Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <[email protected]>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #840191,
regarding jessie-pu: package gnutls28/3.3.8-6+deb8u4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
840191: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840191
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi Stable Release Managers,
X-Debbugs-CC'ed Andreas Metzler.
gnutls28 in jessie is affected by CVE-2016-7444, GNUTLS-SA-2016-3,
having a flaw in the OCSP certificate check. This was fixed upstream
and included in unstable with 3.5.3-4 but would not warrant a DSA.
Attached is the proposed debdiff for jessie. Would it be acceptable for an
upcoming point release?
Regards,
Salvatore
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog 2015-08-14 18:29:51.000000000 +0200
+++ gnutls28-3.3.8/debian/changelog 2016-10-09 14:36:18.000000000 +0200
@@ -1,3 +1,11 @@
+gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2016-7444: Incorrect certificate validation when using OCSP responses
+ (GNUTLS-SA-2016-3)
+
+ -- Salvatore Bonaccorso <[email protected]> Sun, 09 Oct 2016 14:36:18 +0200
+
gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium
* Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from
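Review bot: the new changelog entry names CVE-2016-7444 and GNUTLS-SA-2016-3 but says nothing about what was wrong or which upstream change is being carried, so someone reading the stable changelog cannot tell the scope of the fix without opening the patch. Suggest expanding the bullet along the lines of `* CVE-2016-7444: gnutls_ocsp_resp_check_crt() compared the certificate serial without checking its length (GNUTLS-SA-2016-3, upstream commit 964632f3)`, matching the subject of the patch added under debian/patches.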
diff -Nru gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
--- gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 2016-10-09 14:36:18.000000000 +0200
@@ -0,0 +1,24 @@
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <[email protected]>
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP
+ response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1251,6 +1251,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_r
+ gnutls_assert();
+ goto cleanup;
+ }
++ cserial.size = t;
+
+ if (rserial.size != cserial.size
+ || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
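Review bot: the three lines of context before the added `cserial.size = t;` do not show where `t` is assigned, so an applier of this backport cannot see from the hunk alone that in 3.3.8 `t` holds the length returned by the serial getter called just above; please confirm that against lib/x509/ocsp.c in the jessie tree, because if `t` were instead still the buffer capacity the new length-equality test `rserial.size != cserial.size` would reject valid responses rather than fix the check. Separately, this backport ships only the one-line fix: the previous jessie update carried a reproducer (51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch, visible in series), so either add the upstream test for the serial-length case if one exists or state in the changelog that none was available. Once the sizes are forced equal the `memcmp(cserial.data, rserial.data, rserial.size)` length is safe on both buffers, which is the right order for the two checks.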
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series 2015-08-13 19:52:00.000000000 +0200
+++ gnutls28-3.3.8/debian/patches/series 2016-10-09 14:36:18.000000000 +0200
@@ -14,3 +14,4 @@
51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch
51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch
51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch
+52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
--- End Message ---
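The class of flaw the patch above fixes, a serial-number comparison that does not compare lengths, shown as an added C example. This is not code from the bug report or from the gnutls source; `datum_t` is a stand-in for gnutls_datum_t, `get_serial()` is a hypothetical getter with the buffer-plus-length convention of gnutls_x509_crt_get_serial(), `check_crt()` only mirrors the shape of the fixed comparison, the "prefix-only" variant is an illustrative weak check rather than the pre-fix gnutls code, and the serials are constructed sample bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gnutls_datum_t: a byte pointer plus a length. */
typedef struct {
    const uint8_t *data;
    size_t size;
} datum_t;

/* Constructed sample serials (not taken from any real certificate). */
static const uint8_t SERIAL_BYTES[] = { 0x4a, 0x1f, 0x00, 0x9c, 0x73 };
static const datum_t CERT_SERIAL        = { SERIAL_BYTES, sizeof(SERIAL_BYTES) };
static const datum_t RESP_SERIAL_EXACT  = { SERIAL_BYTES, sizeof(SERIAL_BYTES) };
static const datum_t RESP_SERIAL_PREFIX = { SERIAL_BYTES, 3 };  /* 4a 1f 00 */
static const datum_t RESP_SERIAL_EMPTY  = { SERIAL_BYTES, 0 };

/* Weak form (illustrative, not the pre-fix gnutls code): compares only as
 * many bytes as the OCSP response claims, so any certificate serial that
 * merely starts with the response serial "matches", and an empty response
 * serial matches everything. It would also over-read cserial if rserial
 * were the longer of the two; the strict form avoids that by checking
 * sizes first. */
static int serial_match_prefix_only(const datum_t *rserial, const datum_t *cserial)
{
    return memcmp(cserial->data, rserial->data, rserial->size) == 0;
}

/* Strict form, the shape of the comparison after the patch: lengths must be
 * equal before any bytes are compared. Rejecting an empty serial is an extra
 * guard added here (RFC 5280 serials are non-empty), not part of the patch. */
static int serial_match_strict(const datum_t *rserial, const datum_t *cserial)
{
    if (rserial->size == 0 || cserial->size == 0)
        return 0;
    if (rserial->size != cserial->size)
        return 0;
    return memcmp(cserial->data, rserial->data, rserial->size) == 0;
}

/* Hypothetical getter in the style of gnutls_x509_crt_get_serial(): copies
 * the serial into the caller's buffer and reports the bytes written via *len.
 * Returns 0 on success, -1 if the buffer is too small. */
static int get_serial(const datum_t *src, uint8_t *buf, size_t *len)
{
    if (src->size > *len)
        return -1;
    memcpy(buf, src->data, src->size);
    *len = src->size;
    return 0;
}

/* Mirrors the shape of the fixed check: fetch the certificate serial into a
 * fixed-size buffer, then take the length the getter reported before
 * comparing. Returns 1 on match, 0 on mismatch, -1 on error. */
static int check_crt(const datum_t *rserial, const datum_t *cert)
{
    uint8_t c[64];
    size_t t = sizeof(c);
    datum_t cserial = { c, sizeof(c) };

    if (get_serial(cert, c, &t) < 0)
        return -1;
    cserial.size = t;   /* the line the patch adds; without it cserial.size
                           would still be sizeof(c), not the serial length */
    return serial_match_strict(rserial, &cserial);
}

int main(void)
{
    printf("prefix-only, prefix response: %d (accepted, wrongly)\n",
           serial_match_prefix_only(&RESP_SERIAL_PREFIX, &CERT_SERIAL));
    printf("strict, prefix response: %d\n",
           serial_match_strict(&RESP_SERIAL_PREFIX, &CERT_SERIAL));
    printf("strict, exact response: %d\n",
           serial_match_strict(&RESP_SERIAL_EXACT, &CERT_SERIAL));
    printf("strict, empty response: %d\n",
           serial_match_strict(&RESP_SERIAL_EMPTY, &CERT_SERIAL));
    printf("check_crt, exact response: %d\n",
           check_crt(&RESP_SERIAL_EXACT, &CERT_SERIAL));
    return 0;
}
```

The point of the `check_crt()` shape is that the getter's reported length must be copied into the datum before the compare; a comparison that trusts only the responder's length (the prefix-only form) lets a response for a serial that is a prefix of, or empty relative to, the certificate's serial pass the check.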
--- Begin Message ---
Version: 8.7
Hi,
Each of these bugs refers to an update that was included in today's 8.7
point release.
Regards,
Adam
--- End Message ---