Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 727108 (CVE-2020-13777) - <net-libs/gnutls-3.6.14: Flaw in TLS session ticket key construction (CVE-2020-13777)
Summary: <net-libs/gnutls-3.6.14: Flaw in TLS session ticket key construction (CVE-202...
Status: RESOLVED FIXED
Alias: CVE-2020-13777
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://gitlab.com/gnutls/gnutls/-/is...
Whiteboard: A3 [glsa+ cleanup cve]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2020-06-04 11:12 UTC by Sam James
Modified: 2020-06-09 14:58 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/gnutls-3.6.14
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 11:12:38 UTC 
Description:
"GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application."
Comment 1 Larry the Git Cow gentoo-dev 2020-06-04 13:12:11 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1153fd1d6db7911170bfadb36d09d25c5f946122

commit 1153fd1d6db7911170bfadb36d09d25c5f946122
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-04 12:07:02 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 13:12:00 +0000

    net-libs/gnutls: bump to v3.6.14
    
    Bug: https://bugs.gentoo.org/727108
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/gnutls/Manifest             |   1 +
 net-libs/gnutls/gnutls-3.6.14.ebuild | 132 +++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2020-06-04 15:29:01 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-06-04 15:29:38 UTC 
arm stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-04 15:30:05 UTC 
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-04 15:30:30 UTC 
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-04 15:30:57 UTC 
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-04 15:31:32 UTC 
x86 stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-05 15:46:45 UTC 
arm64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-06 17:36:59 UTC 
s390 stable
Comment 10 Rolf Eike Beer archtester 2020-06-08 16:46:21 UTC 
hppa stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 02:22:57 UTC 
@maintainer(s), please cleanup
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-06-09 14:55:07 UTC 
This issue was resolved and addressed in
 GLSA 202006-01 at https://security.gentoo.org/glsa/202006-01
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Larry the Git Cow gentoo-dev 2020-06-09 14:58:29 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4254290cbaff26d7530a273eb9d307317f7f5f45

commit 4254290cbaff26d7530a273eb9d307317f7f5f45
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-09 14:58:22 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-09 14:58:22 +0000

    net-libs/gnutls: security cleanup
    
    Bug: https://bugs.gentoo.org/727108
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/gnutls/Manifest                           |   1 -
 ...s-3.6.13-handle-expired-root-certificates.patch | 391 ---------------------
 net-libs/gnutls/gnutls-3.6.13-r1.ebuild            | 134 -------
 3 files changed, 526 deletions(-)