[openwrt/openwrt] wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)

LEDE Commits lede-commits at lists.infradead.org
Wed Oct 5 12:11:59 PDT 2022 

ynezz pushed a commit to openwrt/openwrt.git, branch openwrt-21.02:
https://git.openwrt.org/914d91274162ba7e125fcfc781b1128b7c42a856

commit 914d91274162ba7e125fcfc781b1128b7c42a856
Author: Petr Štetiar <ynezz at true.cz>
AuthorDate: Wed Sep 28 11:28:06 2022 +0200

    wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)
    
    Fixes denial of service attack and buffer overflow against TLS 1.3
    servers using session ticket resumption. When built with
    --enable-session-ticket and making use of TLS 1.3 server code in
    wolfSSL, there is the possibility of a malicious client to craft a
    malformed second ClientHello packet that causes the server to crash.
    
    This issue is limited to when using both --enable-session-ticket and TLS
    1.3 on the server side. Users with TLS 1.3 servers, and having
    --enable-session-ticket, should update to the latest version of wolfSSL.
    
    Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
    for research on tlspuffin.
    
    Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable
    
    Fixes: CVE-2022-39173
    Fixes: https://github.com/openwrt/luci/issues/5962
    References: https://github.com/wolfSSL/wolfssl/issues/5629
    Tested-by: Kien Truong <duckientruong at gmail.com>
    Reported-by: Kien Truong <duckientruong at gmail.com>
    Signed-off-by: Petr Štetiar <ynezz at true.cz>
    (cherry picked from commit ec8fb542ec3e4f584444a97de5ac05dbc2a9cde5)
    (cherry picked from commit ce59843662961049a28033077587cabdc5243b15)
---
 package/libs/wolfssl/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index ce66ec81ea..a1c968b81f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=5.5.0-stable
+PKG_VERSION:=5.5.1-stable
 PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=c34b74b5f689fac7becb05583b044e84d3b10d39f38709f0095dd5d423ded67f
+PKG_HASH:=97339e6956c90e7c881ba5c748dd04f7c30e5dbe0c06da765418c51375a6dee3
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1

More information about the lede-commits mailing list