On 10/5/22 11:46, Petr Štetiar wrote:
Hi,

we need to upgrade wolfSSL to version 5.5.1 as it fixes several remotely
exploitable vulnerabilities in TLS v1.3 protocol handling, so I suggest doing
so by backporting the following commits from the 22.03 release.

I've tested this change in x86/64 QEMU, using 
openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz image as a base:

   root@OpenWrt:/# opkg list-upgradable | cut -d ' ' -f 1 | xargs opkg upgrade
   Upgrading libustream-wolfssl20201210 on root from 2022-01-16-868fd881-1 to 2022-01-16-868fd881-2...
   Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libustream-wolfssl20201210_2022-01-16-868fd881-2_x86_64.ipk
   Installing libwolfssl5.5.1.99a5b54a (5.5.1-stable-2) to root...
   Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libwolfssl5.5.1.99a5b54a_5.5.1-stable-2_x86_64.ipk
   Upgrading px5g-wolfssl on root from 3 to 4.1...
   Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//px5g-wolfssl_4.1_x86_64.ipk
   Configuring libwolfssl5.5.1.99a5b54a.
   Configuring libustream-wolfssl20201210.
   Configuring px5g-wolfssl.

Then verified that:

   * px5g still works
   * LuCI is still accessible over HTTPS
   * opkg/uclient can still fetch from HTTPS

Cheers,

Petr

1. https://downloads.openwrt.org/releases/21.02.3/targets/x86/64/openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz

Eneas U de Queiroz (2):
   wolfssl: bump to v5.3.0-stable
   wolfssl: bump to 5.4.0

Ivan Pavlov (1):
   wolfssl: bump to 5.5.0

Petr Štetiar (2):
   wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable
     (CVE-2022-39173)
   treewide: fix security issues by bumping all packages using libwolfssl

Acked-by: Hauke Mehrtens <[email protected]>


_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
