Differences

This shows you the differences between two versions of the page.

docs:guide-developer:security [2021/09/21 21:44] – [Reproducible builds] unify links vgaetera
docs:guide-developer:security [2023/10/13 09:25] – add 23.05 hauke
Line 5: Line 5:
 This covers the OpenWrt distribution with the official package feeds hosted at https://github.com/openwrt/ and also the OpenWrt specific tools hosted at https://git.openwrt.org/ like procd, ubus and libubox This covers the OpenWrt distribution with the official package feeds hosted at https://github.com/openwrt/ and also the OpenWrt specific tools hosted at https://git.openwrt.org/ like procd, ubus and libubox
  
-===== Vulnerability Reporting =====+===== Vulnerability reporting =====
 Security bugs should be reported in confidentiality to [[contact@openwrt.org]], see [[:bugs#reporting_security_bugs|Reporting security bugs]] for details. Security bugs should be reported in confidentiality to [[contact@openwrt.org]], see [[:bugs#reporting_security_bugs|Reporting security bugs]] for details.
  
 ===== Security advisories ===== ===== Security advisories =====
-==== Security advisories 2021 ==== 
-<nspages advisory -actualtitle -textPages="" -exclude -numberedList -sortId -reverse -title -pregPagesOn="/2021-/"> 
  
-==== Security advisories 2020 ==== +/** Omit the footer because the edit/create date is inaccurate because the page's contents are autogenerated. */ 
-<nspages advisory -actualtitle -textPages="" -exclude -numberedList -sortId -reverse -title -pregPagesOn="/2020-/">+{{page>advisory:start&link&nofooter}}
  
-==== Security advisories 2019 ==== +This only lists security advisories for components maintained directly by the OpenWrt team. This does not list all fixed security problems in third party components used by OpenWrt which can also affect the security of OpenWrt. We do not list known security problems in the Linux kernel, openssl and other third party components even when they affect use cases relevant for OpenWrt. The OpenWrt team monitors the upstream projects and backports security fixes for components used in the OpenWrt core repository to still supported OpenWrt versions. For example  [[https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33|159 CVEs]] were assigned to the Linux kernel in 2021 alone, OpenWrt regularly updates the minor Linux kernel version to get the recent fixes.
-<nspages advisory -actualtitle -textPages="" -exclude -numberedList -sortId -reverse -title -pregPagesOn="/2019-/">+
  
 ===== Support status ===== ===== Support status =====
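Review bot: the new scope paragraph ends in a comma splice: "...were assigned to the Linux kernel in 2021 alone, OpenWrt regularly updates the minor Linux kernel version..." should be two sentences, or joined with "so". The "159 CVEs" link text is a count read off cvedetails at one point in time and will drift from what the linked page shows; date the figure in the text ("159 CVEs (as of 2021)") so readers know when it was true. Two smaller points: "openssl" is lower-case while the project name is OpenSSL, and the `/** ... */` comment above the include reads "because ... because"; "Omit the footer: the edit/create date is inaccurate since the page contents are autogenerated" is cleaner.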
Line 22: Line 19:
  
 ^ Version ^ Current status ^ Projected EoL ^ ^ Version ^ Current status ^ Projected EoL ^
-21.02 | Fully supported | | +23.05 | Fully supported | - | 
-| 19.07 | Fully supported August 2021 +| 22.03 | Security maintenance | EoL (April 2024) | 
-| 18.06 | End of life | December 2020 |+| 21.02 | End of life | EoL (May 2023) 
 +| 19.07 | End of life EoL (April 2022) 
 +| 18.06 | End of life | EoL |
 | 17.01 | End of life | EoL | | 17.01 | End of life | EoL |
 | 15.05 | End of life | EoL | | 15.05 | End of life | EoL |
 +
 +The projected EoL can be extended later, depending on the future situation, like the release date of the next release.
  
 The Version references the most recent stable version from this release branch. The Version references the most recent stable version from this release branch.
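Review bot: the Projected EoL column now mixes three notations: "-" for 23.05, "EoL (April 2024)" for 22.03, which is still in security maintenance, and bare "EoL" for 18.06 and older. Since the column is the *projected* end of life, a release that is still maintained reads more clearly as "April 2024" (the date support is expected to end), with "EoL (date)" reserved for releases whose support has already ended. As rendered here, the 23.05, 21.02 and 19.07 rows are also missing a cell separator (the leading "|" on the 23.05 row, the trailing "|" on 21.02, and the one between "End of life" and "EoL (April 2022)" on 19.07); worth checking that the wiki source has all of them, since a missing separator shifts cells in a DokuWiki table.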
Line 34: Line 35:
   * End of life means that we will *not* provide any updates also for severe security problem. Please update to more recent versions.   * End of life means that we will *not* provide any updates also for severe security problem. Please update to more recent versions.
  
-The Projected EoL can be extended later, depending on the future situation, like the release date of the next release.+A OpenWrt major version will get into fully supported status after it was initially released. 
 +When the next OpenWrt major version is released the old version will move into security maintenance mode. 
 +A OpenWrt major version will move into end of Life 1 year after the initial release or 6 months after the release of the next major versions. The later date will be used. We plan to do a final minor release at the end of the support cycle.
  
 This only covers the core OpenWrt packages and not the external package feeds hosted on github. This only covers the core OpenWrt packages and not the external package feeds hosted on github.
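Review bot: grammar in the new support-cycle paragraph: "A OpenWrt major version" (twice) should be "An OpenWrt major version", "end of Life" should be "end of life" to match the table wording, and "the next major versions" should be singular. "The later date will be used" reads better as "whichever date is later". The sentence this paragraph replaces (that the projected EoL can be extended) moved up under the table in this diff, so nothing is lost; the three sentences here are policy and belong together as one paragraph as written.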
Line 46: Line 49:
 ==== uscan ==== ==== uscan ====
 The [[https://sdwalker.github.io/uscan/index.html|uscan report]] shows the version number of all packages from the base and the package repository and compares it against the recent upstream released versions. The [[https://sdwalker.github.io/uscan/index.html|uscan report]] shows the version number of all packages from the base and the package repository and compares it against the recent upstream released versions.
-In addition the tool which generates this page also checks for existing CVEs assigned to the packages based on the Common Platform Enumeration (CPE) which is listed in the PKG_CPE_ID  variable of many packages.+In addition the tool which generates this page also checks for existing CVEs assigned to the packages based on the Common Platform Enumeration (CPE) which is listed in the PKG_CPE_ID variable of many packages.
 That page is updated weekly for master and the active release branches. That page is updated weekly for master and the active release branches.
  
 ==== Coverity Scan ==== ==== Coverity Scan ====
 OpenWrt uses the commercial [[https://scan.coverity.com/projects/openwrt|Coverity Scan]] tool which is available for free to open source projects to do static code analyses on the OpenWrt components. OpenWrt uses the commercial [[https://scan.coverity.com/projects/openwrt|Coverity Scan]] tool which is available for free to open source projects to do static code analyses on the OpenWrt components.
-This scans one OpenWrt build per week and reports the problems found in the components developed in the OpenWrt project  like procd and ubus, but not on (patched) third party components.+This scans one OpenWrt build per week and reports the problems found in the components developed in the OpenWrt project like procd and ubus, but not on (patched) third party components.
  
 ===== Reproducible builds ===== ===== Reproducible builds =====
Line 58: Line 61:
  
 ===== Deliver to users ===== ===== Deliver to users =====
-OpenWrt operates multiple [[:infrastructure#Buildbot|build bot instances]] which are building snapshots of the master and the supported release branches.+OpenWrt operates multiple [[:infrastructure#Buildbot|build bot instances]] which are building snapshots of the ''master'' and the supported release branches.
  
-When a change to a package is committed to the OpenWrt base repository of package feed the build bots are automatically detection this change and will rebuild this package. +When a change to a package is committed to the OpenWrt base repository of package feedthe build bots are automatically detecting this change and will rebuild this package. 
-The new newly build package can then be installed with opkg or be integrated with the image builder by users of OpenWrt.+The newly built package can then be installed with opkg or be integrated with the image builder by users of OpenWrt.
 This allows us to ship updates in about 2 days to the end users. This allows us to ship updates in about 2 days to the end users.
  
 The kernel is normally located in its own partition and upgrades are not so easily possible. The kernel is normally located in its own partition and upgrades are not so easily possible.
-Therefore this mechanism currently does not work for the kernel itself and kernel modules, there a new minor release is needed to ship fixes to end users.+Therefore this mechanism currently does not work for the kernel itself and kernel modules and a new minor release is needed to ship fixes to end users.
  
 ===== Hardening build options ===== ===== Hardening build options =====
-OpenWrt activates some build hardening options in the [[https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=config/Config-build.in|build configuration]] at compile time for all packages build.+OpenWrt activates some build hardening options in the [[https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=config/Config-build.in|build configuration]] at compile time for all package builds.
 Note that individual packages and/or targets may ignore or otherwise not respect these settings. Note that individual packages and/or targets may ignore or otherwise not respect these settings.
  
-^ .config line ^ Enabled by Default? ^ Notes ^ +^ .config line                                   ^ Enabled by default  ^ Notes                                                                                                                                
-| ''CONFIG_PKG_CHECK_FORMAT_SECURITY=y'' | Yes | ''-Wformat -Werror=format-security''+| ''CONFIG_PKG_CHECK_FORMAT_SECURITY=y''         | Yes                 | ''-Wformat -Werror=format-security''                                                                                                 
-| ''CONFIG_PKG_CC_STACKPROTECTOR_REGULAR=y'' | Yes | ''-fstack-protector''+| ''CONFIG_PKG_CC_STACKPROTECTOR_REGULAR=y''     | Yes                 | ''-fstack-protector''                                                                                                                
-| ''CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y'' | | ''-fstack-protector-strong''+| ''CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y''      No                  | ''-fstack-protector-strong''                                                                                                         
-| ''CONFIG_KERNEL_CC_STACKPROTECTOR_REGULAR=y'' | Yes | Kernel config CONFIG_STACKPROTECTOR | +| ''CONFIG_KERNEL_CC_STACKPROTECTOR_REGULAR=y''  | Yes                 | Kernel config CONFIG_STACKPROTECTOR                                                                                                  
-| ''CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y'' | | Kernel config CONFIG_STACKPROTECTOR_STRONG | +| ''CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y''   No                  | Kernel config CONFIG_STACKPROTECTOR_STRONG                                                                                           
-| ''CONFIG_PKG_FORTIFY_SOURCE_1=y'' | Yes | ''-D_FORTIFY_SOURCE=1'' (Using [[https://git.2f30.org/fortify-headers/|fortify-headers]] for musl libc) | +| ''CONFIG_PKG_FORTIFY_SOURCE_1=y''              | Yes                 | ''-D_FORTIFY_SOURCE=1'' (Using [[https://git.2f30.org/fortify-headers/|fortify-headers]] for musl libc)                              
-| ''CONFIG_PKG_FORTIFY_SOURCE_2=y'' | | ''-D_FORTIFY_SOURCE=2'' (Using [[https://git.2f30.org/fortify-headers/|fortify-headers]] for musl libc) | +| ''CONFIG_PKG_FORTIFY_SOURCE_2=y''              No                  | ''-D_FORTIFY_SOURCE=2'' (Using [[https://git.2f30.org/fortify-headers/|fortify-headers]] for musl libc)                              
-| ''CONFIG_PKG_RELRO_FULL=y'' | Yes | ''-Wl,-z,now -Wl,-z,relro''+| ''CONFIG_PKG_RELRO_FULL=y''                    | Yes                 | ''-Wl,-z,now -Wl,-z,relro''                                                                                                          
-| ''CONFIG_PKG_ASLR_PIE=y'' | | ''-PIE''  (some own spec file) |+| ''CONFIG_PKG_ASLR_PIE_REGULAR=y''              Yes                 | ''-fPIC'' CFLAGS and ''-specs=hardened-build-ld'' LDFLAGS\\ PIE is activated for some binaries, mostly network exposed applications 
 +| ''CONFIG_PKG_ASLR_PIE_ALL=y''                  | No                  | PIE is activated for all applications                                                                                                | 
 +| ''CONFIG_KERNEL_SECCOMP''                      | Yes                 | Kernel config CONFIG_SECCOMP                                                                                                         | 
 +| ''CONFIG_SELINUX''                             | No                  | Kernel config SECURITY_SELINUX                                                                                                       |
  
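Review bot: "committed to the OpenWrt base repository of package feed" still reads "of" where "or package feed" is meant, and "feedthe" has lost its space; the rewrite of that sentence is the moment to fix both. In the hardening table, the two new rows CONFIG_KERNEL_SECCOMP and CONFIG_SELINUX omit the "=y" suffix that every other ".config line" entry carries; add it for consistency. The SELinux row also names the kernel option "SECURITY_SELINUX" while the other rows spell out the full symbol ("CONFIG_STACKPROTECTOR", "CONFIG_SECCOMP"); the kernel symbol is CONFIG_SECURITY_SELINUX. Finally, as rendered here the header row and the rows down to CONFIG_PKG_ASLR_PIE_REGULAR lack the closing "^"/"|" that the last three rows have; check the source to confirm every row still closes with its separator.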
  • Last modified: 2024/12/07 10:05
  • by ynezz