Commit Graph

5009 Commits

Author SHA1 Message Date
W. Michael Petullo
e05f524244 python-semanage: update to 3.9
Upstream list of changes is available at
https://github.com/SELinuxProject/selinux/releases/tag/3.9.

Signed-off-by: W. Michael Petullo <mike@flyn.org>
2026-01-22 21:47:39 +02:00
Hirokazu MORIKAWA
3cb4028f46 node: january 13, 2026 Security Releases
HOST BUILD ONLY

Update to 22.22.0
This is a security release.
Notable Changes

    (CVE-2025-59465) add TLSSocket default error handler
    (CVE-2025-55132) disable futimes when permission model is enabled
    lib,permission:
    (CVE-2025-55130) require full read and write to symlink APIs
    src:
    (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks
    src,lib:
    (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle
    tls:
    (CVE-2026-21637) route callback exceptions through error handlers

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
2026-01-22 20:53:49 +02:00
W. Michael Petullo
5de77732b6 python-selinux: update to 3.9
Upstream list of changes is available at
https://github.com/SELinuxProject/selinux/releases/tag/3.9.

Signed-off-by: W. Michael Petullo <mike@flyn.org>
2026-01-22 20:52:28 +02:00
Daniel F. Dickinson
3de4d24830 python-passlib: remove unmaintained package
passlib is unmaintained since 2020 and a maintained fork called libpass,
which is a drop-in replacement (even using the passlib module name), is
now available. https://github.com/Kozea/Radicale/issues/1952 has more
information.

Therefore we remove the python-passlib package from this repo.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2026-01-22 13:57:48 +07:00
Daniel F. Dickinson
ead09d5fd9 python-libpass: add replacement for passlib
passlib has not been updated since 2020 and is therefore a dead project.
Radicale (used in this repo as radicale3) has updated to use libpass (a
maintained fork of passlib): https://github.com/Kozea/Radicale/pull/1953
therefore add python3-libpass to provide libpass, a drop-in replacement
for passlib, and a dependency for Radicale v3.6.0.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2026-01-22 13:57:48 +07:00
Daniel F. Dickinson
f8b8ce62c5 php8: fix gettext and intl dependencies and build
* Add a needed BUILD_DEPENDENCY on icu package, when PHP8_INTL is
  defined.
* Make PHP8_DOM selecting PHP8_LIBXML instead of depending on it.
* PHP8_INTL does not depend on PHP8_GETTEXT, it builds also
  without gettext.
* Always show option for choosing PHP8_FULLICUDATA
* For php8-cgi, php-cli, etc, a libstdcpp dependency is only gained
  when PHP8_INTL is selected, therefore update those conditional depends.

As some combinations of these changes can change the binaries output,
PKG_RELEASE has been bumped.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2026-01-16 07:35:52 +01:00
Daniel F. Dickinson
1a01a175fa php8: add more help text and tweak whitespace
Add more menuconfig help text descriptions, and
convert some mixed tabs and spaces to spaces.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2026-01-16 07:35:52 +01:00
Daniel F. Dickinson
247c1a1964 php8: fix xmlreader dom circular dependency
xmlreader was selecting package php8-mod-dom as well as depending on
PHP8_DOM, while php8-mod-dom also depended on PHP8_DOM (and therefore
selected PHP8_DOM when php8-mod-dom was selected). This is a Kconfig
recursive dependency, so break the recursion by noting that because
php8-mod-xmlreader selects php8-mod-dom, PHP8_DOM is a transitive
depends, so php8-mod-xmlreader should not depend on PHP8_DOM itself.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2026-01-16 07:35:52 +01:00
Daniel F. Dickinson
8d7faa245a php8: reformat CONFIG_DEPENDS
Switch to a single CONFIG_ per line, and alphabetize.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2026-01-16 07:35:52 +01:00
Jens Wagner
552298e218 perl-www: added dependency on perlbase-module
As mentioned by @tofurky in
https://github.com/openwrt/packages/pull/26781#issuecomment-3703144370
LWP::UserAgent uses Module::Load since 6.71

Signed-off-by: Jens Wagner <jens@wagner2013.de>
2026-01-12 17:11:39 +01:00
Florian Eckert
74a3da92b2 php8: add php8 depends and move compile option to Config.in
The php8 Makefile is already quite large. To improve readability, move
config section to a separate 'Config.in' file. To ensure that the PHP8
option is only saved in '.config' if PHP8 has been selected for building, a
depends on 'PACKAGE_php8' is added to the configuration option in the
'Config.in' file.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2026-01-11 20:45:13 +01:00
Wei-Ting Yang
295c75a2b9 python-urllib3: update to 2.6.3
- Fixed HTTPResponse.read_chunked() to properly handle leftover data
  in the decoder's buffer when reading compressed chunked responses.
- Fixed a security issue where decompression-bomb safeguards of the
  streaming API were bypassed when HTTP redirects were followed.
  (CVE-2026-21441)
- Started treating Retry-After times greater than 6 hours as 6 hours
  by default.
- Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten.

