commit ea66e463cf added a new config
option LIBCURL_HTTP_AUTH to enable or disable HTTP_AUTH support in
cURL. It defaulted the option to n (disabled).
However, prior to this change HTTP_AUTH was enabled for cURL, as the
configure script defaults to HTTP_AUTH enabled when it is not
explicitly disabled.
This impacts any consumer of cURL that uses HTTP_AUTH, including
authentication by username and password in the URL. (Confirmed via
run testing).
So we set the default for the option to y (enabled).
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 57e6f89c02)
- Update daemon to 2.3.9 to fix removal of nftables rules in
`upnp_forward` and return the correct internal port; also resulted in
the excessive opening of new ports. Accept interface names starting
with digits
- Build from GitHub releases to get a reliable HTTPS server, as the
HTTP-only/HTTPS mirror were only available ~85%/77% over 3 months
https://redirect.github.com/miniupnp/miniupnp/issues/770https://stats.uptimerobot.com/DwGDxUB914
- Build daemon with `--disable-pppconn` to remove the old/IGDv1-only
extra WANPPPConnection SSDP announcements workaround not included in
other implementations since >15y
- Build daemon with `--vendorcfg` to allow customisation of the
router/friendly name (+5 potential options) displayed in Windows
Explorer, 384 bytes extra required on ARMv7 (binary)
- Remove old (iptables variant only) patches, as no longer needed
- Remove `clean_ruleset_interval/threshold` UCI config options as not
standard/working since OpenWrt 22.03, as nftables not supported
Fixes: https://github.com/openwrt/openwrt/issues/18011
Fixes: https://github.com/openwrt/luci/issues/7759
Fixes: https://github.com/openwrt/packages/issues/26352
Signed-off-by: Self-Hosting-Group <selfhostinggroup-git+openwrt@shost.ing>
[update fixes tag]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 70ce349f1c)
For zabbix-server-frontend, the absence of php8-mod-filter results in
many of the frontend's pages failing to render. Therefore add this
module as a frontend dependency.
Without php8-mod-openssl the frontend fails with:
[13-Dec-2025 18:47:25 UTC] PHP Fatal error: Uncaught Error: Call to
undefined function openssl_random_pseudo_bytes() in
/www/zabbix/include/classes/helpers/CEncryptHelper.php:89
Stack trace:
CEncryptHelper::generateKey()
thrown in /www/zabbix/include/classes/helpers/CEncryptHelper.php on
line 89
Therefore add php8-mod-openssl as a frontend dependency.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 33b868d540)
Due to the incorrect DEPENDS configuration, the vim-full and vim-fuller
packages won't show up in menuconfig if the vim-runtime package is not
selected. This happens because these packages depend on vim-runtime.
To fix this, add the '+' symbol to the DEPENDS line. This ensures that
when either vim-full or vim-fuller is selected, the vim-runtime package
(which is a dependency) will also be selected automatically.
Fixes: d1351b3 ("vim: fix config and runtime")
Signed-off-by: TeleostNaCl Dai <teleostnacl@gmail.com>
(cherry picked from commit 639fdb4008)
Signed-off-by: George Sapkin <george@sapk.in>
nginx modules must not provide nginx which causes them to not be able
to be installed alongside nginx due to the new apk provide fixes.
Remove PROVIDES from modules.
Remove nginx-ssl from PROVIDES as there is no non-ssl variant, i.e. all
version provide ssl.
Set nginx-ssl as the default variant.
Remove non-existent config value.
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit 63a666bd05)
tar depended both on xz and xz-utils which xz already depended on.
Coupled with if PACKAGE_tar check it caused all packages that depended
on tar to have a circular Kconfig dependency. Remove the check and
dependency on xz-utils and leave xz one only.
Move libzstd dependency into DEPENDS.
Fixes: ad82c17 ("tar: fix EXTRA_DEPENDS")
Fixes: https://github.com/openwrt/packages/issues/28141
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit 3dcc4f1d3f)
EXTRA_DEPENDS should be used for version constraints. Change to DEPENDS.
Fixes: 6a559a9 ("chicken-scheme: version 5.2.0; include compiler")
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit 970416925c)
EXTRA_DEPENDS should be used for version constraints. Change to DEPENDS.
Fixes: 488be84 ("utils/tar: Make compression, acl, and xattr support configuration options")
Fixes: 7a49296 ("utils/tar: Fix defaulting to selecting dependencies")
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit ad82c17f71)
When PHP8_DOM is enabled then xmlreader automatically gains a
dependency to php8-mod-dom, not only when the dom module
is actually built.
So fix it by declaring this dependency.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit e6c59b5188)
As with gettext modules described in #28078 and #28075, xml and dom
related module selection affects the dependencies of other packages.
Therefore, we invert the dependency logic:
PHP8_LIBXML and PHP8_DOM are are enabled by default and packages
which depend on libxml2 and --enable-dom=shared are not shown (and
the related configure args are disabled) if the config options are
not enabled.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit f9591b8518)
Fixes: php8: global package dependency changes based on module
selection
Fixes: #28078
As described in #28078 and #28075,
Some binaries gain a dependency on libstdcpp when mod-gettext is included
in the build, however this was not explicitly declared, so packaging
fails with (e.g.):
Package php8-cgi is missing dependencies for the following libraries:
libstdc++.so.6
In contrast to #28075, this commit takes the approach:
* Make use of --with-gettext depend on a configure flag (enabled by
default, since that matches current full build behaviour)
* Make sub-packages which require --with-gettext depend on the
configure flag
This means that e.g. php-cgi would not have gettext support if the
configure flag was disabled, and e.g. php-mod-gettext and php-mod-intl
would not be selectable.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 6d6233b6b7)
This package is only used by `fail2ban`. After updating `fail2ban` to
`1.1.0` (2a202b2091), the `2to3` package
is no longer needed. If required, anyone can reintroduce the package.
Signed-off-by: Wesley Gimenes <wehagy@proton.me>
(cherry picked from commit df05c12089)
Updates Zabbix to 7.0.21-r1 (latest 7.0 LTS version)
Note that for the frontend, clearing browser cache, cookies and other
site data for the zabbix frontend server may be necessary.
Security fixes compared to 7.0.12 (most are frontend only):
* CVE-2025-27238: API hostprototype.get lists data to users with
insufficient authorization https://support.zabbix.com/browse/ZBX-26988
* CVE-2025-27236: User information disclosure via api_jsonrpc.php on
method user.get with param search:
https://support.zabbix.com/browse/ZBX-27060
* CVE-2025-27231: LDAP 'Bind password' field value can be leaked by a
Zabbix Super Admin: https://support.zabbix.com/browse/ZBX-27062
* CVE-2025-49641: Insufficient permission check for the
problem.view.refresh action:
https://support.zabbix.com/browse/ZBX-27063
* CVE-2025-49643: Frontend DoS vulnerability due to asymmetric
resource consumption: https://support.zabbix.com/browse/ZBX-27284
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 0488c96b08)
- Install shared runtime for both full and fuller.
- Switch big to huge as big is just an alias to normal.
- Fix default config path for tiny variant.
- Use upstream default config for both full and fuller.
- Don't mark default config files for backup.
- Don't mix variant files.
- Mark fuller variant config files for backup.
- Update configure arguments and remove deprecated ones.
- Remove deprecated configuration variables.
- Improve descriptions.
- Fix the following error by installing the missing runtime files for
full and correctly installing the default config for tiny:
E1187: Failed to source defaults.vim
- Fix the following fuller error by installing the missing directory in
runtime:
Error detected while processing /usr/share/vim/vim91/plugin/netrwPlugin.vim:
line 7:
E919: Directory not found in 'packpath': "pack/*/opt/netrw"
Fixes: https://github.com/openwrt/packages/issues/20203
Fixes: https://github.com/openwrt/packages/issues/28104
Signed-off-by: George Sapkin <george@sapk.in>
This reverts commit cbdadd2f9e.
Seems to cause trouble at least in ipq806x/R7800, so let's revert
for cautionary reasons.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Fixes pgsql-server: the setup fails for any folder
Fixes#27228
Sets postgresql-specific configure flags that configure cannot run-test
to determine their value. This fixes improperly linked files that
prevent database initialization (at least) from working on the device.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 0bb3db019a)
* fixed f_uci function
* fixed f_switch function, reported in the turris forum
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit afce31650c)
This is a security release.
Security:
* CVE-2025-31498. A use-after-free bug has been uncovered in read_answers() that was introduced in v1.32.3. Please see GHSA-6hxc-62jh-p29v
* CVE-2025-62408. A use-after-free bug has been uncovered in read_answers() that was introduced in v1.32.3. Please see GHSA-jq53-42q6-pqr5
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
(cherry picked from commit ebdb9536a9)
658b14b main: Add `stderr` option for cgi-exec to redirect stderr to stdout
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
(cherry picked from commit 90e227e755)
Remove many obsolete files.
Makefile:
* remove netifd-flavour related code
* remove trailing white spaces
Init-script:
* proper deletion of default network rules for IPv{4,6}
* fix netifd function error when IPv6 is enabled
* remove trailing white spaces
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 89e29f7141)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Update irqbalance to version 1.9.5
* drop the original local meson patch, as meson is now properly adopted
by upstream. But patch meson.build to keep glib2 library statically
linked in order to avoid a dependency and indirect size increase.
* disable unnecessary functions via meson features settings
(capng, numa, systemd, thermal, ui)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit 65d83de7f8)
* hardened the uci config parsing
* added a fast, flexible & secure domain validator function, it eliminates > 99 % of garbage inputs
- Please note: the "rule" in the feed file now only includes parameters for the domain validator,
see readme for details. Please nuke a custom feed file from former versions - they are no longer
compatible
* readme update
* LuCI: fixed a minor issue in the logread template
* LuCI: adapted the rule select options in the custom feed editor to use the new domain validator
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit b085131830)
* split travelmate.s in a new central travelmate function library (usr/lib/travelmate-functions.sh) plus
a smal service script (/usr/bin/travelmate-service.sh)
* the vpn-, mail- and login scripts are now using the central function library
* rework the ntp hotplug script
* harden the config parsing
* support the curl interface option to specify which network pathway is used for outgoing requests
* the travelmate status now includes the backend- and frontend version information
* LuCI: use a special travelmate interface, e.g. trm_wwan or use an existing wwan interface
* LuCI: no longer call the logread binary, use rpc / the ubus log object instead
* LuCI: various code cleanups
* LuCI: various small usability improvements
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 990bf69fd7)
Disable posting formality check status comments and adding related
labels while the security token is being figured out.
Link: https://github.com/openwrt/packages/pull/28011
Fixes: 2c558a8 ("ci: label formality failures")
Fixes: 7658669 ("multi-arch-test-build: post formal summaries to PR")
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit 1f2d66502b)
Current odhcpd in master writes MAC addresses with colons in his lease file,
this new odhcpd format leads to a crash loop in unbound (if DHCPv4 to SLAAC is selected).
Just remove the colons, before the processing in slaac_eui64 begins, fixes#28032
Signed-off-by: Dirk Brenken <dev@brenken.org>
As the python3-distutils was dropped while bumping the version
to 3.13.9 via 97a92f2e7a, remove the
python3-distutils from all packages that are currently using it.
OpenWrt already uses recent enough releases of these packages
that have adapted to work without distutils, so the dependency
can be safely removed.
Signed-off-by: Til Kaiser <mail@tk154.de>
Daniel F. Dickinson
Self-Hosting-Group
TeleostNaCl Dai
Wei-Ting Yang
George Sapkin
Michael Heimpold
Wesley Gimenes
Sandro Jäckel
Luiz Angelo Daros de Luca
Jonas Jelonek
Hannu Nyman
Dirk Brenken
Hirokazu MORIKAWA
Paul Donald
Stan Grishin
Eric Fahlgren
Vladimir Ulrich
Goetz Goerisch
Til Kaiser
Yanase Yuki
Jon Henrik Bjørnstad
Niklas Thorild