[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#960836: marked as done (buster-pu: package gnutls28/3.6.7-4+deb10u5)

Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #960836,
regarding buster-pu: package gnutls28/3.6.7-4+deb10u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
960836: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960836
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I would like to update gnutls to fix #95664 aka
https://gitlab.com/gnutls/gnutls/-/issues/841 fixing TLS1.2 client side
resumption errors. And while I am at it I would also pick a one-line
fix for a memory leak (Fix requested in #958704.)

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru gnutls28-3.6.7/debian/changelog gnutls28-3.6.7/debian/changelog
--- gnutls28-3.6.7/debian/changelog	2020-04-03 21:31:50.000000000 +0200
+++ gnutls28-3.6.7/debian/changelog	2020-05-17 13:45:29.000000000 +0200
@@ -1,3 +1,12 @@
+gnutls28 (3.6.7-4+deb10u4) buster; urgency=medium
+
+  * 42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch
+    from GNUTLS 3.6.11: Fix TL1.2 resumption errors. Closes: #956649
+  * 47_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch from GNUTLS
+    3.6.14: One line fix for memory leak. Closes: #958704
+
+ -- Andreas Metzler <ametzler@debian.org>  Sun, 17 May 2020 13:45:29 +0200
+
 gnutls28 (3.6.7-4+deb10u3) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch
--- gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch	2020-05-17 10:08:09.000000000 +0200
@@ -0,0 +1,610 @@
+From afa6e340c084542ef416afc9aaaa6dd0329f5507 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Tue, 8 Oct 2019 07:23:31 +0200
+Subject: [PATCH] session tickets: parse extension during session resumption on
+ client side
+
+It is possible for a server to send a new session ticket during
+TLS1.2 resumption. To be able to parse it as client we need to
+check the extension during resumption as well.
+
+Resolves: #841
+
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+---
+ NEWS                            |  3 +++
+ lib/ext/alpn.c                  |  3 ++-
+ lib/ext/client_cert_type.c      |  3 ++-
+ lib/ext/cookie.c                |  3 ++-
+ lib/ext/dumbfw.c                |  3 ++-
+ lib/ext/early_data.c            |  3 ++-
+ lib/ext/ec_point_formats.c      |  3 ++-
+ lib/ext/etm.c                   |  3 ++-
+ lib/ext/ext_master_secret.c     |  3 ++-
+ lib/ext/heartbeat.c             |  3 ++-
+ lib/ext/key_share.c             |  3 ++-
+ lib/ext/max_record.c            |  3 ++-
+ lib/ext/post_handshake.c        |  3 ++-
+ lib/ext/pre_shared_key.c        |  3 ++-
+ lib/ext/psk_ke_modes.c          |  3 ++-
+ lib/ext/record_size_limit.c     |  3 ++-
+ lib/ext/safe_renegotiation.c    |  3 ++-
+ lib/ext/server_cert_type.c      |  3 ++-
+ lib/ext/server_name.c           |  3 ++-
+ lib/ext/session_ticket.c        |  7 ++++++-
+ lib/ext/signature.c             |  3 ++-
+ lib/ext/srp.c                   |  3 ++-
+ lib/ext/srtp.c                  |  3 ++-
+ lib/ext/status_request.c        |  3 ++-
+ lib/ext/supported_groups.c      |  3 ++-
+ lib/ext/supported_versions.c    |  3 ++-
+ lib/hello_ext.c                 | 36 ++++++++++++++++++---------------
+ lib/hello_ext.h                 |  3 ++-
+ lib/includes/gnutls/gnutls.h.in |  4 ++--
+ tests/gnutls-cli-resume.sh      | 17 ++++++++++++++++
+ 30 files changed, 98 insertions(+), 44 deletions(-)
+
+ 
+diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c
+index b9991f0a1..7cc799756 100644
