oss-sec mailing list archives
GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 22 Mar 2024 12:10:37 -0700
https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html announced the release of GnuTLS 3.8.4, including these fixes:
** libgnutls: Fix side-channel in the deterministic ECDSA. Reported by George Pantelakis (#1516). [GNUTLS-SA-2023-12-04, CVSS: medium] [CVE-2024-28834]** libgnutls: Fixed a bug where certtool crashed when verifying a certificate chain with more than 16 certificates. Reported by William Woodruff (#1525) and yixiangzhike (#1527). [GNUTLS-SA-2024-01-23, CVSS: medium] [CVE-2024-28835]
https://gnutls.org/security-new.html#GNUTLS-SA-2023-12-04 says:
CVE-2024-28834 Severity Medium; timing sidechannel in deterministic ECDSA A vulnerability was found that the deterministic ECDSA code leaks bit-length of random nonce which allows for full recovery of the private key used after observing a few hundreds to a few thousands of signatures on known messages, due to the application of lattice techniques. The issue was reported in the issue tracker as #1516. https://gitlab.com/gnutls/gnutls/-/issues/1516 Recommendation: To address the issue found upgrade to GnuTLS 3.8.4 or later versions.
https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-23 says:
CVE-2024-28835 Severity Medium; Denial of service When validating a certificate chain with more then 16 certificates GnuTLS applications crash with an assertion failure. The issue was reported in the issue tracker as #1527 and #1525. https://gitlab.com/gnutls/gnutls/-/issues/1527 https://gitlab.com/gnutls/gnutls/-/issues/1525 Recommendation: To address the issue found upgrade to GnuTLS 3.8.4 or later versions.
-- -Alan Coopersmith- alan.coopersmith () oracle com Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Current thread:
- GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835 Alan Coopersmith (Mar 22)
- Re: GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835 Alex Gaynor (Mar 22)