user/gnutls: multiple vulnerabilities
Bugzilla ID | 254 |
Alias(es) | CVE-2020-11501, CVE-2020-13777 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2020-04-03 14:29:36 -0500 |
Modified | 2020-06-15 16:38:59 -0500 |
Status | RESOLVED FIXED |
Version | 1.0-RC1 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
Description
GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The
earliest affected version is 3.6.3 (2018-07-16) because of an error in
a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead
of a random value, and thus contributes no randomness to a DTLS
negotiation. This breaks the security guarantees of the DTLS protocol.
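
A passive check for the behaviour described above, as an added example rather than code from GnuTLS or from this tracker: it parses a DTLS datagram using the RFC 6347 record and handshake layout and reports whether the ClientHello random is 32 zero bytes. The function names are this example's own, and `build_client_hello` with its sample randoms is constructed test input.

```python
import struct

# DTLS record header (RFC 6347): type, version, epoch, 48-bit sequence, length
RECORD_HDR = struct.Struct("!BHH6sH")
# DTLS handshake header: msg_type, length, message_seq, fragment_offset, fragment_length
HANDSHAKE_HDR = struct.Struct("!B3sH3s3s")
HANDSHAKE, CLIENT_HELLO = 22, 1


def client_random(datagram: bytes):
    """Return the 32-byte ClientHello.random from a DTLS datagram, else None."""
    if len(datagram) < RECORD_HDR.size:
        return None
    ctype, version, epoch, _seq, rec_len = RECORD_HDR.unpack_from(datagram)
    # DTLS versions are 0xFEFF / 0xFEFD; a plaintext ClientHello is in epoch 0.
    if ctype != HANDSHAKE or version >> 8 != 0xFE or epoch != 0:
        return None
    body = datagram[RECORD_HDR.size:RECORD_HDR.size + rec_len]
    if len(body) < max(rec_len, HANDSHAKE_HDR.size):
        return None
    msg_type, _len, _mseq, frag_off, frag_len = HANDSHAKE_HDR.unpack_from(body)
    # The random sits at the start of the message, so only fragment offset 0 has it.
    if msg_type != CLIENT_HELLO or int.from_bytes(frag_off, "big") != 0:
        return None
    frag = body[HANDSHAKE_HDR.size:HANDSHAKE_HDR.size + int.from_bytes(frag_len, "big")]
    # client_version (2 bytes) precedes the 32-byte random.
    return frag[2:34] if len(frag) >= 34 else None


def has_zero_client_random(datagram: bytes) -> bool:
    """True when the datagram is a ClientHello whose random is 32 zero bytes."""
    return client_random(datagram) == bytes(32)


def build_client_hello(random: bytes) -> bytes:
    """Constructed sample input: minimal DTLS 1.2 ClientHello with the given random."""
    body = (b"\xfe\xfd" + random      # client_version, random
            + b"\x00" + b"\x00"        # empty session_id, empty cookie
            + b"\x00\x02\xc0\x2b"      # one cipher suite
            + b"\x01\x00")             # null compression
    n = len(body).to_bytes(3, "big")
    hs = HANDSHAKE_HDR.pack(CLIENT_HELLO, n, 0, bytes(3), n) + body
    return RECORD_HDR.pack(HANDSHAKE, 0xFEFF, 0, bytes(6), len(hs)) + hs


if __name__ == "__main__":
    for label, rnd in (("zero", bytes(32)), ("non-zero", bytes(range(1, 33)))):
        print(label, has_zero_client_random(build_client_hello(rnd)))
```

A match on traffic from a host indicates a DTLS client still running an affected GnuTLS 3.6.x build, i.e. one before 3.6.13.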