GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835

Related Vulnerabilities: CVE-2024-28834   CVE-2024-28835  
                							

oss-sec
mailing list archives

From: Alan Coopersmith <alan.coopersmith () oracle com>

Date: Fri, 22 Mar 2024 12:10:37 -0700

https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
announced the release of GnuTLS 3.8.4, including these fixes:

** libgnutls: Fix side-channel in the deterministic ECDSA. Reported by 
George Pantelakis (#1516). [GNUTLS-SA-2023-12-04, CVSS: medium] 
[CVE-2024-28834]

** libgnutls: Fixed a bug where certtool crashed when verifying a 
certificate chain with more than 16 certificates. Reported by William 
Woodruff (#1525) and yixiangzhike (#1527). [GNUTLS-SA-2024-01-23, CVSS: 
medium] [CVE-2024-28835]

https://gnutls.org/security-new.html#GNUTLS-SA-2023-12-04 says:

CVE-2024-28834  Severity Medium; timing sidechannel in deterministic ECDSA

A vulnerability was found that the deterministic ECDSA code leaks bit-length
of random nonce which allows for full recovery of the private key used after
observing a few hundreds to a few thousands of signatures on known messages,
due to the application of lattice techniques. The issue was reported in the
issue tracker as #1516.

https://gitlab.com/gnutls/gnutls/-/issues/1516

Recommendation: To address the issue found upgrade to GnuTLS 3.8.4 or later
versions.

https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-23 says:

CVE-2024-28835  Severity Medium; Denial of service

When validating a certificate chain with more than 16 certificates GnuTLS
applications crash with an assertion failure. The issue was reported in the
issue tracker as #1527 and #1525.

https://gitlab.com/gnutls/gnutls/-/issues/1527
https://gitlab.com/gnutls/gnutls/-/issues/1525

Recommendation: To address the issue found upgrade to GnuTLS 3.8.4 or later
versions.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
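
A triage helper for the two advisories quoted above, as an added example that is not part of the original message or of GnuTLS: it compares a reported version against the fixed release 3.8.4 and counts the certificates in a PEM bundle against the 16-certificate figure from CVE-2024-28835. It assumes the version string is an upstream version number (distribution packages may backport fixes without changing it) and that the bundle holds a single chain; the function names and sample inputs are constructed for illustration.

```python
import re

FIXED = (3, 8, 4)   # release both advisories say to upgrade to (from the page)
CHAIN_LIMIT = 16    # chain length named in CVE-2024-28835 (from the page)
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+?"
                      r"-----END CERTIFICATE-----")
# Constructed placeholder block: PEM framing only, not a real certificate.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
               "-----END CERTIFICATE-----\n")

def parse_version(text):
    """Return the first x.y.z version found in tool or package output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())

def older_than_fixed(version_text):
    """True when the version sorts below 3.8.4 (numeric, so 3.10.0 > 3.8.4)."""
    return parse_version(version_text) < FIXED

def count_certs(pem_text):
    """Count complete PEM certificate blocks in a bundle."""
    return len(PEM_CERT.findall(pem_text))

def triage(version_text, pem_text):
    """List what still needs attention for the two advisories."""
    findings = []
    if not older_than_fixed(version_text):
        return findings
    findings.append("GnuTLS older than 3.8.4: upgrade "
                    "(CVE-2024-28834, CVE-2024-28835)")
    n = count_certs(pem_text)
    if n > CHAIN_LIMIT:
        findings.append(f"chain of {n} certificates exceeds {CHAIN_LIMIT} "
                        "(CVE-2024-28835 crash condition)")
    return findings

if __name__ == "__main__":
    # Constructed inputs: a version line and a 17-certificate bundle.
    for line in triage("gnutls-cli 3.8.3", SAMPLE_CERT * 17):
        print(line)
```
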
