Bug 1221746 (CVE-2024-28834)

Summary: VUL-0: CVE-2024-28834: gnutls: side-channel in the deterministic ECDSA
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo, camila.matos, otto.hollmann, pmonrealgonzalez
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/398337/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-28834:5.3:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2024-03-20 09:52:18 UTC 
libgnutls: Fix side-channel in the deterministic ECDSA. Reported by 
George Pantelakis (#1516). [GNUTLS-SA-2023-12-04, CVSS: medium] 
[CVE-2024-28834]

https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
Comment 1 Pedro Monreal Gonzalez 2024-03-20 10:28:38 UTC 
Uostream: https://gitlab.com/gnutls/gnutls/commit/1c4701ff
Comment 2 Andrea Mattiazzo 2024-03-29 17:19:51 UTC 
deterministic ECDSA/DSA functions was introduced in https://gitlab.com/gnutls/gnutls/-/commit/e94ab6b703ee50ea020565e1b8729a9b1d524d84
and https://gitlab.com/gnutls/gnutls/-/commit/8eb3a29336ea11f6b417ce7e25d53513509bdd87.

https://gitlab.com/gnutls/gnutls/-/issues/94


So considering not affected version before 3.6.10.

Tracking as affected:
- SUSE:ALP:Source:Standard:1.0/gnutls
- SUSE:SLE-15-SP4:Update/gnutls
- SUSE:SLE-15-SP4:Update:Products:Micro53:Update/gnutls

Already fixed:
- openSUSE:Factory/gnutls
Comment 7 Maintenance Automation 2024-04-12 16:30:13 UTC 
SUSE-SU-2024:1271-1: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1221242, 1221746, 1221747
CVE References: CVE-2024-28834, CVE-2024-28835
Maintenance Incident: [SUSE:Maintenance:33311](https://smelt.suse.de/incident/33311/)
Sources used:
openSUSE Leap Micro 5.4 (src):
 gnutls-3.7.3-150400.4.44.1
openSUSE Leap 15.5 (src):
 gnutls-3.7.3-150400.4.44.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 gnutls-3.7.3-150400.4.44.1
SUSE Linux Enterprise Micro 5.4 (src):
 gnutls-3.7.3-150400.4.44.1
SUSE Linux Enterprise Micro 5.5 (src):
 gnutls-3.7.3-150400.4.44.1
Basesystem Module 15-SP5 (src):
 gnutls-3.7.3-150400.4.44.1
openSUSE Leap 15.4 (src):
 gnutls-3.7.3-150400.4.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-06-03 16:30:49 UTC 
SUSE-SU-2024:1271-2: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1221242, 1221746, 1221747
CVE References: CVE-2024-28834, CVE-2024-28835
Maintenance Incident: [SUSE:Maintenance:33311](https://smelt.suse.de/incident/33311/)
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 gnutls-3.7.3-150400.4.44.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 gnutls-3.7.3-150400.4.44.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 gnutls-3.7.3-150400.4.44.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 gnutls-3.7.3-150400.4.44.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 gnutls-3.7.3-150400.4.44.1
SUSE Manager Proxy 4.3 (src):
 gnutls-3.7.3-150400.4.44.1
SUSE Manager Retail Branch Server 4.3 (src):
 gnutls-3.7.3-150400.4.44.1
SUSE Manager Server 4.3 (src):
 gnutls-3.7.3-150400.4.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2024-07-17 16:30:03 UTC 
SUSE-SU-2024:2546-1: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1221242, 1221746, 1221747
CVE References: CVE-2024-28834, CVE-2024-28835
Maintenance Incident: [SUSE:Maintenance:34785](https://smelt.suse.de/incident/34785/)
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 gnutls-3.7.3-150400.8.1
SUSE Linux Enterprise Micro 5.3 (src):
 gnutls-3.7.3-150400.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.