Your message dated Fri, 13 Sep 2019 09:10:02 +0000
with message-id <e1i8hac-000csj...@fasolo.debian.org>
and subject line Bug#929468: fixed in wolfssl 4.1.0+dfsg-1
has caused the Debian Bug report #929468,
regarding wolfssl: CVE-2019-11873
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929468: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929468
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wolfssl
Version: 3.15.3+dfsg-2
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for wolfssl.

CVE-2019-11873[0]:
| wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when
| a current identity size is greater than a client identity size. An
| attacker sends a crafted hello client packet over the network to a
| TLSv1.3 wolfSSL server. The length fields of the packet: record
| length, client hello length, total extensions length, PSK extension
| length, total identity length, and identity length contain their
| maximum value which is 2^16. The identity data field of the PSK
| extension of the packet contains the attack data, to be stored in the
| undefined memory (RAM) of the server. The size of the data is about 65
| kB. Possibly the attacker can perform a remote code execution attack.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11873
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11873

Please adjust the affected versions in the BTS as needed; could you
double-check that 3.15.3 is affected?

Regards,
Salvatore

--- End Message ---
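The CVE text above describes a server trusting attacker-supplied length fields (record, ClientHello, extensions, PSK extension, identities vector, identity) that all claim 2^16 while the packet carries only about 65 kB. The defensive pattern is to check every length against the bytes actually present, and the destination buffer, before any of them is used. The following is an added example written for this page; it is not wolfSSL code and does not mirror DoPreSharedKeys. It walks the identities vector of a TLS 1.3 pre_shared_key extension (RFC 8446 section 4.2.11), with the function names, the PSK_ID_MAX_COUNT cap and the sample byte strings all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds-checked walk over the identities vector of a TLS 1.3
 * pre_shared_key extension:
 *
 *   PskIdentity identities<7..2^16-1>;
 *   PskIdentity = { opaque identity<1..2^16-1>; uint32 obfuscated_ticket_age; }
 *
 * Every length field is compared with the bytes still available before it
 * is used, so a header claiming 2^16-1 bytes while the record carries far
 * fewer is rejected instead of being read or copied past the buffer.
 */
#define PSK_ID_MAX_COUNT 16   /* constructed cap for this example */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the number of identities, or -1 on any inconsistency. */
int count_psk_identities(const uint8_t *ext, size_t ext_len)
{
    if (ext_len < 2) return -1;
    uint16_t ids_len = rd16(ext);
    size_t pos = 2;
    /* The vector length must fit inside the extension body we were given. */
    if (ids_len < 7 || (size_t)ids_len > ext_len - pos) return -1;
    size_t end = pos + ids_len;
    int count = 0;
    while (pos < end) {
        if (end - pos < 2) return -1;
        uint16_t id_len = rd16(ext + pos);
        pos += 2;
        /* identity<1..2^16-1> must be non-empty and must leave room for
         * the 4-byte obfuscated_ticket_age that follows it. */
        if (id_len == 0 || (size_t)id_len + 4 > end - pos) return -1;
        pos += (size_t)id_len + 4;
        if (++count > PSK_ID_MAX_COUNT) return -1;
    }
    return pos == end ? count : -1;
}

/* Copies the first identity into a caller-owned buffer of 'cap' bytes.
 * The sender's length is checked against the destination before memcpy,
 * which is the step a length-trusting parser skips. Returns bytes copied
 * or -1. */
int copy_first_psk_identity(const uint8_t *ext, size_t ext_len,
                            uint8_t *out, size_t cap)
{
    if (count_psk_identities(ext, ext_len) < 0) return -1;
    uint16_t id_len = rd16(ext + 2);      /* validated by the walk above */
    if ((size_t)id_len > cap) return -1;  /* would not fit: refuse, do not truncate */
    memcpy(out, ext + 4, id_len);
    return id_len;
}

/* Constructed sample inputs (not captured traffic). */
/* Well-formed: identities "ab" and "xyz", each followed by a ticket age. */
static const uint8_t GOOD_EXT[] = {
    0x00, 0x11,
    0x00, 0x02, 'a', 'b',      0, 0, 0, 1,
    0x00, 0x03, 'x', 'y', 'z', 0, 0, 0, 2,
};
/* Vector length claims 65535 bytes; only 9 follow. */
static const uint8_t BAD_VECTOR_LEN[] = {
    0xFF, 0xFF, 0x00, 0x03, 'a', 'b', 'c', 0, 0, 0, 0,
};
/* Vector length is honest, but the identity length claims 65535 bytes. */
static const uint8_t BAD_IDENTITY_LEN[] = {
    0x00, 0x07, 0xFF, 0xFF, 'a', 'b', 'c', 0, 0,
};

int main(void)
{
    uint8_t buf[8];
    printf("good: %d identities\n", count_psk_identities(GOOD_EXT, sizeof GOOD_EXT));
    printf("bad vector length: %d\n",
           count_psk_identities(BAD_VECTOR_LEN, sizeof BAD_VECTOR_LEN));
    printf("bad identity length: %d\n",
           count_psk_identities(BAD_IDENTITY_LEN, sizeof BAD_IDENTITY_LEN));
    printf("copy into 8 bytes: %d\n",
           copy_first_psk_identity(GOOD_EXT, sizeof GOOD_EXT, buf, sizeof buf));
    printf("copy into 1 byte: %d\n",
           copy_first_psk_identity(GOOD_EXT, sizeof GOOD_EXT, buf, 1));
    return 0;
}
```

The two failure inputs correspond to the two places a length can lie: the outer vector length against the record that contains it, and the per-identity length against both the remaining vector and the buffer it is copied into. A parser that validates only the outer length still copies an oversized identity; checking at every level, and refusing rather than truncating when the destination is too small, is what keeps this class of bug out.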
--- Begin Message ---
Source: wolfssl
Source-Version: 4.1.0+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wolfssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Lechner <felix.lech...@lease-up.com> (supplier of updated wolfssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Sep 2019 15:08:30 -0700
Source: wolfssl
Binary: libwolfssl-dev libwolfssl19 libwolfssl19-dbgsym
Architecture: source amd64
Version: 4.1.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Felix Lechner <felix.lech...@lease-up.com>
Changed-By: Felix Lechner <felix.lech...@lease-up.com>
Description:
 libwolfssl-dev - Development files for the wolfSSL encryption library
 libwolfssl19 - wolfSSL encryption library
Closes: 918952 929468
Changes:
 wolfssl (4.1.0+dfsg-1) unstable; urgency=medium
 .
   * In 'telegram-cli', wolfSSL may have found its first user in Debian
   * Thank you to Liu Ying-Chun <paul...@debian.org> for helping with packaging
   * New upstream release
     - Fixes CVE-2019-11873
       "Buffer Overflow in DoPreSharedKeys in tls13.c"
       (Closes: #929468)
     - Fixed CVE-2018-16870 in 3.15.7
       "Bleichenbacher downgrade attack TLS"
       (Closes: #918952)
   * Bumped library major number to 19
   * Updated shared object symbols
   * Updated Debian patches
   * Bumped Standards-Version to 4.4.0
   * Bumped debhelper compat to 12, via debhelper-compat (= 12) in d/control
   * Excluded resource.h and generated html in d/copyright
   * Updated some end dates in d/copyright
Checksums-Sha1:
 0348351b306a4d6f931243b9223cb633dfab11b3 1859 wolfssl_4.1.0+dfsg-1.dsc
 d22a7c05b8d9e4fb91c628bec172506dc30104fc 3372856 wolfssl_4.1.0+dfsg.orig.tar.xz
 7cd274e02fd79414ab689edee3c60a1b90bb261e 18204 wolfssl_4.1.0+dfsg-1.debian.tar.xz
 46b6a8faa0530c0c93a3fbfd0fc7f9672686c214 766984 libwolfssl-dev_4.1.0+dfsg-1_amd64.deb
 192ac971e49eec57b7eb942aeace2e4f41a0fceb 1567292 libwolfssl19-dbgsym_4.1.0+dfsg-1_amd64.deb
 ee81c72f1a8469e8af4ed7c3de1ec619a46bc242 526684 libwolfssl19_4.1.0+dfsg-1_amd64.deb
 f6018b035c5b9a6fb3418085a6867633e0377be9 6150 wolfssl_4.1.0+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 8538c26901c53e36aad0211361a616dbd59dcca02ab66b42338e0b85bd64141c 1859 wolfssl_4.1.0+dfsg-1.dsc
 a24389413ec02df88c2dee3de4f4751a743f567da92e927f480959934621adc9 3372856 wolfssl_4.1.0+dfsg.orig.tar.xz
 9afc2ce8ac7081ecd7fac32415c34b50037162bfae1f1735ac6b0c50522e98f2 18204 wolfssl_4.1.0+dfsg-1.debian.tar.xz
 7608d137ed570973a81280b3916d5d389efa1da147b6399baae542d2b83f60df 766984 libwolfssl-dev_4.1.0+dfsg-1_amd64.deb
 7aa5d20d81e029023a3fbe594052ead2b2d37275d5c2986d194bd88ecd1716ab 1567292 libwolfssl19-dbgsym_4.1.0+dfsg-1_amd64.deb
 a2a15617dc67c97a2a7f3f6cc8ac8e6c7559e4ce5d6a70020d9ba4d087da4d55 526684 libwolfssl19_4.1.0+dfsg-1_amd64.deb
 b6c21533d1277b4683165c2a59844804f26a18f6f3b9669d0ea8f151d927cc88 6150 wolfssl_4.1.0+dfsg-1_amd64.buildinfo
Files:
 1f0d0f05c4dd3b00b3e33c1e99818942 1859 libs optional wolfssl_4.1.0+dfsg-1.dsc
 2e169d525e1f5824433a5bff828ff3ad 3372856 libs optional wolfssl_4.1.0+dfsg.orig.tar.xz
 839ea662b0ef29fc88a829256b0099a2 18204 libs optional wolfssl_4.1.0+dfsg-1.debian.tar.xz
 b861f7cfb13980bdfdd543e5d25d8dc3 766984 libdevel optional libwolfssl-dev_4.1.0+dfsg-1_amd64.deb
 f13f289323fafa3cd2b14e50202feac4 1567292 debug optional libwolfssl19-dbgsym_4.1.0+dfsg-1_amd64.deb
 0653013f48b0d5dd3fbbdc27fa36b294 526684 libs optional libwolfssl19_4.1.0+dfsg-1_amd64.deb
 adcd38b6f82280cfad3b7c2543257578 6150 libs optional wolfssl_4.1.0+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---