Headline
Red Hat Security Advisory 2023-3361-01
Red Hat Security Advisory 2023-3361-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: gnutls security update
Advisory ID: RHSA-2023:3361-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3361
Issue date: 2023-05-31
CVE Names: CVE-2023-0361
=====================================================================
- Summary:
An update for gnutls is now available for Red Hat Enterprise Linux 8.6
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64
- Description:
The gnutls packages provide the GNU Transport Layer Security (GnuTLS)
library, which implements cryptographic algorithms and protocols such as
SSL, TLS, and DTLS.
Security Fix(es):
- gnutls: timing side-channel in the TLS RSA key exchange code
(CVE-2023-0361)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2162596 - CVE-2023-0361 gnutls: timing side-channel in the TLS RSA key exchange code
- Package List:
Red Hat Enterprise Linux AppStream EUS (v.8.6):
aarch64:
gnutls-c+±3.6.16-5.el8_6.1.aarch64.rpm
gnutls-c+±debuginfo-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-dane-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-dane-debuginfo-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-debuginfo-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-debugsource-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-devel-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-utils-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-utils-debuginfo-3.6.16-5.el8_6.1.aarch64.rpm
ppc64le:
gnutls-c+±3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-c+±debuginfo-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-dane-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-dane-debuginfo-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-debuginfo-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-debugsource-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-devel-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-utils-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-utils-debuginfo-3.6.16-5.el8_6.1.ppc64le.rpm
s390x:
gnutls-c+±3.6.16-5.el8_6.1.s390x.rpm
gnutls-c+±debuginfo-3.6.16-5.el8_6.1.s390x.rpm
gnutls-dane-3.6.16-5.el8_6.1.s390x.rpm
gnutls-dane-debuginfo-3.6.16-5.el8_6.1.s390x.rpm
gnutls-debuginfo-3.6.16-5.el8_6.1.s390x.rpm
gnutls-debugsource-3.6.16-5.el8_6.1.s390x.rpm
gnutls-devel-3.6.16-5.el8_6.1.s390x.rpm
gnutls-utils-3.6.16-5.el8_6.1.s390x.rpm
gnutls-utils-debuginfo-3.6.16-5.el8_6.1.s390x.rpm
x86_64:
gnutls-c+±3.6.16-5.el8_6.1.i686.rpm
gnutls-c+±3.6.16-5.el8_6.1.x86_64.rpm
gnutls-c+±debuginfo-3.6.16-5.el8_6.1.i686.rpm
gnutls-c+±debuginfo-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-dane-3.6.16-5.el8_6.1.i686.rpm
gnutls-dane-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-dane-debuginfo-3.6.16-5.el8_6.1.i686.rpm
gnutls-dane-debuginfo-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-debuginfo-3.6.16-5.el8_6.1.i686.rpm
gnutls-debuginfo-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-debugsource-3.6.16-5.el8_6.1.i686.rpm
gnutls-debugsource-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-devel-3.6.16-5.el8_6.1.i686.rpm
gnutls-devel-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-utils-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-utils-debuginfo-3.6.16-5.el8_6.1.i686.rpm
gnutls-utils-debuginfo-3.6.16-5.el8_6.1.x86_64.rpm
Red Hat Enterprise Linux BaseOS EUS (v.8.6):
Source:
gnutls-3.6.16-5.el8_6.1.src.rpm
aarch64:
gnutls-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-c+±debuginfo-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-dane-debuginfo-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-debuginfo-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-debugsource-3.6.16-5.el8_6.1.aarch64.rpm
gnutls-utils-debuginfo-3.6.16-5.el8_6.1.aarch64.rpm
ppc64le:
gnutls-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-c+±debuginfo-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-dane-debuginfo-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-debuginfo-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-debugsource-3.6.16-5.el8_6.1.ppc64le.rpm
gnutls-utils-debuginfo-3.6.16-5.el8_6.1.ppc64le.rpm
s390x:
gnutls-3.6.16-5.el8_6.1.s390x.rpm
gnutls-c+±debuginfo-3.6.16-5.el8_6.1.s390x.rpm
gnutls-dane-debuginfo-3.6.16-5.el8_6.1.s390x.rpm
gnutls-debuginfo-3.6.16-5.el8_6.1.s390x.rpm
gnutls-debugsource-3.6.16-5.el8_6.1.s390x.rpm
gnutls-utils-debuginfo-3.6.16-5.el8_6.1.s390x.rpm
x86_64:
gnutls-3.6.16-5.el8_6.1.i686.rpm
gnutls-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-c+±debuginfo-3.6.16-5.el8_6.1.i686.rpm
gnutls-c+±debuginfo-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-dane-debuginfo-3.6.16-5.el8_6.1.i686.rpm
gnutls-dane-debuginfo-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-debuginfo-3.6.16-5.el8_6.1.i686.rpm
gnutls-debuginfo-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-debugsource-3.6.16-5.el8_6.1.i686.rpm
gnutls-debugsource-3.6.16-5.el8_6.1.x86_64.rpm
gnutls-utils-debuginfo-3.6.16-5.el8_6.1.i686.rpm
gnutls-utils-debuginfo-3.6.16-5.el8_6.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZHsDqNzjgjWX9erEAQjn2RAAjWveyFzvj+lzp5u7m+6iMUpgMMX7i9JQ
zr9YwVRWbtZZcGcUXqgbyqbDoj7lBZbd4eyQ7GKfeNATEjiQUUTsBvHj+DSHACXg
2gjxgZw3rPE1TsNeOu85ztWJyLMuoMXQQOBvuZkEF7/kSN9l1OihqfdGEMJvqCk5
EiZgrFFAZjyFdyUOeNO4uuFArIOqkBtgVl7aBN1xX0PbgN2hBVURBrl/N0o+yX7q
XdRJF4p+2JCSKqCg6XgTHI/R6GNtP68aF8aA1Eb2hTVxXCqSuDk56Qw2UMSUDPGz
6AZmKc3w7qcqyshY4npnbDGBTTL7LtLrZifg7DZ6HoRM/Q+E7vzEH6O8j1Udq3KT
wlXcBkuJpkUZXzB9D7lg4IQhrt9iTNhegQzgCmr748FHsCBtW+6b/NvAy41dkU7X
UCTwjeWcOA9YIp1csjM9s9juZd/gQjPSsk557Hp0j3AQ9etYGPc7B9iBnwqA6YYo
R4h4qntmsntj46Sgfrc+05gQ5quL6OJV0WuWynOgI0KW4AhicRncbP9mUOj/tO6A
g6e2BrPSjtH8o/rxdzA/M6BI60iylWGac7K7dNL3VXVn4L01dZFiyZDGjtAJaKSQ
fmnNTv1ny899LY6ncaei/bT6OpbYbu2FMeT0Y18Jyo51pcLy/8xuL00RUSeNH+o0
WMPOzJTA4CQ=
=CQ+c
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2023-5103-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.11.6 images.
Red Hat Security Advisory 2023-4694-01 - Red Hat OpenStack Platform (RHOSP) 16.2.z (Train) director Operator containers are now available. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-4488-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.
Red Hat Security Advisory 2023-4091-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4053-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.45. Issues addressed include a code execution vulnerability.
The components for Red Hat OpenShift support for Windows Containers 7.1.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25173: A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates...
Red Hat Security Advisory 2023-3615-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.22. Issues addressed include a denial of service vulnerability.
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
Red Hat Security Advisory 2023-3664-01 - Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image.
Red Hat Security Advisory 2023-3624-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
The Migration Toolkit for Containers (MTC) 1.7.10 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service cause...
OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker ...
Red Hat Security Advisory 2023-2728-01 - The Red Hat OpenShift Distributed Tracing 2.8 container images have been updated. CVE-2022-41717 was fixed as part of this release. Users of Red Hat OpenShift Distributed Tracing 2.8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs, and add these enhancements.
Red Hat Security Advisory 2023-2710-01 - Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services. This erratum releases a new image for Red Hat Single Sign-On 7.6.3 for use within the Red Hat OpenShift Container Platform cloud computing Platform-as-a-Service for on-premise or private cloud deployments, aligning with the standalone product release. Issues addressed include denial of service and information leakage vulnerabilities.
A new image is available for Red Hat Single Sign-On 7.6.3, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-0341: In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction...
An update for gnutls is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0361: A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially crafted messages to the v...
Red Hat Security Advisory 2023-1200-01 - The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.
An update for gnutls is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0361: A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially...
An update for gnutls is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0361: A timing side-channel vulnerability was found in RSA ClientKeyExchange messages in GnuTLS. This side-channel may be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially crafted messages to the v...
Ubuntu Security Notice 5901-1 - Hubert Kario discovered that GnuTLS had a timing side-channel when handling certain RSA messages. A remote attacker could possibly use this issue to recover sensitive information.
Debian Linux Security Advisory 5349-1 - Hubert Kario discovered a timing side channel in the RSA decryption implementation of the GNU TLS library.
A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.