Lean's LEDE source
Eneas U de Queiroz 99a4abd0ff openssl: fix CVE-2023-464 and CVE-2023-465
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:

- Excessive Resource Usage Verifying X.509 Policy Constraints
  (CVE-2023-0464)
  Severity: Low
  A security vulnerability has been identified in all supported versions
  of OpenSSL related to the verification of X.509 certificate chains
  that include policy constraints.  Attackers may be able to exploit
  this vulnerability by creating a malicious certificate chain that
  triggers exponential use of computational resources, leading to a
  denial-of-service (DoS) attack on affected systems.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

- Invalid certificate policies in leaf certificates are silently ignored
  (CVE-2023-0465)
  Severity: Low
  Applications that use a non-default option when verifying certificates
  may be vulnerable to an attack from a malicious CA to circumvent
  certain checks.
  Invalid certificate policies in leaf certificates are silently ignored
  by OpenSSL and other certificate policy checks are skipped for that
  certificate.  A malicious CA could use this to deliberately assert
  invalid certificate policies in order to circumvent policy checking on
  the certificate altogether.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466.  It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.

Due to the low severity of these issues, there will not be an
immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-05-05 12:35:32 +08:00
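
An added example, not part of the commit or of this repository: both issues only matter when policy processing is enabled, so this script searches a source tree for the two triggers the commit message names, the `X509_VERIFY_PARAM_set1_policies()` call and the `-policy` command-line argument. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate code that enables X.509 policy processing, the
# precondition for CVE-2023-0464 and CVE-2023-0465. Names are hypothetical.

# C/C++ sources calling X509_VERIFY_PARAM_set1_policies(); file:line:text.
find_policy_api_calls() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' -o -name '*.cpp' \) \
        -exec grep -nE 'X509_VERIFY_PARAM_set1_policies[[:space:]]*\(' \
        /dev/null {} + 2>/dev/null || true
}

# Files passing -policy to an openssl command. "openssl ca -policy" is
# dropped: there the option selects a CA config section, not a policy OID.
find_policy_cli_use() {
    find "$1" -type f -exec grep -nE \
        'openssl[[:space:]]+[a-z_0-9]+([[:space:]].*)?[[:space:]]-policy[[:space:]]' \
        /dev/null {} + 2>/dev/null |
        grep -vE 'openssl[[:space:]]+ca[[:space:]]' || true
}

# Number of findings under $1; 0 means nothing there enables policy checks.
count_policy_users() {
    { find_policy_api_calls "$1"; find_policy_cli_use "$1"; } | wc -l | tr -d ' '
}

# Constructed sample tree: two files that should be reported, two that not.
make_demo_tree() {
    mkdir -p "$1/src" "$1/scripts"
    printf '%s\n' 'X509_VERIFY_PARAM_set1_policies(vpm, oids);' > "$1/src/tls.c"
    printf '%s\n' 'X509_VERIFY_PARAM_set_depth(vpm, 4);' > "$1/src/depth.c"
    printf '%s\n' 'openssl verify -CAfile ca.pem -policy 1.2.3.4 leaf.pem' \
        > "$1/scripts/check.sh"
    printf '%s\n' 'openssl ca -policy policy_match -in req.pem' \
        > "$1/scripts/issue.sh"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_tree "$demo"
find_policy_api_calls "$demo"
find_policy_cli_use "$demo"
echo "findings: $(count_policy_users "$demo")"
```

A count of 0 for a package tree means neither trigger named in the commit message was found in it.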
.github fix CI issues (#10937) 2023-02-27 23:35:26 +08:00
config target: add EFI support to armvirt 2023-04-24 15:02:30 +08:00
doc Update README.md 2022-12-14 03:15:13 +08:00
include kernel: bump to 5.4.242, 6.1.26 (#11163) 2023-04-29 13:13:03 +08:00
LICENSES LICENSES: include all used licenses in LICENSES directory 2021-06-17 20:11:04 +08:00
package openssl: fix CVE-2023-464 and CVE-2023-465 2023-05-05 12:35:32 +08:00
scripts treewide: sync with upstream (#10750) 2023-01-25 15:30:35 +08:00
target rockchip: add h68k/h69k hardware v2 support 2023-05-01 21:08:28 +08:00
toolchain luci-proto-3x: move to luci feeds 2023-02-28 10:18:16 +08:00
tools tools/zstd: update to 1.5.4 2023-03-09 22:12:19 +08:00
.gitattributes Merge branch 'master' of https://github.com/lede-project/source 2017-09-12 01:07:20 +08:00
.gitignore gitignore: sync upstream source 2022-02-24 11:20:06 +08:00
BSDmakefile add kernel 5.10 support and sync with upstream 2021-06-14 18:30:08 +08:00
Config.in scripts: sync with upstream 2022-10-19 20:39:19 +08:00
COPYING add kernel 5.10 support and sync with upstream 2021-06-14 18:30:08 +08:00
feeds.conf.default Update feeds.conf.default 2022-11-26 12:42:37 +08:00
Makefile treewide: sync with upstream (#10750) 2023-01-25 15:30:35 +08:00
README_EN.md Update README 2021-06-30 20:46:32 +08:00
README.md README: update build dependence 2023-04-11 23:58:53 +08:00
rules.mk treewide: sync with upstream (#10750) 2023-01-25 15:30:35 +08:00

Welcome to Lean's git source of OpenWrt and packages

How to build your OpenWrt firmware.

Note:

  1. DO NOT USE root USER FOR COMPILING!!!

  2. Users within China should set up a proxy before building.

  3. Web admin panel default IP is 192.168.1.1 and default password is "password".

Let's start!

  1. First, install Ubuntu 64bit (Ubuntu 20.04 LTS x86 is recommended).

  2. Run sudo apt-get update in the terminal, and then run sudo apt-get -y install build-essential asciidoc binutils bzip2 gawk gettext git libncurses5-dev libz-dev patch python3 python2.7 unzip zlib1g-dev lib32gcc1 libc6-dev-i386 subversion flex uglifyjs git-core gcc-multilib p7zip p7zip-full msmtp libssl-dev texinfo libglib2.0-dev xmlto qemu-utils upx libelf-dev autoconf automake libtool autopoint device-tree-compiler g++-multilib antlr3 gperf wget curl swig rsync

  3. Run git clone https://github.com/coolsnowwolf/lede to clone the source code, and then cd lede to enter the directory

  4. ./scripts/feeds update -a
    ./scripts/feeds install -a
    make menuconfig
    
  5. Run make -j8 download V=s to download libraries and dependencies (users in China should use a global proxy when possible)

  6. Run make -j1 V=s (integer following -j is the thread count, single-thread is recommended for the first build) to start building your firmware.

This source code is promised to compile successfully.

You can use this source code freely, but please link this GitHub repository when redistributing. Thank you for your cooperation!

Rebuild:

cd lede
git pull
./scripts/feeds update -a && ./scripts/feeds install -a
make defconfig
make -j8 download
make -j$(($(nproc) + 1)) V=s

If reconfiguration is needed:

rm -rf ./tmp && rm -rf .config
make menuconfig
make -j$(($(nproc) + 1)) V=s

Build results are written to the bin/targets directory.

Special tips:

  1. This source code doesn't contain any backdoors or closed-source applications that can monitor/capture your HTTPS traffic. SSL is the final castle of cyber security. Safety is what a firmware should achieve.

  2. If you have any technical problems, you may join the QQ discussion group: 297253733.

  3. Want to learn OpenWrt development but don't know how? Can't motivate yourself for self-learning? Not enough fundamental knowledge? Learn OpenWrt development with Mr. Zuo through his Beginner OpenWrt Training Course. Click here to register.

Router Recommendation

Not Sponsored: If you are looking for a small, low-power x86/x64 router with promising performance, I personally recommend the EZPROv1 Aluminum Edition (N3710 4000M).

Donation

If this project does help you, please consider donating to support the development of this project.

Alipay

WeChat

Note: Lean's additional private package source code is in the ./package/lean directory. Use it under GPL v3.

GPLv3 is compatible with more licenses than GPLv2: it allows you to make combinations with code that has specific kinds of additional requirements that are not in GPLv3 itself. Section 7 has more information about this, including the list of additional requirements that are permitted.