GnuTLS servers are able to use tickets issued by each other without access to the secret key as generated by gnutls_session_ticket_key_generate(). In TLS 1.3 this allows a MITM server without valid credentials to resume sessions with a client that first established an initial connection with a server with valid credentials. In TLS 1.2, it may allow attackers to recover the previous conversations. Reference: https://gitlab.com/gnutls/gnutls/-/issues/1011
Created gnutls tracking bugs for this issue:
Affects: fedora-all [bug 1843724]

Created gnutls30 tracking bugs for this issue:
Affects: epel-6 [bug 1843726]

Created mingw-gnutls tracking bugs for this issue:
Affects: fedora-all [bug 1843725]
Upstream commits for this issue:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1275/diffs?commit_id=c2646aeee94e71cb15c90a3147cf3b5b0ca158ca
https://gitlab.com/gnutls/gnutls/-/merge_requests/1275/diffs?commit_id=3d7fae761e65e9d0f16d7247ee8a464d4fe002da
External References: https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-06-03
Mitigation: There's no available mitigation for this issue.
Does this affect RHEL8? - the version of gnutls shipped in rhel8 is gnutls-3.6.8-10 which would imply it does.
(In reply to jwp from comment #16)
> Does this affect RHEL8? - the version of gnutls shipped in rhel8 is
> gnutls-3.6.8-10
>
> which would imply it does.

Answering my own question. Yes. Yes it does: https://access.redhat.com/security/cve/CVE-2020-13777

I assume that anything that uses the rhel8 user-space (OCP4, CoreOS, OSP16) will likewise be affected?
Statement: GnuTLS versions as shipped with Red Hat Enterprise Linux 7 and earlier are not affected, as the bug was introduced upstream in GnuTLS version 3.6.4. The older versions do not carry the affected code.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
Via RHSA-2020:2639 https://access.redhat.com/errata/RHSA-2020:2639

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Extended Update Support
Via RHSA-2020:2638 https://access.redhat.com/errata/RHSA-2020:2638

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:2637 https://access.redhat.com/errata/RHSA-2020:2637
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13777