Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.4.0
@ 2022-08-08  8:11 Fabrice Fontaine
From: Fabrice Fontaine @ 2022-08-08  8:11 UTC (permalink / raw)
  To: buildroot; +Cc: Sergio Prado, Fabrice Fontaine

Fix the following vulnerabilities:
 - [High] Potential for DTLS DoS attack. In wolfSSL versions before
   5.4.0 the return-routability check is wrongly skipped in a specific
   edge case. The check on the return-routability is there for stopping
   attacks that either consume excessive resources on the server, or try
   to use the server as an amplifier sending an excessive amount of
   messages to a victim IP. If using DTLS 1.0/1.2 on the server side
   users should update to avoid the potential DoS attack. CVE-2022-34293
 - [Medium] Ciphertext side channel attack on ECC and DH operations.
   Users on systems where rogue agents can monitor memory use should
   update the version of wolfSSL and change private ECC keys.

https://github.com/wolfSSL/wolfssl/releases/tag/v5.4.0-stable
https://www.wolfssl.com/docs/security-vulnerabilities/

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/wolfssl/wolfssl.hash | 2 +-
 package/wolfssl/wolfssl.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash
index 63eebf93bb..01b21596e7 100644
--- a/package/wolfssl/wolfssl.hash
+++ b/package/wolfssl/wolfssl.hash
@@ -1,5 +1,5 @@
 # Locally computed:
-sha256  409b4646c5f54f642de0e9f3544c3b83de7238134f5b1ff93fb44527bf119d05  wolfssl-5.2.0.tar.gz
+sha256  dc36cc19dad197253e5c2ecaa490c7eef579ad448706e55d73d79396e814098b  wolfssl-5.4.0.tar.gz
 
 # Hash for license files:
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
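Review bot: the replacement sha256 for wolfssl-5.4.0.tar.gz sits under "# Locally computed:", so it only records the archive that was downloaded when the patch was prepared; for a security bump, please say in the commit message how that tarball was cross-checked against the v5.4.0-stable tag on GitHub (the release URL the message already cites), so the hash file acts as an independent integrity anchor rather than a note of one download. The unchanged COPYING hash line is fine as long as upstream did not touch the license file between 5.2.0 and 5.4.0.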
diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk
index 58b6f296ab..536fd863fe 100644
--- a/package/wolfssl/wolfssl.mk
+++ b/package/wolfssl/wolfssl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-WOLFSSL_VERSION = 5.2.0
+WOLFSSL_VERSION = 5.4.0
 WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
 WOLFSSL_INSTALL_STAGING = YES
 
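Review bot: WOLFSSL_VERSION moves from 5.2.0 straight to 5.4.0, skipping an intermediate release, while nothing else in the .mk changes; please confirm that the rest of the package definition (not shown in this hunk) still applies to 5.4.0 and that reverse dependencies build against it, and mention that in the commit message, since a version-only bump across two releases can silently carry stale options. WOLFSSL_SITE still resolves to v$(WOLFSSL_VERSION)-stable, which matches the release page cited in the message, so site and version remain consistent.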
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
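The return-routability (cookie) check the commit message describes, as an added illustration that is not wolfSSL's code: a stateless HMAC cookie that a DTLS-style server must see echoed back before it allocates handshake state or sends its large first flight. Class and function names, the message shapes and the addresses are constructed for the example; the `enforce_check=False` path only models what a skipped check costs the server.

```python
import hmac
import hashlib
import secrets


class DtlsServerSketch:
    """Allocates handshake state only after the client echoes a cookie, proving
    it receives packets at its claimed address. Illustration, not wolfSSL code."""

    COOKIE_LEN = 16

    def __init__(self, enforce_check=True):
        self.secret = secrets.token_bytes(32)  # per-instance cookie key
        self.enforce_check = enforce_check     # False models the skipped check
        self.sessions = {}                     # addr -> handshake state
        self.bytes_sent = 0

    def _cookie(self, addr, client_hello):
        # Stateless: HMAC over the claimed address and the hello, so nothing
        # is stored per client before the cookie comes back.
        msg = addr.encode() + b"|" + client_hello
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:self.COOKIE_LEN]

    def client_hello(self, addr, hello, cookie=b""):
        """Return (reply kind, reply bytes); store state only when verified."""
        if self.enforce_check:
            expected = self._cookie(addr, hello)
            if not cookie or not hmac.compare_digest(cookie, expected):
                self.bytes_sent += len(expected)   # small, fixed-size reply
                return "HelloVerifyRequest", expected
        # Reached with a valid cookie, or whenever the check is disabled.
        self.sessions[addr] = {"hello": hello}
        reply = b"ServerHello+Certificate" + b"\x00" * 2000  # constructed flight
        self.bytes_sent += len(reply)
        return "ServerHello", reply


def honest_handshake(server, addr="198.51.100.10:5000"):
    """Legitimate client completing the cookie round trip."""
    hello = b"ClientHello(" + secrets.token_bytes(8) + b")"
    kind, cookie = server.client_hello(addr, hello)
    assert kind == "HelloVerifyRequest"
    kind, _ = server.client_hello(addr, hello, cookie)
    return kind, addr in server.sessions


def unverified_hello(server, addr="203.0.113.7:5000"):
    """Hello from a sender that never echoes the cookie (e.g. a spoofed source).
    Returns (reply kind, state allocated, bytes the server sent in reply)."""
    before = server.bytes_sent
    kind, _ = server.client_hello(addr, b"ClientHello(constructed)")
    return kind, addr in server.sessions, server.bytes_sent - before
```

With the check enforced, an unverified hello costs the server a 16-byte reply and no state; with it skipped, the same packet allocates a session and triggers the full first flight, which is the resource-consumption and amplification exposure the advisory describes.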


* Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.4.0
@ 2022-08-08 20:49 ` Thomas Petazzoni via buildroot
From: Thomas Petazzoni via buildroot @ 2022-08-08 20:49 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Sergio Prado, buildroot

On Mon,  8 Aug 2022 10:11:41 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Fix the following vulnerabilities:
>  - [High] Potential for DTLS DoS attack. In wolfSSL versions before
>    5.4.0 the return-routability check is wrongly skipped in a specific
>    edge case. The check on the return-routability is there for stopping
>    attacks that either consume excessive resources on the server, or try
>    to use the server as an amplifier sending an excessive amount of
>    messages to a victim IP. If using DTLS 1.0/1.2 on the server side
>    users should update to avoid the potential DoS attack. CVE-2022-34293
>  - [Medium] Ciphertext side channel attack on ECC and DH operations.
>    Users on systems where rogue agents can monitor memory use should
>    update the version of wolfSSL and change private ECC keys.
> 
> https://github.com/wolfSSL/wolfssl/releases/tag/v5.4.0-stable
> https://www.wolfssl.com/docs/security-vulnerabilities/
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/wolfssl/wolfssl.hash | 2 +-
>  package/wolfssl/wolfssl.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.4.0
@ 2022-09-14 22:14 ` Peter Korsgaard
From: Peter Korsgaard @ 2022-09-14 22:14 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: Sergio Prado, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix the following vulnerabilities:
 >  - [High] Potential for DTLS DoS attack. In wolfSSL versions before
 >    5.4.0 the return-routability check is wrongly skipped in a specific
 >    edge case. The check on the return-routability is there for stopping
 >    attacks that either consume excessive resources on the server, or try
 >    to use the server as an amplifier sending an excessive amount of
 >    messages to a victim IP. If using DTLS 1.0/1.2 on the server side
 >    users should update to avoid the potential DoS attack. CVE-2022-34293
 >  - [Medium] Ciphertext side channel attack on ECC and DH operations.
 >    Users on systems where rogue agents can monitor memory use should
 >    update the version of wolfSSL and change private ECC keys.

 > https://github.com/wolfSSL/wolfssl/releases/tag/v5.4.0-stable
 > https://www.wolfssl.com/docs/security-vulnerabilities/

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.05.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
