OpenWrt 23.05.0-rc2 Changelog
This changelog lists all commits made in OpenWrt since the v23.05.0-rc1 tag, grouped by subsystem. The changes are ordered chronologically from top to bottom and cover the Git repository history up to the tagging of the 23.05.0-rc2 release.
See also the release notes that provide a more accessible overview of the main changes in 23.05.0-rc2.
Build System / Buildroot (21 changes)
b059aaf
build: export GIT_CEILING_DIRECTORIES for package builds (+2)
d05d886
image: improve uImage.FIT device tree overlay support (+22,-8)
4bb75f6
image: introduce DEVICE_DTC_FLAGS and DEVICE_DTCO_FLAGS (+22,-9)
948dc51
treewide: add ORIG_PATH variable (+9)
c7bd7a9
prereq-build: fix inconsistent value of $PATH (+3,-4)
43b92ff
prereq-build: do not replace binaries with symlinks (+4)
e972e4f
prereq-build: replace relative symlinks only if broken (+5)
ea22a1f
host-build: add support for a stampfile per installed binary (+4,-3)
f489858
grub2: enable EFI for armvirt (+41,-10)
ddb8845
scripts: gen_image_generic: allow the partition types to be set (+3,-1)
04d2f8f
build: use 128MiB as the boot/kernel partition size on armvirt target (+1)
0bedcbb
build: enable vmdk/vmware images for arm64 target (+2,-2)
a6afb3a
config: change references from armvirt to armsr (+5,-5)
ded67a3
scripts: qemustart: change armvirt references to armsr (+9,-9)
c05c069
u-boot.mk: add support for config customization (+3)
341e312
generic: groundwork for RISC-V (+41)
68bc059
kernel: bump 5.15 to 5.15.115 (+140,-473)
1de5f74
kernel: bump 5.15 to 5.15.116 (+18,-18)
1b6f2af
kernel: bump 5.15 to 5.15.117 (+36,-384)
63942b5
scripts: sercomm-kernel-header.py: improve compatibility (+3,-3)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Build System / Host Utilities (3 changes)
f307129
tools/findutils: define list of installed programs (+2)
0928545
tools/coreutils: rename list of installed programs (+4,-6)
0f30f47
firmware-utils: ptgen: add SiFive-related GUID types (+38)
Build System / Image Builder (1 change)
948dc51
treewide: add ORIG_PATH variable (+9)
Build System / SDK (2 changes)
Build System / Toolchain (2 changes)
948dc51
treewide: add ORIG_PATH variable (+9)
7390068
toolchain: gcc: backport inline subword atomic support for riscv (+6.2K,-3)
Kernel (20 changes)
76cabb9
kernel: Backport mvneta crash fix to 5.15 (+567,-12)
b99b89d
netfilter: fix typo in kmod-nft-dup-inet (+1,-1)
417b76b
generic: drop useless binfmt patch fixing compilation warning (-94)
11677aa
kernel: backport libcap workaround for BPF selftests (+433)
dc77819
generic: use only first element in bootconf for uImage.FIT (+15,-7)
7d48684
kernel: use struct group to wipe psb6970 volatile priv data (+9,-7)
ee7a223
kernel: fix wrong detection of Linux-Testing-Version in makefile DUMP (+9)
b1114c1
kernel: add mdio-bus-mux support (+15)
fc87a8f
generic: b53: rename exported symbols to avoid upstream conflict (+21,-21)
4d13a09
kernel: modules: fix mdio-bus-mux description (+1,-1)
963ce69
kernel: kmod-amazon-ena: move to top level netdevices (+15,-18)
23a828f
kernel: netdevices: change armvirt references to armsr (+4,-4)
753be38
kernel: mtd: bcm-wfi: add cferam name support (+14,-2)
68bc059
kernel: bump 5.15 to 5.15.115 (+140,-473)
8197901
kernel: add CONFIG_DRM_RCAR_USE_LVDS is not set (+1)
1de5f74
kernel: bump 5.15 to 5.15.116 (+18,-18)
1b6f2af
kernel: bump 5.15 to 5.15.117 (+36,-384)
09322f3
kernel: remove bridge offload hack (-846)
2cef1c3
netfilter: fix typo in nf-socket and nf-tproxy kconfig (+2,-2)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Packages / Boot Loaders (12 changes)
ecfcc47
uboot-rockchip: add Orange Pi R1 Plus support (+821)
3b8564f
uboot-rockchip: add Orange Pi R1 Plus LTS support (+499)
5f3c584
uboot-mediatek: adapt BPi-R3 and BPi-R64 to new device tree overlay (+40,-20)
41af35c
ipq807x: add initial support for prpl Foundation Haze board (+336,-1)
f489858
grub2: enable EFI for armvirt (+41,-10)
4b48f8a
grub2: change armvirt reference to armsr (+1,-1)
848759c
uboot-armsr: add support for QEMU armv7/armv8 (+104,-6)
08247ff
opensbi: add package for RISC-V (+63)
a11f2e6
uboot-sifiveu: add bootloader package for SiFive Ux40 boards (+566)
8a07469
ramips: Add support for Beeline SmartBox TURBO+ (+320,-9)
b6f2c58
ath79: add support for Aruba AP-115 (+261)
cd17d8d
filogic: add support for Netgear WAX220 (+324)
Packages / Common (11 changes)
1e4f9db
ubnt-ledbar: depend on mediatek and ramips subtargets (+1,-1)
a48d0bd
openssl: fix uci config for built-in engines (+3,-10)
436e477
kselftests-bpf: add kernel BPF tests (+63)
c78ba8a
valgrind: update to 3.21.0 (+25,-13)
e1d5949
openssl: update to 3.0.9 (+4,-294)
f3ec4a2
restool: update source.codeaurora.org repository link (+1,-1)
bc6bf2a
unetd: update to the latest version (+3,-3)
⇒ 412d030
network: prevent adding endpoint routes for addresses on the network (+81,-1)
⇒ faaf9ce
utils: fix ipv4 checksum issue (+1,-1)
⇒ 0e1c2fa
pex-msg: fix memory leak on fread fail in pex_msg_update_request_init (+3,-1)
⇒ 51be0ed
host: fix crash parsing gateway when no endpoint is specified (+1,-1)
⇒ ca17601
wg-linux: add support for splitting netlink messages for allowed ips (+32,-12)
⇒ 7d3986b
wg-linux: increase default messages size (+10,-1)
03455e7
qca-nss-dp: fix oops in nss_dp_probe (+3,-2)
e9ea571
wolfssl: change armvirt reference to armsr (+2,-2)
cd650f1
openssl: add linux-riscv64 into the targets list (+5,-1)
e9d2ff8
openssl: passing cflags to configure (+2,-1)
Packages / Firmware (3 changes)
774ca0c
ls-dpl: update source.codeaurora.org repository link (+1,-1)
793b9cd
ipq-wifi: bump to latest git HEAD (+5,-3)
⇒ 77775d2
ipq8074: add Netgear SXK80 ()
⇒ 6388ba9
ipq8074: update regdb for Netgear SXK80 BDF ()
⇒ c888dd0
qca-wireless: ipq40xx: Add BDFs for Eero Cento ()
⇒ a4cd21f
ipq8074: add Compex WPQ873 BDF ()
⇒ 0f73d32
ipq8074: update RegDB in new submitted BDF ()
7e6403a
ipq-wifi: update to version 2023-06-03 (+5,-3)
⇒ 47d5229
Add BDFs for prpl Foundation Haze board ()
⇒ a1897c8
qca-wireless: ipq40xx: add BDFs for ZTE MF287+ ()
⇒ a63bfab
ipq8074: update RegDB in new submitted BDF ()
⇒ 5b055ab
qcn9074: update RegDB in new submitted BDF ()
⇒ 40c4a35
Revert "ipq8074: update RegDB in new submitted BDF" ()
⇒ cd9c30c
ipq8074: update RegDB in new submitted BDF ()
Packages / OpenWrt base files (2 changes)
081dfcf
base-files: enable BPF JIT kallsyms by default (+1)
25f6252
base-files: upgrade: nand: add JFFS2 cleanmarkers support (+10,-2)
Packages / OpenWrt network userland (4 changes)
42976b1
netifd: update to version 2023-05-31 (+3,-3)
⇒ fb1add3
bridge: remove stray newline from device status vlan port list (+1,-1)
⇒ 1fe1d4f
treewide: fix multiple compiler warnings (+30,-25)
⇒ 9d68f39
cmake: fix build by reordering the cflags definitions (+2,-1)
⇒ 9ba4229
bridge: make it more clear why the config was applied (+10,-4)
⇒ 38cbdc1
bridge: bridge_dump_info: add dumping of bridge attributes (+26)
3bdefae
netifd: Fix PKG_MIRROR_HASH (+1,-1)
bb03069
netifd: update to the latest version (+3,-3)
⇒ ec9dba7
system-linux: fix memory leak in system_bridge_vlan_check (-3)
02a37de
odhcpd: bump to latest git HEAD (+3,-3)
⇒ c6bff6f
router: Add PREF64 (RFC 8781) support (+97,-1)
⇒ 5211264
odhcpd: add support for dhcpv6_pd_min_len parameter (+43)
Packages / OpenWrt system userland (2 changes)
c653104
libubox: update to the latest version (+3,-3)
⇒ b09b316
blobmsg: add blobmsg_parse_attr function (+7)
⇒ eac92a4
blobmsg: add blobmsg_parse_array_attr (+8,-1)
⇒ ef5e8e3
usock: fix poll return code check (+1,-4)
⇒ 6fc29d1
jshn.sh: Add pretty-printing to json_dump (+11,-1)
⇒ 5893cf7
blobmsg: Don't do at run-time what can be done at compile-time (+3,-3)
⇒ 362951a
uloop: fix uloop_run_timeout (+4,-5)
⇒ 75a3b87
uloop: add support for integrating with a different event loop (+32,-13)
106c83a
uhttpd: update to latest git HEAD (+3,-3)
⇒ 34a8a74
uhttpd/file: fix string out of buffer range on uh_defer_script (+2,-2)
Target / apm821xx (2 changes)
4743756
apm821xx: mx60: drop nand-is-boot-medium (-2)
04ddeb8
apm821xx: switch over from DTB_SIZE to DEVICE_DTC_FLAGS (+19,-34)
Target / armsr (2 changes)
7198185
armsr: rename from armvirt (+38,-34)
848759c
uboot-armsr: add support for QEMU armv7/armv8 (+104,-6)
Target / armvirt (19 changes)
7c223a8
armvirt: add EFI support (+393,-19)
3f72d24
armvirt: disable LD dead code elimination on ARM32 (+23)
649d3a7
armvirt: update README with new image names (+40,-8)
84f566b
armvirt: set kernel partition as the EFI system partition (+1,-1)
b0e724e
armvirt: remove model name override (-13)
0bedcbb
build: enable vmdk/vmware images for arm64 target (+2,-2)
23ca9a1
armvirt: add ACPI support (+140,-1)
182fb97
armvirt: add 5.15 patches for NXP DPAA2 platform (+108)
f1a02ba
armvirt: add options and driver modules for NXP Layerscape DPAA2 platform (+157,-5)
2bec445
armvirt: 64: add support for other SystemReady-compatible vendors (+308,-3)
3eb2543
armvirt: 64: Add NXP i.MX 8M Mini/Nano/Quad/Plus EVK support (+155,-3)
a80eeec
armvirt: 64: Add storage support for qemu-sbsa platform (+4)
a86b74c
armvirt: 64: add Marvell (formerly Cavium) ThunderX series network driver (+20,-2)
bbd1676
armvirt: 64: add Allwinner A3/A83T/A64 (sun8i family) Ethernet (+12,-1)
4177b69
armvirt: package and select Rockchip DWMAC Ethernet driver (+13,-2)
067f252
armvirt: config changes required for framebuffer console (+13)
bacc385
armvirt: base-files: add tty0 to inittab (+1)
86b5022
armvirt: 64: disable CONFIG_SMC91X (+1,-1)
7198185
armsr: rename from armvirt (+38,-34)
Target / ath25 (1 change)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Target / ath79 (4 changes)
1de5f74
kernel: bump 5.15 to 5.15.116 (+18,-18)
1b6f2af
kernel: bump 5.15 to 5.15.117 (+36,-384)
b6f2c58
ath79: add support for Aruba AP-115 (+261)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Target / bcm27xx (2 changes)
Target / bcm63xx (4 changes)
3506efe
bcm63xx: fix NETGEAR DGND3700v2 boot loop (+1)
e6acfe0
bcm63xx: switch to standard nand_do_upgrade (+2,-37)
dee8ca6
bcm63xx: fix the Home Hub 2a power LED (+1,-1)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Target / bmips (22 changes)
