Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package gnutls28.

This is an upstream bugfix release featuring two security fixes:

    + Fixes a memory corruption (double free) vulnerability in the
      certificate verification API.
      https://gitlab.com/gnutls/gnutls/issues/694 CVE-2019-3829
      GNUTLS-SA-2019-03-27
    + Fixes an invalid pointer access via malformed TLS1.3 async messages;
      https://gitlab.com/gnutls/gnutls/issues/704 CVE-2019-3836
      GNUTLS-SA-2019-03-27

One of these is fixed by a hardening measure (gnutls_free() will
automatically set the freed pointer to NULL). It also unbreaks
vlc (#922879) and has some TLS1.3 related changes.

The straight debdiff is huge, because of a) usual release updates of
autogenerated files and b) because it includes a global
's/http:/https:/'. Stripped down debdiff is attached.

unblock gnutls28/3.6.7-2

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Attachment: smaller.debdiff.diff.xz
Description: application/xz

Attachment: signature.asc
Description: PGP signature
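The hardening measure mentioned in the message (free, then set the pointer to NULL) can be illustrated as follows. This is an added example, not part of the original message and not GnuTLS code; the pool allocator, the `FREE_AND_NULL` macro and `struct cert_ctx` are hypothetical names, and the allocator only records a second release instead of performing it.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed pool allocator: a second release of a slot is counted,
 * not executed, so the double free is observable without undefined behaviour. */
#define SLOTS 4
static unsigned char pool[SLOTS][64];
static int in_use[SLOTS];
static int double_frees;

static void *track_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

static void track_free(void *p) {
    if (!p) return;                        /* like free(NULL): no-op */
    for (int i = 0; i < SLOTS; i++)
        if (p == (void *)pool[i]) {
            if (in_use[i]) in_use[i] = 0;
            else double_frees++;           /* slot was already released */
            return;
        }
}

/* Hypothetical macro in the spirit of the hardening described above. */
#define FREE_AND_NULL(p) do { track_free(p); (p) = NULL; } while (0)

struct cert_ctx { void *chain; };          /* hypothetical verification state */

/* Error path releases the chain, then generic cleanup releases it again. */
static int verify_plain(void) {
    struct cert_ctx c = { track_alloc() };
    double_frees = 0;
    track_free(c.chain);                   /* error path: pointer left dangling */
    track_free(c.chain);                   /* cleanup: same block released twice */
    return double_frees;
}

static int verify_hardened(void) {
    struct cert_ctx c = { track_alloc() };
    double_frees = 0;
    FREE_AND_NULL(c.chain);                /* error path: pointer cleared */
    FREE_AND_NULL(c.chain);                /* cleanup: now a no-op on NULL */
    return double_frees;
}

int main(void) {
    printf("plain: %d, hardened: %d\n", verify_plain(), verify_hardened());
    return 0;
}
```

The pattern only protects the pointer variable that was passed to the release call; a second copy of the same address held elsewhere still dangles.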
