Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update: gnutls #1403

Closed
dongsupark opened this issue Mar 25, 2024 · 0 comments · Fixed by flatcar/scripts#1949
Closed

update: gnutls #1403

dongsupark opened this issue Mar 25, 2024 · 0 comments · Fixed by flatcar/scripts#1949
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns

Comments

@dongsupark
Copy link
Member

Name: gnutls
CVEs: CVE-2024-28834, CVE-2024-28835
CVSSs: 5.3, 5.0
Action Needed: update to >= 3.8.4

Summary:

  • CVE-2024-28834: A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.
  • CVE-2024-28835: A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

See also https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html.

refmap.gentoo: https://bugs.gentoo.org/927557
@dongsupark dongsupark added security security concerns advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS labels Mar 25, 2024
@dongsupark dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Mar 25, 2024
@github-actions github-actions bot mentioned this issue Apr 22, 2024
Closed
@krnowak krnowak mentioned this issue Apr 23, 2024
Merged
2 tasks
@dongsupark dongsupark moved this from 🪵Backlog to ⚒️ In Progress in Flatcar tactical, release planning, and roadmap Apr 24, 2024
@github-project-automation github-project-automation bot moved this from ⚒️ In Progress to Implemented in Flatcar tactical, release planning, and roadmap Apr 25, 2024
@github-actions github-actions bot mentioned this issue May 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Weekly portage-stable package updates 2024-04-22 flatcar/scripts
1 participant
@dongsupark