Use of a Broken or Risky Cryptographic Algorithm Affecting gnutls28 package, versions <3.5.8-5+deb9u4


0.0
medium

Snyk CVSS

    Attack Complexity High
    Confidentiality High

    Threat Intelligence

    EPSS 0.51% (77th percentile)
Expand this section
NVD
5.9 medium
Expand this section
SUSE
5.3 medium
Expand this section
Red Hat
5.9 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN9-GNUTLS28-340601
  • published 25 Sep 2018
  • disclosed 22 Aug 2018

How to fix?

Upgrade Debian:9 gnutls28 to version 3.5.8-5+deb9u4 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:9 relevant fixed versions and status.

It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.