Release notes:
https://github.com/urllib3/urllib3/releases/tag/2.6.2
https://github.com/urllib3/urllib3/releases/tag/2.6.3

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
2026-01-10 12:58:47 +01:00
W. Michael Petullo
65f8f2340d php8-pecl-imagick: update to 3.8.1
Fixes compilation against PHP 8.5.

Signed-off-by: W. Michael Petullo <mike@flyn.org>
2026-01-09 21:30:06 +01:00
Josef Schlehofer
d8437af213 python-pika: add new package for radicale3
Pika is a pure-Python implementation of the AMQP 0-9-1 protocol that
tries to stay fairly independent of the underlying network support
library.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2026-01-09 17:09:08 +01:00
Yanase Yuki
670f4c023e lua-lzlib: remove package
This software seems no longer maintained.
The latest upstream commit is 11 years ago,
and upstream repo has been archived.
No package depends on this.

Signed-off-by: Yanase Yuki <dev@zpc.st>
2026-01-09 13:04:41 +01:00
W. Michael Petullo
75c6dc2a7c luafilesystem: update to 1.9.0
This upstream release adds support for Lua 5.5.

Signed-off-by: W. Michael Petullo <mike@flyn.org>
2026-01-09 10:54:56 +01:00
Wei-Ting Yang
b1bd9b18ee python-certifi: update to 2026.1.4
Use the latest CA bundle from Mozilla.

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
2026-01-05 09:44:07 +01:00
Hannu Nyman
7e25efa101 php8: revert "php8: fix PHP8_GETTEXT missing icu dependency"
This reverts commit 996046e642.

After that faulty commit the 'icu' package is always selected
even if php8 itself is not even selected.

Simple bug reproduction process:

 perus@ub2510:/OpenWrt/aarch64$ rm .config
 perus@ub2510:/OpenWrt/aarch64$ touch .config
 perus@ub2510:/OpenWrt/aarch64$ make defconfig
 Collecting package info: done
 ...
 #
 # configuration written to .config
 #

 perus@ub2510:/OpenWrt/aarch64$ grep -iE "php8|icu" .config
 # PHP8
 # CONFIG_PACKAGE_php8 is not set
 CONFIG_PHP8_LIBXML=y
 CONFIG_PHP8_DOM=y
 CONFIG_PHP8_GETTEXT=y
 CONFIG_PHP8_INTL=y
 # CONFIG_PHP8_FULLICUDATA is not set
 # end of PHP8
 CONFIG_PACKAGE_icu=y
 # CONFIG_PACKAGE_icu-data-tools is not set
 # CONFIG_PACKAGE_icu-full-data is not set

Revert the commit, so that a fix can be developed and tested.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2025-12-31 21:45:30 +02:00
Daniel F. Dickinson
996046e642 php8: fix PHP8_GETTEXT missing icu dependency
With CONFIG_PHP8_GETTEXT php8 always gains a
dependency on a version of the 'icu' package,
however said dependency is not declared, so
one gets compilation errors when
CONFIG_PHP8_GETTEXT=y but PACKAGE_icu is not
selected.

Therefore select PACKAGE_icu when PHP8_GETTEXT is
selected.

Closes #28207

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2025-12-31 13:32:25 +01:00
George Sapkin
de64f871b0 treewide: fix spelling and grammar in Makefiles
Fix spelling and grammar in package definitions, configs, comments and
other strings.

Signed-off-by: George Sapkin <george@sapk.in>
2025-12-31 09:12:36 +02:00
Josef Schlehofer
6b370bd511 treewide: remove Home Assistant dependencies
I previously attempted to package Home Assistant for OpenWrt.
However, given the announcement that Home Assistant will
primarily be supported via containers (e.g., Docker) or HA OS [1],
these specific Python package dependencies [2] are no longer needed.

