This version fixes multiple security problems:
CVE-2025-7395: Problem in certificate verification on Apple devices
CVE-2025-7394: Predictable results from RAND_bytes() after fork call in OpenSSL compatibility layer
CVE-2025-7396: Activate Curve25519 blinding support
See Release notes:
https://github.com/wolfSSL/wolfssl/releases/tag/v5.8.0-stable
https://github.com/wolfSSL/wolfssl/releases/tag/v5.8.2-stable
wolfSSL is now GPLv3 instead of GPLv2, see:
629c5b4cf6
The file size increased a bit:
```
546060 bin/packages/mipsel_24kc/base/libwolfssl5.7.6.e624513f-5.7.6-r1.apk
560684 bin/packages/mipsel_24kc/base/libwolfssl5.8.2.e624513f-5.8.2-r1.apk
```
Link: https://github.com/openwrt/openwrt/pull/20547
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
PKG_NAME was lost during package migration from "packages" feed to "main" feed.
Signed-off-by: Matthias Franck <matthias.franck@softathome.com>
Link: https://github.com/openwrt/openwrt/pull/20662
Signed-off-by: Robert Marko <robimarko@gmail.com>
This mainly improves the CFLAGS handling on compilation of OpenSSL.
The CFLAGS are currently passed 2 times, generating a compilation warning
due to -fhonour-copts being passed 2 times.
This can be improved by passing the CFLAGS as env to the OpenSSL
Configure tool.
For consistency we do the same for CPPFLAGS and LDFLAGS.
This permits dropping redundant flags in the Compile phase and from the
.conf file.
Link: https://github.com/openwrt/openwrt/pull/20665
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Patch CMakeLists.txt for cmake 4.x compatibility.
New cmake versions require at least 3.5 as 'cmake_minimum_required'
in CMakeLists.txt. In future 3.10 will be required.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/20265
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Patch CMakeLists.txt in selected apps for cmake 4.x compatibility.
New cmake versions require at least 3.5 as 'cmake_minimum_required'
in CMakeLists.txt. In future 3.10 will be required.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/20265
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Patch CMakeLists.txt in selected apps for cmake 4.x compatibility.
New cmake versions require at least 3.5 as 'cmake_minimum_required'
in CMakeLists.txt. In future 3.10 will be required.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/20265
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This reverts commit 096739a93d.
The new fortify-headers version needs some more work to be usable in
OpenWrt. Revert this to fix the builds again.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add compatibility with the new fortify-headers 2.3.3 by
disabling two warnings.
Fixes: 6268692bd2 ("toolchain: fortify-headers: Update to version 2.3.3")
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/20552
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
release is Moderate.
This release incorporates the following bug fixes and mitigations:
Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
(CVE-2025-9230)
Fix Timing side-channel in SM2 algorithm on 64 bit ARM.
(CVE-2025-9231)
Fix Out-of-bounds read in HTTP client no_proxy handling.
(CVE-2025-9232)
Reverted the synthesised OPENSSL_VERSION_NUMBER change for the release
builds, as it broke some existing applications that relied on the previous
3.x semantics, as documented in OpenSSL_version(3).
Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc
Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/20275
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
d3be5474f6e6 udebug-cli: ignore zero-length messages in logstream
c79f02d899df ucode: fix skipping lines where the timestamp cannot be parsed
5327524e7153 cmake: bump minimum required version to 3.13
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
If $(PKG_NAME) is used in PKG_SOURCE_URL,
then it cannot be copied and pasted into the browser's address bar.
Let's remove $(PKG_NAME) and use the hardcoded project name
in the PKG_SOURCE_URL.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/20193
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fix typo in patch file suffix.
Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/20178
Signed-off-by: Robert Marko <robimarko@gmail.com>
Removed upstreamed patch: 0001-Don-t-keep-the-store-open-in-by_store_ctrl_ex.patch
Release notes:
This is a bug fix release.
This release incorporates the following bug fixes and mitigations:
Added FIPS 140-3 PCT on DH key generation.
Fixed the synthesised OPENSSL_VERSION_NUMBER.
Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc
Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/20133
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The version of libxml2 was bumped from 2.13.6 to 2.14.5. Since version
2.14, libxml2 is not binary compatible with older versions. Therefore
add an abi version.
From the NEWS file:
Binary compatibility is restricted to versions 2.14 or newer. On ELF
systems, the soname was bumped from libxml2.so.2 to libxml2.so.16.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
Link: https://github.com/openwrt/openwrt/pull/19983
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
gettext-full only provides libintl which is not licensed under
GPL-3.0-or-later but under LGPL-2.1-or-later as stated in
gettext-runtime/intl/COPYING.LIB
Fixes: c10d97484a (Add more license tags with SPDX identifiers)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/19943
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
elfutils libraries are not licensed under GPL-3.0-or-later, they are dual
licensed: GPL-2.0-or-later OR LGPL-3.0-or-later as clearly stated in
source files as well as on https://sourceware.org/elfutils:
The libraries and backends are dual GPLv2+/LGPLv3+. The utilities are GPLv3+.
