Commit Graph

1203 Commits

Author SHA1 Message Date
Chen Minqiang
fcde517d35 wolfssl: fix build with make < 4.2
Inline the preinst.arm-ce script. Support for including was added in
make 4.2 and is not working with older make versions.

Fixes: https://github.com/openwrt/openwrt/issues/11866
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
2023-02-03 12:18:19 +01:00
Glenn Strauss
2a691fc7f2 mbedtls: x509 crt verify SAN iPAddress
backport from
X509 crt verify SAN iPAddress
https://github.com/Mbed-TLS/mbedtls/pull/6475

addresses
curl built with mbedtls fails on https://1.1.1.1/ (IP address in SubjectAltName)
https://github.com/Mbed-TLS/mbedtls/issues/6473

filed for
mbedTLS: BADCERT_CN_MISMATCH on https://1.1.1.1 with curl+mbedtls
https://github.com/openwrt/packages/issues/19677

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2023-02-03 11:27:58 +01:00
ValdikSS ValdikSS
2fc170cc21 openssl: fix VIA Padlock AES-192 and 256 encryption
Byte swapping code incorrectly uses the number of AES rounds to swap expanded
AES key, while swapping only a single dword in a loop, resulting in swapped
key and partially swapped expanded keys, breaking AES encryption and
decryption on VIA Padlock hardware.

This commit correctly sets the number of swapping loops to be done.

Upstream: 2bcf8e69bd

Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: ValdikSS ValdikSS <iam@valdikss.org.ru>
2023-01-22 01:33:33 +01:00
David Bauer
00f1463df7 mbedtls: move source modification to patch
Patch the mbedtls source instead of modifying the compile-targets
in the prepare buildstep within OpenWrt.

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-01-18 23:36:22 +01:00
Nick Hainke
e846606900 libpcap: update to 1.10.3
Changelog:
https://git.tcpdump.org/libpcap/blob/95691ebe7564afa3faa5c6ba0dbd17e351be455a:/CHANGES

Refresh patch:
- 300-Add-support-for-B.A.T.M.A.N.-Advanced.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-01-17 23:16:02 +01:00
Nick Hainke
d649c32989 libtracefs: update to 1.6.4
Update to latest release.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-01-13 22:02:20 +01:00
Nick Hainke
d1bdf5a9d9 libtraceevent: update to 1.7.1
Update to latest release.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-01-13 22:02:20 +01:00
Hauke Mehrtens
2748c45d46 elfutils: Ignore wrong use-after-free error
GCC 12.2.0 shows this false positive error message:
````
In function 'bigger_buffer',
    inlined from '__libdw_gunzip' at gzip.c:374:12:
gzip.c:96:9: error: pointer may be used after 'realloc' [-Werror=use-after-free]
   96 |     b = realloc (state->buffer, more -= 1024);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gzip.c:94:13: note: call to 'realloc' here
   94 |   char *b = realloc (state->buffer, more);
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
````

GCC bug report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104069

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-01-09 00:10:52 +01:00
Nick Hainke
acbae4f234 libpcap: update to 1.20.2
A huge rewrite in libpcap was introduced by dc14a7babca1 ("rpcap: have
the server tell the client its byte order.") [0]. The patch
"201-space_optimization.patch" does not apply at all anymore. So remove
it.

Refresh:
- 100-no-openssl.patch
- 102-skip-manpages.patch

Update the "300-Add-support-for-B.A.T.M.A.N.-Advanced.patch" with latest
PR [1].

old ipkg size:
90964 bin/packages/mips_24kc/base/libpcap1_1.10.1-5_mips_24kc.ipk

new ipkg size:
93340 bin/packages/mips_24kc/base/libpcap1_1.10.2-1_mips_24kc.ipk

[0] - dc14a7babc
[1] - https://github.com/the-tcpdump-group/libpcap/pull/980

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-01-06 16:20:06 +01:00
Linhui Liu
87b9825521 ncurses: update to 6.4
Update to the latest released version.

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-01-05 00:11:53 +01:00
Hauke Mehrtens
ee47a28cec treewide: Trigger reinstall of all wolfssl dependencies
The ABI of the wolfssl library changed a bit between version 5.5.3 and
5.5.4. This release update will trigger a rebuild of all packages which
are using wolfssl to make sure they are adapted to the new ABI.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-01-01 21:06:54 +01:00
Nick Hainke
04634b2d82 wolfssl: update to 5.5.4-stable
Remove upstreamed:
- 001-Fix-enable-devcrypto-build-error.patch

Refresh patch:
- 100-disable-hardening-check.patch

Release notes:
https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.4-stable

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-01-01 21:05:31 +01:00
Hauke Mehrtens
af3c9b74e1 mbedtls: update to version 2.28.2
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.

Fixes the following CVEs:
* CVE-2022-46393: Fix potential heap buffer overread and overwrite in
DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.

* CVE-2022-46392: An adversary with access to precise enough information
about memory accesses (typically, an untrusted operating system
attacking a secure enclave) could recover an RSA private key after
observing the victim performing a single private-key operation if the
window size used for the exponentiation was 3 or smaller.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-12-31 03:19:58 +01:00
Xuefer H
ab31547df0 libbsd: fix libpath to not use host path
libpath.so uses host path in ld script causing other packages fail to
cross compile, e.g. perl:
"ld: cannot find /usr/lib/libbsd.so.0.11.6: No such file or directory"

Fixes: openwrt/packages#19390

Signed-off-by: Xuefer H <xuefer@gmail.com>
2022-12-26 13:36:41 +01:00
Nick Hainke
b5d317f47e libtracefs: update to 1.6.3
Update to latest release.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-12-17 20:24:46 +01:00
Nick Hainke
b01f2d9f38 libtraceevent: update to 1.7.0
Update to latest release.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-12-17 20:24:46 +01:00
Linus Lüssing
26d10bad7c libpcap: add support for B.A.T.M.A.N. Advanced
This adds support for the layer 2 mesh routing protocol
B.A.T.M.A.N. Advanced. "batadv" can be used to filter on batman-adv
packets. It also allows later filters to look at frames inside the
tunnel when both "version" and "type" are specified.

Documentation for the batman-adv protocol can be found at the following
locations:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/batman-adv.rst
https://www.open-mesh.org/

--

This is a backport of the following upstream pull request:

https://github.com/the-tcpdump-group/libpcap/pull/980
-> "Add support for B.A.T.M.A.N. Advanced #980"

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
2022-12-14 01:06:26 +01:00
Chukun Pan
171691500e wolfssl: fix build with /dev/crypto
Backport upstream patch to fix build error when
/dev/crypto enabled.

dc9f46a3be

Fixes: #10944
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2022-12-11 03:30:14 +01:00
Nick Hainke
b76bcdb210 libtracefs: update to 1.6.2
378a9dd libtracefs: version 1.6.2
e6daa60 libtracefs: Add unit test to test mounting of tracefs_{tracing,debug}_dir()
32acbbf libtracefs: Have tracefs_{tracing,debug}_dir() mount {tracefs,debugfs} if not mounted

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-12-11 02:45:28 +01:00
Hauke Mehrtens
69f0c29b8b ustream-ssl: update to Git version 2022-12-07
9217ab4 ustream-openssl: Disable renegotiation in TLSv1.2 and earlier
2ce1d48 ci: fix building with i.MX6 SDK
584f1f6 ustream-openssl: wolfSSL: provide detailed information in debug builds
aa8c48e cmake: add a possibility to set library version

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-12-08 01:17:26 +01:00
Tony Butler
3d205eb216 wolfssl: fix Config.in typo
Fix simple typo `/crytpo/crypto/` in a description string

Signed-off-by: Tony Butler <spudz76@gmail.com>
2022-11-27 12:58:33 +01:00
Nick Hainke
745f1ca976 wolfssl: update to v5.5.3
Remove "200-ecc-rng.patch" because it was upstramed by:
e2566bab21
Refreshed "100-disable-hardening-check.patch".

Fixes CVE 2022-42905.

Release Notes:
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.2-stable
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.3-stable

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-27 12:58:33 +01:00
Nick Hainke
8db2db9890 libtracefs: update to 1.6.1
Update to latest version.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-18 20:27:52 +01:00
Glenn Strauss
0d43c22d47 libmbedtls: use defaults if no build opts selected
use defaults if no build opts selected
(allows build with defaults when mbedtls not selected and configured)

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-11-16 12:27:18 +02:00
Glenn Strauss
1064252259 libmbedtls: disable older RSA ciphers
disable older RSA ciphers

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-11-13 21:51:22 +01:00
Glenn Strauss
aeeb12eb83 libmbedtls: enable crypto algorithms for hostap
enable additional crypto algorithms for hostap

hostap uses local implementations if not provided by crypto library,
so might as well enable in the crypto library for shared use by others.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-11-13 21:51:22 +01:00
Glenn Strauss
602a76ed65 libmbedtls: build option submenu
menuconfig libmbedtls build option submenu

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-11-13 21:51:22 +01:00
Nick Hainke
de79a0a9e0 zlib: update to 1.2.13
Remove "001-neon-implementation-of-adler32.patch" because upstreamed
deleted assembler code optimizations:
d0704a8201

Remove upstreamed patches:
- 006-fix-CVE-2022-37434.patch
- 007-fix-null-dereference-in-fix-CVE-2022-37434.patch

Refresh patches:
- 002-arm-specific-optimisations-for-inflate.patch
- 003-arm-specific-optimisations-for-inflate.patch
- 004-attach-sourcefiles-in-patch-002-to-buildsystem.patch

Switch to "https github.com" for downloading source files.

Release Announcements:
https://github.com/madler/zlib/releases/tag/v1.2.13

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-13 20:47:57 +01:00
Nick Hainke
6830fb37cb libnftnl: update to 1.2.4
Release Announcement:
https://lore.kernel.org/netfilter-devel/Y20W+LT%2F+sq%2Fi2rz@salvia/T/#u

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-12 13:15:16 +01:00
John Audia
a0814f04ed openssl: bump to 1.1.1s
Changes between 1.1.1r and 1.1.1s [1 Nov 2022]

  *) Fixed a regression introduced in 1.1.1r version not refreshing the
     certificate data to be signed before signing the certificate.
     [Gibeom Gwon]

 Changes between 1.1.1q and 1.1.1r [11 Oct 2022]

  *) Fixed the linux-mips64 Configure target which was missing the
     SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
     platform.
     [Adam Joseph]

  *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was
     causing incorrect results in some cases as a result.
     [Paul Dale]

  *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
     report correct results in some cases
     [Matt Caswell]

  *) Fixed a regression introduced in 1.1.1o for re-signing certificates with
     different key sizes
     [Todd Short]

  *) Added the loongarch64 target
     [Shi Pujin]

  *) Fixed a DRBG seed propagation thread safety issue
     [Bernd Edlinger]

  *) Fixed a memory leak in tls13_generate_secret
     [Bernd Edlinger]

  *) Fixed reported performance degradation on aarch64. Restored the
     implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
     32-bit lane assignment in CTR mode") for 64bit targets only, since it is
     reportedly 2-17% slower and the silicon errata only affects 32bit targets.
     The new algorithm is still used for 32 bit targets.
     [Bernd Edlinger]

  *) Added a missing header for memcmp that caused compilation failure on some
     platforms
     [Gregor Jasny]

Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B

Signed-off-by: John Audia <therealgraysky@proton.me>
2022-11-05 14:07:46 +00:00
Nick Hainke
bef3699ad5 elfutils: update to 1.88
Release Notes:
https://sourceware.org/pipermail/elfutils-devel/2022q4/005561.html

Refresh patches:
- 003-libintl-compatibility.patch
- 100-musl-compat.patch
- 101-no-fts.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-05 14:07:46 +00:00
Hauke Mehrtens
5b7c99bc4c libnl-tiny: update to the latest version
db3b2cd libnl-tiny: set SOCK_CLOEXEC if available

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-11-01 18:04:39 +01:00
Nick Hainke
96aa052c40 readline: update to 8.2
Release Announcement:
https://lists.gnu.org/archive/html/info-gnu/2022-09/msg00013.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-23 18:16:22 +02:00
Nick Hainke
b6d850317b gettext-full: update to 0.21.1
Release Announcement:
https://lists.gnu.org/archive/html/info-gnu/2020-07/msg00009.html

Further, refresh 001-autotools.patch and manually refresh 010-m4.patch.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-22 21:10:34 +02:00
Nick Hainke
8ad82d31a0 libbsd: update to 0.11.7
Changes:
084911c Release libbsd 0.11.7
3538d38 man: Discourage using the library in non-overlay mode
03fccd1 include: Adjust reallocarray() per glibc adoption
6b6e686 include: Adjust arc4random() per glibc adoption
da1f45a include: explicit_bzero() requires _DEFAULT_SOURCE
2f9eddc include: Simplify glibc version dependent macro handling
28298ac doc: Switch references from pkg-config to pkgconf
ef981f9 doc: Add missing empty line to separate README sections
6928d78 doc: Refer to the main git repository as primary
d586575 test: Fix explicit_bzero() test on the Hurd
be327c6 fgetwln: Add comment about lack of getwline(3) for recommendation
a14612d setmode: Dot not use saveset after free
f4baceb man: Rewrite gerprogname(3bsd) from scratch
f35c545 man: Lowercase man page title
b466b14 man: Document that some arc4random(3) functions are now in glibc 2.36
1f6a48b Sync arc4random(3) implementation from OpenBSD
873639e Fix ELF support for big endian SH
c9c78fd man: Use -compact also for alternative functions in libbsd(7)
5f21307 getentropy: Fix function cast for getauxval()

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-22 21:10:34 +02:00
Petr Štetiar
3826e72b8e ncurses: add package CPE ID
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.

Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-10-19 21:40:23 +02:00
Petr Štetiar
efb4324c36 libnftnl: add package CPE ID
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.

Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-10-19 21:40:23 +02:00
Felix Fietkau
0a4a0c7193 libubox: update to the latest version
ea56013409d5 jshn.sh: add json_add_fields function for adding multiple fields at once

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:12:23 +02:00
Chukun Pan
ffd29a55c3 libnl-tiny: update to the latest version
c42d890 build static library
28c44ca genl_family: explicitly null terminate
                     strncpy destination buffer

This fixes the compilation with gcc 12.

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2022-10-09 22:52:48 +02:00
Daniel Cousens
3bd04767ba
build: prefer HTTPS if available (for packages)
Changes PKG_SOURCE_URL's for arptables, bsdiff, dnsmasq,
fortify-headers, ipset, ipset-dns, libaudit, libpcap, libressl,
lua, lua5.3, tcpdump and valgrind, to HTTPS

Signed-off-by: Daniel Cousens <github@dcousens.com>
2022-10-05 17:37:07 +02:00
Petr Štetiar
f1b7e1434f treewide: fix security issues by bumping all packages using libwolfssl
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.

So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-10-03 17:52:06 +02:00
Nick Hainke
4f70380ff1 libtracefs: update to 1.5.0
Changes:
93f4d52 libtracefs: version 1.5
bc857db libtracefs: Add tracefs_u{ret}probe_alloc to generic man page
db55441 libtracefs: Add tracefs_debug_dir() to generic libtracefs man page
d2d5924 libtracefs: Add test instructions for openSUSE
4a7b475 libtracefs: Fix test suite typo
ee8c644 libtracefs: Add tracefs_tracer_available() helper
799d88e libtracefs: Add API to set custom tracing directory
1bb00d1 libtracefs: allow pthread inclusion overrideable in Makefile
04651d0 libtracefs sqlhist: Allow pointers to match longs
9de59a0 libtracefs: Remove double free attempt of new_event in tracefs_synth_echo_cmd()
0aaa86a libtracefs: Fix use after free in tracefs_synth_alloc()
d2d5340 libtracefs: Add missed_events to record
9aaa8b0 libtracefs: Set the number of CPUs in tracefs_local_events_system()
56a0ba0 libtracefs: Return negative number when tracefs_filter_string_append() fails
c5f849f libtracefs: Set the long size of the tep handle in tracefs_local_events_system()
5c8103e revert: 0de961e74f96 ("libtracefs: Set visibility of parser symbols as 'internal'")

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
cef2ec62ab libtraceevent: update to 1.6.3
Changes:
fda4ad9 libtraceevent: version 1.6.3
d02a61e libtraceevent: Add man pages for tep_plugin_kvm_get/put_func()
6643bf9 libtraceevent: Have kvm_exit/enter be able to show guest function
a596299 libtraceevent: Add tep_print_field() to check-manpages.sh deprecated
065c9cd libtraceevent: Add man page documentation of tep_get_sub_buffer_size()
6e18ecc libtraceevent: Add man page for tep_plugin_add_option()
6738713 libtraceevent: Add some missing functions to generic libtraceevent man page
deefe29 libtraceevent: Include meta data functions in libtraceevent man pages
cf6dd2d libtraceevent: Add tep_get_function_count() to libtraceevent man page
5bfc11e libtraceevent: Add printk documentation to libtraceevent man page
65c767b libtraceevent: Update man page to reflect tep_is_pid_registered() rename
7cd173f libtraceevent: Add check-manpages.sh
fd6efc9 libtraceevent: Documentation: Correct typo in example
5c375b0 libtraceevent: Fixing linking to C++ code
7839fc2 libtraceevent: Makefile - set LIBS as conditional assignment
c5493e7 libtraceevent: Remove double assignment of val in eval_num_arg()
efd3289 libtraceevent: Add warnings if fields are outside the event

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
d327466149 popt: update to 1.19
Add patch to fix compilation:
- 100-configure.ac-remove-require-gettext-version.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
04119d7cce libcap: update to 2.66
4f96e67 Up the release version to 2.66
60ff008 Fix typos in the cap_from_text.3 man page.
281b6e4 Add captrace to .gitignore file
09a2c1d Add an example of using BPF kprobing to trace capability use.
26e3a09 Clean up getpcaps code.
fc804ac getpcaps: catch PID parsing errors.
fc437fd Fix an issue with bash displaying an error.
7db9589 Some more simplifications for building
27e801b Fix for "make clean ; make -j48 test"

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Petr Štetiar
ec8fb542ec wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.

This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.

Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.

Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

Fixes: CVE-2022-39173
Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Tested-by: Kien Truong <duckientruong@gmail.com>
Reported-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:53:56 +02:00
Petr Štetiar
a0cd133fde Revert "wolfssl: fix TLSv1.3 RCE in uhttpd by using latest 5.5.1-stable release"
This reverts commit a596a8396b as I've
just discovered private email, that the issue has CVE-2022-39173
assigned so I'm going to reword the commit and push it again.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:53:12 +02:00
Petr Štetiar
8ad9a72cbe wolfssl: refresh patches
So they're tidy and apply cleanly.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:36:19 +02:00
Petr Štetiar
a596a8396b wolfssl: fix TLSv1.3 RCE in uhttpd by using latest 5.5.1-stable release
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.

This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.

Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.

Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:36:19 +02:00
Kevin Darbyshire-Bryant
dafa663012 sysfsutils: Define START early in file
The luci ucode rewrite exposed the definition of START as being over 1K
from start of file.  Initial versions limited the search for START &
STOP to within the 1st 1K of a file.  Whilst the search has been
expanded, it doesn't do any harm to define START early in the file like
all other init scripts seen so far.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-09-26 17:58:32 +01:00