MGASA-2018-0435

Source
https://advisories.mageia.org/MGASA-2018-0435.html
Import Source
https://advisories.mageia.org/MGASA-2018-0435.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2018-0435
Published
2018-11-03T11:55:18Z
Modified
2018-11-03T11:29:00Z
Summary
Updated gnutls packages fix security vulnerabilities
Details

The updated packages fix security vulnerabilities:

It was found that the GnuTLS implementation of HMAC-SHA-256 and HMAC-SHA-384 was vulnerable to a Lucky Thirteen-style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets (CVE-2018-10844, CVE-2018-10845).

A cache-based side channel was found in the GnuTLS implementation that leads to plaintext recovery in a cross-VM attack setting. An attacker could combine a "Just in Time" Prime+Probe attack with a Lucky-13 attack to recover plaintext using crafted packets (CVE-2018-10846).

Affected packages

Mageia:6 / gnutls

Package

Name
gnutls
Purl
pkg:rpm/mageia/gnutls?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.5.13-1.1.mga6

Ecosystem specific

{
    "section": "core"
}