| Age | Commit message (Collapse) | Author |
|
|
|
Add FRR patch for better MACVLAN support in FRR code.
|
|
The Kernel 6.18.33 now has an upstream fix for the fragnesia vulnerability
|
|
Kernel: T8880: reduce size of Kernel source TAR
|
|
* Kernel: T8846: consolidate config for CPU/Task time and stats accounting
* Kernel: T8879: add config section for hypervisor Virtual Socket Protocol
* Kernel: T8879: add missing Hyper-V drivers after 6.18 upgrade
Add drivers for Hyper-V hypervisor which got lost in transition from 6.6 to
6.18 Kernel upgrade.
|
|
Enable "make mrproper" before packaging kernel source tarball. After enabling
PWRU support in T8496, the auto-generated kernel source tarball grew from under
1 GB to ~4 GB, largely due to intermediate build artifacts (for example,
vmlinuz.o growing from 54 MB to 618 MB with additional debug symbols).
Since the tarball is intended to contain kernel sources and custom patches and
not intermediate objects, we now clean the tree with "make mrproper" before
creating the tarball. This keeps package size down while preserving
rebuildability.
|
|
This fixes the LPE https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
|
|
that allows unprivileged users to read files owned by any other user
|
|
Fragnesia is a universal Linux local privilege escalation exploit, discovered
with V12 by William Bowling with the V12 team. Fragnesia is a member of the
Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from
dirtyfrag which has received its own patch. However, it is in the same surface
and the mitigation is the same as for dirtyfrag.
It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve
arbitrary byte writes into the kernel page cache of read-only files, without
requiring any race condition.
The technique extends the page-cache write bug class that includes Dirty Pipe:
when a TCP socket transitions to espintcp ULP mode after data has already been
spliced from a file into the receive queue, the kernel processes the queued
file pages as ESP ciphertext. The AES-GCM keystream byte at counter block
position 2, byte 0 is XORed directly into the cached file page. By selecting
the IV nonce to produce a desired keystream byte, any target byte in the file
can be set to any value — one byte per trigger invocation.
From: https://github.com/v12-security/pocs/blob/532994fc003a7/fragnesia/README.md
|
|
kernel: T8847: Enable PSI metric data
|
|
T8542: Add functionality to generate SBOM file from ISO image
|
|
Kernel: T6847: update Intel Out-Of-Tree drivers for IGB, IXGBE, I40e, ICE and IAVF
|
|
Enable the kernel [Pressure Stall Information][PSI] accounting feature.
This allows users to gather data on CPU and memory starvation. It's very
useful to help find cases where the system performance is impacted by
overloaded CPUs.
[PSI]: https://docs.kernel.org/accounting/psi.html
Signed-off-by: SuperQ <superq@gmail.com>
|
|
Kernel-created L2TPv3 tunnels (genetlink L2TP_CMD_TUNNEL_CREATE without
L2TP_ATTR_FD) used udp_sock_create() and kernel_connect(), which invoke
__ip4_datagram_connect() / __ip6_datagram_connect(). Those paths insist on
a successful FIB lookup at connect time. If no route to the configured
remote existed yet, tunnel and interface creation failed.
The data path already resolves routes on transmit (e.g. __ip_queue_xmit(),
inet6_csk_route_socket()). This change defers requiring a route until
packets are sent.
Details:
- UDP encapsulation: bind with udp_sock_create() after zeroing peer_udp_port,
then l2tp_udp_sk_set_peer() sets daddr/dport and socket "connected" state
without caching sk_dst from connect.
- IPv4 L2TP/IP (l2tp_ip): on -ENETUNREACH / -EHOSTUNREACH from
__ip4_datagram_connect(), l2tp_ip_connect_deferred() installs peer and
bind-table updates without a connect-time route.
- IPv6 L2TP/IP (l2tp_ip6): same for __ip6_datagram_connect(), including
IPv4-mapped peers and scope / bound-device checks aligned with the normal
connect path.
Forwarding still only happens once the FIB can reach the peer. Until then
outgoing packets follow the existing no-route drop path.
Assisted-by: Cursor:claude-4.6-opus
Signed-off-by: Christian Breunig <christian@breunig.cc>
|
|
The Intel iavf driver (formerly i40evf) is the Linux virtual function driver
for modern Intel Ethernet adapters supporting SR-IOV, including the X700/E800
series.
Renamed to iavf to support future devices, it replaced i40evf entirely by 2019.
The driver facilitates high-performance networking in virtualized environments.
This commit contains custom patches to make the driver build.
|
|
Instead of one build function per driver (ixgbe, i40, ice) which will anyways
result in the same Python code path to be executed - use one common helper
name: build_intel_nic
|
|
The current version of the Intel ice driver does not compile with a recent
LTS Kernel due to missing internal Kernel API adjustments in the Intel driver.
This commit contains custom patches to make the driver build.
|
|
The current version of the Intel i40e driver does not compile with a recent
LTS Kernel due to missing internal Kernel API adjustments in the Intel driver.
This commit contains custom patches to make the driver build.
|
|
|
|
|
|
|
|
the CDN to prevent a possible supply chain attack
|
|
|
|
Rework BGP-LS megapatch to include all latest work on BGP-LS
Rebase patches:
* 0021-pathd-add-optional-protocol-to-no-mpls-te-import.patch
* 0022-pathd-add-optional-parameters-to-no-index-cmd.patch
Delete patches already merged into 10.6.1:
* 0008-isis-fix-advertise-passive-only-routes-install.patch
* 0009-T7909-eigrp-malformed-update-fix.patch
* 0010-bgp-Support-multiple-labels-in-BGP-LU.patch
* 0011-zebra-add-CLI-no-versions-for-max-bw-and-others.patch
* 0014-Simplify-and-cleanup-mgmtd.patch
|
|
Systems under heavy load might require more time to init the VM
|
|
|
|
|
|
|
|
Avoid duplicated code when working with TPM
|
|
It does not make sense to have the common VyOS functionality for e.g VXLAN,
GENEVE, PPP, WireGuard, filesystems crypto or module signing duplicated for
both arm64 and x86_64.
Split out common configuration parts to be defined only once.
|
|
* Forwared port all out-of-tree driver patches
* Add Intel QAT patch to make it compile for LInux 6.18
* Remove out-of-tree OpenVPN DCO module - now available upstream
|
|
|
|
|
|
|
|
|
|
|
|
The inotify support for overlayfs is no longer needed. Native upstream support
landed in kernel 4.16 (commit 31747eda41ef/764baba80168 in 2018, which made
overlayfs hash inodes by their lower inode so fsnotify works on overlay mounts),
and kernel 6.8 (commit bc2473c90fca in 2023) extended it so fsnotify generates
events for operations on the real underlying files of an overlay.
The patch was an out-of-tree workaround that never went upstream and predates
these solutions.
|
|
T8445: add support for extension of activation system
|
|
linux-kernel: T8506: Use scripts/kconfig/merge_config.sh for merging kernel config fragments
|
|
T8636: add FRR patches that fix pathd no cmds
|
|
Kernel: T861: add custom VyOS CA to Kernel builds for later module signing
|
|
7735ca88019a4fc6a9affee9df276b9c99773148
pathd: add optional parameters to `no index` cmd
d421a3360bdb6eba18777388325b003b8bc985bc:
pathd: add optional protocol to 'no mpls-te import'
Both are upstream
|
|
Clone specific branch of kea-packaging repo.
|
|
fragments
Using scripts/kconfig/merge_config.sh for merging config fragments provides
validation and insights compared to the previously used simple
concatenation
|
|
With this addition we can always sign a Kernel module later and ship it if
needed, without re-compiling the Kernel.
Kernel will report:
[ 1.223891] Loaded X.509 cert 'VyOS Networks Secure Boot Signer 2025 - linux: 6ca57e2add335babd08da69b48c70693edd2b037'
Issuer: CN = VyOS Networks Secure Boot CA
Validity
Not Before: Apr 26 09:07:06 2025 GMT
Not After : Apr 24 09:07:06 2035 GMT
Subject: CN = VyOS Networks Secure Boot Signer 2025 - linux
|
|
PWRU (https://github.com/cilium/pwru) is a very useful tool to debug complex networking issues on Linux, as it allows you to trace how packets travel through the kernel functions
|
|
Add additional validation step to ensure that the transfer drive is unmounted successfully.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
|
Apply suggestion, add validation that the Syft binary was copied with success.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
|
Exclude the transfer directory from scan.
|
|
Use the Syft util to generate SBOM files in both CycloneDX and SPDX format. This process includes creating a transfer disk to copy the Syft util from the host machine and copy the scan results back to the host machine.
|