Your message dated Thu, 10 Feb 2022 19:04:15 +0000
with message-id <e1niejn-0003kr...@fasolo.debian.org>
and subject line Bug#1004181: fixed in wolfssl 5.1.1-1
has caused the Debian Bug report #1004181,
regarding wolfssl: CVE-2022-23408
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1004181: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004181
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wolfssl
Version: 5.0.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/wolfSSL/wolfssl/pull/4710
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for wolfssl.
CVE-2022-23408[0]:
| wolfSSL 5.x before 5.1.1 uses non-random IV values in certain
| situations. This affects connections (without AEAD) using AES-CBC or
| DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of
| misplaced memory initialization in BuildMessage in internal.c.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-23408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23408
[1] https://github.com/wolfSSL/wolfssl/pull/4710
[2] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: wolfssl
Source-Version: 5.1.1-1
Done: Felix Lechner <felix.lech...@lease-up.com>
We believe that the bug you reported is fixed in the latest version of
wolfssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1004...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Lechner <felix.lech...@lease-up.com> (supplier of updated wolfssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 10 Feb 2022 10:35:24 -0800
Source: wolfssl
Architecture: source
Version: 5.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Felix Lechner <felix.lech...@lease-up.com>
Changed-By: Felix Lechner <felix.lech...@lease-up.com>
Closes: 1004181
Changes:
wolfssl (5.1.1-1) unstable; urgency=medium
.
* New upstream release. (Closes: #1004181)
* Fixes CVE-2022-23408: "non-random IV values in certain situations"
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---