Arch Linux Security Advisory ASA-202106-28 ========================================== Severity: Medium Date : 2021-06-09 CVE-ID : CVE-2021-3580 Package : nettle Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2052 Summary ======= The package nettle before version 3.7.3-1 is vulnerable to denial of service. Resolution ========== Upgrade to 3.7.3-1. # pacman -Syu "nettle>=3.7.3-1" The problem has been fixed upstream in version 3.7.3. Workaround ========== None. Description =========== Multiple issues were found with Nettle's RSA decryption functions before version 3.7.3. These can be triggered by providing manipulated ciphertext and could lead to application crash and denial of service. Since nettle is used with gnuTLS, there is a possibility that a remote client could crash a server compiled with gnuTLS when RSA is used for the initial key exchange. Impact ====== A remote attacker could crash an application using Nettle with a crafted RSA ciphertext. References ========== https://bugzilla.redhat.com/show_bug.cgi?id=1967983 https://git.lysator.liu.se/nettle/nettle/-/commit/0ad0b5df315665250dfdaa4a1e087f4799edaefe https://git.lysator.liu.se/nettle/nettle/-/commit/485b5e2820a057e873b1ba812fdb39cae4adf98c https://security.archlinux.org/CVE-2021-3580