File _patchinfo of Package patchinfo.15330

<patchinfo incident="15330">
  <issue tracker="bnc" id="1172506">VUL-0: CVE-2020-13777: gnutls: session resumption works without master key allowing MITM</issue>
  <issue tracker="bnc" id="1172461">gnutls fails to verify certificate chains that contain an expired cross-signed intermediate in alternate chains</issue>
  <issue tracker="cve" id="2020-13777"/>
  <packager>vitezslav_cizek</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for gnutls</summary>
  <description>This update for gnutls fixes the following issues:

- CVE-2020-13777: Fixed an insecure session ticket key construction which could
  have caused the TLS server not to bind the session ticket encryption key with a
  value supplied by the application until the initial key rotation, allowing
  an attacker to bypass authentication in TLS 1.3 and recover previous
  conversations in TLS 1.2 (bsc#1172506).
- Fixed improper handling of certificate chains with cross-signed intermediate
  CA certificates (bsc#1172461).
</description>
</patchinfo>