OpenWrt v21.02.4 Changelog

This changelog lists all commits made in OpenWrt since the v21.02.3 tag, grouped by subsystem. The changes are ordered chronologically from top to bottom and cover the Git repository history up to the tagging of the 21.02.4 release.

See also the release notes, which provide a more accessible overview of the main changes in 21.02.4.

Build System / Buildroot (14 changes)

bd84d51 build: fix ldconfig executable error in python (+1,-2)
44fa330 kernel: use KCFLAGS for passing EXTRA_OPTIMIZATION flags (+4,-11)
b0968be kernel: support setting extra CFLAGS for kernel compilation (+5,-1)
b54ef39 bcm53xx: use -falign-functions=32 for kernel compilation (+1)
d445df8 feeds: use git-src-full to allow Git versioning (+6,-6)
4e22175 scripts: add xxdi.pl (+50)
70124b8 scripts: xxdi.pl: remove File::Slurp dependency (+17,-2)
45a486b scripts: xxdi.pl: add xxd -i compat mode (+19,-18)
1c8c846 build: provide xxd -i with scripts/xxdi.pl (+4,-1)
f0bca34 scripts: always check certificates (+11,-2)
f14d7ce scripts/download.pl: silence can't exec curl warning (+1,-1)
c07c565 scripts/download.pl: fix downloads with wget (+8,-2)
af88bdb Makefile: fix stray \ warnings with grep-3.8 (+1,-1)
830b07f build: add support for python3.11 and higher (+4,-2)

Build System / Feeds (1 change)

d445df8 feeds: use git-src-full to allow Git versioning (+6,-6)

Build System / Host Utilities (3 changes)

206d790 tools/libressl: update to version 3.4.3 (+2,-2)
2f82fc6 tools/libelf: alpine linux os type: linux-musl fix (+11)
c6d3f39 tools: remove xxd package (+1,-20)

Build System / SDK (2 changes)

41e0dc5 sdk: add spidev-test to the bundle of userspace sources (+16,-4)
fc86176 build: fix warnings from grep (+1,-1)

Kernel (22 changes)

1418439 kernel: add missing config symbols (+2)
e0bdf83 kernel: bump 5.4 to 5.4.191 (+113,-219)
7ae0f74 kernel: bump 5.4 to 5.4.192 (+21,-21)
ce92de8 kernel: bump 5.4 to 5.4.194 (+13,-13)
be06390 kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
6d891ad kernel: check dst of flow offloading table (+119,-22)
8001e19 kernel: backport wireguard blake2s patch (+108)
3439c2f kernel: Remove kmod-crypto-lib-blake2s (+1,-24)
44fa330 kernel: use KCFLAGS for passing EXTRA_OPTIMIZATION flags (+4,-11)
4ec80cd kernel: drop patch adding hardcoded kernel compilation flags (-25)
e481244 kernel: backport LEDs driver for BCMBCA devices (+499)
e0b7557 kernel: update leds-bcm63138 driver (+85)
8d24ea3 kernel: rename 5.20 patches to 6.0 ()
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)
afc1839 kernel: backport mtd patch adding of_platform_populate() calls (+88,-15)
c3c59e6 kernel: backport U-Boot environment data NVMEM driver (+359,-9)
8e5de89 kernel: bump 5.4 to 5.4.213 (+102,-107)
edf3363 kernel: backport mtd dynamic partition patch (+110,-4)
6564d3e bcm53xx: update NVMEM driver for NVRAM (+230,-5)
4c45c11 kernel: update U-Boot NVMEM driver (+59)
221c624 kernel: fix possible mtd NULL pointer dereference (+32,-2)
084a8a2 kernel: bump 5.4 to 5.4.215 (+71,-71)

Packages / Boot Loaders (6 changes)

caeb618 ramips: add support for Sitecom WLR-4100 v1 002 (+204,-2)
052ff08 sunxi: add support for Banana Pi M2 Berry (+17)
3210166 ramips: add support for YunCore AX820/HWAP-AX820 (+152,-1)
4dca82b uboot-bcm4908: update to the latest generic (+3,-3)
6fb1cb6 arm: dts: add Netgear RAXE450 / RAXE550 (+52,-1)
0625aad arm: dts: add ASUS GT-AX6000 (+119,-1)
ee34451 uboot-bcm4908: add BCM4912 build (+33,-3)
5a31942 uboot-bcm4908: include SoC in output files (+4,-2)

