This bug was fixed in the package gnutls28 - 3.6.15-4ubuntu2

---------------
gnutls28 (3.6.15-4ubuntu2) groovy; urgency=low

  * Merge from Debian unstable LP: #1893924. Remaining changes:
    - Enable CET.
    - Set default priority string to only allow TLS1.2, DTLS1.2, and TLS1.3
      with medium security profile (2048 RSA keys minimum, and similar).
  * Add patch to fix ftbfs gnulib with new glibc.

gnutls28 (3.6.15-4) unstable; urgency=medium

  * autopkgtest: Require build-essential.
  * autopkgtest: respect dpkg-buildflags for helper-binary build.

gnutls28 (3.6.15-3) unstable; urgency=medium

  * More autopkgtest hotfixes.

gnutls28 (3.6.15-2) unstable; urgency=medium

  * 50_autopkgtestfixes.diff: Fix testsuite issues when running against
    installed gnutls-bin.
  * In autopkgtest set top_builddir and builddir, ignore
    tests/cert-tests/tolerate-invalid-time and tests/gnutls-cli-debug.sh.

gnutls28 (3.6.15-1) unstable; urgency=low

  * New upstream version.
    + Fixes NULL pointer dereference if a no_renegotiation alert is sent
      with unexpected timing. CVE-2020-24659 / GNUTLS-SA-2020-09-04
      Closes: #969547
    + Drop 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch
      50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
      50_03-gnutls_cipher_init-fix-potential-memleak.patch
      50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
    + Fix build error due to outdated gettext in Debian by removing newer
      gettext m4 macros from m4/.

gnutls28 (3.6.14-2) unstable; urgency=medium

  * Pull selected patches from upstream GIT:
    + 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch:
      Fixes difference in generated docs on 32 and 64 bit archs.
    + 50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
      50_03-gnutls_cipher_init-fix-potential-memleak.patch
      Fix memleak in gnutls_aead_cipher_init() with keys having invalid
      length. (Broken since 3.6.3)
    + 50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
      Closes: #962467

gnutls28 (3.6.14-1) unstable; urgency=high

  * Drop debugging code added in -4, fixes nocheck profile build error.
    Closes: #962199
  * Add Daiki Ueno 462225C3B46F34879FC8496CD605848ED7E69871 key to
    debian/upstream/signing-key.asc.
  * New upstream version.
    + Fixes insecure session ticket key construction.
      [GNUTLS-SA-2020-06-03, CVE-2020-13777] Closes: #962289
    + Drop 50_Update-session_ticket.c-to-add-support-for-zero-leng.patch
      51_01-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
      51_02-x509-trigger-fallback-verification-path-when-cert-is.patch
      51_03-tests-add-test-case-for-certificate-chain-supersedin.patch
  * Drop guile-gnutls.lintian-overrides.
  * 40_fix_ipv6only_testsuite_AI_ADDRCONFIG.diff: In gnutls-serv do not pass
    AI_ADDRCONFIG to getaddrinfo. This broke the testsuite on systems without
    IPv4 on non-loopback addresses. (Thanks, Adrian Bunk and Julien Cristau!)
    Hopefully Closes: #962218

 -- Dimitri John Ledkov <x...@ubuntu.com>  Thu, 24 Sep 2020 12:03:44 +0100

** Changed in: gnutls28 (Ubuntu Groovy)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13777

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24659

https://bugs.launchpad.net/bugs/1893924

Title:
  memory leak in GnuTLS iov operations used by Samba