OpenWrt v23.05.3 Changelog
This changelog lists all commits made in OpenWrt since the v23.05.2 tag, grouped by subsystem. The changes are ordered chronologically from top to bottom and cover the Git repository history up to the tagging of the 23.05.3 release.
See also the release notes that provide a more accessible overview of the main changes in 23.05.3.
Build System / Buildroot (14 changes)
c7b6cfa
scripts/dump-target-info.pl: add new function to DUMP devices (+79,-1)
a39dca7
kernel: bump 5.15 to 5.15.138 (+19,-103)
95ebd60
kernel: bump 5.15 to 5.15.139 (+41,-88)
dae3991
scripts: sercomm-pid.py: use uppercase hwid in pid (+1,-1)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
af7ef78
ramips: add encrypted SGE factory image for D-Link devices (+5)
40cfdf5
kernel: bump 5.15 to 5.15.146 (+39,-39)
c1615f3
kernel: bump 5.15 to 5.15.147 (+30,-30)
183c0d5
kernel-build.mk: add support for compiling only DTS (+13,-4)
1c28058
kernel: bump 5.15 to 5.15.148 (+108,-146)
6076806
build: add explicit --no-show-signature for git (+2,-2)
81f8b93
build: add $(STAGING_DIR) and $(BIN_DIR) preparation to target and package su... (+4)
4c1d13e
kernel: bump 5.15 to 5.15.149 (+110,-107)
db7b247
kernel: bump 5.15 to 5.15.150 (+126,-258)
Build System / Host Utilities (4 changes)
34e30fb
firmware-utils: bump to latest openwrt-23.05 (+3,-3)
⇒ 8cad449
add dlink-sge-image for D-Link devices by SGE (+855)
⇒ 9afd8f4
tplink-safeloader: bump EAP615-Wall compat_level (+1,-1)
b54f710
firmware-utils: move patch to maintaince branch (+2,-40)
⇒ 40da903
firmware-utils: ptgen: add SiFive GPT partition support (+21)
5eb578a
firmware-utils: bump to latest openwrt-23.05 (+3,-3)
⇒ b6a7e81
tplink-safeloader: bump EAP225-Outdoor v1 compat (+1,-1)
⇒ c46b4b4
tplink-safeloader: bump EAP225-V3 compat_level (+1,-1)
633eb11
firmware-utils: Fix PKG_MIRROR_HASH (+1,-1)
Build System / Toolchain (1 change)
80c8d65
toolchain: glibc: Update glibc 2.37 to recent HEAD (+2,-2)
Kernel (25 changes)
a39dca7
kernel: bump 5.15 to 5.15.138 (+19,-103)
95ebd60
kernel: bump 5.15 to 5.15.139 (+41,-88)
cc285dc
generic: net: phy: realtek: add interrupt support for RTL8221B (+126)
49bde57
kernel: fix bridge proxyarp issue with some broken DHCP clients (+37)
c6425bb
kernel: delete stray linux 6.1 patch (-63)
80ef582
rockchip: configure eth pad driver strength for orangepi r1 plus lts (+203)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
40cfdf5
kernel: bump 5.15 to 5.15.146 (+39,-39)
0cd6b3f
linux/modules: remove deprecated module (+1,-2)
c1615f3
kernel: bump 5.15 to 5.15.147 (+30,-30)
6d962ca
kernel: backport ethtool_puts (+139)
8a7f667
kernel: 5.15: backport v6.1 PHY changes required for Aquantia (+666,-64)
1c28058
kernel: bump 5.15 to 5.15.148 (+108,-146)
277d97e
kernel: 5.15: update Aquantia PHY driver to v6.1 code (+334,-85)
eda5930
generic: 5.15: backport upstream Aquantia PHY firmware loader patches (+3.0K,-43)
a2943e3
generic vxlan: don't learn non-unicast L2 destinations (+30)
78d493a
generic l2tp: drop flow hash on forward (+31)
37c2bc4
mediatek: fixes for Ethernet on MT7988 SoC (+372,-11)
4c1d13e
kernel: bump 5.15 to 5.15.149 (+110,-107)
3062b18
kernel: Remove dsmark support (+1,-2)
db7b247
kernel: bump 5.15 to 5.15.150 (+126,-258)
7f1d043
kernel: Remove unused schedulers (-3)
83e37f7
generic: 5.15: mtk_eth_soc: backport fix for hang on link up (+59,-8)
82e2d34
generic: mtk_eth_soc: fix PPE hanging issue (+59)
5c786dc
kernel: hack: support inverted LEDs on MaxLinear GPY211 PHY (+11,-7)
Packages / Boot Loaders (12 changes)
3846b6e
filogic: support Telenor branded ZyXEL EX5700 (+403)
e1d1c26
mediatek: add support for Cetron CT3003 (+286)
28d15e2
mediatek: filogic: add support for Ubiquiti UniFi 6 Plus (U6+) (+198)
b530d49
filogic: add support for GL.iNet GL-MT6000 (+636)
6143b73
uboot-mediatek: fix typo in bootmenu for GL-MT6000 (+1,-1)
4f9c411
uboot-mediatek: add JCG Q30 PRO support (+434)
d924690
mediatek: add support for Zbtlink ZBT-Z8102AX (+374,-2)
18d7962
ramips: add support for Rostelecom RT-FE-1A (+282)
51881b2
mediatek: add support for Routerich AX3000 (+360,-2)
7338733
mediatek: filogic: add support ASUS RT-AX59U (+314,-8)
401d8c7
uboot-mediatek: add initial Zyxel EX5601-T0 support (+454)
02272df
uboot-envtools: add support for Zyxel EX5601-T0 ubootmod (+8)
Packages / Common (24 changes)
40bd2bb
firmware-utils: new package replacing otrx (+33,-46)
d6b6261
firmware-utils: package oseama (+8,-944)
6264d12
firmware-utils: update to Git HEAD (2023-11-21) (+4,-4)
⇒ 1d42292
tplink-safeloader: Add TP-Link Archer A6 V3.20 (+3,-1)
⇒ 3338f53
tplink-safeloader: add TL-WPA8635P v3 (+4,-3)
⇒ 17ca5ee
tplink-safeloader: add TL-WPA8631P v4 (+1)
⇒ f730ad2
bcmblob: new tool for reading Broadcom's BLOBs (+456)
⇒ cb1ddac
firmware-utils: fix typo in error message when no OpenSSL library found (+1,-1)
⇒ 9166331
bcmclm: new tool for reading Broadcom's CLM data (+338)
⇒ a2d49fb
tplink-safeloader: add RU support-list entry for Archer C6U v1 (+2,-1)
⇒ bb12cf5
tplink-safeloader: Add support for TP-Link Deco M5 The special_id values are ... (+81)
⇒ 9e2de85
tplink-safeloader: add EAP610 v3 and EAP613 v1 (+33)
⇒ a170683
firmware-utils: fix use of NULL string progname (+2)
⇒ 89875fc
tplink-safeloader: CPE510: add Canadian support (+1)
⇒ 9e211d2
mktplinkfw2: add support to extract bootloader images (+18,-1)
⇒ c18f662
mktplinkfw2: add support to pack bootloader (+116,-14)
⇒ 3dc1339
mktplinkfw2: show exact exceed bytes when the image is to big (+13,-9)
⇒ d16ff79
tplink-safeloader: WPA8631: add v4 AU, US (+2)
⇒ 0fa1cc5
zytrx: add LTE5398-M904 (+1)
⇒ + 8 more...
