From 4cd106188a876163d5c056ec3c6e9bae0df8e0bb Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Wed, 28 Sep 2022 23:36:31 +0200 Subject: [PATCH] package/wolfssl: security bump to version 5.5.1 Denial of service attack and buffer overflow against TLS 1.3 servers using session ticket resumption. When built with --enable-session-ticket and making use of TLS 1.3 server code in wolfSSL, there is the possibility of a malicious client to craft a malformed second ClientHello packet that causes the server to crash. This issue is limited to when using both --enable-session-ticket and TLS 1.3 on the server side. Users with TLS 1.3 servers, and having --enable-session-ticket, should update to the latest version of wolfSSL. https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable Signed-off-by: Fabrice Fontaine Signed-off-by: Yann E. MORIN (cherry picked from commit 2e4c0e722f4d9494c2451458a42d4c4f8ef006ab) Signed-off-by: Peter Korsgaard
---
 package/wolfssl/wolfssl.hash | 2 +-
 package/wolfssl/wolfssl.mk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash
index f1401e4cda..3849ffb9fc 100644
--- a/package/wolfssl/wolfssl.hash
+++ b/package/wolfssl/wolfssl.hash
@@ -1,5 +1,5 @@
 # Locally computed:
-sha256 c34b74b5f689fac7becb05583b044e84d3b10d39f38709f0095dd5d423ded67f wolfssl-5.5.0.tar.gz
+sha256 97339e6956c90e7c881ba5c748dd04f7c30e5dbe0c06da765418c51375a6dee3 wolfssl-5.5.1.tar.gz
 # Hash for license files:
 sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk
index ca360312c9..95d4f47952 100644
--- a/package/wolfssl/wolfssl.mk
+++ b/package/wolfssl/wolfssl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
-WOLFSSL_VERSION = 5.5.0
+WOLFSSL_VERSION = 5.5.1
 WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
 WOLFSSL_INSTALL_STAGING = YES