Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4
Control: tags -1 + confirmed

On Sun, 2020-06-07 at 08:45 +0200, Andreas Metzler wrote:
> Control: tags -1 - moreinfo
> Control: retitle -1 buster-pu: package gnutls28/3.6.7-4+deb10u5
>
> On 2020-05-26 Andreas Metzler wrote:
> > Control: tags 960836 + moreinfo
> > Please hold on approving this. I will probably need to add a fix
> > for
> > https://gitlab.com/gnutls/gnutls/-/issues/997
>
> Hello,
>
> find attached a new version rebased on the latest DSA and featuring
> these additional fixes:

Please go ahead, sorry for the delay.

Regards,

Adam
Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4
Control: tags -1 - moreinfo
Control: retitle -1 buster-pu: package gnutls28/3.6.7-4+deb10u5

On 2020-05-26 Andreas Metzler wrote:
> Control: tags 960836 + moreinfo
> Please hold on approving this. I will probably need to add a fix for
> https://gitlab.com/gnutls/gnutls/-/issues/997

Hello,

find attached a new version rebased on the latest DSA and featuring these additional fixes:

* 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch
  from GnuTLS 3.6.14: Handle zero length session tickets, fixing connection
  errors on TLS1.2 sessions to some big hosting providers. (See LP 1876286)
* 44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
  44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch
  44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch
  backported from GnuTLS 3.6.14: Fix verification error with alternate
  chains. Closes: #961889

TIA, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2020-06-05 19:32:17.0 +0200 +++ gnutls28-3.6.7/debian/changelog 2020-06-07 07:45:55.0 +0200
@@ -1,3 +1,24 @@ +gnutls28 (3.6.7-4+deb10u5) buster; urgency=medium + + * 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch +from GNUTLS 3.6.11: Fix TL1.2 resumption errors. Closes: #956649 + * 47_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch from GNUTLS +3.6.14: One line fix for memory leak. Closes: #958704 + * Rename +44_rel3.6.14_01-stek-differentiate-initial-state-from-valid-time-win.patch +(security upload) to 44_rel3.6.14_90_... to be able to pull earlier fixes +from 3.6.14 and have correct patch filename order. + * 44_rel3.6.14_10-Update-session_ticket.c-to-add-support-for-zero-leng.patch +from GnuTLS 3.6.14: Handle zero length session tickets, fixing connection +errors on TLS1.2 sessions to some big hosting providers. (See LP 1876286) + * 44_rel3.6.14_15-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch +44_rel3.6.14_16-x509-trigger-fallback-verification-path-when-cert-is.patch +44_rel3.6.14_17-tests-add-test-case-for-certificate-chain-supersedin.patch +backported from GnuTLS 3.6.14: Fix verification error with alternate +chains. Closes: #961889 + + -- Andreas Metzler Sun, 07 Jun 2020 07:45:55 +0200 + gnutls28 (3.6.7-4+deb10u4) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch --- gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch 2020-06-07 06:48:47.0 +0200 
@@ -0,0 +1,610 @@ +From afa6e340c084542ef416afc96dd0329f5507 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Tue, 8 Oct 2019 07:23:31 +0200 +Subject: [PATCH] session tickets: parse extension during session resumption on + client side + +It is possible for a server to send a new session ticket during +TLS1.2 resumption. To be able to parse it as client we need to +check the extension during resumption as well. + +Resolves: #841 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + NEWS| 3 +++ + lib/ext/alpn.c | 3 ++- + lib/ext/client_cert_type.c | 3 ++- + lib/ext/cookie.c| 3 ++- + lib/ext/dumbfw.c| 3 ++- + lib/ext/early_data.c| 3 ++- + lib/ext/ec_point_formats.c | 3 ++- + lib/ext/etm.c | 3 ++- + lib/ext/ext_master_secret.c | 3 ++- + lib/ext/heartbeat.c | 3 ++- + lib/ext/key_share.c | 3 ++- + lib/ext/max_record.c| 3 ++- + lib/ext/post_handshake.c| 3 ++- + lib/ext/pre_shared_key.c| 3 ++- + lib/ext/psk_ke_modes.c | 3 ++- + lib/ext/record_size_limit.c | 3 ++- + lib/ext/safe_renegotiation.c| 3 ++- + lib/ext/server_cert_type.c | 3 ++- + lib/ext/server_name.c | 3 ++- + lib/ext/session_ticket.c| 7 ++- + lib/ext/signature.c | 3 ++- + lib/ext/srp.c | 3 ++- + lib/ext/srtp.c | 3 ++- + lib/ext/status_request.c| 3 ++- + lib/ext/supported_groups.c | 3 ++- + lib/ext/supported_versions.c| 3 ++- + lib/hello_ext.c | 36 ++--- + lib/hello_ext.h | 3 ++- + lib/includes/gnutls/gnutls.h.in | 4 ++-- + tests/gnutls-cli-resume.sh | 17
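Review bot: in the debian/changelog hunk, the bullet for the memory-leak fix names the file 47_rel3.6.13_10-session_pack-fix-leak-in-error-path.patch but says it comes "from GNUTLS 3.6.14", and the earlier deb10u4 submission called the same file 47_rel3.6.14_10-...; settle on one release in both the filename and the text, since the prefix is what the rename bullet relies on for patch ordering. The rename bullet itself elides the new name ("44_rel3.6.14_90_..."); spell it out so the changelog records the file that actually exists in debian/patches.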
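Review bot: the diffstat of 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch touches lib/hello_ext.h and the public header lib/includes/gnutls/gnutls.h.in; for a buster stable update, confirm that those header changes are additive (no public symbol or enum value of libgnutls30 renamed or removed) before accepting, and note that tests/gnutls-cli-resume.sh gains 17 lines, so the upstream regression test for TLS1.2 resumption is carried along and should be exercised by the package's build-time test run.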
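The zero-length session ticket bullet above refers to a client-side parsing problem: RFC 5077 lets a server answer with a NewSessionTicket whose ticket field is empty when it decides not to issue one, and a client that treats that as malformed drops the connection. The following is an added example written for this page, not GnuTLS code and not part of the Debian patch: a standalone C parser for the TLS 1.2 NewSessionTicket handshake message that accepts a zero-length ticket, rejects truncated or over-long messages, and reports whether the client should replace its stored ticket. All function and type names, the constructed sample byte strings and the policy helper are the example's own assumptions.

```c
/* Added example, not GnuTLS code: parse a TLS 1.2 NewSessionTicket
 * handshake message (RFC 5246 handshake header + RFC 5077 section 3.3 body)
 * and treat a zero-length ticket as legal rather than as an error. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Parser outcomes (names are this example's own). */
enum {
    NST_OK = 0,
    NST_NOT_TICKET = -1,   /* handshake type is not new_session_ticket(4) */
    NST_TRUNCATED = -2,    /* message claims more bytes than were delivered */
    NST_TRAILING = -3      /* bytes left over after the ticket ends */
};

#define HANDSHAKE_TYPE_NEW_SESSION_TICKET 4

typedef struct {
    uint32_t lifetime_hint;  /* ticket_lifetime_hint in seconds; 0 = unspecified */
    const uint8_t *ticket;   /* points into the caller's buffer; NULL when empty */
    uint16_t ticket_len;     /* 0 is legal: the server declined to issue a ticket */
} new_session_ticket_t;

/* Parse one complete handshake message: 1-byte type, 24-bit length, then
 * the body "uint32 ticket_lifetime_hint; opaque ticket<0..2^16-1>". */
int parse_new_session_ticket(const uint8_t *msg, size_t len, new_session_ticket_t *out)
{
    if (len < 4)
        return NST_TRUNCATED;
    if (msg[0] != HANDSHAKE_TYPE_NEW_SESSION_TICKET)
        return NST_NOT_TICKET;

    size_t body_len = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    if (body_len > len - 4)
        return NST_TRUNCATED;
    if (body_len < len - 4)
        return NST_TRAILING;

    const uint8_t *body = msg + 4;
    if (body_len < 6)                       /* hint (4) + ticket length (2) */
        return NST_TRUNCATED;
    uint32_t hint = ((uint32_t)body[0] << 24) | ((uint32_t)body[1] << 16) |
                    ((uint32_t)body[2] << 8) | body[3];
    uint16_t tlen = (uint16_t)(((uint16_t)body[4] << 8) | body[5]);
    if ((size_t)tlen > body_len - 6)
        return NST_TRUNCATED;
    if ((size_t)tlen < body_len - 6)
        return NST_TRAILING;

    out->lifetime_hint = hint;
    out->ticket_len = tlen;
    out->ticket = (tlen > 0) ? body + 6 : NULL;   /* zero length accepted, not rejected */
    return NST_OK;
}

/* Client policy after a successful parse: only a non-empty ticket replaces the
 * stored resumption data; an empty one means "keep what you already have". */
int ticket_should_replace_stored(const new_session_ticket_t *t)
{
    return t->ticket_len > 0;
}

/* Constructed samples for this example, not captured traffic. */
static const uint8_t SAMPLE_EMPTY_TICKET[] = {
    0x04, 0x00, 0x00, 0x06,              /* type 4, body length 6 */
    0x00, 0x00, 0x00, 0x00,              /* lifetime_hint 0 */
    0x00, 0x00                           /* ticket length 0: server issued none */
};
static const uint8_t SAMPLE_TICKET[] = {
    0x04, 0x00, 0x00, 0x0a,              /* type 4, body length 10 */
    0x00, 0x00, 0x1c, 0x20,              /* lifetime_hint 7200 seconds */
    0x00, 0x04, 0xde, 0xad, 0xbe, 0xef   /* 4-byte opaque ticket */
};

int main(void)
{
    new_session_ticket_t t;
    int rc = parse_new_session_ticket(SAMPLE_EMPTY_TICKET, sizeof SAMPLE_EMPTY_TICKET, &t);
    printf("empty ticket:  rc=%d len=%u replace=%d\n", rc, (unsigned)t.ticket_len,
           ticket_should_replace_stored(&t));
    rc = parse_new_session_ticket(SAMPLE_TICKET, sizeof SAMPLE_TICKET, &t);
    printf("real ticket:   rc=%d hint=%lu len=%u replace=%d\n", rc,
           (unsigned long)t.lifetime_hint, (unsigned)t.ticket_len,
           ticket_should_replace_stored(&t));
    /* Deliver only the first 10 bytes of the real ticket message: truncated. */
    rc = parse_new_session_ticket(SAMPLE_TICKET, 10, &t);
    printf("truncated:     rc=%d\n", rc);
    return 0;
}
```

The distinction the example draws is the one the changelog bullet is about: an empty ticket is a valid message that carries no new state, so the client keeps its existing session data and continues, whereas a length mismatch is a genuine framing error.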
Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4
Control: tags 960836 + moreinfo

Please hold on approving this. I will probably need to add a fix for
https://gitlab.com/gnutls/gnutls/-/issues/997

cu Andreas
Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4
Control: tags 960836 - moreinfo

On 2020-05-17 "Adam D. Barratt" wrote:
> Control: tags -1 + moreinfo
> On Sun, 2020-05-17 at 14:23 +0200, Andreas Metzler wrote:
>> I would like to update gnutls to fix #95664 aka
>> https://gitlab.com/gnutls/gnutls/-/issues/841 fixing TLS1.2 client
>> side resumption errors.
> #956649. :-)
> I'm assuming this is fixed in at least unstable already, but the BTS
> metadata suggests otherwise (potentially not helped by the local
> "found" version).
> Please could you confirm, and fix either the metadata or unstable.

Hello Adam,

Yes, it is fixed in both buster and sid; I have corrected the bug metadata accordingly.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4
Control: tags -1 + moreinfo

On Sun, 2020-05-17 at 14:23 +0200, Andreas Metzler wrote:
> I would like to update gnutls to fix #95664 aka
> https://gitlab.com/gnutls/gnutls/-/issues/841 fixing TLS1.2 client
> side resumption errors.

#956649. :-)

I'm assuming this is fixed in at least unstable already, but the BTS
metadata suggests otherwise (potentially not helped by the local
"found" version).

Please could you confirm, and fix either the metadata or unstable.

Thanks,

Adam
Bug#960836: buster-pu: package gnutls28/3.6.7-4+deb10u4
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I would like to update gnutls to fix #95664 aka
https://gitlab.com/gnutls/gnutls/-/issues/841 fixing TLS1.2 client side resumption errors.

And while I am at it I would also pick a one-line fix for a memory leak
(Fix requested in #958704.)

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog --- gnutls28-3.6.7/debian/changelog 2020-04-03 21:31:50.0 +0200 +++ gnutls28-3.6.7/debian/changelog 2020-05-17 13:45:29.0 +0200 @@ -1,3 +1,12 @@ +gnutls28 (3.6.7-4+deb10u4) buster; urgency=medium + + * 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch +from GNUTLS 3.6.11: Fix TL1.2 resumption errors. Closes: #956649 + * 47_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch from GNUTLS +3.6.14: One line fix for memory leak. Closes: #958704 + + -- Andreas Metzler Sun, 17 May 2020 13:45:29 +0200 + gnutls28 (3.6.7-4+deb10u3) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch --- gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch 1970-01-01 01:00:00.0 +0100 +++ gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch 2020-05-17 10:08:09.0 +0200
@@ -0,0 +1,610 @@ +From afa6e340c084542ef416afc96dd0329f5507 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Tue, 8 Oct 2019 07:23:31 +0200 +Subject: [PATCH] session tickets: parse extension during session resumption on + client side + +It is possible for a server to send a new session ticket during +TLS1.2 resumption. To be able to parse it as client we need to +check the extension during resumption as well. + +Resolves: #841 + +Signed-off-by: Nikos Mavrogiannopoulos +--- + NEWS| 3 +++ + lib/ext/alpn.c | 3 ++- + lib/ext/client_cert_type.c | 3 ++- + lib/ext/cookie.c| 3 ++- + lib/ext/dumbfw.c| 3 ++- + lib/ext/early_data.c| 3 ++- + lib/ext/ec_point_formats.c | 3 ++- + lib/ext/etm.c | 3 ++- + lib/ext/ext_master_secret.c | 3 ++- + lib/ext/heartbeat.c | 3 ++- + lib/ext/key_share.c | 3 ++- + lib/ext/max_record.c| 3 ++- + lib/ext/post_handshake.c| 3 ++- + lib/ext/pre_shared_key.c| 3 ++- + lib/ext/psk_ke_modes.c | 3 ++- + lib/ext/record_size_limit.c | 3 ++- + lib/ext/safe_renegotiation.c| 3 ++- + lib/ext/server_cert_type.c | 3 ++- + lib/ext/server_name.c | 3 ++- + lib/ext/session_ticket.c| 7 ++- + lib/ext/signature.c | 3 ++- + lib/ext/srp.c | 3 ++- + lib/ext/srtp.c | 3 ++- + lib/ext/status_request.c| 3 ++- + lib/ext/supported_groups.c | 3 ++- + lib/ext/supported_versions.c| 3 ++- + lib/hello_ext.c | 36 ++--- + lib/hello_ext.h | 3 ++- + lib/includes/gnutls/gnutls.h.in | 4 ++-- + tests/gnutls-cli-resume.sh | 17 + 30 files changed, 98 insertions(+), 44 deletions(-) + + +diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c +index b9991f0a1..7cc799756 100644 +--- a/lib/ext/alpn.c b/lib/ext/alpn.c +@@ -39,7 +39,8 @@ const hello_ext_entry_st ext_mod_alpn = { + .tls_id = 16, + .gid = GNUTLS_EXTENSION_ALPN, + /* this extension must be parsed even on resumption */ +- .parse_type = GNUTLS_EXT_MANDATORY, ++ .client_parse_point = GNUTLS_EXT_MANDATORY, ++ .server_parse_point = GNUTLS_EXT_MANDATORY, + .validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | + 
GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_EE | + GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO, +diff --git a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c +index b627b71f9..34f4dcfa4 100644 +--- a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c +@@ -48,7 +48,8 @@ const hello_ext_entry_st ext_mod_client_cert_type = { + .name = "Client Certificate Type", + .tls_id = 19, + .gid = GNUTLS_EXTENSION_CLIENT_CERT_TYPE, +- .parse_type = GNUTLS_EXT_TLS, ++ .client_parse_point = GNUTLS_EXT_TLS, ++ .server_parse_point = GNUTLS_EXT_TLS, + .validity = GNUTLS_EXT_FLAG_TLS | + GNUTLS_EXT_FLAG_DTLS | + GNUTLS_EXT_FLAG_CLIENT_HELLO | +diff --git a/lib/ext/cookie.c b/lib/ext/cookie.c +index 0feb2f0e5..b4608f3a9 100644 +--- a/lib/ext/cookie.c b/lib/ext/cookie.c +@@ -41,7 +41,8 @@ const hello_ext_entry_st
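Review bot: the debian/changelog hunk has "Fix TL1.2 resumption errors" where "TLS1.2" is meant, and the second bullet ("One line fix for memory leak") does not say what leaks; since the patch name already identifies it as the session_pack error path, saying so in the changelog makes the entry useful to someone reading apt-listchanges output later.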
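Review bot: the lib/ext/alpn.c and lib/ext/client_cert_type.c hunks replace the single .parse_type member of hello_ext_entry_st with a .client_parse_point/.server_parse_point pair, and the diffstat shows lib/hello_ext.h changing alongside; check that every extension table in the buster tree, including any Debian-local patch that defines its own hello_ext_entry_st, is covered by the 26 lib/ext/*.c files in the diffstat, because a designated initializer still naming .parse_type will fail to compile once the field is gone from the header. In alpn.c the comment "this extension must be parsed even on resumption" now sits above both fields; that reads fine, but the same comment is absent from the client_cert_type.c hunk, where both parse points are GNUTLS_EXT_TLS rather than GNUTLS_EXT_MANDATORY, which is worth a one-line justification in the backport notes.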