Vulnerabilities > CVE-2015-8805 - Cryptographic Issues vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2897-1.NASL description Hanno Bock discovered that Nettle incorrectly handled carry propagation in the NIST P-256 elliptic curve. (CVE-2015-8803) Hanno Bock discovered that Nettle incorrectly handled carry propagation in the NIST P-384 elliptic curve. (CVE-2015-8804) Niels Moeller discovered that Nettle incorrectly handled carry propagation in the NIST P-256 elliptic curve. (CVE-2015-8805). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 88748 published 2016-02-16 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88748 title Ubuntu 14.04 LTS / 15.10 : nettle vulnerabilities (USN-2897-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2897-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(88748); script_version("2.11"); script_cvs_date("Date: 2019/09/18 12:31:45"); script_cve_id("CVE-2015-8803", "CVE-2015-8804", "CVE-2015-8805"); script_xref(name:"USN", value:"2897-1"); script_name(english:"Ubuntu 14.04 LTS / 15.10 : nettle vulnerabilities (USN-2897-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "Hanno Bock discovered that Nettle incorrectly handled carry propagation in the NIST P-256 elliptic curve. (CVE-2015-8803) Hanno Bock discovered that Nettle incorrectly handled carry propagation in the NIST P-384 elliptic curve. (CVE-2015-8804) Niels Moeller discovered that Nettle incorrectly handled carry propagation in the NIST P-256 elliptic curve. (CVE-2015-8805). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2897-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected libnettle4 and / or libnettle6 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnettle4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnettle6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/23"); script_set_attribute(attribute:"patch_publication_date", value:"2016/02/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/02/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(14\.04|15\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 15.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"14.04", pkgname:"libnettle4", pkgver:"2.7.1-1ubuntu0.1")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"libnettle6", pkgver:"3.1.1-4ubuntu0.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libnettle4 / libnettle6"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-0455-1.NASL description This update for libnettle fixes the following security issues : - CVE-2015-8803: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964845) - CVE-2015-8804: Fixed carry folding bug in x86_64 ecc_384_modp. (bsc#964847) - CVE-2015-8805: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964849) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 88802 published 2016-02-17 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88802 title SUSE SLED12 / SLES12 Security Update : libnettle (SUSE-SU-2016:0455-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:0455-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(88802); script_version("2.12"); script_cvs_date("Date: 2019/09/11 11:22:13"); script_cve_id("CVE-2015-8803", "CVE-2015-8804", "CVE-2015-8805"); script_name(english:"SUSE SLED12 / SLES12 Security Update : libnettle (SUSE-SU-2016:0455-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for libnettle fixes the following security issues : - CVE-2015-8803: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964845) - CVE-2015-8804: Fixed carry folding bug in x86_64 ecc_384_modp. (bsc#964847) - CVE-2015-8805: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964849) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=964845" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=964847" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=964849" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8803/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8804/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8805/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20160455-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ad471249" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 12-SP1 : zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-259=1 SUSE Linux Enterprise Software Development Kit 12 : zypper in -t patch SUSE-SLE-SDK-12-2016-259=1 SUSE Linux Enterprise Server 12-SP1 : zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-259=1 SUSE Linux Enterprise Server 12 : zypper in -t patch SUSE-SLE-SERVER-12-2016-259=1 SUSE Linux Enterprise Desktop 12-SP1 : zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-259=1 SUSE Linux Enterprise Desktop 12 : zypper in -t patch SUSE-SLE-DESKTOP-12-2016-259=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libhogweed2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libhogweed2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libnettle-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libnettle4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libnettle4-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/23"); script_set_attribute(attribute:"patch_publication_date", value:"2016/02/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/02/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1", os_ver + " SP" + sp); if (os_ver == "SLED12" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP0/1", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"1", reference:"libhogweed2-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libhogweed2-debuginfo-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libnettle-debugsource-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libnettle4-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libnettle4-debuginfo-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libhogweed2-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libhogweed2-debuginfo-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libnettle4-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libnettle4-debuginfo-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libhogweed2-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libhogweed2-debuginfo-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libnettle-debugsource-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libnettle4-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libnettle4-debuginfo-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libhogweed2-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libhogweed2-debuginfo-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libnettle4-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libnettle4-debuginfo-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libhogweed2-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libhogweed2-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libhogweed2-debuginfo-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libhogweed2-debuginfo-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libnettle-debugsource-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libnettle4-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libnettle4-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libnettle4-debuginfo-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libnettle4-debuginfo-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libhogweed2-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libhogweed2-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libhogweed2-debuginfo-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libhogweed2-debuginfo-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libnettle-debugsource-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libnettle4-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libnettle4-32bit-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libnettle4-debuginfo-2.7.1-9.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libnettle4-debuginfo-32bit-2.7.1-9.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libnettle"); }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2016-1061.NASL description According to the versions of the nettle packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages(C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. - Secure Fix(es): - The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8805.(CVE-2015-8803) - x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-384 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors.(CVE-2015-8804) - The ecc_256_modq function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8803.(CVE-2015-8805) - It was found that nettle last seen 2020-05-06 modified 2017-05-01 plugin id 99823 published 2017-05-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99823 title EulerOS 2.0 SP1 : nettle (EulerOS-SA-2016-1061) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-217.NASL description This update for libnettle fixes the following issues : - CVE-2015-8803: secp256 calculation bug (boo#964845) - CVE-2015-8804: Miscalculations on secp384 curve (boo#964847) - CVE-2015-8805: Fixed miscomputation bugs in secp-256r1 modulo functions. (boo#964849) last seen 2020-06-05 modified 2016-02-18 plugin id 88823 published 2016-02-18 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/88823 title openSUSE Security Update : libnettle (openSUSE-2016-217) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-212.NASL description This update for libnettle fixes the following security issues : - CVE-2015-8803: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964845) - CVE-2015-8804: Fixed carry folding bug in x86_64 ecc_384_modp. (bsc#964847) - CVE-2015-8805: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964849) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2016-02-17 plugin id 88772 published 2016-02-17 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/88772 title openSUSE Security Update : libnettle (openSUSE-2016-212) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-211.NASL description This update for libnettle fixes the following issues : - CVE-2015-8803: secp256 calculation bug (boo#964845) - CVE-2015-8804: Miscalculations on secp384 curve (boo#964847) - CVE-2015-8805: Fixed miscomputation bugs in secp-256r1 modulo functions. (boo#964849) last seen 2020-06-05 modified 2016-02-17 plugin id 88771 published 2016-02-17 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/88771 title openSUSE Security Update : libnettle (openSUSE-2016-211) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-2582.NASL description From Red Hat Security Advisory 2016:2582 : An update for nettle is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space. Security Fix(es) : * Multiple flaws were found in the way nettle implemented elliptic curve scalar multiplication. These flaws could potentially introduce cryptographic weaknesses into nettle last seen 2020-06-01 modified 2020-06-02 plugin id 94704 published 2016-11-11 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94704 title Oracle Linux 7 : nettle (ELSA-2016-2582) NASL family Fedora Local Security Checks NASL id FEDORA_2016-D94300845B.NASL description Fixes CVE-2015-8803 CVE-2015-8804 CVE-2015-8805 (secp256r1 and secp384r1 bugs) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-14 plugin id 92179 published 2016-07-14 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92179 title Fedora 23 : compat-nettle27 (2016-d94300845b) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-2582.NASL description An update for nettle is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space. Security Fix(es) : * Multiple flaws were found in the way nettle implemented elliptic curve scalar multiplication. These flaws could potentially introduce cryptographic weaknesses into nettle last seen 2020-06-01 modified 2020-06-02 plugin id 95329 published 2016-11-28 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95329 title CentOS 7 : nettle (CESA-2016:2582) NASL family Scientific Linux Local Security Checks NASL id SL_20161103_NETTLE_ON_SL7_X.NASL description Security Fix(es) : - Multiple flaws were found in the way nettle implemented elliptic curve scalar multiplication. These flaws could potentially introduce cryptographic weaknesses into nettle last seen 2020-03-18 modified 2016-12-15 plugin id 95849 published 2016-12-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95849 title Scientific Linux Security Update : nettle on SL7.x x86_64 (20161103) NASL family Fedora Local Security Checks NASL id FEDORA_2016-8EE88AEE21.NASL description Fixes CVE-2015-8803 CVE-2015-8804 CVE-2015-8805 (secp256r1 and secp384r1 bugs) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-03-04 plugin id 89579 published 2016-03-04 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89579 title Fedora 22 : nettle-2.7.1-6.fc22 (2016-8ee88aee21) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-2582.NASL description An update for nettle is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space. Security Fix(es) : * Multiple flaws were found in the way nettle implemented elliptic curve scalar multiplication. These flaws could potentially introduce cryptographic weaknesses into nettle last seen 2020-06-01 modified 2020-06-02 plugin id 94545 published 2016-11-04 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94545 title RHEL 7 : nettle (RHSA-2016:2582)
Redhat
| advisories |
| ||||
| rpms |
|
References
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00093.html
- https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html
- https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00100.html
- http://www.openwall.com/lists/oss-security/2016/02/02/2
- http://www.openwall.com/lists/oss-security/2016/02/03/1
- http://www.ubuntu.com/usn/USN-2897-1
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00091.html
- http://www.securityfocus.com/bid/84272
- http://rhn.redhat.com/errata/RHSA-2016-2582.html