CVE-2023-25824: 
Linux Debian vulnerability analysis and mitigation

CVE-2023-25824 affects mod_gnutls versions from 0.9.0 to 0.12.0 (inclusive). The vulnerability was discovered when the software failed to properly handle blocking read operations on TLS connections during transport timeouts. The issue was first reported in October 2019 and was officially assigned a CVE in February 2023 (GitHub Advisory).

The vulnerability stems from an incorrect errno handling in the mgs_transport_read() function when the transport read fails with an APR TIMEUP status. The code incorrectly set the transport errno to EAGAIN instead of ETIMEDOUT, causing blocking reads to enter an endless retry loop. This issue was introduced in commit 92cb0cc and first appeared in version 0.9.0. The bug has been assigned CWE-835 classification (NVD Report).

When exploited, the vulnerability causes the affected system to enter an endless loop, consuming CPU resources and potentially leading to denial of service. Additionally, if trace level logging was enabled, it would generate excessive log output, consuming disk space. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), reflecting its potential for significant availability impact (GitHub Advisory).

The issue has been fixed in version 0.12.1 with commit d7eec4e. For users unable to update, a patch is available that changes the errno from EAGAIN to ETIMEDOUT in the mgs_transport_read function. The fix involves modifying the gnutls_transport_set_errno call to use ETIMEDOUT instead of EAGAIN (GitHub Commit).