Bug#1121146: gnutls28: CVE-2025-9820

Salvatore Bonaccorso carnil at debian.org
Fri Nov 21 19:08:30 GMT 2025


Source: gnutls28
Version: 3.8.10-3
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/gnutls/gnutls/-/issues/1732
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for gnutls28.

CVE-2025-9820[0]:
| GNUTLS-SA-2025-11-18: When a PKCS#11 token is initialized with
| gnutls_pkcs11_token_init function and it is passed a token label
| longer than 32 characters, it may write past the boundary of stack
| allocated memory.

As we compile with -D_FORTIFY_SOURCE=2 it should be effectively
mitigated already but still might be worth bringing the fix in. But
no urgency IMHO, your take?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-9820
    https://www.cve.org/CVERecord?id=CVE-2025-9820
[1] https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18
[2] https://gitlab.com/gnutls/gnutls/-/issues/1732

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
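An added illustration, not GnuTLS code and not the upstream fix referenced in the linked issue, of the bug shape the advisory describes: a PKCS#11 token label is a fixed 32-byte, blank-padded field, so a copy that trusts the caller's label length can overrun a 32-byte stack buffer, whereas a version that checks the length first simply rejects over-long labels. Function names are hypothetical.

```c
/* Illustration only (not GnuTLS code): PKCS#11 token labels are fixed
 * 32-byte fields padded with blanks.  A copy that trusts the caller's
 * label length can overrun a stack buffer of that size; the checked
 * version below refuses labels that do not fit. */
#include <stddef.h>
#include <string.h>

#define PKCS11_LABEL_LEN 32

/* Hypothetical helper: format a C string as a PKCS#11 label.
 * Returns 0 on success, -1 if the label is longer than 32 bytes. */
int pkcs11_format_label(unsigned char out[PKCS11_LABEL_LEN],
                        const char *label)
{
    size_t n = strlen(label);
    if (n > PKCS11_LABEL_LEN)
        return -1;                        /* reject instead of overflowing */
    memset(out, ' ', PKCS11_LABEL_LEN);   /* PKCS#11 pads labels with spaces */
    memcpy(out, label, n);                /* n <= 32, so this stays in bounds */
    return 0;
}

/* Hypothetical caller mirroring the bug shape: the formatted label
 * lands in a 32-byte stack buffer.  Returns the number of trailing
 * blank bytes in that buffer, or -1 when the label was rejected. */
int count_padding(const char *label)
{
    unsigned char buf[PKCS11_LABEL_LEN];  /* fixed-size stack buffer */
    int pad = 0;

    if (pkcs11_format_label(buf, label) != 0)
        return -1;
    for (int i = PKCS11_LABEL_LEN - 1; i >= 0 && buf[i] == ' '; i--)
        pad++;
    return pad;
}
```

With the length check in place, a 33-byte label returns an error rather than writing past `buf`; without it, -D_FORTIFY_SOURCE=2 would only catch the overrun at run time when the destination size is known to the compiler.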
