OpenWrt v21.02.7 Changelog

This changelog lists all commits done in OpenWrt since the v21.02.6 tag, grouped by subsystem. The changes are chronologically ordered from top to bottom and cover the Git repository history until the tagging of the 21.02.7 release.

See also the release notes that provide a more accessible overview of the main changes in 21.02.6.

Kernel (1 change)

34d2883 kernel: backport fix for recently introduced UBI bug (+71,-2)

Packages / Common (1 change)

f8282da openssl: fix CVE-2023-464 and CVE-2023-465 (+263,-1)

Packages / OpenWrt network userland (1 change)

e63b844 uclient: update to Git version 2023-04-13 (+3,-3)
dc54d2b tests: add certificate check against letsencrypt.org (+4)
644d3c7 ci: improve wolfSSL test coverage (+53,-7)
007d945 uclient: cancel state change timeout in uclient_disconnect() (+1)

Addressed bugs

#12232

Description: snapshot builds do not install correctly - Mar 2023 builds
Link: https://github.com/openwrt/openwrt/issues/12232
Commits:
34d2883 kernel: backport fix for recently introduced UBI bug (+71,-2)

Security fixes

CVE-2023-0464

Description: A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464
Commits:
f8282da openssl: fix CVE-2023-464 and CVE-2023-465 (+263,-1)

CVE-2023-0465

Description: Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0465
Commits:
f8282da openssl: fix CVE-2023-464 and CVE-2023-465 (+263,-1)