-
gnutls26 (2.12.23-17) unstable; urgency=medium
[ Mauricio Faria de Oliveira ]
* Add fixes for automake (30_fix_automake_oldies.patch).
* Run dh-autoreconf on build. (Closes: #751796)
[ Andreas Metzler ]
* 31_linkage-gpgerror.diff: Stop unnecessary linkage against libgpg-error
caused by buildung with up to date lib-link.m4.
-- Andreas Metzler <email address hidden> Thu, 03 Jul 2014 19:47:01 +0200
-
gnutls26 (2.12.23-16) unstable; urgency=high
* Drop libgnutls26-dbg Conflicts with libgnutls13-dbg, libgnutls28-dbg.
These have been unnecessary since we started using dh compat v9, where
debugging symbols are installed to /usr/lib/debug/.build-id.
* 29_Prevent-memory-corruption.diff from upstream GIT. Fix memory corruption
on client side caused by specifically crafted ServerHello.
GNUTLS-SA-2014-3 / CVE-2014-3466
-- Andreas Metzler <email address hidden> Sat, 31 May 2014 16:14:29 +0200
-
gnutls26 (2.12.23-15) unstable; urgency=medium
* 28_use_gnutls_global_set_time.diff: Use gnutls_global_set_time_function()
in chainverify test to fix a testsuite failure on amd64. Closes: #746018
-- Andreas Metzler <email address hidden> Sun, 27 Apr 2014 20:16:13 +0200
-
gnutls26 (2.12.23-14) unstable; urgency=medium
* Move OpenSSL wrappper over to gnutls28. Stop providing
libgnutls-openssl-dev and building libgnutls-openssl27.
-- Andreas Metzler <email address hidden> Wed, 16 Apr 2014 19:23:02 +0200
-
gnutls26 (2.12.23-13) unstable; urgency=high
* 27_CVE-2014-0092.diff by Nikos Mavrogiannopoulos: Fix certificate
validation issue. CVE-2014-0092
-- Andreas Metzler <email address hidden> Sat, 01 Mar 2014 08:30:13 +0100
-
gnutls26 (2.12.23-12) unstable; urgency=high
* 26_fix_rejection-of-v1-intermedi.diff pulled and unfuzzed from GIT 3.x:
A version 1 intermediate certificate will be considered as a CA
certificate by default (something that deviates from the documented
behavior).
CVE-2014-1959 / GNUTLS-SA-2014-1
-- Andreas Metzler <email address hidden> Sat, 15 Feb 2014 16:37:36 +0100
-
gnutls26 (2.12.23-11) unstable; urgency=medium
* (Build-)Depend on libtasn1-6-dev instead of on transitional libtasn1-3-dev
package.
-- Andreas Metzler <email address hidden> Sat, 08 Feb 2014 15:29:24 +0100
-
gnutls26 (2.12.23-10) unstable; urgency=medium
* Point vcs* to git.
* Fix build on or1k (OpenRISC), thanks to Christian Svensson.
Closes: #736750
+ Drop (build-)depends on libp11-kit-dev on or1k which is lacking libffi
currently.
+ Do not use chrpath if we are cross compiling.
-- Andreas Metzler <email address hidden> Mon, 27 Jan 2014 13:37:21 +0100
-
gnutls26 (2.12.23-8) unstable; urgency=low
* Let libgnutls-dev provide libgnutls-openssl-dev to prepare a seamless
transition to gnutls28.
-- Andreas Metzler <email address hidden> Sun, 06 Oct 2013 13:49:36 +0200
-
gnutls26 (2.12.23-7) unstable; urgency=medium
* Upload to unstable, built against libtasn1-3.
* 25_updatedgdocfrommaster.diff - Update gdoc script from gnutls master to
fix spurious build failure with perl 5.18. Closes: #724167
-- Andreas Metzler <email address hidden> Wed, 25 Sep 2013 19:25:23 +0200
-
gnutls26 (2.12.23-5) unstable; urgency=high
* [21_sanitycheck.diff] Fix out of bounds data access.
Closes: #709301
-- Andreas Metzler <email address hidden> Thu, 23 May 2013 19:04:28 +0200
-
gnutls26 (2.12.23-4) unstable; urgency=low
* Build against libtasn1-3 again.
-- Andreas Metzler <email address hidden> Sat, 18 May 2013 17:44:46 +0200
-
gnutls26 (2.12.23-3) unstable; urgency=low
* Upload to unstable, 2.12.20 FTBFS with libc 2.17 due to removal of gets.
* Import 2.12.20-* changelog entries.
-- Andreas Metzler <email address hidden> Thu, 09 May 2013 13:50:33 +0200
-
gnutls26 (2.12.20-6) unstable; urgency=low
* For wheezy build gnutls-bin and guile-gnutls from this source package
rather than from gnutls28. gnutls28 is a leaf-package in wheezy. Not
shipping would mean a lot less work for the security team if there was a
GnuTLS vulnerability. If wanted, it can be re-introduced via backports.
The versioning trick has been copied from Ubuntu.
* Since guile support would require building with --disable-largefile on
armel armhf mipsel we do not provide the package there.
-- Andreas Metzler <email address hidden> Thu, 04 Apr 2013 18:34:25 +0200
-
gnutls26 (2.12.20-5) unstable; urgency=low
* Testbuild gnutls guile bindings, binary packages unchanged.
-- Andreas Metzler <email address hidden> Fri, 22 Mar 2013 18:58:28 +0100
-
gnutls26 (2.12.20-4) unstable; urgency=high
* Pull fixes from 2.12.23:
+ 34_pkcs11_memleak.diff Eliminated memory leak in PCKS #11
initialization.
+ 35_TLS-CBC_timing-attack.diff (GNUTLS-SA-2013-1) TLS CBC padding timing
attack
-- Andreas Metzler <email address hidden> Mon, 04 Feb 2013 19:35:29 +0100
-
gnutls26 (2.12.20-3) unstable; urgency=low
* Pull fixes from 2.12.22:
+31_allow_key_usage_violation.diff: Always tolerate key usage violation
errors from the side of the peer, but also notify via an audit message.
+32_record-padding-parsing.patch: Fix record padding parsing issue.
+33_stricter_rsa_pkcs_1.5.diff: Fixes random handshake failures with
non-GnuTLS implementations.
This brings us up to GnuTLS 2.12.22, except for these differences:
- The equivalent change of 33_stricter_rsa_pkcs_1.5.diff for the nettle
code is not included as it is not relevant for Debian's binary packages.
- 0b9d8d6f21dad85038c6de36d8fbd56271263f64 Corrected bug in PGP subpacket
encoding.
- Compatibility with libtasn1 3.x, which would require libtasn1 >=2.14.
- Updated gnulib.
* Update watchfile, based on Bart Martens version from q.d.o, but use a)
ftp.gnutls.org as mirror and b) limit the the match to 2.x versions.
-- Andreas Metzler <email address hidden> Sun, 06 Jan 2013 10:56:57 +0100
-
gnutls26 (2.12.20-2) unstable; urgency=low
* 30_strlen_on_null.diff: Fix segfault caused by running strlen() on NULL.
Closes: #647747
* Fix documentation packaging. gnutls-doc is built from the GnuTLS 3.x
packages. Add a new gnutls26-doc package which drops manpages and info
format documentation in favour of being co-installable with
gnutls-doc.
-- Andreas Metzler <email address hidden> Tue, 13 Nov 2012 19:21:25 +0100
-
gnutls26 (2.12.20-1) unstable; urgency=low
* New upstream release.
* Drop 25_nssldapsfix.diff (already included).
-- Andreas Metzler <email address hidden> Sun, 10 Jun 2012 16:53:50 +0200
-
gnutls26 (2.12.19-2) unstable; urgency=low
* Pull debian/patches/25_nssldapsfix.diff from upstream git.
(LP: #1003841)
-- Andreas Metzler <email address hidden> Thu, 07 Jun 2012 19:17:07 +0200
-
gnutls26 (2.12.19-1) unstable; urgency=low
* New upstream release.
-- Andreas Metzler <email address hidden> Sat, 05 May 2012 20:02:34 +0200
-
gnutls26 (2.12.18-1) unstable; urgency=low
* New upstream release.
-- Andreas Metzler <email address hidden> Fri, 16 Mar 2012 19:34:18 +0100
-
gnutls26 (2.12.17-2) unstable; urgency=low
* Upload to unstable.
-- Andreas Metzler <email address hidden> Sat, 10 Mar 2012 16:07:43 +0100
-
gnutls26 (2.12.16-1) unstable; urgency=low
* New upstream release.
-- Andreas Metzler <email address hidden> Sat, 07 Jan 2012 13:20:09 +0100
-
gnutls26 (2.12.14-5) unstable; urgency=low
* Disable gnutls-guile package, let it be provided by gnutls28.
-- Andreas Metzler <email address hidden> Sat, 17 Dec 2011 12:05:34 +0100
-
gnutls26 (2.12.14-4) unstable; urgency=low
* Prepare for uploading gnutls28 to unstable.
+ Drop gnutls-bin package, it is going to be provided by gnutls28.
+ Binaries are still useful for debugging, ship them with libgnutls-dbg
in LIBDIR/libgnutls26.
-- Andreas Metzler <email address hidden> Sat, 03 Dec 2011 09:39:54 +0100
-
gnutls26 (2.12.14-3) unstable; urgency=low
* [20_tests-select.diff] Do not run gnulib test-select test anymore. The
test fails on kfreebsd-i386, the gnutls library does not use select().
Closes: #648247
-- Andreas Metzler <email address hidden> Tue, 15 Nov 2011 19:10:06 +0100
-
gnutls26 (2.12.14-2) unstable; urgency=low
* Build gnutls with --disable-largefile on armel, armhf and mipsel to fix
FTBFS on these architectures.
See http://lists.gnu.org/archive/html/gnutls-devel/2011-10/msg00075.html
-- Andreas Metzler <email address hidden> Sat, 12 Nov 2011 09:30:42 +0100
-
gnutls26 (2.12.14-1) unstable; urgency=medium
* Simplify dependencies:
+ libgnutls-dev Provides/Conflicts/Replaces gnutls-dev (which is
also provided by gnutls28' libgnutls*-dev).
+ Drop *ancient* Conflicts/Replaces against libgnutls5-dev, gnutls0.4-dev,
gnutls-dev (<< 0.4.0-0), libgnutls11-dev.
* New upstream bugfix release.
-- Andreas Metzler <email address hidden> Tue, 08 Nov 2011 19:34:28 +0100
-
gnutls26 (2.12.12-1) unstable; urgency=low
* New upstream version.
* Drop -mlong-double-64 on powerpc, updated gnulib should fix this issue and
the build-failure on powerpc64. Closes: #644944
* Delete superfluous info from debian/README.source.
* Drop 20_guiledocstring, included upstream.
-- Andreas Metzler <email address hidden> Fri, 21 Oct 2011 19:33:04 +0200
-
gnutls26 (2.12.11-1) unstable; urgency=low
* New upstream version.
+ Allow CA importing of 0 certificates to succeed. Closes: #640639
* Add libp11-kit-dev to libgnutls-dev dependencies. (see #643811)
* [20_guiledocstring.diff] guile: Fix docstring extraction with CPP 4.5+.
-- Andreas Metzler <email address hidden> Sat, 01 Oct 2011 15:28:13 +0200
-
gnutls26 (2.12.10-2) unstable; urgency=low
* Add -mlong-double-64 to CFLAGS on powerpc to work around gnulib testsuite
error (test-float). See http://savannah.gnu.org/bugs/?33710 and
http://mid.gmane.org/relbj8-8jh.ln1%40argenau.downhill.at.eu.org
-- Andreas Metzler <email address hidden> Sun, 11 Sep 2011 08:23:54 +0200
-
gnutls26 (2.12.10-1) unstable; urgency=low
* New upstream version.
