Source: wolfssl
Version: 5.0.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/wolfSSL/wolfssl/pull/4710
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for wolfssl.

CVE-2022-23408[0]:
| wolfSSL 5.x before 5.1.1 uses non-random IV values in certain
| situations. This affects connections (without AEAD) using AES-CBC or
| DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of
| misplaced memory initialization in BuildMessage in internal.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-23408
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23408
[1] https://github.com/wolfSSL/wolfssl/pull/4710
[2] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
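Added example (not part of this report, not wolfSSL's code, and not the change in PR #4710): a Go program, using only the standard library, that models the bug class the CVE text names. buildRecord, ivIsZero, leaksEquality, sampleKey and samplePlaintext are hypothetical names, and the "misplaced memory initialization" is modeled as a clear of the record buffer that runs after the per-record IV has been drawn. It shows why the CVE matters for TLS 1.1/1.2 CBC records: with the explicit IV zeroed, two records carrying the same plaintext are byte-identical on the wire, which a passive observer can see; with a fresh random IV they are not. The ivIsZero check is the kind of assertion a test suite can run over captured records.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"log"
)

// Constructed sample inputs (not real traffic): a fixed AES-256 key and a
// plaintext that a passive observer would like to recognise when repeated.
var (
	sampleKey       = []byte("0123456789abcdef0123456789abcdef")
	samplePlaintext = []byte("GET /account HTTP/1.1\r\nCookie: session=abc\r\n")
)

// buildRecord models the TLS 1.1/1.2 CBC record layout (explicit per-record
// IV followed by the CBC-encrypted payload). It is a hypothetical sketch of
// the bug class named in the CVE text, not wolfSSL's BuildMessage.
// With zeroAfterIV set, the output buffer is cleared after the IV has been
// drawn, i.e. the memory initialization is misplaced, so the IV sent on the
// wire is all zeros and identical for every record.
func buildRecord(key, plaintext []byte, zeroAfterIV bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()

	// Zero-pad to a block multiple. Real TLS uses its own padding scheme;
	// padding is not the point of this example.
	padded := make([]byte, (len(plaintext)+bs-1)/bs*bs)
	copy(padded, plaintext)

	out := make([]byte, bs+len(padded))
	iv := out[:bs]
	if _, err := rand.Read(iv); err != nil { // correct: fresh random IV
		return nil, err
	}
	if zeroAfterIV {
		// Bug model: a clear of the record buffer that should have happened
		// before the IV was drawn runs after it and wipes the IV.
		for i := range out {
			out[i] = 0
		}
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[bs:], padded)
	return out, nil
}

// ivIsZero is the check a test harness can apply to a captured CBC record
// from a TLS 1.1+ connection: an all-zero explicit IV is a red flag.
func ivIsZero(record []byte, bs int) bool {
	return len(record) >= bs && bytes.Equal(record[:bs], make([]byte, bs))
}

// leaksEquality encrypts the same plaintext twice under the same key and
// reports whether the two records are byte-identical. With a fresh random IV
// per record this is essentially never true; with a fixed IV it always is,
// which is what lets a passive observer spot repeated plaintext.
func leaksEquality(key, plaintext []byte, zeroAfterIV bool) (bool, error) {
	r1, err := buildRecord(key, plaintext, zeroAfterIV)
	if err != nil {
		return false, err
	}
	r2, err := buildRecord(key, plaintext, zeroAfterIV)
	if err != nil {
		return false, err
	}
	return bytes.Equal(r1, r2), nil
}

func main() {
	for _, buggy := range []bool{true, false} {
		rec, err := buildRecord(sampleKey, samplePlaintext, buggy)
		if err != nil {
			log.Fatal(err)
		}
		leak, err := leaksEquality(sampleKey, samplePlaintext, buggy)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("misplaced init=%v  zero IV=%v  identical records=%v\n",
			buggy, ivIsZero(rec, aes.BlockSize), leak)
	}
}
```

Run with `go run`: the first output line (buggy ordering) reports a zero IV and identical records, the second (correct ordering) reports neither. The same equality test, applied to records captured from a real TLS 1.1/1.2 CBC connection, is a cheap way to confirm a fixed build actually sends fresh IVs.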