Your message dated Sat, 14 Jan 2017 12:37:03 +0000 with message-id <1484397423.1091.25.camel@adam-barratt.org.uk> and subject line Closing requests included in today's point release has caused the Debian Bug report #840191, regarding jessie-pu: package gnutls28/3.3.8-6+deb8u4 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 840191: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840191 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package gnutls28/3.3.8-6+deb8u4
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 09 Oct 2016 15:13:56 +0200
- Message-id: <147601883659.21108.9182354146656315165.reportbug@eldamar.local>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi Stable Release Managers, X-Debbugs-CC'ed Andreas Metzler. gnutls28 in jessie is affected by CVE-2016-7444, GNUTLS-SA-2016-3, having a flaw in the OCSP certificate check. This was fixed upstream and included in unstable with 3.5.3-4 but would not warrant a DSA. Attached is proposed debdiff for jessie. Would it be acceptable for an upcoming point release? Regards, Salvatorediff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog --- gnutls28-3.3.8/debian/changelog 2015-08-14 18:29:51.000000000 +0200 +++ gnutls28-3.3.8/debian/changelog 2016-10-09 14:36:18.000000000 +0200 @@ -1,3 +1,11 @@ +gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium + + * Non-maintainer upload. + * CVE-2016-7444: Incorrect certificate validation when using OCSP responses + (GNUTLS-SA-2016-3) + + -- Salvatore Bonaccorso <carnil@debian.org> Sun, 09 Oct 2016 14:36:18 +0200 + gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from diff -Nru gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch --- gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch 2016-10-09 14:36:18.000000000 +0200 @@ -0,0 +1,24 @@ +From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@gnutls.org> +Date: Sat, 27 Aug 2016 17:00:22 +0200 +Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP + response + +Previously the OCSP certificate check wouldn't verify the serial length +and could succeed in cases it shouldn't. + +Reported by Stefan Buehler. +--- + lib/x509/ocsp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/x509/ocsp.c ++++ b/lib/x509/ocsp.c +@@ -1251,6 +1251,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_r + gnutls_assert(); + goto cleanup; + } ++ cserial.size = t; + + if (rserial.size != cserial.size + || memcmp(cserial.data, rserial.data, rserial.size) != 0) { diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series --- gnutls28-3.3.8/debian/patches/series 2015-08-13 19:52:00.000000000 +0200 +++ gnutls28-3.3.8/debian/patches/series 2016-10-09 14:36:18.000000000 +0200 @@ -14,3 +14,4 @@ 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch 51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch 51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch +52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
--- End Message ---
--- Begin Message ---
- To: 823517-done@bugs.debian.org, 829606-done@bugs.debian.org, 836795-done@bugs.debian.org, 836823-done@bugs.debian.org, 837105-done@bugs.debian.org, 837428-done@bugs.debian.org, 837558-done@bugs.debian.org, 837575-done@bugs.debian.org, 837607-done@bugs.debian.org, 838396-done@bugs.debian.org, 838780-done@bugs.debian.org, 838869-done@bugs.debian.org, 838882-done@bugs.debian.org, 839242-done@bugs.debian.org, 839531-done@bugs.debian.org, 839656-done@bugs.debian.org, 839731-done@bugs.debian.org, 839814-done@bugs.debian.org, 839907-done@bugs.debian.org, 839927-done@bugs.debian.org, 840127-done@bugs.debian.org, 840188-done@bugs.debian.org, 840191-done@bugs.debian.org, 840350-done@bugs.debian.org, 840378-done@bugs.debian.org, 840379-done@bugs.debian.org, 840942-done@bugs.debian.org, 841462-done@bugs.debian.org, 841681-done@bugs.debian.org, 841767-done@bugs.debian.org, 841979-done@bugs.debian.org, 842013-done@bugs.debian.org, 842509-done@bugs.debian.org, 842938-done@bugs.debian.org, 843171-done@bugs.debian.org, 843268-done@bugs.debian.org, 843411-done@bugs.debian.org, 843426-done@bugs.debian.org, 843508-done@bugs.debian.org, 843775-done@bugs.debian.org, 843999-done@bugs.debian.org, 844150-done@bugs.debian.org, 844161-done@bugs.debian.org, 844746-done@bugs.debian.org, 845156-done@bugs.debian.org, 845263-done@bugs.debian.org, 845387-done@bugs.debian.org, 845443-done@bugs.debian.org, 845474-done@bugs.debian.org, 845564-done@bugs.debian.org, 845570-done@bugs.debian.org, 846017-done@bugs.debian.org, 846031-done@bugs.debian.org, 846352-done@bugs.debian.org, 846948-done@bugs.debian.org, 847273-done@bugs.debian.org, 847921-done@bugs.debian.org, 848341-done@bugs.debian.org, 848610-done@bugs.debian.org, 848829-done@bugs.debian.org, 848908-done@bugs.debian.org, 848926-done@bugs.debian.org, 848942-done@bugs.debian.org, 849004-done@bugs.debian.org, 849020-done@bugs.debian.org, 849175-done@bugs.debian.org, 849438-done@bugs.debian.org, 849467-done@bugs.debian.org, 849538-done@bugs.debian.org, 849698-done@bugs.debian.org, 849725-done@bugs.debian.org, 849865-done@bugs.debian.org, 849869-done@bugs.debian.org, 849962-done@bugs.debian.org, 849967-done@bugs.debian.org, 850084-done@bugs.debian.org, 850154-done@bugs.debian.org, 850214-done@bugs.debian.org, 850539-done@bugs.debian.org, 850542-done@bugs.debian.org, 850563-done@bugs.debian.org, 850566-done@bugs.debian.org, 850567-done@bugs.debian.org, 838109-done@bugs.debian.org, 849488-done@bugs.debian.org
- Subject: Closing requests included in today's point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 14 Jan 2017 12:37:03 +0000
- Message-id: <1484397423.1091.25.camel@adam-barratt.org.uk>
Version: 8.7 Hi, Each of these bugs refers to an update that was included in today's 8.7 point release. Regards, Adam
--- End Message ---