wolfssl - Debian Package Tracker

general

source: wolfssl (main)
version: 5.7.2-0.1
maintainer: Jacob Barthelmeh (DMD)
arch: any
std-ver: 4.6.1
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 4.6.0+p1-0+deb11u2
old-bpo: 5.5.4-2~bpo11+1
stable: 5.5.4-2+deb12u1
testing: 5.7.2-0.1
unstable: 5.7.2-0.1

versioned links

4.6.0+p1-0+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.5.4-2~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.5.4-2+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.7.2-0.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libwolfssl-dev
libwolfssl42t64

action needed

A new upstream version is available: 5.8.2 high

A new upstream version 5.8.2 is available, you should consider packaging it.

Created: 2024-10-25 Last update: 2025-07-26 15:31

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-7394: In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report.

Created: 2025-07-19 Last update: 2025-07-19 23:58

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-7394: In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report.

Created: 2025-07-19 Last update: 2025-07-19 23:58

13 security issues in bullseye high

There are 13 open security issues in bullseye.

1 important issue:

CVE-2025-7394: In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report.

12 issues postponed or untriaged:

CVE-2023-6936: (needs triaging) In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging).
CVE-2023-6937: (needs triaging) wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating.
CVE-2024-0901: (needs triaging) Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malformed packet with the correct length.
CVE-2024-1543: (postponed; to be fixed through a stable update) The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to break the cache-line-level protection. For details on the attack refer to: https://doi.org/10.46586/tches.v2024.i1.457-500
CVE-2024-1544: (postponed; to be fixed through a stable update) Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits.
CVE-2024-1545: (postponed; to be fixed through a stable update) Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure.
CVE-2024-2881: (postponed; to be fixed through a stable update) Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure.
CVE-2024-5288: (postponed; to be fixed through a stable update) An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure. When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with private ECC keys, such as in server-side TLS connections, the connection is halted if any fault occurs. The success rate in a certain amount of connection requests can be processed via an advanced technique for ECDSA key recovery.
CVE-2024-5814: (postponed; to be fixed through a stable update) A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500
CVE-2024-5991: (postponed; to be fixed through a stable update) In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0.
CVE-2022-34293: (needs triaging) wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped.
CVE-2022-38152: (needs triaging) An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses the initial struct WOLFSSL. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello (that resumes the previous session) crashes the server. Note that this bug is only triggered when resuming sessions using TLS session resumption. Only servers that use wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence are affected. Furthermore, wolfSSL_clear is part of wolfSSL's compatibility layer and is not enabled by default. It is not part of wolfSSL's native API.

Created: 2025-07-19 Last update: 2025-07-19 23:58

11 security issues in bookworm high

There are 11 open security issues in bookworm.

1 important issue:

CVE-2025-7394: In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report.

10 issues left for the package maintainer to handle:

CVE-2023-6936: (needs triaging) In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging).
CVE-2023-6937: (needs triaging) wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating.
CVE-2024-0901: (needs triaging) Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malformed packet with the correct length.
CVE-2024-1543: (needs triaging) The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to break the cache-line-level protection. For details on the attack refer to: https://doi.org/10.46586/tches.v2024.i1.457-500
CVE-2024-1544: (needs triaging) Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits.
CVE-2024-1545: (needs triaging) Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure.
CVE-2024-2881: (needs triaging) Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure.
CVE-2024-5288: (needs triaging) An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure. When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with private ECC keys, such as in server-side TLS connections, the connection is halted if any fault occurs. The success rate in a certain amount of connection requests can be processed via an advanced technique for ECDSA key recovery.
CVE-2024-5814: (needs triaging) A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500
CVE-2024-5991: (needs triaging) In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-12-23 Last update: 2025-07-19 23:58

lintian reports 1 error high

Lintian reports 1 error about this package. You should make the package lintian clean getting rid of them.

Created: 2024-09-24 Last update: 2024-09-24 00:02

debian/patches: 2 patches to forward upstream low

Among the 6 debian patches available in version 5.7.2-0.1 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2024-09-23 18:35

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.1).

Created: 2022-12-17 Last update: 2025-02-27 13:25

news

[rss feed]

[2024-09-25] wolfssl 5.7.2-0.1 MIGRATED to testing (Debian testing watch)
[2024-09-23] Accepted wolfssl 5.7.2-0.1 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2024-05-05] wolfssl 5.7.0-0.3 MIGRATED to testing (Debian testing watch)
[2024-05-03] Accepted wolfssl 5.7.0-0.3 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2024-05-02] Accepted wolfssl 5.7.0-0.2 (source) into experimental (Bastian Germann) (signed by: bage@debian.org)
[2024-04-26] wolfssl 5.6.6-1.3 MIGRATED to testing (Debian testing watch)
[2024-04-08] Accepted wolfssl 5.7.0-0.1 (source) into experimental (Bastian Germann) (signed by: bage@debian.org)
[2024-02-29] Accepted wolfssl 5.6.6-1.3 (source) into unstable (Steve Langasek)
[2024-02-04] Accepted wolfssl 5.6.6-1.3~exp1 (source) into experimental (Steve Langasek)
[2024-01-15] Accepted wolfssl 5.5.4-2+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: bage@debian.org)
[2023-12-30] wolfssl 5.6.6-1.2 MIGRATED to testing (Debian testing watch)
[2023-12-27] Accepted wolfssl 5.6.6-1.2 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2023-12-26] Accepted wolfssl 4.6.0+p1-0+deb11u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: bage@debian.org)
[2023-12-23] Accepted wolfssl 5.6.6-1.1 (source) into experimental (Bastian Germann) (signed by: bage@debian.org)
[2023-12-22] Accepted wolfssl 5.6.6-1 (source i386) into experimental (Debian FTP Masters) (signed by: bage@debian.org)
[2023-11-15] wolfssl 5.6.4-2 MIGRATED to testing (Debian testing watch)
[2023-11-13] Accepted wolfssl 5.6.4-2 (source) into unstable (Jacob Barthelmeh) (signed by: bage@debian.org)
[2023-11-05] Accepted wolfssl 5.6.4-1 (source amd64) into experimental (Debian FTP Masters) (signed by: bage@debian.org)
[2023-11-01] Accepted wolfssl 5.5.4-2~bpo11+1 (source) into bullseye-backports (Debian FTP Masters) (signed by: bage@debian.org)
[2023-10-26] wolfssl 5.5.4-2.1 MIGRATED to testing (Debian testing watch)
[2023-10-23] Accepted wolfssl 5.5.4-2.1 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2023-02-09] wolfssl 5.5.4-2 MIGRATED to testing (Debian testing watch)
[2023-02-06] Accepted wolfssl 5.5.4-2 (source) into unstable (Felix Lechner)
[2022-12-30] wolfssl 5.5.4-1 MIGRATED to testing (Debian testing watch)
[2022-12-27] Accepted wolfssl 5.5.4-1 (source) into unstable (Felix Lechner)
[2022-11-19] Accepted wolfssl 5.5.3-3~bpo11+1 (source amd64) into bullseye-backports (Debian FTP Masters) (signed by: Felix Lechner)
[2022-11-14] wolfssl 5.5.3-3 MIGRATED to testing (Debian testing watch)
[2022-11-11] Accepted wolfssl 5.5.3-3 (source) into unstable (Felix Lechner)
[2022-11-10] Accepted wolfssl 5.5.3-2 (source) into unstable (Felix Lechner)
[2022-11-10] Accepted wolfssl 5.5.3-1 (source amd64) into unstable (Debian FTP Masters) (signed by: Felix Lechner)

bugs [bug history graph]

all: 2
RC: 0
I&N: 1
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (1, 0)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.7.2-0.1