csaf_suse - suse-su-2024:2546-1

suse-su-2024:2546-1

Vulnerability from csaf_suse

Published

2024-07-17 12:44

Modified

2024-07-17 12:44

Summary

Security update for gnutls

Notes

Title of the patch

Security update for gnutls

Description of the patch

This update for gnutls fixes the following issues: - CVE-2024-28835: Fixed a certtool crash when verifying a certificate chain (bsc#1221747). - CVE-2024-28834: Fixed a side-channel attack in the deterministic ECDSA (bsc#1221746). Other fixes: - Fixed a memory leak when using the entropy collector (bsc#1221242).

Patchnames

SUSE-2024-2546,SUSE-SLE-Micro-5.3-2024-2546

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for gnutls",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for gnutls fixes the following issues:\n\n- CVE-2024-28835: Fixed a certtool crash when verifying a certificate\n  chain (bsc#1221747).\n- CVE-2024-28834: Fixed a side-channel attack in the deterministic\n  ECDSA (bsc#1221746).\n\nOther fixes:\n\n- Fixed a memory leak when using the entropy collector (bsc#1221242).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2024-2546,SUSE-SLE-Micro-5.3-2024-2546",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_2546-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2024:2546-1",
        "url": "https://www.suse.com/support/update/announcement/2024/suse-su-20242546-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2024:2546-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018994.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1221242",
        "url": "https://bugzilla.suse.com/1221242"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1221746",
        "url": "https://bugzilla.suse.com/1221746"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1221747",
        "url": "https://bugzilla.suse.com/1221747"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-28834 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-28834/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-28835 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-28835/"
      }
    ],
    "title": "Security update for gnutls",
    "tracking": {
      "current_release_date": "2024-07-17T12:44:32Z",
      "generator": {
        "date": "2024-07-17T12:44:32Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2024:2546-1",
      "initial_release_date": "2024-07-17T12:44:32Z",
      "revision_history": [
        {
          "date": "2024-07-17T12:44:32Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "gnutls-3.7.3-150400.8.1.aarch64",
                "product": {
                  "name": "gnutls-3.7.3-150400.8.1.aarch64",
                  "product_id": "gnutls-3.7.3-150400.8.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "gnutls-guile-3.7.3-150400.8.1.aarch64",
                "product": {
                  "name": "gnutls-guile-3.7.3-150400.8.1.aarch64",
                  "product_id": "gnutls-guile-3.7.3-150400.8.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls-devel-3.7.3-150400.8.1.aarch64",
                "product": {
                  "name": "libgnutls-devel-3.7.3-150400.8.1.aarch64",
                  "product_id": "libgnutls-devel-3.7.3-150400.8.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls30-3.7.3-150400.8.1.aarch64",
                "product": {
                  "name": "libgnutls30-3.7.3-150400.8.1.aarch64",
                  "product_id": "libgnutls30-3.7.3-150400.8.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls30-hmac-3.7.3-150400.8.1.aarch64",
                "product": {
                  "name": "libgnutls30-hmac-3.7.3-150400.8.1.aarch64",
                  "product_id": "libgnutls30-hmac-3.7.3-150400.8.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutlsxx-devel-3.7.3-150400.8.1.aarch64",
                "product": {
                  "name": "libgnutlsxx-devel-3.7.3-150400.8.1.aarch64",
                  "product_id": "libgnutlsxx-devel-3.7.3-150400.8.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutlsxx28-3.7.3-150400.8.1.aarch64",
                "product": {
                  "name": "libgnutlsxx28-3.7.3-150400.8.1.aarch64",
                  "product_id": "libgnutlsxx28-3.7.3-150400.8.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libgnutls-devel-64bit-3.7.3-150400.8.1.aarch64_ilp32",
                "product": {
                  "name": "libgnutls-devel-64bit-3.7.3-150400.8.1.aarch64_ilp32",
                  "product_id": "libgnutls-devel-64bit-3.7.3-150400.8.1.aarch64_ilp32"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls30-64bit-3.7.3-150400.8.1.aarch64_ilp32",
                "product": {
                  "name": "libgnutls30-64bit-3.7.3-150400.8.1.aarch64_ilp32",
