From: Hauke Mehrtens <[email protected]> This is a security update: OpenWrt 19.07 currently ships kernel 4.14.202, which is vulnerable to the attack known as Sad DNS (DNS cache poisoning). Kernel 4.14.203 and later mitigate this attack by randomizing the ICMP global rate limit.
More details can be found here: https://www.saddns.net/ Compile and runtime tested on x86/64. Also compile and run tested on all Turris devices (Turris 1.x - powerpc 8540, Turris Omnia - mvebu/cortex-a9_vfpv3-d16, Turris MOX - mvebu/aarch64_cortex-a53) Signed-off-by: Hauke Mehrtens <[email protected]> (cherry picked from commit 9cdc02be88d5c25791664b1baaf9a7c1a4382c95) Signed-off-by: Josef Schlehofer <[email protected]> [added commit message about run testing on Turris devices, added mention about Sad DNS] --- include/kernel-version.mk | 4 ++-- target/linux/cns3xxx/patches-4.14/210-dwc2_defaults.patch | 2 +- ...030-USB-serial-option-fix-dwm-158-3g-modem-interface.patch | 2 +- target/linux/generic/hack-4.14/204-module_strip.patch | 2 +- target/linux/generic/hack-4.14/930-crashlog.patch | 2 +- .../generic/pending-4.14/203-kallsyms_uncompressed.patch | 2 +- target/linux/generic/pending-4.14/920-mangle_bootargs.patch | 2 +- .../0067-generic-Mangle-bootloader-s-kernel-arguments.patch | 2 +- target/linux/mediatek/patches-4.14/0064-dts.patch | 2 +- ...arm64-mediatek-cleanup-message-for-platform-selectio.patch | 2 +- .../006-mvebu-Mangle-bootloader-s-kernel-arguments.patch | 2 +- .../linux/mvebu/patches-4.14/411-sfp-add-sfp-compatible.patch | 2 +- ...arm64-dts-armada-3720-espressobin-set-max-link-to-ge.patch | 2 +- .../octeon/patches-4.14/110-er200-ethernet_probe_order.patch | 4 ++-- .../996-generic-Mangle-bootloader-s-kernel-arguments.patch | 2 +- 15 files changed, 17 insertions(+), 17 deletions(-) diff --git a/include/kernel-version.mk b/include/kernel-version.mk index a58b17fbf4..e581897dc1 100644 --- a/include/kernel-version.mk +++ b/include/kernel-version.mk 
@@ -6,9 +6,9 @@ ifdef CONFIG_TESTING_KERNEL KERNEL_PATCHVER:=$(KERNEL_TESTING_PATCHVER) endif -LINUX_VERSION-4.14 = .202 +LINUX_VERSION-4.14 = .206 -LINUX_KERNEL_HASH-4.14.202 = 95c717ab5b0bdd2333e829f0507385fbe3424ceee810727f3a8551a0c74be328 +LINUX_KERNEL_HASH-4.14.206 = 1c233efaa5063983293a02d4692acc9ced9c03e18857364855d4f612347086ac remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1)))) sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1))))))) diff --git a/target/linux/cns3xxx/patches-4.14/210-dwc2_defaults.patch b/target/linux/cns3xxx/patches-4.14/210-dwc2_defaults.patch index 67f152f43d..0cc4dd1830 100644 --- a/target/linux/cns3xxx/patches-4.14/210-dwc2_defaults.patch +++ b/target/linux/cns3xxx/patches-4.14/210-dwc2_defaults.patch @@ -43,7 +43,7 @@ { + /* const struct of_device_id *match; - void (*set_params)(void *data); + void (*set_params)(struct dwc2_hsotg *data); + */ dwc2_set_default_params(hsotg); diff --git a/target/linux/generic/backport-4.14/030-USB-serial-option-fix-dwm-158-3g-modem-interface.patch b/target/linux/generic/backport-4.14/030-USB-serial-option-fix-dwm-158-3g-modem-interface.patch index ebd90a8ef2..4ad22b3de1 100644 --- a/target/linux/generic/backport-4.14/030-USB-serial-option-fix-dwm-158-3g-modem-interface.patch +++ b/target/linux/generic/backport-4.14/030-USB-serial-option-fix-dwm-158-3g-modem-interface.patch @@ -30,7 +30,7 @@ Signed-off-by: Johan Hovold <[email protected]> --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c -@@ -2001,7 +2001,8 @@ static const struct usb_device_id option +@@ -2011,7 +2011,8 @@ static const struct usb_device_id option { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d01, 0xff) }, /* D-Link DWM-156 (variant) */ { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d02, 0xff) }, { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d03, 0xff) }, 
diff --git a/target/linux/generic/hack-4.14/204-module_strip.patch b/target/linux/generic/hack-4.14/204-module_strip.patch index c53963c530..d93b545b7c 100644 --- a/target/linux/generic/hack-4.14/204-module_strip.patch +++ b/target/linux/generic/hack-4.14/204-module_strip.patch @@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <[email protected]> --- a/init/Kconfig +++ b/init/Kconfig -@@ -1903,6 +1903,13 @@ config TRIM_UNUSED_KSYMS +@@ -1904,6 +1904,13 @@ config TRIM_UNUSED_KSYMS If unsure, or if you need to build out-of-tree modules, say N. diff --git a/target/linux/generic/hack-4.14/930-crashlog.patch b/target/linux/generic/hack-4.14/930-crashlog.patch index 9d09dbd760..2da51fb406 100644 --- a/target/linux/generic/hack-4.14/930-crashlog.patch +++ b/target/linux/generic/hack-4.14/930-crashlog.patch @@ -41,7 +41,7 @@ Signed-off-by: Felix Fietkau <[email protected]> +#endif --- a/init/Kconfig +++ b/init/Kconfig -@@ -1009,6 +1009,10 @@ config RELAY +@@ -1010,6 +1010,10 @@ config RELAY If unsure, say N. diff --git a/target/linux/generic/pending-4.14/203-kallsyms_uncompressed.patch b/target/linux/generic/pending-4.14/203-kallsyms_uncompressed.patch index 1f5c83e94f..159a79988f 100644 --- a/target/linux/generic/pending-4.14/203-kallsyms_uncompressed.patch +++ b/target/linux/generic/pending-4.14/203-kallsyms_uncompressed.patch @@ -13,7 +13,7 @@ Signed-off-by: Felix Fietkau <[email protected]> --- a/init/Kconfig +++ b/init/Kconfig -@@ -1081,6 +1081,17 @@ config SYSCTL_ARCH_UNALIGN_ALLOW +@@ -1082,6 +1082,17 @@ config SYSCTL_ARCH_UNALIGN_ALLOW the unaligned access emulation. see arch/parisc/kernel/unaligned.c for reference diff --git a/target/linux/generic/pending-4.14/920-mangle_bootargs.patch b/target/linux/generic/pending-4.14/920-mangle_bootargs.patch index 2f6a52c23d..4d7dd3364d 100644 --- a/target/linux/generic/pending-4.14/920-mangle_bootargs.patch +++ b/target/linux/generic/pending-4.14/920-mangle_bootargs.patch @@ -13,7 +13,7 @@ 
Signed-off-by: Imre Kaloz <[email protected]> --- a/init/Kconfig +++ b/init/Kconfig -@@ -1427,6 +1427,15 @@ config EMBEDDED +@@ -1428,6 +1428,15 @@ config EMBEDDED an embedded system so certain expert options are available for configuration. diff --git a/target/linux/ipq806x/patches-4.14/0067-generic-Mangle-bootloader-s-kernel-arguments.patch b/target/linux/ipq806x/patches-4.14/0067-generic-Mangle-bootloader-s-kernel-arguments.patch index f0cc3ed509..c977dd1001 100644 --- a/target/linux/ipq806x/patches-4.14/0067-generic-Mangle-bootloader-s-kernel-arguments.patch +++ b/target/linux/ipq806x/patches-4.14/0067-generic-Mangle-bootloader-s-kernel-arguments.patch @@ -22,7 +22,7 @@ Signed-off-by: Adrian Panella <[email protected]> --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig -@@ -1934,6 +1934,17 @@ config ARM_ATAG_DTB_COMPAT_CMDLINE_EXTEN +@@ -1936,6 +1936,17 @@ config ARM_ATAG_DTB_COMPAT_CMDLINE_EXTEN The command-line arguments provided by the boot loader will be appended to the the device tree bootargs property. diff --git a/target/linux/mediatek/patches-4.14/0064-dts.patch b/target/linux/mediatek/patches-4.14/0064-dts.patch index a2f5000d4d..8cfda50035 100644 --- a/target/linux/mediatek/patches-4.14/0064-dts.patch +++ b/target/linux/mediatek/patches-4.14/0064-dts.patch @@ -106,7 +106,7 @@ reg = <6>; label = "cpu"; ethernet = <&gmac0>; -@@ -187,8 +227,6 @@ +@@ -188,8 +228,6 @@ }; }; }; diff --git a/target/linux/mediatek/patches-4.14/0124-arm64-mediatek-cleanup-message-for-platform-selectio.patch b/target/linux/mediatek/patches-4.14/0124-arm64-mediatek-cleanup-message-for-platform-selectio.patch index 6af0ae8316..1f8a549aac 100644 --- a/target/linux/mediatek/patches-4.14/0124-arm64-mediatek-cleanup-message-for-platform-selectio.patch +++ b/target/linux/mediatek/patches-4.14/0124-arm64-mediatek-cleanup-message-for-platform-selectio.patch @@ -16,7 +16,7 @@ Signed-off-by: Matthias Brugger <[email protected]> --- a/arch/arm64/Kconfig.platforms 
+++ b/arch/arm64/Kconfig.platforms -@@ -91,12 +91,13 @@ config ARCH_HISI +@@ -92,12 +92,13 @@ config ARCH_HISI This enables support for Hisilicon ARMv8 SoC family config ARCH_MEDIATEK diff --git a/target/linux/mvebu/patches-4.14/006-mvebu-Mangle-bootloader-s-kernel-arguments.patch b/target/linux/mvebu/patches-4.14/006-mvebu-Mangle-bootloader-s-kernel-arguments.patch index 4ef86edb6a..f9d902b4d9 100644 --- a/target/linux/mvebu/patches-4.14/006-mvebu-Mangle-bootloader-s-kernel-arguments.patch +++ b/target/linux/mvebu/patches-4.14/006-mvebu-Mangle-bootloader-s-kernel-arguments.patch @@ -28,7 +28,7 @@ Signed-off-by: Michael Gray <[email protected]> --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig -@@ -1934,6 +1934,17 @@ config ARM_ATAG_DTB_COMPAT_CMDLINE_EXTEN +@@ -1936,6 +1936,17 @@ config ARM_ATAG_DTB_COMPAT_CMDLINE_EXTEN The command-line arguments provided by the boot loader will be appended to the the device tree bootargs property. diff --git a/target/linux/mvebu/patches-4.14/411-sfp-add-sfp-compatible.patch b/target/linux/mvebu/patches-4.14/411-sfp-add-sfp-compatible.patch index 9174765e6a..6fce278305 100644 --- a/target/linux/mvebu/patches-4.14/411-sfp-add-sfp-compatible.patch +++ b/target/linux/mvebu/patches-4.14/411-sfp-add-sfp-compatible.patch @@ -14,7 +14,7 @@ Signed-off-by: Russell King <[email protected]> --- a/drivers/net/phy/sfp.c +++ b/drivers/net/phy/sfp.c -@@ -1168,6 +1168,7 @@ static int sfp_remove(struct platform_de +@@ -1169,6 +1169,7 @@ static int sfp_remove(struct platform_de static const struct of_device_id sfp_of_match[] = { { .compatible = "sff,sfp", }, diff --git a/target/linux/mvebu/patches-4.14/528-arm64-dts-armada-3720-espressobin-set-max-link-to-ge.patch b/target/linux/mvebu/patches-4.14/528-arm64-dts-armada-3720-espressobin-set-max-link-to-ge.patch index 5ff9b47268..6ce49f71f0 100644 --- a/target/linux/mvebu/patches-4.14/528-arm64-dts-armada-3720-espressobin-set-max-link-to-ge.patch 
+++ b/target/linux/mvebu/patches-4.14/528-arm64-dts-armada-3720-espressobin-set-max-link-to-ge.patch @@ -62,7 +62,7 @@ Signed-off-by: Tomasz Maciej Nowak <[email protected]> --- a/arch/arm64/boot/dts/marvell/armada-3720-espressobin.dts +++ b/arch/arm64/boot/dts/marvell/armada-3720-espressobin.dts -@@ -79,6 +79,8 @@ +@@ -83,6 +83,8 @@ /* J9 */ &pcie0 { status = "okay"; diff --git a/target/linux/octeon/patches-4.14/110-er200-ethernet_probe_order.patch b/target/linux/octeon/patches-4.14/110-er200-ethernet_probe_order.patch index 6b1eaf92a2..e5330ffbd6 100644 --- a/target/linux/octeon/patches-4.14/110-er200-ethernet_probe_order.patch +++ b/target/linux/octeon/patches-4.14/110-er200-ethernet_probe_order.patch @@ -1,6 +1,6 @@ --- a/drivers/staging/octeon/ethernet.c +++ b/drivers/staging/octeon/ethernet.c -@@ -673,6 +673,7 @@ static int cvm_oct_probe(struct platform +@@ -674,6 +674,7 @@ static int cvm_oct_probe(struct platform int interface; int fau = FAU_NUM_PACKET_BUFFERS_TO_FREE; int qos; @@ -8,7 +8,7 @@ struct device_node *pip; int mtu_overhead = ETH_HLEN + ETH_FCS_LEN; -@@ -796,13 +797,19 @@ static int cvm_oct_probe(struct platform +@@ -797,13 +798,19 @@ static int cvm_oct_probe(struct platform } num_interfaces = cvmx_helper_get_number_of_interfaces(); diff --git a/target/linux/oxnas/patches-4.14/996-generic-Mangle-bootloader-s-kernel-arguments.patch b/target/linux/oxnas/patches-4.14/996-generic-Mangle-bootloader-s-kernel-arguments.patch index a06825f7c8..313b9b5640 100644 --- a/target/linux/oxnas/patches-4.14/996-generic-Mangle-bootloader-s-kernel-arguments.patch +++ b/target/linux/oxnas/patches-4.14/996-generic-Mangle-bootloader-s-kernel-arguments.patch @@ -22,7 +22,7 @@ Signed-off-by: Adrian Panella <[email protected]> --- a/arch/arm/Kconfig 
+++ b/arch/arm/Kconfig -@@ -1934,6 +1934,17 @@ config ARM_ATAG_DTB_COMPAT_CMDLINE_EXTEN +@@ -1936,6 +1936,17 @@ config ARM_ATAG_DTB_COMPAT_CMDLINE_EXTEN The command-line arguments provided by the boot loader will be appended to the the device tree bootargs property. -- 2.25.1 _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
