CVE-2012-0390
Published: 6 January 2012
The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108.
Notes
Author | Note |
---|---|
tyhicks | DTLS support was not implemented until gnutls-2.99.0 |
Priority
Status
Package | Release | Status |
---|---|---|
gnutls13 Launchpad, Ubuntu, Debian |
hardy |
Not vulnerable
(DTLS not implemented)
|
lucid |
Does not exist
|
|
maverick |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Does not exist
|
|
precise |
Does not exist
|
|
quantal |
Does not exist
|
|
raring |
Does not exist
|
|
saucy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Not vulnerable
|
|
gnutls26 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
lucid |
Not vulnerable
|
|
maverick |
Not vulnerable
|
|
natty |
Not vulnerable
|
|
oneiric |
Not vulnerable
|
|
precise |
Not vulnerable
(DTLS not implemented)
|
|
quantal |
Not vulnerable
(DTLS not implemented)
|
|
raring |
Not vulnerable
(DTLS not implemented)
|
|
saucy |
Not vulnerable
(DTLS not implemented)
|
|
trusty |
Not vulnerable
(DTLS not implemented)
|
|
upstream |
Not vulnerable
|
|
gnutls28 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
lucid |
Does not exist
|
|
maverick |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Does not exist
|
|
precise |
Not vulnerable
(3.0.11-1ubuntu2)
|
|
quantal |
Not vulnerable
|
|
raring |
Ignored
(end of life)
|
|
saucy |
Not vulnerable
|
|
trusty |
Does not exist
(trusty was not-affected)
|
|
upstream |
Released
(3.0.11)
|
|
Patches: upstream: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=35e26ca63c6da01db460d93e9c4bf86cd668534c upstream: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=10267466bde4b80af1c5c7cff8129ce92da99179 |