-
nettle (3.4.1-0ubuntu0.18.04.1) bionic-security; urgency=medium
* SECURITY UPDATE: Bleichenbacher type side-channel based padding oracle
attack in endian conversion of RSA decrypted PKCS#1 v1.5 data
- Updated to upstream 3.4.1 tarball.
- debian/*symbols: added new 3.4.1 symbols.
- CVE-2018-16869
* SECURITY UPDATE: crash in RSA decryption via manipulated ciphertext
- debian/patches/CVE-2021-3580-1.patch: change _rsa_sec_compute_root_tr
to take a fixed input size in rsa-decrypt-tr.c, rsa-internal.h,
rsa-sec-decrypt.c, rsa-sign-tr.c, testsuite/rsa-encrypt-test.c.
- debian/patches/CVE-2021-3580-2.patch: add input check to rsa_decrypt
family of functions in rsa-decrypt-tr.c, rsa-decrypt.c,
rsa-sec-decrypt.c, rsa.h, testsuite/rsa-encrypt-test.c.
- CVE-2021-3580
-- Marc Deslauriers <email address hidden> Mon, 14 Jun 2021 09:33:12 -0400
-
nettle (3.4-1ubuntu0.1) bionic-security; urgency=medium
* SECURITY UPDATE: Out of Bound memory access in signature verification
- debian/patches/CVE-2021-20305-1.patch: new functions
ecc_mod_mul_canonical and ecc_mod_sqr_canonical in
curve25519-eh-to-x.c, curve448-eh-to-x.c, ecc-eh-to-a.c,
ecc-internal.h, ecc-j-to-a.c, ecc-mod-arith.c, ecc-mul-m.c.
- debian/patches/CVE-2021-20305-2.patch: use ecc_mod_mul_canonical for
point comparison in eddsa-verify.c.
- debian/patches/CVE-2021-20305-3.patch: fix bug in ecc_ecdsa_verify in
ecc-ecdsa-verify.c, testsuite/ecdsa-sign-test.c.
- debian/patches/CVE-2021-20305-4.patch: ensure ecdsa_sign output is
canonically reduced in ecc-ecdsa-sign.c.
- debian/patches/CVE-2021-20305-6.patch: similar fix for eddsa in
eddsa-hash.c.
- debian/libhogweed4.symbols: added new symbols.
- CVE-2021-20305
-- Marc Deslauriers <email address hidden> Wed, 07 Apr 2021 10:17:03 -0400
-
nettle (3.4-1) unstable; urgency=low
* New upstream release (Closes: #884013).
* multiarch_dev.patch: no longer replace definition of GMP_NUMB_BITS;
upstream changed it to "n/a" when mini-gmp isn't used.
* debian/rules: Switch to dh_update_autotools_config.
* Rename libnettle5.docs -> libnettle6.docs so that the NEWS and README
files will be included again.
* Bump Standards-Version to 4.1.2.
-- Magnus Holmgren <email address hidden> Tue, 12 Dec 2017 19:27:18 +0100
-
nettle (3.3-2) unstable; urgency=low
* multiarch_dev.patch: Replace definition of GMP_NUMB_BITS calculated by
configure with the same calculation to be done at compile time (only
used if this package would be rebuilt with --enable-mini-gmp). Thus
declare nettle-dev Multi-Arch: same (Closes: #856160).
* Upgrade to Debhelper compat level 9.
* Drop old style -dbg package and switch to automatically created
-dbgsym packages. Since the old package was built with Debhelper level
8 there are actually no file conflicts.
* Declare nettle-bin Multi-Arch: foreign.
* Bump Standards-Version to 4.1.0.
-- Magnus Holmgren <email address hidden> Sun, 10 Sep 2017 23:25:31 +0200