New stable release on the 2.5.x development series. Highlights from
upstream's NEWS:
* gpgsm: Implement GCM encryption.
* gpgsm: New option --attribute and server command SETATTR to
include arbitrary signed or unsigned attributes into a
signature. Requires libksba >= 1.7.0 (bumped to 1.8.0 in the
preceding commit).
* gpgsm: Introduce system attribute _signingCertificateV2.
* gpg: Fix wrong assertion failure which could very rarely occur
during key signature checking.
* gpg: Consider certify-only keys for revocation signature check.
* gpgsm: Fix possible double free in the CMS parser.
* gpgsm: Fix possible too early removal of ephemeral keys.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Minor version bump on the GnuPG X.509 library. Highlights from
upstream's NEWS:
1.8.0 (2026-05-13)
* New function ksba_cms_get_attribute.
* Support building of unsigned attributes with
ksba_cms_add_attribute.
1.7.0 (2026-05-07)
* Add support for building AuthEnvelopedData.
* New function ksba_cms_add_attribute.
* Fix silent truncation of 64 bit length fields.
* Fix incorrect overflow guard condition in _ksba_ber_read_tl.
The added interfaces (ksba_cms_add_attribute, _get_attribute) are
required by GnuPG >= 2.5.20 to expose gpgsm's --attribute option.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
PostgreSQL 18.4 is a quarterly bug-fix release of the 18.x major
series. No security advisories listed against this release.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Stable bug-fix release in the 1.25.x series. Highlights from
upstream's ChangeLog include:
* Fix STL hardening assertion in the reverb effect.
* Fix a potential crash with older PipeWire headers.
* Fix capturing mono from a stereo or greater WASAPI input device.
* Add capture support to the SDL3 backend.
* Implement 3D processing for Distortion, Chorus, Flanger,
Pitch Shifter and Frequency Shifter effects.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
When luci-proto-openvpn is selected in `make menuconfig`,
openvpn-openssl is picked up automatically. As mbedTLS is the default
TLS package, set DEFAULT_VARIANT on openvpn-mbedtls so that it is used
by default.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Add DDNS update support for blazingfast.io Anycast DNS via their
REST API. Authentication is performed via JWT token obtained from
the login endpoint. Zone records are fetched to verify the record
type before update, ensuring IPv4 services only target A records
and IPv6 services only target AAAA records.
Service, zone and record IDs are passed via param_opt as
space-separated key=value pairs:
service_id=X zone_id=Y record_id=Z
curl --config file approach is used throughout to avoid eval and
shell injection from user-controlled values. Supports both IPv4
and IPv6. For dual-stack, create two separate DDNS service sections
with their respective record IDs.
Tested on GL.iNet MT5000 (Brume 3) running OpenWrt with
ddns-scripts 2.8.2.
Signed-off-by: Fotios Kitsantas <fkitsantas@icloud.com>
Add source packages and library to version check overrides.
Fixes: b5d3a38e ("python3: move version checks to override")
Signed-off-by: George Sapkin <george@sapk.in>
To find the correct network interface to create a network entry for, check
which driver is driving the network interface.
Restrict creating a network entry with DHCP client to network interfaces
driven by the cdc_ether, r8152, rndis_host, or ipheth driver.
Ensure UCI section name derived from interface name is proper.
Do not disable using DNS servers advertised by the ISP. This was a
requirement of bsbf-bonding. We can now do this as we transparently proxy
all DNS traffic to Xray which resolves queries.
Do not exit non-zero as it's useless.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
Update bsbf-resources to the GIT HEAD of 2026-05-16.
- files/etc/uci-defaults/99-bsbf-bonding:
- Do not ever exit non-zero. It prevents the script from being deleted
after it's run.
- Fix creating a new wan zone.
- Do not disable using DNS servers advertised by the ISP. We can now do
this as we transparently proxy all DNS traffic to Xray which resolves
queries.
- files/usr/sbin/bsbf-bonding:
- Attempting to source a file that doesn't exist breaks the rest of the
script. Therefore, only source /etc/bsbf/bsbf-bonding.conf if it
exists. Then, print to stderr if the configuration is improper.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
This software is no longer maintained because upstream
repository has been archived by the owner.
No packages depends on this.
Signed-off-by: Yanase Yuki <dev@zpc.st>
- gated f_load behind a ubus socket check at the end of adblock.sh
to harden against pre-ubus invocations
- added a 'adb_bver' fallback in f_log for invocation paths without prior f_load execution
- minor code improvements and fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
- gated config sanity checks at the end of banip-functions.sh
behind 'ban_action' to skip them on init script sourcing paths (enable/disable/help)
- added a ubus socket guard around f_system to harden against pre-ubus sourcing
- added a 'ban_bver' fallback in f_log for sourcing paths without prior f_system execution
- reordered system utility references before system library sourcing,
so f_log has a valid 'ban_logcmd' available if the library check fails
- minor code improvements and fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
- gated config sanity checks at the end of travelmate-functions.sh
behind 'trm_action' to fix init script enable/disable/help paths
- added a ubus socket guard around f_system to harden against pre-ubus sourcing
- added a 'trm_bver' fallback in f_log for sourcing paths without prior f_system execution
- reordered system utility references before system library sourcing,
so f_log has a valid 'trm_logcmd' available if the library check fails
- minor code improvements
Signed-off-by: Dirk Brenken <dev@brenken.org>
captest, filecap, netcap and pscap (libcap-ng-bin) do not print the
package version string (0.8.4), causing generic version check failures
in CI.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The binary does not report the OpenWrt package version (2023.06.11~ab78c48f);
override the generic version check with test-version.sh.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The git archive hash changed due to .gitattributes normalization in the
upstream repository. Update PKG_MIRROR_HASH to the current value.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
When dnsmasq is disabled, /var/etc doesn't exist. minidlna start was then failing. Partially reverted commit 733aae9 which broke this.
Signed-off-by: Peter Maivald <plasticassius@gmail.com>
1.0.1 fixes a false-positive path-traversal check in destinations.py:
the 1.0.0 code used Path.resolve() to validate that each installed file
stays within the --destdir, but Path.resolve() follows symlinks.
OpenWrt's staging dir and toolchain directories contain many symlinks,
so resolved paths could escape the destdir comparison and trigger:
ValueError: Attempting to write <file> outside of the target directory
1.0.1 replaces Path.resolve() with os.path.abspath(), which normalises
the path without following symlinks, eliminating the false positive.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
George Sapkin