CVE-2024-28834

Publication date 21 March 2024

Last updated 26 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

5.3 · Medium

Score breakdown

Description

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

Read the notes from the security team

Status

Package Ubuntu Release Status
gnutls28 24.04 LTS noble
Fixed 3.8.3-1.1ubuntu3.1
23.10 mantic
Fixed 3.8.1-4ubuntu1.3
22.04 LTS jammy
Fixed 3.7.3-4ubuntu1.5
20.04 LTS focal
Fixed 3.6.13-2ubuntu1.11
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected

Notes

mdeslaur

per Debian, introduced in 3.6.10

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
gnutls28

Severity score breakdown

Parameter Value
Base score 5.3 · Medium
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Related Ubuntu Security Notices (USN)

Other references