NEWS entries for 3.7.2.

diff --git a/ChangeLog b/ChangeLog
index ff0e80199a9ae6ac61c08b854b1bfbea172b1112..bb169e86628cd4f24caa0e5cb860890b61ff661d 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2021-03-21  Niels Möller  <nisse@lysator.liu.se>
+
+       * NEWS: NEWS entries for 3.7.2.
+
 2021-03-17  Niels Möller  <nisse@lysator.liu.se>
 
        * configure.ac: Bump package version, to 3.7.2.

diff --git a/NEWS b/NEWS
index af797434fe79641d8ce8f18f1226d4d6a9517f07..897527c9e60ccd72c5c1ff9bf3320ac206a0d738 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,51 @@
+NEWS for the Nettle 3.7.2 release
+
+       This is a bugfix release, fixing a bug in ECDSA signature
+       verification that could lead to a denial of service attack
+       (via an assertion failure) or possibly incorrect results. It
+       also fixes a few related problems where scalars are required
+       to be canonically reduced modulo the ECC group order, but in
+       fact may be slightly larger.
+
+       Upgrading to the new version is strongly recommended.
+
+       Even when no assert is triggered in ecdsa_verify, ECC point
+       multiplication may get invalid intermediate values as input,
+       and produce incorrect results. It's trivial to construct
+       alleged signatures that result in invalid intermediate values.
+       It appears difficult to construct an alleged signature that
+       makes the function misbehave in such a way that an invalid
+       signature is accepted as valid, but such attacks can't be
+       ruled out without further analysis.
+
+       Thanks to Guido Vranken for setting up the fuzzer tests that
+       uncovered this problem.
+
+       The new version is intended to be fully source and binary
+       compatible with Nettle-3.6. The shared library names are
+       libnettle.so.8.3 and libhogweed.so.6.3, with sonames
+       libnettle.so.8 and libhogweed.so.6.
+
+       Bug fixes:
+
+       * Fixed bug in ecdsa_verify, and added a corresponding test
+          case.
+
+       * Similar fixes to ecc_gostdsa_verify and gostdsa_vko.
+
+       * Similar fixes to eddsa signatures. The problem is less severe
+          for these curves, because (i) the potentially out or range
+          value is derived from output of a hash function, making it
+          harder for the attacker to to hit the narrow range of
+          problematic values, and (ii) the ecc operations are
+          inherently more robust, and my current understanding is that
+          unless the corresponding assert is hit, the verify
+          operation should complete with a correct result.
+
+       * Fix to ecdsa_sign, which with a very low probability could
+          return out of range signature values, which would be
+          rejected immediately by a verifier.
+
 NEWS for the Nettle 3.7.1 release
 
        This is primarily a bug fix release, fixing a couple of