Date: Fri, 29 Jul 2016 14:19:38 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com, Mitre CVE assign department <cve-assign@...re.org>
Subject: CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks

Hi All,

The following whitepaper talks about libgcrypt's RSA code being vulnerable to a cache timing attack, which the paper claims is fixed in 1.6.3.

It seems nettle is also vulnerable to this flaw, which was confirmed by upstream via:

https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html

The above link also contains a proposed patch, which will be committed soon.

I would like to request a CVE id for the flaw in nettle.

Note: libgcrypt-1.6.3 release notes talk about 2 CVEs being fixed, but they don't mention this paper at all. (I am going to talk to the researchers to figure this out)

--
Huzaifa Sidhpurwala / Red Hat Product Security Team