First published: Mon Feb 18 2019(Updated: )
It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Gnu Gnutls | >=3.6.3<3.6.7 | |
Fedoraproject Fedora | =28 | |
openSUSE Leap | =15.0 | |
redhat/gnutls | <3.6.7 | 3.6.7 |
ubuntu/gnutls28 | <3.6.4-2ubuntu1.2 | 3.6.4-2ubuntu1.2 |
ubuntu/gnutls28 | <3.6.5-2ubuntu1.1 | 3.6.5-2ubuntu1.1 |
ubuntu/gnutls28 | <3.6.7 | 3.6.7 |
debian/gnutls28 | 3.6.7-4+deb10u8 3.6.7-4+deb10u12 3.7.1-5+deb11u4 3.7.1-5+deb11u3 3.7.9-2+deb12u2 3.8.5-2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this vulnerability is CVE-2019-3836.
The severity of CVE-2019-3836 is high, with a severity value of 7.5.
The software affected by CVE-2019-3836 includes gnutls versions 3.6.3 or later.
CVE-2019-3836 can be triggered by certain post-handshake messages.
You can find more information about CVE-2019-3836 at the following references: [GitLab](https://gitlab.com/gnutls/gnutls/issues/704), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1693214), [GitHub](https://github.com/tomato42/tlsfuzzer).