-
gnutls28 (3.5.3-5ubuntu1.2) yakkety-security; urgency=medium
* SECURITY UPDATE: null pointer dereference via status response TLS
extension decoding
- debian/patches/CVE-2017-7507-1.patch: ensure response IDs are
properly deinitialized in lib/ext/status_request.c.
- debian/patches/CVE-2017-7507-2.patch: remove parsing of responder IDs
from client extension in lib/ext/status_request.c.
- debian/patches/CVE-2017-7507-3.patch: documented requirements for
parameters in lib/ext/status_request.c.
- CVE-2017-7507
* SECURITY UPDATE: DoS and possible code execution via OpenPGP
certificate decoding
- debian/patches/CVE-2017-7869.patch: enforce packet limits in
lib/opencdk/read-packet.c.
- CVE-2017-7869
-- Marc Deslauriers <email address hidden> Mon, 12 Jun 2017 09:31:08 -0400
-
gnutls28 (3.5.3-5ubuntu1.1) yakkety-security; urgency=medium
* SECURITY UPDATE: denial of service via warning alerts
- debian/patches/CVE-2016-8610.patch: set a maximum number of warning
messages in lib/gnutls_int.h, lib/handshake.c, lib/state.c.
- CVE-2016-8610
* SECURITY UPDATE: double-free when reading proxy language
- debian/patches/CVE-2017-5334.patch: fix double-free in
lib/x509/x509_ext.c.
- CVE-2017-5334
* SECURITY UPDATE: out of memory error in stream reading functions
- debian/patches/CVE-2017-5335.patch: add error checking to
lib/opencdk/read-packet.c.
- CVE-2017-5335
* SECURITY UPDATE: stack overflow in cdk_pk_get_keyid
- debian/patches/CVE-2017-5336.patch: check return code in
lib/opencdk/pubkey.c.
- CVE-2017-5336
* SECURITY UPDATE: heap read overflow when reading streams
- debian/patches/CVE-2017-5337.patch: add more precise checks to
lib/opencdk/read-packet.c.
- CVE-2017-5337
-- Marc Deslauriers <email address hidden> Thu, 26 Jan 2017 08:24:51 -0500
-
gnutls28 (3.5.3-5ubuntu1) yakkety; urgency=medium
* Merge with Debian (LP: #1624856). Remaining changes:
- debian/patches/disable_global_init_override_test.patch: disable failing
test.
- debian/patches/add-openssl-test-link.patch: add link for libssl
gnutls28 (3.5.3-5) experimental; urgency=medium
* Pull DTLS fixes from upstream GIT master.
45_01-tests-enhance-the-DTLS-window-unit-test-to-account-f.patch
45_02-dtls-ensure-that-the-DTLS-window-doesn-t-get-stalled.patch
45_03-tests-mini-dtls-record-modified-expected-order-to-ac.patch
45_04-Import-DTLS-sliding-window-validation-from-OpenConne.patch
Closes: #835587
-- Anders Kaseorg <email address hidden> Sun, 18 Sep 2016 08:03:47 -0400
-
gnutls28 (3.5.3-4ubuntu1) yakkety; urgency=medium
* Merge with Debian; remaining changes:
- debian/patches/disable_global_init_override_test.patch: disable failing
test.
- debian/patches/add-openssl-test-link.patch: add link for libssl
gnutls28 (3.5.3-4) unstable; urgency=high
* 39_ocsptool-corrected-bug-in-session-establishment.patch: Fix segfault of
ocsptool --ask ... Closes: #836371
* 40_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch: OCSP
certificate check doesn't actually verify the serial length and might
succeed when it shouldn't.
-- Matthias Klose <email address hidden> Tue, 06 Sep 2016 14:55:35 +0200
-
gnutls28 (3.5.3-3ubuntu1) yakkety; urgency=medium
* Merge with Debian; remaining changes:
gnutls28 (3.5.3-3) unstable; urgency=medium
* 35_gnutls-cli-print-Handshake-was-completed.patch: Again print 'Handshake
was completed', fixing emacs' lisp/net/tls.el. Closes: #834516
* 36_gnutls-cli-fixed-the-behavior-when-starttls-or-start.patch
gnutls-cli STARTTLS support was broken in 3.5.3.
* 37_openssl-format-fix-from-openconnect.patch: Fix GnuTLS handling of
OpenSSL encrypted PEM files.
gnutls28 (3.5.3-2) unstable; urgency=medium
* Upload to unstable.
gnutls28 (3.5.3-1) experimental; urgency=medium
* New upstream version.
+ Update libgnutls30.symbols.
+ Drop 31_nettle-use-rsa_-_key_prepare-on-key-import.patch (forgot to
apply it in the previous upload anyway.)
+ Add b-d on libcmocka-dev (marked with <!nocheck>).
gnutls28 (3.5.2-3) experimental; urgency=medium
* Cherry pick 31_nettle-use-rsa_-_key_prepare-on-key-import.patch
from upstream GIT, which should allow gnutls to continue to work with
CVE-2016-6489-patched nettle.
-- Matthias Klose <email address hidden> Wed, 31 Aug 2016 14:13:04 +0200
-
gnutls28 (3.5.2-2ubuntu4) yakkety; urgency=medium
* Revert the last change, fail again on failed tests.
-- Matthias Klose <email address hidden> Thu, 11 Aug 2016 17:15:26 +0200
-
gnutls28 (3.5.2-2ubuntu3) yakkety; urgency=medium
* Ignore the test results for a first build.
-- Matthias Klose <email address hidden> Thu, 11 Aug 2016 15:22:38 +0200
-
gnutls28 (3.5.2-2ubuntu2) yakkety; urgency=medium
* Ignore the test results for a first build.
-- Matthias Klose <email address hidden> Thu, 11 Aug 2016 15:22:38 +0200
-
gnutls28 (3.5.2-2ubuntu1) yakkety; urgency=low
* Merge from Debian unstable (LP: #1608129). Remaining changes:
- debian/patches/disable_global_init_override_test.patch: disable failing
test.
- debian/patches/add-openssl-test-link.patch: add link for libssl
gnutls28 (3.5.2-2) unstable; urgency=low
* Upload to unstable.
gnutls28 (3.5.2-1) experimental; urgency=low
* New upstream version.
* Add libssl-dev b-d (marked with <!nocheck>), which can be used in
testsuite.
gnutls28 (3.5.1-1) experimental; urgency=medium
* Merge from unstable:
+ Drop libgnutls30 Conflicts with libnettle4, libhogweed2. - These should
have been dropped with the soname bump from libgnutls-deb0-28 to
libgnutls30 in the first place. (Thanks, Andreas Beckmann)
Closes: #825645
+ 3.5.1 testsuite also requires netstat, add b-d, marked as optional via
the <!nocheck> profile.
* New upstream version.
+ Drop 40_openssl_compat-removed-unneeded-headers.patch.
+ Install README.md instead of README.
+ Update symbol file.
gnutls28 (3.5.0-1) experimental; urgency=medium
* New upstream release.
+ Drop unneeded patches:
40_src-added-systemkey-args-to-BUILT_SOURCES.patch
45_01_gnutls_ocsp_resp_get_single-fail-if-thisUpdate-is-no.patch
45_02_gnutls_packet_get-avoid-null-pointer-dereference-on-.patch
45_03_configure-corrected-regression-which-prevented-the-b.patch
45_04_handshake-do-not-overwrite-the-server-s-signature-al.patch
* Pull 40_openssl_compat-removed-unneeded-headers.patch from upstream GIT
to fix FTBFS in openssl wrapper.
* crywrap is not shipped with GnuTLS anymore.
* Update copyright info, ship copy of the GNU Affero General Public
License v3 in /usr/share/doc/libgnutls30/AGPLv3.license, two files of
the testsuite use this license.
* Update symbol file:
+ Add new functions.
+ Multiple core enums (including gnutls_init_flags_t) have been extended,
and most gnutls users will invoke at least one function affected by
this change. Bump symbol dependency info to >= 3.5.0 for all symbols,
because we would end up with this dependency anyway.
-- Gianfranco Costamagna <email address hidden> Sat, 30 Jul 2016 23:39:07 +0200
-
gnutls28 (3.4.14-1ubuntu1) yakkety; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/patches/disable_global_init_override_test.patch: disable failing
test.
* Drop rename from libgnutls28-dev to libgnutls-dev. No sign that Debian
is ever going to make this change, and only 14 packages build-depend on
libgnutls-dev in Ubuntu, so this is an unnecessary delta.
gnutls28 (3.4.14-1) unstable; urgency=medium
* Also mark b-d on net-tools/freebsd-net-tools as optional via the
<!nocheck> profile. (Thanks, Steven Chamberlain for bug-report and
patch). Closes: #826693
* New upstream bugfix release. This includes the following fix:
+ libgnutls: Address issue when utilizing the p11-kit trust store
for certificate verification (GNUTLS-SA-2016-2).
The issue is not relevant for the Debian binary packages, since we do not
build with --with-default-trust-store-pkcs11=.
gnutls28 (3.4.13-1) unstable; urgency=high
* New upstream bugfix release.
+ Fixes GNUTLS-SA-2016-1 (File overwrite by setuid programs), which was
introduced in 3.4.12.
+ Testsuite requires netstat, add b-d.
gnutls28 (3.4.12-2) unstable; urgency=medium
* Drop libgnutls30 Conflicts with libnettle4, libhogweed2. - These should
have been dropped with the soname bump from libgnutls-deb0-28 to
libgnutls30 in the first place. (Thanks, Andreas Beckmann)
Closes: #825645
gnutls28 (3.4.12-1) unstable; urgency=medium
* New upstream version.
+ Drop superfluous patches.
(45_01_gnutls_ocsp_resp_get_single-fail-if-thisUpdate-is-no.patch
45_02_gnutls_packet_get-avoid-null-pointer-dereference-on-.patch
45_03_configure-corrected-regression-which-prevented-the-b.patch
45_04_handshake-do-not-overwrite-the-server-s-signature-al.patch)
+ Update copyright info, ship copy of the GNU Affero General Public
License v3 in /usr/share/doc/libgnutls30/AGPLv3.license, two files
of the testsuite use this license.
-- Steve Langasek <email address hidden> Thu, 14 Jul 2016 19:14:00 -0700
-
gnutls28 (3.4.14-1) unstable; urgency=medium
* Also mark b-d on net-tools/freebsd-net-tools as optional via the
<!nocheck> profile. (Thanks, Steven Chamberlain for bug-report and
patch). Closes: #826693
* New upstream bugfix release. This includes the following fix:
+ libgnutls: Address issue when utilizing the p11-kit trust store
for certificate verification (GNUTLS-SA-2016-2).
The issue is not relevant for the Debian binary packages, since we do not
build with --with-default-trust-store-pkcs11=.
-- Andreas Metzler <email address hidden> Sat, 09 Jul 2016 14:01:05 +0200
-
gnutls28 (3.4.11-4ubuntu1) yakkety; urgency=medium
* Merge with Debian; remaining changes:
- Make gnutls28 default.
- debian/patches/disable_global_init_override_test.patch: disable failing
test.
gnutls28 (3.4.11-4) unstable; urgency=medium
* Drop guile-gnutls package, testsuite errors have stayed unfixed too long.
Closes: #821457, #805863
gnutls28 (3.4.11-3) unstable; urgency=medium
* Upload to unstable.
gnutls28 (3.4.11-2) experimental; urgency=medium
* Pull post-release fixes from upstream gnutls_3_4_x branch.
(45_01_gnutls_ocsp_resp_get_single-fail-if-thisUpdate-is-no.patch
45_02_gnutls_packet_get-avoid-null-pointer-dereference-on-.patch
45_03_configure-corrected-regression-which-prevented-the-b.patch
45_04_handshake-do-not-overwrite-the-server-s-signature-al.patch)
gnutls28 (3.4.11-1) experimental; urgency=medium
* New upstream version.
+ Drop superfluous patches.
(41_tests-mini-loss-time-ensure-client-timeouts.diff
42_mini-loss-time-improved-timeout-detection.patch
43_fix_cpucapoverride.diff)
* Due to changes in gtk-doc or its dependencies api-reference/index.sgml is
not installed/built anymore. Update gnutls-doc file list.
* Enable hardening=+bindnow.
-- Matthias Klose <email address hidden> Thu, 19 May 2016 15:41:35 +0200
-
gnutls28 (3.4.10-4ubuntu1) xenial; urgency=medium
* Merge with Debian; remaining changes:
- Make gnutls28 default.
- debian/patches/disable_global_init_override_test.patch: disable failing
test.
gnutls28 (3.4.10-4) unstable; urgency=medium
* 43_fix_cpucapoverride.diff by Nikos Mavrogiannopoulos: Fix
GNUTLS_CPUID_OVERRIDE function, stopping it from enabling SSE3 when it is
unavailable. Closes: #818341
gnutls28 (3.4.10-3) unstable; urgency=medium
* Upload to unstable.
gnutls28 (3.4.10-2) experimental; urgency=medium
* Simplify override_dh_auto_test target. (Thanks, Steven Chamberlain)
* Add debian/patches/42_mini-loss-time-improved-timeout-detection.patch,
another try for Closes: #813598
gnutls28 (3.4.10-1) experimental; urgency=medium
* Pull 40_src-added-systemkey-args-to-BUILT_SOURCES.patch from upstream GIT
master to fix FTBFS with parallel builds. Closes: #816148
* New upstream version.
* Pull 41_tests-mini-loss-time-ensure-client-timeouts.diff from upstream
master branch to fix occasional testsuite error. Closes: #813598
-- Matthias Klose <email address hidden> Mon, 21 Mar 2016 14:53:18 +0100