wolfssl: CVE-2015-6925: DoS and DoS amplification

Related Vulnerabilities: CVE-2015-6925  

Debian Bug report logs - #801120


Reported by: Sebastian Ramacher <sebastian.ramacher@iaik.tugraz.at>

Date: Tue, 6 Oct 2015 14:03:07 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version wolfssl/3.4.8+dfsg-1

Fixed in version wolfssl/3.9.10+dfsg-1

Done: Felix Lechner <felix.lechner@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Felix Lechner <felix.lechner@gmail.com>:
Bug#801120; Package src:wolfssl. (Tue, 06 Oct 2015 14:03:11 GMT)


Acknowledgement sent to Sebastian Ramacher <sebastian.ramacher@iaik.tugraz.at>:
New Bug report received and forwarded. Copy sent to Felix Lechner <felix.lechner@gmail.com>. (Tue, 06 Oct 2015 14:03:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Sebastian Ramacher <sebastian.ramacher@iaik.tugraz.at>
To: submit@bugs.debian.org
Subject: wolfssl: CVE-2015-6925: DoS and DoS amplification
Date: Tue, 6 Oct 2015 15:29:46 +0200
Source: wolfssl
Version: 3.4.8+dfsg-1
Severity: important
Tags: security fixed-upstream

Hi,

wolfssl 3.6.8 was released fixing CVE-2015-6925. The DTLS server
implementation in earlier versions allowed running DoS attacks on a
wolfssl-based DTLS server or using it to amplify a DoS attack, since the
DTLS cookie was not generated properly.

See the upstream announcement [1, 2] and the PoC [3] for more details.

When fixing this issue, please include the CVE identifier in the changelog.

[1]
https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found,_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html
[2]
http://wolfssl.com/wolfSSL/Blog/Entries/2015/9/18_wolfSSL_3.6.8_is_Now_Available.html
[3] https://github.com/IAIK/wolfSSL-DoS

Cheers
-- 
Sebastian Ramacher
Institute for Applied Information Processing and Communications,
Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Web: http://www.iaik.tugraz.at/
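The report above says the DTLS cookie "was not generated properly" but does not show what a proper one looks like. The following is an added example, not wolfSSL's code or the PoC from the report: a stateless HelloVerifyRequest cookie in the form RFC 6347 section 4.2.1 prescribes, an HMAC under a server secret over the client's transport address and its ClientHello parameters. The IP, port, secret and ClientHello bytes are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed server secret: generated at start-up and rotated periodically
# by a real server; never hard-coded or derived from client-supplied data.
SERVER_SECRET = os.urandom(32)


def make_cookie(secret: bytes, client_ip: str, client_port: int,
                client_hello_params: bytes) -> bytes:
    """Cookie = HMAC-SHA256(secret, client IP || port || ClientHello params).

    client_hello_params is the ClientHello body with the cookie field empty
    (the client repeats the same hello when it returns the cookie). Nothing
    is kept server-side, so an unverified peer costs the server no state.
    """
    addr = client_ip.encode("ascii") + struct.pack("!H", client_port)
    return hmac.new(secret, addr + client_hello_params, hashlib.sha256).digest()


def verify_cookie(secret: bytes, client_ip: str, client_port: int,
                  client_hello_params: bytes, cookie: bytes) -> bool:
    """Recompute and compare in constant time; a cookie echoed from a
    different source address or with a different ClientHello fails."""
    expected = make_cookie(secret, client_ip, client_port, client_hello_params)
    return hmac.compare_digest(expected, cookie)


def handle_client_hello(secret: bytes, client_ip: str, client_port: int,
                        client_hello_params: bytes, cookie: bytes) -> str:
    """Server decision for one ClientHello datagram.

    Without a valid cookie the only reply is a small HelloVerifyRequest
    (about the size of the cookie), so a spoofed source address cannot be
    used to aim a much larger ServerHello flight at a victim.
    """
    if not cookie or not verify_cookie(secret, client_ip, client_port,
                                       client_hello_params, cookie):
        return "HelloVerifyRequest"
    return "ServerHello"


if __name__ == "__main__":
    # Constructed sample: a client at 192.0.2.10:5000 sends a ClientHello.
    hello = b"\xfe\xfd" + b"\x11" * 32 + b"\x00"  # version, random, empty cookie
    cookie = make_cookie(SERVER_SECRET, "192.0.2.10", 5000, hello)
    print(handle_client_hello(SERVER_SECRET, "192.0.2.10", 5000, hello, b""))
    print(handle_client_hello(SERVER_SECRET, "192.0.2.10", 5000, hello, cookie))
    print(handle_client_hello(SERVER_SECRET, "192.0.2.99", 5000, hello, cookie))
```

The third call shows the property that matters for amplification: the same cookie presented from another address is rejected, so the server never sends more than a HelloVerifyRequest to a peer whose address it has not confirmed.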



Information forwarded to debian-bugs-dist@lists.debian.org, Felix Lechner <felix.lechner@gmail.com>:
Bug#801120; Package src:wolfssl. (Tue, 22 Mar 2016 20:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Felix Lechner <felix.lechner@gmail.com>. (Tue, 22 Mar 2016 20:27:04 GMT)


Message #10 received at 801120@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sebastian Ramacher <sebastian.ramacher@iaik.tugraz.at>, 801120@bugs.debian.org
Subject: Re: Bug#801120: wolfssl: CVE-2015-6925: DoS and DoS amplification
Date: Tue, 22 Mar 2016 21:23:56 +0100
Hi Felix,

On Tue, Oct 06, 2015 at 03:29:46PM +0200, Sebastian Ramacher wrote:
> Source: wolfssl
> Version: 3.4.8+dfsg-1
> Severity: important
> Tags: security fixed-upstream
> 
> Hi,
> 
> wolfssl 3.6.8 was released fixing CVE-2015-6925. The DTLS server
> implementation in earlier versions allowed running DoS attacks on a
> wolfssl-based DTLS server or using it to amplify a DoS attack, since the
> DTLS cookie was not generated properly.
> 
> See the upstream announcement [1, 2] and the PoC [3] for more details.
> 
> When fixing this issue, please include the CVE identifier in the changelog.
> 
> [1]
> https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found,_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html
> [2]
> http://wolfssl.com/wolfSSL/Blog/Entries/2015/9/18_wolfSSL_3.6.8_is_Now_Available.html
> [3] https://github.com/IAIK/wolfSSL-DoS

Any news on this? Could you upload 3.6.8 to unstable?

Regards,
Salvatore



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Mar 2016 20:27:08 GMT)


Reply sent to Felix Lechner <felix.lechner@gmail.com>:
You have taken responsibility. (Mon, 05 Dec 2016 12:00:34 GMT)


Notification sent to Sebastian Ramacher <sebastian.ramacher@iaik.tugraz.at>:
Bug acknowledged by developer. (Mon, 05 Dec 2016 12:00:34 GMT)


Message #17 received at 801120-close@bugs.debian.org:

From: Felix Lechner <felix.lechner@gmail.com>
To: 801120-close@bugs.debian.org
Subject: Bug#801120: fixed in wolfssl 3.9.10+dfsg-1
Date: Mon, 05 Dec 2016 10:00:30 +0000
Source: wolfssl
Source-Version: 3.9.10+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wolfssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 801120@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Lechner <felix.lechner@gmail.com> (supplier of updated wolfssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 02 Dec 2016 20:51:20 -0800
Source: wolfssl
Binary: libwolfssl3 libwolfssl-dev
Architecture: source amd64
Version: 3.9.10+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Felix Lechner <felix.lechner@gmail.com>
Changed-By: Felix Lechner <felix.lechner@gmail.com>
Description:
 libwolfssl-dev - Development files for the wolfSSL encryption library
 libwolfssl3 - wolfSSL encryption library
Closes: 792626 793134 801120
Changes:
 wolfssl (3.9.10+dfsg-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #793134)
   * Fixed CVE-2015-6925 (Closes: #801120)
   * No longer installing arch-dependent options.h (Closes: #792626)
   * New major number is 3
   * Using '--enable-distro' to define ABI
   * Removed all ABI-related build options selecting features
   * Upgraded Build-Depends: debhelper >=10; bumped compat to 10
   * Removed Build-Depends: dh-exec
   * Switched to automatic generation of debug package (dbgsym)
   * Changed package descriptions and capitalized wolfSSL correctly
   * Deleted compatibility links for libcyassl5
   * Removed control file references to libcyassl5
   * Disabled examples and tests for building without network
   * Removed duplicate license names from debian/copyright
   * Updated watch file for upstream's new version tagging scheme on GitHub
   * Added public key signature verification in watch file
   * Updated Standard-Version: 3.9.8





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 25 Feb 2017 07:27:50 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:52:46 2019; Machine Name: beach
