360d756 build: make find_md5 reproducible with AUTOREMOVE (+4,-3)
654e024 rules_mk: don't include wrapped bin with external toolchains (-1)
56fd835 rules_mk: use gcc versions for external toolchain (+3,-10)
fd7e8e4 scripts/ext-tools: introduce new script to install prebuilt tools (+98)
997ab54 scripts: fix various typos (+14,-14)
1e764ea scripts: ext-toolchain: fix wrong prefix in print_config generation (+4,-1)
ed78558 scripts: ext-toolchain: add option to overwrite config (+18,-4)
1f5b8a3 scripts: ext-toolchain: actually probe libc type on config generation (+1)
462c565 scripts: ext-toolchain: add support for info.mk in probe_cc (+7)
fd90eed scripts: ext-toolchain: add support for musl (+12,-2)
12b1d2f build: handle directory with whitespace in AUTOREMOVE clean (+4,-4)
cbce6c6 kernel: split kernel version to dedicated files (+7,-2)
904581c toolchain: Select USE_SSTRIP with external musl toolchain (-2)
66fa45e kernel: kmod-ipt-ulog: Remove package (-38)
39868a8 netfilter: remove no-op kconfig symbols (-8)
8b46a26 scripts/dl_github_archieve.py: fix generating unreproducible tar (+1,-1)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)
23ad680 kernel: bump 5.4 to 5.4.231 (+33,-33)
122e0c7 kernel: bump 5.4 to 5.4.234 (+6,-6)
5e69c09 kernel: bump 5.4 to 5.4.238 (+300,-318)

202d404 cmake: update to version 3.19.8 (+2,-2)
784565b tools/mkimage: fix build on MacOS arm64 (+47)

bc99ce5 imagebuilder: allow to specific ROOTFS_PARTSIZE (+3,-1)

d84d34e sdk: expose binary strip settings (+46)
904581c toolchain: Select USE_SSTRIP with external musl toolchain (-2)

629199f toolchain: Include ./include/fortify for external musl toolchain (+1)

060aa00 kernel: bump 5.4 to 5.4.219 (+11,-83)
9cec59c kernel: mtd: fix unbalanced of_node_put() in dynamic partitions code (+101)
3e8a713 kernel: mtd: backport extended dynamic partitions support (+152,-3)
ab26cdd kernel: mtd: backport SafeLoader parser (+240,-6)
079ce04 kernel: bump 5.4 to 5.4.224 (+102,-101)
829cc60 kernel: backport flow_dissect support for tag_brcm (+62)
778afce kernel: Add missing mediatek configuration options (+1)
e506a0d kernel: bump 5.4 to 5.4.224 (+10,-10)
b01b924 kernel: update U-Boot nvmem driver to v6.2 release version (+168)
7492906 kernel: improve description of NTFS kernel packages (+3,-2)
cbce6c6 kernel: split kernel version to dedicated files (+7,-2)
067d7e9 kernel: backport b53/bcm_sf2 changes from v5.5 (+329,-30)
1f5024a kernel: backport b53/bcm_sf2 changes from v5.6 (+542,-75)
88a71fb kernel: backport b53/bcm_sf2 changes from v5.7 (+695,-28)
50d255d kernel: backport b53/bcm_sf2 changes from v5.8 (+589,-4)
12861e0 generic: add support for EON EN25QX128A spi nor flash (+21)
b119562 generic: 5.4: refresh kernel patches (+18,-18)
8e548ac kernel: fix typo for tegra crypto-sha1 module (+1,-1)
3e0faf2 kernel: build crypto md5/sha1/sha256 modules for powerpc (+19,-1)
ab90257 kenrel: kmod-rtc-pt7c4338: Remove package (-16)
e6b1094 kernel: kmod-w1-slave-ds2760: Remove package (-17)
66fa45e kernel: kmod-ipt-ulog: Remove package (-38)
0f42380 kernel: kmod-isdn4linux: Remove package (-32)
39868a8 netfilter: remove no-op kconfig symbols (-8)
cdd9bee kernel: add kmod-nvme package (+23)
9442653 kernel: expose (unhide) CONFIG_ASN1 as ksmbd requirement (+30)
ac7386a kernel: Reorder configuration (+9,-9)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)
23ad680 kernel: bump 5.4 to 5.4.231 (+33,-33)
f86f8e5 kernel: support "linux,default-trigger" in leds-bcm63138 (+26)
a4f065a kernel: tcindex classifier has been retired (+1,-3)
5e69c09 kernel: bump 5.4 to 5.4.238 (+300,-318)
cbe73ea kernel: remove obsolete netfilter tcp window size check bypass patch (-73)

8f45981 uboot-layerscape: adjust LS1012A-IOT config and env (+46,-1)

04ca5a8 openssl: bump to 1.1.1s (+2.5K,-200)
b33090a wolfssl: update to v5.5.3 (+4,-56)
18f05da dnsmasq: Backport DHCPv6 server fix (CVE-2022-0934) (+179)
66fa45e kernel: kmod-ipt-ulog: Remove package (-38)
1b6e9b3 opkg: add patch to avoid remove package repeatly with force (+37,-1)
dbbf5c2 openssl: bump to 1.1.1t (+2,-2)
f67f60b ca-certicficates: Update to version 20211016 (+2,-2)
23c86d4 ca-certificates: fix python3-cryptography woes in certdata2pem.py (+53)
3d93d2c ltq-atm/ltq-ptm: add kernel 5.10 compatiblity (+27)
8e12360 lantiq: ltq-tapi: add kernel 5.10 compatiblity (+51)

8a11563 base-files: support "metric" in board.json (+2,-1)

1eda1a7 iwinfo: update to latest HEAD (+3,-3)
⇒ 705d3b5 iwinfo: Add missing auth_suites mappings for WPA3 (+2)
dec6584 iwinfo: update to latest HEAD (+3,-3)
⇒ 0dad3e6 Add support for CCMP-256 and GCMP-256 ciphers (+43,-18)

1392bec procd: add patch to fix compilation error (+36)

079ce04 kernel: bump 5.4 to 5.4.224 (+102,-101)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)
5e69c09 kernel: bump 5.4 to 5.4.238 (+300,-318)

ab26cdd kernel: mtd: backport SafeLoader parser (+240,-6)
079ce04 kernel: bump 5.4 to 5.4.224 (+102,-101)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)
122e0c7 kernel: bump 5.4 to 5.4.234 (+6,-6)

060aa00 kernel: bump 5.4 to 5.4.219 (+11,-83)
079ce04 kernel: bump 5.4 to 5.4.224 (+102,-101)
e506a0d kernel: bump 5.4 to 5.4.224 (+10,-10)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)
23ad680 kernel: bump 5.4 to 5.4.231 (+33,-33)
122e0c7 kernel: bump 5.4 to 5.4.234 (+6,-6)
5e69c09 kernel: bump 5.4 to 5.4.238 (+300,-318)

da4e388 bcm4908: optimize Ethernet driver by using build_skb() (+152)
973c18f bcm4908: backport bcm4908_enet fix for NULL dereference (+103,-4)
1d12cfd bcm4908: backport upstream BQL support for bcm4908_enet (+45)
01b096a bcm4908: use upstream patches for Asus GT-AC5300 LEDs (+12,-3)
940adf4 bcm4908: fix Asus GT-AX6000 image (+66,-4)
660d8f4 bcm4908: update DTS files with the latest changes (+2.7K,-8)
067d7e9 kernel: backport b53/bcm_sf2 changes from v5.5 (+329,-30)
1f5024a kernel: backport b53/bcm_sf2 changes from v5.6 (+542,-75)
88a71fb kernel: backport b53/bcm_sf2 changes from v5.7 (+695,-28)
50d255d kernel: backport b53/bcm_sf2 changes from v5.8 (+589,-4)
13bd05e bcm4908: backport v6.4 pending DTS changes (+791,-1)
c874aa4 bcm4908: include usbport trigger (+2,-1)

060aa00 kernel: bump 5.4 to 5.4.219 (+11,-83)
ab26cdd kernel: mtd: backport SafeLoader parser (+240,-6)
8035ac0 bcm53xx: backport the latest upstream DT changes (+1.6K)
1ba74c1 bcm53xx: backport missed DT patch cleaning up CRU block (+91,-6)
94c2cee bcm53xx: specify switch ports for more devices (+864)
494b889 bcm53xx: backport early DT patches queued for 5.16 (+602,-4)
37d5351 bcm53xx: add first 5.17 DTS changes (+175)
35e470a bcm53xx: use more upsteam DT patches from 5.16 / 5.17 (+164)
d074806 bcm53xx: use new USB 2.0 PHY binding (+183)
93ebd96 bcm53xx: backport DT changes from 5.17 & 5.18 (+471,-1)
40c0d28 bcm53xx: update DTS files with the latest changes (+2.3K,-12)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)

4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)

23ad680 kernel: bump 5.4 to 5.4.231 (+33,-33)

079ce04 kernel: bump 5.4 to 5.4.224 (+102,-101)
c58384b ipq40xx: luma_wrtq-acn329: swap ethernet MAC addresses (+5)
b119562 generic: 5.4: refresh kernel patches (+18,-18)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)
5e69c09 kernel: bump 5.4 to 5.4.238 (+300,-318)
2541ca6 ipq40xx: Linksys MR8300: fix the USB port power (+11,-1)

ab26cdd kernel: mtd: backport SafeLoader parser (+240,-6)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)
23ad680 kernel: bump 5.4 to 5.4.231 (+33,-33)

079ce04 kernel: bump 5.4 to 5.4.224 (+102,-101)
5c85a3e lantiq: enable interrupts on second VPEs (+86)
206012e lantiq: add 6.1 tag to upstream patch (+3,-2)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)
5e69c09 kernel: bump 5.4 to 5.4.238 (+300,-318)

079ce04 kernel: bump 5.4 to 5.4.224 (+102,-101)
e506a0d kernel: bump 5.4 to 5.4.224 (+10,-10)
88e8ca2 layerscape: fix compilation error for missing define of dwc quirk (+6,-2)
1f5024a kernel: backport b53/bcm_sf2 changes from v5.6 (+542,-75)
b119562 generic: 5.4: refresh kernel patches (+18,-18)
ee1eda7 layerscape: fix felix DSA driver compilation (+26)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)
23ad680 kernel: bump 5.4 to 5.4.231 (+33,-33)
122e0c7 kernel: bump 5.4 to 5.4.234 (+6,-6)
5e69c09 kernel: bump 5.4 to 5.4.238 (+300,-318)

175a3cb mediatek: add missing config symbols (+1)
e506a0d kernel: bump 5.4 to 5.4.224 (+10,-10)
067d7e9 kernel: backport b53/bcm_sf2 changes from v5.5 (+329,-30)
1f5024a kernel: backport b53/bcm_sf2 changes from v5.6 (+542,-75)
88a71fb kernel: backport b53/bcm_sf2 changes from v5.7 (+695,-28)
50d255d kernel: backport b53/bcm_sf2 changes from v5.8 (+589,-4)
b119562 generic: 5.4: refresh kernel patches (+18,-18)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)
5e69c09 kernel: bump 5.4 to 5.4.238 (+300,-318)

079ce04 kernel: bump 5.4 to 5.4.224 (+102,-101)
0d4a025 mpc85xx: Drop pci aliases to avoid domain changes (+67)

4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)

5e69c09 kernel: bump 5.4 to 5.4.238 (+300,-318)

060aa00 kernel: bump 5.4 to 5.4.219 (+11,-83)
079ce04 kernel: bump 5.4 to 5.4.224 (+102,-101)

060aa00 kernel: bump 5.4 to 5.4.219 (+11,-83)
3e8a713 kernel: mtd: backport extended dynamic partitions support (+152,-3)
b119562 generic: 5.4: refresh kernel patches (+18,-18)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)

09a649f ramips: rt3883: enable lzma-loader for Belkin F9K1109v1 (+1,-1)
ab26cdd kernel: mtd: backport SafeLoader parser (+240,-6)
d604032 ramips: fix GB-PC1 and GB-PC2 device support (+69,-56)
794ddf5 ramips: fix GB-PC1 and GB-PC2 LEDs (+15,-17)
b119562 generic: 5.4: refresh kernel patches (+18,-18)
76c9c2b rampis: fix Reference to non-existent node for GB-PC2 (+1,-2)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)
5e69c09 kernel: bump 5.4 to 5.4.238 (+300,-318)

f5646ae realtek: update rtl83xx switch driver to the updated DSA API (+3,-1)

079ce04 kernel: bump 5.4 to 5.4.224 (+102,-101)
4292832 kernel: bump 5.4 to 5.4.230 (+183,-213)

e889677 sunxi: fix wifi connection for Banana Pi M2 Berry (+1,-1)

b3142ff mac80211: Update to version 5.10.149-1 (+80,-179)
06bec84 mac80211: Update to version 5.10.157 (+61,-61)
8d995b3 mac80211: Update to version 5.10.168-1 (+16,-16)
3262108 mac80211, mt76: add fixes for recently discovered security issues (+676,-9)

3262108 mac80211, mt76: add fixes for recently discovered security issues (+676,-9)

09f4533 CI: add formal checks (+96)
6d4d665 CI: allow dots in commit subject area (+1,-1)
9c4d81e CI: build changes in tools/ on ubuntu/macos (+129)
d3a8cac CI: move logs/ to GITHUB_WORKSPACE (+6,-1)
cf2b72e CI: usability improvements for tools (+13,-3)
e1e47d5 CI: add Kernel compile tests (+143)
73e37f2 CI: run inside the buildbot docker container (+24,-46)
1cf24ed CI: kernel: Trigger workflow for more directories (+2)
ae63723 CI: kernel: Use downloads.cdn.openwrt.org (+2,-2)
fde584a CI: kernel: Show used OpenWrt configuration (+5)
93d67c9 CI: kernel: Checkout feeds from github (+24)
5978ab4 CI: kernel: Build all kernel modules (+3)
8dc0a96 CI: kernel: Cache external toolchain (+13,-2)
3082e83 CI: package kmods in kernel workflow (+5)
8496275 CI: include automatic Pull Request Labeler (+115)
3a9f927 build: harden GitHub workflow permissions (+17)
2e29823 ci: move scripts into separate directory (+1,-1)
01000b0 ci: show build failures directly in job log output (+20,-5)
6f9067e CI: use buildbot container for building (+50,-67)
ec55b12 CI: create Docker container containing compiled tools (+67)
f4db275 CI: use tools:latest container to speedup kernel workflow (+12,-3)
3ba78a8 CI: Add workaround for github uppercase usernames (+16,-2)
c95622a CI: tools: compile tools with ccache support for tools container (+2,-1)
9718dff CI: kernel: use ccache to speedup workflow (+17)
305688f CI: kernel: generate ccache cache on kernel push (+6)
2454da3 CI: bump actions/checkout action to v3 (+10,-10)
c4345c7 CI: bump actions/download,upload-artifact action to v3 (+7,-7)
3e41081 CI: labeler: target major version of labeler action (+1,-1)
5872b1b CI: kernel: check if patch are refreshed for each target (+71)
4460990 ci: kernel: trigger build check on changes in kernel.mk as well (+2,-2)
1ae1959 CI: kernel: fix deprecation of set-output (+3,-3)
c14030c CI: packages: Add github CI job to build all packages (+151)
1b34fc2 CI: packages.yml: Fix usage of pre-build tools (+2)
6ca1d74 meta: drop issue_template (-13)
43980bf CI: Simplify if conditions (+2,-2)
02391a5 CI: Extract the OpenWrt building to own sub workflow (+331,-341)
b0e6bce CI: Allow building with internal toolchain (+20,-1)
0943f4d CI: Build all boards and testing kernel (+29)
5bc5df1 CI: tools: support per branch tools container (+26,-1)
4053632 CI: build: add support for per branch tools container (+56,-2)
69c0c3c CI: build: add support for external toolchains from stable branch (+27,-2)
006e525 CI: build: add support to fallback to sdk for external toolchain (+33,-8)
ee05f20 CI: add support to tag pr targeting stable branch (+14)
26f35c4 CI: labeler: fix wrong label for pr targeting stable branch (+3,-3)
d48f38c CI: fix matching for openwrt release branch for container selection (+12,-8)
8df40b1 CI: build: fix matching for openwrt release branch for toolchain parsing (+8,-6)
be3b061 CI: trigger check also on build and check-kernel-patches workflow change (+6)
d03c520 CI: build: fix use of sdk as toolchain (+28)
50ad1e5 CI: build: skip sdk adapt to external toolchain on cache hit (+1,-1)
295c612 CI: kernel: don't checkout and install feeds (-1)
e819523 CI: build: fix external toolchain use with release tag tests (+1,-1)

Description: xiaomi-4a-gigabit-edition has a new flash which is EN25QX128@44Mhz cause a endless reboot
Link: https://github.com/openwrt/openwrt/issues/9442
Commits:
12861e0 generic: add support for EON EN25QX128A spi nor flash (+21)

Description: [22.03] layerscape: Not booting with LS1021A-IOT
Link: https://github.com/openwrt/openwrt/issues/9894
Commits:
8f45981 uboot-layerscape: adjust LS1012A-IOT config and env (+46,-1)

Description: mpc85xx: PCIe addresses change from kernel 5.10.135 -> 5.10.138 breaks `/etc/config/wireless`
Link: https://github.com/openwrt/openwrt/issues/10530
Commits:
0d4a025 mpc85xx: Drop pci aliases to avoid domain changes (+67)

Description: ramips Belkin F9K1109 fails to boot due to large kernel
Link: https://github.com/openwrt/openwrt/issues/10968
Commits:
09a649f ramips: rt3883: enable lzma-loader for Belkin F9K1109v1 (+1,-1)

Description: [21.02-SNAPSHOT] cannot build: Reference to non-existent node or label "macaddr_factory_e000"
Link: https://github.com/openwrt/openwrt/issues/11654
Commits:
76c9c2b rampis: fix Reference to non-existent node for GB-PC2 (+1,-2)

Description: A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker who sends a crafted packet processed by dnsmasq, potentially causing a denial of service.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0934
Commits:
18f05da dnsmasq: Backport DHCPv6 server fix (CVE-2022-0934) (+179)

Description: A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304
Commits:
dbbf5c2 openssl: bump to 1.1.1t (+2,-2)

Description: The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450
Commits:
dbbf5c2 openssl: bump to 1.1.1t (+2,-2)

Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47522
Commits:
3262108 mac80211, mt76: add fixes for recently discovered security issues (+676,-9)

Description: The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215
Commits:
dbbf5c2 openssl: bump to 1.1.1t (+2,-2)

Description: There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286
Commits:
dbbf5c2 openssl: bump to 1.1.1t (+2,-2)