Ubuntu
gnutls26 package

lp://staging/ubuntu/intrepid-security/gnutls26

Intrepid (8.10)
intrepid-security

Created by James Westby on 2009-06-27 and last modified on 2009-08-20

Get this branch:: bzr branch lp://staging/ubuntu/intrepid-security/gnutls26

Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

No branches dependent on this one.

Related bugs

Link a bug report

Related blueprints

Branch information

Owner:: Ubuntu branches

Review team:: Ubuntu Development Team

Status:: Development

Recent revisions

10. By Jamie Strandboge on 2009-08-14: * SECURITY UPDATE: fix improper handling of '\0' in Common Name (CN) and
  Subject Alternative Name (SAN) in X.509 certificates (LP: #413136)
  - debian/patches/21_CVE-2009-2730.diff: verify length of CN and SAN
    are what we expect and error out if either contains an embedded \0
  - CVE-2009-2730
9. By Jamie Strandboge on 2009-02-20: * Fix for certificate chain regressions introduced by fixes for
  CVE-2008-4989
* debian/patches/20_CVE-2008-4989.diff: updated to upstream's final
  2.4.2 - 2.4.3 patchset for lib/x509/verify.c to fix CVE-2008-4989 and
  address all known regressions. To summarize from upstream:
  - Fix X.509 certificate chain validation error (CVE-2008-4989)
  - Fix chain verification for chains that end with RSA-MD2 CAs (LP: #305264)
  - Deprecate X.509 validation chains using MD5 and MD2 signatures
  - Accept chains where intermediary certs are trusted (LP: #305264)
8. By Jamie Strandboge on 2008-12-05: * Fix for regression where some valid certificate chains would be untrusted
  - Update debian/patches/20_CVE-2008-4989.diff to check if last certificate
    is self-signed and prevent verifying self-signed certificates against
    themselves. Patch from upstream.
  - http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00008.html
  - LP: #305264
7. By Jamie Strandboge on 2008-11-25: * SECURITY UPDATE: Fix for man-in-the-middle attack in certificate
  validation
  - debian/patches/20_CVE-2008-4989.diff: don't remove the last certificate
    if it is self-signed in lib/x509/verify.c
  - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
  - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3248
  - CVE-2008-4989
6. By Martin Pitt on 2008-08-06: Rebuild against thread-enabled guile-1.8.
5. By Andreas Metzler <email address hidden> on 2008-07-01: New upstream version, fixing a local denial of service vulnerability only
present in >= 2.3.5. GNUTLS-SA-2008-2 CVE-2008-2377
4. By Andreas Metzler <email address hidden> on 2008-06-24: * Standards version 3.8.0. Rename README.source_and_patches to README.source.
* Upload to unstable.
* Point watchfile to stable releases again.
* Merge experimental and unstable changelog.
3. By Andreas Metzler <email address hidden> on 2008-05-20: New upstream version.
Fixes three security vulnerabilities.
[GNUTLS-SA-2008-1-1] [GNUTLS-SA-2008-1-2] [GNUTLS-SA-2008-1-3]. See
<http://www.gnu.org/software/gnutls/security.html>.
CVE-2008-1948, CVE-2008-1949, CVE-2008-1950. DSA-1581-1
2. By Andreas Metzler <email address hidden> on 2008-05-01: * New upstream version. Release candidate for 2.2.3.
+ Increase default handshake packet size limit to 48kb. Closes: #478191
* remove unsupported .l command from debian/libgnutls-config.1
* Use Programming/C as doc-base section.
1. By Andreas Metzler <email address hidden> on 2008-05-01: Import upstream version 2.2.3~rc

Branch metadata

Branch format:: Branch format 7

Repository format:: Bazaar repository format 2a (needs bzr 1.16 or later)

Stacked on:: lp://staging/ubuntu/karmic/gnutls26

This branch contains Public information

Everyone can see this information.

Subscribers

James Westby

Ubuntugnutls26 package