Your message dated Sun, 16 Jun 2024 20:33:48 +0000
with message-id <[email protected]>
and subject line Bug#1067464: fixed in gnutls28 3.7.9-2+deb12u3
has caused the Debian Bug report #1067464,
regarding gnutls28: CVE-2024-28834
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1067464: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067464
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gnutls28
Version: 3.8.3-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/gnutls/gnutls/-/issues/1516
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for gnutls28.
CVE-2024-28834[0]:
| A flaw was found in GnuTLS. The Minerva attack is a cryptographic
| vulnerability that exploits deterministic behavior in systems like
| GnuTLS, leading to side-channel leaks. In specific scenarios, such
| as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can
| result in a noticeable step in nonce size from 513 to 512 bits,
| exposing a potential timing side-channel.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-28834
https://www.cve.org/CVERecord?id=CVE-2024-28834
[1] https://gitlab.com/gnutls/gnutls/-/issues/1516
[2] https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
[3] https://www.gnutls.org/security-new.html#GNUTLS-SA-2023-12-04
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gnutls28
Source-Version: 3.7.9-2+deb12u3
Done: Andreas Metzler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gnutls28, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnutls28 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 15 Jun 2024 13:22:35 +0200
Source: gnutls28
Architecture: source
Version: 3.7.9-2+deb12u3
Distribution: bookworm
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 1067463 1067464
Changes:
gnutls28 (3.7.9-2+deb12u3) bookworm; urgency=medium
.
* Update to 3.7.11:
+ Replace 60-auth-rsa_psk-side-step-potential-side-channel.patch
61-x509-detect-loop-in-certificate-chain.patch
62-rsa-psk-minimize-branching-after-decryption.patch with versions from
gnutls_3_7_x branch instead of manual backports from 3.8.x.
+ Add 53-fips-fix-checking-on-hash-algorithm-used-in-ECDSA.patch (Fix
checking on hash algorithm used in ECDSA in FIPS mode) and
54-fips-mark-composite-signature-API-not-approved.patch (Mark composite
signature API non-approved in FIPS mode.) to allow
straight cherry-picking of later patches.
+ 63_01-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch
libgnutls: Fixed a bug where certtool crashed when verifying a
certificate chain with more than 16 certificates. Reported by William
Woodruff (#1525) and yixiangzhike (#1527). [GNUTLS-SA-2024-01-23, CVSS:
medium] [CVE-2024-28835] Closes: #1067463
+ 63_02-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch
libgnutls: Fix side-channel in the deterministic ECDSA.
Reported by George Pantelakis (#1516). [GNUTLS-SA-2023-12-04, CVSS:
medium] [CVE-2024-28834] Closes: #1067464
+ 63_03-serv-fix-memleak-when-a-connected-client-disappears.patch
Fix a memleak in gnutls-serv when a connected client disappears.
+ 63_04-lib-fix-a-segfault-in-_gnutls13_recv_end_of_early_da.patch
Fix a segfault in _gnutls13_recv_end_of_early_data().
+ 63_05-lib-fix-a-potential-segfault-in-_gnutls13_recv_finis.patch
Fix a potential segfault in _gnutls13_recv_finished().
Checksums-Sha1:
a29a32c7e06a672f8e724e5c4b08cd7dd99ffc43 3421 gnutls28_3.7.9-2+deb12u3.dsc
4d74829fb268fb0c31667d3eeb5efa424fdb28a1 103728
gnutls28_3.7.9-2+deb12u3.debian.tar.xz
Checksums-Sha256:
3f136935775b93298a194049050769628c5a623e1e7a3021fcd3d9ac9fe0c171 3421
gnutls28_3.7.9-2+deb12u3.dsc
affecf130f25873fd7b18d0904ce757535a0a743b2c770efe1dc7faf1db52328 103728
gnutls28_3.7.9-2+deb12u3.debian.tar.xz
Files:
1c8abc659a7b7194f85a8e641d48f23c 3421 libs optional
gnutls28_3.7.9-2+deb12u3.dsc
36b999d8149fa777937d70733891d33a 103728 libs optional
gnutls28_3.7.9-2+deb12u3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAmZtg8IACgkQpU8BhUOC
FIRNvA//T7Q8PmVqI3GReS9nhZ5COcX/Etrx+tKvZwBp2kWivlAZ7XHw+5j6Vy5g
+QW6IhZigzokI41ZGVytuWOftZIvEe6ozJtcV3vE1US7tur7vuv4ZTb99r6PKtcE
CrWECdnwkPfubeFm9MKG6gN1lc9sD2d9Y0Wdz9Og6aW22MwE8heqoDDNpa44ECxL
lW/iRWVLtfBR3Ze/f2okYPVYcVKkK4gqb4ntAA7dZ/P1amt+Pr1YgPkMybKaOL00
iT7/jAnfqkJboG04v7mHxG8/B+/Zz1565QOEhKnVPFU/Ut1pI1w8msqwBSiuUH4R
cNwLXn/LMWATCPcW3ipa9mLFymh2Hg7eBKpsJpdfFteTnLg16boehxHzA6eLAZ/Q
bjzNz2++DhhNCxf2k9U7D1ItOPPyE6OsnaH4/Sdfo2Mv1pRrUh++YDJK1QJxhVL7
pI980LLRZQ3eD6hff0GGPllbPprb8nyBfVKjiPXBZC3L5JG8jReyDtm34oj6f/CC
Bam00wVOEgibQsxT9lnEoxEEU7X0frXTJuY1hdmvp1BzvT8kWNhVGlARHGv08dp7
WClpZOXmqvrLrOqOHE8stKwdA9vgRvUP0VVFWbePiMIhScYTSD8nqxGGl5nnnmme
rrPJYZhjda98UED4aSx5v0VEPns6WEAEf6j+6pgLuI8q4Urlkuc=
=/nSx
-----END PGP SIGNATURE-----
pgpVxc3Vz3eMX.pgp
Description: PGP signature
--- End Message ---