Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2025-32989

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

created 9 months, 1 week ago

Gnutls: vulnerability in gnutls sct extension parsing

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.

References

https://access.redhat.com/security/cve/CVE-2025-32989 vdb-entryx_refsource_REDHAT
RHBZ#2359621 issue-trackingx_refsource_REDHAT
RHSA-2025:16115 vendor-advisoryx_refsource_REDHAT
RHSA-2025:16116 vendor-advisoryx_refsource_REDHAT
RHSA-2025:17348 vendor-advisoryx_refsource_REDHAT
RHSA-2025:17361 vendor-advisoryx_refsource_REDHAT
RHSA-2025:19088 vendor-advisoryx_refsource_REDHAT
http://www.openwall.com/lists/oss-security/2025/07/11/3
RHSA-2025:17181 vendor-advisoryx_refsource_REDHAT
RHSA-2025:22529 vendor-advisoryx_refsource_REDHAT

Affected products

rhcos

gnutls

*

libgnutls

<3.8.10

rhceph/rhceph-7-rhel9

*

discovery/discovery-ui-rhel9

*

insights-proxy/insights-proxy-container-rhel9

*

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

nixos-unstable 3.8.9
- nixpkgs-unstable 3.8.9
- nixos-unstable-small 3.8.9

pkgs.guile-gnutls

Guile bindings for GnuTLS library

nixos-unstable 4.0.1
- nixpkgs-unstable 4.0.1
- nixos-unstable-small 4.0.1

pkgs.python311Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

pkgs.python312Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

pkgs.python313Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

Package maintainers

@vcunat Vladimír Čunát <v@cunat.cz>
@foo-dogsquared Gabriel Arazas <foodogsquared@foodogsquared.one>
@charlieshanley Charlie Hanley <charlieshanley@gmail.com>