package/wolfssl: security bump to version 5.6.4
[Medium] A fix was added, but still under review for completeness, for a Bleichenbacher style attack, leading to being able to decrypt a saved TLS connection and potentially forge a signature after probing with a large number of trial connections. This issue is around RSA decryption and affects static RSA cipher suites on the server side, which are not recommended to be used and are off by default. Static RSA cipher suites were also removed from the TLS 1.3 protocol and only present in TLS 1.2 and lower. All padding versions of RSA decrypt are affected since the code under review is outside of the padding processing. Information about the private keys is NOT compromised in affected code. It's recommended to disable static RSA cipher suites and update the version of wolfSSL used if using RSA private decryption alone outside of TLS. https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.4-stable Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
parent
957e2d2ffd
commit
c4658ede71
@ -1,5 +1,5 @@
|
||||
# Locally computed:
|
||||
sha256 2e74a397fa797c2902d7467d500de904907666afb4ff80f6464f6efd5afb114a wolfssl-5.6.3.tar.gz
|
||||
sha256 031691906794ff45e1e792561cf31759f5d29ac74936bc8dffb8b14f16d820b4 wolfssl-5.6.4.tar.gz
|
||||
|
||||
# Hash for license files:
|
||||
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
################################################################################
|
||||
|
||||
WOLFSSL_VERSION = 5.6.3
|
||||
WOLFSSL_VERSION = 5.6.4
|
||||
WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
|
||||
WOLFSSL_INSTALL_STAGING = YES
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user