Bugzilla – Bug 957568
VUL-0: CVE-2015-8313: gnutls: First byte of the padding in CBC mode is not checked
Last modified: 2016-01-12 10:54:49 UTC
via debian

Description: Fix off-by-one issue in padding check (CVE-2015-8313). This could potentially be used for padding oracle attacks against gnutls.
https://blog.hboeck.de/uploads/gnutls-2-fix-small-poodle.diff

References: http://www.debian.org/security/2015/dsa-3408
Created attachment 658081: 42_CVE-2015-8313.diff (debian patch)
SLE12 with gnutls 3.2.15 has slightly different code and is fixed. SLES 10 and SLES 11 are affected. (Actually SLES 12 is fixed better, as it has a constant-time padding check, which the old code does not have.) Issue is related to CVE-2013-1619.
https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html

SLE-11 code omits two bytes:

    if (ver >= GNUTLS_TLS1 && pad_failed == 0)
      for (i = 2; i < pad; i++)
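To make the effect of that loop bound concrete, here is an added C example (written for this page, not gnutls code and not taken from the Debian patch). It models TLS 1.x CBC padding validation on an already-decrypted record body and runs three checkers over the same constructed records: the loop shape quoted above (i < pad), the same loop with the bound corrected to i <= pad, and a mask-based constant-time check of the kind the SLES 12 comment refers to (my own illustration, not gnutls 3.2.x code). Assumptions not shown on the page: `pad` is taken to be the last byte plus one, i.e. the padding bytes plus the length byte, as in gnutls 2.x; the MAC is assumed to be 20 bytes; the record bodies are constructed in `build_record` and are not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 20 /* assumed MAC size for the constructed sample (e.g. HMAC-SHA1) */

/* Loop shape from the bug report: starts at i = 2, stops at i < pad.
 * With pad = last byte + 1 (assumed gnutls 2.x convention), the byte at
 * data[len - pad], the first padding byte, is never compared. */
static int check_padding_flawed(const uint8_t *data, size_t len, size_t mac_len)
{
    if (len < mac_len + 1)
        return 0;
    size_t pad = (size_t)data[len - 1] + 1;
    if (pad > len - mac_len)
        return 0;                      /* padding would overlap the MAC */
    for (size_t i = 2; i < pad; i++)
        if (data[len - i] != data[len - 1])
            return 0;
    return 1;
}

/* Same loop with the bound covering every padding byte (i <= pad). */
static int check_padding_fixed(const uint8_t *data, size_t len, size_t mac_len)
{
    if (len < mac_len + 1)
        return 0;
    size_t pad = (size_t)data[len - 1] + 1;
    if (pad > len - mac_len)
        return 0;
    for (size_t i = 2; i <= pad; i++)
        if (data[len - i] != data[len - 1])
            return 0;                  /* early exit: still a timing signal */
    return 1;
}

/* 0xFF when a < b, else 0x00; no branches (a and b below 2^31). */
static uint8_t ct_lt(uint32_t a, uint32_t b)
{
    return (uint8_t)(0u - ((a - b) >> 31));
}

/* Constant-time variant (illustration only): every candidate padding byte
 * is examined, mismatches are OR-ed into a mask, and nothing branches on
 * secret bytes. Only the record length, which is public, affects the work. */
static int check_padding_ct(const uint8_t *data, size_t len, size_t mac_len)
{
    if (len < mac_len + 1)
        return 0;
    uint32_t n = data[len - 1];                   /* claimed padding length */
    uint32_t avail = (uint32_t)(len - mac_len);   /* room for n + 1 bytes */
    uint8_t ok = ct_lt(n, avail);                 /* n + 1 <= avail */
    uint32_t scan = len < 256 ? (uint32_t)len : 256;
    uint8_t diff = 0;
    for (uint32_t j = 0; j < scan; j++) {
        uint8_t in_pad = ct_lt(j, n + 1);         /* byte j from the end is padding */
        diff |= in_pad & (data[len - 1 - j] ^ (uint8_t)n);
    }
    uint8_t bad = (uint8_t)(0u - (((uint32_t)diff + 0xFFu) >> 8)); /* 0xFF if any mismatch */
    return (ok & (uint8_t)~bad) & 1;
}

/* Constructed sample (not captured traffic): plaintext "hi", a dummy
 * 20-byte MAC of 0xAA, then n padding bytes equal to n and the length
 * byte n. Optionally corrupts the first padding byte. Returns the length. */
static size_t build_record(uint8_t *out, uint8_t n, int corrupt_first_pad_byte)
{
    size_t len = 0;
    out[len++] = 'h';
    out[len++] = 'i';
    memset(out + len, 0xAA, MAC_LEN);
    len += MAC_LEN;
    memset(out + len, n, (size_t)n + 1);  /* n padding bytes + length byte */
    if (corrupt_first_pad_byte && n > 0)
        out[len] ^= 0xFF;                 /* the byte furthest from the end */
    len += (size_t)n + 1;
    return len;
}

/* Run one checker over one constructed record; 1 = accepted, 0 = rejected. */
static int result_for(int (*check)(const uint8_t *, size_t, size_t),
                      uint8_t n, int corrupt_first_pad_byte)
{
    uint8_t rec[2 + MAC_LEN + 256];
    size_t len = build_record(rec, n, corrupt_first_pad_byte);
    return check(rec, len, MAC_LEN);
}

int main(void)
{
    const char *names[] = { "flawed (i < pad)", "fixed (i <= pad)", "constant-time" };
    int (*checks[])(const uint8_t *, size_t, size_t) =
        { check_padding_flawed, check_padding_fixed, check_padding_ct };
    for (int c = 0; c < 3; c++)
        printf("%-18s intact n=3: %d  corrupted n=3: %d  corrupted n=1: %d\n", names[c],
               result_for(checks[c], 3, 0), result_for(checks[c], 3, 1),
               result_for(checks[c], 1, 1));
    return 0;
}
```

The flawed loop accepts a record whose first padding byte has been altered, while both other checkers reject it; with a single padding byte (n = 1) the flawed loop does not inspect any padding byte at all. The constant-time variant additionally avoids the early exit that leaks, through timing, how many padding bytes matched.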
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Dec. 16, 2015". When done, reassign the bug to "security-team@suse.de". /update/121076/.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-12-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62360
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-12-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62361
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-12-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62362
SUSE-SU-2016:0077-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 924828,947271,957568
CVE References: CVE-2015-2806,CVE-2015-8313
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Server 11-SP4 (src): gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Server 11-SP3 (src): gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise High Availability Extension 11-SP4 (src): gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise High Availability Extension 11-SP3 (src): gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Desktop 11-SP4 (src): gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Desktop 11-SP3 (src): gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): gnutls-2.4.1-24.39.60.1