1563 Commits

Author SHA1 Message Date
Hauke Mehrtens
ffc0a6bc38 libubox: update to Git HEAD (2026-05-23)
19e88cc41288 json_script: use size_t for calloc_a() length argument
9afc71053481 udebug-remote: pass size_t to calloc_a()
73a21977c52a treewide: use size_t for length variables to avoid implicit narrowing
1fe93d2fefb2 blob, udebug-remote: silence -Wconversion warnings in trivial cases

Link: https://github.com/openwrt/openwrt/pull/23485
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-05-23 19:33:16 +02:00
Hauke Mehrtens
6421a596a6 libubox: update to Git HEAD (2026-05-03)
895f92164b66 uloop: add ULOOP_PRIORITY support for EPOLLPRI events
f9b1f3ff17ba uloop: revert my flag changes from the ULOOP_PRIORITY change
2982bfb1c325 blob: fix wrong type for realloc result in blob_buffer_grow()
78c20f6c8579 json_script: convert recursive __json_script_file_free() to iterative
e7c13bf8cbca usock: fix off-by-one in nanosecond normalization in poll_restart()
68b3f1588de4 uloop: usock: add error checking for fcntl and remove duplicate include
03821f942c49 uloop: fix undefined behavior in signal bit operations for signals > 32
e6e6fd83e26d blobmsg: fix policy name length overflow and add bounds check in blobmsg_parse()
d30b9cc1a02d usock: fix integer overflow in timeout calculations
406e342bb900 udebug: fix double off-by-one in udebug_entry_vprintf()
700eca0bac66 blobmsg_json: fix integer overflow in blobmsg_puts()
6351fe552162 blobmsg_json: floor strbuf size and tighten the post-format guard
58b6543f1b25 blobmsg: fix unsigned integer overflow in blobmsg_alloc_string_buffer()
d7a3ae699df0 blobmsg: use correct byte-order macro when setting BLOB_ATTR_EXTENDED
23c6618a5b90 blobmsg_json: fix double format string to avoid truncation and data loss
1edf1d704e76 jshn: fix integer overflow and type confusion in jshn_parse_file
9b488010c4a7 utils: fix integer overflow in __calloc_a()
40a87f734b94 blob: fix integer overflow in buffer growth functions
02fccb465651 blob: use size_t for blob_memdup() length
0fa612ca08f7 json_script: avoid alloca() on attacker-controlled pattern length
8c9862b6921b blobmsg: fix integer overflow in blobmsg_realloc_string_buffer()
5fbef5bb94fb ustream: avoid INT_MAX overflow on malloc in ustream_vprintf()
1501e60e5554 md5: detect read errors in md5sum() instead of returning a bogus hash

Link: https://github.com/openwrt/openwrt/pull/23212
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-05-11 01:16:43 +02:00
Wei-Ting Yang
febc349ab4 libmnl: assign PKG_LICENSE_FILES
Ref: https://git.netfilter.org/libmnl/tree/COPYING

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23257
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-05-08 10:22:40 +02:00
Michael Pfeifroth
ab8cebbc97 pcre2: fix PKG_LICENSE_FILES after upstream rename
PCRE2 10.47 renamed LICENCE to LICENCE.md. Update PKG_LICENSE_FILES
to match the actual filename in the source tarball.

Signed-off-by: Michael Pfeifroth <michael.pfeifroth@westermo.com>
Link: https://github.com/openwrt/openwrt/pull/23164
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-05-07 18:20:24 +02:00
Andre Heider
e3271a6786 treewide: remove unused archs leftovers
These are all unused by the current targets, clean up and stop
irritating the user with irrelevant grep results.

Signed-off-by: Andre Heider <a.heider@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23240
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-05-07 10:58:47 +02:00
Magnus Kroken
e65001e3e7 mbedtls: backport upstream patches to fix TLS 1.2 client issues
Fix a TLS 1.2 regression that caused clients to reject valid
ServerKeyExchange signatures using RSA-PSS signature algorithms.

The TLS 1.2 regression resulted in errors like:
$ curl https://api.domeneshop.no/v0/
curl: (35) ssl_handshake returned: (-0x6600) SSL - A field in a message was incorrect or inconsistent with other fields

Fixes: https://github.com/openwrt/openwrt/issues/22874
Fixes: https://github.com/openwrt/openwrt/issues/23116
Fixes: f48ef0040b ("mbedtls: update to 3.6.6")
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23066
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-05-05 00:27:58 +02:00
Alexandru Ardelean
589ad78db1 libsemanage: update to 3.10
Release Notes:
https://github.com/SELinuxProject/selinux/wiki/Releases#release-310

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Link: https://github.com/openwrt/openwrt/pull/23082
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-04-27 10:50:53 +02:00
Alexandru Ardelean
50d79fdb3b libselinux: update to 3.10
Release Notes:
https://github.com/SELinuxProject/selinux/wiki/Releases#release-310

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Link: https://github.com/openwrt/openwrt/pull/23082
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-04-27 10:50:53 +02:00
Alexandru Ardelean
36870b804d libsepol: update to 3.10
Release Notes:
https://github.com/SELinuxProject/selinux/wiki/Releases#release-310

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Link: https://github.com/openwrt/openwrt/pull/23082
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-04-27 10:50:53 +02:00
Sander van Deijck
8ef7b4ee4b wolfssl: update to 5.9.1
For changes, see:
https://github.com/wolfSSL/wolfssl/releases/tag/v5.9.1-stable

This includes a fix for a critical (CVSS 9.3) vulnerability:
https://github.com/advisories/GHSA-f5h9-5q52-qrx7

Signed-off-by: Sander van Deijck <sander@vandeijck.com>
Link: https://github.com/openwrt/openwrt/pull/23072
Signed-off-by: Nick Hainke <vincent@systemli.org>
2026-04-24 21:08:24 +02:00
Paul Spooren
7a991c8d88 treewide: use HTTPS for PKG_SOURCE_URL where possible
Switch http:// (and redundant ftp://) PKG_SOURCE_URL entries to https://
across tools/ and package/. PKG_HASH alone does not protect against an
attacker tampering with insecure downloads when a maintainer regenerates
the hash via `make ... FIXUP=1`: HTTPS authenticates the upstream so the
captured hash reflects real upstream content.

In-place http -> https (HTTPS reachability verified per host):
- tools/elftosb, tools/lzop, tools/liblzo, tools/mpfr, tools/dosfstools,
  tools/libressl, tools/xz
- package/libs/mpfr, package/libs/libmnl, package/libs/libnfnetlink

Replaced with @OPENWRT (HTTPS-only mirror) where the upstream HTTPS host
is dead or has a broken certificate:
- package/libs/popt (ftp.rpm.org cert mismatch)
- package/firmware/ixp4xx-microcode (was http://downloads.openwrt.org)
- package/boot/imx-bootlets (trabant.uid0.hu cert mismatch)
- package/boot/kobs-ng (freescale.com URL is dead, redirects to nxp.com root)

Dropped redundant ftp://ftp.denx.de fallback (https://ftp.denx.de is
already listed):
- package/boot/uboot-tools, tools/mkimage

Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-04-20 11:58:37 +08:00
Nick Hainke
02e14b7278 libbpf: update to 1.7.0
Release Notes:
- https://github.com/libbpf/libbpf/releases/tag/v1.6.3
- https://github.com/libbpf/libbpf/releases/tag/v1.7.0

Link: https://github.com/openwrt/openwrt/pull/22971
Signed-off-by: Nick Hainke <vincent@systemli.org>
2026-04-18 09:21:00 +02:00
Jack Sun
62ea6aad47 openssl: update to 3.5.6
This release incorporates the following bug fixes and mitigations:

Fixed incorrect failure handling in RSA KEM RSASVE encapsulation.
(CVE-2026-31790)

Fixed loss of key agreement group tuple structure when the DEFAULT keyword
is used in the server-side configuration of the key-agreement group list.
(CVE-2026-2673)

Fixed potential use-after-free in DANE client code.
(CVE-2026-28387)

Fixed NULL pointer dereference when processing a delta CRL.
(CVE-2026-28388)

Fixed possible NULL dereference when processing CMS KeyAgreeRecipientInfo.
(CVE-2026-28389)

Fixed possible NULL dereference when processing CMS
KeyTransportRecipientInfo.
(CVE-2026-28390)

Fixed heap buffer overflow in hexadecimal conversion.
(CVE-2026-31789)

No need to refresh patches

Signed-off-by: Jack Sun <sunjiazheng321521@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22847
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-04-11 12:18:54 +02:00
Hauke Mehrtens
f48ef0040b mbedtls: update to 3.6.6
This version fixes some security problems:
 * Client impersonation while resuming a TLS 1.3 session
   (CVE-2026-34873)
 * Entropy on Linux can fall back to /dev/urandom (CVE-2026-34871)
 * PSA random generator cloning (CVE-2026-25835)
 * Compiler-induced constant-time violations (CVE-2025-66442)
 * Null pointer dereference when setting a distinguished name
   (CVE-2026-34874)
 * Buffer overflow in FFDH public key export (CVE-2026-34875)
 * FFDH: lack of contributory behaviour due to improper input validation
   (CVE-2026-34872)
 * Signature Algorithm Injection (CVE-2026-25834)
 * CCM multipart finish tag-length validation bypass (CVE-2026-34876)
 * Risk of insufficient protection of serialized session or context data
   leading to potential memory safety issues (CVE-2026-34877)
 * Buffer underflow in x509_inet_pton_ipv6() (CVE-2026-25833)

Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6

Size increases by 470 bytes on aarch64:
343995 bin/packages/aarch64_generic/base/libmbedtls21-3.6.5-r1.apk
344465 bin/packages/aarch64_generic/base/libmbedtls21-3.6.6-r1.apk

Link: https://github.com/openwrt/openwrt/pull/22787
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-04-06 16:01:10 +02:00
Zoltan HERPAI
923b69ad16 wolfssl: allow enabling RISC-V assembler optimization
wolfssl implemented AES ECB/CBC/CTR/GCM/CCM in RISC-V assembler,
achieving massive speed improvements on boards with such CPUs.

Benchmarking on a Sifive Unleashed (oldest Linux-capable RISC-V board),
results are:

No optimization:
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
RNG                         10 MiB took 1.772 seconds,    5.644 MiB/s
AES-128-CBC-enc              5 MiB took 16.264 seconds,    0.307 MiB/s
AES-128-CBC-dec              5 MiB took 16.314 seconds,    0.306 MiB/s
AES-192-CBC-enc              5 MiB took 19.460 seconds,    0.257 MiB/s
AES-192-CBC-dec              5 MiB took 19.480 seconds,    0.257 MiB/s
AES-256-CBC-enc              5 MiB took 22.633 seconds,    0.221 MiB/s
AES-256-CBC-dec              5 MiB took 22.715 seconds,    0.220 MiB/s
AES-128-GCM-enc              5 MiB took 16.324 seconds,    0.306 MiB/s
AES-128-GCM-dec              5 MiB took 16.450 seconds,    0.304 MiB/s
AES-192-GCM-enc              5 MiB took 19.487 seconds,    0.257 MiB/s
AES-192-GCM-dec              5 MiB took 19.621 seconds,    0.255 MiB/s
AES-256-GCM-enc              5 MiB took 22.644 seconds,    0.221 MiB/s
AES-256-GCM-dec              5 MiB took 22.805 seconds,    0.219 MiB/s
[...]

Enabled optimization:
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
RNG                         10 MiB took 1.459 seconds,    6.855 MiB/s
AES-128-CBC-enc             15 MiB took 1.028 seconds,   14.592 MiB/s
AES-128-CBC-dec             15 MiB took 1.006 seconds,   14.916 MiB/s
AES-192-CBC-enc             15 MiB took 1.187 seconds,   12.634 MiB/s
AES-192-CBC-dec             15 MiB took 1.180 seconds,   12.713 MiB/s
AES-256-CBC-enc             15 MiB took 1.359 seconds,   11.037 MiB/s
AES-256-CBC-dec             15 MiB took 1.352 seconds,   11.096 MiB/s
AES-128-GCM-enc             10 MiB took 1.140 seconds,    8.769 MiB/s
AES-128-GCM-dec             10 MiB took 1.140 seconds,    8.770 MiB/s
AES-192-GCM-enc             10 MiB took 1.256 seconds,    7.963 MiB/s
AES-192-GCM-dec             10 MiB took 1.261 seconds,    7.931 MiB/s
AES-256-GCM-enc             10 MiB took 1.373 seconds,    7.285 MiB/s
AES-256-GCM-dec             10 MiB took 1.371 seconds,    7.291 MiB/s

HMAC- and SHA- functions also have significant improvements.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
Link: https://github.com/openwrt/openwrt/pull/22702
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-04-01 14:13:11 +02:00
Rosen Penev
f259fae36c libunwind: replace local patches with upstream
libunwind solves these in different ways.

ppc-musl is still pending upstream.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21057
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-04-01 12:07:40 +02:00
Ignat Loskutov
e9531860e6 wolfssl: update to 5.9.0
Release Notes:
https://www.wolfssl.com/wolfssl-5-9-0-released/

Fixes CVEs:
- CVE-2026-3548
- CVE-2026-3549
- CVE-2026-3547
- CVE-2026-2646
- CVE-2026-3849
- CVE-2026-0819
- CVE-2026-1005
- CVE-2026-2645
- CVE-2026-3230
- CVE-2026-3229
- CVE-2026-3579
- CVE-2026-3580
- CVE-2026-3503
- CVE-2026-4159
- CVE-2026-4395

Signed-off-by: Ignat Loskutov <ignat.loskutov@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22595
Signed-off-by: Nick Hainke <vincent@systemli.org>
2026-03-28 10:24:25 +01:00
Shiji Yang
9413a3d96d zlib: update to 1.3.2
Release Notes:
https://github.com/madler/zlib/blob/v1.3.2/ChangeLog

We also switch package tarball source to GitHub repository releases
to avoid package hash mismatch after the zstd upgrade.

The 005-* patch was suppressed by the upstream commit 15ba5055a935
("CMake: Adapt pkgconfig-file to the GnuInstallDirs layout.")

This patch also adjusts the zlib.pc file path as it was changed in
the latest release.

The mipsel_24kc 'zlib' package size will increase by about 1 kB.

Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Link: https://github.com/openwrt/openwrt/pull/21228
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-03-14 22:24:13 +01:00
Hauke Mehrtens
1d63b427ba libubox: update to Git HEAD (2026-03-13)
815633847cd3 CMakeLists.txt: remove -Werror=format-nonliteral

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-03-13 00:04:05 +01:00
Hauke Mehrtens
e558d763be ustream-ssl: update to Git HEAD (2026-03-01)
99f1c0db5a72 ustream-openssl: Fix use-after-free crash under high load and optimize BIO_METHOD lifecycle

Fixes: https://github.com/openwrt/openwrt/issues/19349
Fixes: https://github.com/openwrt/openwrt/issues/20134
Link: https://github.com/openwrt/openwrt/pull/22335
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-03-10 00:46:12 +01:00
Ivan Pavlov
fce39a8d7f libunistring: update to 1.4.2
sync with gnulib, fixes compilation with gcc15

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22225
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-03-01 17:07:58 +01:00
Felix Fietkau
75975b8c5c uclient: update to Git HEAD (2026-02-20)
7a0aa2e4afb4 uclient-http: fix data_eof for body-less responses

Fixes: https://github.com/openwrt/openwrt/issues/22103
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2026-02-20 09:07:59 +00:00
Hauke Mehrtens
53e6935960 libcap: add CPPFLAGS
Forward the OpenWrt CPPFLAGS to the compile process. This fixes fortify
sources support.

Allow to extend the CPPFLAGS and not only overwrite.

Link: https://github.com/openwrt/openwrt/pull/22056
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-02-17 22:25:09 +01:00
Wei-Ting Yang
cd39bc2c5b elfutils: fix license
Remove OR between GPL-2.0-or-later and LGPL-3.0-or-later to avoid
incorrect parsing of OR as a separate license in the SBOM.

Fixes: 9a157b5d83

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22003
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-02-13 12:07:07 +01:00
Felix Fietkau
88f3c0eeb0 uclient: update to Git HEAD (2026-02-13)
63413daa8760 uclient-http: fix HTTP authentication after deferred header processing
4fa6fae02f74 uclient-fetch: Extract opt_post variable
8df3120639a4 uclient-fetch: Use HEAD for --spider
0392dfc8e8c4 uclient-fetch: Support of --method, --body-data and --body-file
115c92824b6d uclient-fetch: add OPTIONS request type
a1531e89f6c2 uclient-fetch: support for WebDAV methods

Fixes: https://github.com/openwrt/uclient/issues/14
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2026-02-13 10:10:14 +01:00
Felix Fietkau
7bc8aa492f libubox: update to Git HEAD (2026-02-13)
d324c0503040 libubox: send warnings to stderr
5a65cb5a79b7 libubox: document positional arguments
8c7b489daa02 libubox: add anonymous strings, ints, et al in arrays
5ec7ff2effb3 uloop: use volatile sig_atomic_t for do_sigchld flag
0efa2cd3b74c usock: check SO_ERROR after poll in usock_inet_timeout()
1a73ded9f738 usock: fix timeout handling in usock_inet_timeout()
1aa36ee774c8 usock: implement RFC 8305 Happy Eyeballs for usock_inet_timeout()

Fixes: https://github.com/openwrt/uclient/issues/8
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2026-02-13 10:10:14 +01:00
Nick Hainke
42d0104254 jansson: update to 2.15.0
Changelog:
https://github.com/akheron/jansson/blob/v2.15.0/CHANGES

Remove upstreamed patch:
001-cmake-ver.patch

Link: https://github.com/openwrt/openwrt/pull/21908
Signed-off-by: Nick Hainke <vincent@systemli.org>
2026-02-07 09:04:19 +01:00
Nick Hainke
dbcb5fb52e libtraceevent: update to 1.9.0
Changelog:
13701b5 libtraceevent: 1.9
6a3a815 libtraceevent: Add tep_load_modules() API
31fc91b libtraceevent: Add tep_parse_last_boot_info()
5e4ef1f libtraceevent: Add tep_btf_list_args()
aa49dce libtraceevent: Split out btf func init code from tep_btf_print_args()
239b063 libtraceevent: Do not change names of functions not of this library
c284dec libtraceevent: Handle __get_stacktrace()
1ba1262 libtraceevent: Move back to 1.8.99
263459e libtraceevent: Use BTF_INT_BITS/OFFSET() when parsing int parameters
0294b73 libtraceevent utest: Add simple test to test BTF parsing
38e03ac libtraceevent: Have BTF find functions with extra characters
b441fff libtraceevent: Add man page for the new BTF functions
87f30d9 libtraceevent: Add loading of BTF to the tep handle
3488dc9 libtraceevent: Move to 1.9 devel

Link: https://github.com/openwrt/openwrt/pull/21886
Signed-off-by: Nick Hainke <vincent@systemli.org>
2026-02-06 20:37:34 +01:00
Nick Hainke
eba0e822f6 libtracefs: update to 1.8.3
Changelog:
6fad6a1 libtracefs: version 1.8.3
5505e14 libtracefs: Do not have utest fail debugfs/tracing not found
362574c libtracefs: Fix whitespace in enable_disable_all()
06c07be libtracefs: Make comm field a string
0a2a28f libtracefs/Documentation: Fix markup in the man page
57fcdc1 libtracefs: utest: Return non-zero exit code when something fails
ae03455 libtracefs: Fix tracefs_event_is_enabled() for all events
01a3fd3 libtracefs: Fix enum type in read_event_state
ef1656b libtracefs: Fix the /dev/null redirection compatibility in Makefile

Link: https://github.com/openwrt/openwrt/pull/21886
Signed-off-by: Nick Hainke <vincent@systemli.org>
2026-02-06 20:37:34 +01:00
Jonas Gorski
a4e92f0484 build: use STAGING_DIR for special APK package versions
Removing tmp/ after having built base-files or toolchain currently
breaks rootfs generation:

$ rm -rf tmp
$ make V=w
...
 make[2] package/install
cat: .../openwrt/tmp/base-files.version: No such file or directory
cat: .../openwrt/openwrt/tmp/libc.version: No such file or directory
ERROR: 'base-files=' is not a valid world dependency, format is name(@tag)([<>~=]version)
make[2]: *** [package/Makefile:100: package/install] Error 99

The only way to recover from here is to clean toolchain and base-files via

$ make package/{base-files,toolchain}/clean

tmp is supposed to be ephemeral, so clearing it is an expected action,
which normally just triggers a regeneration of all files there.

Fix this by moving the version files to $(STAGING_DIR).

Fixes: 63e178f067 ("build: lock versions for special APK packages")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21803
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-02-01 11:16:54 +01:00
Felix Fietkau
9d496dfb98 uclient: update to Git HEAD (2026-01-31)
b3ee1209a3d0 uclient-http: reset fd to -1 after close in disconnect
9c2ad269c42b uclient-http: fix seq field check to use correct field
80c9bd29c233 uclient-http: fix hang on HTTP to HTTPS redirect
931bbfeb2c92 ucode: fix memory leak when using ssl context

Fixes: https://github.com/openwrt/uclient/issues/11
Fixes: https://github.com/openwrt/uclient/issues/13
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2026-01-31 15:03:33 +01:00
Ivan Pavlov
df6db01f4f openssl: update to 3.5.5
This release incorporates the following bug fixes and mitigations:

  fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
  (CVE-2025-11187)

  fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
  (CVE-2025-15467)

  fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
  (CVE-2025-15468)

  fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.
  (CVE-2025-15469)

  fixed TLS 1.3 CompressedCertificate excessive memory allocation.
  (CVE-2025-66199)

  fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
  (CVE-2025-68160)

  fixed Unauthenticated/unencrypted trailing bytes with low-level OCB function calls.
  (CVE-2025-69418)

  fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
  (CVE-2025-69419)

  fixed Missing ASN1_TYPE validation in TS_RESP_verify_response() function.
  (CVE-2025-69420)

  fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
  (CVE-2025-69421)

  fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
  (CVE-2026-22795)

  fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function.
  (CVE-2026-22796)

Adjust patches due to formatting changes.

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21752
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-01-28 23:52:54 +01:00
Ivan Pavlov
9a7ddcac3f libpcap: update to 1.10.6
Vulnerabilities fixed: CVE-2025-11961 and CVE-2025-11964
Various improvements and bug fixes.
Changelog: https://github.com/the-tcpdump-group/libpcap/blob/libpcap-1.10.6/CHANGES

Upstreamed patches removed:
  001-Add-support-for-Realtek-Ethertype-DSA-data.patch
  002-Linux-handle-other-DSA-tags.patch

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21744
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-01-28 23:41:32 +01:00
Felix Fietkau
55c498eb7b udebug: update to Git HEAD (2026-01-16)
c5c493ed5787 udebug-cli: fix reference to invalid variable in error message
875e1a7af6ca udebug-cli: add logdump command

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2026-01-22 10:20:17 +00:00
George Sapkin
8cc2743c48 elfutils: drop libelf1 provide
ABI version is added to a package name during packaging, so there's no
need to specify it manually. And nothing explicitly depends on libelf1.

Fixes: d7bf089 ("elfutils: rename libelf1 to libelf")
Signed-off-by: George Sapkin <george@sapk.in>
Link: https://github.com/openwrt/openwrt/pull/21369
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-01-12 14:28:52 +01:00
George Sapkin
af1fa176c3 uclient: provide virtual wget-any
Packages shouldn't provide a package that another package, in this case
wget from packages, provides. Explicitly provide a virtual @wget-any
instead to match the implicit wget provide and switch the only consumer
to use the new provider.

Set uclient-fetch as the default variant for wget-any.

Signed-off-by: George Sapkin <george@sapk.in>
Link: https://github.com/openwrt/openwrt/pull/21369
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-01-12 14:28:52 +01:00
Anari Jalakas
4ff0f496a4 readline: add $(FPIC) to LDFLAGS
Ensure -fPIC is passed during the linking stage to fix LTO build
failures (relocation errors) on MIPS and other architectures.

Fixes: #20436
Signed-off-by: Anari Jalakas <anari.jalakas@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21455
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-01-11 18:49:55 +01:00
Tan Zien
34836dffb1 openssl: add kTLS support option
This commit adds an option to enable kTLS support, improving
performance by offloading TLS encryption and decryption to
kernel space.

- Reduced CPU usage by minimizing data copying between user space
  and kernel space.
- Enables the use of the sendfile() system call with encrypted
  sockets for zero-copy data transmission.
- Leverages hardware-accelerated NICs that support TLS offloading.

Signed-off-by: Tan Zien <nabsdh9@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21306
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-01-03 00:30:27 +01:00
Yanase Yuki
f92ee7a8e5 treewide: switch to HTTPS URL
Avoids insecure plain HTTP.

Signed-off-by: Yanase Yuki <dev@zpc.st>
Link: https://github.com/openwrt/openwrt/pull/21279
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-01-02 18:07:02 +01:00
Yanase Yuki
605879f232 sysfsutils: update project URL
Project has been moved to GitHub.

Signed-off-by: Yanase Yuki <dev@zpc.st>
Link: https://github.com/openwrt/openwrt/pull/21279
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-01-02 18:07:02 +01:00
Yanase Yuki
1be208d805 readline: update project URL
It seems the domain has been changed.

Signed-off-by: Yanase Yuki <dev@zpc.st>
Link: https://github.com/openwrt/openwrt/pull/21279
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-01-02 18:07:02 +01:00
Yanase Yuki
c965e82328 libxml2: update project URL
It seems the old website has been retired.

Signed-off-by: Yanase Yuki <dev@zpc.st>
Link: https://github.com/openwrt/openwrt/pull/21279
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-01-02 18:07:02 +01:00
Yanase Yuki
c8756e825f treewide: update SELinux project URL
It seems the old website has been retired.

Signed-off-by: Yanase Yuki <dev@zpc.st>
Link: https://github.com/openwrt/openwrt/pull/21279
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-01-02 18:07:02 +01:00
Yanase Yuki
ef6d7ba43f jansson: update project URL
Old website redirects to GitHub.

Signed-off-by: Yanase Yuki <dev@zpc.st>
Link: https://github.com/openwrt/openwrt/pull/21279
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-01-02 18:07:02 +01:00
Yanase Yuki
c95e03c7b7 treewide: use HTTPS URL for www.kernel.org
Avoids insecure plain HTTP.

Signed-off-by: Yanase Yuki <dev@zpc.st>
Link: https://github.com/openwrt/openwrt/pull/21279
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-01-02 18:07:02 +01:00
Yanase Yuki
00f924abad treewide: use HTTPS URL for GNU websites
Avoids insecure plain HTTP.

