Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.1

From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Sergio Prado <sergio.prado@e-labworks.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.1
Date: Sun, 2 Oct 2022 11:59:04 +0200	[thread overview]
Message-ID: <20221002095904.GA2517@scaer> (raw)
In-Reply-To: <CAPi7W80PoLx4zqankep5Sv7vgB=t71xLg__BnqzpW-wm40WXdw@mail.gmail.com>

Fabrice, All,

On 2022-10-01 23:06 +0200, Fabrice Fontaine spake thusly:
> Hi,
> Le sam. 1 oct. 2022 à 18:52, Yann E. MORIN < [1]yann.morin.1998@free.fr> a écrit :
> 
>   Fabrice, All,
> 
>   On 2022-09-28 23:36 +0200, Fabrice Fontaine spake thusly:
>   > Denial of service attack and buffer overflow against TLS 1.3
>   > servers using session ticket resumption. When built with
>   > --enable-session-ticket and making use of TLS 1.3 server code in
>   > wolfSSL, there is the possibility of a malicious client to craft a
>   > malformed second ClientHello packet that causes the server to crash.
>   > This issue is limited to when using both --enable-session-ticket and TLS
>   > 1.3 on the server side. Users with TLS 1.3 servers, and having
>   > --enable-session-ticket, should update to the latest version of wolfSSL.
> 
>   I see that we are not explicitly using either --enable or
>   --disable-session-ticket, so what is the default, and were we impacted?
> 
> session-ticket is disabled by default.
> Moreover, session-ticket is enabled if nginx, wpas, haproxy or lighty is enabled (but all of them are disabled).

I am not sure I grokked that sentence.

> So, we were not impacted except if the user has explicitly enabled this option in its own tree.

OK.

>   Also, we should have an explicit setting for that, rather than leave it
>   to chance.
> 
> Why not, but wolfssl has a ton of options, should we also explicitly set them to false even if they are disabled by default?

Indeed, I just saw how many iot has, so we can't decently have all of
them explicitly stated.

I was ;ostly wondering if adding an explicit --disable-session-ticket
to then add a _IGNORE_CVES, which could be backported, rather than
backporting the version bump, to the stable branches. But since they all
already have 5.5.0, even the LTS, backporting the version bump is
better than adding an explicit --disable.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot