[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#47222: Serious bug in Nettle's ecdsa_verify
From: |
Ludovic Courtès |
Subject: |
bug#47222: Serious bug in Nettle's ecdsa_verify |
Date: |
Thu, 25 Mar 2021 10:51:51 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) |
Hi Niels,
> I've prepared a new bug-fix release of Nettle, a low-level
> cryptographics library, to fix a serious bug in the function to verify
> ECDSA signatures. Implications include an assertion failure, which could
> be used for denial-of-service, when verifying signatures on the
> secp_224r1 and secp521_r1 curves. More details in NEWS file below.
>
> Upgrading is strongly recomended.
Are there plans to make a new 3.5 release including these fixes?
Alternatively, could you provide guidance as to which commits should be
cherry-picked in 3.5 for downstream distros?
I’m asking because in Guix, the easiest way for us to deploy the fixes
on the ‘master’ branch would be by “grafting” a new Nettle variant
ABI-compatible with 3.5.1, which is the one packages currently depend on.
Thanks in advance,
Ludo’.