Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.4.0

From: Peter Korsgaard <peter@korsgaard.com>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Sergio Prado <sergio.prado@e-labworks.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.4.0
Date: Thu, 15 Sep 2022 00:14:58 +0200	[thread overview]
Message-ID: <87o7vhob6l.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20220808081141.582053-1-fontaine.fabrice@gmail.com> (Fabrice Fontaine's message of "Mon, 8 Aug 2022 10:11:41 +0200")

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix the following vulnerabilities:
 >  - [High] Potential for DTLS DoS attack. In wolfSSL versions before
 >    5.4.0 the return-routability check is wrongly skipped in a specific
 >    edge case. The check on the return-routability is there for stopping
 >    attacks that either consume excessive resources on the server, or try
 >    to use the server as an amplifier sending an excessive amount of
 >    messages to a victim IP. If using DTLS 1.0/1.2 on the server side
 >    users should update to avoid the potential DoS attack. CVE-2022-34293
 >  - [Medium] Ciphertext side channel attack on ECC and DH operations.
 >    Users on systems where rogue agents can monitor memory use should
 >    update the version of wolfSSL and change private ECC keys.

 > https://github.com/wolfSSL/wolfssl/releases/tag/v5.4.0-stable
 > https://www.wolfssl.com/docs/security-vulnerabilities/

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.05.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot