Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id
<ee4c0876608d99eb3f8b333b556fbd92e7a652eb.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1110813,
regarding bookworm-pu: package wolfssl/5.5.4-2+deb12u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1110813: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110813
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:wolfssl
User: [email protected]
Usertags: pu
[ Reason ]
Fix for CVE-2025-7394. The Security Team does not support wolfssl
officially.
[ Impact ]
Users are vulnerable for CVE-2025-7394.
[ Tests ]
None.
[ Risks ]
Trivial codechange by upstream.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in oldstable
[x] the issue is verified as fixed in unstable
[ Changes ]
Additional random reseed.
[ Other info ]
I have NMUed the package to fix this.
diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog
--- wolfssl-5.5.4/debian/changelog 2023-10-23 19:46:16.000000000 +0200
+++ wolfssl-5.5.4/debian/changelog 2025-08-11 10:16:46.000000000 +0200
@@ -1,3 +1,10 @@
+wolfssl (5.5.4-2+deb12u2) bookworm; urgency=medium
+
+ * Stable update to address the following vulnerabilities:
+ - Fix CVE-2025-7394. (Closes: #1109549)
+
+ -- Bastian Germann <[email protected]> Mon, 11 Aug 2025 10:16:46 +0200
+
wolfssl (5.5.4-2+deb12u1) bookworm; urgency=medium
* Stable update to address the following vulnerabilities:
diff -Nru wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch
wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch
--- wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch 1970-01-01
01:00:00.000000000 +0100
+++ wolfssl-5.5.4/debian/patches/CVE-2025-7394.patch 2025-08-04
17:57:05.000000000 +0200
@@ -0,0 +1,42 @@
+From 0c12337194ee6dd082f082f0ccaed27fc4ee44f5 Mon Sep 17 00:00:00 2001
+From: Josh Holtrop <[email protected]>
+Date: Thu, 5 Jun 2025 19:48:34 -0400
+Subject: [PATCH] Reseed DRBG in RAND_poll()
+
+---
+ src/ssl.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/src/ssl.c b/src/ssl.c
+index 80e55cf865..26c6c9fe67 100644
+--- a/src/ssl.c
++++ b/src/ssl.c
+@@ -26041,11 +26041,25 @@ int wolfSSL_RAND_poll(void)
+ return WOLFSSL_FAILURE;
+ }
+ ret = wc_GenerateSeed(&globalRNG.seed, entropy, entropy_sz);
+- if (ret != 0){
++ if (ret != 0) {
+ WOLFSSL_MSG("Bad wc_RNG_GenerateBlock");
+ ret = WOLFSSL_FAILURE;
+- }else
+- ret = WOLFSSL_SUCCESS;
++ }
++ else {
++#ifdef HAVE_HASHDRBG
++ ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz);
++ if (ret != 0) {
++ WOLFSSL_MSG("Error reseeding DRBG");
++ ret = WOLFSSL_FAILURE;
++ }
++ else {
++ ret = WOLFSSL_SUCCESS;
++ }
++#else
++ WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set");
++ ret = WOLFSSL_FAILURE;
++#endif
++ }
+
+ return ret;
+ }
diff -Nru wolfssl-5.5.4/debian/patches/series
wolfssl-5.5.4/debian/patches/series
--- wolfssl-5.5.4/debian/patches/series 2023-10-23 19:46:16.000000000 +0200
+++ wolfssl-5.5.4/debian/patches/series 2025-08-11 10:15:23.000000000 +0200
@@ -5,3 +5,4 @@
disable-crl-monitor.patch
disable-jobserver.patch
cve-2023-3724.patch
+CVE-2025-7394.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12
Hi,
Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.
Regards,
Adam
--- End Message ---
