
List:       oss-security
Subject:    [oss-security] GnuTLS 3.8.3 released, fixes CVE-2024-0553 & CVE-2024-0567
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2024-01-19 18:13:08
Message-ID: 07e18a7e-6f57-40cd-8342-c238bec790ec () oracle ! com

https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html reports:

> We have just released gnutls-3.8.3. This is a bug fix and security
> release on the 3.8.x branch.
> 
> We would like to thank everyone who contributed in this release:
> Clemens Lang, Daiki Ueno, Jakub Jelen, and Mark Harfouche
> 
> The detailed list of changes follows: 
> 
> * Version 3.8.3 (released 2024-01-16)
> 
> ** libgnutls: Fix more timing side-channel inside RSA-PSK key exchange
> [GNUTLS-SA-2024-01-14, CVSS: medium] [CVE-2024-0553]
> 
> ** libgnutls: Fix assertion failure when verifying a certificate chain with a
> cycle of cross signatures
> [GNUTLS-SA-2024-01-09, CVSS: medium] [CVE-2024-0567]
> 
> ** libgnutls: Fix regression in handling Ed25519 keys stored in PKCS#11 token
> certtool was unable to handle Ed25519 keys generated on PKCS#11
> with pkcs11-tool (OpenSC). This is a regression introduced in 3.8.2.
> 
> ** API and ABI modifications:
> No changes since last version.

https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-09 states:

> GNUTLS-SA-2024-01-09
> CVE-2024-0567
> Severity Medium; Denial of service
> When validating a certificate chain which contains a cycle of cross-signed signatures of
> multiple CA certificates, GnuTLS applications crash with an assertion failure. This affects
> GnuTLS 3.7.0 to 3.8.2. The issue was reported in the issue tracker as #1521
> <https://gitlab.com/gnutls/gnutls/-/issues/1521>.
> Recommendation: To address the issue found upgrade to GnuTLS 3.8.3 or later versions.

https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-14 states:

> GNUTLS-SA-2024-01-14
> CVE-2024-0553
> Severity Medium; more timing sidechannel in RSA-PSK key exchange
> The previous fix for CVE-2023-5981 turned out to be incomplete as it still leaves an observable
> difference in the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange and
> the one of ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext processing is
> affected. The issue was reported in the issue tracker as #1522
> <https://gitlab.com/gnutls/gnutls/-/issues/1522>.
> Recommendation: To address the issue found upgrade to GnuTLS 3.8.3 or later versions.

-- 
         -Alan Coopersmith-                 alan.coopersmith@oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
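
An added illustration of the cycle condition described in GNUTLS-SA-2024-01-09 (not GnuTLS code and not part of the original message): a toy issuer walk in C that marks visited certificates, so a cycle of cross signatures ends in an ordinary "not trusted" result instead of an abort. Certificates are reduced to subject/issuer names, no signatures are checked, and every name used (`chain_reaches_anchor`, `CA-A`, `CA-B`, `Root`) is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_POOL 32

/* Toy certificate: names only; signatures are NOT verified in this model. */
struct cert { const char *subject, *issuer; };

/* Depth-first walk up the issuer links. visited[] is never cleared, so each
 * certificate is expanded at most once and a cross-signature cycle cannot
 * keep the walk going forever. */
static int reach(const struct cert *pool, int n, int cur,
                 const char *anchor, unsigned char *visited)
{
    visited[cur] = 1;
    if (strcmp(pool[cur].issuer, anchor) == 0)
        return 1;                       /* issued by the trust anchor */
    for (int i = 0; i < n; i++) {
        if (visited[i] || strcmp(pool[i].subject, pool[cur].issuer) != 0)
            continue;                   /* already seen, or not an issuer */
        if (reach(pool, n, i, anchor, visited))
            return 1;
    }
    return 0;                           /* dead end: report, do not abort */
}

/* Returns 1 if pool[leaf] chains to `anchor`, 0 otherwise (including cycles). */
int chain_reaches_anchor(const struct cert *pool, int n, int leaf,
                         const char *anchor)
{
    unsigned char visited[MAX_POOL] = {0};
    if (n <= 0 || n > MAX_POOL || leaf < 0 || leaf >= n)
        return 0;
    return reach(pool, n, leaf, anchor, visited);
}

/* Constructed pools: CA-A and CA-B cross-sign each other. */
static const struct cert CYCLE_ONLY[] = {
    {"leaf.example", "CA-A"}, {"CA-A", "CA-B"}, {"CA-B", "CA-A"} };
static const struct cert CYCLE_WITH_EXIT[] = {
    {"leaf.example", "CA-A"}, {"CA-A", "CA-B"}, {"CA-B", "CA-A"},
    {"CA-B", "Root"} };

int main(void)
{
    printf("cycle only:      %d\n", chain_reaches_anchor(CYCLE_ONLY, 3, 0, "Root"));
    printf("cycle with exit: %d\n", chain_reaches_anchor(CYCLE_WITH_EXIT, 4, 0, "Root"));
    return 0;
}
```

The second pool shows that a cycle among cross-signed CAs need not block validation when another certificate for the same subject leads to the anchor.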

