FEDORA-2020-f90fb78f70 created by mooninite 3 months ago for Fedora 32
stable

How to install

sudo dnf upgrade --advisory=FEDORA-2020-f90fb78f70

This update has been submitted for testing by mooninite.

3 months ago

This update's test gating status has been changed to 'waiting'.

3 months ago

This update's test gating status has been changed to 'ignored'.

3 months ago
bynt commented & provided feedback 3 months ago

hello @mooninite, thanks for the update.

The 2018 CVEs have been fixed in 3.6.3 already, did the fixes not make it to mingw-gnutls?

Release Notes: https://lists.gnupg.org/pipermail/gnutls-devel/2018-July/008584.html

** Improved counter-measures for TLS CBC record padding.

Kenny Paterson, Eyal Ronen and Adi Shamir reported that the existing counter-measures had certain issues and were insufficient when the attacker has additional access to the CPU cache and performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium]

External reference, mentioned e.g. in https://bugzilla.redhat.com/show_bug.cgi?id=1582572 (Red Hat issued those CVEs): https://eprint.iacr.org/2018/747

Pseudo Constant Time Implementations of TLS Are Only Pseudo Secure

Eyal Ronen and Kenneth G. Paterson and Adi Shamir

Cheers

mooninite commented & provided feedback 3 months ago

Yes, they have been fixed for some time. I added them here so they will get closed. Sorry for the misdirection.

This update has been pushed to testing.

3 months ago

This update can be pushed to stable now if the maintainer wishes

2 months ago

This update has been submitted for stable by bodhi.

2 months ago

This update has been pushed to stable.

2 months ago


Metadata
Type: security
Severity: high
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 1
Stable by Time: 7 days
Dates
submitted: 3 months ago
in testing: 3 months ago
in stable: 2 months ago
BZ#1619511 CVE-2018-10844 mingw-gnutls: gnutls: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls [fedora-all]
BZ#1619518 CVE-2018-10845 mingw-gnutls: gnutls: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant [fedora-all]
BZ#1619523 CVE-2018-10846 mingw-gnutls: gnutls: "Just in Time" PRIME + PROBE cache-based side channel attack can lead to plaintext recovery [fedora-all]
BZ#1821899 CVE-2020-11501 mingw-gnutls: gnutls: DTLS client hello contains a random value of all zeroes [fedora-all]
