Your message dated Tue, 15 Sep 2020 20:48:59 +0000
with message-id <e1kihsp-0002ja...@fasolo.debian.org>
and subject line Bug#969663: fixed in wolfssl 4.5.0+dfsg-1
has caused the Debian Bug report #969663,
regarding wolfssl: CVE-2020-12457 CVE-2020-15309 CVE-2020-24585 CVE-2020-24613
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
969663: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969663
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wolfssl
Version: 4.4.0+dfsg-7
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for wolfssl.
CVE-2020-12457[0]:
| An issue was discovered in wolfSSL before 4.5.0. It mishandles the
| change_cipher_spec (CCS) message processing logic for TLS 1.3. If an
| attacker sends ChangeCipherSpec messages in a crafted way involving
| more than one in a row, the server becomes stuck in the ProcessReply()
| loop, i.e., a denial of service.
CVE-2020-15309[1]:
| An issue was discovered in wolfSSL before 4.5.0, when single precision
| is not employed. Local attackers can conduct a cache-timing attack
| against public key operations. These attackers may already have
| obtained sensitive information if the affected system has been used
| for private key operations (e.g., signing with a private key).
CVE-2020-24585[2]:
| An issue was discovered in the DTLS handshake implementation in
| wolfSSL before 4.5.0. Clear DTLS application_data messages in epoch 0
| do not produce an out-of-order error. Instead, these messages are
| returned to the application.
CVE-2020-24613[3]:
| wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the
| WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c.
| This is an incorrect implementation of the TLS 1.3 client state
| machine. This allows attackers in a privileged network position to
| completely impersonate any TLS 1.3 servers, and read or modify
| potentially sensitive information between clients using the wolfSSL
| library and these TLS servers.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-12457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12457
[1] https://security-tracker.debian.org/tracker/CVE-2020-15309
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15309
[2] https://security-tracker.debian.org/tracker/CVE-2020-24585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24585
[3] https://security-tracker.debian.org/tracker/CVE-2020-24613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24613
Regards,
Salvatore
--- End Message ---
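To make the DTLS point in CVE-2020-24585 concrete, here is an added record-layer check written for this page (an illustration, not wolfSSL's own code): it parses a DTLS 1.2 record header per RFC 6347 and refuses application_data arriving in epoch 0, the cleartext handshake epoch, instead of passing it to the application. The sample records are constructed inline; the function and constant names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* DTLS 1.2 record header (RFC 6347 section 4.1) is 13 bytes:
 * type(1) version(2) epoch(2) sequence_number(6) length(2). */
#define DTLS_HDR_LEN 13
enum { CT_CCS = 20, CT_ALERT = 21, CT_HANDSHAKE = 22, CT_APP_DATA = 23 };
enum { REC_ACCEPT = 0, REC_BAD_HEADER = -1, REC_OUT_OF_ORDER = -2 };

struct dtls_hdr { uint8_t type; uint16_t version, epoch, len; uint64_t seq; };

static int parse_dtls_hdr(const uint8_t *buf, size_t buflen, struct dtls_hdr *h) {
    if (buflen < DTLS_HDR_LEN) return -1;           /* never read past the buffer */
    h->type = buf[0];
    h->version = (uint16_t)((buf[1] << 8) | buf[2]);
    h->epoch = (uint16_t)((buf[3] << 8) | buf[4]);
    h->seq = 0;
    for (int i = 0; i < 6; i++) h->seq = (h->seq << 8) | buf[5 + i];
    h->len = (uint16_t)((buf[11] << 8) | buf[12]);
    return ((size_t)h->len + DTLS_HDR_LEN <= buflen) ? 0 : -1; /* fragment must fit */
}

/* Epoch 0 carries the cleartext handshake: no keys are in use yet, so an
 * application_data record there is unauthenticated and must be reported as
 * out of order, never delivered (the check the CVE text describes as missing).
 * Any record from an epoch other than the current one is also flagged; a full
 * stack may instead buffer records from the next epoch. */
int check_dtls_record(const uint8_t *buf, size_t buflen, uint16_t cur_epoch) {
    struct dtls_hdr h;
    if (parse_dtls_hdr(buf, buflen, &h) != 0) return REC_BAD_HEADER;
    if (h.type == CT_APP_DATA && h.epoch == 0) return REC_OUT_OF_ORDER;
    if (h.epoch != cur_epoch) return REC_OUT_OF_ORDER;
    return REC_ACCEPT;
}

/* Constructed sample record (not captured traffic): header plus a dummy fragment. */
static size_t make_record(uint8_t *out, uint8_t type, uint16_t epoch, uint64_t seq, uint16_t len) {
    out[0] = type; out[1] = 0xfe; out[2] = 0xfd;              /* DTLS 1.2 version {254,253} */
    out[3] = (uint8_t)(epoch >> 8); out[4] = (uint8_t)epoch;
    for (int i = 0; i < 6; i++) out[5 + i] = (uint8_t)(seq >> (8 * (5 - i)));
    out[11] = (uint8_t)(len >> 8); out[12] = (uint8_t)len;
    memset(out + DTLS_HDR_LEN, 'A', len);
    return DTLS_HDR_LEN + len;
}

/* Receiver still in epoch 0 (mid-handshake) sees cleartext application_data: rejected. */
int demo_epoch0_appdata(void) { uint8_t r[64]; size_t n = make_record(r, CT_APP_DATA, 0, 1, 5); return check_dtls_record(r, n, 0); }
/* Same receiver sees a handshake record: accepted. */
int demo_epoch0_handshake(void) { uint8_t r[64]; size_t n = make_record(r, CT_HANDSHAKE, 0, 1, 5); return check_dtls_record(r, n, 0); }
/* After the handshake, application_data in epoch 1 is accepted. */
int demo_epoch1_appdata(void) { uint8_t r[64]; size_t n = make_record(r, CT_APP_DATA, 1, 1, 5); return check_dtls_record(r, n, 1); }
```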
--- Begin Message ---
Source: wolfssl
Source-Version: 4.5.0+dfsg-1
Done: Felix Lechner <felix.lech...@lease-up.com>
We believe that the bug you reported is fixed in the latest version of
wolfssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 969...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Lechner <felix.lech...@lease-up.com> (supplier of updated wolfssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 15 Sep 2020 12:49:03 -0700
Source: wolfssl
Architecture: source
Version: 4.5.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Felix Lechner <felix.lech...@lease-up.com>
Changed-By: Felix Lechner <felix.lech...@lease-up.com>
Closes: 969370 969663
Changes:
wolfssl (4.5.0+dfsg-1) unstable; urgency=medium
.
* New upstream release; fixes CVE-2020-12457, CVE-2020-15309, CVE-2020-24585, CVE-2020-24613. (Closes: #969663)
* Enable PKCS#11 support in d/rules. (Closes: #969370).
* Remove patches submitted upstream and accepted:
- rename-hash-type.patch
- rename-validate-date-function.patch
* Remove patches previously cherry-picked from the unreleased Git:
- b07dfa425dc9416c4188830e79fd26.patch
- c8b87eab5f2fe2ae2c3527bbfb33db6ed8b55999.patch
* Refresh remaining Debian patches.
* Marked the following patches as not needing forwarding to upstream:
- dfsg.patch
- disable-crl-monitor.patch
- disable-jobserver.patch
* Marked utf8.patch as forwarded; included URL for Github pull request.
--- End Message ---