OpenWrt v22.03.6: adjust config defaults

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

feeds.conf.default

@@ -1,4 +1,4 @@
-src-git-full packages https://git.openwrt.org/feed/packages.git^38cb0129739bc71e0bb5a25ef1f6db70b7add04b
-src-git-full luci https://git.openwrt.org/project/luci.git^ce20b4a6e0c86313c0c6e9c89eedf8f033f5e637
-src-git-full routing https://git.openwrt.org/feed/routing.git^1cc7676b9f32acc30ec47f15fcb70380d5d6ef01
-src-git-full telephony https://git.openwrt.org/feed/telephony.git^5087c7ecbc4f4e3227bd16c6f4d1efb0d3edf460
+src-git-full packages https://git.openwrt.org/feed/packages.git^e34369a41b522a49dec9fb1d81b4ee6b32b731d8
+src-git-full luci https://git.openwrt.org/project/luci.git^74dd23bdb1c2ba00c68e3abf4d00233bb4f939cd
+src-git-full routing https://git.openwrt.org/feed/routing.git^777c115b0a6336d6582c5992d25b631b6d6d21fd
+src-git-full telephony https://git.openwrt.org/feed/telephony.git^33f2ae757b96bf32b0202b211973a246ca2c919b

include/host-build.mk

@@ -130,6 +130,7 @@ define Host/Exports/Default
   $(1) : export STAGING_PREFIX=$$(HOST_BUILD_PREFIX)
   $(1) : export PKG_CONFIG_PATH=$$(STAGING_DIR_HOST)/lib/pkgconfig:$$(HOST_BUILD_PREFIX)/lib/pkgconfig
   $(1) : export PKG_CONFIG_LIBDIR=$$(HOST_BUILD_PREFIX)/lib/pkgconfig
+  $(1) : export GIT_CEILING_DIRECTORIES=$$(BUILD_DIR_HOST)
   $(if $(HOST_CONFIG_SITE),$(1) : export CONFIG_SITE:=$(HOST_CONFIG_SITE))
   $(if $(IS_PACKAGE_BUILD),$(1) : export PATH=$$(TARGET_PATH_PKG))
 endef

include/image-commands.mk

@@ -378,7 +378,7 @@ endef
 
 define Build/netgear-dni
 	$(STAGING_DIR_HOST)/bin/mkdniimg \
-		-B $(NETGEAR_BOARD_ID) -v $(VERSION_DIST).$(firstword $(subst -, ,$(REVISION))) \
+		-B $(NETGEAR_BOARD_ID) -v $(shell cat $(VERSION_DIST)| sed -e 's/[[:space:]]/-/g').$(firstword $(subst -, ,$(REVISION))) \
 		$(if $(NETGEAR_HW_ID),-H $(NETGEAR_HW_ID)) \
 		-r "$(1)" \
 		-i $@ -o $@.new
@@ -391,7 +391,7 @@ define Build/netgear-encrypted-factory
 		--output-file $@ \
 		--model $(NETGEAR_ENC_MODEL) \
 		--region $(NETGEAR_ENC_REGION) \
-		--version V1.0.0.0.$(VERSION_DIST).$(firstword $(subst -, ,$(REVISION))) \
+		--version V1.0.0.0.$(shell cat $(VERSION_DIST)| sed -e 's/[[:space:]]/-/g').$(firstword $(subst -, ,$(REVISION))) \
 		--encryption-block-size 0x20000 \
 		--openssl-bin "$(STAGING_DIR_HOST)/bin/openssl" \
 		--key 6865392d342b4d212964363d6d7e7765312c7132613364316e26322a5a5e2538 \

include/image.mk

@@ -40,8 +40,10 @@ IMG_PREFIX_VERCODE:=$(if $(CONFIG_VERSION_CODE_FILENAMES),$(call sanitize,$(VERS
 IMG_PREFIX:=$(VERSION_DIST_SANITIZED)-$(IMG_PREFIX_VERNUM)$(IMG_PREFIX_VERCODE)$(IMG_PREFIX_EXTRA)$(BOARD)$(if $(SUBTARGET),-$(SUBTARGET))
 IMG_ROOTFS:=$(IMG_PREFIX)-rootfs
 IMG_COMBINED:=$(IMG_PREFIX)-combined
+ifeq ($(DUMP),)
 IMG_PART_SIGNATURE:=$(shell echo $(SOURCE_DATE_EPOCH)$(LINUX_VERMAGIC) | $(MKHASH) md5 | cut -b1-8)
 IMG_PART_DISKGUID:=$(shell echo $(SOURCE_DATE_EPOCH)$(LINUX_VERMAGIC) | $(MKHASH) md5 | sed -E 's/(.{8})(.{4})(.{4})(.{4})(.{10})../\1-\2-\3-\4-\500/')
+endif
 
 MKFS_DEVTABLE_OPT := -D $(INCLUDE_DIR)/device_table.txt
 
@@ -172,7 +174,9 @@ define Image/pad-to
 	mv $(1).new $(1)
 endef
 
+ifeq ($(DUMP),)
 ROOTFS_PARTSIZE=$(shell echo $$(($(CONFIG_TARGET_ROOTFS_PARTSIZE)*1024*1024)))
+endif
 
 define Image/pad-root-squashfs
 	$(call Image/pad-to,$(KDIR)/root.squashfs,$(if $(1),$(1),$(ROOTFS_PARTSIZE)))

include/kernel-5.10

@@ -1,2 +1,2 @@
-LINUX_VERSION-5.10 = .176
-LINUX_KERNEL_HASH-5.10.176 = ce072c60ba04173e05b2a1de3fefdeba5ac8b28b1958d92d21bdbf9b736ef793
+LINUX_VERSION-5.10 = .201
+LINUX_KERNEL_HASH-5.10.201 = 6afc06598fa8e3bc907cff75f995f372df51d40a284e260de78a3421b1f18218

include/kernel-defaults.mk

@@ -171,7 +171,7 @@ define Kernel/CompileImage/Initramfs
 	$(if $(SOURCE_DATE_EPOCH),touch -hcd "@$(SOURCE_DATE_EPOCH)" $(TARGET_DIR) $(TARGET_DIR)/init)
 	rm -rf $(KERNEL_BUILD_DIR)/linux-$(LINUX_VERSION)/usr/initramfs_data.cpio*
 ifeq ($(CONFIG_TARGET_ROOTFS_INITRAMFS_SEPARATE),y)
-ifneq ($(qstrip $(CONFIG_EXTERNAL_CPIO)),)
+ifneq ($(call qstrip,$(CONFIG_EXTERNAL_CPIO)),)
 	$(CP) $(CONFIG_EXTERNAL_CPIO) $(KERNEL_BUILD_DIR)/initrd.cpio
 else
 	( cd $(TARGET_DIR); find . | LC_ALL=C sort | $(STAGING_DIR_HOST)/bin/cpio --reproducible -o -H newc -R 0:0 > $(KERNEL_BUILD_DIR)/initrd.cpio )

include/package.mk

@@ -173,6 +173,7 @@ define Build/Exports/Default
   $(1) : export CONFIG_SITE:=$$(CONFIG_SITE)
   $(1) : export PKG_CONFIG_PATH:=$$(PKG_CONFIG_PATH)
   $(1) : export PKG_CONFIG_LIBDIR:=$$(PKG_CONFIG_PATH)
+  $(1) : export GIT_CEILING_DIRECTORIES:=$$(BUILD_DIR)
 endef
 Build/Exports=$(Build/Exports/Default)
 

include/scan.mk

@@ -49,7 +49,8 @@ define PackageDir
 		$$(call progress,Collecting $(SCAN_NAME) info: $(SCAN_DIR)/$(2)) \
 		echo Source-Makefile: $(SCAN_DIR)/$(2)/Makefile; \
 		$(if $(3),echo Override: $(3),true); \
-		$(NO_TRACE_MAKE) --no-print-dir -r DUMP=1 FEED="$(call feedname,$(2))" -C $(SCAN_DIR)/$(2) $(SCAN_MAKEOPTS) 2>/dev/null || { \
+		$(if $(findstring c,$(OPENWRT_VERBOSE)),$(MAKE),$(NO_TRACE_MAKE) --no-print-dir) -r DUMP=1 FEED="$(call feedname,$(2))" -C $(SCAN_DIR)/$(2) $(SCAN_MAKEOPTS) \
+			$(if $(findstring c,$(OPENWRT_VERBOSE)),,2>/dev/null) || { \
 			mkdir -p "$(TOPDIR)/logs/$(SCAN_DIR)/$(2)"; \
 			$(NO_TRACE_MAKE) --no-print-dir -r DUMP=1 FEED="$(call feedname,$(2))" -C $(SCAN_DIR)/$(2) $(SCAN_MAKEOPTS) > $(TOPDIR)/logs/$(SCAN_DIR)/$(2)/dump.txt 2>&1; \
 			$$(call progress,ERROR: please fix $(SCAN_DIR)/$(2)/Makefile - see logs/$(SCAN_DIR)/$(2)/dump.txt for details\n) \

include/version.mk

@@ -23,13 +23,13 @@ PKG_CONFIG_DEPENDS += \
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),22.03.4)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),22.03.6)
 
 VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r20123-38ccc47687)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r20265-f85a79bcb4)
 
 VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),https://downloads.openwrt.org/releases/22.03.4)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),https://downloads.openwrt.org/releases/22.03.6)
 
 VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)

package/Makefile

@@ -92,6 +92,10 @@ $(curdir)/index: FORCE
 			$(call ERROR_MESSAGE,WARNING: Applying padding in $$d/Packages to workaround usign SHA-512 bug!); \
 			{ echo ""; echo ""; } >> Packages;; \
 		esac; \
+		echo -n '{"architecture": "$(ARCH_PACKAGES)", "packages":{' > index.json; \
+		sed -n -e 's/^Package: \(.*\)$$/"\1":/p' -e 's/^Version: \(.*\)$$/"\1",/p' Packages | tr '\n' ' ' >> index.json; \
+		echo '}}' >> index.json; \
+		sed -i 's/, }}/}}/' index.json; \
 		gzip -9nc Packages > Packages.gz; \
 	); done
 ifdef CONFIG_SIGNED_PACKAGES

package/base-files/image-config.in

@@ -183,7 +183,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "https://downloads.openwrt.org/releases/22.03.4"
+		default "https://downloads.openwrt.org/releases/22.03.6"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:

package/boot/at91bootstrap/Makefile

@@ -13,6 +13,7 @@ PKG_VERSION:=v4.0.3
 PKG_MIRROR_HASH:=1ecdc31a13350fcdcaa3f77ed8ad73906f79fc668dbb2f337e1d5dd877bf9882
 PKG_SOURCE_VERSION:=1d9e673698d9db4a4f2301559f481274de2e75ae
 BINARIES_DIR:=build/binaries
+PKG_CPE_ID:=cpe:/a:linux4sam:at91bootstrap
 
 AT91BOOTSTRAP_V4=y
 ifdef CONFIG_PACKAGE_at91bootstrap-sama5d4_xplaineddf_uboot_secure

package/boot/uboot-bcm4908/Makefile

@@ -7,9 +7,9 @@ PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://git.openwrt.org/project/bcm63xx/u-boot.git
-PKG_SOURCE_DATE:=2022-03-15
-PKG_SOURCE_VERSION:=0625aad74d1f5b6f9c068955ad3fd7f6df635e50
-PKG_MIRROR_HASH:=0602e0e4f101ead206940eccca832b75191905c1e81290340a89b07dbee7a6ce
+PKG_SOURCE_DATE:=2022-12-08
+PKG_SOURCE_VERSION:=4435700d18a791dca0d8d767e5414dfac9df4451
+PKG_MIRROR_HASH:=6062ce611d7222eb3b9768bb4944ff1c7bcf26b997280adf5ea8d7afe83f28a8
 
 include $(INCLUDE_DIR)/u-boot.mk
 include $(INCLUDE_DIR)/package.mk

package/boot/uboot-envtools/files/ramips

@@ -18,7 +18,8 @@ alfa-network,quad-e4g|\
 alfa-network,r36m-e4g|\
 alfa-network,tube-e4g|\
 engenius,esr600h|\
-sitecom,wlr-4100-v1-002)
+sitecom,wlr-4100-v1-002|\
+zyxel,keenetic-lite-iii-a)
 	ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x1000" "0x1000"
 	;;
 allnet,all0256n-4m|\
@@ -62,6 +63,11 @@ linksys,ea8100-v2|\
 mts,wg430223)
 	ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x1000" "0x20000"
 	;;
+snr,cpe-w4n-mt)
+	idx="$(find_mtd_index uboot-env)"
+	[ -n "$idx" ] && \
+		ubootenv_add_uci_config "/dev/mtd$idx" "0x0" "0x1000" "0x1000"
+	;;
 xiaomi,mi-router-3g-v2|\
 xiaomi,mi-router-4a-gigabit|\
 xiaomi,miwifi-3c)

package/firmware/intel-microcode/Makefile

@@ -8,13 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=intel-microcode
-PKG_VERSION:=20220809
+PKG_VERSION:=20230808
 PKG_RELEASE:=1
 
 PKG_SOURCE:=intel-microcode_3.$(PKG_VERSION).1.tar.xz
-PKG_SOURCE_URL:=@DEBIAN/pool/non-free/i/intel-microcode/
-PKG_HASH:=4cf6c3638bb52d9d45c1916af866fd0929628a6f459daac3edfd369149e9c665
+PKG_SOURCE_URL:=@DEBIAN/pool/non-free-firmware/i/intel-microcode/
+PKG_HASH:=29e77c275b3f60a691832c0844f70effbd94a4594d04af21e0c2e6e0c1ac1894
 PKG_BUILD_DIR:=$(BUILD_DIR)/intel-microcode-3.$(PKG_VERSION).1
+PKG_CPE_ID:=cpe:/a:intel:microcode
 
 PKG_BUILD_DEPENDS:=iucode-tool/host
 

package/firmware/ipq-wifi/Makefile

@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/version.mk
 
 PKG_NAME:=ipq-wifi
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_FLAGS:=nonshared
 
 include $(INCLUDE_DIR)/package.mk
@@ -25,36 +25,6 @@ endef
 # <https://wireless.wiki.kernel.org/en/users/drivers/ath10k/boardfiles>
 
 ALLWIFIBOARDS:= \
-	8dev_habanero-dvk \
-	aruba_ap-303 \
-	aruba_ap-365 \
-	asus_rt-ac42u \
-	avm_fritzrepeater-1200 \
-	buffalo_wtr-m2133hp \
-	cellc_rtl30vw \
-	devolo_magic-2-wifi-next \
-	dlink_dap2610 \
-	edgecore_ecw5410 \
-	edgecore_oap100 \
-	engenius_eap2200 \
-	engenius_emd1 \
-	engenius_emr3500 \
-	ezviz_cs-w3-wd1200g-eup \
-	glinet_gl-ap1300 \
-	glinet_gl-b2200 \
-	glinet_gl-s1300 \
-	linksys_ea8300 \
-	linksys_mr8300-v0 \
-	luma_wrtq-329acn \
-	mobipromo_cm520-79f \
-	nec_wg2600hp3 \
-	p2w_r619ac \
-	plasmacloud_pa1200 \
-	plasmacloud_pa2200 \
-	qxwlan_e2600ac-c1 \
-	qxwlan_e2600ac-c2 \
-	teltonika_rutx \
-	zte_mf286d \
 	zte_mf289f
 
 ALLWIFIPACKAGES:=$(foreach BOARD,$(ALLWIFIBOARDS),ipq-wifi-$(BOARD))
@@ -116,36 +86,6 @@ endef
 # Place files in this directory as board-<devicename>.<qca4019|qca9888|qca9984>
 # Add $(eval $(call generate-ipq-wifi-package,<devicename>,<display name>))
 
-$(eval $(call generate-ipq-wifi-package,8dev_habanero-dvk,8devices Habanero DVK))
-$(eval $(call generate-ipq-wifi-package,aruba_ap-303,Aruba AP-303))
-$(eval $(call generate-ipq-wifi-package,aruba_ap-365,Aruba AP-365))
-$(eval $(call generate-ipq-wifi-package,asus_rt-ac42u,ASUS RT-AC42U))
-$(eval $(call generate-ipq-wifi-package,avm_fritzrepeater-1200,AVM FRITZRepeater 1200))
-$(eval $(call generate-ipq-wifi-package,buffalo_wtr-m2133hp,Buffalo WTR-M2133HP))
-$(eval $(call generate-ipq-wifi-package,cellc_rtl30vw, Cell C RTL30VW))
-$(eval $(call generate-ipq-wifi-package,devolo_magic-2-wifi-next,devolo Magic 2 WiFi next))
-$(eval $(call generate-ipq-wifi-package,dlink_dap2610,D-Link DAP-2610))
-$(eval $(call generate-ipq-wifi-package,edgecore_ecw5410,Edgecore ECW5410))
-$(eval $(call generate-ipq-wifi-package,edgecore_oap100,Edgecore OAP100))
-$(eval $(call generate-ipq-wifi-package,engenius_eap2200,EnGenius EAP2200))
-$(eval $(call generate-ipq-wifi-package,engenius_emd1,EnGenius EMD1))
-$(eval $(call generate-ipq-wifi-package,engenius_emr3500,EnGenius EMR3500))
-$(eval $(call generate-ipq-wifi-package,ezviz_cs-w3-wd1200g-eup,EZVIZ CS-W3-WD1200G EUP))
-$(eval $(call generate-ipq-wifi-package,glinet_gl-ap1300,GL.iNet GL-AP1300))
-$(eval $(call generate-ipq-wifi-package,glinet_gl-b2200,GL.iNet GL-B2200))
-$(eval $(call generate-ipq-wifi-package,glinet_gl-s1300,GL.iNet GL-S1300))
-$(eval $(call generate-ipq-wifi-package,linksys_ea8300,Linksys EA8300))
-$(eval $(call generate-ipq-wifi-package,linksys_mr8300-v0,Linksys MR8300))
-$(eval $(call generate-ipq-wifi-package,luma_wrtq-329acn,Luma WRTQ-329ACN))
-$(eval $(call generate-ipq-wifi-package,mobipromo_cm520-79f,MobiPromo CM520-79F))
-$(eval $(call generate-ipq-wifi-package,nec_wg2600hp3,NEC Platforms WG2600HP3))
-$(eval $(call generate-ipq-wifi-package,p2w_r619ac,P&W R619AC))
-$(eval $(call generate-ipq-wifi-package,plasmacloud_pa1200,Plasma Cloud PA1200))
-$(eval $(call generate-ipq-wifi-package,plasmacloud_pa2200,Plasma Cloud PA2200))
-$(eval $(call generate-ipq-wifi-package,qxwlan_e2600ac-c1,Qxwlan E2600AC C1))
-$(eval $(call generate-ipq-wifi-package,qxwlan_e2600ac-c2,Qxwlan E2600AC C2))
-$(eval $(call generate-ipq-wifi-package,teltonika_rutx,Teltonika RUTX))
-$(eval $(call generate-ipq-wifi-package,zte_mf286d,ZTE MF286D))
 $(eval $(call generate-ipq-wifi-package,zte_mf289f,ZTE MF289F))
 
 $(foreach PACKAGE,$(ALLWIFIPACKAGES),$(eval $(call BuildPackage,$(PACKAGE))))

package/firmware/layerscape/ls-dpl/Makefile

@@ -12,7 +12,7 @@ PKG_VERSION:=21.08
 PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://source.codeaurora.org/external/qoriq/qoriq-components/mc-utils
+PKG_SOURCE_URL:=https://github.com/nxp-qoriq/mc-utils
 PKG_SOURCE_VERSION:=LSDK-21.08
 PKG_MIRROR_HASH:=372498ff4b5c8a1ac64ead5856d03ee021332f57771989ed6fe066745372b242
 

package/firmware/linux-firmware/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=linux-firmware
-PKG_VERSION:=20220411
+PKG_VERSION:=20230804
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=@KERNEL/linux/kernel/firmware
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=020b11f6412f4956f5a6f98de7d41867d2b30ea0ce81b1e2d206ec9840363849
+PKG_HASH:=88d46c543847ee3b03404d4941d91c92974690ee1f6fdcbee9cef3e5f97db688
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 
@@ -21,6 +21,9 @@ SCAN_DEPS = *.mk
 
 include $(INCLUDE_DIR)/package.mk
 
+RSTRIP:=:
+STRIP:=:
+
 define Package/firmware-default
   SECTION:=firmware
   CATEGORY:=Firmware

package/firmware/linux-firmware/mediatek.mk

@@ -1,9 +1,9 @@
 Package/mt7601u-firmware = $(call Package/firmware-default,MediaTek MT7601U firmware)
 define Package/mt7601u-firmware/install
-	$(INSTALL_DIR) $(1)/lib/firmware
+	$(INSTALL_DIR) $(1)/lib/firmware/mediatek
 	$(INSTALL_DATA) \
-		$(PKG_BUILD_DIR)/mt7601u.bin \
-		$(1)/lib/firmware
+		$(PKG_BUILD_DIR)/mediatek/mt7601u.bin \
+		$(1)/lib/firmware/mediatek
 endef
 $(eval $(call BuildPackage,mt7601u-firmware))
 

package/firmware/linux-firmware/qca_ath10k.mk

@@ -1,14 +1,3 @@
-QCA99X0_BOARD_REV:=e404444dfc0baf7d0fcde21ab8ec333608c9960c
-QCA99X0_BOARD_FILE:=board-2.bin.$(QCA99X0_BOARD_REV)
-
-define Download/qca99x0-board
-  URL:=https://github.com/kvalo/ath10k-firmware/raw/master/QCA99X0/hw2.0/
-  URL_FILE:=board-2.bin
-  FILE:=$(QCA99X0_BOARD_FILE)
-  HASH:=f91975dca2435fa6f8570146e6b255c2a70b9ffbdf5ef16a29d67bec7374c11a
-endef
-$(eval $(call Download,qca99x0-board))
-
 Package/ath10k-board-qca4019 = $(call Package/firmware-default,ath10k qca4019 board firmware)
 define Package/ath10k-board-qca4019/install
 	$(INSTALL_DIR) $(1)/lib/firmware/ath10k/QCA4019/hw1.0
@@ -117,7 +106,7 @@ Package/ath10k-board-qca99x0 = $(call Package/firmware-default,ath10k qca99x0 bo
 define Package/ath10k-board-qca99x0/install
 	$(INSTALL_DIR) $(1)/lib/firmware/ath10k/QCA99X0/hw2.0
 	$(INSTALL_DATA) \
-		$(DL_DIR)/$(QCA99X0_BOARD_FILE) \
+		$(PKG_BUILD_DIR)/ath10k/QCA99X0/hw2.0/board-2.bin \
 		$(1)/lib/firmware/ath10k/QCA99X0/hw2.0/board-2.bin
 endef
 $(eval $(call BuildPackage,ath10k-board-qca99x0))

package/firmware/wireless-regdb/Makefile

@@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wireless-regdb
-PKG_VERSION:=2023.02.13
+PKG_VERSION:=2023.09.01
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@KERNEL/software/network/wireless-regdb/
-PKG_HASH:=fe81e8a8694dc4753a45087a1c4c7e1b48dee5a59f5f796ce374ea550f0b2e73
+PKG_HASH:=26d4c2a727cc59239b84735aad856b7c7d0b04e30aa5c235c4f7f47f5f053491
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 

package/kernel/bpf-headers/Makefile

@@ -53,7 +53,7 @@ KERNEL_MAKE := \
 	$(MAKE) -C $(PKG_BUILD_DIR) \
 		ARCH=$(BPF_KARCH) \
 		CROSS_COMPILE=$(BPF_ARCH)-linux- \
-		LLVM=1 CC="$(CLANG)" LD="$(TARGET_CROSS)ld" \
+		LLVM=1 LLVM_IAS=1 CC="$(CLANG)" LD="$(TARGET_CROSS)ld" \
 		HOSTCC="$(HOSTCC)" \
 		HOSTCXX="$(HOSTCXX)" \
 		HOST_LOADLIBES="-L$(STAGING_DIR_HOST)/lib" \

package/kernel/linux/modules/netfilter.mk

@@ -188,7 +188,7 @@ $(eval $(call KernelPackage,nf-flow))
 define KernelPackage/nf-socket
   SUBMENU:=$(NF_MENU)
   TITLE:=Netfilter socket lookup support
-  KCONFIG:= $(KCOFNIG_NF_SOCKET)
+  KCONFIG:= $(KCONFIG_NF_SOCKET)
   FILES:=$(foreach mod,$(NF_SOCKET-m),$(LINUX_DIR)/net/$(mod).ko)
   AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_SOCKET-m)))
 endef
@@ -199,7 +199,7 @@ $(eval $(call KernelPackage,nf-socket))
 define KernelPackage/nf-tproxy
   SUBMENU:=$(NF_MENU)
   TITLE:=Netfilter tproxy support
-  KCONFIG:= $(KCOFNIG_NF_TPROXY)
+  KCONFIG:= $(KCONFIG_NF_TPROXY)
   FILES:=$(foreach mod,$(NF_TPROXY-m),$(LINUX_DIR)/net/$(mod).ko)
   AUTOLOAD:=$(call AutoProbe,$(notdir $(NF_TPROXY-m)))
 endef

package/kernel/linux/modules/netsupport.mk

@@ -91,7 +91,7 @@ define KernelPackage/vxlan
 	+kmod-udptunnel4 \
 	+IPV6:kmod-udptunnel6
   KCONFIG:=CONFIG_VXLAN
-  FILES:=$(LINUX_DIR)/drivers/net/vxlan.ko
+  FILES:=$(LINUX_DIR)/drivers/net/vxlan/vxlan.ko
   AUTOLOAD:=$(call AutoLoad,13,vxlan)
 endef
 

package/kernel/mac80211/files/lib/netifd/wireless/mac80211.sh

@@ -753,7 +753,7 @@ mac80211_setup_supplicant() {
 	if [ "$mode" = "sta" ]; then
 		wpa_supplicant_add_network "$ifname"
 	else
-		wpa_supplicant_add_network "$ifname" "$freq" "$htmode" "$noscan"
+		wpa_supplicant_add_network "$ifname" "$freq" "$htmode" "$hostapd_noscan"
 	fi
 
 	NEWSPLIST="${NEWSPLIST}$ifname "
@@ -783,7 +783,7 @@ mac80211_setup_supplicant_noctl() {
 		return 1
 	}
 
-	wpa_supplicant_add_network "$ifname" "$freq" "$htmode" "$noscan"
+	wpa_supplicant_add_network "$ifname" "$freq" "$htmode" "$hostapd_noscan"
 
 	NEWSPLIST="${NEWSPLIST}$ifname "
 	[ "$enable" = 0 ] && {

package/kernel/mt76/Makefile

@@ -8,9 +8,9 @@ PKG_LICENSE_FILES:=
 
 PKG_SOURCE_URL:=https://github.com/openwrt/mt76
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2022-09-06
-PKG_SOURCE_VERSION:=d70546462b7b51ebc2bcdd5c534fdf3465be62a4
-PKG_MIRROR_HASH:=3d6b68d70a78c0072ed10ab2548344b6b3a70ad99e4edc258fafa16886f4abf9
+PKG_SOURCE_DATE:=2023-09-11
+PKG_SOURCE_VERSION:=bdf8ea71700746c634c064d6477aa143f821d6f6
+PKG_MIRROR_HASH:=a080a83068abc204d1f563022391625875ef77deda14be49888c179ff78fa8c8
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_USE_NINJA:=0

package/kernel/mt76/patches/100-aggregation-definitions.patch

@@ -1,13 +0,0 @@
---- a/mt7915/init.c
-+++ b/mt7915/init.c
-@@ -327,8 +327,8 @@ mt7915_init_wiphy(struct ieee80211_hw *h
- 	struct mt7915_dev *dev = phy->dev;
- 
- 	hw->queues = 4;
--	hw->max_rx_aggregation_subframes = IEEE80211_MAX_AMPDU_BUF;
--	hw->max_tx_aggregation_subframes = IEEE80211_MAX_AMPDU_BUF;
-+	hw->max_rx_aggregation_subframes = IEEE80211_MAX_AMPDU_BUF_HE;
-+	hw->max_tx_aggregation_subframes = IEEE80211_MAX_AMPDU_BUF_HE;
- 	hw->netdev_features = NETIF_F_RXCSUM;
- 
- 	hw->radiotap_timestamp.units_pos =

package/kernel/mt76/patches/110-api_update.patch

@@ -1,11 +0,0 @@
---- a/tx.c
-+++ b/tx.c
-@@ -325,7 +325,7 @@ mt76_tx(struct mt76_phy *phy, struct iee
- 	if ((dev->drv->drv_flags & MT_DRV_HW_MGMT_TXQ) &&
- 	    !(info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) &&
- 	    !ieee80211_is_data(hdr->frame_control) &&
--	    !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) {
-+	    !ieee80211_is_bufferable_mmpdu(skb)) {
- 		qid = MT_TXQ_PSD;
- 	}
- 

