Date: Fri, 29 Jul 2016 14:19:38 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com,
        Mitre CVE assign department <cve-assign@...re.org>
Subject: CVE Request: nettle's RSA code is vulnerable to cache sharing related
 attacks

Hi All,

The following whitepaper talks about libgcrypt's RSA code being
vulnerable to a cache timing attack, which the paper claims is fixed in
1.6.3.

It seems nettle is also vulnerable to this flaw, which was confirmed by
upstream via:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html

The above link also contains a proposed patch, which will be committed soon.

I would like to request a CVE id for the flaw in nettle.

Note: libgcrypt-1.6.3 release notes talk about 2 CVEs being fixed, but
they don't mention this paper at all. (I am going to talk to the
researchers to figure this out.)


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
