[Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.1

[Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.1

[Fabrice Fontaine]

Denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.
This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.

https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/wolfssl/wolfssl.hash | 2 +-
 package/wolfssl/wolfssl.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash
index f1401e4cda..3849ffb9fc 100644
--- a/package/wolfssl/wolfssl.hash
+++ b/package/wolfssl/wolfssl.hash
@@ -1,5 +1,5 @@
 # Locally computed:
-sha256  c34b74b5f689fac7becb05583b044e84d3b10d39f38709f0095dd5d423ded67f  wolfssl-5.5.0.tar.gz
+sha256  97339e6956c90e7c881ba5c748dd04f7c30e5dbe0c06da765418c51375a6dee3  wolfssl-5.5.1.tar.gz
 
 # Hash for license files:
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk
index ca360312c9..95d4f47952 100644
--- a/package/wolfssl/wolfssl.mk
+++ b/package/wolfssl/wolfssl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-WOLFSSL_VERSION = 5.5.0
+WOLFSSL_VERSION = 5.5.1
 WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
 WOLFSSL_INSTALL_STAGING = YES
 
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.1

[Yann E. MORIN]

Fabrice, All,

On 2022-09-28 23:36 +0200, Fabrice Fontaine spake thusly:
> Denial of service attack and buffer overflow against TLS 1.3
> servers using session ticket resumption. When built with
> --enable-session-ticket and making use of TLS 1.3 server code in
> wolfSSL, there is the possibility of a malicious client to craft a
> malformed second ClientHello packet that causes the server to crash.
> This issue is limited to when using both --enable-session-ticket and TLS
> 1.3 on the server side. Users with TLS 1.3 servers, and having
> --enable-session-ticket, should update to the latest version of wolfSSL.

I see that we are not explicitly using either --enable or
--disable-session-ticket, so what is the default, and were we impacted?

Also, we should have an explicit setting for that, rather than leave it
to chance.

> https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/wolfssl/wolfssl.hash | 2 +-
>  package/wolfssl/wolfssl.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash
> index f1401e4cda..3849ffb9fc 100644
> --- a/package/wolfssl/wolfssl.hash
> +++ b/package/wolfssl/wolfssl.hash
> @@ -1,5 +1,5 @@
>  # Locally computed:
> -sha256  c34b74b5f689fac7becb05583b044e84d3b10d39f38709f0095dd5d423ded67f  wolfssl-5.5.0.tar.gz
> +sha256  97339e6956c90e7c881ba5c748dd04f7c30e5dbe0c06da765418c51375a6dee3  wolfssl-5.5.1.tar.gz
>  
>  # Hash for license files:
>  sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
> diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk
> index ca360312c9..95d4f47952 100644
> --- a/package/wolfssl/wolfssl.mk
> +++ b/package/wolfssl/wolfssl.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -WOLFSSL_VERSION = 5.5.0
> +WOLFSSL_VERSION = 5.5.1
>  WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
>  WOLFSSL_INSTALL_STAGING = YES
>  
> -- 
> 2.35.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.1

[Fabrice Fontaine]

[-- Attachment #1.1: Type: text/plain, Size: 3557 bytes --]

Hi,

Le sam. 1 oct. 2022 à 18:52, Yann E. MORIN <yann.morin.1998@free.fr> a
écrit :

> Fabrice, All,
>
> On 2022-09-28 23:36 +0200, Fabrice Fontaine spake thusly:
> > Denial of service attack and buffer overflow against TLS 1.3
> > servers using session ticket resumption. When built with
> > --enable-session-ticket and making use of TLS 1.3 server code in
> > wolfSSL, there is the possibility of a malicious client to craft a
> > malformed second ClientHello packet that causes the server to crash.
> > This issue is limited to when using both --enable-session-ticket and TLS
> > 1.3 on the server side. Users with TLS 1.3 servers, and having
> > --enable-session-ticket, should update to the latest version of wolfSSL.
>
> I see that we are not explicitly using either --enable or
> --disable-session-ticket, so what is the default, and were we impacted?
>

session-ticket is disabled by default.
Moreover, session-ticket is enabled if nginx, wpas, haproxy or lighty is
enabled (but all of them are disabled).

So, we were not impacted except if the user has explicitly enabled this
option in its own tree.

>
> Also, we should have an explicit setting for that, rather than leave it
> to chance.
>

Why not, but wolfssl has a ton of options, should we also explicitly set
them to false even if they are disabled by default?


>
> > https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> Applied to master, thanks.
>
> Regards,
> Yann E. MORIN.
>
> > ---
> >  package/wolfssl/wolfssl.hash | 2 +-
> >  package/wolfssl/wolfssl.mk   | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash
> > index f1401e4cda..3849ffb9fc 100644
> > --- a/package/wolfssl/wolfssl.hash
> > +++ b/package/wolfssl/wolfssl.hash
> > @@ -1,5 +1,5 @@
> >  # Locally computed:
> > -sha256
> c34b74b5f689fac7becb05583b044e84d3b10d39f38709f0095dd5d423ded67f
> wolfssl-5.5.0.tar.gz
> > +sha256
> 97339e6956c90e7c881ba5c748dd04f7c30e5dbe0c06da765418c51375a6dee3
> wolfssl-5.5.1.tar.gz
> >
> >  # Hash for license files:
> >  sha256
> 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
> > diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk
> > index ca360312c9..95d4f47952 100644
> > --- a/package/wolfssl/wolfssl.mk
> > +++ b/package/wolfssl/wolfssl.mk
> > @@ -4,7 +4,7 @@
> >  #
> >
> ################################################################################
> >
> > -WOLFSSL_VERSION = 5.5.0
> > +WOLFSSL_VERSION = 5.5.1
> >  WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
> >  WOLFSSL_INSTALL_STAGING = YES
> >
> > --
> > 2.35.1
> >
> > _______________________________________________
> > buildroot mailing list
> > buildroot@buildroot.org
> > https://lists.buildroot.org/mailman/listinfo/buildroot
>
> --
>
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics'
> conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___
>      |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is
> no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v
>  conspiracy.  |
>
> '------------------------------^-------^------------------^--------------------'
>

Best Regards,

Fabrice

[-- Attachment #1.2: Type: text/html, Size: 5351 bytes --]

[-- Attachment #2: Type: text/plain, Size: 150 bytes --]

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.1

[Yann E. MORIN]

Fabrice, All,

On 2022-10-01 23:06 +0200, Fabrice Fontaine spake thusly:
> Hi,
> Le sam. 1 oct. 2022 à 18:52, Yann E. MORIN < [1]yann.morin.1998@free.fr> a écrit :
> 
>   Fabrice, All,
> 
>   On 2022-09-28 23:36 +0200, Fabrice Fontaine spake thusly:
>   > Denial of service attack and buffer overflow against TLS 1.3
>   > servers using session ticket resumption. When built with
>   > --enable-session-ticket and making use of TLS 1.3 server code in
>   > wolfSSL, there is the possibility of a malicious client to craft a
>   > malformed second ClientHello packet that causes the server to crash.
>   > This issue is limited to when using both --enable-session-ticket and TLS
>   > 1.3 on the server side. Users with TLS 1.3 servers, and having
>   > --enable-session-ticket, should update to the latest version of wolfSSL.
> 
>   I see that we are not explicitly using either --enable or
>   --disable-session-ticket, so what is the default, and were we impacted?
> 
> session-ticket is disabled by default.
> Moreover, session-ticket is enabled if nginx, wpas, haproxy or lighty is enabled (but all of them are disabled).

I am not sure I grokked that sentence.

> So, we were not impacted except if the user has explicitly enabled this option in its own tree.

OK.

>   Also, we should have an explicit setting for that, rather than leave it
>   to chance.
> 
> Why not, but wolfssl has a ton of options, should we also explicitly set them to false even if they are disabled by default?

Indeed, I just saw how many iot has, so we can't decently have all of
them explicitly stated.

I was ;ostly wondering if adding an explicit --disable-session-ticket
to then add a _IGNORE_CVES, which could be backported, rather than
backporting the version bump, to the stable branches. But since they all
already have 5.5.0, even the LTS, backporting the version bump is
better than adding an explicit --disable.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.1

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Denial of service attack and buffer overflow against TLS 1.3
 > servers using session ticket resumption. When built with
 > --enable-session-ticket and making use of TLS 1.3 server code in
 > wolfSSL, there is the possibility of a malicious client to craft a
 > malformed second ClientHello packet that causes the server to crash.
 > This issue is limited to when using both --enable-session-ticket and TLS
 > 1.3 on the server side. Users with TLS 1.3 servers, and having
 > --enable-session-ticket, should update to the latest version of wolfSSL.

 > https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.08.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot