Created by James Westby and last modified
Get this branch:
bzr branch lp://staging/ubuntu/hardy-security/gnutls13
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Ubuntu branches

Recent revisions

19. By Marc Deslauriers

* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - debian/patches/91_CVE-2013-1619.diff: avoid timing attacks in
    lib/gnutls_cipher.c, lib/gnutls_hash_int.h.
  - CVE-2013-1619

18. By Tyler Hicks

* SECURITY UPDATE: Denial of service in client application
  - debian/patches/CVE-2011-4128.patch: Fix buffer bounds check when copying
    session data. Based on upstream patch.
  - CVE-2011-4128
* SECURITY UPDATE: Denial of service via crafted TLS record
  - debian/patches/CVE-2012-1573.patch: Validate the size of a
    GenericBlockCipher structure as it is processed. Based on upstream
  - CVE-2012-1573

17. By Jamie Strandboge

* SECURITY UPDATE: fix improper handling of '\0' in Common Name (CN) and
  Subject Alternative Name (SAN) in X.509 certificates (LP: #413136)
  - debian/patches/91_CVE-2009-2730.diff: verify length of CN and SAN
    are what we expect and error out if either contains an embedded \0.
    This fixed required updating _gnutls_hostname_compare() in
    lib/x509/rfc2818_hostname.c to support wide wildcard hostname matching.
    This is a backward compatible change and which only adds additional
    matching of hostnames.
  - CVE-2009-2730

16. By Jamie Strandboge

* Fix for regression where some valid certificate chains would be untrusted
  - Update debian/patches/91_CVE-2008-4989.diff to check if last certificate
    is self-signed and prevent verifying self-signed certificates against
    themselves. Patch from upstream.
  - http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00008.html
  - LP: #305264

15. By Jamie Strandboge

* SECURITY UPDATE: Fix for man-in-the-middle attack in certificate
  - debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate
    if it is self-signed in lib/x509/verify.c
  - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
  - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3248
  - CVE-2008-4989

14. By Kees Cook

* SECURITY UPDATE: multiple remote denial of service.
* debian/patches/90_GNUTLS-SA-2008-1.diff: upstream fixes, thanks to Debian.
* References
  CVE-2008-1948, CVE-2008-1949, CVE-2008-1950

13. By Steve Langasek

* Pulled from upstream, by way of Debian:
  + debian/patches/20_nulltermfix_465197.diff
    Corrected the behaviour of gnutls_x509_crt_get_subject_alt_name()
    et al. to not null terminate binary strings and return the proper
  + debian/patches/21_nulltermfix_465197_part2.diff
    corrected string handling in parse_general_name.

12. By Martin Pitt

* Merge from debian unstable, remaining changes:
  - debian/rules: Use clean-la.mk.

11. By Martin Pitt

Use clean-la.mk to remove the dependencies from the .la files.

10. By Andreas Metzler <email address hidden>

* New upstream version.
* Remove doc/*.info* on clean to allow building thrice in a row.
  (Closes: #441740)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information 
Everyone can see this information.