wolfssl: Please update 20.10 (groovy) to version 4.6.0
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
wolfssl (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Hi,
I maintain this package in Debian. Please perform a security update to version 4.6.0 on your 20.10 (groovy) release. The new version resolves a vulnerability [1]. The vulnerability is already public but grave enough to warrant this filing.
According to our experience in Debian, either version 4.6.0-1 or 4.6.0-2 should be suitable for a security update. (We did not ship wolfssl in buster.) Both advertise the same shared object version (24) as the older upstream version 4.5.0.
The new version is missing two symbols [2], but neither appears to be relevant. The package names, which can be an issue for shared libraries, are identical.
A targeted patch (as requested on #ubuntu-hardened) is not currently available. [3]
As a side note, there is a report from OpenWRT that hostapd suffers from FTBFS with 4.6.0 [4], but they use different build options. More importantly, I believe Ubuntu builds wpa with OpenSSL, so the issue is moot for you.
Due to Debian's poor experience with maintainer patches on security-relevant packages [5], I recommend against attempting to fix older releases yourself. I may try to have another word with upstream about it for your earlier releases. Some of the developers there use Ubuntu. Thanks!
Kind regards
Felix Lechner
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
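The report's argument for shipping 4.6.0 as a drop-in security update rests on two checks: the shared object version (SONAME) is unchanged, and the set of exported symbols that went away is small and irrelevant to consumers. The script below is an added example of how a packager would verify both before uploading; it is not code from the bug report, from Debian's packaging, or from wolfSSL. The library path in the comments and every symbol name in the sample lists are assumptions: the `readelf -d` and `nm -D` outputs are constructed inline so the check runs offline, and the two dropped symbols are placeholders, not the real ones the report refers to.

```shell
#!/bin/sh
# Added example (not from the bug report or the wolfssl/Debian packaging):
# check whether a new shared library build is a drop-in replacement.
#
# On a real system the inputs come from the installed libraries, e.g.
#   readelf -d /usr/lib/x86_64-linux-gnu/libwolfssl.so.24   (assumed path)
#   nm -D --defined-only libwolfssl.so.24 | awk '{print $3}'
# Below, both outputs are constructed samples so the script runs offline.
LC_ALL=C
export LC_ALL

# Print the SONAME found in `readelf -d` output read from stdin.
soname_of() {
    sed -n 's/.*(SONAME).*\[\([^]]*\)].*/\1/p'
}

# Print symbols exported by the old build (file $1) that the new build
# (file $2) no longer exports. Each file holds one symbol name per line.
missing_symbols() {
    old_sorted=$(mktemp); new_sorted=$(mktemp)
    sort -u "$1" > "$old_sorted"
    sort -u "$2" > "$new_sorted"
    comm -23 "$old_sorted" "$new_sorted"
    rm -f "$old_sorted" "$new_sorted"
}

# check_abi OLD_READELF NEW_READELF OLD_SYMS_FILE NEW_SYMS_FILE
# Exit status: 0 = same SONAME and no symbol dropped (drop-in),
#              1 = same SONAME but symbols dropped (review each one),
#              2 = SONAME changed (needs a new binary package, not a plain update).
check_abi() {
    old_so=$(printf '%s\n' "$1" | soname_of)
    new_so=$(printf '%s\n' "$2" | soname_of)
    if [ "$old_so" != "$new_so" ]; then
        echo "SONAME changed: $old_so -> $new_so (not a drop-in update)"
        return 2
    fi
    missing=$(missing_symbols "$3" "$4")
    if [ -n "$missing" ]; then
        echo "SONAME unchanged ($old_so) but these exported symbols were dropped:"
        echo "$missing"
        return 1
    fi
    echo "SONAME unchanged ($old_so), no exported symbols dropped"
    return 0
}

# Constructed sample `readelf -d` output for the old and new builds.
OLD_DYN=' 0x000000000000000e (SONAME)             Library soname: [libwolfssl.so.24]'
NEW_DYN=' 0x000000000000000e (SONAME)             Library soname: [libwolfssl.so.24]'

# Constructed sample symbol lists; the example_* names are placeholders.
OLD_SYMS=$(mktemp); NEW_SYMS=$(mktemp)
printf '%s\n' wolfSSL_CTX_new wolfSSL_new wolfSSL_connect \
    example_dropped_symbol_a example_dropped_symbol_b > "$OLD_SYMS"
printf '%s\n' wolfSSL_CTX_new wolfSSL_new wolfSSL_connect \
    example_added_symbol > "$NEW_SYMS"

# Demo run: status 1 is expected because two symbols disappeared.
check_abi "$OLD_DYN" "$NEW_DYN" "$OLD_SYMS" "$NEW_SYMS"
echo "exit status: $?"
```

A status of 1 is the situation the report describes: the SONAME still matches, so the package name and every existing dependency stay valid, but each dropped symbol has to be checked against reverse dependencies (for example with `nm -D --undefined-only` on each consumer) before concluding, as the reporter does, that none is relevant. A status of 2 means the update is not a security-update candidate at all without a new binary package.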
CVE References
description: updated
information type: Private Security → Public Security
Changed in wolfssl (Ubuntu):
status: New → Confirmed