git.ipfire.org Git - thirdparty/openwrt.git/commit
mbedtls: update to 3.6.6 22787/head
author Hauke Mehrtens <hauke@hauke-m.de>
Sat, 4 Apr 2026 23:32:36 +0000 (01:32 +0200)
committer Hauke Mehrtens <hauke@hauke-m.de>
Mon, 6 Apr 2026 14:01:10 +0000 (16:01 +0200)
commit f48ef0040b7e4a80283d0775d397b8a3c66b7275
tree 3322297f8b1217375e70854c306ff457fb481e0d
parent 08bf7ef6d21c73a4e2fde690aec63b598aada3c0
mbedtls: update to 3.6.6

This version fixes some security problems:
 * Client impersonation while resuming a TLS 1.3 session
   (CVE-2026-34873)
 * Entropy on Linux can fall back to /dev/urandom (CVE-2026-34871)
 * PSA random generator cloning (CVE-2026-25835)
 * Compiler-induced constant-time violations (CVE-2025-66442)
 * Null pointer dereference when setting a distinguished name
   (CVE-2026-34874)
 * Buffer overflow in FFDH public key export (CVE-2026-34875)
 * FFDH: lack of contributory behaviour due to improper input validation
   (CVE-2026-34872)
 * Signature Algorithm Injection (CVE-2026-25834)
 * CCM multipart finish tag-length validation bypass (CVE-2026-34876)
 * Risk of insufficient protection of serialized session or context data
   leading to potential memory safety issues (CVE-2026-34877)
 * Buffer underflow in x509_inet_pton_ipv6() (CVE-2026-25833)

Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6

Size increases by 470 bytes on aarch64:
343995 bin/packages/aarch64_generic/base/libmbedtls21-3.6.5-r1.apk
344465 bin/packages/aarch64_generic/base/libmbedtls21-3.6.6-r1.apk

Link: https://github.com/openwrt/openwrt/pull/22787
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
package/libs/mbedtls/Makefile
package/libs/mbedtls/patches/100-fix-gcc14-build.patch