                  "product_id": "libgnutls30-64bit-3.7.3-150400.8.1.aarch64_ilp32"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls30-hmac-64bit-3.7.3-150400.8.1.aarch64_ilp32",
                "product": {
                  "name": "libgnutls30-hmac-64bit-3.7.3-150400.8.1.aarch64_ilp32",
                  "product_id": "libgnutls30-hmac-64bit-3.7.3-150400.8.1.aarch64_ilp32"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64_ilp32"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "gnutls-3.7.3-150400.8.1.ppc64le",
                "product": {
                  "name": "gnutls-3.7.3-150400.8.1.ppc64le",
                  "product_id": "gnutls-3.7.3-150400.8.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "gnutls-guile-3.7.3-150400.8.1.ppc64le",
                "product": {
                  "name": "gnutls-guile-3.7.3-150400.8.1.ppc64le",
                  "product_id": "gnutls-guile-3.7.3-150400.8.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls-devel-3.7.3-150400.8.1.ppc64le",
                "product": {
                  "name": "libgnutls-devel-3.7.3-150400.8.1.ppc64le",
                  "product_id": "libgnutls-devel-3.7.3-150400.8.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls30-3.7.3-150400.8.1.ppc64le",
                "product": {
                  "name": "libgnutls30-3.7.3-150400.8.1.ppc64le",
                  "product_id": "libgnutls30-3.7.3-150400.8.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls30-hmac-3.7.3-150400.8.1.ppc64le",
                "product": {
                  "name": "libgnutls30-hmac-3.7.3-150400.8.1.ppc64le",
                  "product_id": "libgnutls30-hmac-3.7.3-150400.8.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutlsxx-devel-3.7.3-150400.8.1.ppc64le",
                "product": {
                  "name": "libgnutlsxx-devel-3.7.3-150400.8.1.ppc64le",
                  "product_id": "libgnutlsxx-devel-3.7.3-150400.8.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutlsxx28-3.7.3-150400.8.1.ppc64le",
                "product": {
                  "name": "libgnutlsxx28-3.7.3-150400.8.1.ppc64le",
                  "product_id": "libgnutlsxx28-3.7.3-150400.8.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "gnutls-3.7.3-150400.8.1.s390x",
                "product": {
                  "name": "gnutls-3.7.3-150400.8.1.s390x",
                  "product_id": "gnutls-3.7.3-150400.8.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "gnutls-guile-3.7.3-150400.8.1.s390x",
                "product": {
                  "name": "gnutls-guile-3.7.3-150400.8.1.s390x",
                  "product_id": "gnutls-guile-3.7.3-150400.8.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls-devel-3.7.3-150400.8.1.s390x",
                "product": {
                  "name": "libgnutls-devel-3.7.3-150400.8.1.s390x",
                  "product_id": "libgnutls-devel-3.7.3-150400.8.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls30-3.7.3-150400.8.1.s390x",
                "product": {
                  "name": "libgnutls30-3.7.3-150400.8.1.s390x",
                  "product_id": "libgnutls30-3.7.3-150400.8.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls30-hmac-3.7.3-150400.8.1.s390x",
                "product": {
                  "name": "libgnutls30-hmac-3.7.3-150400.8.1.s390x",
                  "product_id": "libgnutls30-hmac-3.7.3-150400.8.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutlsxx-devel-3.7.3-150400.8.1.s390x",
                "product": {
                  "name": "libgnutlsxx-devel-3.7.3-150400.8.1.s390x",
                  "product_id": "libgnutlsxx-devel-3.7.3-150400.8.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutlsxx28-3.7.3-150400.8.1.s390x",
                "product": {
                  "name": "libgnutlsxx28-3.7.3-150400.8.1.s390x",
                  "product_id": "libgnutlsxx28-3.7.3-150400.8.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "gnutls-3.7.3-150400.8.1.x86_64",
                "product": {
                  "name": "gnutls-3.7.3-150400.8.1.x86_64",
                  "product_id": "gnutls-3.7.3-150400.8.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "gnutls-guile-3.7.3-150400.8.1.x86_64",
                "product": {
                  "name": "gnutls-guile-3.7.3-150400.8.1.x86_64",
                  "product_id": "gnutls-guile-3.7.3-150400.8.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls-devel-3.7.3-150400.8.1.x86_64",
                "product": {
                  "name": "libgnutls-devel-3.7.3-150400.8.1.x86_64",
                  "product_id": "libgnutls-devel-3.7.3-150400.8.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls30-3.7.3-150400.8.1.x86_64",
                "product": {
