Security update for gnutls

Announcement ID: SUSE-SU-2024:1179-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2023-0361 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2023-0361 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  • CVE-2023-5981 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2023-5981 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2024-0553 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2024-0553 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2024-0567 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2024-0567 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Linux Enterprise Micro 5.3
  • SUSE Linux Enterprise Micro for Rancher 5.3

An update that solves four vulnerabilities, contains one feature and has eight security fixes can now be installed.

Description:

This update for gnutls fixes the following issues:

Security issues fixed:

  • CVE-2023-0361: Fixed a Bleichenbacher oracle in the TLS RSA key exchange (bsc#1208143).
  • CVE-2023-5981: Fixed timing side-channel inside RSA-PSK key exchange (bsc#1217277).
  • CVE-2024-0567: Fixed an incorrect rejection of certificate chains with distributed trust (bsc#1218862).
  • CVE-2024-0553: Fixed a timing attack against the RSA-PSK key exchange, which could lead to the leakage of sensitive data (bsc#1218865).

FIPS 140-3 certification related bugs fixed:

  • FIPS: Set error state when jent init failed in FIPS mode (bsc#1202146)
  • FIPS: Make XTS key check failure not fatal (bsc#1203779)
  • FIPS: Added GnuTLS DH/ECDH pairwise consistency check for public key regeneration [bsc#1207183]
  • FIPS: Change all the 140-2 references to FIPS 140-3 in order to account for the new FIPS certification [bsc#1207346]
  • FIPS: Make the jitterentropy calls thread-safe (bsc#1208146).
  • FIPS: GnuTLS DH/ECDH PCT public key regeneration (bsc#1207183).
  • FIPS: Fix pct_test() return code in case of error (bsc#1207183)
  • FIPS: Establish PBKDF2 additional requirements [bsc#1209001]

  • Set the minimum output key length to 112 bits (FIPS 140-3 IG D.N)

  • Set the minimum salt length to 128 bits (SP 800-132 sec. 5.1)
  • Set the minimum iterations count to 1000 (SP 800-132 sec 5.2)
  • Set the minimum passlen of 20 characters (SP SP800-132 sec 5)
  • Add regression tests for the new PBKDF2 requirements.

Other issues fixed:

  • Fix AVX CPU feature detection for OSXSAVE (bsc#1203299) This fixes a SIGILL termination at the verzoupper instruction when trying to run GnuTLS on a Linux kernel with the noxsave command line parameter set. Relevant mostly for virtual systems.
  • Increase the limit of TLS PSK usernames from 128 to 65535 characters. [bsc#1208237, jsc#PED-1562]

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Micro for Rancher 5.3
    zypper in -t patch SUSE-SLE-Micro-5.3-2024-1179=1
  • SUSE Linux Enterprise Micro 5.3
    zypper in -t patch SUSE-SLE-Micro-5.3-2024-1179=1

Package List:

  • SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
    • gnutls-debuginfo-3.7.3-150400.1.3.1
    • libgnutls30-hmac-3.7.3-150400.1.3.1
    • gnutls-debugsource-3.7.3-150400.1.3.1
    • gnutls-3.7.3-150400.1.3.1
    • libgnutls30-3.7.3-150400.1.3.1
    • libgnutls30-debuginfo-3.7.3-150400.1.3.1
  • SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
    • gnutls-debuginfo-3.7.3-150400.1.3.1
    • libgnutls30-hmac-3.7.3-150400.1.3.1
    • gnutls-debugsource-3.7.3-150400.1.3.1
    • gnutls-3.7.3-150400.1.3.1
    • libgnutls30-3.7.3-150400.1.3.1
    • libgnutls30-debuginfo-3.7.3-150400.1.3.1

References: