{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"nettle security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for nettle is now available for openEuler-20.03-LTS-SP1.",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"Nettle is a cryptographic library designed to fit any context: in crypto toolkits for object-oriented languages, in applications like LSH or GnuPG, or even in kernel space.\n\nSecurity Fix(es):\n\nA flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalars, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-20305)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for nettle is now available for openEuler-20.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"nettle",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2021-1177",
				"category":"self",
				"url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1177"
			},
			{
				"summary":"CVE-2021-20305",
				"category":"self",
				"url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2021-20305&packageName=nettle"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20305"
			},
			{
				"summary":"openEuler-SA-2021-1177 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2021/csaf-openeuler-sa-2021-1177.json"
			}
		],
		"title":"An update for nettle is now available for openEuler-20.03-LTS-SP1",
		"tracking":{
			"initial_release_date":"2021-05-06T09:19:52+08:00",
			"revision_history":[
				{
					"date":"2021-05-06T09:19:52+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T09:19:52+08:00",
					"summary":"final",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T09:19:52+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T09:19:52+08:00",
			"id":"openEuler-SA-2021-1177",
			"version":"2.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"openEuler-20.03-LTS-SP1",
									"name":"openEuler-20.03-LTS-SP1"
								},
								"name":"openEuler-20.03-LTS-SP1",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"aarch64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"nettle-debugsource-3.6-2.oe1.aarch64.rpm(20.03-LTS-SP1)",
									"name":"nettle-debugsource-3.6-2.oe1.aarch64.rpm"
								},
								"name":"nettle-debugsource-3.6-2.oe1.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"nettle-devel-3.6-2.oe1.aarch64.rpm(20.03-LTS-SP1)",
									"name":"nettle-devel-3.6-2.oe1.aarch64.rpm"
								},
								"name":"nettle-devel-3.6-2.oe1.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"nettle-3.6-2.oe1.aarch64.rpm(20.03-LTS-SP1)",
									"name":"nettle-3.6-2.oe1.aarch64.rpm"
								},
								"name":"nettle-3.6-2.oe1.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"nettle-debuginfo-3.6-2.oe1.aarch64.rpm(20.03-LTS-SP1)",
									"name":"nettle-debuginfo-3.6-2.oe1.aarch64.rpm"
								},
								"name":"nettle-debuginfo-3.6-2.oe1.aarch64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"nettle-help-3.6-2.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"nettle-help-3.6-2.oe1.noarch.rpm"
								},
								"name":"nettle-help-3.6-2.oe1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"nettle-3.6-2.oe1.src.rpm(20.03-LTS-SP1)",
									"name":"nettle-3.6-2.oe1.src.rpm"
								},
								"name":"nettle-3.6-2.oe1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"x86_64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"nettle-3.6-2.oe1.x86_64.rpm(20.03-LTS-SP1)",
									"name":"nettle-3.6-2.oe1.x86_64.rpm"
								},
								"name":"nettle-3.6-2.oe1.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"nettle-debuginfo-3.6-2.oe1.x86_64.rpm(20.03-LTS-SP1)",
									"name":"nettle-debuginfo-3.6-2.oe1.x86_64.rpm"
								},
								"name":"nettle-debuginfo-3.6-2.oe1.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"nettle-debugsource-3.6-2.oe1.x86_64.rpm(20.03-LTS-SP1)",
									"name":"nettle-debugsource-3.6-2.oe1.x86_64.rpm"
								},
								"name":"nettle-debugsource-3.6-2.oe1.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"nettle-devel-3.6-2.oe1.x86_64.rpm(20.03-LTS-SP1)",
									"name":"nettle-devel-3.6-2.oe1.x86_64.rpm"
								},
								"name":"nettle-devel-3.6-2.oe1.x86_64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"nettle-debugsource-3.6-2.oe1.aarch64.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:nettle-debugsource-3.6-2.oe1.aarch64",
