GnuTLS: Information disclosure — GLSA 202006-01

An information disclosure vulnerability in GnuTLS allows remote attackers to obtain sensitive information.

Affected packages

net-libs/gnutls on all architectures
Affected versions < 3.6.14
Unaffected versions >= 3.6.14

Background

GnuTLS is an Open Source implementation of the TLS and SSL protocols.

Description

A flaw was reported in the TLS session ticket key construction in GnuTLS.

Impact

A remote attacker could recover previous conversations in TLS 1.2 and obtain sensitive information or conduct a man-in-the-middle attack to bypass authentication in TLS 1.3.

Workaround

There is no known workaround at this time.

Resolution

All GnuTLS users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/gnutls-3.6.14"
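
To confirm whether a host still needs the upgrade, a version string can be compared against the fixed release 3.6.14; the script below is an added example, not part of the advisory. The function names and sample versions are constructed for illustration, and the optional live check assumes `pkg-config` and the GnuTLS `.pc` file are installed.

```shell
#!/bin/sh
# Added example, not part of the GLSA.
FIXED_VERSION="3.6.14"   # first unaffected version, taken from the advisory

# version_lt A B: succeeds if dotted numeric version A is lower than B.
# Fields are compared as integers, so 3.6.9 sorts below 3.6.14.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal
}

# gnutls_is_affected VERSION: 0 = affected, 1 = not affected, 2 = unparseable.
gnutls_is_affected() {
    v=${1%%-*}                       # drop a Gentoo revision suffix such as -r1
    case "$v" in
        ""|*[!0-9.]*) return 2 ;;    # refuse anything that is not digits and dots
    esac
    version_lt "$v" "$FIXED_VERSION"
}

# report VERSION: print a one-line verdict for the given version string.
report() {
    gnutls_is_affected "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: affected (< $FIXED_VERSION), upgrade" ;;
        1) echo "$1: not affected" ;;
        *) echo "$1: cannot parse version" ;;
    esac
}

# Constructed sample versions, not output from a real system.
for sample in 3.6.9 3.6.13-r1 3.6.14 3.7.0; do report "$sample"; done

# Optional live check (assumes pkg-config can find gnutls.pc).
if command -v pkg-config >/dev/null 2>&1; then
    installed=$(pkg-config --modversion gnutls 2>/dev/null) || installed=""
    if [ -n "$installed" ]; then report "$installed"; fi
fi
```

Processes that loaded the old library before the upgrade keep using it until they are restarted.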
 

References

Release date
June 09, 2020

Latest revision
June 09, 2020: 1

Severity
normal

Exploitable
remote

Bugzilla entries