Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

Gentoo: GLSA-202105-31 Low: Nettle Denial Of Service Risk

gentoo
Calendar Grey May 26, 2021
Dist Gentoo Esm H88
The Gentoo advisory on Nettle indicates that all package versions older than 3.7.2 are susceptible to a low-severity denial of service vulnerability.
A vulnerability in Nettle could lead to a Denial of Service condition.

Summary

It was discovered that Nettle incorrectly handled signature verification.

Resolution

All Nettle users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/nettle-3.7.2"

References

[ 1 ] CVE-2021-20305 https://nvd.nist.gov/vuln/detail/CVE-2021-20305

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202105-31
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity
low
Lowest
Low
Medium
High
Critical

Severity: Low
Title: Nettle: Denial of service
Date: May 26, 2021
Bugs: #780483
ID: 202105-31

Synopsis

A vulnerability in Nettle could lead to a Denial of Service condition.

Background

Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/nettle < 3.7.2 >= 3.7.2

Impact

===== A remote attacker could send a specially crafted valid-looking input signature, possibly resulting in a Denial of Service condition or force an invalid signature.

Workaround

There is no known workaround at this time.

Your message here