Commit Graph

36280 Commits

Author SHA1 Message Date
Alexandru Ardelean 42daa80ffe prosody: fix build, bump to 0.12.6 and add test.sh
mod_s2s was refactored into a single mod_s2s.lua in the flat modules
directory in 0.12.x; remove the obsolete subdirectory install rule that
caused the package build to fail.

Also add util/human/ and util/prosodyctl/ which are new subdirectories
in 0.12.x not covered by the previous install rules.

Force libidn instead of ICU for stringprep

prosody's configure script auto-detects stringprep backends and prefers
ICU when available, generating -DUSE_STRINGPREP_ICU and including
<unicode/usprep.h>. The OpenWrt SDK staging directory does not provide
ICU development headers, so the build fails with:

  encodings.c:271:10: fatal error: unicode/usprep.h: No such file or directory

The Makefile DEPENDS already declares +libidn. Pass --with-idn=idn to
explicitly select the libidn backend, which is available in the staging
directory.

Also, pass TARGET="../util/" to MAKE_FLAGS. OpenWrt has its own TARGET
env var which clobbers the 'TARGET' var from prosody's build (specified
as 'TARGET?=../util/')

Adding a test.sh to check for the correct version (since prosody mostly
has lua scripts).

Security release addressing multiple vulnerabilities. 0.12.6 is
likely the last release of the 0.12.x series (EOL June 2026).

Upstream advisory: https://prosody.im/security/

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-06 14:40:45 +03:00
Alexandru Ardelean 24c3026f94 avahi: update to 0.9-rc4
Fixes https://github.com/openwrt/packages/issues/27952

Update avahi from 0.8 to 0.9-rc4. The 0.9 development line accumulates
four years of bug and security fixes since the 0.8 release (2020-02-18).

Notable improvements in 0.9-rc4 over 0.8:

Security (all CVEs previously backported as patches, now removed):
  - CVE-2023-38469: reject TXT records whose total rdata exceeds
    AVAHI_DNS_RDATA_MAX, preventing heap-buffer reads under crafted mDNS
  - CVE-2023-38470: ensure each DNS label is at least one byte, preventing
    an infinite loop on malformed packets
  - CVE-2023-38471: extract host name via avahi_unescape_label() before
    generating an alternative to avoid operating on a raw escaped string
  - CVE-2023-38472: check that rdata pointer is non-NULL before passing to
    avahi_rdata_parse() from dbus-entry-group
  - CVE-2023-38473: derive alternative host name from its unescaped form,
    fixing incorrect hostname collision resolution with escaped labels

Bug fixes (previously backported):
  - Fix NULL-pointer crashes in avahi_s_*_browser_new() (#175)
  - Avoid infinite loop in avahi-daemon simple-protocol by handling
    AVAHI_WATCH_HUP event in client_work
  - Fix potential undefined behaviour in avahi_dns_packet_consume_uint32:
    cast uint8_t operands to uint32_t before shifting
  - Fix memory/CPU leak in the simple event loop: cleanup_watches() was
    zeroing timeout_req_cleanup instead of watch_req_cleanup, so completed
    watches were never removed from the linked list
  - Emit D-Bus error reply when avahi-daemon cannot resolve a hostname or
    service, rather than crashing with a NULL dereference
  - Increase ini-file-parser line buffer from 256 to 1024 bytes to handle
    longer configuration values without silent truncation

Other changes:
  - P2P tunnel support: IFF_MULTICAST is no longer required for
    point-to-point interfaces when allow-point-to-point=yes
  - Runtime directory: configure.ac now derives the socket path from
    ${runstatedir} (defaults to ${localstatedir}/run), so the
    explicit patch reverting the /run hardcoding is no longer needed
  - Patch 010-pkgconfig.patch (pkgconfig prefix alignment) is retained
    as it has not been merged upstream

Dropped patches (all merged upstream):
  020-revert-runtime-dir-systemd-change.patch
  100-p2p-no-iff_multicast-required.patch
  200-Fix-NULL-pointer-crashes-from-175.patch
  201-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
  202-avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch
  203-Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
  204-Emit-error-if-requested-service-is-not-found.patch
  205-conf-file-line-lengths.patch
  300-CVE-2023-38469.patch through 304-CVE-2023-38473.patch

Library SONAMES unchanged: libavahi-common.so.3, libavahi-core.so.7,
libavahi-client.so.3 — no reverse dependency rebuilds required.

