Bug#1130735: trixie-pu: package gnutls28/3.8.9-3+deb13u3

Andreas Metzler ametzler at bebt.de
Sat Mar 14 12:24:28 GMT 2026 

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: gnutls28 at packages.debian.org, Simon McVittie <smcv at collabora.com>
Control: affects -1 + src:gnutls28
User: release.debian.org at packages.debian.org
Usertags: pu


Hello,

I would like to fix #1130152 for trixie. Simon has done all the heavy
and not so heavy lifting on this, let's quote #1130152:

8X-------------------
A regression in GnuTLS 3.8.5, which started shuffling the extensions
order, causes an interoperability issue leading to handshake failures
with some SSL/TLS servers. I'm reporting this at important severity since
it's an interop regression affecting an unknown number of remote services.

From the linked regression report https://github.com/luakit/luakit/issues/1101,
it seems that at the time of writing, search.dismail.de is a good test-case,
for example:
[...]
    # gnutls-cli search.dismail.de
    Processed 150 CA certificate(s).
    Resolving 'search.dismail.de:443'...
    Connecting to '128.140.68.142:443'...
    *** Fatal error: A TLS fatal alert has been received.
    *** Received alert [47]: Illegal parameter
[...]
I've confirmed that 3.8.12-2 in forky and 3.7.9-2+deb12u6 in bookworm
are both unaffected by this: they successfully connect to that server,
with gnutls-cli output that includes "Handshake was completed". (Press
Ctrl+D to exit after seeing this.)

This appears to have been fixed by
https://gitlab.com/gnutls/gnutls/-/merge_requests/1930
after the 3.8.9 release, commit
[...]
8X-------------------


I have verified the proposed change and that it fixes the issue.

TIA, cu Andreas

-- 
"You people are noisy," Nia said.
I made the gesture of agreement.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 3.8.9-3+deb13u3.deb.diff
Type: text/x-diff
Size: 8932 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnutls-maint/attachments/20260314/98c71909/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnutls-maint/attachments/20260314/98c71909/attachment.sig>

More information about the Pkg-gnutls-maint mailing list