ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-01-19 03:06:35 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity
This repository is a mirror of https://git.openwrt.org/openwrt/openwrt.git It is for reference only and is not active for check-ins. We will continue to accept Pull Requests here. They will be merged via staging trees then into openwrt.git.
56,972 Commits 9 Branches 77 Tags 901 MiB
C 61.2%
Makefile 19.3%
Shell 6.8%
Roff 6.7%
Perl 2.5%
Other 3.3%
c3cb2d48da
Go to file
Eneas U de Queiroz c3cb2d48da
openssl: fix CVE-2023-464 and CVE-2023-465 
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:

- Excessive Resource Usage Verifying X.509 Policy Constraints
  (CVE-2023-0464)
  Severity: Low
  A security vulnerability has been identified in all supported versions
  of OpenSSL related to the verification of X.509 certificate chains
  that include policy constraints.  Attackers may be able to exploit
  this vulnerability by creating a malicious certificate chain that
  triggers exponential use of computational resources, leading to a
  denial-of-service (DoS) attack on affected systems.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

- Invalid certificate policies in leaf certificates are silently ignored
  (CVE-2023-0465)
  Severity: Low
  Applications that use a non-default option when verifying certificates
  may be vulnerable to an attack from a malicious CA to circumvent
  certain checks.
  Invalid certificate policies in leaf certificates are silently ignored
  by OpenSSL and other certificate policy checks are skipped for that
  certificate.  A malicious CA could use this to deliberately assert
  invalid certificate policies in order to circumvent policy checking on
  the certificate altogether.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466.  It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.

Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-07 11:26:26 +02:00
.github CI: build: disable cache of external toolchain/sdk 2023-03-22 01:07:57 +01:00
config build: add a config knob to enable LTO for all packages 2023-03-21 18:28:24 +01:00
include openssl: add legacy provider 2023-04-05 08:24:49 -03:00
LICENSES LICENSES: include all used licenses in LICENSES directory 2021-02-14 19:21:38 +01:00
package openssl: fix CVE-2023-464 and CVE-2023-465 2023-04-07 11:26:26 +02:00
scripts scripts: size_compare: print a grand total 2023-02-03 21:22:49 +01:00
target realtek: Fix typo for EnGenius EWS2910P 2023-04-07 11:22:37 +02:00
toolchain toolchain/gcc: enable zstd support 2023-03-17 02:08:25 +01:00
tools tools/zstd: update to 1.5.5 2023-04-07 11:18:54 +02:00
.gitattributes add .gitattributes to prevent the git autocrlf option from messing with CRLF/LF in files 2012-05-08 13:30:49 +00:00
.gitignore .gitgnore: add llvm-bpf 2021-11-21 18:18:01 +01:00
BSDmakefile build: use SPDX license tags 2021-02-05 14:54:47 +01:00
Config.in build: scripts/config - update to kconfig-v5.14 2022-02-19 13:10:01 +01:00
COPYING COPYING: add COPYING file to specify project licenses 2021-02-14 19:21:38 +01:00
feeds.conf.default feeds: use git-src-full to allow Git versioning 2022-02-15 00:24:24 +01:00
Makefile treewide: derive host and hostpkg path from STAGING_DIR 2023-01-09 21:33:20 +01:00
README.md README: add download section 2022-10-06 16:08:24 +02:00
rules.mk rules.mk: add FILECMD variable 2023-03-27 00:41:50 +02:00

README.md

OpenWrt logo

OpenWrt Project is a Linux operating system targeting embedded devices. Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application. For developers, OpenWrt is the framework to build an application without having to build a complete firmware around it; for users this means the ability for full customization, to use the device in ways never envisioned.

Sunshine!

Download

Built firmware images are available for many architectures and come with a package selection to be used as WiFi home router. To quickly find a factory image usable to migrate from a vendor stock firmware to OpenWrt, try the Firmware Selector.

If your device is supported, please follow the Info link to see install instructions or consult the support resources listed below.

An advanced user may require additional or specific package. (Toolchain, SDK, ...) For everything else than simple firmware download, try the wiki download page:

Development

To build your own firmware you need a GNU/Linux, BSD or MacOSX system (case sensitive filesystem required). Cygwin is unsupported because of the lack of a case sensitive file system.

Requirements

You need the following tools to compile OpenWrt, the package names vary between distributions. A complete list with distribution specific packages is found in the Build System Setup documentation.

binutils bzip2 diff find flex gawk gcc-6+ getopt grep install libc-dev libz-dev
make4.1+ perl python3.6+ rsync subversion unzip which

Quickstart

  1. Run ./scripts/feeds update -a to obtain all the latest package definitions defined in feeds.conf / feeds.conf.default

  2. Run ./scripts/feeds install -a to install symlinks for all obtained packages into package/feeds/

  3. Run make menuconfig to select your preferred configuration for the toolchain, target system & firmware packages.

  4. Run make to build your firmware. This will download all sources, build the cross-compile toolchain and then cross-compile the GNU/Linux kernel & all chosen applications for your target system.

Related Repositories

The main repository uses multiple sub-repositories to manage packages of different categories. All packages are installed via the OpenWrt package manager called opkg. If you're looking to develop the web interface or port packages to OpenWrt, please find the fitting repository below.

  • LuCI Web Interface: Modern and modular interface to control the device via a web browser.

  • OpenWrt Packages: Community repository of ported packages.

  • OpenWrt Routing: Packages specifically focused on (mesh) routing.

  • OpenWrt Video: Packages specifically focused on display servers and clients (Xorg and Wayland).

Support Information

For a list of supported devices see the OpenWrt Hardware Database

Documentation

Support Community

  • Forum: For usage, projects, discussions and hardware advise.
  • Support Chat: Channel #openwrt on oftc.net.

Developer Community

License

OpenWrt is licensed under GPL-2.0