Disable libsystemd (not available on OpenWrt)
avahi 0.9-rc4 added --enable-libsystemd which defaults to enabled and
fails configure when libsystemd is not found via pkg-config.  OpenWrt
does not provide libsystemd; disable it explicitly.
Also pass --with-systemdsystemunitdir=no to suppress the pkg-config
lookup for the systemd unit directory.

Drop po/ subdir from build
The 0.9-rc4 tarball is a raw git archive; po/Makefile.in.in is not
pre-generated as it was in the 0.8 release tarball.  autopoint (from
gettext) is needed to install it, but is not available in the OpenWrt
SDK.  Since OpenWrt does not use NLS translations, remove po/ from
SUBDIRS in Makefile.am to avoid the missing po/Makefile.in.in error
during configure.

In 0.9-rc4 the D-Bus system.d directory changed from
$(sysconfdir)/dbus-1/system.d to $(datadir)/dbus-1/system.d,
so avahi-dbus.conf is now installed under usr/share/dbus-1/system.d.
Update the install rule source path accordingly; keep the on-device
destination at /etc/dbus-1/system.d for compatibility.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-06 09:05:08 +03:00
John Audia 01ae152861 rsync: update to 3.4.2
Changelog: https://download.samba.org/pub/rsync/NEWS#3.4.2

Signed-off-by: John Audia <therealgraysky@proton.me>
2026-05-05 21:57:06 +02:00
Hannu Nyman b75749caab Revert "libfastjson: add missing runtime dependency on libm"
This reverts commit d114f46db1.

Apparently the libm does not exist as a package, so the commit is wrong.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2026-05-05 22:23:50 +03:00
Alan Feng 7c83b19c73 nebula: bump version to 1.10.3
changelog: https://github.com/slackhq/nebula/compare/v1.9.7...v1.10.3

Signed-off-by: Alan Feng <fthasdd@largerworld.cc>
2026-05-05 15:16:20 +03:00
Dharmik Parmar 55f5134f69 ddns-scripts: fix option name in updater messages
On master, updater help and missing-option text still refer to '-N'.
Use '-S' instead so the messages match accepted script options.
Also clarify that SECTION is the UCI section name/id to start.
This is a text-only change; runtime behavior is unchanged.

Bump PKG_RELEASE to 4.

Fixes: #27737
Signed-off-by: Dharmik Parmar <dharmikparmar2004@yahoo.com>
2026-05-05 10:21:21 +02:00
Josef Schlehofer cba772d955 gots_engine: fix PKG_MIRROR_HASH
It was discovered by CI/CD that it is no longer valid.

Fixes:
```
2026-04-29T13:04:58.0170130Z SHELL= flock /builder/tmp/.gost_engine-3.0.3.tar.zst.flock -c '  	/builder/scripts/download.pl "/builder/dl" "gost_engine-3.0.3.tar.zst" "ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88" "" || (  /builder/scripts/dl_github_archive.py --dl-dir="/builder/dl" --url="https://github.com/gost-engine/engine" --version="v3.0.3" --subdir="gost_engine-3.0.3" --source="gost_engine-3.0.3.tar.zst" --hash="ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88" --submodules  || ( 	echo "Checking out files from the git repository..."; mkdir -p /builder/tmp/dl && cd /builder/tmp/dl && rm -rf gost_engine-3.0.3 && [ \! -d gost_engine-3.0.3 ] && git clone  https://github.com/gost-engine/engine gost_engine-3.0.3 && (cd gost_engine-3.0.3 && git checkout v3.0.3) && export TAR_TIMESTAMP=`cd gost_engine-3.0.3 && git log -1 --no-show-signature --format='\''@%ct'\''` && echo "Generating formal git archive (apply .gitattributes rules)" && (cd gost_engine-3.0.3 && git config core.abbrev 8 && git archive --format=tar HEAD --output=../gost_engine-3.0.3.tar.git) &&  tar --numeric-owner --owner=0 --group=0 --ignore-failed-read -C gost_engine-3.0.3 -f gost_engine-3.0.3.tar.git -r .git .gitmodules 2>/dev/null  && rm -rf gost_engine-3.0.3 && mkdir gost_engine-3.0.3 && tar -C gost_engine-3.0.3 -xf gost_engine-3.0.3.tar.git && (cd gost_engine-3.0.3 && git submodule update --init --recursive --  && rm -rf .git .gitmodules) && echo "Packing checkout..." 
&& 	tar --numeric-owner --owner=0 --group=0 --mode=a-s --sort=name ${TAR_TIMESTAMP:+--mtime="$TAR_TIMESTAMP"} -c gost_engine-3.0.3 | 	zstd -T0 --ultra -20 -c > /builder/tmp/dl/gost_engine-3.0.3.tar.zst && mv /builder/tmp/dl/gost_engine-3.0.3.tar.zst /builder/dl/ && rm -rf gost_engine-3.0.3; );  )  && ( file_hash="$(/builder/staging_dir/host/bin/mkhash sha256 "/builder/dl/gost_engine-3.0.3.tar.zst")"; [ "$file_hash" = "ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88" ] || [ "ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88" = "skip" ] || { echo "Hash mismatch for file gost_engine-3.0.3.tar.zst: expected ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88, got $file_hash"; false; }; )    '
2026-04-29T13:04:58.0559677Z + curl -f --connect-timeout 5 --retry 3 --location https://sources.cdn.openwrt.org/gost_engine-3.0.3.tar.zst
2026-04-29T13:04:58.0616240Z   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
2026-04-29T13:04:58.0616964Z                                  Dload  Upload   Total   Spent    Left  Speed
2026-04-29T13:04:58.0617618Z
2026-04-29T13:04:58.1364520Z   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
2026-04-29T13:04:58.1365467Z 100  977k  100  977k    0     0  12.8M      0 --:--:-- --:--:-- --:--:-- 12.8M
2026-04-29T13:04:58.1453386Z Hash of the downloaded file does not match (file: b3a6701cd97e4db4f3e0f4b356c991075c6157dd3941d34851c8f36baa1d2721, requested: ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88) - deleting download.
```

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2026-05-05 09:19:19 +02:00
Yehor Popovych e4b1d8cc06 mpd: enabled dsd for mpd-full variant
Fixes: #29281

Signed-off-by: Yehor Popovych <yehor@popovy.ch>
2026-05-05 09:12:38 +03:00
Sander van Deijck 0393b2260c openvpn: disable wolfssl support
WolfSSL support for OpenVPN is currently broken:
https://github.com/wolfSSL/wolfssl/pull/10309

Until a fix is available, disable WolfSSL as variant.
Support can be re-enabled when WolfSSL is updated.

Signed-off-by: Sander van Deijck <sander@vandeijck.com>
2026-05-05 09:02:59 +03:00
Sander van Deijck 3e779d0564 openvpn: update to 2.7.4
Update the OpenVPN package to 2.7.4

For changes, see:
https://github.com/OpenVPN/openvpn/blob/v2.7.4/Changes.rst

Signed-off-by: Sander van Deijck <sander@vandeijck.com>
2026-05-05 09:02:59 +03:00
Alexandru Ardelean d2b2f5952d alsa-ucm-conf: update to 1.2.15.3
Changelog:
- Add UCM profiles for DualSense PS5 controller and multiple Qualcomm
  platforms
- Improve USB audio device handling and HDA initialization patterns
- Enhance phantom jack detection and optional headphone output handling
- Add support for Steinberg audio devices and new MediaTek SoC configs

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-05 08:54:20 +03:00
Alexandru Ardelean 58369e0a5d libssh: update to 0.12.0
Changelog:
- Add quantum-resistant hybrid key exchange (sntrup761x25519, mlkem
  variants)
- Add FIDO/U2F key support with libfido2 integration
- Add host-bound public key authentication and GSSAPI key exchange
- Add sshsig signing support (e.g. for git commit signing)
- Fix SFTP reliability when status messages lack error data
- Security fixes: path traversal in SCP and buffer management issues

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-05 08:54:20 +03:00
Alexandru Ardelean ba4135ff29 json-glib: update to 1.10.8
Changelog:
- Add strict JSON parsing mode (JsonParser:strict property)
- Add JsonGenerator.take_root() for improved generator handling
- Support parsing of files larger than 4 GB
- Add single-quoted strings support in non-strict mode (v1.10.6)
- Fix malformed Unicode error handling and parser conformance

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-05 08:54:20 +03:00
Alexandru Ardelean ea8faf5883 libidn2: update to 2.3.8
Changelog:
- Update to Unicode 15.1.0 standard with U+19DA marked DISALLOWED
- Switch from gnulib submodule to GNULIB_REVISION for build management
- Fix uninitialized memory and compiler warnings
- Improve reproducibility and cross-platform build compatibility

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-05 08:54:20 +03:00
Alexandru Ardelean 6895269702 libidn: update to 1.43
Changelog:
- Fix uninitialized value bug in idna_to_unicode_4z4z on malloc failure
- Restore Unicode table generation scripts for modern Perl compatibility
- Fix Windows/musl compatibility for version checking
- Achieve reproducible builds across tested platforms

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-05 08:54:20 +03:00
Alexandru Ardelean a68f79411e ngtcp2: update to 1.22.1
Changelog:
- Add Generic Segmentation Offload (GSO) packet aggregation via
  ngtcp2_conn_write_aggregate_pkt
- Fix CVE-2026-40170 (v1.22.1)
- Refine BBR congestion control and header protection cipher
- Improve error handling across the codebase

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-05 08:54:20 +03:00
Alexandru Ardelean 8a22595f49 nghttp3: update to 1.15.0
Changelog:
- Client-side stream scheduling is now incremental by default
- Add nghttp3_recv_settings2 API
- Add glitch protection and time-based features (v1.12.0)
- Optimize QPACK Huffman decoding performance
- Fix ENABLE_CONNECT_PROTOCOL handling

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-05 08:54:20 +03:00
Dirk Brenken 98c0a3d00d banip: update 1.8.8-2
- optimized pidfile handling in the init file
- small corner-case fixes & improvements
- drop deprecated 'drop' feed (replaced by 'spamhaus' json feed with the same content)
- LuCI: expose the new JSON Lines Format in the feed editor
- readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-05-04 19:42:40 +02:00
Alexandru Ardelean a3d2536eb0 lua-openssl: fix Lua detection with CMake 4.3
FindLuaJIT.cmake uses NO_DEFAULT_PATH and only searches hardcoded
luajit-specific paths, so it never finds regular Lua. However if
LUAJIT_INCLUDE_DIRS and LUAJIT_LIBRARY are pre-set in the CMake
cache, find_path/find_library skip their searches, the module sets
LUAJIT_FOUND=ON and also sets LUA_INCLUDE_DIR/LUA_LIBRARIES from
those values, and the if(NOT LUAJIT_FOUND) guard skips the broken
find_package(Lua REQUIRED) call that fails under CMake 4.3.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-04 19:26:53 +03:00
George Sapkin 5e9229551d ci: mark and close PRs with formality issues
Add a recurring workflow that runs every day at 5:30 and marks all PRs
that have formality check failures (i.e. marked as 'not following
guidelines') that have not been active in the past 14 days as stale.
Close stale PRs after 14 more days.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-04 13:12:08 +02:00
Dirk Brenken 01fd465bf4 adblock: update 4.5.5-2
- optimized pidfile handling in the init file
- multiple allowlist tweaks
- various small corner-case fixes & improvements
- LuCI: expose new UCI options 'adb_fetchcmd' and 'adb_fetchretry'
- readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-05-03 20:02:19 +02:00
Alexandru Ardelean 177daf61d4 boost: build libquadmath only on some archs
libquadmath is only packaged for x86 and powerpc targets in OpenWrt.
Declaring it as an unconditional runtime dependency of boost-charconv
causes apk installation failure on all other architectures (e.g.
i386, arm, mips) with "libquadmath (no such package)".

Guard the dependency with an ARCH filter so it is only pulled in on
platforms where the package actually exists.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>

boost: add x86 to libquadmath arch conditional in boost-charconv

libquadmath is available on x86 (i386) in addition to x86_64 and
powerpc variants. Include it in the filter so boost-charconv gets
the correct dependency on 32-bit x86 targets.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-03 20:59:28 +03:00
Alexandru Ardelean 89e4a2fe3f openzwave: add test.sh
MinOZW does not implement any --version flag, so skip the generic
version check. Just verify the binary is present and executable.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-03 20:59:28 +03:00
Alexandru Ardelean b6f828b331 domoticz: fix build and add test.sh
boost::asio::post() without an explicit executor fails to compile with
Boost >= 1.82 due to changes in the executor model: bare lambdas no
longer have an implicit system executor that satisfies the
blocking.never requirement.

Pass io_context_ explicitly as the first argument so the handler is
dispatched on the correct io_context thread, which is the original
intent of the call (making stop() safe to call from any thread).

Add test.sh
domoticz is a daemon requiring a database and network port; it does not
implement a --version flag. Verify the binary is present and executable.

Disable LTO to fix link failure on i386 with musl fortify
Suggested via https://github.com/openwrt/packages/pull/29239
Also tested.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-03 20:59:28 +03:00
Alexandru Ardelean c3edf23676 libre2: update to 2025-11-05
Bump to latest upstream snapshot (2025-11-05). re2 uses date-based
versioning from git. This brings roughly two years of upstream
improvements including performance optimisations, bug fixes, and
C++17/20 compatibility improvements.

Reference:
  https://github.com/google/re2/releases/tag/2025-11-05

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-03 17:48:47 +03:00
Josef Schlehofer 688945881f Revert "adguardhome: added ujail dependency"
This commit was merged into the master branch by accident
and should be undone. Adding ujail as a hardcoded dependency
is incorrect, as ujail is meant to be an optional dependency.

A better approach is to implement ujail support within
the init script, which was discussed in the pull request
(https://github.com/openwrt/packages/pull/29277),
consistent with how other packages in the repository handle this.

Therefore, reverting for now.

This reverts commit e6b5141c7e.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2026-05-03 15:05:20 +02:00
Ernestas Kulik 1935316a49 libgpiod: add python-setuptools host build dep
If python3-gpiod is enabled and the python-setuptools host package is
missing, the setuptools.build_meta import will cause a build failure.
Fix this by adding a conditional build dependency.

Signed-off-by: Ernestas Kulik <ernestas@baltic.engineering>
2026-05-03 14:30:00 +03:00
Ernestas Kulik 2fc1a5deeb libgpiod: make Python bindings optional
The python3-light dependency gets lugged even with the package disabled,
so this commit makes python3-light a conditional dependency, similar to
gensio in 0c245fda70.

Signed-off-by: Ernestas Kulik <ernestas.k@iconn-networks.com>
2026-05-03 14:30:00 +03:00
George Sapkin cc4f8076d9 mosquitto: fix installing libraries
Use cp instead of install when installing libraries to not follow
symlinks and create duplicate files.

Fixes: aa89f847 ("mosquitto: update to 2.0.18")
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-03 10:15:04 +03:00
Russell Senior b6958d257e sed: update to v4.10
update to version v4.10, disable building gnulib-tests to avoid
compilation errors.

Add --disable-xattr to CONFIGURE_ARGS to avoid linking an unneeded
dependency.

Changes in sed since v4.9, from NEWS:

** Bug fixes

  sed 's/a/b/g' (and other global substitutions) now works on input
  lines longer than 2GB. Previously, matches beyond the 2^31 byte offset
  would evoke a "panic" (exit 4).
  [bug present since the beginning]

  'sed --follow-symlinks -i' no longer has a TOCTOU race that could let
  an attacker swap a symlink between resolution and open, causing sed to
  read attacker-chosen content and write it to the original target.
  [bug introduced in sed 4.1e]

  sed no longer falsely matches when back-references are combined with
  optional groups (.?) and the $ anchor.  For example, this no longer
  falsely matches the empty string at beginning of line:
    $ echo ab | sed -E 's/^(.?)(.?).?\2\1$/X/'
    Xab
  [bug present since "the beginning"]

  In --posix mode, sed no longer mishandles backslash escapes (\n,
  \t, \a, etc.) after a named character class like [[:alpha:]].
  For example, 's/^A\n[[:alpha:]]\n*/XXX/' would fail to match the
  trailing newline, treating \n as a literal backslash and an 'n'
  rather than a newline.  This happened when an earlier backslash
  escape in the same regex had already been converted, shifting the
  in-place normalization buffer.
  [bug introduced in sed 4.9]

  sed --debug no longer crashes when a label (":") command is compiled
  before the --debug option is processed, e.g., sed -f<(...) --debug.
  [bug introduced in sed 4.7 with --debug]

  sed no longer rejects the documented GNU extension 'a**' (equivalent
  to 'a*') in Basic Regular Expression (BRE) mode.  Previously, this
  worked only with -E (ERE mode), even though grep has always accepted
  it in BRE mode.
  [bug present since "the beginning"]

  sed no longer rejects "\c[" in regular expressions
  [bug present since the beginning]

  'sed --follow-symlinks -i' no longer mishandles an operand that is a
  short symbolic link to a long symbolic link to a file.
  [bug introduced in sed 4.9]

  Fix some longstanding but unlikely integer overflows.
  Internally, 'sed' now more often prefers signed integer arithmetic,
  which can be checked automatically via 'gcc -fsanitize=undefined'.

** Changes in behavior

  In the default C locale, diagnostics now quote 'like this' (with
  apostrophes) instead of `like this' (with a grave accent and an
  apostrophe).  This tracks the GNU coding standards.

  'sed --posix' now warns about uses of backslashes in the 's' command
  that are handled by GNU sed but are not portable to other
  implementations.

** Build-related

  builds no longer fail on platforms without the <getopt.h> header or
  getopt_long function.
  [bug introduced in sed 4.9]

Signed-off-by: Russell Senior <russell@personaltelco.net>
2026-05-03 08:14:01 +02:00
micpf d114f46db1 libfastjson: add missing runtime dependency on libm
libfastjson uses modf() from libm but does not declare the dependency.
With BIND_NOW (CONFIG_PKG_RELRO_FULL), this can cause the dynamic linker
to process libfastjson's relocations before libm's GOT is set up,
triggering a crash in libm's IFUNC resolver on PowerPC.

Fixes: https://github.com/openwrt/packages/issues/29160
Signed-off-by: micpf <micpf@westermo.com>
2026-05-02 18:11:36 +03:00
Stan Grishin 81f0ef48e1 https-dns-proxy: update to 2026.03.18-1
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1

Description:
update to 2026.03.18, improve nftables rules

  - Update PKG_VERSION to 2026.03.18.
  - Set PKG_RELEASE to 1.
  - Update PKG_SOURCE_VERSION to 801881210ba8215dc9cd577222d8c10372423360.
  - Update PKG_MIRROR_HASH to 4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce.

files/etc/init.d/https-dns-proxy:
  - Wrap the notrack chain in its own `inet https_dns_proxy_notrack`
    table. A top-level `chain` outside any table is invalid nftables
    syntax and is rejected on kernel 6.18+, breaking firewall load.
    Fixes mossdef-org/https-dns-proxy#7.
  - Syntax-check the generated snippet with `nft -c -f` after write
    and report OK/FAIL on the start path.
  - On remove, explicitly `nft delete table` in addition to removing
    the snippet file, so the live ruleset is cleaned up immediately
    rather than waiting for the next fw4 reload.

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2026-05-01 18:04:56 -07:00
Alexander Krause e6b5141c7e adguardhome: added ujail dependency
In order to create a proper jail, we need the procd-ujail package.
Otherwise, AdGuardHome will run as unprivileged process,
and will not be able to listen on ports below 1024.

Signed-off-by: Alexander Krause <alexander.krause@cs.tu-dortmund.de>
2026-05-01 21:06:56 +03:00
Alexandru Ardelean 543e47f0a0 zstd: add test.sh for script wrappers without --version
zstdgrep and zstdless are shell script wrappers that do not output a
version string, so the generic CI version check fails for them. Add a
test.sh case that verifies they are present and executable instead.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-01 21:01:30 +03:00
Alexandru Ardelean 5b9e2dd55e dbus: add test.sh for binaries without --version
dbus-utils utilities do not implement --version so the generic CI
version check fails for them. Add a test.sh case that verifies the
binaries are present and executable instead.

dbus-utils: dbus-monitor, dbus-send, dbus-test-tool
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-01 21:01:30 +03:00
Alexandru Ardelean 3298822f8d bluez: add test.sh for binaries without --version
Several bluez utilities do not implement --version so the generic CI
version check fails for them. Add test.sh cases that verify the
binaries are present and executable instead.

bluez-daemon: obexd
bluez-utils: bdaddr, ciptool, hciattach, hciconfig, l2ping, l2test, rctest
bluez-utils-extra: gatttool
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-01 21:01:30 +03:00
Alexandru Ardelean 07ae454c3f semodule-utils: update to 3.10
Changes in 3.10:
- general bug fixes from libsepol (bounds statements in optional
  blocks, type attribute handling in role-types rule, NULL dereference
  and use-after-free fixes)
- treewide: add .clang-format configuration file

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-01 21:01:30 +03:00
Alexandru Ardelean 58942fa127 selinux-python: update to 3.10
Changes in 3.10:
- python/sepolicy: add support for DNF5
- sandbox/seunshare: replace system() with execv() to prevent shell
  injection vulnerability
- seunshare: always use translations when printing
- setfiles: add -A option to disable SELINUX_RESTORECON_ADD_ASSOC

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-01 21:01:30 +03:00
Alexandru Ardelean badbdbef9f python-semanage: update to 3.10
Changes in 3.10:
- improve semanage man pages: add examples for -r RANGE flag usage
- semanage: reset active value when deleting boolean customizations
- various libsemanage/libsepol bug fixes and security hardening

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-01 21:01:30 +03:00
Alexandru Ardelean 381e4f41ba python-selinux: update to 3.10
Changes in 3.10:
- fix parsing of the enforcing kernel cmdline parameter
- build python module without isolation (Makefile fix)
- treewide: add .clang-format configuration file
- various libsepol bug fixes (NULL deref, use-after-free, MLS range
  validation, functionfs_seclabel policycap, bpf_token_perms polcap)

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-01 21:01:30 +03:00
George Sapkin 3f7ff4c50c ci: relax subject and line length checks
Relax subject length checks to 60/80 and line length to 100 to match the
actions repo.

