[arch-security] [ASA-201602-6] lib32-nettle: improper cryptographic calculations
Arch Linux Security Advisory ASA-201602-6
=========================================

Severity: Medium
Date    : 2016-02-03
CVE-ID  : CVE-2015-8803 CVE-2015-8804 CVE-2015-8805
Package : lib32-nettle
Type    : improper cryptographic calculations
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package lib32-nettle before version 3.2-1 is vulnerable to improper cryptographic calculations with unspecified impact.

Resolution
==========

Upgrade to 3.2-1.

# pacman -Syu "lib32-nettle>=3.2-1"

The problems have been fixed upstream in version 3.2-1.

Workaround
==========

None.

Description
===========

- CVE-2015-8803 CVE-2015-8804 CVE-2015-8805 (improper cryptographic calculations)

It has been discovered that multiple carry propagation bugs produce wrong results in calculations. They affect the NIST P-256 and P-384 curves. The P-256 bug is in the C code and affects multiple architectures. The P-384 bug is in the assembly code and only affects 64-bit x86. The computation multiplies a certain curve point by 1, which should not change the coordinates, but it does.

Impact
======

The impact is currently unclear, but miscalculations in cryptographic functions are classified as security issues.

References
==========

https://access.redhat.com/security/cve/CVE-2015-8803
https://access.redhat.com/security/cve/CVE-2015-8804
https://access.redhat.com/security/cve/CVE-2015-8805
https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar...
https://lists.gnu.org/archive/html/info-gnu/2016-01/msg00006.html
Levente Polyak
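
The invariant named in the Description (multiplying a curve point by 1 must return the same point) can be turned into a regression check for any P-256 scalar multiplication. The following is an added example, not part of the advisory or of nettle: the reference arithmetic, `find_miscomputations`, the sample scalars and `faulty_mul` are constructed here for illustration, and `faulty_mul` does not reproduce the nettle bug.

```python
# Reference arithmetic for NIST P-256 in affine coordinates using Python integers.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1                                 # field prime
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551   # group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None                                                               # point at infinity

def on_curve(pt):
    return pt is INF or (pt[1]**2 - (pt[0]**3 + A * pt[0] + B)) % P == 0

def add(p1, p2):
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                               # p2 is the negation of p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ref_mul(k, pt):
    acc = INF
    while k:                                     # double-and-add, low bit first
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def find_miscomputations(mul_under_test, count=8):
    """Run invariant and differential checks; return failed (check, scalar) pairs."""
    failed = []
    for i in range(1, count + 1):
        k = pow(3, 17 * i, N)                    # constructed deterministic scalar
        pt = ref_mul(k, G)                       # constructed sample point
        if mul_under_test(1, pt) != pt:          # the check described in the advisory
            failed.append(("mul_by_1", k))
        if not on_curve(mul_under_test(k, G)):   # result must satisfy the curve equation
            failed.append(("off_curve", k))
        if mul_under_test(k, G) != pt:           # differential check against reference
            failed.append(("mismatch", k))
    return failed

def faulty_mul(k, pt):
    """Constructed faulty implementation (not nettle's bug): x coordinate off by one."""
    r = ref_mul(k, pt)
    return r if r is INF else ((r[0] + 1) % P, r[1])
```

To test a real library, pass a wrapper around its scalar multiplication as `mul_under_test`; an empty list means no check failed for the sampled scalars.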