Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: sirkilamole@msn.com

Hi,

The wolfssl upstream released three patches for the version in Debian
stable specifically in order to address the following three
vulnerabilities present in bullseye:

- CVE-2022-42961, scored by NVD as "5.3 medium" [1]
- CVE-2022-39173, scored by NVD as "7.5 high" [2]
- CVE-2022-42905, scored by NVD as "9.1 critical" [3]

All three vulnerabilities are being tracked by DSA. [4] They were
already fixed in unstable.

There is no separate bug for the stable package.

Given the increased popularity of the package [5] and the severity of
the vulnerabilities, it seemed prudent to offer users of Debian stable
an update.

This bug was filed with a view toward the upcoming point release 11.6
for bullseye, which is scheduled for December 17. The freeze starts
this weekend.

The proposed upload has not seen a lot of testing.

Following devref 5.5.1 [7], a source debdiff was attached.

Please let me know if the version number is right and if you need any
more information, or whether I may upload the package. Thanks!

Kind regards,
Felix Lechner

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-42961
[2] https://nvd.nist.gov/vuln/detail/CVE-2022-39173
[3] https://nvd.nist.gov/vuln/detail/CVE-2022-42905
[4] https://security-tracker.debian.org/tracker/source-package/wolfssl
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023697#28
[6] https://lists.debian.org/debian-release/2022/11/msg00251.html
[7] https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Attachment:
wolfssl_4.6.0+p1-0+deb11u1.dsc_wolfssl_4.6.0+p1-0+deb11u2.dsc.debdiff.xz