[RHSA-2018:3050-01] Moderate: gnutls security, bug fix, and enhancement update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Tue Oct 30 08:00:38 UTC 2018 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: gnutls security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:3050-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3050
Issue date:        2018-10-30
CVE Names:         CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 
=====================================================================

1. Summary:

An update for gnutls is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le, s390x

3. Description:

The gnutls packages provide the GNU Transport Layer Security (GnuTLS)
library, which implements cryptographic algorithms and protocols such as
SSL, TLS, and DTLS.

The following packages have been upgraded to a later upstream version:
gnutls (3.3.29). (BZ#1561481)

Security Fix(es):

* gnutls: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not
enough dummy function calls (CVE-2018-10844)

* gnutls: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of
wrong constant (CVE-2018-10845)

* gnutls: "Just in Time" PRIME + PROBE cache-based side channel attack can
lead to plaintext recovery (CVE-2018-10846)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.6 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1375307 - Deleting softhsm PKCS#11 objects does not work with p11tool --(so-)login
1434091 - Session renegotiation fails with client certificates
1444792 - Provide ability to set the expected server name in gnutls-serv utility [rhel-7]
1460125 - p11tool: cannot import private keys into Atos HSM
1464896 - p11tool cannot generate DSA keys
1561481 - Rebase gnutls to upstream version 3.3.29
1582571 - CVE-2018-10844 gnutls: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls
1582572 - CVE-2018-10845 gnutls: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant
1582574 - CVE-2018-10846 gnutls: "Just in Time" PRIME + PROBE cache-based side channel attack can lead to plaintext recovery

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
gnutls-3.3.29-8.el7.src.rpm

x86_64:
gnutls-3.3.29-8.el7.i686.rpm
gnutls-3.3.29-8.el7.x86_64.rpm
gnutls-dane-3.3.29-8.el7.i686.rpm
gnutls-dane-3.3.29-8.el7.x86_64.rpm
gnutls-debuginfo-3.3.29-8.el7.i686.rpm
gnutls-debuginfo-3.3.29-8.el7.x86_64.rpm
gnutls-utils-3.3.29-8.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
gnutls-c++-3.3.29-8.el7.i686.rpm
gnutls-c++-3.3.29-8.el7.x86_64.rpm
gnutls-debuginfo-3.3.29-8.el7.i686.rpm
gnutls-debuginfo-3.3.29-8.el7.x86_64.rpm
gnutls-devel-3.3.29-8.el7.i686.rpm
gnutls-devel-3.3.29-8.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
gnutls-3.3.29-8.el7.src.rpm

x86_64:
gnutls-3.3.29-8.el7.i686.rpm
gnutls-3.3.29-8.el7.x86_64.rpm
gnutls-dane-3.3.29-8.el7.i686.rpm
gnutls-dane-3.3.29-8.el7.x86_64.rpm
gnutls-debuginfo-3.3.29-8.el7.i686.rpm
gnutls-debuginfo-3.3.29-8.el7.x86_64.rpm
gnutls-utils-3.3.29-8.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
gnutls-c++-3.3.29-8.el7.i686.rpm
gnutls-c++-3.3.29-8.el7.x86_64.rpm
gnutls-debuginfo-3.3.29-8.el7.i686.rpm
gnutls-debuginfo-3.3.29-8.el7.x86_64.rpm
gnutls-devel-3.3.29-8.el7.i686.rpm
gnutls-devel-3.3.29-8.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
gnutls-3.3.29-8.el7.src.rpm

ppc64:
gnutls-3.3.29-8.el7.ppc.rpm
gnutls-3.3.29-8.el7.ppc64.rpm
gnutls-c++-3.3.29-8.el7.ppc.rpm
gnutls-c++-3.3.29-8.el7.ppc64.rpm
gnutls-dane-3.3.29-8.el7.ppc.rpm
gnutls-dane-3.3.29-8.el7.ppc64.rpm
gnutls-debuginfo-3.3.29-8.el7.ppc.rpm
gnutls-debuginfo-3.3.29-8.el7.ppc64.rpm
gnutls-devel-3.3.29-8.el7.ppc.rpm
gnutls-devel-3.3.29-8.el7.ppc64.rpm
gnutls-utils-3.3.29-8.el7.ppc64.rpm

ppc64le:
gnutls-3.3.29-8.el7.ppc64le.rpm
gnutls-c++-3.3.29-8.el7.ppc64le.rpm
gnutls-dane-3.3.29-8.el7.ppc64le.rpm
gnutls-debuginfo-3.3.29-8.el7.ppc64le.rpm
gnutls-devel-3.3.29-8.el7.ppc64le.rpm
gnutls-utils-3.3.29-8.el7.ppc64le.rpm

s390x:
gnutls-3.3.29-8.el7.s390.rpm
gnutls-3.3.29-8.el7.s390x.rpm
gnutls-c++-3.3.29-8.el7.s390.rpm
gnutls-c++-3.3.29-8.el7.s390x.rpm
gnutls-dane-3.3.29-8.el7.s390.rpm
gnutls-dane-3.3.29-8.el7.s390x.rpm
gnutls-debuginfo-3.3.29-8.el7.s390.rpm
gnutls-debuginfo-3.3.29-8.el7.s390x.rpm
gnutls-devel-3.3.29-8.el7.s390.rpm
gnutls-devel-3.3.29-8.el7.s390x.rpm
gnutls-utils-3.3.29-8.el7.s390x.rpm

x86_64:
gnutls-3.3.29-8.el7.i686.rpm
gnutls-3.3.29-8.el7.x86_64.rpm
gnutls-c++-3.3.29-8.el7.i686.rpm
gnutls-c++-3.3.29-8.el7.x86_64.rpm
gnutls-dane-3.3.29-8.el7.i686.rpm
gnutls-dane-3.3.29-8.el7.x86_64.rpm
gnutls-debuginfo-3.3.29-8.el7.i686.rpm
gnutls-debuginfo-3.3.29-8.el7.x86_64.rpm
gnutls-devel-3.3.29-8.el7.i686.rpm
gnutls-devel-3.3.29-8.el7.x86_64.rpm
gnutls-utils-3.3.29-8.el7.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):

Source:
gnutls-3.3.29-8.el7.src.rpm

aarch64:
gnutls-3.3.29-8.el7.aarch64.rpm
gnutls-c++-3.3.29-8.el7.aarch64.rpm
gnutls-dane-3.3.29-8.el7.aarch64.rpm
gnutls-debuginfo-3.3.29-8.el7.aarch64.rpm
gnutls-devel-3.3.29-8.el7.aarch64.rpm
gnutls-utils-3.3.29-8.el7.aarch64.rpm

ppc64le:
gnutls-3.3.29-8.el7.ppc64le.rpm
gnutls-c++-3.3.29-8.el7.ppc64le.rpm
gnutls-dane-3.3.29-8.el7.ppc64le.rpm
gnutls-debuginfo-3.3.29-8.el7.ppc64le.rpm
gnutls-devel-3.3.29-8.el7.ppc64le.rpm
gnutls-utils-3.3.29-8.el7.ppc64le.rpm

s390x:
gnutls-3.3.29-8.el7.s390.rpm
gnutls-3.3.29-8.el7.s390x.rpm
gnutls-c++-3.3.29-8.el7.s390.rpm
gnutls-c++-3.3.29-8.el7.s390x.rpm
gnutls-dane-3.3.29-8.el7.s390.rpm
gnutls-dane-3.3.29-8.el7.s390x.rpm
gnutls-debuginfo-3.3.29-8.el7.s390.rpm
gnutls-debuginfo-3.3.29-8.el7.s390x.rpm
gnutls-devel-3.3.29-8.el7.s390.rpm
gnutls-devel-3.3.29-8.el7.s390x.rpm
gnutls-utils-3.3.29-8.el7.s390x.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
gnutls-3.3.29-8.el7.src.rpm

x86_64:
gnutls-3.3.29-8.el7.i686.rpm
gnutls-3.3.29-8.el7.x86_64.rpm
gnutls-c++-3.3.29-8.el7.i686.rpm
gnutls-c++-3.3.29-8.el7.x86_64.rpm
gnutls-dane-3.3.29-8.el7.i686.rpm
gnutls-dane-3.3.29-8.el7.x86_64.rpm
gnutls-debuginfo-3.3.29-8.el7.i686.rpm
gnutls-debuginfo-3.3.29-8.el7.x86_64.rpm
gnutls-devel-3.3.29-8.el7.i686.rpm
gnutls-devel-3.3.29-8.el7.x86_64.rpm
gnutls-utils-3.3.29-8.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-10844
https://access.redhat.com/security/cve/CVE-2018-10845
https://access.redhat.com/security/cve/CVE-2018-10846
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/index

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW9gPo9zjgjWX9erEAQjFHQ/8D1B2LIKNFLK24/zQQ1sqDb+JCVta9r/f
bypmsANPimkBOL6OtKO84jfaWmLS/dbhUjB6hHA9iOq6XhqrUWmUlgC6bvt6zaPB
7q9yo0IaUJaUEeyfwrHY0GGLs3lmMWMtDNPHjCoywiPtqmrozWxmDUUi5mSCNVeJ
vW4XV/Gqxc7H3qHv2Q11m9/UKjJERU6QXPGjaNLHA7iAauJ9r1vLq7n5dkEaHE9i
58nS7EskHHSv+PA9xceJLDwKGyoaXE7VnDzP18cjIoa+eSIEsVffW1AFT9stwsT0
aGZ0xVk4ll9DYRoEJkza3eVLcgBO+gNjZgs39pSeE3/G+QtnaooyVI1vvtOmM4L2
vPY/ZJUoPnp7sHQJXb/IDF2q9vNqaR8eH4IQjrNou6KIdYd9hKeY9sTI9shD2YQE
XNlnUK6isjM8dlVtFYIquZssvmq0uNZqPw0LrlLvvTM8/uxc5MqYe4u7tG/3y7zN
mPTdpwZ3Zlrn4xRKDWYjhW0MD1ZSP5k5drUSwqDm5URE7czU3j0b4JhCP6SVbugc
KAo2uZiFw0yF04bC0SUzqYxSYJv/t3sW4g3HMS4N6ZfO4e6FltFxKg2FYP0yoz9I
Ll7nAuQvskESncqCTQHWoO9sPjKgcNvIJxaTp865YCQA3HUWeJ0S58ye8ZlAW+P/
H44dbJvzMvc=
=UAzc
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list