Source: wolfssl
Version: 3.4.8+dfsg-1
Severity: important
Tags: security fixed-upstream

Hi,

wolfssl 3.6.8 was released fixing CVE-2015-6925. The DTLS server
implementation in earlier versions allowed running DoS attacks on a
wolfssl-based DTLS server or using it to amplify a DoS attack since the
DTLS cookie was not generated properly.

See the upstream announcement [1, 2] and the PoC [3] for more details.

When fixing this issue, please include the CVE identifier in the changelog.

[1] https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found,_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html
[2] http://wolfssl.com/wolfSSL/Blog/Entries/2015/9/18_wolfSSL_3.6.8_is_Now_Available.html
[3] https://github.com/IAIK/wolfSSL-DoS

Cheers
-- 
Sebastian Ramacher
Institute for Applied Information Processing and Communications,
Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Web: http://www.iaik.tugraz.at/
