[SECURITY] [DLA 3740-1] gnutls28 security update

2024-02-2609:38:51

lists.debian.org

portable library

transport layer security

datagram transport layer security

timing side-channel attack

cve-2024-0553

gnutls

debian 10 buster

security update

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.002

Percentile

62.0%

JSON

Debian LTS Advisory DLA-3740-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
February 26, 2024 https://wiki.debian.org/LTS

Package : gnutls28
Version : 3.6.7-4+deb10u12
CVE ID : CVE-2024-0553
Debian Bug : 1061046

Hubert Kario discovered that GnuTLS, a portable library which implements
the Transport Layer Security and Datagram Transport Layer Security
protocols, was vulnerable to timing side-channel attack in the RSA-PSK
key exchange, which could lead to leakage of sensitive data. The issue
stems from an incomplete resolution for CVE-2023-5981.

This vulnerability is also known as GNUTLS-SA-2024-01-14.

For Debian 10 buster, this problem has been fixed in version
3.6.7-4+deb10u12.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian11mipsellibgnutls-openssl27< 3.7.1-5+deb11u4libgnutls-openssl27_3.7.1-5+deb11u4_mipsel.deb
Debian10armhflibgnutls30-dbgsym< 3.6.7-4+deb10u12libgnutls30-dbgsym_3.6.7-4+deb10u12_armhf.deb
Debian12ppc64ellibgnutls-openssl27-dbgsym< 3.7.9-2+deb12u2libgnutls-openssl27-dbgsym_3.7.9-2+deb12u2_ppc64el.deb
Debian10amd64libgnutls28-dev< 3.6.7-4+deb10u12libgnutls28-dev_3.6.7-4+deb10u12_amd64.deb
Debian11arm64libgnutls30-dbgsym< 3.7.1-5+deb11u4libgnutls30-dbgsym_3.7.1-5+deb11u4_arm64.deb
Debian11amd64libgnutls-dane0< 3.7.1-5+deb11u4libgnutls-dane0_3.7.1-5+deb11u4_amd64.deb
Debian11ppc64ellibgnutls-openssl27-dbgsym< 3.7.1-5+deb11u4libgnutls-openssl27-dbgsym_3.7.1-5+deb11u4_ppc64el.deb
Debian12amd64libgnutls-dane0< 3.7.9-2+deb12u2libgnutls-dane0_3.7.9-2+deb12u2_amd64.deb
Debian11allgnutls28< 3.7.1-5+deb11u5gnutls28_3.7.1-5+deb11u5_all.deb
Debian11i386libgnutlsxx28< 3.7.1-5+deb11u4libgnutlsxx28_3.7.1-5+deb11u4_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	mipsel	libgnutls-openssl27	< 3.7.1-5+deb11u4	libgnutls-openssl27_3.7.1-5+deb11u4_mipsel.deb
Debian	10	armhf	libgnutls30-dbgsym	< 3.6.7-4+deb10u12	libgnutls30-dbgsym_3.6.7-4+deb10u12_armhf.deb
Debian	12	ppc64el	libgnutls-openssl27-dbgsym	< 3.7.9-2+deb12u2	libgnutls-openssl27-dbgsym_3.7.9-2+deb12u2_ppc64el.deb
Debian	10	amd64	libgnutls28-dev	< 3.6.7-4+deb10u12	libgnutls28-dev_3.6.7-4+deb10u12_amd64.deb
Debian	11	arm64	libgnutls30-dbgsym	< 3.7.1-5+deb11u4	libgnutls30-dbgsym_3.7.1-5+deb11u4_arm64.deb
Debian	11	amd64	libgnutls-dane0	< 3.7.1-5+deb11u4	libgnutls-dane0_3.7.1-5+deb11u4_amd64.deb
Debian	11	ppc64el	libgnutls-openssl27-dbgsym	< 3.7.1-5+deb11u4	libgnutls-openssl27-dbgsym_3.7.1-5+deb11u4_ppc64el.deb
Debian	12	amd64	libgnutls-dane0	< 3.7.9-2+deb12u2	libgnutls-dane0_3.7.9-2+deb12u2_amd64.deb
Debian	11	all	gnutls28	< 3.7.1-5+deb11u5	gnutls28_3.7.1-5+deb11u5_all.deb
Debian	11	i386	libgnutlsxx28	< 3.7.1-5+deb11u4	libgnutlsxx28_3.7.1-5+deb11u4_i386.deb