openwrt/package/libs
John Audia 3167f7c9fa
openssl: bump to 1.1.1t
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

  *) Fixed X.400 address type confusion in X.509 GeneralName.

     There is a type confusion vulnerability relating to X.400 address processing
     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
     vulnerability may allow an attacker who can provide a certificate chain and
     CRL (neither of which need have a valid signature) to pass arbitrary
     pointers to a memcmp call, creating a possible read primitive, subject to
     some constraints. Refer to the advisory for more information. Thanks to
     David Benjamin for discovering this issue. (CVE-2023-0286)

     This issue has been fixed by changing the public header file definition of
     GENERAL_NAME so that x400Address reflects the implementation. It was not
     possible for any existing application to successfully use the existing
     definition; however, if any application references the x400Address field
     (e.g. in dead code), note that the type of this field has changed. There is
     no ABI change.
     [Hugo Landau]

  *) Fixed Use-after-free following BIO_new_NDEF.

     The public API function BIO_new_NDEF is a helper function used for
     streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
     to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
     be called directly by end user applications.

     The function receives a BIO from the caller, prepends a new BIO_f_asn1
     filter BIO onto the front of it to form a BIO chain, and then returns
     the new head of the BIO chain to the caller. Under certain conditions,
     for example if a CMS recipient public key is invalid, the new filter BIO
     is freed and the function returns a NULL result indicating a failure.
     However, in this case, the BIO chain is not properly cleaned up and the
     BIO passed by the caller still retains internal pointers to the previously
     freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
     then a use-after-free will occur. This will most likely result in a crash.
     (CVE-2023-0215)
     [Viktor Dukhovni, Matt Caswell]

  *) Fixed Double free after calling PEM_read_bio_ex.

     The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
     decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
     data. If the function succeeds then the "name_out", "header" and "data"
     arguments are populated with pointers to buffers containing the relevant
     decoded data. The caller is responsible for freeing those buffers. It is
     possible to construct a PEM file that results in 0 bytes of payload data.
     In this case PEM_read_bio_ex() will return a failure code but will populate
     the header argument with a pointer to a buffer that has already been freed.
     If the caller also frees this buffer then a double free will occur. This
     will most likely lead to a crash.

     The functions PEM_read_bio() and PEM_read() are simple wrappers around
     PEM_read_bio_ex() and therefore these functions are also directly affected.

     These functions are also called indirectly by a number of other OpenSSL
     functions including PEM_X509_INFO_read_bio_ex() and
     SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
     internal uses of these functions are not vulnerable because the caller does
     not free the header argument if PEM_read_bio_ex() returns a failure code.
     (CVE-2022-4450)
     [Kurt Roeckx, Matt Caswell]

  *) Fixed Timing Oracle in RSA Decryption.

     A timing based side channel exists in the OpenSSL RSA Decryption
     implementation which could be sufficient to recover a plaintext across
     a network in a Bleichenbacher style attack. To achieve a successful
     decryption an attacker would have to be able to send a very large number
     of trial messages for decryption. The vulnerability affects all RSA padding
     modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
     (CVE-2022-4304)
     [Dmitry Belyavsky, Hubert Kario]

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 4ae86b3358)

The original commit removed the upstreamed patch 010-padlock.patch, but
it's not on OpenWrt 22.03, so it doesn't have to be removed.

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
2023-02-14 17:08:23 +01:00
..
argp-standalone argp-standalone: fix compilation with Alpine Linux 2022-03-16 17:58:24 +01:00
elfutils elfutils: Add missing musl-fts dependency 2022-01-07 20:50:50 -08:00
gettext-full gettext-full: add gmsgfmt symlink in host install 2022-04-05 00:20:24 +02:00
gmp gmp: update to 6.2.1 2021-02-14 19:38:15 +01:00
jansson jansson: Activate link time optimization (LTO) 2020-09-06 20:30:18 +02:00
libaudit libaudit: add host-build required by policycoreutils/host 2020-09-01 14:24:07 +01:00
libbsd libbsd: update to 0.10.0 2020-02-22 16:34:57 +01:00
libcap libcap: Update to version 2.63 2022-02-01 21:25:02 +01:00
libevent2 libevent2: update to 2.1.12 2021-02-14 19:38:15 +01:00
libiconv package: replace $(STAGING_DIR)/host with $(STAGING_DIR_HOSTPKG) 2017-01-10 22:15:37 +01:00
libiconv-full libiconv-full: Makefile polishing 2020-11-26 13:09:32 -10:00
libjson-c libjson-c: don't build shared host libraries 2021-11-20 21:08:24 +01:00
libmnl libmnl: fix build when bash is not located at /bin/bash 2022-08-05 15:24:57 +02:00
libnetfilter-conntrack libnetfilter-conntrack: backport patch fixing compilation with 5.15 2022-03-05 21:05:45 +01:00
libnfnetlink libnfnetlink: update to 1.0.2 2022-04-10 16:26:01 +01:00
libnftnl libnftnl: add package CPE ID 2022-10-23 14:21:03 +02:00
libnl libnl: update to 3.5.0 2019-11-01 21:19:40 +01:00
libnl-tiny libnl-tiny: update to the latest version 2021-12-14 22:59:10 +01:00
libpcap libpcap: fix PKG_CONFIG_DEPENDS for rpcapd 2022-07-20 18:12:52 +02:00
libselinux libselinux: add missing host-build dependency on libsepol/host 2022-04-10 16:26:01 +01:00
libsemanage libsemanage: update to version 3.3 2021-10-28 22:15:02 +01:00
libsepol libsepol: update to version 3.3 2021-10-31 13:01:24 +00:00
libtool treewide: revise library packaging 2019-01-24 10:39:30 +01:00
libubox libubox: update to the latest version 2022-06-07 21:36:58 +02:00
libunwind libunwind: add ppc64 support 2021-12-21 21:37:05 +02:00
libusb libusb: fix missing link 2022-06-25 00:05:21 +02:00
mbedtls mbedtls: move source modification to patch 2023-01-18 23:39:11 +01:00
musl-fts musl-fts: add host build 2022-04-11 23:17:55 +02:00
ncurses ncurses: add package CPE ID 2022-10-23 14:21:03 +02:00
nettle nettle: disable assembler on ppc64 2021-12-21 21:36:55 +02:00
openssl openssl: bump to 1.1.1t 2023-02-14 17:08:23 +01:00
pcre pcre: disable shared libraries for host builds 2022-04-05 00:20:24 +02:00
popt popt: Use modern toolchain logic 2019-02-26 23:20:04 +01:00
readline readline: add host PIC 2022-04-17 21:47:11 +02:00
sysfsutils treewide: revise library packaging 2019-01-24 10:39:30 +01:00
toolchain toolchain: reproducible libstdcpp 2022-04-06 13:59:44 +01:00
uclient uclient: update to Git version 2021-05-14 2021-05-14 23:40:42 +02:00
ustream-ssl treewide: Trigger reinstall of all wolfssl dependencies 2023-01-01 21:42:41 +01:00
wolfssl wolfssl: update to 5.5.4-stable 2023-01-01 21:42:39 +01:00
zlib zlib: backport null dereference fix 2022-08-09 08:12:46 +02:00