Change logs for gnutls28 source package in Noble

  • gnutls28 (3.8.3-1.1ubuntu3.1) noble-security; urgency=medium
    
      * SECURITY UPDATE: side-channel leak via Minerva attack
        - debian/patches/CVE-2024-28834.patch: avoid normalization of mpz_t in
          deterministic ECDSA in lib/nettle/int/dsa-compute-k.c,
          lib/nettle/int/dsa-compute-k.h, lib/nettle/int/ecdsa-compute-k.c,
          lib/nettle/int/ecdsa-compute-k.h, lib/nettle/pk.c,
          tests/sign-verify-deterministic.c.
        - CVE-2024-28834
      * SECURITY UPDATE: crash via specially-crafted cert bundle
        - debian/patches/CVE-2024-28835.patch: remove length limit of input in
          lib/gnutls_int.h, lib/x509/common.c, lib/x509/verify-high.c,
          tests/test-chains.h.
        - CVE-2024-28835
    
     -- Marc Deslauriers <email address hidden>  Thu, 18 Apr 2024 09:54:34 -0400
  • gnutls28 (3.8.3-1.1ubuntu3) noble; urgency=medium
    
      * No-change rebuild for CVE-2024-3094
    
     -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 06:17:25 +0000
  • gnutls28 (3.8.3-1.1ubuntu2) noble; urgency=medium
    
      * No-change rebuild against libhogweed6t64.
    
     -- Matthias Klose <email address hidden>  Tue, 05 Mar 2024 16:42:37 +0100
  • gnutls28 (3.8.3-1.1ubuntu1) noble; urgency=medium
    
      * Merge with Debian; remaining changes:
        - Enable CET.
        - Set default priority string to only allow TLS1.2, DTLS1.2, and
          TLS1.3 with medium security profile (2048 RSA keys minimum, and
          similar).
        - Forcefully disable TLS 1.0 and 1.1 through /etc/gnutls/config.
        - Forcefully disable DTLS 0.9 and 1.0 through /etc/gnutls/config.
        - Fix logic for i386 autopkgtest on an amd64 host
        - Don't run the testsuite under the influence of a configuration file.
    
    gnutls28 (3.8.3-1.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Rename libraries for 64-bit time_t transition.  Closes: #1063297
    
     -- Matthias Klose <email address hidden>  Mon, 04 Mar 2024 19:00:31 +0100
  • gnutls28 (3.8.3-1ubuntu2) noble; urgency=medium
    
      * No-change rebuild against libhogweed6t64
    
     -- Steve Langasek <email address hidden>  Sun, 03 Mar 2024 06:23:24 +0000
  • gnutls28 (3.8.3-1ubuntu1) noble; urgency=medium
    
      * Merge from Debian unstable. Remaining changes:
        - Enable CET.
        - Set default priority string to only allow TLS1.2, DTLS1.2, and
          TLS1.3 with medium security profile (2048 RSA keys minimum, and
          similar).
        - Forcefully disable TLS 1.0 and 1.1 through /etc/gnutls/config.
        - Forcefully disable DTLS 0.9 and 1.0 through /etc/gnutls/config.
        - Fix logic for i386 autopkgtest on an amd64 host
        - Don't run the testsuite under the influence of a configuration file.
      * debian/patches/CVE-2023-5981.patch: dropped, included in new version.
    
    gnutls28 (3.8.3-1) unstable; urgency=medium
    
      * New upstream version.
        Fix assertion failure when verifying a certificate chain with a cycle of
        cross signatures. CVE-2024-0567 GNUTLS-SA-2024-01-09 Closes: #1061045
        Fix more timing side-channel inside RSA-PSK key exchange. CVE-2024-0553
        GNUTLS-SA-2024-01-14 Closes: #1061046
    
    gnutls28 (3.8.2-1) unstable; urgency=medium
    
      * New upstream version.
        + Drop cherrypicked patches.
        + Update symbol file.
        + Update copyright file.
        + Includes fix for CVE-2023-5981 / GNUTLS-SA-2023-10-23. Closes: #1056188
    
     -- Marc Deslauriers <email address hidden>  Fri, 26 Jan 2024 07:39:04 -0500
  • gnutls28 (3.8.1-4ubuntu7) noble; urgency=medium
    
      * Forcefully disable DTLS 0.9 and 1.0 through /etc/gnutls/config.
        See lp-merge #458092 for context.
    
     -- Adrien Nader <email address hidden>  Wed, 03 Jan 2024 15:06:38 +0100
  • gnutls28 (3.8.1-4ubuntu6) noble; urgency=medium
    
      * SECURITY UPDATE: timing side-channel inside RSA-PSK key exchange
        - debian/patches/CVE-2023-5981.patch: side-step potential side-channel
          in lib/auth/rsa.c, lib/auth/rsa_psk.c, lib/gnutls_int.h,
          lib/priority.c.
        - CVE-2023-5981
    
     -- Marc Deslauriers <email address hidden>  Thu, 23 Nov 2023 14:04:17 -0500
  • gnutls28 (3.8.1-4ubuntu5) noble; urgency=medium
    
      * armhf (-fstack-clash-protection) breakage rebuild
    
     -- Mate Kukri <email address hidden>  Thu, 23 Nov 2023 15:13:53 +0000
  • gnutls28 (3.8.1-4ubuntu4) noble; urgency=medium
    
      * Don't run the testsuite under the influence of a configuration file.
    
     -- Adrien Nader <email address hidden>  Fri, 17 Nov 2023 11:08:39 +0100
  • gnutls28 (3.8.1-4ubuntu3) noble; urgency=medium
    
      * Forcefully disable TLS 1.0 and 1.1 through /etc/gnutls/config.
    
     -- Adrien Nader <email address hidden>  Fri, 27 Oct 2023 17:41:58 -0400
  • gnutls28 (3.8.1-4ubuntu2) noble; urgency=medium
    
      * Rebuild against latest libunistring
    
     -- Jeremy Bícha <email address hidden>  Fri, 27 Oct 2023 06:48:46 -0400
  • gnutls28 (3.8.1-4ubuntu1) mantic; urgency=medium
    
      * Merge from Debian unstable. Remaining changes:
        - Enable CET.
        - Set default priority string to only allow TLS1.2, DTLS1.2, and
          TLS1.3 with medium security profile (2048 RSA keys minimum, and
          similar).
      * Fix logic for i386 autopkgtest on an amd64 host
    
    gnutls28 (3.8.1-4) unstable; urgency=medium
    
      * Fix autopkgtest for 32 bit archs.
      * Fix building twice from the same source. Closes: #1044384,#1049512
      * Drop orphaned debian/libgnutlsxx30.install and delete related (.a/.so)
        files in dh_autoinstall override, fixing dead symlink for libgnutlsxx.so.
        Closes: #1050058
    
     -- Dan Bungert <email address hidden>  Tue, 22 Aug 2023 16:30:06 -0600