Bug#955556: libgnutls30: DTLS client hello contains a random value of all zeroes

Luca Boccassi bluca at debian.org
Thu Apr 2 15:49:31 BST 2020


Package: libgnutls30
Version: 3.6.3-1
Severity: important
X-Debbugs-CC: security at debian.org
Tags: security patch buster bullseye

Dear Maintainer(s),

A security issue has been identified in GnuTLS:

https://gitlab.com/gnutls/gnutls/-/issues/960
https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-03-31

It was reported in the open, so opening a bug here. There will probably
be a CVE soon-ish, as upstream requested one.

The DTLS client implementation is supposed to send a random 32-byte
token, but it sends all zeros between versions 3.6.3 and 3.6.12
included, so Buster is affected, but Stretch and earlier are not.

Upstream commit that fixes the issue:

https://gitlab.com/gnutls/gnutls/-/commit/c01011c2d8533dbbbe754e49e256c109cb848d0d

-- 
Kind regards,
Luca Boccassi
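A defender-side check for the condition this report describes, added here as an example that is not part of the original message or of GnuTLS: it parses the first record of a captured DTLS datagram, extracts the 32-byte ClientHello Random, and flags it when it is all zeroes. The `build_client_hello` helper and the sample values it produces are constructed for the demonstration only.

```python
import struct

DTLS_HANDSHAKE = 22          # record-layer ContentType for handshake messages
CLIENT_HELLO = 1             # HandshakeType client_hello
RECORD_HDR_LEN = 13          # type(1) version(2) epoch(2) seq(6) length(2)
HANDSHAKE_HDR_LEN = 12       # msg_type(1) length(3) message_seq(2) frag_offset(3) frag_len(3)

def client_hello_random(datagram: bytes):
    """Return the 32-byte Random of the DTLS ClientHello carried in the first
    record of `datagram`, or None if that record is not the first fragment of a
    ClientHello or is too short to contain the field."""
    if len(datagram) < RECORD_HDR_LEN + HANDSHAKE_HDR_LEN:
        return None
    if datagram[0] != DTLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", datagram[11:13])[0]
    hs = datagram[RECORD_HDR_LEN:RECORD_HDR_LEN + rec_len]
    if len(hs) < HANDSHAKE_HDR_LEN or hs[0] != CLIENT_HELLO:
        return None
    # Random sits at body offset 2 (after client_version); only the
    # fragment with fragment_offset == 0 carries it.
    if int.from_bytes(hs[7:10], "big") != 0:
        return None
    body = hs[HANDSHAKE_HDR_LEN:]
    if len(body) < 2 + 32:
        return None
    return body[2:34]

def has_zero_random(datagram: bytes) -> bool:
    """True when the datagram is a ClientHello whose Random is 32 zero bytes."""
    rnd = client_hello_random(datagram)
    return rnd is not None and rnd == bytes(32)

def build_client_hello(random_bytes: bytes, version: bytes = b"\xfe\xfd") -> bytes:
    """Constructed minimal DTLS 1.2 ClientHello (hypothetical helper for the demo):
    empty session_id, empty cookie, one cipher suite, null compression, no extensions."""
    body = (version + random_bytes + b"\x00" + b"\x00"      # session_id, cookie (both empty)
            + b"\x00\x02\xc0\x2b"                           # cipher_suites: one entry
            + b"\x01\x00")                                  # compression_methods: null
    hs = (bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big")
          + b"\x00\x00" + b"\x00\x00\x00" + len(body).to_bytes(3, "big") + body)
    return (bytes([DTLS_HANDSHAKE]) + version + b"\x00\x00"
            + b"\x00\x00\x00\x00\x00\x00" + len(hs).to_bytes(2, "big") + hs)
```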