CVE-2020-13777

Name
CVE-2020-13777
Description
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Vendor Advisory https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03
Third Party Advisory https://www.debian.org/security/2020/dsa-4697
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMB3UGI5H5RCFRU6OGRPMNUCNLJGEN7Y/
Third Party Advisory https://security.gentoo.org/glsa/202006-01
Third Party Advisory https://usn.ubuntu.com/4384-1/
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00015.html
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RTXZOXC4MHTFE2HKY6IAZMF2WHD2WMV/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6C4DHUKV6M6SJ5CV6KVHZNHNF7HCUE5P/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RRQBFK3UZ7SV76IYDTS4PS6ABS2DSJHK/
CONFIRM https://security.netapp.com/advisory/ntap-20200619-0004/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:* gnutls >= 3.6.0 < 3.6.14

Vulnerable and fixed packages

Source package Branch Version Maintainer Status