package/kernel/mt76/patches/120-wifi-mt76-ignore-key-disable-commands.patch

@@ -1,301 +0,0 @@
-From: Felix Fietkau <nbd@nbd.name>
-Date: Wed, 22 Mar 2023 10:17:49 +0100
-Subject: [PATCH] wifi: mt76: ignore key disable commands
-
-This helps avoid cleartext leakage of already queued or powersave buffered
-packets, when a reassoc triggers the key deletion.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Felix Fietkau <nbd@nbd.name>
----
-
---- a/mt7603/main.c
-+++ b/mt7603/main.c
-@@ -512,15 +512,15 @@ mt7603_set_key(struct ieee80211_hw *hw,
- 	    !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
- 		return -EOPNOTSUPP;
- 
--	if (cmd == SET_KEY) {
--		key->hw_key_idx = wcid->idx;
--		wcid->hw_key_idx = idx;
--	} else {
-+	if (cmd != SET_KEY) {
- 		if (idx == wcid->hw_key_idx)
- 			wcid->hw_key_idx = -1;
- 
--		key = NULL;
-+		return 0;
- 	}
-+
-+	key->hw_key_idx = wcid->idx;
-+	wcid->hw_key_idx = idx;
- 	mt76_wcid_key_setup(&dev->mt76, wcid, key);
- 
- 	return mt7603_wtbl_set_key(dev, wcid->idx, key);
---- a/mt7615/mac.c
-+++ b/mt7615/mac.c
-@@ -1178,8 +1178,7 @@ EXPORT_SYMBOL_GPL(mt7615_mac_set_rates);
- static int
- mt7615_mac_wtbl_update_key(struct mt7615_dev *dev, struct mt76_wcid *wcid,
- 			   struct ieee80211_key_conf *key,
--			   enum mt76_cipher_type cipher, u16 cipher_mask,
--			   enum set_key_cmd cmd)
-+			   enum mt76_cipher_type cipher, u16 cipher_mask)
- {
- 	u32 addr = mt7615_mac_wtbl_addr(dev, wcid->idx) + 30 * 4;
- 	u8 data[32] = {};
-@@ -1188,27 +1187,18 @@ mt7615_mac_wtbl_update_key(struct mt7615
- 		return -EINVAL;
- 
- 	mt76_rr_copy(dev, addr, data, sizeof(data));
--	if (cmd == SET_KEY) {
--		if (cipher == MT_CIPHER_TKIP) {
--			/* Rx/Tx MIC keys are swapped */
--			memcpy(data, key->key, 16);
--			memcpy(data + 16, key->key + 24, 8);
--			memcpy(data + 24, key->key + 16, 8);
--		} else {
--			if (cipher_mask == BIT(cipher))
--				memcpy(data, key->key, key->keylen);
--			else if (cipher != MT_CIPHER_BIP_CMAC_128)
--				memcpy(data, key->key, 16);
--			if (cipher == MT_CIPHER_BIP_CMAC_128)
--				memcpy(data + 16, key->key, 16);
--		}
-+	if (cipher == MT_CIPHER_TKIP) {
-+		/* Rx/Tx MIC keys are swapped */
-+		memcpy(data, key->key, 16);
-+		memcpy(data + 16, key->key + 24, 8);
-+		memcpy(data + 24, key->key + 16, 8);
- 	} else {
-+		if (cipher_mask == BIT(cipher))
-+			memcpy(data, key->key, key->keylen);
-+		else if (cipher != MT_CIPHER_BIP_CMAC_128)
-+			memcpy(data, key->key, 16);
- 		if (cipher == MT_CIPHER_BIP_CMAC_128)
--			memset(data + 16, 0, 16);
--		else if (cipher_mask)
--			memset(data, 0, 16);
--		if (!cipher_mask)
--			memset(data, 0, sizeof(data));
-+			memcpy(data + 16, key->key, 16);
- 	}
- 
- 	mt76_wr_copy(dev, addr, data, sizeof(data));
-@@ -1219,7 +1209,7 @@ mt7615_mac_wtbl_update_key(struct mt7615
- static int
- mt7615_mac_wtbl_update_pk(struct mt7615_dev *dev, struct mt76_wcid *wcid,
- 			  enum mt76_cipher_type cipher, u16 cipher_mask,
--			  int keyidx, enum set_key_cmd cmd)
-+			  int keyidx)
- {
- 	u32 addr = mt7615_mac_wtbl_addr(dev, wcid->idx), w0, w1;
- 
-@@ -1238,9 +1228,7 @@ mt7615_mac_wtbl_update_pk(struct mt7615_
- 	else
- 		w0 &= ~MT_WTBL_W0_RX_IK_VALID;
- 
--	if (cmd == SET_KEY &&
--	    (cipher != MT_CIPHER_BIP_CMAC_128 ||
--	     cipher_mask == BIT(cipher))) {
-+	if (cipher != MT_CIPHER_BIP_CMAC_128 || cipher_mask == BIT(cipher)) {
- 		w0 &= ~MT_WTBL_W0_KEY_IDX;
- 		w0 |= FIELD_PREP(MT_WTBL_W0_KEY_IDX, keyidx);
- 	}
-@@ -1257,19 +1245,10 @@ mt7615_mac_wtbl_update_pk(struct mt7615_
- 
- static void
- mt7615_mac_wtbl_update_cipher(struct mt7615_dev *dev, struct mt76_wcid *wcid,
--			      enum mt76_cipher_type cipher, u16 cipher_mask,
--			      enum set_key_cmd cmd)
-+			      enum mt76_cipher_type cipher, u16 cipher_mask)
- {
- 	u32 addr = mt7615_mac_wtbl_addr(dev, wcid->idx);
- 
--	if (!cipher_mask) {
--		mt76_clear(dev, addr + 2 * 4, MT_WTBL_W2_KEY_TYPE);
--		return;
--	}
--
--	if (cmd != SET_KEY)
--		return;
--
- 	if (cipher == MT_CIPHER_BIP_CMAC_128 &&
- 	    cipher_mask & ~BIT(MT_CIPHER_BIP_CMAC_128))
- 		return;
-@@ -1280,8 +1259,7 @@ mt7615_mac_wtbl_update_cipher(struct mt7
- 
- int __mt7615_mac_wtbl_set_key(struct mt7615_dev *dev,
- 			      struct mt76_wcid *wcid,
--			      struct ieee80211_key_conf *key,
--			      enum set_key_cmd cmd)
-+			      struct ieee80211_key_conf *key)
- {
- 	enum mt76_cipher_type cipher;
- 	u16 cipher_mask = wcid->cipher;
-@@ -1291,19 +1269,14 @@ int __mt7615_mac_wtbl_set_key(struct mt7
- 	if (cipher == MT_CIPHER_NONE)
- 		return -EOPNOTSUPP;
- 
--	if (cmd == SET_KEY)
--		cipher_mask |= BIT(cipher);
--	else
--		cipher_mask &= ~BIT(cipher);
--
--	mt7615_mac_wtbl_update_cipher(dev, wcid, cipher, cipher_mask, cmd);
--	err = mt7615_mac_wtbl_update_key(dev, wcid, key, cipher, cipher_mask,
--					 cmd);
-+	cipher_mask |= BIT(cipher);
-+	mt7615_mac_wtbl_update_cipher(dev, wcid, cipher, cipher_mask);
-+	err = mt7615_mac_wtbl_update_key(dev, wcid, key, cipher, cipher_mask);
- 	if (err < 0)
- 		return err;
- 
- 	err = mt7615_mac_wtbl_update_pk(dev, wcid, cipher, cipher_mask,
--					key->keyidx, cmd);
-+					key->keyidx);
- 	if (err < 0)
- 		return err;
- 
-@@ -1314,13 +1287,12 @@ int __mt7615_mac_wtbl_set_key(struct mt7
- 
- int mt7615_mac_wtbl_set_key(struct mt7615_dev *dev,
- 			    struct mt76_wcid *wcid,
--			    struct ieee80211_key_conf *key,
--			    enum set_key_cmd cmd)
-+			    struct ieee80211_key_conf *key)
- {
- 	int err;
- 
- 	spin_lock_bh(&dev->mt76.lock);
--	err = __mt7615_mac_wtbl_set_key(dev, wcid, key, cmd);
-+	err = __mt7615_mac_wtbl_set_key(dev, wcid, key);
- 	spin_unlock_bh(&dev->mt76.lock);
- 
- 	return err;
---- a/mt7615/main.c
-+++ b/mt7615/main.c
-@@ -391,18 +391,17 @@ static int mt7615_set_key(struct ieee802
- 
- 	if (cmd == SET_KEY)
- 		*wcid_keyidx = idx;
--	else if (idx == *wcid_keyidx)
--		*wcid_keyidx = -1;
--	else
-+	else {
-+		if (idx == *wcid_keyidx)
-+			*wcid_keyidx = -1;
- 		goto out;
-+	}
- 
--	mt76_wcid_key_setup(&dev->mt76, wcid,
--			    cmd == SET_KEY ? key : NULL);
--
-+	mt76_wcid_key_setup(&dev->mt76, wcid, key);
- 	if (mt76_is_mmio(&dev->mt76))
--		err = mt7615_mac_wtbl_set_key(dev, wcid, key, cmd);
-+		err = mt7615_mac_wtbl_set_key(dev, wcid, key);
- 	else
--		err = __mt7615_mac_wtbl_set_key(dev, wcid, key, cmd);
-+		err = __mt7615_mac_wtbl_set_key(dev, wcid, key);
- 
- out:
- 	mt7615_mutex_release(dev);
---- a/mt7615/mt7615.h
-+++ b/mt7615/mt7615.h
-@@ -482,11 +482,9 @@ int mt7615_mac_write_txwi(struct mt7615_
- void mt7615_mac_set_timing(struct mt7615_phy *phy);
- int __mt7615_mac_wtbl_set_key(struct mt7615_dev *dev,
- 			      struct mt76_wcid *wcid,
--			      struct ieee80211_key_conf *key,
--			      enum set_key_cmd cmd);
-+			      struct ieee80211_key_conf *key);
- int mt7615_mac_wtbl_set_key(struct mt7615_dev *dev, struct mt76_wcid *wcid,
--			    struct ieee80211_key_conf *key,
--			    enum set_key_cmd cmd);
-+			    struct ieee80211_key_conf *key);
- void mt7615_mac_reset_work(struct work_struct *work);
- u32 mt7615_mac_get_sta_tid_sn(struct mt7615_dev *dev, int wcid, u8 tid);
- 
---- a/mt76x02_util.c
-+++ b/mt76x02_util.c
-@@ -455,20 +455,20 @@ int mt76x02_set_key(struct ieee80211_hw
- 	msta = sta ? (struct mt76x02_sta *)sta->drv_priv : NULL;
- 	wcid = msta ? &msta->wcid : &mvif->group_wcid;
- 
--	if (cmd == SET_KEY) {
--		key->hw_key_idx = wcid->idx;
--		wcid->hw_key_idx = idx;
--		if (key->flags & IEEE80211_KEY_FLAG_RX_MGMT) {
--			key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX;
--			wcid->sw_iv = true;
--		}
--	} else {
-+	if (cmd != SET_KEY) {
- 		if (idx == wcid->hw_key_idx) {
- 			wcid->hw_key_idx = -1;
- 			wcid->sw_iv = false;
- 		}
- 
--		key = NULL;
-+		return 0;
-+	}
-+
-+	key->hw_key_idx = wcid->idx;
-+	wcid->hw_key_idx = idx;
-+	if (key->flags & IEEE80211_KEY_FLAG_RX_MGMT) {
-+		key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX;
-+		wcid->sw_iv = true;
- 	}
- 	mt76_wcid_key_setup(&dev->mt76, wcid, key);
- 
---- a/mt7915/main.c
-+++ b/mt7915/main.c
-@@ -387,16 +387,15 @@ static int mt7915_set_key(struct ieee802
- 		mt7915_mcu_add_bss_info(phy, vif, true);
- 	}
- 
--	if (cmd == SET_KEY)
-+	if (cmd == SET_KEY) {
- 		*wcid_keyidx = idx;
--	else if (idx == *wcid_keyidx)
--		*wcid_keyidx = -1;
--	else
-+	} else {
-+		if (idx == *wcid_keyidx)
-+			*wcid_keyidx = -1;
- 		goto out;
-+	}
- 
--	mt76_wcid_key_setup(&dev->mt76, wcid,
--			    cmd == SET_KEY ? key : NULL);
--
-+	mt76_wcid_key_setup(&dev->mt76, wcid, key);
- 	err = mt76_connac_mcu_add_key(&dev->mt76, vif, &msta->bip,
- 				      key, MCU_EXT_CMD(STA_REC_UPDATE),
- 				      &msta->wcid, cmd);
---- a/mt7921/main.c
-+++ b/mt7921/main.c
-@@ -463,16 +463,15 @@ static int mt7921_set_key(struct ieee802
- 
- 	mt7921_mutex_acquire(dev);
- 
--	if (cmd == SET_KEY)
-+	if (cmd == SET_KEY) {
- 		*wcid_keyidx = idx;
--	else if (idx == *wcid_keyidx)
--		*wcid_keyidx = -1;
--	else
-+	} else {
-+		if (idx == *wcid_keyidx)
-+			*wcid_keyidx = -1;
- 		goto out;
-+	}
- 
--	mt76_wcid_key_setup(&dev->mt76, wcid,
--			    cmd == SET_KEY ? key : NULL);
--
-+	mt76_wcid_key_setup(&dev->mt76, wcid, key);
- 	err = mt76_connac_mcu_add_key(&dev->mt76, vif, &msta->bip,
- 				      key, MCU_UNI_CMD(STA_REC_UPDATE),
- 				      &msta->wcid, cmd);

package/libs/gmp/Makefile

@@ -19,6 +19,7 @@ PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
 PKG_FIXUP:=autoreconf
 PKG_LICENSE:=GPL-2.0-or-later
+PKG_CPE_ID:=cpe:/a:gmplib:gmp
 
 PKG_USE_MIPS16:=0
 

package/libs/libbsd/Makefile

@@ -10,6 +10,7 @@ PKG_HASH:=34b8adc726883d0e85b3118fa13605e179a62b31ba51f676136ecb2d0bc1a887
 
 PKG_LICENSE:=BSD-4-Clause
 PKG_LICENSE_FILES:=COPYING
+PKG_CPE_ID:=cpe:/a:freedesktop:libbsd
 
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1

package/libs/libnetfilter-conntrack/Makefile

@@ -18,6 +18,7 @@ PKG_HASH:=67bd9df49fe34e8b82144f6dfb93b320f384a8ea59727e92ff8d18b5f4b579a8
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=COPYING
+PKG_CPE_ID:=cpe:/a:netfilter:libnetfilter_conntrack
 
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1

package/libs/libpcap/Makefile

@@ -18,6 +18,7 @@ PKG_HASH:=ed285f4accaf05344f90975757b3dbfe772ba41d1c401c2648b7fa45b711bdd4
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
+PKG_CPE_ID:=cpe:/a:tcpdump:libpcap
 
 PKG_ASLR_PIE_REGULAR:=1
 

package/libs/mbedtls/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.28.2
+PKG_VERSION:=2.28.5
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=bc55232bf71fd66045122ba9050a29ea7cb2e8f99b064a9e6334a82f715881a0
+PKG_HASH:=849e86b626e42ded6bf67197b64aa771daa54e2a7e2868dc67e1e4711959e5e3
 
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=gpl-2.0.txt

package/libs/mbedtls/patches/100-fix-compile.patch

@@ -1,22 +0,0 @@
-Fix a compile problem introduced in commit 331c3421d1f0 ("Address review comments")
-
-Bug report: https://github.com/Mbed-TLS/mbedtls/issues/6243
-
---- a/programs/ssl/ssl_server2.c
-+++ b/programs/ssl/ssl_server2.c
-@@ -2529,7 +2529,6 @@ int main( int argc, char *argv[] )
-         }
-         key_cert_init2 = 2;
- #endif /* MBEDTLS_ECDSA_C */
--    }
- 
- #if defined(MBEDTLS_USE_PSA_CRYPTO)
-     if( opt.key_opaque != 0 )
-@@ -2558,6 +2557,7 @@ int main( int argc, char *argv[] )
-     }
- #endif /* MBEDTLS_USE_PSA_CRYPTO */
- #endif /* MBEDTLS_CERTS_C */
-+    }
- 
-     mbedtls_printf( " ok (key types: %s - %s)\n", mbedtls_pk_get_name( &pkey ), mbedtls_pk_get_name( &pkey2 ) );
- #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */

package/libs/openssl/Makefile

@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=t
+PKG_BUGFIX:=w
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
@@ -25,7 +25,7 @@ PKG_SOURCE_URL:= \
 	ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
 	ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b
+PKG_HASH:=cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
@@ -332,6 +332,7 @@ define Build/Configure
 			--libdir=lib \
 			--openssldir=/etc/ssl \
 			--cross-compile-prefix="$(TARGET_CROSS)" \
+			$(TARGET_CFLAGS) \
 			$(TARGET_CPPFLAGS) \
 			$(TARGET_LDFLAGS) \
 			$(OPENSSL_OPTIONS) && \

package/libs/popt/Makefile

@@ -18,6 +18,7 @@ PKG_SOURCE_URL:= \
 	http://rpm5.org/files/popt/
 PKG_HASH:=e728ed296fe9f069a0e005003c3d6b2dde3d9cad453422a10d6558616d304cc8
 PKG_LICENSE:=MIT
+PKG_CPE_ID:=cpe:/a:popt_project:popt
 
 PKG_FIXUP:=autoreconf
 PKG_REMOVE_FILES:=autogen.sh aclocal.m4

package/libs/sysfsutils/Makefile

@@ -15,6 +15,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@SF/linux-diag
 PKG_HASH:=e865de2c1f559fff0d3fc936e660c0efaf7afe662064f2fb97ccad1ec28d208a
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
+PKG_CPE_ID:=cpe:/a:sysfsutils_project:sysfsutils
 
 PKG_LICENSE:=LGPL-2.1
 PKG_LICENSE_FILES:=COPYING cmd/GPL lib/LGPL

package/libs/uclient/Makefile

@@ -5,9 +5,9 @@ PKG_RELEASE=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/uclient.git
-PKG_MIRROR_HASH:=7c443cac02a734dd312c65618f4de17248d188317f30a9fac192c1503b3d5c05
-PKG_SOURCE_DATE:=2021-05-14
-PKG_SOURCE_VERSION:=6a6011df3429ffa5958d12b1327eeda4fd9daa47
+PKG_MIRROR_HASH:=16c6c97f45d9737fb40628ea22ae347541a1e37d8d1576e04ffbaa5fc92f3b6d
+PKG_SOURCE_DATE:=2023-04-13
+PKG_SOURCE_VERSION:=007d945467499f43656b141171d31f5643b83a6c
 CMAKE_INSTALL:=1
 
 PKG_BUILD_DEPENDS:=ustream-ssl

package/libs/wolfssl/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=5.5.4-stable
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_VERSION:=5.6.4-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b7ee150e49def77c765bc02aac92ddeb0bebefd4cb12aa263d8f95e405221fb8
+PKG_HASH:=031691906794ff45e1e792561cf31759f5d29ac74936bc8dffb8b14f16d820b4
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1

package/libs/wolfssl/patches/100-disable-hardening-check.patch

@@ -1,10 +1,10 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2496,7 +2496,7 @@ extern void uITRON4_free(void *p) ;
- #endif
+@@ -2630,7 +2630,7 @@ extern void uITRON4_free(void *p) ;
  
  /* warning for not using harden build options (default with ./configure) */
--#ifndef WC_NO_HARDEN
+ /* do not warn if big integer support is disabled */
+-#if !defined(WC_NO_HARDEN) && !defined(NO_BIG_INT)
 +#if 0
      #if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \
          (defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \

package/network/services/dropbear/files/dropbear.failsafe

@@ -1,8 +1,9 @@
 #!/bin/sh
 
 failsafe_dropbear () {
-	dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
-	dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
+	dropbearkey -t rsa -s 1024 -f /tmp/dropbear_rsa_failsafe_host_key
+	dropbearkey -t ed25519 -f /tmp/dropbear_ed25519_failsafe_host_key
+	dropbear -r /tmp/dropbear_rsa_failsafe_host_key -r /tmp/dropbear_ed25519_failsafe_host_key <> /dev/null 2>&1
 }
 
 boot_hook_add failsafe failsafe_dropbear

package/network/services/hostapd/Makefile

@@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostapd
-PKG_RELEASE:=$(AUTORELEASE).2
+PKG_RELEASE:=$(AUTORELEASE).3
 
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git

package/network/services/hostapd/patches/301-mesh-noscan.patch

@@ -24,8 +24,8 @@
  			   frequency);
  		goto out_free;
  	}
-+	if (ssid->noscan)
-+		conf->noscan = 1;
++	if (conf->noscan)
++		ssid->noscan = 1;
  
  	if (ssid->mesh_basic_rates == NULL) {
  		/*
@@ -36,7 +36,7 @@
  	enum hostapd_hw_mode hw_mode;
  	struct hostapd_hw_modes *mode = NULL;
 -	int ht40plus[] = { 36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157,
-+	int ht40plus[] = { 1, 2, 3, 4, 5, 6, 36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157,
++	int ht40plus[] = { 1, 2, 3, 4, 5, 6, 7, 36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157,
  			   184, 192 };
  	int bw80[] = { 5180, 5260, 5500, 5580, 5660, 5745, 5955,
  		       6035, 6115, 6195, 6275, 6355, 6435, 6515,

package/network/services/uhttpd/Makefile

@@ -12,9 +12,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git
-PKG_SOURCE_DATE:=2022-10-31
-PKG_SOURCE_VERSION:=23977554d9694d025eada50a5547e99ee1be7838
-PKG_MIRROR_HASH:=e546fd57d0d0be6a51e2aeb5797febe8c89d2bba61b26c930ecb0616d5f6ace9
+PKG_SOURCE_DATE:=2023-06-25
+PKG_SOURCE_VERSION:=34a8a74dbdec3c0de38abc1b08f6a73c51263792
+PKG_MIRROR_HASH:=8206885eebed5d1827763bcc5bcf9ca3510ae22b0ad1f6432114f1136c32dde2
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=ISC
 

package/network/utils/ebtables/Makefile

@@ -17,6 +17,7 @@ PKG_SOURCE_VERSION:=48cff25dfea5b37e16ba5dc6601e98ab140f5f99
 PKG_MIRROR_HASH:=1327cdc3402e5e3056819e4e9b6f9d4a5bfd401f2c4f58447afb2c3c73fc8aac
 
 PKG_LICENSE:=GPL-2.0
+PKG_CPE_ID:=cpe:/a:netfilter:ebtables
 
 include $(INCLUDE_DIR)/package.mk
 

package/network/utils/ipset/Makefile

@@ -18,6 +18,7 @@ PKG_HASH:=0a5545aaadb640142c1f888d366a78ddf8724799967fa20686a70053bd621751
 
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
 PKG_LICENSE:=GPL-2.0
+PKG_CPE_ID:=cpe:/a:netfilter:ipset
 
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1

package/network/utils/iw/Makefile

@@ -17,6 +17,7 @@ PKG_HASH:=4c44e42762f903f9094ba5a598998c800a97a62afd6fd31ec1e0a799e308659c
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=GPL-2.0
+PKG_CPE_ID:=cpe:/a:kernel:iw
 
 include $(INCLUDE_DIR)/package.mk
 

package/network/utils/layerscape/restool/Makefile

@@ -12,7 +12,7 @@ PKG_VERSION:=21.08
 PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://source.codeaurora.org/external/qoriq/qoriq-components/restool
+PKG_SOURCE_URL:=https://github.com/nxp-qoriq/restool
 PKG_SOURCE_VERSION:=LSDK-21.08
 PKG_MIRROR_HASH:=0396644927b8f3da20183227562f695c8063d3d4c6bb606e8f31dda450e962e4
 

package/system/ca-certificates/Makefile

@@ -7,17 +7,20 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ca-certificates
-PKG_VERSION:=20211016
+PKG_VERSION:=20230311
 PKG_RELEASE:=1
 PKG_MAINTAINER:=
 
 PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@DEBIAN/pool/main/c/ca-certificates
-PKG_HASH:=2ae9b6dc5f40c25d6d7fe55e07b54f12a8967d1955d3b7b2f42ee46266eeef88
+PKG_HASH:=83de934afa186e279d1ed08ea0d73f5cf43a6fbfb5f00874b6db3711c64576f3
 PKG_INSTALL:=1
 
 include $(INCLUDE_DIR)/package.mk
 
+TAR_OPTIONS+= --strip-components 1
+TAR_CMD=$(HOST_TAR) -C $(1) $(TAR_OPTIONS)
+
 define Package/ca-certificates
   SECTION:=base
   CATEGORY:=Base system
@@ -34,13 +37,6 @@ define Package/ca-bundle
   PROVIDES:=ca-certs
 endef
 
-define Build/Prepare
-	$(DECOMPRESS_CMD) $(HOST_TAR) -C $(PKG_BUILD_DIR) $(TAR_OPTIONS)
-	$(Build/Patch)
-endef
-
-MAKE_PATH := work
-
 define Build/Install
 	mkdir -p \
 		$(PKG_INSTALL_DIR)/usr/sbin \

package/system/ca-certificates/patches/0001-ca-certificates-fix-python3-cryptography-woes-in-cer.patch

@@ -18,8 +18,8 @@ Reported-by: Chen Minqiang <ptpt52@gmail.com>
 Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
 Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
 ---
---- a/work/mozilla/certdata2pem.py
-+++ b/work/mozilla/certdata2pem.py
+--- a/mozilla/certdata2pem.py
++++ b/mozilla/certdata2pem.py
 @@ -21,16 +21,12 @@
  # USA.
  
@@ -42,8 +42,8 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
          if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
              continue
 -
--        cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
--        if cert.not_valid_after < datetime.datetime.now():
+-        cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+-        if cert.not_valid_after < datetime.datetime.utcnow():
 -            print('!'*74)
 -            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
 -            print('!'*74)

package/system/iucode-tool/Makefile

@@ -14,6 +14,7 @@ PKG_RELEASE:=2
 PKG_SOURCE:=iucode-tool_$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://gitlab.com/iucode-tool/releases/raw/latest
 PKG_HASH:=12b88efa4d0d95af08db05a50b3dcb217c0eb2bfc67b483779e33d498ddb2f95
+PKG_CPE_ID:=cpe:/a:iucode-tool_project:iucode-tool
 
 PKG_BUILD_DEPENDS:=USE_UCLIBC:argp-standalone USE_MUSL:argp-standalone
 HOST_BUILD_DEPENDS:=HOST_OS_MACOS:argp-standalone/host

package/system/urngd/Makefile

@@ -5,9 +5,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/urngd.git
-PKG_SOURCE_DATE:=2020-01-21
-PKG_SOURCE_VERSION:=c7f7b6b65b82eda4675b42d8cd28d76ea7aebf1a
-PKG_MIRROR_HASH:=2d31025b79fe130c579d6c3f4bf4dc12abc43a7319b20a5cdca24ae363ec70f3
+PKG_SOURCE_DATE:=2023-11-01
+PKG_SOURCE_VERSION:=44365eb1e1165f2a44cb31f404b04cf85031718e
+PKG_MIRROR_HASH:=743bdfacf1f1e779047a55fe8f388aaf31f6e55e8a4d0a00fcabffb68af2202e
 
 PKG_LICENSE:=GPL-2.0 BSD-3-Clause
 PKG_LICENSE_FILES:=

package/utils/adb/Makefile

@@ -13,6 +13,7 @@ PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_SOURCE_VERSION)
 PKG_SOURCE:=$(PKG_SOURCE_SUBDIR).tar.xz
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_SUBDIR)
 PKG_MAINTAINER:=Henryk Heisig <hyniu@o2.pl>
+PKG_CPE_ID:=cpe:/a:google:android_debug_bridge
 
 include $(INCLUDE_DIR)/package.mk
 

package/utils/bsdiff/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bsdiff
 PKG_VERSION:=4.3
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.daemonology.net/bsdiff/
@@ -18,6 +18,7 @@ PKG_MAINTAINER:=Hauke Mehrtens <hauke@hauke-m.de>
 HOST_BUILD_DEPENDS:=bzip2/host
 
 PKG_LICENSE:=BSD-2-Clause
+PKG_CPE_ID:=cpe:/a:daemonology:bsdiff
 
 include $(INCLUDE_DIR)/host-build.mk
 include $(INCLUDE_DIR)/package.mk

package/utils/bsdiff/patches/001-musl.patch

@@ -1,6 +1,6 @@
---- a/bsdiff.c	2005-08-17 00:13:52.000000000 +0200
-+++ b/bsdiff.c	2016-02-21 01:39:31.157915765 +0100
-@@ -101,7 +101,7 @@
+--- a/bsdiff.c
++++ b/bsdiff.c
+@@ -101,7 +101,7 @@ static void split(off_t *I,off_t *V,off_
  	if(start+len>kk) split(I,V,kk,start+len-kk,h);
  }
  
@@ -9,7 +9,7 @@
  {
  	off_t buckets[256];
  	off_t i,h,len;
-@@ -139,7 +139,7 @@
+@@ -139,7 +139,7 @@ static void qsufsort(off_t *I,off_t *V,u
  	for(i=0;i<oldsize+1;i++) I[V[i]]=i;
  }
  
@@ -18,7 +18,7 @@
  {
  	off_t i;
  
-@@ -149,8 +149,8 @@
+@@ -149,8 +149,8 @@ static off_t matchlen(u_char *old,off_t
  	return i;
  }
  
@@ -29,7 +29,7 @@
  {
  	off_t x,y;
  
-@@ -175,7 +175,7 @@
+@@ -175,7 +175,7 @@ static off_t search(off_t *I,u_char *old
  	};
  }
  
@@ -38,7 +38,7 @@
  {
  	off_t y;
  
-@@ -196,7 +196,7 @@
+@@ -196,7 +196,7 @@ static void offtout(off_t x,u_char *buf)
  int main(int argc,char *argv[])
  {
  	int fd;
@@ -47,7 +47,7 @@
  	off_t oldsize,newsize;
  	off_t *I,*V;
  	off_t scan,pos,len;
-@@ -206,9 +206,9 @@
+@@ -206,9 +206,9 @@ int main(int argc,char *argv[])
  	off_t overlap,Ss,lens;
  	off_t i;
  	off_t dblen,eblen;
@@ -60,9 +60,9 @@
  	FILE * pf;
  	BZFILE * pfbz2;
  	int bz2err;
---- a/bspatch.c	2005-08-17 00:14:00.000000000 +0200
-+++ b/bspatch.c	2016-02-21 01:39:29.753859970 +0100
-@@ -36,7 +36,7 @@
+--- a/bspatch.c
++++ b/bspatch.c
+@@ -36,7 +36,7 @@ __FBSDID("$FreeBSD: src/usr.bin/bsdiff/b
  #include <unistd.h>
  #include <fcntl.h>
  
@@ -71,7 +71,7 @@
  {
  	off_t y;
  
