** Improved counter-measures for TLS CBC record padding. Kenny Paterson, Eyal Ronen and Adi Shamir reported that the existing counter-measures had certain issues and were insufficient when the attacker has additional access to the CPU cache and performs a chosen-plaintext attack. This affected the legacy CBC ciphersuites. [CVSS: medium]
BZ#1619511 CVE-2018-10844 mingw-gnutls: gnutls: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls [fedora-all]
BZ#1619518 CVE-2018-10845 mingw-gnutls: gnutls: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant [fedora-all]
BZ#1619523 CVE-2018-10846 mingw-gnutls: gnutls: "Just in Time" PRIME + PROBE cache-based side channel attack can lead to plaintext recovery [fedora-all]
BZ#1821899 CVE-2020-11501 mingw-gnutls: gnutls: DTLS client hello contains a random value of all zeroes [fedora-all]
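The two Lucky 13 bugs listed above (too few dummy calls for HMAC-SHA-256, a wrong constant for HMAC-SHA-384) both come down to the same accounting problem: the MAC check must perform the same number of hash compression-function calls no matter how long the padding turned out to be. The model below is an added example, not gnutls code and not the fix that shipped in 3.6.3. It counts compression calls for an HMAC over a TLS CBC record, applies the usual "pad the work up to the worst case" countermeasure, and lets you feed the countermeasure a wrong length-field constant (the assumed 8-byte length field for SHA-384, whose real length field is 16 bytes) to see the work become padding-dependent again. Record sizes, the 13-byte TLS MAC header and the hash parameter table are assumptions stated in the code.

```python
# Added example (not gnutls code): count the hash compression-function calls a
# TLS CBC MAC check performs, to show how the Lucky 13 countermeasure can fail
# when it is driven by the wrong per-hash constant (the length-field size).

from typing import Dict, Optional

# Merkle-Damgard parameters: block size, length-field size, MAC output size (bytes).
HASH_PARAMS = {
    "sha256": (64, 8, 32),
    "sha384": (128, 16, 48),
}

# TLS MAC input is the 13-byte pseudo-header (seq_num, type, version, length)
# followed by the plaintext (assumed layout for this model).
TLS_MAC_HEADER_LEN = 13


def compressions(msg_len: int, block: int, len_field: int) -> int:
    """Compression calls needed to hash msg_len bytes: the message, a 0x80
    terminator, zero fill, and a len_field-byte length, rounded up to blocks."""
    return (msg_len + 1 + len_field + block - 1) // block


def hmac_inner_compressions(data_len: int, block: int, len_field: int) -> int:
    """Inner HMAC hash processes one key block (K xor ipad) followed by the data.
    The outer hash is fixed-length and does not depend on the record."""
    return compressions(block + data_len, block, len_field)


def total_compressions(record_len: int, pad_len: int, hash_name: str,
                       len_field_used: Optional[int] = None,
                       countermeasure: bool = True) -> int:
    """Compression calls actually spent verifying a record whose padding_length
    byte is pad_len. 'len_field_used' is the constant the countermeasure code
    believes the hash has; pass a wrong value to model a miscounted dummy loop."""
    block, len_field, mac_len = HASH_PARAMS[hash_name]
    if len_field_used is None:
        len_field_used = len_field
    # Plaintext = record - MAC - padding bytes - padding_length byte.
    max_data = TLS_MAC_HEADER_LEN + (record_len - mac_len - 1)        # pad_len == 0
    real_data = TLS_MAC_HEADER_LEN + (record_len - mac_len - 1 - pad_len)
    # What the hash really does, using the hash's true parameters.
    real = hmac_inner_compressions(real_data, block, len_field)
    if not countermeasure:
        return real
    # What the countermeasure thinks it must add to reach the worst case.
    believed_max = hmac_inner_compressions(max_data, block, len_field_used)
    believed_real = hmac_inner_compressions(real_data, block, len_field_used)
    dummy = max(believed_max - believed_real, 0)
    return real + dummy


def compression_profile(record_len: int, hash_name: str,
                        len_field_used: Optional[int] = None,
                        countermeasure: bool = True) -> Dict[int, int]:
    """Map every padding_length value a record of this size could carry to the
    number of compression calls the MAC check would spend on it."""
    mac_len = HASH_PARAMS[hash_name][2]
    max_pad = min(255, record_len - mac_len - 1)
    return {p: total_compressions(record_len, p, hash_name, len_field_used, countermeasure)
            for p in range(max_pad + 1)}


def leaks_padding_length(record_len: int, hash_name: str,
                         len_field_used: Optional[int] = None,
                         countermeasure: bool = True) -> bool:
    """True if the amount of hashing work depends on the padding length, i.e.
    an attacker who can time (or cache-probe) the MAC check learns something."""
    return len(set(compression_profile(record_len, hash_name, len_field_used,
                                       countermeasure).values())) > 1


if __name__ == "__main__":
    for name in HASH_PARAMS:
        print(name, "no countermeasure leaks:",
              leaks_padding_length(256, name, countermeasure=False))
        print(name, "correct constant leaks:", leaks_padding_length(256, name))
    print("sha384 with 8-byte length field assumed leaks:",
          leaks_padding_length(256, "sha384", len_field_used=8))
```

With the correct constants the work is flat across every padding length; with an 8-byte length field assumed for SHA-384 there is a band of padding lengths (for a 256-byte record, padding_length 101 through 108) where the real hash crosses a 128-byte block boundary that the dummy loop does not see, so one extra compression call leaks. Matching the compression-call count is the necessary first step but not the whole countermeasure: the 2018 paper cited below uses cache PRIME+PROBE to observe finer-grained behaviour than a coarse timing, so the MAC location lookup and the dummy work also have to avoid data-dependent memory access patterns.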
This update has been submitted for testing by mooninite.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
Hello @mooninite, thanks for the update.
The 2018 CVEs have been fixed in 3.6.3 already; did the fixes not make it to mingw-gnutls?
Release Notes: https://lists.gnupg.org/pipermail/gnutls-devel/2018-July/008584.html
External reference, mentioned e.g. in https://bugzilla.redhat.com/show_bug.cgi?id=1582572 (Red Hat issued those CVEs): https://eprint.iacr.org/2018/747
Cheers
Yes, they have been fixed for some time. I added them here so they will get closed. Sorry for the misdirection.
This update has been pushed to testing.
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by bodhi.
This update has been pushed to stable.