* [Buildroot] [PATCH 1/1] package/nettle: security bump to version 3.7.2
@ 2021-04-18 18:51 Fabrice Fontaine
2021-04-20 20:33 ` Thomas Petazzoni
2021-04-26 12:36 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2021-04-18 18:51 UTC (permalink / raw)
To: buildroot
Fix CVE-2021-20305: A flaw was found in Nettle in versions before 3.7.2,
where several Nettle signature verification functions (GOST DSA, EDDSA &
ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply
function being called with out-of-range scalers, possibly resulting in
incorrect results. This flaw allows an attacker to force an invalid
signature, causing an assertion failure or possible validation. The
highest threat to this vulnerability is to confidentiality, integrity,
as well as system availability.
https://git.lysator.liu.se/nettle/nettle/-/blob/nettle_3.7.2_release_20210321/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/nettle/nettle.hash | 4 ++--
package/nettle/nettle.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/nettle/nettle.hash b/package/nettle/nettle.hash
index 5fd69200bf..09652dcc8b 100644
--- a/package/nettle/nettle.hash
+++ b/package/nettle/nettle.hash
@@ -1,6 +1,6 @@
# Locally calculated after checking pgp signature
-# https://ftp.gnu.org/gnu/nettle/nettle-3.7.1.tar.gz.sig
-sha256 156621427c7b00a75ff9b34b770b95d34f80ef7a55c3407de94b16cbf436c42e nettle-3.7.1.tar.gz
+# https://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz.sig
+sha256 8d2a604ef1cde4cd5fb77e422531ea25ad064679ff0adf956e78b3352e0ef162 nettle-3.7.2.tar.gz
# Locally calculated
sha256 a853c2ffec17057872340eee242ae4d96cbf2b520ae27d903e1b2fef1a5f9d1c COPYING.LESSERv3
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYINGv2
diff --git a/package/nettle/nettle.mk b/package/nettle/nettle.mk
index dc76fc21ff..bf833eb27e 100644
--- a/package/nettle/nettle.mk
+++ b/package/nettle/nettle.mk
@@ -4,7 +4,7 @@
#
################################################################################
-NETTLE_VERSION = 3.7.1
+NETTLE_VERSION = 3.7.2
NETTLE_SITE = http://www.lysator.liu.se/~nisse/archive
NETTLE_DEPENDENCIES = gmp
NETTLE_INSTALL_STAGING = YES
--
2.30.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/nettle: security bump to version 3.7.2
2021-04-18 18:51 [Buildroot] [PATCH 1/1] package/nettle: security bump to version 3.7.2 Fabrice Fontaine
@ 2021-04-20 20:33 ` Thomas Petazzoni
2021-04-26 12:36 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2021-04-20 20:33 UTC (permalink / raw)
To: buildroot
On Sun, 18 Apr 2021 20:51:14 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> Fix CVE-2021-20305: A flaw was found in Nettle in versions before 3.7.2,
> where several Nettle signature verification functions (GOST DSA, EDDSA &
> ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply
> function being called with out-of-range scalers, possibly resulting in
> incorrect results. This flaw allows an attacker to force an invalid
> signature, causing an assertion failure or possible validation. The
> highest threat to this vulnerability is to confidentiality, integrity,
> as well as system availability.
>
> https://git.lysator.liu.se/nettle/nettle/-/blob/nettle_3.7.2_release_20210321/NEWS
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/nettle/nettle.hash | 4 ++--
> package/nettle/nettle.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/nettle: security bump to version 3.7.2
2021-04-18 18:51 [Buildroot] [PATCH 1/1] package/nettle: security bump to version 3.7.2 Fabrice Fontaine
2021-04-20 20:33 ` Thomas Petazzoni
@ 2021-04-26 12:36 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-04-26 12:36 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Fix CVE-2021-20305: A flaw was found in Nettle in versions before 3.7.2,
> where several Nettle signature verification functions (GOST DSA, EDDSA &
> ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply
> function being called with out-of-range scalers, possibly resulting in
> incorrect results. This flaw allows an attacker to force an invalid
> signature, causing an assertion failure or possible validation. The
> highest threat to this vulnerability is to confidentiality, integrity,
> as well as system availability.
> https://git.lysator.liu.se/nettle/nettle/-/blob/nettle_3.7.2_release_20210321/NEWS
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-04-26 12:36 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-18 18:51 [Buildroot] [PATCH 1/1] package/nettle: security bump to version 3.7.2 Fabrice Fontaine
2021-04-20 20:33 ` Thomas Petazzoni
2021-04-26 12:36 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.