Public bug reported:

Please allow the merge and upload of https://code.launchpad.net/~adrien-n/ubuntu/+source/gnutls28/+git/gnutls28/+merge/464535 .

I made the commit message there quite complete so I'm basically copying that here.

In a few words, this is meant to include as many fixes as possible (potentially including security ones) since they probably would linger on afterwards. There is also a change regarding PKCS#1 v1.5 which has been deprecated but seemingly kept the same status in gnutls; this adds the recommended replacement and makes it possible to disable the deprecated format in configuration. This is the kind of thing we want for LTS releases.

Moreover, there are no changes that we want to avoid. There are changes we don't care (much) about (tests, static builds, ...), but no changes we want to avoid.

Below is a copy of the commit message of the MR.

This is a late update to gnutls in order to include the most recent security fixes, even if they are low-severity. It merges 3.8.5-2 from Debian and includes a better fix for the issue that prompted the upload of -2 (wrong default configuration if no config file is present).

There are fixes except one potential performance improvement. Some of the fixes are about catching up with current standards.

I went through all commits; there are many varied changes. I'm skipping updates to tests or changes that are not relevant to Ubuntu.

Basic fixes:
- ktls detection (possibly a regression in noble)
- memleak in gnutls-serv
- segfault in _gnutls13_recv_end_of_early_data
- potential segfault in _gnutls13_recv_finished
- missing argument when using the _gnutls_debug_log macro
- wrong test in lib/mpi.c

Misc changes that are still somewhat notable:
- nettle: plumb RIPEMD160, because GCR (commit says "GnuTLS", I think it's a typo) still uses it to display a fingerprint for openpgp keys
- x509: support PBES1-DES-SHA1, in order to parse legacy PKCS#8 files in GCR (the gnome library)

The one performance improvement (that I didn't benchmark): "Make compression libraries dynamically loadable" (it's from January, not April).

Finally, a fix to adapt gnutls to current standards: support RSA-OAEP and make it possible to disable RSAES-PKCS1-v1_5. I think it is important this gets into Noble due to the long support period. Moreover, it can come in handy in the future to be able to disable algorithms when flaws are discovered.

https://www.rfc-editor.org/rfc/rfc8017#section-7 :
> RSAES-OAEP is REQUIRED to be supported for new applications; RSAES-PKCS1-v1_5 is included only for compatibility with existing applications.

** Affects: gnutls28 (Ubuntu)
     Importance: High
         Status: Triaged

https://bugs.launchpad.net/bugs/2062018

Title:
  [FFe] gnutls28: merge 3.8.5-2 and backport RSAES-PKCS1-v1_5 fix