Your message dated Fri, 12 Jun 2020 08:17:32 +0000
with message-id <e1jjesw-0002kf...@fasolo.debian.org>
and subject line Bug#962289: fixed in gnutls28 3.6.7-4+deb10u4
has caused the Debian Bug report #962289,
regarding gnutls28: CVE-2020-13777: session resumption works without master key allowing MITM
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
962289: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962289
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gnutls28
Version: 3.6.13-4
Severity: grave
Tags: security upstream
Forwarded: https://gitlab.com/gnutls/gnutls/-/issues/1011
Control: found -1 3.6.4-1
Control: found -1 3.6.7-4+deb10u3

Hi Andreas,

The following vulnerability was published for gnutls28, filing it as
RC given the resulting authentication bypass possibility, but if
you do not agree please downgrade.

CVE-2020-13777[0]:
| GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting
| a session ticket (a loss of confidentiality in TLS 1.2, and an
| authentication bypass in TLS 1.3). The earliest affected version is
| 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until
| the first key rotation, the TLS server always uses wrong data in place
| of an encryption key derived from an application.

If you want I can try to help prepare a corresponding
buster-security update as well.

The issue was introduced in 3.6.4 upstream, so stretch is not
affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13777
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13777
[1] https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03
[2] https://gitlab.com/gnutls/gnutls/-/issues/1011

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: gnutls28
Source-Version: 3.6.7-4+deb10u4
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
gnutls28, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 962...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated gnutls28 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Jun 2020 19:32:17 +0200
Source: gnutls28
Architecture: source
Version: 3.6.7-4+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-ma...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 962289
Changes:
 gnutls28 (3.6.7-4+deb10u4) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * GNUTLS-SA-2020-06-03: Flaw in TLS session ticket key construction
     (CVE-2020-13777) (Closes: #962289)
Checksums-Sha1:
 a6a03560185c91ff0756e4a5a89e64cc216aef6e 3509 gnutls28_3.6.7-4+deb10u4.dsc
 ab70d6845d2efd27986a7af146ffa3192d973838 78712 gnutls28_3.6.7-4+deb10u4.debian.tar.xz
Checksums-Sha256:
 0d633cb281152d025b49fa398930c8f5ea2e9af529bc9a2d288813679e75d88f 3509 gnutls28_3.6.7-4+deb10u4.dsc
 2bf9e2ce3603e46ad2a47762e4e96c2f64729fe5bd784274025aa99f33a11688 78712 gnutls28_3.6.7-4+deb10u4.debian.tar.xz
Files:
 4e19564f52ba71851112b45c5e4cfc9f 3509 libs optional gnutls28_3.6.7-4+deb10u4.dsc
 f2e6a94c3af7e8346738ee0b339d9790 78712 libs optional gnutls28_3.6.7-4+deb10u4.debian.tar.xz


--- End Message ---
