TagOther identifiersSeverityInformation
Certificate verification issue

We discoverd a vulnerability that affects certificate verification when GnuTLS is used in combination with the p11-kit trust module. That issue affects gnutls 3.3.23, 3.4.12 and later versions.

Who is affected by this vulnerability?

  • GnuTLS installations which are configured to utilize the p11-kit trust store (i.e., when compiled with --with-default-trust-store-pkcs11).

How to mitigate the vulnerability?

  • Disable the trust store verification or upgrade to GnuTLS 3.3.24, 3.4.14 and later versions.

CVE-2016-4456 File overwrite by setuid programs Setuid programs using GnuTLS 3.4.12 could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem. This issue was introduced in GnuTLS 3.4.12 with the GNUTLS_KEYLOGFILE environment variable handling via getenv() and fixed in GnuTLS 3.4.13 by switching to secure_getenv() where available. Recommendation: Upgrade to GnuTLS 3.4.13, or later versions.
CVE-2015-3308 Double free in CRL distribution points decoding of a certificate Robert Święcki reported that decoding a specially crafted certificate with certain CRL distribution points format can lead to a double free. This issue was fixed in GnuTLS 3.3.14. Recommendation: Upgrade to GnuTLS 3.3.14, or later versions.
CVE-2015-6251 Double free in certificate DN decoding Kurt Roeckx reported that decoding a specific certificate with very long DistinguishedName (DN) entries leads to double free, which may result to a denial of service. Since the DN decoding occurs in almost all applications using certificates it is recommended to upgrade the latest GnuTLS version fixing the issue.
Recommendation: Upgrade to GnuTLS 3.4.4, or 3.3.17.
No CVE assigned ServerKeyExchange signature issue Karthikeyan Bhargavan reported that a ServerKeyExchange signature sent by the server is not verified to be in the acceptable by the client set of algorithms. That has the effect of allowing MD5 signatures (which are disabled by default) in the ServerKeyExchange message. It is not believed that this bug can be exploited because a fraudulent signature has to be generated in real-time which is not known to be possible. However, since attacks can only get better it is recommended to update to a GnuTLS version which addresses the issue.
Recommendation: Upgrade to GnuTLS 3.4.1, or 3.3.15.
CVE-2015-0282 Signature forgery This issue only affects versions of GnuTLS prior to 3.1.0 (released in 2012). These versions don't verify the RSA PKCS #1 signature algorithm to match the signature algorithm in the certificate, leading to a potential downgrade to a disallowed algorithm, such as MD5, without detecting it.
Recommendation: Upgrade to GnuTLS 3.1.0, or later. A patch will be included in gnutls_2_12_x branch for the users of that version that cannot upgrade.
CVE-2014-8564 Denial of service Sean Burford reported that the encoding of elliptic curves parameters GnuTLS 3 is vulnerable to a denial of service (heap corruption). It affects clients and servers which print information about the peer's public key, e.g., the key ID, and can be exploited via a specially crafted X.509 certificate.
Recommendation: Upgrade to GnuTLS 3.3.10, 3.2.20 or 3.1.28.
CVE-2014-3566 Possible plaintext recovery This is a vulnerability on the SSL 3.0 protocol (called POODLE), which can be exploited when TLS clients use a non-standard insecure protocol negotiation (it affects mostly browsers). Clients performing the standard TLS handshake as documented by GnuTLS are not affected.
Write-up by Nikos
Recommendation: For clients using the documented handshake process no action is required. Clients that use the non-standard insecure negotiation should not negotiate SSL 3.0. In all cases it recommended to disable SSL 3.0 using a priority string such as "NORMAL:-VERS-SSL3.0".
CVE-2014-3466 Memory corruption This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client.
Analysis at
Recommendation: Upgrade to the latest gnutls version (3.1.25, 3.2.15 or 3.3.4)
CVE-2014-0092 Certificate verification issue

A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks. The vulnerability was discovered during an audit of GnuTLS for Red Hat.

Who is affected by this attack?

  • Anyone using certificate authentication in any version of GnuTLS.

How are past sessions affected?

  • The vulnerability to be exploited it requires an active man-in-the-middle attacker. Past sessions are not affected unless they were under such an attack.

How to mitigate the attack?

  • Upgrade to the latest GnuTLS version (3.2.12 or 3.1.22), or apply the patch for GnuTLS 2.12.x.

CVE-2014-1959 Certificate verification issue

Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 2.11.5 and later versions. A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior).

Who is affected by this attack?

  • Anyone who has a CA that issues X.509 version 1 certificates in his trusted list.

How to mitigate the attack?

  • Apply this patch or upgrade to the latest GnuTLS version (3.2.11 or 3.1.21).

CVE-2013-4466 Denial of service This vulnerability affects the DANE library of gnutls 3.1.x and gnutls 3.2.x. A server that returns more 4 DANE entries could corrupt the memory of a requesting client.
Recommendation: Upgrade to the latest gnutls version (3.1.16 or 3.2.6)
CVE-2013-2116 Denial of service This vulnerability affects gnutls 2.12.23 and its TLS record decoding.
Recommendation: Apply the patch or upgrade to gnutls 3.x.
TLS CBC padding timing attack
Possible plaintext recovery

Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes that CBC ciphersuites, by using timing information.

In order for the attack to work the client must operate as follows. It connects to a server, it sends some (encrypted) data that will be intercepted by the attacker, who will terminate the client's connection abnormally (i.e. the client will receive a premature termination error). The client should repeat that, multiple times.

Who is affected by this attack?

  • Clients that repeatedly reconnect and transfer the same data, after a TLS fatal error occurs.

