GnuTLS TLS and DTLS Information Leakage Vulnerability
Release date:
Updated on: 2013-02-27
Affected Systems:
GNU GnuTLS 3.x
GNU GnuTLS 2.x
Unaffected system:
GNU GnuTLS 2.12.14
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57736
CVE (CAN) ID: CVE-2013-1619
GnuTLS is a function library used to implement TLS encryption.
GnuTLS does not correctly handle timed-side channel attacks that are incompatible with MAC checks during malformed CBC filling, remote attackers can perform differentiated attacks and plain text recovery attacks by statistical analysis of the scheduled data of specially crafted packets.
<* Source: Nadhem Alfardan
Link: http://openwall.com/lists/oss-security/2013/02/05/24
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
GNU
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
GnuTLS details: click here
GnuTLS: click here
Install GnuTLS in Mac OS X 10.6
Compile and install the new GnuTLS version in CentOS
JSSE works with GnuTLS to implement secure communication between Java and C.
Certificate generation when JSSE and GnuTLS are used together