Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker
Commits: af98e4a1 by Guilhem Moulin at 2026-05-22T18:10:45+02:00 CVE-2026-42010/gnutls28: Reference commit introducing the issue Support for non-null terminated usernames in PSK negotiation was added in 3.6.13 via https://gitlab.com/gnutls/gnutls/-/work_items/586 , see https://lists.gnutls.org/pipermail/gnutls-help/2020-March/004642.html and https://gitlab.com/gnutls/gnutls/-/issues/1850#note_3270513055 . - - - - - 6e8a75be by Guilhem Moulin at 2026-05-22T18:11:49+02:00 Reserve DLA-4595-1 for gnutls28 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -14467,6 +14467,7 @@ CVE-2026-42010 (A flaw was found in gnutls. Servers configured with RSA-PSK (Riv NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-4 NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1850 NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/cb1833afd9b6309563211b1c0a7c291f52ca98d5 (3.8.13) + NOTE: Introduced with: https://gitlab.com/gnutls/gnutls/-/commit/d00638997fa269a975095d852633b48b2b64fbf9 (3.6.13) CVE-2026-33845 (A flaw in GnuTLS DTLS handshake parsing allows malformed fragments wit ...) {DSA-6281-1} - gnutls28 3.8.13-1 (bug #1135319) ===================================== data/DLA/list ===================================== 
@@ -1,3 +1,6 @@ +[22 May 2026] DLA-4595-1 gnutls28 - security update + {CVE-2026-3833 CVE-2026-5260 CVE-2026-33845 CVE-2026-33846 CVE-2026-42009 CVE-2026-42010 CVE-2026-42011 CVE-2026-42012 CVE-2026-42013 CVE-2026-42014 CVE-2026-42015} + [bullseye] - gnutls28 3.7.1-5+deb11u10 [22 May 2026] DLA-4594-1 thunderbird - security update {CVE-2026-8388 CVE-2026-8391 CVE-2026-8401 CVE-2026-8946 CVE-2026-8947 CVE-2026-8950 CVE-2026-8953 CVE-2026-8954 CVE-2026-8955 CVE-2026-8956 CVE-2026-8957 CVE-2026-8958 CVE-2026-8961 CVE-2026-8962 CVE-2026-8968 CVE-2026-8970 CVE-2026-8974 CVE-2026-8975} [bullseye] - thunderbird 1:140.11.0esr-1~deb11u1 ===================================== data/dla-needed.txt ===================================== @@ -199,10 +199,6 @@ glibc NOTE: 20260404: Added by Front-Desk (ta) NOTE: 20260404: no upstream fix yet -- -gnutls28 (guilhem) - NOTE: 20260503: Added by Front-Desk (lamby) - NOTE: 20260520: DSA-6281-1 released (Beuc/front-desk) --- golang-github-gorilla-csrf NOTE: 20250422: Added by Front-Desk (rouca) NOTE: 20250422: Need to binNMU reverse depends (in that order): golang-github-alecthomas-chroma, golang-github-niklasfasching-go-org, golang-github-yuin-goldmark-highlighting, hugo (rouca)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9aa8a8fd5b53fd1de1ed21d96bf5858c33b1b6ab...6e8a75bec0d273d8611deaed3464d5b7ecd5e1ee
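Review bot: In the data/CVE/list hunk, the new `NOTE: Introduced with:` line for CVE-2026-42010 gives only the commit URL and `(3.6.13)`, while the evidence for that attribution (the upstream issue comment https://gitlab.com/gnutls/gnutls/-/issues/1850#note_3270513055 and the 3.6.13 announcement) is recorded only in the commit message. Someone triaging older suites from the tracker entry alone cannot see why that commit was picked. Consider adding a second NOTE that points at the issue comment, since the existing NOTE links issue 1850 without the anchor.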
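Review bot: In the data/DLA/list hunk, DLA-4595-1 lists CVE-2026-33845, but the context lines of the data/CVE/list hunk still show that CVE's cross-reference as `{DSA-6281-1}` only. If that line is not regenerated elsewhere, it should also carry DLA-4595-1. The same check applies to the other ten CVEs named in the new entry, whose data/CVE/list entries are not visible in this patch.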
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
