What is the severity of USN-3999-1?

The severity of USN-3999-1 is high.

How does the GnuTLS vulnerability known as "Lucky Thirteen" work?

The "Lucky Thirteen" vulnerability in GnuTLS is a timing side-channel attack that could allow a remote attacker to perform plaintext-recovery attacks by analyzing timing data.

Which versions of Ubuntu are affected by USN-3999-1?

Ubuntu versions 19.04, 18.10, 18.04, and 16.04 are affected by USN-3999-1.

How can I fix the GnuTLS vulnerability in Ubuntu?

To fix the GnuTLS vulnerability, update the libgnutls30 package to version 3.6.5-2ubuntu1.1 for Ubuntu 19.04, 3.6.4-2ubuntu1.2 for Ubuntu 18.10, 3.5.18-1ubuntu1.1 for Ubuntu 18.04, and 3.4.10-4ubuntu1.5 for Ubuntu 16.04.

Where can I find more information about USN-3999-1?

You can find more information about USN-3999-1 at the following links: - [CVE-2018-10844](https://ubuntu.com/security/CVE-2018-10844) - [CVE-2018-10845](https://ubuntu.com/security/CVE-2018-10845) - [CVE-2018-10846](https://ubuntu.com/security/CVE-2018-10846)

Vulnerability/
USN-3999-1

30/5/2019

USN-3999-1: GnuTLS vulnerabilities

First published: Thu May 30 2019(Updated: )

Eyal Ronen, Kenneth G. Paterson, and Adi Shamir discovered that GnuTLS was vulnerable to a timing side-channel attack known as the "Lucky Thirteen" issue. A remote attacker could possibly use this issue to perform plaintext-recovery attacks via analysis of timing data. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846) Tavis Ormandy discovered that GnuTLS incorrectly handled memory when verifying certain X.509 certificates. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 18.10, and Ubuntu 19.04. (CVE-2019-3829) It was discovered that GnuTLS incorrectly handled certain post-handshake messages. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.10 and Ubuntu 19.04. (CVE-2019-3836)

Affected Software	Affected Version	How to fix
All of
ubuntu/libgnutls30	<3.6.5-2ubuntu1.1	3.6.5-2ubuntu1.1
	=19.04
All of
ubuntu/libgnutls30	<3.6.4-2ubuntu1.2	3.6.4-2ubuntu1.2
	=18.10
All of
ubuntu/libgnutls30	<3.5.18-1ubuntu1.1	3.5.18-1ubuntu1.1
	=18.04
All of
ubuntu/libgnutls30	<3.4.10-4ubuntu1.5	3.4.10-4ubuntu1.5
	=16.04

Never miss a vulnerability like this again

Reference Links

Child vulnerabilities

(Contains the following vulnerabilities)

Frequently Asked Questions

What is the severity of USN-3999-1?
The severity of USN-3999-1 is high.
How does the GnuTLS vulnerability known as "Lucky Thirteen" work?
The "Lucky Thirteen" vulnerability in GnuTLS is a timing side-channel attack that could allow a remote attacker to perform plaintext-recovery attacks by analyzing timing data.
Which versions of Ubuntu are affected by USN-3999-1?
Ubuntu versions 19.04, 18.10, 18.04, and 16.04 are affected by USN-3999-1.
How can I fix the GnuTLS vulnerability in Ubuntu?
To fix the GnuTLS vulnerability, update the libgnutls30 package to version 3.6.5-2ubuntu1.1 for Ubuntu 19.04, 3.6.4-2ubuntu1.2 for Ubuntu 18.10, 3.5.18-1ubuntu1.1 for Ubuntu 18.04, and 3.4.10-4ubuntu1.5 for Ubuntu 16.04.
Where can I find more information about USN-3999-1?
You can find more information about USN-3999-1 at the following links: - [CVE-2018-10844](https://ubuntu.com/security/CVE-2018-10844) - [CVE-2018-10845](https://ubuntu.com/security/CVE-2018-10845) - [CVE-2018-10846](https://ubuntu.com/security/CVE-2018-10846)

agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/tags
agent/title
agent/type
collector/usn
source/Ubuntu
agent/software-canonical-lookup
package-manager/ubuntu
vendor/ubuntu
canonical/ubuntu ubuntu
version/ubuntu ubuntu/19.04
version/ubuntu ubuntu/18.10
version/ubuntu ubuntu/18.04
version/ubuntu ubuntu/16.04