					"name":"nettle-debugsource-3.6-2.oe1.aarch64 as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"nettle-devel-3.6-2.oe1.aarch64.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:nettle-devel-3.6-2.oe1.aarch64",
					"name":"nettle-devel-3.6-2.oe1.aarch64 as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"nettle-3.6-2.oe1.aarch64.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.aarch64",
					"name":"nettle-3.6-2.oe1.aarch64 as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"nettle-debuginfo-3.6-2.oe1.aarch64.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:nettle-debuginfo-3.6-2.oe1.aarch64",
					"name":"nettle-debuginfo-3.6-2.oe1.aarch64 as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"nettle-help-3.6-2.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:nettle-help-3.6-2.oe1.noarch",
					"name":"nettle-help-3.6-2.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"nettle-3.6-2.oe1.src.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.src",
					"name":"nettle-3.6-2.oe1.src as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"nettle-3.6-2.oe1.x86_64.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.x86_64",
					"name":"nettle-3.6-2.oe1.x86_64 as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"nettle-debuginfo-3.6-2.oe1.x86_64.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:nettle-debuginfo-3.6-2.oe1.x86_64",
					"name":"nettle-debuginfo-3.6-2.oe1.x86_64 as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"nettle-debugsource-3.6-2.oe1.x86_64.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:nettle-debugsource-3.6-2.oe1.x86_64",
					"name":"nettle-debugsource-3.6-2.oe1.x86_64 as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"nettle-devel-3.6-2.oe1.x86_64.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:nettle-devel-3.6-2.oe1.x86_64",
					"name":"nettle-devel-3.6-2.oe1.x86_64 as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2021-20305",
			"notes":[
				{
					"text":"A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalars, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP1:nettle-debugsource-3.6-2.oe1.aarch64",
					"openEuler-20.03-LTS-SP1:nettle-devel-3.6-2.oe1.aarch64",
					"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.aarch64",
					"openEuler-20.03-LTS-SP1:nettle-debuginfo-3.6-2.oe1.aarch64",
					"openEuler-20.03-LTS-SP1:nettle-help-3.6-2.oe1.noarch",
					"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.src",
					"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.x86_64",
					"openEuler-20.03-LTS-SP1:nettle-debuginfo-3.6-2.oe1.x86_64",
					"openEuler-20.03-LTS-SP1:nettle-debugsource-3.6-2.oe1.x86_64",
					"openEuler-20.03-LTS-SP1:nettle-devel-3.6-2.oe1.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:nettle-debugsource-3.6-2.oe1.aarch64",
						"openEuler-20.03-LTS-SP1:nettle-devel-3.6-2.oe1.aarch64",
						"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.aarch64",
						"openEuler-20.03-LTS-SP1:nettle-debuginfo-3.6-2.oe1.aarch64",
						"openEuler-20.03-LTS-SP1:nettle-help-3.6-2.oe1.noarch",
						"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.src",
						"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.x86_64",
						"openEuler-20.03-LTS-SP1:nettle-debuginfo-3.6-2.oe1.x86_64",
						"openEuler-20.03-LTS-SP1:nettle-debugsource-3.6-2.oe1.x86_64",
						"openEuler-20.03-LTS-SP1:nettle-devel-3.6-2.oe1.x86_64"
					],
					"details":"nettle security update",
					"category":"vendor_fix",
					"url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1177"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":8.1,
						"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP1:nettle-debugsource-3.6-2.oe1.aarch64",
						"openEuler-20.03-LTS-SP1:nettle-devel-3.6-2.oe1.aarch64",
						"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.aarch64",
						"openEuler-20.03-LTS-SP1:nettle-debuginfo-3.6-2.oe1.aarch64",
						"openEuler-20.03-LTS-SP1:nettle-help-3.6-2.oe1.noarch",
						"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.src",
						"openEuler-20.03-LTS-SP1:nettle-3.6-2.oe1.x86_64",
						"openEuler-20.03-LTS-SP1:nettle-debuginfo-3.6-2.oe1.x86_64",
						"openEuler-20.03-LTS-SP1:nettle-debugsource-3.6-2.oe1.x86_64",
						"openEuler-20.03-LTS-SP1:nettle-devel-3.6-2.oe1.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2021-20305"
		}
	]
}