Resolves several security issues:
- CVE-2026-3592: Limit resolver server list size.
- CVE-2026-3039: Fix GSS-API resource leak.
- CVE-2026-5950: Avoid unbounded recursion loop.
- CVE-2026-5947: Fix crash in resolver when SIG(0)-signed responses are
received under load.
- CVE-2026-3593: Add system test for HTTP/2 SETTINGS frame flood.
- CVE-2026-5946: Disable recursion, UPDATE, and NOTIFY for non-IN views.
Complete list of changes is available upstream at
https://ftp.isc.org/isc/bind9/9.20.23/doc/arm/html/changelog.html
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit ea421564d3)
The function snmpd_sink_add() has a guard clause that tests the literal
string "section", not the variable value "$section".
The test `[ -n "section" ]` always evaluates to true because the string
literal "section" is non-empty, making the check useless.
This function is only called internally with hardcoded arguments, so the
bug has no actual impact currently. For the same reason, this change
should not break existing configurations. However, I think it should be
fixed so future callers do not have a false sense of security.
Signed-off-by: Eric McDonald <librick-openwrt@proton.me>
(cherry picked from commit 93983e5b2a)
To support logging in net-snmp this commit introduces this feature. There is
a new uci config section 'logging'.
The following new parameters are used:
config logging
option log_file '/var/log/snmpd.log'
option log_file_priority 'i'
option log_syslog '0'
option log_syslog_facility 'd'
Signed-off-by: Christian Korber <ck@dev.tdt.de>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 7b616873d6)
This commit adds function 'snmpd_snmpv3_add' to the init script
to support SNMPv3 config parsing.
The new uci config section has the following configuration parameters:
config v3
option username 'John'
option allow_write '0'
option auth_type 'SHA|MD5'
option auth_pass 'passphrase'
option privacy_type 'AES|DES'
option privacy_pass 'passphrase'
option RestrictOID 'yes|no'
option RestrictedOID '1.3.6.1.2.1.1.1'
This new section is only relevant if the snmp_version 'v1/v2c/v3' or 'v3'
is set in the uci section 'general'.
Signed-off-by: Christian Korber <ck@dev.tdt.de>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 2fc221699d)
To use 'SNMPv3', the net-snmp package must be compiled with openssl support.
For this purpose, the current net-snmp is renamed into build 'nossl'.
This is a preparation commit to add the 'ssl' variant.
Signed-off-by: Christian Korber <ck@dev.tdt.de>
(cherry picked from commit b3530cc188)
The static build is not packaged and can therefore be removed as the build
artefact is not used.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit c08e7f411b)
This commit includes inttypes.h to prevent the following error:
```
mibgroup/ieee802dot11.c: In function 'displayWiExt':
mibgroup/ieee802dot11.c:4563:26: error: expected ')' before 'PRIdPTR'
4563 | printf ( "%s sens: %" PRIdPTR "\n", "SIOCGIWSENS", *(intptr_t *)&info.sens );
| ~ ^~~~~~~~
| )
mibgroup/ieee802dot11.c:31:1: note: 'PRIdPTR' is defined in header '<inttypes.h>'; did you forget to '#include <inttypes.h>'?
30 | #include "util_funcs/header_generic.h"
+++ |+#include <inttypes.h>
31 |
```
Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
(cherry picked from commit babc163fe3)
Use #elif defined instead of #elifdef as seen elsewhere throughout the patch
file. This avoids the following errors when compiling with GCC 11:
```
mibgroup/ucd-snmp/proc.c:45:2: error: invalid preprocessing directive #elifdef; did you mean #ifdef?
45 | #elifdef HAVE_PCRE_H
| ^~~~~~~
| ifdef
mibgroup/ucd-snmp/proc.c:243:2: error: invalid preprocessing directive #elifdef; did you mean #ifdef?
243 | #elifdef HAVE_PCRE_H
| ^~~~~~~
| ifdef
```
Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
(cherry picked from commit 665bac8e17)
mod_s2s was refactored into a single mod_s2s.lua in the flat modules
directory in 0.12.x; remove the obsolete subdirectory install rule that
caused the package build to fail.
Also add util/human/ and util/prosodyctl/ which are new subdirectories
in 0.12.x not covered by the previous install rules.
Force libidn instead of ICU for stringprep
prosody's configure script auto-detects stringprep backends and prefers
ICU when available, generating -DUSE_STRINGPREP_ICU and including
<unicode/usprep.h>. The OpenWrt SDK staging directory does not provide
ICU development headers, so the build fails with:
encodings.c:271:10: fatal error: unicode/usprep.h: No such file or directory
The Makefile DEPENDS already declares +libidn. Pass --with-idn=idn to
explicitly select the libidn backend, which is available in the staging
directory.
Also, pass TARGET="../util/" to MAKE_FLAGS. OpenWrt has it's own TARGET
env var which clobbers the 'TARGET' var from prosody's build (specified
as 'TARGET?=../util/')
Adding a test.sh to check for the correct version (since prosody mostly
has lua scripts).
Security release addressing multiple vulnerabilities. 0.12.6 is
likely the last release of the 0.12.x series (EOL June 2026).
Upstream advisory: https://prosody.im/security/
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
(cherry picked from commit 42daa80ffe)
The prosody.im upstream updated the 0.12.4 tarball in-place, changing
its content without bumping the version. Update PKG_HASH to match the
currently published tarball.
Fixes: f4d305b73 ("prosody: update to 0.12.4")
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
(cherry picked from commit bf50291ab1)
Use cp instead of install when installing libraries to not follow
symlinks and create duplicate files.
Fixes: aa89f847 ("mosquitto: update to 2.0.18")
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit cc4f8076d9)
Bug-fix release. Fixes 20+ bugs and includes some performance
improvements. All users are encouraged to upgrade.
Highlights (all platforms):
* Fixed a 4.1.0 bug that failed to report some filesystem errors
to RPC clients querying free space.
* Fixed a 4.1.0 bug that kept a torrent's updated queue position
from being shown.
* Fixed a 4.1.0 bug that caused torrents' queuing order to
sometimes be lost between sessions.
* Hardened .torrent parsing by exiting sooner if 'pieces' has
an invalid size.
* Reverted a 4.1.0 RPC change that broke some 3rd party code by
returning floats rather than integers for speed limit fields.
* Fixed crash when pausing a torrent and editing its tracker
list at the same time.
* Fixed 4.1.0 crash on arm32 by switching crc32 libraries to
Mark Adler's crcany.
* Require UTF-8 filenames in .torrent files (per BitTorrent spec).
* Fixed crash when parsing a .torrent file with a bad 'pieces' key.
* Fixed potential fd leak when launching scripts on POSIX systems.
* Changed network traffic algorithm to spread bandwidth more
evenly amongst peers.
Link: https://github.com/transmission/transmission/releases/tag/4.1.1
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4216ad05af)
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
update to 2026.03.18, release 3
- update PKG_RELEASE to 3
files/etc/init.d/https-dns-proxy:
- refactor nftable rules to explicitly add and flush the table and
chains instead of block replacement
- make nftable `delete table` call silent in `notrack_nft remove`
- update `notrack_nft remove` to check for absence of nftable table
instead of just checking the file
- ensure `notrack_nft remove` sets _error=1 on failure
- ignore dnsmasq instances with port 0 in
`dnsmasq_instance_append_force_dns_port`
tests/run_tests.sh:
- add test case to ensure dnsmasq port 0 is ignored
- update `notrack_nft remove` test to confirm success when both file
and table are absent
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 4bac71e3cd)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
Fix nftables rule directory creation
- Bump PKG_RELEASE to 2.
files/etc/init.d/https-dns-proxy:
- Add 'mkdir -p' before writing nftables rules to ensure the parent
directory exists. This fixes an issue where the directory might not
exist on initial installation, causing errors.
tests/run_tests.sh:
- Add comprehensive regression tests for notrack_nft.
- Mock 'nft' to track invocations and control return codes for testing.
- Patch 'NOTRACK_NFT_FILE' to a test-specific path for isolated testing.
- Verify 'notrack_nft' correctly creates the parent directory if missing.
- Test content of generated nftables snippet, idempotence, and removal.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 3d9a73bd7e)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- update dependencies from perl to python
- support dropbear
Signed-off-by: Maxim Storchak <m.storchak@gmail.com>
(cherry picked from commit b0a6a9147b)
Rsyncd only needs a subset of all capabilities so create
a dedicated user with these capabilities. This is better from both a
security and an isolation perspective than running as root.
Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 2a7364534e)
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
update to 2026.03.18, improve nftables rules
- Update PKG_VERSION to 2026.03.18.
- Set PKG_RELEASE to 1.
- Update PKG_SOURCE_VERSION to 801881210ba8215dc9cd577222d8c10372423360.
- Update PKG_MIRROR_HASH to 4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce.
files/etc/init.d/https-dns-proxy:
- Wrap the notrack chain in its own `inet https_dns_proxy_notrack`
table. A top-level `chain` outside any table is invalid nftables
syntax and is rejected on kernel 6.18+, breaking firewall load.
Fixesmossdef-org/https-dns-proxy#7.
- Syntax-check the generated snippet with `nft -c -f` after write
and report OK/FAIL on the start path.
- On remove, explicitly `nft delete table` in addition to removing
the snippet file, so the live ruleset is cleaned up immediately
rather than waiting for the next fw4 reload.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 0d5f7a16c1)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:Add nftables notrack for localhost traffic
- Removed. License is now included in the main project.
net/https-dns-proxy/Makefile:
- Bumped PKG_RELEASE to 5.
net/https-dns-proxy/files/etc/config/https-dns-proxy:
- Added 'option notrack_dns '1'' to the default configuration.
net/https-dns-proxy/files/etc/init.d/https-dns-proxy:
- Defined NOTRACK_NFT_FILE constant.
- Added 'notrack_dns' and 'notrack_ports' variables.
- Implemented 'notrack_nft' function to manage nftables rules for notracking local DNS traffic.
- Enabled loading of 'notrack_dns' boolean from configuration.
- Modified start_instance to collect listen_port into notrack_ports if notrack_dns is enabled.
- Modified start_service to call notrack_nft update/remove based on notrack_dns and collected ports.
- Modified stop_service to call notrack_nft remove.
- Updated service_started and service_stopped to trigger firewall config changes when notrack_dns is enabled.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit fa4b35ad53)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- Use GitHub for sources URL
- Remove autoreconf fixup (it works out-of-the-box)
- Remove squid-mod-cachemgr package since cachemgr.cgi was removed upstream
- Rename ac_cv_epoll_works to squid_cv_epoll_works to follow upstream
- Don't customize target CFLAGS and LDFLAGS (they work as is)
- Remove nettle configure patch - upstream handles it correctly now
- Remove dummy comment in config menu
Signed-off-by: Aleksey Vasilenko <aleksey.vasilenko@gmail.com>
(cherry picked from commit 55404adb91)
* Switch Hagezi URL to a more compact higher-level only domains list as we
prefer it anyways and there's less processing (thanks @dave14305)
* When update_config_sizes is unset, save collected sizes to RAM to improve
luci app performance (thanks @sshaikh)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 5e0b94f2a4)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
fix: avoid unnecessary dnsmasq restarts (thanks @egc112)
fix: insert, not add dns policies to ensure higher priority than the DNS
hijack rules (thanks @egc112)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 727ca8a3a5)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
The RFC-1918 zones are automatically synthesized locally by bind
to avoid forwarding queries about them to root nameservers. As
a result, we can't easily replace them with rndc addzone on the
fly. We need this for DHCP integration.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit 505ca0a0d4)
* add: ucode-mod-uloop dependency
* add: parallel downloads using uloop
* fix: explicit allow for domains from allow-lists
* fix: get environment information for getInitStatus RPCD call
* add: update tests
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 65ed2877ef)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* fix: ensure output in CLI in status and quick start commands
* fix: ensure relevant directories exist when using a (gzip) cache file on
first boot
* add: update functional tests
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit f4e6ada26d)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- Fixes multiple security critical bugs with H3 handling. CVE submission is
pending.
- Updated haproxy PKG_VERSION and PKG_HASH
- Removed get-latest-patches.sh as it is not used anymore.
- See changes: http://git.haproxy.org/?p=haproxy-3.0.git;a=shortlog
Signed-off-by: Christian Lachner <gladiac@gmail.com>
Config:
* update pause_timeout default value to 60
* add config option rpcd_token
Init script:
* add validation for rpcd_token
Ucode script:
* fix: always reload config options on RPCD calls to prevent stale values
* fix: shell_quote curl params
* fix: do not reload is_tty on each call
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 139d73b583)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* fix: detect/support point-to-point interfaces in dynamic routing mode
* fix: avoid IPv4/IPv6 address collisions on Tor policies
* fix: do not set triggers on boot when service is disabled in config
* fix: more robust forward stop/enable
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit ba216150c0)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Ray Wang