Staging tree of Christian Lamparter https://git.openwrt.org/openwrt/staging/chunkeey/atom?h=v19.07.9 2022-02-13T17:27:18Z 2022-02-13T17:27:18Z Hauke Mehrtens 2022-01-29T10:56:27Z urn:sha1:1691c1168d15752eaeb9ab2dda15553754df95be This fixes the following security problems: * Zeroize several intermediate variables used to calculate the expected value when verifying a MAC or AEAD tag. This hardens the library in case the value leaks through a memory disclosure vulnerability. For example, a memory disclosure vulnerability could have allowed a man-in-the-middle to inject fake ciphertext into a DTLS connection. * Fix a double-free that happened after mbedtls_ssl_set_session() or mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED (out of memory). After that, calling mbedtls_ssl_session_free() and mbedtls_ssl_free() would cause an internal session buffer to be free()'d twice. CVE-2021-44732 The sizes of the ipk changed on MIPS 24Kc like this: 182454 libmbedtls12_2.16.11-2_mips_24kc.ipk 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 57f38e2c827e3be71d8b1709073e366afe011985) 2022-02-13T17:26:55Z Rosen Penev 2021-07-13T20:27:09Z urn:sha1:419b9f4c45141ec37d9c0936ca19380e77a79a3f Switched to AUTORELEASE to avoid manual increments. Release notes: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11 Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit fcfd741eb83520e496eb09de5f8b2f2b62792a80) 2022-02-13T09:51:47Z Hauke Mehrtens 2021-12-26T22:38:52Z urn:sha1:bfa4cccd46c3f2c38cb48db27b381035e003a3b8 The http://www.us.tcpdump.org mirror will go offline soon, only use the normal download URL. Reported-by: Denis Ovsienko <denis@ovsienko.info> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 18bdfc803bef00fad03f90b73b6e65c3c79cb397) Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> [rebased for OpenWrt 21.02 branch] (cherry picked from commit 4dddb7ca3669e93d4da2b1ca43b8bc22bd007e48) 2022-01-16T17:52:58Z Eneas U de Queiroz 2022-01-10T19:37:47Z urn:sha1:b50eb70e01c6fa4a77b5493ed4478c18e8bd2744 This is a bugfix release. Changelog: *) Avoid loading of a dynamic engine twice. *) Fixed building on Debian with kfreebsd kernels *) Prioritise DANE TLSA issuer certs over peer certs *) Fixed random API for MacOS prior to 10.12 Patches were refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 5beaa75d94c4a981c580905b84c7ef33caf0c3e2) 2021-08-30T15:15:37Z Eneas U de Queiroz 2021-08-26T17:38:07Z urn:sha1:fdea0036a210427477b6cc1de7cee036e18aff39 This version fixes two vulnerabilities: - SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High - Read buffer overruns processing ASN.1 strings (CVE-2021-3712) Severity: Medium Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> 2021-08-30T15:15:37Z Eneas U de Queiroz 2021-08-26T17:38:06Z urn:sha1:40c03b101cf40af4a6f6e1efb4731edabfe88ea9 This sets the --cross-compile-prefix option when running Configure, so that that it will not use the host gcc to figure out, among other things, compiler defines. It avoids errors, if the host 'gcc' is handled by clang: mips-openwrt-linux-musl-gcc: error: unrecognized command-line option '-Qunused-arguments' Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> Tested-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit 2f75348923e564f1b73fbc32f7cabc355cd6e2b9) 2021-03-27T06:44:43Z Eneas U de Queiroz 2021-03-26T17:46:29Z urn:sha1:81266d900104d657275aa5df3fb7629f7892c57a This version fixes 2 security vulnerabilities, among other changes: - CVE-2021-3450: problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag. - CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 0bd0de7d43b3846ad0d7006294e1daaadfa7b532) 2021-03-27T06:42:14Z Petr Štetiar 2021-03-27T06:42:14Z urn:sha1:6165bb0d6009283ffd8f330622b2155ee29c9c0b Apparently it fixes some broken URLs and as a bonus it makes cherry-picking of fixes easier. Signed-off-by: Petr Štetiar <ynezz@true.cz> 2021-03-27T06:35:25Z Magnus Kroken 2021-03-14T18:42:33Z urn:sha1:c336db7a78261d354ab2f2e5a3f79389ba13cb9f This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues. Security fixes: * Fix a buffer overflow in mbedtls_mpi_sub_abs() * Fix an errorneous estimation for an internal buffer in mbedtls_pk_write_key_pem() * Fix a stack buffer overflow with mbedtls_net_poll() and mbedtls_net_recv_timeout() * Guard against strong local side channel attack against base64 tables by making access aceess to them use constant flow code Full release announcement: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10 Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit dbde2bcf60b5d5f54501a4b440f25fe7d02fbe5d) 2021-03-06T14:48:43Z Eneas U de Queiroz 2021-02-21T21:33:30Z urn:sha1:c64742a96ea2f673cae1f33222368a11696b6a3d Biggest fix for this version is CVE-2021-3336, which has already been applied here. There are a couple of low severity security bug fixes as well. Three patches are no longer needed, and were removed; the one remaining was refreshed. This tool shows no ABI changes: https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0 Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit d1dfb577f1c0d5b1f1fa35000c9ad7abdb7d10ed)