[Pkg-gnutls-commits] r703 - in /packages/gnutls26/trunk/debian: changelog libgnutls26.NEWS
ametzler at users.alioth.debian.org
Thu Apr 30 17:43:15 UTC 2009
Author: ametzler
Date: Thu Apr 30 17:43:15 2009
New Revision: 703
URL: http://svn.debian.org/wsvn/pkg-gnutls/?sc=1&rev=703
Log:
New upstream security release. 2.6.6
Added:
packages/gnutls26/trunk/debian/libgnutls26.NEWS
Modified:
packages/gnutls26/trunk/debian/changelog
Modified: packages/gnutls26/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/changelog?rev=703&op=diff
==============================================================================
--- packages/gnutls26/trunk/debian/changelog (original)
+++ packages/gnutls26/trunk/debian/changelog Thu Apr 30 17:43:15 2009
@@ -1,10 +1,22 @@
-gnutls26 (2.6.5-2) UNRELEASED; urgency=low
-
- * NOT RELEASED YET
+gnutls26 (2.6.6-1) unstable; urgency=high
+
* use @LTLIBTASN1@ instead of @LIBTASN1@ in Libs.private of *.pc.in. This
way lib-link.m4 gives us -ltasn1 instead of /usr/lib/libtasn1.so.
-
- -- Andreas Metzler <ametzler at debian.org> Tue, 14 Apr 2009 18:27:22 +0200
+ * New upstream security release.
+ + libgnutls: Corrected double free on signature verification failure.
+ GNUTLS-SA-2009-1 CVE-2009-1415
+ + libgnutls: Fix DSA key generation. Noticed when investigating the
+ previous GNUTLS-SA-2009-1 problem. All DSA keys generated using GnuTLS
+ 2.6.x are corrupt. See the advisory for more details.
+ GNUTLS-SA-2009-2 CVE-2009-1416
+ + libgnutls: Check expiration/activation time on untrusted certificates.
+ Before the library did not check activation/expiration times on
+ certificates, and was documented as not doing so.
+ GNUTLS-SA-2009-3 CVE-2009-1417
+ * The former two issues only apply to gnutls 2.6.x. The latter is a
+ brehavior change, add a NEWS.Debian file to document it.
+
+ -- Andreas Metzler <ametzler at debian.org> Thu, 30 Apr 2009 19:00:21 +0200
gnutls26 (2.6.5-1) unstable; urgency=low
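Review bot: The final bullet of the new 2.6.6-1 entry has a typo, "brehavior change" should read "behavior change"; since the changelog ships in /usr/share/doc and is parsed by tools such as apt-listchanges, it is worth correcting before upload. The same bullet could also name the file it refers to explicitly, e.g. "add a libgnutls26.NEWS (NEWS.Debian) file to document it", so that readers know where to look for the new GNUTLS_CERT_NOT_ACTIVATED / GNUTLS_CERT_EXPIRED semantics without opening the second file in this commit. Otherwise the entry reads correctly: the Libs.private @LTLIBTASN1@ bullet carried over from the unreleased 2.6.5-2 entry is still accurate for this upload, and urgency=high is appropriate for a release fixing CVE-2009-1415, CVE-2009-1416 and CVE-2009-1417.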
Added: packages/gnutls26/trunk/debian/libgnutls26.NEWS
URL: http://svn.debian.org/wsvn/pkg-gnutls/packages/gnutls26/trunk/debian/libgnutls26.NEWS?rev=703&op=file
==============================================================================
--- packages/gnutls26/trunk/debian/libgnutls26.NEWS (added)
+++ packages/gnutls26/trunk/debian/libgnutls26.NEWS Thu Apr 30 17:43:15 2009
@@ -1,0 +1,24 @@
+gnutls26 (2.6.6-1) unstable; urgency=high
+
+ * libgnutls: Check expiration/activation time on untrusted certificates.
+ Before the library did not check activation/expiration times on
+ certificates, and was documented as not doing so. We have realized that
+ many applications that use libgnutls, including gnutls-cli, fail to
+ perform proper checks. Implementing similar logic in all applications
+ leads to code duplication. Hence, we decided to check whether the
+ current time (as reported by the time function) is within the
+ activation/expiration period of certificates when verifying untrusted
+ certificates.
+
+ This changes the semantics of gnutls_x509_crt_list_verify, which in
+ turn is used by gnutls_certificate_verify_peers and
+ gnutls_certificate_verify_peers2. We add two new
+ gnutls_certificate_status_t codes for reporting the new error
+ condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also
+ add a new gnutls_certificate_verify_flags flag,
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
+ behaviour.
+ GNUTLS-SA-2009-3 CVE-2009-1417
+ http://www.gnu.org/software/gnutls/security.html
+
+ -- Andreas Metzler <ametzler at debian.org> Thu, 30 Apr 2009 19:00:21 +0200
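Review bot: The NEWS.Debian entry explains why the time checks were added but not what an administrator or application maintainer should expect to break, which is the main purpose of a NEWS.Debian file. Consider adding one short paragraph stating that, after upgrading, any program calling gnutls_certificate_verify_peers, gnutls_certificate_verify_peers2 or gnutls_x509_crt_list_verify may now receive GNUTLS_CERT_NOT_ACTIVATED or GNUTLS_CERT_EXPIRED in the status mask for peers that previously verified, that callers which already perform their own validity-period checks can keep the old behaviour with GNUTLS_VERIFY_DISABLE_TIME_CHECKS, and that because the comparison uses the system time (the entry says "as reported by the time function"), hosts with an incorrect clock will now see certificate verification failures. It would also help to note that the two earlier advisories (GNUTLS-SA-2009-1 and GNUTLS-SA-2009-2, including the corrupt DSA keys from GnuTLS 2.6.x) are covered in debian/changelog rather than here, so users reading only NEWS.Debian know where the DSA key regeneration advice lives.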