Your message dated Fri, 15 Aug 2025 21:17:09 +0000
with message-id <[email protected]>
and subject line Bug#1109549: fixed in wolfssl 5.7.2-0.1+deb13u1
has caused the Debian Bug report #1109549,
regarding wolfssl: CVE-2025-7394
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109549: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109549
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: wolfssl
Version: 5.7.2-0.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for wolfssl.
CVE-2025-7394[0]:
| In the OpenSSL compatibility layer implementation, the function
| RAND_poll() was not behaving as expected and leading to the
| potential for predictable values returned from RAND_bytes() after
| fork() is called. This can lead to weak or predictable random
| numbers generated in applications that are both using RAND_bytes()
| and doing fork() operations. This only affects applications
| explicitly calling RAND_bytes() after fork() and does not affect any
| internal TLS operations. Although RAND_bytes() documentation in
| OpenSSL calls out not being safe for use with fork() without first
| calling RAND_poll(), an additional code change was also made in
| wolfSSL to make RAND_bytes() behave similar to OpenSSL after a
| fork() call without calling RAND_poll(). Now the Hash-DRBG used gets
| reseeded after detecting running in a new process. If making use of
| RAND_bytes() and calling fork() we recommend updating to the latest
| version of wolfSSL. Thanks to Per Allansson from Appgate for the
| report.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-7394
https://www.cve.org/CVERecord?id=CVE-2025-7394
[1] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
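Added example (not wolfSSL code, and not part of either message in this thread): a small C program that reproduces the failure mode the advisory describes. A toy SplitMix64 generator stands in for wolfSSL's Hash-DRBG (it is not a CSPRNG); the names toy_drbg_*, parent_child_outputs_match() and the use of /dev/urandom as the entropy source are this example's own choices, not wolfSSL or OpenSSL APIs. With the PID check disabled the child inherits the parent's generator state and emits the same bytes the parent emits; with it enabled the child notices it runs in a new process and reseeds, which is the behaviour the fix introduces.

```c
/* Added example (not wolfSSL code): why a user-space DRBG must notice fork().
 * A toy SplitMix64 generator stands in for the Hash-DRBG; it is NOT a CSPRNG and
 * only shows how state copied by fork() repeats in the child until a PID check
 * forces a reseed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

typedef struct {
    uint64_t state;     /* copied verbatim into the child by fork() */
    pid_t    owner_pid; /* PID that last seeded the state */
    int      seeded;
} toy_drbg;

/* 8 bytes of OS entropy from /dev/urandom. The pid/time fallback exists only so
 * the demo runs anywhere; a real DRBG must fail closed instead. */
static uint64_t os_entropy(void)
{
    uint64_t v = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        size_t n = fread(&v, 1, sizeof v, f);
        fclose(f);
        if (n == sizeof v)
            return v;
    }
    return ((uint64_t)getpid() << 32) ^ (uint64_t)time(NULL) ^ 0x9E3779B97F4A7C15ULL;
}

static void toy_drbg_seed(toy_drbg *d)
{
    d->state = os_entropy();
    d->owner_pid = getpid();
    d->seeded = 1;
}

/* SplitMix64 step: the output is a deterministic function of the state. */
static uint64_t toy_drbg_next(toy_drbg *d)
{
    uint64_t z = (d->state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* fork_safe == 0 mimics the vulnerable behaviour: the child keeps running from the
 * parent's copied state. fork_safe == 1 reseeds on a PID mismatch, which is the
 * "reseed after detecting a new process" fix the advisory describes. */
static void toy_drbg_generate(toy_drbg *d, uint8_t *out, size_t n, int fork_safe)
{
    if (!d->seeded || (fork_safe && d->owner_pid != getpid()))
        toy_drbg_seed(d);
    while (n > 0) {
        uint64_t v = toy_drbg_next(d);
        size_t take = n < sizeof v ? n : sizeof v;
        memcpy(out, &v, take);
        out += take;
        n -= take;
    }
}

/* Seed in the parent, fork, draw 16 bytes in both processes and compare.
 * Returns 1 if parent and child produced identical bytes, 0 if they differ,
 * -1 on a system error. */
int parent_child_outputs_match(int fork_safe)
{
    toy_drbg d;
    uint8_t parent_out[16], child_out[16];
    int fds[2];
    size_t got = 0;

    toy_drbg_seed(&d);          /* state exists before fork(), as in a pre-forking server */
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {             /* child: draw bytes, send them back, _exit() to skip atexit() */
        close(fds[0]);
        toy_drbg_generate(&d, child_out, sizeof child_out, fork_safe);
        ssize_t w = write(fds[1], child_out, sizeof child_out);
        _exit(w == (ssize_t)sizeof child_out ? 0 : 1);
    }
    close(fds[1]);
    toy_drbg_generate(&d, parent_out, sizeof parent_out, fork_safe);
    while (got < sizeof child_out) {
        ssize_t r = read(fds[0], child_out + got, sizeof child_out - got);
        if (r <= 0)
            break;
        got += (size_t)r;
    }
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (got != sizeof child_out)
        return -1;
    return memcmp(parent_out, child_out, sizeof parent_out) == 0;
}
```

parent_child_outputs_match(0) returns 1 (the child repeats the parent's bytes) and parent_child_outputs_match(1) returns 0. A PID comparison is the usual mitigation but not airtight: once the process that seeded the state has exited, a later descendant can be assigned the same PID and skip the reseed, and the check costs a getpid() per call. Marking the state stale from a pthread_atfork() child handler, or keeping it in memory marked MADV_WIPEONFORK on Linux, avoids both issues. On library versions older than the fix, the advisory's own advice stands: call RAND_poll() in the child before RAND_bytes().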
--- Begin Message ---
Source: wolfssl
Source-Version: 5.7.2-0.1+deb13u1
Done: Bastian Germann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
wolfssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Germann <[email protected]> (supplier of updated wolfssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 Aug 2025 15:17:47 +0200
Source: wolfssl
Architecture: source
Version: 5.7.2-0.1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Jacob Barthelmeh <[email protected]>
Changed-By: Bastian Germann <[email protected]>
Closes: 1109549
Changes:
wolfssl (5.7.2-0.1+deb13u1) trixie; urgency=medium
.
* Fix CVE-2025-7394: weak/predictable random numbers. (Closes: #1109549)
Checksums-Sha1:
08f4e970043e24abf25dd93a694516da86e2a873 2040 wolfssl_5.7.2-0.1+deb13u1.dsc
aedbe5dbac4ee1e13600cc2dba68f5eeb867dce8 23591507 wolfssl_5.7.2.orig.tar.gz
d35bd9ca2e9d97bab512a19979d685ad32d78b3c 488 wolfssl_5.7.2.orig.tar.gz.asc
4d47be9a532c5be484e64481aae828b429c53420 34912 wolfssl_5.7.2-0.1+deb13u1.debian.tar.xz
4b35d26e36079e39ebcf332a21b41fd390ad425c 5628 wolfssl_5.7.2-0.1+deb13u1_source.buildinfo
Checksums-Sha256:
fd77179b9a2dfedfbe5df6a3384761c6ba83b367e0d0b61832e73e92a7259101 2040 wolfssl_5.7.2-0.1+deb13u1.dsc
0f2ed82e345b833242705bbc4b08a2a2037a33f7bf9c610efae6464f6b10e305 23591507 wolfssl_5.7.2.orig.tar.gz
0e5c0598631feac357b8252d4839b308606fba5aaba80061eb895e7e755094f7 488 wolfssl_5.7.2.orig.tar.gz.asc
a8c195c8c182b9d6c9bae3bc23a8d71a4f3dc7fedf1145282d022e47e1d8fd53 34912 wolfssl_5.7.2-0.1+deb13u1.debian.tar.xz
8a96fda97af07fae6b2635918075fed49f0f7c5c55c7a1c5eb422dec6662e439 5628 wolfssl_5.7.2-0.1+deb13u1_source.buildinfo
Files:
4d8b5eb0152e7fdb8266d39de0f92a10 2040 libs optional wolfssl_5.7.2-0.1+deb13u1.dsc
bc28818fb83b793b6c23987e1b116735 23591507 libs optional wolfssl_5.7.2.orig.tar.gz
d006eee323369aa3ab8871d79c829313 488 libs optional wolfssl_5.7.2.orig.tar.gz.asc
a2ec4e08a2bd62a7c6079a9ae45c366f 34912 libs optional wolfssl_5.7.2-0.1+deb13u1.debian.tar.xz
915146f70c165fca66a3cdcf70e41c46 5628 libs optional wolfssl_5.7.2-0.1+deb13u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---