Description
Security update for gnutls
This update for gnutls fixes the following issues:
- CVE-2020-13777: Fixed an insecure session ticket key construction that could have caused the TLS server not to bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506).
- Fixed improper handling of certificate chains with cross-signed intermediate CA certificates (bsc#1172461).
This update was imported from the SUSE:SLE-15:Update update project.
Package list
openSUSE Leap 15.1
gnutls-3.6.7-lp151.2.18.1
gnutls-guile-3.6.7-lp151.2.18.1
libgnutls-dane-devel-3.6.7-lp151.2.18.1
libgnutls-dane0-3.6.7-lp151.2.18.1
libgnutls-devel-3.6.7-lp151.2.18.1
libgnutls-devel-32bit-3.6.7-lp151.2.18.1
libgnutls30-3.6.7-lp151.2.18.1
libgnutls30-32bit-3.6.7-lp151.2.18.1
libgnutls30-hmac-3.6.7-lp151.2.18.1
libgnutls30-hmac-32bit-3.6.7-lp151.2.18.1
libgnutlsxx-devel-3.6.7-lp151.2.18.1
libgnutlsxx28-3.6.7-lp151.2.18.1
References
- E-Mail link for openSUSE-SU-2020:0790-1
- SUSE Security Ratings
- SUSE Bug 1172461
- SUSE Bug 1172506
- SUSE CVE CVE-2020-13777 page
Description
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.
Affected products
openSUSE Leap 15.1:gnutls-3.6.7-lp151.2.18.1
openSUSE Leap 15.1:gnutls-guile-3.6.7-lp151.2.18.1
openSUSE Leap 15.1:libgnutls-dane-devel-3.6.7-lp151.2.18.1
openSUSE Leap 15.1:libgnutls-dane0-3.6.7-lp151.2.18.1
References
- CVE-2020-13777
- SUSE Bug 1172461
- SUSE Bug 1172506