Bugzilla – Bug 802651
VUL-0: CVE-2013-1619: gnutls: 3.1.7/3.0.28/2.12.23 release (lucky thirteen 13)
Last modified: 2019-04-16 11:41:30 UTC
is public, via oss-sec and gnutls.org. CVE-2013-1619 "The GnuTLS implementation of MEE-TLS-CBC deals with bad padding in a different way to that recommended in the RFCs: instead of assuming zero-length padding, it uses the last byte of plaintext to determine how many plaintext bytes to remove (whether or not those bytes are correctly formatted padding). ... This indicates that ignoring the recommendations of the RFCs can have severe security consequences." http://www.gnutls.org/security.html#GNUTLS-SA-2013-1 http://nmav.gnutls.org/2013/02/time-is-money-for-cbc-ciphersuites.html
The SWAMPID for this issue is 51098. This issue was rated as moderate. Please submit fixed packages until 2013-02-21. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
From Matthias Weckbecker: b8391806cd79095fe566f2401d8c7ad85a64b198 seems to be the commit for GnuTLS that fixes the issue. https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0 https://gitorious.org/gnutls/gnutls/commit/b8391806cd79095fe566f2401d8c7ad85a64b198
bugbot adjusting priority
thanks for the info, Matthias. I'm working on it.
the core patch seems to be commit 328ee22c1b3951e060c7124c7cb1cee592c59bc0 Author: Nikos Mavrogiannopoulos <nmav@gnutls.org> Date: Mon Feb 4 03:08:04 2013 +0100 Fixes to avoid a timing attack in TLS CBC record parsing.
2.12.x branch has: commit 458c67cf98740e7b12404f6c30e0d5317d56fd30 Author: Nikos Mavrogiannopoulos <nmav@gnutls.org> Date: Mon Feb 4 03:08:04 2013 +0100 Fixes to avoid a timing attack in TLS CBC record parsing. and commit 93b7fcfa3297a9123630704668b2946f602b910e Author: Nikos Mavrogiannopoulos <nmav@gnutls.org> Date: Mon Feb 4 09:39:42 2013 +0100 corrected fix git diff 433bc2bdc118ac3b8a83a5fb7d41b3cecdd73cc9..93b7fcfa3297a9123630704668b2946f602b910e
Created attachment 536518 [details] extracted git patch patch from above git diff, minus unnecessary parts
Update released for: gnutls, gnutls-32bit, gnutls-64bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-devel-64bit, gnutls-x86 Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-DESKTOP 10-SP4 (i386, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: gnutls, gnutls-32bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: gnutls, gnutls-devel Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86 Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP2 (i386, x86_64) SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
openSUSE:12.1:Update: no fix openSUSE:12.2: no fix openSUSE:12.3: fix included in gnutls-3.0.28
This is an autogenerated message for OBS integration: This bug (802651) was mentioned in https://build.opensuse.org/request/show/174317 Maintenance /
This is an autogenerated message for OBS integration: This bug (802651) was mentioned in https://build.opensuse.org/request/show/174319 Maintenance / https://build.opensuse.org/request/show/174320 Maintenance /
openSUSE-SU-2013:0807-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 802651 CVE References: CVE-2013-1619 Sources used: openSUSE 12.2 (src): gnutls-3.0.20-1.4.1 openSUSE 12.1 (src): gnutls-3.0.3-5.15.1
released
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86 Products: SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64) SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Update released for: gnutls, gnutls-32bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-x86 Products: SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64) SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
SUSE-SU-2014:0320-1: An update that solves 9 vulnerabilities and has one errata is now available. Category: security (critical) Bug References: 536809,554084,659128,739898,753301,754223,802651,821818,865804,865993 CVE References: CVE-2009-5138,CVE-2011-4108,CVE-2012-0390,CVE-2012-1569,CVE-2012-1573,CVE-2013-0169,CVE-2013-1619,CVE-2013-2116,CVE-2014-0092 Sources used: SUSE Linux Enterprise Server 10 SP3 LTSS (src): gnutls-1.2.10-13.38.1
SUSE-SU-2014:0322-1: An update that solves four vulnerabilities and has two fixes is now available. Category: security (critical) Bug References: 760265,802651,821818,835760,865804,865993 CVE References: CVE-2009-5138,CVE-2013-1619,CVE-2013-2116,CVE-2014-0092 Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): gnutls-2.4.1-24.39.49.1
Update released for: gnutls, gnutls-devel Products: SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
SUSE-SU-2014:0800-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 554084,670152,802651,880730,880910 CVE References: CVE-2013-1619,CVE-2014-3466,CVE-2014-3467,CVE-2014-3468,CVE-2014-3469 Sources used: SUSE CORE 9 (src): gnutls-1.0.8-26.32