OpenWrt v18.06.4 Changelog

This changelog lists all commits done in OpenWrt since the v18.06.2 tag, grouped by subsystem. The changes are chronologically ordered from top to bottom and cover the Git repository history until the tagging of the 18.06.4 release.

Note that this log includes the changes of the v18.06.3 release which was quickly superseded by v18.06.4 due to upstream Kernel fixes made shortly after preparing the previous release. Refer to the incremental changelog for the exact changes between v18.06.3 and v18.06.4.

Build System / Buildroot (1 change)

4058406 build: Accept BIN_DIR parameter for legacy-images

Build System / Host Utilities (3 changes)

400601f tools/libelf: Add mirrors as main site is dead
aaa3452 tools/pkg-config: pass arguments at the end
24aefae tools/pkg-config: Handle variable substitution of 'bindir' to redirect to STA...

Kernel (67 changes)

1f1f421 kernel: bump 4.9 to 4.9.153
026f08a kernel: bump 4.14 to 4.14.96
21762fe kernel: bump 4.9 to 4.9.154
ef17eda kernel: bump 4.14 to 4.14.97
72870cc kernel: bump 4.9 to 4.9.155
fbb2186 kernel: bump 4.14 to 4.14.98
9fb3710 kernel: bump 4.9 to 4.9.156
62feabe kernel: bump 4.14 to 4.14.99
d669be4 kernel: bump 4.9 to 4.9.158
20f1b7d kernel: bump 4.14 4.14.101
e9cb40c kernel: bump 4.9 to 4.9.159
1be6ff6 kernel: bump 4.14 to 4.14.102
e2ba7a4 kernel: bump 4.9 to 4.9.160
9ee8c8d kernel: bump 4.14 to 4.14.103
eea5382 kernel: fix refcnt leak in LED netdev trigger on interface rename
5183df0 kernel: bump 4.9 to 4.9.161
810ee3b kernel: bump 4.14 to 4.14.104
2b9d2f6 kernel: bump 4.9 to 4.9.162
4918fe0 kernel: bump 4.14 to 4.14.105
24f3207 kernel: bump 4.9 to 4.9.163
0a637c7 kernel: bump 4.14 to 4.14.106
dcdf509 kernel: bump 4.9 to 4.9.164
6c3ca1d kernel: bump 4.14 to 4.14.107
dac25a5 kernel: bump 4.9 to 4.9.165
22a3e65 kernel: bump 4.14 to 4.14.108
1ff4cd1 kernel: bump 4.9 to 4.9.166
ca8b4d6 kernel: bump 4.14 to 4.14.109
07bd5b7 kernel: bump 4.9 to 4.9.167
dad220a kernel: bump 4.14 to 4.14.110
aa0e6fc kernel: bump 4.9 to 4.9.168
6c81f5f kernel: bump 4.14 to 4.14.111
15a70d0 kernel: bump 4.9 to 4.9.169
ac3b5f0 kernel: bump 4.14 to 4.14.112
a5c62c9 kernel: bump 4.9 to 4.9.170
3103bd5 kernel: bump 4.14 to 4.14.113
2faceb1 kernel: bump 4.9 to 4.9.171
4685bf1 kernel: bump 4.14 to 4.14.114
f105a9c kernel: bump 4.9 to 4.9.172
412d80c kernel: bump 4.14 to 4.14.115
f053a8c kernel: bump 4.9 to 4.9.175
d3053b1 kernel: bump 4.14 to 4.14.118
e6928e6 kernel: Fix arc kernel build
82e4b42 kernel: bump 4.9 to 4.9.176
152755c kernel: bump 4.14 to 4.14.119
85294fc kernel: bump 4.9 to 4.9.177
68a5e66 kernel: bump 4.14 to 4.14.120
054aecd kernel: bump 4.9 to 4.9.178
7e07320 kernel: bump 4.14 to 4.14.121
9591155 kernel: Fix arc kernel 4.14 build
e3408d0 kernel: bump 4.9 to 4.9.179
6563e49 kernel: bump 4.14 to 4.14.122
7fe1b4a kernel: bump 4.9 to 4.9.180
1867f10 kernel: bump 4.14 to 4.14.123
5dbac47 kernel: re-add bridge allow reception on disabled port
40b1e89 kernel: bump 4.9 to 4.9.181
f63a1ca kernel: bump 4.14 to 4.14.125
85eda6f kernel: mt29f_spinand: fix memory leak during page program
6fa6f74 kernel: backport 4.18 patch adding DMI_PRODUCT_SKU
e493230 kernel: bump 4.14 to 4.14.126
9de2f4d kernel: bump 4.9 to 4.9.182
2999c34 kernel: bump 4.14 to 4.14.127
bd0c398 kernel: bump 4.14 to 4.14.128
6c1bef8 kernel: bump 4.9 to 4.9.183
9c6fb1d kernel: bump 4.14 to 4.14.129
5e77116 kernel: bump 4.14 to 4.14.130
18266fc kernel: bump 4.9 to 4.9.184
d5ff089 kernel: bump 4.14 to 4.14.131

Packages / Boot Loaders (3 changes)

dcfca83 ipq40xx: copy Fritz4040 UBoot to STAGING_DIR_IMAGE
3239f56 uboot-fritz4040: Add host flags for host compiler
a0543d8 uboot-fritz4040: update PKG_MIRROR_HASH

Packages / Common (10 changes)

87fb8ae dnsmasq: allow using dnsmasq as the sole resolver
ce3a53c dnsmasq: prefer localuse over resolvfile guesswork
9f2cbca busybox: add missing install dir
4b4de23 openssl: update to 1.0.2r
ecfe0f1 ca-certificates: update to version 20190110
40ed838 mbedtls: update to version 2.16.1
dc1b578 curl: Fix multiple security problems
6761961 openssl: update to 1.0.2s
b463a13 hostapd: fix multiple security problems
3dc7402 uqmi: inherit firewall zone membership to virtual sub interfaces

Packages / OpenWrt base files (1 change)

9656f49 base-files: fix uci led oneshot/timer trigger

Packages / OpenWrt network userland (4 changes)

9b14c7d netifd: handle hotplug event socket errors
d0fa124 iprule: fix segfault (FS#1875)
a2aba5c system-linux: handle hotplug event socket ENOBUFS errors
a2c22b8 uqmi: fix PIN_STATUS_FAILED error with MC7455 WCDMA/LTE modem
3dc7402 uqmi: inherit firewall zone membership to virtual sub interfaces
ef686b7 uqmi: bump to latest git HEAD
01944dd uqmi_add_command: fixed command argument assignment
1965c71 uqmi: add explicit check for message type when expecting a response

Packages / OpenWrt system userland (6 changes)

e0505cc Revert "uhttpd: disable concurrent requests by default"
e9a7344 uci: fix heap use after free (FS#2288)
f199b96 uci: fix options list of section after type change
5d27e87 rpcd: fix init script reload action
fc39d5f fstools: media change detection (eg:sdcard) using kernel polling
25fc20d fstools: update to the latest master branch
bc2c876 libfstools: Print error in case of loop blkdev failure
ff1ded6 libfstools: Fix overflow of F2FS_MINSIZE constant
97ae9e0 fstools: block-mount: fix restart of fstab service

Target / apm821xx (4 changes)

6c81f5f kernel: bump 4.14 to 4.14.111
4685bf1 kernel: bump 4.14 to 4.14.114
b2b1265 apm821xx: backport accepted linux-crypto patches
f63a1ca kernel: bump 4.14 to 4.14.125

Target / ar7 (1 change)

1f1f421 kernel: bump 4.9 to 4.9.153

Target / ar71xx (16 changes)

1f1f421 kernel: bump 4.9 to 4.9.153
bc3eb97 ar71xx: Fix 5 GHz MAC address for Archer C60 v2
dcdf509 kernel: bump 4.9 to 4.9.164
aa0e6fc kernel: bump 4.9 to 4.9.168
9c4fa1b ar71xx: Remove ath10k packages from archer-c7-v1 (fixes FS#1743)
c7eb679 ar71xx: Add "info" partition for TP-Link Archer C7 v5
7268ebb ar71xx: Correct MAC address for WAN interface of Archer C7 v5
6ac061f ar71xx: Fix IMAGE_SIZE for TP-Link Archer C7 v5
e6e5435 ar71xx: GL.iNet AR300M family: correct LED definitions
f105a9c kernel: bump 4.9 to 4.9.172
f053a8c kernel: bump 4.9 to 4.9.175
cf2aa87 ar71xx: Fix network setup for TP-Link Archer C25 v1
85294fc kernel: bump 4.9 to 4.9.177
40b1e89 kernel: bump 4.9 to 4.9.181
9de2f4d kernel: bump 4.9 to 4.9.182
6c1bef8 kernel: bump 4.9 to 4.9.183

Target / bcm53xx (1 change)

f63a1ca kernel: bump 4.14 to 4.14.125

Target / brcm2708 (8 changes)

9fb3710 kernel: bump 4.9 to 4.9.156
e9cb40c kernel: bump 4.9 to 4.9.159
aa0e6fc kernel: bump 4.9 to 4.9.168
f105a9c kernel: bump 4.9 to 4.9.172
f053a8c kernel: bump 4.9 to 4.9.175
40b1e89 kernel: bump 4.9 to 4.9.181
fc1dae5 brcm2708: Revert "staging: vc04_services: prevent integer overflow in create_...
6c1bef8 kernel: bump 4.9 to 4.9.183

Target / brcm63xx (4 changes)

e336124 brcm63xx: HG655b: fix the imagetag at dts
dcdf509 kernel: bump 4.9 to 4.9.164
cfb72ee brcm63xx: drop own implementation of DT partitions in favour of upstream
4b633af brcm63xx: drop linux,part-probe usage where possible

Target / cns3xxx (2 changes)

6563e49 kernel: bump 4.14 to 4.14.122
1867f10 kernel: bump 4.14 to 4.14.123

Target / gemini (2 changes)

62feabe kernel: bump 4.14 to 4.14.99
84aba57 gemini: 4.14: Fix up DNS-313 compatible string

Target / ipq40xx (2 changes)

1be6ff6 kernel: bump 4.14 to 4.14.102
dcfca83 ipq40xx: copy Fritz4040 UBoot to STAGING_DIR_IMAGE

Target / ipq806x (6 changes)

62feabe kernel: bump 4.14 to 4.14.99
1be6ff6 kernel: bump 4.14 to 4.14.102
22a3e65 kernel: bump 4.14 to 4.14.108
d3053b1 kernel: bump 4.14 to 4.14.118
68a5e66 kernel: bump 4.14 to 4.14.120
5fe809d Revert "ipq806x: fix EA8500 switch control"

Target / ixp4xx (5 changes)

1f1f421 kernel: bump 4.9 to 4.9.153
21762fe kernel: bump 4.9 to 4.9.154
9fb3710 kernel: bump 4.9 to 4.9.156
e2ba7a4 kernel: bump 4.9 to 4.9.160
40b1e89 kernel: bump 4.9 to 4.9.181

Target / kirkwood (2 changes)

dac25a5 kernel: bump 4.9 to 4.9.165
22a3e65 kernel: bump 4.14 to 4.14.108

Target / lantiq (7 changes)

1f1f421 kernel: bump 4.9 to 4.9.153
026f08a kernel: bump 4.14 to 4.14.96
1a6d7a6 lantiq: tdw89x0: Fix WLAN LED on TP-Link W8970 v1.2 (FS#2232)
f053a8c kernel: bump 4.9 to 4.9.175
d3053b1 kernel: bump 4.14 to 4.14.118
e3408d0 kernel: bump 4.9 to 4.9.179
6563e49 kernel: bump 4.14 to 4.14.122

Target / layerscape (18 changes)

