On Tue, 2018-10-23 at 14:00 -0400, Antoine Beaupré wrote: > Hi, > > After the lengthy discussion[1] regarding the pending security issues in > GnuTLS (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846), I have > determined it might be simpler to just upgrade to the latest upstream > 3.3.x version for which upstream is still providing updates. Upstream > agrees with the approach. This removes 35 Debian-specific, backported > patches and fixes other unrelated bugs. The API/ABI *changes*, but it > only adds *new* symbols so the soname versions do not change. [...] I don't know exactly what gnutls's policy is for stable updates, but based on a quick look at the NEWS file it seems like these changes are probably suitable for a stable/LTS update. I did spot some incompatible changes in behaviour which might need to be called out in the Debian changelog or NEWS file, or even reverted, depending on how many users they might affect: ** libgnutls: Refuse to import v1 or v2 certificates that contain extensions. ** libgnutls: ARCFOUR (RC4) is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+ARCFOUR-128". The previous behavior can be restored using the flag --with-arcfour128 to configure. ** libgnutls: SSL 3.0 is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+VERS-SSL3.0". The previous behavior can be restored using the flag --with-ssl3 to configure. ** libgnutls: require strict DER encoding for certificates, OCSP requests, private keys, CRLs and certificate requests. This backports the already default behavior from the 3.5.x branch, in order to reduce issues due to the complexity of BER rules. Ben. -- Ben Hutchings Knowledge is power. France is bacon.
Attachment:
signature.asc
Description: This is a digitally signed message part