First published: Fri May 25 2018(Updated: )
It was found that GnuTLS implementation of HMAC-SHA-256 was vulnerable to Lucky thirteen style attack due to the fact that not enough dummy compression function calls are added to cater for every situation.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
GNU GnuTLS | <3.6.12 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Workstation | =7.0 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Canonical Ubuntu Linux | =19.04 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
Debian Debian Linux | =8.0 | |
debian/gnutls28 | 3.7.1-5+deb11u5 3.7.1-5+deb11u6 3.7.9-2+deb12u3 3.8.8-2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2018-10844 is a vulnerability in the GnuTLS implementation of HMAC-SHA-256 that is vulnerable to a Lucky thirteen style attack.
CVE-2018-10844 has a severity rating of 5.9 (medium).
The GnuTLS package version 3.5.18-1ubuntu1.1 and earlier, and versions 3.5.19 to 3.6.3 on Ubuntu, and version 3.4.10-4ubuntu1.5 on Xenial, are affected by CVE-2018-10844.
To fix CVE-2018-10844, update the GnuTLS package to version 3.5.19 or later on Ubuntu, or version 3.4.10-4ubuntu1.6 on Xenial.
You can find more information about CVE-2018-10844 in the following references: - [SecurityFocus](http://www.securityfocus.com/bid/105138) - [Red Hat Security Advisory RHSA-2018:3050](https://access.redhat.com/errata/RHSA-2018:3050) - [Red Hat Security Advisory RHSA-2018:3505](https://access.redhat.com/errata/RHSA-2018:3505)