[Libwebsockets] Security updates

Andy Green andy at warmcat.com
Thu Jan 21 16:38:57 CET 2016


Hi -

TL;DR: Everyone running a public lws server should update to master HEAD, v1.5.1 tag or v1.6.1 tag.

A user on GitHub has been able to test the lws server part using the Codenomicon commercial fuzzer

http://www.codenomicon.com/

This is the technology that found Heartbleed

http://www.codenomicon.com/news/news/2014/05/20/heartbleed-and-safeguard-how-we-found-it.html

He found some crash bugs in lws using the fuzzer:

https://github.com/warmcat/libwebsockets/issues/391

They are all now fixed in master HEAD, but that leaves us a problem: some people are reasonably sticking on v1.5 for a bit until it is convenient to deal with our API normalization changes.  And the packaging has targeted v1.6.

To help ease the pain a bit I backported the fixes to v1.5-stable and v1.6-stable branches, and tagged the current HEAD of those 'v1.5.1' and 'v1.6.1'.

Normally I would withhold this for a bit until the packaging can update, but since this happened on GitHub in public, I think there is no point this time.

Sorry for the problem, but on the bright side if you are using master HEAD (shortly to become v1.7) that has been confirmed now to pass

 - Codenomicon in http/ws and https/wss modes

 - Coverity Static Analysis (0 defects)

 - Autobahn ws fuzzer (one fail 2.10 ping spamming, that is not in the ws standard)

As part of debugging the finds from Codenomicon I added a skeletal fuzzing proxy on HEAD, fuzxy.  This uses http_proxy= to stand between the client and server and have the opportunity to inject, mess with or delete network traffic in both directions.  It just has a handful of tests operated by hand right now, but this could grow into something useful to help reduce any future surprises.

-Andy