- align the config option names
- re-order the configuration options
- add some help text
- drop obsolete notes regarding older PHP versions and obsolete CONFLICT
- remove (meanwhile) unrecognized configure options
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 551e00c8fc)
* Add a needed BUILD_DEPENDENCY on icu package, when PHP8_INTL is
defined.
* Make PHP8_DOM selecting PHP8_LIBXML instead of depending on it.
* PHP8_INTL does not depend on PHP8_GETTEXT, it builds also
without gettext.
* Always show option for choosing PHP8_FULLUCIDATA
* For php8-cgi, php-cli, etc, a libstdcpp dependency is only gained
when PHP8_INTL is selected, therefore update those conditional depends.
As some combinations of these changes can change the binaries output,
PKG_RELEASE has been bumped.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit f8b8ce62c5)
Add more menuconfig help text descriptions, and
convert some mixed tabs and spaces to spaces.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 1a01a175fa)
xmlreader was selecting package php8-mod-dom as well as depending on
PHP8_DOM, while php8-mod-dom also depended on PHP8_DOM (and therefore
selected PHP8_DOM when php8-mod-dom was selected). This is a Kconfig
recursive dependency, so break the recursion by noting that because
php8-mod-xmlreader selects php8-mod-dom, PHP8_DOM is a transitive
depends, so php8-mod-xmlreader should not depend on PHP8_DOM itself.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 247c1a1964)
Switch to a single CONFIG_ per line, and alphabetize.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 8d7faa245a)
The php8 Makefile is already quite large. To improve readability, move
config section to a separate 'Config.in' file. To ensure that the PHP8
option is only saved in '.config' if PHP8 has been selected for building. A
depends on 'PACKAGE_php8' is added to the configuration option in the
'Config.in' file.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 74a3da92b2)
Fixes security issues:
- CVE-2025-13878: Malformed BRID and HHIT records could trigger an
assertion failure.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit 7b25d573e2)
Package is not being used anywhere and the version in the repo has not
been updated in over four years.
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit ac5a4f132a)
* fixed a potential deadlock during startup, when dns reporting is disabled
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 9df8a2b58c)
Release notes:
https://lists.gnu.org/archive/html/coreutils-announce/2025-09/msg00000.htmlhttps://lists.gnu.org/archive/html/coreutils-announce/2025-11/msg00000.html
- Drop chcon and runcon as they require SELinux support and cannot be built from
coreutils 9.9 when configured with --without-selinux.
- Add libgmp dependency for coreutils-basenc to fix missing libgmp.so.10.
- Switch to -std=gnu17 to avoid build failure.
```
lib/openat-die.c: In function 'openat_save_fail':
lib/openat-die.c:37:3: error: format not a string literal and no format arguments [-Werror=format-security]
37 | error (exit_failure, errnum,
| ^~~~~
lib/openat-die.c: In function 'openat_restore_fail':
lib/openat-die.c:56:3: error: format not a string literal and no format arguments [-Werror=format-security]
56 | error (exit_failure, errnum,
| ^~~~~
```
- Refresh patch.
Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
(cherry picked from commit 3f2fbc888e)
* rework DNS reporting: more reliable, more information (request type), better performance
* fixed minor issues
* readme update
* LuCI: added new DNS page (incl. Allowed/Blocked canvas)
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 81891964ed)
HOST BUILD ONLY
Update to 22.22.0
This is a security release.
Notable Changes
(CVE-2025-59465) add TLSSocket default error handler
(CVE-2025-55132) disable futimes when permission model is enabled
lib,permission:
(CVE-2025-55130) require full read and write to symlink APIs
src:
(CVE-2025-59466) rethrow stack overflow exceptions in async_hooks
src,lib:
(CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle
tls:
(CVE-2026-21637) route callback exceptions through error handlers
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
(cherry picked from commit 3cb4028f46)
passlib is unmaintained since 2020 and a maintained fork called libpass,
which is a drop-in replacement (even using the passlib module name), is
now available. https://github.com/Kozea/Radicale/issues/1952 has more
information.
