Hi,

we need to upgrade wolfSSL to version 5.5.1 as it fixes several remotely exploitable vulnerabilities in TLS v1.3 protocol handling, so I suggest doing so by backporting the following commits from the 22.03 release.

I've tested this change in x86/64 QEMU, using the openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz image as a base:

  root@OpenWrt:/# opkg list-upgradable | cut -d ' ' -f 1 | xargs opkg upgrade
  Upgrading libustream-wolfssl20201210 on root from 2022-01-16-868fd881-1 to 2022-01-16-868fd881-2...
  Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libustream-wolfssl20201210_2022-01-16-868fd881-2_x86_64.ipk
  Installing libwolfssl5.5.1.99a5b54a (5.5.1-stable-2) to root...
  Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libwolfssl5.5.1.99a5b54a_5.5.1-stable-2_x86_64.ipk
  Upgrading px5g-wolfssl on root from 3 to 4.1...
  Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//px5g-wolfssl_4.1_x86_64.ipk
  Configuring libwolfssl5.5.1.99a5b54a.
  Configuring libustream-wolfssl20201210.
  Configuring px5g-wolfssl.

Then verified that:

 * px5g still works
 * LuCI is still accessible over HTTPS
 * opkg/uclient can still fetch from HTTPS

Cheers,

Petr

1. https://downloads.openwrt.org/releases/21.02.3/targets/x86/64/openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz

Eneas U de Queiroz (2):
  wolfssl: bump to v5.3.0-stable
  wolfssl: bump to 5.4.0

Ivan Pavlov (1):
  wolfssl: bump to 5.5.0

Petr Štetiar (2):
  wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)
  treewide: fix security issues by bumping all packages using libwolfssl

 package/libs/ustream-ssl/Makefile             |  2 +-
 package/libs/wolfssl/Makefile                 |  4 ++--
 .../patches/100-disable-hardening-check.patch |  2 +-
 .../libs/wolfssl/patches/200-ecc-rng.patch    |  4 ++--
 ...fix-SSL_get_verify_result-regression.patch | 24 -------------------
 ...rt-devcrypto-devcrypto_aes.c-remove-.patch | 19 ---------------
 package/network/services/hostapd/Makefile     |  2 +-
 package/utils/px5g-wolfssl/Makefile           |  2 +-
 8 files changed, 8 insertions(+), 51 deletions(-)
 delete mode 100644 package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch
 delete mode 100644 package/libs/wolfssl/patches/400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch
