
Gentoo 202401-24: Moderate Nettle Denial of Service Issues

January 16, 2024
Several DoS vulnerabilities discovered in the Nettle library. Upgrade immediately to reduce risks and enhance system security.

Summary

Multiple vulnerabilities have been discovered in Nettle. Please review the CVE identifiers referenced below for details.

Resolution

All Nettle users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/nettle-3.9.1"
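As an added example (not part of the GLSA or of Gentoo's own tooling), the check a defender would run against a package inventory: evaluate the fix atom from the emerge command above against an installed category/package-version string and report whether it still falls in the vulnerable range. It implements the common subset of Gentoo's PMS version syntax (dotted numbers, optional letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN revision); the function names and the sample versions are mine.

```python
"""Decide whether an installed Gentoo package satisfies a GLSA fix atom.
Simplified PMS version comparison: rarer rules (e.g. leading-zero
components) are intentionally not implemented."""
import re

# Suffix ranking from PMS: _alpha < _beta < _pre < _rc < release < _p
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}

ATOM_RE = re.compile(
    r"^(?P<op>>=|<=|>|<|=)?(?P<cat>[A-Za-z0-9_][A-Za-z0-9_+.-]*)/"
    r"(?P<pkg>[A-Za-z0-9_][A-Za-z0-9_+-]*?)-(?P<ver>\d.*)$")
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$")
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def version_key(ver: str) -> tuple:
    """Map a version string to a tuple that sorts in PMS order."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums = tuple(int(n) for n in m["nums"].split("."))
    suffixes = tuple((SUFFIX_RANK[name], int(num or 0))
                     for name, num in re.findall(r"_([a-z]+)(\d*)", m["suffixes"]))
    # A plain release (rank 0) sorts above the pre-release suffixes and below _p.
    return nums, m["letter"] or "", suffixes or ((0, 0),), int(m["rev"] or 0)


def parse_atom(atom: str) -> tuple:
    """Split '>=dev-libs/nettle-3.9.1' into ('>=', 'dev-libs/nettle', '3.9.1')."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported atom: {atom!r}")
    return m["op"] or "=", f"{m['cat']}/{m['pkg']}", m["ver"]


def is_vulnerable(installed_cpv: str, fixed_atom: str = ">=dev-libs/nettle-3.9.1") -> bool:
    """True if the installed category/package-version does not meet the fix atom."""
    _, inst_cp, inst_ver = parse_atom(installed_cpv)
    op, cp, ver = parse_atom(fixed_atom)
    if inst_cp != cp:
        raise ValueError(f"{installed_cpv!r} is not the package named in {fixed_atom!r}")
    return not OPS[op](version_key(inst_ver), version_key(ver))


if __name__ == "__main__":
    # Constructed sample inputs in the category/package-version form Portage tools print.
    for cpv in ("dev-libs/nettle-3.8.1", "dev-libs/nettle-3.9.1_rc1",
                "dev-libs/nettle-3.9.1", "dev-libs/nettle-3.9.1-r1"):
        print(cpv, "VULNERABLE" if is_vulnerable(cpv) else "fixed")
```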

References

[ 1 ] CVE-2021-3580 https://nvd.nist.gov/vuln/detail/CVE-2021-3580
[ 2 ] CVE-2023-36660 https://nvd.nist.gov/vuln/detail/CVE-2023-36660

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202401-24

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: Nettle: Denial of Service
Date: January 16, 2024
Bugs: #806839, #907673
ID: 202401-24

Synopsis

Multiple denial of service vulnerabilities have been discovered in Nettle.

Background

Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space.


Affected Packages

Package          Vulnerable   Unaffected
---------------  -----------  -----------
dev-libs/nettle  < 3.9.1      >= 3.9.1

Impact

A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.

Workaround

There is no known workaround at this time.
