Using BSS coloring is one way of improving performance on 802.11ax
radios, currently its only enabled by users adding he_bss_color to their
wireless UCI config.
This made sense as one could easily get BSS color collision as BSS color
range is 1-63.
Hostapd now has a way of dealing with BSS color collisions so we can just
assign a integer in the 1-63 range randomly if one is not set by users.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:
- Excessive Resource Usage Verifying X.509 Policy Constraints
(CVE-2023-0464)
Severity: Low
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit
this vulnerability by creating a malicious certificate chain that
triggers exponential use of computational resources, leading to a
denial-of-service (DoS) attack on affected systems.
Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
- Invalid certificate policies in leaf certificates are silently ignored
(CVE-2023-0465)
Severity: Low
Applications that use a non-default option when verifying certificates
may be vulnerable to an attack from a malicious CA to circumvent
certain checks.
Invalid certificate policies in leaf certificates are silently ignored
by OpenSSL and other certificate policy checks are skipped for that
certificate. A malicious CA could use this to deliberately assert
invalid certificate policies in order to circumvent policy checking on
the certificate altogether.
Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466. It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.
Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Import commit "ubi: Fix failure attaching when vid_hdr offset equals to
(sub)page size" which did not yet make it to stable upstream Linux trees.
Fixes: #12232Fixes: #12339
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit aad34818b5)
Setting this options modifies the rootfs size of created images. When
installing a large number of packages it may become necessary to
increase the size to have enough storage.
This option is only useful for supported devices, i.e. with an attached
SD Card or installed on a hard drive.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 7b7edd25a5)
On any currently supported hardware, the performance impact should not
matter anymore.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 75e78bcaab)
The USB port on the MR8300 randomly fails to feed bus-powered devices.
This is caused by a misconfigured pinmux. The GPIO68 should be used to
enable the USB power (active low), but it's inside the NAND pinmux.
This GPIO pin was found in the original firmware at a startup script in
both MR8300 and EA8300. Therefore apply the fix for both boards.
Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
Reviewed-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit ed64c33235)
Signed-off-by: Steffen Scheib <steffen@scheib.me>
Due to SCHED_FIFO being a broken scheduler model, all users of
sched_setscheduler() are converted to sched_set_fifo_low() upstream and
sched_setscheduler() is no longer exported.
The callback handling of the tasklet API was redesigned and the macros
using the old syntax renamed to _OLD.
Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit 31f3f79700)
[Add DECLARE_TASKLET handling for kernel 5.4.235 too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The callback handling of the tasklet API was redesigned and the macros
using the old syntax renamed to _OLD.
The stuck queue is now passed to ndo_tx_timeout callback but not used so
far.
Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit 804c541446)
[Add DECLARE_TASKLET handling for kernel 5.4.235 too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This patch is a revert of the upstream patch to Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
The reason is, that this change broke builds with the popular
Ubuntu 20.04 LTS (focal) releases which are shipping with an
older version of the python3-cryptography package that is not
compatible.
|Traceback (most recent call last):
| File "certdata2pem.py", line 125, in <module>
| cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1
...or if the python3-cryptography was missing all together:
|Traceback (most recent call last):
| File "/certdata2pem.py", line 31, in <module>
| from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'
More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway.
Right now it seems to be just a warning but I could imagine that
eventually certs are simply omitted of found to be expired at
build time which would break reproducibility."
Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 25bc66eb40)
This driver is backported from the v6.0 which deals with
"linux,default-trigger" in leds core. For kernel 5.4 we need
leds-bcm63138 to read trigger on its own.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This update mac80211 to version 5.10.168-1. This includes multiple
bugfixes. Some of these bugfixes are fixing security relevant bugs.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 4ae86b3358)
The original commit removed the upstreamed patch 010-padlock.patch, but
it's not on OpenWrt 21.02, so it doesn't have to be removed.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