I no longer maintain these packages, I don't use them, and there
are no other internal dependencies on them. Removing them will
result in slightly faster build times since they no longer require compilation.

[1] https://www.home-assistant.io/blog/2025/05/22/deprecating-core-and-supervised-installation-methods-and-32-bit-systems/
[2] https://github.com/home-assistant/core/blob/dev/pyproject.toml

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-12-30 14:50:42 +01:00
Josef Schlehofer
6e8b8fef61 python-pyfuse3: update to version 3.4.1
Release notes:
https://github.com/libfuse/pyfuse3/releases/tag/3.4.1

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-12-30 08:18:53 +01:00
Daniel F. Dickinson
73d8b6c6f3 tree-wide: remove obsolete SDK in conditionals
Obsolete use of $(SDK) in configure conditionals can result in
dependency errors when building a subset of packages for packages which
have multiple sub-packages.

The reason it causes dependency issues is that (using libdbi-drivers as
an example) lines like:

ifneq ($(SDK)$(CONFIG_PACKAGE_libdbd-sqlite3),)

always evaluate to true if you are compiling in the SDK. So for a user
compiling from the SDK, the configure arguments are always added to the package build.

In the case of libdbi-drivers:

CONFIGURE_ARGS += \
  --with-sqlite3 \
  --with-sqlite3-incdir=$(STAGING_DIR)/usr/include \
  -with-sqlite3-libdir=$(STAGING_DIR)/usr/lib

is always added even if PACKAGE_libdbd-sqlite3 is deselected. When
libdbd-sqlite3 is deselected, this dependency:

DEPENDS:=libdbi +libsqlite3

is not present, so when configure tries to find sqlite3 it fails.

Closes #28173 "tree-wide: obsolete $(SDK) in conditionals"

See also:

* "include: remove SDK exception from package install targets"
  openwrt/openwrt@28f44a4

Performed tree-wide to ease revert if necessary, per:
https://github.com/openwrt/packages/issues/28173#issuecomment-3694615980

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2025-12-30 00:16:16 +01:00
Josef Schlehofer
b0670ac101 python-bcrypt: update to version 5.0.0
Release notes:
https://github.com/pyca/bcrypt/releases/tag/5.0.0

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-12-29 23:18:13 +01:00
Josef Schlehofer
4f5de42c72 python3-bottle: update to version 0.13.4
Release notes:
https://github.com/bottlepy/bottle/releases/tag/0.13.4

Add setuptools to PKG_BUILD_DEPENDS to fix:
```
pyproject_hooks._impl.BackendUnavailable: Cannot import 'setuptools.build_meta'
```

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-12-29 23:16:33 +01:00
Luiz Angelo Daros de Luca
da6544f12a ruby: update to 4.0.0
Ruby 4.0 introduces "Ruby Box" and "ZJIT", and adds many improvements.
- Introduce experimental ZJIT compiler
- Improve YJIT performance and memory usage
- Add experimental Ruby Boxes object layout optimization
- VM and GC performance improvements
- Ractor runtime and scheduling enhancements
- Update language syntax and semantics (*nil behavior, logical operator parsing)
- Add Array#rfind and optimized Array#find
- Improve Binding API and implicit parameter access
- Extend Enumerator.produce with size keyword
- Enhance ArgumentError diagnostics with caller/callee context
- Add Fiber#raise(cause:)
- IO.select accepts Float::INFINITY timeout
- Improve Kernel#inspect extensibility
- Add Math.log1p and Math.expm1
- Promote Pathname and Set to core classes
- Extend Ractor API (join, value, lifecycle helpers)
- Fix endless and infinite Range behavior
- Define new top-level Ruby module
- Update Unicode to 17.0 and extend String strip methods
- Update bundled gems (RubyGems, Bundler, IRB, etc.)

Packaging changes:
- Include license files for all packages
- As ruby set moved into core, ruby-set is gone.
  ruby-setsubclasscompact was added to include the set subclass
  compatible layer
- Added conditional libatomic dependency for libruby
- YJIT and ZJIT are not built when cross-compiling (almost always for
  openwrt, even when archs match). However, the Makefile is ready for
  both when upstream adds that feature. Config entries are marked as
  BROKEN for now.

Changelog: https://github.com/ruby/ruby/compare/v3_4_0...v4.0.0
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2025-12-29 21:55:14 +02:00
Josef Schlehofer
47525f3300 luajit2: add riscv64 support
This adds RISC-V64 support to luajit2 by backporting
https://redirect.github.com/openresty/luajit2/pull/236

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-12-29 12:46:10 +01:00
Ivan Belokobylskiy
05c7ab7466 python-aio-mqtt-mod: update to 0.4.0
Add support of building against python 3.12+
Replace imp module with importlib

Full changelog:
https://github.com/devbis/aio-mqtt/compare/0.3.4...0.4.0

Signed-off-by: Ivan Belokobylskiy <belokobylskij@gmail.com>
2025-12-28 14:11:20 +01:00
Aleksey Vasilenko
dfd0245f19 krant: drop maintainership
Signed-off-by: Aleksey Vasilenko <aleksey.vasilenko@gmail.com>
2025-12-28 09:58:22 +02:00
Michael Heimpold
7b4b55633b php8: update to 8.4.16
This fixes:
    - CVE-2025-14177
    - CVE-2025-14178
    - CVE-2025-14180

Upstream changelog:
https://www.php.net/ChangeLog-8.php#8.4.16

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2025-12-22 17:09:29 +01:00
Jeronimo Pellegrini
8dfc56affb chicken-scheme: bump to 5.4.0
A patch is included in order to get the compiler (csc) to work properly
on the target device (comment in the OpenWRT package Makefile). csc,
chicken-install, chicken-status have been verified to work. What the
patch does is to remove -fmacro-prefix-map and -ldl in the strings that
are passed to gcc when the Scheme compiler runs. Without that, the
compiler will not run on the router. A longer description is in the
patch header.

Co-authored-by: George Sapkin <george@sapk.in>
Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>
2025-12-22 14:56:48 +02:00
George Sapkin
5b4e4bf3c5 chicken-scheme: split library and refactor
Split library into a separate package and refactor Makefile.

Strip all executable binaries without stripping the library that's
used by the compiler.

Add SPDX license identifier.

Signed-off-by: George Sapkin <george@sapk.in>
2025-12-22 14:56:48 +02:00
Jeronimo Pellegrini
e00c01fd7d chicken-scheme: add CI test script
Check csi version and check if csc can compile a simple s-expression.

Co-authored-by: George Sapkin <george@sapk.in>
Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>
2025-12-22 14:56:48 +02:00
George Sapkin
970416925c chicken-scheme: fix EXTRA_DEPENDS
EXTRA_DEPENDS should be used for version constraints. Change to DEPENDS.

Fixes: 6a559a9 ("chicken-scheme: version 5.2.0; include compiler")
Signed-off-by: George Sapkin <george@sapk.in>
2025-12-21 14:56:41 +01:00
Wesley Gimenes
df05c12089 2to3: remove package
This package is only used by `fail2ban`. After updating `fail2ban` to
`1.1.0` (2a202b2091), the `2to3` package
is no longer needed. If required, anyone can reintroduce the package.

Signed-off-by: Wesley Gimenes <wehagy@proton.me>
2025-12-21 03:45:23 +01:00
Michael Heimpold
e6c59b5188 php8: fix dependency of php8-mod-xmlreader to php8-mod-dom
When PHP8_DOM is enabled then xmlreader automatically gains a
dependency to php8-mod-dom, not only when the dom module
is actually built.

So fix it by declaring this dependency.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2025-12-20 22:21:17 +01:00
Luiz Angelo Daros de Luca
78c39ff48a ruby: update to 3.4.8
This release is a routine update that includes bug fixes.

Changelog: https://github.com/ruby/ruby/releases/tag/v3_4_8
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2025-12-18 14:09:10 +02:00
Luiz Angelo Daros de Luca
82c3465e66 ruby: update to 3.4.7
This release includes some general fixes and a uri gem security fix:

- CVE-2025-61594: URI Credential Leakage Bypass previous fixes

Changelog: https://github.com/ruby/ruby/releases/tag/v3_4_7
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2025-12-17 11:11:32 +01:00
Yanase Yuki
7eea92b91c python3-speedtest-cli: remove package
It seems this software is no longer maintained.
The last upstream commit is 4 years ago, and
this software only supports obsolete setup.py.

Users should use supported similar software, such
as speedtest-go in packages repo.

Signed-off-by: Yanase Yuki <dev@zpc.st>
2025-12-15 12:16:26 +01:00
Daniel F. Dickinson
aa1acc0f21 php8: bump PKG_RELEASE
Bump PKG_RELEASE for previous two commits

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2025-12-15 08:04:39 +01:00
Daniel F. Dickinson
f9591b8518 php8: xml modules affect others
As with gettext modules described in #28078 and #28075, xml and dom
related module selection affects the dependencies of other packages.

