Wheezy update of gnutls26?

Andreas Metzler ametzler at bebt.de
Tue Apr 25 16:57:44 UTC 2017


On 2017-04-24 Antoine Beaupré <anarcat at orangeseeds.org> wrote:
> On 2017-04-19 21:37:30, Ola Lundqvist wrote:
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of gnutls26:
>> https://security-tracker.debian.org/tracker/CVE-2017-5337
>> https://security-tracker.debian.org/tracker/CVE-2017-5336
>> https://security-tracker.debian.org/tracker/CVE-2017-5335
>> https://security-tracker.debian.org/tracker/CVE-2017-7869
>>  (The last one is a minor issue but an easy fix so it is probably
>>   worth fixing anyway).

> Actually, all 4 of those are minor issues, in my opinion. They have been
> marked "no-dsa" by the Debian security team, and upstream said:

>     Recommendation: The support of OpenPGP certificates in GnuTLS is
>     considered obsolete. As such, it is not recommended to use OpenPGP
>     certificates with GnuTLS. To address the issues found upgrade to
>     GnuTLS 3.5.10 or later versions.

> Indeed, two weeks ago, OpenPGP support was completely disabled upstream
> for newer GnuTLS releases.
[...]
> So after a long reflection (I've looked at those CVEs a few times already),
> I have marked the 4 CVEs as "no-dsa".

> Feel free to say so if you are actually using those extensions and want
> us to take a look again.

> To the GnuTLS maintainers: of course, if you want to produce an update
> for wheezy (and, for that matter, jessie), we'd be happy to assist you.

Hello,
Just for completeness' sake: Although they are marked no-dsa, we intend
to fix them for stable <https://bugs.debian.org/856872>.

Regarding LTS I would rather not touch GnuTLS 2.x anymore. If this box
was opened it probably would make sense to upgrade to 2.12.24.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'