git.openwrt.org Git - openwrt/staging/stintel.git/commit

author	Hauke Mehrtens <hauke@hauke-m.de>
	Sun, 14 Jul 2024 23:06:38 +0000 (01:06 +0200)
committer	Hauke Mehrtens <hauke@hauke-m.de>
	Mon, 15 Jul 2024 21:57:44 +0000 (23:57 +0200)
commit	3a0232ffd33f2dc894c671d90de6b2766399f4dc
tree	86313da7636f5d242b80cc31fd67693689952685	tree \| snapshot
parent	22258443921c59d25da741266cbac583a7402714	commit \| diff

wolfssl: Update to version 5.7.2

This fixes multiple security problems:
* [Medium] CVE-2024-1544
   Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls.

* [Medium] CVE-2024-5288
   A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations.

* [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS.

* [Low] CVE-2024-5991
   In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked.

* [Medium] CVE-2024-5814
   A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection.

* [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received.

* [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt.

Unset DISABLE_NLS to prevent setting the unsupported configuration
option --disable-nls which breaks the build now.

Link: https://github.com/openwrt/openwrt/pull/15948
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

package/libs/wolfssl/Makefile		diff \| blob \| history
package/libs/wolfssl/patches/100-disable-hardening-check.patch		diff \| blob \| history