Vulnerability CVE-2020-24659: Information
Description
An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: Sept. 4, 2020
Modified: Nov. 7, 2023
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| gnutls30 | sisyphus | 3.6.15-alt1 | 3.8.4-alt1 | ALT-PU-2020-2749-1 | 257742 | Fixed |
| gnutls30 | p10 | 3.6.15-alt1 | 3.6.16-alt6 | ALT-PU-2020-2749-1 | 257742 | Fixed |
| gnutls30 | p9 | 3.6.15-alt1 | 3.6.16-alt5 | ALT-PU-2020-2779-1 | 257743 | Fixed |
| gnutls30 | c10f1 | 3.6.15-alt1 | 3.6.16-alt5 | ALT-PU-2020-2749-1 | 257742 | Fixed |
| gnutls30 | c9f2 | 3.6.15-alt1 | 3.6.16-alt5 | ALT-PU-2020-2779-1 | 257743 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://gitlab.com/gnutls/gnutls/-/issues/1071 |
|
| https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04 |
|
| GLSA-202009-01 |
|
| https://security.netapp.com/advisory/ntap-20200911-0006/ |
|
| USN-4491-1 |
|
| openSUSE-SU-2020:1724 |
|
| openSUSE-SU-2020:1743 |
|
| FEDORA-2020-0ab6656303 | |
| FEDORA-2020-de51ee7cc9 |