                  "name": "libgnutls30-3.7.3-150400.8.1.x86_64",
                  "product_id": "libgnutls30-3.7.3-150400.8.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutls30-hmac-3.7.3-150400.8.1.x86_64",
                "product": {
                  "name": "libgnutls30-hmac-3.7.3-150400.8.1.x86_64",
                  "product_id": "libgnutls30-hmac-3.7.3-150400.8.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutlsxx-devel-3.7.3-150400.8.1.x86_64",
                "product": {
                  "name": "libgnutlsxx-devel-3.7.3-150400.8.1.x86_64",
                  "product_id": "libgnutlsxx-devel-3.7.3-150400.8.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libgnutlsxx28-3.7.3-150400.8.1.x86_64",
                "product": {
                  "name": "libgnutlsxx28-3.7.3-150400.8.1.x86_64",
                  "product_id": "libgnutlsxx28-3.7.3-150400.8.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.3",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.3",
                  "product_id": "SUSE Linux Enterprise Micro 5.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-micro:5.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gnutls-3.7.3-150400.8.1.aarch64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.aarch64"
        },
        "product_reference": "gnutls-3.7.3-150400.8.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gnutls-3.7.3-150400.8.1.s390x as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.s390x"
        },
        "product_reference": "gnutls-3.7.3-150400.8.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "gnutls-3.7.3-150400.8.1.x86_64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.x86_64"
        },
        "product_reference": "gnutls-3.7.3-150400.8.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgnutls30-3.7.3-150400.8.1.aarch64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.aarch64"
        },
        "product_reference": "libgnutls30-3.7.3-150400.8.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgnutls30-3.7.3-150400.8.1.s390x as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.s390x"
        },
        "product_reference": "libgnutls30-3.7.3-150400.8.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgnutls30-3.7.3-150400.8.1.x86_64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.x86_64"
        },
        "product_reference": "libgnutls30-3.7.3-150400.8.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgnutls30-hmac-3.7.3-150400.8.1.aarch64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.aarch64"
        },
        "product_reference": "libgnutls30-hmac-3.7.3-150400.8.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgnutls30-hmac-3.7.3-150400.8.1.s390x as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.s390x"
        },
        "product_reference": "libgnutls30-hmac-3.7.3-150400.8.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libgnutls30-hmac-3.7.3-150400.8.1.x86_64 as component of SUSE Linux Enterprise Micro 5.3",
          "product_id": "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.x86_64"
        },
        "product_reference": "libgnutls30-hmac-3.7.3-150400.8.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-28834",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-28834"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.x86_64",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.x86_64",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-28834",
          "url": "https://www.suse.com/security/cve/CVE-2024-28834"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1221746 for CVE-2024-28834",
          "url": "https://bugzilla.suse.com/1221746"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-17T12:44:32Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-28834"
    },
    {
      "cve": "CVE-2024-28835",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-28835"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.x86_64",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.x86_64",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.aarch64",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.s390x",
          "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-28835",
          "url": "https://www.suse.com/security/cve/CVE-2024-28835"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1221747 for CVE-2024-28835",
          "url": "https://bugzilla.suse.com/1221747"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1.x86_64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.aarch64",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.s390x",
            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-17T12:44:32Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-28835"
    }
  ]
}

CVE-2024-28835 (GCVE-0-2024-28835)

Vulnerability from cvelistv5

Published

2024-03-21 06:13

Modified

2025-08-30 13:38

Severity ?

5.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-248 - Uncaught Exception

Summary

A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2024:1879	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:2570	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:2889	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2024-28835	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2269084	issue-tracking, x_refsource_REDHAT
	https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html

Impacted products

Vendor

Product

Version

Version: 3.8.3

Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:3.7.6-23.el9_3.4 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:3.8.3-4.el9_4 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:3.7.6-23.el9_3.4 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:3.8.3-4.el9_4 < * cpe:/a:redhat:enterprise_linux:9::appstream cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 9.2 Extended Update Support	Unaffected: 0:3.7.6-21.el9_2.3 < * cpe:/a:redhat:rhel_eus:9.2::appstream cpe:/o:redhat:rhel_eus:9.2::baseos
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28835",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-21T18:00:08.506389Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:15.160Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-11-22T12:04:48.736Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/22/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/22/2"
          },
          {
            "name": "RHSA-2024:1879",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1879"
          },
          {
            "name": "RHSA-2024:2570",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:2570"
          },
          {
            "name": "RHSA-2024:2889",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:2889"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2024-28835"
          },
          {
            "name": "RHBZ#2269084",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269084"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20241122-0009/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://gitlab.com/gnutls/gnutls/",
          "defaultStatus": "unaffected",
          "packageName": "gnutls",
          "versions": [
            {
              "status": "affected",
              "version": "3.8.3"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.7.6-23.el9_3.4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.8.3-4.el9_4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.7.6-23.el9_3.4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.8.3-4.el9_4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:9.2::appstream",
            "cpe:/o:redhat:rhel_eus:9.2::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.7.6-21.el9_2.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-03-21T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-30T13:38:33.685Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:1879",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1879"
        },
        {
          "name": "RHSA-2024:2570",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:2570"
        },
        {
          "name": "RHSA-2024:2889",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:2889"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-28835"
        },
        {
          "name": "RHBZ#2269084",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269084"
        },
        {
          "url": "https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-03-11T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-03-21T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Gnutls: potential crash during chain building/verification",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-248: Uncaught Exception"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-28835",
    "datePublished": "2024-03-21T06:13:26.916Z",
    "dateReserved": "2024-03-11T14:43:43.973Z",
    "dateUpdated": "2025-08-30T13:38:33.685Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-28834 (GCVE-0-2024-28834)

Vulnerability from cvelistv5

Published

2024-03-21 13:29

Modified

2025-08-18 09:22

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Summary

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2024:1784	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:1879	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:1997	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:2044	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:2570	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:2889	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2024-28834	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2269228	issue-tracking, x_refsource_REDHAT
	https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
	https://minerva.crocs.fi.muni.cz/

