
[1/1] package/wolfssl: security bump to version 5.7.0


Commit Message

Fabrice Fontaine April 7, 2024, 5:07 p.m. UTC
Vulnerabilities
 - [High] CVE-2024-0901 Potential denial of service and out of bounds
   read. Affects TLS 1.3 on the server side when accepting a connection
   from a malicious TLS 1.3 client. If using TLS 1.3 on the server side
   it is recommended to update the version of wolfSSL used.
 - [Med] CVE-2024-1545 Fault Injection vulnerability in
   RsaPrivateDecryption function that potentially allows an attacker
   that has access to the same system as a victim's process to perform
   a Rowhammer fault injection.
 - [Med] Fault injection attack with EdDSA signature operations. This
   affects ed25519 sign operations where the system could be susceptible
   to Rowhammer attacks.

No official tarball provided so switch to github and set autoreconf

https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/wolfssl/wolfssl.hash | 2 +-
 package/wolfssl/wolfssl.mk   | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

Comments

Arnout Vandecappelle April 7, 2024, 7:45 p.m. UTC | #1
On 07/04/2024 19:07, Fabrice Fontaine wrote:
> Vulnerabilities
>   - [High] CVE-2024-0901 Potential denial of service and out of bounds
>     read. Affects TLS 1.3 on the server side when accepting a connection
>     from a malicious TLS 1.3 client. If using TLS 1.3 on the server side
>     it is recommended to update the version of wolfSSL used.
>   - [Med] CVE-2024-1545 Fault Injection vulnerability in
>     RsaPrivateDecryption function that potentially allows an attacker
>     that has access to the same system with a victims process to perform
>     a Rowhammer fault injection.
>   - [Med] Fault injection attack with EdDSA signature operations. This
>     affects ed25519 sign operations where the system could be susceptible
>     to Rowhammer attacks.
> 
> No official tarball provided so switch to github and set autoreconf
> 
> https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
>   package/wolfssl/wolfssl.hash | 2 +-
>   package/wolfssl/wolfssl.mk   | 6 ++++--
>   2 files changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash
> index 59e42e98b9..e705bba9fd 100644
> --- a/package/wolfssl/wolfssl.hash
> +++ b/package/wolfssl/wolfssl.hash
> @@ -1,5 +1,5 @@
>   # Locally computed:
> -sha256  75aaafe3b8c776d1ac417288116c8d444115f9fac5acb382a39a7d163dfd618d  wolfssl-5.6.6.tar.gz
> +sha256  2de93e8af588ee856fe67a6d7fce23fc1b226b74d710b0e3946bc8061f6aa18f  wolfssl-5.7.0.tar.gz
>   
>   # Hash for license files:
>   sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
> diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk
> index 68c69afd59..893408eca4 100644
> --- a/package/wolfssl/wolfssl.mk
> +++ b/package/wolfssl/wolfssl.mk
> @@ -4,14 +4,16 @@
>   #
>   ################################################################################
>   
> -WOLFSSL_VERSION = 5.6.6
> -WOLFSSL_SITE = https://github.com/wolfSSL/wolfssl/releases/download/v$(WOLFSSL_VERSION)-stable
> +WOLFSSL_VERSION = 5.7.0
> +WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
>   WOLFSSL_INSTALL_STAGING = YES
>   
>   WOLFSSL_LICENSE = GPL-2.0+
>   WOLFSSL_LICENSE_FILES = COPYING LICENSING
>   WOLFSSL_CPE_ID_VENDOR = wolfssl
>   WOLFSSL_CONFIG_SCRIPTS = wolfssl-config
> +# From git
> +WOLFSSL_AUTORECONF = YES
>   WOLFSSL_DEPENDENCIES = host-pkgconf
>   
>   WOLFSSL_CONF_OPTS = --disable-examples --disable-crypttests

Patch

diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash
index 59e42e98b9..e705bba9fd 100644
--- a/package/wolfssl/wolfssl.hash
+++ b/package/wolfssl/wolfssl.hash
@@ -1,5 +1,5 @@ 
 # Locally computed:
-sha256  75aaafe3b8c776d1ac417288116c8d444115f9fac5acb382a39a7d163dfd618d  wolfssl-5.6.6.tar.gz
+sha256  2de93e8af588ee856fe67a6d7fce23fc1b226b74d710b0e3946bc8061f6aa18f  wolfssl-5.7.0.tar.gz
 
 # Hash for license files:
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk
index 68c69afd59..893408eca4 100644
--- a/package/wolfssl/wolfssl.mk
+++ b/package/wolfssl/wolfssl.mk
@@ -4,14 +4,16 @@ 
 #
 ################################################################################
 
-WOLFSSL_VERSION = 5.6.6
-WOLFSSL_SITE = https://github.com/wolfSSL/wolfssl/releases/download/v$(WOLFSSL_VERSION)-stable
+WOLFSSL_VERSION = 5.7.0
+WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
 WOLFSSL_INSTALL_STAGING = YES
 
 WOLFSSL_LICENSE = GPL-2.0+
 WOLFSSL_LICENSE_FILES = COPYING LICENSING
 WOLFSSL_CPE_ID_VENDOR = wolfssl
 WOLFSSL_CONFIG_SCRIPTS = wolfssl-config
+# From git
+WOLFSSL_AUTORECONF = YES
 WOLFSSL_DEPENDENCIES = host-pkgconf
 
 WOLFSSL_CONF_OPTS = --disable-examples --disable-crypttests
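Review bot: The new `WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)` fetches a GitHub-generated tag archive instead of an upstream-published release artifact, so the sha256 added in the wolfssl.hash hunk was computed from that generated archive and the existing `# Locally computed:` comment attests only to what the submitter downloaded, not to anything wolfSSL published. The archive's tree is fixed by the tag, but its byte stream is produced by GitHub on demand and a change in that generation would presumably show up as a hash mismatch at fetch time rather than a silent content change; worth confirming that is the failure mode for this helper. The `# From git` comment is terse about why autoreconf is needed; `# No release tarball for this version: fetched from the git tag, so configure must be regenerated` would make the dependency on the SITE change explicit. If the archive contents were compared against the tagged tree before computing the hash, a one-line note to that effect above the sha256 line in wolfssl.hash would document provenance for the next bump.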