[BUG: #266] configs: disable web interface in the default config

Disable web interface in the default config due to security vulnerabilities described in CVE-2023-22577. Please note that web interface can still be enabled manually in the config file in runtime. Signed-off-by: Adam Wujek <dev_public@wujek.eu>

[BUG: #266] configs: disable web interface in the default config
Disable web interface in the default config due to security vulnerabilities described in CVE-2023-22577. Please note that web interface can still be enabled manually in the config file in runtime. Signed-off-by: Adam Wujek <dev_public@wujek.eu>
1f2ef410 · Adam Wujek · 07760c6d · 1f2ef410 · 1f2ef410
Commit 1f2ef410 authored Dec 09, 2022 by Adam Wujek
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 5 deletions

wrs_release_defconfig configs/wrs_release_defconfig +2 -2

wrs-user-manual.in doc/wrs-user-manual.in +17 -3

No files found.
--- a/configs/wrs_release_defconfig
+++ b/configs/wrs_release_defconfig
@@ -2,7 +2,7 @@
 # Automatically generated file; DO NOT EDIT.
 # White Rabbit Switch  configuration
 #
-CONFIG_DOTCONF_FW_VERSION="6.0"
+CONFIG_DOTCONF_FW_VERSION="6.0.2"
 CONFIG_DOTCONF_HW_VERSION=""
 CONFIG_DOTCONF_INFO=""
 # CONFIG_DOTCONF_SOURCE_LOCAL is not set
@@ -700,7 +700,7 @@ CONFIG_WRSAUXCLK_PPSHIFT="0"
 CONFIG_LLDPD_TX_INTERVAL=5
 # CONFIG_LLDPD_MANAGEMENT_PORT_DISABLE is not set
 # CONFIG_LLDPD_MINIMUM_FRAME_SIZE is not set
-# CONFIG_HTTPD_DISABLE is not set
+CONFIG_HTTPD_DISABLE=y

 #
 # Developer options

--- a/doc/wrs-user-manual.in
+++ b/doc/wrs-user-manual.in
@@ -33,13 +33,13 @@
 @paragraphindent none
 @comment %**end of header
 @copying
-Copyright CERN 2020.
+Copyright CERN 2023.
 This document is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.
 @end copying

 @setchapternewpage off

-@set update-month June 2020
+@set update-month January 2023
 @c the release name below is substituted at build time
 @set release __RELEASE_GIT_ID__

@@ -317,7 +317,13 @@ the behavior of the WR Switch. Here are highlights:
    do not use LLDP and latency is of concern, you should disable LLDP option.
  @item @b{Disable web interface} - web interface is now disabled by default
    and considered deprecated (no effort was put in making sure it works
-    properly). @b{Users are strongly discouraged from using the web interface}.
+    properly).
+    A number of serious security vulnerabilities were found in the web interface
+    (including CVE-2023-22577).
+    Please note that it is still possible to enable web interface in run-time.
+    @b{Users are strongly discouraged from using the web interface}.
+    In exceptional cases the use of web-interface can be limited to well
+    controlled networks.
  @end itemize

 @item @b{DHCP forever configuration in menuconfig} - this behavior can be set 
@@ -1425,6 +1431,14 @@ appropriate way, before the respective service is started.
 @item CONFIG_HTTPD_DISABLE

 	Disable web interface on a switch.
+	Web interface is now disabled by default and considered deprecated.
+	A number of security vulnerabilities were found in the web interface
+	(including CVE-2023-22577).
+	Please note that it is still possible to enable web interface in
+	run-time.
+	@b{Users are strongly discouraged from using the web interface}.
+	In exceptional cases the use of web-interface can be limited to well
+	controlled networks.

 @item CONFIG_MONIT_DISABLE