982bfd9
ucode: adjust module dependencies (+1,-1)
81b7da1
lua5.3: fix typo calling lua53 instead of lua5.3 for Package Default (+3,-3)
5cc1918
dropbear: increase default receive window size (+6)
9cd0023
hostapd: add missing NULL pointer check on radar notification (+3)
c909fda
hostapd: ACS: Fix typo in bw_40 frequency array (+25)
e05659e
bcm27xx-userland: update to latest version (+2,-2)
1da896f
bcm27xx-gpu-fw: update to latest version (+15,-15)
b5c7289
mbedtls: security bump to version 2.28.7 (+2,-2)
9ee626f
ucode: add libjson-c/host dependency (+1)
aa762ad
openssl: update to 3.0.13 (+6,-6)
b79583c
wifi-scripts: fix fullmac phy detection (+1,-1)
31ae972
hostapd: fix FILS AKM selection with EAP-192 (+1,-1)
c8898f4
kernel: lantiq: ltq-vmmc: introduce user group for vmmc (+2)
e5a12ed
hostapd: fix 11r defaults when using SAE (+1,-1)
503f78f
hostapd: fix 11r defaults when using WPA (+14,-14)
0844937
umdns: update to Git 7c675979 (2024-03-04) (+4,-4)
⇒ 7c67597
interface: fix interface memory corruption (+2,-1)
6549a71
dropbear: cherry-pick upstream patches (+338,-1)
af22a16
dnsmasq: mark global ubus context as closed after fork (+1,-1)
875822f
dnsmasq: version 2.90 (+64,-58)
853b638
dnsmasq: reset PKG_RELEASE (+1,-1)
03a3a72
dnsmasq: Backport 2 upstream patches (+88,-24)
Packages / Firmware (4 changes)
c51d49b
wireless-regdb: update to 2024.01.23 (+3,-3)
97f6a6b
ath11k-firmware: Move to new upstream repository for board-2.bin (+1,-1)
e0bae5e
firmware: intel-microcode: update to 20231114 (+2,-2)
100a560
firmware: intel-microcode: update to 20240312 (+2,-2)
Packages / OpenWrt base files (2 changes)
7606dac
base-files: support parse DT LED color and function (+31)
6b7c473
base-files: execute package's "postinst" after executing uci-defaults (+5,-5)
Packages / OpenWrt network userland (1 change)
b0fc8b4
netifd: update to Git openwrt-23.05 (2024-01-04) (+4,-36)
⇒ c739dee
system-linux: refresh MAC address on DSA port conduit change (+14,-1)
⇒ 8587c07
interface-ip: fix IPv4 route target masking (+1,-1)
⇒ 33d6c26
system-linux: fix bogus debug error messages on adding bridge members (+10,-7)
⇒ 0832e8f
wireless: add bridge_isolate option (+42,-15)
⇒ 5ca7a90
bridge: fix reload on bridge vlan changes (+1,-2)
⇒ be4ffb3
bridge: rework config change pvid handling (+14,-11)
⇒ 923c437
system-linux: set master early on apply settings (+9,-8)
⇒ b944241
system-linux: skip refreshing MAC on master change if custom MAC (+2,-1)
⇒ b635a09
system-linux: set pending to 0 on ifindex found or error for if_get_master (+13,-7)
⇒ 2bbe49c
device: Log error message if device initialization failed (+7,-2)
⇒ 2703f74
Revert "system-linux: set pending to 0 on ifindex found or error for if_get_m... (+7,-13)
⇒ 9cb0cb4
system-linux: fix race condition in netlink socket error handing (+13,-25)
⇒ c18cc79
device: restore cleared flags on device down (+8)
Packages / OpenWrt system userland (2 changes)
78beef6
jsonfilter: update to Git HEAD (2024-01-23) (+3,-3)
⇒ 013b75a
jsonfilter: drop legacy json-c support (+2,-3)
⇒ 594cfa8
main: fix spurious premature parse aborts in array mode (+2,-4)
1ca61b7
uhttpd: handle reload after uhttpd-mod-ubus installation using postinst (+8,-7)
Target / Makefile (1 change)
fbe86d0
linux: add dtb makefile target to targets list (+1,-1)
Target / at91 (1 change)
db7b247
kernel: bump 5.15 to 5.15.150 (+126,-258)
Target / ath79 (12 changes)
a39dca7
kernel: bump 5.15 to 5.15.138 (+19,-103)
ad363f6
ath79: make boot-leds service executable ()
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
e214118
ath79: move UniFi AC template into common (+7,-7)
5ad0568
ath79: add support for UniFi UK-Ultra (+56,-1)
cdc907a
ath79: read back reset register (+33)
c55aaa7
ath79: generic: disable SPI-NOR write protect unconditionally (+2)
58c9308
ath79: ubnt,bullet-m-xw: set PHY max-speed to 100Mbps (+1)
e5af19e
ath79: ubnt-bullet-m-xw: fix Ethernet PHY traffic (+1,-2)
e302172
ath79: add Ubiquiti Rocket M XW as alternate name to Bullet M XW (+3)
1c28058
kernel: bump 5.15 to 5.15.148 (+108,-146)
4c1d13e
kernel: bump 5.15 to 5.15.149 (+110,-107)
Target / bcm27xx (13 changes)
a39dca7
kernel: bump 5.15 to 5.15.138 (+19,-103)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
40cfdf5
kernel: bump 5.15 to 5.15.146 (+39,-39)
c1615f3
kernel: bump 5.15 to 5.15.147 (+30,-30)
ac97ea1
bcm27xx: config: update documentation links (+2,-2)
5a4389f
bcm27xx: 5.15: turn on cpu erratum for A72 and disable A53 (+1,-7)
c82ca6d
bcm27xx: base-files: properly detect boot partition (+8,-4)
9a86995
bcm27xx: improve image generation script (+8,-9)
be7d9da
bcm27xx: base-files: fix platform_copy_config (+1,-1)
1c28058
kernel: bump 5.15 to 5.15.148 (+108,-146)
e87be1b
bcm27xx: base-files: fix platform_copy_config (+1,-1)
4c1d13e
kernel: bump 5.15 to 5.15.149 (+110,-107)
db7b247
kernel: bump 5.15 to 5.15.150 (+126,-258)
Target / bcm47xx (1 change)
40cfdf5
kernel: bump 5.15 to 5.15.146 (+39,-39)
Target / bcm53xx (1 change)
db7b247
kernel: bump 5.15 to 5.15.150 (+126,-258)
Target / bcm63xx (1 change)
1c28058
kernel: bump 5.15 to 5.15.148 (+108,-146)
Target / bmips (1 change)
1c28058
kernel: bump 5.15 to 5.15.148 (+108,-146)
Target / gemini (1 change)
40cfdf5
kernel: bump 5.15 to 5.15.146 (+39,-39)
Target / ipq40xx (4 changes)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
8a7f667
kernel: 5.15: backport v6.1 PHY changes required for Aquantia (+666,-64)
9e41117
ipq40xx: fix PHY subsystem compilation (phy_interface_num_ports()) (+11)
eda5930
generic: 5.15: backport upstream Aquantia PHY firmware loader patches (+3.0K,-43)
Target / ipq806x (4 changes)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
1c28058
kernel: bump 5.15 to 5.15.148 (+108,-146)
4c1d13e
kernel: bump 5.15 to 5.15.149 (+110,-107)
db7b247
kernel: bump 5.15 to 5.15.150 (+126,-258)
Target / ipq807x (4 changes)
95ebd60
kernel: bump 5.15 to 5.15.139 (+41,-88)
fcf08d9
ipq807x: fix edgecore EAP102 lan/wan (+6,-6)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
b0f3fd5
ipq807x: prpl-haze: fix sysupgrade flashing from bootloader (+2,-1)
Target / kirkwood (1 change)
20615c4
kirkwood: fix Ctera C200 V1 ubi part name (+9)
Target / lantiq (5 changes)
a39dca7
kernel: bump 5.15 to 5.15.138 (+19,-103)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
64d8c27
Revert "lantiq: xway: kernel: enable SMP support" (-26)
db7b247
kernel: bump 5.15 to 5.15.150 (+126,-258)
2f2ecea
lantiq: Fix build after kernel 5.15.150 (+3,-11)
Target / layerscape (1 change)
8a7f667
kernel: 5.15: backport v6.1 PHY changes required for Aquantia (+666,-64)
Target / mediatek (51 changes)
a39dca7
kernel: bump 5.15 to 5.15.138 (+19,-103)
3846b6e
filogic: support Telenor branded ZyXEL EX5700 (+403)
e1d1c26
mediatek: add support for Cetron CT3003 (+286)
28d15e2
mediatek: filogic: add support for Ubiquiti UniFi 6 Plus (U6+) (+198)
b530d49
filogic: add support for GL.iNet GL-MT6000 (+636)
f3a8820
mediatek: filogic: remove kmod-usb2 for GL-MT6000 (+1,-1)
f8c149d
mediatek: fix eeprom loading (Mercusys MR90X v1) (+8,-16)
557a32a
filogic: add support for ASUS TUF AX6000 (+411,-5)
6df6f03
mediatek: filogic: add JCG Q30 PRO support (+256)
d924690
mediatek: add support for Zbtlink ZBT-Z8102AX (+374,-2)
efdafcc
mediatek: filogic: Fix GPIOs for Zbtlink ZBT-Z8102AX (+1,-1)
af740e9
mediatek: fix the name of buswidth to bus-width (+36,-36)
