<p>Upgrade <code>Debian:10</code> <code>gnutls28</code> to version 3.6.7-4+deb10u4 or higher.</p>

Use of a Broken or Risky Cryptographic Algorithm Affecting gnutls28 package, versions <3.6.7-4+deb10u4

Snyk CVSS

Attack Complexity High

Confidentiality High

Integrity High

Threat Intelligence

EPSS 0.32% (71^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-DEBIAN10-GNUTLS28-571282
published 4 Jun 2020
disclosed 4 Jun 2020

Report a new vulnerability Found a mistake?

Introduced: 4 Jun 2020

CVE-2020-13777 Open this link in a new tab CWE-327 Open this link in a new tab

How to fix?

Upgrade Debian:10 gnutls28 to version 3.6.7-4+deb10u4 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.