Security update for gnutls SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0790-1 Final 1 1 2020-06-10T17:41:13Z current 2020-06-10T17:41:13Z 2020-06-10T17:41:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gnutls This update for gnutls fixes the following issues: - CVE-2020-13777: Fixed an insecure session ticket key construction which could have made the TLS server to not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506). - Fixed an improper handling of certificate chain with cross-signed intermediate CA certificates (bsc#1172461). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-790 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7AWWZAFHM4X4VDC2SELE3F2YGHU6D3KT/ E-Mail link for openSUSE-SU-2020:0790-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172461 SUSE Bug 1172461 https://bugzilla.suse.com/1172506 SUSE Bug 1172506 https://www.suse.com/security/cve/CVE-2020-13777/ SUSE CVE CVE-2020-13777 page openSUSE Leap 15.1 gnutls-3.6.7-lp151.2.18.1 gnutls-guile-3.6.7-lp151.2.18.1 libgnutls-dane-devel-3.6.7-lp151.2.18.1 libgnutls-dane0-3.6.7-lp151.2.18.1 libgnutls-devel-3.6.7-lp151.2.18.1 libgnutls-devel-32bit-3.6.7-lp151.2.18.1 libgnutls30-3.6.7-lp151.2.18.1 libgnutls30-32bit-3.6.7-lp151.2.18.1 libgnutls30-hmac-3.6.7-lp151.2.18.1 libgnutls30-hmac-32bit-3.6.7-lp151.2.18.1 libgnutlsxx-devel-3.6.7-lp151.2.18.1 libgnutlsxx28-3.6.7-lp151.2.18.1 gnutls-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 gnutls-guile-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 libgnutls-dane-devel-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 libgnutls-dane0-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 libgnutls-devel-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 libgnutls-devel-32bit-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 libgnutls30-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 libgnutls30-32bit-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 libgnutls30-hmac-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 libgnutls30-hmac-32bit-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 libgnutlsxx-devel-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 libgnutlsxx28-3.6.7-lp151.2.18.1 as a component of openSUSE Leap 15.1 GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application. CVE-2020-13777 openSUSE Leap 15.1:gnutls-3.6.7-lp151.2.18.1 openSUSE Leap 15.1:gnutls-guile-3.6.7-lp151.2.18.1 openSUSE Leap 15.1:libgnutls-dane-devel-3.6.7-lp151.2.18.1 openSUSE Leap 15.1:libgnutls-dane0-3.6.7-lp151.2.18.1 openSUSE Leap 15.1:libgnutls-devel-3.6.7-lp151.2.18.1 openSUSE Leap 15.1:libgnutls-devel-32bit-3.6.7-lp151.2.18.1 openSUSE Leap 15.1:libgnutls30-3.6.7-lp151.2.18.1 openSUSE Leap 15.1:libgnutls30-32bit-3.6.7-lp151.2.18.1 openSUSE Leap 15.1:libgnutls30-hmac-3.6.7-lp151.2.18.1 openSUSE Leap 15.1:libgnutls30-hmac-32bit-3.6.7-lp151.2.18.1 openSUSE Leap 15.1:libgnutlsxx-devel-3.6.7-lp151.2.18.1 openSUSE Leap 15.1:libgnutlsxx28-3.6.7-lp151.2.18.1 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7AWWZAFHM4X4VDC2SELE3F2YGHU6D3KT/ https://www.suse.com/security/cve/CVE-2020-13777.html CVE-2020-13777 https://bugzilla.suse.com/1172461 SUSE Bug 1172461 https://bugzilla.suse.com/1172506 SUSE Bug 1172506