Hi Niels and gnutls maintainers,

I do not think coordination with gnutls is needed. I can not see that gnutls depends on nettle in wheezy. I can see that it could potentially do that, but I do not think it does.

There are no dependencies declared on the nettle library, and from the unstable changelog it looks like this build dependency was first added in gnutls28. Wheezy has gnutls28. I may be wrong, however. Or can it be that nettle is built in statically and that a build dependency is not needed because some other package has a build dependency, so we get it indirectly? I'm including the gnutls maintainers to get their opinion.

// Ola

On Sat, Aug 6, 2016 at 8:40 PM, Niels Möller <ni...@lysator.liu.se> wrote:
> Ola Lundqvist <o...@inguza.com> writes:
>
> > Magnus, Niels and I have been discussing the nettle update due to
> > https://security-tracker.debian.org/tracker/CVE-2016-6489
>
> Please note that some coordination with gnutls may be needed, to avoid
> a denial-of-service problem involving invalid private keys.
>
> > I suggest something like this:
> > "Protect against potential timing attacks against exponentiation operations
> > as described in CVE-2016-6489 RSA code is vulnerable to cache sharing
> > related attacks."
>
> I'd suggest the more general "side-channel attacks" over "timing
> attacks".
>
> /Niels
>
> --
> Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
> Internet email is subject to wholesale government surveillance.

--
--- Inguza Technology AB --- MSc in Information Technology ----
/ o...@inguza.com Folkebogatan 26 \
| o...@debian.org 654 68 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------