[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2026-42010/gnutls28: Reference commit introducing the issue

Guilhem Moulin (@guilhem) guilhem at debian.org
Fri May 22 17:12:04 BST 2026



Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker


Commits:
af98e4a1 by Guilhem Moulin at 2026-05-22T18:10:45+02:00
CVE-2026-42010/gnutls28: Reference commit introducing the issue

Support for non-null terminated usernames in PSK negotiation was added
in 3.6.13 via https://gitlab.com/gnutls/gnutls/-/work_items/586 , see
https://lists.gnutls.org/pipermail/gnutls-help/2020-March/004642.html
and https://gitlab.com/gnutls/gnutls/-/issues/1850#note_3270513055 .

- - - - -
6e8a75be by Guilhem Moulin at 2026-05-22T18:11:49+02:00
Reserve DLA-4595-1 for gnutls28

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -14467,6 +14467,7 @@ CVE-2026-42010 (A flaw was found in gnutls. Servers configured with RSA-PSK (Riv
 	NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-4
 	NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1850
 	NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/cb1833afd9b6309563211b1c0a7c291f52ca98d5 (3.8.13)
+	NOTE: Introduced with: https://gitlab.com/gnutls/gnutls/-/commit/d00638997fa269a975095d852633b48b2b64fbf9 (3.6.13)
 CVE-2026-33845 (A flaw in GnuTLS DTLS handshake parsing allows malformed fragments wit ...)
 	{DSA-6281-1}
 	- gnutls28 3.8.13-1 (bug #1135319)
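Review bot: the added "Introduced with:" NOTE under CVE-2026-42010 records the commit and version (3.6.13) but not the evidence for that attribution, which appears only in the commit message. The existing NOTE links issue 1850 as a whole; consider one more NOTE line pointing at https://gitlab.com/gnutls/gnutls/-/issues/1850#note_3270513055 so the reasoning stays with the tracker entry, where someone triaging a release older than 3.6.13 will look for it.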


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[22 May 2026] DLA-4595-1 gnutls28 - security update
+	{CVE-2026-3833 CVE-2026-5260 CVE-2026-33845 CVE-2026-33846 CVE-2026-42009 CVE-2026-42010 CVE-2026-42011 CVE-2026-42012 CVE-2026-42013 CVE-2026-42014 CVE-2026-42015}
+	[bullseye] - gnutls28 3.7.1-5+deb11u10
 [22 May 2026] DLA-4594-1 thunderbird - security update
 	{CVE-2026-8388 CVE-2026-8391 CVE-2026-8401 CVE-2026-8946 CVE-2026-8947 CVE-2026-8950 CVE-2026-8953 CVE-2026-8954 CVE-2026-8955 CVE-2026-8956 CVE-2026-8957 CVE-2026-8958 CVE-2026-8961 CVE-2026-8962 CVE-2026-8968 CVE-2026-8970 CVE-2026-8974 CVE-2026-8975}
 	[bullseye] - thunderbird 1:140.11.0esr-1~deb11u1
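Review bot: the CVE set on the second added line lists eleven ids, but this push only records an introduced-in version for one of them, CVE-2026-42010 (3.6.13, which is older than the 3.7.1-5+deb11u10 named on the third added line). Before the advisory is published it is worth confirming that each of the other ten ids applies to the 3.7.1 code base in bullseye, and recording an "Introduced with:" NOTE in data/CVE/list for any that were checked the same way.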


=====================================
data/dla-needed.txt
=====================================
@@ -199,10 +199,6 @@ glibc
   NOTE: 20260404: Added by Front-Desk (ta)
   NOTE: 20260404: no upstream fix yet
 --
-gnutls28 (guilhem)
-  NOTE: 20260503: Added by Front-Desk (lamby)
-  NOTE: 20260520: DSA-6281-1 released (Beuc/front-desk)
---
 golang-github-gorilla-csrf
   NOTE: 20250422: Added by Front-Desk (rouca)
   NOTE: 20250422: Need to binNMU reverse depends (in that order): golang-github-alecthomas-chroma, golang-github-niklasfasching-go-org, golang-github-yuin-goldmark-highlighting, hugo (rouca)
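Review bot: neither commit message mentions the removal of the gnutls28 entry from data/dla-needed.txt; "Reserve DLA-4595-1 for gnutls28" describes only the data/DLA/list addition. A short body line in that message saying the package was dropped from dla-needed.txt would make the change findable in the log. The removal itself takes the entry together with one "--" separator, so the glibc and golang-github-gorilla-csrf entries remain correctly delimited.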



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9aa8a8fd5b53fd1de1ed21d96bf5858c33b1b6ab...6e8a75bec0d273d8611deaed3464d5b7ecd5e1ee
