Bug#856872: jessie-pu: package gnutls28/3.3.8-6+deb8u5

Andreas Metzler ametzler at bebt.de
Mon Mar 6 18:24:44 UTC 2017

On 2017-03-05 Andreas Metzler <ametzler at bebt.de> wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian.org at packages.debian.org
> Usertags: pu

> Hello,

> I would like fix a number of minor issues in GnuTLS.

> Most of these (notably CVE-2017-533[4567]) are related to the PGP
> support, security does not intend to issue a DSA:


upstream has now released 3.5.10/3.3.27 including these fixes and
another one on top:
     + 55_16_Enforce-the-max-packet-length-for-OpenPGP-subpackets.patch
       Addressed large allocation in OpenPGP certificate parsing, that could
       lead in out-of-memory condition. Issue found using oss-fuzz project, and
       was fixed by Alex Gaynor:

Updated diff for jessie attached.

cu Andreas
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: from_u4_to_u5-v2.diff
Type: text/x-diff
Size: 44179 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20170306/e153ede2/attachment-0001.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20170306/e153ede2/attachment-0001.sig>

More information about the Pkg-gnutls-maint mailing list