PublicDateAtUSN: 2020-04-03 13:15:00 UTC
Candidate: CVE-2020-11501
PublicDate: 2020-04-03 13:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11501
 https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-03-31
 https://gitlab.com/gnutls/gnutls/-/commit/5b595e8e52653f6c5726a4cdd8fddeb6e83804d2
 https://ubuntu.com/security/notices/USN-4322-1
Description:
 GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The
 earliest affected version is 3.6.3 (2018-07-16) because of an error in a
 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a
 random value, and thus contributes no randomness to a DTLS negotiation.
 This breaks the security guarantees of the DTLS protocol.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955556
 https://gitlab.com/gnutls/gnutls/-/issues/960
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N [7.4 HIGH]


Patches_gnutls28:
 upstream: https://gitlab.com/gnutls/gnutls/-/commit/c01011c2d8533dbbbe754e49e256c109cb848d0d
upstream_gnutls28: released (3.6.13-2)
precise/esm_gnutls28: DNE
trusty_gnutls28: ignored (out of standard support)
trusty/esm_gnutls28: DNE
xenial_gnutls28: not-affected (3.4.10-4ubuntu1.7)
esm-infra/xenial_gnutls28: not-affected (3.4.10-4ubuntu1.7)
bionic_gnutls28: not-affected (3.5.18-1ubuntu1.3)
eoan_gnutls28: released (3.6.9-5ubuntu1.1)
devel_gnutls28: released (3.6.13-2ubuntu1)