
4564 matches found

Slackware Linux
added 2020/09/04 7:10 p.m., 17 views

[slackware-security] gnutls

New gnutls packages are available for Slackware 14.2 and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: patches/packages/gnutls-3.6.15-i586-1slack14.2.txz: Upgraded. libgnutls: Fixed "norenegotiation" alert handling at incorrect timing, which could lead ...

6.9 AI score
Exploits: 0
RedhatCVE
added 2020/09/04 3:19 p.m., 25 views

CVE-2020-24659

A flaw was found in GnuTLS, where the server can trigger the client to run into heap buffer overflow if a norenegotiation alert is sent in an unexpected timing. This flaw allows the client to crash at the session deinitialization timing. The highest threat from this vulnerability is to system...

7.5 CVSS, 7.7 AI score, 0.03633 EPSS
Exploits: 1, References: 4
OSV
added 2020/09/04 3:15 p.m., 0 views

DEBIAN-CVE-2020-24659

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a norenegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the...

7.5 CVSS, 7.6 AI score, 0.03633 EPSS
Exploits: 1, References: 1
OSV
added 2020/09/04 3:15 p.m., 26 views

CVE-2020-24659

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a norenegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the...

7.5 CVSS, 1.6 AI score
Exploits: 0, References: 9
OSV
added 2020/09/04 3:15 p.m., 0 views

UBUNTU-CVE-2020-24659

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a norenegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the...

7.5 CVSS, 7.1 AI score, 0.03633 EPSS
Exploits: 1, References: 5
UbuntuCve
added 2020/09/04 3:15 p.m., 21 views

CVE-2020-24659

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a norenegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the...

7.5 CVSS, 7.1 AI score, 0.03633 EPSS
Exploits: 1, References: 4
Prion
added 2020/09/04 3:15 p.m., 25 views

Null pointer dereference

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a norenegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the...

5 CVSS, 7.3 AI score, 0.03633 EPSS
Exploits: 1, References: 9, Affected Software: 4
Cvelist
added 2020/09/04 2:3 p.m., 24 views

CVE-2020-24659

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a norenegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the...

7.4 AI score, 0.03633 EPSS
Exploits: 1, References: 9
CVE
added 2020/09/04 2:3 p.m., 235 views

CVE-2020-24659

GnuTLS up to version 3.6.14 is affected by CVE-2020-24659. The issue is described as a heap buffer overflow during TLS handshake involving a no_renegotiation alert and an invalid second handshake, with the crash occurring in the error handling path when gnutls_deinit is called after a handshake f...

7.5 CVSS, 7.3 AI score, 0.03633 EPSS
Exploits: 1, References: 9, Affected Software: 1
Debian CVE
added 2020/09/04 2:3 p.m., 21 views

CVE-2020-24659

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a norenegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the...

7.5 CVSS, 7.5 AI score, 0.03633 EPSS
Exploits: 1
FreeBSD
added 2020/09/04 12:0 a.m., 27 views

GnuTLS -- null pointer dereference

The GnuTLS project reports: It was found by oss-fuzz that the server sending a "norenegotiation" alert in an unexpected timing, followed by an invalid second handshake can cause a TLS 1.3 client to crash via a null-pointer dereference. The crash happens in the application's error handling path,...

7.5 CVSS, 0.9 AI score, 0.03633 EPSS
Exploits: 1, References: 1
OpenVAS
added 2020/08/31 12:0 a.m., 11 views

Huawei EulerOS: Security Advisory for gnutls (EulerOS-SA-2020-1899)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.4 CVSS, 7.7 AI score, 0.11487 EPSS
Exploits: 3, References: 2
Tenable Nessus
added 2020/08/28 12:0 a.m., 22 views

EulerOS Virtualization for ARM 64 3.0.6.0 : gnutls (EulerOS-SA-2020-1899)

According to the versions of the gnutls packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities: - GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16)...

7.4 CVSS, 6.9 AI score, 0.11487 EPSS
Exploits: 3, References: 3
Positive Technologies
added 2020/08/20 12:0 a.m., 1 views

PT-2020-6565 · Gnutls +7

Name of the Vulnerable Software and Affected Versions: GnuTLS versions prior to 3.6.15 Description: The issue is related to a buffer overflow record in the GnuTLS library, which can cause a denial of service. A remote attacker can exploit this by triggering a NULL pointer dereference in a TLS 1.3...

7.5 CVSS, 7.5 AI score, 0.03633 EPSS
Exploits: 1, References: 57
Microsoft CVE
added 2020/08/18 12:0 a.m., 2 views

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2 and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation the TLS server always uses wrong data in place of an encryption key derived from an application.

...

7.4 CVSS, 7 AI score, 0.01213 EPSS
Exploits: 3
OpenVAS
added 2020/07/31 12:0 a.m., 10 views

Huawei EulerOS: Security Advisory for gnutls (EulerOS-SA-2020-1803)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.4 CVSS, 7.7 AI score, 0.11487 EPSS
Exploits: 3, References: 2
Tenable Nessus
added 2020/07/30 12:0 a.m., 26 views

EulerOS 2.0 SP8 : gnutls (EulerOS-SA-2020-1803)

According to the versions of the gnutls packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket a loss of confidentiality in TLS 1.2, and an authenticati...

7.4 CVSS, 6.9 AI score, 0.11487 EPSS
Exploits: 3, References: 3
Tenable Nessus
added 2020/07/21 12:0 a.m., 17 views

NewStart CGSL MAIN 6.01 : gnutls Vulnerability (NS-SA-2020-0033)

The remote NewStart CGSL host, running version MAIN 6.01, has gnutls packages installed that are affected by a vulnerability: - GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS...

7.4 CVSS, 6.9 AI score, 0.11487 EPSS
Exploits: 0, References: 2
Tenable Nessus
added 2020/06/24 12:0 a.m., 29 views

Oracle Linux 8 : gnutls (ELSA-2020-2637)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2020-2637 advisory. 3.6.8-11 - Fix CVE-2020-13777 1844147 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus h...

7.4 CVSS, 7.5 AI score, 0.01213 EPSS
Exploits: 3, References: 2
Veracode
added 2020/06/23 3:34 a.m., 19 views

Man-in-the-Middle (MitM)

gnutls is vulnerable to man-in-the-middle attack. Session resumption is allowed without the master key, allowing an attacker to perform a man-in-the-middle attack to sniff and modify network traffic...

7.4 CVSS, 4.1 AI score, 0.01213 EPSS
Exploits: 3, References: 16, Affected Software: 1