oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

GnuTLS 3.8.3 released, fixes CVE-2024-0553 & CVE-2024-0567

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 19 Jan 2024 10:13:08 -0800
https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html reports:


We have just released gnutls-3.8.3. This is a bug fix and security
release on the 3.8.x branch.

We would like to thank everyone who contributed in this release:
Clemens Lang, Daiki Ueno, Jakub Jelen, and Mark Harfouche
The detailed list of changes follows: 
* Version 3.8.3 (released 2024-01-16)

** libgnutls: Fix more timing side-channel inside RSA-PSK key exchange
   [GNUTLS-SA-2024-01-14, CVSS: medium] [CVE-2024-0553]

** libgnutls: Fix assertion failure when verifying a certificate chain with a
   cycle of cross signatures
   [GNUTLS-SA-2024-01-09, CVSS: medium] [CVE-2024-0567]

** libgnutls: Fix regression in handling Ed25519 keys stored in PKCS#11 token
   certtool was unable to handle Ed25519 keys generated on PKCS#11
   with pkcs11-tool (OpenSC). This is a regression introduced in 3.8.2.

** API and ABI modifications:
No changes since last version.


https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-09 states:


GNUTLS-SA-2024-01-09
CVE-2024-0567
Severity Medium; Denial of service
When validating a certificate chain which contains a cycle of cross-signed signatures of multiple CA certificates, GnuTLS applications crash with an assertion failure. This affects GnuTLS 3.7.0 to 3.8.2. The issue was reported in the issue tracker as #1521 <https://gitlab.com/gnutls/gnutls/-/issues/1521> > Recommendation: To address the issue found upgrade to GnuTLS 3.8.3 or later 
versions.

https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-14 states:


GNUTLS-SA-2024-01-14
CVE-2024-0553
Severity Medium; more timing sidechannel in RSA-PSK key exchange
The previous fix for CVE-2023-5981 turned to be incomplete as it still leaves an observable difference in the response times 
to malformed ciphertexts in RSA-PSK ClientKeyExchange and the one of ciphertexts with correct PKCS#1 v1.5 padding. Only TLS 
ciphertext processing is affected. The issue was reported in the issue tracker as #1522 
<https://gitlab.com/gnutls/gnutls/-/issues/1522>.
Recommendation: To address the issue found upgrade to GnuTLS 3.8.3 or later versions.


--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Previous By Date Next
Previous By Thread Next

Current thread: