Using the TLS fuzzer tools, it was found that decoding a malformed TLS 1.3 asynchronous message can cause a server crash via an invalid pointer access. The issue affects GnuTLS server applications since version 3.6.4. It was reported in the issue tracker as #704.
Tavis Ormandy of Google Project Zero found a memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected. It was reported in the issue tracker as #694.
CVE IDs: CVE-2019-3836, CVE-2019-3829
Other security advisory IDs: GNUTLS-SA-2019-03-27
Descriptions: https://www.gnutls.org/security-new.html
Architectural progress:
amd64
optenv32
arm64
armel
ppc64
powerpc