[Libwebsockets] Security updates

Andy Green andy at warmcat.com
Fri Jan 22 08:57:55 CET 2016



On January 22, 2016 3:28:18 PM GMT+08:00, Andrejs Hanins <andrejs.hanins at ubnt.com> wrote:
>Hi Andy,
>
>On 01/21/2016 05:38 PM, Andy Green wrote:
>
>Hi -
>
>TL;DR: Everyone running a public lws server should update to master
>HEAD, v1.5.1 tag or v1.6.1 tag.
>
>Thanks for the fixes! For the v1.6.1 tag the value of
>CPACK_PACKAGE_VERSION_PATCH is still 0, isn't that a mistake?

You're right, I added a patch to do that and updated v1.6.1 tag to point to that.

-Andy

>
>A user on github has been able to test lws server part using the
>Codenomicon commercial fuzzer
>
>http://www.codenomicon.com/
>
>This is the technology that found Heartbleed
>
>http://www.codenomicon.com/news/news/2014/05/20/heartbleed-and-safeguard-how-we-found-it.html
>
>He found some crash bugs in lws using the fuzzer:
>
>https://github.com/warmcat/libwebsockets/issues/391
>
>they are all now fixed in master HEAD but that leaves us a problem,
>some people are reasonably sticking on v1.5 for a bit until convenient
>to deal with our api normalization changes. And the packaging has
>targeted v1.6.
>
>To help ease the pain a bit I backported the fixes to v1.5-stable and
>v1.6-stable branches, and tagged the current HEAD of those 'v1.5.1' and
>'v1.6.1'.
>
>Normally I would withhold this for a bit until the packaging can update
>but since this happened on github in public, I think there is no point
>this time.
>
>Sorry for the problem, but on the bright side if you are using master
>HEAD (shortly to become v1.7) that has been confirmed now to pass
>
>- Codenomicon in http/ws and https/wss modes
>
>- Coverity Static Analysis (0 defects)
>
>- Autobahn ws fuzzer (one fail 2.10 ping spamming, that is not in the
>ws standard)
>
>As part of debugging the finds from codenomicon I added a skeletal
>fuzzing proxy on HEAD, fuzxy. This uses http_proxy= to stand between
>the client and server and have the opportunity to inject, mess with or
>delete network traffic in both directions. It just has a handful of
>tests operated by hand right now but this could grow into something
>useful to help reduce any future surprises.
>
>-Andy
>
>
>_______________________________________________ Libwebsockets mailing
>list Libwebsockets at ml.libwebsockets.org
>http://ml.libwebsockets.org/mailman/listinfo/libwebsockets 
>