On 21.04.2021 22:10, Magnus Kroken wrote:
This series backports two prior version updates for consistency, and
updates to 2.4.11 which fixes two security vulnerabilities affecting
OpenVPN peers running as servers.
Sorry, forgot to include testing details.
Compile-tested openvpn-openssl and
.
Release announcement:
https://openvpn.net/community-downloads/#heading-13812
Full list of changes:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9
Signed-off-by: Magnus Kroken
(cherry-picked from commit d7e98bd7c5316f95cc11635371a39c6c0e18b9a7)
---
package/network
Backport two upstream commits that allow building
openvpn-openssl without OpenSSL's deprecated APIs.
Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8
Signed-off-by: Magnus Kroken
(cherry-picked from commit bf43e5bbf91ca1a90df8dae3e2cce6bbb61d5cd9
setup.
This release also includes other bug fixes and improvements.
Signed-off-by: Magnus Kroken
---
package/network/services/openvpn/Makefile | 4 ++--
.../110-openssl-dont-use-deprecated-ssleay-symbols.patch | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.open
with mbedtls_net_poll() and
mbedtls_net_recv_timeout()
* Guard against strong local side channel attack against base64 tables
by making access to them use constant flow code
Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
Signed-off-by: Magnus Kroken
ot SPL 2015.10-rc2 (Aug 18 2016 - 20:43:35)
Reverting the mentioned commit solves the issue. Any ideas about what
the problem is? Is there any additional data that would be useful?
Regards
Magnus Kroken
compression, unless they build the OpenVPN package themselves.
Signed-off-by: Magnus Kroken
---
package/network/services/openvpn/Config-mbedtls.in| 2 +-
package/network/services/openvpn/Config-openssl.in| 2 +-
package/network/services/openvpn/files/openvpn.config | 6 +-
3 files changed
data_fallback_ciphers is set on the 2.5 peer and it contains a
cipher supported by the client.
Signed-off-by: Magnus Kroken
---
v2: Fix missed -/_ conversion in openvpn.options, thanks Jo for pointing
this out. Restored LZO as enabled by default to ease the version update,
proposal to disable LZO will be sent as
Signed-off-by: Magnus Kroken
---
Compile-tested openssl variant on mips_24kc, powerpc_8540 and
arm_cortex-a9. Runtime-tested openssl variant as server on arm_cortex-a9.
I have tested the earlier 2.5 beta and RC
classical CBC decryption in (D)TLS
* When checking X.509 CRLs, a certificate was only considered as revoked
if its revocationDate was in the past according to the local clock if
available.
Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8
Signed-off-by: Magnus Kroken
Signed-off-by: Magnus Kroken
---
Compile-tested mbedtls and openssl variants on mips_24kc and
arm_cortex-a9. Runtime-tested mbedtls variant as server and openssl as
client.
I propose disabling LZO compression support
l/mbed-tls/2020-August/000160.html
Regards,
Magnus Kroken
Signed-off-by: Magnus Kroken
---
Compile-tested mbedtls and openssl variants on mips_24kc and
arm_cortex-a9. Runtime-tested mbedtls variant as server and openssl as
client.
Hopefully more people will test this and give
"option compress", compression should not be preferred
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and use of Blowfish (BF-CBC)
Signed-off-by: Magnus Kroken
---
.../services/openvpn/files/openvpn.config | 83 +--
1 file c
s are required. For the time being, the
ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS.
Signed-off-by: Magnus Kroken
---
Tested on arm/cortexa9. Tested with openvpn-mbedtls as server, uhttpd
serving HTTPS and uclient-fetch HTTPS download.
package/libs/mbedtls/Mak
This problem has been fixed in upstream commit
6b6a3d9339f1c08efaa18a7fb7357e20b48bdc95. This patch now (harmlessly)
adds the same definition a second time.
Signed-off-by: Magnus Kroken
---
.../patches/130-mconf_missing_sigwinch.patch| 13 -
1 file changed, 13 deletions
Signed-off-by: Magnus Kroken
Reported-by: Jordan Geoghegan
---
This was discussed a few days ago [1], but the patch wasn't caught by
Patchwork. Resending.
Jordan: I was not able to apply your patch, but it was easy enough to
fix. Please consider using git-send-email for future patches,
imum to set for OpenWrt given
how useful and flexible it is in its current state.
Regards,
Magnus Kroken
EATURE_TR_CLASSES
	bool
	default n
config BUSYBOX_DEFAULT_FEATURE_TR_EQUIV
	bool
	default n
I don't know what the size cost in the BusyBox binary is, but that will
likely be the deciding factor for such a change.
1:
https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=packa
Hi
On 20.05.2020 02:01, Jeonghum Joh wrote:
Hello Magnus Kroken,
Thank you so much!
