Wheezy update of gnutls26?

Antoine Beaupré anarcat at orangeseeds.org
Tue Apr 25 17:43:58 UTC 2017


On 2017-04-25 18:57:44, Andreas Metzler wrote:
> On 2017-04-24 Antoine Beaupré <anarcat at orangeseeds.org> wrote:
>> On 2017-04-19 21:37:30, Ola Lundqvist wrote:
>>> The Debian LTS team would like to fix the security issues which are
>>> currently open in the Wheezy version of gnutls26:
>>> https://security-tracker.debian.org/tracker/CVE-2017-5337
>>> https://security-tracker.debian.org/tracker/CVE-2017-5336
>>> https://security-tracker.debian.org/tracker/CVE-2017-5335
>>> https://security-tracker.debian.org/tracker/CVE-2017-7869
>>>  (The last one is a minor issue but an easy fix so it is probably
>>>   worth fixing anyway).
>
>> Actually, all 4 of those are minor issues, in my opinion. They have been
>> marked "no-dsa" by the Debian security team, and upstream said:
>
>>     Recommendation: The support of OpenPGP certificates in GnuTLS is
>>     considered obsolete. As such, it is not recommended to use OpenPGP
>>     certificates with GnuTLS. To address the issues found upgrade to
>>     GnuTLS 3.5.10 or later versions.
>
>> Indeed, two weeks ago, OpenPGP support was completely disabled upstream
>> for newer GnuTLS releases.
> [...]
>> So after a long reflection (I've looked at those CVEs a few times already),
>> I have marked the 4 CVEs as "no-dsa".
>
>> Feel free to say so if you are actually using those extensions and want
>> us to take a look again.
>
>> To the GnuTLS maintainers: of course, if you want to produce an update
>> for wheezy (and, for that matter, jessie), we'd be happy to assist you.
>
> Hello,
> Just for completeness' sake: Although they are marked no-dsa, we intend
> to fix them for stable <https://bugs.debian.org/856872>.
>
> Regarding LTS I would rather not touch GnuTLS 2.x anymore. If this box
> was opened it probably would make sense to upgrade to 2.12.24.

Agreed!

A.

-- 
Every time I see an adult on a bicycle I no longer despair for the
future of the human race.
                         - H. G. Wells



More information about the Pkg-gnutls-maint mailing list