Impacted products

Vendor

Product

Version

Version: 3.7.6-23

Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:3.6.16-8.el8_9.3 < * cpe:/a:redhat:enterprise_linux:8::appstream cpe:/o:redhat:enterprise_linux:8::baseos
Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:3.6.16-8.el8_9.3 < * cpe:/a:redhat:enterprise_linux:8::appstream cpe:/o:redhat:enterprise_linux:8::baseos
Red Hat	Red Hat Enterprise Linux 8.6 Extended Update Support	Unaffected: 0:3.6.16-5.el8_6.4 < * cpe:/a:redhat:rhel_eus:8.6::appstream cpe:/o:redhat:rhel_eus:8.6::baseos
Red Hat	Red Hat Enterprise Linux 8.8 Extended Update Support	Unaffected: 0:3.6.16-7.el8_8.3 < * cpe:/o:redhat:rhel_eus:8.8::baseos cpe:/a:redhat:rhel_eus:8.8::appstream
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:3.7.6-23.el9_3.4 < * cpe:/o:redhat:enterprise_linux:9::baseos cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:3.8.3-4.el9_4 < * cpe:/o:redhat:enterprise_linux:9::baseos cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:3.7.6-23.el9_3.4 < * cpe:/o:redhat:enterprise_linux:9::baseos cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:3.8.3-4.el9_4 < * cpe:/o:redhat:enterprise_linux:9::baseos cpe:/a:redhat:enterprise_linux:9::appstream
Red Hat	Red Hat Enterprise Linux 9.2 Extended Update Support	Unaffected: 0:3.7.6-21.el9_2.3 < * cpe:/o:redhat:rhel_eus:9.2::baseos cpe:/a:redhat:rhel_eus:9.2::appstream
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28834",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-21T18:20:34.669036Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:15.410Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:56:58.323Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/22/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/22/2"
          },
          {
            "name": "RHSA-2024:1784",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1784"
          },
          {
            "name": "RHSA-2024:1879",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1879"
          },
          {
            "name": "RHSA-2024:1997",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1997"
          },
          {
            "name": "RHSA-2024:2044",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:2044"
          },
          {
            "name": "RHSA-2024:2570",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:2570"
          },
          {
            "name": "RHSA-2024:2889",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:2889"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2024-28834"
          },
          {
            "name": "RHBZ#2269228",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269228"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://minerva.crocs.fi.muni.cz/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://people.redhat.com/~hkario/marvin/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240524-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://gitlab.com/gnutls/gnutls/",
          "defaultStatus": "unaffected",
          "packageName": "gnutls",
          "versions": [
            {
              "status": "affected",
              "version": "3.7.6-23"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:8::appstream",
            "cpe:/o:redhat:enterprise_linux:8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.6.16-8.el8_9.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:8::appstream",
            "cpe:/o:redhat:enterprise_linux:8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.6.16-8.el8_9.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:8.6::appstream",
            "cpe:/o:redhat:rhel_eus:8.6::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.6.16-5.el8_6.4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_eus:8.8::baseos",
            "cpe:/a:redhat:rhel_eus:8.8::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.6.16-7.el8_8.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9::baseos",
            "cpe:/a:redhat:enterprise_linux:9::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.7.6-23.el9_3.4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9::baseos",
            "cpe:/a:redhat:enterprise_linux:9::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.8.3-4.el9_4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9::baseos",
            "cpe:/a:redhat:enterprise_linux:9::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.7.6-23.el9_3.4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9::baseos",
            "cpe:/a:redhat:enterprise_linux:9::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.8.3-4.el9_4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_eus:9.2::baseos",
            "cpe:/a:redhat:rhel_eus:9.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.7.6-21.el9_2.3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "affected",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "gnutls",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-03-21T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-327",
              "description": "Use of a Broken or Risky Cryptographic Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-18T09:22:48.422Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:1784",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1784"
        },
        {
          "name": "RHSA-2024:1879",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1879"
        },
        {
          "name": "RHSA-2024:1997",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1997"
        },
        {
          "name": "RHSA-2024:2044",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:2044"
        },
        {
          "name": "RHSA-2024:2570",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:2570"
        },
        {
          "name": "RHSA-2024:2889",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:2889"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-28834"
        },
        {
          "name": "RHBZ#2269228",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269228"
        },
        {
          "url": "https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html"
        },
        {
          "url": "https://minerva.crocs.fi.muni.cz/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-03-11T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-03-21T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Gnutls: vulnerable to minerva side-channel information leak",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-28834",
    "datePublished": "2024-03-21T13:29:11.532Z",
    "dateReserved": "2024-03-11T14:43:43.973Z",
    "dateUpdated": "2025-08-18T09:22:48.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

suse-su-2024:2546-1

Vulnerability from csaf_suse

CVE-2024-28835 (GCVE-0-2024-28835)

Vulnerability from cvelistv5

CVE-2024-28834 (GCVE-0-2024-28834)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature