Fixes multiple security issues:
* CVE-2022-0667 -- An assertion could occur in resume_dslookup() if the
fetch had been shut down earlier
* CVE-2022-0635 -- Lookups involving a DNAME could trigger an INSIST when
"synth-from-dnssec" was enabled
* CVE-2022-0396 -- A synchronous call to closehandle_cb() caused
isc__nm_process_sock_buffer() to be called recursively,
which in turn left TCP connections hanging in the CLOSE_WAIT
state blocking indefinitely when out-of-order processing was
disabled.
* CVE-2021-25220 -- The rules for acceptance of records into the cache
have been tightened to prevent the possibility of
poisoning if forwarders send records outside the
configured bailiwick
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit 4c6ea5379c)
This fixes CVE-2022-23308.
Also switch to GNOME as download source and xz tarball.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 81fd836f97)
Show error message instead of segfaulting in case of an invalid URL
being read from UCI config.
Fixes: #17971
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit c0d2c82528)
Fallback to use 'sdcard' image in case there is neither 'sysupgrade'
nor 'combined' image available.
This allows using 'auc' on targets where 'sdcard' image is also used
for sysupgrade (such as some mvebu-based devices with eMMC).
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 6b041752a0)
Accept both 'y' and 'Y' as positive confirmation when asking the user
if auc should proceed with requesting and installing an upgrade.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d27ecdcc49)
Add option to allow only requesting an image but not actually download
or sysupgrade anything.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 19c135685f)
* Use SPDX
* Use CA (ucert) public key
* Update repo link
* Update maintainer email
* Format description
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit a54b9570ad)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
If config parameter is not set, tvheadend will bind to LAN IP address by default.
Fixes issue #16500 without requiring user modifications to config file. It's also more secure if firewall becomes disabled.
Signed-off-by: Marius Dinu <m95d+git@psihoexpert.ro>
(cherry picked from commit 95cbfe893b)
There is no reason for the kmod to depend on the binary package
itself, neither for building nor for installing.
That dependency prevents phase1 from building the kmod even though
support is enabled in the binary.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
(cherry picked from commit 385923321b)
Includes fix for CVE-2022-21716 (The Twisted SSH client and server
implementation naively accepted an infinite amount of data for the
peer's SSH version identifier.)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 630d6800f2)
Remove un-necessary crowdsec package dependency, to be able to use
crowdsec-firewall-bouncer independently from crowdsec local installation.
(with remote API)
Fix issue: https://github.com/openwrt/packages/issues/17406
Description:
using crowdsec-firewall-bouncer on many OpenWRT devices connected
with my domain LAPI server (which collect many crowdsec machines,
mostly nginx), it works great. Actually, crowdsec package is not
mandatory for that usage, it would be great if it was not a dependency.
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
(cherry picked from commit ffd97e173c)
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
Switch to AUTORELEASE for simplicity.
Switch to building with Ninja for faster compilation.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 0ac671880d)
Switch to new upstream and switch package name.
Further disable features to avoid extra dependencies.
Build with PIC to avoid build failures with mips16.
Remove no longer needed patch. Upstream fixed it differently.
Use AUTORELEASE for simplicity.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 3b812f93d6)
The FreeBSD project stopped publishing HTTP date headers and seeks to
limit further resource taxing by distributed htpdate clients using the
www.freebsd.org host as default time source.
Fixes: #17924
Reported-by: Allan Jude <allanjude@freebsd.org>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit e871318002)