Packages / Common (21 changes)

75cbd8d wolfssl: fix compilation with /dev/crypto (+19)
b4a9597 hostapd: add support for enabling link measurements (+10)
1a2940f hostapd: add ubus method for requesting link measurements (+65)
e2030fc hostapd: add ubus link-measurements notifications (+43)
39aaec6 hostapd: refresh patches (+4,-4)
60e88fd exfat: update to 5.19.1 (+2,-2)
78b7515 openssl: bump to 1.1.1o (+6,-6)
c2147ae cryptodev-linux: update to 1.12 (+3,-35)
2039c04 openssl: bump to 1.1.1p (+2,-2)
6f89233 openssl: bump to 1.1.1q (+2,-2)
41e0dc5 sdk: add spidev-test to the bundle of userspace sources (+16,-4)
5f189f2 zlib: backport fix for heap-based buffer over-read (CVE-2022-37434) (+33,-1)
b93327c zlib: backport null dereference fix (+30,-1)
f5db80a uclibc++: fix compilation with long file paths (+86)
69ea8af hostapd: ubus: fix uninitialized pointer (+1,-1)
cb65014 mac80211: disable ft-over-ds by default (+1,-1)
049e8f6 wolfssl: bump to v5.3.0-stable (+2,-45)
a13dacb wolfssl: bump to 5.4.0 (+4,-4)
4be7eb7 wolfssl: bump to 5.5.0 (+5,-5)
914d912 wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173) (+2,-2)
8444302 treewide: fix security issues by bumping all packages using libwolfssl (+3,-3)

Packages / Firmware (6 changes)

c663368 firmware: intel-microcode: update to 20220207 (+4,-4)
4c8bf08 firmware: intel-microcode: update to 20220510 (+2,-2)
93f6051 wireless-regdb: update to version 2022.02.18 (+2,-2)
c028078 wireless-regdb: bump to 2022.06.06 (+3,-3)
2179d06 wireless-regdb: update to 2022-08-12 (+2,-2)
82ebc17 firmware: intel-microcode: update to 20220809 (+2,-2)

Packages / OpenWrt base files (1 change)

1ea34b9 base-files: add support for heartbeat led trigger (+9)

Packages / OpenWrt network userland (9 changes)

f7c445a iwinfo: update to the latest version (+4,-4)
aa0e3c4 iwinfo: nl80211: add support for printing the device path for a phy (+91)
dd6d6d2 iwinfo: nl80211: use new path lookup function for nl80211_phy_idx_from_uci_path (+17,-30)
268bb26 iwinfo: nl80211: support looking up phy by path=.. and macaddr=... (+25,-17)
c041464 iwinfo: nl80211: fix typo (+1,-1)
44781b2 iwinfo: update to the latest version (+3,-3)
c9b1672 nl80211: fix path compatibility issue (+11,-1)
01cc5e1 iwinfo: update to latest Git HEAD (+4,-4)
a0a0e02 iwinfo: rename hardware.txt to devices.txt (+1,-1)
b519d76 iwinfo: update to latest Git head (+3,-3)
0e2a318 devices: add AMD RZ608 device-id (+1)
234075b devices: fix AMD RZ608 format (+1,-1)
90bfbb9 devices: Add Cypress CYW43455 (+1)
5a18028 iwinfo: update to latest HEAD (+3,-3)
562d015 iwinfo: nl80211: fix hwmode parsing for multi-band NICs (+33,-6)
a479b9b devices: remove whitespace (+1,-1)
5b7d01b iwinfo: update to latest HEAD (+3,-3)
dc6847e iwinfo: nl80211: omit A-hwmode on non-5GHz hardware (+5,-5)
dd58c12 iwinfo: drop obsolete patch (-26)
b4ea8e1 firewall: config: remove restictions on DHCPv6 allow rule (+2,-4)
8444302 treewide: fix security issues by bumping all packages using libwolfssl (+3,-3)

Target / apm821xx (2 changes)

e0bdf83 kernel: bump 5.4 to 5.4.191 (+113,-219)
8e5de89 kernel: bump 5.4 to 5.4.213 (+102,-107)

Target / ath25 (1 change)

bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)

Target / ath79 (7 changes)

e0bdf83 kernel: bump 5.4 to 5.4.191 (+113,-219)
7ae0f74 kernel: bump 5.4 to 5.4.192 (+21,-21)
be06390 kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
1dd4b3f ath79: add support for MikroTik RouterBOARD hAP ac lite (+142)
8b552b1 ath79: add support for RouterBOARD mAP (+134)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)
8e5de89 kernel: bump 5.4 to 5.4.213 (+102,-107)

Target / bcm27xx (6 changes)

e0bdf83 kernel: bump 5.4 to 5.4.191 (+113,-219)
7ae0f74 kernel: bump 5.4 to 5.4.192 (+21,-21)
ce92de8 kernel: bump 5.4 to 5.4.194 (+13,-13)
be06390 kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)
8e5de89 kernel: bump 5.4 to 5.4.213 (+102,-107)

Target / bcm4908 (12 changes)

e481244 kernel: backport LEDs driver for BCMBCA devices (+499)
c0448cd bcm4908: backport latest DT patches (+363,-1)
366dfa4 bcm4908: use upstream-accepted watchdog patches (+11,-1)
114fc36 bcm4908: include U-Boot DTB files for ASUS GT-AX6000 & Netgear RAX220 (+34)
1727e35 bcm4908: backport bcmbca DT patches queued for 5.20 (+1.2K)
28ab4f3 bcm4908: prepare for Asus GT-AX6000 support (+10)
cc9c725 bcm4908: build bootfs image per-SoC (+92,-59)
36bab92 bcm4908: enable & setup packet steering (+49)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)
61cf5ab bcm4908: enable NVMEM U-Boot env data driver (+3)
deaad2c bcm4908: backport mtd parser for Broadcom's U-Boot partition (+138)
f33b14d bcm4908: fix -EPROBE_DEFER support in bcm4908_enet (+64,-1)

Target / bcm53xx (9 changes)

e0bdf83 kernel: bump 5.4 to 5.4.191 (+113,-219)
c032ed3 bcm53xx: disable GRO by default at kernel level (+32)
a50f5b3 bcm53xx: enable & setup packet steering (+47)
e481244 kernel: backport LEDs driver for BCMBCA devices (+499)
c3c59e6 kernel: backport U-Boot environment data NVMEM driver (+359,-9)
44ce70f bcm53xx: drop downstream patch that now breaks pinctrl driver (-31)
8e5de89 kernel: bump 5.4 to 5.4.213 (+102,-107)
6564d3e bcm53xx: update NVMEM driver for NVRAM (+230,-5)
abf2c60 bcm53xx: backport clk driver fix for DT nodes names (+72)

Target / bcm63xx (2 changes)

e481244 kernel: backport LEDs driver for BCMBCA devices (+499)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)

Target / ipq40xx (4 changes)

e9431a8 ipq40xx: fix ar40xx driver (+3)
e0bdf83 kernel: bump 5.4 to 5.4.191 (+113,-219)
cd7e6c8 ipq40xx: add Linksys MR8300 WAN port (+6,-2)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)

Target / ipq806x (4 changes)

ce92de8 kernel: bump 5.4 to 5.4.194 (+13,-13)
be06390 kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
09dae4f ipq806x: Archer VR2600: fix switch ports numbering (+3,-3)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)

Target / lantiq (3 changes)

e0bdf83 kernel: bump 5.4 to 5.4.191 (+113,-219)
be06390 kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)

Target / layerscape (6 changes)

e0bdf83 kernel: bump 5.4 to 5.4.191 (+113,-219)
7ae0f74 kernel: bump 5.4 to 5.4.192 (+21,-21)
be06390 kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)
8e5de89 kernel: bump 5.4 to 5.4.213 (+102,-107)
084a8a2 kernel: bump 5.4 to 5.4.215 (+71,-71)