b95e9da
mediatek: fiilogic: device tree `switch@1f` fix (+20,-20)
583e672
mediatek: filogic: reorder alphabetically (+64,-66)
0186032
mediatek: filogic: add Acelink EW-7886CAX support (+258)
1598d87
mediatek: add support for Confiabits MT7981 (+319)
fd68317
mediatek: add SPDX header for Confiabits MT7981 DTS (+1)
9a7b14d
mediatek: enable mt7981-wo-firmware package by default (+2,-2)
51881b2
mediatek: add support for Routerich AX3000 (+360,-2)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
40cfdf5
kernel: bump 5.15 to 5.15.146 (+39,-39)
d4a21d7
mediatek: GL-MT6000: Add missing LED state definitions (+6,-3)
4103958
mediatek: fix BPI-R3 wifi mac address (+3,-3)
f41f10f
mediatek: GL-MT6000: Change LED colors (+3,-3)
2dfd145
mediatek: fix ethernet rx hang issue on MT7981/MT7986 (+722)
7338733
mediatek: filogic: add support ASUS RT-AX59U (+314,-8)
1c28058
kernel: bump 5.15 to 5.15.148 (+108,-146)
c90901f
mediatek: fix failsafe ethernet for NWA50AX Pro (+2,-1)
eda5930
generic: 5.15: backport upstream Aquantia PHY firmware loader patches (+3.0K,-43)
b30b1d3
mediatek: filogic: Cudy WR3000 v1 wps button fix (+1,-1)
91ef14a
mediatek: mt7981: improve fan behaviour (+32,-20)
04ec453
mediatek: update LED/Key bindings for Buffalo WSR-2533DHP2 (+24,-13)
7e47913
mediatek: update NVMEM bindings for Buffalo WSR-2533DHP2 (+14,-12)
9c793c4
mediatek: add label-mac-device for Buffalo WSR-2533DHP2 (+1)
a26ea17
mediatek: drop pwm7_pins from Buffalo WSR-2533DHP2 (-9)
882d20e
mediatek: merge trx helpers in image/mt7622.mk (+18,-24)
65f9f31
mediatek: separate dts/dtsi for Buffalo WSR series (+240,-226)
5b4df9a
mediatek: add support for Buffalo WSR-3200AX4S (+225,-2)
f555fa6
mediatek: Add support for D-Link EAGLE PRO AI M32 (+450)
e2954a1
mediatek: Add support for TP-Link EAP225v5 (+199,-1)
6bec680
mediatek: add Zyxel EX5601-T0 with uboot custom partition (+658,-516)
9627654
mediatek: Cetron CT3003: fixes typo for spi properties (+6,-6)
37c2bc4
mediatek: fixes for Ethernet on MT7988 SoC (+372,-11)
6f70e09
mediatek: filogic: add support for Cudy RE3000 v1 (+252,-1)
4c1d13e
kernel: bump 5.15 to 5.15.149 (+110,-107)
db7b247
kernel: bump 5.15 to 5.15.150 (+126,-258)
b3ad42e
filogic: fix wifi eeprom filename for tuf-ax6000 The router use mt7986_eeprom... (+5,-2)
5c786dc
kernel: hack: support inverted LEDs on MaxLinear GPY211 PHY (+11,-7)
6961fe9
mediatek: filogic: Asus TUF AX6000 fix inverted LED for 2.5Gb LAN port (+1)
0a571c9
mediatek: filogic: replace built-in Aquantia driver with module (+1,-2)
a8f5109
mediatek: mt7622: linksys-e8450: set driving strength for SPI-NAND (+7,-1)
Target / mpc85xx (2 changes)
de37b56
mpc85xx: increase available RAM on Extreme Networks WS-AP3825i (+57,-2)
6261ae1
mpc85xx: allow mapping of cpu1 spin-table page (-1)
Target / mvebu (6 changes)
95ebd60
kernel: bump 5.15 to 5.15.139 (+41,-88)
59fd8f0
mvebu: fix RTC of IEI-World Puzzle M90x devices (+24,-2)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
1c28058
kernel: bump 5.15 to 5.15.148 (+108,-146)
4c1d13e
kernel: bump 5.15 to 5.15.149 (+110,-107)
f02920d
mvebu: enable thermal zone polling for IEI Puzzle devices (+6,-3)
Target / octeon (1 change)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
Target / octeontx (4 changes)
a39dca7
kernel: bump 5.15 to 5.15.138 (+19,-103)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
1c28058
kernel: bump 5.15 to 5.15.148 (+108,-146)
4c1d13e
kernel: bump 5.15 to 5.15.149 (+110,-107)
Target / oxnas (1 change)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
Target / ramips (25 changes)
a8f31d2
ramips: sercomm.mk: make common recipe to set a bit in pid (+5,-5)
fd277ee
ramips: mt7620: drop unnecessary trailing tabs (+1,-1)
ebdaee7
ramips: add support for Sercomm CPJ routers (+431)
60e49cf
ramips: fix label-mac for Xiaomi RA75 (+1,-1)
f6fb6bb
ramips: mt7621: use lzma-loader for Sercomm NA502 (+1)
18d7962
ramips: add support for Rostelecom RT-FE-1A (+282)
8ce8726
ramips: mtk_eth_soc: allow multiple resets (+9,-8)
289515e
ramips: mtk_eth_soc: wait longer after FE core reset to settle (+1,-1)
88501f8
ramips: dts: rt3352: reset FE and ESW cores together (+4,-4)
4e1bf2a
ramips: dts: rt3050: reset FE and ESW cores together (+4,-4)
ee4a042
ramips: dts: rt5350: reset FE and ESW cores together (+4,-4)
0128d86
ramips: dts: mt7628an: reset FE and ESW cores together (+4,-4)
23506e7
raimps: mtk_eth_soc: drop rst_esw from ESW driver (+4,-20)
76f7dd3
ramips: lzma-loader: use virtual memory segments for uart base address (+17,-3)
2216b10
ramips: lzma-loader: use proper register names (+8,-5)
9cd589b
ramips: lzma-loader: use default uart for rt305x (+1,-1)
e61d651
ramips: correct the PCIe port number for Unielec u7621-01 (+6,-7)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
6e39d24
ramips: add support for D-Link COVR-X1860 A1 (+235)
8a7f667
kernel: 5.15: backport v6.1 PHY changes required for Aquantia (+666,-64)
1c28058
kernel: bump 5.15 to 5.15.148 (+108,-146)
1bbb94d
ramips: Add support for Cudy WR1300 v3 (+225,-170)
1562847
ramips: add support for TP-Link EX220 v1 (+265,-1)
63a7d5e
ramips: add support for YunCore G720 (+202,-2)
200693f
ramips: add support for Z-ROUTER ZR-2660 (+235,-1)
Target / realtek (6 changes)
67d998e
kernel: bump 5.15 to 5.15.145 (+558,-558)
72421d9
realtek: d-link dgs-1210-10p improve sfp support (+54,-2)
8a7f667
kernel: 5.15: backport v6.1 PHY changes required for Aquantia (+666,-64)
3a23eed
realtek: fix zyxel-vers usage for XGS1250-12 (+1,-1)
eda5930
generic: 5.15: backport upstream Aquantia PHY firmware loader patches (+3.0K,-43)
79a7195
realtek: fix Netgear GS110TPP OEM install (+1)
Target / rockchip (1 change)
80ef582
rockchip: configure eth pad driver strength for orangepi r1 plus lts (+203)
Target / x86 (1 change)
95ebd60
kernel: bump 5.15 to 5.15.139 (+41,-88)
Wireless / Common (6 changes)
9325da8
mac80211: fix a race condition related to enabling fast-xmit (+34)
3aec71a
mac80211: add missing newline for "min_tx_power" (+1,-1)
3bf602d
mac80211: avoid crashing on invalid band info (+34)
2fe497c
mac80211: do not emit VHT160 capabilities if channel width is less than 160 MHz (+5)
48c81b8
wifi-scripts: Support HE Iftypes with multiple entries (+2,-2)
e94052b
mac80211: ath11k: sync with upstream (+1.0K,-9)
Wireless / MT76 (4 changes)
5a0bdab
mt76: drop default eeprom file for mt7986-firmware (-2)
c9c35dc
mt76: Add firmware package for MT7922 (+14)
5ef41b1
mt76: update to latest HEAD (+3,-3)
⇒ b5d1361
mt76: mt7915: fix monitor mode issues (+21,-6)
⇒ bbbac7d
wifi: mt76: rename mt76_packet_id_init/flush to mt76_wcid_init/cleanup (+35,-31)
⇒ f1e1e67
wifi: mt76: fix race condition related to checking tx queue fill status (+120,-20)
234f1a2
mt76: Fix PKG_MIRROR_HASH (+1,-1)
Wireless / Mwlwifi (1 change)
9cf5769
mwlwifi: update to version 10.4.10-20231120 (+525,-126)
⇒ 39fef3e
Remove the tx done packets mechanism (+4,-26)
⇒ 5e4ffc4
Fix the AMPDU session lifecycle (+99,-47)
⇒ 13737d3
Change 88W8864 firmware to 7.2.9.27 ()
⇒ e25064e
Beautify code (+7,-7)
⇒ 8f1a717
fix: num is a 1 instead 0 (+2,-2)
⇒ 2144904
factorization encrypted packet test (+41,-52)
⇒ 46b2d3c
Improved encryption interoperability (+20,-92)
⇒ fb61bda
add .gitignore (+6)
⇒ 28b0fc4
Add *.o.d as cleaned files (+1)
⇒ fb505f7
debug rewrite output mwl_debugfs_sta_read (+28,-44)
⇒ eca369b
Rewrite AMSDU packets (+45,-62)
⇒ 166f5c7
Add wcb_base in debug info (8864) (+43)
⇒ 1b66b6d
drop debug info in hostcmd_get_hw_spec() (-1)
⇒ cca8451
fix amsdu high ping latency (+37,-96)
⇒ 4af7083
dump_prob decommissioning (-67)
⇒ 2dae175
Code separation by chipset (+1.7K,-400)
⇒ + 11 more...
Miscellaneous (1 change)
a527b34
build: do not depend on $(STAGING_DIR)/.prepared when in SDK (+1,-2)
Security fixes
CVE-2023-5678
Description: Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5678
Commits:
aa762ad
openssl: update to 3.0.13 (+6,-6)
CVE-2023-6129
Description: Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129
Commits:
aa762ad
openssl: update to 3.0.13 (+6,-6)
CVE-2023-6237
Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6237
Commits:
aa762ad
openssl: update to 3.0.13 (+6,-6)
CVE-2023-6246
Description: A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6246
Commits:
80c8d65
toolchain: glibc: Update glibc 2.37 to recent HEAD (+2,-2)
CVE-2023-6779
Description: An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6779
Commits:
80c8d65
toolchain: glibc: Update glibc 2.37 to recent HEAD (+2,-2)
CVE-2023-6780
Description: An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6780
Commits:
80c8d65
toolchain: glibc: Update glibc 2.37 to recent HEAD (+2,-2)
CVE-2023-22655
Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22655
Commits:
100a560
firmware: intel-microcode: update to 20240312 (+2,-2)
CVE-2023-23583
Description: Sequence of processor instructions leads to unexpected behavior for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege and/or information disclosure and/or denial of service via local access.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583
Commits:
e0bae5e
firmware: intel-microcode: update to 20231114 (+2,-2)
CVE-2023-28746
Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28746
Commits:
100a560
firmware: intel-microcode: update to 20240312 (+2,-2)
CVE-2023-36328
Description: Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS).
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36328
Commits:
6549a71
dropbear: cherry-pick upstream patches (+338,-1)
CVE-2023-38575
Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38575
Commits:
100a560
firmware: intel-microcode: update to 20240312 (+2,-2)
CVE-2023-39368
Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39368
Commits:
100a560
firmware: intel-microcode: update to 20240312 (+2,-2)
CVE-2023-43490
Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43490
Commits:
100a560
firmware: intel-microcode: update to 20240312 (+2,-2)
CVE-2023-48795
Description: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
Commits:
6549a71
dropbear: cherry-pick upstream patches (+338,-1)
CVE-2023-50387
Description: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387
Commits:
875822f
dnsmasq: version 2.90 (+64,-58)
CVE-2023-50868
Description: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868
Commits:
875822f
dnsmasq: version 2.90 (+64,-58)
CVE-2024-0727
Description: Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack. Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727
Commits:
aa762ad
openssl: update to 3.0.13 (+6,-6)
CVE-2024-23170
Description: An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23170
Commits:
b5c7289
mbedtls: security bump to version 2.28.7 (+2,-2)
CVE-2024-23775
Description: Integer Overflow vulnerability in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2, allows attackers to cause a denial of service (DoS) via mbedtls_x509_set_extension().
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23775
Commits:
b5c7289
mbedtls: security bump to version 2.28.7 (+2,-2)