package/wolfssl: security bump to version 5.6.4

[Medium] A fix was added, but still under review for completeness, for a
Bleichenbacher style attack, leading to being able to decrypt a saved
TLS connection and potentially forge a signature after probing with a
large number of trial connections. This issue is around RSA decryption
and affects static RSA cipher suites on the server side, which are not
recommended to be used and are off by default. Static RSA cipher suites
were also removed from the TLS 1.3 protocol and only present in TLS 1.2
and lower. All padding versions of RSA decrypt are affected since the
code under review is outside of the padding processing. Information
about the private keys is NOT compromised in affected code. It's
recommended to disable static RSA cipher suites and update the version
of wolfSSL used if using RSA private decryption alone outside of TLS.

https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.4-stable

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Fabrice Fontaine 2023-10-31 15:58:30 +01:00 committed by Peter Korsgaard
parent 957e2d2ffd
commit c4658ede71
2 changed files with 2 additions and 2 deletions

View File

@ -1,5 +1,5 @@
# Locally computed:
sha256 2e74a397fa797c2902d7467d500de904907666afb4ff80f6464f6efd5afb114a wolfssl-5.6.3.tar.gz
sha256 031691906794ff45e1e792561cf31759f5d29ac74936bc8dffb8b14f16d820b4 wolfssl-5.6.4.tar.gz
# Hash for license files:
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING

View File

@ -4,7 +4,7 @@
#
################################################################################
WOLFSSL_VERSION = 5.6.3
WOLFSSL_VERSION = 5.6.4
WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
WOLFSSL_INSTALL_STAGING = YES