Source: wolfssl
Version: 5.7.0-0.3
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/wolfSSL/wolfssl/pull/7416
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for wolfssl.

CVE-2024-5288[0]:
| An issue was discovered in wolfSSL before 5.7.0. A safe-error attack
| via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure.
| When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with
| private ECC keys, such as in server-side TLS connections, the
| connection is halted if any fault occurs. The success rate in a
| certain amount of connection requests can be processed via an
| advanced technique for ECDSA key recovery.

Note the official CVE description from MITRE seems to not cover where the issue was fixed. According to upstream and merged commits this should be in 5.7.2 only.

Note, I'm filing this with RC severity as all the recent uploads were done as NMU. Is wolfssl right now ok to be released for upcoming trixie or should we need to keep it out?

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-5288
    https://www.cve.org/CVERecord?id=CVE-2024-5288
[1] https://github.com/wolfSSL/wolfssl/pull/7416

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

