Bug#969547: gnutls28: CVE-2020-24659: GNUTLS-SA-2020-09-04
Salvatore Bonaccorso
carnil at debian.org
Fri Sep 4 19:35:41 BST 2020
Source: gnutls28
Version: 3.6.14-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/gnutls/gnutls/-/issues/1071
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for gnutls28.
CVE-2020-24659[0]:
| An issue was discovered in GnuTLS before 3.6.15. A server can trigger
| a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation
| alert is sent with unexpected timing, and then an invalid second
| handshake occurs. The crash happens in the application's error
| handling path, where the gnutls_deinit function is called after
| detecting a handshake failure.
If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ID in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-24659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24659
[1] https://gitlab.com/gnutls/gnutls/-/issues/1071
[2] https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
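The report asks the maintainer to adjust the affected versions in the BTS, which comes down to ordering Debian version strings (here "3.6.14-2") against the upstream version that carries the fix ("before 3.6.15"). The following Python is an added example and not part of the bug report or of the gnutls28 package; it reimplements the dpkg version ordering (epoch, then upstream version, then Debian revision, with "~" sorting before the empty string) and uses it to test whether a given package version predates the upstream fix. The version strings in the tests are taken from the report; the helper names are the example's own.

```python
"""Compare Debian package versions to decide if a version predates an upstream fix.

Added example for the CVE-2020-24659 report: it reimplements the dpkg
version ordering so the check runs without dpkg installed. On a Debian
system `dpkg --compare-versions 3.6.14-2 lt 3.6.15` gives the same answer.
"""

# Upstream version that carries the fix, as stated in the CVE text
# ("An issue was discovered in GnuTLS before 3.6.15").
FIXED_UPSTREAM = "3.6.15"


def _order(ch):
    """Sort weight of one character in a non-digit run, as dpkg defines it:
    '~' sorts before everything (even end-of-string), letters sort before
    other punctuation, and digits/end-of-string get weight 0."""
    if ch == "" or ch.isdigit():
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments (upstream part or Debian revision).
    Alternates between a non-digit run and a numeric run, like dpkg's verrevcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character-by-character by dpkg weight.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Numeric run: leading zeros are insignificant, longer number wins.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b in dpkg ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _cmp_fragment(ua, ub)
    if result:
        return result
    return _cmp_fragment(ra, rb)


def predates_fix(package_version, fixed_upstream=FIXED_UPSTREAM):
    """True when the package's upstream version is older than the fixed release."""
    return compare_versions(package_version, fixed_upstream) < 0


if __name__ == "__main__":
    for candidate in ("3.6.14-2", "3.6.15~rc1-1", "3.6.15-1", "1:3.6.14-2"):
        print(candidate, "predates upstream fix:", predates_fix(candidate))
```

This only answers whether the upstream version string is older than 3.6.15. Debian security updates usually backport the fix without bumping the upstream version, so for an installed Debian binary the security tracker entry linked above and the package changelog are the authoritative sources, not the version number alone. The epoch case in the usage loop ("1:3.6.14-2") shows why the comparison must honour epochs first: a version with an epoch is never "older" than one without, whatever the upstream digits say.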