Bug#1067464: marked as done (gnutls28: CVE-2024-28834)

Debian Bug Tracking System Sat, 23 Mar 2024 05:03:18 -0700

Your message dated Sat, 23 Mar 2024 12:58:43 +0100
with message-id <[email protected]>
and subject line Fixed in gnutls28 (3.8.4-1) experimental
has caused the Debian Bug report #1067464,
regarding gnutls28: CVE-2024-28834
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1067464: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067464
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Source: gnutls28
Version: 3.8.3-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/gnutls/gnutls/-/issues/1516
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gnutls28.

CVE-2024-28834[0]:
| A flaw was found in GnuTLS. The Minerva attack is a cryptographic
| vulnerability that exploits deterministic behavior in systems like
| GnuTLS, leading to side-channel leaks. In specific scenarios, such
| as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can
| result in a noticeable step in nonce size from 513 to 512 bits,
| exposing a potential timing side-channel.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28834
    https://www.cve.org/CVERecord?id=CVE-2024-28834
[1] https://gitlab.com/gnutls/gnutls/-/issues/1516
[2] https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
[3] https://www.gnutls.org/security-new.html#GNUTLS-SA-2023-12-04

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Version: 3.8.4-1

 gnutls28 (3.8.4-1) experimental; urgency=medium
 .
   * New upstream version.
     + Fix side-channel in the deterministic ECDSA.
       Reported by George Pantelakis (#1516).
       [GNUTLS-SA-2023-12-04, CVSS: medium] [CVE-2024-28834]
       Closes: #1067464
     + libgnutls: Fixed a bug where certtool crashed when verifying a
       certificate chain with more than 16 certificates. Reported by William
       Woodruff (#1525) and yixiangzhike (#1527).
       [GNUTLS-SA-2024-01-23, CVSS: medium] [CVE-2024-28835] Closes: #1067463
     + Update copyright info.
     + Update symbol file.

--- End Message ---

Bug#1067464: marked as done (gnutls28: CVE-2024-28834)

Reply via email to