1. 21 Aug, 2018 4 commits
  2. 17 Aug, 2018 1 commit
  3. 16 Aug, 2018 10 commits
  4. 15 Aug, 2018 2 commits
  5. 10 Aug, 2018 6 commits
    • mbedtls: update to version 2.7.5 · 5886a506
      Hauke Mehrtens authored
      
      
      This fixes the following security problems:
      * CVE-2018-0497: Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel
      * CVE-2018-0498: Plaintext recovery on use of CBC based ciphersuites through a cache based side-channel
      Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    • curl: fix some security problems · 9bc43f3e
      Hauke Mehrtens authored
      
      
      This fixes the following security problems:
      * CVE-2017-1000254: FTP PWD response parser out of bounds read
      * CVE-2017-1000257: IMAP FETCH response out of bounds read
      * CVE-2018-1000005: HTTP/2 trailer out-of-bounds read
      * CVE-2018-1000007: HTTP authentication leak in redirects
      * CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write
      * CVE-2018-1000121: LDAP NULL pointer dereference
      * CVE-2018-1000122: RTSP RTP buffer over-read
      * CVE-2018-1000301: RTSP bad headers buffer over-read
      Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    • wpa_supplicant: fix CVE-2018-14526 · b3983323
      John Crispin authored
      Unauthenticated EAPOL-Key decryption in wpa_supplicant
      
      Published: August 8, 2018
      Identifiers:
      - CVE-2018-14526
      Latest version available from: https://w1.fi/security/2018-1/
      
      Vulnerability
      
      A vulnerability was found in how wpa_supplicant processes EAPOL-Key
      frames. It is possible for an attacker to modify the frame in a way that
      makes wpa_supplicant decrypt the Key Data field without requiring a
      valid MIC value in the frame, i.e., without the frame being
      authenticated. This has a potential issue in the case where WPA2/RSN
      style of EAPOL-Key construction is used with TKIP negotiated as the
      pairwise cipher. It should be noted that WPA2 is not supposed to be used
      with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
      and with that pairwise cipher, this vulnerability is not applicable in
      practice.
      
      When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
      field is encrypted using RC4. This vulnerability allows unauthenticated
      EAPOL-Key frames to be processed and due to the RC4 design, this makes
      it possible for an attacker to modify the plaintext version of the Key
      Data field with bitwise XOR operations without knowing the contents.
      This can be used to cause a denial of service attack by modifying
      GTK/IGTK on the station (without the attacker learning any of the keys)
      which would prevent the station from accepting received group-addressed
      frames. Furthermore, this might be abused by making wpa_supplicant act
      as a decryption oracle to try to recover some of the Key Data payload
      (GTK/IGTK) to get knowledge of the group encryption keys.
      
      Full recovery of the group encryption keys requires multiple attempts
      (128 connection attempts per octet) and each attempt results in
      disconnection due to a failure to complete the 4-way handshake. These
      failures can result in the AP/network getting disabled temporarily or
      even permanently (requiring user action to re-enable) which may make it
      impractical to perform the attack to recover the keys before the AP has
      already changed the group keys. By default, wpa_supplicant is enforcing
      at minimum a ten second wait time between each failed connection
      attempt, i.e., over 20 minutes waiting to recover each octet while
      hostapd AP implementation uses 10 minute default for GTK rekeying when
      using TKIP. With such timing behavior, practical attack would need large
      number of impacted stations to be trying to connect to the same AP to be
      able to recover sufficient information from the GTK to be able to
      determine the key before it gets changed.
      
      Vulnerable versions/configurations
      
      All wpa_supplicant versions.
      
      Acknowledgments
      
      Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
      Leuven for discovering and reporting this issue.
      
      Possible mitigation steps
      
      - Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
      can be done also on the AP side.
      
      - Merge the following commits to wpa_supplicant and rebuild:
      
      WPA: Ignore unauthenticated encrypted EAPOL-Key data
      
      This patch is available from https://w1.fi/security/2018-1/
      
      
      
      - Update to wpa_supplicant v2.7 or newer, once available
      Signed-off-by: John Crispin <john@phrozen.org>
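      The mitigation named in the advisory above, "WPA: Ignore unauthenticated encrypted EAPOL-Key data", amounts to a gate in front of Key Data decryption. One way to express that gate, as an added example that is neither the upstream patch nor OpenWrt code: `key_data_gate`, `build_sample` and the enum names are hypothetical, and the frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EAPOL-Key Key Information bits (IEEE 802.11). */
#define KEY_INFO_MIC           (1u << 8)   /* frame carries a Key MIC */
#define KEY_INFO_ENCR_KEY_DATA (1u << 12)  /* Key Data field is encrypted */
/* Fixed part of an EAPOL-Key body: type(1) info(2) len(2) replay(8)
 * nonce(32) iv(16) rsc(8) reserved(8) mic(16) data_len(2) = 95 bytes. */
#define EAPOL_KEY_FIXED_LEN 95

enum key_data_action { KEY_DATA_DROP, KEY_DATA_PLAINTEXT, KEY_DATA_DECRYPT };

/* Hypothetical gate (not a wpa_supplicant function). mic_ok is the result of
 * the caller's MIC check; it is only meaningful when the MIC bit is set. */
enum key_data_action key_data_gate(const uint8_t *body, size_t len, int mic_ok)
{
    uint16_t key_info;
    size_t data_len;

    if (body == NULL || len < EAPOL_KEY_FIXED_LEN)
        return KEY_DATA_DROP;                       /* truncated frame */
    key_info = (uint16_t)((body[1] << 8) | body[2]);        /* big-endian */
    data_len = ((size_t)body[93] << 8) | body[94];
    if (data_len > len - EAPOL_KEY_FIXED_LEN)
        return KEY_DATA_DROP;                       /* Key Data overruns frame */
    if ((key_info & KEY_INFO_MIC) && !mic_ok)
        return KEY_DATA_DROP;                       /* MIC present but invalid */
    if (!(key_info & KEY_INFO_ENCR_KEY_DATA))
        return KEY_DATA_PLAINTEXT;                  /* nothing to decrypt */
    /* Encrypted Key Data is decrypted only when the frame was authenticated. */
    return (key_info & KEY_INFO_MIC) ? KEY_DATA_DECRYPT : KEY_DATA_DROP;
}

/* Constructed sample frame: zeroed body with the given flags and length.
 * buflen must be at least EAPOL_KEY_FIXED_LEN. */
void build_sample(uint8_t *buf, size_t buflen, uint16_t key_info, uint16_t data_len)
{
    memset(buf, 0, buflen);
    buf[0] = 2;                                     /* RSN key descriptor */
    buf[1] = (uint8_t)(key_info >> 8);
    buf[2] = (uint8_t)(key_info & 0xff);
    buf[93] = (uint8_t)(data_len >> 8);
    buf[94] = (uint8_t)(data_len & 0xff);
}

int main(void)
{
    uint8_t f[EAPOL_KEY_FIXED_LEN + 16];
    build_sample(f, sizeof f, KEY_INFO_ENCR_KEY_DATA, 16);
    printf("encrypted, no MIC -> action %d\n", key_data_gate(f, sizeof f, 1));
    return 0;
}
```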
    • tools: findutils: fix compilation with glibc 2.28 · 6449ed15
      Luis Araneda authored
      
      
      Add a temporary workaround to compile with glibc 2.28
      as some constants were removed and others made private
      Signed-off-by: Luis Araneda <luaraneda@gmail.com>
    • tools: m4: fix compilation with glibc 2.28 · 6e78c550
      Luis Araneda authored
      
      
      Add a temporary workaround to compile with glibc 2.28
      as some constants were removed and others made private
      Signed-off-by: Luis Araneda <luaraneda@gmail.com>
    • brcm47xx: revert upstream commit breaking BCM4718A1 · 583fd4b2
      Rafał Miłecki authored
      
      
      This fixes kernel hang when booting on BCM4718A1 (& probably BCM4717A1).
      Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
      (cherry picked from commit 4c1aa64b)
      Fixes: aaecfecd ("kernel: bump kernel 4.4 to version 4.4.139")
  6. 09 Aug, 2018 2 commits
  7. 08 Aug, 2018 2 commits
    • firmware: amd64-microcode: update to 20180524 · b5d9776c
      Zoltan HERPAI authored
      
      
        * New microcode update packages from AMD upstream:
          + New Microcodes:
            sig 0x00800f12, patch id 0x08001227, 2018-02-09
          + Updated Microcodes:
            sig 0x00600f12, patch id 0x0600063e, 2018-02-07
            sig 0x00600f20, patch id 0x06000852, 2018-02-06
        * Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support,
          plus other unspecified fixes/updates.
      Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
    • firmware: intel-microcode: bump to 20180703 · 55ab8649
      Zoltan HERPAI authored
      
      
        * New upstream microcode data file 20180703
          + Updated Microcodes:
            sig 0x000206d6, pf_mask 0x6d, 2018-05-08, rev 0x061d, size 18432
            sig 0x000206d7, pf_mask 0x6d, 2018-05-08, rev 0x0714, size 19456
            sig 0x000306e4, pf_mask 0xed, 2018-04-25, rev 0x042d, size 15360
            sig 0x000306e7, pf_mask 0xed, 2018-04-25, rev 0x0714, size 17408
            sig 0x000306f2, pf_mask 0x6f, 2018-04-20, rev 0x003d, size 33792
            sig 0x000306f4, pf_mask 0x80, 2018-04-20, rev 0x0012, size 17408
            sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672
            sig 0x00050654, pf_mask 0xb7, 2018-05-15, rev 0x200004d, size 31744
            sig 0x00050665, pf_mask 0x10, 2018-04-20, rev 0xe00000a, size 18432
            sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
          + First batch of fixes for: Intel SA-00115, CVE-2018-3639, CVE-2018-3640
          + Implements IBRS/IBPB/STIBP support, Spectre-v2 mitigation
          + SSBD support (Spectre-v4 mitigation) and fix Spectre-v3a for:
            Sandybridge server, Ivy Bridge server, Haswell server, Skylake server,
            Broadwell server, a few HEDT Core i7/i9 models that are actually gimped
            server dies.
      Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
  8. 04 Aug, 2018 4 commits
  9. 25 Jul, 2018 2 commits
    • kmod-sched-cake: bump to 20180716 · e5b7404f
      Kevin Darbyshire-Bryant authored
      
      
      Bump to the latest cake recipe.
      
      This backports tc class support to kernel 4.9 and other than conditional
      kernel compilation pre-processor macros represents the cake that has
      gone upstream into kernel 4.19.  Loud cheer!
      
      Fun may be had by changing cake tin classification for packets on
      ingress. e.g.
      
      tc filter add dev ifb4eth0 parent 800b: protocol ip u32 match \
      ip dport 6981 0xffff action skbedit priority 800b:1
      
      Where 800b: represents the filter handle for the ifb obtained by 'tc
      qdisc' and the 1 from 800b:1 represents the cake tin number.  So the
      above example puts all incoming packets destined for port 6981 into the
      BULK (lowest priority) tin.
      
      f39ab9a Obey tin_order for tc filter classifiers
      1e2473f Clean up after latest backport.
      82531d0 Reorder includes to fix out of tree compilation
      52cbc00 Code style cleanup
      6cdb496 Fix argument order for NL_SET_ERR_MSG_ATTR()
      cab17b6 Remove duplicate call to qdisc_watchdog_init()
      71c7991 Merge branch 'backport-classful'
      32aa7fb Fix compilation on Linux 4.9
      9f8fe7a Fix compilation on Linux 4.14
      ceab7a3 Rework filter classification
      aad5436 Fixed version of class stats
      be1c549 Add cake-specific class stats
      483399d Use tin_order for class dumps
      80dc129 Add class dumping
      0c8e6c1 Fix dropping when using filters
      c220493 Add the minimum class ops
      5ed54d2 Start implementing tc filter/class support
      Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
      (cherry picked from commit c729c43b)
    • iproute2: merge upstream CAKE support · 2725ad8d
      Jo-Philipp Wich authored
      Add upstream support for CAKE into iproute2 and conditionally enable it
      depending on the build environment we're running under.
      
      When running with SDK=1 and CONFIG_BUILDBOT=y we assume that we're
      invoked by the release package builder at
      http://release-builds.lede-project.org/17.01/packages/ and produce shared
      iproute2 executables with legacy CAKE support for older released kernels.
      
      When not running under the release package builder environment, produce
      nonshared packages using the new, upstream CAKE support suitable for
      the latest kernel.
      
      Depending on the environment, suffix the PKG_RELEASE field with either
      "-cake-legacy" or "-cake-upstream" to ensure that the nonshared packages
      are preferred by opkg for newer builds.
      Signed-off-by: Jo-Philipp Wich <jo@mein.io>
  10. 22 Jul, 2018 1 commit
  11. 20 Jul, 2018 1 commit
  12. 19 Jul, 2018 5 commits