gnutls28 (3.8.3-1.1ubuntu3.4) noble-security; urgency=medium
* SECURITY UPDATE: double-free via otherName in the SAN
- debian/patches/CVE-2025-32988.patch: avoid double free when exporting
othernames in SAN in lib/x509/extensions.c.
- CVE-2025-32988
* SECURITY UPDATE: OOB read via malformed length field in SCT extension
- debian/patches/CVE-2025-32989.patch: fix read buffer overrun in SCT
timestamps in lib/x509/x509_ext.c.
- CVE-2025-32989
* SECURITY UPDATE: heap write overflow in certtool via invalid template
- debian/patches/CVE-2025-32990.patch: avoid 1-byte write buffer
overrun when parsing template in src/certtool-cfg.c,
tests/cert-tests/Makefile.am, tests/cert-tests/template-test.sh,
tests/cert-tests/templates/template-too-many-othernames.tmpl.
- CVE-2025-32990
* SECURITY UPDATE: NULL deref via missing PSK in TLS 1.3 handshake
- debian/patches/CVE-2025-6395.patch: clear HSK_PSK_SELECTED when
resetting binders in lib/handshake.c, lib/state.c, tests/Makefile.am,
tests/tls13/hello_retry_request_psk.c.
- CVE-2025-6395
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 11 Jul 2025 08:58:05 -0400
gnutls28 (3.8.3-1.1ubuntu3.3) noble-security; urgency=medium
* SECURITY UPDATE: resource consumption issue when decoding DER-encoded
certificate data
- debian/patches/CVE-2024-12243.patch: optimize name constraints
processing in lib/datum.c, lib/x509/name_constraints.c,
lib/x509/x509_ext.c, lib/x509/x509_ext_int.h, lib/x509/x509_int.h.
- CVE-2024-12243
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 12 Feb 2025 09:55:11 -0500
gnutls28 (3.8.3-1.1ubuntu3.2) noble-proposed; urgency=medium
* SRU: LP: #2076340: No-change rebuild to pick up changed build flags
on ppc64 and s390x.
-- Matthias Klose <doko@ubuntu.com> Fri, 09 Aug 2024 04:33:21 +0200
gnutls28 (3.8.3-1.1ubuntu3.1) noble-security; urgency=medium
* SECURITY UPDATE: side-channel leak via Minerva attack
- debian/patches/CVE-2024-28834.patch: avoid normalization of mpz_t in
deterministic ECDSA in lib/nettle/int/dsa-compute-k.c,
lib/nettle/int/dsa-compute-k.h, lib/nettle/int/ecdsa-compute-k.c,
lib/nettle/int/ecdsa-compute-k.h, lib/nettle/pk.c,
tests/sign-verify-deterministic.c.
- CVE-2024-28834
* SECURITY UPDATE: crash via specially-crafted cert bundle
- debian/patches/CVE-2024-28835.patch: remove length limit of input in
lib/gnutls_int.h, lib/x509/common.c, lib/x509/verify-high.c,
tests/test-chains.h.
- CVE-2024-28835
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 18 Apr 2024 09:54:34 -0400
gnutls28 (3.8.3-1.1ubuntu3) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 31 Mar 2024 06:17:25 +0000
gnutls28 (3.8.3-1.1ubuntu2) noble; urgency=medium
* No-change rebuild against libhogweed6t64.
-- Matthias Klose <doko@ubuntu.com> Tue, 05 Mar 2024 16:42:37 +0100
gnutls28 (3.8.3-1.1ubuntu1) noble; urgency=medium
* Merge with Debian; remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Forcefully disable TLS 1.0 and 1.1 through /etc/gnutls/config.
- Forcefully disable DTLS 0.9 and 1.0 through /etc/gnutls/config.
- Fix logic for i386 autopkgtest on an amd64 host
- Don't run the testsuite under the influence of a configuration file.
-- Matthias Klose <doko@ubuntu.com> Mon, 04 Mar 2024 19:00:31 +0100
gnutls28 (3.8.3-1.1) unstable; urgency=medium
* Non-maintainer upload.
* Rename libraries for 64-bit time_t transition. Closes: #1063297
-- Steve Langasek <vorlon@debian.org> Wed, 28 Feb 2024 21:26:17 +0000
gnutls28 (3.8.3-1ubuntu1) noble; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Forcefully disable TLS 1.0 and 1.1 through /etc/gnutls/config.
- Forcefully disable DTLS 0.9 and 1.0 through /etc/gnutls/config.
- Fix logic for i386 autopkgtest on an amd64 host
- Don't run the testsuite under the influence of a configuration file.
* debian/patches/CVE-2023-5981.patch: dropped, included in new version.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 26 Jan 2024 07:39:04 -0500
gnutls28 (3.8.3-1) unstable; urgency=medium
* New upstream version.
Fix assertion failure when verifying a certificate chain with a cycle of
cross signatures. CVE-2024-0567 GNUTLS-SA-2024-01-09 Closes: #1061045
Fix more timing side-channel inside RSA-PSK key exchange. CVE-2024-0553
GNUTLS-SA-2024-01-14 Closes: #1061046
-- Andreas Metzler <ametzler@debian.org> Wed, 17 Jan 2024 18:26:52 +0100
gnutls28 (3.8.2-1) unstable; urgency=medium
* New upstream version.
+ Drop cherrypicked patches.
+ Update symbol file.
+ Update copyright file.
+ Includes fix for CVE-2023-5981 / GNUTLS-SA-2023-10-23. Closes: #1056188
-- Andreas Metzler <ametzler@debian.org> Wed, 29 Nov 2023 08:55:21 +0100
gnutls28 (3.8.1-4ubuntu7) noble; urgency=medium
* Forcefully disable DTLS 0.9 and 1.0 through /etc/gnutls/config.
See lp-merge #458092 for context.
-- Adrien Nader <adrien.nader@canonical.com> Wed, 03 Jan 2024 15:06:38 +0100
gnutls28 (3.8.1-4ubuntu6) noble; urgency=medium
* SECURITY UPDATE: timing side-channel inside RSA-PSK key exchange
- debian/patches/CVE-2023-5981.patch: side-step potential side-channel
in lib/auth/rsa.c, lib/auth/rsa_psk.c, lib/gnutls_int.h,
lib/priority.c.
- CVE-2023-5981
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 23 Nov 2023 14:04:17 -0500
gnutls28 (3.8.1-4ubuntu5) noble; urgency=medium
* armhf (-fstack-clash-protection) breakage rebuild
-- Mate Kukri <mate.kukri@canonical.com> Thu, 23 Nov 2023 15:13:53 +0000
gnutls28 (3.8.1-4ubuntu4) noble; urgency=medium
* Don't run the testsuite under the influence of a configuration file.
-- Adrien Nader <adrien.nader@canonical.com> Fri, 17 Nov 2023 11:08:39 +0100
gnutls28 (3.8.1-4ubuntu3) noble; urgency=medium
* Forcefully disable TLS 1.0 and 1.1 through /etc/gnutls/config.
-- Adrien Nader <adrien.nader@canonical.com> Fri, 27 Oct 2023 17:41:58 -0400
gnutls28 (3.8.1-4ubuntu2) noble; urgency=medium
* Rebuild against latest libunistring
-- Jeremy Bícha <jbicha@ubuntu.com> Fri, 27 Oct 2023 06:48:46 -0400
gnutls28 (3.8.1-4ubuntu1) mantic; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
* Fix logic for i386 autopkgtest on an amd64 host
-- Dan Bungert <daniel.bungert@canonical.com> Tue, 22 Aug 2023 16:30:06 -0600
gnutls28 (3.8.1-4) unstable; urgency=medium
* Fix autopkgtest for 32 bit archs.
* Fix building twice from the same source. Closes: #1044384,#1049512
* Drop orphaned debian/libgnutlsxx30.install and delete related (.a/.so)
files in dh_autoinstall override, fixing dead symlink for libgnutlsxx.so.
Closes: #1050058
-- Andreas Metzler <ametzler@debian.org> Sat, 19 Aug 2023 11:28:08 +0200
gnutls28 (3.8.1-3ubuntu1) mantic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 08 Aug 2023 12:33:16 -0500
gnutls28 (3.8.1-3) unstable; urgency=low
* 50-0001-Fix-build-on-GNU-Hurd.patch (Thanks, Samuel Thibault) from
upstream git master.
* Fix rdep FTBFS due to removal of GNUTLS_NO_EXTENSIONS macro with
50-0002-Move-the-GNUTLS_NO_EXTENSIONS-compatibility-define-t.patch from
upstream MR 1766 (Thanks, Adrian Bunk)
-- Andreas Metzler <ametzler@debian.org> Mon, 07 Aug 2023 18:33:31 +0200
gnutls28 (3.8.1-2) unstable; urgency=low
* Also use datefudge instead of faketime for autopkgtest.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sun, 06 Aug 2023 11:13:35 +0200
gnutls28 (3.8.1-1) experimental; urgency=medium
* New upstream version.
+ Bump symbol file info.
-- Andreas Metzler <ametzler@debian.org> Sat, 05 Aug 2023 10:59:29 +0200
gnutls28 (3.8.0+git20230713-1) experimental; urgency=medium
* New upstream git snapshot c4023afde53241aedbb94108aa10fda9bd05ee82.
+ Update copyright file.
+ Switch back to datefudge. faketime using fork() instead of exec() breaks
the cleanup scripting in the testsuite. This together with upstream
changes Closes: #1037917
Most tests do not rely on datefudge/faketime anymore but use -attime so
we would still have meaningful testsuite coverage without datefudge.
+ Update autopkgtest for new upstream.
-- Andreas Metzler <ametzler@debian.org> Sat, 15 Jul 2023 13:40:58 +0200
gnutls28 (3.8.0+git20230529-1) experimental; urgency=medium
* New upstream git snapshot 0a8115000f2353dcabcfdc0caccbb0f2c3d6f512.
+ Update libgnutls30 symbol file.
+ Unfuzz patches.
-- Andreas Metzler <ametzler@debian.org> Sun, 04 Jun 2023 13:06:50 +0200
gnutls28 (3.8.0+git20230413-1) experimental; urgency=medium
* New upstream git snapshot bfbcb238465baffc6a6695c0e593c9a25cf7cb51.
+ Unfuzz patches, drop superfluous patches.
+ Guile wrapper split off, adapt packaging.
+ Use faketime instead of datefudge. Closes: #1031553
+ Update copyright file.
+ Update symbol file.
+ Stop shipping legacy C++ library (libgnutlsxx30). This functionality is
now provided as a header-only library and there are no rdeps in Debian.
* Clean up debian/rules.
-- Andreas Metzler <ametzler@debian.org> Sat, 29 Apr 2023 11:51:27 +0200
gnutls28 (3.7.9-2ubuntu1) mantic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 May 2023 09:48:08 +0200
gnutls28 (3.7.9-2) unstable; urgency=medium
* CI: Do not try to run tests/ktls.sh, it uses a helper binary. (Plus gnutls
is not built with ktls support on Debian yet.) Closes: #1034350
-- Andreas Metzler <ametzler@debian.org> Sat, 15 Apr 2023 13:45:57 +0200
gnutls28 (3.7.9-1) unstable; urgency=medium
* Drop unused lintian override.
* New upstream version.
+ Drop cherrypicked patches.
-- Andreas Metzler <ametzler@debian.org> Sat, 18 Feb 2023 07:00:58 +0100
gnutls28 (3.7.8-5ubuntu1) lunar; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 17 Feb 2023 08:00:36 -0500
gnutls28 (3.7.8-5) unstable; urgency=high
[ Debian Janitor ]
* Remove constraints unnecessary since buster (oldstable):
+ Build-Depends: Drop versioned constraint on libp11-kit-dev,
libtasn1-6-dev, libunbound-dev and libunistring-dev.
+ Build-Depends-Indep: Drop versioned constraint on texinfo.
+ libgnutls28-dev: Drop versioned constraint on libp11-kit-dev in Depends.
[ Andreas Metzler ]
* 55_01-auth-rsa-side-step-potential-side-channel.patch
55_02-rsa-remove-dead-code.patch 55_03-document-the-CVE-fix.patch:
Effectively update to 3.7.9, fixing GNUTLS-SA-2020-07-14 / CVE-2023-0361
-- Andreas Metzler <ametzler@debian.org> Fri, 10 Feb 2023 07:29:17 +0100
gnutls28 (3.7.8-4ubuntu1) lunar; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
* Dropped changes:
- Reduce parallelism in build to 2 to address FTBFS with lto
-- Adrien Nader <adrien.nader@canonical.com> Thu, 19 Jan 2023 14:47:39 +0100
gnutls28 (3.7.8-4) unstable; urgency=low
* Replace 50_Fix-removal-of-duplicate-certs-during-verification.patch with
version merged to upstream GIT master. Add
51_add-gnulib-linkedhash-list-module.diff since the new patch uses
gnulib's linkedhash-list module.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Mon, 31 Oct 2022 18:10:09 +0100
gnutls28 (3.7.8-3) experimental; urgency=low
* 50_Fix-removal-of-duplicate-certs-during-verification.patch from
https://gitlab.com/gnutls/gnutls/-/merge_requests/1653 fixes chain
verification error on duplicate server cert in chain.
Closes: #1007138
-- Andreas Metzler <ametzler@debian.org> Sat, 15 Oct 2022 13:51:15 +0200
gnutls28 (3.7.8-2) unstable; urgency=low
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sun, 02 Oct 2022 13:28:06 +0200
gnutls28 (3.7.8-1) experimental; urgency=low
* New upstream version.
+ Drop 50_01-Avoid-redirection-bashism-in-testsuite.patch.
-- Andreas Metzler <ametzler@debian.org> Sat, 01 Oct 2022 13:48:17 +0200
gnutls28 (3.7.7-2ubuntu2) kinetic; urgency=medium
* Fix Segmentation Fault due to misdetected Intel AVX support
(LP: #1988398)
-- Gregor Jasny <gjasny@googlemail.com> Thu, 01 Sep 2022 07:42:53 +0100
gnutls28 (3.7.7-2ubuntu1) kinetic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
-- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 01 Aug 2022 09:33:38 +0200
gnutls28 (3.7.7-2) unstable; urgency=medium
* 50_01-Avoid-redirection-bashism-in-testsuite.patch: Fix CI error.
-- Andreas Metzler <ametzler@debian.org> Sun, 31 Jul 2022 10:32:04 +0200
gnutls28 (3.7.7-1) unstable; urgency=low
* New upstream bugfix release: Fixes double free during verification of
pkcs7 signatures. [GNUTLS-SA-2022-07-07, CVSS: medium] [CVE-2022-2509]
+ Update symbol file.
* Add lintian overrides for source-is-missing false positives.
-- Andreas Metzler <ametzler@debian.org> Sat, 30 Jul 2022 14:09:32 +0200
gnutls28 (3.7.6-2ubuntu1) kinetic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
-- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 19 Jun 2022 12:43:43 +0200
gnutls28 (3.7.6-2) unstable; urgency=low
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sat, 18 Jun 2022 10:23:16 +0200
gnutls28 (3.7.6-1) experimental; urgency=low
* New upstream version.
