- Python3-pysocks was removed as it was not maintained in commit 95fe4bf332 ("python-pysocks: remove outdated and not maintained package")
- Python3-unidecode was removed in commit 09951a9cfd ("python-unidecode: drop unmaintained package"), because there is no official support for Python 3.12 and it is still using setup.py, which is deprecated.
Fixes:
```
WARNING: Makefile 'package/feeds/packages/onionshare-cli/Makefile' has a dependency on 'python3-pysocks', which does not exist
WARNING: Makefile 'package/feeds/packages/onionshare-cli/Makefile' has a dependency on 'python3-unidecode', which does not exist
```
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
- Patches automatically rebased
- Release notes: https://nmap.org/changelog.html#7.99
- Update Makefile due to ndiff dropped setup.py using pyproject.toml.
Remove PYTHON3_PKG_FORCE_DISTUTILS_SETUP and set PYTHON3_PKG_WHEEL_NAME
to match the ndiff package name rather than PKG_NAME (nmap).
Signed-off-by: John Audia <therealgraysky@proton.me>
PlatformIO's SCons builder loads its tool modules at the start of
'pio run', including platformio/builder/tools/piosize.py which imports
elftools.elf. python-platformio's HOST_BUILD_DEPENDS already lists
python-pyelftools/host so it is installed alongside platformio in
staging_dir/hostpkg, but the dependency does not always reach
meshtasticd's compile step via that indirect chain, leading to:
ModuleNotFoundError: No module named 'elftools'
File ".../site-packages/platformio/builder/tools/piosize.py", line 22:
from elftools.elf.descriptions import describe_sh_flags
Declare python-pyelftools/host directly in meshtasticd's build deps so
the host install is guaranteed before 'pio run' is invoked.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Currently if a dynamic interface changes (VLAN, tunnel, etc)
that Kea is listening on, it needs to be told externally to
restart. The re-detect option avoids this.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
3.0.3 is a security/vulnerability release on the stable 3.0 series.
Notable fixes since 3.0.2:
* **CVE-2026-3608** — A large number of bracket pairs in a JSON payload
sent to any endpoint caused a stack overflow during recursive parsing.
The exploit does not need a syntactically valid command, so it bypasses
RBAC and the command filters on the High-Availability endpoints
(upstream #4275 / #4288 / #4387).
* Null dereference when configuring the Control Agent with a socket
entry that lacks the mandatory ``socket-name`` is now caught
(#4388, #4365).
* UNIX command sockets are created group-writable so Stork 2.4.0+ and
other tooling using the configured group can talk to the daemon
(#4398, #4260).
Upstream's release notes flag "no incompatible changes" and "no known
issues" for this bump.
All current patches still apply cleanly.
Release notes:
https://ftp.isc.org/isc/kea/3.0.3/Kea-3.0.3-ReleaseNotes.txt
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Tracing Transmission 4.11 showed the Transmission is started to use
the pwritev2 syscall for better write performance.
Add pwritev2 and preadv2 (which may be used as well, and anyway
doesn't hurt) to the list of allowed syscalls.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Smoke-test each subpackage with a real code path (config validators,
helper script sourcing, Python interpreter / module imports, hook .so
/ UCI file presence) instead of relying on the generic --version probe.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
kea-admin and kea-shell were shipped without their helper script
and Python modules respectively, leaving both non-functional. Ship
the missing files, add +python3-light +python3-urllib +python3-openssl
to kea-shell, and rewrite its meson-baked host-absolute shebang and
sys.path.append to the on-target /usr/bin/python3 + $(PYTHON3_PKG_DIR).
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
None of the shipped binaries (mdnsd, dns-sd, mDNSClient/Net/Proxy*,
mDNSResponder) print the package version, so the generic probe always
fails. Add a test-version.sh exiting 0 for the three subpackages.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Commit 1ea43c352 ("kea: fix kea-libs dependencies") replaced the
direct +log4cplus dependency on kea-libs with the virtual name
+log4cplus-any. With only one log4cplus implementation in the feed,
nothing actually PROVIDES log4cplus-any other than the auto-generated
"package name + -any" alias on log4cplus itself.
apk treats `-any`-suffixed names as ambiguous virtuals that the
admin must resolve explicitly, even when only one provider exists,
and refuses to install:
ERROR: unable to select packages:
log4cplus-any (virtual):
note: please select one of the 'provided by'
packages explicitly
provided by: log4cplus
required by: kea-libs-3.0.2-r7[log4cplus-any]
That bubbles up to every kea subpackage runtime test in CI
(kea-admin, kea-ctrl, every kea-dhcp* and kea-hook-*) and fails
the multi-arch test build with exit code 3.
Switch back to +log4cplus directly; the +libstdcpp addition from
that earlier commit stays — it was the genuinely useful part of
the change. Bump PKG_RELEASE for the redo.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Snapshot builds for i386_pentium-mmx (and presumably every other
target now that Boost 1.91 has been bumped in the feed) fail with::
src/lib/dns/rdataclass.cc:1401:5: error: 'BOOST_STATIC_ASSERT'
was not declared in this scope; did you mean
'BOOST_HAS_STATIC_ASSERT'?
1401 | BOOST_STATIC_ASSERT(sizeof(numdata_) ==
``BOOST_STATIC_ASSERT`` lives in ``<boost/static_assert.hpp>``. In
earlier Boost releases it was reachable through any number of
transitive includes pulled in by Kea's other DNS headers; in 1.91
those transitive paths have been pruned, so call sites must include
the declaring header explicitly. ``050-boost-static-assert.patch``
already does this for ``src/lib/log/logger_level_impl.cc``;
``src/lib/dns/rdataclass.cc`` uses the same macro at SOA::getMinimum()
to size-check ``numdata_`` and was missed.
Extend the existing patch with the matching include in rdataclass.cc.
Same fix shape as the earlier hunk; no behavioural change.
Build log:
https://downloads.openwrt.org/snapshots/faillogs/i386_pentium-mmx/packages/kea/
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Cover each user-facing subpackage with a real functional check instead
of relying solely on the CI's generic --version probe:
- knot: knotc conf-check on a minimal YAML server config
- knot-dig: kdig -h (CLI parser smoke check)
- knot-host: khost -h
- knot-nsupdate: feed 'quit' through the REPL
- knot-zonecheck: validate a minimal example.com zone file end to end
- knot-keymgr: initialise a KASP DB in a temp directory
knot-libs, knot-libzscanner, and knot-tests are library/harness
subpackages; the generic ELF/SONAME checks already cover them.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The RRL module's kru.inc.c has a `static_assert(ATOMIC_CHAR16_T_LOCK_FREE
== 2, ...)` that breaks the build on any target whose toolchain does
not advertise lock-free 16-bit atomics (e.g. ARMv5 arm926ej-s).
Upstream considers the assertion non-essential and plans to drop it;
they recommended a patch over a Makefile-level RRL disable. Bump
PKG_RELEASE for the patch swap.
Suggested-by: Daniel Salzman <daniel.salzman@nic.cz>
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Resolves several security issues:
- CVE-2026-3592: Limit resolver server list size.
- CVE-2026-3039: Fix GSS-API resource leak.
- CVE-2026-5950: Avoid unbounded recursion loop.
- CVE-2026-5947: Fix crash in resolver when SIG(0)-signed responses are
received under load.
- CVE-2026-3593: Add system test for HTTP/2 SETTINGS frame flood.
- CVE-2026-5946: Disable recursion, UPDATE, and NOTIFY for non-IN views.
Complete list of changes is available upstream at
https://ftp.isc.org/isc/bind9/9.20.23/doc/arm/html/changelog.html
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
* bugfix: only load the configuration once per run: a new `ban_confload`
guard short-circuits `f_conf()` on subsequent calls, avoiding
repeated `config_load` invocations
* new: the per-set report now sorts elements by their packet counter in
descending order before truncating to the top 50, so the report
shows the most active elements instead of just the first 50 found
Signed-off-by: Dirk Brenken <dev@brenken.org>
- f_search: refactored backup and local block-/allowlist scan to run in parallel
- f_search: raise the search timeout in backups to max. 90 seconds
- f_load: skip f_fetch for search action, no remote download is needed for local lookups
- f_dns: skip destructive paths (file wipe, f_dnsup) for search and report actions
- LuCI: adapt search backend changes in the frontend
- LuCI: minor frontend fixes & improvements
Signed-off-by: Dirk Brenken <dev@brenken.org>
Bump from 2.0.1 to the latest 2.0 LTS release. This pulls in
upstream commit 53cb738795 ("dnsdist: make code boost-1.91
compatible", Otto Moerbeek, 2026-04-29), which fixes the build
break against Boost 1.91 currently shipped by OpenWrt:
dnsdist-lua.cc:3086:101: error: converting to
'boost::optional<unordered_map<...>>' from initializer list
would use explicit constructor 'constexpr boost::optional<T>::
optional(U&&) [...]'
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Some FortiGate VPN gateways require a specific authentication realm
when multiple domains or user groups are configured on the same server.
This commit updates the netifd protocol script to parse the 'realm'
option from the UCI configuration and correctly append it to the
openfortivpn command line arguments.
Signed-off-by: Xing-Kai Wang <my@xkwang.org>
Josef Schlehofer
Wei-Ting Yang
Rui Salvaterra
David Mandy
Richard Schneidt
Seo Suchan
John Audia
Aleksander Jan Bajkowski
Hector Espert
W. Michael Petullo
Dirk Brenken
Olivier Poitrey
Alexandru Ardelean
Roc Lai
Philip Prindeville
Daniel Golle
George Sapkin
Noah Meyerhans
Tyrel M. McQueen
Sandro Jäckel
Xing-Kai Wang
Ray Wang