SUSE-SU-2024:1179-1: important: Security update for gnutls
SLE-UPDATES
null at suse.de
Tue Apr 9 20:30:14 UTC 2024
# Security update for gnutls
Announcement ID: SUSE-SU-2024:1179-1
Rating: important
References:
* bsc#1202146
* bsc#1203299
* bsc#1203779
* bsc#1207183
* bsc#1207346
* bsc#1208143
* bsc#1208146
* bsc#1208237
* bsc#1209001
* bsc#1217277
* bsc#1218862
* bsc#1218865
* jsc#PED-1562
Cross-References:
* CVE-2023-0361
* CVE-2023-5981
* CVE-2024-0553
* CVE-2024-0567
CVSS scores:
* CVE-2023-0361 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-0361 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2023-5981 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-5981 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-0553 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-0553 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-0567 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-0567 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro for Rancher 5.3
An update that solves four vulnerabilities, contains one feature and has eight
security fixes can now be installed.
## Description:
This update for gnutls fixes the following issues:
Security issues fixed:
* CVE-2023-0361: Fixed a Bleichenbacher oracle in the TLS RSA key exchange
(bsc#1208143).
* CVE-2023-5981: Fixed timing side-channel inside RSA-PSK key exchange
(bsc#1217277).
* CVE-2024-0567: Fixed an incorrect rejection of certificate chains with
distributed trust (bsc#1218862).
* CVE-2024-0553: Fixed a timing attack against the RSA-PSK key exchange, which
could lead to the leakage of sensitive data (bsc#1218865).
FIPS 140-3 certification related bugs fixed:
* FIPS: Set error state when jent init failed in FIPS mode (bsc#1202146)
* FIPS: Make XTS key check failure not fatal (bsc#1203779)
* FIPS: Added GnuTLS DH/ECDH pairwise consistency check for public key
regeneration [bsc#1207183]
* FIPS: Change all the 140-2 references to FIPS 140-3 in order to account for
the new FIPS certification [bsc#1207346]
* FIPS: Make the jitterentropy calls thread-safe (bsc#1208146).
* FIPS: GnuTLS DH/ECDH PCT public key regeneration (bsc#1207183).
* FIPS: Fix pct_test() return code in case of error (bsc#1207183)
* FIPS: Establish PBKDF2 additional requirements [bsc#1209001]
* Set the minimum output key length to 112 bits (FIPS 140-3 IG D.N)
* Set the minimum salt length to 128 bits (SP 800-132 sec. 5.1)
* Set the minimum iterations count to 1000 (SP 800-132 sec 5.2)
* Set the minimum passlen of 20 characters (SP SP800-132 sec 5)
* Add regression tests for the new PBKDF2 requirements.
Other issues fixed:
* Fix AVX CPU feature detection for OSXSAVE (bsc#1203299) This fixes a SIGILL
termination at the verzoupper instruction when trying to run GnuTLS on a
Linux kernel with the noxsave command line parameter set. Relevant mostly
for virtual systems.
* Increase the limit of TLS PSK usernames from 128 to 65535 characters.
[bsc#1208237, jsc#PED-1562]
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Micro for Rancher 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2024-1179=1
* SUSE Linux Enterprise Micro 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2024-1179=1
## Package List:
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
* gnutls-debuginfo-3.7.3-150400.1.3.1
* libgnutls30-hmac-3.7.3-150400.1.3.1
* gnutls-debugsource-3.7.3-150400.1.3.1
* gnutls-3.7.3-150400.1.3.1
* libgnutls30-3.7.3-150400.1.3.1
* libgnutls30-debuginfo-3.7.3-150400.1.3.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
* gnutls-debuginfo-3.7.3-150400.1.3.1
* libgnutls30-hmac-3.7.3-150400.1.3.1
* gnutls-debugsource-3.7.3-150400.1.3.1
* gnutls-3.7.3-150400.1.3.1
* libgnutls30-3.7.3-150400.1.3.1
* libgnutls30-debuginfo-3.7.3-150400.1.3.1
## References:
* https://www.suse.com/security/cve/CVE-2023-0361.html
* https://www.suse.com/security/cve/CVE-2023-5981.html
* https://www.suse.com/security/cve/CVE-2024-0553.html
* https://www.suse.com/security/cve/CVE-2024-0567.html
* https://bugzilla.suse.com/show_bug.cgi?id=1202146
* https://bugzilla.suse.com/show_bug.cgi?id=1203299
* https://bugzilla.suse.com/show_bug.cgi?id=1203779
* https://bugzilla.suse.com/show_bug.cgi?id=1207183
* https://bugzilla.suse.com/show_bug.cgi?id=1207346
* https://bugzilla.suse.com/show_bug.cgi?id=1208143
* https://bugzilla.suse.com/show_bug.cgi?id=1208146
* https://bugzilla.suse.com/show_bug.cgi?id=1208237
* https://bugzilla.suse.com/show_bug.cgi?id=1209001
* https://bugzilla.suse.com/show_bug.cgi?id=1217277
* https://bugzilla.suse.com/show_bug.cgi?id=1218862
* https://bugzilla.suse.com/show_bug.cgi?id=1218865
* https://jira.suse.com/browse/PED-1562
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20240409/ea7866e8/attachment.htm>
More information about the sle-updates
mailing list