Source: wolfssl
Version: 5.2.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for wolfssl.

CVE-2022-42961[0]:
| An issue was discovered in wolfSSL before 5.5.0. A fault injection
| attack on RAM via Rowhammer leads to ECDSA key disclosure. Users
| performing signing operations with private ECC keys, such as in
| server-side TLS connections, might leak faulty ECC signatures. These
| signatures can be processed via an advanced technique for ECDSA key
| recovery. (In 5.5.0 and later, WOLFSSL_CHECK_SIG_FAULTS can be used to
| address the vulnerability.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-42961
    https://www.cve.org/CVERecord?id=CVE-2022-42961

Regards,
Salvatore
