SUSE-RU-2019:0791-1: moderate: Security update for libnettle
sle-updates at lists.suse.com
Thu Mar 28 11:21:06 MDT 2019
SUSE Recommended Update: Security update for libnettle
______________________________________________________________________________
Announcement ID: SUSE-RU-2019:0791-1
Rating: moderate
References: #1129598
Affected Products:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
SUSE Linux Enterprise Module for Desktop Applications 15
SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for libnettle to version 3.4.1 fixes the following issues:
Issues addressed and new features:
- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in
pkcs1-conv.
- Fixed a link error in the pss-mgf1-test, which was affecting builds
without public key support.
- All functions using RSA private keys are now side-channel silent. This
applies both to the bignum calculations, which now use GMP's mpn_sec_*
family of functions, and the processing of PKCS#1 padding needed for RSA
decryption.
- Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may
now clobber all of the provided message buffer, independent of the
actual message length. They are side-channel silent, in that branches
and memory accesses don't depend on the validity or length of the
message. Side-channel leakage from the caller's use of length and return
value may still provide an oracle usable for a Bleichenbacher-style
chosen-ciphertext attack, which is why the new function rsa_sec_decrypt
is recommended.
Patch Instructions:
To install this SUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-791=1
- SUSE Linux Enterprise Module for Desktop Applications 15:
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-791=1
- SUSE Linux Enterprise Module for Basesystem 15:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-791=1
Package List:
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
libnettle-debugsource-3.4.1-4.7.3
nettle-3.4.1-4.7.3
nettle-debuginfo-3.4.1-4.7.3
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (x86_64):
libnettle-devel-32bit-3.4.1-4.7.3
- SUSE Linux Enterprise Module for Desktop Applications 15 (x86_64):
libhogweed4-32bit-3.4.1-4.7.3
libhogweed4-32bit-debuginfo-3.4.1-4.7.3
libnettle-debugsource-3.4.1-4.7.3
libnettle6-32bit-3.4.1-4.7.3
libnettle6-32bit-debuginfo-3.4.1-4.7.3
- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
libhogweed4-3.4.1-4.7.3
libhogweed4-debuginfo-3.4.1-4.7.3
libnettle-debugsource-3.4.1-4.7.3
libnettle-devel-3.4.1-4.7.3
libnettle6-3.4.1-4.7.3
libnettle6-debuginfo-3.4.1-4.7.3
References:
https://bugzilla.suse.com/1129598
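
The caller-side oracle mentioned in the description, as an added example (not part of the advisory and not nettle's code): PKCS#1 v1.5 unpadding for a payload whose length is fixed in advance, as rsa_sec_decrypt expects, plus a caller that never branches on the result. The names pkcs1_unpad_fixed and unwrap_key are hypothetical, and the 32-byte block is constructed sample data, not a real RSA modulus size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if x == 0, else 0, with no data-dependent branch. */
static uint32_t ct_is_zero(uint32_t x) { return 1 ^ ((x | (0u - x)) >> 31); }

/* PKCS#1 v1.5 type 2 unpadding for a payload whose length is known in advance.
   The payload is copied to message only if the padding is valid; otherwise
   message keeps its contents. No branch or index depends on the bytes of em. */
int pkcs1_unpad_fixed(size_t length, uint8_t *message,
                      size_t em_len, const uint8_t *em)
{
    if (em_len < length + 11) return 0;  /* lengths are public: branch is fine */
    size_t t = em_len - length;          /* payload must start exactly here */
    uint32_t ok = ct_is_zero(em[0]) & ct_is_zero(em[1] ^ 2);
    for (size_t i = 2; i < t - 1; i++)   /* padding bytes must be nonzero */
        ok &= 1 ^ ct_is_zero(em[i]);
    ok &= ct_is_zero(em[t - 1]);         /* separator at the expected offset */
    uint8_t mask = (uint8_t)(0u - ok);   /* 0xFF if valid, 0x00 otherwise */
    for (size_t i = 0; i < length; i++)  /* same memory accesses either way */
        message[i] = (uint8_t)((em[t + i] & mask) | (message[i] & ~mask));
    return (int)ok;
}

/* Caller pattern: start from a fallback key (random in real use) and carry on
   with whatever the buffer holds, never branching on the return value. */
void unwrap_key(uint8_t key[16], const uint8_t fallback[16],
                size_t em_len, const uint8_t *em)
{
    memcpy(key, fallback, 16);
    (void)pkcs1_unpad_fixed(16, key, em_len, em);
}

int main(void)
{
    /* Constructed block: 00 02 | 13 nonzero bytes | 00 | 16-byte payload. */
    uint8_t em[32], key[16], fallback[16] = {0};
    memset(em, 0xAA, sizeof em);
    em[0] = 0; em[1] = 2; em[15] = 0;
    unwrap_key(key, fallback, sizeof em, em);
    unsigned valid = key[0];
    em[1] = 1;                           /* corrupt the block type */
    unwrap_key(key, fallback, sizeof em, em);
    printf("valid: %02x  corrupted: %02x\n", valid, key[0]);
    return 0;
}
```

Compilers can turn masked selects back into branches, so production code should call the library routine rather than a hand-written copy of this logic.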