openwrt/package/libs
Eneas U de Queiroz c3cb2d48da
openssl: fix CVE-2023-464 and CVE-2023-465
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:

- Excessive Resource Usage Verifying X.509 Policy Constraints
  (CVE-2023-0464)
  Severity: Low
  A security vulnerability has been identified in all supported versions
  of OpenSSL related to the verification of X.509 certificate chains
  that include policy constraints.  Attackers may be able to exploit
  this vulnerability by creating a malicious certificate chain that
  triggers exponential use of computational resources, leading to a
  denial-of-service (DoS) attack on affected systems.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

- Invalid certificate policies in leaf certificates are silently ignored
  (CVE-2023-0465)
  Severity: Low
  Applications that use a non-default option when verifying certificates
  may be vulnerable to an attack from a malicious CA to circumvent
  certain checks.
  Invalid certificate policies in leaf certificates are silently ignored
  by OpenSSL and other certificate policy checks are skipped for that
  certificate.  A malicious CA could use this to deliberately assert
  invalid certificate policies in order to circumvent policy checking on
  the certificate altogether.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466.  It is not included here because the fix only changes the
documentation, which is neither built nor included in any OpenWrt package.

Due to the low severity of these issues, there will not be an
immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-07 11:26:26 +02:00
argp-standalone treewide: opt-out of tree-wide LTO usage 2023-03-21 18:28:23 +01:00
elfutils treewide: replace PKG_USE_MIPS16:=0 with PKG_BUILD_FLAGS:=no-mips16 2023-03-21 18:28:22 +01:00
gettext-full gettext-full: update to 0.21.1 2022-10-22 21:10:34 +02:00
gmp treewide: replace PKG_USE_MIPS16:=0 with PKG_BUILD_FLAGS:=no-mips16 2023-03-21 18:28:22 +01:00
jansson treewide: add support for "lto" in PKG_BUILD_FLAGS 2023-03-21 18:28:22 +01:00
libaudit treewide: replace PKG_USE_MIPS16:=0 with PKG_BUILD_FLAGS:=no-mips16 2023-03-21 18:28:22 +01:00
libbsd libbsd: fix libpath to not use host path 2022-12-26 13:36:41 +01:00
libcap libcap: update to 2.67 2023-02-25 00:14:38 +01:00
libevent2 treewide: add support for "lto" in PKG_BUILD_FLAGS 2023-03-21 18:28:22 +01:00
libiconv-full libiconv-full: add host build 2022-07-17 14:21:03 +02:00
libjson-c libjson-c: disable libbsd 2022-07-04 20:37:41 +02:00
libmd libmd: add library providing message digest functions 2022-09-11 01:30:11 +02:00
libmnl libmnl: add PKG_CPE_ID 2022-09-06 16:36:44 +01:00
libnetfilter-conntrack libnetfilter-conntrack: backport patch fixing compilation with 5.15 2022-03-05 21:05:45 +01:00
libnfnetlink libnfnetlink: add PKG_CPE_ID 2022-09-06 16:36:45 +01:00
libnftnl treewide: add support for "lto" in PKG_BUILD_FLAGS 2023-03-21 18:28:22 +01:00
libnl treewide: add support for "gc-sections" in PKG_BUILD_FLAGS 2023-03-21 18:28:22 +01:00
libnl-tiny libnl-tiny: update to the latest version 2023-04-02 02:25:16 +02:00
libpcap libpcap: update to 1.10.3 2023-01-17 23:16:02 +01:00
libselinux libselinux: add PKG_CPE_ID 2022-09-06 16:36:48 +01:00
libsemanage libsemanage: update to version 3.3 2021-10-28 22:15:02 +01:00
libsepol libsepol: add PKG_CPE_ID 2022-09-06 16:36:48 +01:00
libtool libtool: update to 2.4.7 2022-07-10 19:07:47 +02:00
libtraceevent libtraceevent: update to 1.7.2 2023-04-01 22:02:24 +02:00
libtracefs libtracefs: update to 1.6.4 2023-01-13 22:02:20 +01:00
libubox libubox: update to the latest version 2022-10-14 13:12:23 +02:00
libunwind libunwind: update to 1.6.2 2022-09-07 04:22:40 +01:00
libusb packages: libusb: add package 'fxload' (from libusb examples) 2022-09-17 00:44:08 +01:00
mbedtls treewide: opt-out of tree-wide LTO usage 2023-03-21 18:28:23 +01:00
musl-fts musl-fts: remove shared libraries from host 2022-03-27 14:38:13 +02:00
ncurses ncurses: add alacritty terminfo 2023-02-26 01:12:02 +01:00
nettle treewide: replace PKG_USE_MIPS16:=0 with PKG_BUILD_FLAGS:=no-mips16 2023-03-21 18:28:22 +01:00
openssl openssl: fix CVE-2023-464 and CVE-2023-465 2023-04-07 11:26:26 +02:00
pcre pcre: pass -fPIC under host as well 2022-04-16 14:02:11 +02:00
popt popt: update to 1.19 2022-10-02 20:22:54 +02:00
readline readline: update to 8.2 2022-10-23 18:16:22 +02:00
sysfsutils sysfsutils: Define START early in file 2022-09-26 17:58:32 +01:00
toolchain toolchain: reproducible libstdcpp 2022-04-01 12:54:58 +01:00
uclient uclient: update to Git version 2021-05-14 2021-05-14 23:40:42 +02:00
ustream-ssl ustream-ssl: update to Git version 2023-02-25 2023-02-25 18:37:26 +01:00
wolfssl treewide: add support for "lto" in PKG_BUILD_FLAGS 2023-03-21 18:28:22 +01:00
zlib zlib: update to 1.2.13 2022-11-13 20:47:57 +01:00