It came to our attention that OpenSSL just published three new vulnerabilities.
ECDSA remote timing attack (CVE-2019-1547)
Fork Protection (CVE-2019-1549)
Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
These were implementation specific issues and do not affect wolfSSL. For a list of CVEs that apply to wolfSSL please watch the security page on our website here: https://www.wolfssl.com/docs/security-vulnerabilities/
We wanted to take this opportunity to remind our customers and users that wolfSSL is in no way related to OpenSSL. wolfSSL was written from the ground up and is a unique SSL/TLS implementation.
That being said, wolfSSL does support an OpenSSL compatibility layer allowing OpenSSL users to drop in wolfSSL but continue to use the most commonly found OpenSSL API’s after re-compiling their applications to link against wolfSSL.
One individual also pointed out the time delta between report and fix on the above CVEs and wolfSSL would like to remind our customers and users of how proud we are of our less than 48 hour delta between report and fix. For more on our response time and process regarding vulnerabilities check out https://www.wolfssl.com/everything-wanted-know-wolfssl-support-handles-vulnerability-reports-afraid-ask/
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.