- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink.  Dropbear parsed authorized_keys as root, even if it were a
symlink.  The fix is to switch to user permissions when opening
authorized_keys

A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123



Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

I think I added these respawn params [a while back],
when I did the conversion to procd init script format.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

some modems needs to be enabled with CFUN=1 before to set the pin

Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>

When in ra server mode, configure nameservers passed in router
announcements from the dns value (which is already used by odhcpd).

This also fixes FS#677 by using the global IPv6 address of the router
instead of the link local address (if no nameservers are configured).

Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]

Update curl to 7.54.0
Update and fresh patches

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>

Update ipset to 6.32

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>

We enabled lua interpreter by default as it doesn't make any problem in the uhttpd config file and we modify the index page to use it.

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>

93abe6f config: fix invalid hoplimit in RA message
2ae08d1 config: fix invalid retranstime in RA message
0005cb4 config: fix invalid reachabletime in RA message
5683dd2 config: limit ra_mtu to 65535
f8d40a5 router: fix interface mtu read error
f8f4b87 config: limit ra_retranstime to 60000
a2d8bf6 dhcpv4: display two hex digits per octet in syslog
a9e9bc4 config: make RA retransTime configurable via uci
2cb6b48 config: make RA reachableTime configurable via uci
e4504db config: make RA curHopLimit configurable via uci
9dd5316 config: make RA mtu configurable via UCI
29cb2ff config: fix dhcpv4 server being started
0ef74ec ndp.c: add switch/case fallthrough comments

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

One of the latest mac80211 updates added sanity checks, requiring the
beacon intervals of all VIFs of the same radio to match. This often broke
AP+11s setups, as these modes use different default intervals, at least in
some configurations (observed on ath9k).

Instead of relying on driver or hostapd defaults, change the scripts to
always explicitly set the beacon interval, defaulting to 100. This also
applies the beacon interval to 11s interfaces, which had been forgotten
before. VIF-specific beacon_int setting is removed from hostapd.sh.

Fixes FS#619.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>

None of the variables in this "local" declaration are actually set in
wpa_supplicant_add_network().

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>

Fix [FS#766] Intermittent SIGSEGV crash of dnsmasq-full

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

Update to version 2.4.2 in order to address two potential Denial-of-Service
vectors in OpenVPN.

CVE-2017-7478 - Don't assert out on receiving too-large control packets
CVE-2017-7479 - Drop packets instead of assert out if packet id rolls over

Ref: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.2
Ref: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits



Signed-off-by: Jo-Philipp Wich <jo@mein.io>

If no DUID is set for a host, it should be empty, not the last one set for a previous host.

Signed-off-by: Arjen de Korte <build+lede@de-korte.org>

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

This patch adds the interface-name option for each dhcp config
in /etc/config/dhcp.

With the interface_name option users can define a DNS name for each dhcp section
that will be resolved by dnsmasq with the underlaying interface address.

For example:
config dhcp 'lan'
	option interface 'lan'
	...
	list interface_name 'home.lan'
	...

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]

If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.

Originally submitted by nfw user aka Nathaniel Wesley Filardo

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>

Don't display unnecessary dhcp_option usage warning in case
dhcp_option is empty

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

Setting legacy_rates to 0 disables 802.11b data rates.
Setting legacy_rates to 1 enables 802.11b data rates. (Default)

The basic_rate option and supported_rates option are filtered based on this.

The rationale for the change, stronger now than in 2014, can be found in:

https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx



The balance of equities between compatibility with b clients and the
detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b
rates by default.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]

When sta is configured, hostapd receives 'stop' and 'update' command from
wpa_supplicant. In the update command, hostapd gets sta parameters with
which it configures ap.

Problem is, with the default wireless configuration:
mode:11g freq:2.4GHz channel:1
If sta is connected to 5GHz network, then ap does not work. Ideally with
340-reload_freq_change.patch hostapd should reload the frequency changes
and start ap in 5GHz, but ap becomes invisible in the network.

