Accepting request 899065 from security:tls

OBS-URL: https://build.opensuse.org/request/show/899065
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libnettle?expand=0&rev=39

libnettle.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Wed Jun  9 10:57:22 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>
+
+- GNU Nettle 3.7.3: [CVE-2021-3580, bsc#1187060]
+  * Fix crash for zero input to rsa_sec_decrypt and
+    rsa_decrypt_tr. Potential denial of service vector.
+  * Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
+    failure for out of range inputs, instead of either crashing,
+    or silently reducing input modulo n. Potential denial of
+    service vector.
+  * Ensure that rsa_decrypt returns failure for out of range
+    inputs, instead of silently reducing input modulo n.
+  * Ensure that rsa_sec_decrypt returns failure if the message
+    size is too large for the given key. Unlike the other bugs,
+    this would typically be triggered by invalid local
+    configuration, rather than by processing untrusted remote
+    data.
+
 -------------------------------------------------------------------
 Sun Mar 21 10:17:35 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
 

libnettle.spec

@@ -19,14 +19,14 @@
 %define soname 8
 %define hogweed_soname 6
 Name:           libnettle
-Version:        3.7.2
+Version:        3.7.3
 Release:        0
 Summary:        Cryptographic Library
-License:        LGPL-2.1-or-later AND GPL-2.0-or-later
+License:        GPL-2.0-or-later AND LGPL-2.1-or-later
 Group:          Development/Libraries/C and C++
 URL:            https://www.lysator.liu.se/~nisse/nettle/
-Source0:        https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz
-Source1:        https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz.sig
+Source0:        https://ftp.gnu.org/gnu/nettle/nettle-%{version}.tar.gz
+Source1:        https://ftp.gnu.org/gnu/nettle/nettle-%{version}.tar.gz.sig
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
 Source4:        %{name}-rpmlintrc
@@ -79,7 +79,7 @@ Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space.
 
 %package -n nettle
 Summary:        Cryptographic Tools
-License:        LGPL-2.1-or-later AND GPL-2.0-or-later
+License:        GPL-2.0-or-later AND LGPL-2.1-or-later
 Group:          Productivity/Security
 
 %description -n nettle

nettle-3.7.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8d2a604ef1cde4cd5fb77e422531ea25ad064679ff0adf956e78b3352e0ef162
-size 2382309

nettle-3.7.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:661f5eb03f048a3b924c3a8ad2515d4068e40f67e774e8a26827658007e3bcf0
+size 2383985