21762fe kernel: bump 4.9 to 4.9.154
72870cc kernel: bump 4.9 to 4.9.155
9fb3710 kernel: bump 4.9 to 4.9.156
e9cb40c kernel: bump 4.9 to 4.9.159
e2ba7a4 kernel: bump 4.9 to 4.9.160
2b9d2f6 kernel: bump 4.9 to 4.9.162
24f3207 kernel: bump 4.9 to 4.9.163
dac25a5 kernel: bump 4.9 to 4.9.165
1ff4cd1 kernel: bump 4.9 to 4.9.166
07bd5b7 kernel: bump 4.9 to 4.9.167
15a70d0 kernel: bump 4.9 to 4.9.169
a5c62c9 kernel: bump 4.9 to 4.9.170
2faceb1 kernel: bump 4.9 to 4.9.171
f105a9c kernel: bump 4.9 to 4.9.172
f053a8c kernel: bump 4.9 to 4.9.175
e3408d0 kernel: bump 4.9 to 4.9.179
40b1e89 kernel: bump 4.9 to 4.9.181
6c1bef8 kernel: bump 4.9 to 4.9.183

Target / mediatek (6 changes)

ef17eda kernel: bump 4.14 to 4.14.97
fbb2186 kernel: bump 4.14 to 4.14.98
62feabe kernel: bump 4.14 to 4.14.99
68a5e66 kernel: bump 4.14 to 4.14.120
f63a1ca kernel: bump 4.14 to 4.14.125
5e77116 kernel: bump 4.14 to 4.14.130

Target / mpc85xx (1 change)

15a70d0 kernel: bump 4.9 to 4.9.169

Target / mvebu (8 changes)

fbb2186 kernel: bump 4.14 to 4.14.98
810ee3b kernel: bump 4.14 to 4.14.104
0a637c7 kernel: bump 4.14 to 4.14.106
22a3e65 kernel: bump 4.14 to 4.14.108
ac3b5f0 kernel: bump 4.14 to 4.14.112
68a5e66 kernel: bump 4.14 to 4.14.120
f63a1ca kernel: bump 4.14 to 4.14.125
c449130 mvebu: fixes commit f63a1caf22cb

Target / oxnas (6 changes)

1bfe1ce oxnas: cheery-pick DTS improvements from master
f1803e3 oxnas: add SoC restart driver for reboot
4918fe0 kernel: bump 4.14 to 4.14.105
22a3e65 kernel: bump 4.14 to 4.14.108
68a5e66 kernel: bump 4.14 to 4.14.120
bd0c398 kernel: bump 4.14 to 4.14.128

Target / ramips (10 changes)

026f08a kernel: bump 4.14 to 4.14.96
ef17eda kernel: bump 4.14 to 4.14.97
62feabe kernel: bump 4.14 to 4.14.99
0a637c7 kernel: bump 4.14 to 4.14.106
4336cfd ramips: allow packets with ttl=0
22a3e65 kernel: bump 4.14 to 4.14.108
d3053b1 kernel: bump 4.14 to 4.14.118
b5ce521 ramips: rt305x: Reduce size of a5-v11 image
f63a1ca kernel: bump 4.14 to 4.14.125
bd0c398 kernel: bump 4.14 to 4.14.128

Target / sunxi (2 changes)

4918fe0 kernel: bump 4.14 to 4.14.105
68a5e66 kernel: bump 4.14 to 4.14.120

Target / x86 (2 changes)

85294fc kernel: bump 4.9 to 4.9.177
68a5e66 kernel: bump 4.14 to 4.14.120

Wireless / Common (8 changes)

d997712 ath9k: register GPIO chip for OF targets
19a6c4b mac80211: brcmfmac: fix a possible NULL pointer dereference
d32bbd7 mac80211: brcmfmac: backport 5.0 & 5.1 important changes/fixes
08db939 mac80211: backport tx queue start/stop fix
85cb473 mac80211: add a fix to prevent unsafe queue wake calls during restart
02aed76 mac80211: brcmfmac: early work on FullMAC firmware crash recovery
2d2e615 mac80211: brcmfmac: really add early fw crash recovery
2cd234d mac80211: brcmfmac: backport important fixes from kernel 5.2

Wireless / MT76 (6 changes)

13eeee7 mt76: update to the latest version
c3da1aa mt7603: trigger beacon stuck detection faster
7a53138 mt7603: trigger watchdog reset if flushing CAB queue fails
6eef33b mt7603: remove mt7603_txq_init
ae30c30 mt76: add driver callback for when a sta is associated
0db925f mt7603: update HT/VHT capabilities after assoc
b5ac8e4 mt7603: initialize LED callbacks only if CONFIG_MT76_LEDS is set
c989bac mt76x0: eeprom: fix chan_vs_power map in mt76x0_get_power_info
24bd2c0 mt76x0: phy: report target_power in debugfs
bc7ce2a mt76x0: init: introduce mt76x0_init_txpower routine
ab41836 mt76: update to the latest version
a4ec45c mt7603: fix LED support (copy CFLAGS from main Makefile)
edda5c5 mt76x02: use mask for vifs
dd52191 mt76x02: use commmon add interface for mt76x2u
a80acaf mt76x02: initialize mutli bss mode when set up address
38e832d mt76x02: minor beaconing init changes
171adaf mt76x02: init beacon config for mt76x2u
dcab682 mt76: beaconing fixes for USB
ff81de1 mt76x02: enable support for IBSS and MESH
8027b5d mt7603: remove copyright headers
e747e80 mt76: fix software encryption issues
2afa0d7 mt7603: remove WCID override for software encrypted frames
e5ace80 mt76: update to the latest version
a9d4c0e mt76: mt76x2: avoid running DPD calibration if tx is blocked
4d7e13f mt76: explicitly disable energy detect cca during scan
e3c1aad mt76: run MAC work every 100ms
4e8766a mt76: clear CCA timer stats in mt76x02_edcca_init
e301f23 mt76: measure the time between mt76x02_edcca_check runs
74075ef mt76: increase ED/CCA tx block threshold
8de93ce mt76: update to the latest version
28d81ff mt76x0: eeprom: fix VHT mcs{8,9} rate power offset
6e33ce6 mt76: move mt76_mcu_msg_alloc in mt76-core
4637f95 mt76: move mt76_mcu_get_response in mt76-core
1763cb0 mt76: move mt76_mcu_rx_event in mt76-core
4db9d75 mt76x0: mcu: remove useless commented configuration
91d0455 mt76: move mt76_dma_tx_queue_skb_raw in mt76-core module
0e8e53f mt76: remove add_buf pointer in mt76_queue_ops
db47920 mt7603: rely on mt76_mcu_msg_alloc routine
471c447 mt7603: rely on mt76_mcu_get_response routine
cacc986 mt7603: rely on mt76_mcu_rx_event routine
11ab620 mt7603: rely on mt76_tx_queue_skb_raw common routine
82fa312 mt7603: move alloc_dev common code in mt76_alloc_device
47d5922 mt76: move alloc_device common code in mt76_alloc_device
c50c993 mt76x2u: remove mt76x2u_alloc_device routine
6ed5b7a mt76x0: remove mt76x0u_alloc_device routine
e32e249 mt76x2: remove mt76x2_alloc_device routine
⇒ + 55 more…
f87a187 mt76: update to latest openwrt-18.06 branch
00ac79d mt7603: fix initialization of max rx length
320af65 mt76: mt7603: use the correct hweight8() function
bdee924 mt76: fix schedule while atomic in mt76x02_reset_state
abcb544 mt76x02: do not enable RTS/CTS by default
13eb73b mt76: update to latest openwrt-18.06 branch
9e3ef1f mt7603: fix sequence number assignment
a5f5605 mt7603: send BAR after powersave wakeup

Addressed bugs

#1743

Description: Archer C7 v1.1 is soft bricked with the 18.06 release
Link: https://bugs.openwrt.org/index.php?do=details&task_id=1743
Commits:
9c4fa1b ar71xx: Remove ath10k packages from archer-c7-v1 (fixes FS#1743)

#2098

Description: Unable to detect wifi LED
Link: https://bugs.openwrt.org/index.php?do=details&task_id=2098
Commits:
d997712 ath9k: register GPIO chip for OF targets

#2122

Description: NAT-Loopback not working with NCM protocol
Link: https://bugs.openwrt.org/index.php?do=details&task_id=2122
Commits:
3dc7402 uqmi: inherit firewall zone membership to virtual sub interfaces

#2168

Description: Switch no longer work after restart on Linksys EA8500
Link: https://bugs.openwrt.org/index.php?do=details&task_id=2168
Commits:
5fe809d Revert "ipq806x: fix EA8500 switch control"

#2232

Description: Wifi LED on W8970 Not Working (v18.06.2)
Link: https://bugs.openwrt.org/index.php?do=details&task_id=2232
Commits:
1a6d7a6 lantiq: tdw89x0: Fix WLAN LED on TP-Link W8970 v1.2 (FS#2232)

#2288

Description: uci memory corruption when setting section name
Link: https://bugs.openwrt.org/index.php?do=details&task_id=2288
Commits:
e9a7344 uci: fix heap use after free (FS#2288)
f199b96 uci: fix options list of section after type change

Security fixes

CVE-2018-14618

Description: curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618
Commits:
dc1b578 curl: Fix multiple security problems

CVE-2018-16839

Description: Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16839
Commits:
dc1b578 curl: Fix multiple security problems

CVE-2018-16840

Description: A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840
Commits:
dc1b578 curl: Fix multiple security problems

CVE-2018-16842

Description: Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16842
Commits:
dc1b578 curl: Fix multiple security problems

CVE-2018-16890

Description: libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl into accepting a bad length + offset combination that would lead to a buffer read out-of-bounds.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890
Commits:
dc1b578 curl: Fix multiple security problems

CVE-2018-1000026

Description: Linux kernel version at least v4.8 onwards, probably well before, contains an insufficient input validation vulnerability in the bnx2x network card driver that can result in DoS: network card firmware assertion takes the card off-line. This attack appears to be exploitable via An attacker on a must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000026
Commits:
e9cb40c kernel: bump 4.9 to 4.9.159
1be6ff6 kernel: bump 4.14 to 4.14.102

CVE-2019-3819

Description: A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ("root") can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3819
Commits:
d669be4 kernel: bump 4.9 to 4.9.158
20f1b7d kernel: bump 4.14 4.14.101

CVE-2019-3822

Description: libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822
Commits:
dc1b578 curl: Fix multiple security problems

CVE-2019-3823

Description: libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823
Commits:
dc1b578 curl: Fix multiple security problems

CVE-2019-9494

Description: The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9494
Commits:
b463a13 hostapd: fix multiple security problems

CVE-2019-9495

Description: The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer are not vulnerable to the timing attack described in CVE-2019-9494. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9495
Commits:
b463a13 hostapd: fix multiple security problems

CVE-2019-9496

Description: An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All versions of hostapd with SAE support are vulnerable. An attacker may force the hostapd process to terminate, performing a denial of service attack. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9496
Commits:
b463a13 hostapd: fix multiple security problems

CVE-2019-9497

Description: The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. This vulnerability may allow an attacker to complete EAP-PWD authentication without knowing the password. However, unless the crypto library does not implement additional checks for the EC point, the attacker will not be able to derive the session key or complete the key exchange. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9497
Commits:
b463a13 hostapd: fix multiple security problems

CVE-2019-9498

Description: The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9498
Commits:
6761961 openssl: update to 1.0.2s
b463a13 hostapd: fix multiple security problems

CVE-2019-9499

Description: The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may complete authentication, session key and control of the data connection with a client. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9499
Commits:
6761961 openssl: update to 1.0.2s
b463a13 hostapd: fix multiple security problems

CVE-2019-11477

Description: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
Commits:
9de2f4d kernel: bump 4.9 to 4.9.182
2999c34 kernel: bump 4.14 to 4.14.127

CVE-2019-11478

Description: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
Commits:
9de2f4d kernel: bump 4.9 to 4.9.182
2999c34 kernel: bump 4.14 to 4.14.127

CVE-2019-11479

Description: Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
Commits:
9de2f4d kernel: bump 4.9 to 4.9.182
2999c34 kernel: bump 4.14 to 4.14.127

CVE-2019-11555

Description: The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_pwd.c and eap_peer/eap_pwd.c.

Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11555
Commits:
b463a13 hostapd: fix multiple security problems

releases/18.06/changelog-18.06.4.txt · Last modified: 2019/07/04 05:18 by jow