-- Andreas Metzler <ametzler@debian.org> Sat, 28 May 2022 14:31:39 +0200
gnutls28 (3.7.5-1) experimental; urgency=low
* New upstream version.
+ Update symbol file.
-- Andreas Metzler <ametzler@debian.org> Sun, 22 May 2022 08:16:07 +0200
gnutls28 (3.7.4-2ubuntu1) kinetic; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
-- Gianfranco Costamagna <locutusofborg@debian.org> Fri, 29 Apr 2022 10:25:13 +0200
gnutls28 (3.7.4-2) unstable; urgency=low
* 40_srptest_doubletimeout.diff: Increase timeout for tests/srp to fix
occasional error on slow buildds (mipsel, hppa).
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Thu, 14 Apr 2022 08:54:25 +0200
gnutls28 (3.7.4-1) experimental; urgency=low
* Drop superfluous dependency on libopts25-dev.
* New upstream version.
+ Drop superfluous patches. (40_bashism_in_test.diff
41_more_bashism_in_test.diff)
+ Update symbol file.
+ libgnutlsxx soname bumped due to ABI break in .1 (db_check_entry and
db_check_entry now have const parameters).
-- Andreas Metzler <ametzler@debian.org> Sun, 03 Apr 2022 13:30:32 +0200
gnutls28 (3.7.3-4ubuntu1) jammy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
-- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 24 Jan 2022 09:23:08 +0100
gnutls28 (3.7.3-4) unstable; urgency=low
[ Helmut Grohne ]
* Fix FTCBFS: Annotate python3 dependency with :any. (Closes: #1004183)
[ Andreas Metzler ]
* CI: Sort test list.
* CI: Skip another test wrapping a binary test.
* CI: Fix missed &> redirection.
-- Andreas Metzler <ametzler@debian.org> Sun, 23 Jan 2022 08:14:48 +0100
gnutls28 (3.7.3-3) unstable; urgency=low
* Fix CI errors:
+ Set PKCS12_ITER_COUNT=600000, avoid more tests requiring a special test
binary.
+ 40_bashism_in_test.diff: Avoid &> redirection.
-- Andreas Metzler <ametzler@debian.org> Sat, 22 Jan 2022 07:45:00 +0100
gnutls28 (3.7.3-2) unstable; urgency=low
* B-d on python3 instead of python3-minimal, the json module is not part of
-minimal.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Thu, 20 Jan 2022 18:40:59 +0100
gnutls28 (3.7.3-1) experimental; urgency=low
* New upstream version.
+ Does not use GNU autogen anymore, update Build-Depends.
+ Drop 40_fix-gtk-mkhtml.patch.
+ Update symbol file.
-- Andreas Metzler <ametzler@debian.org> Tue, 18 Jan 2022 18:58:41 +0100
gnutls28 (3.7.2-5ubuntu1) jammy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
-- Gianfranco Costamagna <locutusofborg@debian.org> Sat, 08 Jan 2022 21:03:33 +0100
gnutls28 (3.7.2-5) unstable; urgency=medium
* 40_fix-gtk-mkhtml.patch by Dennis Filder fixes gtk-doc generation.
Closes: #1003075
* Cherrypick some improvements to debian/rules suggested by Dennis Filder.
-- Andreas Metzler <ametzler@debian.org> Wed, 05 Jan 2022 18:46:29 +0100
gnutls28 (3.7.2-4ubuntu1) jammy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
-- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 20 Dec 2021 21:29:48 +0100
gnutls28 (3.7.2-4) unstable; urgency=low
* Run wrap-and-sort -ast, and drop depends/b-d on libgmp > 2:6 since even
oldstable uses this version.
* Upload to unstable
-- Andreas Metzler <ametzler@debian.org> Sun, 19 Dec 2021 13:57:12 +0100
gnutls28 (3.7.2-3) experimental; urgency=medium
* Another test build against guile-3.0. #964284
-- Andreas Metzler <ametzler@debian.org> Sun, 29 Aug 2021 14:29:40 +0200
gnutls28 (3.7.2-2ubuntu1) jammy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
-- Gianfranco Costamagna <locutusofborg@debian.org> Wed, 03 Nov 2021 09:23:28 +0100
gnutls28 (3.7.2-2) unstable; urgency=low
* Invoke dh_autoreconf with GTKDOCIZE=echo for arch-only builds, fixing
FTBFS. Closes: #992849
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Tue, 24 Aug 2021 19:46:02 +0200
gnutls28 (3.7.2-1) experimental; urgency=medium
* New upstream version.
+ Drop debian/patches/5[56]*.
+ Update libgnutls30.symbols.
+ Update copyright file.
-- Andreas Metzler <ametzler@debian.org> Sun, 20 Jun 2021 13:49:44 +0200
gnutls28 (3.7.1-5ubuntu1) impish; urgency=low
* Merge from Debian unstable (LP: #1939739). Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
- Reduce parallelism in build to 2 to address FTBFS with lto
* Add LP bug number to previous merge entry in changelog
-- William 'jawn-smith' Wilson <william.wilson@canonical.com> Thu, 12 Aug 2021 13:17:53 -0600
gnutls28 (3.7.1-5) unstable; urgency=medium
* Another fix from 3.7.2:
56_30-x509-verify-treat-SHA-1-signed-CA-in-the-trusted-set.patch
* 40_fix_ipv6only_testsuite_AI_ADDRCONFIG.diff applied upstream, renamed to
56_33-serv-stop-setting-AI_ADDRCONFIG-on-getaddrinfo.patch
-- Andreas Metzler <ametzler@debian.org> Sat, 29 May 2021 12:14:30 +0200
gnutls28 (3.7.1-4ubuntu1) impish; urgency=low
* Merge from Debian unstable (LP: #1929229). Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
* Fix FTBFS with lto - reduce parallelism to 2. LP: #1922004
-- William 'jawn-smith' Wilson <william.wilson@canonical.com> Fri, 21 May 2021 10:29:32 -0600
gnutls28 (3.7.1-4) unstable; urgency=medium
* Pull fixes from upstream Git master
+ Ensure array allocations overflow safe.
https://gitlab.com/gnutls/gnutls/-/issues/1179
56_15-mem-add-_gnutls_reallocarray-and-_gnutls_reallocarra.patch
56_16-pkcs11x-find_ext_cb-fix-error-propagation.patch
56_17-build-avoid-potential-integer-overflow-in-array-allo.patch
56_18-build-avoid-integer-overflow-in-additions.patch
56_19-_gnutls_calloc-remove-unused-function.patch
+ Add option to disable TLS 1.3 middlebox compatibility mode
https://gitlab.com/gnutls/gnutls/-/issues/1208
56_20-priority-add-option-to-disable-TLS-1.3-middlebox-com.patch
(Changes gperf input file, add b-d on gperf.)
+ Fix session-id changing when responding to HelloRetryRequest
56_24-handshake-don-t-regenerate-legacy_session_id-in-seco.patch
https://gitlab.com/gnutls/gnutls/-/issues/1210
+ Fix timing of sending TLSv1.3 early data.
56_28-handshake-fix-timing-of-sending-early-data.patch
https://gitlab.com/gnutls/gnutls/-/issues/1146
-- Andreas Metzler <ametzler@debian.org> Sun, 25 Apr 2021 12:55:14 +0200
gnutls28 (3.7.1-3ubuntu1) hirsute; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
* Fix FTBFS with lto - reduce parallelism to 2. LP: #1922004
* Merge CVE fixes CVE-2021-20231 CVE-2021-20232
-- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 14 Apr 2021 15:44:37 +0100
gnutls28 (3.7.1-3) unstable; urgency=low
* Rename/refetch
*build-doc-install-missing-image-file-gnutls-crypto-l.patch, it has
been merged into upstream GIT.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Tue, 30 Mar 2021 11:21:58 +0200
gnutls28 (3.7.1-2) experimental; urgency=medium
* Also run ocsptool tests in autopkgtest.
* Add CVE numbers to previous changelog entry.
* Pull selected fixes from upstream GIT:
+ 55_01-_gnutls_buffer_resize-account-for-unused-area-if-AGG.patch
+ 55_02-str-suppress-Wunused-function-if-AGGRESSIVE_REALLOC-.patch
+ 56_01-srptool-avoid-FILE-pointer-leak-on-error.patch
+ 56_02-gnutls-cli-debug-avoid-resource-leak-in-saving-DHE-p.patch
+ 56_03-src-avoid-file-descriptor-leak-in-socket_open2.patch
+ 56_04-examples-avoid-memory-leak-in-tlsproxy.patch
+ 56_05-examples-avoid-memory-leak-in-ex-verify.patch
* 60_build-doc-install-missing-image-file-gnutls-crypto-l.patch
Ship missing image file. (Thanks, lintian)
-- Andreas Metzler <ametzler@debian.org> Sat, 20 Mar 2021 14:01:16 +0100
gnutls28 (3.7.1-1) unstable; urgency=medium
* New upstream version
Fixes potential use-after-free in sending "key_share" and "pre_shared_key"
extensions. GNUTLS-SA-2021-03-10. CVE-2021-20231 CVE-2021-20232
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Wed, 10 Mar 2021 19:02:31 +0100
gnutls28 (3.7.0+git20210306-2) experimental; urgency=medium
* Fix autopkgtest skiplist.
-- Andreas Metzler <ametzler@debian.org> Sun, 07 Mar 2021 16:26:05 +0100
gnutls28 (3.7.0+git20210306-1) experimental; urgency=low
* Update to GIT ba6e4b17bf74e58a8101f825011434b497eacbaa
+ Drop cherry-picked patches {48,49,50}_*.
+ Update copyright file.
-- Andreas Metzler <ametzler@debian.org> Sun, 07 Mar 2021 08:28:52 +0100
gnutls28 (3.7.0-7) unstable; urgency=medium
* Pull 50_01-gnutls_session_is_resumed-don-t-check-session-ID-in-.patch
50_02-handshake-TLS-1.3-don-t-generate-session-ID-in-resum.patch
50_04-tests-close-unused-fd-opened-by-socketpair.patch from upstream
master, fixing session resumption in non-TLS1.3 mode, which broke ftp-ssl.
(Thanks to Tim Kosse for the pointer) Closes: #980119
-- Andreas Metzler <ametzler@debian.org> Fri, 12 Feb 2021 19:03:16 +0100
gnutls28 (3.7.0-6) unstable; urgency=medium
* Update 49_0001-gnutls_x509_trust_list_verify_crt2-ignore-duplicate-.patch
with merged version from upstream GIT master. Features a fix for an assert
on connection to servers which send a duplicate chain including the
self-signed CA. Closes: #980513
-- Andreas Metzler <ametzler@debian.org> Mon, 08 Feb 2021 18:04:21 +0100
gnutls28 (3.7.0-5ubuntu1) hirsute; urgency=low
* Merge from Debian unstable LP: #1893924. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
-- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 31 Dec 2020 15:56:50 +0000
gnutls28 (3.7.0-5) unstable; urgency=low
* Update from upstream GIT master, replace patches, add new ones.
+ 48_0001-Fix-non-empty-session-id-TLS13_APPENDIX_D4.patch added.
+ 50_0001-tests-Fix-tpmtool_test-due-to-changes-in-trousers.patch
--> 48_0002-tests-Fix-tpmtool_test-due-to-changes-in-trousers.patch
+ 50_0002-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
--> 48_0003-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
Closes: #977552
+ 45_opensslcompat_no_export_gl.diff
--> 48_0005-libgnutls-openssl-Clean-up-list-of-exported-symbols.patch.
+ 48_0006-Fix-a-common-typo-of-gnutls_priority_t.patch added.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Thu, 31 Dec 2020 13:11:15 +0100
gnutls28 (3.7.0-4) experimental; urgency=medium
* Test build of fixes from
https://gitlab.com/gnutls/gnutls/-/merge_requests/1371 and
https://gitlab.com/gnutls/gnutls/-/merge_requests/1370/ for #976836 and
#977552.
-- Andreas Metzler <ametzler@debian.org> Tue, 29 Dec 2020 07:52:38 +0100
gnutls28 (3.7.0-3) unstable; urgency=low
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Mon, 07 Dec 2020 18:44:34 +0100
gnutls28 (3.7.0-2) experimental; urgency=low
* Fix guile-gnutls guile-x.x dependency.
* 45_opensslcompat_no_export_gl.diff: Cleanup exported symbols.
-- Andreas Metzler <ametzler@debian.org> Sat, 05 Dec 2020 18:22:34 +0100
gnutls28 (3.7.0-1) experimental; urgency=low
* New upstream version.
+ Drop 50_autopkgtestfixes.diff.
+ Update symbol file, bump all requirements to 3.7.0. (New mac/cipher
added).
+ Requires nettle >= 3.6.
* [lintian] Use v4 watch file.
* Add a symbol file for libgnutls-openssl27.
* Use dh v13 compat, (Some fixes for dh_missing.)
-- Andreas Metzler <ametzler@debian.org> Thu, 03 Dec 2020 18:40:03 +0100
gnutls28 (3.6.15-4ubuntu2) groovy; urgency=low
* Merge from Debian unstable LP: #1893924. Remaining changes:
- Enable CET.
- Set default priority string to only allow TLS1.2, DTLS1.2, and
TLS1.3 with medium security profile (2048 RSA keys minimum, and
similar).
* Add patch to fix ftbfs gnulib with new glibc.
-- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 24 Sep 2020 12:03:44 +0100
gnutls28 (3.6.15-4) unstable; urgency=medium
* autopkgtest: Require build-essential.
* autopkgtest: respect dpkg-buildflags for helper-binary build.
-- Andreas Metzler <ametzler@debian.org> Wed, 16 Sep 2020 18:45:09 +0200
gnutls28 (3.6.15-3) unstable; urgency=medium
* More autopkgtest hotfixes.
-- Andreas Metzler <ametzler@debian.org> Tue, 15 Sep 2020 17:56:30 +0200
gnutls28 (3.6.15-2) unstable; urgency=medium
* 50_autopkgtestfixes.diff: Fix testsuite issues when running against
installed gnutls-bin.
* In autopkgtest set top_builddir and builddir, ignore
tests/cert-tests/tolerate-invalid-time and tests/gnutls-cli-debug.sh.
-- Andreas Metzler <ametzler@debian.org> Sat, 12 Sep 2020 17:56:48 +0200
gnutls28 (3.6.15-1) unstable; urgency=low
* New upstream version.
+ Fixes NULL pointer dereference if a no_renegotiation alert is sent with
unexpected timing. CVE-2020-24659 / GNUTLS-SA-2020-09-04
Closes: #969547
+ Drop 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch
50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
50_03-gnutls_cipher_init-fix-potential-memleak.patch
50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
+ Fix build error due to outdated gettext in Debian by removing newer
gettext m4 macros from m4/.
