From c4658ede712305455eaf72a67a74509d4434a46a Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Tue, 31 Oct 2023 15:58:30 +0100 Subject: [PATCH] package/wolfssl: security bump to version 5.6.4 [Medium] A fix was added, but still under review for completeness, for a Bleichenbacher style attack, leading to being able to decrypt a saved TLS connection and potentially forge a signature after probing with a large number of trial connections. This issue is around RSA decryption and affects static RSA cipher suites on the server side, which are not recommended to be used and are off by default. Static RSA cipher suites were also removed from the TLS 1.3 protocol and only present in TLS 1.2 and lower. All padding versions of RSA decrypt are affected since the code under review is outside of the padding processing. Information about the private keys is NOT compromised in affected code. It's recommended to disable static RSA cipher suites and update the version of wolfSSL used if using RSA private decryption alone outside of TLS. https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.4-stable Signed-off-by: Fabrice Fontaine Signed-off-by: Peter Korsgaard --- package/wolfssl/wolfssl.hash | 2 +- package/wolfssl/wolfssl.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/wolfssl/wolfssl.hash b/package/wolfssl/wolfssl.hash index 3407586edd..fb5a570de8 100644 --- a/package/wolfssl/wolfssl.hash +++ b/package/wolfssl/wolfssl.hash @@ -1,5 +1,5 @@ # Locally computed: -sha256 2e74a397fa797c2902d7467d500de904907666afb4ff80f6464f6efd5afb114a wolfssl-5.6.3.tar.gz +sha256 031691906794ff45e1e792561cf31759f5d29ac74936bc8dffb8b14f16d820b4 wolfssl-5.6.4.tar.gz # Hash for license files: sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/package/wolfssl/wolfssl.mk b/package/wolfssl/wolfssl.mk index 9b35a6a84a..17452fdcaf 100644 --- a/package/wolfssl/wolfssl.mk +++ b/package/wolfssl/wolfssl.mk @@ -4,7 +4,7 @@ # ################################################################################ -WOLFSSL_VERSION = 5.6.3 +WOLFSSL_VERSION = 5.6.4 WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable) WOLFSSL_INSTALL_STAGING = YES