Security update for libnettle

SUSE Recommended Update: Security update for libnettle
Announcement ID: SUSE-RU-2019:0791-1
Rating: moderate
References: #1129598
Affected Products:
  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
  • SUSE Linux Enterprise Module for Desktop Applications 15
  • SUSE Linux Enterprise Module for Basesystem 15

An update that has one recommended fix can now be installed.

Description:

This update for libnettle to version 3.4.1 fixes the following issues:
Issues addressed and new features:

  • Updated to 3.4.1 (fate#327114 and bsc#1129598)
  • Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv.
  • Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
  • All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption.
  • Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended.

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-791=1
  • SUSE Linux Enterprise Module for Desktop Applications 15:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-791=1
  • SUSE Linux Enterprise Module for Basesystem 15:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-791=1

Package List:

  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
    • libnettle-debugsource-3.4.1-4.7.3
    • nettle-3.4.1-4.7.3
    • nettle-debuginfo-3.4.1-4.7.3
  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (x86_64):
    • libnettle-devel-32bit-3.4.1-4.7.3
  • SUSE Linux Enterprise Module for Desktop Applications 15 (x86_64):
    • libhogweed4-32bit-3.4.1-4.7.3
    • libhogweed4-32bit-debuginfo-3.4.1-4.7.3
    • libnettle-debugsource-3.4.1-4.7.3
    • libnettle6-32bit-3.4.1-4.7.3
    • libnettle6-32bit-debuginfo-3.4.1-4.7.3
  • SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
    • libhogweed4-3.4.1-4.7.3
    • libhogweed4-debuginfo-3.4.1-4.7.3
    • libnettle-debugsource-3.4.1-4.7.3
    • libnettle-devel-3.4.1-4.7.3
    • libnettle6-3.4.1-4.7.3
    • libnettle6-debuginfo-3.4.1-4.7.3

References: