Format: 1.8
Date: Sun, 05 Feb 2017 13:47:30 +0100
Source: gnutls28
Binary: libgnutls28-dev libgnutls-deb0-28 libgnutls28-dbg gnutls-bin gnutls-doc guile-gnutls libgnutlsxx28 libgnutls-openssl27
Architecture: source amd64 all
Version: 3.3.8-6+deb8u5
Distribution: jessie
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description:
 gnutls-bin - GNU TLS library - commandline utilities
 gnutls-doc - GNU TLS library - documentation and examples
 guile-gnutls - GNU TLS library - GNU Guile bindings
 libgnutls-deb0-28 - GNU TLS library - main runtime library
 libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
 libgnutls28-dbg - GNU TLS library - debugger symbols
 libgnutls28-dev - GNU TLS library - development files
 libgnutlsxx28 - GNU TLS library - C++ runtime library
Changes:
 gnutls28 (3.3.8-6+deb8u5) jessie; urgency=medium
 .
   * Pull multiple fixes from gnutls_3_3_x branch:
     + 55_00_pkcs12-fixed-the-calculation-of-p_size.patch
       Fixed issue in PKCS#12 password encoding, which truncated
       passwords over 32 characters. Reported by Mario Klebsch.
     + 55_01_gnutls_x509_ext_import_proxy-fix-issue-reading-the-p.patch
       Fix double free in certificate information printing. If the PKIX
       extension proxy was set with a policy language set but no policy
       specified, that could lead to a double free. [GNUTLS-SA-2017-1]
       CVE-2017-5334
     + 55_02_auth-rsa-eliminated-memory-leak-on-pkcs-1-formatting.patch
       Addressed memory leak in server side error path (issue found using
       oss-fuzz project)
     + 55_03_opencdk-Fixes-to-prevent-undefined-behavior-found-wi.patch
       55_04_Do-not-infinite-loop-if-an-EOF-occurs-while-skipping.patch
       55_05_Attempt-to-fix-a-leak-in-OpenPGP-cert-parsing.patch
       55_06_Corrected-a-leak-in-OpenPGP-sub-packet-parsing.patch
       55_07_opencdk-read_attribute-added-more-precise-checks-whe.patch
       55_08_opencdk-cdk_pk_get_keyid-fix-stack-overflow.patch
       55_09_opencdk-added-error-checking-in-the-stream-reading-f.patch
       55_10_opencdk-improved-error-code-checking-in-the-stream-r.patch
       Addressed memory leaks and an infinite loop in OpenPGP certificate
       parsing. Fixes by Alex Gaynor. (issues found using oss-fuzz project)
       Addressed invalid memory accesses in OpenPGP certificate parsing.
       (issues found using oss-fuzz project) [GNUTLS-SA-2017-2]
       CVE-2017-5335 / CVE-2017-5336 / CVE-2017-5337
     + 55_11_gnutls_pkcs11_obj_list_import_url2-Always-return-an-.patch
       When returning success but no elements,
       gnutls_pkcs11_obj_list_import_url4 could have returned zero number of
       elements with a pointer that was uninitialized. Ensure that an
       initialized (i.e., null in that case) pointer is always returned.
Files:
 71d545388a8227b751e74148ac93494f 2075 libs optional gnutls28_3.3.8-6+deb8u5.dsc
 2bd5b2ef8384f34f308d3d39db92998c 101368 libs optional gnutls28_3.3.8-6+deb8u5.debian.tar.xz
 11fe77a07ac2370505fdeb21802d80f9 638446 libdevel optional libgnutls28-dev_3.3.8-6+deb8u5_amd64.deb
 65a9d6c75b5c9661277d7f676e4cd2cc 696340 libs standard libgnutls-deb0-28_3.3.8-6+deb8u5_amd64.deb
 44b24574e4e11a3a3114e5e44251b70b 2388428 debug extra libgnutls28-dbg_3.3.8-6+deb8u5_amd64.deb
 7ae524b2482c6da668547cc37f0eb28e 309140 net optional gnutls-bin_3.3.8-6+deb8u5_amd64.deb
 5b7e7cc06cce621adec3c4b328664c0d 3628062 doc optional gnutls-doc_3.3.8-6+deb8u5_all.deb
 6e62c3cd20c23944b6789a648a117532 175532 lisp optional guile-gnutls_3.3.8-6+deb8u5_amd64.deb
 9457b08d8266d3b3ec45ac20a3c37e65 14626 libs extra libgnutlsxx28_3.3.8-6+deb8u5_amd64.deb
 b23c94f4b1c9be0f1e49530548600c6f 142654 libs standard libgnutls-openssl27_3.3.8-6+deb8u5_amd64.deb
