
Re: Gnutls and secure renegotiation / CVE-2009-3555 / RFC 5746

On Tuesday 07 December 2010, Simon Josefsson wrote:
> > But Suse has released updates for 2.4.1 and 2.8.6 [2]. I have put
> > the extracted source rpms at [3]. The patches are huge but 80%
> > seem to be the test suite. [3] contains two versions of each,
> > the older one is the released package and the newer one is
> > unreleased but has additional fixes.
> > 
> > My current feeling is that we will just skip gnutls for the first
> > round of Lenny-DSAs that add RFC5746 support. We can reconsider
> > later if it causes many problems for users. Therefore patching
> > squeeze has definitely higher priority. If you have time, it
> > would be great if you could look at the patches.
> 
> If back-ported patches are contributed back upstream (this is the
> first time I heard about Suse's work) we can do a semi-official

The release happened only a few days ago.

> release for 2.8.x with the renegotiation support.  However I don't
> have any free time to do serious checking of the old 2.8.x branch,
> so it will be all up to whoever does the work here to make sure it
> is working correctly.

OK. I think the best way forward is this:

- We will not include gnutls in the first round of RFC5746-DSAs for
  Lenny, which I hope to release before Christmas.
- gnutls in squeeze will be updated by backport to 2.8.6 rather than
  by upgrading to 2.10. This will happen as soon as someone has the time
  to do the testing. IMHO, this can also be done in a DSA or point
  release and should not delay squeeze's release.
- When the backport+testing for 2.8.6 is done, we can decide about
  what to do with 2.4.2 in Lenny.

Cheers,
Stefan
