GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
announced the release of GnuTLS 3.8.4, including these fixes:

> ** libgnutls: Fix side-channel in the deterministic ECDSA. Reported by 
> George Pantelakis (#1516). [GNUTLS-SA-2023-12-04, CVSS: medium] 
> [CVE-2024-28834]
>
> ** libgnutls: Fixed a bug where certtool crashed when verifying a 
> certificate chain with more than 16 certificates. Reported by William 
> Woodruff (#1525) and yixiangzhike (#1527). [GNUTLS-SA-2024-01-23, CVSS: 
> medium] [CVE-2024-28835]

https://gnutls.org/security-new.html#GNUTLS-SA-2023-12-04 says:

> CVE-2024-28834  Severity Medium; timing sidechannel in deterministic ECDSA
>
> A vulnerability was found that the deterministic ECDSA code leaks bit-length
> of random nonce which allows for full recovery of the private key used after
> observing a few hundreds to a few thousands of signatures on known messages,
> due to the application of lattice techniques. The issue was reported in the
> issue tracker as #1516.
>
> https://gitlab.com/gnutls/gnutls/-/issues/1516
>
> Recommendation: To address the issue found upgrade to GnuTLS 3.8.4 or later
> versions.


https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-23 says:

> CVE-2024-28835  Severity Medium; Denial of service
>
> When validating a certificate chain with more then 16 certificates GnuTLS
> applications crash with an assertion failure. The issue was reported in the
> issue tracker as #1527 and #1525.
>
> https://gitlab.com/gnutls/gnutls/-/issues/1527
> https://gitlab.com/gnutls/gnutls/-/issues/1525
>
> Recommendation: To address the issue found upgrade to GnuTLS 3.8.4 or later
> versions.



--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris