Your message dated Thu, 28 Mar 2019 07:19:37 +0000
with message-id <[email protected]>
and subject line Bug#922879: fixed in gnutls28 3.6.7-1
has caused the Debian Bug report #922879,
regarding gnutls: gnutls 3.6 pseudo-randomly breaks VLC HTTP/2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
922879: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922879
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgnutls30
Version: 3.6.6-2
Severity: important
File: gnutls
Tags: upstream patch
Dear Maintainer,
With GnuTLS 3.6.x, VLC pseudo-randomly fails to connect to HTTP/2
servers due to what seems like a race condition in GnuTLS.
See also https://trac.videolan.org/vlc/ticket/21951 .
To reproduce, run VLC a dozen times or so (depending on the system),
until hitting a failure:
# vlc -Irc https://streams.videolan.org/issues/21941/Greatest%20Motown%20Songs%2060s%2070s%20Hits.mp3
(Ctrl+C to abort if it does not fail straight away)
The problem appears to be caused by the "fix" for Debian bug 849807,
which does not seem to follow the GnuTLS thread safety rules.
Since breaking working applications seems far worse than protecting
broken applications from shooting themselves in the foot, I suggest
reverting 849807
(i.e. GnuTLS commit 6a62ddfc416a4ec2118704f93c97fdd448d66566).
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64
Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to fi_FI.UTF-8), LANGUAGE=fr:en_GB:fi (charmap=UTF-8) (ignored: LC_ALL set
to fi_FI.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libgnutls30:amd64 depends on:
ii libc6 2.28-7
ii libgmp10 2:6.1.2+dfsg-4
ii libhogweed4 3.4.1-1
ii libidn2-0 2.0.5-1
ii libnettle6 3.4.1-1
ii libp11-kit0 0.23.15-2
ii libtasn1-6 4.13-3
ii libunistring2 0.9.10-1
libgnutls30:amd64 recommends no packages.
Versions of packages libgnutls30:amd64 suggests:
ii gnutls-bin 3.6.6-2
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: gnutls28
Source-Version: 3.6.7-1
We believe that the bug you reported is fixed in the latest version of
gnutls28, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnutls28 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 Mar 2019 07:44:36 +0100
Source: gnutls28
Architecture: source
Version: 3.6.7-1
Distribution: experimental
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 920477 922879
Changes:
 gnutls28 (3.6.7-1) experimental; urgency=medium
 .
   * New upstream version.
     + Update AUTHOR list in copyright file.
     + Update symbol file.
     + Fixes issue preventing sending and receiving from different
       threads when false start was enabled. Closes: #922879
     + gnutls-cli: fix --benchmark-ciphers type overflow. Closes: #920477
     + Fixes a memory corruption (double free) vulnerability in the
       certificate verification API.
       https://gitlab.com/gnutls/gnutls/issues/694 CVE-2019-3829
       GNUTLS-SA-2019-03-27
     + Fixes an invalid pointer access via malformed TLS1.3 async messages;
       https://gitlab.com/gnutls/gnutls/issues/704 CVE-2019-3836
       GNUTLS-SA-2019-03-27
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---