Fixing "lucky 13" CVE-2013-0169 in gnutls28
Julien Cristau
jcristau at debian.org
Sun Feb 10 14:28:41 UTC 2013
On Thu, Feb 7, 2013 at 11:54:52 +0100, Andreas Metzler wrote:
> Hello,
>
> sadly CVE-2013-0169 also (see 699891) applies to gnutls28.
> I have just uploaded gnutls28_3.0.22-3 to unstable, pretty much with
> the same set of fixes as gnutls26 2.12.20-4 to unstable. I am not
> sure how you would prefer to have this fixed in testing.
>
> Could 3.0.22-3 propagate to testing? The version in testing is two
> upstream versions older (3.0.20-3), therefore the diff will be pretty
> big. Or is a tpu upload necessary?
>
I don't think 3.0.22-3 is suitable at this stage...

> PS: My first idea was to simply pull gnutls28, providing guile-gnutls
> and gnutls-bin from gnutls26 again. However there is a reverse
> dependency (pan) on libgnutls28 in testing nowadays. Pan is not
> distributable currently http://bugs.debian.org/699892
> but that might still be fixed in time for the release.
What would be involved in switching pan back to gnutls26?

Cheers,
Julien