gnutls28 (3.8.9-3) unstable; urgency=medium
* Cherry-pick fixes from 3.8.10 release:
+ libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits
PSK Reported by Stefan Bühler.
[GNUTLS-SA-2025-07-07-4, CVSS: medium] [CVE-2025-6395]
+ libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS
timestamps Spotted by oss-fuzz and reported by OpenAI Security
Research Team, and fix developed by Andrew Hamilton.
[GNUTLS-SA-2025-07-07-1, CVSS: medium] [CVE-2025-32989]
+ libgnutls: Fix double-free upon error when exporting otherName in
SAN Reported by OpenAI Security Research Team.
[GNUTLS-SA-2025-07-07-2, CVSS: low] [CVE-2025-32988]
+ certtool: Fix 1-byte write buffer overrun when parsing template
Reported by David Aitel. [GNUTLS-SA-2025-07-07-3, CVSS: low]
[CVE-2025-32990]
+ Fixes for memory leaks in lib/x509/x509_ext.c andlib/hello_ext.c.
+ Fix uninitialized memory read while processing the "pre_shared_key"
extension in TLS 1.3.
+ Avoid uninitialized use of crq version.
-- Andreas Metzler <ametzler@debian.org> Wed, 09 Jul 2025 12:34:38 +0200
gnutls28 (3.8.9-2) unstable; urgency=medium
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Mon, 10 Feb 2025 06:33:24 +0100
gnutls28 (3.8.9-1) experimental; urgency=medium
* New upstream version.
+ libgnutls: Fix potential DoS in handling certificates with numerous
name constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
bundled copy of libtasn1 has also been updated to the latest 4.20.0
release to complete the fix. Reported by Bing Shi (#1553).
[GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]
+ Unfuzz 14_version_gettextcat.diff.
+ Update copyright information.
+ Let ./configure check for python on Debian builds to run cligen during
build-time.
-- Andreas Metzler <ametzler@debian.org> Sat, 08 Feb 2025 16:19:41 +0100
gnutls28 (3.8.8-2) unstable; urgency=low
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sun, 10 Nov 2024 16:32:03 +0100
gnutls28 (3.8.8-1) experimental; urgency=low
* Partial merge from 3.8.6-2ubuntu1:
+ Fix logic for i386 autopkgtest on an amd64 host.
+ Don't run the testsuite under the influence of a configuration
file.
* New upstream version.
+ Drop cherry-picked patches.
-- Andreas Metzler <ametzler@debian.org> Sat, 09 Nov 2024 12:54:44 +0100
gnutls28 (3.8.7.1-1) experimental; urgency=medium
[ Daniel Kahn Gillmor ]
* Refresh upstream signing keys.
[ Andreas Metzler ]
* New upstream version.
+ Update copyright info.
+ Drop now unneeded datefudge build- and autopkgtest-dep.
Closes: #1077935, #1031553
* 51-Also-set-ENABLE_DSA-for-tests-in-cert-tests-subdirec.patch: Do not skip
all DSA tests in cert-tests subdirectory. Also set ENABLE_DSA=1 in
autopkgtest.
* 52_revert-back-to-datefudge-for-openssl-ocsp.patch: Skip some
ocsp test instead of fixing them and requiring datefudge.
-- Andreas Metzler <ametzler@debian.org> Thu, 15 Aug 2024 16:40:32 +0200
gnutls28 (3.8.6-2) unstable; urgency=medium
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sun, 07 Jul 2024 11:39:37 +0200
gnutls28 (3.8.6-1) experimental; urgency=medium
* New upstream version.
+ Unfuzz 14_version_gettextcat.diff.
+ Drop cherry-picked
46_Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch.
+ Bump nettle b-d to >= 3.10 for SHAKE.
+ Update symbol file.
+ Update copyright info.
-- Andreas Metzler <ametzler@debian.org> Sat, 06 Jul 2024 16:33:01 +0200
gnutls28 (3.8.5-4) unstable; urgency=medium
* Fix autopkgtest.
-- Andreas Metzler <ametzler@debian.org> Sun, 02 Jun 2024 14:39:31 +0200
gnutls28 (3.8.5-3) unstable; urgency=low
* Replace 45_Revert_Add-option-to-disable-RSAES-PKCS1-v1_5.patch with
46_Fix-RSAES-PKCS1-v1_5-system-wide-configuration.patch from upstream GIT
master.
-- Andreas Metzler <ametzler@debian.org> Sat, 01 Jun 2024 13:52:02 +0200
gnutls28 (3.8.5-2) unstable; urgency=medium
* Add 45_Revert_Add-option-to-disable-RSAES-PKCS1-v1_5.patch, reverting
upstream commit 10ebc37e41343cb5b18ee9f0b8e2c45c3d83e8c7.
Closes: #1068644
-- Andreas Metzler <ametzler@debian.org> Mon, 08 Apr 2024 18:27:17 +0200
gnutls28 (3.8.5-1) unstable; urgency=medium
* New upstream version, drop cherry-picked patch.
* [lintian] B-d on pkgconf instead of pkg-config.
-- Andreas Metzler <ametzler@debian.org> Sat, 06 Apr 2024 07:48:30 +0200
gnutls28 (3.8.4-2) unstable; urgency=medium
* Cherry-pick from upstream git master:
+ 50_0001-gnutls_privkey_decrypt_data-don-t-free-plaintext-on-.patch
(Regression in 3.8.4).
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Fri, 29 Mar 2024 07:47:24 +0100
gnutls28 (3.8.4-1) experimental; urgency=medium
* New upstream version.
+ Fix side-channel in the deterministic ECDSA.
Reported by George Pantelakis (#1516).
[GNUTLS-SA-2023-12-04, CVSS: medium] [CVE-2024-28834]
Closes: #1067464
+ libgnutls: Fixed a bug where certtool crashed when verifying a
certificate chain with more than 16 certificates. Reported by William
Woodruff (#1525) and yixiangzhike (#1527).
[GNUTLS-SA-2024-01-23, CVSS: medium] [CVE-2024-28835] Closes: #1067463
+ Update copyright info.
+ Update symbol file.
-- Andreas Metzler <ametzler@debian.org> Sat, 23 Mar 2024 11:11:34 +0100
gnutls28 (3.8.3-1.1) unstable; urgency=medium
* Non-maintainer upload.
* Rename libraries for 64-bit time_t transition. Closes: #1063297
-- Steve Langasek <vorlon@debian.org> Wed, 28 Feb 2024 21:26:17 +0000
gnutls28 (3.8.3-1) unstable; urgency=medium
* New upstream version.
Fix assertion failure when verifying a certificate chain with a cycle of
cross signatures. CVE-2024-0567 GNUTLS-SA-2024-01-09 Closes: #1061045
Fix more timing side-channel inside RSA-PSK key exchange. CVE-2024-0553
GNUTLS-SA-2024-01-14 Closes: #1061046
-- Andreas Metzler <ametzler@debian.org> Wed, 17 Jan 2024 18:26:52 +0100
gnutls28 (3.8.2-1) unstable; urgency=medium
* New upstream version.
+ Drop cherrypicked patches.
+ Update symbol file.
+ Update copyright file.
+ Includes fix for CVE-2023-5981 / GNUTLS-SA-2023-10-23. Closes: #1056188
-- Andreas Metzler <ametzler@debian.org> Wed, 29 Nov 2023 08:55:21 +0100
gnutls28 (3.8.1-4) unstable; urgency=medium
* Fix autopkgtest for 32 bit archs.
* Fix building twice from the same source. Closes: #1044384,#1049512
* Drop orphaned debian/libgnutlsxx30.install and delete related (.a/.so)
files in dh_autoinstall override, fixing dead symlink for libgnutlsxx.so.
Closes: #1050058
-- Andreas Metzler <ametzler@debian.org> Sat, 19 Aug 2023 11:28:08 +0200
gnutls28 (3.8.1-3) unstable; urgency=low
* 50-0001-Fix-build-on-GNU-Hurd.patch (Thanks, Samuel Thibault) from
upstream git master.
* Fix rdep FTBFS due to removal of GNUTLS_NO_EXTENSIONS macro with
50-0002-Move-the-GNUTLS_NO_EXTENSIONS-compatibility-define-t.patch from
upstream MR 1766 (Thanks, Adrian Bunk)
-- Andreas Metzler <ametzler@debian.org> Mon, 07 Aug 2023 18:33:31 +0200
gnutls28 (3.8.1-2) unstable; urgency=low
* Also use datefudge instead of faketime for autopkgtest.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sun, 06 Aug 2023 11:13:35 +0200
gnutls28 (3.8.1-1) experimental; urgency=medium
* New upstream version.
+ Bump symbol file info.
-- Andreas Metzler <ametzler@debian.org> Sat, 05 Aug 2023 10:59:29 +0200
gnutls28 (3.8.0+git20230713-1) experimental; urgency=medium
* New upstream git snapshot c4023afde53241aedbb94108aa10fda9bd05ee82.
+ Update copyright file.
+ Switch back to datefudge. faketime using fork() instead of exex() breaks
the cleanup scripting in the testsuite. This together with upstream
changes Closes: #1037917
Most tests do not rely on datefudge/faketime anymore but use -attime so
we would still have meaningful testsuite coverage without datefudge.
+ Update autopkgtest for new upstream.
-- Andreas Metzler <ametzler@debian.org> Sat, 15 Jul 2023 13:40:58 +0200
gnutls28 (3.8.0+git20230529-1) experimental; urgency=medium
* New upstream git snapshot 0a8115000f2353dcabcfdc0caccbb0f2c3d6f512.
+ Update libgnutls30 symbol file.
+ Unfuzz patches.
-- Andreas Metzler <ametzler@debian.org> Sun, 04 Jun 2023 13:06:50 +0200
gnutls28 (3.8.0+git20230413-1) experimental; urgency=medium
* New upstream git snapshot bfbcb238465baffc6a6695c0e593c9a25cf7cb51.
+ Unfuzz patches, drop superfluous patches.
+ Guile wrapper split off, adapt packaging.
+ Use faketime instead of datefudge. Closes: #1031553
+ Update copyright file.
+ Update symbol file.
+ Stop shipping legacy C++ library (libgnutlsxx30). This functionality is
now provided as a header-only library and there are no rdeps in Debian.
* Clean up debian/rules.
-- Andreas Metzler <ametzler@debian.org> Sat, 29 Apr 2023 11:51:27 +0200
gnutls28 (3.7.9-2) unstable; urgency=medium
* CI: Do not try to run tests/ktls.sh, it uses a helper binary. (Plus gnutls
is not built with ktls support on Debian yet.) Closes: #1034350
-- Andreas Metzler <ametzler@debian.org> Sat, 15 Apr 2023 13:45:57 +0200
gnutls28 (3.7.9-1) unstable; urgency=medium
* Drop unused lintian override.
* New upstream version.
+ Drop cherrypicked patches.
-- Andreas Metzler <ametzler@debian.org> Sat, 18 Feb 2023 07:00:58 +0100
gnutls28 (3.7.8-5) unstable; urgency=high
[ Debian Janitor ]
* Remove constraints unnecessary since buster (oldstable):
+ Build-Depends: Drop versioned constraint on libp11-kit-dev,
libtasn1-6-dev, libunbound-dev and libunistring-dev.
+ Build-Depends-Indep: Drop versioned constraint on texinfo.
+ libgnutls28-dev: Drop versioned constraint on libp11-kit-dev in Depends.
[ Andreas Metzler ]
* 55_01-auth-rsa-side-step-potential-side-channel.patch
55_02-rsa-remove-dead-code.patch 55_03-document-the-CVE-fix.patch:
Effectively update to 3.7.9, fixing GNUTLS-SA-2020-07-14 / CVE-2023-0361
-- Andreas Metzler <ametzler@debian.org> Fri, 10 Feb 2023 07:29:17 +0100
gnutls28 (3.7.8-4) unstable; urgency=low
* Replace 50_Fix-removal-of-duplicate-certs-during-verification.patch with
version merged to upstream GIT master. Add
51_add-gnulib-linkedhash-list-module.diff since the new patch uses
gnulib's linkedhash-list module.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Mon, 31 Oct 2022 18:10:09 +0100
gnutls28 (3.7.8-3) experimental; urgency=low
* 50_Fix-removal-of-duplicate-certs-during-verification.patch frpm
https://gitlab.com/gnutls/gnutls/-/merge_requests/1653 fixes chain
verification error on duplicate server cert in chain.
Closes: #1007138
-- Andreas Metzler <ametzler@debian.org> Sat, 15 Oct 2022 13:51:15 +0200
gnutls28 (3.7.8-2) unstable; urgency=low
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sun, 02 Oct 2022 13:28:06 +0200
gnutls28 (3.7.8-1) experimental; urgency=low
* New upstream version.
+ Drop 50_01-Avoid-redirection-bashism-in-testsuite.patch.
-- Andreas Metzler <ametzler@debian.org> Sat, 01 Oct 2022 13:48:17 +0200
gnutls28 (3.7.7-2) unstable; urgency=medium
* 50_01-Avoid-redirection-bashism-in-testsuite.patch: Fix CI error.
-- Andreas Metzler <ametzler@debian.org> Sun, 31 Jul 2022 10:32:04 +0200
gnutls28 (3.7.7-1) unstable; urgency=low
* New upstream bugfix release: Fixes double free during verification of
pkcs7 signatures. [GNUTLS-SA-2022-07-07, CVSS: medium] [CVE-2022-2509]
+ Update symbol file.
* Add lintian overrides for source-is-missing false positives.
-- Andreas Metzler <ametzler@debian.org> Sat, 30 Jul 2022 14:09:32 +0200
gnutls28 (3.7.6-2) unstable; urgency=low
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sat, 18 Jun 2022 10:23:16 +0200
gnutls28 (3.7.6-1) experimental; urgency=low
* New upstream version.
-- Andreas Metzler <ametzler@debian.org> Sat, 28 May 2022 14:31:39 +0200
gnutls28 (3.7.5-1) experimental; urgency=low
* New upstream version.
+ Update symbol file.
-- Andreas Metzler <ametzler@debian.org> Sun, 22 May 2022 08:16:07 +0200
gnutls28 (3.7.4-2) unstable; urgency=low
* 40_srptest_doubletimeout.diff: Increase timeout for tests/srp to fix
occasionasonal error on slow buildds (mipsel, hppa).
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Thu, 14 Apr 2022 08:54:25 +0200
gnutls28 (3.7.4-1) experimental; urgency=low
* Drop superfluous dependency on libopts25-dev.
* New upstream version.
+ Drop superfluous patches. (40_bashism_in_test.diff
41_more_bashism_in_test.diff)
+ Update symbol file.
+ libgnutlsxx soname bumped due to ABI break in .1 (db_check_entry and
db_check_entry now have const parameters).
-- Andreas Metzler <ametzler@debian.org> Sun, 03 Apr 2022 13:30:32 +0200
gnutls28 (3.7.3-4) unstable; urgency=low
[ Helmut Grohne ]
* Fix FTCBFS: Annotate python3 dependency with :any. (Closes: #1004183)
[ Andreas Metzler ]
* CI: Sort test list.
* CI: Skip another test wrapping a binary test.
* CI: Fix missed &> redirection.
-- Andreas Metzler <ametzler@debian.org> Sun, 23 Jan 2022 08:14:48 +0100
gnutls28 (3.7.3-3) unstable; urgency=low
* Fix CI errors:
+ Set PKCS12_ITER_COUNT=600000, avoid more tests requiring a special test
binary.
+ 40_bashism_in_test.diff: Avoid &> redirection.
-- Andreas Metzler <ametzler@debian.org> Sat, 22 Jan 2022 07:45:00 +0100
gnutls28 (3.7.3-2) unstable; urgency=low
* B-d on python3 instead of python3-minimal, the json module is not part of
-minimal.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Thu, 20 Jan 2022 18:40:59 +0100
gnutls28 (3.7.3-1) experimental; urgency=low
* New upstream version.
+ Does not use GNU autogen anymore, update Build-Depends.
+ Drop 40_fix-gtk-mkhtml.patch.
+ Update symbol file.
-- Andreas Metzler <ametzler@debian.org> Tue, 18 Jan 2022 18:58:41 +0100
gnutls28 (3.7.2-5) unstable; urgency=medium
* 40_fix-gtk-mkhtml.patch by Dennis Filder fixes gtk-doc generation.
Closes: #1003075
* Cherrypick some improvements to debian/rules suggested by Dennis Filder.
-- Andreas Metzler <ametzler@debian.org> Wed, 05 Jan 2022 18:46:29 +0100
gnutls28 (3.7.2-4) unstable; urgency=low
* Run wrap-and-sort -ast, and drop depends/b-d on libgmp > 2:6 since even
oldstable uses this version.
* Upload to unstable
-- Andreas Metzler <ametzler@debian.org> Sun, 19 Dec 2021 13:57:12 +0100
gnutls28 (3.7.2-3) experimental; urgency=medium
* Another test build against guile-3.0. #964284
-- Andreas Metzler <ametzler@debian.org> Sun, 29 Aug 2021 14:29:40 +0200
gnutls28 (3.7.2-2) unstable; urgency=low
* Invoke dh_autoreconf with GTKDOCIZE=echo for arch-only builds, fixing
FTBFS. Closes: #992849
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Tue, 24 Aug 2021 19:46:02 +0200
gnutls28 (3.7.2-1) experimental; urgency=medium
* New upstream version.
+ Drop debian/patches/5[56]*.
+ Update libgnutls30.symbols.
+ Update copyright file.
-- Andreas Metzler <ametzler@debian.org> Sun, 20 Jun 2021 13:49:44 +0200
gnutls28 (3.7.1-5) unstable; urgency=medium
* Another fix from 3.7.2:
56_30-x509-verify-treat-SHA-1-signed-CA-in-the-trusted-set.patch
* 40_fix_ipv6only_testsuite_AI_ADDRCONFIG.diff applied upstream, renamed to
56_33-serv-stop-setting-AI_ADDRCONFIG-on-getaddrinfo.patch
-- Andreas Metzler <ametzler@debian.org> Sat, 29 May 2021 12:14:30 +0200
gnutls28 (3.7.1-4) unstable; urgency=medium
* Pull fixes from upstream Git master
+ Ensure array allocations overflow safe.
https://gitlab.com/gnutls/gnutls/-/issues/1179
56_15-mem-add-_gnutls_reallocarray-and-_gnutls_reallocarra.patch
56_16-pkcs11x-find_ext_cb-fix-error-propagation.patch
56_17-build-avoid-potential-integer-overflow-in-array-allo.patch
56_18-build-avoid-integer-overflow-in-additions.patch
56_19-_gnutls_calloc-remove-unused-function.patch
+ Add option to disable TLS 1.3 middlebox compatibility mode
https://gitlab.com/gnutls/gnutls/-/issues/1208
56_20-priority-add-option-to-disable-TLS-1.3-middlebox-com.patch
(Changes gperf input file, add b-d on gperf.)
+ Fix session-id changing when responding to HelloRetryRequest
56_24-handshake-don-t-regenerate-legacy_session_id-in-seco.patch
https://gitlab.com/gnutls/gnutls/-/issues/1210
+ Fix timing of sending TLSv1.3 early data.
56_28-handshake-fix-timing-of-sending-early-data.patch
https://gitlab.com/gnutls/gnutls/-/issues/1146
-- Andreas Metzler <ametzler@debian.org> Sun, 25 Apr 2021 12:55:14 +0200
gnutls28 (3.7.1-3) unstable; urgency=low
* Rename/refetch
*build-doc-install-missing-image-file-gnutls-crypto-l.patch, it is has
been merged into upstream GIT.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Tue, 30 Mar 2021 11:21:58 +0200
gnutls28 (3.7.1-2) experimental; urgency=medium
* Also run ocsptool tests in autopkgtest.
* Add CVE numbers to previous changelog entry.
* Pull selected fixes from upstream GIT:
+ 55_01-_gnutls_buffer_resize-account-for-unused-area-if-AGG.patch
+ 55_02-str-suppress-Wunused-function-if-AGGRESSIVE_REALLOC-.patch
+ 56_01-srptool-avoid-FILE-pointer-leak-on-error.patch
+ 56_02-gnutls-cli-debug-avoid-resource-leak-in-saving-DHE-p.patch
+ 56_03-src-avoid-file-descriptor-leak-in-socket_open2.patch
+ 56_04-examples-avoid-memory-leak-in-tlsproxy.patch
+ 56_05-examples-avoid-memory-leak-in-ex-verify.patch
* 60_build-doc-install-missing-image-file-gnutls-crypto-l.patch
Ship missing image file. (Thanks, lintian)
-- Andreas Metzler <ametzler@debian.org> Sat, 20 Mar 2021 14:01:16 +0100
gnutls28 (3.7.1-1) unstable; urgency=medium
* New upstream version
Fixes potential use-after-free in sending "key_share" and "pre_shared_key"
extensions. GNUTLS-SA-2021-03-10. CVE-2021-20231 CVE-2021-20232
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Wed, 10 Mar 2021 19:02:31 +0100
gnutls28 (3.7.0+git20210306-2) experimental; urgency=medium
* Fix autopkgtest skiplist.
-- Andreas Metzler <ametzler@debian.org> Sun, 07 Mar 2021 16:26:05 +0100
gnutls28 (3.7.0+git20210306-1) experimental; urgency=low
* Update to GIT ba6e4b17bf74e58a8101f825011434b497eacbaa
+ Drop cherry-picked patches {48,49,50}_*.
+ Update copyright file.
-- Andreas Metzler <ametzler@debian.org> Sun, 07 Mar 2021 08:28:52 +0100
gnutls28 (3.7.0-7) unstable; urgency=medium
* Pull 50_01-gnutls_session_is_resumed-don-t-check-session-ID-in-.patch
50_02-handshake-TLS-1.3-don-t-generate-session-ID-in-resum.patch
50_04-tests-close-unused-fd-opened-by-socketpair.patch from upstream
master, fixing session resumption in non-TLS1.3 mode, which broke ftp-ssl.
(Thanks to Tim Kosse for the pointer) Closes: #980119
-- Andreas Metzler <ametzler@debian.org> Fri, 12 Feb 2021 19:03:16 +0100
gnutls28 (3.7.0-6) unstable; urgency=medium
* Update 49_0001-gnutls_x509_trust_list_verify_crt2-ignore-duplicate-.patch
with merged version from upstream GIT master. Features a fix for an assert
on connection to servers which send a duplicate chain including the
self-signed CA. Closes: #980513
-- Andreas Metzler <ametzler@debian.org> Mon, 08 Feb 2021 18:04:21 +0100
gnutls28 (3.7.0-5) unstable; urgency=low
* Update from upstream GIT master, replace patches, add new ones.
+ 48_0001-Fix-non-empty-session-id-TLS13_APPENDIX_D4.patch added.
+ 50_0001-tests-Fix-tpmtool_test-due-to-changes-in-trousers.patch
--> 48_0002-tests-Fix-tpmtool_test-due-to-changes-in-trousers.patch
+ 50_0002-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
--> 48_0003-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
Closes: #977552
+ 45_opensslcompat_no_export_gl.diff
--> 48_0005-libgnutls-openssl-Clean-up-list-of-exported-symbols.patch.
+ 48_0006-Fix-a-common-typo-of-gnutls_priority_t.patch added.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Thu, 31 Dec 2020 13:11:15 +0100
gnutls28 (3.7.0-4) experimental; urgency=medium
* Test build of fixes from
https://gitlab.com/gnutls/gnutls/-/merge_requests/1371 and
https://gitlab.com/gnutls/gnutls/-/merge_requests/1370/ for #976836 and
#977552.
-- Andreas Metzler <ametzler@debian.org> Tue, 29 Dec 2020 07:52:38 +0100
gnutls28 (3.7.0-3) unstable; urgency=low
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Mon, 07 Dec 2020 18:44:34 +0100
gnutls28 (3.7.0-2) experimental; urgency=low
* Fix guile-gnutls guile-x.x dependency.
* 45_opensslcompat_no_export_gl.diff: Cleanup exported symbols.
-- Andreas Metzler <ametzler@debian.org> Sat, 05 Dec 2020 18:22:34 +0100
gnutls28 (3.7.0-1) experimental; urgency=low
* New upstream version.
+ Drop 50_autopkgtestfixes.diff.
+ Update symbol file, bump all requirements to 3.7.0. (New mac/cipher
added).
+ Requires nettle >= 3.6.
* [lintian] Use v4 watch file.
* Add a symbol file for libgnutls-openssl27.
* Use dh v13 compat, (Some fixes for dh_missing.)
-- Andreas Metzler <ametzler@debian.org> Thu, 03 Dec 2020 18:40:03 +0100
gnutls28 (3.6.15-4) unstable; urgency=medium
* autopkgtest: Require build-essential.
* autopkgtest: respect dpkg-buildflags for helper-binary build.
-- Andreas Metzler <ametzler@debian.org> Wed, 16 Sep 2020 18:45:09 +0200
gnutls28 (3.6.15-3) unstable; urgency=medium
* More autopkgtest hotfixes.
-- Andreas Metzler <ametzler@debian.org> Tue, 15 Sep 2020 17:56:30 +0200
gnutls28 (3.6.15-2) unstable; urgency=medium
* 50_autopkgtestfixes.diff: Fix testsuite issues when running against
installed gnutls-bin.
* In autopkgtest set top_builddir and builddir, ignore
tests/cert-tests/tolerate-invalid-time and tests/gnutls-cli-debug.sh.
-- Andreas Metzler <ametzler@debian.org> Sat, 12 Sep 2020 17:56:48 +0200
gnutls28 (3.6.15-1) unstable; urgency=low
* New upstream version.
+ Fixes NULL pointer dereference if a no_renegotiation alert is sent with
unexpected timing. CVE-2020-24659 / GNUTLS-SA-2020-09-04
Closes: #969547
+ Drop 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch
50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
50_03-gnutls_cipher_init-fix-potential-memleak.patch
50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
+ Fix build error due to outdated gettext in Debian by removing newer
gettext m4 macros from m4/.
