Please test gnutls26 update
Raphael Hertzog
hertzog at debian.org
Mon Mar 23 17:19:12 UTC 2015
Hello,

I prepared an update of gnutls26 for squeeze:
$ dget https://people.debian.org/~hertzog/packages/gnutls26_2.8.6-1+squeeze5_amd64.changes

This version seems to work for me. I was able to verify that CVE-2015-0294
is fixed with the test case at
https://gitlab.com/gnutls/gnutls/commit/ca35341243dc2ba13cd703d25becea5da293bc35

For CVE-2015-0282, I used the patch of Red Hat and the test
case at
https://gitlab.com/gnutls/gnutls/commit/58d7dde8a8a6fce1a8aa9aeb29f2247212fe5acd
but unfortunately, I don't get a hard failure with certtool, see
https://bugzilla.redhat.com/show_bug.cgi?id=1194371#c7 but it seems
to correctly detect that the certificate can't be verified... so I'm
tempted to believe that the patch is working correctly anyway.

I see the same behaviour with the updated gnutls26 in wheezy-security
(ccing Salvatore who prepared the wheezy update in case he has some
feedback on this problem).

For CVE-2014-8155, I have no test case.

Please test the packages and report back if you find any regressions.

Thank you!
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/