+--- a/lib/ext/alpn.c
++++ b/lib/ext/alpn.c
+@@ -39,7 +39,8 @@ const hello_ext_entry_st ext_mod_alpn = {
+ 	.tls_id = 16,
+ 	.gid = GNUTLS_EXTENSION_ALPN,
+ 	/* this extension must be parsed even on resumption */
+-	.parse_type = GNUTLS_EXT_MANDATORY,
++	.client_parse_point = GNUTLS_EXT_MANDATORY,
++	.server_parse_point = GNUTLS_EXT_MANDATORY,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS |
+ 		    GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_EE |
+ 		    GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+diff --git a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c
+index b627b71f9..34f4dcfa4 100644
+--- a/lib/ext/client_cert_type.c
++++ b/lib/ext/client_cert_type.c
+@@ -48,7 +48,8 @@ const hello_ext_entry_st ext_mod_client_cert_type = {
+ 	.name = "Client Certificate Type",
+ 	.tls_id = 19,
+ 	.gid = GNUTLS_EXTENSION_CLIENT_CERT_TYPE,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS |
+ 		GNUTLS_EXT_FLAG_DTLS |
+ 		GNUTLS_EXT_FLAG_CLIENT_HELLO |
+diff --git a/lib/ext/cookie.c b/lib/ext/cookie.c
+index 0feb2f0e5..b4608f3a9 100644
+--- a/lib/ext/cookie.c
++++ b/lib/ext/cookie.c
+@@ -41,7 +41,8 @@ const hello_ext_entry_st ext_mod_cookie = {
+ 	.gid = GNUTLS_EXTENSION_COOKIE,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_HRR | GNUTLS_EXT_FLAG_IGNORE_CLIENT_REQUEST,
+-	.parse_type = GNUTLS_EXT_MANDATORY, /* force parsing prior to EXT_TLS extensions */
++	.client_parse_point = GNUTLS_EXT_MANDATORY, /* force parsing prior to EXT_TLS extensions */
++	.server_parse_point = GNUTLS_EXT_MANDATORY, /* force parsing prior to EXT_TLS extensions */
+ 	.recv_func = cookie_recv_params,
+ 	.send_func = cookie_send_params,
+ 	.pack_func = NULL,
+diff --git a/lib/ext/dumbfw.c b/lib/ext/dumbfw.c
+index 7ff013e8d..dfd2ee018 100644
+--- a/lib/ext/dumbfw.c
++++ b/lib/ext/dumbfw.c
+@@ -40,7 +40,8 @@ const hello_ext_entry_st ext_mod_dumbfw = {
+ 	.name = "ClientHello Padding",
+ 	.tls_id = 21,
+ 	.gid = GNUTLS_EXTENSION_DUMBFW,
+-	.parse_type = GNUTLS_EXT_APPLICATION,
++	.client_parse_point = GNUTLS_EXT_APPLICATION,
++	.server_parse_point = GNUTLS_EXT_APPLICATION,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO,
+ 	.recv_func = NULL,
+ 	.send_func = _gnutls_dumbfw_send_params,
+diff --git a/lib/ext/early_data.c b/lib/ext/early_data.c
+index 4644f296a..8bb2c012c 100644
+--- a/lib/ext/early_data.c
++++ b/lib/ext/early_data.c
+@@ -40,7 +40,8 @@ const hello_ext_entry_st ext_mod_early_data = {
+ 	.tls_id = 42,
+ 	.gid = GNUTLS_EXTENSION_EARLY_DATA,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_EE,
+-	.parse_type = GNUTLS_EXT_MANDATORY, /* force parsing prior to EXT_TLS extensions */
++	.client_parse_point = GNUTLS_EXT_MANDATORY, /* force parsing prior to EXT_TLS extensions */
++	.server_parse_point = GNUTLS_EXT_MANDATORY, /* force parsing prior to EXT_TLS extensions */
+ 	.recv_func = early_data_recv_params,
+ 	.send_func = early_data_send_params,
+ 	.pack_func = NULL,
+diff --git a/lib/ext/ec_point_formats.c b/lib/ext/ec_point_formats.c
+index c702d434c..d426580b1 100644
+--- a/lib/ext/ec_point_formats.c
++++ b/lib/ext/ec_point_formats.c
+@@ -41,7 +41,8 @@ const hello_ext_entry_st ext_mod_supported_ec_point_formats = {
+ 	.name = "Supported EC Point Formats",
+ 	.tls_id = 11,
+ 	.gid = GNUTLS_EXTENSION_SUPPORTED_EC_POINT_FORMATS,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS |
+ 		    GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+ 	.recv_func = _gnutls_supported_ec_point_formats_recv_params,
