Source: wolfssl Version: 3.15.3+dfsg-2 Severity: grave Tags: security upstream
Hi, The following vulnerability was published for wolfssl. CVE-2019-11873[0]: | wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when | a current identity size is greater than a client identity size. An | attacker sends a crafted hello client packet over the network to a | TLSv1.3 wolfSSL server. The length fields of the packet: record | length, client hello length, total extensions length, PSK extension | length, total identity length, and identity length contain their | maximum value which is 2^16. The identity data field of the PSK | extension of the packet contains the attack data, to be stored in the | undefined memory (RAM) of the server. The size of the data is about 65 | kB. Possibly the attacker can perform a remote code execution attack. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-11873 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11873 Please adjust the affected versions in the BTS as needed, could you double check 3.15.3 is affected. Regards, Salvatore
