[Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.6.4

[Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.6.4

[Fabrice Fontaine]

[Medium] A fix was added, but still under review for completeness, for a
Bleichenbacher style attack, leading to being able to decrypt a saved
TLS connection and potentially forge a signature after probing with a
large number of trial connections. This issue is around RSA decryption
and affects static RSA cipher suites on the server side, which are not
recommended to be used and are off by default. Static RSA cipher suites
were also removed from the TLS 1.3 protocol and only present in TLS 1.2
and lower. All padding versions of RSA decrypt are affected since the
code under review is outside of the padding processing. Information
about the private keys is NOT compromised in affected code. It's
recommended to disable static RSA cipher suites and update the version
of wolfSSL used if using RSA private decryption alone outside of TLS.

https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.4-stable

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/wolfssl/wolfssl.hash | 2 +-
 package/wolfssl/wolfssl.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash
index 3407586edd..fb5a570de8 100644
--- a/package/wolfssl/wolfssl.hash
+++ b/package/wolfssl/wolfssl.hash
@@ -1,5 +1,5 @@
 # Locally computed:
-sha256  2e74a397fa797c2902d7467d500de904907666afb4ff80f6464f6efd5afb114a  wolfssl-5.6.3.tar.gz
+sha256  031691906794ff45e1e792561cf31759f5d29ac74936bc8dffb8b14f16d820b4  wolfssl-5.6.4.tar.gz
 
 # Hash for license files:
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk
index 9b35a6a84a..17452fdcaf 100644
--- a/package/wolfssl/wolfssl.mk
+++ b/package/wolfssl/wolfssl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-WOLFSSL_VERSION = 5.6.3
+WOLFSSL_VERSION = 5.6.4
 WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
 WOLFSSL_INSTALL_STAGING = YES
 
-- 
2.42.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.6.4

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > [Medium] A fix was added, but still under review for completeness, for a
 > Bleichenbacher style attack, leading to being able to decrypt a saved
 > TLS connection and potentially forge a signature after probing with a
 > large number of trial connections. This issue is around RSA decryption
 > and affects static RSA cipher suites on the server side, which are not
 > recommended to be used and are off by default. Static RSA cipher suites
 > were also removed from the TLS 1.3 protocol and only present in TLS 1.2
 > and lower. All padding versions of RSA decrypt are affected since the
 > code under review is outside of the padding processing. Information
 > about the private keys is NOT compromised in affected code. It's
 > recommended to disable static RSA cipher suites and update the version
 > of wolfSSL used if using RSA private decryption alone outside of TLS.

 > https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.4-stable

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.6.4

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
 >> [Medium] A fix was added, but still under review for completeness, for a
 >> Bleichenbacher style attack, leading to being able to decrypt a saved
 >> TLS connection and potentially forge a signature after probing with a
 >> large number of trial connections. This issue is around RSA decryption
 >> and affects static RSA cipher suites on the server side, which are not
 >> recommended to be used and are off by default. Static RSA cipher suites
 >> were also removed from the TLS 1.3 protocol and only present in TLS 1.2
 >> and lower. All padding versions of RSA decrypt are affected since the
 >> code under review is outside of the padding processing. Information
 >> about the private keys is NOT compromised in affected code. It's
 >> recommended to disable static RSA cipher suites and update the version
 >> of wolfSSL used if using RSA private decryption alone outside of TLS.

 >> https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.4-stable

 >> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

 > Committed, thanks.

Committed to 2023.02.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot