An update for nettle is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1177
Final
1.0
1.0
2021-05-06
Initial
2021-05-06
2021-05-06
openEuler SA Tool V1.0
2021-05-06
nettle security update
An update for nettle is now available for openEuler-20.03-LTS-SP1.
Nettle is a cryptographic library designed to fit any context: in crypto toolkits for object-oriented languages, in applications like LSH or GnuPG, or even in kernel space.
Security Fix(es):
A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EdDSA and ECDSA) call the elliptic-curve (ECC) point multiplication function with out-of-range scalars, possibly producing incorrect results. This flaw allows an attacker to submit a crafted invalid signature that causes an assertion failure or is possibly accepted as valid. The highest threat from this vulnerability is to confidentiality, integrity and system availability. (CVE-2021-20305)
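The following is an added illustration for this advisory, not code from the advisory, from openEuler or from Nettle: a textbook ECDSA verifier written twice, once without the scalar range check and once with it, so the two failure modes named above can be seen on realistic input. The key, nonce and message are constructed for the demo; secp256k1 is used only because its parameters are compact (Nettle's affected paths also cover EdDSA and GOST DSA). The multiplier here is plain double-and-add, which tolerates any scalar, so the example does not reproduce Nettle's internal multiplier corruption; it shows what an unchecked verifier does with s = 0 (a crash, the analogue of the assertion failure) and with s + n (a second encoding of the same signature that is accepted). A range check of this kind, performed before any point multiplication, is the class of fix the 3.7.2 update applies. Requires Python 3.8 or newer for pow(x, -1, m).

```python
"""Toy ECDSA verifier with and without scalar range checks.
Added illustration for openEuler-SA-2021-1177 / CVE-2021-20305.
Not Nettle code; does not model Nettle's internal ecc multiply."""
import hashlib

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(p), generator G of prime order n
p = 2**256 - 2**32 - 977
A, B = 0, 7
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(x, m):
    """Modular inverse; raises ValueError when x is 0 mod m."""
    return pow(x, -1, m)


def on_curve(P):
    x, y = P
    return (y * y - x * x * x - A * x - B) % p == 0


def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P):
    """Plain double-and-add. Unlike a fixed-window ladder that assumes a
    reduced scalar, this copes with any non-negative k, so the demo
    isolates the verifier's acceptance logic, not multiplier corruption."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(d, msg, k):
    """Textbook ECDSA. k is supplied by the caller only to make the demo
    reproducible; real signers need a fresh random or RFC 6979 nonce."""
    e = hash_to_int(msg)
    r = ec_mul(k, G)[0] % n
    s = inv(k, n) * (e + r * d) % n
    return r, s


def verify_unchecked(Q, msg, sig):
    """Verification WITHOUT range checks on r and s (the vulnerable shape)."""
    r, s = sig
    e = hash_to_int(msg)
    w = inv(s, n)              # s == 0 or s == n raises ValueError here
    u1 = e * w % n
    u2 = r * w % n
    R = ec_add(ec_mul(u1, G), ec_mul(u2, Q))
    return R is not None and R[0] % n == r


def verify_checked(Q, msg, sig):
    """Same verifier, but r and s are confirmed to lie in [1, n-1]
    before the point multiplier is touched."""
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False
    return verify_unchecked(Q, msg, sig)


def run_demo():
    """Constructed private key, nonce and message; returns verifier outcomes."""
    d = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    k = 0xA1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90
    Q = ec_mul(d, G)
    msg = b"constructed test message"
    r, s = sign(d, msg, k)
    out = {
        "valid_checked": verify_checked(Q, msg, (r, s)),
        "valid_unchecked": verify_unchecked(Q, msg, (r, s)),
        # s + n is the same residue mod n: an unchecked verifier accepts
        # this non-canonical, out-of-range encoding of the signature
        "s_plus_n_checked": verify_checked(Q, msg, (r, s + n)),
        "s_plus_n_unchecked": verify_unchecked(Q, msg, (r, s + n)),
        "s_zero_checked": verify_checked(Q, msg, (r, 0)),
    }
    try:
        verify_unchecked(Q, msg, (r, 0))
        out["s_zero_unchecked"] = "returned"
    except ValueError:
        out["s_zero_unchecked"] = "ValueError"   # the assertion-failure analogue
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:20s} {value}")
```

The checked verifier rejects both malformed signatures before any curve arithmetic runs, while the unchecked one either crashes on s = 0 or accepts the out-of-range s + n; the same ordering (validate scalars, then multiply) is what a verifier must enforce regardless of the curve or scheme.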
openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
nettle
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1177
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-20305
https://nvd.nist.gov/vuln/detail/CVE-2021-20305
openEuler-20.03-LTS-SP1
nettle-debugsource-3.6-2.oe1.aarch64.rpm
nettle-devel-3.6-2.oe1.aarch64.rpm
nettle-3.6-2.oe1.aarch64.rpm
nettle-debuginfo-3.6-2.oe1.aarch64.rpm
nettle-help-3.6-2.oe1.noarch.rpm
nettle-3.6-2.oe1.src.rpm
nettle-3.6-2.oe1.x86_64.rpm
nettle-debuginfo-3.6-2.oe1.x86_64.rpm
nettle-debugsource-3.6-2.oe1.x86_64.rpm
nettle-devel-3.6-2.oe1.x86_64.rpm
2021-05-06
CVE-2021-20305
openEuler-20.03-LTS-SP1
High
8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nettle security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1177