On 7/14/22 15:09, Mishra, Milind via libmicrohttpd wrote:
> Hello,
> The project I work on uses libmicrohttpd.so. This library in turn is
> dependent on libnettle6.so.
> As per CVE-2021-3580
> <https://www.suse.com/security/cve/CVE-2021-3580.html> there was a
> security flaw in libnettle6 - 3.4.1-4.15.1 which was fixed in 3.4.1-4.18.1.
> Have the fixes in version 3.4.1-4.18.1 incorporated any changes that
> might impact the working of libmicrohttpd.so?

If you are statically linked against libnettle *and* have enabled RSA
key transport in your TLS configuration, then you may need to re-link
GNU libmicrohttpd. If you are dynamically linked, simply updating the
libnettle.so dependency should be completely sufficient.
Note that GNU libmicrohttpd doesn't directly use GNU nettle; we only use
it via GnuTLS.
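
Added example (not part of the original thread and not libmicrohttpd project code): one way to check which of the two linkage cases above applies is to classify the `ldd` output of the libmicrohttpd build in use. The function name, the result labels and the sample `ldd` lines are constructed for illustration, and the result is a heuristic that only reports what the dynamic loader would resolve.

```shell
#!/bin/sh
# Reads `ldd` output on stdin and reports how nettle reaches the binary.
# Typical use: ldd /path/to/libmicrohttpd.so | classify_nettle_linkage
# (the path is a placeholder for your own build).
classify_nettle_linkage() {
    awk '
        /libgnutls\.so/ { gnutls = 1 }
        # nettle keeps its public-key (RSA) code in the companion libhogweed
        /lib(nettle|hogweed)\.so/ {
            dyn = 1
            # print the resolved path, or the soname if ldd could not resolve it
            libs = libs " " (($3 ~ /^\//) ? $3 : $1)
        }
        END {
            if (dyn)         print "dynamic:" libs       # updating the .so is enough
            else if (gnutls) print "nettle-not-dynamic"  # nettle may be built into libgnutls
            else             print "gnutls-not-dynamic"  # no TLS, or GnuTLS linked statically
        }'
}

# Constructed sample of ldd output for a dynamically linked build.
SAMPLE_DYNAMIC='	linux-vdso.so.1 (0x00007ffd00000000)
	libgnutls.so.30 => /usr/lib64/libgnutls.so.30 (0x00007f0100000000)
	libnettle.so.6 => /usr/lib64/libnettle.so.6 (0x00007f0200000000)
	libhogweed.so.4 => /usr/lib64/libhogweed.so.4 (0x00007f0300000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0400000000)'

printf '%s\n' "$SAMPLE_DYNAMIC" | classify_nettle_linkage
```

A "dynamic" result corresponds to the case where updating the shared library package is sufficient; either of the other two results means the build should be inspected for a statically linked copy before relying on the package update alone.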