Source: gnutls28
Version: 3.6.14-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/gnutls/gnutls/-/issues/1071
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for gnutls28.

CVE-2020-24659[0]:
| An issue was discovered in GnuTLS before 3.6.15. A server can trigger
| a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation
| alert is sent with unexpected timing, and then an invalid second
| handshake occurs. The crash happens in the application's error
| handling path, where the gnutls_deinit function is called after
| detecting a handshake failure.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-24659
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24659
[1] https://gitlab.com/gnutls/gnutls/-/issues/1071
[2] https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore