OpenWrt v21.02.3 Changelog
This changelog lists all commits made in OpenWrt since the v21.02.2 tag, grouped by subsystem. The changes are ordered chronologically from top to bottom and cover the Git repository history up to the tagging of the 21.02.3 release.
See also the release notes, which provide a more accessible overview of the main changes in 21.02.3.
Build System / Buildroot (1 change)
f1e1daa
u-boot.mk: add LOCALVERSION (explicitly specify OpenWrt build) (+1)
Build System / Host Utilities (7 changes)
49b2e63
tools/libressl: update to 3.3.3 (+3,-3)
2736a5d
tools/libressl: update to 3.3.4 (+2,-2)
8ed3b5b
tools/libressl: update to 3.4.1 (+2,-2)
0327104
tools/libressl: update to version 3.4.2 (+2,-2)
17e9553
tools: add xxd (from vim) (+34,-1)
92020d4
tools: xxd: use more convenient source tarball (+6,-20)
f65edc9
zlib: backport security fix for a reproducible crash in compressor (+688,-2)
Build System / Image Builder (1 change)
3008f1f
imagebuilder: fix broken image generation with external targets (+1,-1)
Kernel (4 changes)
2d69d09
kernel: bump 5.4 to 5.4.182 (+37,-66)
28343cf
kernel: backport DSA patches fixing null-pointer dereference (+143)
0e5350d
mvebu: SFP backports for GPON modules (+262,-31)
39bf2ae
kernel: bump 5.4 to 5.4.188 (+49,-54)
Packages / Boot Loaders (5 changes)
7bd583e
uboot-envtools: mvebu: update uci defaults for Turris Omnia (+4,-1)
45b3f2a
uboot-bcm4908: add package with BCM4908 U-Boot (+205)
864bba5
uboot-bcm4908: use "xxd" from staging_dir (+4,-4)
0687417
ath79: add support for Yuncore XD3200 (+49,-2)
2cc9ee8
ath79: add support for Yuncore A930 (+113)
Packages / Common (13 changes)
b99d7ae
wolfssl: fix API breakage of SSL_get_verify_result (+26)
abf8209
hostapd: fix radius problem due to invalid attributes (+3,-3)
b1c3539
openssl: bump to 1.1.1n (+2,-2)
88075c8
hostapd: ubus: add BSS transition request method (+112,-40)
53c60d4
hostapd: ubus: add notification for BSS transition response (+74)
3731ffa
hostapd: report bssid, ssid and channel over ubus (+38)
95b0b87
hostapd: remove unused mac_buff allocation (-1)
e44a781
hostapd: add beacon_interval to get_status ubus output (+1)
411c73f
hostapd: add op-class to get_status output (+8,-1)
180b750
hostapd: add STA extended capabilities to get_clients (+10)
f65edc9
zlib: backport security fix for a reproducible crash in compressor (+688,-2)
9132344
bpftools: fix feature override for masking clang (+1,-1)
c5ef62a
wolfssl: bump to 5.2.0 (+7,-9)
Packages / Firmware (2 changes)
41d36bb
cypress-firmware: update it to version 5.4.18-2021_0812 (+37,-38)
52de8bf
cypress-firmware: drop several packages (-54)
Packages / OpenWrt base files (1 change)
f44f8b0
base-files: call "sync" after initial setup (+1)
Packages / OpenWrt system userland (1 change)
Target / apm821xx (1 change)
5cf00ad
apm821xx: fix crash/panic related to SATA/SSD choice (+65)
Target / ath79 (10 changes)
2d69d09
kernel: bump 5.4 to 5.4.182 (+37,-66)
56d69ee
ath79: fix label MAC address for Ubiquiti UniFi (+2,-4)
30e6f28
ath79: fix TPLINK_HWREV field for TL-WR1043ND v4 (+1)
cd17ca7
ath79: fix link for long cables with OCEDO Raccoon (+12,-1)
f651314
ath79: fix label MAC address for Ubiquiti UniFi AP Outdoor+ (+4,-2)
ee62912
ath79: migrate Archer C5 5GHz radio device paths (+1)
0687417
ath79: add support for Yuncore XD3200 (+49,-2)
2cc9ee8
ath79: add support for Yuncore A930 (+113)
9a76555
ath79: add support for MikroTik RouterBOARD mAP lite (+81,-1)
1d4dea6
ath79: Move TPLink WPA8630Pv2 to ath79-tiny target (+96,-42)
Target / bcm27xx (3 changes)
2d69d09
kernel: bump 5.4 to 5.4.182 (+37,-66)
39bf2ae
kernel: bump 5.4 to 5.4.188 (+49,-54)
41a97c2
bcm27xx: add AMP2 to HifiBerry DAC+ / DAC+ Pro package (+9,-6)
Target / bcm4908 (4 changes)
2d69d09
kernel: bump 5.4 to 5.4.182 (+37,-66)
e12ffac
bcm4908: fix USB PHY support (+147)
13c9f1f
bcm4908: support "rootfs_data" on U-Boot devices (+122,-13)
e8a806c
bcm4908: include U-Boot in images (+32,-3)
Target / ipq806x (2 changes)
610b2cf
ipq806x: base-files: asrock: fix bootcount include (+2,-5)
b2896d4
ipq806x: base-files: asrock: fix bootcount include (+1,-1)
Target / layerscape (2 changes)
Target / mvebu (3 changes)
d38f7ec
mvebu: udpu: fix initramfs booting (+1,-1)
4910ffa
mvebu: udpu: include LM75 kmod by default (+1,-1)
39bf2ae
kernel: bump 5.4 to 5.4.188 (+49,-54)
Target / oxnas (1 change)
2d69d09
kernel: bump 5.4 to 5.4.182 (+37,-66)
Target / ramips (4 changes)
7612ecb
ramips: mt7621: do memory detection on KSEG1 (+62)
952de38
Revert "ramips: increase spi-max-frequency for ipTIME mt7620 devices" (+1,-1)
c6256a6
ramips: remove kmod-mt7663-firmware-sta from device packages (+2,-2)
169c9e3
ramips: fix reboot for remaining 32 MB boards (+30,-4)
Target / sunxi (1 change)
fdd862f
sunxi: cortexa7: fix ethernet link detection on a20-olinuxino-lime2 (+1)
Target / x86 (1 change)
604274c
x86: legacy: enable pata_sis driver (+1)
Wireless / Common (1 change)
99b00ed
mac80211: Update to version 5.10.110-1 (+73,-224)
Security fixes
CVE-2022-0778
Description: The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.
Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue.
In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature.
This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.
Fixed in OpenSSL 3.0.2 (Affected 3.0.0, 3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
Commits:
b1c3539
openssl: bump to 1.1.1n (+2,-2)
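To check a device against the ranges quoted above, the following added example (not code from OpenWrt or OpenSSL) classifies an OpenSSL version string, including the letter suffixes, as affected or fixed. The function names are hypothetical, the sample lines are constructed, and it assumes `opkg list-installed` prints `name - version` with the library package name starting with `libopenssl`.

```shell
#!/bin/sh
# Added example: classify OpenSSL versions against the CVE-2022-0778 ranges quoted above.

# Rank OpenSSL's letter suffix: "" -> 0, a..z -> 1..26, za..zz -> 27..52.
letter_rank() {
    rest=$1 rank=0
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}                    # first character of the suffix
        rest=${rest#?}
        rank=$((rank + $(printf '%d' "'$ch") - 96))
    done
    echo "$rank"
}

# Print affected | fixed | unknown for a version such as "1.1.1m" or "1.1.1n-1".
cve_2022_0778_status() {
    ver=${1%%-*}                                  # drop the package release ("-1")
    base=$(printf '%s\n' "$ver" | sed 's/[a-z]*$//')
    letters=${ver#"$base"}
    case $base in
        1.0.2) fixed_rank=$(letter_rank zd) ;;    # fixed in 1.0.2zd
        1.1.1) fixed_rank=$(letter_rank n) ;;     # fixed in 1.1.1n
        3.0.[0-9]*)                               # fixed in 3.0.2
            [ -z "$letters" ] || { echo unknown; return; }
            patch=${base#3.0.}
            case $patch in *[!0-9]*) echo unknown; return ;; esac
            if [ "$patch" -ge 2 ]; then echo fixed; else echo affected; fi
            return ;;
        *) echo unknown; return ;;                # branch not named in the description
    esac
    if [ "$(letter_rank "$letters")" -ge "$fixed_rank" ]; then echo fixed; else echo affected; fi
}

# Read "name - version" lines on stdin and report every libopenssl package found.
scan_opkg() {
    while read -r name dash version; do
        case $name in
            libopenssl*) echo "$name $version $(cve_2022_0778_status "$version")" ;;
        esac
    done
}

# Constructed sample input, not output captured from a real device.
sample='libopenssl1.1 - 1.1.1m-1
zlib - 1.2.11-3
libopenssl1.1 - 1.1.1n-1'
printf '%s\n' "$sample" | scan_opkg
```

On a device, pipe `opkg list-installed` into `scan_opkg` instead of the sample. A result of `unknown` means the version lies outside the branches the description names and has to be checked separately.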
CVE-2022-25638
Description: In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This occurs when the sig_algo field differs between the certificate_verify message and the certificate message.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25638
Commits:
c5ef62a
wolfssl: bump to 5.2.0 (+7,-9)
CVE-2022-25640
Description: In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the certificate_verify message from the handshake, and never present a certificate.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25640
Commits:
c5ef62a
wolfssl: bump to 5.2.0 (+7,-9)