Change logs for gnutls28 source package in Artful

  • gnutls28 (3.5.8-6ubuntu3) artful; urgency=medium
    
      * Cherry pick several fixes from Debian 3.5.8-5+deb9u3:
        - 38_01-OCSP-check-the-subject-public-key-identifier-field-t.patch
          38_02-OCSP-find_signercert-improved-DER-length-calculation.patch from
          gnutls 3.5.14: Fix OCSP verification errors, especially with ecdsa
          signatures. LP: #1714506
        - 37_aarch64-fix-AES-GCM-in-place-encryption-and-decrypti.patch from
          upstream 3.5.x branch: Fix breakage of AES-GCM in-place encryption and
          decryption on aarch64. LP: #1707172
    
     -- Julian Andres Klode <email address hidden>  Sat, 02 Sep 2017 16:12:49 +0200
  • gnutls28 (3.5.8-6ubuntu2) artful; urgency=medium
    
      * use_normal_priority_for_openssl_sslv23.diff by Andreas Metzler:
        OpenSSL wrapper: SSLv23_*_method translates to NORMAL GnuTLS priority,
        which includes TLS1.2 support. (LP: #1709193)
    
     -- Simon Deziel <email address hidden>  Thu, 10 Aug 2017 00:34:06 +0000
  • gnutls28 (3.5.8-6ubuntu1) artful; urgency=medium
    
      * Merge with Debian. Remaining changes:
        - debian/patches/disable_global_init_override_test.patch: disable
          failing test.
        - debian/patches/add-openssl-test-link.patch: add link for libssl
    
    gnutls28 (3.5.8-6) unstable; urgency=high
    
      * 36_CVE-2017-7507_*.patch: Pulled from 3.5.13, fix crash upon receiving
        well-formed status_request extension. GNUTLS-SA-2017-4/CVE-2017-7507
        Closes: #864560
    
     -- Marc Deslauriers <email address hidden>  Tue, 13 Jun 2017 13:19:05 -0400
  • gnutls28 (3.5.8-5ubuntu1) artful; urgency=medium
    
      * Merge with Debian. Remaining changes:
        - debian/patches/disable_global_init_override_test.patch: disable
          failing test.
        - debian/patches/add-openssl-test-link.patch: add link for libssl
    
    gnutls28 (3.5.8-5) unstable; urgency=medium
    
      * 35_01_z_opencdk-read-packet.c-corrected-typo-in-type-cast.patch: Fix typo
        in 35_01_opencdk-improved-error-code-checking-in-the-stream-r.patch.
      * 35_07_Enforce-the-max-packet-length-for-OpenPGP-subpackets.patch:
        Addressed large allocation in OpenPGP certificate parsing, that could lead
        to an out-of-memory condition. Issue found using oss-fuzz project, and was
        fixed by Alex Gaynor.
        https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392
        [GNUTLS-SA-2017-3C]
    
    gnutls28 (3.5.8-4) unstable; urgency=medium
    
      * More upstream fixes from gnutls_3_5_x branch:
        + 35_05_cdk_pkt_read-enforce-packet-limits.patch: Addressed integer
          overflow resulting in invalid memory write in OpenPGP certificate
          parsing.  Issue found using oss-fuzz project:
          https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
          [GNUTLS-SA-2017-3A]
        + 35_05_opencdk-read_attribute-account-buffer-size.patch Addressed read of
          1 byte past the end of buffer in OpenPGP certificate parsing. Issue
          found using oss-fuzz project:
          https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391
        + 35_06_opencdk-do-not-parse-any-secret-keys-in-packet-when-.patch
          Addressed crashes in OpenPGP certificate parsing, related to private key
          parser. No longer allow OpenPGP certificates (public keys) to contain
          private key sub-packets. Issue found using oss-fuzz project:
          https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
          https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360
          [GNUTLS-SA-2017-3B]
    
    gnutls28 (3.5.8-3) unstable; urgency=high
    
      * Another two bugfixes from upstream.
       + 35_03_Address-test-suite-failure-due-to-timezone-differenc.patch
         Address test suite failure due to timezone differences.
         Closes: #853732
       + 35_04_gnutls_pkcs11_obj_list_import_url4-always-return-an-.patch
         When returning success but no elements,
         gnutls_pkcs11_obj_list_import_url4 could have returned zero number of
         elements with a pointer that was uninitialized.
    
    gnutls28 (3.5.8-2) unstable; urgency=medium
    
      * Pull two fixes from upstream GIT gnutls_3_5_x branch
        35_01_opencdk-improved-error-code-checking-in-the-stream-r.patch
        35_02_Disable-AVX-support-when-it-is-not-supported-by-the-.patch.
    
    gnutls28 (3.5.8-1) unstable; urgency=medium
    
      * New upstream release.
      * Upload to unstable.
    
    gnutls28 (3.5.7+git668ea9-1) experimental; urgency=medium
    
      * New upstream git snapshot 668ea956379d7ad65908912d2fa2e4499d45eddc from
        upstream gnutls_3_5_x branch (2016-01-06). (Results of make dist + adding
        tests/key-tests/key-invalid.)
        + Drop 35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch
          35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch
        + libgnutls: Fix double free in certificate information printing. If the
          PKIX extension proxy was set with a policy language set but no policy
          specified, that could lead to a double free. GNUTLS-SA-2017-1
          CVE-2017-5334
        + libgnutls: Addressed invalid memory accesses in OpenPGP certificate
          parsing. (issues found using oss-fuzz project) GNUTLS-SA-2017-2
          CVE-2017-5335 / CVE-2017-5336 / CVE-2017-5337
    
    gnutls28 (3.5.7-3) unstable; urgency=medium
    
      * 35_01_pkcs8-ensure-that-the-correct-error-code-is-returned.patch,
        35_02_tests-added-test-for-PKCS-8-encrypted-key-decoding.patch from
        upstream 3.5 branch: Ensure that GNUTLS_E_DECRYPTION_FAIL will be returned
        by PKCS#8 decryption functions when an invalid key is provided. This
        addresses regression on decrypting certain PKCS#8 keys.
        Closes: #848905
    
    gnutls28 (3.5.7-2) unstable; urgency=medium
    
      * Upload to unstable.
    
    gnutls28 (3.5.7-1) experimental; urgency=low
    
      * New upstream version.
      * Drop unneeded patches.
        40_01_sockets-only-use-gnutls_bye-on-a-valid-socket-sessio.patch
        40_02_gnutls-cli-debug-terminate-sessions-which-cannot-be-.patch
        41_01_Introduced-new-functions-to-allow-multiple-DN-parsin.patch
        41_02__gnutls_x509_get_dn-when-no-data-ensure-we-return-GN.patch
        41_03_certtool-use-the-new-APIs-for-DN-extraction.patch
        41_04_cleanups-in-_gnutls_buffer_to_datum.patch
        41_05_x509-output-use-the-new-functions-for-DN-output.patch
        41_07_tests-account-for-the-strict-RFC4514-compliance-reve.patch
        41_08_pkcs7-output-use-the-new-functions-for-DN-output.patch
      * Add missing dependency of libgnutls28-dev on libgnutls-dane0.
      * Update symbol file. (Add new symbols, bump dependency on functions that
        might return new error codes.)
      * Build with --with-included-unistring, Debian's libunistring package is
        too old (non dual-licensed).
    
    gnutls28 (3.5.6-7) unstable; urgency=low
    
      * Point UNBOUND_ROOT_KEY_FILE to /usr/share/dns/root.key and add a Suggest
        for dns-root-data to libgnutls-dane0.
      * Upload to unstable.
    
    gnutls28 (3.5.6-6) experimental; urgency=medium
    
      * Pull a patch set from upstream GIT which reverts the DN sorting change in
        3.5.6 and adds new functions to provide a RFC4514 compliant sorting.
        Closes: #844539
        41_01_Introduced-new-functions-to-allow-multiple-DN-parsin.patch
        41_02__gnutls_x509_get_dn-when-no-data-ensure-we-return-GN.patch
        41_03_certtool-use-the-new-APIs-for-DN-extraction.patch
        41_04_cleanups-in-_gnutls_buffer_to_datum.patch
        41_05_x509-output-use-the-new-functions-for-DN-output.patch
        41_07_tests-account-for-the-strict-RFC4514-compliance-reve.patch
        41_08_pkcs7-output-use-the-new-functions-for-DN-output.patch
      * Update symbol file.
    
    gnutls28 (3.5.6-5) experimental; urgency=low
    
      * Merge changes from unstable.
    
     -- Marc Deslauriers <email address hidden>  Wed, 03 May 2017 10:00:32 -0400
  • gnutls28 (3.5.6-4ubuntu4) zesty; urgency=medium
    
      * Fix FTBFS because of failing test (LP: #1679868)
        - debian/patches/fix_tests_timezone.patch: address test suite failure
          due to timezone differences in tests/cert-tests/pkcs7.
    
     -- Marc Deslauriers <email address hidden>  Wed, 05 Apr 2017 10:06:24 -0400