Hi,

On Sun, Mar 21, 2021 at 01:14:00PM +0100, Andreas Metzler wrote:
> Package: libnettle8
> Version: 3.7-2.1
> Severity: important
>
> Hello,
>
> nettle 3.7.2 features the following fix:
>
> | This is a bugfix release, fixing a bug in ECDSA signature
> | verification that could lead to a denial of service attack
> | (via an assertion failure) or possibly incorrect results. It
> | also fixes a few related problems where scalars are required
> | to be canonically reduced modulo the ECC group order, but in
> | fact may be slightly larger.
> |
> | Upgrading to the new version is strongly recommended.
> |
> | Even when no assert is triggered in ecdsa_verify, ECC point
> | multiplication may get invalid intermediate values as input,
> | and produce incorrect results. It's trivial to construct
> | alleged signatures that result in invalid intermediate values.
> | It appears difficult to construct an alleged signature that
> | makes the function misbehave in such a way that an invalid
> | signature is accepted as valid, but such attacks can't be
> | ruled out without further analysis.
>
> A DSA is currently not planned. Please upgrade nettle for sid (and
> bullseye) to 3.7.2.
>
> FWIW I have forked the salsa repo and packaged the new version at
> <https://salsa.debian.org/ametzler/nettle>. I have not sent a merge
> request since Debian packaging involves multiple branches.

FTR, the security issue part has been assigned CVE-2021-20305.

Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1942533 .

Regards,
Salvatore
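The release note quoted above says the bug comes from ECDSA scalars that must be canonically reduced modulo the group order but may in fact be slightly larger. The following is an added illustration of that input-validation point; it is not nettle's code and is not taken from the bug report or the release notes. It is a small textbook ECDSA over secp256k1 (public domain parameters) in pure Python, with a verifier that rejects any r or s outside [1, n-1] before the values reach point multiplication, contrasted with a verifier that skips the check. The private key, nonce and message are constructed at run time; nettle's real failure mode was an assertion in its C implementation, whereas the unchecked Python verifier below simply accepts a non-canonical encoding of the same signature, which is the "incorrect results" side of the same problem.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants, not taken from the advisory).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                      # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # doubling, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Plain double-and-add; adequate for an illustration, not constant time."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    # SHA-256 is 256 bits, the same width as N, so no truncation step is needed.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg):
    z = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1     # fresh random nonce in [1, N-1]
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * priv) % N
        if s == 0:
            continue
        return (r, s)


def scalar_is_canonical(v):
    """The check the advisory is about: a scalar must already be reduced, i.e. in [1, N-1]."""
    return 1 <= v < N


def verify(pub, msg, sig, require_canonical=True):
    r, s = sig
    if require_canonical and not (scalar_is_canonical(r) and scalar_is_canonical(s)):
        return False                         # reject before any curve arithmetic
    z = hash_to_int(msg)
    w = pow(s, -1, N)
    u1 = z * w % N
    u2 = r * w % N
    pt = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    if pt is None:
        return False
    return pt[0] % N == r


def demo():
    """Constructed key and message; returns which behaviours each verifier exhibits."""
    priv = secrets.randbelow(N - 1) + 1
    pub = scalar_mult(priv, G)
    msg = b"constructed test message"
    r, s = sign(priv, msg)
    return {
        "valid_accepted": verify(pub, msg, (r, s)),
        "s_plus_n_rejected": not verify(pub, msg, (r, s + N)),
        "r_plus_n_rejected": not verify(pub, msg, (r + N, s)),
        "zero_s_rejected": not verify(pub, msg, (r, 0)),
        "other_msg_rejected": not verify(pub, b"other message", (r, s)),
        # Without the range check the same non-canonical encoding is silently accepted.
        "unchecked_accepts_s_plus_n": verify(pub, msg, (r, s + N), require_canonical=False),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The hardened path is the `scalar_is_canonical` test applied to both r and s before `pow(s, -1, N)` and the two scalar multiplications run; everything after that point assumes properly reduced inputs, which is exactly the assumption the quoted release note says was being violated.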