+ Uses p11-kit instead of forked pakchois for PKCS#11. Update
build-depends (libp11-kit-dev and pkg-config) and debian/copyright.
* Drop superfluous patches (20_gcrypt15compat.diff,
21_gnutls-cli.man.diff 22_export_gnutls_openpgp_privkey_sign_hash.diff
23_deinit_privkey.diff 24_XmppAddr-UTF8String.diff).
* Fix binary-control-field-duplicates-source lintian warnings.
-- Andreas Metzler <email address hidden> Sat, 03 Sep 2011 14:40:36 +0200
-
gnutls26 (2.12.7-8) unstable; urgency=high
* Since libgnutls*-dbg contains debugging symbols of helper applications
libgnutls26-dbg and libgnutls28-dbg are not co-installable. Add Conflicts.
* [24_XmppAddr-UTF8String.diff] Correct parsing of XMPP subject
alternative names. Closes: #638586
* [23_deinit_privkey.diff] gnutls_certificate_set_x509_key() and
gnutls_certificate_set_openpgp_key() operate as in 2.10.x and allow the
release of the private key during the lifetime of the certificate
structure. Closes: #638595
* Upload with urgency=high, 638595 breaks wwwoffle's TLS support.
-- Andreas Metzler <email address hidden> Sun, 28 Aug 2011 08:54:26 +0200
-
gnutls26 (2.12.7-7) unstable; urgency=high
* 21_gnutls-cli.man.diff pulled from upstream git: Formatting fix for
gnutls-cli manpage. Closes: #637551
* 22_export_gnutls_openpgp_privkey_sign_hash.diff. Fix ABI breakage,
export_gnutls_openpgp_privkey_sign_hash() used to be present in 2.10.x was
accidentally dropped from the symbol list. (Thanks, Jakub Wilk)
Closes: #638801
-- Andreas Metzler <email address hidden> Mon, 22 Aug 2011 19:24:08 +0200
-
gnutls26 (2.12.7-6) unstable; urgency=low
* Use common-install-arch instead of common-install-prehook-arch to delete
rpath.
-- Andreas Metzler <email address hidden> Fri, 12 Aug 2011 20:26:22 +0200
-
gnutls26 (2.12.7-4) unstable; urgency=low
* Upload to unstable.
* Point watch file to stable release directory.
* 18_gpgerrorinpkgconfig.diff: Add libgpg-error to pkg-config
Libs.private. Closes: #632891
* Update libgnutls26 Breaks (snowdrop and zoneminder versions.)
-- Andreas Metzler <email address hidden> Sun, 07 Aug 2011 09:58:28 +0200
-
gnutls26 (2.10.5-3) unstable; urgency=medium
* [20_gcrypt15compat.diff] Fix compatibility with gcrypt 1.5. -- Andreas Metzler <email address hidden> Mon, 25 Jul 2011 19:26:34 +0200
-
gnutls26 (2.10.5-2) unstable; urgency=low
* Stop shipping libtool la files. -- Andreas Metzler <email address hidden> Sat, 25 Jun 2011 18:13:38 +0200
-
gnutls26 (2.10.5-1) unstable; urgency=low
* New upstream bugfix release. + Drop 15_fixgnutlspc.diff, included upstream. * Set C(XX)FLAGS += -Wall, the latest combination of cdbs + dpkg-dev does not seem to set it by default. -- Andreas Metzler <email address hidden> Mon, 28 Feb 2011 18:52:57 +0100
-
gnutls26 (2.10.4-2) unstable; urgency=low
* Use debhelper compatibility level 7. * Merge in changes from 2.8.6-1: + Use dh_lintian. + Use dh_makeshlibs for the guile stuff, too. This gets us a) ldconfig in postinst. Closes: #553109 and b) a shlibs file. However the shared objects /usr/lib/libguile-gnutls*so* are still not designed to be used as libraries (linking) but are dlopened. guile-1.10 will address this issue by keeping this stuff in a private directory. + hotfix pkg-config files (proper fix to be included upstream). + Stop unneeeded linkage against libgpg-error. 16_unnecessarydep.diff Closes: #405239 * Upload to unstable. -- Andreas Metzler <email address hidden> Sun, 06 Feb 2011 16:44:09 +0100
-
gnutls26 (2.8.6-1) unstable; urgency=low
* Use dh_lintian.
