CVE-2024-28834: A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel. CVE-2024-28835: A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14ac036c44d51f04f0bb797c152ab1db6c2b684b commit 14ac036c44d51f04f0bb797c152ab1db6c2b684b Author: Sam James <sam@gentoo.org> AuthorDate: 2024-04-15 06:41:26 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-04-15 06:51:32 +0000 net-libs/gnutls: add 3.8.5 Bug: https://bugs.gentoo.org/927557 Signed-off-by: Sam James <sam@gentoo.org> net-libs/gnutls/Manifest | 2 + net-libs/gnutls/gnutls-3.8.5.ebuild | 149 ++++++++++++++++++++++++++++++++++++ 2 files changed, 151 insertions(+)
Depending on the test failure since that'll be a predecessor to a newer stablereq anyway...