How to mitigate the attack?

  • Do not enable the CBC ciphersuites, prefer ARCFOUR or GCM modes.
  • Upgrade to the latest GnuTLS version (3.1.7, 3.0.28, or 2.12.23).
Write-up by Nikos

"CRIME" attack
Possible plaintext recovery

There is an attack on TLS called "CRIME" which takes advantage of compression and may recover plaintext under certain circumstances.

Who is affected by this attack?

  • Clients or servers that use compression and provide the ability to an adversary to inject data (multiple times) in their session.

How to mitigate the attack?

  • Do not enable compression (GnuTLS doesn't enable it by default)
  • When using compression use the CBC ciphers that include a random padding up to 255 bytes. That would increase the number of trials an attacker needs to perform significantly.

Note that using compression provides information to an attacker on the plaintext.
Security advisory
A description of the attack
Another analysis of the attack
CVE-2012-1569 Denial of service This vulnerability is in the libtasn1 library and affects the DER length decoding which is fixed in 2.12 release.
Write-up by Mu Dynamics
Recommendation: Upgrade to libtasn1 2.12.
CVE-2012-1573 Possible buffer overflow/Denial of service TLS record handling vulnerability fixed in GnuTLS 3.0.15.
Write-up by Mu Dynamics
Recommendation: Upgrade to GnuTLS 3.0.17 or 2.12.18.
CVE-2012-0390 Timing attack (DTLS) Announcement of GnuTLS 3.0.11
The paper describing the attack
This vulnerability allows an attacker to perform partial plaintext recovery using a timing attack in CBC-mode encryption. The attack is applicable to Datagram TLS (DTLS).
Recommendation: Upgrade to GnuTLS 3.0.11.
CVE-2011-4128 Possible buffer overflow/Denial of service Mailing list discussion
Note that this vulnerability is triggered by TLS clients that utilize the session resumption functions in a particular way. Clients that perform session resumption using the same steps as in the example code of GnuTLS documentation are not vulnerable. A preliminary analysis found no vulnerable clients. Recommendation: Upgrade to GnuTLS 3.0.7 or 2.12.14.
Rizzo attack on TLS Plaintext recovery Mailing list discussion
Recommendation: Make use of TLS 1.1 or TLS 1.2 protocols that are not vulnerable to the attack. TLS 1.1 is enabled by default in GnuTLS since version 2.0.0 (released in 2007). If this is not possible, disable CBC ciphers.
CVE-2010-0731 Remote Denial of Service RedHat bugzilla report
Mailing list discussion

This vulnerability is on a deprecated since 2006 version of GnuTLS. We keep the information here because this version was included in some distributions. Recommendation: Upgrade to the latest stable branch.

CERT VU#120541
Plaintext injection attack Mailing list discussion

Recommendation: Disable support for TLS renegotiation in application servers, or better upgrade to GnuTLS 2.10.x.

CVE-2009-2730 False positive in certificate hostname validation Announcement of v2.8.3 that solves the problem.
Analysis of the vulnerability and minimal patch.
How to check if your GnuTLS library is vulnerable.
Back-ported patches for earlier releases: [1] [2]
Recommendation: Upgrade to GnuTLS 2.8.3 or later.
CVE-2009-1417 No checking of certificate activation/expiration times Security advisory including patch
Announcement of v2.6.6 that includes patch.
Recommendation: Upgrade to GnuTLS 2.6.6 or later. If you still use the 2.4.x branch or earlier branches, apply the patch.
CVE-2009-1416 GnuTLS 2.6.x DSA keys are corrupt Security advisory including patch
Announcement of v2.6.6 that includes patch.
Recommendation: If you are using GnuTLS 2.6.x, upgrade to GnuTLS 2.6.6.
CVE-2009-1415 Double/invalid free in GnuTLS 2.6.x on certain errors Security advisory including patch
Announcement of v2.6.6 that includes patch.
Recommendation: If you are using GnuTLS 2.6.x, upgrade to GnuTLS 2.6.6.
CVE-2008-4989 Remote X.509 Trust Chain Validation error Announcement of v2.6.1 and patch
Detailed analysis
Announcement of v2.6.2 and updated patch.
Announcement of updated patch and 2.6.3 release candidate.
Announcement of v2.6.3.
Announcement of v2.6.4 and v2.4.3.
Recommendation: Upgrade to GnuTLS 2.6.4 or, if you still use the 2.4.x branch, 2.4.3, or later.
CVE-2008-2377 Local denial of service
Server can trigger crash in GnuTLS clients?
Detailed analysis and patch
Another report that suggest it can be exploited by hostile servers
Recommendation: Upgrade to GnuTLS 2.4.1 or apply the patch.
CERT-FI announcement
CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
Remote Denial of Service Announcement and Patch
Updated announcement and Patch
Recommendation: Upgrade to GnuTLS 2.2.5 or apply the patch in the second link.
(via NVD)
False positive in verifying signature Announcement
Updated patch
Original report
Recommendation: Upgrade to GnuTLS 1.4.4.
None Announcement
Bleichenbacher's Crypto 98 paper
Recommendation: No action required, see the post where this advisory is essentially withdrawn.
CVE-2006-7239 Denial of service? Details
Recommendation: Upgrade to GnuTLS 1.4.2.
CVE-2006-0645 Denial of service? Libtasn1 Announcement
Recommendation: Upgrade to Libtasn1 0.2.18 and GnuTLS 1.2.10 (stable) or 1.3.4 (experimental).
CVE-2005-1431 Denial of service Announcement
Write-up by Éric Leblond
Recommendation: Upgrade to GnuTLS 1.0.25 or 1.2.3.