pkgsrc-Changes archive
CVS commit: pkgsrc/security/wolfssl
Module Name: pkgsrc
Committed By: fox
Date: Mon Mar 30 10:22:27 UTC 2026
Modified Files:
pkgsrc/security/wolfssl: Makefile PLIST distinfo
Log Message:
security/wolfssl: Update to 5.9.0
Changes since 5.8.4:
To download the release bundle of wolfSSL visit the download page at
www.wolfssl.com/download/
PR stands for Pull Request, and PR references a GitHub pull request number
where the code change was added.
Vulnerabilities
* [High CVE-2026-3548] Two buffer overflow vulnerabilities existed in the
wolfSSL CRL parser when parsing CRL numbers - both heap-based and
stack-based. Only affects builds with CRL support enabled when loading
untrusted CRLs. Fixed in PR 9628 and PR 9873.
* [High CVE-2026-3549] Heap Overflow in TLS 1.3 ECH parsing. An integer
underflow existed in ECH extension parsing logic causing out-of-bounds
writes. ECH is disabled by default; still evolving as a standard. Fixed in
PR 9817.
* [High CVE-2026-3547] Out-of-bounds read in ALPN parsing due to incomplete
validation. Affects builds with ALPN enabled (disabled by default but
enabled for Apache httpd, BIND, curl, HAProxy, Hitch, Lighttpd, JNI, nginx,
QUIC compatibility). Fixed in PR 9860.
* [Med. CVE-2026-2646] A heap-buffer-overflow vulnerability exists in
wolfSSL's wolfSSL_d2i_SSL_SESSION() function. Occurs when deserializing
session data with SESSION_CERTS enabled; requires loading maliciously
crafted external sessions. Fixed in PR 9748 and PR 9949.
* [Med. CVE-2026-3849] Stack Buffer Overflow in wc_HpkeLabeledExtract via
oversized ECH config. Malicious TLS servers supporting ECH could trigger
crashes with potential remote execution. Fixed in PR 9737.
* [Low CVE-2026-0819] wolfSSL PKCS7 SignedData encoding OOB write (signed
attributes). Occurs when creating signed PKCS7 with more than 7 signed
attributes. Fixed in PR 9630.
* [Low CVE-2026-1005] Integer underflow in wolfSSL packet sniffer. Affects
builds with --enable-sniffer and AEAD support; allows buffer overflow via
malformed TLS records. Fixed in PR 9571.
* [Low CVE-2026-2645] Logic flaw existed in the TLS 1.2 server state machine.
Server could incorrectly accept CertificateVerify before ClientKeyExchange.
Fixed in PR 9694.
* [Low CVE-2026-3230] Client does not catch if the required key_share
extension is missing from ServerHello. Client authenticates server
correctly but derives predictable key. Fixed in PR 9754.
* [Low CVE-2026-3229] Integer Overflow in Certificate Chain Allocation.
Affects APIs: wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CTX_add1_chain_cert,
wolfSSL_add0_chain_cert. Fixed in PR 9827.
* [Low CVE-2026-3579] wolfSSL 5.8.4 and earlier on RISC-V RV32I architectures
lacks constant-time software implementation for 64-bit multiplication,
exposing cryptographic data via timing side-channel. Fixed in PR 9855.
* [Low CVE-2026-3580] Compiler-induced timing leak in sp_256_get_entry_256_9
on RISC-V. GCC optimization breaks side-channel resistance of ECC scalar
multiplication. Fixed in PR 9855.
* [Low CVE-2026-3503] Protection mechanism failure in wolfCrypt post-quantum
implementations (ML-KEM and ML-DSA) on ARM Cortex-M allows physical
attackers to compromise key material via transient faults. Fixed in PR
9734.
* [Low CVE-2026-4159] 1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via
zero-length encrypted content. Requires crafted CMS EnvelopedData message.
Fixed in PR 9945.
* [Low CVE-2026-4395] Heap buffer out of bounds write case existed in wolfSSL
version 5.8.4 and earlier when importing an ECC key while built with KCAPI
support. Fixed in PR 9988.
New Features
* FIPS 205, SLH-DSA implementation. (PR 9838)
* Added OCSP responder API and support. (PR 9761)
* Add AES CryptoCB key import support. (PR 9658)
* Add the RNG bank facility to wolfCrypt, wc_rng_new_bankref(). (PR 9616)
Ports, Hardware Integration, and ASM Enhancements
* Add Renesas SK-S7G2 support. (PR 9561)
* Support for STM32 HMAC hardware. (PR 9745)
* Add STM32G0 hardware crypto support. (PR 9707)
* Misc STM32 fixes and testing improvements. (PR 9446, 9563)
* Various Thumb2 AES/SP ASM enhancements and fixes. (PR 9464, 9491, 9547,
9615, 9767)
* Add Zephyr 4.1+ build compatibility for wolfssl_tls_sock sample. (PR 9765)
Rust Wrapper
* Added FIPS support. (PR 9739)
* Added modules for dilithium (PR 9819), chacha20-poly1305 (PR 9599),
curve25519 (PR 9594), blake2 (PR 9586), LMS (PR 9910), and ml-kem (PR
9833).
* Miscellaneous fixes and enhancements for RSA, ECC, HASHDRBG, HMAC-BLAKE2,
and XChaCha20-Poly1305. (PR 9453, 9499, 9500, 9624, 9687)
Post-Quantum Cryptography (PQC)
* General improvements for WOLFSSL_NO_MALLOC PQC support. (PR 9674)
* Various ML-DSA bug fixes. (PR 9575, 9696)
* Fixed a bug with ML-DSA verification with WOLFSSL_DILITHIUM_SMALL. (PR
9760)
* ML-KEM bug fixes and improvements. (PR 9470, 9621, 9822)
* Collection of ML-KEM fixes including DTLS 1.3 cookie and ClientHello
fragment handling, static memory handling, memory leak in TLS server PQC
handling with ECH, and expanded hybrid/individual ML-KEM level test
coverage. (PR 9968)
TLS/DTLS
* Add support for TLS 1.3 Brainpool curves. (PR 9701)
* DTLS retransmission enhancement. (PR 9623)
* Fix DTLS header size calculation. (PR 9513)
* Fix (D)TLS fragmentation size checks. (PR 9592)
* Extend AIA interface. (PR 9728)
* Various TLS 1.3 and extension fixes. (PR 9528, 9538, 9466, 9662, 9824, 9934)
* Improve TLS message order checks. (PR 9694, 9718)
* TLS ECH improvements. (PR 9737)
* Harden compare of mac with TLS 1.3 finished. (PR 9864)
PKCS
* Add PKCS7 ECC raw sign callback support. (PR 9656)
* Add RSA-PSS support for SignedData. (PR 9742)
* Support for ML-DSA via PKCS#11. (PR 9726, 9836)
* Fix PKCS11 object leak in Pkcs11ECDH. (PR 9780)
* Fix PKCS#7 SignedData parsing for non-OCTET_STRING content types. (PR 9559)
* Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI. (PR 9854)
Kernel
* Various linuxkm fixes and enhancements for Tegra kernels. (PR 9478, 9540,
9512)
* freebsdkm: FIPS support (PR 9590), and x86 crypto acceleration support. (PR
9714)
* Support offline FIPS hash calculation in linuxkm. (PR 9800)
Testing Improvements
* Increase test coverage for PQC and CMake. (PR 9637)
* API testing: split out and better organized test cases. (PR 9641)
* Added test for session deserialization input validation. (PR 9759)
* Added TLS Anvil workflow. (PR 9804)
* Added rng-tools 6.17 testing. (PR 9810)
* Added openldap 2.6.9 testing. (PR 9805)
* Add bind 9.20.11 to the test matrix. (PR 9806)
* Misc testing fixes. (PR 9584, 9670, 9688, 9710, 9716, 9755)
* Implement a stateful port tracking mechanism for test port assignment. (PR
9850)
Bug Fixes
* Fix for buffer overflow write in the wolfSSL CAAM driver for Integrity OS
on i.MX6.
* API Documentation: various fixes and improvements. (PR 9458, 9552, 9570,
9585)
* Fix potential memory under-read in TLS ticket processing function.
* Fix IP address check in wolfSSL_X509_check_host(). (PR 9502)
* Check if ctx and ssl are null when checking public key in certificate. (PR
9506)
* Fix test when ECH and harden are enabled. (PR 9510)
* Fix wc_CmacFree() to use correct heap pointer from internal Aes structure.
(PR 9527)
* Various Coverity analyzer fixes. (PR 9437, 9534, 9619, 9646, 9812, 9842,
9887, 9933)
* Fix dereference before Null check. (PR 9591)
* Fix memory leak in case of handshake error. (PR 9609)
* Fix MatchBaseName. (PR 9626)
* ChaCha20 Aarch64 ASM fix. (PR 9627)
* Fix TLSX_Parse to correctly handle client and server cert type ext with
TLS1.3. (PR 9657)
* Fix cert SW issues in Aes and rng. (PR 9681)
* Various fixes for NO_RNG builds. (PR 9689, 9698)
* Fixes for STSAFE-A120 ECDHE. (PR 9703)
* Fix Crash when using Sha224 Callback with MAX32666. (PR 9712)
* Fix for RSA private key parsing (allowing public) and RSA keygen no malloc
support. (PR 9715)
* Fix null check in ECDSA encode. (PR 9771)
* Various static analyzer fixes. (PR 9786, 9788, 9795, 9801, 9817)
* Fix switch case handling in TLSX_IsGroupSupported function. (PR 9777)
* Fixes to big-endian bugs found in Curve448 and Blake2S. (PR 9778)
* Fix cert chain size issue. (PR 9827)
* Fix potential memory leak when copying into existing SHA contexts. (PR
9829)
* Add sanity checks in key export. (PR 9823)
* CRL enhancements for revoked entries. (PR 9839)
* Fix DRBG_internal alloc in wc_RNG_HealthTestLocal. (PR 9847)
* Various CMake fixes and improvements. (PR 9605, 9725)
* RISC-V 32 no mul SP C: implement multiplication. (PR 9855)
* ASN: improve handling of ASN.1 parsing/encoding. (PR 9872)
* Various fixes to CRL parsing. (PR 9628, 9873)
* Harden hash comparison in TLS1.2 finished. (PR 9874)
* Various fixes to TLS sniffer. (PR 9571, 9643, 9867, 9901, 9924)
* Check ivLen in wolfSSL_EVP_CIPHER_CTX_set_iv_length. (PR 9943)
* Validate that the ticket length is at least ID_LEN before use in SetTicket.
(PR 9782)
* Enforce null compression in compression_methods list. (PR 9913)
* Additional sanity check on number of groups in set groups function. (PR
9861)
* Resolves issues with asynchronous and crypto callback handling. (PR 9784)
* Fix checkPad to reject zero PKCS#7 padding value. (PR 9878)
* Add sanity check on keysize found with ECC point import. (PR 9989)
* Adds a range check to ensure session ticket lifetimes are within bounds.
(PR 9881)
* Fix potential overflows in hash used-size calculation for TI and SE050. (PR
9954)
* Correct a constant mismatch for draft QUIC transport params. (PR 9868)
* Correct the key type detection logic in Falcon and SPHINCS+. (PR 9979,
9980)
* XMSS: Fix index copy for signing. (PR 9978)
* Fix pathlen not copied in ASN1_OBJECT_dup and not marked set in
X509_add_ext. (PR 9940)
* Ensure CheckHeaders length does not exceed packet size in sniffer. (PR
9947)
* SP fixes: 32-bit ARM assembly fixes modular exponentiation bug. (PR 9964)
* Fix buffer-overflow in LMS leaf cache indexing. (PR 9919)
To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 pkgsrc/security/wolfssl/Makefile
cvs rdiff -u -r1.17 -r1.18 pkgsrc/security/wolfssl/PLIST
cvs rdiff -u -r1.30 -r1.31 pkgsrc/security/wolfssl/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/wolfssl/Makefile
diff -u pkgsrc/security/wolfssl/Makefile:1.29 pkgsrc/security/wolfssl/Makefile:1.30
--- pkgsrc/security/wolfssl/Makefile:1.29 Sun Nov 30 14:19:13 2025
+++ pkgsrc/security/wolfssl/Makefile Mon Mar 30 10:22:27 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.29 2025/11/30 14:19:13 fox Exp $
+# $NetBSD: Makefile,v 1.30 2026/03/30 10:22:27 fox Exp $
-DISTNAME= wolfssl-5.8.4
+DISTNAME= wolfssl-5.9.0
CATEGORIES= security
MASTER_SITES= https://www.wolfssl.com/
EXTRACT_SUFX= .zip
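Review bot: The log should state which of the feature-gated CVEs apply to this package as built, because the DISTNAME line is the only functional change in this hunk and the package's configure options are not visible here. Several of the listed fixes only matter when a feature is enabled (CRL, ALPN, ECH, --enable-sniffer, SESSION_CERTS, KCAPI), so one added sentence naming the features this package turns on would let operators judge how urgent the update is for them.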
Index: pkgsrc/security/wolfssl/PLIST
diff -u pkgsrc/security/wolfssl/PLIST:1.17 pkgsrc/security/wolfssl/PLIST:1.18
--- pkgsrc/security/wolfssl/PLIST:1.17 Sun Nov 30 14:19:13 2025
+++ pkgsrc/security/wolfssl/PLIST Mon Mar 30 10:22:27 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.17 2025/11/30 14:19:13 fox Exp $
+@comment $NetBSD: PLIST,v 1.18 2026/03/30 10:22:27 fox Exp $
bin/wolfssl-config
include/wolfssl/callbacks.h
include/wolfssl/certs_test.h
@@ -131,6 +131,7 @@ include/wolfssl/wolfcrypt/pwdbased.h
include/wolfssl/wolfcrypt/random.h
include/wolfssl/wolfcrypt/rc2.h
include/wolfssl/wolfcrypt/ripemd.h
+include/wolfssl/wolfcrypt/rng_bank.h
include/wolfssl/wolfcrypt/rsa.h
include/wolfssl/wolfcrypt/sakke.h
include/wolfssl/wolfcrypt/settings.h
@@ -153,20 +154,24 @@ include/wolfssl/wolfcrypt/wc_encrypt.h
include/wolfssl/wolfcrypt/wc_lms.h
include/wolfssl/wolfcrypt/wc_mlkem.h
include/wolfssl/wolfcrypt/wc_port.h
+include/wolfssl/wolfcrypt/wc_slhdsa.h
include/wolfssl/wolfcrypt/wc_xmss.h
+include/wolfssl/wolfcrypt/wolfentropy.h
include/wolfssl/wolfcrypt/wolfevent.h
include/wolfssl/wolfcrypt/wolfmath.h
include/wolfssl/wolfcrypt/xmss.h
include/wolfssl/wolfio.h
+lib/cmake/wolfssl/wolfssl-config-version.cmake
+lib/cmake/wolfssl/wolfssl-config.cmake
+lib/cmake/wolfssl/wolfssl-targets.cmake
lib/libwolfssl.la
lib/pkgconfig/wolfssl.pc
share/doc/wolfssl/QUIC.md
share/doc/wolfssl/README.txt
-share/doc/wolfssl/example/async_client.c
-share/doc/wolfssl/example/async_server.c
share/doc/wolfssl/example/client.c
share/doc/wolfssl/example/echoclient.c
share/doc/wolfssl/example/echoserver.c
+share/doc/wolfssl/example/ocsp_responder.c
share/doc/wolfssl/example/sctp-client-dtls.c
share/doc/wolfssl/example/sctp-client.c
share/doc/wolfssl/example/sctp-server-dtls.c
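Review bot: The dropped `share/doc/wolfssl/example/async_client.c` and `async_server.c` entries and the three new `lib/cmake/wolfssl/*.cmake` entries in this hunk are not explained anywhere in the log message; a short note on each would help anyone tracking what the package installs. Please also confirm that the cmake config files and `include/wolfssl/wolfcrypt/wolfentropy.h` are installed unconditionally; if any of them depends on a build option, the entry needs a PLIST conditional rather than a bare line.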
Index: pkgsrc/security/wolfssl/distinfo
diff -u pkgsrc/security/wolfssl/distinfo:1.30 pkgsrc/security/wolfssl/distinfo:1.31
--- pkgsrc/security/wolfssl/distinfo:1.30 Sun Nov 30 14:19:13 2025
+++ pkgsrc/security/wolfssl/distinfo Mon Mar 30 10:22:27 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.30 2025/11/30 14:19:13 fox Exp $
+$NetBSD: distinfo,v 1.31 2026/03/30 10:22:27 fox Exp $
-BLAKE2s (wolfssl-5.8.4.zip) = 5b5983affd36cdb89525f5e70a17b382dfc56b5c1ff34727477d999e67c4aad8
-SHA512 (wolfssl-5.8.4.zip) = 3ed21b7584edef02325486814f096181afc01e90031786e4cee234bf820fb0493b06d641c0b0f1054e2d33ca1b997d9754c3075ce8b53a11b3d1a4ce214c011e
-Size (wolfssl-5.8.4.zip) = 27409830 bytes
+BLAKE2s (wolfssl-5.9.0.zip) = e13513f90bd69a9fe79c8f15ca8b7c14c57b5b8ea9bb8944fe1775592e65a816
+SHA512 (wolfssl-5.9.0.zip) = 02743c043fdc7c4132cd71f5caabf38fa5960520c83450c7246d87f539a62accf8781cde481ed191ed07bbc9f9e44f7812fe239a6a5c097ca13c67c2cd624167
+Size (wolfssl-5.9.0.zip) = 28246542 bytes
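Review bot: The new BLAKE2s and SHA512 lines for wolfssl-5.9.0.zip pin the distfile, but neither this hunk nor the log records that the archive was compared with an upstream-published digest or signature before these values were generated. For a security update fetched from the vendor site given in MASTER_SITES, stating that check in the log gives downstream users a basis for trusting the pinned hashes.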