Therefore, we invert the dependency logic:

PHP8_LIBXML and PHP8_DOM are enabled by default and packages
which depend on libxml2 and --enable-dom=shared are not shown (and
the related configure args are disabled) if the config options are
not enabled.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2025-12-15 08:04:39 +01:00
Daniel F. Dickinson
6d6233b6b7 php8: module selection affects other sub-packages
Fixes: php8: global package dependency changes based on module
selection

Fixes: #28078

As described in #28078 and #28075,

Some binaries gain a dependency on libstdcpp when mod-gettext is included
in the build, however this was not explicitly declared, so packaging
fails with (e.g.):

Package php8-cgi is missing dependencies for the following libraries:
libstdc++.so.6

In contrast to #28075, this commit takes the approach:

* Make use of --with-gettext depend on a configure flag (enabled by
  default, since that matches current full build behaviour)
* Make sub-packages which require --with-gettext depend on the
  configure flag

This means that e.g. php-cgi would not have gettext support if the
configure flag was disabled, and e.g. php-mod-gettext and php-mod-intl
would not be selectable.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2025-12-15 08:04:39 +01:00
Wei-Ting Yang
495e4e9287 python-urllib3: update to 2.6.1
Fix CVE-2025-66418 and CVE-2025-66471.

Full release notes:
https://github.com/urllib3/urllib3/releases/tag/2.6.0
https://github.com/urllib3/urllib3/releases/tag/2.6.1

Drop 001-setuptools-scm-upper-limit.patch as upstream now supports
setuptools-scm v9.x.

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
2025-12-12 07:20:31 +01:00
Til Kaiser
0b6d2a2859 treewide: remove python3-distutils dependency
As the python3-distutils was dropped while bumping the version
to 3.13.9 via 97a92f2e7a, remove the
python3-distutils from all packages that are currently using it.

OpenWrt already uses recent enough releases of these packages
that have adapted to work without distutils, so the dependency
can be safely removed.

Signed-off-by: Til Kaiser <mail@tk154.de>
2025-12-10 10:49:08 +01:00
Michael Heimpold
b1ca18e900 php8: update to 8.4.15
Upstream changelog:
https://www.php.net/ChangeLog-8.php#8.4.15

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2025-12-05 22:57:41 +01:00
Wei-Ting Yang
364a98daaf django: bump to version 5.2.9
Fixed CVE-2025-13372 and CVE-2025-64460.

Full release notes:
- https://docs.djangoproject.com/en/dev/releases/5.2.9/

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
2025-12-05 22:56:57 +01:00
Josef Schlehofer
09951a9cfd python-unidecode: drop unmaintained package
It looks like based on opened PRs [1],
there is no official support for Python 3.12+.

Unfortunately, this project is still using setup.py,
which is deprecated and no longer supported.
These days project metadata are stored in pyproject.toml
according to PEP 621.

Also, this project does not follow PEP625 as their
wheel name is in uppercase and it should be in lowercase.

[1] https://github.com/avian2/unidecode/pulls
[2] https://peps.python.org/pep-0621/

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-12-04 21:14:06 +01:00
George Sapkin
c9895bfda8 golang: bump to 1.25.5
Fixes: CVE-2025-61727
Fixes: CVE-2025-61729
Link: https://github.com/golang/go/issues?q=milestone%3AGo1.25.5+label%3ACherryPickApproved
Signed-off-by: George Sapkin <george@sapk.in>
2025-12-04 14:05:58 +02:00
Josef Schlehofer
598dc276f7 python-parsley: drop package
This looks like it is not maintained anymore.
The last commit in the repository [1] is from 2017,
and the last tarball uploaded on PyPI is from 2015.

That tarball does not follow PEP625, because the
wheel and tarball begin with uppercase, it should be
in lowercase and as well it is still using setup.py.

Python these days is using pyproject.toml.

[1] https://github.com/washort/parsley

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-12-03 20:14:16 +01:00
Josef Schlehofer
95fe4bf332 python-pysocks: remove outdated and not maintained package
The latest commit in https://github.com/Anorov/PySocks
is from 2019, it looks outdated and not maintained.

It does not follow PEP 625.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-12-03 20:12:52 +01:00