Security update of nettle
Ola Lundqvist
ola at inguza.com
Sat Aug 6 22:05:35 UTC 2016
Hi Niels and gnutls maintainers
I do not think coordination with gnutls is needed. I cannot see that
gnutls depends on nettle in wheezy.
I can see that it can potentially do that, but I do not think it does.
There are no dependencies declared on nettle library and from unstable
changelog it looks like this build dependency was first added in gnutls28.
Wheezy has gnutls28.
I may be wrong, however.
Or can it be so that nettle is built in statically and that a build
dependency is not needed as some other package has a build dependency so we
get it indirectly?
I'm including the gnutls maintainers to get their opinion.
// Ola
On Sat, Aug 6, 2016 at 8:40 PM, Niels Möller <nisse at lysator.liu.se> wrote:
> Ola Lundqvist <ola at inguza.com> writes:
>
> > Magnus, Niels and I have been discussing the nettle update due to
> > https://security-tracker.debian.org/tracker/CVE-2016-6489
>
> Please note that some coordination with gnutls may be needed, to avoid
> a denial-of-service problem involving invalid private keys.
>
> > I suggest something like this:
> > "Protect against potential timing attacks against exponentiation operations
> > as described in CVE-2016-6489 RSA code is vulnerable to cache sharing
> > related attacks."
>
> I'd suggest the more general "side-channel attacks" over "timing
> attacks".
>
> /Niels
>
> --
> Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
> Internet email is subject to wholesale government surveillance.
>
--
Inguza Technology AB, MSc in Information Technology
ola at inguza.com / opal at debian.org
Folkebogatan 26, 654 68 KARLSTAD
http://inguza.com/  Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9