Link: https://github.com/openwrt/actions-shared-workflows/pull/95
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-01 16:13:00 +03:00
Alexandru Ardelean 20873ba57e glib2: split package into separate libraries
Existing package contains five libraries, some of which are > 1MB. Allow
packages which depend on only some of them to only pull in the ones they
need by splitting this package into finer-grained packages. Transition
can be done piecemeal as depending on glib2 will still pull in all the
libraries.

The original split commit (6bb0d6bd2) had a typo: the glib2 meta-package
used 'DEPENDS:+glib2-gthread +glib2-gio' (missing '='), which caused
the meta-package to have no effective dependencies. This meant packages
declaring '+glib2' did not get the sub-packages installed, causing APK
dependency checks to fail for all glib2 libraries across ~60 packages.

This re-applies the split with 'DEPENDS:=+glib2-gthread +glib2-gio'
(correct assignment syntax), so the meta-package properly pulls in all
sub-packages for consumers that still declare '+glib2'.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-01 07:54:50 +03:00
Alexandru Ardelean 12d8cda801 attr: add test.sh to handle version check
The generic CI test fails for /usr/bin/attr because that binary does
not implement --version. getfattr and setfattr do, so test those for
the version string and only verify attr is present and executable.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-04-30 19:40:38 +02:00
Alexandru Ardelean 8238e4ddfa lua-openssl: fix CMake Lua detection in build
The CMakeLists.txt first tries FindLuaJIT.cmake which uses
NO_DEFAULT_PATH with hardcoded host paths, so it always fails in
cross-compilation. The fallback find_package(Lua REQUIRED) may also
fail to find a flat sysroot layout where lua.h lives at
/usr/include/lua.h rather than a versioned subdirectory.

Explicitly pass LUA_INCLUDE_DIR and LUA_LIBRARY to CMake to bypass
both finders, and depend on +liblua (the library package) instead of
+lua to ensure Build/InstallDev runs and Lua headers are present in
the staging directory before this package builds.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-04-30 17:42:26 +03:00
Dirk Brenken e0669cb1a8 banip: release 1.8.8-1
- introduced a shared named nft limit (loglimit) referenced by
  all log rules instead of per-rule limits, aligning with kernel printk rate limits
- added new 'ban_logratelimit' and 'ban_logburstlimit' UCI options for tuning
   the shared log limit; setting ban_logratelimit=0 disables nft-side rate limiting
   entirely (useful for ulogd or other userspace log handlers that bypass printk)
- LuCI: made the new UCI option available (Log Settings)
- readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-30 11:37:14 +02:00
Josef Schlehofer 459ceca657 unzip: refresh patches
Fixes:
```
2026-04-28T14:55:09.6675796Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0001-fix-heap-based-buffer-overflow-in-the-CRC32-verifica.patch' -> '/feed/utils/unzip/patches/0001-fix-heap-based-buffer-overflow-in-the-CRC32-verifica.patch'
2026-04-28T14:55:09.6707616Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0002-fix-heap-based-buffer-overflow-in-the-test_compr_eb-.patch' -> '/feed/utils/unzip/patches/0002-fix-heap-based-buffer-overflow-in-the-test_compr_eb-.patch'
2026-04-28T14:55:09.6739766Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0003-fix-heap-based-buffer-overflow-in-the-getZip64Data-f.patch' -> '/feed/utils/unzip/patches/0003-fix-heap-based-buffer-overflow-in-the-getZip64Data-f.patch'
2026-04-28T14:55:09.6770773Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0004-fix-out-of-bounds-read-or-write-and-crash.patch' -> '/feed/utils/unzip/patches/0004-fix-out-of-bounds-read-or-write-and-crash.patch'
2026-04-28T14:55:09.6802381Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0005-fix-heap-based-buffer-over-read-and-application-cras.patch' -> '/feed/utils/unzip/patches/0005-fix-heap-based-buffer-over-read-and-application-cras.patch'
2026-04-28T14:55:09.6832719Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0006-fix-infinite-loop-because-of-an-empty-bzip2-data.patch' -> '/feed/utils/unzip/patches/0006-fix-infinite-loop-because-of-an-empty-bzip2-data.patch'
2026-04-28T14:55:09.6863943Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0007-fix-error-to-prevent-unsigned-overflow.patch' -> '/feed/utils/unzip/patches/0007-fix-error-to-prevent-unsigned-overflow.patch'
2026-04-28T14:55:09.6895530Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0008-fix-buffer-overflow-in-the-list_files-function.patch' -> '/feed/utils/unzip/patches/0008-fix-buffer-overflow-in-the-list_files-function.patch'
2026-04-28T14:55:09.6926806Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0009-fix-buffer-overflow-in-the-zi_short-function.patch' -> '/feed/utils/unzip/patches/0009-fix-buffer-overflow-in-the-zi_short-function.patch'
2026-04-28T14:55:09.6958683Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0010-unix.c-Remove-build-date.patch' -> '/feed/utils/unzip/patches/0010-unix.c-Remove-build-date.patch'
2026-04-28T14:55:09.6990350Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/0011-fix-heap-based-buffer-overflow-in-the-password-prote.patch' -> '/feed/utils/unzip/patches/0011-fix-heap-based-buffer-overflow-in-the-password-prote.patch'
2026-04-28T14:55:09.7023549Z '/builder/build_dir/target-aarch64_generic_musl/unzip-6.0/unzip60/patches/012-fix-gcc15-build.patch' -> '/feed/utils/unzip/patches/012-fix-gcc15-build.patch'
2026-04-28T14:55:09.7047649Z make[2]: Leaving directory '/feed/utils/unzip'
2026-04-28T14:55:09.7051724Z time: package/feeds/packages_ci/unzip/refresh#1.41#1.81#2.76
2026-04-28T14:55:09.7059428Z make[1]: Leaving directory '/builder'
2026-04-28T14:55:09.7071281Z ##[endgroup]
2026-04-28T14:55:09.7104892Z Dirty patches detected, please refresh and review the diff
```

Fixes: f9e7e2db94 ("unzip: add valid patche headers and missing CVE informations")

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2026-04-29 08:41:42 +02:00
Alexandru Ardelean 3b680cc166 coredns: fix netlink compat for wgsd plugin
wgsd (WireGuard Service Discovery plugin) pulls in
golang.zx2c4.com/wireguard/wgctrl -> mdlayher/genetlink v1.2.0 ->
mdlayher/netlink v1.6.2. This version of netlink calls
mdlayher/socket's Sendmsg/Recvmsg with the old API signatures
(pre-context.Context, single-return-value Sendmsg), but coredns
itself requires mdlayher/socket v0.5.1 which changed these
signatures to include context.Context and return (int, error).

Add a go get step that upgrades netlink to v1.7.2 after the wgsd
plugin dependencies are pulled in, ensuring the build uses a
netlink version compatible with socket v0.5.x.

Should fix:
  https://downloads.openwrt.org/snapshots/faillogs/i386_pentium-mmx/packages/coredns/compile.txt

```
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:9: too many return values
	have (int, error)
	want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:35: not enough arguments in call to c.s.Sendmsg
	have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
	want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:9: too many return values
	have (int, error)
	want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:33: not enough arguments in call to c.s.Sendmsg
	have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
	want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:127:42: not enough arguments in call to c.s.Recvmsg
	have ([]byte, nil, number)
	want (context.Context, []byte, []byte, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:142:41: not enough arguments in call to c.s.Recvmsg
	have ([]byte, nil, number)
	want (context.Context, []byte, []byte, int)
github.com/aws/aws-sdk-go-v2/aws/protocol/query
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
github.com/aws/smithy-go/private/requestcompression
```

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-04-29 06:42:29 +03:00
Josef Schlehofer 165cdb2d3e syslog-ng: update to version 4.11.0
Release notes:
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.11.0

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2026-04-28 23:13:40 +02:00
Erik Larsson fee669b6d4 python3-ubus: update to 0.1.3
Bump to version 0.1.3 and drop patch, which is in upstream.

Signed-off-by: Erik Larsson <who+github@cnackers.org>
2026-04-28 23:12:28 +02:00
Alexandru Ardelean bf50291ab1 prosody: fix PKG_HASH for 0.12.4
The prosody.im upstream updated the 0.12.4 tarball in-place, changing
its content without bumping the version. Update PKG_HASH to match the
currently published tarball.

Fixes: f4d305b73 ("prosody: update to 0.12.4")
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-04-28 23:10:43 +02:00