From patchwork Wed Oct 5 09:46:30 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Petr_=C5=A0tetiar?= X-Patchwork-Id: 1686281 X-Patchwork-Delegate: ynezz@true.cz Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.openwrt.org (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=YXTNAIn0; dkim=fail reason="key not found in DNS" header.d=true.cz header.i=@true.cz header.a=rsa-sha256 header.s=xnet header.b=dxcDFInE; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:3::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Mj8vl0T5yz20Pd for ; Wed, 5 Oct 2022 20:50:43 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=qGctrFzhbW/lPv5HO58C1WxqVBCqIRCt+ngOj8o1o04=; b=YXTNAIn0GnRLiw iXM/3zIZ+luQlH/9+WQk+0W50WmDri8C14B2lBxN+Idmjit2n6b1/vthTJOKnn8vnvRZH/gsj/1UB iUCVSpt2TVB/a6UNn2Jg1eiZYSQ2fWj1D6sVOwsu67dJoSw2m4xFdJRThjfHT4WO7w3GGhr6EmQNk /ui64YeHlvat162AQ5D4VnJ3IUh5dX3vfSamk6Uw15J67lW0YCydQPUquu66VwrnDE1ANzvbhK4oB U6hSAxvm+gfj5XI14nXuHK2oi66v/92lymdcpxwJJEIYRjlawXZTUmPR/XguASrmjTSFjUuq3bH0U Vgl379IY2zvwx2sslX9Q==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1og10F-00DQdF-Qy; Wed, 05 Oct 2022 09:47:47 +0000 Received: from smtp-out.xnet.cz ([178.217.244.18]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1og0zF-00DQP2-00 for openwrt-devel@lists.openwrt.org; Wed, 05 Oct 2022 09:46:47 +0000 Received: from meh.true.cz (meh.true.cz [108.61.167.218]) (Authenticated sender: petr@true.cz) by smtp-out.xnet.cz (Postfix) with ESMTPSA id 876C536C2; Wed, 5 Oct 2022 11:46:35 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=true.cz; s=xnet; t=1664963195; bh=KUiQbYTftLnf9pwDNCZthOXXauE60ZrTBVdMeaVLVig=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=dxcDFInE1pq52IaOnKfh5IgtX3Yjn8UwxKyO/TNNe38ibmcu3JGPHViAdj7kgd5Qw KRDK106ZW5R2c0w98aYlZ/INdjt4K4Bk5ltmZBgUNtzF/WvfjRBgdkga5dHQBLipZl CCb2HW0Zm919cWDCMJVcR1QVGY0cUCyqrHwXn/J8= Received: by meh.true.cz (OpenSMTPD) with ESMTP id f3e5060b; Wed, 5 Oct 2022 11:46:12 +0200 (CEST) From: =?utf-8?q?Petr_=C5=A0tetiar?= To: openwrt-devel@lists.openwrt.org Cc: =?utf-8?q?Petr_=C5=A0tetiar?= Subject: [PATCH 21.02 5/5] treewide: fix security issues by bumping all packages using libwolfssl Date: Wed, 5 Oct 2022 11:46:30 +0200 Message-Id: <20221005094630.5311-6-ynezz@true.cz> In-Reply-To: <20221005094630.5311-1-ynezz@true.cz> References: <20221005094630.5311-1-ynezz@true.cz> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20221005_024645_204424_365B1300 X-CRM114-Status: UNSURE ( 7.95 ) X-CRM114-Notice: Please train this message. X-Spam-Score: 0.2 (/) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: As wolfSSL is having hard time maintaining ABI compatibility between releases, we need to manually force rebuild of packages depending on libwolfssl and thus force their upgrade. Otherwise due to the [...] Content analysis details: (0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org As wolfSSL is having hard time maintaining ABI compatibility between releases, we need to manually force rebuild of packages depending on libwolfssl and thus force their upgrade. Otherwise due to the ABI handling we would endup with possibly two libwolfssl libraries in the system, including the patched libwolfssl-5.5.1, but still have vulnerable services running using the vulnerable libwolfssl-5.4.0. So in order to propagate update of libwolfssl to latest stable release done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages using wolfSSL library. Signed-off-by: Petr Štetiar (cherry picked from commit f1b7e1434f66a3cb09cb9e70b40add354a22e458) (cherry picked from commit 562894b39da381264a34ce31e9334c8a036fa139) --- package/libs/ustream-ssl/Makefile | 2 +- package/network/services/hostapd/Makefile | 2 +- package/utils/px5g-wolfssl/Makefile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/ustream-ssl/Makefile b/package/libs/ustream-ssl/Makefile index 7d9e830381dc..4f474978db77 100644 --- a/package/libs/ustream-ssl/Makefile +++ b/package/libs/ustream-ssl/Makefile @@ -1,7 +1,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ustream-ssl -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/ustream-ssl.git diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile index e529a2efd34e..001bdb439e2e 100644 --- a/package/network/services/hostapd/Makefile +++ b/package/network/services/hostapd/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=hostapd -PKG_RELEASE:=40 +PKG_RELEASE:=41 PKG_SOURCE_URL:=http://w1.fi/hostap.git PKG_SOURCE_PROTO:=git diff --git a/package/utils/px5g-wolfssl/Makefile b/package/utils/px5g-wolfssl/Makefile index 90296008d687..264a12aa4dd6 100644 --- a/package/utils/px5g-wolfssl/Makefile +++ b/package/utils/px5g-wolfssl/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=px5g-wolfssl -PKG_RELEASE:=$(COMMITCOUNT) +PKG_RELEASE:=$(COMMITCOUNT).1 PKG_LICENSE:=GPL-2.0-or-later PKG_USE_MIPS16:=0