Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4

2020-07-09 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2020-06-07 at 08:45 +0200, Andreas Metzler wrote:
> Control: tags -1 - moreinfo
> Control: retitle -1 buster-pu: package gnutls28/3.6.7-4+deb10u5
> 
> On 2020-05-26 Andreas Metzler  wrote:
> > Control: tags 960836 + moreinfo
> > Please hold on approving this. I will probably need to add a fix
> > for
> > https://gitlab.com/gnutls/gnutls/-/issues/997
> 
> Hello,
> 
> find attached a new version rebased on the latest DSA and featuring
> these additional fixes:

Please go ahead, sorry for the delay.

Regards,

Adam



Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4

2020-06-07 Thread Andreas Metzler
Control: tags -1 - moreinfo
Control: retitle -1 buster-pu: package gnutls28/3.6.7-4+deb10u5

On 2020-05-26 Andreas Metzler  wrote:
> Control: tags 960836 + moreinfo

> Please hold on approving this. I will probably need to add a fix for
> https://gitlab.com/gnutls/gnutls/-/issues/997

Hello,

find attached a new version rebased on the latest DSA and featuring these
additional fixes:

* 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch
  from GnuTLS 3.6.14: Handle zero length session tickets, fixing connection
  errors on TLS1.2 sessions to some big hosting providers. (See LP 1876286)
* 44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
  44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch
  44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch
  backported from GnuTLS 3.6.14: Fix verification error with alternate
  chains. Closes: #961889

TIA, cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog	2020-06-05 19:32:17.0 +0200
+++ gnutls28-3.6.7/debian/changelog	2020-06-07 07:45:55.0 +0200
@@ -1,3 +1,24 @@
+gnutls28 (3.6.7-4+deb10u5) buster; urgency=medium
+
+  * 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch
+from GNUTLS 3.6.11: Fix TL1.2 resumption errors. Closes: #956649
+  * 47_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch from GNUTLS
+3.6.14: One line fix for memory leak. Closes: #958704
+  * Rename
+44_rel3.6.14_01-stek-differentiate-initial-state-from-valid-time-win.patch
+(security upload) to 44_rel3.6.14_90_... to be able to pull earlier fixes
+from 3.6.14 and have correct patch filename order.
+  * 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch
+from GnuTLS 3.6.14: Handle zero length session tickets, fixing connection
+errors on TLS1.2 sessions to some big hosting providers. (See LP 1876286)
+  * 44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
+44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch
+44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch
+backported from GnuTLS 3.6.14: Fix verification error with alternate
+chains. Closes: #961889
+
+ -- Andreas Metzler   Sun, 07 Jun 2020 07:45:55 +0200
+
 gnutls28 (3.6.7-4+deb10u4) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
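Review bot: The second entry in this hunk names the leak fix 47_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch but says it comes "from GNUTLS 3.6.14"; the other 3.6.14 backports carry the 44_rel3.6.14_* prefix, so either the filename or the text is wrong, and the mismatch undercuts the ordering rationale given in the rename entry just above it. "Fix TL1.2 resumption errors" should read "TLS1.2", and "GNUTLS" is spelled "GnuTLS" elsewhere in the same entry. Renaming the security team's 44_rel3.6.14_01-stek-... patch to 44_rel3.6.14_90_... is reasonable for series order, but the entry should say explicitly that only the filename changes, so the reviewer can confirm the series applied in buster-security is otherwise untouched.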
diff -Nru gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch
--- gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch	1970-01-01 01:00:00.0 +0100
+++ gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch	2020-06-07 06:48:47.0 +0200
@@ -0,0 +1,610 @@
+From afa6e340c084542ef416afc96dd0329f5507 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos 
+Date: Tue, 8 Oct 2019 07:23:31 +0200
+Subject: [PATCH] session tickets: parse extension during session resumption on
+ client side
+
+It is possible for a server to send a new session ticket during
+TLS1.2 resumption. To be able to parse it as client we need to
+check the extension during resumption as well.
+
+Resolves: #841
+
+Signed-off-by: Nikos Mavrogiannopoulos 
+---
+ NEWS|  3 +++
+ lib/ext/alpn.c  |  3 ++-
+ lib/ext/client_cert_type.c  |  3 ++-
+ lib/ext/cookie.c|  3 ++-
+ lib/ext/dumbfw.c|  3 ++-
+ lib/ext/early_data.c|  3 ++-
+ lib/ext/ec_point_formats.c  |  3 ++-
+ lib/ext/etm.c   |  3 ++-
+ lib/ext/ext_master_secret.c |  3 ++-
+ lib/ext/heartbeat.c |  3 ++-
+ lib/ext/key_share.c |  3 ++-
+ lib/ext/max_record.c|  3 ++-
+ lib/ext/post_handshake.c|  3 ++-
+ lib/ext/pre_shared_key.c|  3 ++-
+ lib/ext/psk_ke_modes.c  |  3 ++-
+ lib/ext/record_size_limit.c |  3 ++-
+ lib/ext/safe_renegotiation.c|  3 ++-
+ lib/ext/server_cert_type.c  |  3 ++-
+ lib/ext/server_name.c   |  3 ++-
+ lib/ext/session_ticket.c|  7 ++-
+ lib/ext/signature.c |  3 ++-
+ lib/ext/srp.c   |  3 ++-
+ lib/ext/srtp.c  |  3 ++-
+ lib/ext/status_request.c|  3 ++-
+ lib/ext/supported_groups.c  |  3 ++-
+ lib/ext/supported_versions.c|  3 ++-
+ lib/hello_ext.c | 36 ++---
+ lib/hello_ext.h |  3 ++-
+ lib/includes/gnutls/gnutls.h.in |  4 ++--
+ tests/gnutls-cli-resume.sh  | 17 
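Review bot: The new patch file is a plain git format-patch export with no DEP-3 Origin: or Bug-Debian: fields; the From line carries the upstream commit id, but adding Origin: with the upstream commit URL, Bug: for upstream issue #841 and Bug-Debian: https://bugs.debian.org/956649 would make the provenance machine-readable for the release team. The diffstat also lists lib/includes/gnutls/gnutls.h.in (4 lines); for a stable update, please confirm in the changelog that this change is comment or documentation only and does not alter the public API.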

Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4

2020-05-26 Thread Andreas Metzler
Control: tags 960836 + moreinfo

Please hold on approving this. I will probably need to add a fix for
https://gitlab.com/gnutls/gnutls/-/issues/997

cu Andreas



Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4

2020-05-18 Thread Andreas Metzler
Control: tags 960836 - moreinfo

On 2020-05-17 "Adam D. Barratt"  wrote:
> Control: tags -1 + moreinfo

> On Sun, 2020-05-17 at 14:23 +0200, Andreas Metzler wrote:
>> I would like to update gnutls to fix #95664 aka
>> https://gitlab.com/gnutls/gnutls/-/issues/841 fixing TLS1.2 client
>> side resumption errors.

> #956649. :-)

> I'm assuming this is fixed in at least unstable already, but the BTS
> metadata suggests otherwise (potentially not helped by the local
> "found" version).

> Please could you confirm, and fix either the metadata or unstable.

Hello Adam,

Yes, it is fixed in both buster and sid, I have corrected the bug
metadata accordingly.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4

2020-05-17 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Sun, 2020-05-17 at 14:23 +0200, Andreas Metzler wrote:
> I would like to update gnutls to fix #95664 aka
> https://gitlab.com/gnutls/gnutls/-/issues/841 fixing TLS1.2 client
> side resumption errors.

#956649. :-)

I'm assuming this is fixed in at least unstable already, but the BTS
metadata suggests otherwise (potentially not helped by the local
"found" version).

Please could you confirm, and fix either the metadata or unstable.

Thanks,

Adam



Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4

2020-05-17 Thread Andreas Metzler
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I would like to update gnutls to fix #95664 aka
https://gitlab.com/gnutls/gnutls/-/issues/841 fixing TLS1.2 client side
resumption errors. And while I am at it I would also pick a one-line
fix for a memory leak (Fix requested in #958704.)

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog	2020-04-03 21:31:50.0 +0200
+++ gnutls28-3.6.7/debian/changelog	2020-05-17 13:45:29.0 +0200
@@ -1,3 +1,12 @@
+gnutls28 (3.6.7-4+deb10u4) buster; urgency=medium
+
+  * 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch
+from GNUTLS 3.6.11: Fix TL1.2 resumption errors. Closes: #956649
+  * 47_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch from GNUTLS
+3.6.14: One line fix for memory leak. Closes: #958704
+
+ -- Andreas Metzler   Sun, 17 May 2020 13:45:29 +0200
+
 gnutls28 (3.6.7-4+deb10u3) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
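Review bot: "Fix TL1.2 resumption errors" in the first entry should read "TLS1.2", and the leak fix is listed as 47_rel3.6.13_10-... while the text says it comes from GNUTLS 3.6.14; the filename prefix and the stated source release should agree (the resumption patch uses 42_rel3.6.11 for a 3.6.11 commit, so the convention here is prefix = source release). "GNUTLS" should also match the upstream spelling GnuTLS used in the rest of the package.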
diff -Nru gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch
--- gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch	1970-01-01 01:00:00.0 +0100
+++ gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch	2020-05-17 10:08:09.0 +0200
@@ -0,0 +1,610 @@
+From afa6e340c084542ef416afc96dd0329f5507 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos 
+Date: Tue, 8 Oct 2019 07:23:31 +0200
+Subject: [PATCH] session tickets: parse extension during session resumption on
+ client side
+
+It is possible for a server to send a new session ticket during
+TLS1.2 resumption. To be able to parse it as client we need to
+check the extension during resumption as well.
+
+Resolves: #841
+
+Signed-off-by: Nikos Mavrogiannopoulos 
+---
+ NEWS|  3 +++
+ lib/ext/alpn.c  |  3 ++-
+ lib/ext/client_cert_type.c  |  3 ++-
+ lib/ext/cookie.c|  3 ++-
+ lib/ext/dumbfw.c|  3 ++-
+ lib/ext/early_data.c|  3 ++-
+ lib/ext/ec_point_formats.c  |  3 ++-
+ lib/ext/etm.c   |  3 ++-
+ lib/ext/ext_master_secret.c |  3 ++-
+ lib/ext/heartbeat.c |  3 ++-
+ lib/ext/key_share.c |  3 ++-
+ lib/ext/max_record.c|  3 ++-
+ lib/ext/post_handshake.c|  3 ++-
+ lib/ext/pre_shared_key.c|  3 ++-
+ lib/ext/psk_ke_modes.c  |  3 ++-
+ lib/ext/record_size_limit.c |  3 ++-
+ lib/ext/safe_renegotiation.c|  3 ++-
+ lib/ext/server_cert_type.c  |  3 ++-
+ lib/ext/server_name.c   |  3 ++-
+ lib/ext/session_ticket.c|  7 ++-
+ lib/ext/signature.c |  3 ++-
+ lib/ext/srp.c   |  3 ++-
+ lib/ext/srtp.c  |  3 ++-
+ lib/ext/status_request.c|  3 ++-
+ lib/ext/supported_groups.c  |  3 ++-
+ lib/ext/supported_versions.c|  3 ++-
+ lib/hello_ext.c | 36 ++---
+ lib/hello_ext.h |  3 ++-
+ lib/includes/gnutls/gnutls.h.in |  4 ++--
+ tests/gnutls-cli-resume.sh  | 17 
+ 30 files changed, 98 insertions(+), 44 deletions(-)
+
+ 
+diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c
+index b9991f0a1..7cc799756 100644
+--- a/lib/ext/alpn.c
 b/lib/ext/alpn.c
+@@ -39,7 +39,8 @@ const hello_ext_entry_st ext_mod_alpn = {
+ 	.tls_id = 16,
+ 	.gid = GNUTLS_EXTENSION_ALPN,
+ 	/* this extension must be parsed even on resumption */
+-	.parse_type = GNUTLS_EXT_MANDATORY,
++	.client_parse_point = GNUTLS_EXT_MANDATORY,
++	.server_parse_point = GNUTLS_EXT_MANDATORY,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS |
+ 		GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_EE |
+ 		GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+diff --git a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c
+index b627b71f9..34f4dcfa4 100644
+--- a/lib/ext/client_cert_type.c
 b/lib/ext/client_cert_type.c
+@@ -48,7 +48,8 @@ const hello_ext_entry_st ext_mod_client_cert_type = {
+ 	.name = "Client Certificate Type",
+ 	.tls_id = 19,
+ 	.gid = GNUTLS_EXTENSION_CLIENT_CERT_TYPE,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS |
+ 		GNUTLS_EXT_FLAG_DTLS |
+ 		GNUTLS_EXT_FLAG_CLIENT_HELLO |
+diff --git a/lib/ext/cookie.c b/lib/ext/cookie.c
+index 0feb2f0e5..b4608f3a9 100644
+--- a/lib/ext/cookie.c
 b/lib/ext/cookie.c
+@@ -41,7 +41,8 @@ const hello_ext_entry_st
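Review bot: The visible hunks of the backported patch replace the single .parse_type field of hello_ext_entry_st with .client_parse_point and .server_parse_point in every lib/ext/*.c entry, and the diffstat lists lib/hello_ext.h and lib/includes/gnutls/gnutls.h.in among the changed files; since hello_ext_entry_st is declared in the internal lib/hello_ext.h header this should not change the library ABI, but the changelog entry should state that, and the gnutls.h.in hunk should be confirmed as comment or documentation only. The behavioural change for upstream #841 is confined to the lib/ext/session_ticket.c entry (7 lines in the diffstat), which is where the commit message says the client must parse the extension during resumption; the remaining per-extension hunks are mechanical and preserve each extension's existing policy, as the ALPN entry (GNUTLS_EXT_MANDATORY on both sides, matching its "must be parsed even on resumption" comment) shows.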