update: gnutls #1403

dongsupark · 2024-03-25T15:02:36Z

Name: gnutls
CVEs: CVE-2024-28834, CVE-2024-28835
CVSSs: 5.3, 5.0
Action Needed: update to >= 3.8.4

Summary:

CVE-2024-28834: A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.
CVE-2024-28835: A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

refmap.gentoo: https://bugs.gentoo.org/927557

dongsupark added security security concerns advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS labels Mar 25, 2024

github-actions bot mentioned this issue Apr 22, 2024

Monthly contributions report 2024-03-22 - 2024-04-21 #1435

Closed

krnowak mentioned this issue Apr 23, 2024

Weekly portage-stable package updates 2024-04-22 flatcar/scripts#1949

Merged

2 tasks

krnowak closed this as completed in flatcar/scripts#1949 Apr 25, 2024

github-actions bot mentioned this issue May 22, 2024

Monthly contributions report 2024-04-22 - 2024-05-21 #1451

Closed

Provide feedback