Hello community,

here is the log from the commit of package libnettle for openSUSE:Factory 
checked in at 2016-11-03 12:57:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libnettle (Old)
 and      /work/SRC/openSUSE:Factory/.libnettle.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libnettle"

Changes:
--------
--- /work/SRC/openSUSE:Factory/libnettle/libnettle.changes      2016-02-25 
21:44:45.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libnettle.new/libnettle.changes 2016-11-03 
12:57:45.000000000 +0100
@@ -1,0 +2,31 @@
+Fri Oct 28 13:20:46 UTC 2016 - [email protected]
+
+- libnettle 3.3:
+  * Invalid private RSA keys, with an even modulo, are now
+    rejected by rsa_private_key_prepare. (Earlier versions
+    allowed such keys, even if results of using them were bogus).
+    Nettle applications are required to call
+    rsa_private_key_prepare and check the return value, before
+    using any other RSA private key functions; failing to do so
+    may result in crashes for invalid private keys.
+  * Ignore bit 255 of the x coordinate of the input point to
+    curve25519_mul, as required by RFC 7748. To differentiate at
+    compile time, curve25519.h defines the constant
+    NETTLE_CURVE25519_RFC7748.
+  * RSA and DSA now use side-channel silent modular
+    exponentiation, to defend against attacks on the private key
+    from evil processes sharing the same processor cache. This
+    attack scenario is of particular relevance when running an
+    HTTPS server on a virtual machine, where you don't know who
+    you share the cache hardware with.
+    bsc#991464 CVE-2016-6489
+  * Fix sexp-conv crashes on invalid input
+  * Fix out-of-bounds read in des_weak_p
+  * Fix a couple of formally undefined shift operations
+  * Fix compilation with c89
+  * New function memeql_sec, for side-channel silent comparison
+    of two memory areas.
+  * Building the public key support of nettle now requires GMP
+    version 5.0 or later (unless --enable-mini-gmp is used).
+
+-------------------------------------------------------------------
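Review bot: The items `Fix sexp-conv crashes on invalid input` and `Fix out-of-bounds read in des_weak_p` carry no bug reference, while only the side-channel item is tagged with `bsc#991464 CVE-2016-6489`. If tracker entries exist for those two fixes, put them on the same lines so the fixes can be traced. The first item is also a behaviour change for callers (rsa_private_key_prepare now rejects keys with an even modulus, and its return value has to be checked), so it is worth stating in this entry whether packages that use nettle's RSA private key functions were looked at.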

Old:
----
  nettle-3.2.tar.gz
  nettle-3.2.tar.gz.sig

New:
----
  nettle-3.3.tar.gz
  nettle-3.3.tar.gz.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libnettle.spec ++++++
--- /var/tmp/diff_new_pack.15jFDJ/_old  2016-11-03 12:57:46.000000000 +0100
+++ /var/tmp/diff_new_pack.15jFDJ/_new  2016-11-03 12:57:46.000000000 +0100
@@ -19,7 +19,7 @@
 %define soname 6
 %define hogweed_soname 4
 Name:           libnettle
-Version:        3.2
+Version:        3.3
 Release:        0
 Summary:        Cryptographic Library
 License:        LGPL-2.1+ and GPL-2.0+
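Review bot: `%define soname 6` and `%define hogweed_soname 4` are left unchanged while `Version:` moves to 3.3, and the changelog entry for this update lists a new function (memeql_sec) and stricter behaviour in rsa_private_key_prepare. Please confirm that the 3.3 libraries still install under these sonames, so that the libnettle%{soname} and libhogweed%{hogweed_soname} subpackages keep matching what is built.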
@@ -101,16 +101,12 @@
 make %{?_smp_mflags}
 
 %install
-make DESTDIR=%{buildroot} install %{?_smp_mflags}
+make %{?_smp_mflags} DESTDIR=%{buildroot} install
 
 %post   -n libnettle%{soname} -p /sbin/ldconfig
-
 %postun -n libnettle%{soname} -p /sbin/ldconfig
-
 %post   -n libhogweed%{hogweed_soname} -p /sbin/ldconfig
-
 %postun -n libhogweed%{hogweed_soname} -p /sbin/ldconfig
-
 %post -n libnettle-devel
 %install_info --info-dir="%{_infodir}" "%{_infodir}"/nettle.info%{ext_info}
 
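Review bot: The `%install` line still passes `%{?_smp_mflags}` to the install target, so `make %{?_smp_mflags} DESTDIR=%{buildroot} install` behaves the same as the line it replaces; if the intent was to avoid a parallel install, drop `%{?_smp_mflags}` here rather than moving it. The removal of the blank lines between the `-p /sbin/ldconfig` scriptlets and this reorder are not recorded in the libnettle.changes entry, which lists only the upstream 3.3 items; a short "spec cleanup" line there would cover them.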


++++++ nettle-3.2.tar.gz -> nettle-3.3.tar.gz ++++++
++++ 3764 lines of diff (skipped)

