UBUNTU-CVE-2023-6937

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2023-6937

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-6937.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2023-6937

Related

CVE-2023-6937

Published

2024-02-15T18:15:00Z

Modified

2024-10-15T14:12:46Z

Summary

[none]

Details

wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating.

References

Affected packages

Ubuntu:Pro:16.04:LTS / wolfssl

Package

Name: wolfssl
Purl: pkg:deb/ubuntu/wolfssl?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.4.8+dfsg-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / wolfssl

Package

Name: wolfssl
Purl: pkg:deb/ubuntu/wolfssl?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.10.2+dfsg-2

3.12.0+dfsg-1

3.12.2+dfsg-1

3.13.0+dfsg-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / wolfssl

Package

Name: wolfssl
Purl: pkg:deb/ubuntu/wolfssl?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.1.0+dfsg-2

4.2.0+dfsg-1

4.2.0+dfsg-2

4.2.0+dfsg-3

4.3.0+dfsg-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / wolfssl

Package

Name: wolfssl
Purl: pkg:deb/ubuntu/wolfssl?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.6.0-3

5.*

5.0.0-1

5.1.1-1

5.2.0-1

5.2.0-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / wolfssl

Package

Name: wolfssl
Purl: pkg:deb/ubuntu/wolfssl?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.6-1.2

Affected versions

5.*

5.5.4-2

5.5.4-2.1

5.6.4-2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "5.6.6-1.2",
            "binary_name": "libwolfssl-dev"
        },
        {
            "binary_version": "5.6.6-1.2",
            "binary_name": "libwolfssl42"
        },
        {
            "binary_version": "5.6.6-1.2",
            "binary_name": "libwolfssl42-dbgsym"
        }
    ]
}