diff --git a/libnettle.changes b/libnettle.changes
index 4ed495a..b43a826 100644
--- a/libnettle.changes
+++ b/libnettle.changes
@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Wed Jan 2 13:48:54 UTC 2019 - Vítězslav Čížek
+
+- Update to 3.4.1 release
+ * Fix CVE-2018-16869 (bsc#1118086)
+ All functions using RSA private keys are now side-channel
+ silent, meaning that they try hard to avoid any branches or
+ memory accesses depending on secret data. This applies both to
+ the bignum calculations, which now use GMP's mpn_sec_* family
+ of functions, and the processing of PKCS#1 padding needed for
+ RSA decryption.
+ * Changes in behavior:
+ The functions rsa_decrypt and rsa_decrypt_tr may now clobber
+ all of the provided message buffer, independent of the
+ actual message length. They are side-channel silent, in that
+ branches and memory accesses don't depend on the validity or
+ length of the message. Side-channel leakage from the
+ caller's use of length and return value may still provide an
+ oracle useable for a Bleichenbacher-style chosen ciphertext
+ attack. Which is why the new function rsa_sec_decrypt is
+ recommended.
+ * New features:
+ A new function rsa_sec_decrypt.
+ * Bug fixes:
+ - Fix bug in pkcs1-conv, missing break statements in the
+ parsing of PEM input files.
+ - Fix link error on the pss-mgf1-test test, affecting builds
+ without public key support.
+
 -------------------------------------------------------------------
 Thu Dec 6 12:56:30 UTC 2018 - Jan Engelhardt
 
diff --git a/libnettle.spec b/libnettle.spec
index 516aca2..02d7fe8 100644
--- a/libnettle.spec
+++ b/libnettle.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libnettle
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,17 +18,15 @@ %define soname 6 %define hogweed_soname 4 -%define realversion 3.4.1rc1 -%define shortversion 3.4.1 Name: libnettle -Version: 3.4.1~rc1 +Version: 3.4.1 Release: 0 Summary: Cryptographic Library License: LGPL-2.1-or-later AND GPL-2.0-or-later Group: Development/Libraries/C and C++ URL: https://www.lysator.liu.se/~nisse/nettle/ -Source0: https://www.lysator.liu.se/~nisse/archive/nettle-%{realversion}.tar.gz -Source1: https://www.lysator.liu.se/~nisse/archive/nettle-%{realversion}.tar.gz.sig +Source0: https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz +Source1: https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz.sig Source2: %{name}.keyring Source3: baselibs.conf # PATCH-FIX-UPSTREAM respect cflags while building @@ -95,7 +93,7 @@ This package contains a few command-line tools to perform cryptographic operations using the nettle library. %prep -%setup -q -n nettle-%{shortversion} +%setup -q -n nettle-%{version} %patch0 -p1 %build diff --git a/nettle-3.4.1.tar.gz b/nettle-3.4.1.tar.gz new file mode 100644 index 0000000..acf531c --- /dev/null +++ b/nettle-3.4.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f941cf1535cd5d1819be5ccae5babef01f6db611f9b5a777bae9c7604b8a92ad +size 1947053 diff --git a/nettle-3.4.1.tar.gz.sig b/nettle-3.4.1.tar.gz.sig new file mode 100644 index 0000000..9607c33 Binary files /dev/null and b/nettle-3.4.1.tar.gz.sig differ diff --git a/nettle-3.4.1rc1.tar.gz b/nettle-3.4.1rc1.tar.gz deleted file mode 100644 index 10f0c72..0000000 --- a/nettle-3.4.1rc1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5a380e9a7b5e4dde2c1aff4de090ed365500046c7c24c2de06933ed09262c1b5 -size 1946834 diff --git a/nettle-3.4.1rc1.tar.gz.sig b/nettle-3.4.1rc1.tar.gz.sig deleted file mode 100644 index c3841b0..0000000 Binary files a/nettle-3.4.1rc1.tar.gz.sig and /dev/null differ
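Review bot: The `Source0`/`Source1` lines in the `@@ -18,17 +18,15 @@` hunk now point at the final `nettle-%{version}.tar.gz` and its `.sig`, with `Source2: %{name}.keyring` alongside, but nothing visible in the spec checks the tarball against that signature. The `%prep` lines shown in the following hunk go straight to `%setup -q -n nettle-%{version}`. Presumably the build service's source validation does the check, which is worth confirming since this release carries the CVE-2018-16869 fix. A comment above `Source1` such as `# Detached upstream signature for Source0; verified against Source2 by <build-service source check>` would record where verification happens. The preamble and `%prep` sections both continue outside the hunks shown.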