GnuTLS

About Security Advisories
Although, the core GnuTLS team does not have resources to analyse the background and impact of security issues in depth, we do take security seriously. All known information on security incidents is collected and published in this page.
Our idea is to turn writing security advisory into an open process where everyone can contribute. Everyone is invited to analyse the impact of discovered bugs, and, of course, also to study the code for new bugs.
All serious analysis of bugs will be posted on this page.
If this level of support is inadequate for your needs, customized commercial support is available.
Reporting security problems
Send non-public reports to the maintainers. All other reports should be sent to one of the mailing lists.

Advisories

Tag	Severity	Information
GNUTLS-SA-2013-1 TLS CBC padding timing attack CVE-2013-1619	Possible plaintext recovery	Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes that CBC ciphersuites, by using timing information. In order for the attack to work the client must operate as follows. It connects to a server, it sends some (encrypted) data that will be intercepted by the attacker, who will terminate the client's connection abnormally (i.e. the client will receive a premature termination error). The client should repeat that, multiple times. Who is affected by this attack? Clients that repeatedly reconnect and transfer the same data, after a TLS fatal error occurs. How to mitigate the attack? Do not enable the CBC ciphersuites, prefer ARCFOUR or GCM modes. Upgrade to the latest GnuTLS version (3.1.7, 3.0.28, or 2.12.23). Write-up by Nikos
GNUTLS-SA-2012-4 "CRIME" attack CVE-2012-4929	Possible plaintext recovery	There is an attack on TLS called "CRIME" which takes advantage of compression and may recover plaintext under certain circumstances. Who is affected by this attack? Clients or servers that use compression and provide the ability to an adversary to inject data (multiple times) in their session. How to mitigate the attack? Do not enable compression (GnuTLS doesn't enable it by default) When using compression use the CBC ciphers that include a random padding up to 255 bytes. That would increase the number of trials an attacker needs to perform significantly. Note that using compression provides information to an attacker on the plaintext. Security advisory A description of the attack Another analysis of the attack
GNUTLS-SA-2012-3 CVE-2012-1569	Denial of service	This vulnerability is in the libtasn1 library and affects the DER length decoding which is fixed in 2.12 release. Write-up by Mu Dynamics Recommendation: Upgrade to libtasn1 2.12.
GNUTLS-SA-2012-2 CVE-2012-1573	Possible buffer overflow/Denial of service	TLS record handling vulnerability fixed in GnuTLS 3.0.15. Write-up by Mu Dynamics Recommendation: Upgrade to GnuTLS 3.0.17 or 2.12.18.
GNUTLS-SA-2012-1 CVE-2012-0390	Timing attack (DTLS)	Announcement of GnuTLS 3.0.11 The paper describing the attack This vulnerability allows an attacker to perform partial plaintext recovery using a timing attack in CBC-mode encryption. The attack is applicable to Datagram TLS (DTLS). Recommendation: Upgrade to GnuTLS 3.0.11.
GNUTLS-SA-2011-2 CVE-2011-4128	Possible buffer overflow/Denial of service	Mailing list discussion Note that this vulnerability is triggered by TLS clients that utilize the session resumption functions in a particular way. Clients that perform session resumption using the same steps as in the example code of GnuTLS documentation are not vulnerable. A preliminary analysis found no vulnerable clients. Recommendation: Upgrade to GnuTLS 3.0.7 or 2.12.14.
GNUTLS-SA-2011-1 Rizzo attack on TLS	Plaintext recovery	Mailing list discussion Recommendation: Make use of TLS 1.1 or TLS 1.2 protocols that are not vulnerable to the attack. TLS 1.1 is enabled by default in GnuTLS since version 2.0.0 (released in 2007). If this is not possible, disable CBC ciphers.
~~GNUTLS-SA-2010-1~~ CVE-2010-0731	Remote Denial of Service	RedHat bugzilla report Mailing list discussion This vulnerability is on a deprecated since 2006 version of GnuTLS. We keep the information here because this version was included in some distributions. Recommendation: Upgrade to the latest stable branch.
GNUTLS-SA-2009-5 CERT VU#120541 CVE-2009-3555	Plaintext injection attack	Mailing list discussion Recommendation: Disable support for TLS renegotiation in application servers, or better upgrade to GnuTLS 2.10.x.
GNUTLS-SA-2009-4 CVE-2009-2730	False positive in certificate hostname validation	Announcement of v2.8.3 that solves the problem. Analysis of the vulnerability and minimal patch. How to check if your GnuTLS library is vulnerable. Back-ported patches for earlier releases: [1] [2] Recommendation: Upgrade to GnuTLS 2.8.3 or later.
GNUTLS-SA-2009-3 CVE-2009-1417	No checking of certificate activation/expiration times	Security advisory including patch Announcement of v2.6.6 that includes patch. Recommendation: Upgrade to GnuTLS 2.6.6 or later. If you still use the 2.4.x branch or earlier branches, apply the patch.
GNUTLS-SA-2009-2 CVE-2009-1416	GnuTLS 2.6.x DSA keys are corrupt	Security advisory including patch Announcement of v2.6.6 that includes patch. Recommendation: If you are using GnuTLS 2.6.x, upgrade to GnuTLS 2.6.6.
GNUTLS-SA-2009-1 CVE-2009-1415	Double/invalid free in GnuTLS 2.6.x on certain errors	Security advisory including patch Announcement of v2.6.6 that includes patch. Recommendation: If you are using GnuTLS 2.6.x, upgrade to GnuTLS 2.6.6.
GNUTLS-SA-2008-3 CVE-2008-4989	Remote X.509 Trust Chain Validation error	Announcement of v2.6.1 and patch Detailed analysis Announcement of v2.6.2 and updated patch. Announcement of updated patch and 2.6.3 release candidate. Announcement of v2.6.3. Announcement of v2.6.4 and v2.4.3. Recommendation: Upgrade to GnuTLS 2.6.4 or, if you still use the 2.4.x branch, 2.4.3, or later.
GNUTLS-SA-2008-2 CVE-2008-2377	Local denial of service Server can trigger crash in GnuTLS clients?	Announcement Detailed analysis and patch Another report that suggest it can be exploited by hostile servers Recommendation: Upgrade to GnuTLS 2.4.1 or apply the patch.
GNUTLS-SA-2008-1 CERT-FI announcement CVE-2008-1948, CVE-2008-1949, CVE-2008-1950	Remote Denial of Service	Announcement and Patch Updated announcement and Patch Recommendation: Upgrade to GnuTLS 2.2.5 or apply the patch in the second link.
GNUTLS-SA-2006-4 CVE-2006-4790 (via NVD)	False positive in verifying signature	Announcement Updated patch Original report Recommendation: Upgrade to GnuTLS 1.4.4.
~~GNUTLS-SA-2006-3~~	None	Announcement Bleichenbacher's Crypto 98 paper Recommendation: No action required, see the post where this advisory is essentially withdrawn.
GNUTLS-SA-2006-2 CVE-2006-7239	Denial of service?	Details Recommendation: Upgrade to GnuTLS 1.4.2.
GNUTLS-SA-2006-1 CVE-2006-0645	Denial of service?	Libtasn1 Announcement Recommendation: Upgrade to Libtasn1 0.2.18 and GnuTLS 1.2.10 (stable) or 1.3.4 (experimental).
GNUTLS-SA-2005-1 CVE-2005-1431	Denial of service	Announcement Write-up by Éric Leblond Recommendation: Upgrade to GnuTLS 1.0.25 or 1.2.3.

The GnuTLS Transport Layer Security Library

Advisories