From the 3.7.2 release notes: This is a bugfix release, fixing a bug in ECDSA signature verification that could lead to a denial of service attack (via an assertion failure) or possibly incorrect results. It also fixes a few related problems where scalars are required to be canonically reduced modulo the ECC group order, but in fact may be slightly larger. Upgrading to the new version is strongly recommended. Even when no assert is triggered in ecdsa_verify, ECC point multiplication may get invalid intermediate values as input, and produce incorrect results. It's trivial to construct alleged signatures that result in invalid intermediate values. It appears difficult to construct an alleged signature that makes the function misbehave in such a way that an invalid signature is accepted as valid, but such attacks can't be ruled out without further analysis. Thanks to Guido Vranken for setting up the fuzzer tests that uncovered this problem.
Tell us when ready to stable.
Ping
x86 done
amd64 done
sparc done
arm64 done
arm done
hppa stable
ppc64 done
ppc done
s390 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
*** This bug has been marked as a duplicate of bug 780483 ***