Resolves several security issues:
- CVE-2026-3592: Limit resolver server list size.
- CVE-2026-3039: Fix GSS-API resource leak.
- CVE-2026-5950: Avoid unbounded recursion loop.
- CVE-2026-5947: Fix crash in resolver when SIG(0)-signed responses are
received under load.
- CVE-2026-3593: Add system test for HTTP/2 SETTINGS frame flood.
- CVE-2026-5946: Disable recursion, UPDATE, and NOTIFY for non-IN views.
Complete list of changes is available upstream at
https://ftp.isc.org/isc/bind9/9.20.23/doc/arm/html/changelog.html
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit ea421564d3)
Refresh the hardware database with the latest USB, PCI and PnP IDs.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
(cherry picked from commit 3695f1dae5)
Make sure hwdata can be used by other packages during build by
adding InstallDev section which includes pkgconfig as well as
all types of IDs.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit e56d19245f)
First upstream release since 2023-07. All four locally-carried patches
are merged in 1.0.4 and can be dropped:
- 0001 (PR #57): udev_device.c TOCTOU race fix
- 0002 (PR #62): avoid OOM on small systems
- 0003 (PR #66): correct touchpad detection
- 0004 (PR #80): hwdb USB ID lookup from usb.ids
The release also pulls in PR #79 (do not assume EV_REL and EV_ABS are
mutually exclusive in udev_device.c).
Release notes:
https://github.com/illiliti/libudev-zero/releases/tag/1.0.4
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
(cherry picked from commit f10dfca2ba)
Replace the four stub udev_hwdb_*() functions with a working
implementation that looks up vendor and product names from
/usr/share/hwdata/usb.ids, so callers using the standard libudev
hwdb API benefit without needing package-specific patches.
The patch is a clean backport of upstream commit 2bebebc9e0444
("udev: implement hwdb USB ID lookup from usb.ids (#80)") merged
to illiliti/libudev-zero master on 2026-05-19, post-1.0.3. Drop
when the package is bumped to the next libudev-zero release.
Upstream now defaults USB_IDS_PATH to ${SHAREDIR}/hwdata/usb.ids
with SHAREDIR=${PREFIX}/share, so the explicit
USB_IDS_PATH=/usr/share/hwdata/usb.ids in MAKE_FLAGS is no longer
needed and is dropped.
Fixes: https://github.com/openwrt/packages/issues/29386
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
(cherry picked from commit 93759026fd)
Update from 017 to 019. Version 019 dropped autoconf in favour of meson,
so switch to include/meson.mk and drop PKG_FIXUP:=autoreconf and the
autoconf CONFIGURE_ARGS.
The binary lsusb no longer reads usb.ids directly; it now queries the
udev hardware database. lsusb.py still searches /usr/share/hwdata/usb.ids
for device name resolution.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
(cherry picked from commit 1f0bfd80c7)
Use the ALTERNATIVES symlink handling to avoid conflicts with busybox
lsusb tool. Otherwise this package can not be installed if you also have
enabled lsusb from busybox.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
(cherry picked from commit a39a55629b)
Use the ALTERNATIVES symlink handling to avoid conflicts with busybox
lspci tool. Otherwise this package can not be installed if you also have
enabled lspci from busybox.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
(cherry picked from commit 31b6d1c8c3)
In OpenWrt 24.10, there is no host build for python-setuptools.
Lets have only build dependency for python-setuptools.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
The function snmpd_sink_add() has a guard clause that tests the literal
string "section", not the variable value "$section".
The test `[ -n "section" ]` always evaluates to true because the string
literal "section" is non-empty, making the check useless.
This function is only called internally with hardcoded arguments, so the
bug has no actual impact currently. For the same reason, this change
should not break existing configurations. However, I think it should be
fixed so future callers do not have a false sense of security.
Signed-off-by: Eric McDonald <librick-openwrt@proton.me>
(cherry picked from commit 93983e5b2a)
To support logging in net-snmp this commit introduces this feature. There is
a new uci config section 'logging'.
The following new parameters are used:
config logging
option log_file '/var/log/snmpd.log'
option log_file_priority 'i'
option log_syslog '0'
option log_syslog_facility 'd'
Signed-off-by: Christian Korber <ck@dev.tdt.de>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 7b616873d6)
This commit adds function 'snmpd_snmpv3_add' to the init script
to support SNMPv3 config parsing.
The new uci config section has the following configuration parameters:
config v3
option username 'John'
option allow_write '0'
option auth_type 'SHA|MD5'
option auth_pass 'passphrase'
option privacy_type 'AES|DES'
option privacy_pass 'passphrase'
option RestrictOID 'yes|no'
option RestrictedOID '1.3.6.1.2.1.1.1'
This new section is only relevant if the snmp_version 'v1/v2c/v3' or 'v3'
is set in the uci section 'general'.
Signed-off-by: Christian Korber <ck@dev.tdt.de>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 2fc221699d)
To use 'SNMPv3', the net-snmp package must be compiled with openssl support.
