openSUSE has issued an advisory on December 23: https://lists.opensuse.org/opensuse-updates/2018-12/msg00120.html The issue is fixed upstream in 3.4.1.
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing two committers.
CC: (none) => mageia, marja11, smelror
Assignee: bugsquad => pkg-bugs
Fixed for mga6!
CC: (none) => geiger.david68210
Advisory:
========================

Updated nettle packages fix security vulnerability:

A leaky data conversion exposing a Manger oracle (CVE-2018-16869).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16869
https://lists.opensuse.org/opensuse-updates/2018-12/msg00120.html
========================

Updated packages in core/updates_testing:
========================
nettle-3.4.1-1.mga6
libnettle6-3.4.1-1.mga6
libhogweed4-3.4.1-1.mga6
libnettle-devel-3.4.1-1.mga6

from nettle-3.4.1-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Background
"Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space."

$ urpmq --whatrequires nettle
[nothing else]

$ urpmq --whatrequires lib64nettle6 | uniq
aria2
filezilla
gstreamer1.0-plugins-bad
iputils
ivshmem-tools
lib64gnutls30
lib64hogweed4
lib64nettle-devel
lib64nettle6
lib64opendht1
nettle
qemu-block-*
qemu-common
qemu-img
qemu-system-*
tigervnc-server

$ urpmq --whatrequires libhogweed4 | uniq
filezilla
libgnutls30
libhogweed4
libnettle-devel
nettle

Nothing useful in the CVE references.
-------------------------------------
BUT see bug https://bugs.mageia.org/show_bug.cgi?id=17669 comments 3 & 4 where Len put nettle through hoops, to Claire's commendation; so that should do us.
CC: (none) => lewyssmith
Elaborating on https://bugs.mageia.org/show_bug.cgi?id=17669#c3 for future reference.

$ nettle-hash --help
Usage: nettle-hash -a ALGORITHM [OPTIONS] [FILE ...]
Options:
  --help                   Show this help.
  -V, --version            Show version information.
  --list                   List supported hash algorithms.
  -a, --algorithm=ALG      Hash algorithm to use.
  -l, --length=LENGTH      Desired digest length (octets)
  --raw                    Raw binary output.

$ nettle-lfib-stream --help
Usage: lfib-stream [SEED]

$ nettle-pbkdf2 --help
Usage: nettle-pbkdf2 [OPTIONS] SALT
Options:
  --help                   Show this help.
  -V, --version            Show version information.
  -i, --iterations=COUNT   Desired iteration count (default 10000).
  -l, --length=LENGTH      Desired output length (octets, default 16)
  --raw                    Raw binary output.
  --hex-salt               Use hex encoding for the salt.

$ pkcs1-conv --help
[no usage info]

$ sexp-conv --help
Usage: sexp-conv [OPTION...]
Conversion:     sexp-conv [OPTION...] <INPUT-SEXP
Fingerprinting: sexp-conv --hash=HASH <INPUT-SEXP

Reads an s-expression on stdin, and outputs the same sexp on stdout, possibly with a different syntax.

  --hash[=ALGORITHM]       Outputs only the hash of the expression. Available hash algorithms: md5, sha1, sha256 (default is sha1).
  -s, --syntax=SYNTAX      The syntax used for the output. Available variants: advanced, hex, transport, canonical
  --once                   Process only the first s-expression.
  -w, --width=WIDTH        Linewidth for base64 encoded data. Zero means no limit.
  --lock                   Lock output file.
  --raw-hash               Alias for --hash, for compatibility with lsh-1.x.

Closing this comment to isolate it.
BEFORE update:
nettle-3.3-1.mga6
lib64hogweed4-3.3-1.mga6
lib64nettle6-3.3-1.mga6

Tried some simple commands following Len's earlier lead.

$ cat nettle.txt
Llanfair-ym-Muallt
$ nettle-hash -a md5 nettle.txt
nettle.txt: 03e3b52ff2e0d4d6 7bc59b38a33b3fe6 md5
$ md5sum nettle.txt
03e3b52ff2e0d4d67bc59b38a33b3fe6 nettle.txt
$ nettle-hash -a sha1 nettle.txt
nettle.txt: 3211fc7a1375444f 7463dd95b1bebc55 21d14ff4 sha1
$ sha1sum nettle.txt
3211fc7a1375444f7463dd95b1bebc5521d14ff4 nettle.txt
$ nettle-pbkdf2 123 < nettle.txt
51fdd1371786138d f67d9f8be7d4457f
$ sexp-conv < nettle.txt
Llanfair-ym-Muallt
$ sexp-conv --hash < nettle.txt
6b12d582097f1ddaa29395f0e5b36032aea8d6a1
$ sexp-conv -s hex < nettle.txt
Llanfair-ym-Muallt
-------------------
AFTER update:
- lib64hogweed4-3.4.1-1.mga6.x86_64
- lib64nettle6-3.4.1-1.mga6.x86_64
- nettle-3.4.1-1.mga6.x86_64

$ nettle-hash -a md5 nettle.txt
nettle.txt: 03e3b52ff2e0d4d6 7bc59b38a33b3fe6 md5
$ nettle-hash -a sha1 nettle.txt
nettle.txt: 3211fc7a1375444f 7463dd95b1bebc55 21d14ff4 sha1
$ nettle-pbkdf2 123 < nettle.txt
51fdd1371786138d f67d9f8be7d4457f
$ sexp-conv < nettle.txt
Llanfair-ym-Muallt
$ sexp-conv --hash < nettle.txt
6b12d582097f1ddaa29395f0e5b36032aea8d6a1
$ sexp-conv -s hex < nettle.txt
Llanfair-ym-Muallt

In blissful ignorance of what it all means, all the results are identical. So OKing, validating, advisory from comment 3.
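The hand comparison in the QA session above (and the tool listing in the earlier comment) can be scripted so the before/after check of an update is mechanical and cannot be fooled by the different output layouts: nettle-hash prints the digest in 16-hex-character groups, md5sum/sha1sum print it unbroken. This is an added example, not code from the bug report or from the nettle project. The function names nettle_digest, coreutils_digest, digests_match, check_file and demo are constructed for the example, the sample output lines are the ones from the session above, and the live check assumes nettle-hash and the coreutils md5sum/sha1sum are on PATH (it skips cleanly when they are not).

```shell
#!/bin/sh
# Added example (not from the bug report or the nettle project): script the
# nettle-hash vs coreutils comparison done by hand in the QA session above.
# nettle-hash prints "FILE: <digest in 16-hex-char groups> <alg>", while
# md5sum/sha1sum print "<digest> FILE", so both outputs are normalised to a
# bare lowercase hex string before being compared.

# Extract the digest from one nettle-hash output line, joining the groups.
#   "nettle.txt: 03e3b52ff2e0d4d6 7bc59b38a33b3fe6 md5"
#   -> 03e3b52ff2e0d4d67bc59b38a33b3fe6
nettle_digest() {
    printf '%s\n' "$1" \
        | sed 's/^[^:]*: //' \
        | awk '{ d = ""; for (i = 1; i < NF; i++) d = d $i; print d }'
}

# Extract the digest from one md5sum/sha1sum output line (first field).
coreutils_digest() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Return 0 when a nettle-hash line and a coreutils line carry the same digest.
digests_match() {
    [ "$(nettle_digest "$1")" = "$(coreutils_digest "$2")" ]
}

# Live check for one file and algorithm (md5 or sha1). Skips cleanly when the
# tools are not installed; returns 1 on a mismatch so it can gate a QA run.
check_file() {
    file=$1
    alg=$2
    if ! command -v nettle-hash >/dev/null 2>&1 \
       || ! command -v "${alg}sum" >/dev/null 2>&1; then
        echo "SKIP     $alg: nettle-hash or ${alg}sum not installed"
        return 0
    fi
    n=$(nettle-hash -a "$alg" "$file")
    c=$("${alg}sum" "$file")
    if digests_match "$n" "$c"; then
        echo "OK       $alg $(coreutils_digest "$c") $file"
    else
        echo "MISMATCH $alg nettle=$(nettle_digest "$n") coreutils=$(coreutils_digest "$c") $file"
        return 1
    fi
}

# Stand-alone run on a constructed sample file holding the same content as
# the session above; run it once before and once after the update.
demo() {
    tmp=$(mktemp) || return 1
    printf 'Llanfair-ym-Muallt\n' > "$tmp"
    rc=0
    check_file "$tmp" md5 || rc=1
    check_file "$tmp" sha1 || rc=1
    rm -f "$tmp"
    return $rc
}

demo
```

Running the script before and after installing the update gives an OK/MISMATCH line per algorithm instead of two hex strings to eyeball; a non-zero exit is the signal that the updated library no longer agrees with coreutils on the same input.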
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0024.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED