Merge pull request from GHSA-xqhj-fmc7-f8mv

ecdsautils: verify: fix signature verification (CVE-2022-24884)

README.md

@@ -21,7 +21,7 @@ the future development of Gluon.
 
 Please refrain from using the `master` branch for anything else but development purposes!
 Use the most recent release instead. You can list all releases by running `git tag`
-and switch to one by running `git checkout v2020.2 && make update`.
+and switch to one by running `git checkout v2020.2.3 && make update`.
 
 If you're using the autoupdater, do not autoupdate nodes with anything but releases.
 If you upgrade using random master commits the nodes *will break* eventually.

contrib/actions/install-dependencies.sh

@@ -2,9 +2,7 @@
 
 set -e
 
-cp contrib/actions/sources.list /etc/apt/sources.list
-rm -rf /etc/apt/sources.list.d
-apt update
-apt install git subversion build-essential python gawk unzip libncurses5-dev zlib1g-dev libssl-dev wget time
-apt clean
+apt-get update
+apt-get install git subversion build-essential python gawk unzip libncurses-dev zlib1g-dev libssl-dev wget time
+apt-get clean
 rm -rf /var/lib/apt/lists/*

contrib/actions/sources.list

@@ -1,2 +0,0 @@
-deb http://mirror.netcologne.de/ubuntu/ bionic main restricted
-deb http://mirror.netcologne.de/ubuntu/ bionic-updates main restricted

docs/conf.py

@@ -24,7 +24,7 @@ copyright = '2015-2020, Project Gluon'
 author = 'Project Gluon'
 
 # The short X.Y version
-version = '2020.2'
+version = '2020.2.3'
 # The full version, including alpha/beta/rc tags
 release = version
 

docs/index.rst

@@ -78,11 +78,16 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre
    :caption: Releases
    :maxdepth: 1
 
+   releases/v2020.2.3
+   releases/v2020.2.2
+   releases/v2020.2.1
    releases/v2020.2
+   releases/v2020.1.4
    releases/v2020.1.3
    releases/v2020.1.2
    releases/v2020.1.1
    releases/v2020.1
+   releases/v2019.1.3
    releases/v2019.1.2
    releases/v2019.1.1
    releases/v2019.1

docs/releases/v2019.1.3.rst

@@ -0,0 +1,68 @@
+Gluon 2019.1.3
+==============
+
+Bugfixes
+--------
+
+- Fixes a bug in the tunneldigger watchdog where the watchdog would incorrectly find itself while looking up the running tunneldigger process. It then went on and assumed a PID mismatch between the tunneldigger service and its PID file and therefore caused an unnecessary restart of the tunnel. (`#1952 <https://github.com/freifunk-gluon/gluon/issues/1952>`_)
+
+- Fixes an oversight in the firewalling of the respondd service where queries from prefix listed in ``extra_prefixes6`` would be dropped. (`#1941 <https://github.com/freifunk-gluon/gluon/issues/1941>`_)
+
+- Fixes a bug in ``gluon-web`` where forms would not correctly update their field visibility on reset. This affected, for example, the private wifi page in the config mode. (`#1970 <https://github.com/freifunk-gluon/gluon/pull/1970>`_)
+
+- Fixes RX buffer sizing in the ath10k driver to allow for frames larger than 1528 Bytes. (`#1992 <https://github.com/freifunk-gluon/gluon/pull/1992>`_)
+
+- Fixed handling of mesh interfaces together with outdoor mode, site.conf defaults and config mode (`#2049 <https://github.com/freifunk-gluon/gluon/pull/2049>`_) (`#2054 <https://github.com/freifunk-gluon/gluon/pull/2054>`_)
+
+- Fixes a bug with perl when building Gluon v2019.1.x with GCC10
+
+- Fixes a buffer leak in fastd when receiving invalid packets
+
+Other Changes
+-------------
+
+- Linux kernel has been updated to either
+
+  - 4.9.237 (ar71xx, brcm2708, mpc85xx) or
+  - 4.14.199 (ipq40xx, ipq806x, mvebu, ramips, sunxi, x86).
+
+- Backports of batman-adv bugfixes
+
+Known issues
+------------
+
+* Out of memory situations with high client count on ath9k.
+  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+   - | Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+     | Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+     | metric.
+
+   - | Throughput values are not correctly acquired for different interface types.
+     | (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+     | This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+
+* Inconsistent respondd API (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.
+
+* Frequent reboots due to out-of-memory or high load due to memory pressure on weak hardware especially in larger
+  meshes (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.
+

docs/releases/v2020.1.4.rst

@@ -0,0 +1,47 @@
+Gluon 2020.1.4
+==============
+
+Added hardware support
+----------------------
+
+- Added support for TP-Link CPE210 3.20 (`#2080 <https://github.com/freifunk-gluon/gluon/issues/2080>`_)
+
+Bugfixes
+--------
+
+- Fixed a rare race-condition during mesh interface teardown (`#2057 <https://github.com/freifunk-gluon/gluon/pull/2057>`_)
+
+- Fixed handling of mesh interfaces together with outdoor mode, site.conf defaults and config mode (`#2049 <https://github.com/freifunk-gluon/gluon/pull/2049>`_) (`#2054 <https://github.com/freifunk-gluon/gluon/pull/2054>`_)
+
+Other changes
+-------------
+
+- Linux kernel has been updated to 4.14.193
+- Backports of batman-adv bugfixes
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the
+  NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).

docs/releases/v2020.2.1.rst

@@ -0,0 +1,47 @@
+Gluon 2020.2.1
+==============
+
+Added hardware support
+----------------------
+
+- Added support for TP-Link CPE210 3.20 (`#2080 <https://github.com/freifunk-gluon/gluon/issues/2080>`_)
+
+Bugfixes
+--------
+
+- Fixed handling of *mesh_on_lan* enabled in site configuration (`#2090 <https://github.com/freifunk-gluon/gluon/issues/2090>`_)
+
+- Fixed build issues with lantiq-xrx200 target by removing unsupported DSL modem packages (`#2087 <https://github.com/freifunk-gluon/gluon/pull/2087>`_)
+
+Other changes
+-------------
+
+- Linux kernel has been updated to 4.14.193
+- Backports of batman-adv bugfixes
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the
+  NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations not using VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).

docs/releases/v2020.2.2.rst

@@ -0,0 +1,42 @@
+Gluon 2020.2.2
+==============
+
+Bugfixes
+--------
+
+- Fixed unstable WiFi on some units of the TP-Link Archer C50 v4 (`#2133 <https://github.com/freifunk-gluon/gluon/pull/2133>`_)
+
+- Fixed CVE-2020-27638 in fastd
+
+Other changes
+-------------
+
+- Linux kernel has been updated to 4.14.209
+- Backports of batman-adv bugfixes
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the
+  NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations not using VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).

docs/releases/v2020.2.3.rst

@@ -0,0 +1,49 @@
+Gluon 2020.2.3
+==============
+
+Bugfixes
+--------
+
+- LEDs on the ASUS RT-AC51 are now fully functional.
+
+- Netgear EX6150v1 randomly booting into failsafe mode has been fixed.
+  This happened dependant on the state of the mode setting switch.
+
+- Dnsmasq has been patched against multiple security issues in its DNS response validation.
+  See the OpenWrt advisory at https://openwrt.org/advisory/2021-01-19-1
+
+
+Other changes
+-------------
+
+- Linux kernel has been updated to 4.14.224
+- batman-adv fixes were backported from its 2021.0 release
+- OpenSSL has been updated to 1.1.1k
+
+Known issues
+------------
+
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the
+  NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+  - Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+    metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations not using VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+

docs/releases/v2020.2.rst

@@ -173,8 +173,9 @@ Build system
 Known issues
 ------------
 
-* Out of memory situations with high client count on ath9k.
-  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the
+  NAND flash which the NAND driver before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
 
 * The integration of the BATMAN_V routing algorithm is incomplete.
 
@@ -189,3 +190,9 @@ Known issues
   (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
 
   Reducing the TX power in the Advanced Settings is recommended.
+
+* In configurations not using VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).

docs/site-example/site.conf

@@ -1,4 +1,4 @@
--- This is an example site configuration for Gluon v2020.2
+-- This is an example site configuration for Gluon v2020.2.3
 --
 -- Take a look at the documentation located at
 -- https://gluon.readthedocs.io/ for details.

docs/user/getting_started.rst

@@ -8,7 +8,7 @@ Gluon's releases are managed using `Git tags`_. If you are just getting
 started with Gluon we recommend to use the latest stable release of Gluon.
 
 Take a look at the `list of gluon releases`_ and notice the latest release,
-e.g. *v2020.2*. Always get Gluon using git and don't try to download it
+e.g. *v2020.2.3*. Always get Gluon using git and don't try to download it
 as a Zip archive as the archive will be missing version information.
 
 Please keep in mind that there is no "default Gluon" build; a site configuration
@@ -44,7 +44,7 @@ Building the images
 -------------------
 
 To build Gluon, first check out the repository. Replace *RELEASE* with the
-version you'd like to checkout, e.g. *v2020.2*.
+version you'd like to checkout, e.g. *v2020.2.3*.
 
 ::
 

modules

@@ -2,15 +2,15 @@ GLUON_FEEDS='packages routing gluon'
 
 OPENWRT_REPO=https://github.com/openwrt/openwrt.git
 OPENWRT_BRANCH=openwrt-19.07
-OPENWRT_COMMIT=9cafcbe0bdd601d07ed55bee0136f5d8393c37a8
+OPENWRT_COMMIT=9882a54c4848e2e282bca435c6aa0025d9fa37df
 
 PACKAGES_PACKAGES_REPO=https://github.com/openwrt/packages.git
 PACKAGES_PACKAGES_BRANCH=openwrt-19.07
-PACKAGES_PACKAGES_COMMIT=e76090945523c71c2406276f6d42b2e7f078a2d8
+PACKAGES_PACKAGES_COMMIT=476b8b82bb7447a1ed847c96d85de567e09cdb62
 
 PACKAGES_ROUTING_REPO=https://github.com/openwrt-routing/packages.git
 PACKAGES_ROUTING_BRANCH=openwrt-19.07
-PACKAGES_ROUTING_COMMIT=9b42e24a54f03ebb6f58224b49036e8f739b175f
+PACKAGES_ROUTING_COMMIT=101632e153b41238bc19dfd96ba2d23339dbcb76
 
 PACKAGES_GLUON_REPO=https://github.com/freifunk-gluon/packages.git
-PACKAGES_GLUON_COMMIT=12e41d0ff07ec54bbd67a31ab50d12ca04f2238c
+PACKAGES_GLUON_COMMIT=8d53ff54e562ddb2ed8397781dd78edc76f6ff38

package/gluon-core/Config.in

@@ -24,16 +24,12 @@ config KERNEL_TUN
 config KERNEL_L2TP_V3
 	bool
 
-config KERNEL_L2TP_IP
-	bool
-
 config KERNEL_L2TP_ETH
 	bool
 
 config KERNEL_L2TP
 	bool
 	select KERNEL_L2TP_V3
-	select KERNEL_L2TP_IP
 	select KERNEL_L2TP_ETH
 
 

package/gluon-mesh-wireless-sae/luasrc/lib/gluon/upgrade/205-wireless-mesh-sae

@@ -11,7 +11,7 @@ local function configure_sae(vif)
 	uci:set('wireless', vif, 'key', site.wifi.mesh.sae_passphrase() or hash.md5(site.prefix6()))
 end
 
-wireless.foreach_radio(uci, function(radio, _, _)
+wireless.foreach_radio(uci, function(radio)
 	local radio_name = radio['.name']
 	local vif = 'mesh_' .. radio_name
 	local enable = site.wifi.mesh.sae(false)

package/gluon-respondd/src/respondd-statistics.c

@@ -239,7 +239,7 @@ static void count_iface_stations(size_t *wifi24, size_t *wifi5, const char *ifna
 	}
 }
 
-static void count_stations(size_t *wifi24, size_t *wifi5, size_t *owe24, size_t owe5) {
+static void count_stations(size_t *wifi24, size_t *wifi5, size_t *owe24, size_t *owe5) {
 	struct uci_context *ctx = uci_alloc_context();
 	if (!ctx)
 		return;

package/libgluonutil/src/libgluonutil.h

@@ -42,6 +42,7 @@ struct json_object * gluonutil_wrap_and_free_string(char *str);
 
 bool gluonutil_has_domains(void);
 char * gluonutil_get_domain(void);
+char * gluonutil_get_primary_domain(void);
 struct json_object * gluonutil_load_site_config(void);
 
 #endif /* _LIBGLUON_LIBGLUON_H_ */

patches/openwrt/0009-ath79-enable-GL-AR750S-NOR-variant-from-master.patch

@@ -3,10 +3,10 @@ Date: Tue, 31 Mar 2020 21:50:28 +0200
 Subject: ath79: enable GL-AR750S NOR variant from master
 
 diff --git a/target/linux/ath79/base-files/etc/board.d/02_network b/target/linux/ath79/base-files/etc/board.d/02_network
-index 9b9bc8a7fc15300247bceeb431ab3ae8d3ac47e6..da45b40086c0cb0011c1db6b89ae75b981fcc9b7 100755
+index 5dda551caae0429880ee9d5965bfb6797d218e6d..b8fac8816c9a2b2a87a5d1335b41127666afe2e4 100755
 --- a/target/linux/ath79/base-files/etc/board.d/02_network
 +++ b/target/linux/ath79/base-files/etc/board.d/02_network
-@@ -151,7 +151,7 @@ ath79_setup_interfaces()
+@@ -155,7 +155,7 @@ ath79_setup_interfaces()
  	etactica,eg200)
  		ucidef_set_interface_lan "eth0" "dhcp"
  		;;
@@ -29,7 +29,7 @@ index d93e6dcd71ab19c53905daa41e95cc4fc614f114..c917f38211d0b246f064dba4b7feefec
  		ath10kcal_patch_mac $(macaddr_add $(mtd_get_mac_binary art 0) +1)
  		;;
 diff --git a/target/linux/ath79/dts/qca9563_glinet_gl-ar750s.dts b/target/linux/ath79/dts/qca9563_glinet_gl-ar750s.dts
-index 0145a24fbae2cdbe6fb6445607795af6b792352d..ebecb8cc776091ec019638589cb88159345d367f 100644
+index 03922bcd1fe9a453d5916537609317b94eea18c6..ff64e16d1ce7a94d16529e5954e1d50513a5e2cb 100644
 --- a/target/linux/ath79/dts/qca9563_glinet_gl-ar750s.dts
 +++ b/target/linux/ath79/dts/qca9563_glinet_gl-ar750s.dts
 @@ -7,8 +7,8 @@
@@ -41,8 +41,8 @@ index 0145a24fbae2cdbe6fb6445607795af6b792352d..ebecb8cc776091ec019638589cb88159
 +	compatible = "glinet,gl-ar750s-nor", "qca,qca9563";
 +	model = "GL.iNet GL-AR750S (NOR)";
  
- 	chosen {
- 		bootargs = "console=ttyS0,115200n8";
+ 	aliases {
+ 		led-boot = &power;
 diff --git a/target/linux/ath79/image/generic.mk b/target/linux/ath79/image/generic.mk
 index 55053be34f11f0df982c85f94c9180fdba9ff221..892ef10f870e347c8a1509cecd35bce4b5e98bee 100644
 --- a/target/linux/ath79/image/generic.mk

patches/openwrt/0010-tools-add-zstd.patch

@@ -6,7 +6,7 @@ Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
 (cherry picked from commit 258dc0d0fd3aae47add9b7dca40848a92d03a4ea)
 
 diff --git a/tools/Makefile b/tools/Makefile
-index d7207ba89dd91df558eaf970961fdef225aa1f37..14fe4fb4b5f4e0c745cb8592a39bcf238dcc5444 100644
+index b8d986b80cc4b34addf2b35a2b143cfcb583c717..33266ca72d01fa564fb3f06d675219d700edd481 100644
 --- a/tools/Makefile
 +++ b/tools/Makefile
 @@ -33,7 +33,7 @@ tools-$(CONFIG_TARGET_mxs) += elftosb sdimage

