Change logs for gnutls28 source package in Jammy

  • gnutls28 (3.7.3-4ubuntu1.5) jammy-security; urgency=medium
    
      * SECURITY UPDATE: side-channel leak via Minerva attack
        - debian/patches/CVE-2024-28834.patch: avoid normalization of mpz_t in
          deterministic ECDSA in lib/nettle/int/dsa-compute-k.c,
          lib/nettle/int/dsa-compute-k.h, lib/nettle/int/ecdsa-compute-k.c,
          lib/nettle/int/ecdsa-compute-k.h, lib/nettle/pk.c,
          tests/sign-verify-deterministic.c.
        - CVE-2024-28834
      * SECURITY UPDATE: crash via specially-crafted cert bundle
        - debian/patches/CVE-2024-28835.patch: remove length limit of input in
          lib/gnutls_int.h, lib/x509/common.c, lib/x509/verify-high.c,
          tests/test-chains.h.
        - CVE-2024-28835
    
     -- Marc Deslauriers <email address hidden>  Fri, 12 Apr 2024 09:51:00 -0400
  • gnutls28 (3.7.3-4ubuntu1.4) jammy-security; urgency=medium
    
      * SECURITY UPDATE: timing side-channel attack in the RSA-PSK key exchange
        - debian/patches/CVE-2024-0553.patch: minimize branching after
          decryption in lib/auth/rsa_psk.c.
        - CVE-2024-0553
      * SECURITY UPDATE: DoS via certificate chain with distributed trust
        - debian/patches/CVE-2024-0567.patch: detect loop in certificate chain
          in lib/x509/common.c, tests/test-chains.h.
        - CVE-2024-0567
    
     -- Marc Deslauriers <email address hidden>  Thu, 18 Jan 2024 12:22:01 -0500
  • gnutls28 (3.7.3-4ubuntu1.3) jammy-security; urgency=medium
    
      * SECURITY UPDATE: timing side-channel inside RSA-PSK key exchange
        - debian/patches/CVE-2023-5981.patch: side-step potential side-channel
          in lib/auth/rsa.c, lib/auth/rsa_psk.c, lib/gnutls_int.h,
          lib/priority.c.
        - CVE-2023-5981
    
     -- Marc Deslauriers <email address hidden>  Fri, 17 Nov 2023 09:19:42 -0500
  • gnutls28 (3.7.3-4ubuntu1.2) jammy-security; urgency=medium
    
      * SECURITY UPDATE: timing sidechannel in RSA decryption
        - debian/patches/CVE-2023-0361-1.patch: side-step potential
          side-channel in lib/auth/rsa.c.
        - debian/patches/CVE-2023-0361-2.patch: remove dead code in
          lib/auth/rsa.c.
        - CVE-2023-0361
    
     -- Marc Deslauriers <email address hidden>  Tue, 14 Feb 2023 16:13:17 -0500
  • gnutls28 (3.7.3-4ubuntu1.1) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Double free in verification of pkcs7 signatures
        - debian/patches/CVE-2022-2509.patch: fix double free during
          gnutls_pkcs7_verify in lib/x509/pkcs7.c,
          tests/pkcs7-verify-double-free.c, tests/Makefile.am.
        - CVE-2022-2509
    
     -- Marc Deslauriers <email address hidden>  Tue, 02 Aug 2022 08:48:56 -0400
  • gnutls28 (3.7.3-4ubuntu1) jammy; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        - Enable CET.
        - Set default priority string to only allow TLS1.2, DTLS1.2, and
        TLS1.3 with medium security profile (2048 RSA keys minimum, and
        similar).
        - Reduce parallelism in build to 2 to address FTBFS with lto
    
    gnutls28 (3.7.3-4) unstable; urgency=low
    
      [ Helmut Grohne ]
      * Fix FTCBFS: Annotate python3 dependency with :any. (Closes: #1004183)
    
      [ Andreas Metzler ]
      * CI: Sort test list.
      * CI: Skip another test wrapping a binary test.
      * CI: Fix missed &> redirection.
    
    gnutls28 (3.7.3-3) unstable; urgency=low
    
      * Fix CI errors:
        + Set PKCS12_ITER_COUNT=600000, avoid more tests requiring a special test
          binary.
        + 40_bashism_in_test.diff: Avoid &> redirection.
    
    gnutls28 (3.7.3-2) unstable; urgency=low
    
      * B-d on python3 instead of python3-minimal, the json module is not part of
        -minimal.
      * Upload to unstable.
    
    gnutls28 (3.7.3-1) experimental; urgency=low
    
      * New upstream version.
       + Does not use GNU autogen anymore, update Build-Depends.
       + Drop 40_fix-gtk-mkhtml.patch.
       + Update symbol file.
    
     -- Gianfranco Costamagna <email address hidden>  Mon, 24 Jan 2022 09:23:08 +0100
  • gnutls28 (3.7.2-5ubuntu1) jammy; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        - Enable CET.
        - Set default priority string to only allow TLS1.2, DTLS1.2, and
        TLS1.3 with medium security profile (2048 RSA keys minimum, and
        similar).
        - Reduce parallelism in build to 2 to address FTBFS with lto
    
    gnutls28 (3.7.2-5) unstable; urgency=medium
    
      * 40_fix-gtk-mkhtml.patch by Dennis Filder fixes gtk-doc generation.
        Closes: #1003075
      * Cherrypick some improvements to debian/rules suggested by Dennis Filder.
    
     -- Gianfranco Costamagna <email address hidden>  Sat, 08 Jan 2022 21:03:33 +0100
  • gnutls28 (3.7.2-4ubuntu1) jammy; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        - Enable CET.
        - Set default priority string to only allow TLS1.2, DTLS1.2, and
        TLS1.3 with medium security profile (2048 RSA keys minimum, and
        similar).
        - Reduce parallelism in build to 2 to address FTBFS with lto
    
    gnutls28 (3.7.2-4) unstable; urgency=low
    
      * Run wrap-and-sort -ast, and drop depends/b-d on libgmp > 2:6 since even
        oldstable uses this version.
      * Upload to unstable
    
    gnutls28 (3.7.2-3) experimental; urgency=medium
    
      * Another test build against guile-3.0. #964284
    
     -- Gianfranco Costamagna <email address hidden>  Mon, 20 Dec 2021 21:29:48 +0100
  • gnutls28 (3.7.2-2ubuntu1) jammy; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        - Enable CET.
        - Set default priority string to only allow TLS1.2, DTLS1.2, and
        TLS1.3 with medium security profile (2048 RSA keys minimum, and
        similar).
        - Reduce parallelism in build to 2 to address FTBFS with lto
    
    gnutls28 (3.7.2-2) unstable; urgency=low
    
      * Invoke dh_autoreconf with GTKDOCIZE=echo for arch-only builds, fixing
        FTBFS. Closes: #992849
      * Upload to unstable.
    
    gnutls28 (3.7.2-1) experimental; urgency=medium
    
      * New upstream version.
        + Drop debian/patches/5[56]*.
        + Update libgnutls30.symbols.
        + Update copyright file.
    
     -- Gianfranco Costamagna <email address hidden>  Wed, 03 Nov 2021 09:23:28 +0100
  • gnutls28 (3.7.1-5ubuntu1) impish; urgency=low
    
      * Merge from Debian unstable (LP: #1939739). Remaining changes:
        - Enable CET.
        - Set default priority string to only allow TLS1.2, DTLS1.2, and
        TLS1.3 with medium security profile (2048 RSA keys minimum, and
        similar).
        - Reduce parallelism in build to 2 to address FTBFS with lto
      * Add LP bug number to previous merge entry in changelog
    
    gnutls28 (3.7.1-5) unstable; urgency=medium
    
      * Another fix from 3.7.2:
        56_30-x509-verify-treat-SHA-1-signed-CA-in-the-trusted-set.patch
      * 40_fix_ipv6only_testsuite_AI_ADDRCONFIG.diff applied upstream, renamed to
        56_33-serv-stop-setting-AI_ADDRCONFIG-on-getaddrinfo.patch
    
     -- William 'jawn-smith' Wilson <email address hidden>  Thu, 12 Aug 2021 13:17:53 -0600