Target / mediatek (6 changes)

e0bdf83 kernel: bump 5.4 to 5.4.191 (+113,-219)
7ae0f74 kernel: bump 5.4 to 5.4.192 (+21,-21)
be06390 kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
68fbcc4 mediatek: remove crypto-hw-mtk package (-23)
1247010 mediatek: mt7623: fixes kconfig for hwcrypto (+1,-1)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)

Target / mvebu (6 changes)

6c44b15 mvebu: kernel: enable CONFIG_BLK_DEV_NVME (+5)
e0bdf83 kernel: bump 5.4 to 5.4.191 (+113,-219)
ce92de8 kernel: bump 5.4 to 5.4.194 (+13,-13)
be06390 kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
76ee3e1 mvebu: move upstreamed DTS files (ESPRESSObin) to files-5.4 ()
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)

Target / octeon (2 changes)

f94b30d octeon: add SUPPORTED_DEVICES to er/erlite (+2)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)

Target / octeontx (1 change)

bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)

Target / oxnas (4 changes)

e0bdf83 kernel: bump 5.4 to 5.4.191 (+113,-219)
ce92de8 kernel: bump 5.4 to 5.4.194 (+13,-13)
be06390 kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)

Target / pistachio (1 change)

edf3363 kernel: backport mtd dynamic partition patch (+110,-4)

Target / ramips (26 changes)

bea1891 ramips: remove obsolete mx25l25635f compatible hack (+4,-4)
92489b4 ramips: speed up spi frequency for Youku YK-L1 (+1,-1)
55f8eb8 ramips: improve pinctrl for Youku YK-L1 (+4,-16)
92af150 ramips: split Youku YK1 to YK-L1 and YK-L1c (+45,-12)
4123f17 ramips: add support for the Wavlink WL-WN579X3 (+227)
08ec622 ramips: make PHY initialization more descriptive (+4,-3)
c652a06 ramips: mt7620: enable autonegotiation for all ports (+1)
a14c2d4 ramips: mt7620: simplify DTS properties for GMAC (+23,-125)
6491212 ramips: mt7620: remove useless GMAC nodes (+4,-27)
01bbed7 ramips: mt7620: fix ethernet driver GMAC port init (+9,-15)
5d7805c ramips: mt7620: allow both internal and external PHYs (+57,-62)
6876465 ramips: mt7620: use DTS to set PHY base address for external PHYs (+60,-7)
47db830 ramips: mt7620: move mt7620_mdio_mode() to ethernet driver (+38,-74)
6685eb2 ramips: mt7620: add ephy-disable option to switch driver (+13,-2)
3f976d0 ramips: mt7620: fix RGMII TXID PHY mode (+1,-1)
30e47fb ramips: mt7620: ethernet: use more macros and bump version (+11,-7)
1769e31 ramips: mt7620: disable SOC VLANs for external switches (+6)
13c8895 ramips: zbt-wg2626: Add the reset gpio for PCIe port 1 (+3)
01dcdf7 ramips: fix RT-AC57U button level (+1,-1)
09a3561 ramips: fix booting on ZyXEL NBG-419N v2 (+1)
be06390 kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
caeb618 ramips: add support for Sitecom WLR-4100 v1 002 (+204,-2)
3210166 ramips: add support for YunCore AX820/HWAP-AX820 (+152,-1)
bcaabe6 kernel: bump 5.4 to 5.4.211 (+192,-253)
1f24bd1 rampis: feed zbt-we1026 external watchdog (+9)
c670dfb mt7620: fix missing kernel config symbol (+1)

Target / sunxi (1 change)

052ff08 sunxi: add support for Banana Pi M2 Berry (+17)

Target / x86 (1 change)

3439c2f kernel: Remove kmod-crypto-lib-blake2s (+1,-24)

Wireless / Common (1 change)

39f1815 mac80211: fix QCA9561 PA bias (+47)

Wireless / MT76 (1 change)

4cb9d08 mt76: backport fix encap offload ethernet type check (+63)

Addressed bugs

#5066

Description: Firewall: Default Allow-DHCPv6 rule option src_ip 'fc00::/6' prevents receiving ipv6 DHCP from ISP
Link: https://github.com/openwrt/openwrt/issues/5066
Commits:
b4ea8e1 firewall: config: remove restictions on DHCPv6 allow rule (+2,-4)

FS#4227 (#9209)

Description: mr8300: no WAN port in switch
Link: https://github.com/openwrt/openwrt/issues/9209
Commits:
cd7e6c8 ipq40xx: add Linksys MR8300 WAN port (+6,-2)

#9842

Description: [Zyxel NBG-419n v2 / 21.02.x boot fails / bootloop
Link: https://github.com/openwrt/openwrt/issues/9842
Commits:
09a3561 ramips: fix booting on ZyXEL NBG-419N v2 (+1)

#10275

Description: TP-Link Archer VR2600 v1 - Labelled LAN ports on router do not match Switch port numbering
Link: https://github.com/openwrt/openwrt/issues/10275
Commits:
09dae4f ipq806x: Archer VR2600: fix switch ports numbering (+3,-3)

#10555

Description: Tools: broken xxd download link
Link: https://github.com/openwrt/openwrt/issues/10555
Commits:
45a486b scripts: xxdi.pl: add xxd -i compat mode (+19,-18)
1c8c846 build: provide xxd -i with scripts/xxdi.pl (+4,-1)
c6d3f39 tools: remove xxd package (+1,-20)

#10692

Description: SSL certificate checking fails for source downloads (at least with wget)
Link: https://github.com/openwrt/openwrt/issues/10692
Commits:
c07c565 scripts/download.pl: fix downloads with wget (+8,-2)

Security fixes

CVE-2020-8694

Description: Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694
Commits:
c663368 firmware: intel-microcode: update to 20220207 (+4,-4)

CVE-2020-8695

Description: Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8695
Commits:
c663368 firmware: intel-microcode: update to 20220207 (+4,-4)

CVE-2021-0127

Description: Insufficient control flow management in some Intel(R) Processors may allow an authenticated user to potentially enable a denial of service via local access.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0127
Commits:
c663368 firmware: intel-microcode: update to 20220207 (+4,-4)

CVE-2021-0145

Description: Improper initialization of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0145
Commits:
c663368 firmware: intel-microcode: update to 20220207 (+4,-4)

CVE-2021-0146

Description: Hardware allows activation of test or debug logic at runtime for some Intel(R) processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0146
Commits:
c663368 firmware: intel-microcode: update to 20220207 (+4,-4)

CVE-2021-33120

Description: Out of bounds read under complex microarchitectural condition in memory subsystem for some Intel Atom(R) Processors may allow authenticated user to potentially enable information disclosure or cause denial of service via network access.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33120
Commits:
c663368 firmware: intel-microcode: update to 20220207 (+4,-4)

CVE-2022-1292

Description: The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292
Commits:
2039c04 openssl: bump to 1.1.1p (+2,-2)

CVE-2022-2068

Description: In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068
Commits:
2039c04 openssl: bump to 1.1.1p (+2,-2)

CVE-2022-2097

Description: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097
Commits:
6f89233 openssl: bump to 1.1.1q (+2,-2)

CVE-2022-21151

Description: Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21151
Commits:
4c8bf08 firmware: intel-microcode: update to 20220510 (+2,-2)

CVE-2022-21233

Description: Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21233
Commits:
82ebc17 firmware: intel-microcode: update to 20220809 (+2,-2)

CVE-2022-34293

Description: wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34293
Commits:
a13dacb wolfssl: bump to 5.4.0 (+4,-4)

CVE-2022-37434

Description: zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
Commits:
5f189f2 zlib: backport fix for heap-based buffer over-read (CVE-2022-37434) (+33,-1)
b93327c zlib: backport null dereference fix (+30,-1)

CVE-2022-39173

Description: In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. This occurs when an attacker supposedly resumes a previous TLS session. During the resumption Client Hello a Hello Retry Request must be triggered. Both Client Hellos are required to contain a list of duplicate cipher suites to trigger the buffer overflow. In total, two Client Hellos have to be sent: one in the resumed session, and a second one as a response to a Hello Retry Request message.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39173
Commits:
914d912 wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173) (+2,-2)
8444302 treewide: fix security issues by bumping all packages using libwolfssl (+3,-3)