Accepting request 662470 from security:tls

OBS-URL: https://build.opensuse.org/request/show/662470
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libnettle?expand=0&rev=31

libnettle.changes

@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Wed Jan  2 13:48:54 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+
+- Update to 3.4.1 release
+  * Fix CVE-2018-16869 (bsc#1118086)
+    All functions using RSA private keys are now side-channel
+    silent, meaning that they try hard to avoid any branches or
+    memory accesses depending on secret data. This applies both to
+    the bignum calculations, which now use GMP's mpn_sec_* family
+    of functions, and the processing of PKCS#1 padding needed for
+    RSA decryption.
+  * Changes in behavior:
+    The functions rsa_decrypt and rsa_decrypt_tr may now clobber
+    all of the provided message buffer, independent of the
+    actual message length. They are side-channel silent, in that
+    branches and memory accesses don't depend on the validity or
+    length of the message. Side-channel leakage from the
+    caller's use of length and return value may still provide an
+    oracle useable for a Bleichenbacher-style chosen ciphertext
+    attack. Which is why the new function rsa_sec_decrypt is
+    recommended.
+  * New features:
+    A new function rsa_sec_decrypt.
+  * Bug fixes:
+    - Fix bug in pkcs1-conv, missing break statements in the
+      parsing of PEM input files.
+    - Fix link error on the pss-mgf1-test test, affecting builds
+      without public key support.
+
 -------------------------------------------------------------------
 Thu Dec  6 12:56:30 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
 

libnettle.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libnettle
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,17 +18,15 @@
 
 %define soname 6
 %define hogweed_soname 4
-%define realversion 3.4.1rc1
-%define shortversion 3.4.1
 Name:           libnettle
-Version:        3.4.1~rc1
+Version:        3.4.1
 Release:        0
 Summary:        Cryptographic Library
 License:        LGPL-2.1-or-later AND GPL-2.0-or-later
 Group:          Development/Libraries/C and C++
 URL:            https://www.lysator.liu.se/~nisse/nettle/
-Source0:        https://www.lysator.liu.se/~nisse/archive/nettle-%{realversion}.tar.gz
-Source1:        https://www.lysator.liu.se/~nisse/archive/nettle-%{realversion}.tar.gz.sig
+Source0:        https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz
+Source1:        https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz.sig
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
 # PATCH-FIX-UPSTREAM respect cflags while building
@@ -95,7 +93,7 @@ This package contains a few command-line tools to perform cryptographic
 operations using the nettle library.
 
 %prep
-%setup -q -n nettle-%{shortversion}
+%setup -q -n nettle-%{version}
 %patch0 -p1
 
 %build

nettle-3.4.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f941cf1535cd5d1819be5ccae5babef01f6db611f9b5a777bae9c7604b8a92ad
+size 1947053

nettle-3.4.1rc1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5a380e9a7b5e4dde2c1aff4de090ed365500046c7c24c2de06933ed09262c1b5
-size 1946834