Your script works like a charm!
I'd like to use this script in our board. This board would be our
customer's new product - 5G router.
We are Telesquare Inc. (www.telesquare.co.kr <http://www.tel
etwork.vlan
sections. I do know it doesn't work in my current device script,
although I attempted to fix that error in the code above. Consider it a
hint.
In addition, I've not mentioned 'uci commit' or commands to reload
configuration/services, which you probabl
uted as late as possible.
The commands you would need for option 2 are probably:
uci -q set network.wwan=interface
uci -q set network.wwan.proto='dhcp'
uci -q set network.wwan.ifname='usb0'
exit 0
This is very simple, you may want to script checks to ensure the script
is run
.
Release announcement:
https://openvpn.net/community-downloads/#heading-13812
Full list of changes:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9
Signed-off-by: Magnus Kroken
---
Compile- and run-tested on arm.
Tests run: openvpn-mbedtls as server.
package/network
: Magnus Kroken
---
Compile- and run-tested on arm/mvebu.
Tests run:
openvpn-mbedtls (as server)
uhttpd and uclient-fetch using libustream-mbedtls
package/libs/mbedtls/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/libs/mbedtls/Makefile b/package/libs
Hi all
On 03.04.2020 11:21, Bjørn Mork wrote:
David Bauer writes:
As the reported major bugs are ironed out, switch to the new kernel to
begin testing with a broader audience.
Hmm... I wonder if you might want to hold back on that for a while.
I have no useful info yet since I don't have
Signed-off-by: Magnus Kroken
---
According to e-mail about pushing kernel 5.4 support to master, 5.4 was added
as testing
kernel for supported targets. For mpc85xx, 5.4 was set as its default
kernel. (This technically also applies to ipq807x, but master has no
support for it on any prior kernel
On 25.01.2020 18:33, Magnus Kroken wrote:
Fixes side channel vulnerabilities in mbed TLS' implementation of ECDSA.
Release announcement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released
Security advisory:
https://tls.mbed.org/tech-updates/security-advis
ff-by: Magnus Kroken
---
Runtime-tested on mips/ath79. Tested with uhttpd and uclient-fetch using
libustream-mbedtls.
package/libs/mbedtls/Makefile | 4 +-
package/libs/mbedtls/patches/200-config.patch | 44 +--
2 files changed, 24 insertions(+), 24 deletions(-)
---
Runtime-tested openvpn-mbedtls and openvpn-openssl on x86_64.
openvpn
Remove 300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch,
the issue has been fixed upstream.
Signed-off-by: Magnus Kroken
---
package/libs/mbedtls/Makefile | 4 +-
package/libs/mbedtls/patches/200-config.patch | 46 +--
...optimized-MULADDC-code-only
Signed-off-by: Magnus Kroken
---
Runtime-tested on: ath79
package/libs/mbedtls/Makefile | 4 +-
package/libs/mbedtls/patches/200-config.patch | 46
this file completely
(which now fails, as the file content is changed by
343-MIPS-ath79-Fix-potentially-missed-IRQ-handling-durin.patch).
Kind regards,
André
Regards,
Magnus Kroken
OpenVPN as of 2.4.7 uses some OpenSSL APIs that are deprecated in
OpenSSL >= 1.1.0.
Signed-off-by: Magnus Kroken
---
Thank you Rosen Penev for pointing this out.
As OpenSSL is built with deprecated APIs by default in OpenWrt
at the moment, I assume this will be the case for the 19.0x rele
Signed-off-by: Magnus Kroken
---
package/network/services/openvpn/Makefile | 6 +++---
.../openvpn/patches/100-mbedtls-disable-runtime-version-check.patch | 2 +-
.../openvpn/patches/210-build_always_use_internal_lz4.patch | 2 +-
3 files changed, 5 insertions
Hi Russell, Kevin
On 14.10.2018 11:34, Russell Senior wrote:
Apply two upstream patches to address two CVEs:
* CVE-2018-1000156
* CVE-2018-6952
Add PKG_CPE_ID to Makefile.
Build tested on apm821xx and ar71xx.
Signed-off-by: Russell Senior
---
tools/patch/Makefile
Signed-off-by: Magnus Kroken
---
target/linux/mpc85xx/config-4.9| 361 -
...erpc-85xx-add-gpio-keys-to-of-match-table.patch | 10 -
.../100-powerpc-85xx-tl-wdr4900-v1-support.patch | 78 -
.../101-powerpc-85xx-hiveap-330-support.patch | 30
Based on patches previously submitted by Achim Gottinger:
http://lists.infradead.org/pipermail/openwrt-devel/2018-June/012719.html
Tested on TP-Link TL-WDR4900 v1.
