| Age | Commit message (Collapse) | Author |
|
Kernel: T9067: Update Linux Kernel to 6.18.38
|
|
|
|
|
|
|
|
T9040: Build FIPS-provider OpenSSL version
|
|
Build FIPS-compatible OpenSSL binaries
The FIPS provider does not get built and installed automatically.
To enable it, you need to configure OpenSSL using the `enable-fips` option.
|
|
for the fix for legacy hash algorithm loading
to make MS-CHAP work correctly again
|
|
podman: T9024: package upgrade from v4.9.5 to v5.8.4
|
|
This updates the used Podman version from 4.9.5 to 5.8.4 which is a major bump.
For this update to work on Vyos we also do need to switch from crun to runc, as
the Debian Bookworm provided version of crun is not working with podman 5.8.4.
Building crun from Debian trixie package sources does not work due to missing
build time dependencies.
|
|
Kernel: T8914: add support for 2.5G pluggables on BCM57810S
|
|
Kernel: T8605: net/l2tp: allow unmanaged tunnel setup without route to peer
|
|
Add the well-known JAMESMTL kernel module patch for bnx2x to advertise 2.5Gbit/s
capabilities on Broadcom NetXtreme2-X cards with BCM57810S chipset.
This is useful for ISP GPON access networks that use 2.5Gbit/s pluggables and
need the NIC to negotiate beyond 1000baseT/Full, avoiding the 940Mbit/s
practical cap on overprovisioned 1G services.
References:
* https://hack-gpon.org/broadcom-57810s/
* https://github.com/JAMESMTL/snippets/blob/dceb2fee74d80c66d/bnx2x/patches/bnx2x_warpcore_8727_2_5g_sgmii_txfault.patch
|
|
|
|
T9013: Add FRR patch to fix BMP connect source-interface deletion
|
|
T9010: Update Linux Kernel to 6.18.36 and re-fresh Intel OOT driver versions
|
|
|
|
T8599: Make source packages required and fix them
|
|
|
|
Update versions:
* igb v5.20.28
* ixgbe v6.4.4
* ixgbevf v5.3.36
* i40e v2.30.18
* ice v2.6.6
* iavf v4.13.35
|
|
T8099: Update strongswan to 6.0.6
|
|
1.0 source format version needs tarball without '.orig' suffix as described in https://www.man7.org/linux/man-pages/man1/dpkg-source.1.html.
Only if debian/source/format exists and contains 3.0, use '.orig'
|
|
Patch modifies debian/control and debian/rules, there is no easy way to
fix source package creation in such case. As quick solution disable
source package build for this package (previously it failed silently)
|
|
Exit with error for other failures:
* Creating/installing dependency package should be error: e.g. debugging
why strongswan cannot find systemd could be easier if build.py failed
when it couldn't install systemd and not when `configure` couldn't
find it.
* Creating tarball
* pre_hook run
|
|
A lot of packages failed to build source package.
Stop ignoring source package build errors and fix it.
To fix source packages:
* Use <source_package>_<upstream_version>.orig.tar.gz naming for source
archive.
* Get `source_package` and `upstream_version` from changelog using
dpkg-parsechangelog utility
* Clean build-deps after usage or dpkg-source sees these files as
changes relative to upstream.
* Add '.github' to --diff-ignore source option
|
|
|
|
|
|
salt: T8973: remove package build due to feature removal
|
|
* Upgrade to 6.0.6
* Update 30-strongswan-configs.chroot to not change
/etc/strongswan.d/charon.conf as the file is part of package
strongswan-charon that should not be installed
* Rebase all patches
* Enable ML-KEM for Post Quantum
|
|
* Remove systemd-dev from dependencies
* Add `set -e` to build_cmd.
Strongswan depends on `systemd` and `systemd-dev`, installing both fails with:
```
The following packages have unmet dependencies:
systemd-dev : Breaks: systemd (< 253-2~) but 252.39-1~deb12u2 is to be installed
E: Unable to correct problems, you have held broken packages.
```
`systemd-dev` contains pkg-config files for systemd and udev, but
current `systemd` package installs identical
`/usr/share/pkgconfig/systemd.pc` - maybe that's why packages cannot be
installed simultaneously.
So remove it from dependencies.
Though the package failed to build, `./build.py` returned 0 as
`build_cmd` has two build commands one after another without any checks
of exit value of first one that builds strongswan. Added `set -e` so
that any failure in any of commands results to build failure.
|
|
T8426: FRR support for EVPN Anycast
|
|
As salt has been marked deprecated via T8056 and is thus deprecated in VyOS 1.5
and VyOS 1.4 it is time to remove it from the rolling release.
|
|
|
|
|
|
PR #1204 ("ci: T8943: migrate branch-name refs current->rolling (rollout
1c)") covered .github/workflows/ only and missed seven commit_id values
in scripts/package-build/ that referenced the pre-1c default-branch
names of vyos-owned repos.
The GitHub branch-rename redirect works for the REST API and web UI,
not for git refs in a fresh clone — scripts/package-build/build.py
clones the upstream and `git checkout <commit_id>`, which fails after
the source repo was renamed.
