
Bug 727108 (CVE-2020-13777)

Summary: <net-libs/gnutls-3.6.14: Flaw in TLS session ticket key construction (CVE-2020-13777)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system
Priority: Normal
Keywords: CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
URL: https://gitlab.com/gnutls/gnutls/-/issues/1011
Whiteboard: A3 [glsa+ cleanup cve]
Package list:
net-libs/gnutls-3.6.14
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 11:12:38 UTC
Description:
"GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application."
Comment 1 Larry the Git Cow gentoo-dev 2020-06-04 13:12:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1153fd1d6db7911170bfadb36d09d25c5f946122

commit 1153fd1d6db7911170bfadb36d09d25c5f946122
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-04 12:07:02 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 13:12:00 +0000

    net-libs/gnutls: bump to v3.6.14
    
    Bug: https://bugs.gentoo.org/727108
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/gnutls/Manifest             |   1 +
 net-libs/gnutls/gnutls-3.6.14.ebuild | 132 +++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2020-06-04 15:29:01 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-06-04 15:29:38 UTC
arm stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-04 15:30:05 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-04 15:30:30 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-04 15:30:57 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-04 15:31:32 UTC
x86 stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-05 15:46:45 UTC
arm64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-06 17:36:59 UTC
s390 stable
Comment 10 Rolf Eike Beer archtester 2020-06-08 16:46:21 UTC
hppa stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 02:22:57 UTC
@maintainer(s), please clean up
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-06-09 14:55:07 UTC
This issue was resolved and addressed in GLSA 202006-01 at https://security.gentoo.org/glsa/202006-01 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Larry the Git Cow gentoo-dev 2020-06-09 14:58:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4254290cbaff26d7530a273eb9d307317f7f5f45

commit 4254290cbaff26d7530a273eb9d307317f7f5f45
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-09 14:58:22 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-09 14:58:22 +0000

    net-libs/gnutls: security cleanup
    
    Bug: https://bugs.gentoo.org/727108
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/gnutls/Manifest                           |   1 -
 ...s-3.6.13-handle-expired-root-certificates.patch | 391 ---------------------
 net-libs/gnutls/gnutls-3.6.13-r1.ebuild            | 134 -------
 3 files changed, 526 deletions(-)