8a77ffc
bmips: bump LZMA Loader address (+1,-1)
725319a
bmips: add support for Observa VH4032N (+269,-2)
f25afae
bmips: add support for Netgear DGND3700 v1, DGND3800B (+334)
13579e6
bmips: add support for Netgear EVG2000 (+260,-1)
0ea4866
bmips: dts: improve and align device tree files (+40,-71)
b6c9312
bmips: image: rename Device/bcm63xx_netgear (+4,-4)
bb1f3eb
bmips: dgnd3700v1/dgnd3800b: add missing kmod-leds-gpio (+4,-2)
0880d5d
bmips: add support for Comtrend VR-3025un (+200)
cfdcf4b
bmips: add support for Comtrend WAP-5813n (+249)
8f1251a
bmips: add support for Comtrend AR-5381u (+205)
18a85ec
bmips: fix NETGEAR DGND3700v2 boot loop (+1)
70afa8e
bmips: switch to standard nand_do_upgrade (+4,-45)
40966d6
bmips: add support for Actiontec R1000H (+241)
b8bbe0d
bmips: bump LOADER_ENTRY to RAM + 16M (+1,-1)
3d66e7f
bmips: add support for Sercomm AD1018 (+353)
b073d6c
bmips: dts: dgnd3700: fix WAN port (+1,-1)
66e1bef
bmips: add support for Comtrend VG-8050 (+258)
6d37705
bmips: fix DMA RAC flush (+84)
43746c4
bmips: enable the data Read Ahead Cache for BMIPS4350 (+42)
ac68321
bmips: add support for NuCom R5010UNv2 (+234,-2)
aa256ab
bmips: add support for Arcadyan AR7516 (+208)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Target / ipq40xx (2 changes)
0c15f45
ipq40xx: convert Buffalo WTR-M2133HP to DSA (+31,-2)
b1b829a
ipq40xx: meraki-mr33, meraki-mr74: disable image generation (+2)
Target / ipq806x (3 changes)
ea11b6e
ipq806x: use new package name for NEC WG2600HP3 (+1,-1)
11ad38f
Revert "ipq806x: disable cache and fabric devfreq driver to improve stability" (+2,-2)
6f9495b
ipq806x: set PERFORMANCE as the default cpufreq governor (+2,-2)
Target / ipq807x (4 changes)
145d485
ipq807x: image: factor out common eMMC bits (+12,-9)
f8d26ec
ipq807x: image: cleanup unused variables (-3)
41af35c
ipq807x: add initial support for prpl Foundation Haze board (+336,-1)
1e7fa53
ipq807x: image: fix eMMC flashing/recovery from within initramfs (+2,-2)
Target / lantiq (1 change)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Target / layerscape (2 changes)
16d06a1
layerscape: 5.15: update source.codeaurora.org ppfe driver reference (+1,-1)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Target / mediatek (11 changes)
c4c14e9
mediatek: use cpufreq fix suggested by MediaTek (+53,-29)
4494791
mediatek: use existing I2C clock names (+1,-56)
d46e13d
mediatek: convert mt7986a-zyxel-ex5601-t0-stock.dts to UNIX (+560,-560)
bca0403
mediatek: use updated device tree overlay mechanism for BPi-R64 (+19,-2)
a65ec9f
mediatek: sync MT7986 device trees with upstream (+994,-1.0K)
49bd38f
mediatek: set new compat version if booted on R64 and R3 (+20)
703a551
mediatek: use DEVICE_DTC_FLAGS for BPi-R64 (+1)
e827f8f
mediatek: use DEVICE_DTC_FLAGS and drop DTC_FLAGS where not needed (+1,-3)
1b6f2af
kernel: bump 5.15 to 5.15.117 (+36,-384)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
cd17d8d
filogic: add support for Netgear WAX220 (+324)
Target / mvebu (2 changes)
76cabb9
kernel: Backport mvneta crash fix to 5.15 (+567,-12)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Target / octeon (1 change)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Target / oxnas (1 change)
2804fff
oxnas: Enable CONFIG_CRYPTO_LZ4 (+3)
Target / ramips (11 changes)
b42ee4d
ramips: fix lzma-loader for ASIARF boards (+2)
0c885c1
ramips: tplink,mr600v2: fix image generation for sysupgrade image (+3)
91221d9
ramips: enable LED button for TP-Link EC330-G5u v1 (+16)
bc7362f
ramips: fix first boot network configuration for TOZED ZLT S12 PRO (+1)
df34f71
ramips: fix button definitions for Zyxel WSM20 (+2,-2)
8b20b8f
ramips: mt7621-dts: move wan port to gmac1 YunCore FAP-640 (+20,-7)
1de5f74
kernel: bump 5.15 to 5.15.116 (+18,-18)
8a07469
ramips: Add support for Beeline SmartBox TURBO+ (+320,-9)
0a63e72
ramips: mt7621: add support for Zbtlink ZBT-WG1608 (32M) (+29,-1)
fca03ea
ramips: fix lan leds for Wavlink WL-WN535K1 (+5,-5)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Target / realtek (3 changes)
61c1b9a
realtek: Add missing headers (+8)
e7aae81
realtek: eth: Do not write directly to dev->addr (+13,-11)
51c397c
kernel: bump 5.15 to 5.15.118 (+50,-50)
Target / rockchip (3 changes)
c11115b
rockchip: add Orange Pi R1 Plus support (+505,-3)
3f3586a
rockchip: add Orange Pi R1 Plus LTS support (+88,-4)
a46e5ce
rockchip: fix setup network config for nanopi r2c (+1)
Target / sifiveu (2 changes)
4a281a7
sifiveu: add new target for SiFive U-based boards (+1.3K)
1b6f2af
kernel: bump 5.15 to 5.15.117 (+36,-384)
Target / x86 (2 changes)
ef1effd
x86/64: Enable IOMMU_V2 support for later CPUs (+1,-1)
963ce69
kernel: kmod-amazon-ena: move to top level netdevices (+15,-18)
Target / {armvirt => armsr} (1 change)
7198185
armsr: rename from armvirt (+38,-34)
Wireless / Common (3 changes)
802e99a
mac80211: backport EMA beacon support (+374,-2)
7baa157
mac80211: ath11k: sync with ath-next (+2.7K,-8)
e962f86
mac80211: always use mac80211 loss detection (+36)
Miscellaneous (2 changes)
Addressed bugs
#12766
Description: arm_mpcore: SDK fails to compile kmod-lib-lz4
Link: https://github.com/openwrt/openwrt/issues/12766
Commits:
2804fff
oxnas: Enable CONFIG_CRYPTO_LZ4 (+3)
#12866
Description: openssl fails to compile for mips64_octeonplus
Link: https://github.com/openwrt/openwrt/issues/12866
Commits:
e9d2ff8
openssl: passing cflags to configure (+2,-1)
Security fixes
CVE-2023-0464
Description: A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464
Commits:
e1d5949
openssl: update to 3.0.9 (+4,-294)
CVE-2023-0465
Description: Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0465
Commits:
e1d5949
openssl: update to 3.0.9 (+4,-294)
CVE-2023-0466
Description: The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0466
Commits:
e1d5949
openssl: update to 3.0.9 (+4,-294)
CVE-2023-1255
Description: Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare circumstances. The AES-XTS algorithm is usually used for disk encryption. The AES-XTS cipher decryption implementation for 64 bit ARM platform will read past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext buffer is unmapped, this will trigger a crash which results in a denial of service. If an attacker can control the size and location of the ciphertext buffer being decrypted by an application using AES-XTS on 64 bit ARM, the application is affected. This is fairly unlikely making this issue a Low severity one.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1255
Commits:
e1d5949
openssl: update to 3.0.9 (+4,-294)
CVE-2023-2650
Description: Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. 
The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2650
Commits:
e1d5949
openssl: update to 3.0.9 (+4,-294)