Sign me up Login

Details about package wolfssl

Name: wolfssl (PTS)
Uploader: Jacob Barthelmeh <sirkilamole@msn.com> (Debian QA page)
Description: libwolfssl35 - wolfSSL encryption library
libwolfssl-dev - Development files for the wolfSSL encryption library

Package uploads

Upload #1

Information

Version: 5.5.4-2+deb12u3
Uploaded: 2026-07-07 20:07
Source package: wolfssl_5.5.4-2+deb12u3.dsc
Distribution: bookworm-security
Section: libs
Priority: optional
Homepage: https://www.wolfssl.com/products/wolfssl/

Changelog

 wolfssl (5.5.4-2+deb12u3) bookworm-security; urgency=high
 .
   * Backport upstream security fixes. (See #1140765, #1140815)
   * CVE-2026-5194: enforce that a certificate signatureAlgorithm OID
     matches the issuer key type, preventing acceptance of forged
     ECDSA/EdDSA certificate signatures.
   * CVE-2026-55961: reject degenerate (certs-only) PKCS#7 objects with
     no verified signer in wolfSSL_PKCS7_verify().
   * CVE-2026-55967: reject AES-GCM cumulative message sizes that would
     overflow the 32-bit counters in the streaming update API.
   * CVE-2026-55962: require a client Certificate/CertificateVerify when
     a TLS 1.3 post-handshake CertificateRequest is outstanding.
   * CVE-2026-7511: report the certificate that actually verified the
     signature as the PKCS#7 signer.
   * CVE-2026-6731: apply DNS name constraints to the Subject Common Name
     when no subjectAltName is present.
   * CVE-2026-6681: honour the caller-supplied output buffer size in the
     PKCS#7 decode paths.
   * CVE-2026-6678: fix an integer underflow in wc_PKCS7_DecryptOri when
     handling crafted OtherRecipientInfo.
   * CVE-2026-6450: reject CRLs containing unrecognized critical
     extensions.
   * CVE-2026-6329: reject PKCS#12 MAC length mismatches instead of
     comparing an attacker-controlled length.
   * CVE-2026-6325: bound the index in SetSuitesHashSigAlgo to prevent an
     out-of-bounds write.
   * CVE-2026-6094: bound the encrypted-content size in
     wc_PKCS7_DecodeEnvelopedData to prevent a heap over-read.
   * CVE-2026-6092: enforce Encrypt-then-MAC on the TLS resumption path.
   * CVE-2026-6331: require an exact-length HMAC tag in
     EVP_DigestVerifyFinal.

QA information

Comments

No comments