-
gnutls28 (3.7.3-4ubuntu1.5) jammy-security; urgency=medium
* SECURITY UPDATE: side-channel leak via Minerva attack
- debian/patches/CVE-2024-28834.patch: avoid normalization of mpz_t in
deterministic ECDSA in lib/nettle/int/dsa-compute-k.c,
lib/nettle/int/dsa-compute-k.h, lib/nettle/int/ecdsa-compute-k.c,
lib/nettle/int/ecdsa-compute-k.h, lib/nettle/pk.c,
tests/sign-verify-deterministic.c.
- CVE-2024-28834
* SECURITY UPDATE: crash via specially-crafted cert bundle
- debian/patches/CVE-2024-28835.patch: remove length limit of input in
lib/gnutls_int.h, lib/x509/common.c, lib/x509/verify-high.c,
tests/test-chains.h.
- CVE-2024-28835
-- Marc Deslauriers <email address hidden> Fri, 12 Apr 2024 09:51:00 -0400
-
gnutls28 (3.7.3-4ubuntu1.4) jammy-security; urgency=medium
* SECURITY UPDATE: timing side-channel attack in the RSA-PSK key exchange
- debian/patches/CVE-2024-0553.patch: minimize branching after
decryption in lib/auth/rsa_psk.c.
- CVE-2024-0553
* SECURITY UPDATE: DoS via certificate chain with distributed trust
- debian/patches/CVE-2024-0567.patch: detect loop in certificate chain
in lib/x509/common.c, tests/test-chains.h.
- CVE-2024-0567
-- Marc Deslauriers <email address hidden> Thu, 18 Jan 2024 12:22:01 -0500
-
gnutls28 (3.7.3-4ubuntu1.3) jammy-security; urgency=medium
* SECURITY UPDATE: timing side-channel inside RSA-PSK key exchange
- debian/patches/CVE-2023-5981.patch: side-step potential side-channel
in lib/auth/rsa.c, lib/auth/rsa_psk.c, lib/gnutls_int.h,
lib/priority.c.
- CVE-2023-5981
-- Marc Deslauriers <email address hidden> Fri, 17 Nov 2023 09:19:42 -0500
-
gnutls28 (3.7.3-4ubuntu1.2) jammy-security; urgency=medium
* SECURITY UPDATE: timing sidechannel in RSA decryption
- debian/patches/CVE-2023-0361-1.patch: side-step potential
side-channel in lib/auth/rsa.c.
- debian/patches/CVE-2023-0361-2.patch: remove dead code in
lib/auth/rsa.c.
- CVE-2023-0361
-- Marc Deslauriers <email address hidden> Tue, 14 Feb 2023 16:13:17 -0500
-
gnutls28 (3.7.3-4ubuntu1.1) jammy-security; urgency=medium
* SECURITY UPDATE: Double free in verification of pkcs7 signatures
- debian/patches/CVE-2022-2509.patch: fix double free during
gnutls_pkcs7_verify in lib/x509/pkcs7.c,
tests/pkcs7-verify-double-free.c, tests/Makefile.am.
- CVE-2022-2509
-- Marc Deslauriers <email address hidden> Tue, 02 Aug 2022 08:48:56 -0400
-
gnutls28 (3.7.3-4ubuntu1) jammy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
gnutls28 (3.7.3-4) unstable; urgency=low
[ Helmut Grohne ]
* Fix FTCBFS: Annotate python3 dependency with :any. (Closes: #1004183)
[ Andreas Metzler ]
* CI: Sort test list.
* CI: Skip another test wrapping a binary test.
* CI: Fix missed &> redirection.
gnutls28 (3.7.3-3) unstable; urgency=low
* Fix CI errors:
+ Set PKCS12_ITER_COUNT=600000, avoid more tests requiring a special test
binary.
+ 40_bashism_in_test.diff: Avoid &> redirection.
gnutls28 (3.7.3-2) unstable; urgency=low
* B-d on python3 instead of python3-minimal, the json module is not part of
-minimal.
* Upload to unstable.
gnutls28 (3.7.3-1) experimental; urgency=low
* New upstream version.
+ Does not use GNU autogen anymore, update Build-Depends.
+ Drop 40_fix-gtk-mkhtml.patch.
+ Update symbol file.
-- Gianfranco Costamagna <email address hidden> Mon, 24 Jan 2022 09:23:08 +0100
-
gnutls28 (3.7.2-5ubuntu1) jammy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
gnutls28 (3.7.2-5) unstable; urgency=medium
* 40_fix-gtk-mkhtml.patch by Dennis Filder fixes gtk-doc generation.
Closes: #1003075
* Cherrypick some improvements to debian/rules suggested by Dennis Filder.
-- Gianfranco Costamagna <email address hidden> Sat, 08 Jan 2022 21:03:33 +0100
-
gnutls28 (3.7.2-4ubuntu1) jammy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
gnutls28 (3.7.2-4) unstable; urgency=low
* Run wrap-and-sort -ast, and drop depends/b-d on libgmp > 2:6 since even
oldstable uses this version.
* Upload to unstable
gnutls28 (3.7.2-3) experimental; urgency=medium
* Another test build against guile-3.0. #964284
-- Gianfranco Costamagna <email address hidden> Mon, 20 Dec 2021 21:29:48 +0100
-
gnutls28 (3.7.2-2ubuntu1) jammy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
gnutls28 (3.7.2-2) unstable; urgency=low
* Invoke dh_autoreconf with GTKDOCIZE=echo for arch-only builds, fixing
FTBFS. Closes: #992849
* Upload to unstable.
gnutls28 (3.7.2-1) experimental; urgency=medium
* New upstream version.
+ Drop debian/patches/5[56]*.
+ Update libgnutls30.symbols.
+ Update copyright file.
-- Gianfranco Costamagna <email address hidden> Wed, 03 Nov 2021 09:23:28 +0100
-
gnutls28 (3.7.1-5ubuntu1) impish; urgency=low
* Merge from Debian unstable (LP: #1939739). Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
* Add LP bug number to previous merge entry in changelog
gnutls28 (3.7.1-5) unstable; urgency=medium
* Another fix from 3.7.2:
56_30-x509-verify-treat-SHA-1-signed-CA-in-the-trusted-set.patch
* 40_fix_ipv6only_testsuite_AI_ADDRCONFIG.diff applied upstream, renamed to
56_33-serv-stop-setting-AI_ADDRCONFIG-on-getaddrinfo.patch
-- William 'jawn-smith' Wilson <email address hidden> Thu, 12 Aug 2021 13:17:53 -0600