Bug#1061045: gnutls28: CVE-2024-0567

Salvatore Bonaccorso

Jan 16, 2024, 4:20:05 PM
Source: gnutls28
Version: 3.8.2-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/gnutls/gnutls/-/issues/1521
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>

Hi,

The following vulnerability was published for gnutls28.

CVE-2024-0567[0]:
| A vulnerability was found in GnuTLS, where a cockpit (which uses
| gnuTLS) rejects a certificate chain with distributed trust. This
| issue occurs when validating a certificate chain with cockpit-
| certificate-ensure. This flaw allows an unauthenticated, remote
| client or attacker to initiate a denial of service attack.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0567
https://www.cve.org/CVERecord?id=CVE-2024-0567
[1] https://gitlab.com/gnutls/gnutls/-/issues/1521
[2] https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Andreas Metzler

Jan 20, 2024, 7:40:06 AM
Hello,

do you plan/would you rather fix these two issues (CVE-2024-0567 and
CVE-2024-0553) by DSA or should I go for a (old)stable update?

TIA, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Salvatore Bonaccorso

Jan 20, 2024, 9:10:05 AM
Hi,

On Sat, Jan 20, 2024 at 01:28:33PM +0100, Andreas Metzler wrote:
> Hello,
>
> do you plan/would you rather fix these two issues (CVE-2024-0567 and
> CVE-2024-0553) by DSA or should I go for a (old)stable update?

IMHO they can go as well via the point releases (which should be,
though yet not officially announced) around the 10th of February.

Or is there anything I potentially miss that they warrant a DSA?

Regards,
Salvatore