Therefore we remove the python-passlib package from this repo.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 3de4d24830)
This eliminates a dependency on the unmaintained passlib
(python3-passlib) package and add a dependency on libpass, a maintained
fork of passlib: https://github.com/Kozea/Radicale/pull/1953
In addition Radicale auth type 'autodetect' for `htpasswd` auth has
been improved by upstream.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 7af729700b)
passlib has not be updated since 2020 and is therefore a dead project.
Radicale (used in this repo as radicale3) has updated to use libpass (a
maintained fork of passlib): https://github.com/Kozea/Radicale/pull/1953
therefore add python3-libpass to provide libpass, a drop-in replacement
for passlib, and a dependency for Radicale v3.6.0.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit ead09d5fd9)
We update the missing sections defaults to match the upstream default,
which are also our defaults when there is an UCI configuration, and
are also the defaults for the LuCI app.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit c199e37415)
We update the initscript to rebuild the radicale3 target configuration
file and then HUP the radicale3 process to reload it, on a reload
event, rather than the default which does not regenerate the target
configuration.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 9e33952b60)
With recent changes to the proposed PR
(https://github.com/openwrt/luci/pull/8216) for the LuCI app for
radicale3, it is not longer necessary that uncommented configuration
be present in /etc/config/radicale3 for the LuCI app to work.
Therefore make the initial uci config commented sample only.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 78cf89d7d3)
When LuCI uploads files like the SSL key and certificate, it makes the
files readable only by root. Since radicale is running as a
non-privileged user it is unable to access a certificate and key
uploaded by LuCI, therefore when SSL cert and key (and optional CA) are
configured, make them group radicale3 and group readable, so the
radicale server can use them.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit ecf9fb51db)
* Various options have changed since radicale2, and the current
initscripts set configuration that prevents radicale3 from starting
in some cases. So update the options to radicale3.
* LuCI will not display the app when the config file is empty, so
uncomment the first (server section) line.
* Changed the default data directory to /var (emphemeral storage) as
OpenWrt policy is to not write flash by default. As with PostgreSQL,
to be useful the user will need to set configuration for an
appropriate path.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit b1210d155d)
* fix service_reload in initscript so it reloads configuration
* fold long lines for readability
* shellcheck is a useful linter, if a bit pedantic, so use it and
update script to address its warnings.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 2dfa60f3f7)
- Fixed HTTPResponse.read_chunked() to properly handle leftover data
in the decoder's buffer when reading compressed chunked responses.
- Fixed a security issue where decompression-bomb safeguards of the
streaming API were bypassed when HTTP redirects were followed.
(CVE-2026-21441)
- Started treating Retry-After times greater than 6 hours as 6 hours
by default.
- Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten.
Release notes:
https://github.com/urllib3/urllib3/releases/tag/2.6.2https://github.com/urllib3/urllib3/releases/tag/2.6.3
Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
(cherry picked from commit 295c75a2b9)
- Fix posix-mode issue with "wait -n", where it can return process IDs
outside the requested set
- Do not try to use shm_open, there is too much variance in behavior
across systems
- Remove internal quoting that causes failures when expanding nested
array subscripts in an arithmetic context
- Fix issue with source when read(2) returns fewer characters than
fstat(2) says are available
- Fix crash when restoring default disposition for SIGINT in
asynchronous subshell
- Fix issues with range expressions and non-ascii characters in glob
patterns when globasciiranges is enabled
- Fix issue where nofork command substitutions can affect
redirections in the calling shell
- Fix issue with calling mbrtowc too much when translating
ansic-single-quoted strings
- Fix crash when interrupting reverse i-search with ^C
Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
(cherry picked from commit 4a02dcb1c3)
* added firewall rules based on nftables in a separate isolated nftables table (inet adblock)
and chains (prerouting), with MAC addresses stored in an nftables set.
