Created by James Westby on 2009-08-13 and last modified on 2010-06-02
Get this branch:
bzr branch lp:ubuntu/dapper-security/gnutls12

Recent revisions

10. By Jamie Strandboge on 2010-06-02

* SECURITY UPDATE: fix potential DoS in certificate verification
  - debian/patches/92_CVE-2006-7239.diff: update to verify hash
    algorithm is supported and not NULL
  - CVE-2006-7239

9. By Jamie Strandboge on 2009-08-18

* SECURITY UPDATE: fix improper handling of '\0' in Common Name (CN) and
  Subject Alternative Name (SAN) in X.509 certificates (LP: #413136)
  - debian/patches/91_CVE-2009-2730.diff: verify length of CN and SAN
    are what we expect and error out if either contains an embedded \0.
    This fix required fixing gnutls_x509_crt_check_hostname() to not
    "treat absence of CN in subject as a successful RFC 2818 hostname".
    This fix also required updating _gnutls_hostname_compare() in
    lib/x509/rfc2818_hostname.c to support wide wildcard hostname and ip
    address matching. This is a backward-compatible change which only
    adds additional matching of hostnames.
  - CVE-2009-2730
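As an added illustration of the class of check the CVE-2009-2730 entry describes (written for this page; it is not GnuTLS code): a name taken from a DER-encoded certificate is compared against its own declared length before any C-string comparison happens, and a hypothetical RFC 2818-style matcher handles a single leftmost wildcard label. The function names and the sample CN are constructed for the example; the IP-address matching mentioned in the entry is not covered.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* A name from a DER-encoded certificate carries an explicit length; C string
 * functions stop at the first NUL byte. If the two lengths disagree, the name
 * holds an embedded NUL and must be rejected instead of compared as a string. */
bool name_has_embedded_nul(const char *name, size_t der_len)
{
    for (size_t i = 0; i < der_len; i++)
        if (name[i] == '\0')
            return true;
    return false;
}

/* Case-insensitive equality of two NUL-terminated strings (DNS names are
 * case-insensitive). */
static bool eq_nocase(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Hypothetical RFC 2818-style matcher: an exact match, or a pattern whose
 * leftmost label is "*" matching exactly one non-empty label of the host. */
bool hostname_matches(const char *pattern, const char *host)
{
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)      /* host needs a label before '.' */
            return false;
        return eq_nocase(pattern + 1, dot);  /* compare the ".example.com" parts */
    }
    return eq_nocase(pattern, host);
}

/* The length check runs before the string comparison is attempted. */
bool cert_name_matches_host(const char *name, size_t der_len, const char *host)
{
    if (name_has_embedded_nul(name, der_len))
        return false;
    return hostname_matches(name, host);
}

/* Constructed sample: a CN whose DER length is 30 but whose C-string view is
 * only "www.bank.com". Declared as an array so the embedded NUL survives. */
static const char CONSTRUCTED_CN[] = "www.bank.com\0.attacker.example";
static const size_t CONSTRUCTED_CN_LEN = sizeof(CONSTRUCTED_CN) - 1;
```

A comparison that trusted the C-string view alone would accept CONSTRUCTED_CN for the host "www.bank.com"; cert_name_matches_host() rejects it because the declared length and the string length disagree.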

8. By Jamie Strandboge on 2009-02-20

* Fix for certificate chain regressions introduced by fixes for
* debian/patches/20_CVE-2008-4989.diff: updated to upstream's final
  2.4.2 - 2.4.3 patchset for lib/x509/verify.c to fix CVE-2008-4989 and
  address all known regressions. To summarize from upstream:
  - Fix X.509 certificate chain validation error (CVE-2008-4989)
  - Fix chain verification for chains that end with RSA-MD2 CAs (LP: #305264)
  - Deprecate X.509 validation chains using MD5 and MD2 signatures
  - Accept chains where intermediary certs are trusted (LP: #305264)

7. By Jamie Strandboge on 2008-12-05

* Fix for regression where some valid certificate chains would be untrusted
  - Update debian/patches/91_CVE-2008-4989.diff to check if last certificate
    is self-signed and prevent verifying self-signed certificates against
    themselves. Patch from upstream.
  - http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00008.html
  - LP: #305264

6. By Jamie Strandboge on 2008-11-25

* SECURITY UPDATE: Fix for man-in-the-middle attack in certificate
  - debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate
    if it is self-signed in lib/x509/verify.c
  - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
  - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3248
  - CVE-2008-4989

5. By Kees Cook on 2008-05-20

* SECURITY UPDATE: multiple remote denial of service.
* debian/patches/90_GNUTLS-SA-2008-1.diff: upstream fixes, thanks to Debian.
* References
  CVE-2008-1948, CVE-2008-1949, CVE-2008-1950

4. By Martin Pitt on 2006-09-18

* SECURITY UPDATE: Signature forgery.
* Add debian/patches/00CVS_CVE-2006-4790.patch:
  - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent
    applications from incorrectly verifying the certificate. (Similar to
    recent OpenSSL update.)
  - Patch taken from upstream CVS:
  - CVE-2006-4790

3. By Martin Pitt on 2006-02-15

* debian/rules: Activate simple-patchsys.mk.
* debian/control: Bump libtasn1-2-dev build dependency to >=
* Add debian/patches/01_tasn_api_length.patch:
  - lib/x509/xml.c: Fix calls to libtasn1-2's internal _asn1_* API calls for
    new libtasn1-2 version; these calls now expect a buffer length argument to
    check for buffer overflows.
  - lib/minitasn1/: Changed internal _asn1_ function prototypes in header
    files according to recent change in libtasn1-2.

2. By Matthias Urlichs on 2005-11-15

* Install /usr/lib/pkgconfig/*.pc files.
* Depend on texinfo (>= 4.8, for the @euro{} sign).

1. By Matthias Urlichs on 2005-11-15

Import upstream version 1.2.9

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)