Signed-off-by: Magnus Kroken
---
target/linux/mpc85xx/config-4.14 | 365 +
...erpc-85xx-add
Signed-off-by: Magnus Kroken
---
target/linux/mpc85xx/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/linux/mpc85xx/Makefile b/target/linux/mpc85xx/Makefile
index b181e67c0e..1eac544344 100644
--- a/target/linux/mpc85xx/Makefile
+++ b/target/linux/mpc85xx
Hi Achim
On 06.06.2018 23:42, Achim Gottinger wrote:
Am 05.06.2018 um 00:09 schrieb Magnus Kroken:
Tested-by: Magnus Kroken
Works well on my WDR4900v1. I don't use the crypto driver, so can't
respond to those changes, but the Wi-Fi radios, ethernet and the basic
hardware works fi
* Fixed a security issue in the X.509 module which could lead to a buffer
overread during certificate extensions parsing.
* Several bugfixes.
* Improvements for better support for DTLS on low-bandwidth, high latency
networks with high packet loss.
Signed-off-by: Magnus Kroken
---
Compile
Hi
2018-07-30 12:30 GMT+02:00 Jo-Philipp Wich:
> My personal approach would be picking one of these, swapping "software"
> with "documentation" and put that in fine print into the wiki footer,
> somewhere next to the license remark.
>
> Having this is yellow warning banner on top of every documen
Signed-off-by: Magnus Kroken
---
Runtime tested on mips/ath79, mips/ar71xx and powerpc/mpc85xx.
General bump to the latest stable version. This version fixes issues
with the nsenter and dpkg utilities in BusyBox, which OpenWrt does
not build by default.
package/utils/busybox/Makefile | 6
Signed-off-by: Magnus Kroken
---
Runtime-tested on
* powerpc/mpc85xx (with 4.14 support patches by Achim Gottinger)
* mips/ath79
include/kernel-version.mk | 4 ++--
.../patches-4.14/0035-MIPS-ath79-fix-QCA956x-boot.patch| 6 +++---
.../324-v4.16-netfilter
.
Fixed typo in subject: should be patch 2/3 and not 1/3.
Signed-off-by: Achim Gottinger
---
Tested-by: Magnus Kroken
Works well on my WDR4900v1. I don't use the crypto driver, so can't
respond to those changes, but the Wi-Fi radios, ethernet and the basic
hardware works fine.
Mo
Hi Bill
On 28.02.2018 15:18, Bill Yuan wrote:
Hi,
I noticed the default LAN IP is still 192.168.1.1 even after I
configured the "preinit network interface" in "preinit configuration
options". Can someone please share with me where is the proper way to
pre-define the LAN IP?
The build syste
On 15.02.2018 16.52, Philip Prindeville wrote:
Well, right! That was my first approach with a "config" option to do exactly
that, but it was shot down:
https://github.com/openwrt/packages/pull/5520
I even defaulted the option to continue to allow passwords so that only people
who (a) selecte
On 14.02.2018 22.13, Michelle Sullivan wrote:
FWIW, I had misunderstood the intent of the original comments... OpenSSH
server vs Dropbear - if someone is using OpenSSH server they already
went in with advanced config as Dropbear is the default - I'd err on the
side of security as they should alre
On 17.04.2016 14.18, Hauke Mehrtens wrote:
Why are you changing these default values? I do not see any commit
between 1.24.1 and 1.24.2 that changes anything to Kconfig.
Hauke
Sorry, you are right. I ran the config update scripts, I interpreted
r47775 [1] as that should always be done when do
Signed-off-by: Magnus Kroken
---
Runtime tested on mips/ar71xx and mipsel/brcm47xx
Fixes since 1.24.1:
* scripts/trylink: fix static build with glibc again
* truncate: always set mode when opening file to avoid fortify errors
* [g]unzip: fix recent breakage.
* unzip: test for bad archive SEGVing
Patches applied upstream and dropped:
280-fix_find_regression.patch
300-ip-addr-improvements.patch
Fixed upstream:
290-ash-fix-a-regression-in-handling-local-variables.patch (see thread:
http://lists.busybox.net/pipermail/busybox/2015-April/082783.html)
Signed-off-by: Magnus Kroken
---
v2
Patches applied upstream and dropped:
280-fix_find_regression.patch
300-ip-addr-improvements.patch
Signed-off-by: Magnus Kroken
---
Run-time tested on ar71xx (TL-WDR4300). Compile-tested on mpc85xx and mvebu.
Size comparison:
210569 busybox_1.23.2-3_ar71xx.ipk
209573 busybox_1.24.1-1_ar71xx.ipk
Fix HMAC ABI incompatibility. The previous version introduced an ABI
incompatibility in the handling of HMAC. The previous ABI has now been
restored.
Signed-off-by: Magnus Kroken
---
package/libs/openssl/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package