oss-sec mailing list archives
GnuTLS 3.8.3 released, fixes CVE-2024-0553 & CVE-2024-0567
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 19 Jan 2024 10:13:08 -0800
https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html reports:
We have just released gnutls-3.8.3. This is a bug fix and security release on the 3.8.x branch. We would like to thank everyone who contributed in this release: Clemens Lang, Daiki Ueno, Jakub Jelen, and Mark HarfoucheThe detailed list of changes follows:* Version 3.8.3 (released 2024-01-16) ** libgnutls: Fix more timing side-channel inside RSA-PSK key exchange [GNUTLS-SA-2024-01-14, CVSS: medium] [CVE-2024-0553] ** libgnutls: Fix assertion failure when verifying a certificate chain with a cycle of cross signatures [GNUTLS-SA-2024-01-09, CVSS: medium] [CVE-2024-0567] ** libgnutls: Fix regression in handling Ed25519 keys stored in PKCS#11 token certtool was unable to handle Ed25519 keys generated on PKCS#11 with pkcs11-tool (OpenSC). This is a regression introduced in 3.8.2. ** API and ABI modifications: No changes since last version.
https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-09 states:
GNUTLS-SA-2024-01-09 CVE-2024-0567 Severity Medium; Denial of serviceWhen validating a certificate chain which contains a cycle of cross-signed signatures of multiple CA certificates, GnuTLS applications crash with an assertion failure. This affects GnuTLS 3.7.0 to 3.8.2. The issue was reported in the issue tracker as #1521 <https://gitlab.com/gnutls/gnutls/-/issues/1521> > Recommendation: To address the issue found upgrade to GnuTLS 3.8.3 or later
versions. https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-14 states:
GNUTLS-SA-2024-01-14 CVE-2024-0553 Severity Medium; more timing sidechannel in RSA-PSK key exchange The previous fix for CVE-2023-5981 turned to be incomplete as it still leaves an observable difference in the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange and the one of ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext processing is affected. The issue was reported in the issue tracker as #1522 <https://gitlab.com/gnutls/gnutls/-/issues/1522>. Recommendation: To address the issue found upgrade to GnuTLS 3.8.3 or later versions.
-- -Alan Coopersmith- alan.coopersmith () oracle com Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Current thread:
- GnuTLS 3.8.3 released, fixes CVE-2024-0553 & CVE-2024-0567 Alan Coopersmith (Jan 19)