We now have nettle 3.7.3, so this isn't an issue anymore. Closing.
-- (
Hi!
(- Niels, - nettle-bugs)
ni...@lysator.liu.se (Niels Möller) wrote:
> Ludovic Courtès writes:
>
>> Are there plans to make a new 3.5 release including these fixes?
>
> No, I don't plan any 3.5.x release.
>
>> Alternatively, could you provide guidance as to which commits should be
>>
I am no expert cryptographer; it is likely that if I try backporting
such patches I will get something wrong that introduces more flaws.
https://security-tracker.debian.org/tracker/CVE-2021-20305 - no patch
backported yet
https://packages.ubuntu.com/source/focal/nettle - no patch backported
On Thu, Mar 25, 2021 at 05:21:40PM +0100, Niels Möller wrote:
> Changes to gostdsa and ed448 will not apply, since those curves didn't
> exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to
> refactoring when adding ed448.
Okay.
> > I’m asking because in Guix, the easiest way
Ludovic Courtès writes:
> Are there plans to make a new 3.5 release including these fixes?
No, I don't plan any 3.5.x release.
> Alternatively, could you provide guidance as to which commits should be
> cherry-picked in 3.5 for downstream distros?
Look at the branch release-3.7-fixes
Hi Niels,
> I've prepared a new bug-fix release of Nettle, a low-level
> cryptographic library, to fix a serious bug in the function to verify
> ECDSA signatures. Implications include an assertion failure, which could
> be used for denial-of-service, when verifying signatures on the
> secp_224r1
Start of forwarded message
From: ni...@lysator.liu.se (Niels Möller)
To: nettle-b...@lists.lysator.liu.se, info-...@gnu.org
Subject: ANNOUNCE: Nettle-3.7.2
Date: Sun, 21 Mar 2021 10:24:11 +0100
I've prepared a new bug-fix release of Nettle, a low-level
FYI...
Start of forwarded message
From: ni...@lysator.liu.se (Niels Möller)
To: nettle-b...@lists.lysator.liu.se
Subject: ANNOUNCE: Serious bug in Nettle's ecdsa_verify
Date: Tue, 16 Mar 2021 09:07:56 +0100
I've been made aware of a bug in Nettle's code