2021-02-03 22:06:40 | Felix Lechner | description
Hi,
I maintain this package. Please perform a security update to version 4.6.0 on your 20.10 (groovy) release. The new version resolves a vulnerability [1]. The vulnerability is already public but grave enough to warrant this filing.
According to our experience in Debian, either version 4.6.0-1 or 4.6.0-2 should be suitable for a security update. (We did not ship wolfssl in buster.) Both advertise the same shared object version (24) as the older upstream version 4.5.0.
The new version is missing two symbols [2], but neither appears to be relevant. The package names, which can be an issue for shared libraries, are identical.
A targeted patch (as requested on #ubuntu-hardened) is not currently available [3].
As a side note, there is a report from OpenWRT that hostapd suffers from FTBFS with 4.6.0 [4], but they use different build options. More importantly, I believe Ubuntu builds wpa with OpenSSL, so the issue is moot for you.
Due to Debian's poor experience with maintainer patches on security-relevant packages [5] I recommend against attempting to fix older releases yourself. I may try to have another word with upstream about it for your earlier releases. Some of the developers there use Ubuntu. Thanks!
Kind regards
Felix Lechner
[1] https://security-tracker.debian.org/tracker/CVE-2020-36177
[2] https://salsa.debian.org/lechner/wolfssl/-/commit/70a636e93ef222cafc8b4bab727e4f15a4bdafc3
[3] https://github.com/wolfSSL/wolfssl/issues/3709
[4] https://github.com/wolfSSL/wolfssl/pull/3610
[5] https://www.schneier.com/blog/archives/2008/05/random_number_b.html
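The report's case for shipping 4.6.0 as a drop-in security update rests on two checks: the SONAME (shared object version 24) is unchanged, and the handful of exported symbols that disappeared were reviewed and judged irrelevant. As an added example, not part of Felix Lechner's report and not the wolfssl project's own tooling, the Python script below performs exactly that comparison from the output of `objdump -p` and `nm -D --defined-only`. The library name `libexample.so.24`, its symbols and the tool output embedded here are constructed so the script runs offline; the `tolerated_removals` parameter is a hypothetical convention for recording symbols a reviewer has signed off on.

```python
"""
ABI compatibility check for a replacement shared-library build: same SONAME,
and no exported symbol dropped unless a reviewer has explicitly tolerated it.

All inputs below are CONSTRUCTED samples in the format printed by
`objdump -p <lib>` and `nm -D --defined-only <lib>`; the library and
its symbols are invented for illustration.
"""
import re
from typing import Dict, Iterable, Optional, Set

# Constructed `objdump -p` excerpt for the currently shipped build.
OLD_OBJDUMP = """
Dynamic Section:
  NEEDED               libc.so.6
  SONAME               libexample.so.24
  INIT                 0x0000000000006000
"""

# Constructed `nm -D --defined-only` output for the currently shipped build.
OLD_NM = """
0000000000012340 T example_init
0000000000012400 T example_free
0000000000012500 T example_ctx_new
0000000000012600 T example_legacy_a
0000000000012700 W example_legacy_b
0000000000030000 D example_version_string
"""

# Constructed samples for the proposed replacement build: same SONAME,
# two legacy symbols gone, one new symbol added.
NEW_OBJDUMP = """
Dynamic Section:
  NEEDED               libc.so.6
  SONAME               libexample.so.24
  INIT                 0x0000000000006200
"""

NEW_NM = """
0000000000012340 T example_init
0000000000012400 T example_free
0000000000012500 T example_ctx_new
0000000000012800 T example_ctx_set_version
0000000000030000 D example_version_string
"""

# nm symbol types that are global and therefore part of the exported ABI:
# text, initialised data, bss, weak, read-only data, weak object.
EXPORTED_TYPES = set("TDBWRV")


def parse_soname(objdump_output: str) -> Optional[str]:
    """Extract the SONAME from `objdump -p` output, or None if absent."""
    match = re.search(r"^\s*SONAME\s+(\S+)", objdump_output, re.MULTILINE)
    return match.group(1) if match else None


def parse_exported_symbols(nm_output: str) -> Set[str]:
    """Collect globally exported symbol names from `nm -D --defined-only` output."""
    symbols: Set[str] = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip blank lines and anything not "addr type name"
            continue
        _address, symbol_type, name = parts
        if symbol_type in EXPORTED_TYPES:
            symbols.add(name)
    return symbols


def compare_abi(old_objdump: str, old_nm: str,
                new_objdump: str, new_nm: str) -> Dict[str, object]:
    """Report SONAME agreement and the symbols removed from / added to the ABI."""
    old_soname = parse_soname(old_objdump)
    new_soname = parse_soname(new_objdump)
    old_symbols = parse_exported_symbols(old_nm)
    new_symbols = parse_exported_symbols(new_nm)
    return {
        "old_soname": old_soname,
        "new_soname": new_soname,
        "soname_match": old_soname is not None and old_soname == new_soname,
        "removed": sorted(old_symbols - new_symbols),
        "added": sorted(new_symbols - old_symbols),
    }


def is_drop_in_candidate(report: Dict[str, object],
                         tolerated_removals: Iterable[str] = ()) -> bool:
    """True only if the SONAME is unchanged and every removed symbol was
    reviewed and listed as tolerated (hypothetical sign-off convention)."""
    removed = set(report["removed"])  # type: ignore[arg-type]
    return bool(report["soname_match"]) and removed <= set(tolerated_removals)


if __name__ == "__main__":
    result = compare_abi(OLD_OBJDUMP, OLD_NM, NEW_OBJDUMP, NEW_NM)
    print(f"SONAME: {result['old_soname']} -> {result['new_soname']} "
          f"(match={result['soname_match']})")
    print("removed symbols:", result["removed"])
    print("added symbols:  ", result["added"])
    print("drop-in without review:", is_drop_in_candidate(result))
    print("drop-in after review:  ",
          is_drop_in_candidate(result, result["removed"]))  # type: ignore[arg-type]
```

Added symbols never break existing consumers, so only removals and a SONAME change block the drop-in verdict; a removed symbol must be named explicitly in `tolerated_removals`, which keeps the "neither appears to be relevant" judgement a recorded decision rather than an implicit one.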