8124 – [Anolis OS 23] Bugfix for CVE-2024-0553

Bug 8124 - [Anolis OS 23] Bugfix for CVE-2024-0553

Summary: [Anolis OS 23] Bugfix for CVE-2024-0553

Status:	NEW

Alias:	None

Product:	Anolis OS 23
Classification:	Anolis OS
Component:	BaseOS Packages (show other bugs)	BaseOS Packages
Sub Component:
Version:	unspecified
Hardware:	All Linux

Importance:	P2-High S2-major
Target Milestone:	---
Assignee:	happy_orange
QA Contact:	bolong_tbl

URL:
Whiteboard:
Keywords:	CVE

Depends on:
Blocks:

Reported:	2024-01-31 20:11 UTC by 小龙
Modified:	2024-02-01 15:06 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description 小龙 admin

2024-01-31 20:11:12 UTC

Description:
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Broken commit info:

Bugfix commit info:
https://gitlab.com/gnutls/gnutls/-/issues/1522
https://bugzilla.redhat.com/show_bug.cgi?id=2258412
https://access.redhat.com/security/cve/CVE-2024-0553
https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
http://www.openwall.com/lists/oss-security/2024/01/19/3
https://github.com/gnutls/gnutls/commit/40dbbd8de499668590e8af51a15799fbc430595e
https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e

Comment 1 扣肉 2024-02-01 15:06:50 UTC

https://gitee.com/src-anolis-os/gnutls/pulls/18