Univention Bugzilla – Bug 48174
gnutls28: Multiple issues (4.3)
Last modified: 2018-11-21 15:21:26 CET
New Debian gnutls28 3.5.8-5+deb9u4 fixes:

This update addresses the following issues:
* HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (CVE-2018-10844)
* HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (CVE-2018-10845)
* "Just in Time" PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (CVE-2018-10846)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/gnutls28_3.5.8-5+deb9u3.dsc +++ apt/ucs_4.3-0-errata4.3-2/source/gnutls28_3.5.8-5+deb9u4.dsc @@ -1,3 +1,12 @@ +3.5.8-5+deb9u4 [Sat, 06 Oct 2018 14:06:18 +0200] Andreas Metzler <ametzler@debian.org>: + + * Pull fixes for CVE-2018-10844 and CVE-2018-10845 from gnutls 3.5.19 + + 39_01-dummy_wait-correctly-account-the-length-field-in-SHA.patch + + 39_02-dummy_wait-always-hash-the-same-amount-of-blocks-tha.patch + + 39_03-cbc_mac_verify-require-minimum-padding-under-SSL3.0.patch + + 39_04-hmac-sha384-and-sha256-ciphersuites-were-removed-fro.patch + + 39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch + 3.5.8-5+deb9u3 [Sun, 23 Jul 2017 14:28:37 +0200] Andreas Metzler <ametzler@debian.org>: * 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch <http://10.200.17.11/4.3-2/#2201705822003174974>
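Review bot: The added 3.5.8-5+deb9u4 changelog entry names only CVE-2018-10844 and CVE-2018-10845, while the description of this update also lists CVE-2018-10846 as addressed. The entry does not say which of the five 39_0x patches, if any, covers CVE-2018-10846, so the third CVE claim cannot be checked from the changelog alone. Before release, confirm against the patch contents that CVE-2018-10846 is fixed in this version and record the covering patch in the erratum, or drop that CVE from the description. Note also that 39_05-tests-pkcs12_encode-fix-test-for-SHA512.patch is a test fix rather than a security fix, going by its name, and should not be counted toward CVE coverage.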
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-2] b77be1cd36 Bug #48174: gnutls28 3.5.8-5+deb9u4
 doc/errata/staging/gnutls28.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
<http://errata.software-univention.de/ucs/4.3/317.html>