Mirror of packages feed https://git-03.infra.openwrt.org/feed/packages/atom?h=master 2026-05-14T22:13:25Z 2026-05-14T22:13:25Z Daniel Golle 2026-05-08T17:14:04Z urn:sha1:82d729ced2d59d4e69e77fb0d03a4e915116d7d1 4.99.3 (security release): * Addresses EXIM-Security-2026-05-01.1: a remotely reachable Use-After-Free vulnerability in Exim's BDAT (binary data transmission) body parsing path when using the GnuTLS backend. This can lead to heap corruption and potential code execution. Affects 4.97 through 4.99.x when built with GnuTLS support AND with STARTTLS and CHUNKING advertised. Reported by xbow security. Previous security releases folded into this bump: 4.99.2 (security release): * Addresses Exim-Security-2026-04.1, covering 4 CVEs: - CVE-2026-40684: Possible crash with malicious DNS data (musl libc) - CVE-2026-40685: Possible OOB read/write on corrupt JSON in header - CVE-2026-40686: Possible OOB read with large UTF8 trailing characters - CVE-2026-40687: Possible OOB read/write with SPA authenticator 4.99.1 (security release): * Re-incarnation of CVE-2025-26794, ports fixes from 4.98.1/4.98.2. Link: https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/ Link: https://git.exim.org/exim.git/blob/refs/tags/exim-4.99.3:/doc/doc-txt/ChangeLog Signed-off-by: Daniel Golle <daniel@makrotopia.org> 2026-05-08T20:28:27Z Yanase Yuki 2026-01-02T09:06:57Z urn:sha1:b0d8a3d384915c2de1c5b473fcfb8b3996bb849b This commit converts plain HTTP URLs to HTTPS, and updates old or outdated URLs. Signed-off-by: Yanase Yuki <dev@zpc.st> 2026-04-16T18:48:36Z Alexandru Ardelean 2026-04-13T07:50:38Z urn:sha1:8d3c00421392c9c4c6c920977959ab7fae237261 Seems a lot of packages are just getting abandoned by people. Will pick these up and see them through. Signed-off-by: Alexandru Ardelean <alex@shruggie.ro> 2026-03-20T13:54:46Z Fabrice Fontaine 2026-03-19T21:25:57Z urn:sha1:bb47b0279642252acc3e46a1f2edd8638cebf05e cpe:/a:bogofilter_project:bogofilter is the correct CPE ID for bogofilter: https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3:a:bogofilter_project:bogofilter Fixes: 299e5b0a9bce19d6e96cb9ff217028b36ee2dd36 (treewide: add PKG_CPE_ID for better cvescanner coverage) Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> 2026-03-15T07:21:15Z Fabrice Fontaine 2026-03-14T13:32:29Z urn:sha1:fc6cb08c64ba3366e488e4c3737628f54f048d58 cpe:/a:opendkim:opendkim is the correct CPE ID for opendkim: https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3:a:opendkim:opendkim Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> 2026-02-04T05:39:56Z Daniel F. Dickinson 2026-01-25T16:05:43Z urn:sha1:444b62cbccf13492096fc0216d661f2ccf47f069 As described in #28261 Not compiled with OpenSSL, the SSL variant of the mailsend package is not actually being compiled with OpenSSL. This is due to an upstream configure check borrowed from an ancient version of BIND, which no longer works. As a workaround we add `-DHAVE_OPENSSL=1` to the `TARGET_CFLAGS` when building the SSL variant. This results in a complaint about COPTS not being honoured correctly, but results in `mailsend` compiled with OpenSSL (i.e. works). Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca> 2026-01-09T09:52:21Z W. Michael Petullo 2026-01-08T15:14:08Z urn:sha1:428d835cb5ed75aeca266a83010ce01254b5ddbd Remove two patches no longer needed due to changes upstream. Signed-off-by: W. Michael Petullo <mike@flyn.org> 2026-01-01T14:27:12Z Josef Schlehofer 2025-12-31T02:38:27Z urn:sha1:4e86243a89ac8acb7e5c7143af080ba3f6028acd Release notes: ``` v0.5.21.1 2024-08-14 Aki Tuomi <aki.tuomi@open-xchange.com> - sieve: When saving to local storage failed after a successful action in sieve (e.g. redirect, vacation), the mail was reported as successfully delivered, although it was lost locally. ``` Copy&pasted from https://raw.githubusercontent.com/dovecot/pigeonhole/0.5.21.1/NEWS Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> 2026-01-01T14:27:12Z Josef Schlehofer 2025-12-31T02:33:18Z urn:sha1:547ac2e84ea205432e1eabc5588d31ad0652ed37 The current pigeonhole Makefile is more complex than it needs to be, with too many unique variables and the resulting package version is currently this one: ``` dovecot-pigeonhole_2.3.21.0.5.21-r1_aarch64_cortex-a53.ipk ``` and based on Repology [1], it looks like we are the only GNU/Linux distribution, who includes dovecot version and pigeonhole version together. We should not include the extra dovecot version, because even project [2] website does not do it except their tarball. What we can do better is that we added and modify a little bit EXTRA_DEPENDS, which ensures that pigenhole 0.5.21.1 will be used for Dovecot 2.3, because of that, we can have package version as it should be. ``` dovecot-pigeonhole_0.5.21-r1_arm_cortex-a9_vfpv3-d16.ipk ``` Because of the changed versioning, we can remove the dynamic shell execution for version extraction. [1] https://repology.org/project/dovecot-pigeonhole/versions [2] https://pigeonhole.dovecot.org/download Fixes: 6c6a40ab57d1151f981237f81935b19486c45026 ("pigeonhole: fix runtime dependency on dovecot's ABI") Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> 2026-01-01T14:27:12Z Josef Schlehofer 2025-12-31T01:21:38Z urn:sha1:d4f9e59a96969c5588fb7f31e4477480f761b763 Use $(XARGS) variable instead of plain xargs command, consistent with the dovecot package implementation. Remove unnecessary space in EXTRA_DEPENDS version constraint. Fixes failing error on buildbot: ``` make[3]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule. Makefile:62: *** multiple target patterns. Stop. time: package/feeds/packages/pigeonhole/compile#0.52#0.42#1.15 ``` Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>