+diff --git a/lib/ext/etm.c b/lib/ext/etm.c
+index ad335afd5..273a31a8b 100644
+--- a/lib/ext/etm.c
++++ b/lib/ext/etm.c
+@@ -39,7 +39,8 @@ const hello_ext_entry_st ext_mod_etm = {
+ 	.name = "Encrypt-then-MAC",
+ 	.tls_id = 22,
+ 	.gid = GNUTLS_EXTENSION_ETM,
+-	.parse_type = GNUTLS_EXT_MANDATORY,
++	.client_parse_point = GNUTLS_EXT_MANDATORY,
++	.server_parse_point = GNUTLS_EXT_MANDATORY,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+ 	.recv_func = _gnutls_ext_etm_recv_params,
+diff --git a/lib/ext/ext_master_secret.c b/lib/ext/ext_master_secret.c
+index ad040bccd..bc704e6b6 100644
+--- a/lib/ext/ext_master_secret.c
++++ b/lib/ext/ext_master_secret.c
+@@ -39,7 +39,8 @@ const hello_ext_entry_st ext_mod_ext_master_secret = {
+ 	.name = "Extended Master Secret",
+ 	.tls_id = 23,
+ 	.gid = GNUTLS_EXTENSION_EXT_MASTER_SECRET,
+-	.parse_type = GNUTLS_EXT_MANDATORY,
++	.client_parse_point = GNUTLS_EXT_MANDATORY,
++	.server_parse_point = GNUTLS_EXT_MANDATORY,
+ 	.validity = GNUTLS_EXT_FLAG_TLS|GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+ 	.recv_func = _gnutls_ext_master_secret_recv_params,
+diff --git a/lib/ext/heartbeat.c b/lib/ext/heartbeat.c
+index e3fa602bf..5d9e9f4f8 100644
+--- a/lib/ext/heartbeat.c
++++ b/lib/ext/heartbeat.c
+@@ -526,7 +526,8 @@ const hello_ext_entry_st ext_mod_heartbeat = {
+ 	.name = "Heartbeat",
+ 	.tls_id = 15,
+ 	.gid = GNUTLS_EXTENSION_HEARTBEAT,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_EE | GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+ 	.recv_func = _gnutls_heartbeat_recv_params,
+diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
+index 8f0912e69..4ae12c96b 100644
+--- a/lib/ext/key_share.c
++++ b/lib/ext/key_share.c
+@@ -47,7 +47,8 @@ const hello_ext_entry_st ext_mod_key_share = {
+ 	.name = "Key Share",
+ 	.tls_id = 51,
+ 	.gid = GNUTLS_EXTENSION_KEY_SHARE,
+-	.parse_type = _GNUTLS_EXT_TLS_POST_CS,
++	.client_parse_point = _GNUTLS_EXT_TLS_POST_CS,
++	.server_parse_point = _GNUTLS_EXT_TLS_POST_CS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO |
+ 		    GNUTLS_EXT_FLAG_HRR,
+ 	.recv_func = key_share_recv_params,
+diff --git a/lib/ext/max_record.c b/lib/ext/max_record.c
+index 3cada69be..87302cbd4 100644
+--- a/lib/ext/max_record.c
++++ b/lib/ext/max_record.c
+@@ -46,7 +46,8 @@ const hello_ext_entry_st ext_mod_max_record_size = {
+ 	.name = "Maximum Record Size",
+ 	.tls_id = 1,
+ 	.gid = GNUTLS_EXTENSION_MAX_RECORD_SIZE,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_EE | GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+ 	.recv_func = _gnutls_max_record_recv_params,
+diff --git a/lib/ext/post_handshake.c b/lib/ext/post_handshake.c
+index 73846db11..27fe1e734 100644
+--- a/lib/ext/post_handshake.c
++++ b/lib/ext/post_handshake.c
+@@ -40,7 +40,8 @@ const hello_ext_entry_st ext_mod_post_handshake = {
+ 	.name = "Post Handshake Auth",
+ 	.tls_id = 49,
+ 	.gid = GNUTLS_EXTENSION_POST_HANDSHAKE,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO,
+ 	.recv_func = _gnutls_post_handshake_recv_params,
+ 	.send_func = _gnutls_post_handshake_send_params,
+diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
+index 436a426a8..d34492291 100644
+--- a/lib/ext/pre_shared_key.c
++++ b/lib/ext/pre_shared_key.c
+@@ -874,7 +874,8 @@ const hello_ext_entry_st ext_mod_pre_shared_key = {
+ 	.name = "Pre Shared Key",
+ 	.tls_id = PRE_SHARED_KEY_TLS_ID,
+ 	.gid = GNUTLS_EXTENSION_PRE_SHARED_KEY,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO,
+ 	.send_func = _gnutls_psk_send_params,
+ 	.recv_func = _gnutls_psk_recv_params
+diff --git a/lib/ext/psk_ke_modes.c b/lib/ext/psk_ke_modes.c
+index 8d8effb43..b3d979cdf 100644
+--- a/lib/ext/psk_ke_modes.c
++++ b/lib/ext/psk_ke_modes.c
+@@ -197,7 +197,8 @@ const hello_ext_entry_st ext_mod_psk_ke_modes = {
+ 	.name = "PSK Key Exchange Modes",
+ 	.tls_id = 45,
+ 	.gid = GNUTLS_EXTENSION_PSK_KE_MODES,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO,
+ 	.send_func = psk_ke_modes_send_params,
+ 	.recv_func = psk_ke_modes_recv_params
+diff --git a/lib/ext/record_size_limit.c b/lib/ext/record_size_limit.c
+index 0e94fece3..9398b1888 100644
+--- a/lib/ext/record_size_limit.c
++++ b/lib/ext/record_size_limit.c
+@@ -39,7 +39,8 @@ const hello_ext_entry_st ext_mod_record_size_limit = {
+ 	.name = "Record Size Limit",
+ 	.tls_id = 28,
+ 	.gid = GNUTLS_EXTENSION_RECORD_SIZE_LIMIT,
+-	.parse_type = GNUTLS_EXT_MANDATORY,
++	.client_parse_point = GNUTLS_EXT_MANDATORY,
++	.server_parse_point = GNUTLS_EXT_MANDATORY,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_EE | GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+ 	.recv_func = _gnutls_record_size_limit_recv_params,
+diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c
+index bb4a57e45..0b3d797bb 100644
+--- a/lib/ext/safe_renegotiation.c
++++ b/lib/ext/safe_renegotiation.c
+@@ -37,7 +37,8 @@ const hello_ext_entry_st ext_mod_sr = {
+ 	.gid = GNUTLS_EXTENSION_SAFE_RENEGOTIATION,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+-	.parse_type = GNUTLS_EXT_MANDATORY,
++	.client_parse_point = GNUTLS_EXT_MANDATORY,
++	.server_parse_point = GNUTLS_EXT_MANDATORY,
+ 	.recv_func = _gnutls_sr_recv_params,
+ 	.send_func = _gnutls_sr_send_params,
+ 	.pack_func = NULL,
+diff --git a/lib/ext/server_cert_type.c b/lib/ext/server_cert_type.c
+index 864a44bbc..81294961e 100644
+--- a/lib/ext/server_cert_type.c
++++ b/lib/ext/server_cert_type.c
+@@ -48,7 +48,8 @@ const hello_ext_entry_st ext_mod_server_cert_type = {
+ 	.name = "Server Certificate Type",
+ 	.tls_id = 20,
+ 	.gid = GNUTLS_EXTENSION_SERVER_CERT_TYPE,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS |
+ 		GNUTLS_EXT_FLAG_DTLS |
+ 		GNUTLS_EXT_FLAG_CLIENT_HELLO |
+diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
+index 0c6331569..d52c8d074 100644
+--- a/lib/ext/server_name.c
++++ b/lib/ext/server_name.c
+@@ -46,7 +46,8 @@ const hello_ext_entry_st ext_mod_server_name = {
+ 	.gid = GNUTLS_EXTENSION_SERVER_NAME,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_EE | GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+-	.parse_type = GNUTLS_EXT_MANDATORY,
++	.client_parse_point = GNUTLS_EXT_MANDATORY,
++	.server_parse_point = GNUTLS_EXT_MANDATORY,
+ 	.recv_func = _gnutls_server_name_recv_params,
+ 	.send_func = _gnutls_server_name_send_params,
+ 	.pack_func = _gnutls_hello_ext_default_pack,
+diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
+index 263273fa2..c854d9c2a 100644
+--- a/lib/ext/session_ticket.c
++++ b/lib/ext/session_ticket.c
+@@ -54,7 +54,12 @@ const hello_ext_entry_st ext_mod_session_ticket = {
+ 	.gid = GNUTLS_EXTENSION_SESSION_TICKET,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+-	.parse_type = GNUTLS_EXT_TLS,
++	/* This extension must be parsed on session resumption as well; see
++	 * https://gitlab.com/gnutls/gnutls/issues/841 */
++	.client_parse_point = GNUTLS_EXT_MANDATORY,
++	/* on server side we want this parsed after normal handshake resumption
++	 * actions are complete */
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.recv_func = session_ticket_recv_params,
+ 	.send_func = session_ticket_send_params,
+ 	.pack_func = session_ticket_pack,
+diff --git a/lib/ext/signature.c b/lib/ext/signature.c
+index a90f58d53..28d88c5bf 100644
+--- a/lib/ext/signature.c
++++ b/lib/ext/signature.c
+@@ -53,7 +53,8 @@ const hello_ext_entry_st ext_mod_sig = {
+ 	.tls_id = 13,
+ 	.gid = GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.recv_func = _gnutls_signature_algorithm_recv_params,
+ 	.send_func = _gnutls_signature_algorithm_send_params,
+ 	.pack_func = signature_algorithms_pack,
+diff --git a/lib/ext/srp.c b/lib/ext/srp.c
+index 07f6e6883..26fa56e3a 100644
+--- a/lib/ext/srp.c
++++ b/lib/ext/srp.c
+@@ -46,7 +46,8 @@ const hello_ext_entry_st ext_mod_srp = {
+ 	.name = "SRP",
+ 	.tls_id = 12,
+ 	.gid = GNUTLS_EXTENSION_SRP,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO,
+ 	.recv_func = _gnutls_srp_recv_params,
+ 	.send_func = _gnutls_srp_send_params,
+diff --git a/lib/ext/srtp.c b/lib/ext/srtp.c
+index 412e26d45..b2e36b3a0 100644
+--- a/lib/ext/srtp.c
++++ b/lib/ext/srtp.c
+@@ -45,7 +45,8 @@ const hello_ext_entry_st ext_mod_srtp = {
+ 	.gid = GNUTLS_EXTENSION_SRTP,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_EE | GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+-	.parse_type = GNUTLS_EXT_APPLICATION,
++	.client_parse_point = GNUTLS_EXT_APPLICATION,
++	.server_parse_point = GNUTLS_EXT_APPLICATION,
+ 	.recv_func = _gnutls_srtp_recv_params,
+ 	.send_func = _gnutls_srtp_send_params,
+ 	.pack_func = _gnutls_srtp_pack,
+diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
+index cf9d5bd03..2b36308b7 100644
+--- a/lib/ext/status_request.c
++++ b/lib/ext/status_request.c
+@@ -327,7 +327,8 @@ const hello_ext_entry_st ext_mod_status_request = {
+ 	.gid = GNUTLS_EXTENSION_STATUS_REQUEST,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+-	.parse_type = _GNUTLS_EXT_TLS_POST_CS,
++	.client_parse_point = _GNUTLS_EXT_TLS_POST_CS,
++	.server_parse_point = _GNUTLS_EXT_TLS_POST_CS,
+ 	.recv_func = _gnutls_status_request_recv_params,
+ 	.send_func = _gnutls_status_request_send_params,
+ 	.deinit_func = _gnutls_status_request_deinit_data,
+diff --git a/lib/ext/supported_groups.c b/lib/ext/supported_groups.c
+index ef7859f73..6e7e86bbe 100644
+--- a/lib/ext/supported_groups.c
++++ b/lib/ext/supported_groups.c
+@@ -46,7 +46,8 @@ const hello_ext_entry_st ext_mod_supported_groups = {
+ 	.name = "Supported Groups",
+ 	.tls_id = 10,
+ 	.gid = GNUTLS_EXTENSION_SUPPORTED_GROUPS,
+-	.parse_type = GNUTLS_EXT_TLS,
++	.client_parse_point = GNUTLS_EXT_TLS,
++	.server_parse_point = GNUTLS_EXT_TLS,
+ 	.validity = GNUTLS_EXT_FLAG_TLS | GNUTLS_EXT_FLAG_DTLS | GNUTLS_EXT_FLAG_CLIENT_HELLO |
+ 		    GNUTLS_EXT_FLAG_EE | GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO,
+ 	.recv_func = _gnutls_supported_groups_recv_params,
+diff --git a/lib/ext/supported_versions.c b/lib/ext/supported_versions.c
+index 1b9c29579..69193b60a 100644
+--- a/lib/ext/supported_versions.c
++++ b/lib/ext/supported_versions.c
+@@ -43,7 +43,8 @@ const hello_ext_entry_st ext_mod_supported_versions = {
+ 	.gid = GNUTLS_EXTENSION_SUPPORTED_VERSIONS,
+ 	.validity = GNUTLS_EXT_FLAG_CLIENT_HELLO | GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO |
+ 		    GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO | GNUTLS_EXT_FLAG_HRR|GNUTLS_EXT_FLAG_TLS,
+-	.parse_type = GNUTLS_EXT_VERSION_NEG, /* force parsing prior to EXT_TLS extensions */
