<feed xmlns='http://www.w3.org/2005/Atom'>
<title>mtk-20170518/package/network/services, branch v17.01.2</title>
<subtitle>MTK 20170518 : Mediatek SDK based on OpenWRT Barrier Breaker</subtitle>
<link rel='alternate' type='text/html' href='http://www.chd.sx/cgit/mtk-20170518/'/>
<entry>
<title>umdns: remove superfluous include in init script</title>
<updated>2017-06-01T23:29:51+00:00</updated>
<author>
<name>Jo-Philipp Wich</name>
<email>jo@mein.io</email>
</author>
<published>2017-06-01T23:26:20+00:00</published>
<link rel='alternate' type='text/html' href='http://www.chd.sx/cgit/mtk-20170518/commit/?id=e78a641f526708ce1df5ce661cfabd7de3e6e295'/>
<id>e78a641f526708ce1df5ce661cfabd7de3e6e295</id>
<content type='text'>
The umdns init script includes function/network.sh globally, outside of any
service procedure. This causes init script activation to fail in buildroot
and IB context if umdns is set to builtin.

Additionally, the network.sh helper is not actually used.

Drop the entire include in order to repair init script activation in build
host context. Fixes FS#658.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The umdns init script includes function/network.sh globally, outside of any
service procedure. This causes init script activation to fail in buildroot
and IB context if umdns is set to builtin.

Additionally, the network.sh helper is not actually used.

Drop the entire include in order to repair init script activation in build
host context. Fixes FS#658.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>dnsmasq: bump to 2.77</title>
<updated>2017-06-01T22:25:08+00:00</updated>
<author>
<name>Jo-Philipp Wich</name>
<email>jo@mein.io</email>
</author>
<published>2017-06-01T22:12:34+00:00</published>
<link rel='alternate' type='text/html' href='http://www.chd.sx/cgit/mtk-20170518/commit/?id=cdfc6788a9fc7c0a4b90ab92ab302e0a2506cc54'/>
<id>cdfc6788a9fc7c0a4b90ab92ab302e0a2506cc54</id>
<content type='text'>
This is a cumulative backport of multiple dnsmasq update commits in master.

Drops three LEDE specific patches which are included upstream and another
patch which became obsolete. Remaining LEDE specific patches are rebased.

Fixes FS#766 - Intermittent SIGSEGV crash of dnsmasq-full.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is a cumulative backport of multiple dnsmasq update commits in master.

Drops three LEDE specific patches which are included upstream and another
patch which became obsolete. Remaining LEDE specific patches are rebased.

Fixes FS#766 - Intermittent SIGSEGV crash of dnsmasq-full.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>dnsmasq: make tftp root if not existing</title>
<updated>2017-06-01T22:09:14+00:00</updated>
<author>
<name>Alberto Bursi</name>
<email>alberto.bursi@outlook.it</email>
</author>
<published>2017-05-02T17:31:17+00:00</published>
<link rel='alternate' type='text/html' href='http://www.chd.sx/cgit/mtk-20170518/commit/?id=9e20cc56b9a7244b14a5aa8d807148a619339103'/>
<id>9e20cc56b9a7244b14a5aa8d807148a619339103</id>
<content type='text'>
If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.

Originally submitted by nfw user aka Nathaniel Wesley Filardo

Signed-off-by: Alberto Bursi &lt;alberto.bursi@outlook.it&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.

Originally submitted by nfw user aka Nathaniel Wesley Filardo

Signed-off-by: Alberto Bursi &lt;alberto.bursi@outlook.it&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>dnsmasq: use logical interface name for dhcp relay config</title>
<updated>2017-06-01T22:07:02+00:00</updated>
<author>
<name>Karl Vogel</name>
<email>karl.vogel@gmail.com</email>
</author>
<published>2017-03-29T09:39:35+00:00</published>
<link rel='alternate' type='text/html' href='http://www.chd.sx/cgit/mtk-20170518/commit/?id=ebf46d2c5bd3c4f1ff80544a134f87131e011056'/>
<id>ebf46d2c5bd3c4f1ff80544a134f87131e011056</id>
<content type='text'>
The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.

Signed-off-by: Karl Vogel &lt;karl.vogel@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.

Signed-off-by: Karl Vogel &lt;karl.vogel@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>dnsmasq: don't point --resolv-file to default location unconditionally</title>
<updated>2017-06-01T22:06:24+00:00</updated>
<author>
<name>Philip Prindeville</name>
<email>philipp@redfish-solutions.com</email>
</author>
<published>2017-03-14T18:58:37+00:00</published>
<link rel='alternate' type='text/html' href='http://www.chd.sx/cgit/mtk-20170518/commit/?id=78edfff5303533dc52a1ac64ad745acc0a8a743e'/>
<id>78edfff5303533dc52a1ac64ad745acc0a8a743e</id>
<content type='text'>
If noresolv is set, we should not generate a --resolv-file parameter.

Signed-off-by: Philip Prindeville &lt;philipp@redfish-solutions.com&gt;
Signed-off-by: Hans Dedecker &lt;dedeckeh@gmail.com&gt; [minor cleanup]
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If noresolv is set, we should not generate a --resolv-file parameter.

Signed-off-by: Philip Prindeville &lt;philipp@redfish-solutions.com&gt;
Signed-off-by: Hans Dedecker &lt;dedeckeh@gmail.com&gt; [minor cleanup]
</pre>
</div>
</content>
</entry>
<entry>
<title>samba: bump PKG_RELEASE</title>
<updated>2017-05-27T15:40:21+00:00</updated>
<author>
<name>Jo-Philipp Wich</name>
<email>jo@mein.io</email>
</author>
<published>2017-05-27T10:15:06+00:00</published>
<link rel='alternate' type='text/html' href='http://www.chd.sx/cgit/mtk-20170518/commit/?id=22478bf47321820ca49fdefe1594bd9260736438'/>
<id>22478bf47321820ca49fdefe1594bd9260736438</id>
<content type='text'>
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the
fixed samba package does not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the
fixed samba package does not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mac80211, hostapd: always explicitly set beacon interval</title>
<updated>2017-05-27T12:24:13+00:00</updated>
<author>
<name>Matthias Schiffer</name>
<email>mschiffer@universe-factory.net</email>
</author>
<published>2017-05-13T14:17:44+00:00</published>
<link rel='alternate' type='text/html' href='http://www.chd.sx/cgit/mtk-20170518/commit/?id=4bd3b8f8b0bc97cb7de4242b4f67c57ea8296de5'/>
<id>4bd3b8f8b0bc97cb7de4242b4f67c57ea8296de5</id>
<content type='text'>
One of the latest mac80211 updates added sanity checks, requiring the
beacon intervals of all VIFs of the same radio to match. This often broke
AP+11s setups, as these modes use different default intervals, at least in
some configurations (observed on ath9k).

Instead of relying on driver or hostapd defaults, change the scripts to
always explicitly set the beacon interval, defaulting to 100. This also
applies the beacon interval to 11s interfaces, which had been forgotten
before. VIF-specific beacon_int setting is removed from hostapd.sh.

Fixes FS#619.

Signed-off-by: Matthias Schiffer &lt;mschiffer@universe-factory.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
One of the latest mac80211 updates added sanity checks, requiring the
beacon intervals of all VIFs of the same radio to match. This often broke
AP+11s setups, as these modes use different default intervals, at least in
some configurations (observed on ath9k).

Instead of relying on driver or hostapd defaults, change the scripts to
always explicitly set the beacon interval, defaulting to 100. This also
applies the beacon interval to 11s interfaces, which had been forgotten
before. VIF-specific beacon_int setting is removed from hostapd.sh.

Fixes FS#619.

Signed-off-by: Matthias Schiffer &lt;mschiffer@universe-factory.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>hostapd: add legacy_rates option to disable 802.11b data rates.</title>
<updated>2017-05-27T12:24:13+00:00</updated>
<author>
<name>Nick Lowe</name>
<email>nick.lowe@gmail.com</email>
</author>
<published>2017-03-27T09:50:23+00:00</published>
<link rel='alternate' type='text/html' href='http://www.chd.sx/cgit/mtk-20170518/commit/?id=e194e1b3c838a301178effb639804c28fe67354d'/>
<id>e194e1b3c838a301178effb639804c28fe67354d</id>
<content type='text'>
Setting legacy_rates to 0 disables 802.11b data rates.
Setting legacy_rates to 1 enables 802.11b data rates. (Default)

The basic_rate option and supported_rates option are filtered based on this.

The rationale for the change, stronger now than in 2014, can be found in:

https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx

The balance of equities between compatibility with b clients and the
detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b
rates by default.

Signed-off-by: Nick Lowe &lt;nick.lowe@gmail.com&gt;
Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt; [cleanup, defaults change]
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Setting legacy_rates to 0 disables 802.11b data rates.
Setting legacy_rates to 1 enables 802.11b data rates. (Default)

The basic_rate option and supported_rates option are filtered based on this.

The rationale for the change, stronger now than in 2014, can be found in:

https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx

The balance of equities between compatibility with b clients and the
detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b
rates by default.

Signed-off-by: Nick Lowe &lt;nick.lowe@gmail.com&gt;
Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt; [cleanup, defaults change]
</pre>
</div>
</content>
</entry>
<entry>
<title>dropbear: bump to 2017.75</title>
<updated>2017-05-24T16:04:51+00:00</updated>
<author>
<name>Kevin Darbyshire-Bryant</name>
<email>kevin@darbyshire-bryant.me.uk</email>
</author>
<published>2017-05-20T11:54:11+00:00</published>
<link rel='alternate' type='text/html' href='http://www.chd.sx/cgit/mtk-20170518/commit/?id=dd19a41520c54f13f9d9da2f5ff7dcebd3d8f085'/>
<id>dd19a41520c54f13f9d9da2f5ff7dcebd3d8f085</id>
<content type='text'>
- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink.  Dropbear parsed authorized_keys as root, even if it were a
symlink.  The fix is to switch to user permissions when opening
authorized_keys

A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.

Signed-off-by: Kevin Darbyshire-Bryant &lt;kevin@darbyshire-bryant.me.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink.  Dropbear parsed authorized_keys as root, even if it were a
symlink.  The fix is to switch to user permissions when opening
authorized_keys

A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.

Signed-off-by: Kevin Darbyshire-Bryant &lt;kevin@darbyshire-bryant.me.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>samba: fix CVE-2017-7494</title>
<updated>2017-05-24T13:41:30+00:00</updated>
<author>
<name>Stijn Tintel</name>
<email>stijn@linux-ipv6.be</email>
</author>
<published>2017-05-24T12:44:03+00:00</published>
<link rel='alternate' type='text/html' href='http://www.chd.sx/cgit/mtk-20170518/commit/?id=51db1f5a9a3ecd5cc2c5de724641c4636a0a86e2'/>
<id>51db1f5a9a3ecd5cc2c5de724641c4636a0a86e2</id>
<content type='text'>
Signed-off-by: Stijn Tintel &lt;stijn@linux-ipv6.be&gt;
(cherry picked from commit 3f0d3d12da77d8833a725f99f6fa08640678a1ae)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Stijn Tintel &lt;stijn@linux-ipv6.be&gt;
(cherry picked from commit 3f0d3d12da77d8833a725f99f6fa08640678a1ae)
</pre>
</div>
</content>
</entry>
</feed>
