lp://staging/ubuntu/dapper-security/gnutls12
- Get this branch:
- bzr branch lp://staging/ubuntu/dapper-security/gnutls12
Branch information
- Owner:
- Ubuntu branches
- Status:
- Mature
Recent revisions
- 10. By Jamie Strandboge
  * SECURITY UPDATE: fix potential DoS in certificate verification
    - debian/patches/92_CVE-2006-7239.diff: update to verify hash
      algorithm is supported and not NULL
    - CVE-2006-7239
- 9. By Jamie Strandboge
  * SECURITY UPDATE: fix improper handling of '\0' in Common Name (CN) and
    Subject Alternative Name (SAN) in X.509 certificates (LP: #413136)
    - debian/patches/91_CVE-2009-2730.diff: verify length of CN and SAN
      are what we expect and error out if either contains an embedded \0.
      This fix required fixing gnutls_x509_crt_check_hostname() to not
      "treat absence of CN in subject as a successful RFC 2818 hostname".
      This fix also required updating _gnutls_hostname_compare() in
      lib/x509/rfc2818_hostname.c to support wide wildcard hostname and IP
      address matching. This is a backward compatible change which only
      adds additional matching of hostnames.
    - CVE-2009-2730
- 8. By Jamie Strandboge
  * Fix for certificate chain regressions introduced by fixes for
    CVE-2008-4989
  * debian/patches/20_CVE-2008-4989.diff: updated to upstream's final
    2.4.2 - 2.4.3 patchset for lib/x509/verify.c to fix CVE-2008-4989 and
    address all known regressions. To summarize from upstream:
    - Fix X.509 certificate chain validation error (CVE-2008-4989)
    - Fix chain verification for chains that end with RSA-MD2 CAs (LP: #305264)
    - Deprecate X.509 validation chains using MD5 and MD2 signatures
    - Accept chains where intermediary certs are trusted (LP: #305264)
- 7. By Jamie Strandboge
  * Fix for regression where some valid certificate chains would be untrusted
    - Update debian/patches/91_CVE-2008-4989.diff to check if last certificate
      is self-signed and prevent verifying self-signed certificates against
      themselves. Patch from upstream.
    - http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00008.html
    - LP: #305264
- 6. By Jamie Strandboge
  * SECURITY UPDATE: Fix for man-in-the-middle attack in certificate
    validation
    - debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate
      if it is self-signed in lib/x509/verify.c
    - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
    - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3248
    - CVE-2008-4989
- 5. By Kees Cook
  * SECURITY UPDATE: multiple remote denial of service.
  * debian/patches/90_GNUTLS-SA-2008-1.diff: upstream fixes, thanks to Debian.
  * References
    GNUTLS-SA-2008-1
    CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
- 4. By Martin Pitt
  * SECURITY UPDATE: Signature forgery.
  * Add debian/patches/00CVS_CVE-2006-4790.patch:
    - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent
      applications from incorrectly verifying the certificate. (Similar to
      recent OpenSSL update.)
    - Patch taken from upstream CVS:
      http://lists.gnupg.org/pipermail/gnutls-dev/2006-September/001212.html
    - CVE-2006-4790
- 3. By Martin Pitt
  * debian/rules: Activate simple-patchsys.mk.
  * debian/control: Bump libtasn1-2-dev build dependency to >=
    0.2.17-1ubuntu1.
  * Add debian/patches/01_tasn_api_length.patch:
    - lib/x509/xml.c: Fix calls to libtasn1-2's internal _asn1_* API calls for
      new libtasn1-2 version; these calls now expect a buffer length argument to
      check for buffer overflows.
    - lib/minitasn1/: Changed internal _asn1_ function prototypes in header
      files according to recent change in libtasn1-2.
- 2. By Matthias Urlichs
  * Install /usr/lib/pkgconfig/*.pc files.
  * Depend on texinfo (>= 4.8, for the @euro{} sign).
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)