From fdeced6692b12641097864399ab930b88cebff64 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Tue, 27 Jan 2026 17:35:25 +0100 Subject: [PATCH 1/3] system/Config.in: do not reference md5 for sha256 option Commit bf3626002f ("system cfg: remove mkpasswd MD5 format option") dropped the MD5 option, so stop referring to it from the sha256 one to limit confusion. Signed-off-by: Peter Korsgaard Signed-off-by: Julien Olivain --- system/Config.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/Config.in b/system/Config.in index 0652b94a3bf6..98bbd9309243 100644 --- a/system/Config.in +++ b/system/Config.in @@ -67,7 +67,7 @@ choice config BR2_TARGET_GENERIC_PASSWD_SHA256 bool "sha-256" help - Use SHA256 to encode passwords which is stronger than MD5. + Use SHA256 to encode passwords. config BR2_TARGET_GENERIC_PASSWD_SHA512 bool "sha-512" From fb523a75cfdf60906fc266a14475335937ea76ed Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Tue, 27 Jan 2026 17:35:26 +0100 Subject: [PATCH 2/3] package/busybox: default to BR2_TARGET_GENERIC_PASSWD_* algo Make busybox follow the BR2_TARGET_GENERIC_PASSWD_* system configuration option, E.G. cat defconfig BR2_x86_core2=y BR2_TOOLCHAIN_EXTERNAL=y BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_X86_CORE2_MUSL_BLEEDING_EDGE=y BR2_STATIC_LIBS=y BR2_TARGET_GENERIC_PASSWD_SHA512=y ./target/usr/bin/mkpasswd --help BusyBox v1.37.0 (2026-01-27 17:31:51 CET) multi-call binary. Usage: mkpasswd [-P FD] [-m TYPE] [-S SALT] [PASSWORD] [SALT] Print crypt(3) hashed PASSWORD -P N Read password from fd N -m TYPE des,md5,sha256/512 (default sha512) -S SALT ./target/usr/bin/mkpasswd test $6$VQ6lDdGRJOgs8Exs$gEWp1nN/FHCAgmoB6lD.fN13EKA40yV7WQmZJcFp114VrL/st74zP5iPsLHi5NFX/A6GAa1gD.yqzp5Lz3DKl/ Signed-off-by: Peter Korsgaard Signed-off-by: Julien Olivain --- package/busybox/busybox.mk | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk index d7eda71db6d1..446f93c36c42 100644 
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -176,6 +176,18 @@ define BUSYBOX_SET_CRYPT_SHA
 endef
 endif
+ifeq ($(BR2_TARGET_GENERIC_PASSWD_SHA256),y)
+define BUSYBOX_SET_DEFAULT_PASSWD_ALGO
+ $(call KCONFIG_SET_OPT,CONFIG_FEATURE_DEFAULT_PASSWD_ALGO,"sha256")
+endef
+endif
+
+ifeq ($(BR2_TARGET_GENERIC_PASSWD_SHA512),y)
+define BUSYBOX_SET_DEFAULT_PASSWD_ALGO
+ $(call KCONFIG_SET_OPT,CONFIG_FEATURE_DEFAULT_PASSWD_ALGO,"sha512")
+endef
+endif
+
 ifeq ($(BR2_USE_MMU),y)
 define BUSYBOX_SET_MMU
 $(call KCONFIG_DISABLE_OPT,CONFIG_NOMMU)
@@ -427,6 +439,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 $(BUSYBOX_SET_MDEV)
 $(BUSYBOX_SET_CRYPT_SHA)
 $(BUSYBOX_LINUX_PAM)
+ $(BUSYBOX_SET_DEFAULT_PASSWD_ALGO)
 $(BUSYBOX_SET_INIT)
 $(BUSYBOX_SET_WATCHDOG)
 $(BUSYBOX_SET_SELINUX)
From 22137df16bb03900f2801a7b4c2f2cf6c8574760 Mon Sep 17 00:00:00 2001
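Review bot: The two new `BUSYBOX_SET_DEFAULT_PASSWD_ALGO` blocks in the first busybox.mk hunk have no comment, and setting the default string does not by itself enable SHA support in busybox's internal crypt (`CONFIG_USE_BB_CRYPT_SHA`). The preceding `BUSYBOX_SET_CRYPT_SHA` block presumably covers that under the same conditions, but only its closing `endef`/`endif` is visible in this hunk, so the coupling should be confirmed; a build that ended up without SHA support may hash with something weaker than the option name suggests. A comment above the first `ifeq`, such as `# Default hash for mkpasswd and the other password applets follows BR2_TARGET_GENERIC_PASSWD_*; relies on BUSYBOX_SET_CRYPT_SHA`, would record it. When neither option is `y` the variable stays undefined, the added line in `BUSYBOX_KCONFIG_FIXUP_CMDS` expands to nothing, and the default is whatever the busybox configuration file in use already says.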
From: Peter Korsgaard Date: Tue, 27 Jan 2026 17:47:13 +0100 Subject: [PATCH 3/3] package/go: security bump to version 1.25.6 Fixes the following vulnerabilities: - CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives archive/zip used a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. - CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm When parsing a URL-encoded form net/http may allocate an unexpected amount of memory when provided a large number of key-value pairs. This can result in a denial of service due to memory exhaustion. - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain The Config.Clone method allows cloning a Config which has already been passed to a TLS function, allowing it to be mutated and reused. If Config.SessionTicketKey has not been set, and Config.SetSessionTicketKeys has not been called, crypto/tls will generate random session ticket keys and automatically rotate them. Config.Clone would copy these automatically generated keys into the returned Config, meaning that the two Configs would share session ticket keys, so sessions created using one Config could be used to resume sessions with the other Config. This can allow clients to resume sessions even though the Config may be configured such that they should not be able to do so. - CVE-2025-61731: cmd/go: unexpected code execution when invoking toolchain The Go toolchain supports multiple VCS which are used for retrieving modules and embedding build information into binaries. On systems with Mercurial installed (hg) downloading modules (e.g. via go get or go mod download) from non-standard sources (e.g.
custom domains) can cause unexpected code execution due to how external VCS commands are constructed. On systems with Git installed, downloading and building modules with malicious version strings could allow an attacker to write to arbitrary files on the system the user has access to. This can only be triggered by explicitly providing the malicious version strings to the toolchain, and does not affect usage of @latest or bare module paths. The toolchain now uses safer VCS options to prevent misinterpretation of untrusted inputs. In addition, the toolchain now disallows module version strings prefixed with a "-" or "/" character. - CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. For details, see the announcement: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc Signed-off-by: Peter Korsgaard Signed-off-by: Julien Olivain --- package/go/go.hash | 14 +++++++------- package/go/go.mk | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/package/go/go.hash b/package/go/go.hash index 7c689f9144b5..6134ec5f7556 100644 --- a/package/go/go.hash +++ b/package/go/go.hash 
@@ -1,9 +1,9 @@
 # sha256 checksum from https://go.dev/dl/
-sha256 22a5fd0a91efcd28a1b0537106b9959b2804b61f59c3758b51e8e5429c1a954f go1.25.5.src.tar.gz
-sha256 db908a86e888574ed3432355ba5372ad3ef2c0821ba9b91ceaa0f6634620c40c go1.25.5.linux-386.tar.gz
-sha256 9e9b755d63b36acf30c12a9a3fc379243714c1c6d3dd72861da637f336ebb35b go1.25.5.linux-amd64.tar.gz
-sha256 b00b694903d126c588c378e72d3545549935d3982635ba3f7a964c9fa23fe3b9 go1.25.5.linux-arm64.tar.gz
-sha256 0b27e3dec8d04899d6941586d2aa2721c3dee67c739c1fc1b528188f3f6e8ab5 go1.25.5.linux-armv6l.tar.gz
-sha256 f0904b647b5b8561efc5d48bb59a34f2b7996afab83ccd41c93b1aeb2c0067e4 go1.25.5.linux-ppc64le.tar.gz
-sha256 a5d0a72b0dfd57f9c2c0cdd8b7e0f401e0afb9e8c304d3410f9b0982ce0953da go1.25.5.linux-s390x.tar.gz
+sha256 58cbf771e44d76de6f56d19e33b77d745a1e489340922875e46585b975c2b059 go1.25.6.src.tar.gz
+sha256 59fe62eee3cca65332acef3ebe9b6ff3272467e0a08bf7f68f96334902bf23b9 go1.25.6.linux-386.tar.gz
+sha256 f022b6aad78e362bcba9b0b94d09ad58c5a70c6ba3b7582905fababf5fe0181a go1.25.6.linux-amd64.tar.gz
+sha256 738ef87d79c34272424ccdf83302b7b0300b8b096ed443896089306117943dd5 go1.25.6.linux-arm64.tar.gz
+sha256 679f0e70b27c637116791e3c98afbf8c954deb2cd336364944d014f8e440e2ae go1.25.6.linux-armv6l.tar.gz
+sha256 bee02dbe034b12b839ae7807a85a61c13bee09ee38f2eeba2074bd26c0c0ab73 go1.25.6.linux-ppc64le.tar.gz
+sha256 3d97cc5670a0da9cb177037782129f0bf499ecb47abc40488248548abd2c2c35 go1.25.6.linux-s390x.tar.gz
 sha256 911f8f5782931320f5b8d1160a76365b83aea6447ee6c04fa6d5591467db9dad LICENSE
diff --git a/package/go/go.mk b/package/go/go.mk
index c932baf018e1..91e5fbf3479c 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
-GO_VERSION = 1.25.5
+GO_VERSION = 1.25.6
 HOST_GO_GOPATH = $(HOST_DIR)/share/go-path
 HOST_GO_HOST_CACHE = $(HOST_DIR)/share/host-go-cache