++	.client_parse_point = GNUTLS_EXT_VERSION_NEG, /* force parsing prior to EXT_TLS extensions */
++	.server_parse_point = GNUTLS_EXT_VERSION_NEG,
+ 	.recv_func = supported_versions_recv_params,
+ 	.send_func = supported_versions_send_params,
+ 	.pack_func = NULL,
+diff --git a/lib/hello_ext.c b/lib/hello_ext.c
+index 491b3c3eb..33eaa27b1 100644
+--- a/lib/hello_ext.c
++++ b/lib/hello_ext.c
+@@ -120,7 +120,7 @@ gid_to_ext_entry(gnutls_session_t session, extensions_t id)
+ }
+ 
+ static const hello_ext_entry_st *
+-tls_id_to_ext_entry(gnutls_session_t session, uint16_t tls_id, gnutls_ext_parse_type_t parse_type)
++tls_id_to_ext_entry(gnutls_session_t session, uint16_t tls_id, gnutls_ext_parse_type_t parse_point)
+ {
+ 	unsigned i;
+ 	const hello_ext_entry_st *e;
+@@ -144,7 +144,8 @@ tls_id_to_ext_entry(gnutls_session_t session, uint16_t tls_id, gnutls_ext_parse_
+ 
+ 	return NULL;
+ done:
+-	if (parse_type == GNUTLS_EXT_ANY || e->parse_type == parse_type) {
++	if (parse_point == GNUTLS_EXT_ANY || (IS_SERVER(session) && e->server_parse_point == parse_point) ||
++	    (!IS_SERVER(session) && e->client_parse_point == parse_point)) {
+ 		return e;
+ 	} else {
+ 		return NULL;
+@@ -201,7 +202,7 @@ static unsigned tls_id_to_gid(gnutls_session_t session, unsigned tls_id)
+ typedef struct hello_ext_ctx_st {
+ 	gnutls_session_t session;
+ 	gnutls_ext_flags_t msg;
+-	gnutls_ext_parse_type_t parse_type;
++	gnutls_ext_parse_type_t parse_point;
+ 	const hello_ext_entry_st *ext; /* used during send */
+ 	unsigned seen_pre_shared_key;
+ } hello_ext_ctx_st;
+@@ -222,7 +223,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
+ 		return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ 	}
+ 
+-	ext = tls_id_to_ext_entry(session, tls_id, ctx->parse_type);
++	ext = tls_id_to_ext_entry(session, tls_id, ctx->parse_point);
+ 	if (ext == NULL || ext->recv_func == NULL) {
+ 		goto ignore;
+ 	}
+@@ -288,7 +289,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
+ int
+ _gnutls_parse_hello_extensions(gnutls_session_t session,
+ 			       gnutls_ext_flags_t msg,
+-			       gnutls_ext_parse_type_t parse_type,
++			       gnutls_ext_parse_type_t parse_point,
+ 			       const uint8_t * data, int data_size)
+ {
+ 	int ret;
+@@ -298,7 +299,7 @@ _gnutls_parse_hello_extensions(gnutls_session_t session,
+ 
+ 	ctx.session = session;
+ 	ctx.msg = msg;
+-	ctx.parse_type = parse_type;
++	ctx.parse_point = parse_point;
+ 	ctx.seen_pre_shared_key = 0;
+ 
+ 	ret = _gnutls_extv_parse(&ctx, hello_ext_parse, data, data_size);
+@@ -321,8 +322,9 @@ int hello_ext_send(void *_ctx, gnutls_buffer_st *buf)
+ 	if (unlikely(p->send_func == NULL))
+ 		return 0;
+ 
+-	if (ctx->parse_type != GNUTLS_EXT_ANY
+-	    && p->parse_type != ctx->parse_type) {
++	if (ctx->parse_point != GNUTLS_EXT_ANY &&
++	    ((IS_SERVER(session) && p->server_parse_point != ctx->parse_point) ||
++	     (!IS_SERVER(session) && p->client_parse_point != ctx->parse_point))) {
+ 		return 0;
+ 	}
+ 
+@@ -392,7 +394,7 @@ int
+ _gnutls_gen_hello_extensions(gnutls_session_t session,
+ 			     gnutls_buffer_st * buf,
+ 			     gnutls_ext_flags_t msg,
+-			     gnutls_ext_parse_type_t parse_type)
++			     gnutls_ext_parse_type_t parse_point)
+ {
+ 	int pos, ret;
+ 	size_t i;
+@@ -402,7 +404,7 @@ _gnutls_gen_hello_extensions(gnutls_session_t session,
+ 
+ 	ctx.session = session;
+ 	ctx.msg = msg;
+-	ctx.parse_type = parse_type;
++	ctx.parse_point = parse_point;
+ 
+ 	ret = _gnutls_extv_append_init(buf);
+ 	if (ret < 0)
+@@ -742,7 +744,7 @@ _gnutls_hello_ext_get_resumed_priv(gnutls_session_t session,
+  * gnutls_ext_register:
+  * @name: the name of the extension to register
+  * @id: the numeric TLS id of the extension
+- * @parse_type: the parse type of the extension (see gnutls_ext_parse_type_t)
++ * @parse_point: the parse type of the extension (see gnutls_ext_parse_type_t)
+  * @recv_func: a function to receive the data
+  * @send_func: a function to send the data
+  * @deinit_func: a function deinitialize any private data
+@@ -767,7 +769,7 @@ _gnutls_hello_ext_get_resumed_priv(gnutls_session_t session,
+  * Since: 3.4.0
+  **/
+ int
+-gnutls_ext_register(const char *name, int id, gnutls_ext_parse_type_t parse_type,
++gnutls_ext_register(const char *name, int id, gnutls_ext_parse_type_t parse_point,
+ 		    gnutls_ext_recv_func recv_func, gnutls_ext_send_func send_func,
+ 		    gnutls_ext_deinit_data_func deinit_func, gnutls_ext_pack_func pack_func,
+ 		    gnutls_ext_unpack_func unpack_func)
+@@ -798,7 +800,8 @@ gnutls_ext_register(const char *name, int id, gnutls_ext_parse_type_t parse_type
+ 	tmp_mod->free_struct = 1;
+ 	tmp_mod->tls_id = id;
+ 	tmp_mod->gid = gid;
+-	tmp_mod->parse_type = parse_type;
++	tmp_mod->client_parse_point = parse_point;
++	tmp_mod->server_parse_point = parse_point;
+ 	tmp_mod->recv_func = recv_func;
+ 	tmp_mod->send_func = send_func;
+ 	tmp_mod->deinit_func = deinit_func;
+@@ -822,7 +825,7 @@ gnutls_ext_register(const char *name, int id, gnutls_ext_parse_type_t parse_type
+  * @session: the session for which this extension will be set
+  * @name: the name of the extension to register
+  * @id: the numeric id of the extension
+- * @parse_type: the parse type of the extension (see gnutls_ext_parse_type_t)
++ * @parse_point: the parse type of the extension (see gnutls_ext_parse_type_t)
+  * @recv_func: a function to receive the data
+  * @send_func: a function to send the data
+  * @deinit_func: a function deinitialize any private data
+@@ -853,7 +856,7 @@ gnutls_ext_register(const char *name, int id, gnutls_ext_parse_type_t parse_type
+  **/
+ int
+ gnutls_session_ext_register(gnutls_session_t session,
+-			    const char *name, int id, gnutls_ext_parse_type_t parse_type,
++			    const char *name, int id, gnutls_ext_parse_type_t parse_point,
+ 			    gnutls_ext_recv_func recv_func, gnutls_ext_send_func send_func,
+ 			    gnutls_ext_deinit_data_func deinit_func, gnutls_ext_pack_func pack_func,
+ 			    gnutls_ext_unpack_func unpack_func, unsigned flags)
+@@ -898,7 +901,8 @@ gnutls_session_ext_register(gnutls_session_t session,
+ 	tmp_mod.free_struct = 1;
+ 	tmp_mod.tls_id = id;
+ 	tmp_mod.gid = gid;
+-	tmp_mod.parse_type = parse_type;
++	tmp_mod.client_parse_point = parse_point;
++	tmp_mod.server_parse_point = parse_point;
+ 	tmp_mod.recv_func = recv_func;
+ 	tmp_mod.send_func = send_func;
+ 	tmp_mod.deinit_func = deinit_func;
+diff --git a/lib/hello_ext.h b/lib/hello_ext.h
+index f8570bb34..f2dfd7ff6 100644
+--- a/lib/hello_ext.h
++++ b/lib/hello_ext.h
+@@ -121,7 +121,8 @@ typedef struct hello_ext_entry_st {
+ 	uint16_t tls_id;
+ 	unsigned gid; /* gnutls internal ID */
+ 
+-	gnutls_ext_parse_type_t parse_type;
++	gnutls_ext_parse_type_t client_parse_point;
++	gnutls_ext_parse_type_t server_parse_point;
+ 	unsigned validity; /* multiple items of gnutls_ext_flags_t */
+ 
+ 	/* this function must return 0 when Not Applicable
+diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
+index 6b35c4434..b4830cc8d 100644
+--- a/lib/includes/gnutls/gnutls.h.in
++++ b/lib/includes/gnutls/gnutls.h.in
+@@ -3023,12 +3023,12 @@ typedef enum {
+ 
+ /* Register a custom tls extension
+  */
+-int gnutls_ext_register(const char *name, int type, gnutls_ext_parse_type_t parse_type,
++int gnutls_ext_register(const char *name, int type, gnutls_ext_parse_type_t parse_point,
+ 				gnutls_ext_recv_func recv_func, gnutls_ext_send_func send_func, 
+ 				gnutls_ext_deinit_data_func deinit_func, gnutls_ext_pack_func pack_func,
+ 				gnutls_ext_unpack_func unpack_func);
+ 
+-int gnutls_session_ext_register(gnutls_session_t, const char *name, int type, gnutls_ext_parse_type_t parse_type,
++int gnutls_session_ext_register(gnutls_session_t, const char *name, int type, gnutls_ext_parse_type_t parse_point,
+ 				gnutls_ext_recv_func recv_func, gnutls_ext_send_func send_func, 
+ 				gnutls_ext_deinit_data_func deinit_func, gnutls_ext_pack_func pack_func,
+ 				gnutls_ext_unpack_func unpack_func, unsigned flags);
+diff --git a/tests/gnutls-cli-resume.sh b/tests/gnutls-cli-resume.sh
+index fe7ed1e02..38ac076ef 100755
+--- a/tests/gnutls-cli-resume.sh
++++ b/tests/gnutls-cli-resume.sh
+@@ -98,6 +98,23 @@ for i in "$WAITPID";do
+ 	test $? != 0 && exit 1
+ done
+ 
++echo "Checking whether session resumption works reliably under TLS1.2 (no tickets)"
++PRIORITY="NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_TICKETS"
++WAITPID=""
++
++i=0
++while [ $i -lt 10 ]
++do
++	run_server_test "${PRIORITY}" $i &
++	WAITPID="$WAITPID $!"
++	i=`expr $i + 1`
++done
++
++for i in "$WAITPID";do
++	wait $i
++	test $? != 0 && exit 1
++done
++
+ kill ${PID}
+ wait
+ 
+-- 
+2.26.2
+
diff -Nru gnutls28-3.6.7/debian/patches/47_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch gnutls28-3.6.7/debian/patches/47_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch
--- gnutls28-3.6.7/debian/patches/47_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnutls28-3.6.7/debian/patches/47_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch	2020-05-17 11:21:41.000000000 +0200
@@ -0,0 +1,30 @@
+From 05ace838b3f67836a29a53282ec5a9b3cffd5680 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Sun, 2 Feb 2020 09:47:25 -0600
+Subject: [PATCH] session_pack: fix leak in error path
+
+If called at the wrong time, it allocates the buffer sb and forgets to
+clear it.
+
+Signed-off-by: Michael Catanzaro <mcatanzaro@gnome.org>
+---
+ lib/session_pack.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/session_pack.c b/lib/session_pack.c
+index b655b7128..e5c21f24b 100644
+--- a/lib/session_pack.c
++++ b/lib/session_pack.c
+@@ -143,7 +143,8 @@ _gnutls_session_pack(gnutls_session_t session,
+ 		}
+ 		break;
+ 	default:
+-		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++		ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++		goto fail;
+ 
+ 	}
+ 
+-- 
+2.26.2
+
diff -Nru gnutls28-3.6.7/debian/patches/series gnutls28-3.6.7/debian/patches/series
--- gnutls28-3.6.7/debian/patches/series	2020-04-03 21:31:50.000000000 +0200
+++ gnutls28-3.6.7/debian/patches/series	2020-05-17 13:42:33.000000000 +0200
@@ -7,4 +7,6 @@
 40_rel3.6.8_20-pubkey-remove-deprecated-TLS1_RSA-flag-check.patch
 41_rel3.6.9_01-Support-for-Generalname-registeredID-from-RFC-5280-i.patch
 42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
+42_rel3.6.11_10-session-tickets-parse-extension-during-session-resum.patch
 43_rel3.6.13_01-dtls-client-hello-fix-zeroed-random-fixes-960.patch
+47_rel3.6.14_10-session_pack-fix-leak-in-error-path.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: