Debian-LTS has issued an advisory on August 11:
http://lwn.net/Alerts/697112/

I had already fixed this in Cauldron, but didn't realize older versions were also affected. Debian's patch for 2.4 applies cleanly to 2.7. I've checked it into Mageia 5 SVN. The patch(es) for 3.2 need to be rediffed for 3.0 in Mageia 5.
Patched packages uploaded for Mageia 5.

More info about this issue in this thread:
http://openwall.com/lists/oss-security/2016/07/29/2

Testing hints in Bug 17669.

Advisory:
========================

Updated nettle2.7 and nettle packages fix security vulnerability:

The cryptographic library nettle had a potential information leak problem reported. RSA code is vulnerable to cache sharing related attacks (CVE-2016-6489).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6489
http://lwn.net/Alerts/697112/
========================

Updated packages in core/updates_testing:
========================
nettle2.7-2.7.1-6.2.mga5
libnettle4-2.7.1-6.2.mga5
libhogweed2-2.7.1-6.2.mga5
libnettle2.7-devel-2.7.1-6.2.mga5
nettle-3.0-3.2.mga5
libnettle5-3.0-3.2.mga5
libhogweed3-3.0-3.2.mga5
libnettle-devel-3.0-3.2.mga5

from SRPMS:
nettle2.7-2.7.1-6.2.mga5.src.rpm
nettle-3.0-3.2.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Mate on x86_64

Made a quick inventory check before the update because these packages had been tested on this machine before. After the updates repeated some of the steps in bug 17669 to exercise the libraries.

$ nettle-hash -a md5 nettles
nettles: 61cd448d4a87840d 0a1ca521bf58abe0 md5
$ md5sum nettles
61cd448d4a87840d0a1ca521bf58abe0 nettles
$ nettle-hash -a sha1 nettles
nettles: fef2703dc089a852 fbc7d2b9bc31d64d 6ffd6ccd sha1
$ sha1sum nettles
fef2703dc089a852fbc7d2b9bc31d64d6ffd6ccd nettles

nettles was the original bug report, ascii text.

Used nettle-pbkdf2 with the same data as before and returned the same results. nettle-lfib-stream returned a continuous stream of binary data as before. And again, lacking knowledge of "s-expression" (sexp) format and PKCS #1, I left the two conv utilities alone.

-------------------------------------------------------------------------------

nettle2.7 could not be installed:

# urpmi nettle2.7
http://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/5/x86_64/media/core/updates_testing/nettle2.7-2.7.1-6.2.mga5.x86_64.rpm
installing nettle2.7-2.7.1-6.2.mga5.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
Installation failed:
file /usr/bin/nettle-hash from install of nettle2.7-1:2.7.1-6.2.mga5.x86_64 conflicts with file from package nettle-1:3.0-3.2.mga5.x86_64
file /usr/bin/nettle-lfib-stream from install of nettle2.7-1:2.7.1-6.2.mga5.x86_64 conflicts with file from package nettle-1:3.0-3.2.mga5.x86_64
file /usr/bin/pkcs1-conv from install of nettle2.7-1:2.7.1-6.2.mga5.x86_64 conflicts with file from package nettle-1:3.0-3.2.mga5.x86_64
file /usr/bin/sexp-conv from install of nettle2.7-1:2.7.1-6.2.mga5.x86_64 conflicts with file from package nettle-1:3.0-3.2.mga5.x86_64
file /usr/share/info/nettle.info.xz from install of nettle2.7-1:2.7.1-6.2.mga5.x86_64 conflicts with file from package nettle-1:3.0-3.2.mga5.x86_64

This looks a bit like the problem when it was last tested, viz. Claire's report bug 17726.
CC: (none) => tarazed25
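The cross-check above (nettle-hash against coreutils md5sum/sha1sum) was done by eye, since nettle-hash prints the digest in 16-character hex groups and coreutils prints it unbroken. The script below is an added example, not from the bug report or the nettle project: it normalises both output formats and compares them, so the same check can be scripted for every algorithm. It assumes the nettle-hash output layout shown in this thread ("name: <grouped hex> <algo>") and that the coreutils tools are on PATH; cross_check only works where nettle-hash is installed.

```shell
#!/bin/sh
# QA helper: compare the digest printed by nettle-hash with the digest printed
# by the matching coreutils tool for the same file. Example code, not part of
# the nettle package; the nettle-hash line format is assumed from this thread.

# nettle_digest LINE
#   "nettles: 61cd448d4a87840d 0a1ca521bf58abe0 md5" -> "61cd448d4a87840d0a1ca521bf58abe0"
#   Field 1 is the file name, the last field is the algorithm name, everything
#   between is the digest split into hex groups; join the groups.
nettle_digest() {
    printf '%s\n' "$1" | awk '{ d = ""; for (i = 2; i < NF; i++) d = d $i; print d }'
}

# coreutils_digest LINE
#   "61cd448d4a87840d0a1ca521bf58abe0 nettles" -> "61cd448d4a87840d0a1ca521bf58abe0"
coreutils_digest() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# digests_match NETTLE_LINE COREUTILS_LINE
#   exit status 0 when both lines carry the same digest, 1 otherwise
digests_match() {
    [ -n "$(nettle_digest "$1")" ] &&
    [ "$(nettle_digest "$1")" = "$(coreutils_digest "$2")" ]
}

# cross_check FILE ALGO
#   runs both tools live; needs nettle-hash (from the package under test) and coreutils
cross_check() {
    file=$1
    algo=$2
    case $algo in
        md5)    tool=md5sum ;;
        sha1)   tool=sha1sum ;;
        sha256) tool=sha256sum ;;
        sha512) tool=sha512sum ;;
        *) echo "cross_check: no coreutils counterpart for $algo" >&2; return 2 ;;
    esac
    if digests_match "$(nettle-hash -a "$algo" "$file")" "$("$tool" "$file")"; then
        echo "$algo: nettle-hash and $tool agree on $file"
    else
        echo "$algo: MISMATCH between nettle-hash and $tool on $file" >&2
        return 1
    fi
}

# Typical use after installing the updates_testing packages:
#   for a in md5 sha1 sha256 sha512; do cross_check nettles "$a"; done
```

Because the comparison is done on the normalised digest rather than on the raw tool output, the same helper works for any digest length, and a mismatch (or an empty digest if nettle-hash failed) makes the script exit non-zero, which is what a QA run wants.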
They're not meant to be co-installed. Uninstall one before installing the other.
Thanks David. You probably said that before.
Installed nettle2.7 after removing nettle3 packages. nettle-hash and nettle-lfib-stream worked as before. No nettle-pbkdf2 package. Looks OK for 64-bits then.
Whiteboard: (none) => MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0290.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED