[SECURITY] [DLA 3660-1] gnutls28 security update

2023-11-2219:12:13

lists.debian.org

cryptographic system

gnutls28

debian lts advisory

clientkeyexchange

security tracker

upgrade

rsa-psk

timing attack

debian 10 buster

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.3%

JSON

Debian LTS Advisory DLA-3660-1 [email protected]
https://www.debian.org/lts/security/ Markus Koschany
November 22, 2023 https://wiki.debian.org/LTS

Package : gnutls28
Version : 3.6.7-4+deb10u11
CVE ID : CVE-2023-5981
Debian Bug : 1056188

A vulnerability was found in GnuTLS, a secure communications library, which
may facilitate a timing attack to compromise a cryptographic system. The
response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ
from response times of ciphertexts with correct PKCS#1 v1.5 padding. Only
TLS ciphertext processing is affected.

For Debian 10 buster, this problem has been fixed in version
3.6.7-4+deb10u11.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: This is a digitally signed message part

OSVersionArchitecturePackageVersionFilename
Debian12amd64libgnutls30-dbgsym< 3.7.9-2+deb12u1libgnutls30-dbgsym_3.7.9-2+deb12u1_amd64.deb
Debian12arm64libgnutls28-dev< 3.7.9-2+deb12u1libgnutls28-dev_3.7.9-2+deb12u1_arm64.deb
Debian11amd64guile-gnutls-dbgsym< 3.7.1-5+deb11u4guile-gnutls-dbgsym_3.7.1-5+deb11u4_amd64.deb
Debian12i386guile-gnutls-dbgsym< 3.7.9-2+deb12u1guile-gnutls-dbgsym_3.7.9-2+deb12u1_i386.deb
Debian11mipselgnutls-bin-dbgsym< 3.7.1-5+deb11u4gnutls-bin-dbgsym_3.7.1-5+deb11u4_mipsel.deb
Debian11amd64libgnutlsxx28< 3.7.1-5+deb11u4libgnutlsxx28_3.7.1-5+deb11u4_amd64.deb
Debian12arm64libgnutlsxx30< 3.7.9-2+deb12u1libgnutlsxx30_3.7.9-2+deb12u1_arm64.deb
Debian11i386gnutls-bin< 3.7.1-5+deb11u4gnutls-bin_3.7.1-5+deb11u4_i386.deb
Debian11allgnutls-doc< 3.7.1-5+deb11u4gnutls-doc_3.7.1-5+deb11u4_all.deb
Debian10armhflibgnutls-dane0< 3.6.7-4+deb10u11libgnutls-dane0_3.6.7-4+deb10u11_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	amd64	libgnutls30-dbgsym	< 3.7.9-2+deb12u1	libgnutls30-dbgsym_3.7.9-2+deb12u1_amd64.deb
Debian	12	arm64	libgnutls28-dev	< 3.7.9-2+deb12u1	libgnutls28-dev_3.7.9-2+deb12u1_arm64.deb
Debian	11	amd64	guile-gnutls-dbgsym	< 3.7.1-5+deb11u4	guile-gnutls-dbgsym_3.7.1-5+deb11u4_amd64.deb
Debian	12	i386	guile-gnutls-dbgsym	< 3.7.9-2+deb12u1	guile-gnutls-dbgsym_3.7.9-2+deb12u1_i386.deb
Debian	11	mipsel	gnutls-bin-dbgsym	< 3.7.1-5+deb11u4	gnutls-bin-dbgsym_3.7.1-5+deb11u4_mipsel.deb
Debian	11	amd64	libgnutlsxx28	< 3.7.1-5+deb11u4	libgnutlsxx28_3.7.1-5+deb11u4_amd64.deb
Debian	12	arm64	libgnutlsxx30	< 3.7.9-2+deb12u1	libgnutlsxx30_3.7.9-2+deb12u1_arm64.deb
Debian	11	i386	gnutls-bin	< 3.7.1-5+deb11u4	gnutls-bin_3.7.1-5+deb11u4_i386.deb
Debian	11	all	gnutls-doc	< 3.7.1-5+deb11u4	gnutls-doc_3.7.1-5+deb11u4_all.deb
Debian	10	armhf	libgnutls-dane0	< 3.6.7-4+deb10u11	libgnutls-dane0_3.6.7-4+deb10u11_armhf.deb