INFCSA-2024:2570: gnutls security update
Information about definition
Identificator: INFCSA-2024:2570
Type: security
Release date: 2025-09-24 19:12:50 UTC
Information about package
The gnutls package provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.
Vulnerabilities description
- CVE-2024-28834
A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.
- CVE-2024-28835
A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
|
NIST — CVE-2024-28834
|
no information | 5.3 | no information |
|
NIST — CVE-2024-28835
|
no information | 5.0 | no information |
Updated packages
Preparing to download...