CVE-2023-5981: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in GnuTLS (CVE-2023-5981) where response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. The vulnerability was reported in November 2023 and affects the GnuTLS library implementations (GnuTLS Advisory).

The vulnerability is a timing side-channel attack in the RSA-PSK key exchange mechanism. The issue allows an attacker to observe differences in response times between malformed ciphertexts and those with correct PKCS#1 v1.5 padding during the ClientKeyExchange process. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (Red Hat CVE).

The vulnerability only affects TLS ciphertext processing and could potentially allow an attacker to gather information about the cryptographic operations through timing analysis. This could lead to exposure of confidential information through side-channel analysis (GnuTLS Advisory).

The vulnerability was fixed in GnuTLS version 3.8.2. Users are recommended to upgrade to GnuTLS 3.8.2 or later versions to address this security issue. Multiple vendors have released security updates including Red Hat Enterprise Linux and Fedora (GnuTLS Advisory).