| Summary: | <dev-libs/nettle-3.2-r1 : RSA code is vulnerable to cache-timing related attacks | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | alonbl, crypto+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1362016 | ||
| Whiteboard: | A3 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
This patch was not added as-is in upstream, I cherry-picked the fixes and some more. Let's give people a chance to test for a few days. OK, let's stabilize. Thanks! Stable for HPPA PPC64. amd64 stable arm stable Stable on alpha. x86 stable sparc stable ppc stable ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. Arches, Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s). (In reply to Yury German from comment #11) > Arches, Thank you for your work. > New GLSA Request filed. > > Maintainer(s), please drop the vulnerable version(s). Done Thank you for clean-up. This issue was resolved and addressed in GLSA 201706-21 at https://security.gentoo.org/glsa/201706-21 by GLSA coordinator Kristian Fiskerstrand (K_F). |
From ${URL} : A cache-related side channel was found, in nettle-RSA code. An attacker could use a specially crafted RSA or DSA data, which could make the SSL/TLS connection suspectible to Man-in-the-Middle attacks: References: https://eprint.iacr.org/2016/596.pdf https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.