Security update for libnettle SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0635-1 Final 1 1 2021-04-30T19:22:54Z current 2021-04-30T19:22:54Z 2021-04-30T19:22:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libnettle This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-635 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JEQQBLTWQPDTYRTWQZSXENUU6TSCBJ5R/ E-Mail link for openSUSE-SU-2021:0635-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1184401 SUSE Bug 1184401 https://www.suse.com/security/cve/CVE-2021-20305/ SUSE CVE CVE-2021-20305 page openSUSE Leap 15.2 libhogweed4-3.4.1-lp152.4.3.1 libhogweed4-32bit-3.4.1-lp152.4.3.1 libnettle-devel-3.4.1-lp152.4.3.1 libnettle-devel-32bit-3.4.1-lp152.4.3.1 libnettle6-3.4.1-lp152.4.3.1 libnettle6-32bit-3.4.1-lp152.4.3.1 nettle-3.4.1-lp152.4.3.1 libhogweed4-3.4.1-lp152.4.3.1 as a component of openSUSE Leap 15.2 libhogweed4-32bit-3.4.1-lp152.4.3.1 as a component of openSUSE Leap 15.2 libnettle-devel-3.4.1-lp152.4.3.1 as a component of openSUSE Leap 15.2 libnettle-devel-32bit-3.4.1-lp152.4.3.1 as a component of openSUSE Leap 15.2 libnettle6-3.4.1-lp152.4.3.1 as a component of openSUSE Leap 15.2 libnettle6-32bit-3.4.1-lp152.4.3.1 as a component of openSUSE Leap 15.2 nettle-3.4.1-lp152.4.3.1 as a component of openSUSE Leap 15.2 A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2021-20305 openSUSE Leap 15.2:libhogweed4-3.4.1-lp152.4.3.1 openSUSE Leap 15.2:libhogweed4-32bit-3.4.1-lp152.4.3.1 openSUSE Leap 15.2:libnettle-devel-3.4.1-lp152.4.3.1 openSUSE Leap 15.2:libnettle-devel-32bit-3.4.1-lp152.4.3.1 openSUSE Leap 15.2:libnettle6-3.4.1-lp152.4.3.1 openSUSE Leap 15.2:libnettle6-32bit-3.4.1-lp152.4.3.1 openSUSE Leap 15.2:nettle-3.4.1-lp152.4.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JEQQBLTWQPDTYRTWQZSXENUU6TSCBJ5R/ https://www.suse.com/security/cve/CVE-2021-20305.html CVE-2021-20305 https://bugzilla.suse.com/1183835 SUSE Bug 1183835 https://bugzilla.suse.com/1184401 SUSE Bug 1184401