CVE-2020-11501

Priority
Description
GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The
earliest affected version is 3.6.3 (2018-07-16) because of an error in a
2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a
random value, and thus contributes no randomness to a DTLS negotiation.
This breaks the security guarantees of the DTLS protocol.
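
The flaw is visible on the wire, because the ClientHello is sent in plaintext. The Python below is an added example, not code from this tracker entry or from GnuTLS: it parses a UDP payload as DTLS records and flags any ClientHello whose 32-byte random is all zeros. The function names and the sample ClientHello are constructed for illustration; field offsets follow the DTLS 1.2 record and handshake layout (RFC 6347).

```python
import struct

RECORD_HDR = 13      # type(1) version(2) epoch(2) sequence(6) length(2)
HANDSHAKE_HDR = 12   # msg_type(1) length(3) message_seq(2) frag_offset(3) frag_length(3)
HANDSHAKE, CLIENT_HELLO = 22, 1


def client_randoms(datagram: bytes):
    """Yield the 32-byte random of every ClientHello in one UDP payload."""
    pos = 0
    while pos + RECORD_HDR <= len(datagram):
        ctype, major, _minor, epoch = struct.unpack_from("!BBBH", datagram, pos)
        (length,) = struct.unpack_from("!H", datagram, pos + 11)
        body = datagram[pos + RECORD_HDR : pos + RECORD_HDR + length]
        pos += RECORD_HDR + length
        # Epoch 0 records are plaintext; every DTLS version starts with 0xFE.
        if ctype != HANDSHAKE or major != 0xFE or epoch != 0 or len(body) < length:
            continue
        off = 0
        while off + HANDSHAKE_HDR <= len(body):
            msg_type = body[off]
            frag_off = int.from_bytes(body[off + 6 : off + 9], "big")
            frag_len = int.from_bytes(body[off + 9 : off + 12], "big")
            frag = body[off + HANDSHAKE_HDR : off + HANDSHAKE_HDR + frag_len]
            off += HANDSHAKE_HDR + frag_len
            # client_version(2) + random(32) open the message, so only a
            # fragment with offset 0 carries them.
            if msg_type == CLIENT_HELLO and frag_off == 0 and len(frag) >= 34:
                yield frag[2:34]


def zero_random_hello(datagram: bytes) -> bool:
    """True if any ClientHello in the datagram has an all-zero random."""
    return any(r == bytes(32) for r in client_randoms(datagram))


def build_hello(random: bytes) -> bytes:
    """Constructed sample: a minimal DTLS 1.2 ClientHello record."""
    body = b"\xfe\xfd" + random + b"\x00\x00"   # version, random, empty session_id and cookie
    body += b"\x00\x02\xc0\x2b" + b"\x01\x00"   # one cipher suite, null compression
    n = len(body).to_bytes(3, "big")
    hs = bytes([CLIENT_HELLO]) + n + b"\x00\x00" + b"\x00\x00\x00" + n + body
    return bytes([HANDSHAKE]) + b"\xfe\xfd" + bytes(8) + len(hs).to_bytes(2, "big") + hs
```

Pass each UDP payload from a capture to `zero_random_hello`; a hit points to a client that should be checked against the fixed package versions listed below.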
Assigned-to
mdeslaur
Notes
Package
Upstream: released (3.6.13-2)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (3.4.10-4ubuntu1.7)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (3.5.18-1ubuntu1.3)
Ubuntu 19.10 (Eoan Ermine): released (3.6.9-5ubuntu1.1)
Ubuntu 20.04 LTS (Focal Fossa): released (3.6.13-2ubuntu1)
Patches:
Upstream: https://gitlab.com/gnutls/gnutls/-/commit/c01011c2d8533dbbbe754e49e256c109cb848d0d
More Information

Updated: 2020-05-25 07:20:23 UTC (commit 11dafbc1d6a43b52e36edd3252d959cb6bc124fe)