Hi Niels, > I've prepared a new bug-fix release of Nettle, a low-level > cryptographics library, to fix a serious bug in the function to verify > ECDSA signatures. Implications include an assertion failure, which could > be used for denial-of-service, when verifying signatures on the > secp_224r1 and secp521_r1 curves. More details in NEWS file below. > > Upgrading is strongly recomended.
Are there plans to make a new 3.5 release including these fixes? Alternatively, could you provide guidance as to which commits should be cherry-picked in 3.5 for downstream distros? I’m asking because in Guix, the easiest way for us to deploy the fixes on the ‘master’ branch would be by “grafting” a new Nettle variant ABI-compatible with 3.5.1, which is the one packages currently depend on. Thanks in advance, Ludo’.
