oss-sec mailing list archives
CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Fri, 29 Jul 2016 14:19:38 +0530
Hi All,

The following whitepaper talks about libgcrypt's RSA code being vulnerable to a cache timing attack, which the paper claims is fixed in 1.6.3.

It seems nettle is also vulnerable to this flaw, which was confirmed by upstream via:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html

The above link also contains a proposed patch, which will be committed soon.

I would like to request a CVE id for the flaw in nettle.

Note: libgcrypt-1.6.3 release notes talk about 2 CVEs being fixed, but they don't mention this paper at all. (I am going to talk to the researchers to figure this out.)

--
Huzaifa Sidhpurwala / Red Hat Product Security Team
Current thread:
- CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks Huzaifa Sidhpurwala (Jul 29)
- Re: CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks cve-assign (Jul 29)
- Re: Re: CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks Huzaifa Sidhpurwala (Jul 31)
- Re: CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks Hanno Böck (Jul 30)
- Re: CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks cve-assign (Jul 29)