SB2013040804 - Cryptographic issues in gnutls (Alpine package)
Published: April 8, 2013
Security Bulletin ID
SB2013040804
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cryptographic issues (CVE-ID: CVE-2013-1619)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=e284167aecd00197e8f835d500d9956bfa3a90fb
- https://git.alpinelinux.org/aports/commit/?id=cc886f2ba7fe3142721ca39008a137f4d1d342ea
- https://git.alpinelinux.org/aports/commit/?id=23f5cb321fd961b0c56518f7c1d44705f6328e9b
- https://git.alpinelinux.org/aports/commit/?id=58f9c7090bf9d7fdf1a33cac74cfef550badd4f5