I'm requesting comments about updating this in 18.06. I'm sending this to 19.07 right away, but it won't be so easy with 18.06 because there is an ABI version change from 3.15.3 (current) to 3.15.7. Besides CVE-2019-13628, it is vulnerable to CVE-2018-16870: a variant of the Bleichenbacher attack.
I've managed to backport both fixes:
* CVE-2019-13628 applied cleanly;
* CVE-2018-16870 needed some work.

I've run the testsuite, and all tests passed. I've used gdb while running them, and could verify that the tests covered all of the changed lines, except for some of the newly added error conditions.

CVE-2019-13628 is scheduled to be issued on Sep 02. So we have three choices:
* update to 4.1.0-stable: we have to deal with the ABI version change. If we do nothing, then dependent packages will not work without removal and reinstallation. We can increase PKG_RELEASE for the dependent packages, some of which may be cumbersome: hostapd and ustream-ssl will either require a cumbersome subpackage bump, or have everybody else who does not use wolfssl be prompted to needlessly update their packages.
* apply a custom patch that will not be so thoroughly tested.
* do nothing: both vulnerabilities are timing attacks, and CVE-2018-16870 is rated medium-severity. We can wait for CVE-2019-13628's final grade, but wolfssl states it "is considered difficult to exploit".

Even though I'm confident the patches will not do much harm, I'm more comfortable with updating to 4.1.0 and bumping dependent subpackages.

A note about the removed patches:
* 400-additional_compatibility.patch: I couldn't find much about the need for this; it appears to be related to SNI support, which was new at the time. I've compiled all packages that use wolfssl and found no issues with them. ustream-ssl actually defines HAVE_SNI, and I have done extensive runtime tests without any issues.
* 900-remove-broken-autoconf-macros.patch: this was fixed upstream, and the jobserver was disabled by ./configure --disable-jobserver.
Eneas U de Queiroz (1):
  wolfssl: bump to 4.1.0-stable

 package/libs/wolfssl/Config.in                | 14 ++++-------
 package/libs/wolfssl/Makefile                 | 23 ++++++++-----------
 .../400-additional_compatibility.patch        | 12 ----------
 .../900-remove-broken-autoconf-macros.patch   | 21 -----------------
 4 files changed, 15 insertions(+), 55 deletions(-)
 delete mode 100644 package/libs/wolfssl/patches/400-additional_compatibility.patch
 delete mode 100644 package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
