'Re: [oss-security] GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835
From:       Alex Gaynor <alex.gaynor () gmail ! com>
Date:       2024-03-22 19:16:56
Message-ID: CAFRnB2W+-G1XkSUk4NfmxPWcbgLgJ7-ASR-JDW1m67MvwDHmUA () mail ! gmail ! com
[Download RAW message or body]

One thing that may be of interest to this group: Will found
CVE-2024-28835 by running the x509-limbo test suite against gnutls.
x509-limbo is a set of test cases that can be used to test x.509 path
building implementations against a variety of edge cases (inspired by
wycheproof). The tests are at https://github.com/C2SP/x509-limbo

Cheers,
Alex

On Fri, Mar 22, 2024 at 3:12 PM Alan Coopersmith
<alan.coopersmith@oracle.com> wrote:
>
> https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
> announced the release of GnuTLS 3.8.4, including these fixes:
>
> > ** libgnutls: Fix side-channel in the deterministic ECDSA. Reported by
> > George Pantelakis (#1516). [GNUTLS-SA-2023-12-04, CVSS: medium]
> > [CVE-2024-28834]
> >
> > ** libgnutls: Fixed a bug where certtool crashed when verifying a
> > certificate chain with more than 16 certificates. Reported by William
> > Woodruff (#1525) and yixiangzhike (#1527). [GNUTLS-SA-2024-01-23, CVSS:
> > medium] [CVE-2024-28835]
>
> https://gnutls.org/security-new.html#GNUTLS-SA-2023-12-04 says:
>
> > CVE-2024-28834  Severity Medium; timing sidechannel in deterministic ECDSA
> >
> > A vulnerability was found that the deterministic ECDSA code leaks bit-length
> > of random nonce which allows for full recovery of the private key used after
> > observing a few hundreds to a few thousands of signatures on known messages,
> > due to the application of lattice techniques. The issue was reported in the
> > issue tracker as #1516.
> >
> > https://gitlab.com/gnutls/gnutls/-/issues/1516
> >
> > Recommendation: To address the issue found upgrade to GnuTLS 3.8.4 or later
> > versions.
>
>
> https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-23 says:
>
> > CVE-2024-28835  Severity Medium; Denial of service
> >
> > When validating a certificate chain with more then 16 certificates GnuTLS
> > applications crash with an assertion failure. The issue was reported in the
> > issue tracker as #1527 and #1525.
> >
> > https://gitlab.com/gnutls/gnutls/-/issues/1527
> > https://gitlab.com/gnutls/gnutls/-/issues/1525
> >
> > Recommendation: To address the issue found upgrade to GnuTLS 3.8.4 or later
> > versions.
>
>
>
> --
>          -Alan Coopersmith-                 alan.coopersmith@oracle.com
>           Oracle Solaris Engineering - https://blogs.oracle.com/solaris



-- 
All that is necessary for evil to succeed is for good people to do nothing.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic