<p>Upgrade <code>Debian:10</code> <code>gnutls28</code> to version 3.6.7-4+deb10u3 or higher.</p>

Use of a Broken or Risky Cryptographic Algorithm Affecting gnutls28 package, versions <3.6.7-4+deb10u3

Snyk CVSS

Attack Complexity High

Confidentiality High

Integrity High

Threat Intelligence

EPSS 0.5% (76^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-DEBIAN10-GNUTLS28-564383
published 3 Apr 2020
disclosed 3 Apr 2020

Report a new vulnerability Found a mistake?

Introduced: 3 Apr 2020

CVE-2020-11501 Open this link in a new tab CWE-327 Open this link in a new tab

How to fix?

Upgrade Debian:10 gnutls28 to version 3.6.7-4+deb10u3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.