Fixes: b98fb76646 (elfutils: import package from packages.git)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/19941
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
6e4ffe2c6657 ucode: add function for getting the number of entries in a snapshot
a62edd89255b ucode: add support for fetching kernel tracepoint events
edeb4d6dc690 udebug-cli: add support for streaming tracing data
Signed-off-by: Felix Fietkau <nbd@nbd.name>
3d953628bf17 udebugd: add support for setting an override config
93f6df0240e5 udebug-cli: add support for overriding config on the command line
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Running the bootstrap script autogen.sh
handles the execution of autotools already,
so calling autoreconf before configure
makes this happen twice, which is unnecessary
and can lead to an occasional build problem.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Link: https://github.com/openwrt/openwrt/pull/19748
Signed-off-by: Robert Marko <robimarko@gmail.com>
Currently, the build system overrides the value of the CC variable
for actual compilation after configuring for target builds.
However, the configure script now modifies the CC variable
to include "-std=gnu23" when the test for C23 features is successful.
The configure script also tests for the ability to use alignof
without including the stdalign.h header, and only includes it if necessary.
The test in the configure script is being done with the C23 standard option
but the compilation is being done without the C23 standard option,
leading to an unusual build error where alignof() is not defined.
Resolving the conflict between the autoconf macros and the build system
causes several other packages to fail, so instead in the meantime,
force the use of C23 standard to compile as part of the new standard
includes alignof as a keyword to deprecate the stdalign.h macro.
Forcing use of the new standard is safe for target builds
as the toolchain is known to support the option
and is always within our scope of version control.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Link: https://github.com/openwrt/openwrt/pull/19748
Signed-off-by: Robert Marko <robimarko@gmail.com>
OpenSSL 3.5.2 is a bug fix release:
This release incorporates the following bug fixes and mitigations:
Miscellaneous minor bug fixes.
The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc (Intel N150 based box)
Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/19725
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This enables software that requires this cipher suite (e.g. OpenThread Border
Router) to be compiled against the shared library rather than a separate copy.
Signed-off-by: Karsten Sperling <ksperling@apple.com>
Link: https://github.com/openwrt/openwrt/pull/19489
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Update to a newer bugfix release of gettext.
Include gnulib-l10n as a new dependency.
All patches are automatically refreshed.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Link: https://github.com/openwrt/openwrt/pull/16522
Signed-off-by: Robert Marko <robimarko@gmail.com>
This package is a supplement for part of gettext
that uses gnulib sources, and includes the localizations
for messages specifically in gnulib files.
This is being added as a separate package
instead of a build target of gnulib
because that method of acquiring the localizations
requires the use of gettext and would be a reverse dependency.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Link: https://github.com/openwrt/openwrt/pull/16522
Signed-off-by: Robert Marko <robimarko@gmail.com>
Fall back to default mbedtls configurations in case the package is
not configured. It is possible that for some reason it gets built even if
it's unselected, because of build system bugs or other build-only
dependencies. In this case the current behavior will comment out all
necessary configurations and lead to build errors.
Fixes: 5359639c2b ("mbedtls: Apply configuration in Configure instead of Prepare")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Link: https://github.com/openwrt/openwrt/pull/19495
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
5d10084ea885 lib-ucode.c: add #define _GNU_SOURCE
a95364b41d52 udebug-cli: fix terminating uloop
c00eb9b685a8 ucode: use FILE handle for pcap output
4265167cb6e8 ucode: add error reporting to pcap_write
4a908ee731a6 udebug-cli: stop event loop on write failure
6e04f4187231 ucode: use ucv_resource_create_ex for remote rings
c297f04e1852 ucode: drop use ucv_resource_create
f207d37a1055 ucode: add support for specifying ring format
98683a94bcdd ucode: support appending array data, similar to socket.send()
a7ecd483ed38 ucode: allow calling udebug.init() multiple times
d4a4c788c416 ucode: fix allocation size of local ring meta
184706abaf50 ucode: add timestamp argument to foreach()
8442c948c193 ucode: add function for getting ring information
f4958a4c591a ucode: add const entries for enum udebug_format
14d4fec36993 udebug-cli: add logstream command
6ed8536142bb ucode: fix entries/size confusion
Signed-off-by: Felix Fietkau <nbd@nbd.name>