On 2018-10-23 19:26:32, Ben Hutchings wrote:
> On Tue, 2018-10-23 at 14:00 -0400, Antoine Beaupré wrote:
>> Hi,
>>
>> After the lengthy discussion[1] regarding the pending security issues in
>> GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have
>> determined it might be simpler to just upgrade to the latest upstream
>> 3.3.x version for which upstream is still providing updates. Upstream
>> agrees with the approach. This removes 35 Debian-specific, backported
>> patches and fixes other unrelated bugs. The API/ABI *changes*, but it
>> only adds *new* symbols so the soname versions do not change.
> [...]
>
> I don't know exactly what gnutls's policy is for stable updates, but
> based on a quick look at the NEWS file it seems like these changes are
> probably suitable for a stable/LTS update.
>
> I did spot some incompatible changes in behaviour which might need to
> be called out in the Debian changelog or NEWS file, or even reverted,
> depending on how many users they might affect:
>
> ** libgnutls: Refuse to import v1 or v2 certificates that contain
> extensions.
>
> ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities
> list. It has to be explicitly enabled, e.g., with a string like
> "NORMAL:+ARCFOUR-128". The previous behavior can be restored using
> the flag --with-arcfour128 to configure.
>
> ** libgnutls: SSL 3.0 is no longer included in the default priorities
> list. It has to be explicitly enabled, e.g., with a string like
> "NORMAL:+VERS-SSL3.0". The previous behavior can be restored using
> the flag --with-ssl3 to configure.
>
> ** libgnutls: require strict DER encoding for certificates, OCSP requests,
> private keys, CRLs and certificate requests. This backports the already
> default behavior from the 3.5.x branch, in order to reduce issues due to
> the complexity of BER rules.
Good catches. I should really go through those again with a NEWS.Debian
update in mind.

One thing they did to fix those 'pseudo-constant time' vulnerabilities is
to remove certain algorithms as well, and I don't see those above. So we
should probably warn about that as well.

A.

-- 
That's one of the remarkable things about life: it's never so bad that
it can't get worse.
                        - Calvin