Package: libgnutls30
Version: 3.6.3-1
Severity: important
X-Debbugs-CC: secur...@debian.org
Tags: security patch buster bullseye

Dear Maintainer(s),

A security issue has been identified in GnuTLS:

https://gitlab.com/gnutls/gnutls/-/issues/960
https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-03-31

It was reported in the open, so opening a bug here. There will probably
be a CVE soon-ish, as upstream requested one.

The DTLS client implementation is supposed to send a random 32 bytes
token, but it sends all zeros between versions 3.6.3 and 3.6.12
included, so Buster is affected, but Stretch and earlier are not.

Upstream commit that fixes the issue:

https://gitlab.com/gnutls/gnutls/-/commit/c01011c2d8533dbbbe754e49e256c109cb848d0d

-- 
Kind regards,
Luca Boccassi
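
Added example, not part of the original report and not GnuTLS code: a check that flags a DTLS ClientHello whose 32-byte random is all zeros, which is the behaviour described above. It assumes the "token" is the ClientHello random field in the RFC 6347 record and handshake layout; the sample datagrams are constructed, not captured.

```python
import struct

# DTLS record header (RFC 6347): type, version, epoch, 48-bit sequence, length
RECORD_HDR = struct.Struct("!BHH6sH")
HANDSHAKE_HDR_LEN = 12  # type, length(3), message_seq(2), frag_offset(3), frag_len(3)
DTLS_VERSIONS = {0xFEFF, 0xFEFD}  # DTLS 1.0 and 1.2 as they appear on the wire


def client_random(datagram: bytes):
    """Return the 32-byte ClientHello random, or None if this is not a ClientHello."""
    if len(datagram) < RECORD_HDR.size:
        return None
    ctype, version, _epoch, _seq, length = RECORD_HDR.unpack_from(datagram)
    if ctype != 22 or version not in DTLS_VERSIONS:  # 22 = handshake
        return None
    body = datagram[RECORD_HDR.size:RECORD_HDR.size + length]
    if len(body) != length or len(body) < HANDSHAKE_HDR_LEN + 34:
        return None
    frag_offset = int.from_bytes(body[6:9], "big")
    frag_len = int.from_bytes(body[9:12], "big")
    # client_version (2) + random (32) open the message, so only the first
    # fragment (offset 0) of a client_hello (type 1) carries the random.
    if body[0] != 1 or frag_offset != 0 or frag_len < 34:
        return None
    return body[HANDSHAKE_HDR_LEN + 2:HANDSHAKE_HDR_LEN + 34]


def classify(datagram: bytes) -> str:
    rnd = client_random(datagram)
    if rnd is None:
        return "not-client-hello"
    return "zero-random" if rnd == bytes(32) else "nonzero-random"


def build_client_hello(rnd: bytes) -> bytes:
    """Constructed sample: minimal DTLS 1.2 ClientHello with one cipher suite."""
    # version, random, empty session_id, empty cookie, one suite, null compression
    hello = b"\xfe\xfd" + rnd + b"\x00" + b"\x00" + b"\x00\x02\xc0\x2b" + b"\x01\x00"
    n = len(hello).to_bytes(3, "big")
    handshake = b"\x01" + n + b"\x00\x00" + b"\x00\x00\x00" + n + hello
    return RECORD_HDR.pack(22, 0xFEFF, 0, bytes(6), len(handshake)) + handshake


if __name__ == "__main__":
    samples = (("all-zero sample", bytes(32)), ("nonzero sample", bytes(range(1, 33))))
    for label, rnd in samples:
        print(label, "->", classify(build_client_hello(rnd)))
```

A "nonzero-random" result only rules out the all-zero case; it says nothing about the quality of the randomness.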
