Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

All statuses
Filter by:
With package: python311Packages.python3-gnutls

Found 9 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2025-32990
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 9 months ago
Gnutls: vulnerability in gnutls certtool template parsing

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

References

Affected products

rhcos
gnutls
  • *
libgnutls
  • <3.8.10
rhceph/rhceph-7-rhel9
  • *
discovery/discovery-ui-rhel9
  • *
insights-proxy/insights-proxy-container-rhel9
  • *

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

Package maintainers

Untriaged
Permalink CVE-2025-32989
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 9 months ago
Gnutls: vulnerability in gnutls sct extension parsing

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.

References

Affected products

rhcos
gnutls
  • *
libgnutls
  • <3.8.10
rhceph/rhceph-7-rhel9
  • *
discovery/discovery-ui-rhel9
  • *
insights-proxy/insights-proxy-container-rhel9
  • *

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

Package maintainers

Untriaged
Permalink CVE-2025-6395
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 9 months ago
Gnutls: null pointer dereference in _gnutls_figure_common_ciphersuite()

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite(). When it reads certain settings from a template file, it can allow an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial of service (DoS) that could crash the system.

References

Affected products

rhcos
gnutls
  • *
libgnutls
  • <3.8.10
rhceph/rhceph-7-rhel9
  • *
discovery/discovery-ui-rhel9
  • *
insights-proxy/insights-proxy-container-rhel9
  • *

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

Package maintainers

Untriaged
Permalink CVE-2025-32988
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 9 months ago
Gnutls: vulnerability in gnutls othername san export

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

References

Affected products

rhcos
gnutls
  • *
libgnutls
  • <3.8.10
rhceph/rhceph-7-rhel9
  • *
discovery/discovery-ui-rhel9
  • *
insights-proxy/insights-proxy-container-rhel9
  • *

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

Package maintainers

Untriaged
Permalink CVE-2024-0553
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 9 months, 4 weeks ago
Gnutls: incomplete fix for cve-2023-5981

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

References

Affected products

gnutls
  • ==3.8.3
  • <3.8.3
  • *
odf4/cephcsi-rhel9
  • *
odf4/odf-cli-rhel9
  • *
odf4/mcg-core-rhel9
  • *
odf4/odf-console-rhel9
  • *
odf4/mcg-rhel9-operator
  • *
odf4/ocs-rhel9-operator
  • *
odf4/odf-rhel9-operator
  • *
odf4/odr-rhel9-operator
  • *
odf4/mcg-operator-bundle
  • *
odf4/ocs-operator-bundle
  • *
odf4/odf-operator-bundle
  • *
odf4/odf-must-gather-rhel9
  • *
odf4/odf-cosi-sidecar-rhel9
  • *
odf4/odr-hub-operator-bundle
  • *
odf4/ocs-client-console-rhel9
  • *
odf4/rook-ceph-rhel9-operator
  • *
odf4/ocs-client-rhel9-operator
  • *
openshift-logging/vector-rhel9
  • *
odf4/ocs-client-operator-bundle
  • *
odf4/ocs-metrics-exporter-rhel9
  • *
openshift-logging/fluentd-rhel9
  • *
odf4/odr-cluster-operator-bundle
  • *
odf4/odf-csi-addons-sidecar-rhel9
  • *
odf4/odf-csi-addons-rhel9-operator
  • *
odf4/odf-csi-addons-operator-bundle
  • *
odf4/odf-multicluster-console-rhel9
  • *
openshift-logging/eventrouter-rhel9
  • *
odf4/odf-multicluster-rhel9-operator
  • *
openshift-logging/logging-loki-rhel9
  • *
odf4/odf-multicluster-operator-bundle
  • *
openshift-logging/loki-rhel9-operator
  • *
openshift-logging/opa-openshift-rhel9
  • *
openshift-logging/elasticsearch6-rhel9
  • *
openshift-logging/loki-operator-bundle
  • *
openshift-logging/logging-curator5-rhel9
  • *
openshift-logging/lokistack-gateway-rhel9
  • *
openshift-logging/elasticsearch-proxy-rhel9
  • *
openshift-logging/logging-view-plugin-rhel9
  • *
openshift-logging/elasticsearch-rhel9-operator
  • *
openshift-logging/elasticsearch-operator-bundle
  • *
openshift-logging/cluster-logging-rhel9-operator
  • *
openshift-logging/log-file-metric-exporter-rhel9
  • *
openshift-logging/cluster-logging-operator-bundle
  • *

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

Package maintainers

Untriaged
Permalink CVE-2024-0567
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 10 months, 1 week ago
Gnutls: rejects certificate chain with distributed trust

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

References

Affected products

GnuTLS
  • ==3.8.3
gnutls
  • *
  • <3.8.3
cockpit
odf4/cephcsi-rhel9
  • *
odf4/odf-cli-rhel9
  • *
odf4/mcg-core-rhel9
  • *
odf4/odf-console-rhel9
  • *
odf4/mcg-rhel9-operator
  • *
odf4/ocs-rhel9-operator
  • *
odf4/odf-rhel9-operator
  • *
odf4/odr-rhel9-operator
  • *
odf4/mcg-operator-bundle
  • *
odf4/ocs-operator-bundle
  • *
odf4/odf-operator-bundle
  • *
odf4/odf-must-gather-rhel9
  • *
odf4/odf-cosi-sidecar-rhel9
  • *
odf4/odr-hub-operator-bundle
  • *
odf4/ocs-client-console-rhel9
  • *
odf4/rook-ceph-rhel9-operator
  • *
odf4/ocs-client-rhel9-operator
  • *
openshift-logging/vector-rhel9
  • *
odf4/ocs-client-operator-bundle
  • *
odf4/ocs-metrics-exporter-rhel9
  • *
openshift-logging/fluentd-rhel9
  • *
odf4/odr-cluster-operator-bundle
  • *
odf4/odf-csi-addons-sidecar-rhel9
  • *
odf4/odf-csi-addons-rhel9-operator
  • *
odf4/odf-csi-addons-operator-bundle
  • *
odf4/odf-multicluster-console-rhel9
  • *
openshift-logging/eventrouter-rhel9
  • *
odf4/odf-multicluster-rhel9-operator
  • *
openshift-logging/logging-loki-rhel9
  • *
odf4/odf-multicluster-operator-bundle
  • *
openshift-logging/loki-rhel9-operator
  • *
openshift-logging/opa-openshift-rhel9
  • *
openshift-logging/elasticsearch6-rhel9
  • *
openshift-logging/loki-operator-bundle
  • *
openshift-logging/logging-curator5-rhel9
  • *
openshift-logging/lokistack-gateway-rhel9
  • *
openshift-logging/elasticsearch-proxy-rhel9
  • *
openshift-logging/logging-view-plugin-rhel9
  • *
openshift-logging/elasticsearch-rhel9-operator
  • *
openshift-logging/elasticsearch-operator-bundle
  • *
openshift-logging/cluster-logging-rhel9-operator
  • *
openshift-logging/log-file-metric-exporter-rhel9
  • *
openshift-logging/cluster-logging-operator-bundle
  • *

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

pkgs.cockpit

Web-based graphical interface for servers

  • nixos-unstable 338
    • nixpkgs-unstable 338
    • nixos-unstable-small 338

Package maintainers

Untriaged
Permalink CVE-2024-28834
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 10 months, 3 weeks ago
Gnutls: vulnerable to minerva side-channel information leak

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

References

Affected products

gnutls
  • *
  • ==3.7.6-23
  • ==3.8.4

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

Package maintainers

Untriaged
Permalink CVE-2024-28835
5.0 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 10 months, 3 weeks ago
Gnutls: potential crash during chain building/verification

A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

References

Affected products

gnutls
  • *
  • ==3.8.3
  • ==3.8.4

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

Package maintainers

Untriaged
Permalink CVE-2024-12243
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 1 year, 2 months ago
Gnutls: gnutls impacted by inefficient der decoding in libtasn1 leading to remote dos

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.

References

Affected products

rhcos
gnutls
  • <3.8.8
  • =<3.7.11
  • *
  • =<3.6.16
discovery/discovery-ui-rhel9
  • *
discovery/discovery-server-rhel9
  • *
registry.redhat.io/discovery/discovery-ui-rhel9
  • *
registry.redhat.io/discovery/discovery-server-rhel9
  • *

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

Package maintainers