Security update for libnettle

Announcement ID: SUSE-RU-2019:0791-1
Rating: moderate
References:
Affected Products:
  • Basesystem Module 15
  • Desktop Applications Module 15
  • SUSE Linux Enterprise Desktop 15
  • SUSE Linux Enterprise High Performance Computing 15
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server for SAP Applications 15

An update that has one fix can now be installed.

Description:

This update for libnettle to version 3.4.1 fixes the following issues:

Issues addressed and new features:

  • Updated to 3.4.1 (fate#327114 and bsc#1129598)
  • Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv.
  • Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
  • All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption.
  • Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Basesystem Module 15
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-791=1
  • Desktop Applications Module 15
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-791=1

Package List:

  • Basesystem Module 15 (aarch64 ppc64le s390x x86_64)
    • libnettle6-3.4.1-4.7.3
    • libnettle-devel-3.4.1-4.7.3
    • libnettle-debugsource-3.4.1-4.7.3
    • libnettle6-debuginfo-3.4.1-4.7.3
    • libhogweed4-debuginfo-3.4.1-4.7.3
    • libhogweed4-3.4.1-4.7.3
  • Desktop Applications Module 15 (x86_64)
    • libhogweed4-32bit-3.4.1-4.7.3
    • libhogweed4-32bit-debuginfo-3.4.1-4.7.3
    • libnettle-debugsource-3.4.1-4.7.3
    • libnettle6-32bit-debuginfo-3.4.1-4.7.3
    • libnettle6-32bit-3.4.1-4.7.3

References: