gnutls12 (1.2.9-2ubuntu1.4) dapper-security; urgency=low * Fix for regression where some valid certificate chains would be untrusted - Update debian/patches/91_CVE-2008-4989.diff to check if last certificate is self-signed and prevent verifying self-signed certificates against themselves. Patch from upstream. - http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00008.html - LP: #305264 -- Jamie Strandboge Fri, 05 Dec 2008 14:53:25 -0600 gnutls12 (1.2.9-2ubuntu1.3) dapper-security; urgency=low * SECURITY UPDATE: Fix for man-in-the-middle attack in certificate validation - debian/patches/91_CVE-2008-4989.diff: don't remove the last certificate if it is self-signed in lib/x509/verify.c - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215 - http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3248 - CVE-2008-4989 -- Jamie Strandboge Tue, 25 Nov 2008 03:59:08 -0600 gnutls12 (1.2.9-2ubuntu1.2) dapper-security; urgency=low * SECURITY UPDATE: multiple remote denial of service. * debian/patches/90_GNUTLS-SA-2008-1.diff: upstream fixes, thanks to Debian. * References GNUTLS-SA-2008-1 CVE-2008-1948, CVE-2008-1949, CVE-2008-1950 -- Kees Cook Tue, 20 May 2008 18:20:22 -0700 gnutls12 (1.2.9-2ubuntu1.1) dapper-security; urgency=low * SECURITY UPDATE: Signature forgery. * Add debian/patches/00CVS_CVE-2006-4790.patch: - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent applications from incorrectly verifying the certificate. (Similar to recent OpenSSL update.) - Patch taken from upstream CVS: http://lists.gnupg.org/pipermail/gnutls-dev/2006-September/001212.html - CVE-2006-4790 -- Martin Pitt Mon, 18 Sep 2006 12:34:57 +0000 gnutls12 (1.2.9-2ubuntu1) dapper; urgency=low * debian/rules: Activate simple-patchsys.mk. * debian/control: Bump libtasn1-2-dev build dependency to >= 0.2.17-1ubuntu1. * Add debian/patches/01_tasn_api_length.patch: - lib/x509/xml.c: Fix calls to libtasn1-2's internal _asn1_* API calls for new libtasn1-2 version; these calls now expect a buffer length argument to check for buffer overflows. - lib/minitasn1/: Changed internal _asn1_ function prototypes in header files according to recent change in libtasn1-2. -- Martin Pitt Wed, 15 Feb 2006 16:16:41 +0100 gnutls12 (1.2.9-2) unstable; urgency=low * Install /usr/lib/pkgconfig/*.pc files. * Depend on texinfo (>= 4.8, for the @euro{} sign). -- Matthias Urlichs Tue, 15 Nov 2005 19:26:02 +0100 gnutls12 (1.2.9-1) unstable; urgency=low * New Upstream version. -- Matthias Urlichs Fri, 11 Nov 2005 18:51:28 +0100 gnutls12 (1.2.8-1) unstable; urgency=low * New Upstream version. - depends on libgcrypt11 1.2.2 * Bumped shlibs version, just to be on the safe side. -- Matthias Urlichs Wed, 19 Oct 2005 12:05:14 +0200 gnutls12 (1.2.6-1) unstable; urgency=low * New Upstream version. * Remove Provides: on libgnutls11-dev. Hopefully this will be temporary (pending discussion with Upstream). -- Matthias Urlichs Thu, 11 Aug 2005 12:21:36 +0200 gnutls12 (1.2.5-3) unstable; urgency=high * Updated libgnutls12.shlibs file. Thanks to Mike Paul . Closes: #319291: libgnutls12: Wrong soversion in shlibs file; breaks dependencies on this library -- Matthias Urlichs Thu, 21 Jul 2005 13:19:25 +0200 gnutls12 (1.2.5-2) unstable; urgency=medium * Did not depend on libgnutls12 -- not picked up by dh_shlibdeps. Added an explicit dependency as a stopgap fix. -- Matthias Urlichs Thu, 21 Jul 2005 08:27:22 +0200 gnutls12 (1.2.5-1) unstable; urgency=low * Merged with the latest stable release. * Renamed to gnutls12. - Changed the library version strings to GNUTLS_1_2. - Renamed the development package back to "libgnutls-dev". -- Matthias Urlichs Tue, 5 Jul 2005 10:35:56 +0200 gnutls11 (1.0.19-1) experimental; urgency=low * Merged with the latest stable release. -- Matthias Urlichs Sun, 26 Dec 2004 13:28:45 +0100 gnutls11 (1.0.16-13) unstable; urgency=high * Fixed an ASN.1 extraction error. Found by Pelle Johansson . -- Matthias Urlichs Mon, 29 Nov 2004 10:16:21 +0100 gnutls11 (1.0.16-12) unstable; urgency=high * Fixed a segfault in certtool. Closes: #278361. -- Matthias Urlichs Thu, 11 Nov 2004 09:40:02 +0100 gnutls11 (1.0.16-11) unstable; urgency=medium * Merged binary (non-UF8) string printing code from Upstream. * Password code in certtool was somewhat broken. -- Matthias Urlichs Sat, 6 Nov 2004 13:11:03 +0100 gnutls11 (1.0.16-10) unstable; urgency=high * Fixed one instance of uninitialized memory usage. -- Matthias Urlichs Thu, 21 Oct 2004 06:07:53 +0200 gnutls11 (1.0.16-9) unstable; urgency=high * Pulled from Upstream CVS: - Fix two memory leaks. - Fix