-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 27 Apr 2017 18:10:51 +0200
Source: gnutls28
Binary: libgnutls28-dev libgnutls-deb0-28 libgnutls28-dbg gnutls-bin gnutls-doc guile-gnutls libgnutlsxx28 libgnutls-openssl27
Architecture: all source
Version: 3.3.8-6+deb8u5
Distribution: jessie
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description:
 gnutls-bin - GNU TLS library - commandline utilities
 gnutls-doc - GNU TLS library - documentation and examples
 guile-gnutls - GNU TLS library - GNU Guile bindings
 libgnutls28-dbg - GNU TLS library - debugger symbols
 libgnutls28-dev - GNU TLS library - development files
 libgnutls-deb0-28 - GNU TLS library - main runtime library
 libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
 libgnutlsxx28 - GNU TLS library - C++ runtime library
Changes:
 gnutls28 (3.3.8-6+deb8u5) jessie; urgency=medium
 .
   * Pull multiple fixes from gnutls_3_3_x branch:
     + 55_00_pkcs12-fixed-the-calculation-of-p_size.patch
       Fixed issue in PKCS#12 password encoding, which truncated passwords
       over 32 characters. Reported by Mario Klebsch.
     + 55_01_gnutls_x509_ext_import_proxy-fix-issue-reading-the-p.patch
       Fix double free in certificate information printing. If the PKIX
       extension proxy was set with a policy language set but no policy
       specified, that could lead to a double free.
       [GNUTLS-SA-2017-1] CVE-2017-5334
     + 55_02_auth-rsa-eliminated-memory-leak-on-pkcs-1-formatting.patch
       Addressed memory leak in server side error path (issue found using
       oss-fuzz project)
     + 55_03_opencdk-Fixes-to-prevent-undefined-behavior-found-wi.patch
       55_04_Do-not-infinite-loop-if-an-EOF-occurs-while-skipping.patch
       55_05_Attempt-to-fix-a-leak-in-OpenPGP-cert-parsing.patch
       55_06_Corrected-a-leak-in-OpenPGP-sub-packet-parsing.patch
       55_07_opencdk-read_attribute-added-more-precise-checks-whe.patch
       55_08_opencdk-cdk_pk_get_keyid-fix-stack-overflow.patch
       55_09_opencdk-added-error-checking-in-the-stream-reading-f.patch
       55_10_opencdk-improved-error-code-checking-in-the-stream-r.patch
       55_11_opencdk-read-packet.c-corrected-typo-in-type-cast.patch
       Addressed memory leaks and an infinite loop in OpenPGP certificate
       parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)
       Addressed invalid memory accesses in OpenPGP certificate parsing.
       (issues found using oss-fuzz project)
       [GNUTLS-SA-2017-2] CVE-2017-5335 / CVE-2017-5336 / CVE-2017-5337
     + 55_12_gnutls_pkcs11_obj_list_import_url2-Always-return-an-.patch
       When returning success, but no elements,
       gnutls_pkcs11_obj_list_import_url4 could have returned zero number
       of elements with a pointer that was uninitialized. Ensure that an
       initialized (i.e., null in that case) pointer is always returned.
     + 55_13_cdk_pkt_read-enforce-packet-limits.patch
       Addressed integer overflow resulting in invalid memory write in
       OpenPGP certificate parsing. Issue found using oss-fuzz project:
       https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
       [GNUTLS-SA-2017-3A] CVE-2017-7869
     + 55_14_opencdk-read_attribute-account-buffer-size.patch
       Addressed read of 1 byte past the end of buffer in OpenPGP
       certificate parsing. Issue found using oss-fuzz project:
       https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391
       (This patch is from gnutls_3_5_x branch.)
     + 55_15_opencdk-do-not-parse-any-secret-keys-in-packet-when-.patch
       Addressed crashes in OpenPGP certificate parsing, related to private
       key parser. No longer allow OpenPGP certificates (public keys) to
       contain private key sub-packets. Issue found using oss-fuzz project:
       https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=354
       https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=360
       [GNUTLS-SA-2017-3B]
     + 55_16_Enforce-the-max-packet-length-for-OpenPGP-subpackets.patch
       Addressed large allocation in OpenPGP certificate parsing, that could
       lead to an out-of-memory condition. Issue found using oss-fuzz
       project, and was fixed by Alex Gaynor:
       https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392
       [GNUTLS-SA-2017-3C]
Checksums-Sha1:
 4e8d1672d1a0b41d352bd5c91adb4e7dff63f192 2958 gnutls28_3.3.8-6+deb8u5.dsc
 ce6241850b3f6520b32ad15d4b398e4769fd2a95 104392 gnutls28_3.3.8-6+deb8u5.debian.tar.xz
 de484ee2bc2a1f11f523aa7cbd23700da6a57b12 3628304 gnutls-doc_3.3.8-6+deb8u5_all.deb
Checksums-Sha256:
 1143c5b76a6899ab266e1e33840d87026108c4623a2ae4c44d1f00a9643ef54d 2958 gnutls28_3.3.8-6+deb8u5.dsc
 fa47161ac81d77daaa7269e22f0edc037c356dc4386ba785ab201b681c1a9328 104392 gnutls28_3.3.8-6+deb8u5.debian.tar.xz
 f2ad5361e395e31832fae73a1d2e63d18b59d9847aae3fd894946c83e926275d 3628304 gnutls-doc_3.3.8-6+deb8u5_all.deb
Files:
 f9a9a26fd919f01efbc1b32d59420447 2958 libs optional gnutls28_3.3.8-6+deb8u5.dsc
 c79e1d2e63dd704dce6e0ef783f403fc 104392 libs optional gnutls28_3.3.8-6+deb8u5.debian.tar.xz
 59b740c649371a4ff67695a7ff26f618 3628304 doc optional gnutls-doc_3.3.8-6+deb8u5_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAlkCG1EACgkQpU8BhUOC
FIRSeRAAgUnJMPCug4UbUV5ZQUXKOUMRLsnQb9ospZO9NaIWS6/bo1GJ1mRJLCN2
WMaXCWacgLHjB/tsQ8sWKFGbwYwIsBdu1gn8qSwgkcWfJf5mcTRB7uX9YZN4hU0r
BHS1dY9x4lnO2uOPhhKfjaatc+rw1YkiNDx5B87c8vTrCMyRm5EeJIv2iCYe+qR6
HlJtC+uF8jxwIYmSxuV0nfnP7EVQZzwY2lEDMGbY25LkVX257O7K2CirmKu0XbTm
EjM9U0gM3cPgORqd5neSMTqYEmThm8V1Eb/A0lobqsKfC0Gj08VeXsKOZHQg1sHX
VAs/rMcgrZbgxkEJyTgnhm1l83XLAXWO0gDX+UE16hdAG1lwpzXjnC2jIXXzGZUC
ZTLkN/xv0l5ZiUKJiRj2yp8z5QKhXED5jd1eHm5UqVeDM6j1apDs8ZvfowFMHcZQ
8F8AK2mBc8x9cikKFmyBeKRWyS8GtenbTGDIqXic1AerJw2EbDgfdYgANV6w/vtA
XmUI6mICgz+0OFLBWvOsN5zPdS+PQ7b4jcTB0877LsZ61m6oEbUg9Ei2V7Nu+Ly/
e0IR0mxLezLu1oMIzpIHgXfVlopE7vrlVW6ZFkOK4axVTt6lLi8JLqB05AkKQVz/
AmtfNN4PdKjzWUesl22FKxXDHIpxaHJLVK52nS8+mxEDWPlSZfc=
=vy3M
-----END PGP SIGNATURE-----