patches/openwrt/0013-mt76-mt76x0-disable-GTK-offloading.patch

@@ -1,49 +0,0 @@
-From: David Bauer <mail@david-bauer.net>
-Date: Sat, 13 Jun 2020 19:19:17 +0200
-Subject: mt76: mt76x0: disable GTK offloading
-
-When the GTK is offloaded, MT7610 won't transmit any multicast frames.
-This is most likely due to a bug in the offloading datapath. MT7612 is
-not affected.
-
-Disable GTK offloading for now. It can be re-enabled once the bug in the
-offloading path is fixed.
-
-Signed-off-by: David Bauer <mail@david-bauer.net>
-
-diff --git a/package/kernel/mt76/patches/001-mt76-mt76x0-disable-gtk-offloading.patch b/package/kernel/mt76/patches/001-mt76-mt76x0-disable-gtk-offloading.patch
-new file mode 100644
-index 0000000000000000000000000000000000000000..e7e19ac957dbfaa9510016d3387abe9eed353538
---- /dev/null
-+++ b/package/kernel/mt76/patches/001-mt76-mt76x0-disable-gtk-offloading.patch
-@@ -0,0 +1,30 @@
-+From ae01717951013fbc8bb0315d902d5b9f5873631a Mon Sep 17 00:00:00 2001
-+From: David Bauer <mail@david-bauer.net>
-+Date: Fri, 12 Jun 2020 01:09:57 +0200
-+Subject: [PATCH] mt76: mt76x0: disable GTK offloading
-+
-+When the GTK is offloaded, MT7610 won't transmit any multicast frames.
-+This is most likely due to a bug in the offloading datapath. MT7612 is
-+not affected.
-+
-+Disable GTK offloading for now. It can be re-enabled once the bug in the
-+offloading path is fixed.
-+
-+Signed-off-by: David Bauer <mail@david-bauer.net>
-+---
-+ drivers/net/wireless/mediatek/mt76/mt76x02_util.c | 4 ++++
-+ 1 file changed, 4 insertions(+)
-+
-+--- a/mt76x02_util.c
-++++ b/mt76x02_util.c
-+@@ -432,6 +432,10 @@ int mt76x02_set_key(struct ieee80211_hw
-+ 	    !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
-+ 		return -EOPNOTSUPP;
-+ 
-++	/* MT76x0 GTK offloading is currently broken */
-++	if (is_mt76x0(dev) && !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
-++		return -EOPNOTSUPP;
-++
-+ 	/*
-+ 	 * In USB AP mode, broadcast/multicast frames are setup in beacon
-+ 	 * data registers and sent via HW beacons engine, they require to

patches/packages/packages/0001-fastd-update-to-v19.patch

@@ -26,7 +26,7 @@ index 3350eb3099a26c870d70373c0712a8b59881ee5c..e6440075e561093c86543943cb982d01
  config FASTD_ENABLE_CIPHER_NULL
  	bool "Enable the null cipher"
 diff --git a/net/fastd/Makefile b/net/fastd/Makefile
-index 44b37b6ca300ba43f15d7a116fb654ccd0a69e99..8eabc34db6f3b906ddb1b5df5c232309e85d2ffb 100644
+index f4890b56931a75849229d25fe78720e19d493383..7483e7b003041fb59991d72d0ccfcc8a28bb17a3 100644
 --- a/net/fastd/Makefile
 +++ b/net/fastd/Makefile
 @@ -8,13 +8,13 @@
@@ -34,9 +34,9 @@ index 44b37b6ca300ba43f15d7a116fb654ccd0a69e99..8eabc34db6f3b906ddb1b5df5c232309
  
  PKG_NAME:=fastd
 -PKG_VERSION:=18
--PKG_RELEASE:=4
+-PKG_RELEASE:=5
 +PKG_VERSION:=19
-+PKG_RELEASE:=1
++PKG_RELEASE:=2
  
  PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz

patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch

@@ -0,0 +1,73 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Wed, 27 Apr 2022 19:01:39 +0200
+Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884)
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile
+index 7f1c76f0301f56b0a88c1f6a1a0147397fde25c7..5ba893be69d40279cd6f5c9e544e941d0011f451 100644
+--- a/utils/ecdsautils/Makefile
++++ b/utils/ecdsautils/Makefile
+@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=ecdsautils
+ PKG_VERSION:=0.3.2.20160630
+-PKG_RELEASE:=1
++PKG_RELEASE:=2
+ PKG_REV:=07538893fb6c2a9539678c45f9dbbf1e4f222b46
+ PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba
+--- /dev/null
++++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
+@@ -0,0 +1,48 @@
++From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001
++Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net>
++From: Matthias Schiffer <mschiffer@universe-factory.net>
++Date: Wed, 20 Apr 2022 22:04:07 +0200
++Subject: [PATCH] verify: fix signature verification (CVE-2022-24884)
++
++Verify that r and s are non-zero. Without these checks, an all-zero
++signature is always considered valid.
++
++While it would be nicer to error out in ecdsa_verify_prepare_legacy()
++already, that would require users of libecdsautil to check a return value
++of the prepare step. To be safe, implement the fix in an API/ABI-compatible
++way that doesn't need changes to the users.
++---
++ src/lib/ecdsa.c | 10 ++++++++++
++ 1 file changed, 10 insertions(+)
++
++diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c
++index 8cd7722be8cd..a661b56bd7c8 100644
++--- a/src/lib/ecdsa.c
+++++ b/src/lib/ecdsa.c
++@@ -135,6 +135,12 @@ regenerate:
++ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) {
++   ecc_int256_t w, u1, tmp;
++ 
+++  if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) {
+++    // Signature is invalid, mark by setting ctx->r to an invalid value
+++    memset(&ctx->r, 0, sizeof(ctx->r));
+++    return;
+++  }
+++
++   ctx->r = signature->r;
++ 
++   ecc_25519_gf_recip(&w, &signature->s);
++@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work
++   ecc_25519_work_t s2, work;
++   ecc_int256_t w, tmp;
++ 
+++  // Signature was detected as invalid in prepare step
+++  if (ecc_25519_gf_is_zero(&ctx->r))
+++    return false;
+++
++   ecc_25519_scalarmult(&s2, &ctx->u2, pubkey);
++   ecc_25519_add(&work, &ctx->s1, &s2);
++   ecc_25519_store_xy_legacy(&w, NULL, &work);
++-- 
++2.36.0
++

targets/ar71xx-generic

@@ -251,18 +251,50 @@ if (env.GLUON_REGION or '') ~= '' then
 	tplink_region_suffix = '-' .. env.GLUON_REGION
 end
 
-device('tp-link-cpe210-v1.0', 'cpe210-220-v1', {
-	aliases = {'tp-link-cpe210-v1.1', 'tp-link-cpe220-v1.1'},
+device('tp-link-cpe210-v1', 'cpe210-220-v1', {
+	aliases = {
+		'tp-link-cpe220-v1',
+	},
+	manifest_aliases = {
+		'tp-link-cpe210-v1.0',
+		'tp-link-cpe210-v1.1',
+		'tp-link-cpe220-v1.1',
+	},
 })
-device('tp-link-cpe210-v2.0', 'cpe210-v2')
-device('tp-link-cpe210-v3.0', 'cpe210-v3')
-
-device('tp-link-cpe510-v1.0', 'cpe510-520-v1', {
-	aliases = {'tp-link-cpe510-v1.1', 'tp-link-cpe520-v1.1'},
+device('tp-link-cpe210-v2', 'cpe210-v2', {
+	manifest_aliases = {
+		'tp-link-cpe210-v2.0',
+	},
+})
+device('tp-link-cpe210-v3', 'cpe210-v3', {
+	manifest_aliases = {
+		'tp-link-cpe210-v3.0',
+		'tp-link-cpe210-v3.1',
+		'tp-link-cpe210-v3.20',
+	},
 })
 
-device('tp-link-wbs210-v1.20', 'wbs210-v1')
-device('tp-link-wbs510-v1.20', 'wbs510-v1')
+device('tp-link-cpe510-v1', 'cpe510-520-v1', {
+	aliases = {
+		'tp-link-cpe520-v1',
+	},
+	manifest_aliases = {
+		'tp-link-cpe510-v1.0',
+		'tp-link-cpe510-v1.1',
+		'tp-link-cpe520-v1.1',
+	},
+})
+
+device('tp-link-wbs210-v1', 'wbs210-v1', {
+	manifest_aliases = {
+		'tp-link-wbs210-v1.20',
+	},
+})
+device('tp-link-wbs510-v1', 'wbs510-v1', {
+	manifest_aliases = {
+		'tp-link-wbs510-v1.20',
+	},
+})
 
 device('tp-link-tl-wr710n-v1', 'tl-wr710n-v1', {
 	class = 'tiny', -- 32M ath9k

targets/lantiq-xrx200

@@ -1,3 +1,17 @@
+packages {
+	'-ltq-vdsl-vr9-vectoring-fw-installer',
+	'-kmod-ltq-vdsl-vr9-mei',
+	'-kmod-ltq-vdsl-vr9',
+	'-kmod-ltq-atm-vr9',
+	'-kmod-ltq-ptm-vr9',
+	'-kmod-ltq-deu-vr9',
+	'-ltq-vdsl-app',
+	'-dsl-vrx200-firmware-xdsl-a',
+	'-dsl-vrx200-firmware-xdsl-b-patch',
+	'-ppp-mod-pppoa',
+}
+
+
 device('avm-fritz-box-7360-sl', 'avm_fritz7360sl', {
 	factory = false,
 	aliases = {'avm-fritz-box-7360-v1', 'avm-fritz-box-7360-v2'},

targets/ramips-mt7620

@@ -42,7 +42,9 @@ device('tp-link-archer-c2-v1', 'tplink_c2-v1', {
 	factory = false,
 })
 
-device('tp-link-archer-c20-v1', 'tplink_c20-v1')
+device('tp-link-archer-c20-v1', 'tplink_c20-v1', {
+	factory = false,
+})
 
 device('tp-link-archer-c20i', 'ArcherC20i')