From ${URL} :

From Nettle 3.1 ChangeLog:

> NEWS for the Nettle 3.1 release
> [...]
> Bug fixes:
> [...]
> * Eliminate out-of-bounds reads in the C implementation of
>   memxor (related to valgrind's --partial-loads-ok flag).

This refers to the following commits:

(branch merge)
https://git.lysator.liu.se/nettle/nettle/commit/20525ae7096438f9816dc1faffe9b9d8984bb0a7

and specifically:
https://git.lysator.liu.se/nettle/nettle/commit/57122465ccc89996f9f8f71e7607ee67a2860e1c
https://git.lysator.liu.se/nettle/nettle/commit/842abf376289059cd3dce34a851a3f701ad1f9b3

No further information is available at this moment.

Comment 1

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
It will take much time for 3.1 to become stable; we will have to backport this if it affects 2.7.
Since back porting is needed, setting Whiteboard to ebuild.
It is not a trivial backport; are there any references that someone else has already done this?
This looks outdated, nettle 3.1.1 is currently the only version in the tree.
(In reply to Hanno Boeck from comment #4)
> This looks outdated, nettle 3.1.1 is currently the only version in the tree.

Thanks for picking up on this, indeed nettle 3.1.1 got stabilized in bug 560724.

@Security: GLSA Vote: No

Fwiw, Red Hat concludes "This does not appear to have any security relevance on our target architectures. If anybody has any evidence to the contrary, please feel free to reopen the bug."

Anyone aware of any CVE for this issue that can document a contrary view, or a statement where one is not assigned for reason of no security implication?