Hello community, here is the log from the commit of package libnettle for openSUSE:Factory checked in at 2019-01-08 12:18:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libnettle (Old) and /work/SRC/openSUSE:Factory/.libnettle.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libnettle" Tue Jan 8 12:18:19 2019 rev:31 rq:662470 version:3.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/libnettle/libnettle.changes 2018-12-11 15:44:48.226406353 +0100 +++ /work/SRC/openSUSE:Factory/.libnettle.new.28833/libnettle.changes 2019-01-08 12:18:20.312933493 +0100 @@ -1,0 +2,29 @@ +Wed Jan 2 13:48:54 UTC 2019 - Vítězslav Čížek <[email protected]> + +- Update to 3.4.1 release + * Fix CVE-2018-16869 (bsc#1118086) + All functions using RSA private keys are now side-channel + silent, meaning that they try hard to avoid any branches or + memory accesses depending on secret data. This applies both to + the bignum calculations, which now use GMP's mpn_sec_* family + of functions, and the processing of PKCS#1 padding needed for + RSA decryption. + * Changes in behavior: + The functions rsa_decrypt and rsa_decrypt_tr may now clobber + all of the provided message buffer, independent of the + actual message length. They are side-channel silent, in that + branches and memory accesses don't depend on the validity or + length of the message. Side-channel leakage from the + caller's use of length and return value may still provide an + oracle useable for a Bleichenbacher-style chosen ciphertext + attack. Which is why the new function rsa_sec_decrypt is + recommended. + * New features: + A new function rsa_sec_decrypt. + * Bug fixes: + - Fix bug in pkcs1-conv, missing break statements in the + parsing of PEM input files. + - Fix link error on the pss-mgf1-test test, affecting builds + without public key support. + +------------------------------------------------------------------- Old: ---- nettle-3.4.1rc1.tar.gz nettle-3.4.1rc1.tar.gz.sig New: ---- nettle-3.4.1.tar.gz nettle-3.4.1.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libnettle.spec ++++++ --- /var/tmp/diff_new_pack.IMBUNj/_old 2019-01-08 12:18:23.384930611 +0100 +++ /var/tmp/diff_new_pack.IMBUNj/_new 2019-01-08 12:18:23.384930611 +0100 @@ -1,7 +1,7 @@ # # spec file for package libnettle # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,17 +18,15 @@ %define soname 6 %define hogweed_soname 4 -%define realversion 3.4.1rc1 -%define shortversion 3.4.1 Name: libnettle -Version: 3.4.1~rc1 +Version: 3.4.1 Release: 0 Summary: Cryptographic Library License: LGPL-2.1-or-later AND GPL-2.0-or-later Group: Development/Libraries/C and C++ URL: https://www.lysator.liu.se/~nisse/nettle/ -Source0: https://www.lysator.liu.se/~nisse/archive/nettle-%{realversion}.tar.gz -Source1: https://www.lysator.liu.se/~nisse/archive/nettle-%{realversion}.tar.gz.sig +Source0: https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz +Source1: https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz.sig Source2: %{name}.keyring Source3: baselibs.conf # PATCH-FIX-UPSTREAM respect cflags while building @@ -95,7 +93,7 @@ operations using the nettle library. %prep -%setup -q -n nettle-%{shortversion} +%setup -q -n nettle-%{version} %patch0 -p1 %build ++++++ nettle-3.4.1rc1.tar.gz -> nettle-3.4.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.4.1/ChangeLog new/nettle-3.4.1/ChangeLog --- old/nettle-3.4.1/ChangeLog 2018-11-28 22:47:28.000000000 +0100 +++ new/nettle-3.4.1/ChangeLog 2018-12-04 21:56:06.000000000 +0100 @@ -1,3 +1,7 @@ +2018-12-04 Niels Möller <[email protected]> + + * Released nettle-3.4.1. + 2018-11-28 Niels Möller <[email protected]> * configure.ac: Update GMP check. Check for the function
