[Git][security-tracker-team/security-tracker][master] Track CVE-2018-10846/gnutls28 as fixed in unstable and stable
Salvatore Bonaccorso
carnil at debian.org
Sat Nov 17 14:59:40 GMT 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3527be5e by Salvatore Bonaccorso at 2018-11-17T14:59:20Z
Track CVE-2018-10846/gnutls28 as fixed in unstable and stable
This is not fully correct but upstream does not plan to do further
changes. The full set of changes needed to fix CVE-2018-10846 would be
as in the upstream merge request
https://gitlab.com/gnutls/gnutls/merge_requests/657 .
Those changes were backported (as possible) for 3.5.x and 3.3.x as with
3.5.19 and 3.3.30 respectively.
Respective merge requests:
https://gitlab.com/gnutls/gnutls/merge_requests/663 (3_5_X)
https://gitlab.com/gnutls/gnutls/merge_requests/676 (3_3_X)
The stable upload done as 3.5.8-5+deb9u4 contains all those changes as
proposed for in MR663.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -22017,13 +22017,15 @@ CVE-2018-10847 (prosody before versions 0.10.2, 0.9.14 is vulnerable to an ...)
CVE-2018-10846 (A cache-based side channel in GnuTLS implementation that leads to ...)
{DLA-1560-1}
[experimental] - gnutls28 3.6.3-1
- - gnutls28 <unfixed>
+ - gnutls28 3.5.19-1
+ [stretch] - gnutls28 3.5.8-5+deb9u4
- gnutls26 <removed>
NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657
NOTE: https://gitlab.com/gnutls/gnutls/commit/ce671a6db9e47006cff152d485091141b1569f39 (master)
NOTE: The proposed fix is to introduce a new option to force encrypt-then-mac
NOTE: instead of correcting the issue.
NOTE: https://eprint.iacr.org/2018/747
+ NOTE: Backport of the MR657 to 3.5.x: https://gitlab.com/gnutls/gnutls/merge_requests/663
CVE-2018-10845 (It was found that the GnuTLS implementation of HMAC-SHA-384 was ...)
{DLA-1560-1}
- gnutls28 3.5.19-1
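Review bot: the caveat from the commit message, that tracking this as fixed is "not fully correct", is not recorded in the CVE-2018-10846 entry itself, so anyone reading data/CVE/list sees "- gnutls28 3.5.19-1" and "[stretch] - gnutls28 3.5.8-5+deb9u4" as an unqualified fix. Consider adding a NOTE beside the new MR663 line saying that the fixed versions carry the backport of MR657 as far as possible and that upstream plans no further changes. The commit message also names https://gitlab.com/gnutls/gnutls/merge_requests/676 as the 3.3.x backport; a matching NOTE for it next to the MR663 one would keep the entry consistent with the message.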
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3527be5e9426814180cf2983b91e90b7a84e4d8a