{"id":"MGASA-2018-0435","summary":"Updated gnutls packages fix security vulnerabilities","details":"The updated packages fix security vulnerabilities:\n\nIt was found that the GnuTLS implementation of HMAC-SHA-256 and\nHMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote\nattackers could use this flaw to conduct distinguishing attacks and\nplaintext-recovery attacks via statistical analysis of timing data\nusing crafted packets (CVE-2018-10844, CVE-2018-10845).\n\nA cache-based side channel in GnuTLS implementation that leads to plain\ntext recovery in cross-VM attack setting was found. An attacker could\nuse a combination of \"Just in Time\" Prime+probe attack in combination\nwith Lucky-13 attack to recover plain text using crafted packets\n(CVE-2018-10846).\n","modified":"2026-02-01T10:33:43.471646Z","published":"2018-11-03T11:55:18Z","related":["CVE-2018-10844","CVE-2018-10845","CVE-2018-10846"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0435.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23682"},{"type":"REPORT","url":"https://lists.opensuse.org/opensuse-updates/2018-09/msg00147.html"},{"type":"REPORT","url":"https://lists.opensuse.org/opensuse-updates/2018-10/msg00000.html"}],"affected":[{"package":{"name":"gnutls","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/gnutls?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.5.13-1.1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0435.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}