openwrt/package/libs
Eneas U de Queiroz b6cbab1ad7
openssl: fix CVE-2023-464 and CVE-2023-465
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:

- Excessive Resource Usage Verifying X.509 Policy Constraints
  (CVE-2023-0464)
  Severity: Low
  A security vulnerability has been identified in all supported versions
  of OpenSSL related to the verification of X.509 certificate chains
  that include policy constraints.  Attackers may be able to exploit
  this vulnerability by creating a malicious certificate chain that
  triggers exponential use of computational resources, leading to a
  denial-of-service (DoS) attack on affected systems.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

- Invalid certificate policies in leaf certificates are silently ignored
  (CVE-2023-0465)
  Severity: Low
  Applications that use a non-default option when verifying certificates
  may be vulnerable to an attack from a malicious CA to circumvent
  certain checks.
  Invalid certificate policies in leaf certificates are silently ignored
  by OpenSSL and other certificate policy checks are skipped for that
  certificate.  A malicious CA could use this to deliberately assert
  invalid certificate policies in order to circumvent policy checking on
  the certificate altogether.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466.  It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.

Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-17 12:05:29 -03:00
..
argp-standalone argp-standalone: fix compilation with Alpine Linux 2022-03-16 17:58:24 +01:00
elfutils elfutils: Add missing musl-fts dependency 2022-01-07 20:50:50 -08:00
gettext-full gettext-full: add gmsgfmt symlink in host install 2022-04-05 00:20:24 +02:00
gmp gmp: update to 6.2.1 2021-02-14 19:38:15 +01:00
jansson jansson: Activate link time optimization (LTO) 2020-09-06 20:30:18 +02:00
libaudit libaudit: add host-build required by policycoreutils/host 2020-09-01 14:24:07 +01:00
libbsd libbsd: update to 0.10.0 2020-02-22 16:34:57 +01:00
libcap libcap: Update to version 2.63 2022-02-01 21:25:02 +01:00
libevent2 libevent2: update to 2.1.12 2021-02-14 19:38:15 +01:00
libiconv package: replace $(STAGING_DIR)/host with $(STAGING_DIR_HOSTPKG) 2017-01-10 22:15:37 +01:00
libiconv-full libiconv-full: Makefile polishing 2020-11-26 13:09:32 -10:00
libjson-c libjson-c: don't build shared host libraries 2021-11-20 21:08:24 +01:00
libmnl libmnl: fix build when bash is not located at /bin/bash 2022-08-05 15:24:57 +02:00
libnetfilter-conntrack libnetfilter-conntrack: backport patch fixing compilation with 5.15 2022-03-05 21:05:45 +01:00
libnfnetlink libnfnetlink: update to 1.0.2 2022-04-10 16:26:01 +01:00
libnftnl libnftnl: add package CPE ID 2022-10-23 14:21:03 +02:00
libnl libnl: update to 3.5.0 2019-11-01 21:19:40 +01:00
libnl-tiny libnl-tiny: update to the latest version 2021-12-14 22:59:10 +01:00
libpcap libpcap: fix PKG_CONFIG_DEPENDS for rpcapd 2022-07-20 18:12:52 +02:00
libselinux libselinux: add missing host-build dependency on libsepol/host 2022-04-10 16:26:01 +01:00
libsemanage libsemanage: update to version 3.3 2021-10-28 22:15:02 +01:00
libsepol libsepol: update to version 3.3 2021-10-31 13:01:24 +00:00
libtool treewide: revise library packaging 2019-01-24 10:39:30 +01:00
libubox libubox: update to the latest version 2022-06-07 21:36:58 +02:00
libunwind libunwind: add ppc64 support 2021-12-21 21:37:05 +02:00
libusb libusb: fix missing link 2022-06-25 00:05:21 +02:00
mbedtls mbedtls: move source modification to patch 2023-01-18 23:39:11 +01:00
musl-fts musl-fts: add host build 2022-04-11 23:17:55 +02:00
ncurses ncurses: add package CPE ID 2022-10-23 14:21:03 +02:00
nettle nettle: disable assembler on ppc64 2021-12-21 21:36:55 +02:00
openssl openssl: fix CVE-2023-464 and CVE-2023-465 2023-04-17 12:05:29 -03:00
pcre pcre: disable shared libraries for host builds 2022-04-05 00:20:24 +02:00
popt popt: Use modern toolchain logic 2019-02-26 23:20:04 +01:00
readline readline: add host PIC 2022-04-17 21:47:11 +02:00
sysfsutils treewide: revise library packaging 2019-01-24 10:39:30 +01:00
toolchain toolchain: reproducible libstdcpp 2022-04-06 13:59:44 +01:00
uclient uclient: update to Git version 2023-04-13 2023-04-13 20:54:06 +02:00
ustream-ssl treewide: Trigger reinstall of all wolfssl dependencies 2023-01-01 21:42:41 +01:00
wolfssl wolfssl: update to 5.5.4-stable 2023-01-01 21:42:39 +01:00
zlib zlib: backport null dereference fix 2022-08-09 08:12:46 +02:00