
Nettle and CVE-2018-16869



Hi LTS team

I have looked at the nettle vulnerability 
https://security-tracker.debian.org/tracker/CVE-2018-16869

It is described as a Bleichenbacher-style attack. When I read the changelog, diffing the source, I find that this is fixed by introducing a new function, and that new function is recommended for use by the packages that use nettle. Because of that I do not find it suitable to change either jessie or stretch, since the application software using nettle must be changed too. This applies to buster and sid too, by the way, but there it is at least possible that some software will be updated before the release.

It could still be good to update using the patch, but there is a potential 60% performance penalty as well, so maybe it is not worth it.

If nobody complains I will therefore mark this CVE as "ignored".

Any opinions?

This is the extract from the changelog.

+       Changes in behavior:
+
+       * The functions rsa_decrypt and rsa_decrypt_tr may now clobber
+         all of the provided message buffer, independent of the
+         actual message length. They are side-channel silent, in that
+         branches and memory accesses don't depend on the validity or
+         length of the message. Side-channel leakage from the
+         caller's use of length and return value may still provide an
+         oracle useable for a Bleichenbacher-style chosen ciphertext
+         attack. Which is why the new function rsa_sec_decrypt is
+         recommended.
+
+       New features:
+
+       * A new function rsa_sec_decrypt. It differs from
+         rsa_decrypt_tr in that the length of the decrypted message
+         is given a priori, and PKCS#1 padding indicating a different
+         length is treated as an error. For applications that may be
+         subject to chosen ciphertext attacks, it is recommended to
+         initialize the message area with random data, call this
+         function, and ignore the return value. This applies in
+         particular to RSA-based key exchange in the TLS protocol.
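Review bot: the rsa_sec_decrypt entry tells callers to pre-fill the message area with random data and ignore the return value, but it does not say what the message area contains after a failed call; that advice only works if the function leaves the buffer untouched on a padding error, and a caller reading this entry cannot tell whether it does. Suggest adding a sentence such as "On error the message area is left unchanged" (or the opposite, if that is the behaviour). The same hunk's "Changes in behavior" entry says rsa_decrypt and rsa_decrypt_tr "may now clobber all of the provided message buffer" without stating the size that buffer must now have, which callers who sized it for the expected plaintext will need to know.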

Best regards

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
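The pattern the changelog recommends (expected length known a priori, message area pre-filled, return value ignored), as an added example that is not part of the original mail or of Nettle's own code. It implements only the unpadding step, in plain C, on a constructed PKCS#1 v1.5 type-2 block, i.e. what the raw RSA private-key operation would yield, so it runs without linking Nettle; the function names, the 1024-bit block size and the placeholder-fill routine standing in for a CSPRNG are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant-time helpers: no branches or table lookups on secret data. */
static uint32_t ct_is_zero(uint32_t x)
{
    /* (x | -x) has its top bit set iff x != 0. */
    return ((x | (0u - x)) >> 31) ^ 1u;
}
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_is_zero(a ^ b); }
static uint32_t ct_ne(uint32_t a, uint32_t b) { return ct_is_zero(a ^ b) ^ 1u; }

/*
 * Unpad a PKCS#1 v1.5 type-2 block whose plaintext length is known in
 * advance (as with the 48-byte TLS premaster secret). Expected layout:
 *   00 02 <PS: at least 8 nonzero bytes> 00 <msg: msg_len bytes>
 * Every padding byte is examined no matter where a defect appears, the
 * validity bit is accumulated without branching, and msg is overwritten
 * only when the block is valid, via a constant-time conditional copy.
 * Returns 1 for a valid block and 0 otherwise; a caller following the
 * changelog advice ignores this value and uses whatever is now in msg.
 */
static int sec_pkcs1_decrypt(const uint8_t *em, size_t em_len,
                             uint8_t *msg, size_t msg_len)
{
    size_t pad_end, i;
    uint32_t ok;
    uint8_t mask;

    /* Only public quantities (modulus size, expected length) are tested here. */
    if (em_len < msg_len + 11)
        return 0;
    pad_end = em_len - msg_len - 1;          /* where the 0x00 separator must sit */

    ok = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    for (i = 2; i < pad_end; i++)            /* whole PS scanned, no early exit */
        ok &= ct_ne(em[i], 0x00);
    ok &= ct_eq(em[pad_end], 0x00);

    mask = (uint8_t)(0u - ok);               /* 0xff if ok, 0x00 if not */
    for (i = 0; i < msg_len; i++)
        msg[i] = (uint8_t)((em[pad_end + 1 + i] & mask) | (msg[i] & (uint8_t)~mask));
    return (int)ok;
}

#define EM_LEN  128   /* assumed 1024-bit modulus */
#define PMS_LEN 48    /* TLS premaster secret length */

/* Constructed block as the decrypting side would see it after the raw RSA
 * operation; 'sep' is where the 0x00 separator is placed. */
static void build_block(uint8_t em[EM_LEN], size_t sep,
                        const uint8_t *secret, size_t secret_len)
{
    size_t i;
    em[0] = 0x00;
    em[1] = 0x02;
    for (i = 2; i < sep; i++)
        em[i] = (uint8_t)(0x11 + (i % 200));  /* nonzero filler for PS */
    em[sep] = 0x00;
    memcpy(em + sep + 1, secret, secret_len);
}

/* Caller-side pre-fill. Constructed deterministic bytes so the example is
 * reproducible; real code fills this from a CSPRNG. */
static void fill_placeholder(uint8_t *buf, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        buf[i] = (uint8_t)(0xA5 ^ (i * 7));
}

/* Case 1: well-formed block; the real premaster secret must come out. */
int demo_valid_block(void)
{
    uint8_t em[EM_LEN], out[PMS_LEN], pms[PMS_LEN];
    size_t i;
    int rc;
    for (i = 0; i < PMS_LEN; i++) pms[i] = (uint8_t)(0x30 + i);
    build_block(em, EM_LEN - PMS_LEN - 1, pms, PMS_LEN);
    fill_placeholder(out, PMS_LEN);
    rc = sec_pkcs1_decrypt(em, EM_LEN, out, PMS_LEN);
    return rc == 1 && memcmp(out, pms, PMS_LEN) == 0;
}

/* Case 2: padding claims a 47-byte message where 48 are expected. The block
 * is rejected and 'out' must still hold the caller's placeholder bytes, so
 * the handshake proceeds with a random-looking secret instead of an error. */
int demo_wrong_length(void)
{
    uint8_t em[EM_LEN], out[PMS_LEN], before[PMS_LEN], pms[PMS_LEN - 1];
    size_t i;
    int rc;
    for (i = 0; i < PMS_LEN - 1; i++) pms[i] = (uint8_t)(0x30 + i);
    build_block(em, EM_LEN - (PMS_LEN - 1) - 1, pms, PMS_LEN - 1);
    fill_placeholder(out, PMS_LEN);
    memcpy(before, out, PMS_LEN);
    rc = sec_pkcs1_decrypt(em, EM_LEN, out, PMS_LEN);
    return rc == 0 && memcmp(out, before, PMS_LEN) == 0;
}

int main(void)
{
    printf("valid block decrypts:        %s\n", demo_valid_block() ? "yes" : "NO");
    printf("wrong-length block rejected: %s\n", demo_wrong_length() ? "yes" : "NO");
    return 0;
}
```

The length check against em_len happens before anything secret is looked at and depends only on the key size and the protocol's fixed message length, so it is the one branch that is safe to keep. Everything after it touches every byte of the block and writes every byte of the output on both paths; what the caller must then avoid, as the changelog warns, is branching on the return value or on a length that differs between the two outcomes.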

