StarlingX

[Debian] Medium CVE: CVE-2023-5981 gnutls28: timing side-channel in the RSA-PSK authentication

Bug #2057487 reported by Yue Tao
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
High
Wentao Zhang

Bug Description

CVE-2023-5981: https://nvd.nist.gov/vuln/detail/CVE-2023-5981

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

Base Score: Medium

Reference:

['libgnutls28-dev_3.7.1-5+deb11u3_amd64.deb===>libgnutls28-dev_3.7.1-5+deb11u4_amd64.deb', 'libgnutls30_3.7.1-5+deb11u3_amd64.deb===>libgnutls30_3.7.1-5+deb11u4_amd64.deb', 'libgnutls-dane0_3.7.1-5+deb11u3_amd64.deb===>libgnutls-dane0_3.7.1-5+deb11u4_amd64.deb', 'libgnutls-openssl27_3.7.1-5+deb11u3_amd64.deb===>libgnutls-openssl27_3.7.1-5+deb11u4_amd64.deb', 'libgnutlsxx28_3.7.1-5+deb11u3_amd64.deb===>libgnutlsxx28_3.7.1-5+deb11u4_amd64.deb']

CVE References

Yue Tao (wrytao)
summary: - [Debian] Medium CVE: CVE-2023-5981 gnutls28
+ [Debian] Medium CVE: CVE-2023-5981 gnutls28: timing side-channel in the
+ RSA-PSK authentication
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/912907

Changed in starlingx:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/912907
Committed: https://opendev.org/starlingx/tools/commit/27881330ab1aadb6bacbcc0f6d492054c509dbdd
Submitter: "Zuul (22348)"
Branch: master

commit 27881330ab1aadb6bacbcc0f6d492054c509dbdd
Author: Wentao Zhang <email address hidden>
Date: Thu Mar 14 02:03:54 2024 -0700

    Debian: gnutls28: CVE-2023-5981

    Upgrade libgnutls28-dev to 3.7.1-5+deb11u4
    Upgrade libgnutls30 to 3.7.1-5+deb11u4
    Upgrade libgnutls-dane0 to 3.7.1-5+deb11u4
    Upgrade libgnutls-openssl27 to 3.7.1-5+deb11u4
    Upgrade libgnutlsxx28 to 3.7.1-5+deb11u4

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2023-5981

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2057487

    Change-Id: Ibc1d9f3c19b8330cc66a504c3ccb2972814789f8
    Signed-off-by: Wentao Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Revision history for this message
Ghada Khalil (gkhalil) wrote :

Changing the target release to stx.10.0 since this only merged in the main branch after the r/stx.9.0 release branch was created (March 7) and the team doesn't port CVE fixes to released branches.

Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)
tags: added: stx.10.0
removed: stx.9.0
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.