X-Patchwork-Id: 1686278
From: Petr Štetiar
To: openwrt-devel@lists.openwrt.org
Cc: Eneas U de Queiroz
Subject: [PATCH 21.02 1/5] wolfssl: bump to v5.3.0-stable
Date: Wed, 5 Oct 2022 11:46:26 +0200
Message-Id: <20221005094630.5311-2-ynezz@true.cz>
In-Reply-To: <20221005094630.5311-1-ynezz@true.cz>
References: <20221005094630.5311-1-ynezz@true.cz>

From: Eneas U de Queiroz This is mostly a bug fix release, including two that were already patched here: - 300-fix-SSL_get_verify_result-regression.patch - 400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch Signed-off-by: Eneas U de Queiroz (cherry picked from commit 73c1fe2890baa5c0bfa46f53c5387f5e47de1acb) (cherry picked from commit 6f8db8fee3b7bd5cb8b1b2be59ee710a8f96860b) --- package/libs/wolfssl/Makefile | 4 ++-- ...fix-SSL_get_verify_result-regression.patch | 24 ------------------- ...rt-devcrypto-devcrypto_aes.c-remove-.patch | 19 --------------- 3 files changed, 2 insertions(+), 45 deletions(-) delete mode 100644 package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch delete mode 100644 package/libs/wolfssl/patches/400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index e8bf252de68c..1324a439299b 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=5.2.0-stable +PKG_VERSION:=5.3.0-stable PKG_RELEASE:=$(AUTORELEASE) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=409b4646c5f54f642de0e9f3544c3b83de7238134f5b1ff93fb44527bf119d05 +PKG_HASH:=1a3bb310dc01d3e73d9ad91b6ea8249d081016f8eef4ae8f21d3421f91ef1de9 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch b/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch deleted file mode 100644 index d6e799874469..000000000000 --- a/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -From 87e43dd63ba429297e439f2dfd1ee8b45981e18b Mon Sep 17 00:00:00 2001 -From: Juliusz Sosinowicz -Date: Sat, 12 Feb 2022 00:34:24 +0100 -Subject: [PATCH] Reported in ZD13631 - -`ssl->peerVerifyRet` wasn't being cleared when retrying with an alternative cert chain - -References: https://github.com/wolfSSL/wolfssl/issues/4879 ---- - src/internal.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/src/internal.c -+++ b/src/internal.c -@@ -12342,6 +12342,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* - } - - ret = 0; /* clear errors and continue */ -+ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) -+ ssl->peerVerifyRet = 0; -+ #endif - args->verifyErr = 0; - } - diff --git a/package/libs/wolfssl/patches/400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch b/package/libs/wolfssl/patches/400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch deleted file mode 100644 index 3c0c0a07afba..000000000000 --- a/package/libs/wolfssl/patches/400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -From 096889927d9528d4fbeb3aab56d1fe8225d2e7ec Mon Sep 17 00:00:00 2001 -From: Daniel Pouzzner -Date: Thu, 14 Apr 2022 20:23:31 -0500 -Subject: [PATCH] wolfcrypt/src/port/devcrypto/devcrypto_aes.c: remove - redundant "int ret" in wc_AesCtrEncrypt() (supersedes #5052). - - -diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c -index 3bc1d5bb1..28e145e27 100644 ---- a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c -+++ b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c -@@ -208,7 +208,6 @@ int wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) - int ret; - struct crypt_op crt; - byte* tmp; -- int ret; - - if (aes == NULL || out == NULL || in == NULL) { - return BAD_FUNC_ARG;
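
Review bot: The two files deleted under package/libs/wolfssl/patches/ are dropped on the strength of the message's "already patched here" alone, and 300-fix-SSL_get_verify_result-regression.patch is the one that clears `ssl->peerVerifyRet` when ProcessPeerCerts() retries with an alternative cert chain, so it affects the certificate verification result. Cite the upstream commits quoted in the deleted patch headers (87e43dd63ba4 and 096889927d95) in the commit message so the removal can be checked against the v5.3.0-stable tree.
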
X-Patchwork-Id: 1686280
From: Petr Štetiar
To: openwrt-devel@lists.openwrt.org
Cc: Eneas U de Queiroz, Christian Marangi
Subject: [PATCH 21.02 2/5] wolfssl: bump to 5.4.0
Date: Wed, 5 Oct 2022 11:46:27 +0200
Message-Id: <20221005094630.5311-3-ynezz@true.cz>
In-Reply-To: <20221005094630.5311-1-ynezz@true.cz>
References: <20221005094630.5311-1-ynezz@true.cz>

From: Eneas U de Queiroz This version fixes two vulnerabilities: -CVE-2022-34293[high]: Potential for DTLS DoS attack -[medium]: Ciphertext side channel attack on ECC and DH operations. The patch fixing x86 aesni build has been merged upstream. Signed-off-by: Eneas U de Queiroz (cherry picked from commit 9710fe70a68e0a004b1906db192d7a6c8f810ac5) Signed-off-by: Christian Marangi (cherry picked from commit ade7c6db1e6c2c0c8d2338948c37cfa7429ebccc) --- package/libs/wolfssl/Makefile | 4 ++-- .../libs/wolfssl/patches/100-disable-hardening-check.patch | 2 +- package/libs/wolfssl/patches/200-ecc-rng.patch | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 1324a439299b..d0a67e118be2 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=5.3.0-stable +PKG_VERSION:=5.4.0-stable PKG_RELEASE:=$(AUTORELEASE) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=1a3bb310dc01d3e73d9ad91b6ea8249d081016f8eef4ae8f21d3421f91ef1de9 +PKG_HASH:=dc36cc19dad197253e5c2ecaa490c7eef579ad448706e55d73d79396e814098b PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index 7e473b390bb2..d3ad2e27bc3e 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2338,7 +2338,7 @@ extern void uITRON4_free(void *p) ; +@@ -2442,7 +2442,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ 
diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch index f1f156a8aeac..2e09e6d273e3 100644 --- a/package/libs/wolfssl/patches/200-ecc-rng.patch +++ b/package/libs/wolfssl/patches/200-ecc-rng.patch @@ -11,7 +11,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfcrypt/src/ecc.c 
+++ b/wolfcrypt/src/ecc.c -@@ -11655,21 +11655,21 @@ void wc_ecc_fp_free(void) +@@ -12288,21 +12288,21 @@ void wc_ecc_fp_free(void) #endif /* FP_ECC */
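
Review bot: The commit message says the patch fixing the x86 aesni build has been merged upstream, but the diffstat of this backport shows three modified files and no deletion, so that sentence does not match the change; drop it for 21.02 or say that this branch never carried the patch. The refreshed 100-disable-hardening-check.patch hunk (settings.h offset 2338 to 2442) still sits on the "warning for not using harden build options" block, and since the release is described as fixing a ciphertext side channel on ECC and DH operations, a line confirming that the package is built with the harden options would help.
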
X-Patchwork-Id: 1686279
From: Petr Štetiar
To: openwrt-devel@lists.openwrt.org
Cc: Ivan Pavlov
Subject: [PATCH 21.02 3/5] wolfssl: bump to 5.5.0
Date: Wed, 5 Oct 2022 11:46:28 +0200
Message-Id: <20221005094630.5311-4-ynezz@true.cz>
In-Reply-To: <20221005094630.5311-1-ynezz@true.cz>
References: <20221005094630.5311-1-ynezz@true.cz>

From: Ivan Pavlov Remove upstreamed: 101-update-sp_rand_prime-s-preprocessor-gating-to-match.patch Some low severity vulnerabilities fixed OpenVPN compatibility fixed (broken in 5.4.0) Other fixes && improvements Signed-off-by: Ivan Pavlov (cherry picked from commit 3d88f26d74f7771b808082cef541ed8286c40491) (cherry picked from commit 0c8425bf11590afb0c6f1545b328ecb6ed4aee87) --- package/libs/wolfssl/Makefile | 4 ++-- .../libs/wolfssl/patches/100-disable-hardening-check.patch | 2 +- package/libs/wolfssl/patches/200-ecc-rng.patch | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index d0a67e118be2..ce66ec81eada 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=5.4.0-stable +PKG_VERSION:=5.5.0-stable PKG_RELEASE:=$(AUTORELEASE) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=dc36cc19dad197253e5c2ecaa490c7eef579ad448706e55d73d79396e814098b +PKG_HASH:=c34b74b5f689fac7becb05583b044e84d3b10d39f38709f0095dd5d423ded67f PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index d3ad2e27bc3e..01bb5974ba33 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2442,7 +2442,7 @@ extern void uITRON4_free(void *p) ; +@@ -2445,7 +2445,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ 
diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch index 2e09e6d273e3..d68ef7f3853a 100644 --- a/package/libs/wolfssl/patches/200-ecc-rng.patch +++ b/package/libs/wolfssl/patches/200-ecc-rng.patch @@ -11,7 +11,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c -@@ -12288,21 +12288,21 @@ void wc_ecc_fp_free(void) +@@ -12348,21 +12348,21 @@ void wc_ecc_fp_free(void) #endif /* FP_ECC */ @@ -37,7 +37,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfssl/wolfcrypt/ecc.h 
+++ b/wolfssl/wolfcrypt/ecc.h -@@ -650,10 +650,8 @@ WOLFSSL_API +@@ -650,10 +650,8 @@ WOLFSSL_ABI WOLFSSL_API void wc_ecc_fp_free(void); WOLFSSL_LOCAL void wc_ecc_fp_init(void);
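
Review bot: The message lists 101-update-sp_rand_prime-s-preprocessor-gating-to-match.patch as removed, but the diffstat has no deleted file, only the Makefile and the two refreshed patches; adjust the message for this branch. In the 200-ecc-rng.patch refresh, the ecc.h hunk context changes from `WOLFSSL_API` to `WOLFSSL_ABI WOLFSSL_API`, which deserves a word in the message given that patch 5/5 of this series rebuilds dependants over ABI compatibility.
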
X-Patchwork-Id: 1686277
From: Petr Štetiar
To: openwrt-devel@lists.openwrt.org
Cc: Petr Štetiar, Kien Truong
Subject: [PATCH 21.02 4/5] wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)
Date: Wed, 5 Oct 2022 11:46:29 +0200
Message-Id: <20221005094630.5311-5-ynezz@true.cz>
In-Reply-To: <20221005094630.5311-1-ynezz@true.cz>
References: <20221005094630.5311-1-ynezz@true.cz>

Fixes denial of service attack and buffer overflow against TLS 1.3 servers using session ticket resumption.
When built with --enable-session-ticket and making use of TLS 1.3 server code in wolfSSL, there is the possibility of a malicious client to craft a malformed second ClientHello packet that causes the server to crash. This issue is limited to when using both --enable-session-ticket and TLS 1.3 on the server side. Users with TLS 1.3 servers, and having --enable-session-ticket, should update to the latest version of wolfSSL. Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France" for research on tlspuffin. Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable Fixes: CVE-2022-39173 Fixes: https://github.com/openwrt/luci/issues/5962 References: https://github.com/wolfSSL/wolfssl/issues/5629 Tested-by: Kien Truong Reported-by: Kien Truong Signed-off-by: Petr Štetiar (cherry picked from commit ec8fb542ec3e4f584444a97de5ac05dbc2a9cde5) (cherry picked from commit ce59843662961049a28033077587cabdc5243b15) --- package/libs/wolfssl/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index ce66ec81eada..a1c968b81fe9 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile 
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=5.5.0-stable +PKG_VERSION:=5.5.1-stable PKG_RELEASE:=$(AUTORELEASE) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=c34b74b5f689fac7becb05583b044e84d3b10d39f38709f0095dd5d423ded67f +PKG_HASH:=97339e6956c90e7c881ba5c748dd04f7c30e5dbe0c06da765418c51375a6dee3 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1
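
Review bot: The Makefile hunk changes only PKG_VERSION and PKG_HASH, while the message limits CVE-2022-39173 to servers built with --enable-session-ticket and using TLS 1.3; state in the message whether this package's configure arguments enable session tickets, so that 21.02 users can tell whether their uhttpd build is exposed. The subject calls the issue an RCE while the body describes a denial of service and buffer overflow that crashes the server; use one description in both.
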
List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=qGctrFzhbW/lPv5HO58C1WxqVBCqIRCt+ngOj8o1o04=; b=YXTNAIn0GnRLiw iXM/3zIZ+luQlH/9+WQk+0W50WmDri8C14B2lBxN+Idmjit2n6b1/vthTJOKnn8vnvRZH/gsj/1UB iUCVSpt2TVB/a6UNn2Jg1eiZYSQ2fWj1D6sVOwsu67dJoSw2m4xFdJRThjfHT4WO7w3GGhr6EmQNk /ui64YeHlvat162AQ5D4VnJ3IUh5dX3vfSamk6Uw15J67lW0YCydQPUquu66VwrnDE1ANzvbhK4oB U6hSAxvm+gfj5XI14nXuHK2oi66v/92lymdcpxwJJEIYRjlawXZTUmPR/XguASrmjTSFjUuq3bH0U Vgl379IY2zvwx2sslX9Q==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1og10F-00DQdF-Qy; Wed, 05 Oct 2022 09:47:47 +0000 Received: from smtp-out.xnet.cz ([178.217.244.18]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1og0zF-00DQP2-00 for openwrt-devel@lists.openwrt.org; Wed, 05 Oct 2022 09:46:47 +0000 Received: from meh.true.cz (meh.true.cz [108.61.167.218]) (Authenticated sender: petr@true.cz) by smtp-out.xnet.cz (Postfix) with ESMTPSA id 876C536C2; Wed, 5 Oct 2022 11:46:35 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=true.cz; s=xnet; t=1664963195; bh=KUiQbYTftLnf9pwDNCZthOXXauE60ZrTBVdMeaVLVig=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=dxcDFInE1pq52IaOnKfh5IgtX3Yjn8UwxKyO/TNNe38ibmcu3JGPHViAdj7kgd5Qw KRDK106ZW5R2c0w98aYlZ/INdjt4K4Bk5ltmZBgUNtzF/WvfjRBgdkga5dHQBLipZl CCb2HW0Zm919cWDCMJVcR1QVGY0cUCyqrHwXn/J8= Received: by meh.true.cz (OpenSMTPD) with ESMTP id f3e5060b; Wed, 5 Oct 2022 11:46:12 +0200 (CEST) 
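Review bot: in the package/libs/wolfssl/Makefile hunk, the `+PKG_HASH` line is the only integrity check on the new tarball, and PKG_SOURCE_URL fetches it from a GitHub archive URL, so the commit message should say how the new hash was obtained (for example, computed from a fresh download of the v5.5.1-stable tag and compared with the value already merged on the branch this was cherry-picked from). The `PKG_VERSION` change also alters the library version that dependants link against, so this bump should not land on the branch without the follow-up change that forces those packages to rebuild.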
From: Petr Štetiar
To: openwrt-devel@lists.openwrt.org
Cc: Petr Štetiar
Subject: [PATCH 21.02 5/5] treewide: fix security issues by bumping all packages using libwolfssl
Date: Wed, 5 Oct 2022 11:46:30 +0200
Message-Id: <20221005094630.5311-6-ynezz@true.cz>
In-Reply-To: <20221005094630.5311-1-ynezz@true.cz>
References: <20221005094630.5311-1-ynezz@true.cz>
As wolfSSL is having a hard time maintaining ABI compatibility between releases, we need to manually force rebuild of packages depending on libwolfssl and thus force their upgrade. Otherwise due to the ABI handling we would end up with possibly two libwolfssl libraries in the system, including the patched libwolfssl-5.5.1, but still have vulnerable services running using the vulnerable libwolfssl-5.4.0.

So in order to propagate update of libwolfssl to latest stable release done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages using wolfSSL library.

Signed-off-by: Petr Štetiar
(cherry picked from commit f1b7e1434f66a3cb09cb9e70b40add354a22e458)
(cherry picked from commit 562894b39da381264a34ce31e9334c8a036fa139)
--- package/libs/ustream-ssl/Makefile | 2 +- package/network/services/hostapd/Makefile | 2 +- package/utils/px5g-wolfssl/Makefile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/ustream-ssl/Makefile b/package/libs/ustream-ssl/Makefile index 7d9e830381dc..4f474978db77 100644 --- a/package/libs/ustream-ssl/Makefile +++ b/package/libs/ustream-ssl/Makefile 
@@ -1,7 +1,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ustream-ssl -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/ustream-ssl.git diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile index e529a2efd34e..001bdb439e2e 100644 --- a/package/network/services/hostapd/Makefile +++ b/package/network/services/hostapd/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=hostapd -PKG_RELEASE:=40 +PKG_RELEASE:=41 PKG_SOURCE_URL:=http://w1.fi/hostap.git PKG_SOURCE_PROTO:=git diff --git a/package/utils/px5g-wolfssl/Makefile b/package/utils/px5g-wolfssl/Makefile index 90296008d687..264a12aa4dd6 100644 --- a/package/utils/px5g-wolfssl/Makefile +++ b/package/utils/px5g-wolfssl/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=px5g-wolfssl -PKG_RELEASE:=$(COMMITCOUNT) +PKG_RELEASE:=$(COMMITCOUNT).1 PKG_LICENSE:=GPL-2.0-or-later PKG_USE_MIPS16:=0
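Review bot: the commit message promises a PKG_RELEASE bump for all packages using the wolfSSL library, but the diffstat touches only ustream-ssl, hostapd and px5g-wolfssl, so please confirm for the 21.02 tree that nothing else links libwolfssl, or list the packages deliberately left out. The message also names libwolfssl-5.4.0 as the vulnerable copy left behind, while the wolfssl Makefile in this series moves from 5.5.0-stable, so the version quoted for this branch is worth double-checking.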
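Review bot: in the package/utils/px5g-wolfssl/Makefile hunk, `PKG_RELEASE:=$(COMMITCOUNT).1` puts a hand-written suffix on an otherwise computed release, unlike the plain integer bumps in the ustream-ssl and hostapd hunks. A one-line comment saying the `.1` exists only to force a rebuild against the new libwolfssl, and can be dropped at the next regular change, would keep it from lingering or being copied elsewhere. Please also confirm that the resulting release string sorts above the currently published one in opkg's version comparison, so that devices actually pick up the upgrade.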