Fix CVE-2021-20305: A flaw was found in Nettle in versions before 3.7.2,
where several Nettle signature verification functions (GOST DSA, EDDSA &
ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply
function being called with out-of-range scalers, possibly resulting in
incorrect results. This flaw allows an attacker to force an invalid
signature, causing an assertion failure or possible validation. The
highest threat to this vulnerability is to confidentiality, integrity,
as well as system availability.
https://git.lysator.liu.se/nettle/nettle/-/blob/nettle_3.7.2_release_20210321/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
# Locally calculated after checking pgp signature
-# https://ftp.gnu.org/gnu/nettle/nettle-3.7.1.tar.gz.sig
-sha256 156621427c7b00a75ff9b34b770b95d34f80ef7a55c3407de94b16cbf436c42e nettle-3.7.1.tar.gz
+# https://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz.sig
+sha256 8d2a604ef1cde4cd5fb77e422531ea25ad064679ff0adf956e78b3352e0ef162 nettle-3.7.2.tar.gz
# Locally calculated
sha256 a853c2ffec17057872340eee242ae4d96cbf2b520ae27d903e1b2fef1a5f9d1c COPYING.LESSERv3
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYINGv2
#
################################################################################
-NETTLE_VERSION = 3.7.1
+NETTLE_VERSION = 3.7.2
NETTLE_SITE = http://www.lysator.liu.se/~nisse/archive
NETTLE_DEPENDENCIES = gmp
NETTLE_INSTALL_STAGING = YES
projects / buildroot.git / commitdiff