CVE-2023-5981

NameCVE-2023-5981
DescriptionA vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3660-1
Debian Bugs1056188

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnutls28 (PTS)buster3.6.7-4+deb10u8vulnerable
buster (security)3.6.7-4+deb10u12fixed
bullseye3.7.1-5+deb11u4fixed
bullseye (security)3.7.1-5+deb11u3vulnerable
bookworm3.7.9-2+deb12u2fixed
trixie, sid3.8.5-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnutls28sourcebuster3.6.7-4+deb10u11DLA-3660-1
gnutls28sourcebullseye3.7.1-5+deb11u4
gnutls28sourcebookworm3.7.9-2+deb12u1
gnutls28source(unstable)3.8.2-11056188

Notes

https://gitlab.com/gnutls/gnutls/-/issues/1511
https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23
https://lists.gnupg.org/pipermail/gnutls-help/2023-November/004837.html
Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d (3.8.2)
Fixing this issue incompletely opens up CVE-2024-0553
Search for package or bug name: Reporting problems