Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 727108 (CVE-2020-13777) - <net-libs/gnutls-3.6.14: Flaw in TLS session ticket key construction (CVE-2020-13777)
Summary: <net-libs/gnutls-3.6.14: Flaw in TLS session ticket key construction (CVE-202...
Status: RESOLVED FIXED
Alias: CVE-2020-13777
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://gitlab.com/gnutls/gnutls/-/is...
Whiteboard: A3 [glsa+ cleanup cve]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2020-06-04 11:12 UTC by Sam James
Modified: 2020-06-09 14:58 UTC (History)
1 user (show)

See Also:
Package list:
net-libs/gnutls-3.6.14
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James gentoo-dev Security 2020-06-04 11:12:38 UTC
Description:
"GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application."
Comment 1 Larry the Git Cow gentoo-dev 2020-06-04 13:12:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1153fd1d6db7911170bfadb36d09d25c5f946122

commit 1153fd1d6db7911170bfadb36d09d25c5f946122
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-04 12:07:02 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 13:12:00 +0000

    net-libs/gnutls: bump to v3.6.14
    
    Bug: https://bugs.gentoo.org/727108
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/gnutls/Manifest             |   1 +
 net-libs/gnutls/gnutls-3.6.14.ebuild | 132 +++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2020-06-04 15:29:01 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-06-04 15:29:38 UTC
arm stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-04 15:30:05 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-04 15:30:30 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-04 15:30:57 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-04 15:31:32 UTC
x86 stable
Comment 8 Sam James gentoo-dev Security 2020-06-05 15:46:45 UTC
arm64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-06 17:36:59 UTC
s390 stable
Comment 10 Rolf Eike Beer 2020-06-08 16:46:21 UTC
hppa stable
Comment 11 Sam James gentoo-dev Security 2020-06-09 02:22:57 UTC
@maintainer(s), please cleanup
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-06-09 14:55:07 UTC
This issue was resolved and addressed in
 GLSA 202006-01 at https://security.gentoo.org/glsa/202006-01
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Larry the Git Cow gentoo-dev 2020-06-09 14:58:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4254290cbaff26d7530a273eb9d307317f7f5f45

commit 4254290cbaff26d7530a273eb9d307317f7f5f45
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-09 14:58:22 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-09 14:58:22 +0000

    net-libs/gnutls: security cleanup
    
    Bug: https://bugs.gentoo.org/727108
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-libs/gnutls/Manifest                           |   1 -
 ...s-3.6.13-handle-expired-root-certificates.patch | 391 ---------------------
 net-libs/gnutls/gnutls-3.6.13-r1.ebuild            | 134 -------
 3 files changed, 526 deletions(-)