libmicrohttpd

Re: [libmicrohttpd] Regarding CVE-2021-3580


From: Mishra, Milind
Subject: Re: [libmicrohttpd] Regarding CVE-2021-3580
Date: Fri, 15 Jul 2022 05:25:03 +0000

Thanks a lot for that update.

Regards,
Milind.



-----Original Message-----
From: libmicrohttpd <libmicrohttpd-bounces+milind_mishra=dell.com@gnu.org> On 
Behalf Of Christian Grothoff
Sent: Thursday, July 14, 2022 10:25 PM
To: libmicrohttpd@gnu.org
Subject: Re: [libmicrohttpd] Regarding CVE-2021-3580



On 7/14/22 15:09, Mishra, Milind via libmicrohttpd wrote:
> Hello,
> 
> The project I work on uses libmicrohttpd.so. This library in turn is 
> dependent on libnettle6.so
> 
> As per CVE-2021-3580
> <https://www.suse.com/security/cve/CVE-2021-3580.html> there was a
> security flaw in libnettle6 - 3.4.1-4.15.1 which was fixed in
> 3.4.1-4.18.1.
> 
> Have the fixes in version 3.4.1-4.18.1 incorporated any changes that 
> might impact the working of libmicrohttpd.so?

If you are statically linked against libnettle *and* have enabled RSA key 
transport in your TLS configuration, then you may need to re-link GNU 
libmicrohttpd. If you are dynamically linked, simply updating the libnettle.so 
dependency should be completely sufficient.

Note that GNU libmicrohttpd doesn't directly use GNU nettle; we only use it via 
GnuTLS.
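
A check for the static-versus-dynamic distinction drawn in the reply above, added here as an example and not part of the original messages: it reads `ldd` output and reports whether nettle is reached as a shared object. The function name, the output labels and the sample `ldd` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a binary or libmicrohttpd.so reaches nettle,
# reading `ldd` output on stdin. Output names are this example's own labels.
#   dynamic     - libnettle/libhogweed resolved as shared objects
#   gnutls-only - libgnutls is shared, but no shared nettle is listed
#   none        - neither listed (no TLS support, or everything static)
classify_nettle_linkage() {
    has_gnutls=no
    has_nettle=no
    # First column of each ldd line is the soname ("libfoo.so.N => /path (0x..)").
    for so in $(awk '{print $1}'); do
        case "$so" in
            libgnutls.so*) has_gnutls=yes ;;
            # libhogweed is nettle's public-key library, built from the same source.
            libnettle.so*|libhogweed.so*) has_nettle=yes ;;
        esac
    done
    if [ "$has_nettle" = yes ]; then echo dynamic
    elif [ "$has_gnutls" = yes ]; then echo gnutls-only
    else echo none
    fi
}

# Constructed ldd output (paths and addresses are made up for the example).
sample_dynamic() {
    printf '%s\n' \
        '    libgnutls.so.30 => /usr/lib64/libgnutls.so.30 (0x00007f0000200000)' \
        '    libnettle.so.6 => /usr/lib64/libnettle.so.6 (0x00007f0000100000)' \
        '    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'
}
sample_gnutls_only() {
    printf '%s\n' \
        '    libgnutls.so.30 => /usr/lib64/libgnutls.so.30 (0x00007f0000200000)' \
        '    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'
}
sample_static() {
    printf '%s\n' '    not a dynamic executable'
}

# Real use: ldd /path/to/your/binary | classify_nettle_linkage
for s in sample_dynamic sample_gnutls_only sample_static; do
    printf '%s: %s\n' "$s" "$("$s" | classify_nettle_linkage)"
done
```

A `dynamic` result corresponds to the case where updating the libnettle shared library is sufficient; the other results call for inspecting how the binary and GnuTLS were built.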
