[PATCH 21.02 0/5] backport fix for TLSv1.3 RCE in uhttpd by using 5.5.1-stable

Hauke Mehrtens hauke at hauke-m.de
Wed Oct 5 10:44:54 PDT 2022


On 10/5/22 11:46, Petr Štetiar wrote:
> Hi,
> 
> we need to upgrade wolfSSL to version 5.5.1 as it fixes several remotely
> exploitable vulnerabilities in TLS v1.3 protocol handling, so I suggest to do
> so by backporting following commits from 22.03 release.
> 
> I've tested this change in x86/64 QEMU, using openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz image as a base:
> 
>    root at OpenWrt:/# opkg list-upgradable | cut -d ' ' -f 1 | xargs opkg upgrade
>    Upgrading libustream-wolfssl20201210 on root from 2022-01-16-868fd881-1 to 2022-01-16-868fd881-2...
>    Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libustream-wolfssl20201210_2022-01-16-868fd881-2_x86_64.ipk
>    Installing libwolfssl5.5.1.99a5b54a (5.5.1-stable-2) to root...
>    Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libwolfssl5.5.1.99a5b54a_5.5.1-stable-2_x86_64.ipk
>    Upgrading px5g-wolfssl on root from 3 to 4.1...
>    Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//px5g-wolfssl_4.1_x86_64.ipk
>    Configuring libwolfssl5.5.1.99a5b54a.
>    Configuring libustream-wolfssl20201210.
>    Configuring px5g-wolfssl.
> 
> Then verified, that:
> 
>    * px5g still works
>    * LuCI is still accessible over HTTPS
>    * opkg/uclient can still fetch from HTTPS
> 
> Cheers,
> 
> Petr
> 
> 1. https://downloads.openwrt.org/releases/21.02.3/targets/x86/64/openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz
> 
> Eneas U de Queiroz (2):
>    wolfssl: bump to v5.3.0-stable
>    wolfssl: bump to 5.4.0
> 
> Ivan Pavlov (1):
>    wolfssl: bump to 5.5.0
> 
> Petr Štetiar (2):
>    wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable
>      (CVE-2022-39173)
>    treewide: fix security issues by bumping all packages using libwolfssl

Acked-by: Hauke Mehrtens <hauke at hauke-m.de>




More information about the openwrt-devel mailing list