OpenSSL multiple CVEs patched

Hello,

I just noticed there have been multiple vulnerabilities patched in OpenSSL[1]. My OpenWrt 24.10.5 seems to have libopenssl 3.0.18-r1 installed and apparently would need to be upgraded to 3.0.19 to get the fixes. How would I go about doing that?

[1] https://cybersecuritynews.com/openssl-vulnerabilities-code-execution/

I recommend going offline until patches are available.

1 Like

You could either update https://github.com/openwrt/openwrt/blob/openwrt-24.10/package/libs/openssl/Makefile and submit a PR, or move to 25.12 (or snapshot), which has jumped to the OpenSSL 3.5 series.

2 Likes
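To make the version check behind this question concrete, here is a small POSIX sh helper. It is an added example, not code from this thread or from the OpenWrt project: it takes libopenssl versions in the form `opkg list-installed` prints them on 24.10 (`libopenssl3 - 3.0.18-r1`) and reports whether each one is below the first fixed release of its series. The fixed versions (3.0.19 for the 3.0 series, 3.5.5 for the 3.5 series) are the ones quoted in this thread, and the sample package list at the bottom is constructed, not captured from a device.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): is the installed libopenssl
# below the first fixed release of its series?

# ver_lt A B: exit 0 if dotted version A is strictly lower than B, else 1.
# Pure POSIX sh so it also runs on a BusyBox-only router.
ver_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        # drop the leading component, or empty the string when it was the last one
        if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# fixed_for SERIES: first fixed upstream version for a major.minor series.
# Values are the ones quoted in this thread; extend from the OpenSSL advisory.
fixed_for() {
    case $1 in
        3.0) echo 3.0.19 ;;
        3.5) echo 3.5.5 ;;
        *)   echo "" ;;
    esac
}

# needs_update PKGVER: PKGVER is an OpenWrt package version such as "3.0.18-r1".
# Prints "yes" if below the fixed release, "no" if at or above it,
# "unknown" for a series this helper has no fixed version for.
needs_update() {
    ver=${1%-r*}          # strip the OpenWrt package revision (-rN)
    series=${ver%.*}      # 3.0.18 -> 3.0
    fixed=$(fixed_for "$series")
    if [ -z "$fixed" ]; then echo unknown; return 0; fi
    if ver_lt "$ver" "$fixed"; then echo yes; else echo no; fi
}

# check_installed: reads "name - version" lines on stdin (opkg list-installed
# format) and prints "name version yes|no|unknown" for every libopenssl* package.
check_installed() {
    while read -r name sep ver; do
        case $name in
            libopenssl*) printf '%s %s %s\n' "$name" "$ver" "$(needs_update "$ver")" ;;
        esac
    done
}

# Constructed sample of `opkg list-installed` output (not from a real device).
# On the router itself you would pipe the real command instead:
#   opkg list-installed | check_installed
sample='libopenssl3 - 3.0.18-r1
wireguard-tools - 1.0.20210914-r3
libustream-openssl - 2024.10.21~2bb4c3e3-r1'
printf '%s\n' "$sample" | check_installed
```

The revision suffix (`-r1`) is an OpenWrt packaging counter, not an upstream OpenSSL version, so it is stripped before comparing; a distribution can also backport a fix without bumping the upstream version, so treat "yes" as "check the package changelog", not as proof the box is exploitable.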

I'm currently trying to figure out the actual risks, especially related to the RCE one, CVE-2025-15467. I only expose a WireGuard endpoint from my internet-facing router, so would it suffice to just turn that off? Would the router be safe then?

Okay, but the OpenSSL 3.5 series has those vulns too, fixed in 3.5.5.

WireGuard does not use OpenSSL as far as I know.

3 Likes

OpenSSL v3.5.5 was merged into the main and 25.12.x snapshots three days ago; 24.10.x however still needs attention (someone to provide a tested patch/PR).

3 Likes

Indeed! A quick Google search seems to support this.

1 Like

Are you saying an RCE in a stable release is OK?

In 25.12.0-rc4 it's fixed.

root@ER605v2:~# apk info libopenssl3
libopenssl3-3.5.5-r1 description:
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Transport Layer Security (TLS) protocol as well as a full-strength general-purpose cryptography library. This package contains the OpenSSL shared libraries, needed by other programs.

libopenssl3-3.5.5-r1 webpage:
https://www.openssl.org/

libopenssl3-3.5.5-r1 installed size:
4522 KiB

This is not a Remote Code Execution issue, but merely a Code Execution issue: PKCS#12 refers to certificate material stored in a specific archive file format only. So you would have to use OpenSSL tooling to interpret a (crafted or affected) PKCS#12-encoded file to be vulnerable; socket clients or servers using OpenSSL should be fine.

Yes, the OpenSSL advisory talks about vectors and environmental factors...

I am not saying anything to that effect, regardless of the practical severity.

I was merely stating the current state of the active branches (which in turn will feed into the next releases):

  • main, fixed
  • 25.12.x, fixed
  • 24.10.x, PR submitted today, pending

At no point did I insinuate that bugs don't need to be fixed, nor did I evaluate the effective security impact on the package config used by OpenWrt. And, as of yesterday, no one had submitted a fix yet; as of today, there is a pending PR. That is merely a fact, an explanation of the status quo (ante), nothing else.

2 Likes

And already rejected by clankers...