Univention Bugzilla – Bug 53809
nettle: Multiple issues (4.4)
Last modified: 2021-09-22 17:12:57 CEST
New Debian nettle 3.3-1+deb9u1 fixes: This update addresses the following issues: * Remote crash in RSA decryption via manipulated ciphertext (CVE-2021-3580) * Out of bounds memory access in signature verification (CVE-2021-20305)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/nettle_3.3-1.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/nettle_3.3-1+deb9u1.dsc @@ -1,3 +1,19 @@ +3.3-1+deb9u1 [Sat, 18 Sep 2021 15:52:42 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2021-20305: + A flaw was found in Nettle, where several Nettle signature verification + functions (EDDSA & ECDSA) result in the Elliptic Curve Cryptography point + (ECC) multiply function being called with out-of-range scalers, possibly + resulting in incorrect results. This flaw allows an attacker to force an + invalid signature, causing an assertion failure or possible validation. The + highest threat to this vulnerability is to confidentiality, integrity, as + well as system availability. + * Fix CVE-2021-3580: + A flaw was found in the way nettle's RSA decryption functions handled + specially crafted ciphertext. An attacker could use this flaw to provide a + manipulated ciphertext leading to application crash and denial of service. + 3.3-1 [Sun, 02 Oct 2016 18:44:03 +0200] Magnus Holmgren <holmgren@debian.org>: * New upstream release. <http://piuparts.knut.univention.de/4.4-8/#3890027904589794918>
OK: yaml OK: announce_errata OK: patch OK: piuparts
<https://errata.software-univention.de/#/?erratum=4.4x1054>