Differences

This shows you the differences between two versions of the page.

docs:guide-developer:security [2022/04/20 22:52] – mark 19.07 End of life hauke
docs:guide-developer:security [2023/10/13 09:25] – add 23.05 hauke
Line 9: Line 9:
  
 ===== Security advisories ===== ===== Security advisories =====
-==== Security advisories 2021 ==== 
-<nspages advisory -actualtitle -textPages="" -exclude -numberedList -sortId -reverse -title -pregPagesOn="/2021-/"> 
  
-==== Security advisories 2020 ==== +/** Omit the footer because the edit/create date is inaccurate because the page's contents are autogenerated. */ 
-<nspages advisory -actualtitle -textPages="" -exclude -numberedList -sortId -reverse -title -pregPagesOn="/2020-/">+{{page>advisory:start&link&nofooter}}
  
-==== Security advisories 2019 ==== +This only lists security advisories for components maintained directly by the OpenWrt team. This does not list all fixed security problems in third party components used by OpenWrt which can also affect the security of OpenWrt. We do not list known security problems in the Linux kernel, openssl and other third party components even when they affect use cases relevant for OpenWrt. The OpenWrt team monitors the upstream projects and backports security fixes for components used in the OpenWrt core repository to still supported OpenWrt versions. For example  [[https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33|159 CVEs]] were assigned to the Linux kernel in 2021 alone, OpenWrt regularly updates the minor Linux kernel version to get the recent fixes.
-<nspages advisory -actualtitle -textPages="" -exclude -numberedList -sortId -reverse -title -pregPagesOn="/2019-/">+
  
 ===== Support status ===== ===== Support status =====
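Review bot: In the added scope paragraph, the statement that Linux kernel, openssl and other third-party problems are not listed gives readers no pointer to where the backported fixes for a given release are recorded, so an advisory list with no entry for a release can be misread as "nothing was fixed"; add a link or a sentence naming where those backports can be looked up. The last sentence is a comma splice ("in 2021 alone, OpenWrt regularly updates") with a double space before the link, and the hard-coded "159 CVEs" figure for 2021 is already dated in a revision made in 2023. Dropping the per-year "Security advisories 2019/2020/2021" headings also removes their section anchors, so check for inbound links to them.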
Line 22: Line 19:
  
 ^ Version ^ Current status ^ Projected EoL ^ ^ Version ^ Current status ^ Projected EoL ^
-21.02 | Fully supported | December 2022 +23.05 | Fully supported | - | 
-| 19.07 | End of life | March 2022 | +| 22.03 | Security maintenance | EoL (April 2024) | 
-| 18.06 | End of life | December 2020 |+| 21.02 | End of life | EoL (May 2023) 
 +| 19.07 | End of life | EoL (April 2022
 +| 18.06 | End of life | EoL |
 | 17.01 | End of life | EoL | | 17.01 | End of life | EoL |
 | 15.05 | End of life | EoL | | 15.05 | End of life | EoL |
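Review bot: The "Projected EoL" column mixes three formats in the added rows: "-" for 23.05, "EoL (April 2024)" for 22.03, and a bare "EoL" for 18.06. For 22.03 the status is still "Security maintenance", so "EoL (April 2024)" reads as if the release were already end of life; give the projected date alone there, as the removed rows did. The 18.06 row also loses its "December 2020" date while 21.02 and 19.07 keep theirs; keep it so readers can tell how long a device on that release has gone without fixes.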
Line 75: Line 74:
 Note that individual packages and/or targets may ignore or otherwise not respect these settings. Note that individual packages and/or targets may ignore or otherwise not respect these settings.
  
-^ .config line ^ Enabled by default ^ Notes ^ +^ .config line                                   ^ Enabled by default  ^ Notes                                                                                                                                
-| ''CONFIG_PKG_CHECK_FORMAT_SECURITY=y'' | Yes | ''-Wformat -Werror=format-security''+| ''CONFIG_PKG_CHECK_FORMAT_SECURITY=y''         | Yes                 | ''-Wformat -Werror=format-security''                                                                                                 
-| ''CONFIG_PKG_CC_STACKPROTECTOR_REGULAR=y'' | Yes | ''-fstack-protector''+| ''CONFIG_PKG_CC_STACKPROTECTOR_REGULAR=y''     | Yes                 | ''-fstack-protector''                                                                                                                
-| ''CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y'' | | ''-fstack-protector-strong''+| ''CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y''      No                  | ''-fstack-protector-strong''                                                                                                         
-| ''CONFIG_KERNEL_CC_STACKPROTECTOR_REGULAR=y'' | Yes | Kernel config CONFIG_STACKPROTECTOR | +| ''CONFIG_KERNEL_CC_STACKPROTECTOR_REGULAR=y''  | Yes                 | Kernel config CONFIG_STACKPROTECTOR                                                                                                  
-| ''CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y'' | | Kernel config CONFIG_STACKPROTECTOR_STRONG | +| ''CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y''   No                  | Kernel config CONFIG_STACKPROTECTOR_STRONG                                                                                           
-| ''CONFIG_PKG_FORTIFY_SOURCE_1=y'' | Yes | ''-D_FORTIFY_SOURCE=1'' (Using [[https://git.2f30.org/fortify-headers/|fortify-headers]] for musl libc) | +| ''CONFIG_PKG_FORTIFY_SOURCE_1=y''              | Yes                 | ''-D_FORTIFY_SOURCE=1'' (Using [[https://git.2f30.org/fortify-headers/|fortify-headers]] for musl libc)                              
-| ''CONFIG_PKG_FORTIFY_SOURCE_2=y'' | | ''-D_FORTIFY_SOURCE=2'' (Using [[https://git.2f30.org/fortify-headers/|fortify-headers]] for musl libc) | +| ''CONFIG_PKG_FORTIFY_SOURCE_2=y''              No                  | ''-D_FORTIFY_SOURCE=2'' (Using [[https://git.2f30.org/fortify-headers/|fortify-headers]] for musl libc)                              
-| ''CONFIG_PKG_RELRO_FULL=y'' | Yes | ''-Wl,-z,now -Wl,-z,relro''+| ''CONFIG_PKG_RELRO_FULL=y''                    | Yes                 | ''-Wl,-z,now -Wl,-z,relro''                                                                                                          
-| ''CONFIG_PKG_ASLR_PIE=y'' | | ''-PIE'' (some own spec file) |+| ''CONFIG_PKG_ASLR_PIE_REGULAR=y''              Yes                 | ''-fPIC'' CFLAGS and ''-specs=hardened-build-ld'' LDFLAGS\\ PIE is activated for some binaries, mostly network exposed applications 
 +| ''CONFIG_PKG_ASLR_PIE_ALL=y''                  | No                  | PIE is activated for all applications                                                                                                | 
 +| ''CONFIG_KERNEL_SECCOMP''                      | Yes                 | Kernel config CONFIG_SECCOMP                                                                                                         | 
 +| ''CONFIG_SELINUX''                             | No                  | Kernel config SECURITY_SELINUX                                                                                                       |
  
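Review bot: The two added rows CONFIG_KERNEL_SECCOMP and CONFIG_SELINUX omit the "=y" that every other entry in the ".config line" column carries, and the SELinux note names the kernel option as "SECURITY_SELINUX" without the CONFIG_ prefix used in the "Kernel config CONFIG_SECCOMP" and "Kernel config CONFIG_STACKPROTECTOR" notes; make them consistent so the entries can be copied into a .config as shown. The CONFIG_PKG_ASLR_PIE_REGULAR note says PIE is activated for "some binaries, mostly network exposed applications" without saying how a package is selected, which leaves readers unable to tell whether a given daemon is covered; say how the choice is made or where it is set. Re-padding every row in the same edit also buries the substantive changes (blank "Enabled by default" cells becoming "No", the ASLR_PIE rename, three new rows); a separate whitespace-only edit would keep the history readable.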
  • Last modified: 2024/12/07 10:05
  • by ynezz