OpenWrt v21.02.4 Changelog
This changelog lists all commits made in OpenWrt since the v21.02.3 tag, grouped by subsystem. The changes are ordered chronologically from top to bottom and cover the Git repository history up to the tagging of the 21.02.4 release.
See also the release notes, which provide a more accessible overview of the main changes in 21.02.4.
Build System / Buildroot (14 changes)
bd84d51
build: fix ldconfig executable error in python (+1,-2)
44fa330
kernel: use KCFLAGS for passing EXTRA_OPTIMIZATION flags (+4,-11)
b0968be
kernel: support setting extra CFLAGS for kernel compilation (+5,-1)
b54ef39
bcm53xx: use -falign-functions=32 for kernel compilation (+1)
d445df8
feeds: use git-src-full to allow Git versioning (+6,-6)
4e22175
scripts: add xxdi.pl (+50)
70124b8
scripts: xxdi.pl: remove File::Slurp dependency (+17,-2)
45a486b
scripts: xxdi.pl: add xxd -i compat mode (+19,-18)
1c8c846
build: provide xxd -i with scripts/xxdi.pl (+4,-1)
f0bca34
scripts: always check certificates (+11,-2)
f14d7ce
scripts/download.pl: silence can't exec curl warning (+1,-1)
c07c565
scripts/download.pl: fix downloads with wget (+8,-2)
af88bdb
Makefile: fix stray \ warnings with grep-3.8 (+1,-1)
830b07f
build: add support for python3.11 and higher (+4,-2)
Build System / Feeds (1 change)
d445df8
feeds: use git-src-full to allow Git versioning (+6,-6)
Build System / Host Utilities (3 changes)
206d790
tools/libressl: update to version 3.4.3 (+2,-2)
2f82fc6
tools/libelf: alpine linux os type: linux-musl fix (+11)
c6d3f39
tools: remove xxd package (+1,-20)
Build System / SDK (2 changes)
41e0dc5
sdk: add spidev-test to the bundle of userspace sources (+16,-4)
fc86176
build: fix warnings from grep (+1,-1)
Kernel (22 changes)
1418439
kernel: add missing config symbols (+2)
e0bdf83
kernel: bump 5.4 to 5.4.191 (+113,-219)
7ae0f74
kernel: bump 5.4 to 5.4.192 (+21,-21)
ce92de8
kernel: bump 5.4 to 5.4.194 (+13,-13)
be06390
kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
6d891ad
kernel: check dst of flow offloading table (+119,-22)
8001e19
kernel: backport wireguard blake2s patch (+108)
3439c2f
kernel: Remove kmod-crypto-lib-blake2s (+1,-24)
44fa330
kernel: use KCFLAGS for passing EXTRA_OPTIMIZATION flags (+4,-11)
4ec80cd
kernel: drop patch adding hardcoded kernel compilation flags (-25)
e481244
kernel: backport LEDs driver for BCMBCA devices (+499)
e0b7557
kernel: update leds-bcm63138 driver (+85)
8d24ea3
kernel: rename 5.20 patches to 6.0 ()
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
afc1839
kernel: backport mtd patch adding of_platform_populate() calls (+88,-15)
c3c59e6
kernel: backport U-Boot environment data NVMEM driver (+359,-9)
8e5de89
kernel: bump 5.4 to 5.4.213 (+102,-107)
edf3363
kernel: backport mtd dynamic partition patch (+110,-4)
6564d3e
bcm53xx: update NVMEM driver for NVRAM (+230,-5)
4c45c11
kernel: update U-Boot NVMEM driver (+59)
221c624
kernel: fix possible mtd NULL pointer dereference (+32,-2)
084a8a2
kernel: bump 5.4 to 5.4.215 (+71,-71)
Packages / Boot Loaders (6 changes)
caeb618
ramips: add support for Sitecom WLR-4100 v1 002 (+204,-2)
052ff08
sunxi: add support for Banana Pi M2 Berry (+17)
3210166
ramips: add support for YunCore AX820/HWAP-AX820 (+152,-1)
4dca82b
uboot-bcm4908: update to the latest generic (+3,-3)
⇒ 6fb1cb6
arm: dts: add Netgear RAXE450 / RAXE550 (+52,-1)
⇒ 0625aad
arm: dts: add ASUS GT-AX6000 (+119,-1)
ee34451
uboot-bcm4908: add BCM4912 build (+33,-3)
5a31942
uboot-bcm4908: include SoC in output files (+4,-2)
Packages / Common (21 changes)
75cbd8d
wolfssl: fix compilation with /dev/crypto (+19)
b4a9597
hostapd: add support for enabling link measurements (+10)
1a2940f
hostapd: add ubus method for requesting link measurements (+65)
e2030fc
hostapd: add ubus link-measurements notifications (+43)
39aaec6
hostapd: refresh patches (+4,-4)
60e88fd
exfat: update to 5.19.1 (+2,-2)
78b7515
openssl: bump to 1.1.1o (+6,-6)
c2147ae
cryptodev-linux: update to 1.12 (+3,-35)
2039c04
openssl: bump to 1.1.1p (+2,-2)
6f89233
openssl: bump to 1.1.1q (+2,-2)
41e0dc5
sdk: add spidev-test to the bundle of userspace sources (+16,-4)
5f189f2
zlib: backport fix for heap-based buffer over-read (CVE-2022-37434) (+33,-1)
b93327c
zlib: backport null dereference fix (+30,-1)
f5db80a
uclibc++: fix compilation with long file paths (+86)
69ea8af
hostapd: ubus: fix uninitialized pointer (+1,-1)
cb65014
mac80211: disable ft-over-ds by default (+1,-1)
049e8f6
wolfssl: bump to v5.3.0-stable (+2,-45)
a13dacb
wolfssl: bump to 5.4.0 (+4,-4)
4be7eb7
wolfssl: bump to 5.5.0 (+5,-5)
914d912
wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173) (+2,-2)
8444302
treewide: fix security issues by bumping all packages using libwolfssl (+3,-3)
Packages / Firmware (6 changes)
c663368
firmware: intel-microcode: update to 20220207 (+4,-4)
4c8bf08
firmware: intel-microcode: update to 20220510 (+2,-2)
93f6051
wireless-regdb: update to version 2022.02.18 (+2,-2)
c028078
wireless-regdb: bump to 2022.06.06 (+3,-3)
2179d06
wireless-regdb: update to 2022-08-12 (+2,-2)
82ebc17
firmware: intel-microcode: update to 20220809 (+2,-2)
Packages / OpenWrt base files (1 change)
1ea34b9
base-files: add support for heartbeat led trigger (+9)
Packages / OpenWrt network userland (9 changes)
f7c445a
iwinfo: update to the latest version (+4,-4)
⇒ aa0e3c4
iwinfo: nl80211: add support for printing the device path for a phy (+91)
⇒ dd6d6d2
iwinfo: nl80211: use new path lookup function for nl80211_phy_idx_from_uci_path (+17,-30)
⇒ 268bb26
iwinfo: nl80211: support looking up phy by path=.. and macaddr=... (+25,-17)
⇒ c041464
iwinfo: nl80211: fix typo (+1,-1)
44781b2
iwinfo: update to the latest version (+3,-3)
⇒ c9b1672
nl80211: fix path compatibility issue (+11,-1)
01cc5e1
iwinfo: update to latest Git HEAD (+4,-4)
⇒ a0a0e02
iwinfo: rename hardware.txt to devices.txt (+1,-1)
b519d76
iwinfo: update to latest Git head (+3,-3)
⇒ 0e2a318
devices: add AMD RZ608 device-id (+1)
⇒ 234075b
devices: fix AMD RZ608 format (+1,-1)
⇒ 90bfbb9
devices: Add Cypress CYW43455 (+1)
5a18028
iwinfo: update to latest HEAD (+3,-3)
⇒ 562d015
iwinfo: nl80211: fix hwmode parsing for multi-band NICs (+33,-6)
⇒ a479b9b
devices: remove whitespace (+1,-1)
5b7d01b
iwinfo: update to latest HEAD (+3,-3)
⇒ dc6847e
iwinfo: nl80211: omit A-hwmode on non-5GHz hardware (+5,-5)
dd58c12
iwinfo: drop obsolete patch (-26)
b4ea8e1
firewall: config: remove restictions on DHCPv6 allow rule (+2,-4)
8444302
treewide: fix security issues by bumping all packages using libwolfssl (+3,-3)
Target / apm821xx (2 changes)
Target / ath25 (1 change)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
Target / ath79 (7 changes)
e0bdf83
kernel: bump 5.4 to 5.4.191 (+113,-219)
7ae0f74
kernel: bump 5.4 to 5.4.192 (+21,-21)
be06390
kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
1dd4b3f
ath79: add support for MikroTik RouterBOARD hAP ac lite (+142)
8b552b1
ath79: add support for RouterBOARD mAP (+134)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
8e5de89
kernel: bump 5.4 to 5.4.213 (+102,-107)
Target / bcm27xx (6 changes)
e0bdf83
kernel: bump 5.4 to 5.4.191 (+113,-219)
7ae0f74
kernel: bump 5.4 to 5.4.192 (+21,-21)
ce92de8
kernel: bump 5.4 to 5.4.194 (+13,-13)
be06390
kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
8e5de89
kernel: bump 5.4 to 5.4.213 (+102,-107)
Target / bcm4908 (12 changes)
e481244
kernel: backport LEDs driver for BCMBCA devices (+499)
c0448cd
bcm4908: backport latest DT patches (+363,-1)
366dfa4
bcm4908: use upstream-accepted watchdog patches (+11,-1)
114fc36
bcm4908: include U-Boot DTB files for ASUS GT-AX6000 & Netgear RAX220 (+34)
1727e35
bcm4908: backport bcmbca DT patches queued for 5.20 (+1.2K)
28ab4f3
bcm4908: prepare for Asus GT-AX6000 support (+10)
cc9c725
bcm4908: build bootfs image per-SoC (+92,-59)
36bab92
bcm4908: enable & setup packet steering (+49)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
61cf5ab
bcm4908: enable NVMEM U-Boot env data driver (+3)
deaad2c
bcm4908: backport mtd parser for Broadcom's U-Boot partition (+138)
f33b14d
bcm4908: fix -EPROBE_DEFER support in bcm4908_enet (+64,-1)
Target / bcm53xx (9 changes)
e0bdf83
kernel: bump 5.4 to 5.4.191 (+113,-219)
c032ed3
bcm53xx: disable GRO by default at kernel level (+32)
a50f5b3
bcm53xx: enable & setup packet steering (+47)
e481244
kernel: backport LEDs driver for BCMBCA devices (+499)
c3c59e6
kernel: backport U-Boot environment data NVMEM driver (+359,-9)
44ce70f
bcm53xx: drop downstream patch that now breaks pinctrl driver (-31)
8e5de89
kernel: bump 5.4 to 5.4.213 (+102,-107)
6564d3e
bcm53xx: update NVMEM driver for NVRAM (+230,-5)
abf2c60
bcm53xx: backport clk driver fix for DT nodes names (+72)
Target / bcm63xx (2 changes)
e481244
kernel: backport LEDs driver for BCMBCA devices (+499)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
Target / ipq40xx (4 changes)
e9431a8
ipq40xx: fix ar40xx driver (+3)
e0bdf83
kernel: bump 5.4 to 5.4.191 (+113,-219)
cd7e6c8
ipq40xx: add Linksys MR8300 WAN port (+6,-2)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
Target / ipq806x (4 changes)
ce92de8
kernel: bump 5.4 to 5.4.194 (+13,-13)
be06390
kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
09dae4f
ipq806x: Archer VR2600: fix switch ports numbering (+3,-3)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
Target / lantiq (3 changes)
e0bdf83
kernel: bump 5.4 to 5.4.191 (+113,-219)
be06390
kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
Target / layerscape (6 changes)
e0bdf83
kernel: bump 5.4 to 5.4.191 (+113,-219)
7ae0f74
kernel: bump 5.4 to 5.4.192 (+21,-21)
be06390
kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
8e5de89
kernel: bump 5.4 to 5.4.213 (+102,-107)
084a8a2
kernel: bump 5.4 to 5.4.215 (+71,-71)
Target / mediatek (6 changes)
e0bdf83
kernel: bump 5.4 to 5.4.191 (+113,-219)
7ae0f74
kernel: bump 5.4 to 5.4.192 (+21,-21)
be06390
kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
68fbcc4
mediatek: remove crypto-hw-mtk package (-23)
1247010
mediatek: mt7623: fixes kconfig for hwcrypto (+1,-1)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
Target / mvebu (6 changes)
6c44b15
mvebu: kernel: enable CONFIG_BLK_DEV_NVME (+5)
e0bdf83
kernel: bump 5.4 to 5.4.191 (+113,-219)
ce92de8
kernel: bump 5.4 to 5.4.194 (+13,-13)
be06390
kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
76ee3e1
mvebu: move upstreamed DTS files (ESPRESSObin) to files-5.4 ()
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
Target / octeon (2 changes)
f94b30d
octeon: add SUPPORTED_DEVICES to er/erlite (+2)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
Target / octeontx (1 change)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
Target / oxnas (4 changes)
e0bdf83
kernel: bump 5.4 to 5.4.191 (+113,-219)
ce92de8
kernel: bump 5.4 to 5.4.194 (+13,-13)
be06390
kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
Target / pistachio (1 change)
edf3363
kernel: backport mtd dynamic partition patch (+110,-4)
Target / ramips (26 changes)
bea1891
ramips: remove obsolete mx25l25635f compatible hack (+4,-4)
92489b4
ramips: speed up spi frequency for Youku YK-L1 (+1,-1)
55f8eb8
ramips: improve pinctrl for Youku YK-L1 (+4,-16)
92af150
ramips: split Youku YK1 to YK-L1 and YK-L1c (+45,-12)
4123f17
ramips: add support for the Wavlink WL-WN579X3 (+227)
08ec622
ramips: make PHY initialization more descriptive (+4,-3)
c652a06
ramips: mt7620: enable autonegotiation for all ports (+1)
a14c2d4
ramips: mt7620: simplify DTS properties for GMAC (+23,-125)
6491212
ramips: mt7620: remove useless GMAC nodes (+4,-27)
01bbed7
ramips: mt7620: fix ethernet driver GMAC port init (+9,-15)
5d7805c
ramips: mt7620: allow both internal and external PHYs (+57,-62)
6876465
ramips: mt7620: use DTS to set PHY base address for external PHYs (+60,-7)
47db830
ramips: mt7620: move mt7620_mdio_mode() to ethernet driver (+38,-74)
6685eb2
ramips: mt7620: add ephy-disable option to switch driver (+13,-2)
3f976d0
ramips: mt7620: fix RGMII TXID PHY mode (+1,-1)
30e47fb
ramips: mt7620: ethernet: use more macros and bump version (+11,-7)
1769e31
ramips: mt7620: disable SOC VLANs for external switches (+6)
13c8895
ramips: zbt-wg2626: Add the reset gpio for PCIe port 1 (+3)
01dcdf7
ramips: fix RT-AC57U button level (+1,-1)
09a3561
ramips: fix booting on ZyXEL NBG-419N v2 (+1)
be06390
kernel: bump 5.4 to 5.4.203 (+262,-1.4K)
caeb618
ramips: add support for Sitecom WLR-4100 v1 002 (+204,-2)
3210166
ramips: add support for YunCore AX820/HWAP-AX820 (+152,-1)
bcaabe6
kernel: bump 5.4 to 5.4.211 (+192,-253)
1f24bd1
rampis: feed zbt-we1026 external watchdog (+9)
c670dfb
mt7620: fix missing kernel config symbol (+1)
Target / sunxi (1 change)
052ff08
sunxi: add support for Banana Pi M2 Berry (+17)
Target / x86 (1 change)
3439c2f
kernel: Remove kmod-crypto-lib-blake2s (+1,-24)
Wireless / Common (1 change)
39f1815
mac80211: fix QCA9561 PA bias (+47)
Wireless / MT76 (1 change)
4cb9d08
mt76: backport fix encap offload ethernet type check (+63)
Addressed bugs
#5066
Description: Firewall: Default Allow-DHCPv6 rule option src_ip 'fc00::/6' prevents receiving ipv6 DHCP from ISP
Link: https://github.com/openwrt/openwrt/issues/5066
Commits:
b4ea8e1
firewall: config: remove restictions on DHCPv6 allow rule (+2,-4)
FS#4227 (#9209)
Description: mr8300: no WAN port in switch
Link: https://github.com/openwrt/openwrt/issues/9209
Commits:
cd7e6c8
ipq40xx: add Linksys MR8300 WAN port (+6,-2)
#9842
Description: [Zyxel NBG-419n v2 / 21.02.x boot fails / bootloop
Link: https://github.com/openwrt/openwrt/issues/9842
Commits:
09a3561
ramips: fix booting on ZyXEL NBG-419N v2 (+1)
#10275
Description: TP-Link Archer VR2600 v1 - Labelled LAN ports on router do not match Switch port numbering
Link: https://github.com/openwrt/openwrt/issues/10275
Commits:
09dae4f
ipq806x: Archer VR2600: fix switch ports numbering (+3,-3)
#10555
Description: Tools: broken xxd download link
Link: https://github.com/openwrt/openwrt/issues/10555
Commits:
45a486b
scripts: xxdi.pl: add xxd -i compat mode (+19,-18)
1c8c846
build: provide xxd -i with scripts/xxdi.pl (+4,-1)
c6d3f39
tools: remove xxd package (+1,-20)
#10692
Description: SSL certificate checking fails for source downloads (at least with wget)
Link: https://github.com/openwrt/openwrt/issues/10692
Commits:
c07c565
scripts/download.pl: fix downloads with wget (+8,-2)
Security fixes
CVE-2020-8694
Description: Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694
Commits:
c663368
firmware: intel-microcode: update to 20220207 (+4,-4)
CVE-2020-8695
Description: Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8695
Commits:
c663368
firmware: intel-microcode: update to 20220207 (+4,-4)
CVE-2021-0127
Description: Insufficient control flow management in some Intel(R) Processors may allow an authenticated user to potentially enable a denial of service via local access.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0127
Commits:
c663368
firmware: intel-microcode: update to 20220207 (+4,-4)
CVE-2021-0145
Description: Improper initialization of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0145
Commits:
c663368
firmware: intel-microcode: update to 20220207 (+4,-4)
CVE-2021-0146
Description: Hardware allows activation of test or debug logic at runtime for some Intel(R) processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0146
Commits:
c663368
firmware: intel-microcode: update to 20220207 (+4,-4)
CVE-2021-33120
Description: Out of bounds read under complex microarchitectural condition in memory subsystem for some Intel Atom(R) Processors may allow authenticated user to potentially enable information disclosure or cause denial of service via network access.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33120
Commits:
c663368
firmware: intel-microcode: update to 20220207 (+4,-4)
CVE-2022-1292
Description: The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292
Commits:
2039c04
openssl: bump to 1.1.1p (+2,-2)
CVE-2022-2068
Description: In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068
Commits:
2039c04
openssl: bump to 1.1.1p (+2,-2)
CVE-2022-2097
Description: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097
Commits:
6f89233
openssl: bump to 1.1.1q (+2,-2)
CVE-2022-21151
Description: Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21151
Commits:
4c8bf08
firmware: intel-microcode: update to 20220510 (+2,-2)
CVE-2022-21233
Description: Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21233
Commits:
82ebc17
firmware: intel-microcode: update to 20220809 (+2,-2)
CVE-2022-34293
Description: wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34293
Commits:
a13dacb
wolfssl: bump to 5.4.0 (+4,-4)
CVE-2022-37434
Description: zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
Commits:
5f189f2
zlib: backport fix for heap-based buffer over-read (CVE-2022-37434) (+33,-1)
b93327c
zlib: backport null dereference fix (+30,-1)
CVE-2022-39173
Description: In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. This occurs when an attacker supposedly resumes a previous TLS session. During the resumption Client Hello a Hello Retry Request must be triggered. Both Client Hellos are required to contain a list of duplicate cipher suites to trigger the buffer overflow. In total, two Client Hellos have to be sent: one in the resumed session, and a second one as a response to a Hello Retry Request message.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39173
Commits:
914d912
wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173) (+2,-2)
8444302
treewide: fix security issues by bumping all packages using libwolfssl (+3,-3)