Differences
| docs:guide-developer:security [2019/10/22 15:58] – Hardening build options hauke | docs:guide-developer:security [2023/10/13 09:25] – add 23.05 hauke | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Security ====== | ====== Security ====== | ||
| - | |||
| See [[: | See [[: | ||
| Line 6: | Line 5: | ||
| This covers the OpenWrt distribution with the official package feeds hosted at https:// | This covers the OpenWrt distribution with the official package feeds hosted at https:// | ||
| - | ===== Vulnerability | + | ===== Vulnerability |
| Security bugs should be reported in confidentiality to [[contact@openwrt.org]], | Security bugs should be reported in confidentiality to [[contact@openwrt.org]], | ||
| - | ===== Identifying problems | + | ===== Security advisories |
| - | The OpenWrt project uses multiple tools to identify potential security problems. | + | /** Omit the footer because the edit/create date is inaccurate because the page's contents are autogenerated. */ |
| - | The information are normally available for everyone and we appreciate fixes for problems reported by these tools form everyone. | + | {{page> |
| - | ==== uscan ==== | + | This only lists security advisories for components maintained directly by the OpenWrt team. This does not list all fixed security problems in third party components used by OpenWrt which can also affect the security of OpenWrt. We do not list known security problems in the Linux kernel, openssl and other third party components even when they affect use cases relevant for OpenWrt. The OpenWrt team monitors the upstream projects and backports security fixes for components used in the OpenWrt core repository to still supported OpenWrt versions. For example |
| - | This report shows the version number of all packages from the base and the package repository and compares it against the recent upstream released | + | ===== Support status ===== |
| - | In addition the tool which generates this page also checks for existing CVEs assigned to the packages based on the Common Platform Enumeration (CPE) which is listed in the PKG_CPE_ID | + | This lists the currently support or not supported OpenWrt |
| - | This page is weekly regenerated for master and the active release branches. | + | |
| - | [[https:// | + | |
| - | ==== Coverity Scan ==== | + | ^ Version ^ Current status ^ Projected EoL ^ |
| + | | 23.05 | Fully supported | - | | ||
| + | | 22.03 | Security maintenance | EoL (April 2024) | | ||
| + | | 21.02 | End of life | EoL (May 2023) | | ||
| + | | 19.07 | End of life | EoL (April 2022) | | ||
| + | | 18.06 | End of life | EoL | | ||
| + | | 17.01 | End of life | EoL | | ||
| + | | 15.05 | End of life | EoL | | ||
| - | OpenWrt uses the commercial Coverity Scan tool which is available for free to open source projects to do static code analyses | + | The projected EoL can be extended later, depending |
| - | This scans one OpenWrt build per week and reports | + | |
| - | [[https:// | + | |
| - | ===== Reproducible Builds ===== | + | The Version references the most recent stable version from this release branch. |
| - | OpenWrt | + | * Fully supported means that the OpenWrt |
| - | The reproducible builds | + | * Security maintenance means that the OpenWrt team fixes only security problems in this release but no bugs any more. |
| - | [[https://reproducible.debian.net/openwrt/openwrt.html]] | + | * End of life means that we will *not* provide any updates also for severe security problem. Please update |
| + | |||
| + | A OpenWrt major version will get into fully supported status after it was initially released. | ||
| + | When the next OpenWrt major version is released the old version will move into security maintenance mode. | ||
| + | A OpenWrt major version will move into end of Life 1 year after the initial release or 6 months after the release of the next major versions. The later date will be used. We plan to do a final minor release at the end of the support cycle. | ||
| + | |||
| + | This only covers the core OpenWrt packages and not the external package feeds hosted on github. | ||
| + | Some feed package maintainer do not take care of all OpenWrt versions where the the core components | ||
| + | For the best security support | ||
| + | |||
| + | ===== Identifying problems ===== | ||
| + | The OpenWrt | ||
| + | The information are normally available for everyone and we appreciate fixes for problems reported by these tools form everyone. | ||
| + | |||
| + | ==== uscan ==== | ||
| + | The [[https:// | ||
| + | In addition the tool which generates this page also checks | ||
| + | That page is updated weekly for master | ||
| + | |||
| + | ==== Coverity Scan ==== | ||
| + | OpenWrt uses the commercial | ||
| + | This scans one OpenWrt build per week and reports the problems found in the components developed in the OpenWrt project like procd and ubus, but not on (patched) third party components. | ||
| - | ===== deliver to users ===== | + | ===== Reproducible builds |
| + | The [[https:// | ||
| + | This proves that the produced releases really match the delivered source code and no backdoors were introduced in the build process. | ||
| - | OpenWrt operates multiple build bot instances which are building snapshots of the master and the supported release branches. See [[: | + | ===== Deliver to users ===== |
| + | OpenWrt operates multiple | ||
| - | When a change to a package is committed to the OpenWrt base repository of package feed the build bots are automatically | + | When a change to a package is committed to the OpenWrt base repository of package feed, the build bots are automatically |
| + | The newly built package can then be installed with opkg or be integrated with the image builder by users of OpenWrt. | ||
| + | This allows us to ship updates in about 2 days to the end users. | ||
| - | The kernel is normally located in its own partition and upgrades are not so easily possible. Therefore this mechanism currently | + | The kernel is normally located in its own partition and upgrades are not so easily possible. |
| + | Therefore this mechanism currently | ||
| ===== Hardening build options ===== | ===== Hardening build options ===== | ||
| - | OpenWrt activates some build hardening options at compile time for all packages | + | OpenWrt activates some build hardening options |
| + | Note that individual | ||
| - | Source: | + | ^ .config line ^ Enabled by default |
| + | | '' | ||
| + | | '' | ||
| + | | '' | ||
| + | | '' | ||
| + | | '' | ||
| + | | '' | ||
| + | | '' | ||
| + | | '' | ||
| + | | '' | ||
| + | | '' | ||
| + | | '' | ||
| + | | '' | ||
| - | ^ .config line ^ Enabled by Default? ^ Notes ^ | ||
| - | | '' | ||
| - | | '' | ||
| - | | '' | ||
| - | | '' | ||
| - | | '' | ||
| - | | '' | ||
| - | | '' | ||
| - | | '' | ||
| - | | '' | ||