Bug#840191: marked as done (jessie-pu: package gnutls28/3.3.8-6+deb8u4)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #840191,
regarding jessie-pu: package gnutls28/3.3.8-6+deb8u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
840191: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840191
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable Release Managers,

X-Debbugs-CC'ed Andreas Metzler.

gnutls28 in jessie is affected by CVE-2016-7444, GNUTLS-SA-2016-3,
having a flaw in the OCSP certificate check. This was fixed upstream
and included in unstable with 3.5.3-4 but would not warrant a DSA.

Attached is the proposed debdiff for jessie. Would it be acceptable for an
upcoming point release?

Regards,
Salvatore
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog	2015-08-14 18:29:51.000000000 +0200
+++ gnutls28-3.3.8/debian/changelog	2016-10-09 14:36:18.000000000 +0200
@@ -1,3 +1,11 @@
+gnutls28 (3.3.8-6+deb8u4) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-7444: Incorrect certificate validation when using OCSP responses
+    (GNUTLS-SA-2016-3)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 09 Oct 2016 14:36:18 +0200
+
 gnutls28 (3.3.8-6+deb8u3) jessie; urgency=medium
 
   * Pull 50_Handle-zero-length-plaintext-for-VIA-PadLock-functio.patch from
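Review bot: the changelog entry names the CVE and GNUTLS-SA ids but gives no pointer to where the fix came from; since the new 52_CVE-2016-7444 patch is a verbatim upstream commit (964632f37dfdfb914ebc5e49db4fa29af35b1de9 per its header), mentioning that commit in the entry, e.g. "Cherry-pick upstream commit 964632f3", would let someone auditing jessie later trace the change without unpacking the source.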
diff -Nru gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch
--- gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.3.8/debian/patches/52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch	2016-10-09 14:36:18.000000000 +0200
@@ -0,0 +1,24 @@
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP
+ response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1251,6 +1251,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_r
+ 		gnutls_assert();
+ 		goto cleanup;
+ 	}
++	cserial.size = t;
+ 
+ 	if (rserial.size != cserial.size
+ 	    || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
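Review bot: the single added line only closes the hole if `t` is the byte count actually written into `cserial` by the call just above the hunk, and the three lines of leading context do not show that call or the declaration of `t`; as the context stands, `rserial.size != cserial.size` was comparing against a size that had not been refreshed, and `memcmp(..., rserial.size)` then only examined `rserial.size` bytes, which is exactly the "wouldn't verify the serial length" failure the commit message describes. Please confirm against the jessie 3.3.8 `lib/x509/ocsp.c` that the variable names and the `@@ -1251,6 +1251,7 @@` offset still apply, since the upstream commit was written against the 3.5 tree. The upstream commit also carries no test; a small reproducer under `tests/` with an OCSP response whose serial differs from the certificate's only in length would make any regression of this check visible.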
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series	2015-08-13 19:52:00.000000000 +0200
+++ gnutls28-3.3.8/debian/patches/series	2016-10-09 14:36:18.000000000 +0200
@@ -14,3 +14,4 @@
 51_0001__gnutls_session_sign_algo_enabled-do-not-consider-an.patch
 51_0002_before-falling-back-to-SHA1-as-signature-algorithm-i.patch
 51_0003_tests-added-reproducer-for-the-MD5-acceptance-issue.patch
+52_CVE-2016-7444_ocsp-corrected-the-comparison-of-the-serial-size-in-.patch

--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---