-- Andreas Metzler <ametzler@debian.org> Sun, 06 Sep 2020 09:50:07 +0200
gnutls28 (3.6.14-2) unstable; urgency=medium
* Pull selected patches from upstream GIT:
+ 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch:
Fixes difference in generated docs on 32 and 64 bit archs.
+ 50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
50_03-gnutls_cipher_init-fix-potential-memleak.patch
Fix memleak in gnutls_aead_cipher_init() with keys having invalid
length. (Broken since 3.6.3)
+ 50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
Closes: #962467
-- Andreas Metzler <ametzler@debian.org> Thu, 11 Jun 2020 11:27:34 +0200
gnutls28 (3.6.14-1) unstable; urgency=high
* Drop debugging code added in -4, fixes nocheck profile build error.
Closes: #962199
* Add Daiki Ueno 462225C3B46F34879FC8496CD605848ED7E69871 key to
debian/upstream/signing-key.asc.
* New upstream version.
+ Fixes insecure session ticket key construction.
[GNUTLS-SA-2020-06-03, CVE-2020-13777] Closes: #962289
+ Drop 50_Update-session_ticket.c-to-add-support-for-zero-leng.patch
51_01-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
51_02-x509-trigger-fallback-verification-path-when-cert-is.patch
51_03-tests-add-test-case-for-certificate-chain-supersedin.patch
* Drop guile-gnutls.lintian-overrides.
* 40_fix_ipv6only_testsuite_AI_ADDRCONFIG.diff: In gnutls-serv do not pass
AI_ADDRCONFIG to getaddrinfo. This broke the testsuite on systems without
IPv4 on non-loopback addresses. (Thanks, Adrian Bunk and Julien Cristau!)
Hopefully Closes: #962218
-- Andreas Metzler <ametzler@debian.org> Sat, 06 Jun 2020 14:11:30 +0200
gnutls28 (3.6.13-4) unstable; urgency=medium
* Output some network related debugging from debian/rules.
* Fix verification error with alternate chains. Closes: #961889
-- Andreas Metzler <ametzler@debian.org> Mon, 01 Jun 2020 10:34:25 +0200
gnutls28 (3.6.13-3) unstable; urgency=medium
* 50_Update-session_ticket.c-to-add-support-for-zero-leng.patch from GnuTLS
master: Handle zero length session tickets, fixing connection errors on
TLS1.2 sessions to some big hosting providers. (See LP 1876286)
-- Andreas Metzler <ametzler@debian.org> Thu, 28 May 2020 18:25:45 +0200
gnutls28 (3.6.13-2) unstable; urgency=high
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Fri, 03 Apr 2020 17:48:40 +0200
gnutls28 (3.6.13-1) experimental; urgency=low
* New upstream version.
+ libgnutls: Fix a DTLS-protocol regression (caused by TLS1.3
support), since 3.6.3. The DTLS client would not contribute any
randomness to the DTLS negotiation, breaking the security
guarantees of the DTLS protocol
GNUTLS-SA-2020-03-31 CVE-2020-11501 Closes: #955556
* Fix guile lintian override for shared-lib-without-dependency-information.
-- Andreas Metzler <ametzler@debian.org> Thu, 02 Apr 2020 18:31:26 +0200
gnutls28 (3.6.12-2) unstable; urgency=medium
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Fri, 14 Feb 2020 16:14:28 +0100
gnutls28 (3.6.12-1) experimental; urgency=low
[ Debian Janitor ]
* Drop unnecessary dh arguments: --parallel
[ Andreas Metzler ]
* Fix bindtextdomain() call and dgettext() invocations to search for the
correct filename. (Thanks, Laurent Bigonville for report and diagnosis.)
Closes: #949151
* [lintian] Drop superfluous debian/source/include-binaries.
* New upstream version.
+ Update symbol file.
+ Drop workaround for #658110, install guile shared objects to multi-arch
paths.
-- Andreas Metzler <ametzler@debian.org> Sun, 02 Feb 2020 17:45:13 +0100
gnutls28 (3.6.11.1-2) unstable; urgency=low
* Use dh 12 compat level.
+ Install gtk-doc files from as-installed location instead of builddir to
avoid dh_missing warnings.
* List *.la files in debian/not-installed.
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sat, 14 Dec 2019 18:07:49 +0100
gnutls28 (3.6.11.1-1) experimental; urgency=low
* New upstream version.
Drop 50_01-guile-Do-not-attempt-to-load-shared-object-when-cros.patch
50_02-guile-Silence-auto-compilation-warning-for-guild.patch
* Update symbol file (VKO GOST key exchange supported was added).
-- Andreas Metzler <ametzler@debian.org> Sat, 07 Dec 2019 07:49:26 +0100
gnutls28 (3.6.10-5) unstable; urgency=medium
* 50_01-guile-Do-not-attempt-to-load-shared-object-when-cros.patch
50_02-guile-Silence-auto-compilation-warning-for-guild.patch from upstream
GIT master: Fix crossbuild error. (Thanks, Ludovic Courtès!)
Closes: #943905
-- Andreas Metzler <ametzler@debian.org> Sat, 16 Nov 2019 18:41:44 +0100
gnutls28 (3.6.10-4) unstable; urgency=medium
* Add support for noguile build profile. See #943905.
-- Andreas Metzler <ametzler@debian.org> Sat, 02 Nov 2019 06:30:43 +0100
gnutls28 (3.6.10-3) unstable; urgency=low
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Wed, 30 Oct 2019 19:23:36 +0100
gnutls28 (3.6.10-2) experimental; urgency=medium
* Switch b-d from texlive-generic-recommended to texlive-plain-generic.
Closes: #941526
-- Andreas Metzler <ametzler@debian.org> Wed, 02 Oct 2019 19:46:25 +0200
gnutls28 (3.6.10-1) experimental; urgency=low
* New upstream version.
+ Drop i386-fix-wrong-reloc.patch and
40_gnutls_epoch_set_keys-do-not-forbid-random-padding-.patch.
+ Update symbol files.
+ Update copyright. Stop shipping a copy of the GNU Affero General Public
License version 3. (pkcs11-mock.* is now under a different license.)
-- Andreas Metzler <ametzler@debian.org> Sun, 29 Sep 2019 18:39:12 +0200
gnutls28 (3.6.9-7) experimental; urgency=low
* Fix copy-paste error (missing line) in libgnutls-dane0 description.
* Re-add guile-gnutls, test-build (including testsuite) was successful.
Closes: #905272
-- Andreas Metzler <ametzler@debian.org> Sun, 22 Sep 2019 17:29:57 +0200
gnutls28 (3.6.9-6) experimental; urgency=low
* Test-build guile bindings.
-- Andreas Metzler <ametzler@debian.org> Sat, 21 Sep 2019 17:34:01 +0200
gnutls28 (3.6.9-5) unstable; urgency=medium
* 40_gnutls_epoch_set_keys-do-not-forbid-random-padding-.patch from upstream
GIT master: Fix interop problems with gnutls 2.x. Closes: #933538
-- Andreas Metzler <ametzler@debian.org> Sat, 14 Sep 2019 13:38:41 +0200
gnutls28 (3.6.9-4) unstable; urgency=medium
* i386-fix-wrong-reloc.patch: Fix bad relocations on i386 due to broken
assembly code. (Thanks, Steve Langasek for report and patch!)
Closes: #934193
-- Andreas Metzler <ametzler@debian.org> Thu, 08 Aug 2019 19:40:21 +0200
gnutls28 (3.6.9-3) unstable; urgency=medium
* autopkgtest: Skip system-override-sig-hash.sh.
-- Andreas Metzler <ametzler@debian.org> Sat, 03 Aug 2019 06:48:46 +0200
gnutls28 (3.6.9-2) unstable; urgency=medium
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Fri, 02 Aug 2019 19:12:42 +0200
gnutls28 (3.6.9-1) experimental; urgency=low
* New upstream version.
+ Update symbol file.
-- Andreas Metzler <ametzler@debian.org> Sat, 27 Jul 2019 16:29:55 +0200
gnutls28 (3.6.8-2) unstable; urgency=low
* Use DH 11 compat again.
* 3.6.8 builds with gcc-9. Closes: #925701
* Fix autopkgtest on 32bit architectures. (Bug report and patch by Julian
Andres Klode) Closes: #930541
See also https://gitlab.com/gnutls/gnutls/merge_requests/986
* Upload to unstable.
-- Andreas Metzler <ametzler@debian.org> Sat, 06 Jul 2019 14:10:29 +0200
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libgnutls-dane0t64`.
Generated by dwww version 1.16 on Tue Dec 16 05:37:33 CET 2025.