Implemented the following firewall‑integrated features:
* external DNS Routing (unfiltered): routes DNS queries from selected devices or interfaces
to an external unfiltered DNS resolver
* external DNS Routing (filtered): routes DNS queries from selected devices or interfaces
to an external filtered DNS resolver
* force DNS: blocks or redirects all external DNS traffic from selected interfaces
to ensure that clients use the local resolver
* removed the optional generation of an additional jail list (only supported bydnsmasq),
use the new, resolver independent ext. DNS routing instead
* removed the pz-client-ip feature (only supported by bind),
use the new, resolver independent ext. DNS routing instead
* removed the obsolete, hardcoded fw4 rules for DNS enforcement
existing rules will be removed via uci-defaults script after adblock update
* changed the Jail mode to a simple allowlist-only mode
* fixed minor issues in the mail template
* readme update
* LuCI: added a new config tab "Firewall Settings"
* LuCI: fixed minor usability issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 389baa9d00)
Provide a virtual wget-any to match the uclient-fetch provides in base.
Remove unused gnu-wget provide.
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit 38e19d3fb6)
We are pleased to announce the release of Unicode® ICU 78.2. It updates to CLDR 48.1. These are maintenance releases for ICU 78 and CLDR 48, with limited sets of bug fixes and no API or structural changes.
ICU 78.2 also includes a small number of bug fixes, as well as a minor update for time zone data (tzdata) version 2025c (2025-dec) ICU-23296.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
(cherry picked from commit 1305fa9b58)
* hardened the uci config parsing
* added a fast, flexible & secure IPv4/IPv6 validator function, it eliminates > 99 % of garbage inputs
Please note: The ‘rule’ in the feed file now only contains parameters for the IP validator;
details can be found in the readme file. Old custom feed files are not compatible and will be
backed up/removed via the uci-defaults script
* added BCP38 support: to block packets with spoofed source IP addresses in all supported chains
* optimized the log monitor plus performance improvements
* removed the pallebone feed (discontinued)
* added the ipexdbl feed
* various small improvements
* LuCI: add the BC38 option under Table/Chain Settings
* LuCI: updating the custom feed editor
* LuCI: small usability improvements
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 396c65e670)
This package is not compiled due to this build log failure:
```
adding 'radicale-2.1.12.dist-info/RECORD'
removing build/bdist.linux-aarch64/wheel
Successfully built radicale-2.1.12-py3-none-any.whl
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/builder/shared-workdir/build/sdk/staging_dir/hostpkg/lib/python3.13/site-packages/installer/__main__.py", line 98, in <module>
_main(sys.argv[1:], "python -m installer")
~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/builder/shared-workdir/build/sdk/staging_dir/hostpkg/lib/python3.13/site-packages/installer/__main__.py", line 86, in _main
with WheelFile.open(args.wheel) as source:
~~~~~~~~~~~~~~^^^^^^^^^^^^
File "/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a53_musl/usr/lib/python3.13/contextlib.py", line 141, in __enter__
return next(self.gen)
File "/builder/shared-workdir/build/sdk/staging_dir/hostpkg/lib/python3.13/site-packages/installer/sources.py", line 162, in open
with zipfile.ZipFile(path) as f:
~~~~~~~~~~~~~~~^^^^^^
File "/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a53_musl/usr/lib/python3.13/zipfile/__init__.py", line 1367, in __init__
self.fp = io.open(file, filemode)
~~~~~~~^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a53_musl/pypi/Radicale-2.1.12//openwrt-build/Radicale-2.1.12-*.whl'
```
This occurred due to PEP 625, which requires wheel filenames in lowercase.
The local build produces lowercase-compliant names (radicale-2.1.12-*.whl),
but the script searches for uppercase (Radicale-2.1.12-*.whl).
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 2f1a3a1f29)
Pika is a pure-Python implementation of the AMQP 0-9-1 protocol that
tries to stay fairly independent of the underlying network support
library.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit d8437af213)
Radicale is a small but powerful CalDAV (calendars, to-do lists) and
CardDAV (contacts) server.
This package provides the latest 3.x series, which succeeds radicale2.
This is replacament for recently dropped radicale2 and radicale1.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 16b5a43e39)
Michael Heimpold
Daniel F. Dickinson
Florian Eckert
Tianling Shen
TeleostNaCl Dai
Zhu Yujie
Noah Meyerhans
George Sapkin
Jens Wagner
Dirk Brenken
Wei-Ting Yang
Hirokazu MORIKAWA
xiao bo
Ray Wang
Niklas Thorild
Eric Fahlgren
Josef Schlehofer