opennds: Release v10.1.2 #1005

Merged
merged 2 commits into from
Jul 31, 2023

bluewavenet
Contributor

@bluewavenet bluewavenet commented Jul 29, 2023

Maintainer: Rob White rob@blue-wave.net

Compile tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64

Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64; on snapshot, 23.05, 22.03

Description:
opennds (10.1.2)

Security Advisory - This version contains fixes for multiple potential security vulnerabilities
Credit - Stanislav Dashevskyi - standash.github.io [standash]
It also contains some minor bug fixes

  • Fix - Generate unique sha256 faskey if not set in config - CVE-2023-38324 [bluewavenet]
  • Fix - NULL pointer dereference if user_agent is NULL - CVE-2023-38320, CVE-2023-38322 [bluewavenet]
  • Fix - NULL pointer dereference if authdir is called with an incomplete or missing query string - CVE-2023-38313, CVE-2023-38314, CVE-2023-38315 [bluewavenet]
  • Fix - remove deprecated and non-functioning unescape callback - CVE-2023-38316 [bluewavenet]
  • Fix - prevent potential recursive dependency and detect if conflicting package is installed (in addition to the CONFLICTS: nodogsplash line in the makefile, code was added to check for the presence of nodogsplash on opennds startup) [bluewavenet]

Signed-off-by: Rob White rob@blue-wave.net

@bluewavenet
Contributor Author

@mwarning @PolynomialDivision @BKPepe
This is a critical update fixing several potential security vulnerabilities as noted in the comment above.

@PolynomialDivision
Member

PolynomialDivision commented Jul 29, 2023

Can you add a notice that you removed the conflict for nodogsplash in the commit message and why you removed it?

@bluewavenet
Contributor Author

@PolynomialDivision

> a notice that you removed the conflict

Implicitly, that is what this means:

> Fix - prevent potential recursive dependency and detect if conflicting package is installed [bluewavenet]

I have updated it ;-)

@bluewavenet
Contributor Author

@PolynomialDivision @mwarning @BKPepe
It is interesting that, as both opennds and nodogsplash have the common component ndsctl (albeit from a different code base), opkg detects that component is already present from a previous install of the "conflicting package" and fails the new install.
This works for both nodogsplash and opennds.

It is a different matter if the operating system is not OpenWrt, so some detection code has been added to opennds to mitigate that case.

@BKPepe
Member

BKPepe commented Jul 30, 2023

> Fix - prevent potential recursive dependency and detect if conflicting package is installed (explicitly, the CONFLICTS: nodogsplash line in the makefile was removed and code added to check for the presence of nodogsplash on opennds startup) [bluewavenet]

Still, I do think that there should be that conflict in the Makefile, as we cannot rely on it not being changed in the future in your source code. I haven't followed your recent discussion about nodogsplash closely.

opennds/Makefile (outdated)
@bluewavenet
Contributor Author

Arrrgh

Reinstate CONFLICTS:=nodogsplash

Signed-off-by: Rob White <rob@blue-wave.net>
@BKPepe BKPepe merged commit e4a53c1 into openwrt:master Jul 31, 2023
11 checks passed
@bluewavenet
Contributor Author

@BKPepe
Thank you!

@BKPepe
Member

BKPepe commented Jul 31, 2023 via email

@bluewavenet
Contributor Author

@BKPepe
You read my mind, I was about to do PRs for 23.05 and 22.03...

I will do cherry picks

If you are sure you have time, that's excellent, thank you.

@bluewavenet
Contributor Author

@BKPepe
It has propagated more or less everywhere now in master.
I'm happy to do PRs for the cherry picks to stable branches to save you time....
