33 matches found
Security Advisory 2024-12-06-1 - OpenWrt Attended SysUpgrade server: Build artifact poisoning via truncated SHA-256 hash and command injection (CVE-2024-54143)
DESCRIPTION Due to the combination of the command injection in the imagebuilder image and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes the hash collision. The issue consists of two main...
Security Advisory 2022-10-17-1 - Multiple issues in mac80211 and cfg80211 (CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721 and CVE-2022-42722)
DESCRIPTION Multiple vulnerabilities were found in the Linux kernel mac80211 and cfg80211 framework. OpenWrt takes the mac80211 and cfg80211 framework from the wireless backports project, which copies it from a more recent Linux kernel version. These vulnerabilities are in the multi BSSID (MBSSID)...
Security Advisory 2022-10-04-1 - wolfSSL buffer overflow during a TLS 1.3 handshake (CVE-2022-39173)
DESCRIPTION In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow on the server during a TLS 1.3 handshake. This occurs when an attacker supposedly resumes a previous TLS session. During the resumption Client Hello a Hello Retry Request must be triggered. Both Client Hellos are...
Security Advisory 2021-08-01-2 - Stored XSS in hostname UCI variable (CVE-2021-33425)
DESCRIPTION Multiple OpenWrt LuCI templates, including the one shipped by default, integrated the content of the UCI hostname variable without stripping malicious JavaScript from it. This allowed an attacker who can control the content of the UCI hostname variable to inject an arbitrary...
Security Advisory 2021-08-01-3 - luci-app-ddns: Multiple authenticated RCEs (CVE-2021-28961)
DESCRIPTION An authenticated user in LuCI is able to inject shell code in luci-app-ddns. Multiple variables in the luci-app-ddns application were not validated before they were executed on the system's shell, which could be exploited by adding system shell commands. REQUIREMENTS To exploit this...
Security Advisory 2021-08-01-1 - XSS via missing input validation of host names displayed (CVE-2021-32019)
DESCRIPTION Missing input validation of host names displayed in OpenWrt LuCI web-interface leads to Cross-site scripting, which can be used to gain full control over the affected system. REQUIREMENTS Users need to visit the LuCI “Connection status” page of the router and activate the host name...
Security Advisory 2021-02-02-1 - netifd and odhcp6c routing loop on IPv6 point to point links (CVE-2021-22161)
DESCRIPTION In case a link prefix route points to a point-to-point link it can trigger a routing loop if the destination IPv6 address belongs to the prefix and is not a local IPv6 address. If such a packet is received and not directed to a local IPv6 address it will be routed back to the...
Security Advisory 2021-02-02-2 - wolfSSL heap buffer overflow in RsaPad_PSS (CVE-2020-36177)
DESCRIPTION RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. The issue is marked as critical with a CVSS score of 9.8. REQUIREMENTS It's still work in progress, there is not that much information about it...
Security Advisory 2021-01-19-1 - dnsmasq multiple vulnerabilities (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687)
DESCRIPTION Dnsmasq has two sets of vulnerabilities, one set of memory corruption issues handling DNSSEC and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on the target device and perform cache poisoning attacks against the target...
Security Advisory 2021-01-17-1 - OpenWrt forum break-in on 16-Jan-2021
DESCRIPTION Around 0400 GMT on 16 Jan 2021, an administrator account on the OpenWrt forum https://forum.openwrt.org was breached. It is not known how the account was accessed: the account had a good password, but did not have two-factor authentication enabled. The intruder was able to download a...
Security Advisory 2020-12-09-1 - Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack (CVE-2020-25705)
DESCRIPTION A flaw has been found in the ICMP rate limiting algorithm of the Linux kernel. This flaw allows an off-path attacker to quickly determine open ephemeral ports that are used by applications making outbound connections. This can be exploited by an off-path attacker to more easily perfor...
Security Advisory 2020-12-09-2 - libuci import heap use after free (CVE-2020-28951)
DESCRIPTION A possibly exploitable vulnerability was found in the Unified Config Interface (UCI) library named libuci, specifically in the uci_import C API function. CVE-2020-28951 has been assigned to this issue. REQUIREMENTS In order to exploit this vulnerability a...
