Nixpkgs security tracker

Untriaged

Permalink CVE-2024-0553

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 10 months ago

Gnutls: incomplete fix for cve-2023-5981

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

References

RHSA-2024:0533 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:0627 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:0796 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:1082 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:1108 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:1383 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:2094 vendor-advisoryx_transferredx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-0553 x_transferredvdb-entryx_refsource_REDHAT
RHBZ#2258412 x_transferredissue-trackingx_refsource_REDHAT
https://gitlab.com/gnutls/gnutls/-/issues/1522 x_transferred
https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html x_transferred
http://www.openwall.com/lists/oss-security/2024/01/19/3 x_transferred
https://lists.debian.org/debian-lts-announce/2024/02/msg00010.html x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://security.netapp.com/advisory/ntap-20240202-0011/ x_transferred

Affected products

gnutls

==3.8.3
*
<3.8.3

odf4/cephcsi-rhel9

*

odf4/odf-cli-rhel9

*

odf4/mcg-core-rhel9

*

odf4/odf-console-rhel9

*

odf4/mcg-rhel9-operator

*

odf4/ocs-rhel9-operator

*

odf4/odf-rhel9-operator

*

odf4/odr-rhel9-operator

*

odf4/mcg-operator-bundle

*

odf4/ocs-operator-bundle

*

odf4/odf-operator-bundle

*

odf4/odf-must-gather-rhel9

*

odf4/odf-cosi-sidecar-rhel9

*

odf4/odr-hub-operator-bundle

*

odf4/ocs-client-console-rhel9

*

odf4/rook-ceph-rhel9-operator

*

odf4/ocs-client-rhel9-operator

*

openshift-logging/vector-rhel9

*

odf4/ocs-client-operator-bundle

*

odf4/ocs-metrics-exporter-rhel9

*

openshift-logging/fluentd-rhel9

*

odf4/odr-cluster-operator-bundle

*

odf4/odf-csi-addons-sidecar-rhel9

*

odf4/odf-csi-addons-rhel9-operator

*

odf4/odf-csi-addons-operator-bundle

*

odf4/odf-multicluster-console-rhel9

*

openshift-logging/eventrouter-rhel9

*

odf4/odf-multicluster-rhel9-operator

*

openshift-logging/logging-loki-rhel9

*

odf4/odf-multicluster-operator-bundle

*

openshift-logging/loki-rhel9-operator

*

openshift-logging/opa-openshift-rhel9

*

openshift-logging/elasticsearch6-rhel9

*

openshift-logging/loki-operator-bundle

*

openshift-logging/logging-curator5-rhel9

*

openshift-logging/lokistack-gateway-rhel9

*

openshift-logging/elasticsearch-proxy-rhel9

*

openshift-logging/logging-view-plugin-rhel9

*

openshift-logging/elasticsearch-rhel9-operator

*

openshift-logging/elasticsearch-operator-bundle

*

openshift-logging/cluster-logging-rhel9-operator

*

openshift-logging/log-file-metric-exporter-rhel9

*

openshift-logging/cluster-logging-operator-bundle

*

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

nixos-unstable 3.8.9
- nixpkgs-unstable 3.8.9
- nixos-unstable-small 3.8.9

pkgs.guile-gnutls

Guile bindings for GnuTLS library

nixos-unstable 4.0.1
- nixpkgs-unstable 4.0.1
- nixos-unstable-small 4.0.1

pkgs.python311Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

pkgs.python312Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

pkgs.python313Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

Package maintainers

@vcunat Vladimír Čunát <v@cunat.cz>
@foo-dogsquared Gabriel Arazas <foodogsquared@foodogsquared.one>
@charlieshanley Charlie Hanley <charlieshanley@gmail.com>

Untriaged

Permalink CVE-2024-0567

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 10 months, 2 weeks ago

Gnutls: rejects certificate chain with distributed trust

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

References

RHSA-2024:0533 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:1082 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:1383 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:2094 vendor-advisoryx_transferredx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-0567 x_transferredvdb-entryx_refsource_REDHAT
RHBZ#2258544 x_transferredissue-trackingx_refsource_REDHAT
https://gitlab.com/gnutls/gnutls/-/issues/1521 x_transferred
https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html x_transferred
http://www.openwall.com/lists/oss-security/2024/01/19/3 x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://security.netapp.com/advisory/ntap-20240202-0011/ x_transferred

Affected products

GnuTLS

==3.8.3

gnutls

*
<3.8.3

cockpit

odf4/cephcsi-rhel9

*

odf4/odf-cli-rhel9

*

odf4/mcg-core-rhel9

*

odf4/odf-console-rhel9

*

odf4/mcg-rhel9-operator

*

odf4/ocs-rhel9-operator

*

odf4/odf-rhel9-operator

*

odf4/odr-rhel9-operator

*

odf4/mcg-operator-bundle

*

odf4/ocs-operator-bundle

*

odf4/odf-operator-bundle

*

odf4/odf-must-gather-rhel9

*

odf4/odf-cosi-sidecar-rhel9

*

odf4/odr-hub-operator-bundle

*

odf4/ocs-client-console-rhel9

*

odf4/rook-ceph-rhel9-operator

*

odf4/ocs-client-rhel9-operator

*

openshift-logging/vector-rhel9

*

odf4/ocs-client-operator-bundle

*

odf4/ocs-metrics-exporter-rhel9

*

openshift-logging/fluentd-rhel9

*

odf4/odr-cluster-operator-bundle

*

odf4/odf-csi-addons-sidecar-rhel9

*

odf4/odf-csi-addons-rhel9-operator

*

odf4/odf-csi-addons-operator-bundle

*

odf4/odf-multicluster-console-rhel9

*

openshift-logging/eventrouter-rhel9

*

odf4/odf-multicluster-rhel9-operator

*

openshift-logging/logging-loki-rhel9

*

odf4/odf-multicluster-operator-bundle

*

openshift-logging/loki-rhel9-operator

*

openshift-logging/opa-openshift-rhel9

*

openshift-logging/elasticsearch6-rhel9

*

openshift-logging/loki-operator-bundle

*

openshift-logging/logging-curator5-rhel9

*

openshift-logging/lokistack-gateway-rhel9

*

openshift-logging/elasticsearch-proxy-rhel9

*

openshift-logging/logging-view-plugin-rhel9

*

openshift-logging/elasticsearch-rhel9-operator

*

openshift-logging/elasticsearch-operator-bundle

*

openshift-logging/cluster-logging-rhel9-operator

*

openshift-logging/log-file-metric-exporter-rhel9

*

openshift-logging/cluster-logging-operator-bundle

*

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

nixos-unstable 3.8.9
- nixpkgs-unstable 3.8.9
- nixos-unstable-small 3.8.9

pkgs.cockpit

Web-based graphical interface for servers

nixos-unstable 338
- nixpkgs-unstable 338
- nixos-unstable-small 338

pkgs.guile-gnutls

Guile bindings for GnuTLS library

nixos-unstable 4.0.1
- nixpkgs-unstable 4.0.1
- nixos-unstable-small 4.0.1

pkgs.emacsPackages.test-cockpit

None

nixos-unstable 20240604.1943
- nixpkgs-unstable 20240604.1943
- nixos-unstable-small 20240604.1943

pkgs.python311Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

pkgs.python312Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

pkgs.python313Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

Package maintainers

@lucasew Lucas Eduardo Wendt <lucas59356@gmail.com>
@vcunat Vladimír Čunát <v@cunat.cz>
@foo-dogsquared Gabriel Arazas <foodogsquared@foodogsquared.one>
@charlieshanley Charlie Hanley <charlieshanley@gmail.com>

Untriaged

Permalink CVE-2024-28834

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 10 months, 4 weeks ago

Gnutls: vulnerable to minerva side-channel information leak

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

References

RHSA-2024:1784 vendor-advisoryx_refsource_REDHATx_transferred
RHSA-2024:1879 vendor-advisoryx_refsource_REDHATx_transferred
RHSA-2024:1997 vendor-advisoryx_refsource_REDHATx_transferred
RHSA-2024:2044 vendor-advisoryx_refsource_REDHATx_transferred
RHSA-2024:2570 vendor-advisoryx_refsource_REDHATx_transferred
RHSA-2024:2889 vendor-advisoryx_refsource_REDHATx_transferred
https://access.redhat.com/security/cve/CVE-2024-28834 x_transferredvdb-entryx_refsource_REDHAT
RHBZ#2269228 issue-trackingx_transferredx_refsource_REDHAT
https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html x_transferred
https://minerva.crocs.fi.muni.cz/ x_transferred
http://www.openwall.com/lists/oss-security/2024/03/22/1 x_transferred
http://www.openwall.com/lists/oss-security/2024/03/22/2 x_transferred
https://people.redhat.com/~hkario/marvin/ x_transferred
https://security.netapp.com/advisory/ntap-20240524-0004/ x_transferred
https://lists.debian.org/debian-lts-announce/2024/09/msg00019.html

Affected products

gnutls

*
==3.7.6-23
==3.8.4

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

nixos-unstable 3.8.6
- nixpkgs-unstable 3.8.6
- nixos-unstable-small 3.8.6

pkgs.guile-gnutls

Guile bindings for GnuTLS library

nixos-unstable 4.0.0
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0

pkgs.python311Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

pkgs.python312Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

pkgs.python313Packages.python3-gnutls

Python wrapper for the GnuTLS library

Package maintainers

@vcunat Vladimír Čunát <v@cunat.cz>
@foo-dogsquared Gabriel Arazas <foodogsquared@foodogsquared.one>
@charlieshanley Charlie Hanley <charlieshanley@gmail.com>

Untriaged

Permalink CVE-2024-28835

5.0 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

created 10 months, 4 weeks ago

Gnutls: potential crash during chain building/verification

A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

References

RHSA-2024:1879 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:2570 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:2889 vendor-advisoryx_transferredx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-28835 x_transferredvdb-entryx_refsource_REDHAT
RHBZ#2269084 x_transferredissue-trackingx_refsource_REDHAT
https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html x_transferred
http://www.openwall.com/lists/oss-security/2024/03/22/1 x_transferred
http://www.openwall.com/lists/oss-security/2024/03/22/2 x_transferred
https://security.netapp.com/advisory/ntap-20241122-0009/
https://lists.debian.org/debian-lts-announce/2024/09/msg00019.html

Affected products

gnutls

==3.8.4
*
==3.8.3

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

nixos-unstable 3.8.6
- nixpkgs-unstable 3.8.6
- nixos-unstable-small 3.8.6

pkgs.guile-gnutls

Guile bindings for GnuTLS library

nixos-unstable 4.0.0
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0

pkgs.python311Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

pkgs.python312Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

pkgs.python313Packages.python3-gnutls

Python wrapper for the GnuTLS library

Package maintainers

@vcunat Vladimír Čunát <v@cunat.cz>
@foo-dogsquared Gabriel Arazas <foodogsquared@foodogsquared.one>
@charlieshanley Charlie Hanley <charlieshanley@gmail.com>

Untriaged

Permalink CVE-2024-12243

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

created 1 year, 2 months ago

Gnutls: gnutls impacted by inefficient der decoding in libtasn1 leading to remote dos

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.

References

https://access.redhat.com/security/cve/CVE-2024-12243 vdb-entryx_refsource_REDHAT
RHBZ#2344615 issue-trackingx_refsource_REDHAT
https://gitlab.com/gnutls/libtasn1/-/issues/52
https://lists.debian.org/debian-lts-announce/2025/02/msg00027.html
RHSA-2025:4051 vendor-advisoryx_refsource_REDHAT
RHSA-2025:7076 vendor-advisoryx_refsource_REDHAT
RHSA-2025:8020 vendor-advisoryx_refsource_REDHAT
https://security.netapp.com/advisory/ntap-20250523-0002/
RHSA-2025:8385 vendor-advisoryx_refsource_REDHAT
RHSA-2025:17361 vendor-advisoryx_refsource_REDHAT

Affected products

rhcos

gnutls

=<3.6.16
=<3.7.11
*
<3.8.8

discovery/discovery-ui-rhel9

*

discovery/discovery-server-rhel9

*

registry.redhat.io/discovery/discovery-ui-rhel9

*

registry.redhat.io/discovery/discovery-server-rhel9

*

Matching in nixpkgs

pkgs.gnutls

GNU Transport Layer Security Library

nixos-unstable 3.8.6
- nixpkgs-unstable 3.8.6
- nixos-unstable-small 3.8.6

pkgs.guile-gnutls

Guile bindings for GnuTLS library

nixos-unstable 4.0.0
- nixpkgs-unstable 4.0.0
- nixos-unstable-small 4.0.0

pkgs.python311Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

pkgs.python312Packages.python3-gnutls

Python wrapper for the GnuTLS library

nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10

Package maintainers

@vcunat Vladimír Čunát <v@cunat.cz>
@foo-dogsquared Gabriel Arazas <foodogsquared@foodogsquared.one>
@charlieshanley Charlie Hanley <charlieshanley@gmail.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.gnutls

pkgs.guile-gnutls

pkgs.python311Packages.python3-gnutls

pkgs.python312Packages.python3-gnutls

pkgs.python313Packages.python3-gnutls

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.gnutls

pkgs.cockpit

pkgs.guile-gnutls

pkgs.emacsPackages.test-cockpit

pkgs.python311Packages.python3-gnutls

pkgs.python312Packages.python3-gnutls

pkgs.python313Packages.python3-gnutls

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.gnutls

pkgs.guile-gnutls

pkgs.python311Packages.python3-gnutls

pkgs.python312Packages.python3-gnutls

pkgs.python313Packages.python3-gnutls

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.gnutls

pkgs.guile-gnutls

pkgs.python311Packages.python3-gnutls

pkgs.python312Packages.python3-gnutls

pkgs.python313Packages.python3-gnutls

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.gnutls

pkgs.guile-gnutls

pkgs.python311Packages.python3-gnutls

pkgs.python312Packages.python3-gnutls

Package maintainers