-
gnutls28 (3.6.15-4ubuntu2.1) groovy; urgency=medium
* testpkcs11: use datefudge to allow testing with expired certificates.
(LP: #1910255)
-- Brian Murray <email address hidden> Fri, 26 Feb 2021 16:23:02 -0800
-
gnutls28 (3.6.15-4ubuntu2) groovy; urgency=low
* Merge from Debian unstable LP: #1893924. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
* Add patch to fix ftbfs gnulib with new glibc.
gnutls28 (3.6.15-4) unstable; urgency=medium
* autopkgtest: Require build-essential.
* autopkgtest: respect dpkg-buildflags for helper-binary build.
gnutls28 (3.6.15-3) unstable; urgency=medium
* More autopkgtest hotfixes.
gnutls28 (3.6.15-2) unstable; urgency=medium
* 50_autopkgtestfixes.diff: Fix testsuite issues when running against
installed gnutls-bin.
* In autopkgtest set top_builddir and builddir, ignore
tests/cert-tests/tolerate-invalid-time and tests/gnutls-cli-debug.sh.
gnutls28 (3.6.15-1) unstable; urgency=low
* New upstream version.
+ Fixes NULL pointer dereference if a no_renegotiation alert is sent with
unexpected timing. CVE-2020-24659 / GNUTLS-SA-2020-09-04
Closes: #969547
+ Drop 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch
50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
50_03-gnutls_cipher_init-fix-potential-memleak.patch
50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
+ Fix build error due to outdated gettext in Debian by removing newer
gettext m4 macros from m4/.
gnutls28 (3.6.14-2) unstable; urgency=medium
* Pull selected patches from upstream GIT:
+ 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch:
Fixes difference in generated docs on 32 and 64 bit archs.
+ 50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
50_03-gnutls_cipher_init-fix-potential-memleak.patch
Fix memleak in gnutls_aead_cipher_init() with keys having invalid
length. (Broken since 3.6.3)
+ 50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
Closes: #962467
gnutls28 (3.6.14-1) unstable; urgency=high
* Drop debugging code added in -4, fixes nocheck profile build error.
Closes: #962199
* Add Daiki Ueno 462225C3B46F34879FC8496CD605848ED7E69871 key to
debian/upstream/signing-key.asc.
* New upstream version.
+ Fixes insecure session ticket key construction.
[GNUTLS-SA-2020-06-03, CVE-2020-13777] Closes: #962289
+ Drop 50_Update-session_ticket.c-to-add-support-for-zero-leng.patch
51_01-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
51_02-x509-trigger-fallback-verification-path-when-cert-is.patch
51_03-tests-add-test-case-for-certificate-chain-supersedin.patch
* Drop guile-gnutls.lintian-overrides.
* 40_fix_ipv6only_testsuite_AI_ADDRCONFIG.diff: In gnutls-serv do not pass
AI_ADDRCONFIG to getaddrinfo. This broke the testsuite on systems without
IPv4 on non-loopback addresses. (Thanks, Adrian Bunk and Julien Cristau!)
Hopefully Closes: #962218
-- Dimitri John Ledkov <email address hidden> Thu, 24 Sep 2020 12:03:44 +0100
-
gnutls28 (3.6.15-4ubuntu1) groovy; urgency=low
* Merge from Debian unstable LP: #1893924. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
gnutls28 (3.6.15-4) unstable; urgency=medium
* autopkgtest: Require build-essential.
* autopkgtest: respect dpkg-buildflags for helper-binary build.
gnutls28 (3.6.15-3) unstable; urgency=medium
* More autopkgtest hotfixes.
gnutls28 (3.6.15-2) unstable; urgency=medium
* 50_autopkgtestfixes.diff: Fix testsuite issues when running against
installed gnutls-bin.
* In autopkgtest set top_builddir and builddir, ignore
tests/cert-tests/tolerate-invalid-time and tests/gnutls-cli-debug.sh.
gnutls28 (3.6.15-1) unstable; urgency=low
* New upstream version.
+ Fixes NULL pointer dereference if a no_renegotiation alert is sent with
unexpected timing. CVE-2020-24659 / GNUTLS-SA-2020-09-04
Closes: #969547
+ Drop 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch
50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
50_03-gnutls_cipher_init-fix-potential-memleak.patch
50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
+ Fix build error due to outdated gettext in Debian by removing newer
gettext m4 macros from m4/.
gnutls28 (3.6.14-2) unstable; urgency=medium
* Pull selected patches from upstream GIT:
+ 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch:
Fixes difference in generated docs on 32 and 64 bit archs.
+ 50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
50_03-gnutls_cipher_init-fix-potential-memleak.patch
Fix memleak in gnutls_aead_cipher_init() with keys having invalid
length. (Broken since 3.6.3)
+ 50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
Closes: #962467
gnutls28 (3.6.14-1) unstable; urgency=high
* Drop debugging code added in -4, fixes nocheck profile build error.
