-
gnutls28 (3.8.1-4ubuntu1.3) mantic-security; urgency=medium
* SECURITY UPDATE: side-channel leak via Minerva attack
- debian/patches/CVE-2024-28834.patch: avoid normalization of mpz_t in
deterministic ECDSA in lib/nettle/int/dsa-compute-k.c,
lib/nettle/int/dsa-compute-k.h, lib/nettle/int/ecdsa-compute-k.c,
lib/nettle/int/ecdsa-compute-k.h, lib/nettle/pk.c,
tests/sign-verify-deterministic.c.
- CVE-2024-28834
* SECURITY UPDATE: crash via specially-crafted cert bundle
- debian/patches/CVE-2024-28835.patch: remove length limit of input in
lib/gnutls_int.h, lib/x509/common.c, lib/x509/verify-high.c,
tests/test-chains.h.
- CVE-2024-28835
-- Marc Deslauriers <email address hidden> Fri, 12 Apr 2024 09:12:36 -0400
-
gnutls28 (3.8.1-4ubuntu1.2) mantic-security; urgency=medium
* SECURITY UPDATE: timing side-channel attack in the RSA-PSK key exchange
- debian/patches/CVE-2024-0553.patch: minimize branching after
decryption in lib/auth/rsa_psk.c.
- CVE-2024-0553
* SECURITY UPDATE: DoS via certificate chain with distributed trust
- debian/patches/CVE-2024-0567.patch: detect loop in certificate chain
in lib/x509/common.c, tests/test-chains.h.
- CVE-2024-0567
-- Marc Deslauriers <email address hidden> Thu, 18 Jan 2024 11:12:38 -0500
-
gnutls28 (3.8.1-4ubuntu1.1) mantic-security; urgency=medium
* SECURITY UPDATE: timing side-channel inside RSA-PSK key exchange
- debian/patches/CVE-2023-5981.patch: side-step potential side-channel
in lib/auth/rsa.c, lib/auth/rsa_psk.c, lib/gnutls_int.h,
lib/priority.c.
- CVE-2023-5981
-- Marc Deslauriers <email address hidden> Fri, 17 Nov 2023 09:08:46 -0500
-
gnutls28 (3.8.1-4ubuntu1) mantic; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
* Fix logic for i386 autopkgtest on an amd64 host
gnutls28 (3.8.1-4) unstable; urgency=medium
* Fix autopkgtest for 32 bit archs.
* Fix building twice from the same source. Closes: #1044384,#1049512
* Drop orphaned debian/libgnutlsxx30.install and delete related (.a/.so)
files in dh_autoinstall override, fixing dead symlink for libgnutlsxx.so.
Closes: #1050058
-- Dan Bungert <email address hidden> Tue, 22 Aug 2023 16:30:06 -0600
-
gnutls28 (3.8.1-3ubuntu1) mantic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
gnutls28 (3.8.1-3) unstable; urgency=low
* Pull fixes from upstream git master:
* 50-0001-Fix-build-on-GNU-Hurd.patch (Thanks, Samuel Thibault) from
upstream git master.
* Fix rdep FTBFS due to removal of GNUTLS_NO_EXTENSIONS macro with
50-0002-Move-the-GNUTLS_NO_EXTENSIONS-compatibility-define-t.patch from
upstream MR 1766 (Thanks, Adrian Bunk)
gnutls28 (3.8.1-2) unstable; urgency=low
* Also use datefudge instead of faketime for autopkgtest.
* Upload to unstable.
gnutls28 (3.8.1-1) experimental; urgency=medium
* New upstream version.
+ Bump symbol file info.
gnutls28 (3.8.0+git20230713-1) experimental; urgency=medium
* New upstream git snapshot c4023afde53241aedbb94108aa10fda9bd05ee82.
+ Update copyright file.
+ Switch back to datefudge. faketime using fork() instead of exex() breaks
the cleanup scripting in the testsuite. This together with upstream
changes Closes: #1037917
Most tests do not rely on datefudge/faketime anymore but use -attime so
we would still have meaningful testsuite coverage without datefudge.
+ Update autopkgtest for new upstream.
gnutls28 (3.8.0+git20230529-1) experimental; urgency=medium
* New upstream git snapshot 0a8115000f2353dcabcfdc0caccbb0f2c3d6f512.
+ Update libgnutls30 symbol file.
+ Unfuzz patches.
gnutls28 (3.8.0+git20230413-1) experimental; urgency=medium
* New upstream git snapshot bfbcb238465baffc6a6695c0e593c9a25cf7cb51.
+ Unfuzz patches, drop superfluous patches.
+ Guile wrapper split off, adapt packaging.
+ Use faketime instead of datefudge. Closes: #1031553
+ Update copyright file.
+ Update symbol file.
+ Stop shipping legacy C++ library (libgnutlsxx30). This functionality is
now provided as a header-only library and there are no rdeps in Debian.
* Clean up debian/rules.
-- Steve Langasek <email address hidden> Tue, 08 Aug 2023 12:33:16 -0500
-
gnutls28 (3.7.9-2ubuntu1) mantic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
gnutls28 (3.7.9-2) unstable; urgency=medium
* CI: Do not try to run tests/ktls.sh, it uses a helper binary. (Plus gnutls
is not built with ktls support on Debian yet.) Closes: #1034350
gnutls28 (3.7.9-1) unstable; urgency=medium
* Drop unused lintian override.
* New upstream version.
+ Drop cherrypicked patches.
-- Steve Langasek <email address hidden> Fri, 05 May 2023 09:48:08 +0200
-
gnutls28 (3.7.8-5ubuntu1) lunar; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
gnutls28 (3.7.8-5) unstable; urgency=high
[ Debian Janitor ]
* Remove constraints unnecessary since buster (oldstable):
+ Build-Depends: Drop versioned constraint on libp11-kit-dev,
libtasn1-6-dev, libunbound-dev and libunistring-dev.
+ Build-Depends-Indep: Drop versioned constraint on texinfo.
+ libgnutls28-dev: Drop versioned constraint on libp11-kit-dev in Depends.
[ Andreas Metzler ]
* 55_01-auth-rsa-side-step-potential-side-channel.patch
55_02-rsa-remove-dead-code.patch 55_03-document-the-CVE-fix.patch:
Effectively update to 3.7.9, fixing GNUTLS-SA-2020-07-14 / CVE-2023-0361
-- Marc Deslauriers <email address hidden> Fri, 17 Feb 2023 08:00:36 -0500