Re: Security update of nettle

To: Ola Lundqvist <ola@inguza.com>
Cc: Magnus Holmgren <holmgren@debian.org>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Security update of nettle
From: nisse@lysator.liu.se (Niels Möller)
Date: Sat, 06 Aug 2016 20:40:46 +0200
Message-id: <[🔎] nnk2ftlp01.fsf@armitage.lysator.liu.se>
In-reply-to: <[🔎] CABY6=0kr88T=FUPdhS6iaayixSCD1Ou6BaBGi-_Cpsid7AH+xg@mail.gmail.com> (Ola Lundqvist's message of "Fri, 5 Aug 2016 22:16:29 +0200")
References: <[🔎] CABY6=0kr88T=FUPdhS6iaayixSCD1Ou6BaBGi-_Cpsid7AH+xg@mail.gmail.com>

Ola Lundqvist <ola@inguza.com> writes:

> Magnus, Niels and I have been discussing the nettle update due to
> https://security-tracker.debian.org/tracker/CVE-2016-6489

Please note that some coordinatoino with gnutls may be needed, to avoid
a denial-of-service problem involving invalid private keys.

> I suggest something like this:
> "Protect against potential timing attacks against exponentiation operations
> as described in CVE-2016-6489 RSA code is vulnerable to cache sharing
> related attacks."

I'd suggest the more general "side-channel attacks" over "timing
attacks".

/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

Reply to:

Follow-Ups:
- Re: Security update of nettle
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Security update of nettle
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Wheezy update of mupdf?
Next by Date: Re: Security update of nettle
Previous by thread: Re: Security update of nettle
Next by thread: Re: Security update of nettle
Index(es):
- Date
- Thread