Your message dated Mon, 23 Sep 2024 10:37:58 +0000
with message-id <e1ssgs6-009gc2...@fasolo.debian.org>
and subject line Bug#1081791: fixed in wolfssl 5.7.2-0.1
has caused the Debian Bug report #1081791,
regarding wolfssl: CVE-2024-5814
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1081791: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081791
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wolfssl
Version: 5.7.0-0.3
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/wolfSSL/wolfssl/pull/7619
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for wolfssl.
CVE-2024-5814[0]:
| A malicious TLS1.2 server can force a TLS1.3 client with downgrade
| capability to use a ciphersuite that it did not agree to and achieve
| a successful connection. This is because, aside from the extensions,
| the client was skipping fully parsing the server hello.
| https://doi.org/10.46586/tches.v2024.i1.457-500
Note, I'm filing this with RC severity as all the recent uploads were
done as NMUs. Is wolfssl right now OK to be released for the upcoming
trixie, or do we need to keep it out?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-5814
https://www.cve.org/CVERecord?id=CVE-2024-5814
[1] https://github.com/wolfSSL/wolfssl/pull/7619
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
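The CVE text above describes a client that validated the ServerHello extensions but did not fully parse the fixed fields before them, so a TLS 1.2 server could name a cipher suite the client never offered and still complete the handshake. The defensive property a client needs is simple to state: every field of the ServerHello is bounds-checked, and the selected cipher suite must be one the client actually sent. The following is an added illustration of that check, written for this page; it is not wolfSSL code and not the fix in pull request 7619. All names (`parse_server_hello`, `run_case`, the `sh_result` codes) are hypothetical, and the ServerHello bytes are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of ServerHello validation (hypothetical names, not wolfSSL's API). */
enum sh_result {
    SH_OK = 0,
    SH_ERR_TRUNCATED,          /* a length field points past the buffer */
    SH_ERR_MALFORMED,          /* a field violates the RFC bounds */
    SH_ERR_BAD_VERSION,        /* legacy_version is not 0x0303 */
    SH_ERR_SUITE_NOT_OFFERED,  /* server picked a suite the client never sent */
    SH_ERR_BAD_COMPRESSION,    /* compression_method is not null (0) */
    SH_ERR_TRAILING_DATA       /* bytes left over after the extensions block */
};

struct server_hello {
    uint16_t version;
    uint8_t random[32];
    uint8_t session_id_len;
    uint16_t cipher_suite;
    uint8_t compression;
    const uint8_t *extensions;   /* points into the caller's buffer */
    size_t extensions_len;
};

/* Cipher suites this constructed client offered in its ClientHello. */
static const uint16_t kOffered[] = { 0x1301, 0x1302, 0xC02F, 0xC030 };
static const size_t kNumOffered = sizeof kOffered / sizeof kOffered[0];

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static int suite_was_offered(uint16_t suite, const uint16_t *offered, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (offered[i] == suite) return 1;
    return 0;
}

/* Parse the body of a ServerHello (the bytes after the 4-byte handshake
 * header) and check every fixed field, not only the extensions: version,
 * session id bounds, cipher suite membership in the offered list, null
 * compression, and that the extensions length matches exactly. */
enum sh_result parse_server_hello(const uint8_t *buf, size_t len,
                                  const uint16_t *offered, size_t n_offered,
                                  struct server_hello *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof *out);

    if (len < 2 + 32 + 1) return SH_ERR_TRUNCATED;
    out->version = be16(buf); pos += 2;
    /* TLS 1.2 and TLS 1.3 both carry 0x0303 here; 1.3 is signalled through
     * the supported_versions extension, handled by the extension parser. */
    if (out->version != 0x0303) return SH_ERR_BAD_VERSION;
    memcpy(out->random, buf + pos, 32); pos += 32;

    out->session_id_len = buf[pos++];
    if (out->session_id_len > 32) return SH_ERR_MALFORMED;
    if (len - pos < (size_t)out->session_id_len + 2 + 1) return SH_ERR_TRUNCATED;
    pos += out->session_id_len;

    out->cipher_suite = be16(buf + pos); pos += 2;
    if (!suite_was_offered(out->cipher_suite, offered, n_offered))
        return SH_ERR_SUITE_NOT_OFFERED;

    out->compression = buf[pos++];
    if (out->compression != 0) return SH_ERR_BAD_COMPRESSION;

    if (pos == len) return SH_OK;           /* extensions block is optional */
    if (len - pos < 2) return SH_ERR_TRUNCATED;
    size_t ext_len = be16(buf + pos); pos += 2;
    if (ext_len > len - pos) return SH_ERR_TRUNCATED;
    if (ext_len < len - pos) return SH_ERR_TRAILING_DATA;
    out->extensions = buf + pos;
    out->extensions_len = ext_len;
    return SH_OK;
}

/* Build a minimal constructed TLS 1.2 ServerHello body: zero random, empty
 * session id, the given suite, null compression, no extensions (38 bytes). */
size_t build_server_hello(uint8_t *out, size_t cap, uint16_t suite)
{
    if (cap < 38) return 0;
    memset(out, 0, 38);
    out[0] = 0x03; out[1] = 0x03;         /* legacy_version */
    out[35] = (uint8_t)(suite >> 8);      /* out[2..33] random, out[34] sid len */
    out[36] = (uint8_t)suite;
    out[37] = 0x00;                       /* compression_method: null */
    return 38;
}

/* Build a ServerHello for `suite`, optionally truncated to `cut` bytes
 * (0 = no truncation), and run it through the validating parser. */
enum sh_result run_case(uint16_t suite, size_t cut)
{
    uint8_t buf[64];
    struct server_hello sh;
    size_t n = build_server_hello(buf, sizeof buf, suite);
    if (cut && cut < n) n = cut;
    return parse_server_hello(buf, n, kOffered, kNumOffered, &sh);
}

int main(void)
{
    printf("offered suite 0xC02F : %d (0 = ok)\n", run_case(0xC02F, 0));
    printf("unoffered 0x000A     : %d (4 = not offered)\n", run_case(0x000A, 0));
    printf("truncated to 20 bytes: %d (1 = truncated)\n", run_case(0xC02F, 20));
    return 0;
}
```

The membership check against `kOffered` is the line that matters for this CVE: a client that copies the server's suite into its state without it cannot detect a server that picked something else, no matter how carefully it later parses the extensions. Rejecting a mismatched extensions length and any trailing bytes closes the remaining room for a server to smuggle content past a partial parser.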
--- Begin Message ---
Source: wolfssl
Source-Version: 5.7.2-0.1
Done: Bastian Germann <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
wolfssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1081...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Germann <b...@debian.org> (supplier of updated wolfssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 23 Sep 2024 11:52:19 +0200
Source: wolfssl
Architecture: source
Version: 5.7.2-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jacob Barthelmeh <sirkilam...@msn.com>
Changed-By: Bastian Germann <b...@debian.org>
Closes: 1081788 1081789 1081790 1081791
Changes:
wolfssl (5.7.2-0.1) unstable; urgency=medium
.
* Non-maintainer upload.
* New upstream release fixing CVE-2024-1544, CVE-2024-5288, CVE-2024-5814,
and CVE-2024-5991. (Closes: #1081788, #1081789, #1081790, #1081791)
Checksums-Sha1:
d7a19bb4597514df3b64f60588b1587f780e5e36 2007 wolfssl_5.7.2-0.1.dsc
aedbe5dbac4ee1e13600cc2dba68f5eeb867dce8 23591507 wolfssl_5.7.2.orig.tar.gz
d35bd9ca2e9d97bab512a19979d685ad32d78b3c 488 wolfssl_5.7.2.orig.tar.gz.asc
9d2855d1724137317f231d578db5691877caa2d4 34384 wolfssl_5.7.2-0.1.debian.tar.xz
123d3472870bf7bd4aa64cce6df5938b602a6f3f 5485 wolfssl_5.7.2-0.1_source.buildinfo
Checksums-Sha256:
83f2659360bcf97f817592cf5e5f5225aac0a4ada6be3e19413c3a068dbe7343 2007 wolfssl_5.7.2-0.1.dsc
0f2ed82e345b833242705bbc4b08a2a2037a33f7bf9c610efae6464f6b10e305 23591507 wolfssl_5.7.2.orig.tar.gz
0e5c0598631feac357b8252d4839b308606fba5aaba80061eb895e7e755094f7 488 wolfssl_5.7.2.orig.tar.gz.asc
bc1d7b89144d62837970413a80d0d27ebf2f6d282122164835865e0d2cea07c8 34384 wolfssl_5.7.2-0.1.debian.tar.xz
da761deea60c9e73e0f50fd9837ab91881fe60ba491bfadb7a70307838750451 5485 wolfssl_5.7.2-0.1_source.buildinfo
Files:
1c94bc170e5761ff4e561d83b1ab52c5 2007 libs optional wolfssl_5.7.2-0.1.dsc
bc28818fb83b793b6c23987e1b116735 23591507 libs optional wolfssl_5.7.2.orig.tar.gz
d006eee323369aa3ab8871d79c829313 488 libs optional wolfssl_5.7.2.orig.tar.gz.asc
8e98388050fedc2d76e2e2cf42c4dd0c 34384 libs optional wolfssl_5.7.2-0.1.debian.tar.xz
48e2c27d543c08295e4401db7f9b54d6 5485 libs optional wolfssl_5.7.2-0.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=Q9nn
-----END PGP SIGNATURE-----
--- End Message ---