nettle: 3.2 -> 3.3 #20793

Merged
merged 1 commit into from
Dec 3, 2016
lsix (Member) commented Nov 29, 2016

Motivation for this change

This is mainly a bugfix release.

See http://lists.gnu.org/archive/html/info-gnu/2016-10/msg00003.html
for release announcement.

Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

This is a bugfix release.

See http://lists.gnu.org/archive/html/info-gnu/2016-10/msg00003.html
for release announcement.

@mention-bot

@lsix, thanks for your PR! By analyzing the history of the files in this pull request, we identified @grahamc and @wkennington to be potential reviewers.

@lsix added the labels "1.severity: mass-rebuild" (This PR causes a large number of packages to rebuild) and "8.has: package (update)" (This PR updates a package to a newer version) on Nov 29, 2016

grahamc (Member) commented Nov 29, 2016

   Security:

        * RSA and DSA now use side-channel silent modular
          exponentiation, to defend against attacks on the private key
          from evil processes sharing the same processor cache. This
          attack scenario is of particular relevance when running an
          HTTPS server on a virtual machine, where you don't know who
          you share the cache hardware with.

          (Private key operations on elliptic curves were already
          side-channel silent).

Looks like we should consider backporting this to 16.09 tomorrow.
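
The release note quoted above is about exponentiation whose sequence of operations does not depend on the private exponent. As an added example (not nettle's code and not part of this PR), the C program below contrasts textbook square-and-multiply with a fixed-schedule variant on 64-bit integers; the function names and sample inputs are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not nettle's code; m must be nonzero and < 2^32 so
   products fit in 64 bits. Leaky variant: the multiply runs only for 1-bits
   and the loop length follows the exponent, so the work done encodes the key. */
uint64_t modexp_branchy(uint64_t b, uint64_t e, uint64_t m, unsigned *mults)
{
    uint64_t r = 1 % m;
    b %= m;
    *mults = 0;
    while (e) {
        if (e & 1) { r = r * b % m; (*mults)++; }
        b = b * b % m;
        e >>= 1;
    }
    return r;
}

/* Branch-free select: mask is all-ones when bit == 1, all-zeros when bit == 0. */
static uint64_t ct_select(uint64_t bit, uint64_t if_one, uint64_t if_zero)
{
    uint64_t mask = (uint64_t)0 - bit;
    return (if_one & mask) | (if_zero & ~mask);
}

/* Fixed schedule: always 64 rounds with one multiply and one square each;
   the exponent bit only steers a masked select of the result. */
uint64_t modexp_fixed(uint64_t b, uint64_t e, uint64_t m, unsigned *mults)
{
    uint64_t r = 1 % m;
    b %= m;
    *mults = 0;
    for (int i = 0; i < 64; i++) {
        uint64_t t = r * b % m;   /* computed whether or not the bit is set */
        (*mults)++;
        r = ct_select((e >> i) & 1, t, r);
        b = b * b % m;
    }
    return r;
}

int main(void)
{
    unsigned lo, hi;
    modexp_branchy(7, 0x8001, 4294967291ULL, &lo);  /* constructed inputs */
    modexp_branchy(7, 0xFFFF, 4294967291ULL, &hi);
    printf("branchy multiplies: %u vs %u\n", lo, hi);
    return 0;
}
```

Only the operation schedule is shown here: `%` can take data-dependent time on some CPUs and a compiler may lower the masked select differently, so production code needs review at the instruction level.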

@FRidh added the label "1.severity: security" (Issues which raise a security issue, or PRs that fix one) on Nov 29, 2016

grahamc (Member) commented Dec 1, 2016

I messed up by not merging and backporting this patch yesterday. Unfortunately, we now have mass rebuilds building and this mass-rebuild to merge. Due to how critical the Firefox / torbrowser/ etc. patches are, I'm inclined to hold off on merging this until the next channel update in order to prioritize getting those out.

@grahamc merged commit 2dcaa24 into NixOS:staging on Dec 3, 2016

grahamc (Member) commented Dec 3, 2016

Backported in 39c31ca.
