Amazon Linux 2023 Security Advisory: ALAS-2024-591
Advisory Release Date: 2024-04-25 16:39 Pacific
Advisory Updated Date: 2024-04-25 16:39 Pacific
Severity:
Medium
Issue Overview:
A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel. (CVE-2024-28834)
A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command. (CVE-2024-28835)
Affected Packages:
gnutls
Issue Correction:
Run dnf update gnutls --releasever 2023.4.20240429 to update your system.
New Packages:
aarch64:
gnutls-c++-debuginfo-3.8.0-380.amzn2023.0.6.aarch64
gnutls-utils-debuginfo-3.8.0-380.amzn2023.0.6.aarch64
gnutls-dane-debuginfo-3.8.0-380.amzn2023.0.6.aarch64
gnutls-debuginfo-3.8.0-380.amzn2023.0.6.aarch64
gnutls-dane-3.8.0-380.amzn2023.0.6.aarch64
gnutls-debugsource-3.8.0-380.amzn2023.0.6.aarch64
gnutls-c++-3.8.0-380.amzn2023.0.6.aarch64
gnutls-utils-3.8.0-380.amzn2023.0.6.aarch64
gnutls-3.8.0-380.amzn2023.0.6.aarch64
gnutls-devel-3.8.0-380.amzn2023.0.6.aarch64
src:
gnutls-3.8.0-380.amzn2023.0.6.src
x86_64:
gnutls-utils-debuginfo-3.8.0-380.amzn2023.0.6.x86_64
gnutls-c++-debuginfo-3.8.0-380.amzn2023.0.6.x86_64
gnutls-utils-3.8.0-380.amzn2023.0.6.x86_64
gnutls-debuginfo-3.8.0-380.amzn2023.0.6.x86_64
gnutls-dane-debuginfo-3.8.0-380.amzn2023.0.6.x86_64
gnutls-dane-3.8.0-380.amzn2023.0.6.x86_64
gnutls-c++-3.8.0-380.amzn2023.0.6.x86_64
gnutls-debugsource-3.8.0-380.amzn2023.0.6.x86_64
gnutls-3.8.0-380.amzn2023.0.6.x86_64
gnutls-devel-3.8.0-380.amzn2023.0.6.x86_64