Register | Log in

wolfssl

Choose email to subscribe with

general

source: wolfssl (main)
version: 5.5.3-3
maintainer: Jacob Barthelmeh (DMD)
uploaders: Felix Lechner [DMD]
arch: any
std-ver: 4.6.1
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

old-bpo: 4.6.0-3~bpo10+1
stable: 4.6.0+p1-0+deb11u1
stable-bpo: 5.5.3-3~bpo11+1
testing: 5.5.3-3
unstable: 5.5.3-3

versioned links

4.6.0-3~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.6.0+p1-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.2.0-2~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.5.3-3~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.5.3-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libwolfssl-dev
libwolfssl35

action needed

Marked for autoremoval on 25 December: #1023697 high

Version 5.5.3-3 of wolfssl is marked for autoremoval from testing on Sun 25 Dec 2022. It is affected by #1023697. The removal of wolfssl will also cause the removal of (transitive) reverse dependencies: lighttpd, swupdate, vdeplug-agno. You should try to prevent the removal by fixing these RC bugs.

Created: 2022-11-15 Last update: 2022-11-26 12:46

5 security issues in bullseye high

There are 5 open security issues in bullseye.

3 important issues:

CVE-2022-39173: In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. This occurs when an attacker supposedly resumes a previous TLS session. During the resumption Client Hello a Hello Retry Request must be triggered. Both Client Hellos are required to contain a list of duplicate cipher suites to trigger the buffer overflow. In total, two Client Hellos have to be sent: one in the resumed session, and a second one as a response to a Hello Retry Request message.
CVE-2022-42905: In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or network attacker can trigger a buffer over-read on the heap of 5 bytes. (WOLFSSL_CALLBACKS is only intended for debugging.)
CVE-2022-42961: An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connections, might leak faulty ECC signatures. These signatures can be processed via an advanced technique for ECDSA key recovery. (In 5.5.0 and later, WOLFSSL_CHECK_SIG_FAULTS can be used to address the vulnerability.)

2 issues left for the package maintainer to handle:

CVE-2022-34293: (needs triaging) wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped.
CVE-2022-38152: (needs triaging) An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses the initial struct WOLFSSL. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello (that resumes the previous session) crashes the server. Note that this bug is only triggered when resuming sessions using TLS session resumption. Only servers that use wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence are affected. Furthermore, wolfSSL_clear is part of wolfSSL's compatibility layer and is not enabled by default. It is not part of wolfSSL's native API.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-08-08 Last update: 2022-11-14 05:14

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-11-12 Last update: 2022-11-12 06:40

news

[2022-11-19] Accepted wolfssl 5.5.3-3~bpo11+1 (source amd64) into bullseye-backports (Debian FTP Masters) (signed by: Felix Lechner)
[2022-11-14] wolfssl 5.5.3-3 MIGRATED to testing (Debian testing watch)
[2022-11-11] Accepted wolfssl 5.5.3-3 (source) into unstable (Felix Lechner)
[2022-11-10] Accepted wolfssl 5.5.3-2 (source) into unstable (Felix Lechner)
[2022-11-10] Accepted wolfssl 5.5.3-1 (source amd64) into unstable (Debian FTP Masters) (signed by: Felix Lechner)
[2022-03-19] Accepted wolfssl 4.6.0+p1-0+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Felix Lechner)
[2022-02-25] wolfssl 5.2.0-2 MIGRATED to testing (Debian testing watch)
[2022-02-23] Accepted wolfssl 5.2.0-2~bpo11+1 (source amd64) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Felix Lechner)
[2022-02-23] Accepted wolfssl 5.2.0-2 (source) into unstable (Felix Lechner)
[2022-02-22] Accepted wolfssl 5.2.0-1 (source amd64) into unstable, unstable (Debian FTP Masters) (signed by: Felix Lechner)
[2022-02-13] Accepted wolfssl 5.1.1-1~bpo11+1 (source) into bullseye-backports (Felix Lechner)
[2022-02-13] wolfssl 5.1.1-1 MIGRATED to testing (Debian testing watch)
[2022-02-10] Accepted wolfssl 5.1.1-1 (source) into unstable (Felix Lechner)
[2022-01-11] Accepted wolfssl 5.0.0-1~bpo11+1 (source amd64) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Felix Lechner)
[2022-01-01] wolfssl 5.0.0-1 MIGRATED to testing (Debian testing watch)
[2021-12-28] Accepted wolfssl 5.0.0-1 (source amd64) into unstable, unstable (Debian FTP Masters) (signed by: Felix Lechner)
[2021-02-15] wolfssl 4.6.0-3 MIGRATED to testing (Debian testing watch)
[2021-02-11] Accepted wolfssl 4.6.0-3~bpo10+1 (source) into buster-backports (Felix Lechner)
[2021-02-10] Accepted wolfssl 4.6.0-3 (source) into unstable (Felix Lechner)
[2021-02-06] wolfssl 4.6.0-2 MIGRATED to testing (Debian testing watch)
[2021-02-03] Accepted wolfssl 4.6.0-2 (source) into unstable (Felix Lechner)
[2021-01-30] wolfssl 4.6.0-1 MIGRATED to testing (Debian testing watch)
[2021-01-30] Accepted wolfssl 4.6.0-1~bpo10+1 (source) into buster-backports (Felix Lechner)
[2021-01-28] Accepted wolfssl 4.6.0-1 (source) into unstable (Felix Lechner)
[2020-10-20] Accepted wolfssl 4.5.0+dfsg-4~bpo10+1 (source) into buster-backports (Felix Lechner) (signed by: Unit 193)
[2020-10-05] wolfssl 4.5.0+dfsg-4 MIGRATED to testing (Debian testing watch)
[2020-10-01] Accepted wolfssl 4.5.0+dfsg-4 (source) into unstable (Felix Lechner)
[2020-09-30] wolfssl 4.5.0+dfsg-3 MIGRATED to testing (Debian testing watch)
[2020-09-27] Accepted wolfssl 4.5.0+dfsg-3 (source) into unstable (Felix Lechner)
[2020-09-18] wolfssl 4.5.0+dfsg-2 MIGRATED to testing (Debian testing watch)

1
2

bugs [bug history graph]

all: 1
RC: 1
I&N: 0
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 2)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.2.0-2
2 bugs

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing