On 2/17/22 15:51, Petr Štetiar wrote:
This is amalgamation of backported changes since 4.7.0-stable release:

  Sergey V. Lobanov (2):

   5b13b0b02c70 wolfssl: update to 5.1.1-stable
   7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support

  Andre Heider (3):

   3f8adcb215ed wolfssl: remove --enable-sha512 configure switch
   249478ec4850 wolfssl: always build with --enable-reproducible-build
   4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

  Ivan Pavlov (1):

   16414718f9ae wolfssl: update to 4.8.1-stable

  David Bauer (1):

   f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng

  Christian Lamparter (1):

   86801bd3d806 wolfssl: fix Ed25519 typo in config prompt

The diff of security related changes we would need to backport would be
so huge, that there would be a high probability of introducing new
vulnerabilities, so it was decided, that bumping to latest stable
release is the prefered way for fixing following security issues:

  * OCSP request/response verification issue. (fixed in 4.8.0)
  * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 
(fixed in 4.8.1)
  * Issue with incorrectly validating a certificate (fixed in 5.0.0)
  * Hang with DSA signature creation when a specific q value is used (fixed in 
5.0.0)
  * Client side session resumption issue (fixed in 5.1.0)
  * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0)
  * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)

Cc: Hauke Mehrtens <[email protected]>
Cc: Eneas U de Queiroz <[email protected]>
Signed-off-by: Petr Štetiar <[email protected]>

Acked-by: Hauke Mehrtens <[email protected]>

---
  package/libs/wolfssl/Config.in                |  6 ++-
  package/libs/wolfssl/Makefile                 | 23 ++++++---
  .../patches/100-disable-hardening-check.patch |  2 +-
  .../patches/110-build-with-libtool-2.4.patch  | 13 +++++
  .../libs/wolfssl/patches/200-ecc-rng.patch    | 50 +++++++++++++++++++
  5 files changed, 86 insertions(+), 8 deletions(-)
  create mode 100644 
package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
  create mode 100644 package/libs/wolfssl/patches/200-ecc-rng.patch


_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Reply via email to