Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <700c370f-9fc4-7913-9d26-01574b218dba@redhat.com>
Date: Fri, 29 Jul 2016 14:19:38 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com,
        Mitre CVE assign department <cve-assign@...re.org>
Subject: CVE Request: nettle's RSA code is vulnerable to cache sharing related
 attacks

Hi All,

The following whitepaper talks about libgcrypt's RSA code being
vulnerable to a cache timing attack, which the paper claims is fixed in
1.6.3.

It seems nettle is also vulnerable to this flaw. Which was confirmed by
upstream via:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html

The above link also contains a proposed patch, will be committed soon.

I would like to request a CVE id for the flaw in nettle.

Note: libgcrypt-1.6.3. release notes talk about 2 cves being fixed, but
they dont mention this paper at all. (I am going to talk to the
researchers to figure this out)


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.