libhogweed6-3.7.3-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10962-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libhogweed6-3.7.3-1.2 on GA media These are all security issues fixed in the libhogweed6-3.7.3-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10962 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-16869/ SUSE CVE CVE-2018-16869 page https://www.suse.com/security/cve/CVE-2021-20305/ SUSE CVE CVE-2021-20305 page https://www.suse.com/security/cve/CVE-2021-3580/ SUSE CVE CVE-2021-3580 page openSUSE Tumbleweed libhogweed6-3.7.3-1.2 libhogweed6-32bit-3.7.3-1.2 libnettle-devel-3.7.3-1.2 libnettle-devel-32bit-3.7.3-1.2 libnettle8-3.7.3-1.2 libnettle8-32bit-3.7.3-1.2 nettle-3.7.3-1.2 libhogweed6-3.7.3-1.2 as a component of openSUSE Tumbleweed libhogweed6-32bit-3.7.3-1.2 as a component of openSUSE Tumbleweed libnettle-devel-3.7.3-1.2 as a component of openSUSE Tumbleweed libnettle-devel-32bit-3.7.3-1.2 as a component of openSUSE Tumbleweed libnettle8-3.7.3-1.2 as a component of openSUSE Tumbleweed libnettle8-32bit-3.7.3-1.2 as a component of openSUSE Tumbleweed nettle-3.7.3-1.2 as a component of openSUSE Tumbleweed A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server. CVE-2018-16869 openSUSE Tumbleweed:libhogweed6-3.7.3-1.2 openSUSE Tumbleweed:libhogweed6-32bit-3.7.3-1.2 openSUSE Tumbleweed:libnettle-devel-3.7.3-1.2 openSUSE Tumbleweed:libnettle-devel-32bit-3.7.3-1.2 openSUSE Tumbleweed:libnettle8-3.7.3-1.2 openSUSE Tumbleweed:libnettle8-32bit-3.7.3-1.2 openSUSE Tumbleweed:nettle-3.7.3-1.2 moderate 3.3 AV:L/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-16869.html CVE-2018-16869 https://bugzilla.suse.com/1117951 SUSE Bug 1117951 https://bugzilla.suse.com/1118086 SUSE Bug 1118086 https://bugzilla.suse.com/1118087 SUSE Bug 1118087 https://bugzilla.suse.com/1134856 SUSE Bug 1134856 A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2021-20305 openSUSE Tumbleweed:libhogweed6-3.7.3-1.2 openSUSE Tumbleweed:libhogweed6-32bit-3.7.3-1.2 openSUSE Tumbleweed:libnettle-devel-3.7.3-1.2 openSUSE Tumbleweed:libnettle-devel-32bit-3.7.3-1.2 openSUSE Tumbleweed:libnettle8-3.7.3-1.2 openSUSE Tumbleweed:libnettle8-32bit-3.7.3-1.2 openSUSE Tumbleweed:nettle-3.7.3-1.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-20305.html CVE-2021-20305 https://bugzilla.suse.com/1183835 SUSE Bug 1183835 https://bugzilla.suse.com/1184401 SUSE Bug 1184401 A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service. CVE-2021-3580 openSUSE Tumbleweed:libhogweed6-3.7.3-1.2 openSUSE Tumbleweed:libhogweed6-32bit-3.7.3-1.2 openSUSE Tumbleweed:libnettle-devel-3.7.3-1.2 openSUSE Tumbleweed:libnettle-devel-32bit-3.7.3-1.2 openSUSE Tumbleweed:libnettle8-3.7.3-1.2 openSUSE Tumbleweed:libnettle8-32bit-3.7.3-1.2 openSUSE Tumbleweed:nettle-3.7.3-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3580.html CVE-2021-3580 https://bugzilla.suse.com/1187060 SUSE Bug 1187060 https://bugzilla.suse.com/1187892 SUSE Bug 1187892