[Debian] High CVE: CVE-2024-0553/CVE-2024-0567 gnutls28 : multiple CVEs

Bug #2071584 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Peng Zhang

Bug Description

CVE-2024-0553: https://nvd.nist.gov/vuln/detail/CVE-2024-0553

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

CVE-2024-0567: https://nvd.nist.gov/vuln/detail/CVE-2024-0567

A vulnerability was found in GnuTLS, where a cockpit (which uses GnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

Base Score: High

Reference (Debian 11 package upgrades, 3.7.1-5+deb11u4 to 3.7.1-5+deb11u5):

libgnutls28-dev_3.7.1-5+deb11u4_amd64.deb ===> libgnutls28-dev_3.7.1-5+deb11u5_amd64.deb
libgnutls30_3.7.1-5+deb11u4_amd64.deb ===> libgnutls30_3.7.1-5+deb11u5_amd64.deb
libgnutls-dane0_3.7.1-5+deb11u4_amd64.deb ===> libgnutls-dane0_3.7.1-5+deb11u5_amd64.deb
libgnutls-openssl27_3.7.1-5+deb11u4_amd64.deb ===> libgnutls-openssl27_3.7.1-5+deb11u5_amd64.deb
libgnutlsxx28_3.7.1-5+deb11u4_amd64.deb ===> libgnutlsxx28_3.7.1-5+deb11u5_amd64.deb

CVE References: CVE-2024-0553, CVE-2024-0567
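The check a practitioner wants after reading the package list above is whether every gnutls binary package on a host is at or above the fixed Debian version. The following Python is an added example, not code from StarlingX, Debian or GnuTLS: it reimplements the dpkg version ordering rules (epoch, upstream version, Debian revision; `~` sorts before everything, digit runs compare numerically, letters sort before other characters) so that saved `dpkg-query` output can be audited offline, and runs that over constructed sample lines. The package set and the fixed version 3.7.1-5+deb11u5 come from this bug; the sample output and the function names are assumptions made for the example. On a live host, `dpkg --compare-versions` is the authoritative comparison.

```python
import re

# Debian 11 packages and the fixed version named in this bug.
FIXED_VERSION = "3.7.1-5+deb11u5"
GNUTLS_PACKAGES = {
    "libgnutls28-dev", "libgnutls30", "libgnutls-dane0",
    "libgnutls-openssl27", "libgnutlsxx28",
}


def _char_order(c):
    """Weight of one character inside a non-digit fragment (deb-version(7) rules):
    '~' sorts before everything, including end of string (weight 0), letters sort
    by code point, and every other character sorts after all letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    """Compare two non-digit fragments character by character with _char_order."""
    for i in range(max(len(a), len(b))):
        wa = _char_order(a[i]) if i < len(a) else 0
        wb = _char_order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_component(a, b):
    """Compare an upstream version or Debian revision the way dpkg does: alternate
    non-digit fragments (lexical, via _cmp_nondigit) and digit runs (numeric, so
    'deb11u10' is newer than 'deb11u5')."""
    while a or b:
        fa = re.match(r"[^0-9]*", a).group()
        fb = re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigit(fa, fb)
        if r:
            return r
        a, b = a[len(fa):], b[len(fb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The revision is everything after the last hyphen; the epoch defaults to 0."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_component(ua, ub) or _cmp_component(ra, rb)


def find_unpatched(dpkg_output, fixed=FIXED_VERSION, packages=GNUTLS_PACKAGES):
    """Scan 'package version' lines, as produced by
    dpkg-query -W -f '${binary:Package} ${Version}\\n', and return
    {package: installed_version} for tracked packages older than `fixed`."""
    unpatched = {}
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        name = fields[0].split(":", 1)[0]   # drop an ':amd64' architecture qualifier
        if name in packages and compare_versions(fields[1], fixed) < 0:
            unpatched[name] = fields[1]
    return unpatched


# Constructed sample output (not captured from a real host): two packages
# are still at the vulnerable deb11u4 build.
SAMPLE_DPKG_OUTPUT = """\
libgnutls28-dev:amd64 3.7.1-5+deb11u5
libgnutls30:amd64 3.7.1-5+deb11u4
libgnutls-dane0:amd64 3.7.1-5+deb11u5
libgnutls-openssl27:amd64 3.7.1-5+deb11u4
libgnutlsxx28:amd64 3.7.1-5+deb11u5
libtasn1-6:amd64 4.16.0-2+deb11u1
"""

if __name__ == "__main__":
    for pkg, ver in sorted(find_unpatched(SAMPLE_DPKG_OUTPUT).items()):
        print(f"{pkg} {ver} is older than {FIXED_VERSION}: still affected")
```

A version check only proves that the fixed package is installed. Processes that mapped the old libgnutls.so.30 before the upgrade keep running the vulnerable code until they are restarted, so pair this with a stale-library check (for example needrestart, or looking for "(deleted)" library mappings in /proc/<pid>/maps).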

Peng Zhang (pzhang2)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/924045

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/924045
Committed: https://opendev.org/starlingx/tools/commit/f928267f5b6a6f567b0cca9d00f3647476bfec44
Submitter: "Zuul (22348)"
Branch: master

commit f928267f5b6a6f567b0cca9d00f3647476bfec44
Author: Peng Zhang <email address hidden>
Date: Wed Jul 10 06:30:57 2024 +0000

    Debian: libgnutls: fix CVE-2024-0553 and CVE-2024-0567

    Upgrade libgnutls28-dev to 3.7.1-5+deb11u5
    Upgrade libgnutls30 to 3.7.1-5+deb11u5
    Upgrade libgnutls-dane0 to 3.7.1-5+deb11u5
    Upgrade libgnutls-openssl27 to 3.7.1-5+deb11u5
    Upgrade libgnutlsxx28 to 3.7.1-5+deb11u5

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2024-0553
    https://nvd.nist.gov/vuln/detail/CVE-2024-0567

    TestPlan:
    PASS: downloader; build-pkgs
    PASS: build-image

    Closes-Bug: 2071584

    Change-Id: I57823145b15e462c602ba22a41472eceab67cbde
    Signed-off-by: Peng Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
This report contains Public Security information