* Use dh_makeshlibs for the guile stuff, too. This gets us
a) ldconfig in postinst. Closes: #553109
and
b) a shlibs file.
However the shared objects /usr/lib/libguile-gnutls*so* are still not
designed to be used as libraries (linking) but are dlopened. guile-1.10
will address this issue by keeping this stuff in a private directory.
* hotfix pkg-config files (proper fix to be included upstream).
* Stop unneeeded linkage against libgpg-error. 16_unnecessarydep.diff
-- Andreas Metzler <email address hidden> Sat, 20 Mar 2010 15:53:35 +0100
-
gnutls26 (2.8.5-2) unstable; urgency=low
* Add a huge bunch of lintian overrides for the guile stuff to make dak
happy.
-- Andreas Metzler <email address hidden> Fri, 13 Nov 2009 19:53:04 +0100
-
gnutls26 (2.8.4-2) unstable; urgency=high
* [20_fixtimebomb.diff] Fix testsuite error. Closes: #552920
-- Andreas Metzler <email address hidden> Sun, 01 Nov 2009 13:21:27 +0100
-
gnutls26 (2.8.4-1) unstable; urgency=low
* New upstream version.
+ Drop debian/patches/15_openpgp.diff.
* Sync priorities with override file, libgnutls26 has been bumped from
important to standard.
-- Andreas Metzler <email address hidden> Sat, 26 Sep 2009 10:33:52 +0200
-
gnutls26 (2.8.3-3) unstable; urgency=low
* Empty dependency_libs in la-files. (Squeeze release goal.)
-- Andreas Metzler <email address hidden> Sat, 05 Sep 2009 09:09:22 +0200
-
gnutls26 (2.8.3-2) unstable; urgency=low
* [ debian/patches/15_openpgp.diff ] The CVE-2009-2730 patch broke
openpgp connections.
-- Andreas Metzler <email address hidden> Sat, 22 Aug 2009 14:14:48 +0200
-
gnutls26 (2.8.3-1) unstable; urgency=high
* New upstream version.
+ Stops hardcoding a hard dependency on the versions of gcrypt and tasn it
was built against. Closes: #540449
+ Fixes CVE-2009-2730, a vulnerability related to NUL bytes in X.509
certificate name fields. Closes: #541439 GNUTLS-SA-2009-4
http://lists.gnu.org/archive/html/help-gnutls/2009-08/msg00011.html
* Drop 15_chainverify_expiredcert.diff, included upstream.
* Urgency high, since 541439 applies to testing, too.
-- Andreas Metzler <email address hidden> Fri, 14 Aug 2009 19:14:29 +0200
-
gnutls26 (2.8.1-2) unstable; urgency=low
[ Simon Josefsson ]
* Remove cruft in rules file.
* Remove patches/15_tasn1inpc.diff, not needed.
[ Andreas Metzler ]
* Finally add an entry to the NEWS.Debian file concerning the deprecation of
RSA-MD2 and RSA-MD5 for signature verification. Closes: #514578
* Upload to unstable.
* 15_chainverify_expiredcert.diff: New patch, pulled from upstream GIT.
Fix testsuite error caused by expired certificate.
-- Andreas Metzler <email address hidden> Thu, 06 Aug 2009 19:12:51 +0200
-
gnutls26 (2.6.6-1) unstable; urgency=high
* use @LTLIBTASN1@ instead of @LIBTASN1@ in Libs.private of *.pc.in. This
way lib-link.m4 gives us -ltasn1 instead of /usr/lib/libtasn1.so.
* New upstream security release.
+ libgnutls: Corrected double free on signature verification failure.
GNUTLS-SA-2009-1 CVE-2009-1415
+ libgnutls: Fix DSA key generation. Noticed when investigating the
previous GNUTLS-SA-2009-1 problem. All DSA keys generated using GnuTLS
2.6.x are corrupt. See the advisory for more details.
GNUTLS-SA-2009-2 CVE-2009-1416
+ libgnutls: Check expiration/activation time on untrusted certificates.
Before the library did not check activation/expiration times on
certificates, and was documented as not doing so.
GNUTLS-SA-2009-3 CVE-2009-1417
* The former two issues only apply to gnutls 2.6.x. The latter is a
brehavior change, add a NEWS.Debian file to document it.
-- Andreas Metzler <email address hidden> Thu, 30 Apr 2009 19:00:21 +0200
-
gnutls26 (2.6.5-1) unstable; urgency=low
* Sync sections in debian/control with override file. libgnutls26-dbg is
section debug, guile-gnutls is section lisp.
* New upstream version. (Needed for Libtasn1-3 2.0)
* New patch 15_tasn1inpc.diff. Make sure libtasn1 is listed in Libs.private.
* Standards-Version: 3.8.1, no changes required.
-- Andreas Metzler <email address hidden> Tue, 14 Apr 2009 14:23:19 +0200
-
gnutls26 (2.6.4-2) unstable; urgency=low
* Upload to unstable.
* Merge changelog entries from unstable and experimental.
-- Andreas Metzler <email address hidden> Mon, 16 Feb 2009 16:43:37 +0100
-
gnutls26 (2.4.2-6) unstable; urgency=medium
* New patches, syncing with 2.4.3 upstream oldstable release:
+ 24_intermedcertificate.patch If a non-root certificate ist trusted
gnutls certificateificate verification stops there instead of checking
up to the root of the certificate chain.
+ 22_whitespace.patch - Whitespace only changes, to make it possible to
apply upstream fixes without manual changes.
+ 25_bufferoverrun.patch. Fix buffer overrun bug in
gnutls_x509_crt_list_import.
http://news.gmane.org/find-root.php?message_id=%3c000001c91d6e%2463059c90%242910d5b0%24%40com%3e
-- Andreas Metzler <email address hidden> Sat, 07 Feb 2009 12:58:51 +0100
-
gnutls26 (2.4.2-5) unstable; urgency=low
* Pull two patches from upstream stable branch to make gnutls behavior
match documentation:
+ patch 23_permit_v1_CA.diff:Accept v1 x509 CA
certs if GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT and/or
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT were supplied. Closes: #509593
+ 22_deprecate_md2_md5_x509_validation.diff: Verifying untrusted X.509
certificates signed with RSA-MD2 or RSA-MD5 will now fail with a
GNUTLS_CERT_INSECURE_ALGORITHM verification output.
-- Andreas Metzler <email address hidden> Sat, 31 Jan 2009 16:26:52 +0100
-
gnutls26 (2.4.2-4) unstable; urgency=medium
* Add Simon Josefsson to uploaders.
* Another fix for the verification fix. Some correct certificate chains were
not recognized as verified. Closes: #507633
-- Andreas Metzler <email address hidden> Sat, 06 Dec 2008 12:09:33 +0100
-
gnutls26 (2.4.2-3) unstable; urgency=low
* Fix a crash on trying to verify self-signed certificates introduced by the
patch for CVE-2008-4989. Closes: #505279
-- Andreas Metzler <email address hidden> Wed, 12 Nov 2008 19:23:23 +0100
-
gnutls26 (2.4.2-2) unstable; urgency=medium
* [CVE-2008-4989.diff] Fix man in the middle attack for certificate
verification. CVE-2008-4989 GNUTLS-SA-2008-3
-- Andreas Metzler <email address hidden> Mon, 10 Nov 2008 19:42:54 +0100
-
gnutls26 (2.4.2-1) unstable; urgency=low
* New upstream bugfix release.
* Up to date gnutls-cli manpage. Closes: #492775
-- Andreas Metzler <email address hidden> Tue, 01 Jul 2008 20:31:24 +0200