Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2016-6489

Published: 1 August 2016

The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.

Notes

AuthorNote
mdeslaur
original patch had issues,
see http://seclists.org/oss-sec/2016/q3/206
subsequent commits fix issue

Priority

Medium

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package Release Status
nettle
Launchpad, Ubuntu, Debian
precise
Released (2.4-1ubuntu0.1)
trusty
Released (2.7.1-1ubuntu0.2)
upstream Needs triage

wily Ignored
(end of life)
xenial
Released (3.2-1ubuntu0.16.04.1)
yakkety
Released (3.2-1ubuntu0.16.10.1)
zesty Not vulnerable
(3.3-1)
Patches:
upstream: https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3
upstream: https://git.lysator.liu.se/nettle/nettle/commit/5eb30d94f6f5f3f0cb9ba9ed24bc52b7376176b6
upstream: https://git.lysator.liu.se/nettle/nettle/commit/52b9223126b3f997c00d399166c006ae28669068
upstream: https://git.lysator.liu.se/nettle/nettle/commit/544b4047de689519ab3e6ec55b776b95b3e264a9

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N