CVE-2020-11501

CVE-2020-11501

Name

CVE-2020-11501

Description

GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Patch	https://gitlab.com/gnutls/gnutls/-/commit/5b595e8e52653f6c5726a4cdd8fddeb6e83804d2
Issue Tracking	https://gitlab.com/gnutls/gnutls/-/issues/960
Vendor Advisory	https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-03-31
Third Party Advisory	https://www.debian.org/security/2020/dsa-4652
Third Party Advisory	http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00015.html
Third Party Advisory	https://security.netapp.com/advisory/ntap-20200416-0002/
Third Party Advisory	https://usn.ubuntu.com/4322-1/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/
Third Party Advisory	https://security.gentoo.org/glsa/202004-06

Type

URI

Patch

https://gitlab.com/gnutls/gnutls/-/commit/5b595e8e52653f6c5726a4cdd8fddeb6e83804d2

Issue Tracking

https://gitlab.com/gnutls/gnutls/-/issues/960

Vendor Advisory

https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-03-31

Third Party Advisory

https://www.debian.org/security/2020/dsa-4652

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00015.html

Third Party Advisory

https://security.netapp.com/advisory/ntap-20200416-0002/

Third Party Advisory

https://usn.ubuntu.com/4322-1/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/

Third Party Advisory

https://security.gentoo.org/glsa/202004-06

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:gnu:gnutls::::::::`	gnutls	>= 3.6.3	< 3.6.13

CPE URI

Source package

Min version

Max version

cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*

gnutls

>= 3.6.3

< 3.6.13

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
gnutls	edge-main	3.6.13-r0	None	fixed
gnutls	edge-main	3.6.7-r0	None	possibly vulnerable
gnutls	3.22-main	3.6.13-r0	None	fixed
gnutls	3.22-main	3.6.7-r0	None	possibly vulnerable
gnutls	3.21-main	3.6.13-r0	None	fixed
gnutls	3.21-main	3.6.7-r0	None	possibly vulnerable
gnutls	3.20-main	3.6.13-r0	None	fixed
gnutls	3.20-main	3.6.7-r0	None	possibly vulnerable
gnutls	3.19-main	3.6.13-r0	None	fixed
gnutls	3.19-main	3.6.7-r0	None	possibly vulnerable
gnutls	3.18-main	3.6.13-r0	None	fixed
gnutls	3.17-main	3.6.13-r0	None	fixed
gnutls	3.12-main	3.6.13-r0	None	fixed
gnutls	3.10-main	3.6.8-r1	None	fixed

Source package

Branch

Version

Maintainer

Status

gnutls

edge-main

3.6.13-r0

None

fixed

gnutls

edge-main