lp:ubuntu/dapper-security/gnutls12

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/dapper-security/gnutls12

Branch information

Owner: Ubuntu branches
Status: Mature

Recent revisions

10. By Jamie Strandboge

* SECURITY UPDATE: fix potential DoS in certificate verification
  - debian/patches/92_CVE-2006-7239.diff: update to verify hash
    algorithm is supported and not NULL
  - CVE-2006-7239

9. By Jamie Strandboge

* SECURITY UPDATE: fix improper handling of '\0' in Common Name (CN) and
  Subject Alternative Name (SAN) in X.509 certificates (LP: #413136)
  - debian/patches/91_CVE-2009-2730.diff: verify length of CN and SAN
    are what we expect and error out if either contains an embedded \0.
    This fix required fixing gnutls_x509_crt_check_hostname() to not
    "treat absence of CN in subject as a successful RFC 2818 hostname".
    This fix also required updating _gnutls_hostname_compare() in
    lib/x509/rfc2818_hostname.c to support wide wildcard hostname and ip
    address matching. This is a backward compatible change which only
    adds additional matching of hostnames.
  - CVE-2009-2730

8. By Jamie Strandboge

* Fix for certificate chain regressions introduced by fixes for
  CVE-2008-4989
* debian/patches/20_CVE-2008-4989.diff: updated to upstream's final
  2.4.2 - 2.4.3 patchset for lib/x509/verify.c to fix CVE-2008-4989 and
  address all known regressions. To summarize from upstream:
  - Fix X.509 certificate chain validation error (CVE-2008-4989)
  - Fix chain verification for chains that end with RSA-MD2 CAs (LP: #305264)
  - Deprecate X.509 validation chains using MD5 and MD2 signatures
  - Accept chains where intermediary certs are trusted (LP: #305264)

7. By Jamie Strandboge

* Fix for regression where some valid certificate chains would be untrusted
  - Update debian/patches/91_CVE-2008-4989.diff to check if last certificate
    is self-signed and prevent verifying self-signed certificates against
    themselves. Patch from upstream.
  - http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00008.html
  - LP: #305264

6. By Jamie Strandboge

* SECURITY UPDATE: Fix for man-in-the-middle attack in certificate
  validation
  - debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate
    if it is self-signed in lib/x509/verify.c
  - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
  - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3248
  - CVE-2008-4989

5. By Kees Cook

* SECURITY UPDATE: multiple remote denial of service.
* debian/patches/90_GNUTLS-SA-2008-1.diff: upstream fixes, thanks to Debian.
* References
  GNUTLS-SA-2008-1
  CVE-2008-1948, CVE-2008-1949, CVE-2008-1950

4. By Martin Pitt

* SECURITY UPDATE: Signature forgery.
* Add debian/patches/00CVS_CVE-2006-4790.patch:
  - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent
    applications from incorrectly verifying the certificate. (Similar to
    recent OpenSSL update.)
  - Patch taken from upstream CVS:
    http://lists.gnupg.org/pipermail/gnutls-dev/2006-September/001212.html
  - CVE-2006-4790

3. By Martin Pitt

* debian/rules: Activate simple-patchsys.mk.
* debian/control: Bump libtasn1-2-dev build dependency to >=
  0.2.17-1ubuntu1.
* Add debian/patches/01_tasn_api_length.patch:
   - lib/x509/xml.c: Fix calls to libtasn1-2's internal _asn1_* API calls for
     new libtasn1-2 version; these calls now expect a buffer length argument to
     check for buffer overflows.
   - lib/minitasn1/: Changed internal _asn1_ function prototypes in header
     files according to recent change in libtasn1-2.

2. By Matthias Urlichs

* Install /usr/lib/pkgconfig/*.pc files.
* Depend on texinfo (>= 4.8, for the @euro{} sign).

1. By Matthias Urlichs

Import upstream version 1.2.9

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information 
Everyone can see this information.
