nettle-2.7.1-8.el7

エラータID: AXSA:2016-1108:01

Release date: 
Tuesday, November 29, 2016 - 08:15
Subject: 
nettle-2.7.1-8.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

Nettle is a cryptographic library that is designed to fit easily in more
or less any context: In crypto toolkits for object-oriented languages
(C , Python, Pike, ...), in applications like LSH or GNUPG, or even in
kernel space.

Security issues fixed with this release:

CVE-2015-8803
The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not
properly handle carry propagation and produces incorrect output in its
implementation of the P-256 NIST elliptic curve, which allows
attackers to have unspecified impact via unknown vectors, a different
vulnerability than CVE-2015-8805.
CVE-2015-8804
x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle
carry propagation and produces incorrect output in its implementation
of the P-384 NIST elliptic curve, which allows attackers to have
unspecified impact via unknown vectors.
CVE-2015-8805
The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not
properly handle carry propagation and produces incorrect output in its
implementation of the P-256 NIST elliptic curve, which allows
attackers to have unspecified impact via unknown vectors, a different
vulnerability than CVE-2015-8803.
CVE-2016-6489
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C , Python, or Pike, in applications like lsh or GnuPG, or even in kernel space.
Additional Changes:

Solution: 

Update packages.

CVEs: 
CVE-2015-8803
The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8805.
CVE-2015-8804
x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-384 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors.
CVE-2015-8805
The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.
CVE-2016-6489
The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.
Additional Info: 

N/A

Download: 

SRPMS
  1. nettle-2.7.1-8.el7.src.rpm
    MD5: 52f36d6ef7d94d00a2374792ad48cc4e
    SHA-256: 01b94a68db076bc8e73a1bff4e3b4c9ca18928d354f18fc4448de1c5701aaf24
    Size: 1.75 MB

Asianux Server 7 for x86_64
  1. nettle-2.7.1-8.el7.x86_64.rpm
    MD5: e23f700dd3682b3a915804c308598c1c
    SHA-256: 0a70f313085ee1a3550649bffaba48aa68d34bd0ee9ce70c1ab8ce3261534c4e
    Size: 326.45 kB
  2. nettle-devel-2.7.1-8.el7.x86_64.rpm
    MD5: ad93ebfbe9ee5ad799eef0b9cee2d912
    SHA-256: a88db01673620de5ecca861c6be22ab59d2db735bc2ee2d7985fccc616bb0639
    Size: 470.21 kB
  3. nettle-2.7.1-8.el7.i686.rpm
    MD5: a9c34ab6b1345980edc52322d36bc98c
    SHA-256: 502ca4f31859cbb0bd61fb27096f69b5a85c36961a0f51ffdcdb0e24c9090f09
    Size: 329.08 kB
  4. nettle-devel-2.7.1-8.el7.i686.rpm
    MD5: a935da9925e4a8059829bfcf8ddea08a
    SHA-256: 261079b3449914e24f4d491b71d06ce6e9eb7e04fbc330030e13634c5eae0285
    Size: 470.23 kB