
Bug#988508: buster-pu: package gnutls28/3.6.7-4+deb10u7



Control: tags -1 + confirmed

On Fri, 2021-05-14 at 14:08 +0200, Andreas Metzler wrote:
> I would like to fix three minor security issues (non-DSA) in stable.
> * 46_handshake-reject-no_renegotiation-alert-if-handshake.patch
>   pulled from 3.6.15: It was found by oss-fuzz that the server sending a
>   "no_renegotiation" alert in an unexpected timing, followed by an
>   invalid second handshake can cause a TLS 1.3 client to crash via a
>   null-pointer dereference. The crash happens in the application's
>   error handling path, where the gnutls_deinit function is called after
>   detecting a handshake failure.
>   GNUTLS-SA-2020-09-04 CVE-2020-24659 Closes: #969547
> * Pull multiple fixes designated for 3.6.15 bugfix release:
>   + 47_rel3.6.16_01-gnutls_buffer_append_data-remove-duplicated-code.patch
>   + 47_rel3.6.16_02-_gnutls_buffer_resize-add-option-to-use-allocation-s.patch
>   + 47_rel3.6.16_03-key_share-avoid-use-after-free-around-realloc.patch
>     (CVE-2021-20231) and
>     47_rel3.6.16_04-pre_shared_key-avoid-use-after-free-around-realloc.patch
>     (CVE-2021-20232), both together GNUTLS-SA-2021-03-10.
>   + 47_rel3.6.16_05-_gnutls_buffer_resize-account-for-unused-area-if-AGG.patch
>   + 47_rel3.6.16_06-str-suppress-Wunused-function-if-AGGRESSIVE_REALLOC-.patch
> 

Please go ahead.

Regards,

Adam
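As an added illustration of the bug class the key_share and pre_shared_key patches address (a use-after-free around realloc), here is a small growable buffer with an always-relocating resize, in the spirit of the AGGRESSIVE_REALLOC debug mode the patch file names hint at. This is my own example code, not gnutls's implementation and not the content of the patches; the `gbuf_*` names, the 0xDD poison byte and the sample field are assumptions made for the demonstration. It shows why a raw pointer kept into the buffer across an append goes stale, and the offset-based reference that survives relocation and is bounds-checked at use time.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable byte buffer (illustration only, not gnutls's buffer type). */
typedef struct {
    uint8_t *data;
    size_t len;
    size_t cap;
    unsigned moves;   /* how often the backing block has been relocated */
} gbuf_t;

/* Resize that ALWAYS relocates the block, in the spirit of an "aggressive
 * realloc" debug mode: every pointer taken into the buffer before this call
 * dangles afterwards, so a stale-pointer bug fails on every run rather than
 * only when the allocator happens to move memory. */
static int gbuf_resize(gbuf_t *b, size_t new_cap)
{
    uint8_t *fresh = malloc(new_cap ? new_cap : 1);
    if (fresh == NULL)
        return -1;
    if (b->data != NULL) {
        memcpy(fresh, b->data, b->len < new_cap ? b->len : new_cap);
        memset(b->data, 0xDD, b->cap);   /* poison the old block before freeing */
        free(b->data);
        b->moves++;
    }
    b->data = fresh;
    b->cap = new_cap;
    return 0;
}

static int gbuf_append(gbuf_t *b, const void *p, size_t n)
{
    if (n > SIZE_MAX - b->len)
        return -1;
    if (b->len + n > b->cap) {          /* grow geometrically, with overflow check */
        size_t want = b->cap ? b->cap : 16;
        while (want < b->len + n) {
            if (want > SIZE_MAX / 2)
                return -1;
            want *= 2;
        }
        if (gbuf_resize(b, want) < 0)
            return -1;
    }
    memcpy(b->data + b->len, p, n);
    b->len += n;
    return 0;
}

static void gbuf_free(gbuf_t *b) { free(b->data); b->data = NULL; b->len = b->cap = 0; }

/* VULNERABLE PATTERN (not executed here; the final read is undefined behaviour):
 *     const uint8_t *field = b.data + off;   // pointer into block A
 *     gbuf_append(&b, more, more_len);       // block A freed, data now in block B
 *     memcmp(field, ...);                    // use-after-free: reads freed block A
 *
 * HARDENED PATTERN: keep an offset and length, resolve them against the
 * buffer's CURRENT base pointer only at the moment of use, with a bounds check. */
typedef struct { size_t off; size_t len; } gbuf_ref_t;

static const uint8_t *gbuf_ref_resolve(const gbuf_t *b, gbuf_ref_t r)
{
    if (r.off > b->len || r.len > b->len - r.off)
        return NULL;   /* reference no longer lies inside the live data */
    return b->data + r.off;
}

/* Returns 1 when an offset-based reference still reads the right bytes after
 * the buffer has been relocated at least once, 0 otherwise. */
int demo_offset_ref_survives_growth(void)
{
    gbuf_t b = {0};
    uint8_t filler[64];
    int ok = 0;

    memset(filler, 'x', sizeof filler);
    if (gbuf_append(&b, "ext", 3) < 0)     /* constructed sample: a 3-byte field */
        return 0;
    gbuf_ref_t ref = { .off = 0, .len = 3 };
    for (int i = 0; i < 8; i++)            /* 512 more bytes: forces relocations */
        if (gbuf_append(&b, filler, sizeof filler) < 0)
            ok = -1;
    if (ok == 0) {
        const uint8_t *p = gbuf_ref_resolve(&b, ref);
        ok = (b.moves > 0 && p != NULL && memcmp(p, "ext", 3) == 0);
    }
    gbuf_free(&b);
    return ok == 1;
}

/* Returns 1 when a reference reaching past the live data is rejected. */
int demo_out_of_range_ref_rejected(void)
{
    gbuf_t b = {0};
    int ok = 0;
    if (gbuf_append(&b, "abc", 3) == 0) {
        gbuf_ref_t past_end = { .off = 2, .len = 2 };
        ok = (gbuf_ref_resolve(&b, past_end) == NULL);
    }
    gbuf_free(&b);
    return ok;
}

int main(void)
{
    printf("offset ref survives growth: %d\n", demo_offset_ref_survives_growth());
    printf("out-of-range ref rejected:  %d\n", demo_out_of_range_ref_rejected());
    return 0;
}
```

The always-move resize is the detection aid: with it, any code that cached a raw pointer across an append reads poisoned memory on every run (and aborts immediately under AddressSanitizer), whereas with a plain realloc the same bug only surfaces when the allocator happens to move the block. The offset-based reference is the mitigation, and its bounds check covers the second way such references go wrong, a buffer that shrank after the reference was taken.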

