From 7332d33775aaeec410a4c4b65b3ee1833ce32410 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Wed, 4 May 2022 20:01:53 +0200
Subject: [PATCH] docs: releases/v2021.1.2: describe autoupdater security issue

---
 docs/releases/v2021.1.2.rst | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/docs/releases/v2021.1.2.rst b/docs/releases/v2021.1.2.rst
index 01122fa7c..67bd99e16 100644
--- a/docs/releases/v2021.1.2.rst
+++ b/docs/releases/v2021.1.2.rst
@@ -4,6 +4,9 @@ Gluon 2021.1.2 (unreleased)
 Important notes
 ---------------
 
+This release fixes a **critical security vulnerability** in Gluon's
+autoupdater.
+
 Upgrades to v2021.1 and later releases are only supported from releases v2018.2
 and later. Migration code for upgrades from older versions has been removed to
 simplify maintenance.
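Review bot: the new "Important notes" paragraph tells the reader there is a critical autoupdater vulnerability but not what to do about it; since this section is what operators read first, add a one-line pointer to the Bugfixes entry (or to the GHSA advisory) and to the workaround of disabling the autoupdater until fixed firmware is installed, so the actionable guidance is not only found further down the page.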
@@ -23,11 +26,30 @@ log.
 Bugfixes
 --------
 
-* **[SECURITY]** This release will fix a critical security vulnerability
+* **[SECURITY]** Autoupdater: Fix signature verification
+
+  A recently discovered issue (CVE-2022-24884) in the *ecdsautils* package
+  allows forgery of cryptographic signatures. This vulnerability can be
+  exploited to create a manifest accepted by the autoupdater without knowledge
+  of the signers' private keys. By intercepting nodes' connections to the update
+  server, such a manifest allows to distribute malicious firmware updates.
+
+  This is a **critical** vulnerability. All nodes with autoupdater must be
+  updated. Requiring multiple signatures for an update does *not* mitigate the
+  issue.
+
+  As a temporary workaround, the issue can be mitigated on individual nodes by
+  disabling the autoupdater via config mode or using the following commands::
+
+    uci set autoupdater.settings.enabled=0
+    uci commit autoupdater
+
+  A fixed firmware should be installed manually before enabling the autoupdater
+  again.
 
-  This bugfix has not been pushed to the public Gluon repository yet to avoid
-  disclosing information on the issue. A detailed advisory will be published at
-  the same time as the Gluon release.
+  See security advisory `GHSA-qhcg-9ffp-78pw
+  <https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw>`_
+  for further information on this vulnerability.
 
 * **[SECURITY]** Config Mode: Prevent Cross-Site Request Forgery (CSRF)
 
-- 
GitLab