Unrated severity · NVD Advisory · Published Sep 4, 2020 · Updated Aug 4, 2024
CVE-2020-24659
Description
An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.
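The first thing a practitioner wants from an advisory like this is a reliable way to decide whether an installed GnuTLS falls inside the affected range. The POSIX shell snippet below is an added example, not code from the GnuTLS project or from this page: the function names `version_lt` and `gnutls_affected` are chosen here, and the thresholds passed to them come from this advisory (3.6.15 for upstream builds; a distribution's own fixed build number, such as the 3.6.7-6.34.1 listed for the SUSE packages, where the fix is backported and the upstream number never changes).

```shell
#!/bin/sh
# Added example (not GnuTLS project code): compare dotted version strings
# numerically and decide whether an installed GnuTLS is in the affected range.

# version_lt A B: return 0 (true) when A is strictly older than B.
# Dashes are treated like dots so that distro release strings such as
# "3.6.7-6.34.1" compare component by component; a component that does not
# start with a digit (e.g. "lp151") counts as 0, which is fine because such
# tags are only ever compared against the same tag of the same distro.
version_lt() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        # advance to the remainder after the first dot (empty when none is left)
        if [ "$a" = "${a#*.}" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "${b#*.}" ]; then b=''; else b=${b#*.}; fi
        # keep only the leading digits of each component, default to 0
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal
}

# gnutls_affected INSTALLED FIXED: report and return 0 when INSTALLED < FIXED.
# FIXED must be the right threshold for the build in question: 3.6.15 for an
# upstream build, the vendor's fixed release for a distro package (the SUSE
# entries in this advisory fix the bug in a 3.6.7-based build, so comparing
# those against 3.6.15 would wrongly flag patched systems).
gnutls_affected() {
    if version_lt "$1" "$2"; then
        echo "AFFECTED: installed $1 is older than fixed $2"
        return 0
    fi
    echo "not affected: installed $1 is at or beyond fixed $2"
    return 1
}

# Usage against the locally installed library, skipped when pkg-config or
# GnuTLS is not present so the script still runs offline on any host.
if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists gnutls 2>/dev/null; then
    gnutls_affected "$(pkg-config --modversion gnutls)" 3.6.15 || true
fi
```

On a distribution host, pass the installed package version (e.g. from `rpm -q --qf '%{VERSION}-%{RELEASE}' gnutls`) together with the vendor's fixed release from the product list below, not the upstream 3.6.15, since the backported fix keeps the 3.6.7 upstream number.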
Affected products
GnuTLS / GnuTLS, 21 package coordinates from OSV data (no CPE is attached to any of them). An upper bound of 0 matches no version, so the apk entries record the package as not affected; the SUSE entries give the vendor's fixed build, a patched 3.6.7 backport rather than upstream 3.6.15.
- pkg:apk/chainguard/gnutls: range < 0
- pkg:apk/chainguard/gnutls-c++: range < 0
- pkg:apk/chainguard/gnutls-c%2B%2B: range < 0
- pkg:apk/chainguard/gnutls-dev: range < 0
- pkg:apk/chainguard/gnutls-doc: range < 0
- pkg:apk/chainguard/gnutls-utils: range < 0
- pkg:apk/wolfi/gnutls: range < 0
- pkg:apk/wolfi/gnutls-c++: range < 0
- pkg:apk/wolfi/gnutls-c%2B%2B: range < 0
- pkg:apk/wolfi/gnutls-dev: range < 0
- pkg:apk/wolfi/gnutls-doc: range < 0
- pkg:apk/wolfi/gnutls-utils: range < 0
- pkg:rpm/opensuse/gnutls (openSUSE Leap 15.1): range < 3.6.7-lp151.2.21.1
- pkg:rpm/opensuse/gnutls (openSUSE Leap 15.2): range < 3.6.7-lp152.9.3.2
- pkg:rpm/suse/gnutls (SUSE Linux Enterprise High Performance Computing 15-ESPOS): range < 3.6.7-6.34.1
- pkg:rpm/suse/gnutls (SUSE Linux Enterprise High Performance Computing 15-LTSS): range < 3.6.7-6.34.1
- pkg:rpm/suse/gnutls (SUSE Linux Enterprise Module for Basesystem 15 SP1): range < 3.6.7-6.34.1
- pkg:rpm/suse/gnutls (SUSE Linux Enterprise Module for Basesystem 15 SP2): range < 3.6.7-14.4.1
- pkg:rpm/suse/gnutls (SUSE Linux Enterprise Module for Certifications 15 SP3): range < 3.6.7-14.4.1
- pkg:rpm/suse/gnutls (SUSE Linux Enterprise Server 15-LTSS): range < 3.6.7-6.34.1
- pkg:rpm/suse/gnutls (SUSE Linux Enterprise Server for SAP Applications 15): range < 3.6.7-6.34.1
Patches
No patch commits are linked for this entry. The description places the upstream fix in GnuTLS 3.6.15; the distribution builds listed above carry the fix backported under their own release numbers.
References (9)
- https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00054.html (vendor advisory, SUSE)
- https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00060.html (vendor advisory, SUSE)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62BUAI4FQQLG6VTKRT7SUZPGJJ4NASQ3/ (vendor advisory, Fedora)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AWN56FDLQQXT2D2YHNI4TYH432TDMQ7N/ (vendor advisory, Fedora)
- https://security.gentoo.org/glsa/202009-01 (vendor advisory, Gentoo)
- https://usn.ubuntu.com/4491-1/ (vendor advisory, Ubuntu)
- https://gitlab.com/gnutls/gnutls/-/issues/1071 (upstream issue tracker)
- https://security.netapp.com/advisory/ntap-20200911-0006/ (NetApp advisory)
- https://www.gnutls.org/security-new.html (GnuTLS security advisories)