Security update for gnutls SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2546-1 Final 1 1 2024-07-17T12:44:32Z current 2024-07-17T12:44:32Z 2024-07-17T12:44:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gnutls This update for gnutls fixes the following issues: - CVE-2024-28835: Fixed a certtool crash when verifying a certificate chain (bsc#1221747). - CVE-2024-28834: Fixed a side-channel attack in the deterministic ECDSA (bsc#1221746). Other fixes: - Fixed a memory leak when using the entropy collector (bsc#1221242). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP4-Micro-5-3-2024-2546,Image SLES15-SP4-Micro-5-3-BYOS-2024-2546,Image SLES15-SP4-Micro-5-3-BYOS-Azure-2024-2546,Image SLES15-SP4-Micro-5-3-BYOS-EC2-2024-2546,Image SLES15-SP4-Micro-5-3-BYOS-GCE-2024-2546,Image SLES15-SP4-Micro-5-3-EC2-2024-2546,SUSE-2024-2546,SUSE-SLE-Micro-5.3-2024-2546 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242546-1/ Link for SUSE-SU-2024:2546-1 https://lists.suse.com/pipermail/sle-security-updates/2024-July/018994.html E-Mail link for SUSE-SU-2024:2546-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1221242 SUSE Bug 1221242 https://bugzilla.suse.com/1221746 SUSE Bug 1221746 https://bugzilla.suse.com/1221747 SUSE Bug 1221747 https://www.suse.com/security/cve/CVE-2024-28834/ SUSE CVE CVE-2024-28834 page https://www.suse.com/security/cve/CVE-2024-28835/ SUSE CVE CVE-2024-28835 page Image SLES15-SP4-Micro-5-3 Image SLES15-SP4-Micro-5-3-BYOS Image SLES15-SP4-Micro-5-3-BYOS-Azure Image SLES15-SP4-Micro-5-3-BYOS-EC2 Image SLES15-SP4-Micro-5-3-BYOS-GCE Image SLES15-SP4-Micro-5-3-EC2 SUSE Linux Enterprise Micro 5.3 libgnutls30-3.7.3-150400.8.1 gnutls-3.7.3-150400.8.1 gnutls-guile-3.7.3-150400.8.1 libgnutls-devel-3.7.3-150400.8.1 libgnutls-devel-64bit-3.7.3-150400.8.1 libgnutls30-64bit-3.7.3-150400.8.1 libgnutls30-hmac-3.7.3-150400.8.1 libgnutls30-hmac-64bit-3.7.3-150400.8.1 libgnutlsxx-devel-3.7.3-150400.8.1 libgnutlsxx28-3.7.3-150400.8.1 libgnutls30-3.7.3-150400.8.1 as a component of Image SLES15-SP4-Micro-5-3 libgnutls30-3.7.3-150400.8.1 as a component of Image SLES15-SP4-Micro-5-3-BYOS libgnutls30-3.7.3-150400.8.1 as a component of Image SLES15-SP4-Micro-5-3-BYOS-Azure libgnutls30-3.7.3-150400.8.1 as a component of Image SLES15-SP4-Micro-5-3-BYOS-EC2 libgnutls30-3.7.3-150400.8.1 as a component of Image SLES15-SP4-Micro-5-3-BYOS-GCE libgnutls30-3.7.3-150400.8.1 as a component of Image SLES15-SP4-Micro-5-3-EC2 gnutls-3.7.3-150400.8.1 as a component of SUSE Linux Enterprise Micro 5.3 libgnutls30-3.7.3-150400.8.1 as a component of SUSE Linux Enterprise Micro 5.3 libgnutls30-hmac-3.7.3-150400.8.1 as a component of SUSE Linux Enterprise Micro 5.3 A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel. CVE-2024-28834 Image SLES15-SP4-Micro-5-3-BYOS-Azure:libgnutls30-3.7.3-150400.8.1 Image SLES15-SP4-Micro-5-3-BYOS-EC2:libgnutls30-3.7.3-150400.8.1 Image SLES15-SP4-Micro-5-3-BYOS-GCE:libgnutls30-3.7.3-150400.8.1 Image SLES15-SP4-Micro-5-3-BYOS:libgnutls30-3.7.3-150400.8.1 Image SLES15-SP4-Micro-5-3-EC2:libgnutls30-3.7.3-150400.8.1 Image SLES15-SP4-Micro-5-3:libgnutls30-3.7.3-150400.8.1 SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1 SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1 SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242546-1/ https://www.suse.com/security/cve/CVE-2024-28834.html CVE-2024-28834 https://bugzilla.suse.com/1221746 SUSE Bug 1221746 A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command. CVE-2024-28835 Image SLES15-SP4-Micro-5-3-BYOS-Azure:libgnutls30-3.7.3-150400.8.1 Image SLES15-SP4-Micro-5-3-BYOS-EC2:libgnutls30-3.7.3-150400.8.1 Image SLES15-SP4-Micro-5-3-BYOS-GCE:libgnutls30-3.7.3-150400.8.1 Image SLES15-SP4-Micro-5-3-BYOS:libgnutls30-3.7.3-150400.8.1 Image SLES15-SP4-Micro-5-3-EC2:libgnutls30-3.7.3-150400.8.1 Image SLES15-SP4-Micro-5-3:libgnutls30-3.7.3-150400.8.1 SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1 SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1 SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242546-1/ https://www.suse.com/security/cve/CVE-2024-28835.html CVE-2024-28835 https://bugzilla.suse.com/1221747 SUSE Bug 1221747