diff mbox series

[21.02,4/5] wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)

Message ID 20221005094630.5311-5-ynezz@true.cz
State Accepted
Delegated to: Petr Štetiar
Headers show
Series backport fix for TLSv1.3 RCE in uhttpd by using 5.5.1-stable | expand

Commit Message

Petr Štetiar Oct. 5, 2022, 9:46 a.m. UTC
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.

This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.

Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.

Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

Fixes: CVE-2022-39173
Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Tested-by: Kien Truong <duckientruong@gmail.com>
Reported-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit ec8fb542ec3e4f584444a97de5ac05dbc2a9cde5)
(cherry picked from commit ce59843662961049a28033077587cabdc5243b15)
 package/libs/wolfssl/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff mbox series


diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index ce66ec81eada..a1c968b81fe9 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@ 
 include $(TOPDIR)/rules.mk
 PKG_FIXUP:=libtool libtool-abiver