Re: OpenWrt 21.02 and 19.07 minor release

Thu, 10 Feb 2022 07:19:18 -0800 

looks like those dnsmasq exploits aren't real
bugs never looked by human (no commit related by it), but bots confirmed that thoses look fixed by commit 011f8cf1d011ade2f9e7231fca3cabfb1e8eaf06 


https://oss-fuzz.com/revisions?job=afl_asan_dnsmasq&range=202112300601:202201020605 
<https://oss-fuzz.com/revisions?job=afl_asan_dnsmasq&range=202112300601:202201020605>



when I read that commit it looks like 2.86 had bug that faild to build 
on gcc 4.8 and it caused fuzzer to get immediately crash, producing 
bunch of 'exploits'




2022-02-10 오전 7:58에 Hauke Mehrtens 이(가) 쓴 글:> On 1/25/22 00:07, 
Hauke Mehrtens wrote:

>> On 1/24/22 22:53, Hauke Mehrtens wrote:
>>> Hi,
>>>
>>> I would like to tag a new 21.02 and 19.07 minor release in about one
>>> week. I am not aware of a severe security problem, it was just some
>>> time since the last release.
>>>
>>> Are there any known regressions in the current stable branches
>>> compared to the last release and should we fix them?
>>>
>>> If we should backport some changes from master please just answer to
>>> this mail with the commit and a reason why you need it.
>>>
>>> There are already some pull requests on github:

>>> 
https://github.com/openwrt/openwrt/pulls?q=is%3Apr+is%3Aopen+label%3Arelease%2F21.02 


>>>
>>>

>>> 
https://github.com/openwrt/openwrt/pulls?q=is%3Apr+is%3Aopen+label%3Arelease%2F19.07 


>>>
>>>
>>> Hauke
>>
>> There are some security patches available for hostapd. Is someone
>> working on backporting them to OpenWrt 21.02 or 19.07?
>> https://w1.fi/security/2022-1/
>>
>> Dnsmasq also has some new CVEs assigned.
>> Is someone working on backporting these fixes?
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45951
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45952
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45953
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45954
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45955
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45956
>> https://nvd.nist.gov/vuln/detail/CVE-2021-45957
>>
>> Hauke
>
> Hi,
>
> Sorry for the delay, I haven't found the time to take care of these
> CVEs yet and I would like to get them fixed before the release.
>
> There are also some CVEs fixed in wolfssl:
> https://github.com/openwrt/openwrt/pull/4910
> This will probably break the ABI again.
>
> It would be nice if someone could tak over one component to get this
> fixed faster.
>
> Hauke
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel






















					Reply via email to