Your message dated Sun, 13 Nov 2011 09:12:53 +0100
with message-id <[email protected]>
and subject line Re: Bug#648441: CVE-2011-4128: GNUTLS-SA-2011-2
has caused the Debian Bug report #648441,
regarding CVE-2011-4128: GNUTLS-SA-2011-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
648441: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648441
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnutls26
Severity: important
Tags: security
Please see http://www.gnu.org/s/gnutls/security.html for details.
Fixes:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=7fc8fa6464d305440fddab423079c76a915decc3
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=588708465992e1d9fc09cf4e3a39caef878428d9
Given the following inline documentation I would assume that this
could be triggered by a malicious server providing a service over
TLS to crash the client, but not the other way 'round. Is that correct?
/**
 * gnutls_session_get_data - Returns all session parameters.
 * @session: is a #gnutls_session_t structure.
 * @session_data: is a pointer to space to hold the session.
 * @session_data_size: is the session_data's size, or it will be set by the function.
 *
 * Returns all session parameters, in order to support resuming. The
 * client should call this, and keep the returned session, if he
 * wants to resume that current version later by calling
 * gnutls_session_set_data() This function must be called after a
 * successful handshake.
 *
 * Resuming sessions is really useful and speedups connections after
 * a successful one.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise
 * an error code is returned.
 **/
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Version: 2.12.14-1
On 2011-11-11 Moritz Muehlenhoff <[email protected]> wrote:
> Package: gnutls26
> Severity: important
> Tags: security
> Please see http://www.gnu.org/s/gnutls/security.html for details.
> Fixes:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=7fc8fa6464d305440fddab423079c76a915decc3
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=588708465992e1d9fc09cf4e3a39caef878428d9
> Given the following inline documentation I would assume that this
> could be triggered by a malicious server providing a service over
> TLS to crash the client, but not the other way 'round. Is that correct?
[...]
Hello,
Let's get the BTS version info up to date.
This was fixed in sid with this upload (CVE and bug number added
retroactively):
----------------------------------------------------------
gnutls26 (2.12.14-1) unstable; urgency=medium
  * Simplify dependencies:
    + libgnutls-dev Provides/Conflicts/Replaces gnutls-dev (which is
      also provided by gnutls28' libgnutls*-dev).
    + Drop *ancient* Conflicts/Replaces against libgnutls5-dev, gnutls0.4-dev,
      gnutls-dev (<< 0.4.0-0), libgnutls11-dev.
  * New upstream bugfix release.
    + Fixes GNUTLS-SA-2011-2 CVE-2011-4128 Closes: #648441
 -- Andreas Metzler <[email protected]>  Tue, 08 Nov 2011 19:34:28 +0100
----------------------------------------------------------
Sadly gnulib's test-select now fails on kfreebsd-i386. The FTBFS
blocks propagation to testing.
experimental was fixed with 3.0.8-1
----------------------------------------------------------
gnutls28 (3.0.7-1) experimental; urgency=low
  * New upstream version.
    + Fixes GNUTLS-SA-2011-2 CVE-2011-4128 #648441
  * Drop 20_addGNU-stack.diff, included upstream.
  * loadable Guile module no longer installed directly to $libdir but to
    $libdir/guile/X.Y/. Drop unnecessary lintian overrides and
    Pre-Depends: ${misc:Pre-Depends} from guile-gnutls. Also modify
    DEB_DH_MAKESHLIBS_ARGS_guile-gnutls to ignore the binary module.
  * gnutls-extra is removed upstream, there is no need anymore to manually
    remove the bits and pieces in debian/rules.
 -- Andreas Metzler <[email protected]>  Thu, 10 Nov 2011 19:35:30 +0100
----------------------------------------------------------
cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
--- End Message ---