This issue can be reproduced with following /etc/config/wireless:
config wifi-device  radio0
        option type     mac80211
        option channel  1
        option hwmode   11g
        option path     'virtual/uccp420/uccwlan'
        option htmode   'none'

config wifi-iface 'ap'
        option device 'radio0'
        option encryption 'none'
        option mode 'ap'
        option network 'ap'
        option ssid 'MyTestNet'
        option encryption none

config wifi-iface 'sta'
       option device radio0
       option network sta
       option mode sta
       option ssid TestNet-5G
       option encryption psk2
       option key 12345

This change updates current_mode structure based on configured hw_mode
received from wpa_supplicant. Also prepare rates table after frequency
selection.

Signed-off-by: Abhilash Tuse <Abhilash.Tuse@imgtec.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, patch refresh]

A number of small tweaks & improvements on the way to a final release.
Most notable:

Improve DHCPv4 address-in-use check.
Remove the recently introduced RFC-6842 (Client-ids in DHCP replies)
support as it turns out some clients are getting upset.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

They will not be in conflict anymore ;)

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

9268ca6 ndp: don't trigger IPv6 ping when neighbor entry is invalid
2b3355f ndp: fix adding proxy neighbor entries
7dff5b4 ndp: fix wrong interface name in syslog message
a54afb5 dhcpv6-ia: Fix segfault when writing DHCPv4 leases in state file
c0e9dbf ubus: don't segfault when there're no leases

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

Configuring dhcp_option as an option does not allow the usage of white
spaces in the option value; fix this by supporting dhcp_option as a list
config while still supporting the option config to maintain backwards
compatibility

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

Install procd interface triggers only for interfaces which are enabled
so dropbear instances running on (an) enabled interface(s) are not
restarted due to an interface trigger of an interface which is disabled.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

Based on a patch by Alexandru Ardelean.
netifd ubus reload call returns the actual reload error status;
return error status as well in reload_service

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

11cb9cf ubus: add interface method to trigger renew event
4375d1b system-linux: allow "throw" route type
5fbd904 netifd: propagate error code on netifd_reload()
6e0acec interface-ip: fix device name for IPv6 link-local DNS server

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

570069d ubus: rework dumping IPv6 and IPv4 leases
4e579c4 dhcpv6-ia: simplify logic to write statefile and dhcpv6 logging

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

The dep for the nftables support was wrong, if someone actually enable
that option gain a compilation error. This fix this problem.

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>

minor/cosmetic: fixes the following misleading message:

root@box:~ /etc/init.d/dnsmasq restart
sh: out of range

Signed-off-by: Bastian Bittorf <bb@npl.de>

Signed-off-by: Felix Fietkau <nbd@nbd.name>

Switch to git repo
Removed musl patch
Refreshed existing patch

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup]

Signed-off-by: Felix Fietkau <nbd@nbd.name>

Update OpenVPN to 2.4.1
Remove 200-small_build_enable_occ.patch as it's included upstream.
Refresh patches
Add mirror and switch to HTTPS

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>

Commit f4e312dd adds libnetlink to
staging dir but did not add the header files libgenl.h and ll_map.h
which define functions belonging to libnetlink lib

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

Similar to odhcpd, allow using ISC DHCPd instead of dnsmasq.
Disable DHCP and/or DHCP6 in case ISC DHCP is present and
enabled.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

Fix fw3 warnings in dhcp script in case fw3 is not enabled

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

3d9f406 rework IPv6 dns address selection (FS#635)
bc6c3ac ndp: keep an exact copy of IPv6 interface addresses
6eb1e01 ndp: code cleanup
eea7d03 rework IPv6 address dump logic
24d21c7 ndp: add syslog debug tracing

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.

Signed-off-by: Karl Vogel <karl.vogel@gmail.com>

These are recommended practices by REC-22 and REC-24 of RFC6092:
"Recommended Simple Security Capabilities in Customer Premises Equipment
(CPE) for Providing Residential IPv6 Internet Service"

Fixes FS#640

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>