Bug#801120: wolfssl: CVE-2015-6925: DoS and DoS amplification
Hi Felix,

On Tue, Oct 06, 2015 at 03:29:46PM +0200, Sebastian Ramacher wrote:
> Source: wolfssl
> Version: 3.4.8+dfsg-1
> Severity: important
> Tags: security fixed-upstream
>
> Hi,
>
> wolfssl 3.6.8 was released fixing CVE-2015-6925. The DTLS server
> implementation in earlier versions allowed to run DoS attacks on a
> wolfssl based DTLS server or use it to amplify a DoS attack since the
> DTLS cookie was not generated properly.
>
> See the upstream announcement [1, 2] and the PoC [3] for more details.
>
> When fixing this issue, please include CVE identifier in the changelog.
>
> [1] https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found,_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html
> [2] http://wolfssl.com/wolfSSL/Blog/Entries/2015/9/18_wolfSSL_3.6.8_is_Now_Available.html
> [3] https://github.com/IAIK/wolfSSL-DoS

Any news on this? Could you upload 3.6.8 to unstable?

Regards,
Salvatore

Bug#801120: wolfssl: CVE-2015-6925: DoS and DoS amplification
Source: wolfssl
Version: 3.4.8+dfsg-1
Severity: important
Tags: security fixed-upstream

Hi,

wolfssl 3.6.8 was released fixing CVE-2015-6925. The DTLS server
implementation in earlier versions allowed to run DoS attacks on a
wolfssl based DTLS server or use it to amplify a DoS attack since the
DTLS cookie was not generated properly.

See the upstream announcement [1, 2] and the PoC [3] for more details.

When fixing this issue, please include CVE identifier in the changelog.

[1] https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found,_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html
[2] http://wolfssl.com/wolfSSL/Blog/Entries/2015/9/18_wolfSSL_3.6.8_is_Now_Available.html
[3] https://github.com/IAIK/wolfSSL-DoS

Cheers
-- 
Sebastian Ramacher
Institute for Applied Information Processing and Communications,
Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Web: http://www.iaik.tugraz.at/
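
Added example, not part of the original report and not wolfSSL's code: the report does not say how the cookie was mis-generated, so this shows the stateless cookie exchange that RFC 6347 section 4.2.1 recommends, which is what stops spoofed ClientHellos from exhausting a DTLS server or turning it into an amplifier. The two-key rotation list, the inclusion of the UDP port in the MAC, and all sample values are assumptions of the example.

```python
import hashlib
import hmac
import ipaddress
import os
import struct


def make_cookie(secret: bytes, ip: str, port: int, params: bytes) -> bytes:
    """RFC 6347 section 4.2.1: Cookie = HMAC(Secret, Client-IP, Client-Parameters)."""
    addr = ipaddress.ip_address(ip).packed
    # Length-prefix the variable fields so different inputs never serialize alike.
    msg = struct.pack("!B", len(addr)) + addr
    msg += struct.pack("!HH", port, len(params)) + params
    return hmac.new(secret, msg, hashlib.sha256).digest()


def handle_client_hello(secrets, ip, port, params, cookie):
    """Decide the server's reply to a ClientHello without storing any state.

    secrets: [current, previous] server keys (hypothetical rotation scheme).
    Returns ("proceed", None) when the cookie proves the sender receives
    datagrams at ip:port, else ("verify", cookie) for a HelloVerifyRequest.
    """
    if cookie:
        for key in secrets:
            expected = make_cookie(key, ip, port, params)
            if hmac.compare_digest(cookie, expected):
                return ("proceed", None)
    # Small reply and no allocation: nothing to exhaust, nothing to amplify.
    return ("verify", make_cookie(secrets[0], ip, port, params))


def demo():
    # Constructed sample values: documentation addresses, dummy ClientHello fields.
    secrets = [os.urandom(32), os.urandom(32)]
    params = b"\xfe\xfd" + bytes(32) + b"\x00\x02\xc0\x2b\x01\x00"
    first = handle_client_hello(secrets, "192.0.2.10", 40000, params, b"")
    echoed = handle_client_hello(secrets, "192.0.2.10", 40000, params, first[1])
    # Same cookie presented from another source address must not verify.
    moved = handle_client_hello(secrets, "198.51.100.7", 40000, params, first[1])
    return first[0], echoed[0], moved[0]


if __name__ == "__main__":
    print(demo())
```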