Updated:
libnss-mapuser/package.toml current -> rolling
libpam-radius-auth/package.toml current -> rolling
vpp/package.toml (vyos-vpp-patches) current -> rolling
vyos-1x/package.toml current -> rolling
tacacs/package.toml (libtacplus-map) master -> rolling
tacacs/package.toml (libpam-tacplus) master -> rolling
tacacs/package.toml (libnss-tacplus) master -> rolling
Verified post-rename defaults via `gh api repos/vyos/<r> --jq
.default_branch` for all seven; verified the failure mode via a fresh
`git clone https://github.com/vyos/vyos-1x.git` + `git checkout current`
which errors with "pathspec 'current' did not match any file(s) known
to git".
LTS branches (sagitta/circinus/equuleus) were scanned and require no
changes — only third-party `evgeny-gridasov/openvpn-otp` master appears
there, unaffected by 1c.
🤖 Generated by [robots](https://vyos.io)
|
|
|
|
Add FRR patch for better MACVLAN support in FRR code.
|
|
The Kernel 6.18.33 now has an upstream fix for the fragnesia vulnerability
|
|
Kernel: T8880: reduce size of Kernel source TAR
|
|
* Kernel: T8846: consolidate config for CPU/Task time and stats accounting
* Kernel: T8879: add config section for hypervisor Virtual Socket Protocol
* Kernel: T8879: add missing Hyper-V drivers after 6.18 upgrade
Add drivers for Hyper-V hypervisor which got lost in transition from 6.6 to
6.18 Kernel upgrade.
|
|
Enable "make mrproper" before packaging kernel source tarball. After enabling
PWRU support in T8496, the auto-generated kernel source tarball grew from under
1 GB to ~4 GB, largely due to intermediate build artifacts (for example,
vmlinuz.o growing from 54 MB to 618 MB with additional debug symbols).
Since the tarball is intended to contain kernel sources and custom patches and
not intermediate objects, we now clean the tree with "make mrproper" before
creating the tarball. This keeps package size down while preserving
rebuildability.
|
|
This fixes the LPE https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
|
|
that allows unprivileged users to read files owned by any other user
|
|
Fragnesia is a universal Linux local privilege escalation exploit, discovered
with V12 by William Bowling with the V12 team. Fragnesia is a member of the
Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from
dirtyfrag which has received its own patch. However, it is in the same surface
and the mitigation is the same as for dirtyfrag.
It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve
arbitrary byte writes into the kernel page cache of read-only files, without
requiring any race condition.
The technique extends the page-cache write bug class that includes Dirty Pipe:
when a TCP socket transitions to espintcp ULP mode after data has already been
spliced from a file into the receive queue, the kernel processes the queued
file pages as ESP ciphertext. The AES-GCM keystream byte at counter block
position 2, byte 0 is XORed directly into the cached file page. By selecting
the IV nonce to produce a desired keystream byte, any target byte in the file
can be set to any value — one byte per trigger invocation.
From: https://github.com/v12-security/pocs/blob/532994fc003a7/fragnesia/README.md
|
|
kernel: T8847: Enable PSI metric data
|
|
Kernel: T6847: update Intel Out-Of-Tree drivers for IGB, IXGBE, I40e, ICE and IAVF
|
|
Enable the kernel [Pressure Stall Information][PSI] accounting feature.
This allows users to gather data on CPU and memory starvation. It's very
useful to help find cases where the system performance is impacted by
overloaded CPUs.
[PSI]: https://docs.kernel.org/accounting/psi.html
Signed-off-by: SuperQ <superq@gmail.com>
|
|
Kernel-created L2TPv3 tunnels (genetlink L2TP_CMD_TUNNEL_CREATE without
L2TP_ATTR_FD) used udp_sock_create() and kernel_connect(), which invoke
__ip4_datagram_connect() / __ip6_datagram_connect(). Those paths insist on
a successful FIB lookup at connect time. If no route to the configured
remote existed yet, tunnel and interface creation failed.
The data path already resolves routes on transmit (e.g. __ip_queue_xmit(),
inet6_csk_route_socket()). This change defers requiring a route until
packets are sent.
Details:
- UDP encapsulation: bind with udp_sock_create() after zeroing peer_udp_port,
then l2tp_udp_sk_set_peer() sets daddr/dport and socket "connected" state
without caching sk_dst from connect.
- IPv4 L2TP/IP (l2tp_ip): on -ENETUNREACH / -EHOSTUNREACH from
__ip4_datagram_connect(), l2tp_ip_connect_deferred() installs peer and
bind-table updates without a connect-time route.
- IPv6 L2TP/IP (l2tp_ip6): same for __ip6_datagram_connect(), including
IPv4-mapped peers and scope / bound-device checks aligned with the normal
connect path.
Forwarding still only happens once the FIB can reach the peer. Until then
outgoing packets follow the existing no-route drop path.
Assisted-by: Cursor:claude-4.6-opus
Signed-off-by: Christian Breunig <christian@breunig.cc>
|
|
The Intel iavf driver (formerly i40evf) is the Linux virtual function driver
for modern Intel Ethernet adapters supporting SR-IOV, including the X700/E800
series.
Renamed to iavf to support future devices, it replaced i40evf entirely by 2019.
The driver facilitates high-performance networking in virtualized environments.
This commit contains custom patches to make the driver build.
|
|
Instead of one build function per driver (ixgbe, i40, ice) which will anyways
result in the same Python code path to be executed - use one common helper
name: build_intel_nic
|
|
The current version of the Intel ice driver does not compile with a recent
LTS Kernel due to missing internal Kernel API adjustments in the Intel driver.
This commit contains custom patches to make the driver build.
|