Hi Felix, Sorry for the late reply!
On Sat, Feb 25, 2017 at 08:10:22AM -0800, Felix Lechner wrote:
> Hi Salvatore,
>
> Thank you for your email. I would like to package the new version but
> 3.10.2 was not signed on GitHub. (Upstream recently added those signatures
> for us.) The more recent release actually fixes two additional
> vulnerabilities, with one being more serious. Details are in [0] and
> replicated in part here:

To have the fixes in stretch, at this point of the release I suspect we
will need to have them cherry-picked. Otherwise I think the release team
will not ack it to unblock.

> > This release of wolfSSL fixes 2 low and 1 medium level security
> > vulnerability.
> >
> > Low level fix of buffer overflow for when loading in a malformed temporary
> > DH file. Thanks to Yueh-Hsun Lin and Peng Li from KNOX Security, Samsung
> > Research America for the report.
> >
> > Medium level fix for processing of OCSP response. If using OCSP without
> > hard faults enforced and no alternate revocation checks like OCSP stapling
> > then it is recommended to update.
> >
> > Low level fix for potential cache attack on RSA operations. If using
> > wolfSSL RSA on a server that other users can have access to monitor the
> > cache, then it is recommended to update wolfSSL. Thanks to Andreas Zankl,
> > Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the initial report.
>
> I will wait with packaging until the release is signed, which may be after
> the weekend. Meanwhile, you are welcome to file reports for the other
> vulnerabilities. Did MITRE have them too? Thank you!

Alright, thanks for the information. I will check later today if I find
if CVEs were already assigned. Will come back to you if I have some
questions!

Regards and thanks for your work!

Salvatore