PublicDateAtUSN: 2018-08-22 Candidate: CVE-2018-10844 PublicDate: 2018-08-22 13:29:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844 https://eprint.iacr.org/2018/747 https://ubuntu.com/security/notices/USN-3999-1 Description: It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets. Ubuntu-Description: Notes: mdeslaur> RHEL7 update brings back SHA256 Bugs: https://gitlab.com/gnutls/gnutls/issues/456 Priority: medium Discovered-by: Assigned-to: mdeslaur CVSS: nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM] nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM] Patches_gnutls26: upstream_gnutls26: needs-triage precise/esm_gnutls26: ignored (end of ESM support, was needs-triage) trusty_gnutls26: ignored (reached end-of-life) trusty/esm_gnutls26: needs-triage xenial_gnutls26: DNE bionic_gnutls26: DNE cosmic_gnutls26: DNE disco_gnutls26: DNE eoan_gnutls26: DNE focal_gnutls26: DNE groovy_gnutls26: DNE hirsute_gnutls26: DNE impish_gnutls26: DNE jammy_gnutls26: DNE devel_gnutls26: DNE Patches_gnutls28: upstream: https://gitlab.com/gnutls/gnutls/merge_requests/657 upstream: https://gitlab.com/gnutls/gnutls/commit/e14d85eb8b1987d86f7b1d101a0e7795675d20d4 (3.5) upstream: https://gitlab.com/gnutls/gnutls/commit/c2e094acd68f7159025b2e2556d6fb4427b41dd7 (3.5) upstream: https://gitlab.com/gnutls/gnutls/commit/62a39773e9d0c4a686a3d8d2b6cca32f82c26cd7 (3.5) upstream: https://gitlab.com/gnutls/gnutls/commit/c433cdf92349afae66c703bdacedf987f423605e (3.5) upstream: https://gitlab.com/gnutls/gnutls/commit/9fdd24d53c84cc68dac1be28f8b1436e424ce1f1 (3.5) upstream_gnutls28: released (3.5.19,3.6.3) precise/esm_gnutls28: DNE trusty_gnutls28: ignored (reached end-of-life) trusty/esm_gnutls28: DNE (trusty was needed) xenial_gnutls28: released (3.4.10-4ubuntu1.5) esm-infra/xenial_gnutls28: released (3.4.10-4ubuntu1.5) bionic_gnutls28: released (3.5.18-1ubuntu1.1) cosmic_gnutls28: not-affected (3.6.4-2ubuntu1) disco_gnutls28: not-affected (3.6.5-2ubuntu1) eoan_gnutls28: not-affected (3.6.5-2ubuntu1) focal_gnutls28: not-affected (3.6.5-2ubuntu1) groovy_gnutls28: not-affected (3.6.5-2ubuntu1) hirsute_gnutls28: not-affected (3.6.5-2ubuntu1) impish_gnutls28: not-affected (3.6.5-2ubuntu1) jammy_gnutls28: not-affected (3.6.5-2ubuntu1) devel_gnutls28: not-affected (3.6.5-2ubuntu1)