[Buildroot] [git commit branch/2022.05.x] package/wolfssl: security bump to version 5.5.0

[Buildroot] [git commit branch/2022.05.x] package/wolfssl: security bump to version 5.5.0

[Peter Korsgaard]

[-- Attachment #1: Type: text/plain, Size: 3510 bytes --]

commit: https://git.buildroot.net/buildroot/commit/?id=dc33bac56dcbf2a2bdd1c3eb43d9de72aab9bd1a
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.05.x

Fix the following security vulnerabilities:
 - [Low] Fault injection attack on RAM via Rowhammer leads to ECDSA key
   disclosure. Users doing operations with private ECC keys such as
   server side TLS connections and creating ECC signatures, who also
   have hardware that could be targeted with a sophisticated Rowhammer
   attack should update the version of wolfSSL and compile using the
   macro WOLFSSL_CHECK_SIG_FAULTS.
 - [Low] In wolfSSL version 5.3.0 if compiled with
   --enable-session-ticket and the client has non-empty session cache,
   with TLS 1.2 there is the possibility oàf a man in the middle passing
   a large session ticket to the client and causing a crash due to an
   invalid free. There is also the potential for a malicious TLS 1.3
   server to crash a client in a similar manner except in TLS 1.3 it is
   not susceptible to a man in the middle attack. Users on the client
   side with –enable-session-ticket compiled in and using wolfSSL
   version 5.3.0 should update their version of wolfSSL.
 - [Low] If using wolfSSL_clear to reset a WOLFSSL object (vs the normal
   wolfSSL_free/wolfSSL_new) it can result in runtime issues. This
   exists with builds using the wolfSSL compatibility layer
   (--enable-opnesslextra) and only when the application is making use
   of wolfSSL_clear instead of SSL_free/SSL_new. In the case of a TLS
   1.3 resumption, after continuing to use the WOLFSSH object after
   having called wolfSSL_clear, an application could crash. It is
   suggested that users calling wolfSSL_clear update the version of
   wolfSSL used.
 - Potential DoS attack on DTLS 1.2. In the case of receiving a
   malicious plaintext handshake message at epoch 0 the connection will
   enter an error state reporting a duplicate message. This affects both
   server and client side. Users that have DTLS enabled and in use
   should update their version of wolfSSL to mitigate the potential for
   a DoS attack.

https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1891419db38e4d85595b2111db448f68eef684b8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/wolfssl/wolfssl.hash | 2 +-
 package/wolfssl/wolfssl.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash
index 01b21596e7..f1401e4cda 100644
--- a/package/wolfssl/wolfssl.hash
+++ b/package/wolfssl/wolfssl.hash
@@ -1,5 +1,5 @@
 # Locally computed:
-sha256  dc36cc19dad197253e5c2ecaa490c7eef579ad448706e55d73d79396e814098b  wolfssl-5.4.0.tar.gz
+sha256  c34b74b5f689fac7becb05583b044e84d3b10d39f38709f0095dd5d423ded67f  wolfssl-5.5.0.tar.gz
 
 # Hash for license files:
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk
index 536fd863fe..ca360312c9 100644
--- a/package/wolfssl/wolfssl.mk
+++ b/package/wolfssl/wolfssl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-WOLFSSL_VERSION = 5.4.0
+WOLFSSL_VERSION = 5.5.0
 WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
 WOLFSSL_INSTALL_STAGING = YES
 

[-- Attachment #2: Type: text/plain, Size: 150 bytes --]

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot