GNU bug report logs -
#47222
Serious bug in Nettle's ecdsa_verify
Previous Next
Reported by: Mark H Weaver <mhw <at> netris.org>
Date: Thu, 18 Mar 2021 00:24:01 UTC
Severity: important
Tags: security
Done: "(" <paren <at> disroot.org>
Bug is archived. No further changes may be made.
Full log
Message #27 received at 47222 <at> debbugs.gnu.org (full text, mbox):
Hi!
(- Niels, - nettle-bugs)
nisse <at> lysator.liu.se (Niels Möller) skribis:
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Are there plans to make a new 3.5 release including these fixes?
>
> No, I don't plan any 3.5.x release.
>
>> Alternatively, could you provide guidance as to which commits should be
>> cherry-picked in 3.5 for downstream distros?
>
> Look at the branch release-3.7-fixes
> (https://git.lysator.liu.se/nettle/nettle/-/commits/release-3.7-fixes/).
> The commits since 3.7.1 are the ones you need.
>
> Changes to gostdsa and ed448 will not apply, since those curves didn't
> exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to
> refactoring when adding ed448.
I confirm these patches don’t apply, and I’m not comfortable fiddling
with that.
Leo and I checked and found that Debian doesn’t have 3.5. Do other
distros have backports of these patches to 3.5?
If not, our options are:
1. to invest in the backport ourselves, with good peer review, ideally
getting it stamped by Niels & co;
2. to wait until a full rebuild has come.
It’s not an ideal situation. Thoughts?
Ludo’.
This bug report was last modified 2 years and 343 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.