Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-CC: sirkilam...@msn.com
Hi,

The wolfssl upstream released three patches for the version in Debian stable specifically in order to address the following three vulnerabilities present in bullseye:

- CVE-2022-42961, scored by NVD as "5.3 medium" [1]
- CVE-2022-39173, scored by NVD as "7.5 high" [2]
- CVE-2022-42905, scored by NVD as "9.1 critical" [3]

All three vulnerabilities are being tracked by DSA. [4] They were already fixed in unstable. There is no separate bug for the stable package.

Given the increased popularity of the package [5] and the severity of the vulnerabilities, it seemed prudent to offer users of Debian stable an update.

This bug was filed with a view toward the upcoming point release 11.6 for bullseye, which is scheduled for December 17. The freeze starts this weekend.

The proposed upload has not seen a lot of testing.

Following devref 5.5.1 [7], a source debdiff was attached.

Please let me know if the version number is right and if you need any more information, or whether I may upload the package.

Thanks!

Kind regards,
Felix Lechner

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-42961
[2] https://nvd.nist.gov/vuln/detail/CVE-2022-39173
[3] https://nvd.nist.gov/vuln/detail/CVE-2022-42905
[4] https://security-tracker.debian.org/tracker/source-package/wolfssl
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023697#28
[6] https://lists.debian.org/debian-release/2022/11/msg00251.html
[7] https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
Attachment: wolfssl_4.6.0+p1-0+deb11u1.dsc_wolfssl_4.6.0+p1-0+deb11u2.dsc.debdiff.xz (binary data)