* [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.2
@ 2022-10-29 8:00 Fabrice Fontaine
2022-10-29 16:06 ` Peter Korsgaard
2022-11-08 20:00 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-10-29 8:00 UTC (permalink / raw)
To: buildroot; +Cc: Sergio Prado, Fabrice Fontaine
In the case that the WOLFSSL_CALLBACKS macro is set when building
wolfSSL, there is a potential heap over read of 5 bytes when handling
TLS 1.3 client connections. This heap over read is limited to wolfSSL
builds explicitly setting the macro WOLFSSL_CALLBACKS, the feature does
not get turned on by any other build options. The macro
WOLFSSL_CALLBACKS is intended for debug use only, but if having it
enabled in production, users are recommended to disable
WOLFSSL_CALLBACKS. Users enabling WOLFSSL_CALLBACKS are recommended to
update their version of wolfSSL. CVE 2022-42905
https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.2-stable
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/wolfssl/wolfssl.hash | 2 +-
package/wolfssl/wolfssl.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash
index 3849ffb9fc..65d77ca659 100644
--- a/package/wolfssl/wolfssl.hash
+++ b/package/wolfssl/wolfssl.hash
@@ -1,5 +1,5 @@
# Locally computed:
-sha256 97339e6956c90e7c881ba5c748dd04f7c30e5dbe0c06da765418c51375a6dee3 wolfssl-5.5.1.tar.gz
+sha256 49c6195462cae034efe6c86268824ba515682508a5f5199358d56a4168a82cf0 wolfssl-5.5.2.tar.gz
# Hash for license files:
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk
index 95d4f47952..d9fa72ccf4 100644
--- a/package/wolfssl/wolfssl.mk
+++ b/package/wolfssl/wolfssl.mk
@@ -4,7 +4,7 @@
#
################################################################################
-WOLFSSL_VERSION = 5.5.1
+WOLFSSL_VERSION = 5.5.2
WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
WOLFSSL_INSTALL_STAGING = YES
--
2.35.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.2
2022-10-29 8:00 [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.2 Fabrice Fontaine
@ 2022-10-29 16:06 ` Peter Korsgaard
2022-11-08 20:00 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-10-29 16:06 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Sergio Prado, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> In the case that the WOLFSSL_CALLBACKS macro is set when building
> wolfSSL, there is a potential heap over read of 5 bytes when handling
> TLS 1.3 client connections. This heap over read is limited to wolfSSL
> builds explicitly setting the macro WOLFSSL_CALLBACKS, the feature does
> not get turned on by any other build options. The macro
> WOLFSSL_CALLBACKS is intended for debug use only, but if having it
> enabled in production, users are recommended to disable
> WOLFSSL_CALLBACKS. Users enabling WOLFSSL_CALLBACKS are recommended to
> update their version of wolfSSL. CVE 2022-42905
> https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.2-stable
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.2
2022-10-29 8:00 [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.2 Fabrice Fontaine
2022-10-29 16:06 ` Peter Korsgaard
@ 2022-11-08 20:00 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-11-08 20:00 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Sergio Prado, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> In the case that the WOLFSSL_CALLBACKS macro is set when building
> wolfSSL, there is a potential heap over read of 5 bytes when handling
> TLS 1.3 client connections. This heap over read is limited to wolfSSL
> builds explicitly setting the macro WOLFSSL_CALLBACKS, the feature does
> not get turned on by any other build options. The macro
> WOLFSSL_CALLBACKS is intended for debug use only, but if having it
> enabled in production, users are recommended to disable
> WOLFSSL_CALLBACKS. Users enabling WOLFSSL_CALLBACKS are recommended to
> update their version of wolfSSL. CVE 2022-42905
> https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.2-stable
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2022.08.x and 2022.02.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-08 20:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-29 8:00 [Buildroot] [PATCH 1/1] package/wolfssl: security bump to version 5.5.2 Fabrice Fontaine
2022-10-29 16:06 ` Peter Korsgaard
2022-11-08 20:00 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.