openEuler Security Advisory openEuler-SA-2021-1177: nettle security update

Title: An update for nettle is now available for openEuler-20.03-LTS-SP1
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Initial release date: 2021-05-06
Current release date: 2021-05-06
Revision history: 1.0 (2021-05-06) Initial
Generator: openEuler SA Tool V1.0, 2021-05-06
Severity: High

Summary

An update for nettle is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Nettle is a cryptographic library designed to fit any context: in crypto toolkits for object-oriented languages, in applications like LSH or GnuPG, or even in kernel space.

Security Fix(es):

CVE-2021-20305: A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EdDSA and ECDSA) result in the elliptic curve (ECC) point multiplication function being called with out-of-range scalars, possibly producing incorrect results. An attacker who can supply a signature for verification can therefore force an assertion failure (a crash of the verifying process) or, possibly, acceptance of an invalid signature. The highest threat from this vulnerability is to integrity and system availability; the CVSS vector below rates the confidentiality impact as none.

Note for administrators: the upstream fix shipped in Nettle 3.7.2, but openEuler-20.03-LTS-SP1 backports it into the 3.6 package. The fixed build is therefore nettle-3.6-2.oe1; check the package release (2.oe1 or later), not the upstream version number, when confirming that a host is patched.

CVE details

CVE ID: CVE-2021-20305
Affected product: openEuler-20.03-LTS-SP1
Severity: High
CVSS v3 base score: 8.1
CVSS v3 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (as published; note that this vector on its own computes to a 7.5 base score under CVSS v3.x, so consult the NVD entry in the References for the authoritative scoring)
Release date: 2021-05-06

Affected products and fixed packages

openEuler-20.03-LTS-SP1

  Source:
    nettle-3.6-2.oe1.src.rpm
  aarch64:
    nettle-3.6-2.oe1.aarch64.rpm
    nettle-devel-3.6-2.oe1.aarch64.rpm
    nettle-debuginfo-3.6-2.oe1.aarch64.rpm
    nettle-debugsource-3.6-2.oe1.aarch64.rpm
  x86_64:
    nettle-3.6-2.oe1.x86_64.rpm
    nettle-devel-3.6-2.oe1.x86_64.rpm
    nettle-debuginfo-3.6-2.oe1.x86_64.rpm
    nettle-debugsource-3.6-2.oe1.x86_64.rpm
  noarch:
    nettle-help-3.6-2.oe1.noarch.rpm

References

https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1177
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-20305
https://nvd.nist.gov/vuln/detail/CVE-2021-20305
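Added example (not part of the advisory and not openEuler tooling): a POSIX shell check that compares an installed nettle version-release string against the fixed build 3.6-2.oe1 listed above, so that a backported fix (same upstream version 3.6, higher release) is recognised as patched. It assumes rpm's VERSION-RELEASE formatting as used by openEuler and GNU `sort -V`; the package names checked and the `--live` flag are choices made for this example, and the sample version strings in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of openEuler-SA-2021-1177: flag nettle packages
# on openEuler-20.03-LTS-SP1 that are older than the fixed build 3.6-2.oe1.

FIXED_VR="3.6-2.oe1"   # version-release of the fixed package from the advisory

# vr_lt A B: true if version-release A sorts before B.
# GNU sort -V orders "3.5-3.oe1" < "3.6-1.oe1" < "3.6-2.oe1" < "3.6-10.oe1" < "3.7.2-1.oe1",
# which is the ordering rpm uses for these strings (assumption: GNU coreutils sort).
vr_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# nettle_vulnerable VR: true (exit 0) if the installed version-release VR is
# below the fixed build, false (exit 1) if it is the fixed build or newer.
nettle_vulnerable() {
  vr_lt "$1" "$FIXED_VR"
}

# check_host: query the local rpm database (hypothetical helper for this
# example). Skips packages that are not installed; returns 2 if rpm is absent.
check_host() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping live check"; return 2; }
  for pkg in nettle nettle-devel; do
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || continue
    if nettle_vulnerable "$vr"; then
      echo "$pkg-$vr: VULNERABLE to CVE-2021-20305 (update to $FIXED_VR)"
    else
      echo "$pkg-$vr: fixed"
    fi
  done
}

# Run the live check only when explicitly asked, so the file can also be
# sourced for its functions.
case "${1:-}" in
  --live) check_host ;;
esac
```

Run it as `sh check_nettle.sh --live` on the host; the comparison deliberately keys on the full version-release pair because, for this advisory, a patched system still reports upstream version 3.6.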