For this purpose, the current net-snmp is renamed into build 'nossl'.
This is a preparation commit to add the 'ssl' variant.
Signed-off-by: Christian Korber <ck@dev.tdt.de>
(cherry picked from commit b3530cc188)
The static build is not packaged and can therefore be removed as the build
artefact is not used.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit c08e7f411b)
This commit includes inttypes.h to prevent the following error:
```
mibgroup/ieee802dot11.c: In function 'displayWiExt':
mibgroup/ieee802dot11.c:4563:26: error: expected ')' before 'PRIdPTR'
4563 | printf ( "%s sens: %" PRIdPTR "\n", "SIOCGIWSENS", *(intptr_t *)&info.sens );
| ~ ^~~~~~~~
| )
mibgroup/ieee802dot11.c:31:1: note: 'PRIdPTR' is defined in header '<inttypes.h>'; did you forget to '#include <inttypes.h>'?
30 | #include "util_funcs/header_generic.h"
+++ |+#include <inttypes.h>
31 |
```
Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
(cherry picked from commit babc163fe3)
Use #elif defined instead of #elifdef as seen elsewhere throughout the patch
file. This avoids the following errors when compiling with GCC 11:
```
mibgroup/ucd-snmp/proc.c:45:2: error: invalid preprocessing directive #elifdef; did you mean #ifdef?
45 | #elifdef HAVE_PCRE_H
| ^~~~~~~
| ifdef
mibgroup/ucd-snmp/proc.c:243:2: error: invalid preprocessing directive #elifdef; did you mean #ifdef?
243 | #elifdef HAVE_PCRE_H
| ^~~~~~~
| ifdef
```
Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
(cherry picked from commit 665bac8e17)
zabbix-sender and zabbix-get are only build if agentd is built.
Therefore do not allow selection them if the full agentd is not
being built.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 736edbfa2f)
* Fix path to fping and use fping as fping6
* For privacy, disable call to public API to check for Zabbix version update
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 2aadd0d97f)
When we updated the zabbix agent to use username zabbix-agent
we neglected to update ubus acls for zabbix-extra-network.
Therefore update the username for the network and wifi acls.
Will close#29058 once backported to 25.12.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 0268b7cbc4)
Ensure consist JSON formatting by using jq --tab . <filename>.json.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 6b555ae5e0)
As noted in #28709 OpenWrt contains CONFIG_
symbols for Zabbix even when no Zabbix package is selected.
This fixes and Closes#28709.
We add a 'guard' symbol for the menus and choices so the only
generate CONFIG symbols when 'Enable Zabbix'
(CONFIG_ZABBIX_ENABLE_ZABBIX) is selected.
We also make all the Zabbix packages depend on this symbol,
for consistency.
This operates much as the pseudo-package solution, but without
a pseudo-package required.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit f0576eb36b)
mod_s2s was refactored into a single mod_s2s.lua in the flat modules
directory in 0.12.x; remove the obsolete subdirectory install rule that
caused the package build to fail.
Also add util/human/ and util/prosodyctl/ which are new subdirectories
in 0.12.x not covered by the previous install rules.
Force libidn instead of ICU for stringprep
prosody's configure script auto-detects stringprep backends and prefers
ICU when available, generating -DUSE_STRINGPREP_ICU and including
<unicode/usprep.h>. The OpenWrt SDK staging directory does not provide
ICU development headers, so the build fails with:
encodings.c:271:10: fatal error: unicode/usprep.h: No such file or directory
The Makefile DEPENDS already declares +libidn. Pass --with-idn=idn to
explicitly select the libidn backend, which is available in the staging
directory.
Also, pass TARGET="../util/" to MAKE_FLAGS. OpenWrt has it's own TARGET
env var which clobbers the 'TARGET' var from prosody's build (specified
as 'TARGET?=../util/')
Adding a test.sh to check for the correct version (since prosody mostly
has lua scripts).
Security release addressing multiple vulnerabilities. 0.12.6 is
likely the last release of the 0.12.x series (EOL June 2026).
Upstream advisory: https://prosody.im/security/
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
(cherry picked from commit 42daa80ffe)
The prosody.im upstream updated the 0.12.4 tarball in-place, changing
its content without bumping the version. Update PKG_HASH to match the
currently published tarball.
Fixes: f4d305b73 ("prosody: update to 0.12.4")
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
(cherry picked from commit bf50291ab1)
Upstream is preparing the migration to a new website. As part of this, they
will be dropping the `www` prefix. Also, the package source is updated to use
mc's official OSU OSL mirror over HTTPS.
Signed-off-by: Yury V. Zaytsev <yury@shurup.com>
(cherry picked from commit 047ac71184)
Use cp instead of install when installing libraries to not follow
symlinks and create duplicate files.
Fixes: aa89f847 ("mosquitto: update to 2.0.18")
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit cc4f8076d9)
Ray Wang