UBUNTU-CVE-2023-25824

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2023-25824

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-25824.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2023-25824

Upstream

CVE-2023-25824

Published

2023-02-23T22:15:00Z

Modified

2025-10-24T05:01:50Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Versions from 0.9.0 to 0.12.0 (including) did not properly fail blocking read operations on TLS connections when the transport hit timeouts. Instead it entered an endless loop retrying the read operation, consuming CPU resources. This could be exploited for denial of service attacks. If trace level logging was enabled, it would also produce an excessive amount of log output during the loop, consuming disk space. The problem has been fixed in commit d7eec4e598158ab6a98bf505354e84352f9715ec, please update to version 0.12.1. There are no workarounds, users who cannot update should apply the errno fix detailed in the security advisory.

References

Affected packages

Ubuntu:20.04:LTS / mod-gnutls

Package

Name: mod-gnutls
Purl: pkg:deb/ubuntu/mod-gnutls@0.9.0-1.1ubuntu1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.8.2-3ubuntu1

0.9.0-1.1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.9.0-1.1ubuntu1",
            "binary_name": "libapache2-mod-gnutls"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-25824.json"

Ubuntu:22.04:LTS / mod-gnutls