CVE-2024-0567

Publication date 16 January 2024

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gnutls28	24.04 LTS noble	Fixed 3.8.3-1ubuntu1
	23.10 mantic	Fixed 3.8.1-4ubuntu1.2
	23.04 lunar	Fixed 3.7.8-5ubuntu1.2
	22.04 LTS jammy	Fixed 3.7.3-4ubuntu1.4
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Ignored end of standard support

Notes

mdeslaur

The code is different in focal and older and the reproducer doesn't appear to crash the older version of GnuTLS. Marking as not-affected.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gnutls28	Upstream: 9edbdaa

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Related Ubuntu Security Notices (USN)

USN-6593-1
GnuTLS vulnerabilities
22 January 2024