Package: release.debian.org Severity: normal Tags: buster User: release.debian.org@packages.debian.org Usertags: pu Hi, The wolfssl upstream released a fixed version [1] of their library (4.6.0) that we already have in stable. Upstream would now like to see the fixed version in stable, if possible. The six fixes are not large, but all of them address grave or serious CVEs. * PR 3676: CVE-2021-3336 * PR 3990: OCSP Match Issue * PR 4211: CVE-2021-38597 * PR 4629: CVE-2021-44718 * PR 4813: CVE-2022-25638 * PR 4831: CVE-2022-25640 They relate to wolfSSL's support for TLS 1.3, which they were the first to implement commercially. [2] More details, including URLs, are available below. According to upstream, the fixed version includes no new features. All six patches are already in version 5.2.0-2 in testing and unstable, as well as in 5.2.0-2~bpo11+1 in bullseye-backports. One Debian patch already addressed CVE-2021-3336. It had been cherry-picked and was dropped with the availability of this version. Given the issue with openssl/valgrind years ago, I asked upstream to maintain a "stable" branch with a four-eye review by another member of the cryptographic staff. As their Debian distributor, I prefer not to backport fixes from Git myself. As mentioned in the changelog, upstream also updated some certificates in the test suite. Following devref 5.5.1, a source debdiff was attached. Thank you for your guidance! Kind regards, Felix Lechner P.S. I used to work upstream. [1] look for +p1, https://github.com/wolfSSL/wolfssl/releases/tag/v4.6.0-stable [2] https://www.prweb.com/releases/wolfssl_announces_the_first_commercial_release_of_tls_1_3/prweb15672854.htm * * * Hi Felix, No risks. The code in the affected areas hasn’t changed and has been broken since our TLS v1.3 support was originally created. Tomorrow morning I’ll put together a package and sign it and have another engineer review and sign it also. * * * Hey Felix, In order to update the stable v4.6.0 on Debian I’ve back-ported the following high severity fixes to v4.6.0-stable: * PR 3676: CVE-2021-3336 * PR 3990: OCSP Match Issue * PR 4211: CVE-2021-38597 * PR 4629: CVE-2021-44718 * PR 4813: CVE-2022-25638 * PR 4831: CVE-2022-25640 I’ve posted a +p1 bundle and signature to the release page here: https://github.com/wolfSSL/wolfssl/releases/tag/v4.6.0-stable * wolfssl-4.6.0-stable+p1.tar.gz (SHA256: 3a112c1436bbd1afdb457d0a517312d03ab430c74b98f95a20a028d41440099e) * wolfssl-4.6.0-stable+p1.tar.gz.asc Note: The make check fails due to some expired certificates. If you think it is important I can update those expired certs in the bundle and re-sign re-post… * * * Hey Felix, FYI: Here is the script I’ve written up to create a new official patch. This is my take on patches that should be applied. #!/bin/bash # Get Release curl -L -o wolfssl-4.6.0-stable.tar.gz https://github.com/wolfSSL/wolfssl/archive/refs/tags/v4.6.0-stable.tar.gz tar xzvf wolfssl-4.6.0-stable.tar.gz cd wolfssl-4.6.0-stable # CVE-2021-3336 curl -L -o pr3676.diff https://github.com/wolfSSL/wolfssl/pull/3676.diff patch -p1 < pr3676.diff # OCSP Match Issue curl -L -o pr3990.diff https://github.com/wolfSSL/wolfssl/pull/3990.diff patch -p1 < pr3990.diff # CVE-2021-38597 curl -L -o pr4211.diff https://github.com/wolfSSL/wolfssl/pull/4211.diff patch -p1 < pr4211.diff # CVE-2021-44718 curl -L -o pr4629.diff https://github.com/wolfSSL/wolfssl/pull/4629.diff patch -p1 < pr4629.diff # CVE-2022-25638 curl -L -o pr4813.diff https://github.com/wolfSSL/wolfssl/pull/4813.diff patch -p1 < pr4813.diff # CVE-2022-25640 curl -L -o pr4831.diff https://github.com/wolfSSL/wolfssl/pull/4831.diff patch -p1 < pr4831.diff rm *.diff cd .. # Tar/GZ tar -czvf wolfssl-4.6.0-stable-patched.tar.gz wolfssl-4.6.0-stable # Sign gpg --armor --default-key 5CA29677 --detach-sign wolfssl-4.6.0-stable-patched.tar.gz shasum -a 256 wolfssl-4.6.0-stable-patched.tar.gz
Attachment:
wolfssl_4.6.0-3.dsc_wolfssl_4.6.0+p1-1.dsc.debdiff.xz
Description: application/xz