Fixing "lucky 13" CVE-2013-0169 in gnutls28

Andreas Metzler ametzler at downhill.at.eu.org
Thu Feb 7 10:54:52 UTC 2013


Hello,

sadly CVE-2013-0169 also (see 699891) applies to gnutls28.
I have just uploaded gnutls28_3.0.22-3 to unstable, pretty much with
the same set of fixes as gnutls26 2.12.20-4 to unstable. I am not
sure how you would prefer to have this fixed in testing.

Could 3.0.22-3 propagate to testing? The version in testing is two
upstream versions older (3.0.20-3), therefore the diff will be pretty
big. Or is a tpu upload necessary?

cu andreas

PS: My first idea was to simply pull gnutls28, providing guile-gnutls
and gnutls-bin from gnutls26 again. However there is a reverse
dependency (pan) on libgnutls28 in testing nowadays. Pan is not
distributable currently http://bugs.debian.org/699892
but that might still be fixed in time for the release.
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


