nettle_project nettle 使用已被攻破或存在风险的密码学算法

admin

0
文章

0
评论

2023-12-01 15:25:51 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

低危 nettle_project nettle 使用已被攻破或存在风险的密码学算法

CVE编号

CVE-2021-20305

利用情况

暂无

补丁情况

官方补丁

披露时间

2021-04-06

漏洞描述

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://bugzilla.redhat.com/show_bug.cgi?id=1942533
https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.gentoo.org/glsa/202105-31
https://security.netapp.com/advisory/ntap-20211022-0002/
https://www.debian.org/security/2021/dsa-4933

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	nettle_project	nettle	*		Up to (excluding) 3.7.2
	运行在以下环境
	系统	alibaba_cloud_linux_2.1903	nettle-debuginfo	*		Up to (excluding) 2.7.1-9.1.al7
	运行在以下环境
	系统	alpine_3.13	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_3.14	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_3.15	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_3.16	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_3.17	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_3.18	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	alpine_edge	nettle	*		Up to (excluding) 3.7.2-r0
	运行在以下环境
	系统	amazon_2	nettle	*		Up to (excluding) 2.7.1-9.amzn2
	运行在以下环境
	系统	anolis_os_8	gnutls-devel	*		Up to (excluding) 3.6.8-12.0.1
	运行在以下环境
	系统	anolis_os_8.2	gnutls-c++	*		Up to (excluding) 3.6.8-12.0.1
	运行在以下环境
	系统	centos_7	nettle	*		Up to (excluding) 2.7.1-9.el7_9
	运行在以下环境
	系统	centos_8	gnutls-c++	*		Up to (excluding) 3.6.14-8.el8_3
	运行在以下环境
	系统	debian_10	nettle	*		Up to (excluding) 3.4.1-1+deb10u1
	运行在以下环境
	系统	debian_11	nettle	*		Up to (excluding) 3.7.2-1
	运行在以下环境
	系统	debian_12	nettle	*		Up to (excluding) 3.7.2-1
	运行在以下环境
	系统	debian_9	nettle	*		Up to (excluding) 3.3-1+deb9u1
	运行在以下环境
	系统	debian_sid	nettle	*		Up to (excluding) 3.7.2-1
	运行在以下环境
	系统	fedora_33	gnutls-devel	*		Up to (excluding) 3.6.16-1.fc33
	运行在以下环境
	系统	kylinos_aarch64_V10	nettle	*		Up to (excluding) 2.7.1-9.el7_9
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	nettle	*		Up to (excluding) 3.6-5.p02.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP1	nettle	*		Up to (excluding) 3.6-5.p02.a.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10	nettle	*		Up to (excluding) 2.7.1-9.el7_9
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	nettle	*		Up to (excluding) 3.6-5.p02.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP2	nettle	*		Up to (excluding) 3.6-5.p02.ky10
	运行在以下环境
	系统	opensuse_Leap_15.2	libnettle-devel	*		Up to (excluding) 3.4.1-lp152.4.3.1
	运行在以下环境
	系统	oracle_7	oraclelinux-release	*		Up to (excluding) 2.7.1-9.el7_9
	运行在以下环境
	系统	oracle_8	oraclelinux-release	*		Up to (excluding) 3.6.14-8.el8_3
	运行在以下环境
	系统	redhat_7	nettle	*		Up to (excluding) 2.7.1-9.el7_9
	运行在以下环境
	系统	redhat_8	gnutls-c++	*		Up to (excluding) 3.6.14-8.el8_3
	运行在以下环境
系统	suse_12_SP5	libnettle4-32bit	*		Up to (excluding) 2.7.1-13.3.1
运行在以下环境
系统	ubuntu_16.04	nettle	*		Up to (excluding) 3.2-1ubuntu0.16.04.2
运行在以下环境
系统	ubuntu_16.04.7_lts	nettle	*		Up to (excluding) 3.2-1ubuntu0.16.04.2
运行在以下环境
系统	ubuntu_18.04	nettle	*		Up to (excluding) 3.4-1ubuntu0.1
运行在以下环境
系统	ubuntu_18.04.5_lts	nettle	*		Up to (excluding) 3.4-1ubuntu0.1
运行在以下环境
系统	ubuntu_20.04	nettle	*		Up to (excluding) 3.5.1+really3.5.1-2ubuntu0.1
运行在以下环境
系统	ubuntu_21.04	nettle	*		Up to (excluding) 3.7-2.1ubuntu1
运行在以下环境
系统	ubuntu_21.10	nettle	*		Up to (excluding) 3.7-2.1ubuntu1
运行在以下环境
系统	ubuntu_22.04	nettle	*		Up to (excluding) 3.7-2.1ubuntu1
运行在以下环境
系统	ubuntu_22.10	nettle	*		Up to (excluding) 3.7-2.1ubuntu1