Debian Bug report logs -
#1041699
wolfssl: CVE-2023-3724
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Jacob Barthelmeh <sirkilamole@msn.com>:
Bug#1041699; Package src:wolfssl.
(Sat, 22 Jul 2023 12:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Jacob Barthelmeh <sirkilamole@msn.com>.
(Sat, 22 Jul 2023 12:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: wolfssl
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for wolfssl.
CVE-2023-3724[0]:
| If a TLS 1.3 client gets neither a PSK (pre shared key) extension
| nor a KSE (key share extension) when connecting to a malicious
| server, a default predictable buffer gets used for the IKM (Input
| Keying Material) value when generating the session master secret.
| Using a potentially known IKM value when generating the session
| master secret key compromises the key generated, allowing an
| eavesdropper to reconstruct it and potentially allowing access to or
| meddling with message contents in the session. This issue does not
| affect client validation of connected servers, nor expose private
| key information, but could result in an insecure TLS 1.3 session
| when not controlling both sides of the connection. wolfSSL
| recommends that TLS 1.3 client side users update the version of
| wolfSSL used.
https://github.com/wolfSSL/wolfssl/pull/6412
https://github.com/wolfSSL/wolfssl/commit/00f1eddee429ff51390b20caadd2eb6afe51e1aa (v5.6.2-stable)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-3724
https://www.cve.org/CVERecord?id=CVE-2023-3724
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 22 Jul 2023 12:21:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Jacob Barthelmeh <sirkilamole@msn.com>:
Bug#1041699; Package src:wolfssl.
(Sat, 22 Jul 2023 16:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Jacob .." <SirKilaMole@msn.com>:
Extra info received and forwarded to list. Copy sent to Jacob Barthelmeh <sirkilamole@msn.com>.
(Sat, 22 Jul 2023 16:27:04 GMT) (full text, mbox, link).
Message #14 received at 1041699@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Thanks Moritz,
Started the process of adding a patch to wolfssl_4.6.0+p1-0+deb11u1.1.dsc.
Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows
[Message part 2 (text/html, inline)]
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jul 23 11:57:50 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon