opennds: Release v10.1.2

[bluewavenet]

Maintainer: Rob White rob@blue-wave.net

Compile tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64

Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64; on snapshot, 23.05, 22.03

Description:
opennds (10.1.2)

Security Advisory - This version contains fixes for multiple potential security vulnerabilities
Credit - Stanislav Dashevskyi - standash.github.io [standash]
It also contains some minor bug fixes

• Fix - Generate unique sha256 faskey if not set in config - CVE-2023-38324 [bluewavenet]
• Fix - NULL pointer dereference if user_agent is NULL - CVE-2023-38320, CVE-2023-38322 [bluewavenet]
• Fix - NULL pointer dereference if authdir is called with an incomplete or missing query string - CVE-2023-38313, CVE-2023-38314, CVE-2023-38315 [bluewavenet]
• Fix - remove deprecated and non-functioning unescape callback - CVE-2023-38316 [bluewavenet]
• Fix - prevent potential recursive dependency and detect if conflicting package is installed (in addition to the CONFLICTS: nodogsplash line in the makefile, code was added to check for the presence of nodogsplash on opennds startup) [bluewavenet]

Signed-off-by: Rob White rob@blue-wave.net

[bluewavenet]

@mwarning @PolynomialDivision @BKPepe
This is a critical update fixing several potential security vulnerabilities as noted in the comment above.

[PolynomialDivision]

Can you add a notice that you removed the conflict for nodogslpash in the commit message and why you removed it?

[bluewavenet]

@PolynomialDivision

a notice that you removed the conflict

Implicitly, that is what this means:

Fix - prevent potential recursive dependency and detect if conflicting package is installed [bluewavenet]

I have updated it ;-)

[bluewavenet]

@PolynomialDivision @mwarning @BKPepe
It is interesting that, as both opennds and nodogsplash have the common component ndsctl (albeit from a different code base), opkg detects that component is already present from a previous install of the "conflicting package" and fails the new install.
This works for both nodogsplash and opennds.

It is a different matter if the operating system is not OpenWrt, so some detection code has been added to opennds to mitigate that case.

[BKPepe]

Fix - prevent potential recursive dependency and detect if conflicting package is installed (explicitly, the CONFLICTS: nodogsplash line in the makefile was removed and code added to check for the presence of nodogsplash on opennds startup) [bluewavenet]

Still, I do think that there should be that conflict in the Makefile as we can not relay that it won't be changed in the future in your source code. I haven't followed your recent discussion about nodogosplash closely.

[bluewavenet]

Arrrgh

[bluewavenet]

@BKPepe
Thank you!

[BKPepe]

No need to create PRs to stable branches. I will do cherry picks, there. Dne po 31. 7. 2023 13:54 uživatel Rob White ***@***.***> napsal:

…

@BKPepe <https://github.com/BKPepe> Thank you! — Reply to this email directly, view it on GitHub <#1005 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7IDVEFJ6XPJQM6Q4NEWXLXS6MFVANCNFSM6AAAAAA24VA2UE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[bluewavenet]

@BKPepe
You read my mind, I was about to do PRs for 23.05 and 22.03...

I will do cherry picks

If you are sure you have time, that's excellent, thank you.

[bluewavenet]

@BKPepe
It has propagated more or less everywhere now in master.
I'm happy to do PR's for the cherry picks to stable branches to save you time....