NULL dereference. -- Matthias Urlichs Fri, 8 Oct 2004 10:43:20 +0200 gnutls11 (1.0.16-8) unstable; urgency=high * Pulled these changes from Upstream CVS: - Added default limits in the verification of certificate chains, to avoid denial of service attacks. - Added gnutls_certificate_set_verify_limits() to override them. - Added gnutls_certificate_verify_peers2(). -- Matthias Urlichs Sun, 12 Sep 2004 02:05:25 +0200 gnutls11 (1.0.16-7) unstable; urgency=low * Removed superfluous -lFOO entries from libgnutls{,-extra}-config output. Thanks to joeyh@debian.org for reporting this problem. -- Matthias Urlichs Sat, 14 Aug 2004 11:22:51 +0200 gnutls11 (1.0.16-6) unstable; urgency=medium * Memory leak, found by Modestas Vainius . - Closes: #264420 -- Matthias Urlichs Sun, 8 Aug 2004 22:21:01 +0200 gnutls11 (1.0.16-5) unstable; urgency=low * Depend on current libtasn1-2 (>= 0.2.10). - Closes: #264198. * Fixed maintainer email to point to Debian address. -- Matthias Urlichs Sat, 7 Aug 2004 19:44:38 +0200 gnutls11 (1.0.16-4) unstable; urgency=low * The OpenSSL compatibility library has been linked incorrectly (-ltasn1 was missing). * Need to build-depend on current opencdk8 and libtasn1-2 version. -- Matthias Urlichs Sat, 7 Aug 2004 19:29:32 +0200 gnutls11 (1.0.16-3) unstable; urgency=high * Documentation no longer includes LaTeX-produced output (the source contains latex2html-specific features, which is non-free). * Urgency: High because of pending base freeze. -- Matthias Urlichs Mon, 26 Jul 2004 11:18:20 +0200 gnutls11 (1.0.16-2) unstable; urgency=high * Actually *enable* debug symbols :-/ * Urgency: High for speedy inclusion in d-i -- Matthias Urlichs Fri, 23 Jul 2004 22:38:07 +0200 gnutls11 (1.0.16-1) experimental; urgency=low * Update to latest Upstream version. * now depends on libgcrypt11 * Include debugging package * Use hevea, not latex2html. -- Matthias Urlichs Wed, 21 Jul 2004 16:58:26 +0200 gnutls10 (1.0.4-4) unstable; urgency=low * New maintainer. * Run autotools at source package build time. - Closes: #257237: FTBFS (i386/sid): aclocal failed * Remove "package is still changed upstream" warning. * Build-Depend on debhelper 4.1 (cdbs), versioned libgcrypt7. -- Matthias Urlichs Fri, 16 Jul 2004 02:09:36 +0200 gnutls10 (1.0.4-3) unstable; urgency=low * control: Changed the build dependency and the dependency of libgnutls10-dev to be versioned on libopencdk8-dev >= 0.5.3; libopencdk8-dev 0.5.1 had an invalid dependency on libgcrypt-dev which could cause linking against two versions of libgcrypt. -- Ivo Timmermans Sat, 24 Jan 2004 15:32:22 +0100 gnutls10 (1.0.4-2) unstable; urgency=low * libgnutls-doc.doc-base: Removed HTML manual listing. * control: Removed Jordi Mallach from the list of Uploaders. Thanks, Jordi :) -- Ivo Timmermans Wed, 14 Jan 2004 13:35:42 +0100 gnutls10 (1.0.4-1) unstable; urgency=low * New upstream release (Closes: #227527) * The new documentation in libgnutls-doc fixes several typo's and style glitches: Closes: #215772: inconsistent auth method list in manual Closes: #215775: dangling footnote on page 14 of manual Closes: #215777: bad sentence on page 18 of manual Closes: #215780: incorrect info about ldaps/imaps in manual * rules: * Use --add-missing instead of --force in the call to automake. * Don't build gnutls.ps, use the upstream version. (Closes: #224846) * gnutls-bin.manpages: Use glob to find manpages. * patches/008_manpages.diff: Removed; included upstream. -- Ivo Timmermans Tue, 13 Jan 2004 23:57:16 +0100 gnutls10 (1.0.0-1) unstable; urgency=low * New upstream release. * Major soversion changed to 10. * control: Changed build dependencies of libtasn1-dev. * libgnutls10.shlibs: Added libgnutls-openssl to the list. -- Ivo Timmermans Mon, 29 Dec 2003 23:23:08 +0100 gnutls8 (0.9.99-1) experimental; urgency=low * New upstream release. * Included upstream GPG signature in .orig.tar.gz. -- Ivo Timmermans Wed, 3 Dec 2003 22:33:52 +0100 gnutls8 (0.9.98-1) experimental; urgency=low * New upstream release. * debian/control: libgnutls8-dev depends on libopencdk8-dev. * debian/libgnutls-doc.examples: Install src/*.[ch]. -- Ivo Timmermans Sun, 23 Nov 2003 15:44:38 +0100 gnutls8 (0.9.95-1) experimental; urgency=low * New upstream version. -- Ivo Timmermans Fri, 7 Nov 2003 19:50:22 +0100 gnutls8 (0.9.94-1) experimental; urgency=low * New upstream version; package based on gnutls7 0.8.12-2. * debian/control: * Build-depend on libgcrypt7-dev (>= 1.1.44-0). * debian/rules: Run auto* after the patches have been applied. -- Ivo Timmermans Fri, 31 Oct 2003 18:47:09 +0100