new version: 3.7.2 is already in Cauldron, thanks to DavidG.
Can we leave this with you (rather than assigning it globally), since this pkg has no regular maintainer?

Assignee: bugsquad => geiger.david68210

Ubuntu has issued an advisory for this on April 13:
https://ubuntu.com/security/notices/USN-4906-1

Fedora has issued an advisory for this on March 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WFQW4L3RFRTEMBPVMGCLTVYKHV7ZVPZK/

Upstream announcement:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009458.html

GnuTLS issue is in Bug 29021.

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29021

openSUSE has issued an advisory for this on May 1:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JEQQBLTWQPDTYRTWQZSXENUU6TSCBJ5R/

Done for mga8!

Mageia 7 still needs to be addressed.  Should be able to borrow patches for 3.4.x from CentOS 8, Ubuntu 18.04, or openSUSE 15.2.

RPMS for Mageia 8:
nettle-3.7.2-1.mga8
libhogweed6-3.7.2-1.mga8
libnettle8-3.7.2-1.mga8
libnettle-devel-3.7.2-1.mga8

Debian has issued an advisory on June 18:
https://www.debian.org/security/2021/dsa-4933

The new issue is fixed upstream in 3.7.3.

We should be able to borrow patches from them for 3.4.x.

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Status comment: Fixed upstream in 3.7.2 => Fixed upstream in 3.7.3
Version: 8 => Cauldron
Summary: nettle new security issue CVE-2021-20305 => nettle new security issues CVE-2021-3580 and CVE-2021-20305

Ubuntu has issued an advisory for this on June 17:
https://ubuntu.com/security/notices/USN-4990-1

Fedora has issued an advisory for CVE-2021-3580 on June 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KGBL75LJ3RNNROM4L4VPSEEABMH3HWL4/

Upstream announcement:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009545.html

openSUSE has issued an advisory for CVE-2021-3580 today (June 24):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/D4XGPKTRWLOEATNJNZGQZCO6BZTKIKJ6/

Advisory:
========================

Updated nettle packages fix security vulnerabilities:

Remote crash in RSA decryption via manipulated ciphertext (CVE-2021-3580).

A flaw was found in Nettle in versions before 3.7.2, where several Nettle
signature verification functions (GOST DSA, EDDSA & ECDSA) result in the
Elliptic Curve Cryptography point (ECC) multiply function being called with
out-of-range scalers, possibly resulting in incorrect results. This flaw
allows an attacker to force an invalid signature, causing an assertion
failure or possible validation (CVE-2021-20305).

The Mageia 8 nettle package has been updated to version 3.7.3 and the Mageia 7
nettle package has been patched to fix these issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3580
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20305
https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009458.html
https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009545.html
https://ubuntu.com/security/notices/USN-4906-1
https://ubuntu.com/security/notices/USN-4990-1
========================

Updated packages in core/updates_testing:
========================
nettle-3.4.1-1.1.mga7
libnettle6-3.4.1-1.1.mga7
libhogweed4-3.4.1-1.1.mga7
libnettle-devel-3.4.1-1.1.mga7
nettle-3.7.3-1.mga8
libhogweed6-3.7.3-1.mga8
libnettle8-3.7.3-1.mga8
libnettle-devel-3.7.3-1.mga8

from SRPMS:
nettle-3.4.1-1.1.mga7.src.rpm
nettle-3.7.3-1.mga8.src.rpm

Version: Cauldron => 8
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
Status comment: Fixed upstream in 3.7.3 => (none)
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

mga7, x64

Installed any missing core packages.
Introduction at https://www.linuxfromscratch.org/blfs/view/svn/postlfs/nettle.html

There do not seem to be any PoC tests.
Tried out some commands.
$ nettle-hash --algorithm=sha512 manifest
manifest: fce391c58dbae004 da37fa63a11cc8d1 f3bf5c367628dcc6 a87c5e855303bf6a e5abce6b16c5261f 645d825c43ff2031 ad30783fe86fb57b 3053feea857d1836 sha512

$ nettle-lfib-stream
Omitting a seed.
Generated a stream of encrypted data (to be used as test data only).

Difficult to figure out exactly how to use this package - minimal help and no man pages.

viz:
$ pkcs1-conv id_rsa id_rsa.pub
Ignoring unsupported object type `OPENSSH PRIVATE KEY'.

There is also an sexp-conv utility.

Going ahead with the update using qarepo and MageiaUpdate.
$ rpm -qa | grep nettle
lib64nettle-devel-3.4.1-1.1.mga7
lib64nettle6-3.4.1-1.1.mga7
nettle-3.4.1-1.1.mga7
$ rpm -q lib64hogweed4
lib64hogweed4-3.4.1-1.1.mga7

$ nettle-hash --algorithm=sha3_256 list
list: 58945647534e7af5 22e120e69da5be1b 79bbb0dce1e39543 d57c8a90581b06d1 sha3_256
$ nettle-lfib-stream
Interrupted the output stream with SIGINT.

This is as far as it goes.  All we can say is no detectable regressions.

CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

If there's no PoC, testing the nettle package itself doesn't really tell you anything.  Packages that use the library need to be tested, especially on Mageia 8 since it was updated.

Yes, I just realized that I had not checked the requires.  Most of these are unfamiliar territory.  Shall try some tomorrow but don't have much spare time - out of town for a week from Wednesday.

aria2
chrony
claws-mail
dnsmasq
epiphany
filezilla
ocaml-ocamlnet
qemu*
rdesktop
tigervnc-server
viking

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO

Continuing from comment 14.

Ran epiphany under strace.
$ grep nettle epiphany.trace
openat(AT_FDCWD, "/lib64/libnettle.so.6", O_RDONLY|O_CLOEXEC) = 3
read(13, "          /usr/lib64/libnettle.s"..., 1024) = 1024

Installed viking using urpmi.
$ grep aria2 urpmi.trace
stat("/usr/bin/aria2c", {st_mode=S_IFREG|0755, st_size=2041832, ...}) = 0
......
$ grep nettle urpmi.trace
stat("/usr/share/doc/lib64nettle-devel/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

Ran viking under strace.  Help->about indicates that the package is a "GPS Data and Topo Analyzer, Explorer, and Manager".  The gui came up with default coordinates 5 hours west of here, somewhere in the USA.  Most of the tools were greyed out but ruler worked, showing the distance between two points.  No idea what to do with it.  Browsed the manual which gives the impression that the application is not much use without a GPS device.  None here.  It looks like a powerful program though.
$ grep nettle viking.trace
openat(AT_FDCWD, "/lib64/libnettle.so.6", O_RDONLY|O_CLOEXEC) = 3

These quick tests show that nettle is being used in some fashion.  Letting it go.

mga8, x64

Installed nettle components and updated.
Tried out a couple of nettle cli tools then applications which use it:
epiphany browser, aria2 and viking.

$ grep nettle epiphany.trace
openat(AT_FDCWD, "/usr/lib64/epiphany/libnettle.so.8", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libnettle.so.8", O_RDONLY|O_CLOEXEC) = 3

$ sudo strace -o aria2.trace urpmi viking
$ grep nettle aria2.trace
write(5, "lib64hogweed6\nnettle\nlib64nettle"..., 58) = 58
stat("/usr/share/doc/nettle/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/share/doc/lib64nettle-devel/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

Tinkered with the viking interface, which looks fully functional.
$ grep nettle viking.trace
openat(AT_FDCWD, "/lib64/libnettle.so.8", O_RDONLY|O_CLOEXEC) = 3

Hoping this is sufficient.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

"Hogweed." Named after some nasty stuff. The sap produces very bad burns on the skin. The State of New York is on a campaign to eliminate it, if possible. 

But I digress. I'm going to validate. Advisory in Comment 11.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0300.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED