Thursday February 16 2023 Security Releases
Notable Changes
The following CVEs are fixed in this release:
* CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
* CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
* CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
* CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
* CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
More detailed information on each of the vulnerabilities can be found in the February 2023 Security Releases blog post.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Add upstream fix for AARCH64 irq name parsing.
> On arm64 SoCs like TI's K3 SoC and a few other SoCs,
> IRQ names don't get parsed correctly due to which they
> end up being classified into wrong class. Fix this by
> considering last token to contain IRQ name always.
The fix seems to enable e.g. RT3200 to notice a few more
interrupts and start balancing them.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Instead of /sys/devices/virtual/ubi which will no longer be available
in future kernels, switch to /sys/class/ubi.
While at it fix unrelated arithmetic syntax error by guarding the
affected expression to not run on an empty string.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Maintainer: Tom Stöveken <tom@naaa.de>
Compile tested: SDK for OpenWrt 22.03.3
Run tested: x86/64 @ Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, OpenWrt 22.03.3
Description:
Updated to version 0.15.1
changed PKG_RELEASE:=2 due to deprecated value AUTORELEASE, squashed commits and then
changed PKG_RELEASE:=1 because upgrading the whole main PKG_VERSION (the major version item) should reset this to 1
Signed-off-by: Tom Stöveken <tom@naaa.de>
- 1.5.1
  - Fix logic bug that can cause disconnects
- 1.5.0
  - Refactor and improve ping/pong logic to resolve several issues,
    including an infinite loop issue during reconnect
  - Fix issue where `skip_utf8_validation = True` is ignored
  - Fix issue where sslopt `is_ssl` is ignored
  - Downgrade "websocket connected" message from logging.warning to
    logging.info
  - Update github actions to newer versions (669fe1b)
Signed-off-by: Javier Marcet <javier@marcet.info>
Samba4 running as Active Directory Domain Controller with the internal
DNS backend requires the nsupdate binary with GSSAPI support.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* add boot() function which waits for network.interface to come up
* switch oisd.nl hosts entry to domains
* remove erroneous oisd substitution from config-update file
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- Update tailscale to version 1.36.0
- Patch iptables support
Tailscale does not (yet) support nftables.
Tailscale allows running with --netfilter=off, allowing
the end-user to create his own firewall rules, but this
affects only the tailscale cli, not the tailscaled daemon, so
a connection cannot be made without an error telling that
tailscaled was unable to execute iptables
for determining its version.
There is a work-around for those who do not want the
nft-iptables compatibility package; they can create
a script at /usr/bin/iptables which responds to the
--version argument and echoes a fake version string
and on any other arguments or no arguments, just exits.
After this procedure and starting the tailscale cli with
netfilter off, it works. OpenWrt has moved on to
nftables, so iptables manipulation seems unnecessary.
Especially for other reasons, on OpenWrt, the firewall
should be configured on its own, because firewall
rules made by other software, such as tailscale,
lose their firewalling rules when the firewall restarts.
So I patched it to allow a "fake" iptables pointing
to the executable /bin/false and ignoring the version
request. And I also set the cli to default to the
netfilter off setting.
If the end-user still wants to use iptables, this
patch does not make it impossible; just install
iptables, or nft-iptables, and run tailscale
with the argument --netfilter=on and it works out
as it did before; the tailscaled daemon still
matches with iptables if it is found in $PATH.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>