CVE-2013-1619

Published: 8 February 2013

The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Notes

Author: jdstrand
Note: LP: #1166634 is reported as a regression

Priority

Medium

Status

Package Release Status

gnutls13
Launchpad, Ubuntu, Debian
hardy: Released (2.0.4-1ubuntu2.9)
lucid: Does not exist
oneiric: Does not exist
precise: Does not exist
quantal: Does not exist
raring: Does not exist
saucy: Does not exist
trusty: Does not exist
upstream: Needs triage
utopic: Does not exist
vivid: Does not exist
wily: Does not exist
xenial: Does not exist
yakkety: Does not exist
zesty: Does not exist

gnutls26
Launchpad, Ubuntu, Debian
hardy: Does not exist
lucid: Released (2.8.5-2ubuntu0.3)
oneiric: Released (2.10.5-1ubuntu3.3)
precise: Released (2.12.14-5ubuntu3.2)
quantal: Released (2.12.14-5ubuntu4.2)
raring: Not vulnerable (2.12.23-1ubuntu1)
saucy: Not vulnerable (2.12.23-1ubuntu1)
trusty: Not vulnerable (2.12.23-1ubuntu1)
upstream: Released (2.12.20-4)
utopic: Not vulnerable (2.12.23-1ubuntu1)
vivid: Does not exist
wily: Does not exist
xenial: Does not exist
yakkety: Does not exist
zesty: Does not exist

Patches:
upstream: https://gitorious.org/gnutls/gnutls/commit/458c67cf98740e7b12404f6c30e0d5317d56fd30
upstream: https://gitorious.org/gnutls/gnutls/commit/93b7fcfa3297a9123630704668b2946f602b910e
upstream: https://gitorious.org/gnutls/gnutls/commit/7b65049a81ea02a92fef934318a680afd55e98d2 (backporting)

gnutls28
Launchpad, Ubuntu, Debian
hardy: Does not exist
lucid: Does not exist
oneiric: Does not exist
precise: Does not exist (precise was needed)
quantal: Ignored (reached end-of-life)
raring: Ignored (reached end-of-life)
saucy: Not vulnerable (3.2.3-1ubuntu1)
trusty: Does not exist (trusty was not-affected [3.2.11-2ubuntu1])
upstream: Released (3.0.22-3)
utopic: Not vulnerable (3.2.11-2ubuntu1)
vivid: Not vulnerable (3.2.11-2ubuntu1)
wily: Not vulnerable (3.2.11-2ubuntu1)
xenial: Not vulnerable (3.2.11-2ubuntu1)
yakkety: Not vulnerable (3.2.11-2ubuntu1)
zesty: Not vulnerable (3.2.11-2ubuntu1)

Patches:
upstream: https://gitorious.org/gnutls/gnutls/commit/8dc2822966f64dd9cf7dde9c7aacd80d49d3ffe5