Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 509
Alerts This Week
Warning Icon 1 509

Gentoo: GLSA-201706-21 Critical: Nettle Cache Attack Advisory

gentoo
Calendar Grey June 22, 2017
Scroller Gentoo Esm H88
Gentoo GLSA 202109-15 addresses a potential security flaw associated with the OpenSSL library that could lead to unauthorized data exposure. Users are advised to update their systems promptly.
A cache-related side channel vulnerability was found in nettle which might allow an attacker to obtain sensitive information.

Summary

It was found that nettle's RSA and DSA decryption code was vulnerable to cache-related side channel attacks. See the referenced technical paper "Cache Attacks Enable Bulk Key Recovery on the Cloud" below for details.

Resolution

All nettle users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/nettle-3.2-r1"

References

[ 1 ] CVE-2016-6489 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6489 [ 2 ] Cache Attacks Enable Bulk Key Recovery on the Cloud https://eprint.iacr.org/2016/596.pdf

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201706-21
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity
important
Lowest
Low
Medium
High
Critical

Severity: Normal
Title: nettle: Information disclosure
Date: June 22, 2017
Bugs: #590484
ID: 201706-21

Synopsis

A cache-related side channel vulnerability was found in nettle which might allow an attacker to obtain sensitive information.

Background

Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/nettle < 3.2-r1 >= 3.2-r1

Impact

===== An attacker could recover the private key from a co-located virtual-machine instance.

Workaround

There is no known workaround at this time.