gnutls28: CVE-2015-0294: certificate algorithm consistency checking issue

Related Vulnerabilities: CVE-2015-0294   CVE-2014-8155  

Debian Bug report logs - #779428


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 28 Feb 2015 12:57:02 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in versions gnutls28/3.3.8-5, gnutls28/3.3.8-3

Fixed in versions gnutls28/3.3.13-1, gnutls28/3.3.8-6

Done: Andreas Metzler <ametzler@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#779428; Package src:gnutls28. (Sat, 28 Feb 2015 12:57:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Sat, 28 Feb 2015 12:57:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnutls28: CVE-2015-0294: certificate algorithm consistency checking issue
Date: Sat, 28 Feb 2015 13:53:15 +0100
Source: gnutls28
Version: 3.3.8-5
Severity: normal
Tags: security upstream fixed-upstream
Control: fixed -1 3.3.13-1

Hi,

the following vulnerability was published for gnutls28.

CVE-2015-0294[0]:
certificate algorithm consistency checking issue

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0294
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1196323

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as fixed in versions gnutls28/3.3.13-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 28 Feb 2015 12:57:07 GMT)


Marked as found in versions gnutls28/3.3.8-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Feb 2015 13:42:04 GMT)


Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Sat, 28 Feb 2015 15:39:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 28 Feb 2015 15:39:14 GMT)


Message #14 received at 779428-close@bugs.debian.org:

From: Andreas Metzler <ametzler@debian.org>
To: 779428-close@bugs.debian.org
Subject: Bug#779428: fixed in gnutls28 3.3.8-6
Date: Sat, 28 Feb 2015 15:34:51 +0000
Source: gnutls28
Source-Version: 3.3.8-6

We believe that the bug you reported is fixed in the latest version of
gnutls28, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779428@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated gnutls28 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 28 Feb 2015 14:17:21 +0100
Source: gnutls28
Binary: libgnutls28-dev libgnutls-deb0-28 libgnutls28-dbg gnutls-bin gnutls-doc guile-gnutls libgnutlsxx28 libgnutls-openssl27
Architecture: source i386 all
Version: 3.3.8-6
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description:
 gnutls-bin - GNU TLS library - commandline utilities
 gnutls-doc - GNU TLS library - documentation and examples
 guile-gnutls - GNU TLS library - GNU Guile bindings
 libgnutls-deb0-28 - GNU TLS library - main runtime library
 libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
 libgnutls28-dbg - GNU TLS library - debugger symbols
 libgnutls28-dev - GNU TLS library - development files
 libgnutlsxx28 - GNU TLS library - C++ runtime library
Closes: 779428
Changes:
 gnutls28 (3.3.8-6) unstable; urgency=medium
 .
   * 39_check-whether-the-two-signatur.patch: Pull and unfuzz
     6e76e9b9fa845b76b0b9a45f05f4b54a052578ff from upstream GIT: On
     certificate import check whether the two signature algorithms match.
     CVE-2015-0294. Closes: #779428
Checksums-Sha1:
Checksums-Sha256:
Files:

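The changelog entry above summarises the upstream fix for CVE-2015-0294: on certificate import, check that the signature algorithm named inside TBSCertificate matches the one in the outer Certificate structure (RFC 5280 requires the two to agree). The following stdlib-only Python is an added example, not GnuTLS code or the Debian patch; it walks a DER certificate far enough to extract both AlgorithmIdentifier OIDs and compares them, and the certificate bytes it builds with `fake_cert` are constructed test input, not a real certificate.

```python
def der_tlv(data, pos=0):
    """Decode one DER TLV at pos; returns (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(body):
    """Split a SEQUENCE body into its top-level (tag, value) elements."""
    pos, out = 0, []
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        out.append((tag, value))
    return out

def signature_algorithms(cert_der):
    """Return (inner, outer): the raw algorithm OID in TBSCertificate.signature
    and in Certificate.signatureAlgorithm, the two places a cert names it."""
    tag, cert, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tbs, outer_alg = der_children(cert)[:2]
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    inner_alg = fields[1]                   # serialNumber comes first, then signature
    inner_oid = der_children(inner_alg[1])[0][1]   # AlgorithmIdentifier.algorithm
    outer_oid = der_children(outer_alg[1])[0][1]
    return inner_oid, outer_oid

def algorithms_consistent(cert_der):
    """RFC 5280 4.1.2.3: both fields MUST carry the same algorithm; reject otherwise."""
    inner, outer = signature_algorithms(cert_der)
    return inner == outer

# Constructed, certificate-shaped DER (not a real certificate): only the fields
# walked above are present, so the check can be exercised offline.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length suffices here

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption
SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # sha1WithRSAEncryption

def fake_cert(inner_oid, outer_oid):
    alg = lambda oid: tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg(inner_oid))
    return tlv(0x30, tbs + alg(outer_oid) + tlv(0x03, b"\x00\x00"))
```

An importer that skips this comparison trusts whichever of the two fields it happens to read, which is the inconsistency the upstream commit closes.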




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#779428; Package src:gnutls28. (Tue, 10 Mar 2015 09:51:05 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Tue, 10 Mar 2015 09:51:05 GMT)


Message #19 received at 779428@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Cc: debian-lts@lists.debian.org, Andreas Metzler <ametzler@debian.org>, 779428@bugs.debian.org
Subject: squeeze update of gnutls26?
Date: Tue, 10 Mar 2015 10:48:32 +0100
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of gnutls26:
https://security-tracker.debian.org/tracker/CVE-2014-8155
https://security-tracker.debian.org/tracker/CVE-2015-0294

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#779428; Package src:gnutls28. (Tue, 10 Mar 2015 18:27:07 GMT)


Acknowledgement sent to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Tue, 10 Mar 2015 18:27:08 GMT)


Message #24 received at 779428@bugs.debian.org:

From: Andreas Metzler <ametzler@bebt.de>
To: Raphael Hertzog <hertzog@debian.org>, 779428@bugs.debian.org, debian-lts@lists.debian.org
Subject: Re: Bug#779428: squeeze update of gnutls26?
Date: Tue, 10 Mar 2015 19:23:05 +0100
On 2015-03-10 Raphael Hertzog <hertzog@debian.org> wrote:
> Hello dear maintainer(s),

> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of gnutls26:
> https://security-tracker.debian.org/tracker/CVE-2014-8155
> https://security-tracker.debian.org/tracker/CVE-2015-0294

> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.
[...]

Thank you for the heads up. I currently do not intend to fix this
myself and am perfectly fine with having this uploaded without me
looking at it.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 Apr 2015 07:26:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:46:39 2019; Machine Name: buxtehude
