Hi Salvatore,

Thank you for your email. I would like to package the new version but 3.10.2 was not signed on GitHub. (Upstream recently added those signatures for us.)

The more recent release actually fixes two additional vulnerabilities, with one being more serious. Details are in [0] and replicated in part here:

This release of wolfSSL fixes 2 low and 1 medium level security vulnerability.

Low level fix of buffer overflow for when loading in a malformed temporary DH file. Thanks to Yueh-Hsun Lin and Peng Li from KNOX Security, Samsung Research America for the report.

Medium level fix for processing of OCSP response. If using OCSP without hard faults enforced and no alternate revocation checks like OCSP stapling then it is recommended to update.

Low level fix for potential cache attack on RSA operations. If using wolfSSL RSA on a server that other users can have access to monitor the cache, then it is recommended to update wolfSSL. Thanks to Andreas Zankl, Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the initial report.

I will wait with packaging until the release is signed, which may be after the weekend. Meanwhile, you are welcome to file reports for the other vulnerabilities. Did MITRE have them too?

Thank you!

Best regards,
Felix

[0] https://github.com/wolfSSL/wolfssl/releases/tag/v3.10.2-stable

On Sat, Feb 25, 2017 at 2:27 AM, Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: wolfssl
> Version: 3.9.10+dfsg-1
> Severity: grave
> Tags: upstream security patch fixed-upstream
>
> Hi,
>
> the following vulnerability was published for wolfssl.
>
> CVE-2017-6076[0]:
> | In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes
> | it easier to extract RSA key information for a malicious user who has
> | access to view cache on a machine.
>
> From the release notes:
>
> Low level fix for potential cache attack on RSA operations. If using
> wolfSSL RSA on a server that other users can have access to monitor
> the cache, then it is recommended to update wolfSSL. Thanks to Andreas
> Zankl, Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the
> initial report.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-6076
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6076
> [1] https://github.com/wolfSSL/wolfssl/commit/345df93978c41da1ac8047a37f1fed5286883d8d
> [2] https://github.com/wolfSSL/wolfssl/pull/674
>
> Regards,
> Salvatore