I am no longer able to support maintaining the stubby daemon for openwrt. I suggest Jonathan Underwood <jonathan.underwood@gmail.com> as a replacement.
This commit brings UCI support to the stubby package.
o All options are documented in the README.md file.
o The README.md file has been re-written to include a short usage
manual.
o The default configuration now includes more Cloudflare addresses.
o The stubby service is (re)started using procd triggers from a
specified interface with a configurable time delay.
o Round robin use of upstream resolvers is now activated by
default.
o Client privacy is now activated by default.
o Options are added for specifying the log level of the daemon and
command line options passed to the stubby command.
Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
Remove the limit setting core="unlimited", since this shouldn't be needed
in production use (i.e. non-debug) and on an embedded platform, which is
why it's rarely used by any existing packages.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Add an SPKI pin for Cloudflare to help prevent MITM and downgrade attacks,
as described in RFC7858 (DNS over TLS). The setup of SPKI and the specific
SHA256 certificate hash are taken from Cloudflare's DoT configuration guide
published at https://developers.cloudflare.com/1.1.1.1/dns-over-tls/.
Note that the certificate is valid to March 25th 2020, 13:00 CET, which
provides ample time for issuance of a backup pin to support future key
rollover.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Retain the upstream value since privacy is usually the key user motivation
for using DNS-over-TLS, and simply note that those encountering sub-optimal
routing may consider disabling the setting.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The config file /etc/stubby/stubby.yml is not registered properly and any
local changes are being overwritten on upgrade or reinstall.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Move loading credential function before cert renewal call as credentials might be needed for some renewal operations ( ex: DNS )
Signed-off-by: Adrien DAURIAT <16813527+dauriata@users.noreply.github.com>
Since the new hotplug script in master was not backport (new feature),
for 18.06 branch revert the old behavior of running NUT daemons and
drivers as root by default to avoid permisions problems, but backport
fix the support for running as another user for those who can set the
appropriate permissions on the USB (or other) device.
Closes: #7742
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Defaulting to -fPIC is a bad idea, especially for executables (here:
sqlite3-cli). In short, there are certain security implications as well
as overhead/performance penalties. Details see:
https://wiki.gentoo.org/wiki/Project:Hardened/Position_Independent_Code_internals
The configure script is able to detect the need for PIC and adds the
flag when needed anyway (when compiling the library).
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
A remote code execution vuln has been found in sqlite. Infos available
here:
https://blade.tencent.com/magellan/index_en.html
sqlite 3.26.0 contains the fix.
This commit also changes source URL to https.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Backport and squash the following commits from master:
5790053eb nut: Add missing conffiles
ceff68837 nut: Reorganize nut-server to clarify nut-driver
f6a2a97d2 nut: Use 'real' procd init for nut-monitor
918a62f91 nut: Make FSD really work
a2f64b3ba nut: Reduce user error with POWERDOWNFLAG
461393810 nut: Use quotes around filenames
1b6dbe7a7 nut: Remove duplicate/extraneous lines
0a49d0ffb nut: Fix checking for path before it exists
3b5a8eee8 nut: Various startup fixes for monitor and server
44e57d4bd nut: Fix variables for NUT drivers
36fd59dc7 nut: Fix extraneous config_get
192b0f164 nut: Fix a typo in setting a driver parameter
f48b060fa nut: Fix upsd runs as root
And bump PKG_RELEASE
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
This bumps libtiff's minor version from 9 to 10. In addition to the CVE
fixes that we already included this fixes:
CVE-2017-17095
CVE-2018-17101
CVE-2018-18557
The update is 100% backwards compatible, no symbol changes.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
