mirror of
https://git.openwrt.org/openwrt/openwrt.git
synced 2026-03-14 23:09:45 +01:00
ce59843662
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.
This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.
Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.
Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable
Fixes: CVE-2022-39173
Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Tested-by: Kien Truong <duckientruong@gmail.com>
Reported-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| argp-standalone | ||
| elfutils | ||
| gettext-full | ||
| gmp | ||
| jansson | ||
| libaudit | ||
| libbsd | ||
| libcap | ||
| libevent2 | ||
| libiconv | ||
| libiconv-full | ||
| libjson-c | ||
| libmnl | ||
| libnetfilter-conntrack | ||
| libnfnetlink | ||
| libnftnl | ||
| libnl | ||
| libnl-tiny | ||
| libpcap | ||
| libselinux | ||
| libsemanage | ||
| libsepol | ||
| libtool | ||
| libubox | ||
| libunwind | ||
| libusb | ||
| mbedtls | ||
| musl-fts | ||
| ncurses | ||
| nettle | ||
| openssl | ||
| pcre | ||
| popt | ||
| readline | ||
| sysfsutils | ||
| toolchain | ||
| uclient | ||
| ustream-ssl | ||
| wolfssl | ||
| zlib | ||