Bug 205936 - security/wolfssl: Update to 3.8.0 (Fixes Security Vulnerability)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Johan van Selst
URL:
Keywords: patch, patch-ready, security
Depends on:
Blocks:
 
Reported: 2016-01-05 21:15 UTC by Christoph Moench-Tegeder
Modified: 2016-09-12 20:09 UTC

See Also:
bugzilla: maintainer-feedback? (johans)
koobs: merge-quarterly?


Attachments
update wolfssl to 3.8.0 (3.19 KB, patch)
2016-01-05 21:15 UTC, Christoph Moench-Tegeder
UPDATING (421 bytes, text/plain)
2016-01-05 21:16 UTC, Christoph Moench-Tegeder
vuxml entry (1.87 KB, text/plain)
2016-01-05 21:16 UTC, Christoph Moench-Tegeder
poudriere testport log (41.88 KB, text/x-log)
2016-01-05 21:17 UTC, Christoph Moench-Tegeder

Description Christoph Moench-Tegeder freebsd_committer 2016-01-05 21:15:03 UTC
Created attachment 165119
update wolfssl to 3.8.0

https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html
https://www.wolfssl.com/wolfSSL/Docs-wolfssl-changelog.html (see Release 3.6.8)

Attached patch updates wolfssl to 3.8.0 (current release).
Enclosed:
- vuxml entry ready for pasting
- UPDATING entry (SSLv3 disabled by default, soversion bump)
- poudriere testport logs
Comment 1 Christoph Moench-Tegeder freebsd_committer 2016-01-05 21:16:00 UTC
Created attachment 165120
UPDATING

updating entry, ready for pasting (adjust date)
Comment 2 Christoph Moench-Tegeder freebsd_committer 2016-01-05 21:16:40 UTC
Created attachment 165121
vuxml entry

vuxml entries (passed "make validate")
Comment 3 Christoph Moench-Tegeder freebsd_committer 2016-01-05 21:17:08 UTC
Created attachment 165122
poudriere testport log
Comment 4 Johan van Selst freebsd_committer 2016-01-06 21:15:02 UTC
Thanks for the work, I plan to commit this soon. I'm inclined to omit the SSLv3 option, since I do not want to encourage people to enable options that are removed for security reasons. This port has a lot of configure script options that are not listed as port options, because the defaults seem reasonable enough. Although I'm happy to add options if there is demand for it.

Do you require SSL3 support for some reason?
Comment 5 commit-hook freebsd_committer 2016-01-06 21:32:50 UTC
A commit references this bug:

Author: johans
Date: Wed Jan  6 21:32:11 UTC 2016
New revision: 405390
URL: https://svnweb.freebsd.org/changeset/ports/405390

Log:
  - Update WolfSSL to 3.8.0 (new MASTER_SITES, WWW entry and description)
  - Includes important security fixes for CVE-2015-7744 and CVE-2015-6925
    see https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html
  - Disables support for SSLv3

  PR:		205936
  Submitted by:	Christoph Moench-Tegeder <cmt@burggraben.net>
  MFH:		2016Q1

Changes:
  head/security/wolfssl/Makefile
  head/security/wolfssl/distinfo
  head/security/wolfssl/pkg-descr
  head/security/wolfssl/pkg-plist
Comment 6 Christoph Moench-Tegeder freebsd_committer 2016-01-06 21:44:59 UTC
Personally, I don't require SSLv3. But curl fails to build with wolfssl if wolfssl does not support SSLv3 - see http://www.yassl.com/forums/topic717-solved-undefined-reference-to-wolfsslv3clientmethod.html . I verified that the problem described there still persists with our current curl version.
I have no idea how many other ports would require SSLv3, or if anyone (still) uses SSLv3 somewhere, so I added it as an OPTION and mentioned it in UPDATING.
Comment 7 commit-hook freebsd_committer 2016-01-06 21:46:56 UTC
A commit references this bug:

Author: johans
Date: Wed Jan  6 21:46:08 UTC 2016
New revision: 405394
URL: https://svnweb.freebsd.org/changeset/ports/405394

Log:
  MFH: r405390

  - Update WolfSSL to 3.8.0 (new MASTER_SITES, WWW entry and description)
  - Includes important security fixes for CVE-2015-7744 and CVE-2015-6925
    see https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html
  - Disables support for SSLv3

  PR:		205936
  Submitted by:	Christoph Moench-Tegeder <cmt@burggraben.net>
  Approved by:	portmgr (droso), ports-secteam (feld)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/security/wolfssl/Makefile
  branches/2016Q1/security/wolfssl/distinfo
  branches/2016Q1/security/wolfssl/pkg-descr
  branches/2016Q1/security/wolfssl/pkg-plist
Comment 8 Johan van Selst freebsd_committer 2016-01-06 21:56:23 UTC
(In reply to Christoph Moench-Tegeder from comment #6)

That is a good reason to add it indeed. Unfortunately it is too late for me now, so will likely add an update for this tomorrow. I also plan to do UPDATING and VuXML tomorrow. Just wanted to push the fix soon, but was unaware of the curl issue.
Comment 9 Dmitry Marakasov freebsd_committer 2016-09-08 14:18:18 UTC
Any plans to add vuxml entry finally?
Comment 10 commit-hook freebsd_committer 2016-09-12 20:06:16 UTC
A commit references this bug:

Author: johans
Date: Mon Sep 12 20:05:48 UTC 2016
New revision: 421955
URL: https://svnweb.freebsd.org/changeset/ports/421955

Log:
  Document WolfSSL vulnerabilities (< 3.6.8)

  PR:		205936
  Submitted by:	Christoph Moench-Tegeder

Changes:
  head/security/vuxml/vuln.xml
Comment 11 Johan van Selst freebsd_committer 2016-09-12 20:09:35 UTC
Sorry about the long delay. Had asked somebody to review the vuxml entry, but never got a response and completely forgot about it. Committed now.