- Update to 3.7.3 in SLE-15-SP4: [SLE-19765, jsc#SLE-18132]
  - Add libnettle-rpmlintrc
  - Remove patches upstream:
    * libnettle-CVE-2021-20305.patch
    * libnettle-CVE-2021-3580-rsa_decrypt.patch
    * libnettle-CVE-2021-3580-rsa_sec.patch
    * nettle-respect-cflags.patch

- GNU Nettle 3.7.3: [CVE-2021-3580, bsc#1187060]
  * Fix crash for zero input to rsa_sec_decrypt and
    rsa_decrypt_tr. Potential denial of service vector.
  * Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
    failure for out of range inputs, instead of either crashing,
    or silently reducing input modulo n. Potential denial of
    service vector.
  * Ensure that rsa_decrypt returns failure for out of range
    inputs, instead of silently reducing input modulo n.
  * Ensure that rsa_sec_decrypt returns failure if the message
    size is too large for the given key. Unlike the other bugs,
    this would typically be triggered by invalid local
    configuration, rather than by processing untrusted remote
    data.

- GNU Nettle 3.7.2:
  * fix a bug in ECDSA signature verification that could lead to a
    denial of service attack (via an assertion failure) or possibly
    incorrect results (CVE-2021-20305, boo#1184401)
  * fix a few related problems where scalars are required to be
    canonically reduced modulo the ECC group order, but in fact may
    be slightly larger

• Files Changed
• Browse Source