[ubuntu/hirsute-proposed] nettle 3.7-2.1ubuntu1 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Thu Apr 8 17:20:52 UTC 2021


nettle (3.7-2.1ubuntu1) hirsute; urgency=medium

  * SECURITY UPDATE: Out of Bound memory access in signature verification
    - debian/patches/CVE-2021-20305-1.patch: new functions
      ecc_mod_mul_canonical and ecc_mod_sqr_canonical in
      curve25519-eh-to-x.c, curve448-eh-to-x.c, ecc-eh-to-a.c,
      ecc-internal.h, ecc-j-to-a.c, ecc-mod-arith.c, ecc-mul-m.c.
    - debian/patches/CVE-2021-20305-2.patch: use ecc_mod_mul_canonical for
      point comparison in eddsa-verify.c.
    - debian/patches/CVE-2021-20305-3.patch: fix bug in ecc_ecdsa_verify in
      ecc-ecdsa-verify.c, testsuite/ecdsa-sign-test.c.
    - debian/patches/CVE-2021-20305-4.patch: ensure ecdsa_sign output is
      canonically reduced in ecc-ecdsa-sign.c.
    - debian/patches/CVE-2021-20305-5.patch: analogous fix to
      ecc_gostdsa_verify in ecc-gostdsa-verify.c.
    - debian/patches/CVE-2021-20305-6.patch: similar fix for eddsa in
      eddsa-hash.c.
    - debian/patches/CVE-2021-20305-7.patch: fix canonical reduction in
      gostdsa_vko in gostdsa-vko.c.
    - debian/libhogweed6.symbols: added new symbols.
    - CVE-2021-20305

Date: Tue, 06 Apr 2021 11:20:32 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/nettle/3.7-2.1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Tue, 06 Apr 2021 11:20:32 -0400
Source: nettle
Built-For-Profiles: noudeb
Architecture: source
Version: 3.7-2.1ubuntu1
Distribution: hirsute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Magnus Holmgren <holmgren at debian.org>

