Source: wolfssl Version: 5.7.0-0.3 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://github.com/wolfSSL/wolfssl/pull/7619 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for wolfssl. CVE-2024-5814[0]: | A malicious TLS1.2 server can force a TLS1.3 client with downgrade | capability to use a ciphersuite that it did not agree to and achieve | a successful connection. This is because, aside from the extensions, | the client was skipping fully parsing the server hello. | https://doi.org/10.46586/tches.v2024.i1.457-500 Note, I'm filling this with RC severity as all the recent uploads were done as NMU. Is wolfssl right now ok to be released for upcoming trixie or should we need to keep it out? If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-5814 https://www.cve.org/CVERecord?id=CVE-2024-5814 [1] https://github.com/wolfSSL/wolfssl/pull/7619 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