Signed-off-by: Yanase Yuki <dev@zpc.st>
Link: https://github.com/openwrt/openwrt/pull/21279
Signed-off-by: Robert Marko <robimarko@gmail.com>
2026-01-02 18:07:02 +01:00
George Sapkin
5e32bfbf4b toolchain: fix libgcc ABI for libc
libc depends on knowing libgcc's ABI, so it needs to be evaluated first.
Otherwise libc will depend on an ABI-less libgcc causing the rest of the
toolchain to fail.

Building package index...
ERROR: unable to select packages:
  libgcc (virtual):
    note: please select one of the 'provided by'
          packages explicitly
    provided by: libgcc1
    required by: world[libgcc]

Before:

libc fused dependencies: libgcc
libgcc fused dependencies:
libatomic fused dependencies: libgcc1

After:

libgcc fused dependencies:
libc fused dependencies: libgcc1
libatomic fused dependencies: libgcc1

Signed-off-by: George Sapkin <george@sapk.in>
Link: https://github.com/openwrt/openwrt/pull/21265
Signed-off-by: Robert Marko <robimarko@gmail.com>
2025-12-24 10:05:52 +01:00
Hauke Mehrtens
5b0617ae1f libcap: Revert "libcap: update to 2.77"
This reverts commit c25265953b.

Linking of libpsx.so from libcap 2.77 fails on powerpc 464fp. Revert
back to the older version which works.

Bug report: https://bugzilla.kernel.org/show_bug.cgi?id=220860
Fixes: c25265953b ("libcap: update to 2.77")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2025-12-16 01:24:47 +01:00
Nick Hainke
c25265953b libcap: update to 2.77
Update to latest release.

Add patch `003-Revert-libcap-Add-build-ldflags-to-_makenames-rule.patch`
to fix errors in the form of:
```
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(__stack_chk_fail.o): relocation R_X86_64_32 against symbol `__stack_chk_guard' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(strerror.o): relocation R_X86_64_32 against `.rodata.errmsgstr' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(realloc.o): relocation R_X86_64_32S against hidden symbol `__malloc_size_classes' can not be used when making a PIE object
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(__stdout_write.o): relocation R_X86_64_32S against hidden symbol `__stdio_write' can not be used when making a PIE object
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(ofl.o): relocation R_X86_64_32 against `.bss.ofl_lock' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(stderr.o): warning: relocation against `__stderr_FILE' in read-only section `.rodata.stderr'
/usr/bin/ld.bfd: /usr/lib/gcc/x86_64-linux-gnu/10/../../../x86_64-linux-gnu/Scrt1.o: in function `_start':
(.text+0x12): undefined reference to `__libc_csu_fini'
/usr/bin/ld.bfd: (.text+0x19): undefined reference to `__libc_csu_init'
collect2: error: ld returned 1 exit status
```

Changes: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/diff/?id=v1.2.77&id2=v1.2.69&dt=2

The apk size did not increase much:
Old size for armsr/armv8:
 16245 libcap-2.69-r1.apk

new size for armsr/armv8:
 16315 libcap-2.77-r1.apk

Signed-off-by: Nick Hainke <vincent@systemli.org>
Link: https://github.com/openwrt/openwrt/pull/20881
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2025-12-10 23:31:38 +01:00
Hauke Mehrtens
f26294f161 libnftnl: update to version 1.3.1
Announcement: https://lwn.net/Articles/1049279/
Changes: https://git.netfilter.org/libnftnl/diff/?id=libnftnl-1.3.1&id2=libnftnl-1.3.0&dt=2

The apk size did not increase much:
Old size for armsr/armv8:
 62606 libnftnl11-1.3.0-r1.apk

new size for armsr/armv8:
 64212 libnftnl11-1.3.1-r1.apk

Link: https://github.com/openwrt/openwrt/pull/21096
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2025-12-10 23:26:31 +01:00