Date: Fri, 29 Jul 2016 14:19:38 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com,
 Mitre CVE assign department <cve-assign@...re.org>
Subject: CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks

Hi All,

The following whitepaper talks about libgcrypt's RSA code being vulnerable to a cache timing attack, which the paper claims is fixed in 1.6.3.

It seems nettle is also vulnerable to this flaw, which was confirmed by upstream via:

https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html

The above link also contains a proposed patch, which will be committed soon.

I would like to request a CVE id for the flaw in nettle.

Note: the libgcrypt-1.6.3 release notes talk about 2 CVEs being fixed, but they don't mention this paper at all. (I am going to talk to the researchers to figure this out.)

--
Huzaifa Sidhpurwala / Red Hat Product Security Team