Mageia 9: 2024-0031 Critical GnuTLS Update on DoS and Timing Attacks
mageia
February 9, 2024
The updated packages fix security vulnerabilities: A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust
Summary
The updated packages fix security vulnerabilities:
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS)
rejects a certificate chain with distributed trust. This issue occurs
when validating a certificate chain with cockpit-certificate-ensure.
This flaw allows an unauthenticated, remote client or attacker to
initiate a denial of service attack. (CVE-2024-0567)
A vulnerability was found in GnuTLS. The response times to malformed
ciphertexts in RSA-PSK ClientKeyExchange differ from response times of
ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a
remote attacker to perform a timing side-channel attack in the RSA-PSK
key exchange, potentially leading to the leakage of sensitive data.
CVE-2024-0553 is designated as an incomplete resolution for
CVE-2023-5981. (CVE-2024-0553)
References
- https://bugs.mageia.org/show_bug.cgi?id=32755
- https://www.openwall.com/lists/oss-security/2024/01/19/3
- https://www.cve.org/CVERecord?id=CVE-2024-0567
- https://www.cve.org/CVERecord?id=CVE-2024-0553
Resolution
SRPMS
- 9/core/gnutls-3.8.0-2.2.mga9
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Publication date: 09 Feb 2024
URL: https://advisories.mageia.org/MGASA-2024-0031.html
Type: security
CVE: CVE-2024-0567,
CVE-2024-0553
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!