This change includes fixes for several security issues:
* CVE-2017-3138: rndc "" could trigger an assertion failure in named.
* CVE-2017-3137: Some chaining (i.e., type CNAME or DNAME) responses to
upstream queries could trigger assertion failures.
* CVE-2017-3136: dns64 with break-dnssec yes; can result in an assertion
failure.
* CVE-2017-3135: If a server is configured with a response policy zone
(RPZ) that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read triggering a
server crash.
* CVE-2016-9444: named could mishandle authority sections with missing
RRSIGs, triggering an assertion failure.
* CVE-2016-9131: named mishandled some responses where covering RRSIG
records were returned without the requested data, resulting in an
assertion failure.
* CVE-2016-9131: named incorrectly tried to cache TKEY records which could
trigger an assertion failure when there was a class mismatch.
* CVE-2016-8864: It was possible to trigger assertions when processing
responses containing answers of type DNAME.
* CVE-2016-6170: Added the ability to specify the maximum number of
records permitted in a zone (max-records #;). This provides a mechanism
to block overly large zone transfers, which is a potential risk with
slave zones from other parties.
* CVE-2016-2776: It was possible to trigger an assertion when rendering a
message using a specially crafted request.
* CVE-2016-2775: Calling getrrsetbyname() with a non absolute name could
trigger an infinite recursion bug in lwresd or named with lwres
configured if, when combined with a search list entry from resolv.conf,
the resulting name is too long.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
fixes webroot to be defined as
_currentRoot='/www'
instead of being interpreted as
_currentRoot='"/www"'
Signed-off-by: Aleksei Nosachev <nos1609@hotmail.com>
* create /etc/vsftpd directory for extra config files
like userlist, certificate and key
* modify config file to use that directory
* include that directory in conffiles for backup
* use PKG_HASH
* update URL
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
backend:
* various small fixes & optimizations
LuCI frontend (see luci repo):
* Limit Blacklist/Whitelist Online editing to max. 512 KB, approx.
20.000 domains per list
* Automatically refresh the overview page after button onclick event,
e.g. 'Suspend/Resume' or 'Save & Apply'
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
Notes:
- drop un-needed patches
- bump kernel support up to 4.9
- switch from git repo to release tarball
- use OVS intree kernel module ; seems that using the kernel module
from the package has certain issues due to the glue/backport code
that tries to adapt to many kernel versions and has a potential
to mess up ; not to mention, the glue code makes the kmod
a few times larger than it should be
- tested on x86_64 VM
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Full changelog available at:
https://mosquitto.org/2017/02/version-1-4-11-released/
Mostly ipv6 and websockets fixes, but requires a patch (submitted
upstream) to work around an accidental glibc dependency upstream.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Adds the "notifications" option which is important when connecting
mosquitto to rabbitmq for instance.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Earlier, PROVIDES handling was clarified for the broker and the library.
Use the same style to properly provide the -client-ssl and -client-nossl
packages.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Added a new config entry udp_port to split UDP port from TCP. This is
useful when particular port is blocked by the ISP.
udp_port falls back to port if not set to be compatible with current
config file.
Also fixed an ifname typo from the last commit.
Signed-off-by: Qian Sheng <billsq@billsq.me>
If netifd set an interface up/down which is not tracked by mwan3 the
connected network of that interface should regardless be added/removed to the
mwan3_connected ipset.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
For configurations where another web server is running on port 80, running
acme.sh in standalone mode fails. Try to detect this and refuse to run; and
allow the user to configure a webroot directory to use the running webserver for
certificate verification.
This also updates acme.sh to the latest version.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
- Moves /etc/freeradius3/sites-{enabled,available}/inner-tunnel to be part of
the freeradius3-mod-eap package. This prevents conflicts between
freeradius3-mod-eap-peap and freeradius3-mod-eap-ttls which both included the
file before. This fixes LEDE bug FS#678.
- Change the demo cert validity to be 1 year instead of 60 days. Should keep the
cert valid for the duration of the LEDE release cycle (with some slack). This
fixes#4239.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* add "adb_forcedns" to redirect all dns requests
to local resolver (disabled by default)
* add "adb_forcesrt" to enable overall sort / duplicate removal
on low memory devices with less than 64 MB RAM (disabled by default)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* no longer misuse ubus/procd service object for travelmate runtime
information, now save all required information directly
in a JSON file/format
* new 'status' init command to print runtime information
* add a configurable interface trigger timeout for
nested & slow modem/router setups, set 'trm_triggerdelay' accordingly
* change start priority & refine reload timings
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
* change start priority to get all interface trigger events, even on
fast hardware
* made default trigger delay more conservative to fix possible start up
issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
As reported by @thornley-touchstar, there are some issues in the
showshortport and showport commands on the monitoring channel.
After short dicussion with upstream, the following patches were merged
upstream to fix the issue(s).
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
darkstat's configure script searches for libbsd for different routines,
so if it manages to pick it up, make sure the dependency is reflected.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Use newest acme.sh release (2.6.8).
Remove dependency on ca-certificates and add dependency on ca-bundle.
Update environment variable.
Signed-off-by: Daniel Halmschlager <da@halms.at>
* no longer misuse ubus/procd service object for adblock runtime
information, now save all required information directly
in a JSON file/format (/tmp/adb_runtime.json)
* new 'status' init command to print runtime information
* add a configurable interface trigger timeout for
nested or slow modem/router setups,
set 'adb_triggerdelay' accordingly (default 1 second)
* add support for pure http download utilities like wget-nossl
or uclient-fetch without libustream-ssl (http donwloads only!)
* fix stop action
* fix enabled/disabled action
* fix country code in regional list for china
* LuCI update to reflect all changes
Signed-off-by: Dirk Brenken <dev@brenken.org>
Mislav Novakovic
Noah Meyerhans
Dirk Brenken
Aleksei Nosachev
Jason A. Donenfeld
Hannu Nyman
Nikos Mavrogiannopoulos
Stan Grishin
Alexandru Ardelean
Moritz Warning
Karl Palsson
David Thornley
Christian Schoenebeck
Nikil Mehta
Qian
Florian Eckert
Stijn Tintel
Toke Høiland-Jørgensen
Eric Luehrsen
Daniel Golle
Michael Heimpold
Philip Prindeville
Florian Fainelli
Daniel H
Kevin Darbyshire-Bryant