12 changes: 6 additions & 6 deletions ChangeLog.md
Expand Up @@ -49,7 +49,7 @@ wolfSSL 5.8.4 and earlier on RISC-V RV32I architectures lacks a constant-time so
A protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6. Thanks to Hariprasad Kelassery Valsaraj of Temasek Laboratories for the report. Fixed in PR 9734.

* [Low] CVE-2026-4159
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default. Thanks to Haruto Kimura (Stella). Fixed in PR9945.
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default. Thanks to Haruto Kimura (Stella). Fixed in PR 9945.

* [Low] CVE-2026-4395
A heap buffer out of bounds write case existed in wolfSSL version 5.8.4 and earlier when importing an ECC key while built with KCAPI support. The fix implemented added a check on the raw pubkey length in wc_ecc_import_x963 before copying it to an internal struct. KCAPI support is turned off by default and only enabled with builds using --enable-kcapi. Thanks to Haruto Kimura (Stella) for the report. Fixed in PR 9988.
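Review bot: the CVE-2026-4159 entry has two wording issues this hunk could fix along with the "PR9945" spacing. Its first sentence ("1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content.") is restated almost verbatim by the sentence that follows it, and the credit reads "Thanks to Haruto Kimura (Stella)." while the neighbouring CVE-2026-4395 entry and the rest of the file use "Thanks to Haruto Kimura (Stella) for the report." Suggest dropping the duplicated lead sentence and adding "for the report" so the entry matches its siblings.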
Expand Down Expand Up @@ -140,20 +140,20 @@ A heap buffer out of bounds write case existed in wolfSSL version 5.8.4 and earl
* Fixes to big-endian bugs found in Curve448 and Blake2S by @LinuxJedi (PR 9778).
* Fix cert chain size issue by @embhorn (PR 9827).
* Fix potential memory leak when copying into existing SHA contexts and zero init tmpSha by @night1rider (PR 9829).
* Add sanity checks in key export by @embhorn (PR9823). Thanks to Muhammad Arya Arjuna (pelioro) for the report.
* Add sanity checks in key export by @embhorn (PR 9823). Thanks to Muhammad Arya Arjuna (pelioro) for the report.
* CRL enhancements for revoked entries by @padelsbach (PR 9839).
* Fix DRBG_internal alloc in wc_RNG_HealthTestLocal by @embhorn (PR 9847).
* Various CMake fixes and improvements by @Frauschi (PRs 9605, 9725).
* RISC-V 32 no mul SP C: implement multiplication by @SparkiDev in (PR 9855).
* RISC-V 32 no mul SP C: implement multiplication by @SparkiDev (PR 9855).
* ASN: improve handling of ASN.1 parsing/encoding by @SparkiDev (PR 9872).
* Various fixes to CRL parsing by @miyazakh in (PRs 9628, 9873).
* Various fixes to CRL parsing by @miyazakh (PRs 9628, 9873).
* Harden hash comparison in TLS1.2 finished by @Frauschi (PR 9874).
* Various fixes to TLS sniffer by @mattia-moffa, @embhorn, @julek-wolfssl, @Frauschi (PRs 9571, 9643, 9867, 9901, 9924).
* Check ivLen in wolfSSL_EVP_CIPHER_CTX_set_iv_length by @philljj (PR 9943). Thanks to Haruto Kimura (Stella) for the report.
* Validate that the ticket length is at least ID_LEN before use in SetTicket, preventing an undersized buffer from being processed. @kareem-wolfssl (PR 9782).
* Validate that the ticket length is at least ID_LEN before use in SetTicket, preventing an undersized buffer from being processed by @kareem-wolfssl (PR 9782).
* Enforce null compression in compression_methods list by @julek-wolfssl (PR 9913).
* Additional sanity check on number of groups in set groups function by @JacobBarthelmeh (PR 9861).
* Resolves issues with asynchronous and crypto callback handling, adding test coverage to prevent regressions. by @dgarske (https://github.com/wolfSSL/wolfssl/pull/9784).
* Resolves issues with asynchronous and crypto callback handling, adding test coverage to prevent regressions by @dgarske (PR 9784).
* Fix checkPad to reject zero PKCS#7 padding value by @embhorn (PR 9878).
* Add sanity check on keysize found with ECC point import by @JacobBarthelmeh (PR 9989).
* Adds a range check to ensure session ticket lifetimes are within the bounds permitted by the TLS specification by @Frauschi (PR 9881).
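Review bot: the hunk normalizes the "by @author (PR n)" pattern but leaves the entry verb forms mixed. Most lines are imperative ("Fix cert chain size issue", "Add sanity checks in key export", "Enforce null compression") while the PR 9784 line, which is already being rewritten here, and the adjacent PR 9881 line are third person ("Resolves issues with asynchronous and crypto callback handling", "Adds a range check"). Suggest "Resolve issues ..." and "Add a range check ..." in the same change so the list reads uniformly.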
Expand Down
12 changes: 6 additions & 6 deletions README
Expand Up @@ -127,7 +127,7 @@ wolfSSL 5.8.4 and earlier on RISC-V RV32I architectures lacks a constant-time so
A protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6. Thanks to Hariprasad Kelassery Valsaraj of Temasek Laboratories for the report. Fixed in PR 9734.

* [Low] CVE-2026-4159
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default. Thanks to Haruto Kimura (Stella). Fixed in PR9945.
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default. Thanks to Haruto Kimura (Stella). Fixed in PR 9945.

* [Low] CVE-2026-4395
A heap buffer out of bounds write case existed in wolfSSL version 5.8.4 and earlier when importing an ECC key while built with KCAPI support. The fix implemented added a check on the raw pubkey length in wc_ecc_import_x963 before copying it to an internal struct. KCAPI support is turned off by default and only enabled with builds using --enable-kcapi. Thanks to Haruto Kimura (Stella) for the report. Fixed in PR 9988.
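Review bot: this copy of the CVE-2026-4159 entry carries the same duplicated lead sentence and the same credit without "for the report" as the ChangeLog.md copy; README, README.md and ChangeLog.md hold identical release-note text, so whatever wording is settled on for ChangeLog.md must be applied here verbatim or the three files will drift apart again after this cleanup.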
Expand Down Expand Up @@ -218,20 +218,20 @@ A heap buffer out of bounds write case existed in wolfSSL version 5.8.4 and earl
* Fixes to big-endian bugs found in Curve448 and Blake2S by @LinuxJedi (PR 9778).
* Fix cert chain size issue by @embhorn (PR 9827).
* Fix potential memory leak when copying into existing SHA contexts and zero init tmpSha by @night1rider (PR 9829).
* Add sanity checks in key export by @embhorn (PR9823). Thanks to Muhammad Arya Arjuna (pelioro) for the report.
* Add sanity checks in key export by @embhorn (PR 9823). Thanks to Muhammad Arya Arjuna (pelioro) for the report.
* CRL enhancements for revoked entries by @padelsbach (PR 9839).
* Fix DRBG_internal alloc in wc_RNG_HealthTestLocal by @embhorn (PR 9847).
* Various CMake fixes and improvements by @Frauschi (PRs 9605, 9725).
* RISC-V 32 no mul SP C: implement multiplication by @SparkiDev in (PR 9855).
* RISC-V 32 no mul SP C: implement multiplication by @SparkiDev (PR 9855).
* ASN: improve handling of ASN.1 parsing/encoding by @SparkiDev (PR 9872).
* Various fixes to CRL parsing by @miyazakh in (PRs 9628, 9873).
* Various fixes to CRL parsing by @miyazakh (PRs 9628, 9873).
* Harden hash comparison in TLS1.2 finished by @Frauschi (PR 9874).
* Various fixes to TLS sniffer by @mattia-moffa, @embhorn, @julek-wolfssl, @Frauschi (PRs 9571, 9643, 9867, 9901, 9924).
* Check ivLen in wolfSSL_EVP_CIPHER_CTX_set_iv_length by @philljj (PR 9943). Thanks to Haruto Kimura (Stella) for the report.
* Validate that the ticket length is at least ID_LEN before use in SetTicket, preventing an undersized buffer from being processed. @kareem-wolfssl (PR 9782).
* Validate that the ticket length is at least ID_LEN before use in SetTicket, preventing an undersized buffer from being processed by @kareem-wolfssl (PR 9782).
* Enforce null compression in compression_methods list by @julek-wolfssl (PR 9913).
* Additional sanity check on number of groups in set groups function by @JacobBarthelmeh (PR 9861).
* Resolves issues with asynchronous and crypto callback handling, adding test coverage to prevent regressions. by @dgarske (https://github.com/wolfSSL/wolfssl/pull/9784).
* Resolves issues with asynchronous and crypto callback handling, adding test coverage to prevent regressions by @dgarske (PR 9784).
* Fix checkPad to reject zero PKCS#7 padding value by @embhorn (PR 9878).
* Add sanity check on keysize found with ECC point import by @JacobBarthelmeh (PR 9989).
* Adds a range check to ensure session ticket lifetimes are within the bounds permitted by the TLS specification by @Frauschi (PR 9881).
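Review bot: the imperative/third-person mismatch ("Resolves issues ...", "Adds a range check ..." against "Fix ...", "Add ...", "Enforce ...") is present in this README copy of the list as well, and the PR 9784 line is already being edited in this hunk; any tense normalization should be made in all three files in the same commit, since the only way these duplicated lists stay consistent is if every wording change is mirrored.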
Expand Down
12 changes: 6 additions & 6 deletions README.md
Expand Up @@ -154,7 +154,7 @@ wolfSSL 5.8.4 and earlier on RISC-V RV32I architectures lacks a constant-time so
A protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6. Thanks to Hariprasad Kelassery Valsaraj of Temasek Laboratories for the report. Fixed in PR 9734.

* [Low] CVE-2026-4159
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default. Thanks to Haruto Kimura (Stella). Fixed in PR9945.
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default. Thanks to Haruto Kimura (Stella). Fixed in PR 9945.

* [Low] CVE-2026-4395
A heap buffer out of bounds write case existed in wolfSSL version 5.8.4 and earlier when importing an ECC key while built with KCAPI support. The fix implemented added a check on the raw pubkey length in wc_ecc_import_x963 before copying it to an internal struct. KCAPI support is turned off by default and only enabled with builds using --enable-kcapi. Thanks to Haruto Kimura (Stella) for the report. Fixed in PR 9988.
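Review bot: same remarks for the README.md copy of CVE-2026-4159 as for the other two files: the first sentence duplicates the one after it, and "Thanks to Haruto Kimura (Stella)." lacks the "for the report" used by CVE-2026-4395 two lines below. Please keep this file byte-identical to ChangeLog.md and README for these entries when the wording is fixed.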
Expand Down Expand Up @@ -245,20 +245,20 @@ A heap buffer out of bounds write case existed in wolfSSL version 5.8.4 and earl
* Fixes to big-endian bugs found in Curve448 and Blake2S by @LinuxJedi (PR 9778).
* Fix cert chain size issue by @embhorn (PR 9827).
* Fix potential memory leak when copying into existing SHA contexts and zero init tmpSha by @night1rider (PR 9829).
* Add sanity checks in key export by @embhorn (PR9823). Thanks to Muhammad Arya Arjuna (pelioro) for the report.
* Add sanity checks in key export by @embhorn (PR 9823). Thanks to Muhammad Arya Arjuna (pelioro) for the report.
* CRL enhancements for revoked entries by @padelsbach (PR 9839).
* Fix DRBG_internal alloc in wc_RNG_HealthTestLocal by @embhorn (PR 9847).
* Various CMake fixes and improvements by @Frauschi (PRs 9605, 9725).
* RISC-V 32 no mul SP C: implement multiplication by @SparkiDev in (PR 9855).
* RISC-V 32 no mul SP C: implement multiplication by @SparkiDev (PR 9855).
* ASN: improve handling of ASN.1 parsing/encoding by @SparkiDev (PR 9872).
* Various fixes to CRL parsing by @miyazakh in (PRs 9628, 9873).
* Various fixes to CRL parsing by @miyazakh (PRs 9628, 9873).
* Harden hash comparison in TLS1.2 finished by @Frauschi (PR 9874).
* Various fixes to TLS sniffer by @mattia-moffa, @embhorn, @julek-wolfssl, @Frauschi (PRs 9571, 9643, 9867, 9901, 9924).
* Check ivLen in wolfSSL_EVP_CIPHER_CTX_set_iv_length by @philljj (PR 9943). Thanks to Haruto Kimura (Stella) for the report.
* Validate that the ticket length is at least ID_LEN before use in SetTicket, preventing an undersized buffer from being processed. @kareem-wolfssl (PR 9782).
* Validate that the ticket length is at least ID_LEN before use in SetTicket, preventing an undersized buffer from being processed by @kareem-wolfssl (PR 9782).
* Enforce null compression in compression_methods list by @julek-wolfssl (PR 9913).
* Additional sanity check on number of groups in set groups function by @JacobBarthelmeh (PR 9861).
* Resolves issues with asynchronous and crypto callback handling, adding test coverage to prevent regressions. by @dgarske (https://github.com/wolfSSL/wolfssl/pull/9784).
* Resolves issues with asynchronous and crypto callback handling, adding test coverage to prevent regressions by @dgarske (PR 9784).
* Fix checkPad to reject zero PKCS#7 padding value by @embhorn (PR 9878).
* Add sanity check on keysize found with ECC point import by @JacobBarthelmeh (PR 9989).
* Adds a range check to ensure session ticket lifetimes are within the bounds permitted by the TLS specification by @Frauschi (PR 9881).
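Review bot: the PR 9784 rewrite ("Resolves issues ... by @dgarske (PR 9784)") and the unchanged PR 9881 line ("Adds a range check ...") remain in third person in this README.md copy while the surrounding entries are imperative; if the tense is normalized in ChangeLog.md and README, mirror it here in the same commit so the three lists do not diverge.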
Expand Down