[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] GnuTLS 3.8.3 released, fixes CVE-2024-0553 & CVE-2024-0567
From: Alan Coopersmith <alan.coopersmith () oracle ! com>
Date: 2024-01-19 18:13:08
Message-ID: 07e18a7e-6f57-40cd-8342-c238bec790ec () oracle ! com
[Download RAW message or body]
https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html reports:
> We have just released gnutls-3.8.3. This is a bug fix and security
> release on the 3.8.x branch.
>
> We would like to thank everyone who contributed in this release:
> Clemens Lang, Daiki Ueno, Jakub Jelen, and Mark Harfouche
>
> The detailed list of changes follows:
>
> * Version 3.8.3 (released 2024-01-16)
>
> ** libgnutls: Fix more timing side-channel inside RSA-PSK key exchange
> [GNUTLS-SA-2024-01-14, CVSS: medium] [CVE-2024-0553]
>
> ** libgnutls: Fix assertion failure when verifying a certificate chain with a
> cycle of cross signatures
> [GNUTLS-SA-2024-01-09, CVSS: medium] [CVE-2024-0567]
>
> ** libgnutls: Fix regression in handling Ed25519 keys stored in PKCS#11 token
> certtool was unable to handle Ed25519 keys generated on PKCS#11
> with pkcs11-tool (OpenSC). This is a regression introduced in 3.8.2.
>
> ** API and ABI modifications:
> No changes since last version.
https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-09 states:
> GNUTLS-SA-2024-01-09
> CVE-2024-0567
> Severity Medium; Denial of service
> When validating a certificate chain which contains a cycle of cross-signed signatures of \
> multiple CA certificates, GnuTLS applications crash with an assertion failure. This affects \
> GnuTLS 3.7.0 to 3.8.2. The issue was reported in the issue tracker as #1521 \
> <https://gitlab.com/gnutls/gnutls/-/issues/1521> > Recommendation: To address the issue found \
> upgrade to GnuTLS 3.8.3 or later
versions.
https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-14 states:
> GNUTLS-SA-2024-01-14
> CVE-2024-0553
> Severity Medium; more timing sidechannel in RSA-PSK key exchange
> The previous fix for CVE-2023-5981 turned to be incomplete as it still leaves an observable \
> difference in the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange and \
> the one of ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext processing is \
> affected. The issue was reported in the issue tracker as #1522 \
> <https://gitlab.com/gnutls/gnutls/-/issues/1522>.
> Recommendation: To address the issue found upgrade to GnuTLS 3.8.3 or later versions.
--
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic