
The GnuTLS library has been updated for Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS to fix two security vulnerabilities that may lead to Denial of Service. GnuTLS implements the Transport Layer Security and Datagram Transport Layer Security protocols. The two CVEs are CVE-2025-9820, an out-of-bounds write when a PKCS#11 token is initialized with a label longer than 32 characters, and CVE-2025-14831, resource exhaustion when verifying malicious certificates that contain a large number of name constraints and subject alternative names.

ELA-1653-1 gnutls28 security update

Package : gnutls28
Version : 3.5.8-5+deb9u10 (stretch), 3.6.7-4+deb10u15 (buster)

Related CVEs :
CVE-2025-9820
CVE-2025-14831

Vulnerabilities were found in GnuTLS, a portable library which
implements the Transport Layer Security and Datagram Transport Layer
Security protocols, which may lead to Denial of Service.

CVE-2025-9820

An out-of-bound write issue was discovered when a PKCS#11 token is
initialized with the gnutls_pkcs11_token_init() function and it is
passed a token label longer than 32 characters.
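As an added illustration of the bounds check behind CVE-2025-9820 (example code written for this advisory, not GnuTLS's own implementation): PKCS#11 defines the token label as a fixed 32-byte, blank-padded field, so a routine that fills it must measure the caller's input against that limit before writing anything. The function names, return codes and sample labels below are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* PKCS#11 defines CK_TOKEN_INFO.label as a 32-byte field, padded with
 * blanks (0x20) and not NUL terminated. */
#define TOKEN_LABEL_LEN 32

/* Return codes constructed for this example; not GnuTLS error codes. */
enum { LABEL_OK = 0, LABEL_TOO_LONG = -1, LABEL_INVALID = -2 };

/*
 * Format a caller-supplied C string into the fixed 32-byte, blank-padded
 * PKCS#11 label field. The input length is measured with a bounded scan
 * (at most TOKEN_LABEL_LEN + 1 bytes are read), so an oversized or
 * unterminated label is rejected before a single byte is written to `out`.
 * Copying without this check is the bug class described in CVE-2025-9820.
 */
int pkcs11_format_label(const char *label, unsigned char out[TOKEN_LABEL_LEN])
{
    size_t len;

    if (label == NULL || out == NULL)
        return LABEL_INVALID;

    /* Bounded length scan: stop as soon as the label is known to be too long. */
    for (len = 0; len <= TOKEN_LABEL_LEN; len++)
        if (label[len] == '\0')
            break;
    if (len > TOKEN_LABEL_LEN)
        return LABEL_TOO_LONG;

    memcpy(out, label, len);                       /* at most 32 bytes */
    memset(out + len, ' ', TOKEN_LABEL_LEN - len); /* blank padding */
    return LABEL_OK;
}

/* Recover a NUL-terminated string from the padded field (trailing blanks
 * stripped). `buf` must have room for TOKEN_LABEL_LEN + 1 bytes. */
size_t pkcs11_label_to_string(const unsigned char in[TOKEN_LABEL_LEN],
                              char buf[TOKEN_LABEL_LEN + 1])
{
    size_t len = TOKEN_LABEL_LEN;

    while (len > 0 && in[len - 1] == ' ')
        len--;
    memcpy(buf, in, len);
    buf[len] = '\0';
    return len;
}
```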

CVE-2025-14831

Tim Scheckenbach discovered that verifying specially crafted
malicious certificates containing a large number of name constraints
and subject alternative names (SANs) could lead to resource
exhaustion.