Security Advisory 2020-05-06-1 - umdns out-of-bounds reads of heap data and possible buffer overflow (CVE-2020-11750)
DESCRIPTION umdns in OpenWrt through 18.06.8 and 19.07.2 has potential for out-of-bounds reads of heap data and possible buffer overflow. umdns is the OpenWrt Multicast DNS Daemon. We have not been made aware of any exploits at this time, however users are advised to update the umdns package to...
Security Advisory 2020-05-06-2 - relayd out-of-bounds reads of heap data and possible buffer overflow (CVE-2020-11752)
DESCRIPTION relayd in OpenWrt through 19.07.2 and 18.06.8 has potential for out-of-bounds reads of heap data and possible buffer overflow. relayd is a transparent routing / relay daemon for OpenWrt. It can be used to relay traffic between two networks, including DHCP and broadcast, when other...
Security Advisory 2020-02-21-1 - ppp buffer overflow vulnerability (CVE-2020-8597)
DESCRIPTION A remotely exploitable vulnerability was found in the Point-to-Point Protocol Daemon (pppd), which has a significant potential impact due to the possibility of remote code execution prior to authentication. OpenWrt by default enables the _FORTIFY_SOURCE=1 compiler macro which introduces...
Security Advisory 2020-01-31-2 - libubox tagged binary data JSON serialization vulnerability (CVE-2020-7248)
DESCRIPTION A possibly exploitable vulnerability exists in the libubox library of OpenWrt, specifically in the parts related to JSON conversion of tagged binary data, so-called blobs. An attacker could possibly exploit this behavior by providing a specially crafted binary blob or JSON which would the...
Security Advisory 2020-01-31-1 - Opkg susceptible to MITM (CVE-2020-7982)
DESCRIPTION A bug in the package list parse logic of OpenWrt's opkg fork caused the package manager to ignore SHA-256 checksums embedded in the signed repository index, effectively bypassing integrity checking of downloaded .ipk artifacts. The bug has been introduced with commit...
Security Advisory 2020-01-13-1 - uhttpd invalid data access via HTTP POST request (CVE-2019-19945)
DESCRIPTION An invalid data access can be triggered with an HTTP POST request to a CGI script specifying both Transfer-Encoding: chunked and a large Content-Length which exceeds 2^31 and is interpreted as a signed negative number. The negative content length is assigned to r->content_length in...
Security Advisory 2019-11-05-1 - LuCI stored XSS
DESCRIPTION A vulnerability has been reported in LuCI which allows injection of script code through maliciously crafted wireless network SSIDs. When joining a wireless network by clicking Network → Wireless → Join, the subsequent configuration view interprets the SSID of the network to join witho...
Security Advisory 2019-11-05-3 - ustream-ssl information disclosure (CVE-2019-5101, CVE-2019-5102)
DESCRIPTION An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a...
Security Advisory 2019-11-05-2 - LuCI CSRF vulnerability (CVE-2019-17367)
DESCRIPTION A logic flaw in LuCI's HTTP routing component led to ineffective CSRF token testing for various request endpoints, specifically ones using the arcombine dispatch action. This allows 3rd party web pages running in the same browser session as an active LuCI login session to perform...
curl: Security update (CVE-2016-0755)
The curl package has been rebuilt and was uploaded to the Chaos Calmer 15.05 repository due to a reported security issue. VERSION 7.40.0-3 => 7.40.0-3.1 CHANGELOG Wed, 2 Mar 2016 09:51:47 +0000 0914eea Bump pkg revision Tue, 1 Mar 2016 22:42:51 +0000 380df1a This fixes the following security...
wolfssl: Security update (2 CVEs)
The wolfssl package has been rebuilt and was uploaded to the Chaos Calmer 15.05 repository due to multiple security issues. VERSION 3.3.0-2 => 3.8.0-2 CHANGELOG Wed, 2 Mar 2016 10:01:48 +0000 cb7a26c Cyassl: disable Intel ASM for now With ASM support enabled, CyaSSL fails to build on all x86...
openssl: Security update (9 CVEs)
The openssl package has been rebuilt and was uploaded to the Chaos Calmer 15.05 repository due to multiple security issues. VERSION 1.0.2f-1 => 1.0.2g-1 CHANGELOG Tue, 1 Mar 2016 15:18:24 +0000 f4368a7 CVE-2016-0704 s2srvr.c overwrite the wrong bytes in the master-key when applying Bleichenbacher...
openssl: Security update (2 CVEs)
The openssl package has been rebuilt and was uploaded to the Barrier Breaker 14.07 repository due to multiple security issues. VERSION 1.0.2e-1 => 1.0.2f-1 CHANGELOG Fri, 29 Jan 2016 13:25:24 +0000 b763ba2 Openssl: update to 1.0.2f fixes CVE-2016-0701, CVE-2015-3197 CHANGES...
openssl: Security update (2 CVEs)
The openssl package has been rebuilt and was uploaded to the Chaos Calmer 15.05 repository due to multiple security issues. VERSION 1.0.2e-1 => 1.0.2f-1 CHANGELOG Thu, 28 Jan 2016 18:26:18 +0000 87e9837 Update to 1.0.2f fixes CVE-2016-0701, CVE-2015-3197 CHANGES package/libs/openssl/Makefile | 4...
pcre: Security update (18 CVEs)
The pcre package has been rebuilt and was uploaded to the Chaos Calmer 15.05 repository due to multiple security issues. VERSION 8.37-2 => 8.38-1 CHANGELOG Mon, 25 Jan 2016 14:08:12 +0100 560cb22 fixes: CVE 2015-2327 CVE 2015-2328 CVE 2015-8380 CVE 2015-8381 CVE 2015-8382 CVE 2015-8383 CVE 2015-83...
prosody: Security update (2 CVEs)
The prosody package has been rebuilt and was uploaded to the Chaos Calmer 15.05 repository due to multiple security issues. VERSION 0.9.8-1 => 0.9.9-1 CHANGELOG Mon, 25 Jan 2016 13:31:29 +0100 bb23089 fixes: path traversal vulnerability in mod_http_files CVE-2016-1231 use of weak PRNG in generation ...
php: Security update (CVE-2016-1903)
The php package has been rebuilt and was uploaded to the Chaos Calmer 15.05 repository due to a reported security issue. VERSION 5.6.16-1 => 5.6.17-1 CHANGELOG Sun, 24 Jan 2016 21:47:52 +0100 18d121b Update to 5.6.17 Fixes CVE-2016-1903. CHANGES lang/php5/Makefile | 6 +++--- 1 file changed, 3...
prosody: Security update (2 CVEs)
The prosody package has been rebuilt and was uploaded to the Chaos Calmer 15.05 repository due to multiple security issues. VERSION 0.9.8-1 => 0.9.9-1 CHANGELOG Mon, 25 Jan 2016 13:31:29 +0100 bb23089 fixes: path traversal vulnerability in mod_http_files CVE-2016-1231 use of weak PRNG in generation ...
php: Security update (7 CVEs)
The php package has been rebuilt and was uploaded to the Chaos Calmer 15.05 repository due to multiple security issues. VERSION 5.6.8-1 => 5.6.17-1 CHANGELOG Sun, 24 Jan 2016 21:47:52 +0100 18d121b Update to 5.6.17 Fixes CVE-2016-1903. Wed, 23 Dec 2015 16:00:14 -0500 766cfcc Update to 5.6.16 Wed, ...
bind: Security update (4 CVEs)
The bind package has been rebuilt and was uploaded to the Chaos Calmer 15.05 repository due to multiple security issues. VERSION 9.9.7-P3-1 => 9.9.8-P3-1 CHANGELOG Sun, 24 Jan 2016 12:43:29 +0100 41dcf83 Fixes: CVE-2015-8704 CVE-2015-3193 CVE-2015-8000 CVE-2015-8461 CHANGES net/bind/Makefile | 4...
openssh: Security update (2 CVEs)
The openssh package has been rebuilt and was uploaded to the Chaos Calmer 15.05 repository due to multiple security issues. VERSION 6.8p1-1 => 7.1p2-1 CHANGELOG Sat, 16 Jan 2016 11:46:32 +0100 fc7fc89 Version 7.1p2 Use version 7.1p2 due to several security bulletins. CHANGES net/openssh/Makefile |...