VulnerableCode Package Details - pkg:deb/ubuntu/gnutls28@3.6.9-5ubuntu1.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-9gzv-9r4m-aaab Aliases: CVE-2020-24659 GNUTLS-SA-2020-09-04	An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.	3.6.13-2ubuntu1.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-cy4t-gfcb-aaak Aliases: CVE-2021-20231	A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.	3.6.13-2ubuntu1.6 Affected by 0 other vulnerabilities.
VCID-e5m6-uzg2-aaaj Aliases: CVE-2020-13777 GNUTLS-SA-2020-06-03	GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.	3.6.9-5ubuntu1.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.6.13-2ubuntu1.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-x6hd-tczu-aaaf Aliases: CVE-2021-20232 GNUTLS-SA-2021-03-10	A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.	3.6.13-2ubuntu1.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-9gzv-9r4m-aaab
Aliases:
CVE-2020-24659
GNUTLS-SA-2020-09-04

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.

3.6.13-2ubuntu1.3
Affected by 2 other vulnerabilities.

VCID-cy4t-gfcb-aaak
Aliases:
CVE-2021-20231

A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.

3.6.13-2ubuntu1.6
Affected by 0 other vulnerabilities.

VCID-e5m6-uzg2-aaaj
Aliases:
CVE-2020-13777
GNUTLS-SA-2020-06-03

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.

3.6.9-5ubuntu1.2
Affected by 3 other vulnerabilities.

3.6.13-2ubuntu1.1
Affected by 3 other vulnerabilities.

VCID-x6hd-tczu-aaaf
Aliases:
CVE-2021-20232
GNUTLS-SA-2021-03-10

A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.

3.6.13-2ubuntu1.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-9ugy-hcxz-aaab	GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.	CVE-2020-11501 GNUTLS-SA-2020-03-31

Vulnerability

Summary

Aliases

VCID-9ugy-hcxz-aaab

GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.

CVE-2020-11501
GNUTLS-SA-2020-03-31

Next non-vulnerable version	3.6.13-2ubuntu1.6
Latest non-vulnerable version	3.6.13-2ubuntu1.6
Risk	4.4