[arch-security] [ASA-201602-6] lib32-nettle: improper cryptographic calculations
anthraxx at archlinux.org
Wed Feb 3 16:05:49 UTC 2016
Arch Linux Security Advisory ASA-201602-6
Date : 2016-02-03
CVE-ID : CVE-2015-8803 CVE-2015-8804 CVE-2015-8805
Package : lib32-nettle
Type : improper cryptographic calculations
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package lib32-nettle before version 3.2-1 is vulnerable to improper
cryptographic calculations with unspecified impact.
Upgrade to 3.2-1.
# pacman -Syu "lib32-nettle>=3.2-1"
The problems have been fixed upstream in version 3.2-1.
- CVE-2015-8803 CVE-2015-8804 CVE-2015-8805
(improper cryptographic calculations)
It has been discovered that multiple carry propagation bugs are
producing wrong results in calculations. They affect the NIST P-256 and
P-384 curves. The P-256 bug is in the C code and affects multiple
architectures. The P-384 bug is in the assembly code and only affects 64
bit x86. The computation compiles a certain curve point with 1, which
should not change the coordinates, however it does.
The impact is currently unclear, but miscalculations in cryptographic
functions are classified as security issues.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-security