[PATCH 21.02 0/5] backport fix for TLSv1.3 RCE in uhttpd by using 5.5.1-stable
Hauke Mehrtens
hauke at hauke-m.de
Wed Oct 5 10:44:54 PDT 2022
On 10/5/22 11:46, Petr Štetiar wrote:
> Hi,
>
> we need to upgrade wolfSSL to version 5.5.1 as it fixes several remotely
> exploitable vulnerabilities in TLS v1.3 protocol handling, so I suggest to do
> so by backporting following commits from 22.03 release.
>
> I've tested this change in x86/64 QEMU, using openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz image as a base:
>
> root at OpenWrt:/# opkg list-upgradable | cut -d ' ' -f 1 | xargs opkg upgrade
> Upgrading libustream-wolfssl20201210 on root from 2022-01-16-868fd881-1 to 2022-01-16-868fd881-2...
> Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libustream-wolfssl20201210_2022-01-16-868fd881-2_x86_64.ipk
> Installing libwolfssl5.5.1.99a5b54a (5.5.1-stable-2) to root...
> Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//libwolfssl5.5.1.99a5b54a_5.5.1-stable-2_x86_64.ipk
> Upgrading px5g-wolfssl on root from 3 to 4.1...
> Downloading http://192.168.220.1/~ynezz/packages/21.02/x86_64/base//px5g-wolfssl_4.1_x86_64.ipk
> Configuring libwolfssl5.5.1.99a5b54a.
> Configuring libustream-wolfssl20201210.
> Configuring px5g-wolfssl.
>
> Then verified, that:
>
> * px5g still works
> * LuCI is still accessible over HTTPS
> * opkg/uclient can still fetch from HTTPS
>
> Cheers,
>
> Petr
>
> 1. https://downloads.openwrt.org/releases/21.02.3/targets/x86/64/openwrt-21.02.3-x86-64-generic-squashfs-combined.img.gz
>
> Eneas U de Queiroz (2):
> wolfssl: bump to v5.3.0-stable
> wolfssl: bump to 5.4.0
>
> Ivan Pavlov (1):
> wolfssl: bump to 5.5.0
>
> Petr Štetiar (2):
> wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable
> (CVE-2022-39173)
> treewide: fix security issues by bumping all packages using libwolfssl
Acked-by: Hauke Mehrtens <hauke at hauke-m.de>
More information about the openwrt-devel
mailing list