[21.02,0/5] backport fix for TLSv1.3 RCE in uhttpd by using 5.5.1-stable

Message ID 20221005094630.5311-1-ynezz@true.cz

Message

Petr Štetiar Oct. 5, 2022, 9:46 a.m. UTC
Hi,

We need to upgrade wolfSSL to version 5.5.1, as it fixes several remotely
exploitable vulnerabilities in TLS v1.3 protocol handling, so I suggest doing
so by backporting the following commits from the 22.03 release.

I've tested this change in x86/64 QEMU, using the openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz image [1] as a base:

  root@OpenWrt:/# opkg list-upgradable | cut -d ' ' -f 1 | xargs opkg upgrade
  Upgrading libustream-wolfssl20201210 on root from 2022-01-16-868fd881-1 to 2022-01-16-868fd881-2...
  Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libustream-wolfssl20201210_2022-01-16-868fd881-2_x86_64.ipk
  Installing libwolfssl5.5.1.99a5b54a (5.5.1-stable-2) to root...
  Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libwolfssl5.5.1.99a5b54a_5.5.1-stable-2_x86_64.ipk
  Upgrading px5g-wolfssl on root from 3 to 4.1...
  Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//px5g-wolfssl_4.1_x86_64.ipk
  Configuring libwolfssl5.5.1.99a5b54a.
  Configuring libustream-wolfssl20201210.
  Configuring px5g-wolfssl.

Then I verified that:

  * px5g still works
  * LuCI is still accessible over HTTPS
  * opkg/uclient can still fetch from HTTPS

Cheers,

Petr

1. https://downloads.openwrt.org/releases/21.02.3/targets/x86/64/openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz

Eneas U de Queiroz (2):
  wolfssl: bump to v5.3.0-stable
  wolfssl: bump to 5.4.0

Ivan Pavlov (1):
  wolfssl: bump to 5.5.0

Petr Štetiar (2):
  wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable
    (CVE-2022-39173)
  treewide: fix security issues by bumping all packages using libwolfssl

 package/libs/ustream-ssl/Makefile             |  2 +-
 package/libs/wolfssl/Makefile                 |  4 ++--
 .../patches/100-disable-hardening-check.patch |  2 +-
 .../libs/wolfssl/patches/200-ecc-rng.patch    |  4 ++--
 ...fix-SSL_get_verify_result-regression.patch | 24 -------------------
 ...rt-devcrypto-devcrypto_aes.c-remove-.patch | 19 ---------------
 package/network/services/hostapd/Makefile     |  2 +-
 package/utils/px5g-wolfssl/Makefile           |  2 +-
 8 files changed, 8 insertions(+), 51 deletions(-)
 delete mode 100644 package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch
 delete mode 100644 package/libs/wolfssl/patches/400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch
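As an added check for operators applying this backport (not part of this series or of OpenWrt's own tooling), the POSIX sh script below confirms that the libwolfssl package installed through opkg is at or above 5.5.1 by parsing `opkg list-installed`; the embedded package list is a constructed sample, and the package names follow the ones shown in the cover letter.

```shell
# Added example, not part of the patch series: check that the libwolfssl
# installed through opkg is at or above 5.5.1, the release carrying the
# CVE-2022-39173 fix. Uses only busybox sh/awk as found on OpenWrt.
MIN_WOLFSSL="5.5.1"

# version_ge A B: return 0 if dotted version A >= B, else 1. A leading "v" and
# any "-"/"_" suffix (e.g. "-stable-2") are ignored; missing components are 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^v/, "", a); sub(/[-_].*$/, "", a); gsub(/\./, " ", a)
        sub(/^v/, "", b); sub(/[-_].*$/, "", b); gsub(/\./, " ", b)
        na = split(a, x); nb = split(b, y)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_wolfssl: read "opkg list-installed" lines ("name - version") on stdin;
# return 0 if libwolfssl >= MIN_WOLFSSL, 1 if older, 2 if not installed.
check_wolfssl() {
    ver=$(awk '$1 ~ /^libwolfssl/ { print $3; exit }')
    [ -n "$ver" ] || return 2
    echo "installed libwolfssl: $ver"
    version_ge "$ver" "$MIN_WOLFSSL"
}

# Constructed sample of "opkg list-installed" output (not captured from a
# device); package names follow those shown in the cover letter.
SAMPLE_LIST='libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.99a5b54a - 5.5.1-stable-2
px5g-wolfssl - 4.1'

# On a router, inspect the live package list; elsewhere, run on the sample.
if command -v opkg >/dev/null 2>&1; then
    opkg list-installed | check_wolfssl
else
    printf '%s\n' "$SAMPLE_LIST" | check_wolfssl
fi
case $? in
    0) echo "wolfSSL is at or above $MIN_WOLFSSL" ;;
    1) echo "wolfSSL is older than $MIN_WOLFSSL: upgrade needed" ;;
    *) echo "no libwolfssl package found" ;;
esac
```

The version check only covers the library package; the HTTPS checks listed in the cover letter (LuCI, opkg/uclient fetches) still need to be run by hand after the upgrade.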

Comments

Hauke Mehrtens Oct. 5, 2022, 5:44 p.m. UTC | #1
On 10/5/22 11:46, Petr Štetiar wrote:
> Hi,
> 
> We need to upgrade wolfSSL to version 5.5.1, as it fixes several remotely
> exploitable vulnerabilities in TLS v1.3 protocol handling, so I suggest doing
> so by backporting the following commits from the 22.03 release.
> 
> I've tested this change in x86/64 QEMU, using the openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz image [1] as a base:
> 
>    root@OpenWrt:/# opkg list-upgradable | cut -d ' ' -f 1 | xargs opkg upgrade
>    Upgrading libustream-wolfssl20201210 on root from 2022-01-16-868fd881-1 to 2022-01-16-868fd881-2...
>    Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libustream-wolfssl20201210_2022-01-16-868fd881-2_x86_64.ipk
>    Installing libwolfssl5.5.1.99a5b54a (5.5.1-stable-2) to root...
>    Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libwolfssl5.5.1.99a5b54a_5.5.1-stable-2_x86_64.ipk
>    Upgrading px5g-wolfssl on root from 3 to 4.1...
>    Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//px5g-wolfssl_4.1_x86_64.ipk
>    Configuring libwolfssl5.5.1.99a5b54a.
>    Configuring libustream-wolfssl20201210.
>    Configuring px5g-wolfssl.
> 
> Then I verified that:
> 
>    * px5g still works
>    * LuCI is still accessible over HTTPS
>    * opkg/uclient can still fetch from HTTPS
> 
> Cheers,
> 
> Petr
> 
> 1. https://downloads.openwrt.org/releases/21.02.3/targets/x86/64/openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz
> 
> Eneas U de Queiroz (2):
>    wolfssl: bump to v5.3.0-stable
>    wolfssl: bump to 5.4.0
> 
> Ivan Pavlov (1):
>    wolfssl: bump to 5.5.0
> 
> Petr Štetiar (2):
>    wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable
>      (CVE-2022-39173)
>    treewide: fix security issues by bumping all packages using libwolfssl

Acked-by: Hauke Mehrtens <hauke@hauke-m.de>