This is the latest 3.14.x point release with assorted bug fixes
from upstream. PYTHON3_PIP_VERSION is bumped from 26.0.1 to 26.1.1
to match the pip wheel bundled in the 3.14.5 source tarball; the
host build's ensurepip lookup of pip-$(PYTHON3_PIP_VERSION).whl
otherwise fails. The set of OpenWrt-side patches still applies
against the new source; only quilt context-line offsets needed
refreshing for the patches that touch Makefile.pre.in.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Resolves several security issues:
- CVE-2026-3592: Limit resolver server list size.
- CVE-2026-3039: Fix GSS-API resource leak.
- CVE-2026-5950: Avoid unbounded recursion loop.
- CVE-2026-5947: Fix crash in resolver when SIG(0)-signed responses are
received under load.
- CVE-2026-3593: Add system test for HTTP/2 SETTINGS frame flood.
- CVE-2026-5946: Disable recursion, UPDATE, and NOTIFY for non-IN views.
Complete list of changes is available upstream at
https://ftp.isc.org/isc/bind9/9.20.23/doc/arm/html/changelog.html
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
* bugfix: only load the configuration once per run: a new `ban_confload`
guard short-circuits `f_conf()` on subsequent calls, avoiding
repeated `config_load` invocations
* new: the per-set report now sorts elements by their packet counter in
descending order before truncating to the top 50, so the report
shows the most active elements instead of just the first 50 found
Signed-off-by: Dirk Brenken <dev@brenken.org>
Bump from 46.0.7 to the current 48.0.0 release. Notable upstream
changes since 46.0.7:
- 48.0.0 drops Python 3.8 support (requires 3.9+); raises
Py_LIMITED_API floor to 0x030900f0.
- Adds ML-KEM / ML-DSA post-quantum primitives via OpenSSL 3.5.0+
(in addition to existing AWS-LC / BoringSSL paths).
- BACKWARDS INCOMPATIBLE: stricter X.509 CRL signature-algorithm
matching (mismatched inner/outer algs now raise ValueError at parse
time).
- Drops 32-bit Windows wheels and ships macOS only on arm64.
Replace the old downstream cross-compile fix with a backport of the
upstream-merged version from pyca/cryptography PR #14904
(commit 5d072cb2a685, scheduled for the release after 48.0.0).
Release notes:
https://cryptography.io/en/latest/changelog/#v48-0-0
Fixes: https://github.com/openwrt/packages/issues/29521
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Changes since 2024-05-13:
c24e06c2 configure: Check for SVE support in MS armasm64 via as_check
3a8b5be2 aarch64: Use elf_aux_info() for CPU feature detection on FreeBSD/OpenBSD
1243d9ff Provide x264_getauxval() wrapper for getauxvaul() and elf_aux_info()
80c1c47c configure: Add DragonFly support
3a21e97b Fix build with Android NDK and API < 24 for 32-bit targets
b1d2de88 Use getauxval() on Linux and elf_aux_info() on FreeBSD/OpenBSD on arm/ppc
da14df55 Make use of sysconf(3) _SC_NPROCESSORS_ONLN and _SC_NPROCESSORS_CONF
023112c6 aarch64: defines involving bit shifts should be unsigned
938601b9 Use sysctlbyname(3) hw.logicalcpu on macOS
a64111b1 Enable use of __sync_fetch_and_add() wherever detected instead of just X86
450946f9 ci: Test compiling for Android
52f7694d Use sched_getaffinity on Android
373697b4 Bump dates to 2025
c80f8a28 msvsdepend: Allow using the script for .S sources too
27d83708 Makefile: Generate dependency information implicitly while compiling
a0191bd8 configure: Use as_check for checking for aarch64 features
72ce1cde configure: Use as_check for the main check for whether NEON is supported
f87ca183 configure: Check for .arch and .arch_extension for enabling aarch64 extensions
87044b21 aarch64: Use configure detected directives for enabling SVE/SVE2
fc4012fb configure: Check for the dotprod and i8mm aarch64 extensions
0e48d072 aarch64: Add flags for runtime detection of dotprod and i8mm
570f6c70 aarch64: Add runtime detection of extensions on Windows and macOS
fe9e4a7f Provide implementations for functions using the instructions SDOT/UDOT in the DotProd Armv8 extension.
32c3b801 lavf: Update the code to work with the latest libavutil API
4360ac37 ci: Fix ffmpeg build
40617ddb ci: Remove vlc-contrib dependency
85b5ccea Update gas-preprocessor.pl to the latest upstream version
ff620d0c configure: Use MSYSTEM_CARCH for default arch on msys2
714e07b4 arm: Don't test x264_cpu_fast_neon_mrc_test on Windows
291476d7 windows: Fix named pipes detection
b35605ac i8mm & neon hpel_filter optimization
0480cb05 riscv64: add compile support
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
When python3 -m build is invoked during host-compile, it fails with:
    /builder/staging_dir/hostpkg/bin/python3.14: No module named build
The package's HOST_BUILD_DEPENDS only pulled in python3 and
python-packaging, missing the actual host tooling for the new
pyproject build flow:
- python-build : provides the 'build' module itself
- python-installer : installs the resulting wheel
- python-wheel : wheel format support
- python-flit-core : marshmallow's declared build-backend
  (build-backend = "flit_core.buildapi" in pyproject.toml)
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
- f_search: refactored backup and local block-/allowlist scan to run in parallel
- f_search: raise the search timeout in backups to max. 90 seconds
- f_load: skip f_fetch for search action, no remote download is needed for local lookups
- f_dns: skip destructive paths (file wipe, f_dnsup) for search and report actions
- LuCI: adapt search backend changes in the frontend
- LuCI: minor frontend fixes & improvements
Signed-off-by: Dirk Brenken <dev@brenken.org>
Kernel version 6.18.33 backports kmalloc_obj macros but GFP flags are
required, which causes build failures as ovpn omits GFP flags. Undef
those macros to fix the build.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
First upstream release since 2023-07. All four locally-carried patches
are merged in 1.0.4 and can be dropped:
- 0001 (PR #57): udev_device.c TOCTOU race fix
- 0002 (PR #62): avoid OOM on small systems
- 0003 (PR #66): correct touchpad detection
- 0004 (PR #80): hwdb USB ID lookup from usb.ids
The release also pulls in PR #79 (do not assume EV_REL and EV_ABS are
mutually exclusive in udev_device.c).
Release notes:
https://github.com/illiliti/libudev-zero/releases/tag/1.0.4
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The three CLI helpers shipped by python3-argcomplete
(activate-global-python-argcomplete, register-python-argcomplete,
python-argcomplete-check-easy-install-script) don't accept a --version
flag and emit no PKG_VERSION string in their usage output. With all
three executables missing the version, the generic CI test stage
fails with "No executables in the package provided version 3.6.3".
Add a test-version.sh that emits a line containing PKG_VERSION so the
framework's "Version check override" passes. The existing test.sh
already exercises the Python module import.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
New features (pipx 1.12.0):
- Add --fetch-python / PIPX_FETCH_PYTHON env var (always|missing|never)
to control standalone Python interpreter downloads
- Add opt-in "uv" backend: pipx can now use "uv venv" and "uv pip" for
managing virtual environments
* When "uv" is on PATH, defaults to using uv for NEW venvs
* Existing venvs keep their recorded backend (pip or uv)
* Set PIPX_DEFAULT_BACKEND=pip to force pip even with uv available
* pipx install pip always uses the pip backend (uv venvs have no pip)
Deprecations:
- --fetch-missing-python and PIPX_FETCH_MISSING_PYTHON deprecated;
use --fetch-python=missing or PIPX_FETCH_PYTHON=missing instead
Changelog:
https://github.com/pypa/pipx/releases/tag/1.12.0
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Fixes:
- Moved "headers" input type back to Mapping to avoid invariance issues
with MutableMapping and inferred dict types.
Users calling Request.headers.update() may need to narrow typing in code
(Closes #7441).
Security:
- CVE-2026-25645: Fixed extract_zipped_paths to extract contents to
a non-deterministic temp directory, to prevent malicious file replacement.
Does not affect default usage of Requests, only apps calling this utility
directly.
Changelog:
https://github.com/psf/requests/releases/tag/v2.34.2
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
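
A simplified model of the temp-file pattern behind the CVE-2026-25645 entry above, added here as an illustration; it is not code from Requests or from this commit. The function names, the stand-in "shared" directory and the sample archive are hypothetical and constructed for the example.

```python
import os
import shutil
import tempfile
import zipfile


def extract_predictable(archive, member, shared_tmp):
    """Deterministic pattern: target is <shared tmp>/<basename>, reused if present."""
    target = os.path.join(shared_tmp, os.path.basename(member))
    if not os.path.exists(target):  # a file already at this path is trusted as-is
        with zipfile.ZipFile(archive) as zf, open(target, "wb") as out:
            out.write(zf.read(member))
    return target


def extract_private(archive, member):
    """Hardened pattern: a fresh, owner-only directory with a random name per call."""
    workdir = tempfile.mkdtemp(prefix="zipped-")  # mode 0700 on POSIX
    target = os.path.join(workdir, os.path.basename(member))
    with zipfile.ZipFile(archive) as zf:
        data = zf.read(member)
    # O_EXCL: fail instead of reusing or following anything already at the path.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return target


def demo():
    """Constructed scenario: another local user pre-created the predictable file."""
    shared = tempfile.mkdtemp(prefix="shared-tmp-")  # stand-in for a world-writable /tmp
    archive = os.path.join(shared, "bundle.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("certs/cacert.pem", "GENUINE")
    with open(os.path.join(shared, "cacert.pem"), "w") as planted:
        planted.write("PLANTED")
    with open(extract_predictable(archive, "certs/cacert.pem", shared)) as f:
        old = f.read()
    private_path = extract_private(archive, "certs/cacert.pem")
    with open(private_path) as f:
        new = f.read()
    shutil.rmtree(shared)
    shutil.rmtree(os.path.dirname(private_path))
    return old, new


if __name__ == "__main__":
    print(demo())
```
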
Fixes (click 8.3.3):
- Fix help strings for "help_option_names" that do not contain "-"
- Help string generation now properly handles option names with dashes
Changelog:
https://github.com/pallets/click/releases
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The RTKLIB command-line tools (convbin, pos2kml, rnx2rtkp, rtkrcv,
str2str) don't accept a --version flag; passing any unrecognized option
triggers printhelp()/printusage() which only emits a synopsis block. The
generic CI version probe therefore can't find PKG_VERSION and marks the
package as missing a version match.
Add a test-version.sh that exit-0's for all five subpackages to skip the
generic version check, and a test.sh that exercises each binary's
synopsis output as a basic functional smoke test.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The MIPS variants (mips_24kc, mips_4kec, mipsel_24kc, mipsel_74kc) all
fail to compile preceph.c with an internal compiler error:
    during RTL pass: reload
    src/preceph.c:317:1: internal compiler error:
    in lra_update_fp2sp_elimination, at lra-eliminations.cc:1416
This is a GCC LRA pass bug triggered when compiling with -mips16. Set
PKG_BUILD_FLAGS:=no-mips16 to strip the -mips16 / -minterlink-mips16
flags from CFLAGS for this package, matching the approach already used
by stress-ng for the same class of issue.
Bump PKG_RELEASE since only the build flags change.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The original node_exporter exposes a node_os_info metric with a set of
data about the system [1] which is then used by several dashboards.
openwrt.lua already exposes OS info, but using the node_openwrt_info
metric requires changes to existing dashboards, and would require more
complex lookups when there are non-OpenWrt hosts in the overview too.
As we've already called ubus and fetched the data, we can expose it in
two formats easily.
[1] d6d0e710bb/collector/os_release.go (L190-L192)
Signed-off-by: Evgeni Golov <evgeni@golov.de>
Handle cases where 'mac' is missing (nil), a single string,
or an array (table).
Additionally, add support for the 'duid' field.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Add a collector for the various filesystem metrics which matches the
node-exporter behaviour. This collector supports the following metrics:
* node_filesystem_size_bytes
* node_filesystem_free_bytes
* node_filesystem_avail_bytes
* node_filesystem_files
* node_filesystem_files_free
* node_filesystem_readonly
Signed-off-by: Will May <will.j.may@gmail.com>
Add a Prometheus collector for ModemManager that exports cellular modem
signal metrics via mmcli. Supports multiple modems (labeled by D-Bus
object path), exports overall signal quality and detailed per-technology
signal parameters (LTE, NR5G, UMTS, GSM, CDMA, ...).
Requires signal refresh to be enabled on the modem:
    mmcli -m <id> --signal-setup=<interval_seconds>
Tested on: ath79/generic, GL.inet GL-X300B, OpenWrt 23.05.5
Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: Jean-Laurent Girod <jeanlaurent.girod@icloud.com>
apk's ADB binary package format rejects both the backslash-escape and
the percent-encoding variants of the previous CPE id:
    cpe:/a:erlang:erlang\/otp ERROR: info field 'tags' has invalid value
    cpe:/a:erlang:erlang%2Fotp ERROR: info field 'tags' has invalid value
apk's tag value parser only accepts a restricted alphabet for ADB
package format and neither '\' nor '%' make the cut. The result is
that the package never produces an .apk.
Drop the '/otp' suffix entirely and use cpe:/a:erlang:erlang, which
matches the higher-level Erlang CPE entry. CVE scanners that walked
the more specific erlang\/otp entry will fall back to this one.
This effectively reverts the product portion of bfdf01496 ("lang/erlang:
fix PKG_CPE_ID"), which was correct against the NIST 2.3 string but
incompatible with apk's tag parser.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Two unrelated issues both fixed here so the package + its samples
sub-package land in CI green:
1. PKG_CPE_ID escaping.
apk's ADB binary package format rejects both the backslash-escape
and the percent-encoding variants of the previous CPE id:
    cpe:/a:apache:xerces-c\+\+ ERROR: info field 'tags' has invalid value
    cpe:/a:apache:xerces-c%2B%2B ERROR: info field 'tags' has invalid value
apk's tag value parser only accepts a restricted alphabet for ADB
package format and neither '\' nor '%' make the cut. With xerces-c
unable to build, downstream consumers (notably sumo) also fail at
cmake configure time with "Failed to find XercesC".
Drop the '++' suffix entirely and use cpe:/a:apache:xerces-c, which
matches the higher-level Apache Xerces-C CPE entry. CVE scanners
that walked the more specific xerces-c++ entry will fall back to
this one.
2. Generic version-check override for libxerces-c-samples.
The samples sub-package ships upstream demo programs
(CreateDOMDocument, DOMCount, DOMPrint, SAX2Count, ...) which do
not accept --version / -v / -V and therefore fail the framework's
"executable prints PKG_VERSION" probe, making the package overall
report "Generic tests failed". Add a minimal test-version.sh that
exits 0 so the version-probe is skipped and the remaining generic
checks (executable, no hardcoded paths, stripped, linked libs)
still run for every binary.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
lmdb-test ships /usr/bin/mtest, a stress test that unconditionally
opens ./testdb in the current directory and aborts (SIGABRT) when
that directory is missing. In the CI runtime container that's
always the case, so the framework's --version probe ends up with
"Aborted" output, no PKG_VERSION match, and the package gets
reported as "Generic tests failed - No executables in the package
provided version 0.9.35".
Add libs/lmdb/test-version.sh that handles each sub-package by name:
lmdb (library) and lmdb-test (no usable version probe) pass the
override, lmdb-utils runs 'mdb_dump -V' and matches against
PKG_VERSION, and unknown sub-packages fail loudly to force this
script to be updated. The other generic checks (no hardcoded paths,
stripped, linked libs) still run for every binary.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Bump from 2.0.1 to the latest 2.0 LTS release. This pulls in
upstream commit 53cb738795 ("dnsdist: make code boost-1.91
compatible", Otto Moerbeek, 2026-04-29), which fixes the build
break against Boost 1.91 currently shipped by OpenWrt:
    dnsdist-lua.cc:3086:101: error: converting to
    'boost::optional<unordered_map<...>>' from initializer list
    would use explicit constructor 'constexpr boost::optional<T>::
    optional(U&&) [...]'
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Some FortiGate VPN gateways require a specific authentication realm
when multiple domains or user groups are configured on the same server.
This commit updates the netifd protocol script to parse the 'realm'
option from the UCI configuration and correctly append it to the
openfortivpn command line arguments.
Signed-off-by: Xing-Kai Wang <my@xkwang.org>