Fixing "lucky 13" CVE-2013-0169 in gnutls28
Andreas Metzler
ametzler at downhill.at.eu.org
Sun Feb 10 15:26:40 UTC 2013
On 2013-02-10 Julien Cristau <jcristau at debian.org> wrote:
> On Thu, Feb 7, 2013 at 11:54:52 +0100, Andreas Metzler wrote:
> > sadly CVE-2013-0169 also (see 699891) applies to gnutls28.
[...]
>> PS: My first idea was to simply pull gnutls28, providing guile-gnutls
>> and gnutls-bin from gnutls26 again. However there is a reverse
>> dependency (pan) on libgnutls28 in testing nowadays. Pan is not
>> distributable currently http://bugs.debian.org/699892
>> but that might still be fixed in time for the release.
> What would be involved in switching pan back to gnutls26?
Hello,
downgrading the build-depency and patching ./configure[1]. The
source builds and the package can still read from news.gmane.org with
NNTP/SSL. Which is not a very elaborate test. ;-)
cu andreas
[1]
--- pan-0.139.orig/configure
+++ pan-0.139/configure
@@ -3045,7 +3045,7 @@ GTK3_REQUIRED=3.0.0
GTKSPELL_REQUIRED=2.0.7
GTKSPELL3_REQUIRED=2.0.16
ENCHANT_REQUIRED=1.6.0
-GNUTLS_REQUIRED=3.0.0
+GNUTLS_REQUIRED=2.12.0
LIBNOTIFY_REQUIRED=0.4.1
LIBGKR_REQUIRED=3.2.0
More information about the Pkg-gnutls-maint
mailing list