-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 May 2026 01:31:58 +0200
Source: gnutls28
Architecture: source
Version: 3.7.1-5+deb11u10
Distribution: bullseye-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1135319
Changes:
 gnutls28 (3.7.1-5+deb11u10) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Backport security fixes from 3.8.13 (closes: #1135319):
     + Fix CVE-2026-3833: Policy bypass due to case-sensitive nameconstraints
       comparison.
     + Fix CVE-2026-5260: Remote OOB read in PKCS#11 RSA decrypt path via short
       ClientKeyExchange.
     + Fix CVE-2026-33845: Denial of service via DTLS zero-length fragment.
     + Fix CVE-2026-33846: Denial of service via heap buffer overflow in DTLS
       handshake fragment reassembly.
     + Fix CVE-2026-42009: Denial of service via DTLS packet reordering
       vulnerability.
     + Fix CVE-2026-42010: Security bypass due to incorrect name constraint
       handling.
     + Fix CVE-2026-42011: Security bypass due to incorrect name constraint
       handling.
     + Fix CVE-2026-42012: CN fallback with unsupported SAN type.
     + Fix CVE-2026-42013: Hostname verification bypass via oversized dNSName
       SAN forcing CN fallback (RFC 6125 Violation).
     + Fix CVE-2026-42014: Use-after-free in gnutls_pkcs11_token_set_pin() when
       retrieving SO PIN.
     + Fix CVE-2026-42015: PKCS#12 bag append after parsed full-capacity bag
       causes heap out-of-bounds write.
     + Fix upstream issue #1808: Rehandshaking to a username with embedded NUL
       character could theoretically allow bypassing the GNUTLS_ALLOW_ID_CHANGE
       protection.
     + Fix upstream issue #1810: The OCSP signing EKU OID was compared without
       verifying its length, allowing a shorter OID that shares the same prefix
       to match.
     + Fix upstream issue #1817: Possible invalid pointer dereference in PKCS#11
       trust removal error path.
     + Fix upstream issue #1818: gnutls_privkey_verify_params overlooked the
       scenario of p and q not being co-prime. It now returns
       GNUTLS_E_PK_INVALID_PRIVKEY in this case.
     + Fix upstream issue #1819: If gnutls_x509_crt_list_import_pkcs11 failed
       partway through, the trust list cleanup code would try to free already-
       deinitialized certificate entries, leading to a double-free.
     + Fix upstream issue #1854: Insufficient bounds checking on the PEM header
       length could lead to short heap overreads on specially crafted inputs.
Checksums-Sha1:
 9da80cd6a4d782d06f153ee4583f81c881d855bd 3545 gnutls28_3.7.1-5+deb11u10.dsc
 5de5d25534ee5910ea9ee6aaeeb6af1af4350c1e 6038388 gnutls28_3.7.1.orig.tar.xz
 8c2c3aabe289987bbe51ddc1ad4a42558683ca66 854 gnutls28_3.7.1.orig.tar.xz.asc
 c299c19e288453e221c5b474802a5f8eaa2bfc52 165252 gnutls28_3.7.1-5+deb11u10.debian.tar.xz
 083bd0afadf1bd28b36309d71b7d5fe7daaf77b6 6059 gnutls28_3.7.1-5+deb11u10_source.buildinfo
Checksums-Sha256:
 6615de987442a244d54bab8de49d46e91ce02efbd917a03444075cf73252fc03 3545 gnutls28_3.7.1-5+deb11u10.dsc
 3777d7963eca5e06eb315686163b7b3f5045e2baac5e54e038ace9835e5cac6f 6038388 gnutls28_3.7.1.orig.tar.xz
 13a683b12602c169a7ad7827ab0e3f35c8fa1f98675d0073cf7d54a8cd635582 854 gnutls28_3.7.1.orig.tar.xz.asc
 a1b2c47bbc5c38e180d0aa02219901ec99a9cdc90cf7c4fb4b3762f58d23060e 165252 gnutls28_3.7.1-5+deb11u10.debian.tar.xz
 7508810f695ec43815f2fcc942bb4ffb29e1c28abcf34c5257c4782edef76c31 6059 gnutls28_3.7.1-5+deb11u10_source.buildinfo
Files:
 c885f1b0fbd776a7d6cd9699c84122d2 3545 libs optional gnutls28_3.7.1-5+deb11u10.dsc
 278e1f50d79cd13727733adbf01fde8f 6038388 libs optional gnutls28_3.7.1.orig.tar.xz
 590c9d64f7d8ee77671cdb9547f5edaf 854 libs optional gnutls28_3.7.1.orig.tar.xz.asc
 effb278eee124d46869f29c883909f54 165252 libs optional gnutls28_3.7.1-5+deb11u10.debian.tar.xz
 b525358d6f8f66c590ae352b129e4542 6059 libs optional gnutls28_3.7.1-5+deb11u10_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmoQa9wACgkQ05pJnDwh
pVKLCxAAoBQI9APSUWidOUcfZe0fkgBYHKk6EZzTD95Dlq4/kzPGW0wbgksFdDDH
kPUI5DnGitO3WNZGLfFIG/5+bMKDKK6tXEcggEikRVhY6l78dqrEIyi3GUvrMQLj
PJP7ZLipNoGp6MBBkq5Ed0kgkVyjpu4iP0Vn4jP/6IzxQt3AGPSnum+7esMoOFHY
QBjCQPN0PPUcb3QD1Jws9DNH243x5lfqFeIC98wfwSpM/f45LJCHGwUzLiM7y9Tc
lH9JfyBWnAbHStR5eaJrIevwmwbrQqZuNoj5MT7vVqPZdMFEG8pjHSP1KSFc9YwT
QefTAgEyuhnMfofQhxbiIJSaYZuoE2eRIJ4TTMOrVSFOEA29K5k6nf7giHpogwAt
kAAMBUUoqfql1AqFePRfXrHPvBAh//p1yYWsdzdxpzGI0EYMPKa5XRCIwhfJ1z9m
dxxsWmw+3ukXkOX2HqZmG8EDo/6Fy6TxQnHocj8yfCjD4VDyzfUCZ+fj9p8suqAP
XAaKALkdtirCkbSOqqbpbX2lchXnpn//YZWFYhKuL8t856mN7CFX2My5YDA+OvRO
NAyLDGIn5N09UJGEoQvO1Mn7VEFxWi5Ri2fmvYmWIvDx4t5xdj+huhOpDvVgpeXm
uOl5szH1RgU5yh4wW6SEgW3FBKvJ/SSx/QD2Gxqk1xZFcxXBwGc=
=XVzI
-----END PGP SIGNATURE-----
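The upstream issue #1810 entry in the changelog above describes an extended key usage OID that was compared without checking its length, so a shorter OID sharing the same leading bytes matched. The C program below is an added illustration of that comparison pattern next to the corrected one; it is not GnuTLS code and is not the patched routine. Only the DER value of id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9, encoded as 2B 06 01 05 05 07 03 09) is a known fact; the function names, the minimal ExtKeyUsage walker, and the three constructed ExtKeyUsage byte strings are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER-encoded contents of id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9). */
static const uint8_t OCSP_SIGNING_OID[] = {
    0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09
};

/* Flawed pattern (illustration, not GnuTLS code): only as many bytes as the
 * candidate carries are compared, so any proper prefix of the expected OID
 * is accepted as a match. */
int eku_is_ocsp_signing_flawed(const uint8_t *oid, size_t len)
{
    if (len > sizeof(OCSP_SIGNING_OID))
        return 0;
    return memcmp(oid, OCSP_SIGNING_OID, len) == 0;
}

/* Corrected pattern: the lengths must agree before the bytes are compared. */
int eku_is_ocsp_signing_fixed(const uint8_t *oid, size_t len)
{
    return len == sizeof(OCSP_SIGNING_OID) &&
           memcmp(oid, OCSP_SIGNING_OID, len) == 0;
}

/* Walks a DER ExtKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER) and applies
 * `match` to each member. Returns 1 if some member matches, 0 if none does,
 * -1 on malformed input. Only short-form lengths (< 128 bytes) are handled,
 * which covers the constructed inputs below. Hypothetical helper. */
int eku_contains(const uint8_t *der, size_t der_len,
                 int (*match)(const uint8_t *, size_t))
{
    if (der_len < 2 || der[0] != 0x30 || der[1] >= 0x80 ||
        (size_t)der[1] + 2 != der_len)
        return -1;
    size_t pos = 2;
    while (pos < der_len) {
        if (pos + 2 > der_len || der[pos] != 0x06 || der[pos + 1] >= 0x80)
            return -1;
        size_t oid_len = der[pos + 1];
        if (pos + 2 + oid_len > der_len)
            return -1;
        if (match(der + pos + 2, oid_len))
            return 1;
        pos += 2 + oid_len;
    }
    return 0;
}

/* Constructed ExtKeyUsage values for the demonstration (not from any real
 * certificate). */
const uint8_t EKU_OCSP_SIGNING[] = { /* { 1.3.6.1.5.5.7.3.9 } */
    0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09
};
const uint8_t EKU_PREFIX_ONLY[] = {  /* { 1.3.6.1.5.5.7.3 }: a proper prefix */
    0x30, 0x09, 0x06, 0x07, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03
};
const uint8_t EKU_SERVER_AUTH[] = {  /* { 1.3.6.1.5.5.7.3.1 } */
    0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01
};

int main(void)
{
    printf("exact OCSPSigning: flawed=%d fixed=%d\n",
           eku_contains(EKU_OCSP_SIGNING, sizeof(EKU_OCSP_SIGNING), eku_is_ocsp_signing_flawed),
           eku_contains(EKU_OCSP_SIGNING, sizeof(EKU_OCSP_SIGNING), eku_is_ocsp_signing_fixed));
    printf("prefix-only OID:   flawed=%d fixed=%d\n",
           eku_contains(EKU_PREFIX_ONLY, sizeof(EKU_PREFIX_ONLY), eku_is_ocsp_signing_flawed),
           eku_contains(EKU_PREFIX_ONLY, sizeof(EKU_PREFIX_ONLY), eku_is_ocsp_signing_fixed));
    printf("serverAuth OID:    flawed=%d fixed=%d\n",
           eku_contains(EKU_SERVER_AUTH, sizeof(EKU_SERVER_AUTH), eku_is_ocsp_signing_flawed),
           eku_contains(EKU_SERVER_AUTH, sizeof(EKU_SERVER_AUTH), eku_is_ocsp_signing_fixed));
    return 0;
}
```

The prefix-only input is the case the changelog entry describes: the flawed comparison reports a match for an OID that is not id-kp-OCSPSigning, while the length-checked comparison rejects it. The same length-before-content rule applies to any DER identifier comparison, not just this EKU.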