From ${URL}: A cache-related side channel was found in nettle-RSA code. An attacker could use specially crafted RSA or DSA data, which could make the SSL/TLS connection susceptible to Man-in-the-Middle attacks. References: https://eprint.iacr.org/2016/596.pdf https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This patch was not added as-is in upstream; I cherry-picked the fixes and some more. Let's give people a chance to test for a few days.
OK, let's stabilize. Thanks!
Stable for HPPA PPC64.
amd64 stable
arm stable
Stable on alpha.
x86 stable
sparc stable
ppc stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches, Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
(In reply to Yury German from comment #11)
> Arches, Thank you for your work.
> New GLSA Request filed.
>
> Maintainer(s), please drop the vulnerable version(s).
Done
Thank you for clean-up.
This issue was resolved and addressed in GLSA 201706-21 at https://security.gentoo.org/glsa/201706-21 by GLSA coordinator Kristian Fiskerstrand (K_F).