to public
* Update README
* Add auto setup support for EdgeOS
* Restore per OS install instruction in readme during installer beta
* Refactor install.sh
* Remove dep on golang.org/x/net/ipv[4|6]
* Remove direct dep on reflect
* Rewrite the zeroconf code to use dnsmessage instead of miekg/dns
* Add auto setup support for DD-WRT
* Improve arch detection
* Add auto setup support for OpenWRT
* Add automatic router setup support
* Fix service
* Remove dep en seq on sysv style init scripts
* Add Entware init system support
* Report init system used on install and in UA
* Add EdgeOS support
* Reads /etc/hosts before forwarding queries to the upstream
* Fix localhost resolution with Linux arch empty /etc/hosts
* Use /etc/hosts file to resolve listen address and list on all IPs
listed
* Add support for multiple router firmware
* Fix hardened privacy disabling dual stack
* Add a config set sub command and refactor commands handling
* Add support for activate on freebsd
* Fix inverted MAC matching
* Add unit test for conf prefix match #35
* Activate uses listen address instead of static 127.0.0.1
* Improve FreeBSD integration
* Add FreeBSD support
* Fix a typo
* Use zip for windows archive
Signed-off-by: Olivier Poitrey <rs@nextdns.io>

Edited PKG_RELEASE to 1
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>