Security update of nettle

Ola Lundqvist ola at
Sat Aug 6 22:05:35 UTC 2016

Hi Niels and gnutls maintainers

I do not think coordination with gnutls is needed. I cannot see that
gnutls depends on nettle in wheezy.
I can see that it can potentially do that, but I do not think it does.

There are no dependencies declared on the nettle library, and from the unstable
changelog it looks like this build dependency was first added in gnutls28.
Wheezy has gnutls28.

I may be wrong however.

Or can it be so that nettle is built in statically and that a build
dependency is not needed as some other package has a build dependency so we
get it indirectly?

I'm including the gnutls maintainers to get their opinion.

// Ola

On Sat, Aug 6, 2016 at 8:40 PM, Niels Möller <nisse at> wrote:

> Ola Lundqvist <ola at> writes:
> > Magnus, Niels and I have been discussing the nettle update due to
> >
> Please note that some coordination with gnutls may be needed, to avoid
> a denial-of-service problem involving invalid private keys.
> > I suggest something like this:
> > "Protect against potential timing attacks against exponentiation operations
> > as described in CVE-2016-6489 RSA code is vulnerable to cache sharing
> > related attacks."
> I'd suggest the more general "side-channel attacks" over "timing
> attacks".
> /Niels
> --
> Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
> Internet email is subject to wholesale government surveillance.

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola at                    Folkebogatan 26            \
|  opal at                   654 68 KARLSTAD            |
|                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

More information about the Pkg-gnutls-maint mailing list