[SECURITY] [DSA 4697-1] gnutls28 security update

2020-06-0617:16:32

lists.debian.org

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

JSON

Debian Security Advisory DSA-4697-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
June 06, 2020 https://www.debian.org/security/faq

Package : gnutls28
CVE ID : CVE-2020-13777
Debian Bug : 962289

A flaw was reported in the TLS session ticket key construction in
GnuTLS, a library implementing the TLS and SSL protocols. The flaw
caused the TLS server to not securely construct a session ticket
encryption key considering the application supplied secret, allowing a
man-in-the-middle attacker to bypass authentication in TLS 1.3 and
recover previous conversations in TLS 1.2.

For the stable distribution (buster), this problem has been fixed in
version 3.6.7-4+deb10u4.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian10s390xlibgnutls-openssl27-dbgsym< 3.6.7-4+deb10u4libgnutls-openssl27-dbgsym_3.6.7-4+deb10u4_s390x.deb
Debian10s390xlibgnutls28-dev< 3.6.7-4+deb10u4libgnutls28-dev_3.6.7-4+deb10u4_s390x.deb
Debian10ppc64ellibgnutls30< 3.6.7-4+deb10u4libgnutls30_3.6.7-4+deb10u4_ppc64el.deb
Debian10mipsellibgnutlsxx28-dbgsym< 3.6.7-4+deb10u4libgnutlsxx28-dbgsym_3.6.7-4+deb10u4_mipsel.deb
Debian10arm64libgnutls-openssl27< 3.6.7-4+deb10u4libgnutls-openssl27_3.6.7-4+deb10u4_arm64.deb
Debian10mipsellibgnutls30-dbgsym< 3.6.7-4+deb10u4libgnutls30-dbgsym_3.6.7-4+deb10u4_mipsel.deb
Debian10armhflibgnutlsxx28-dbgsym< 3.6.7-4+deb10u4libgnutlsxx28-dbgsym_3.6.7-4+deb10u4_armhf.deb
Debian10ppc64ellibgnutls-openssl27-dbgsym< 3.6.7-4+deb10u4libgnutls-openssl27-dbgsym_3.6.7-4+deb10u4_ppc64el.deb
Debian10mipslibgnutls-dane0< 3.6.7-4+deb10u4libgnutls-dane0_3.6.7-4+deb10u4_mips.deb
Debian10amd64libgnutls28-dev< 3.6.7-4+deb10u4libgnutls28-dev_3.6.7-4+deb10u4_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	s390x	libgnutls-openssl27-dbgsym	< 3.6.7-4+deb10u4	libgnutls-openssl27-dbgsym_3.6.7-4+deb10u4_s390x.deb
Debian	10	s390x	libgnutls28-dev	< 3.6.7-4+deb10u4	libgnutls28-dev_3.6.7-4+deb10u4_s390x.deb
Debian	10	ppc64el	libgnutls30	< 3.6.7-4+deb10u4	libgnutls30_3.6.7-4+deb10u4_ppc64el.deb
Debian	10	mipsel	libgnutlsxx28-dbgsym	< 3.6.7-4+deb10u4	libgnutlsxx28-dbgsym_3.6.7-4+deb10u4_mipsel.deb
Debian	10	arm64	libgnutls-openssl27	< 3.6.7-4+deb10u4	libgnutls-openssl27_3.6.7-4+deb10u4_arm64.deb
Debian	10	mipsel	libgnutls30-dbgsym	< 3.6.7-4+deb10u4	libgnutls30-dbgsym_3.6.7-4+deb10u4_mipsel.deb
Debian	10	armhf	libgnutlsxx28-dbgsym	< 3.6.7-4+deb10u4	libgnutlsxx28-dbgsym_3.6.7-4+deb10u4_armhf.deb
Debian	10	ppc64el	libgnutls-openssl27-dbgsym	< 3.6.7-4+deb10u4	libgnutls-openssl27-dbgsym_3.6.7-4+deb10u4_ppc64el.deb
Debian	10	mips	libgnutls-dane0	< 3.6.7-4+deb10u4	libgnutls-dane0_3.6.7-4+deb10u4_mips.deb
Debian	10	amd64	libgnutls28-dev	< 3.6.7-4+deb10u4	libgnutls28-dev_3.6.7-4+deb10u4_amd64.deb