Package: libgnutls30
Version: 3.7.9-2+deb12u4
Severity: important
X-Debbugs-Cc: [email protected]

Hi,

I am encountering an issue when performing a git clone of a repository hosted on a server using OCSP that returns multiple OCSP responses. Note that I have reproduced this using a bare metal installation of Debian 12.9 and 12.10 and from WSL2 installations of 12.9 and 12.10.

There is a documented defect in GnuTLS that indicated that it would fail under the circumstance documented above. This defect was fixed in GnuTLS 3.8.8 in commit:
https://github.com/gnutls/gnutls/commit/ae404fe8488dee424876b5963c00d7e041672415

Debian testing and sid contain GnuTLS 3.8.9 at the time of this submission.

Without addressing this concern, the only available workaround is to disable TLS verification during any http operation where the OCSP response will contain multiple entries. This is not a secure workaround.

I am requesting that GnuTLS 3.8.8 or later from testing/sid be backported to bookworm in order to resolve the issue without requiring users to disable TLS verification.

Additional information may be available in a similar ticket submitted against Ubuntu (https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/2102115).

Thanks.

-- System Information:
Debian Release: 12.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.87.1-microsoft-standard-WSL2 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgnutls30 depends on:
ii  libc6          2.36-9+deb12u10
ii  libgmp10       2:6.2.1+dfsg1-1.1
ii  libhogweed6    3.8.1-2
ii  libidn2-0      2.3.3-1+b1
ii  libnettle8     3.8.1-2
ii  libp11-kit0    0.24.1-2
ii  libtasn1-6     4.19.0-2+deb12u1
ii  libunistring2  1.0-2

libgnutls30 recommends no packages.

Versions of packages libgnutls30 suggests:
pn  gnutls-bin  <none>

-- no debconf information
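The report above turns on one fact: whether the installed libgnutls30 carries upstream 3.8.8 or later. The following script is an added example and is not part of the bug report or of GnuTLS; it reduces a Debian version string to its upstream part, compares it against 3.8.8, and, when `dpkg-query` (a real dpkg tool) is present, reads the installed version. The function names and the version strings used in the comments are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): is the installed libgnutls30 at or
# above upstream 3.8.8, the release that fixed multi-response OCSP handling?

# Reduce a Debian version to its upstream part: drop an epoch ("1:" prefix)
# and the Debian revision ("-2+deb12u4" suffix).  "3.7.9-2+deb12u4" -> "3.7.9"
upstream_version() {
    v=${1#*:}
    v=${v%%-*}
    printf '%s\n' "$v"
}

# Compare two dotted versions component by component; print -1, 0 or 1.
# Trailing non-digits in a component ("9+dfsg") are ignored, so "9+dfsg" is 9.
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        if [ "$a" = "$ax" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bx" ]; then b=; else b=${b#*.}; fi
        ax=${ax%%[!0-9]*}; bx=${bx%%[!0-9]*}
        ax=${ax:-0}; bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
        if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
    done
    echo 0
}

# Exit 0 when the given Debian version string is upstream 3.8.8 or newer.
gnutls_fix_present() {
    [ "$(cmp_dotted "$(upstream_version "$1")" 3.8.8)" != "-1" ]
}

# Print a verdict for an explicit version, or for the installed package when
# no argument is given.  Always returns 0 so it is safe at top level.
report_gnutls_status() {
    ver=$1
    if [ -z "$ver" ]; then
        if ! command -v dpkg-query >/dev/null 2>&1; then
            echo "dpkg-query not available; pass a version string as the first argument"
            return 0
        fi
        ver=$(dpkg-query -W -f='${Version}' libgnutls30 2>/dev/null) || {
            echo "libgnutls30 is not installed"
            return 0
        }
    fi
    if gnutls_fix_present "$ver"; then
        echo "libgnutls30 $ver: upstream >= 3.8.8, multi-response OCSP fix present"
    else
        echo "libgnutls30 $ver: upstream < 3.8.8, affected; disabling TLS verification is not a safe workaround"
    fi
    return 0
}

report_gnutls_status "$@"
```

Run it with no arguments on a bookworm host to check the installed package, or pass a version such as `3.8.9-1` to evaluate a candidate. The comparison looks only at the upstream version, so if Debian ever cherry-picks the fix into a `3.7.9-2+deb12uN` revision this check would still report "affected"; treat it as a first-pass screen and confirm against the package changelog.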