-- Andreas Metzler <ametzler@debian.org> Sun, 06 Sep 2020 09:50:07 +0200
gnutls28 (3.6.14-2) unstable; urgency=medium
* Pull selected patches from upstream GIT:
+ 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch:
Fixes difference in generated docs on 32 and 64 bit archs.
+ 50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
50_03-gnutls_cipher_init-fix-potential-memleak.patch
Fix memleak in gnutls_aead_cipher_init() with keys having invalid
length. (Broken since 3.6.3)
+ 50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
Closes: #962467
-- Andreas Metzler <ametzler@debian.org> Thu, 11 Jun 2020 11:27:34 +0200
gnutls28 (3.6.14-1) unstable; urgency=high
* Drop debugging code added in -4, fixes nocheck profile build error.
Closes: #962199
* Add Daiki Ueno 462225C3B46F34879FC8496CD605848ED7E69871 key to
debian/upstream/signing-key.asc.
* New upstream version.
+ Fixes insecure session ticket key construction.
[GNUTLS-SA-2020-06-03, CVE-2020-13777] Closes: #962289
+ Drop 50_Update-session_ticket.c-to-add-support-for-zero-leng.patch
51_01-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
51_02-x509-trigger-fallback-verification-path-when-cert-is.patch
51_03-tests-add-test-case-for-certificate-chain-supersedin.patch
* Drop guile-gnutls.lintian-overrides.
* 40_fix_ipv6only_testsuite_AI_ADDRCONFIG.diff: In gnutls-serv do not pass
AI_ADDRCONFIG to getaddrinfo. This broke the testsuite on systems without
IPv4 on non-loopback addresses. (Thanks, Adrian Bunk and Julien Cristau!)
Hopefully Closes: #962218
-- Andreas Metzler <ametzler@debian.org> Sat, 06 Jun 2020 14:11:30 +0200
gnutls28 (3.6.13-4ubuntu5) groovy; urgency=medium
* SECURITY UPDATE: null pointer deref via no_renegotiation alert
- debian/patches/CVE-2020-24659.patch: reject no_renegotiation alert if
handshake is incomplete in lib/gnutls_int.h, lib/handshake.c.
- CVE-2020-24659
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 08 Sep 2020 10:09:39 -0400
gnutls28 (3.6.13-4ubuntu4) groovy; urgency=medium
* No change rebuild against new libnettle8 and libhogweed6 ABI.
-- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 29 Jun 2020 22:24:52 +0100
gnutls28 (3.6.13-4ubuntu3) groovy; urgency=medium
* Enable CET.
-- Dimitri John Ledkov <xnox@ubuntu.com> Sun, 28 Jun 2020 23:48:44 +0100
gnutls28 (3.6.13-4ubuntu2) groovy; urgency=medium
* SECURITY UPDATE: flaw in TLS session ticket key construction
- debian/patches/CVE-2020-13777.patch: differentiate initial state from
valid time window of TOTP in lib/stek.c,
tests/resume-with-previous-stek.c, tests/tls13/prf-early.c.
- CVE-2020-13777
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 05 Jun 2020 13:12:39 -0400
gnutls28 (3.6.13-4ubuntu1) groovy; urgency=medium
* Resynchronize with Debian; remaining changes:
Set default priority string to only allow TLS1.2, DTLS1.2, and TLS1.3
with medium security profile (2048 RSA keys minimum, and similar).
-- Sebastien Bacher <seb128@ubuntu.com> Fri, 05 Jun 2020 15:12:03 +0200
gnutls28 (3.6.13-4) unstable; urgency=medium
* Output some network related debugging from debian/rules.
* Fix verification error with alternate chains. Closes: #961889
-- Andreas Metzler <ametzler@debian.org> Mon, 01 Jun 2020 10:34:25 +0200
gnutls28 (3.6.13-3) unstable; urgency=medium
* 50_Update-session_ticket.c-to-add-support-for-zero-leng.patch from GnuTLS
master: Handle zero length session tickets, fixing connection errors on
TLS1.2 sessions to some big hosting providers. (See LP 1876286)
-- Andreas Metzler <ametzler@debian.org> Thu, 28 May 2020 18:25:45 +0200
gnutls28 (3.6.13-2) unstable; urgency=high
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Fri, 03 Apr 2020 17:48:40 +0200
gnutls28 (3.6.13-1) experimental; urgency=low
* New upstream version.
+ libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3
support), since 3.6.3. The DTLS client would not contribute any
randomness to the DTLS negotiation, breaking the security
guarantees of the DTLS protocol
GNUTLS-SA-2020-03-31 CVE-2020-11501 Closes: #955556
* Fix guile lintian override for shared-lib-without-dependency-information.
-- Andreas Metzler <ametzler@debian.org> Thu, 02 Apr 2020 18:31:26 +0200
gnutls28 (3.6.12-2) unstable; urgency=medium
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Fri, 14 Feb 2020 16:14:28 +0100
gnutls28 (3.6.12-1) experimental; urgency=low
[ Debian Janitor ]
* Drop unnecessary dh arguments: --parallel
[ Andreas Metzler ]
* Fix bindtextdomain() call and dgettext() invocations to search for the
correct filename. (Thanks, Laurent Bigonville for report and diagnosis.)
Closes: #949151
* [lintian] Drop superfluous debian/source/include-binaries.
* New upstream version.
+ Update symbol file.
+ Drop workaround for #658110, install guile shared objects to multi-arch
paths.
-- Andreas Metzler <ametzler@debian.org> Sun, 02 Feb 2020 17:45:13 +0100
gnutls28 (3.6.11.1-2) unstable; urgency=low
* Use dh 12 compat level.
+ Install gtk-doc files from as-installed location instead of builddir to
avoid dh_missing warnings.
* List *.la files in debian/not-installed.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sat, 14 Dec 2019 18:07:49 +0100
gnutls28 (3.6.11.1-1) experimental; urgency=low
* New upstream version.
Drop 50_01-guile-Do-not-attempt-to-load-shared-object-when-cros.patch
50_02-guile-Silence-auto-compilation-warning-for-guild.patch
* Update symbol file (VKO GOST key exchange support was added).
-- Andreas Metzler <ametzler@debian.org> Sat, 07 Dec 2019 07:49:26 +0100
gnutls28 (3.6.10-5) unstable; urgency=medium
* 50_01-guile-Do-not-attempt-to-load-shared-object-when-cros.patch
50_02-guile-Silence-auto-compilation-warning-for-guild.patch from upstream
GIT master: Fix crossbuild error. (Thanks, Ludovic Courtès!)
Closes: #943905
-- Andreas Metzler <ametzler@debian.org> Sat, 16 Nov 2019 18:41:44 +0100
gnutls28 (3.6.10-4) unstable; urgency=medium
* Add support for noguile build profile. See #943905.
-- Andreas Metzler <ametzler@debian.org> Sat, 02 Nov 2019 06:30:43 +0100
gnutls28 (3.6.10-3) unstable; urgency=low
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Wed, 30 Oct 2019 19:23:36 +0100
gnutls28 (3.6.10-2) experimental; urgency=medium
* Switch b-d from texlive-generic-recommended to texlive-plain-generic.
Closes: #941526
-- Andreas Metzler <ametzler@debian.org> Wed, 02 Oct 2019 19:46:25 +0200
gnutls28 (3.6.10-1) experimental; urgency=low
* New upstream version.
+ Drop i386-fix-wrong-reloc.patch and
40_gnutls_epoch_set_keys-do-not-forbid-random-padding-.patch.
+ Update symbol files.
+ Update copyright. Stop shipping a copy of the GNU Affero General Public
License version 3. (pkcs11-mock.* is now under a different license.)
-- Andreas Metzler <ametzler@debian.org> Sun, 29 Sep 2019 18:39:12 +0200
gnutls28 (3.6.9-7) experimental; urgency=low
* Fix copy-paste error (missing line) in libgnutls-dane0 description.
* Re-add guile-gnutls, test-build (including testsuite) was successful.
Closes: #905272
-- Andreas Metzler <ametzler@debian.org> Sun, 22 Sep 2019 17:29:57 +0200
gnutls28 (3.6.9-6) experimental; urgency=low
* Test-build guile bindings.
-- Andreas Metzler <ametzler@debian.org> Sat, 21 Sep 2019 17:34:01 +0200
gnutls28 (3.6.9-5) unstable; urgency=medium
* 40_gnutls_epoch_set_keys-do-not-forbid-random-padding-.patch from upstream
GIT master: Fix interop problems with gnutls 2.x. Closes: #933538
-- Andreas Metzler <ametzler@debian.org> Sat, 14 Sep 2019 13:38:41 +0200
gnutls28 (3.6.9-4) unstable; urgency=medium
* i386-fix-wrong-reloc.patch: Fix bad relocations on i386 due to broken
assembly code. (Thanks, Steve Langasek for report and patch!)
Closes: #934193
-- Andreas Metzler <ametzler@debian.org> Thu, 08 Aug 2019 19:40:21 +0200
gnutls28 (3.6.9-3) unstable; urgency=medium
* autopkgtest: Skip system-override-sig-hash.sh.
-- Andreas Metzler <ametzler@debian.org> Sat, 03 Aug 2019 06:48:46 +0200
gnutls28 (3.6.9-2) unstable; urgency=medium
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Fri, 02 Aug 2019 19:12:42 +0200
gnutls28 (3.6.9-1) experimental; urgency=low
* New upstream version.
+ Update symbol file.
-- Andreas Metzler <ametzler@debian.org> Sat, 27 Jul 2019 16:29:55 +0200
gnutls28 (3.6.8-2) unstable; urgency=low
* Use DH 11 compat again.
* 3.6.8 builds with gcc-9. Closes: #925701
* Fix autopkgtest on 32bit architectures. (Bug report and patch by Julian
Andres Klode) Closes: #930541
See also https://gitlab.com/gnutls/gnutls/merge_requests/986
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sat, 06 Jul 2019 14:10:29 +0200
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libgnutls30t64`.