Source: wolfssl
Version: 5.7.2-0.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for wolfssl.
CVE-2025-7394[0]:
| In the OpenSSL compatibility layer implementation, the function
| RAND_poll() was not behaving as expected and leading to the
| potential for predictable values returned from RAND_bytes() after
| fork() is called. This can lead to weak or predictable random
| numbers generated in applications that are both using RAND_bytes()
| and doing fork() operations. This only affects applications
| explicitly calling RAND_bytes() after fork() and does not affect any
| internal TLS operations. Although RAND_bytes() documentation in
| OpenSSL calls out not being safe for use with fork() without first
| calling RAND_poll(), an additional code change was also made in
| wolfSSL to make RAND_bytes() behave similar to OpenSSL after a
| fork() call without calling RAND_poll(). Now the Hash-DRBG used gets
| reseeded after detecting running in a new process. If making use of
| RAND_bytes() and calling fork() we recommend updating to the latest
| version of wolfSSL. Thanks to Per Allansson from Appgate for the
| report.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-7394
    https://www.cve.org/CVERecord?id=CVE-2025-7394
[1] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
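
The failure mode described in the CVE text above, and the reseed-on-new-process fix, shown as an added example that is not part of the original report and is not wolfSSL code. It uses a toy xorshift generator as a stand-in for the Hash-DRBG and assumes PID comparison as the way a new process is detected; the names toy_drbg, toy_seed, toy_bytes and outputs_collide_after_fork are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
/* Toy generator standing in for a DRBG; NOT wolfSSL's Hash-DRBG. */
struct toy_drbg { uint64_t state; pid_t seeded_pid; };

static int toy_seed(struct toy_drbg *g) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(&g->state, sizeof g->state, 1, f);
    fclose(f);
    g->state |= 1;               /* xorshift state must be non-zero */
    g->seeded_pid = getpid();    /* remember which process seeded us */
    return n == 1 ? 0 : -1;
}

/* fork_safe != 0: reseed first if we are no longer in the seeding process. */
static int toy_bytes(struct toy_drbg *g, int fork_safe, uint64_t *out) {
    if (fork_safe && g->seeded_pid != getpid() && toy_seed(g) != 0) return -1;
    g->state ^= g->state << 13; g->state ^= g->state >> 7; g->state ^= g->state << 17;
    *out = g->state;
    return 0;
}

/* 1: parent and child drew the same value after fork(); 0: different; -1: error. */
int outputs_collide_after_fork(int fork_safe) {
    struct toy_drbg g;
    uint64_t parent = 0, child = 0;
    int fd[2];
    if (toy_seed(&g) != 0 || pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {              /* child: inherited a byte-for-byte copy of g */
        int ok = toy_bytes(&g, fork_safe, &child) == 0 &&
                 write(fd[1], &child, sizeof child) == (ssize_t)sizeof child;
        _exit(ok ? 0 : 1);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &child, sizeof child);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof child || toy_bytes(&g, fork_safe, &parent) != 0) return -1;
    return parent == child;
}
int main(void) {
    printf("no fork check: %d\n", outputs_collide_after_fork(0));
    printf("reseed on new pid: %d\n", outputs_collide_after_fork(1));
    return 0;
}
```

A PID comparison alone can miss a grandchild that reuses the original PID, so applications that fork should still pick up the fixed library rather than rely on a check like this one.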