Hello,

I prepared an update of gnutls26 for squeeze:

$ dget https://people.debian.org/~hertzog/packages/gnutls26_2.8.6-1+squeeze5_amd64.changes

This version seems to work for me. I was able to verify that CVE-2015-0294 is fixed with the test case at
https://gitlab.com/gnutls/gnutls/commit/ca35341243dc2ba13cd703d25becea5da293bc35

For CVE-2015-0282, I used the patch of Red Hat and the test case at
https://gitlab.com/gnutls/gnutls/commit/58d7dde8a8a6fce1a8aa9aeb29f2247212fe5acd
but unfortunately, I don't get a hard failure with certtool, see
https://bugzilla.redhat.com/show_bug.cgi?id=1194371#c7
but it seems to correctly detect that the certificate can't be verified... so I'm tempted to believe that the patch is working correctly anyway.

I see the same behaviour with the updated gnutls26 in wheezy-security (ccing Salvatore who prepared the wheezy update in case he has some feedback on this problem).

For CVE-2014-8155, I have no test case.

Please test the packages and report back if you find any regressions.

Thank you!
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
