| author | Hauke Mehrtens | 2024-07-14 23:06:38 +0000 |
|---|---|---|
| committer | Hauke Mehrtens | 2024-07-15 21:57:44 +0000 |
| commit | 3a0232ffd33f2dc894c671d90de6b2766399f4dc (patch) | |
| tree | 86313da7636f5d242b80cc31fd67693689952685 | |
| parent | 22258443921c59d25da741266cbac583a7402714 (diff) | |
| download | openwrt-3a0232ffd33f2dc894c671d90de6b2766399f4dc.tar.gz | |
wolfssl: Update to version 5.7.2
This fixes multiple security problems:
* [Medium] CVE-2024-1544
Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls.
* [Medium] CVE-2024-5288
A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations.
* [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS.
* [Low] CVE-2024-5991
In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked.
* [Medium] CVE-2024-5814
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection.
* [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received.
* [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt.
Unset DISABLE_NLS to prevent setting the unsupported configuration
option --disable-nls which breaks the build now.
Link: https://github.com/openwrt/openwrt/pull/15948
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
| -rw-r--r-- | package/libs/wolfssl/Makefile | 6 |
| -rw-r--r-- | package/libs/wolfssl/patches/100-disable-hardening-check.patch | 2 |
2 files changed, 5 insertions, 3 deletions
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 60ba85e15f..bac4a8ef52 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=5.7.0-stable +PKG_VERSION:=5.7.2-stable PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=2de93e8af588ee856fe67a6d7fce23fc1b226b74d710b0e3946bc8061f6aa18f +PKG_HASH:=0f2ed82e345b833242705bbc4b08a2a2037a33f7bf9c610efae6464f6b10e305 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 @@ -51,6 +51,8 @@ PKG_CONFIG_DEPENDS+=\ include $(INCLUDE_DIR)/package.mk +DISABLE_NLS:= + define Package/libwolfssl/Default SECTION:=libs SUBMENU:=SSL diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index 680d3588a6..174e657982 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2945,7 +2945,7 @@ extern void uITRON4_free(void *p) ; +@@ -3046,7 +3046,7 @@ extern void uITRON4_free(void *p) ; /* warning for not using harden build options (default with ./configure) */ /* do not warn if big integer support is disabled */ |
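Review bot: In the first Makefile hunk (@@ -8,12 +8,12 @@), PKG_SOURCE_URL points at the GitHub archive/v$(PKG_VERSION) tarball, so the new PKG_HASH is the only integrity pin on the 5.7.2-stable source, and nothing in the commit says how the value was obtained. Please state in the commit message or the PR that the hash was computed from a tarball checked against the upstream v5.7.2-stable tag, so a later reviewer can reproduce it. Leaving PKG_RELEASE:=1 unchanged is right for a version bump.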
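Review bot: In the second Makefile hunk (@@ -51,6 +51,8 @@), `DISABLE_NLS:=` is added without a comment, and the reason for it lives only in the commit message. A one-line comment above it, for example `# wolfSSL configure rejects --disable-nls`, would keep the override from being dropped as dead code in a later cleanup.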
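Review bot: In the 100-disable-hardening-check.patch hunk, the patch file starts directly at `--- a/wolfssl/wolfcrypt/settings.h` on line 1, so it carries no header explaining why the hardening warning is suppressed. This refresh only moves the offset from 2945 to 3046, which makes it a cheap moment to add a short description saying why the check is disabled and whether the package build enables the hardening options elsewhere, given that the fixes listed for this release include side-channel issues.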