libgnutls28 appears to not have been updated for CVE-2014-3466 in Trusty

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

There is a fix for this in the Debian version 3.2.15-2 of the package.

It has a severe impact on a large portion of Ubuntu users.

trivial patch attached from
https://www.gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3466

test build ongoing on ppa:costamagnagianfranco/locutusofborg-ppa

subscribing ubuntu-security-sponsors as per:

https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors

Hi LocutusOfBorg - Thank you for the debdiff. I've made some adjustments to it in order to follow our security update packing guidelines (https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging):

 - Pocket should be trusty-security instead of trusty
 - Version should be 3.2.11-2ubuntu1.1 instead of 3.2.11-2ubuntu2
 - Patch was missing the DEP3 origin patch tag
 - Changelog did not follow the "SECURITY UPDATE:" style

Additionally, I folded in upstream's test patch (https://www.gitorious.org/gnutls/gnutls/commit/a7be326f0e33cf7ce52b36474c157f782d9ca977). Build tests are always a nice thing to add.

Thanks!

Hi Tyler,

> - Pocket should be trusty-security instead of trusty

I remember Coling saying something about proposed mapped automatically to the release, I thought security was actually the same, but obviously not because they are not in the same pocket (bad me, I didn't think enough)

- Version should be 3.2.11-2ubuntu1.1 instead of 3.2.11-2ubuntu2

OOps, sorry I usually fix stuff in packages I maintain, bad me

- Patch was missing the DEP3 origin patch tag

yes, sorry

- Changelog did not follow the "SECURITY UPDATE:" style

this is something I'm trying to learn, but I forgot/I'm not able to do it correctly.

thanks a lot for the fixes and for caring!

No worries! I also prepared a 12.04 update since the patch is trivial. Packages are building now.

This bug was fixed in the package gnutls28 - 3.0.11-1ubuntu2.1

---------------
gnutls28 (3.0.11-1ubuntu2.1) precise-security; urgency=medium

  * SECURITY UPDATE: Denial of service and possible remote arbitrary code
    execution via crafted ServerHello message
    - debian/patches/21_CVE-2014-3466.patch: Add upper bounds check for
      session id size. Based on upstream patch. (LP: #1326779)

 -- Tyler Hicks <email address hidden> Thu, 11 Jun 2015 10:51:35 -0500

This bug was fixed in the package gnutls28 - 3.2.11-2ubuntu1.1

---------------
gnutls28 (3.2.11-2ubuntu1.1) trusty-security; urgency=medium

  [ Gianfranco Costamagna ]
  * SECURITY UPDATE: Denial of service and possible remote arbitrary code
    execution via crafted ServerHello message
    - debian/patches/21_CVE-2014-3466.patch: Add upper bounds check for
      session id size. Based on upstream patch. (LP: #1326779)

  [ Tyler Hicks ]
  * debian/patches/21_CVE-2014-3466.patch: Fold in the test for
    CVE-2014-3466's fix. Based on upstream patch.

 -- Tyler Hicks <email address hidden> Thu, 11 Jun 2015 10:42:35 -0500