* update to 4.17.5
* changelog: https://www.samba.org/samba/history/samba-4.17.5
* refresh patch
* CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap.
https://www.samba.org/samba/security/CVE-2022-42898.html
* CVE-2022-37966: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher.
On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
https://www.samba.org/samba/security/CVE-2022-37966.html
* CVE-2022-37967: This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with.
https://www.samba.org/samba/security/CVE-2022-37967.html
* CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak.
https://www.samba.org/samba/security/CVE-2022-38023.html
* BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
This resolves errors logged during macOS TimeMachine backups.
https://bugzilla.samba.org/show_bug.cgi?id=15210
Signed-off-by: Michael Peleshenko <mpeleshenko@gmail.com>
* major performance improvements: clean-up/optimize all nft calls
* add a new "ban_reportelements" option,
to disable the (time consuming) Set element count in the report (enabled by default)
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Currently compilation fails because of:
```
opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
library: 'digital envelope routines',
reason: 'unsupported',
code: 'ERR_OSSL_EVP_UNSUPPORTED'
```
What's interesting is that the package gets built, but when trying to access the UI there's a
`404: page not found` error.
It has been reported in multiple places:
* https://github.com/AdguardTeam/AdGuardHome/issues/5559
* https://github.com/AdguardTeam/AdGuardHome/issues/4595
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
Backport a pending PR to add nftables support.
Upstream PR: https://github.com/v2rayA/v2rayA/pull/805
As nftables merged ipv4/ipv6 support into a single command, simply
enable ipv6 support by default.
While at it, backport an upstreamed fix for the simple-obfs plugin.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Commit 81d2b72 added a package providing libdeflate. Tiff by default
links to it, causing a build error.
```
Package libtiff is missing dependencies for the following libraries:
libdeflate.so.0
```
This commit forces libdeflate use off to avoid this. No revision bump is
done because the package is currently not compiling anyway.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- Fix leaking symbolic links in the opt_socket_path directory
- cgroup: Stumble on if we can't set up oom handling
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Add package for libdeflate which is a library for fast, whole-buffer
DEFLATE-based compression and decompression.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* finalized the LuCI frontend preparation (this is the minimal version to use the forthcoming LuCI frontend)
* added a Set survey, to list all elements of a certain set
* changed the default logterm for asterisk
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
NetBird is a VPN service similar to Tailscale and ZeroTier.
Description:
NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.
It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
These patches should not be backported to OpenWrt, otherwise tproxy
won't work for devices connected to br-lan (bypassed by the fw rules).
We have introduced a new compile-time flag for the new version (which
is not released yet), but it's unnecessary to backport redundant
patches as we are still at the old version here.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
drop disas and bios patches
refresh patches
qemu: vhost-scsi does not exist, drop unsupported vhost options
qemu: disable VDUSE by default
qemu: slirp and vnc-png option gone
Note: libpng still needed if vnc enabled.
Link: https://github.com/openwrt/packages/pull/18623
Signed-off-by: Vladimir Ermakov <vooon341@gmail.com>
(squash commits)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Also added a patch from Alpine's same package to assist building on musl.
Hostpkg build on musl also kept failing, so I added a few more overrides, which
made it work perfectly.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Security:
- This release fixes CVE-2023-0778, which allowed a malicious user to potentially replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.
Bugfixes:
- Fixed a bug where containers started via the podman-kube systemd template would always use the "passthrough" log driver (#17482).
- Fixed a bug where pulls would unexpectedly encounter an EOF error. Now, Podman automatically transparently resumes aborted pull connections.
- Fixed a race condition in Podman's signal proxy.
Misc:
- Updated the containers/image library to v5.24.1.
Patch also refreshed
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* add oisdbig as new feed
* LuCI frontend preparation:
- the json feed file points always to /etc/banip/banip.feeds (and is no longer compressed)
- supply country list in /etc/banip/banip.countries
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>