bug#47222: Serious bug in Nettle's ecdsa_verify
From: Ludovic Courtès
Subject: bug#47222: Serious bug in Nettle's ecdsa_verify
Date: Fri, 16 Apr 2021 22:46:50 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi!

(- Niels, - nettle-bugs)

nisse@lysator.liu.se (Niels Möller) skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Are there plans to make a new 3.5 release including these fixes?
>
> No, I don't plan any 3.5.x release.
>
>> Alternatively, could you provide guidance as to which commits should be
>> cherry-picked in 3.5 for downstream distros?
>
> Look at the branch release-3.7-fixes
> (https://git.lysator.liu.se/nettle/nettle/-/commits/release-3.7-fixes/).
> The commits since 3.7.1 are the ones you need.
>
> Changes to gostdsa and ed448 will not apply, since those curves didn't
> exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to
> refactoring when adding ed448.

I confirm these patches don’t apply, and I’m not comfortable fiddling
with that.

Leo and I checked and found that Debian doesn’t have 3.5. Do other
distros have backports of these patches to 3.5?

If not, our options are:

  1. to invest in the backport ourselves, with good peer review, ideally
     getting it stamped by Niels & co;

  2. to wait until a full rebuild has come.

It’s not an ideal situation. Thoughts?

Ludo’.