-
gnutls28 (3.5.18-1ubuntu1.6) bionic-security; urgency=medium
* SECURITY UPDATE: Null pointer dereference in MD_UPDATE
- debian/patches/CVE-2021-4209.patch: avoid calling _update with
zero-length input in lib/nettle/mac.c.
- CVE-2021-4209
* SECURITY UPDATE: Double free in verification of pkcs7 signatures
- debian/patches/CVE-2022-2509.patch: fix double free during
gnutls_pkcs7_verify in lib/x509/pkcs7.c,
tests/pkcs7-verify-double-free.c, tests/Makefile.am.
- CVE-2022-2509
-- Marc Deslauriers <email address hidden> Tue, 02 Aug 2022 08:58:39 -0400
-
gnutls28 (3.5.18-1ubuntu1.5) bionic; urgency=medium
* Backport patches from Upstream/Debian to check validity against system
certs. This is to allow correctly validating default letsencrypt
chains that now also include a redundant expired certificate. LP:
#1928648
-- Dimitri John Ledkov <email address hidden> Wed, 25 Aug 2021 19:11:11 +0100
-
gnutls28 (3.5.18-1ubuntu1.4) bionic; urgency=medium
* d/p/50_Update-session_ticket.c-to-add-support-for-zero-leng.patch:
- add support for zero length session tickets returned from the server,
thanks Rod for the backport and testing! (lp: #1876286)
-- Sebastien Bacher <email address hidden> Wed, 17 Jun 2020 12:03:27 +0200
-
gnutls28 (3.5.18-1ubuntu1.3) bionic-security; urgency=medium
* SECURITY UPDATE: Allow re-enabling SHA1 for certificate signing with a
priority string (LP: #1860656)
- debian/patches/allow_broken_priority_string.patch: introduce the
%VERIFY_ALLOW_BROKEN priority string option.
- debian/patches/allow_sha1_priority_string.patch: introduce the
%VERIFY_ALLOW_SIGN_WITH_SHA1 priority string option.
-- Marc Deslauriers <email address hidden> Thu, 23 Jan 2020 08:39:38 -0500
-
gnutls28 (3.5.18-1ubuntu1.2) bionic-security; urgency=medium
* SECURITY UPDATE: Mark SHA1 as insecure for certificate signing
- debian/patches/insecuresha1-*.patch: backport upstream patches to
allow marking SHA1 as insecure, but only for certificate signing.
- debian/libgnutls30.symbols: added new symbol.
-- Marc Deslauriers <email address hidden> Wed, 08 Jan 2020 10:39:00 -0500
-
gnutls28 (3.5.18-1ubuntu1.1) bionic-security; urgency=medium
* SECURITY UPDATE: Lucky-13 issues
- debian/patches/CVE-2018-1084x-1.patch: correctly account the length
field in SHA384 HMAC in lib/algorithms/mac.c, lib/cipher.c.
- debian/patches/CVE-2018-1084x-2.patch: always hash the same amount of
blocks that would have been on minimum pad in lib/cipher.c.
- debian/patches/CVE-2018-1084x-3.patch: require minimum padding under
SSL3.0 in lib/cipher.c.
- debian/patches/CVE-2018-1084x-4.patch: hmac-sha384 and sha256
ciphersuites were removed from defaults in lib/priority.c,
tests/dtls1-2-mtu-check.c, tests/priorities.c.
- debian/patches/CVE-2018-1084x-5.patch: fix test for SHA512 in
tests/pkcs12_encode.c.
- CVE-2018-10844
- CVE-2018-10845
- CVE-2018-10846
* SECURITY UPDATE: double free in cert verification API
- debian/patches/CVE-2019-3829-1.patch: automatically NULLify after
gnutls_free() in lib/includes/gnutls/gnutls.h.in.
- debian/patches/CVE-2019-3829-2.patch: fix some casts in
lib/extensions.c.
- debian/patches/CVE-2019-3829-3.patch: fix dereference of NULL pointer
in lib/x509/x509.c.
- CVE-2019-3829
-- Marc Deslauriers <email address hidden> Tue, 28 May 2019 13:18:12 -0400
-
gnutls28 (3.5.18-1ubuntu1) bionic; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/patches/disable_global_init_override_test.patch: disable
failing test.
- debian/patches/add-openssl-test-link.patch: add link for libssl
gnutls28 (3.5.18-1) unstable; urgency=medium
* New upstream version.
* Refresh upstream key, adding new signing subkey. Move to ascii armored
keyring.
-- Julian Andres Klode <email address hidden> Mon, 12 Mar 2018 11:12:59 +0100
-
gnutls28 (3.5.17-1ubuntu3) bionic; urgency=medium
* Rebuild against new libunistring 0.9.9.
-- Gianfranco Costamagna <email address hidden> Sun, 04 Mar 2018 09:24:47 +0100
-
gnutls28 (3.5.17-1ubuntu2) bionic; urgency=medium
* Stop building with --with-included-unistring now that we get a new
unistring
-- Julian Andres Klode <email address hidden> Tue, 13 Feb 2018 16:14:36 +0100
-
gnutls28 (3.5.17-1ubuntu1) bionic; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/patches/disable_global_init_override_test.patch: disable
failing test.
- debian/patches/add-openssl-test-link.patch: add link for libssl
* Build with --with-included-unistring for now as our libunistring is
too old and needs a transition.
gnutls28 (3.5.17-1) unstable; urgency=low
* New upstream version.
+ When verifying against a self signed certificate ignore issuer. That
is, ignore issuer when checking the issuer's parameters strength,
resolving issue #347 which caused self signed certificates to be
additionally marked as of insufficient security level.
Closes: #885127
gnutls28 (3.5.16-1) unstable; urgency=medium
* New upstream version.
+ Fixes interoperability issue with openssl when safe renegotiation was
used. Closes: #873055
* 35_modernize_gtkdoc.diff from upstream GIT master: Modernize gtk-doc
support. Update gtk-doc.make, m4/gtk-doc.m4 and doc/reference/Makefile.am
from gtk-doc git head (that is 1.26 +
c08cc78562c59082fc83b55b58747177510b7a70). Disable gtkdoc-check.
Closes: #876587
gnutls28 (3.5.15-2) unstable; urgency=medium
* Upload to unstable.
gnutls28 (3.5.15-1) experimental; urgency=medium
* New upstream version. Drop unneeded patches.
(31_arm64ilp32-unaccelerated.patch
35_record-added-sanity-checking-in-the-record-layer-ver.patch
36_parse_pem_cert_mem-fixed-issue-resulting-to-accessin.patch)
gnutls28 (3.5.14-3) unstable; urgency=low
* 35_record-added-sanity-checking-in-the-record-layer-ver.patch from
upstream gnutls_3_5_x branch: Prevent crash on calling gnutls_bye() on an
already terminated or deinitialized session. Closes: #867303
* 36_parse_pem_cert_mem-fixed-issue-resulting-to-accessin.patch from
upstream gnutls_3_5_x branch: parse_pem_cert_mem: fixed issue resulting
to accessing past the input data.
* 31_arm64ilp32-unaccelerated.patch by Wookey: Disable assembly
code on arm64ilp32 to fix FTBFS. Closes: #872454
* Use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog, except for
the compatibility code for setting SOURCE_DATE_EPOCH with dpkg << 1.18.8.
* Standards-Version 4.0.1, update priorities (extra->optional).
gnutls28 (3.5.14-2) unstable; urgency=medium
* Upload to unstable.
gnutls28 (3.5.14-1) experimental; urgency=low
[ Dan Nicholson ]
* Build with --disable-rpath. Closes: #865674
[ Andreas Metzler ]
* New upstream version.
* Build against external libunistring.
gnutls28 (3.5.13-2) unstable; urgency=medium
* Upload to unstable, merge changelogs.
gnutls28 (3.5.13-1) experimental; urgency=low
* New upstream version.
+ Drop 35_test-corrected-typo-preventing-the-run-of-openpgp-te.patch.
+ Fixes GNUTLS-SA-2017-4/CVE-2017-7507 - Crash due to a null pointer
dereference. #864560
gnutls28 (3.5.12-2) experimental; urgency=medium
* 35_test-corrected-typo-preventing-the-run-of-openpgp-te.patch: Correct
typo preventing the run of openpgp test.
* Stop disabling heartbeat support. Closes: #861193
gnutls28 (3.5.12-1) experimental; urgency=medium
* New upstream version.
* Bump dep info on gnutls_session_ext_register.
gnutls28 (3.5.11-1) experimental; urgency=medium
* New upstream version.
* gnutls.pc: do not include libtool options into Libs.private.
Closes: #857943
* gnutls.pc does not refer to e.g. zlib in *both* Requires.private and
Libs.private. (LP: #1660915)
* OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority,
which includes TLS1.2 support. Closes: #857436
* Add b-d on ca-certificates, needed for trust-store check.
gnutls28 (3.5.10-1) experimental; urgency=medium
* New upstream version.
+ gnutls.pc: do not include libidn2 in Requires.private. Closes: #855888
+ Includes fixes for GNUTLS-SA-2017-3[ABC].
+ Bump info for gnutls_store_commitment, gnutls_ocsp_resp_verify_direct
and gnutls_ocsp_resp_verify which now accept (more) flags.
gnutls28 (3.5.9-1) experimental; urgency=medium
* New upstream version.
+ Drop debian/patches/35_0*.
+ Update symbol file, adding gnutls_idna_map and gnutls_idna_reverse_map.
* Build with IDNA 2008 support, b-d on libidn2-0-dev instead of
libidn11-dev.
-- Julian Andres Klode <email address hidden> Mon, 22 Jan 2018 13:24:04 +0100
-
gnutls28 (3.5.8-6ubuntu3) artful; urgency=medium
* Cherry pick several fixes from Debian 3.5.8-5+deb9u3:
- 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from
gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa
signatures. LP: #1714506
- 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from
upstream 3.5.x branch: Fix breakage if AES-GCM in-place encryption and
decryption on aarch64. LP: #1707172
-- Julian Andres Klode <email address hidden> Sat, 02 Sep 2017 16:12:49 +0200