Hi Salvatore,

A version fixing the vulnerability is available on Mentors <https://mentors.debian.net/package/wolfssl>. Please feel free to upload it.

With a new soname version, this upload will go through NEW. Also I am not sure the library will make it into stretch. Currently, no packages depend on it.

In the past, I cooperated with Clint Byrum as a sponsor and copied him on this message. Perhaps he would prefer to upload?

Thank you!

Best regards,
Felix

On Mon, Feb 27, 2017 at 5:14 AM, Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi Felix,
>
> Sorry for the late reply!
>
> On Sat, Feb 25, 2017 at 08:10:22AM -0800, Felix Lechner wrote:
> > Hi Salvatore,
> >
> > Thank you for your email. I would like to package the new version but
> > 3.10.2 was not signed on GitHub. (Upstream recently added those signatures
> > for us.) The more recent release actually fixes two additional
> > vulnerabilities, with one being more serious. Details are in [0] and
> > replicated in part here:
>
> To have the fixes in stretch, at this point of the release I suspect
> we will need to have them cherry-picked. Otherwise I think the release
> team will not ack it to unblock.
>
> > This release of wolfSSL fixes 2 low and 1 medium level security
> > vulnerability.
> >
> > Low level fix of buffer overflow for when loading in a malformed temporary
> > DH file. Thanks to Yueh-Hsun Lin and Peng Li from KNOX Security, Samsung
> > Research America for the report.
> >
> > Medium level fix for processing of OCSP response. If using OCSP without
> > hard faults enforced and no alternate revocation checks like OCSP stapling
> > then it is recommended to update.
> >
> > Low level fix for potential cache attack on RSA operations. If using
> > wolfSSL RSA on a server that other users can have access to monitor the
> > cache, then it is recommended to update wolfSSL. Thanks to Andreas Zankl,
> > Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the initial report.
> >
> > I will wait with packaging until the release is signed, which may be after
> > the weekend. Meanwhile, you are welcome to file reports for the other
> > vulnerabilities. Did MITRE have them too? Thank you!
>
> Alright, thanks for the information. I will check later today if I
> find if CVEs were already assigned. Will come back to you if I have
> some questions!
>
> Regards and thanks for your work!
>
> Salvatore