Closes: #962199
* Add Daiki Ueno 462225C3B46F34879FC8496CD605848ED7E69871 key to
debian/upstream/signing-key.asc.
* New upstream version.
+ Fixes insecure session ticket key construction.
[GNUTLS-SA-2020-06-03, CVE-2020-13777] Closes: #962289
+ Drop 50_Update-session_ticket.c-to-add-support-for-zero-leng.patch
51_01-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
51_02-x509-trigger-fallback-verification-path-when-cert-is.patch
51_03-tests-add-test-case-for-certificate-chain-supersedin.patch
* Drop guile-gnutls.lintian-overrides.
* 40_fix_ipv6only_testsuite_AI_ADDRCONFIG.diff: In gnutls-serv do not pass
AI_ADDRCONFIG to getaddrinfo. This broke the testsuite on systems without
IPv4 on non-loopback addresses. (Thanks, Adrian Bunk and Julien Cristau!)
Hopefully Closes: #962218
-- Dimitri John Ledkov <email address hidden> Thu, 24 Sep 2020 12:03:44 +0100
-
gnutls28 (3.6.13-4ubuntu5) groovy; urgency=medium
* SECURITY UPDATE: null pointer deref via no_renegotiation alert
- debian/patches/CVE-2020-24659.patch: reject no_renegotiation alert if
handshake is incomplete in lib/gnutls_int.h, lib/handshake.c.
- CVE-2020-24659
-- Marc Deslauriers <email address hidden> Tue, 08 Sep 2020 10:09:39 -0400
-
gnutls28 (3.6.13-4ubuntu4) groovy; urgency=medium
* No change rebuild against new libnettle8 and libhogweed6 ABI.
-- Dimitri John Ledkov <email address hidden> Mon, 29 Jun 2020 22:24:52 +0100
-
gnutls28 (3.6.13-4ubuntu3) groovy; urgency=medium
* Enable CET.
-- Dimitri John Ledkov <email address hidden> Sun, 28 Jun 2020 23:48:44 +0100
-
gnutls28 (3.6.13-4ubuntu2) groovy; urgency=medium
* SECURITY UPDATE: flaw in TLS session ticket key construction
- debian/patches/CVE-2020-13777.patch: differentiate initial state from
valid time window of TOTP in lib/stek.c,
tests/resume-with-previous-stek.c, tests/tls13/prf-early.c.
- CVE-2020-13777
-- Marc Deslauriers <email address hidden> Fri, 05 Jun 2020 13:12:39 -0400
-
gnutls28 (3.6.13-4ubuntu1) groovy; urgency=medium
* Resynchronize with Debian; remaining changes:
Set default priority string to only allow TLS1.2, DTLS1.2, and TLS1.3
with medium security profile (2048 RSA keys minimum, and similar).
gnutls28 (3.6.13-4) unstable; urgency=medium
* Output some network related debugging from debian/rules.
* Fix verification error with alternate chains. Closes: #961889
gnutls28 (3.6.13-3) unstable; urgency=medium
* 50_Update-session_ticket.c-to-add-support-for-zero-leng.patch from GnuTLS
master: Handle zero length session tickets, fixing connection errors on
TLS1.2 sessions to some big hosting providers. (See LP 1876286)
-- Sebastien Bacher <email address hidden> Fri, 05 Jun 2020 15:12:03 +0200
-
gnutls28 (3.6.13-2ubuntu1) focal; urgency=medium
* Merge with Debian; remaining changes:
- Set default priority string to only allow TLS1.2, DTLS1.2, and TLS1.3
with medium security profile (2048 RSA keys minimum, and similar).
gnutls28 (3.6.13-2) unstable; urgency=high
* Upload to unstable.
gnutls28 (3.6.13-1) experimental; urgency=low
* New upstream version.
+ libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3
support), since 3.6.3. The DTLS client would not contribute any
randomness to the DTLS negotiation, breaking the security
guarantees of the DTLS protocol.
GNUTLS-SA-2020-03-31 Closes: #955556
* Fix guile lintian override for shared-lib-without-dependency-information.
gnutls28 (3.6.12-2) unstable; urgency=medium
* Upload to unstable.
gnutls28 (3.6.12-1) experimental; urgency=low
[ Debian Janitor ]
* Drop unnecessary dh arguments: --parallel
[ Andreas Metzler ]
* Fix bindtextdomain() call and dgettext() invocations to search for the
correct filename. (Thanks, Laurent Bigonville for report and diagnosis.)
Closes: #949151
* [lintian] Drop superfluous debian/source/include-binaries.
* New upstream version.
+ Update symbol file.
+ Drop workaround for #658110, install guile shared objects to multi-arch
paths.
-- Matthias Klose <email address hidden> Sun, 05 Apr 2020 20:44:49 +0200