From owner-svn-ports-all@freebsd.org Mon Sep 12 20:05:48 2016 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E1AF2BD8D8A; Mon, 12 Sep 2016 20:05:48 +0000 (UTC) (envelope-from johans@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8BAAFFCF; Mon, 12 Sep 2016 20:05:48 +0000 (UTC) (envelope-from johans@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u8CK5lDM083604; Mon, 12 Sep 2016 20:05:47 GMT (envelope-from johans@FreeBSD.org) Received: (from johans@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u8CK5lBQ083602; Mon, 12 Sep 2016 20:05:47 GMT (envelope-from johans@FreeBSD.org) Message-Id: <201609122005.u8CK5lBQ083602@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: johans set sender to johans@FreeBSD.org using -f From: Johan van Selst Date: Mon, 12 Sep 2016 20:05:47 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r421955 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Sep 2016 20:05:49 -0000 Author: johans Date: Mon Sep 12 20:05:47 2016 New Revision: 421955 URL: https://svnweb.freebsd.org/changeset/ports/421955 Log: Document WolfSSL vulnerabilities (< 3.6.8) PR: 205936 Submitted by: Christoph Moench-Tegeder Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Sep 12 19:44:03 2016 (r421954) +++ head/security/vuxml/vuln.xml Mon Sep 12 20:05:47 2016 (r421955) @@ -58,6 +58,56 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + wolfssl -- leakage of private key information + + + + 3.6.8 + + + + +

Florian Weimer of Redhat discovered that an optimization in + RSA signature validation can result in disclosure of the + server's private key under certain fault conditions.

+ + + + https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html + https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/ + CVE-2015-7744 + + + 2015-09-17 + 2016-01-05 + + + + wolfssl -- DDoS amplification in DTLS + + + wolfssl + 3.6.8 + + + + +

Sebastian Ramacher identified an error in wolfSSL's implementation + of the server side of the DTLS handshake, which could be abused + for DDoS amplification or a DoS on the DTLS server itself.

+ + + + https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html + https://github.com/IAIK/wolfSSL-DoS + CVE-2015-6925 + + + 2015-09-18 + 2016-01-05 + + gnutls -- OCSP validation issue