Please test gnutls26 update



Hello,

I prepared an update of gnutls26 for squeeze:
$ dget https://people.debian.org/~hertzog/packages/gnutls26_2.8.6-1+squeeze5_amd64.changes

This version seems to work for me. I was able to verify that CVE-2015-0294
is fixed with the test case at
https://gitlab.com/gnutls/gnutls/commit/ca35341243dc2ba13cd703d25becea5da293bc35

For CVE-2015-0282, I used the patch of Red Hat and the test
case at
https://gitlab.com/gnutls/gnutls/commit/58d7dde8a8a6fce1a8aa9aeb29f2247212fe5acd
but unfortunately, I don't get a hard failure with certtool, see
https://bugzilla.redhat.com/show_bug.cgi?id=1194371#c7 but it seems
to correctly detect that the certificate can't be verified... so I'm
tempted to believe that the patch is working correctly anyway.
I see the same behaviour with the updated gnutls26 in wheezy-security
(ccing Salvatore who prepared the wheezy update in case he has some
feedback on this problem).

For CVE-2014-8155, I have no test case. 

Please test the packages and report back if you find any regressions.

Thank you!
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
