Re: Security update of nettle

[Ola Lundqvist <ola@inguza.com>]

Hi Niels and gnutls maintainers

I do not think coordination with gnutls is needed. I can not see that gnutls depend on nettle in wheezy.

I can see that it can potentially do that, but I do not think it do.

There are no dependencies declared on nettle library and from unstable changelog it looks like this build dependency was first added in gnutls28. Wheezy has gnutls28.

I may be wrong however.

Or can it be so that nettle is built in statically and that a build dependency is not needed as some other package has a build dependency so we get it indirectly?

I'm including the gnutls maintainers to get their opinion.

// Ola

On Sat, Aug 6, 2016 at 8:40 PM, Niels Möller <nisse@lysator.liu.se> wrote:

Ola Lundqvist <ola@inguza.com> writes:

> Magnus, Niels and I have been discussing the nettle update due to
> https://security-tracker.debian.org/tracker/CVE-2016-6489

Please note that some coordinatoino with gnutls may be needed, to avoid
a denial-of-service problem involving invalid private keys.

> I suggest something like this:
> "Protect against potential timing attacks against exponentiation operations
> as described in CVE-2016-6489 RSA code is vulnerable to cache sharing
> related attacks."

I'd suggest the more general "side-channel attacks" over "timing
attacks".

/Niels

--
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

--

 --- Inguza Technology AB --- MSc in Information Technology ----

/  ola@inguza.com                    Folkebogatan 26            \

|  opal@debian.org                   654 68 KARLSTAD            |

|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

 ---------------------------------------------------------------