[Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.0
Yann E. MORIN
yann.morin.1998 at free.fr
Tue Sep 6 09:39:46 UTC 2022
Fabrice, All,
On 2022-09-04 11:26 +0200, Fabrice Fontaine spake thusly:
> Fix the following security vulnerabilities:
> - [Low] Fault injection attack on RAM via Rowhammer leads to ECDSA key
> disclosure. Users doing operations with private ECC keys such as
> server side TLS connections and creating ECC signatures, who also
> have hardware that could be targeted with a sophisticated Rowhammer
> attack should update the version of wolfSSL and compile using the
> macro WOLFSSL_CHECK_SIG_FAULTS.
> - [Low] In wolfSSL version 5.3.0 if compiled with
> --enable-session-ticket and the client has non-empty session cache,
> with TLS 1.2 there is the possibility oàf a man in the middle passing
> a large session ticket to the client and causing a crash due to an
> invalid free. There is also the potential for a malicious TLS 1.3
> server to crash a client in a similar manner except in TLS 1.3 it is
> not susceptible to a man in the middle attack. Users on the client
> side with –enable-session-ticket compiled in and using wolfSSL
> version 5.3.0 should update their version of wolfSSL.
> - [Low] If using wolfSSL_clear to reset a WOLFSSL object (vs the normal
> wolfSSL_free/wolfSSL_new) it can result in runtime issues. This
> exists with builds using the wolfSSL compatibility layer
> (--enable-opnesslextra) and only when the application is making use
> of wolfSSL_clear instead of SSL_free/SSL_new. In the case of a TLS
> 1.3 resumption, after continuing to use the WOLFSSH object after
> having called wolfSSL_clear, an application could crash. It is
> suggested that users calling wolfSSL_clear update the version of
> wolfSSL used.
> - Potential DoS attack on DTLS 1.2. In the case of receiving a
> malicious plaintext handshake message at epoch 0 the connection will
> enter an error state reporting a duplicate message. This affects both
> server and client side. Users that have DTLS enabled and in use
> should update their version of wolfSSL to mitigate the potential for
> a DoS attack.
>
> https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/wolfssl/wolfssl.hash | 2 +-
> package/wolfssl/wolfssl.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash
> index 01b21596e7..f1401e4cda 100644
> --- a/package/wolfssl/wolfssl.hash
> +++ b/package/wolfssl/wolfssl.hash
> @@ -1,5 +1,5 @@
> # Locally computed:
> -sha256 dc36cc19dad197253e5c2ecaa490c7eef579ad448706e55d73d79396e814098b wolfssl-5.4.0.tar.gz
> +sha256 c34b74b5f689fac7becb05583b044e84d3b10d39f38709f0095dd5d423ded67f wolfssl-5.5.0.tar.gz
>
> # Hash for license files:
> sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
> diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk
> index 536fd863fe..ca360312c9 100644
> --- a/package/wolfssl/wolfssl.mk
> +++ b/package/wolfssl/wolfssl.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -WOLFSSL_VERSION = 5.4.0
> +WOLFSSL_VERSION = 5.5.0
> WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
> WOLFSSL_INSTALL_STAGING = YES
>
> --
> 2.35.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
More information about the buildroot
mailing list