-@@ -62,8 +62,8 @@
+@@ -62,8 +62,8 @@ int main(int argc,char * argv[])
  	int fd;
  	ssize_t oldsize,newsize;
  	ssize_t bzctrllen,bzdatalen;

package/utils/bsdiff/patches/020-CVE-2014-9862.patch

@@ -0,0 +1,37 @@
+From: The FreeBSD Project
+Bug: https://security-tracker.debian.org/tracker/CVE-2014-9862
+Subject: CVE-2014-9862 - check for a negative value on numbers of bytes
+  The implementation of bspatch does not check for a negative value on numbers
+  of bytes read from the diff and extra streams, allowing an attacker who
+  can control the patch file to write at arbitrary locations in the heap.
+  .
+  bspatch's main loop reads three numbers from the "control" stream in
+  the patch: X, Y and Z. The first two are the number of bytes to read
+  from "diff" and "extra" (and thus only non-negative), while the
+  third one could be positive or negative and moves the oldpos pointer
+  on the source image. These 3 values are 64bits signed ints (encoded
+  somehow on the file) that are later passed the function that reads
+  from the streams, but those values are not verified to be
+  non-negative.
+  .
+  Official report https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
+  The patch was downloaded from a link pointed by
+  https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp
+
+---
+ bspatch.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/bspatch.c
++++ b/bspatch.c
+@@ -152,6 +152,10 @@ int main(int argc,char * argv[])
+ 		};
+ 
+ 		/* Sanity-check */
++		if ((ctrl[0] < 0) || (ctrl[1] < 0))
++			errx(1,"Corrupt patch\n");
++
++		/* Sanity-check */
+ 		if(newpos+ctrl[0]>newsize)
+ 			errx(1,"Corrupt patch\n");
+ 

package/utils/bsdiff/patches/033-CVE-2020-14315.patch

@@ -0,0 +1,383 @@
+Description: patch for CVE-2020-14315
+ A memory corruption vulnerability is present in bspatch as shipped in
+ Colin Percival’s bsdiff tools version 4.3. Insufficient checks when
+ handling external inputs allows an attacker to bypass the sanity checks
+ in place and write out of a dynamically allocated buffer boundaries.
+Source: https://svnweb.freebsd.org/base/head/usr.bin/bsdiff/bspatch/bspatch.c?revision=352742&view=co
+Author: tony mancill <tmancill@debian.org>
+Comment: The patch was created by comparing the Debian sources to the
+ "Confirmed Patched Version" [1] documented in the
+ X41 D-SEC GmbH Security Advisory: X41-2020-006 [2].
+ References to FreeBSD capsicum have been dropped.  Definitions for
+ TYPE_MINIMUM and TYPE_MAXIMUM have been borrowed from the Debian
+ coreutils package sources but originate in gnulib [3] and are used to
+ define OFF_MIN and OFF_MAX (limits of off_t). Whitespace changes from
+ the confirmed patched version are also included and keep the difference
+ between the Debian sources and the confirmed patched version minimal.
+ .
+ [1] https://svnweb.freebsd.org/base/head/usr.bin/bsdiff/bspatch/bspatch.c?revision=352742&view=co
+ [2] https://www.openwall.com/lists/oss-security/2020/07/09/2
+ [3] https://www.gnu.org/software/gnulib/
+Last-Update: 2021-04-03
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964796
+
+--- a/bspatch.c
++++ b/bspatch.c
+@@ -1,4 +1,6 @@
+ /*-
++ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
++ *
+  * Copyright 2003-2005 Colin Percival
+  * All rights reserved
+  *
+@@ -25,55 +27,147 @@
+  */
+ 
+ #if 0
+-__FBSDID("$FreeBSD: src/usr.bin/bsdiff/bspatch/bspatch.c,v 1.1 2005/08/06 01:59:06 cperciva Exp $");
++__FBSDID("$FreeBSD$");
+ #endif
+ 
+ #include <bzlib.h>
+-#include <stdlib.h>
++#include <err.h>
++#include <fcntl.h>
++#include <libgen.h>
++#include <limits.h>
++#include <stdint.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
+-#include <err.h>
+ #include <unistd.h>
+-#include <fcntl.h>
++
++#ifndef O_BINARY
++#define O_BINARY 0
++#endif
++#define HEADER_SIZE 32
++
++/* TYPE_MINIMUM and TYPE_MAXIMUM taken from coreutils */
++#ifndef TYPE_MINIMUM
++#define TYPE_MINIMUM(t) \
++  ((t) ((t) 0 < (t) -1 ? (t) 0 : ~ TYPE_MAXIMUM (t)))
++#endif
++#ifndef TYPE_MAXIMUM
++#define TYPE_MAXIMUM(t) \
++  ((t) ((t) 0 < (t) -1 \
++        ? (t) -1 \
++        : ((((t) 1 << (sizeof (t) * CHAR_BIT - 2)) - 1) * 2 + 1)))
++#endif
++
++#ifndef OFF_MAX
++#define OFF_MAX TYPE_MAXIMUM(off_t)
++#endif
++
++#ifndef OFF_MIN
++#define OFF_MIN TYPE_MINIMUM(off_t)
++#endif
++
++static char *newfile;
++static int dirfd = -1;
++
++static void
++exit_cleanup(void)
++{
++
++	if (dirfd != -1 && newfile != NULL)
++		if (unlinkat(dirfd, newfile, 0))
++			warn("unlinkat");
++}
++
++static inline off_t
++add_off_t(off_t a, off_t b)
++{
++	off_t result;
++
++#if __GNUC__ >= 5 || \
++    (defined(__has_builtin) && __has_builtin(__builtin_add_overflow))
++	if (__builtin_add_overflow(a, b, &result))
++		errx(1, "Corrupt patch");
++#else
++	if ((b > 0 && a > OFF_MAX - b) || (b < 0 && a < OFF_MIN - b))
++		errx(1, "Corrupt patch");
++	result = a + b;
++#endif
++	return result;
++}
+ 
+ static off_t offtin(unsigned char *buf)
+ {
+ 	off_t y;
+ 
+-	y=buf[7]&0x7F;
+-	y=y*256;y+=buf[6];
+-	y=y*256;y+=buf[5];
+-	y=y*256;y+=buf[4];
+-	y=y*256;y+=buf[3];
+-	y=y*256;y+=buf[2];
+-	y=y*256;y+=buf[1];
+-	y=y*256;y+=buf[0];
++	y = buf[7] & 0x7F;
++	y = y * 256; y += buf[6];
++	y = y * 256; y += buf[5];
++	y = y * 256; y += buf[4];
++	y = y * 256; y += buf[3];
++	y = y * 256; y += buf[2];
++	y = y * 256; y += buf[1];
++	y = y * 256; y += buf[0];
+ 
+-	if(buf[7]&0x80) y=-y;
++	if (buf[7] & 0x80)
++		y = -y;
+ 
+-	return y;
++	return (y);
+ }
+ 
+-int main(int argc,char * argv[])
++static void
++usage(void)
+ {
+-	FILE * f, * cpf, * dpf, * epf;
+-	BZFILE * cpfbz2, * dpfbz2, * epfbz2;
++
++	fprintf(stderr, "usage: bspatch oldfile newfile patchfile\n");
++	exit(1);
++}
++
++int main(int argc, char *argv[])
++{
++	FILE *f, *cpf, *dpf, *epf;
++	BZFILE *cpfbz2, *dpfbz2, *epfbz2;
++	char *directory, *namebuf;
+ 	int cbz2err, dbz2err, ebz2err;
+-	int fd;
+-	ssize_t oldsize,newsize;
+-	ssize_t bzctrllen,bzdatalen;
+-	unsigned char header[32],buf[8];
++	int newfd, oldfd;
++	off_t oldsize, newsize;
++	off_t bzctrllen, bzdatalen;
++	unsigned char header[HEADER_SIZE], buf[8];
+ 	unsigned char *old, *new;
+-	off_t oldpos,newpos;
++	off_t oldpos, newpos;
+ 	off_t ctrl[3];
+-	off_t lenread;
+-	off_t i;
++	off_t i, lenread, offset;
+ 
+-	if(argc!=4) errx(1,"usage: %s oldfile newfile patchfile\n",argv[0]);
++	if (argc != 4)
++		usage();
+ 
+ 	/* Open patch file */
+-	if ((f = fopen(argv[3], "r")) == NULL)
++	if ((f = fopen(argv[3], "rb")) == NULL)
++		err(1, "fopen(%s)", argv[3]);
++	/* Open patch file for control block */
++	if ((cpf = fopen(argv[3], "rb")) == NULL)
++		err(1, "fopen(%s)", argv[3]);
++	/* open patch file for diff block */
++	if ((dpf = fopen(argv[3], "rb")) == NULL)
+ 		err(1, "fopen(%s)", argv[3]);
++	/* open patch file for extra block */
++	if ((epf = fopen(argv[3], "rb")) == NULL)
++		err(1, "fopen(%s)", argv[3]);
++	/* open oldfile */
++	if ((oldfd = open(argv[1], O_RDONLY | O_BINARY, 0)) < 0)
++		err(1, "open(%s)", argv[1]);
++	/* open directory where we'll write newfile */
++	if ((namebuf = strdup(argv[2])) == NULL ||
++	    (directory = dirname(namebuf)) == NULL ||
++	    (dirfd = open(directory, O_DIRECTORY)) < 0)
++		err(1, "open %s", argv[2]);
++	free(namebuf);
++	if ((newfile = basename(argv[2])) == NULL)
++		err(1, "basename");
++	/* open newfile */
++	if ((newfd = openat(dirfd, newfile,
++	    O_CREAT | O_TRUNC | O_WRONLY | O_BINARY, 0666)) < 0)
++		err(1, "open(%s)", argv[2]);
++	atexit(exit_cleanup);
+ 
+ 	/*
+ 	File format:
+@@ -90,104 +184,104 @@ int main(int argc,char * argv[])
+ 	*/
+ 
+ 	/* Read header */
+-	if (fread(header, 1, 32, f) < 32) {
++	if (fread(header, 1, HEADER_SIZE, f) < HEADER_SIZE) {
+ 		if (feof(f))
+-			errx(1, "Corrupt patch\n");
++			errx(1, "Corrupt patch");
+ 		err(1, "fread(%s)", argv[3]);
+ 	}
+ 
+ 	/* Check for appropriate magic */
+ 	if (memcmp(header, "BSDIFF40", 8) != 0)
+-		errx(1, "Corrupt patch\n");
++		errx(1, "Corrupt patch");
+ 
+ 	/* Read lengths from header */
+-	bzctrllen=offtin(header+8);
+-	bzdatalen=offtin(header+16);
+-	newsize=offtin(header+24);
+-	if((bzctrllen<0) || (bzdatalen<0) || (newsize<0))
+-		errx(1,"Corrupt patch\n");
++	bzctrllen = offtin(header + 8);
++	bzdatalen = offtin(header + 16);
++	newsize = offtin(header + 24);
++	if (bzctrllen < 0 || bzctrllen > OFF_MAX - HEADER_SIZE ||
++	    bzdatalen < 0 || bzctrllen + HEADER_SIZE > OFF_MAX - bzdatalen ||
++	    newsize < 0 || newsize > SSIZE_MAX)
++		errx(1, "Corrupt patch");
+ 
+ 	/* Close patch file and re-open it via libbzip2 at the right places */
+ 	if (fclose(f))
+ 		err(1, "fclose(%s)", argv[3]);
+-	if ((cpf = fopen(argv[3], "r")) == NULL)
+-		err(1, "fopen(%s)", argv[3]);
+-	if (fseeko(cpf, 32, SEEK_SET))
+-		err(1, "fseeko(%s, %lld)", argv[3],
+-		    (long long)32);
++	offset = HEADER_SIZE;
++	if (fseeko(cpf, offset, SEEK_SET))
++		err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
+ 	if ((cpfbz2 = BZ2_bzReadOpen(&cbz2err, cpf, 0, 0, NULL, 0)) == NULL)
+ 		errx(1, "BZ2_bzReadOpen, bz2err = %d", cbz2err);
+-	if ((dpf = fopen(argv[3], "r")) == NULL)
+-		err(1, "fopen(%s)", argv[3]);
+-	if (fseeko(dpf, 32 + bzctrllen, SEEK_SET))
+-		err(1, "fseeko(%s, %lld)", argv[3],
+-		    (long long)(32 + bzctrllen));
++	offset = add_off_t(offset, bzctrllen);
++	if (fseeko(dpf, offset, SEEK_SET))
++		err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
+ 	if ((dpfbz2 = BZ2_bzReadOpen(&dbz2err, dpf, 0, 0, NULL, 0)) == NULL)
+ 		errx(1, "BZ2_bzReadOpen, bz2err = %d", dbz2err);
+-	if ((epf = fopen(argv[3], "r")) == NULL)
+-		err(1, "fopen(%s)", argv[3]);
+-	if (fseeko(epf, 32 + bzctrllen + bzdatalen, SEEK_SET))
+-		err(1, "fseeko(%s, %lld)", argv[3],
+-		    (long long)(32 + bzctrllen + bzdatalen));
++	offset = add_off_t(offset, bzdatalen);
++	if (fseeko(epf, offset, SEEK_SET))
++		err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
+ 	if ((epfbz2 = BZ2_bzReadOpen(&ebz2err, epf, 0, 0, NULL, 0)) == NULL)
+ 		errx(1, "BZ2_bzReadOpen, bz2err = %d", ebz2err);
+ 
+-	if(((fd=open(argv[1],O_RDONLY,0))<0) ||
+-		((oldsize=lseek(fd,0,SEEK_END))==-1) ||
+-		((old=malloc(oldsize+1))==NULL) ||
+-		(lseek(fd,0,SEEK_SET)!=0) ||
+-		(read(fd,old,oldsize)!=oldsize) ||
+-		(close(fd)==-1)) err(1,"%s",argv[1]);
+-	if((new=malloc(newsize+1))==NULL) err(1,NULL);
+-
+-	oldpos=0;newpos=0;
+-	while(newpos<newsize) {
++	if ((oldsize = lseek(oldfd, 0, SEEK_END)) == -1 ||
++	    oldsize > SSIZE_MAX ||
++	    (old = malloc(oldsize)) == NULL ||
++	    lseek(oldfd, 0, SEEK_SET) != 0 ||
++	    read(oldfd, old, oldsize) != oldsize ||
++	    close(oldfd) == -1)
++		err(1, "%s", argv[1]);
++	if ((new = malloc(newsize)) == NULL)
++		err(1, NULL);
++
++	oldpos = 0;
++	newpos = 0;
++	while (newpos < newsize) {
+ 		/* Read control data */
+-		for(i=0;i<=2;i++) {
++		for (i = 0; i <= 2; i++) {
+ 			lenread = BZ2_bzRead(&cbz2err, cpfbz2, buf, 8);
+ 			if ((lenread < 8) || ((cbz2err != BZ_OK) &&
+ 			    (cbz2err != BZ_STREAM_END)))
+-				errx(1, "Corrupt patch\n");
+-			ctrl[i]=offtin(buf);
+-		};
++				errx(1, "Corrupt patch");
++			ctrl[i] = offtin(buf);
++		}
+ 
+ 		/* Sanity-check */
+-		if ((ctrl[0] < 0) || (ctrl[1] < 0))
+-			errx(1,"Corrupt patch\n");
++		if (ctrl[0] < 0 || ctrl[0] > INT_MAX ||
++		    ctrl[1] < 0 || ctrl[1] > INT_MAX)
++			errx(1, "Corrupt patch");
+ 
+ 		/* Sanity-check */
+-		if(newpos+ctrl[0]>newsize)
+-			errx(1,"Corrupt patch\n");
++		if (add_off_t(newpos, ctrl[0]) > newsize)
++			errx(1, "Corrupt patch");
+ 
+ 		/* Read diff string */
+ 		lenread = BZ2_bzRead(&dbz2err, dpfbz2, new + newpos, ctrl[0]);
+ 		if ((lenread < ctrl[0]) ||
+ 		    ((dbz2err != BZ_OK) && (dbz2err != BZ_STREAM_END)))
+-			errx(1, "Corrupt patch\n");
++			errx(1, "Corrupt patch");
+ 
+ 		/* Add old data to diff string */
+-		for(i=0;i<ctrl[0];i++)
+-			if((oldpos+i>=0) && (oldpos+i<oldsize))
+-				new[newpos+i]+=old[oldpos+i];
++		for (i = 0; i < ctrl[0]; i++)
++			if (add_off_t(oldpos, i) < oldsize)
++				new[newpos + i] += old[oldpos + i];
+ 
+ 		/* Adjust pointers */
+-		newpos+=ctrl[0];
+-		oldpos+=ctrl[0];
++		newpos = add_off_t(newpos, ctrl[0]);
++		oldpos = add_off_t(oldpos, ctrl[0]);
+ 
+ 		/* Sanity-check */
+-		if(newpos+ctrl[1]>newsize)
+-			errx(1,"Corrupt patch\n");
++		if (add_off_t(newpos, ctrl[1]) > newsize)
++			errx(1, "Corrupt patch");
+ 
+ 		/* Read extra string */
+ 		lenread = BZ2_bzRead(&ebz2err, epfbz2, new + newpos, ctrl[1]);
+ 		if ((lenread < ctrl[1]) ||
+ 		    ((ebz2err != BZ_OK) && (ebz2err != BZ_STREAM_END)))
+-			errx(1, "Corrupt patch\n");
++			errx(1, "Corrupt patch");
+ 
+ 		/* Adjust pointers */
+-		newpos+=ctrl[1];
+-		oldpos+=ctrl[2];
+-	};
++		newpos = add_off_t(newpos, ctrl[1]);
++		oldpos = add_off_t(oldpos, ctrl[2]);
++	}
+ 
+ 	/* Clean up the bzip2 reads */
+ 	BZ2_bzReadClose(&cbz2err, cpfbz2);
+@@ -197,12 +291,13 @@ int main(int argc,char * argv[])
+ 		err(1, "fclose(%s)", argv[3]);
+ 
+ 	/* Write the new file */
+-	if(((fd=open(argv[2],O_CREAT|O_TRUNC|O_WRONLY,0666))<0) ||
+-		(write(fd,new,newsize)!=newsize) || (close(fd)==-1))
+-		err(1,"%s",argv[2]);
++	if (write(newfd, new, newsize) != newsize || close(newfd) == -1)
++		err(1, "%s", argv[2]);
++	/* Disable atexit cleanup */
++	newfile = NULL;
+ 
+ 	free(new);
+ 	free(old);
+ 
+-	return 0;
++	return (0);
+ }

package/utils/dtc/Makefile

@@ -15,6 +15,7 @@ PKG_SOURCE_URL:=@KERNEL/software/utils/dtc
 PKG_MAINTAINER:=Yousong Zhou <yszhou4tech@gmail.com>
 PKG_LICENSE:=GPL-2.0-only
 PKG_LICENSE_FILES:=GPL
+PKG_CPE_ID:=cpe:/a:dtc_project:dtc
 
 PKG_INSTALL:=1
 

package/utils/lua/Makefile

@@ -19,6 +19,7 @@ PKG_BUILD_PARALLEL:=1
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=COPYRIGHT
+PKG_CPE_ID:=cpe:/a:lua:lua
 
 HOST_PATCH_DIR := ./patches-host
 

package/utils/lua/patches-host/010-lua-5.1.3-lnum-full-260308.patch

@@ -1600,18 +1600,18 @@
 + * (and doing them).
 + */
 +int try_addint( lua_Integer *r, lua_Integer ib, lua_Integer ic ) {
-+  lua_Integer v= ib+ic; /* may overflow */
-+  if (ib>0 && ic>0)      { if (v < 0) return 0; /*overflow, use floats*/ }
-+  else if (ib<0 && ic<0) { if (v >= 0) return 0; }
-+  *r= v;
++  /* Signed int overflow is undefined behavior, so catch it without causing it. */
++  if (ic>0)  { if (ib > LUA_INTEGER_MAX - ic) return 0; /*overflow, use floats*/ }
++  else       { if (ib < LUA_INTEGER_MIN - ic) return 0; }
++  *r = ib + ic;
 +  return 1;
 +}
 +
 +int try_subint( lua_Integer *r, lua_Integer ib, lua_Integer ic ) {
-+  lua_Integer v= ib-ic; /* may overflow */
-+  if (ib>=0 && ic<0)     { if (v < 0) return 0; /*overflow, use floats*/ }
-+  else if (ib<0 && ic>0) { if (v >= 0) return 0; }
-+  *r= v;
++  /* Signed int overflow is undefined behavior, so catch it without causing it. */
++  if (ic>0)  { if (ib < LUA_INTEGER_MIN + ic) return 0; /*overflow, use floats*/ }
++  else       { if (ib > LUA_INTEGER_MAX + ic) return 0; }
++  *r = ib - ic;
 +  return 1;
 +}
 +