Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue,  2 Feb 2016 19:33:33 -0500 (EST)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Miscomputations of elliptic curve scalar multiplications in Nettle

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I discovered two carry propagation bugs

> The P-256 bug is
> in the C code and affects multiple architectures.
> 
> https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
> 
> secp256 calculation bug (already fixed)
> 
> Sat Dec 12 21:48:58 CET 2015
> 
> https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
> 
> 2015-12-10

Use CVE-2015-8803.


> The P-384 bug is in
> the assembly code and only affects 64 bit x86.
> 
> https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003024.html
> 
> Miscalculations on secp384 curve
> 
> Fri Dec 11 11:19:05 CET 2015
> 
> https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7
> 
> 2015-12-15

Use CVE-2015-8804.


> Niels Moeller discovered
> another carry propagation bug in P-256
>
> https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
>
> 2015-12-10

Use CVE-2015-8805.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWsUqEAAoJEL54rhJi8gl5kBgP/3SoSxsZyGfBYj+2LR1uF/o7
1cIStfXACb7RaB02DnCzkjxlBBPUxxPnZbW3nDR7XHe1n9dVSmWYavenQceikS2y
EJmRuu6L7CaXDQ9nwj9kfmUaLoPmC737eD5vkUNu3gWyyDaDpeb4ve0UHNmInNRG
efDC4MbT9Tmzhpfx0cDkG5hdPImWgNDQRf2loSZ2owy7XcH3a0U60kZ5mwXndQms
eEzyj2tD4gE1VWbadjuqPplkyCjp39a30WhbWNAdizHKj5N4ai0+W7uy1P1y47qK
BsRQwtPprsf/Vsozmf4y/tMwX4zB3DFLKq/Gtm7wjj43SSahMkN22d2tCxHfTfHB
Cj8YciUtun9oGOPDFCMcwmzY6UrmR+Hn+DCmp821FrHD12JEaptB+BNvDkit1/0F
lyMWCuoiqoUUplIYY3K33Ys5I8WFxw2E3eGrCmcNs3nZ+IOEqZRedwGElLFKISwJ
EFA2fzJp0VI2jpq6+/S4d3F70BFjsZ1ZvVd+KIYvrncfOz0A76/xCWCo2spQFz39
W3gsOVN5vPajqfI091nFwTaX3y7wqkFhb20YV11Pz38rgiM5Kfrgj03g5n1tF0oD
7mSgLHCnI8Uz1UxJcTAYoAGHLxFZu4hM+CL5rVq3hVlUpZhj4fjE29LUdq16lYij
dZFxx5TihZtuH0n6KxkM
=5gQs
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.